1 /*	$NetBSD: smtpd.c,v 1.20 2023/12/23 20:30:45 christos Exp $	*/
2 
3 /*++
4 /* NAME
5 /*	smtpd 8
6 /* SUMMARY
7 /*	Postfix SMTP server
8 /* SYNOPSIS
9 /*	\fBsmtpd\fR [generic Postfix daemon options]
10 /*
11 /*	\fBsendmail -bs\fR
12 /* DESCRIPTION
13 /*	The SMTP server accepts network connection requests
14 /*	and performs zero or more SMTP transactions per connection.
15 /*	Each received message is piped through the \fBcleanup\fR(8)
16 /*	daemon, and is placed into the \fBincoming\fR queue as one
17 /*	single queue file.  For this mode of operation, the program
18 /*	expects to be run from the \fBmaster\fR(8) process manager.
19 /*
20 /*	Alternatively, the SMTP server can be run in stand-alone
21 /*	mode; this is traditionally obtained with "\fBsendmail
22 /*	-bs\fR".  When the SMTP server runs stand-alone with non
23 /*	$\fBmail_owner\fR privileges, it receives mail even while
24 /*	the mail system is not running, deposits messages directly
25 /*	into the \fBmaildrop\fR queue, and disables the SMTP server's
26 /*	access policies. As of Postfix version 2.3, the SMTP server
27 /*	refuses to receive mail from the network when it runs with
28 /*	non $\fBmail_owner\fR privileges.
29 /*
30 /*	The SMTP server implements a variety of policies for connection
31 /*	requests, and for parameters given to \fBHELO, ETRN, MAIL FROM, VRFY\fR
32 /*	and \fBRCPT TO\fR commands. They are detailed below and in the
33 /*	\fBmain.cf\fR configuration file.
34 /* SECURITY
35 /* .ad
36 /* .fi
37 /*	The SMTP server is moderately security-sensitive. It talks to SMTP
38 /*	clients and to DNS servers on the network. The SMTP server can be
39 /*	run chrooted at fixed low privilege.
40 /* STANDARDS
41 /*	RFC 821 (SMTP protocol)
42 /*	RFC 1123 (Host requirements)
43 /*	RFC 1652 (8bit-MIME transport)
44 /*	RFC 1869 (SMTP service extensions)
45 /*	RFC 1870 (Message size declaration)
46 /*	RFC 1985 (ETRN command)
47 /*	RFC 2034 (SMTP enhanced status codes)
48 /*	RFC 2554 (AUTH command)
49 /*	RFC 2821 (SMTP protocol)
50 /*	RFC 2920 (SMTP pipelining)
51 /*	RFC 3030 (CHUNKING without BINARYMIME)
52 /*	RFC 3207 (STARTTLS command)
53 /*	RFC 3461 (SMTP DSN extension)
54 /*	RFC 3463 (Enhanced status codes)
55 /*	RFC 3848 (ESMTP transmission types)
56 /*	RFC 4409 (Message submission)
57 /*	RFC 4954 (AUTH command)
58 /*	RFC 5321 (SMTP protocol)
59 /*	RFC 6531 (Internationalized SMTP)
60 /*	RFC 6533 (Internationalized Delivery Status Notifications)
61 /*	RFC 7505 ("Null MX" No Service Resource Record)
62 /* DIAGNOSTICS
63 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
64 /*	or \fBpostlogd\fR(8).
65 /*
66 /*	Depending on the setting of the \fBnotify_classes\fR parameter,
67 /*	the postmaster is notified of bounces, protocol problems,
68 /*	policy violations, and of other trouble.
69 /* CONFIGURATION PARAMETERS
70 /* .ad
71 /* .fi
72 /*	Changes to \fBmain.cf\fR are picked up automatically, as \fBsmtpd\fR(8)
73 /*	processes run for only a limited amount of time. Use the command
74 /*	"\fBpostfix reload\fR" to speed up a change.
75 /*
76 /*	The text below provides only a parameter summary. See
77 /*	\fBpostconf\fR(5) for more details including examples.
78 /* COMPATIBILITY CONTROLS
79 /* .ad
80 /* .fi
81 /*	The following parameters work around implementation errors in other
82 /*	software, and/or allow you to override standards in order to prevent
83 /*	undesirable use.
84 /* .ad
85 /* .fi
86 /* .IP "\fBbroken_sasl_auth_clients (no)\fR"
87 /*	Enable interoperability with remote SMTP clients that implement an obsolete
88 /*	version of the AUTH command (RFC 4954).
89 /* .IP "\fBdisable_vrfy_command (no)\fR"
90 /*	Disable the SMTP VRFY command.
91 /* .IP "\fBsmtpd_noop_commands (empty)\fR"
92 /*	List of commands that the Postfix SMTP server replies to with "250
93 /*	Ok", without doing any syntax checks and without changing state.
94 /* .IP "\fBstrict_rfc821_envelopes (no)\fR"
95 /*	Require that addresses received in SMTP MAIL FROM and RCPT TO
96 /*	commands are enclosed with <>, and that those addresses do
97 /*	not contain RFC 822 style comments or phrases.
98 /* .PP
99 /*	Available in Postfix version 2.1 and later:
100 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
101 /*	Request that the Postfix SMTP server rejects mail from unknown
102 /*	sender addresses, even when no explicit reject_unlisted_sender
103 /*	access restriction is specified.
104 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
105 /*	What remote SMTP clients the Postfix SMTP server will not offer
106 /*	AUTH support to.
107 /* .PP
108 /*	Available in Postfix version 2.2 and later:
109 /* .IP "\fBsmtpd_discard_ehlo_keyword_address_maps (empty)\fR"
110 /*	Lookup tables, indexed by the remote SMTP client address, with
111 /*	case insensitive lists of EHLO keywords (pipelining, starttls, auth,
112 /*	etc.) that the Postfix SMTP server will not send in the EHLO response
113 /*	to a
114 /*	remote SMTP client.
115 /* .IP "\fBsmtpd_discard_ehlo_keywords (empty)\fR"
116 /*	A case insensitive list of EHLO keywords (pipelining, starttls,
117 /*	auth, etc.) that the Postfix SMTP server will not send in the EHLO
118 /*	response
119 /*	to a remote SMTP client.
120 /* .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR"
121 /*	Postpone the start of an SMTP mail transaction until a valid
122 /*	RCPT TO command is received.
123 /* .PP
124 /*	Available in Postfix version 2.3 and later:
125 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
126 /*	Force the Postfix SMTP server to issue a TLS session id, even
127 /*	when TLS session caching is turned off (smtpd_tls_session_cache_database
128 /*	is empty).
129 /* .PP
130 /*	Available in Postfix version 2.6 and later:
131 /* .IP "\fBtcp_windowsize (0)\fR"
132 /*	An optional workaround for routers that break TCP window scaling.
133 /* .PP
134 /*	Available in Postfix version 2.7 and later:
135 /* .IP "\fBsmtpd_command_filter (empty)\fR"
136 /*	A mechanism to transform commands from remote SMTP clients.
137 /* .PP
138 /*	Available in Postfix version 2.9 - 3.6:
139 /* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
140 /*	Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
141 /*	time limits, from a
142 /*	time limit per read or write system call, to a time limit to send
143 /*	or receive a complete record (an SMTP command line, SMTP response
144 /*	line, SMTP message content line, or TLS protocol message).
145 /* .PP
146 /*	Available in Postfix version 3.0 and later:
147 /* .IP "\fBsmtpd_dns_reply_filter (empty)\fR"
148 /*	Optional filter for Postfix SMTP server DNS lookup results.
149 /* .PP
150 /*	Available in Postfix 3.5 and later:
151 /* .IP "\fBinfo_log_address_format (external)\fR"
152 /*	The email address form that will be used in non-debug logging
153 /*	(info, warning, etc.).
154 /* .PP
155 /*	Available in Postfix version 3.6 and later:
156 /* .IP "\fBsmtpd_relay_before_recipient_restrictions (see 'postconf -d' output)\fR"
157 /*	Evaluate smtpd_relay_restrictions before smtpd_recipient_restrictions.
158 /* .IP "\fBknown_tcp_ports (lmtp=24, smtp=25, smtps=submissions=465, submission=587)\fR"
159 /*	Optional setting that avoids lookups in the \fBservices\fR(5) database.
160 /* .PP
161 /*	Available in Postfix version 3.7 and later:
162 /* .IP "\fBsmtpd_per_request_deadline (normal: no, overload: yes)\fR"
163 /*	Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
164 /*	time limits, from a time limit per plaintext or TLS read or write
165 /*	call, to a combined time limit for receiving a complete SMTP request
166 /*	and for sending a complete SMTP response.
167 /* .IP "\fBsmtpd_min_data_rate (500)\fR"
168 /*	The minimum plaintext data transfer rate in bytes/second for
169 /*	DATA and BDAT requests, when deadlines are enabled with
170 /*	smtpd_per_request_deadline.
171 /* ADDRESS REWRITING CONTROLS
172 /* .ad
173 /* .fi
174 /*	See the ADDRESS_REWRITING_README document for a detailed
175 /*	discussion of Postfix address rewriting.
176 /* .IP "\fBreceive_override_options (empty)\fR"
177 /*	Enable or disable recipient validation, built-in content
178 /*	filtering, or address mapping.
179 /* .PP
180 /*	Available in Postfix version 2.2 and later:
181 /* .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR"
182 /*	Rewrite or add message headers in mail from these clients,
183 /*	updating incomplete addresses with the domain name in $myorigin or
184 /*	$mydomain, and adding missing headers.
185 /* BEFORE-SMTPD PROXY AGENT
186 /* .ad
187 /* .fi
188 /*	Available in Postfix version 2.10 and later:
189 /* .IP "\fBsmtpd_upstream_proxy_protocol (empty)\fR"
190 /*	The name of the proxy protocol used by an optional before-smtpd
191 /*	proxy agent.
192 /* .IP "\fBsmtpd_upstream_proxy_timeout (5s)\fR"
193 /*	The time limit for the proxy protocol specified with the
194 /*	smtpd_upstream_proxy_protocol parameter.
195 /* AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
196 /* .ad
197 /* .fi
198 /*	As of version 1.0, Postfix can be configured to send new mail to
199 /*	an external content filter AFTER the mail is queued. This content
200 /*	filter is expected to inject mail back into a (Postfix or other)
201 /*	MTA for further delivery. See the FILTER_README document for details.
202 /* .IP "\fBcontent_filter (empty)\fR"
203 /*	After the message is queued, send the entire message to the
204 /*	specified \fItransport:destination\fR.
205 /* BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
206 /* .ad
207 /* .fi
208 /*	As of version 2.1, the Postfix SMTP server can be configured
209 /*	to send incoming mail to a real-time SMTP-based content filter
210 /*	BEFORE mail is queued.  This content filter is expected to inject
211 /*	mail back into Postfix.  See the SMTPD_PROXY_README document for
212 /*	details on how to configure and operate this feature.
213 /* .IP "\fBsmtpd_proxy_filter (empty)\fR"
214 /*	The hostname and TCP port of the mail filtering proxy server.
215 /* .IP "\fBsmtpd_proxy_ehlo ($myhostname)\fR"
216 /*	How the Postfix SMTP server announces itself to the proxy filter.
217 /* .IP "\fBsmtpd_proxy_options (empty)\fR"
218 /*	List of options that control how the Postfix SMTP server
219 /*	communicates with a before-queue content filter.
220 /* .IP "\fBsmtpd_proxy_timeout (100s)\fR"
221 /*	The time limit for connecting to a proxy filter and for sending or
222 /*	receiving information.
223 /* BEFORE QUEUE MILTER CONTROLS
224 /* .ad
225 /* .fi
226 /*	As of version 2.3, Postfix supports the Sendmail version 8
227 /*	Milter (mail filter) protocol. These content filters run
228 /*	outside Postfix. They can inspect the SMTP command stream
229 /*	and the message content, and can request modifications before
230 /*	mail is queued. For details see the MILTER_README document.
231 /* .IP "\fBsmtpd_milters (empty)\fR"
232 /*	A list of Milter (mail filter) applications for new mail that
233 /*	arrives via the Postfix \fBsmtpd\fR(8) server.
234 /* .IP "\fBmilter_protocol (6)\fR"
235 /*	The mail filter protocol version and optional protocol extensions
236 /*	for communication with a Milter application; prior to Postfix 2.6
237 /*	the default protocol is 2.
238 /* .IP "\fBmilter_default_action (tempfail)\fR"
239 /*	The default action when a Milter (mail filter) response is
240 /*	unavailable (for example, bad Postfix configuration or Milter
241 /*	failure).
242 /* .IP "\fBmilter_macro_daemon_name ($myhostname)\fR"
243 /*	The {daemon_name} macro value for Milter (mail filter) applications.
244 /* .IP "\fBmilter_macro_v ($mail_name $mail_version)\fR"
245 /*	The {v} macro value for Milter (mail filter) applications.
246 /* .IP "\fBmilter_connect_timeout (30s)\fR"
247 /*	The time limit for connecting to a Milter (mail filter)
248 /*	application, and for negotiating protocol options.
249 /* .IP "\fBmilter_command_timeout (30s)\fR"
250 /*	The time limit for sending an SMTP command to a Milter (mail
251 /*	filter) application, and for receiving the response.
252 /* .IP "\fBmilter_content_timeout (300s)\fR"
253 /*	The time limit for sending message content to a Milter (mail
254 /*	filter) application, and for receiving the response.
255 /* .IP "\fBmilter_connect_macros (see 'postconf -d' output)\fR"
256 /*	The macros that are sent to Milter (mail filter) applications
257 /*	after completion of an SMTP connection.
258 /* .IP "\fBmilter_helo_macros (see 'postconf -d' output)\fR"
259 /*	The macros that are sent to Milter (mail filter) applications
260 /*	after the SMTP HELO or EHLO command.
261 /* .IP "\fBmilter_mail_macros (see 'postconf -d' output)\fR"
262 /*	The macros that are sent to Milter (mail filter) applications
263 /*	after the SMTP MAIL FROM command.
264 /* .IP "\fBmilter_rcpt_macros (see 'postconf -d' output)\fR"
265 /*	The macros that are sent to Milter (mail filter) applications
266 /*	after the SMTP RCPT TO command.
267 /* .IP "\fBmilter_data_macros (see 'postconf -d' output)\fR"
268 /*	The macros that are sent to version 4 or higher Milter (mail
269 /*	filter) applications after the SMTP DATA command.
270 /* .IP "\fBmilter_unknown_command_macros (see 'postconf -d' output)\fR"
271 /*	The macros that are sent to version 3 or higher Milter (mail
272 /*	filter) applications after an unknown SMTP command.
273 /* .IP "\fBmilter_end_of_header_macros (see 'postconf -d' output)\fR"
274 /*	The macros that are sent to Milter (mail filter) applications
275 /*	after the end of the message header.
276 /* .IP "\fBmilter_end_of_data_macros (see 'postconf -d' output)\fR"
277 /*	The macros that are sent to Milter (mail filter) applications
278 /*	after the message end-of-data.
279 /* .PP
280 /*	Available in Postfix version 3.1 and later:
281 /* .IP "\fBmilter_macro_defaults (empty)\fR"
282 /*	Optional list of \fIname=value\fR pairs that specify default
283 /*	values for arbitrary macros that Postfix may send to Milter
284 /*	applications.
285 /* .PP
286 /*	Available in Postfix version 3.2 and later:
287 /* .IP "\fBsmtpd_milter_maps (empty)\fR"
288 /*	Lookup tables with Milter settings per remote SMTP client IP
289 /*	address.
290 /* GENERAL CONTENT INSPECTION CONTROLS
291 /* .ad
292 /* .fi
293 /*	The following parameters are applicable for both built-in
294 /*	and external content filters.
295 /* .PP
296 /*	Available in Postfix version 2.1 and later:
297 /* .IP "\fBreceive_override_options (empty)\fR"
298 /*	Enable or disable recipient validation, built-in content
299 /*	filtering, or address mapping.
300 /* EXTERNAL CONTENT INSPECTION CONTROLS
301 /* .ad
302 /* .fi
303 /*	The following parameters are applicable for both before-queue
304 /*	and after-queue content filtering.
305 /* .PP
306 /*	Available in Postfix version 2.1 and later:
307 /* .IP "\fBsmtpd_authorized_xforward_hosts (empty)\fR"
308 /*	What remote SMTP clients are allowed to use the XFORWARD feature.
309 /* SASL AUTHENTICATION CONTROLS
310 /* .ad
311 /* .fi
312 /*	Postfix SASL support (RFC 4954) can be used to authenticate remote
313 /*	SMTP clients to the Postfix SMTP server, and to authenticate the
314 /*	Postfix SMTP client to a remote SMTP server.
315 /*	See the SASL_README document for details.
316 /* .IP "\fBbroken_sasl_auth_clients (no)\fR"
317 /*	Enable interoperability with remote SMTP clients that implement an obsolete
318 /*	version of the AUTH command (RFC 4954).
319 /* .IP "\fBsmtpd_sasl_auth_enable (no)\fR"
320 /*	Enable SASL authentication in the Postfix SMTP server.
321 /* .IP "\fBsmtpd_sasl_local_domain (empty)\fR"
322 /*	The name of the Postfix SMTP server's local SASL authentication
323 /*	realm.
324 /* .IP "\fBsmtpd_sasl_security_options (noanonymous)\fR"
325 /*	Postfix SMTP server SASL security options; as of Postfix 2.3
326 /*	the list of available
327 /*	features depends on the SASL server implementation that is selected
328 /*	with \fBsmtpd_sasl_type\fR.
329 /* .IP "\fBsmtpd_sender_login_maps (empty)\fR"
330 /*	Optional lookup table with the SASL login names that own the sender
331 /*	(MAIL FROM) addresses.
332 /* .PP
333 /*	Available in Postfix version 2.1 and later:
334 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
335 /*	What remote SMTP clients the Postfix SMTP server will not offer
336 /*	AUTH support to.
337 /* .PP
338 /*	Available in Postfix version 2.1 and 2.2:
339 /* .IP "\fBsmtpd_sasl_application_name (smtpd)\fR"
340 /*	The application name that the Postfix SMTP server uses for SASL
341 /*	server initialization.
342 /* .PP
343 /*	Available in Postfix version 2.3 and later:
344 /* .IP "\fBsmtpd_sasl_authenticated_header (no)\fR"
345 /*	Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received
346 /*	message header.
347 /* .IP "\fBsmtpd_sasl_path (smtpd)\fR"
348 /*	Implementation-specific information that the Postfix SMTP server
349 /*	passes through to
350 /*	the SASL plug-in implementation that is selected with
351 /*	\fBsmtpd_sasl_type\fR.
352 /* .IP "\fBsmtpd_sasl_type (cyrus)\fR"
353 /*	The SASL plug-in type that the Postfix SMTP server should use
354 /*	for authentication.
355 /* .PP
356 /*	Available in Postfix version 2.5 and later:
357 /* .IP "\fBcyrus_sasl_config_path (empty)\fR"
358 /*	Search path for Cyrus SASL application configuration files,
359 /*	currently used only to locate the $smtpd_sasl_path.conf file.
360 /* .PP
361 /*	Available in Postfix version 2.11 and later:
362 /* .IP "\fBsmtpd_sasl_service (smtp)\fR"
363 /*	The service name that is passed to the SASL plug-in that is
364 /*	selected with \fBsmtpd_sasl_type\fR and \fBsmtpd_sasl_path\fR.
365 /* .PP
366 /*	Available in Postfix version 3.4 and later:
367 /* .IP "\fBsmtpd_sasl_response_limit (12288)\fR"
368 /*	The maximum length of a SASL client's response to a server challenge.
369 /* .PP
370 /*	Available in Postfix 3.6 and later:
371 /* .IP "\fBsmtpd_sasl_mechanism_filter (!external, static:rest)\fR"
372 /*	If non-empty, a filter for the SASL mechanism names that the
373 /*	Postfix SMTP server will announce in the EHLO response.
374 /* STARTTLS SUPPORT CONTROLS
375 /* .ad
376 /* .fi
377 /*	Detailed information about STARTTLS configuration may be
378 /*	found in the TLS_README document.
379 /* .IP "\fBsmtpd_tls_security_level (empty)\fR"
380 /*	The SMTP TLS security level for the Postfix SMTP server; when
381 /*	a non-empty value is specified, this overrides the obsolete parameters
382 /*	smtpd_use_tls and smtpd_enforce_tls.
383 /* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
384 /*	The SASL authentication security options that the Postfix SMTP
385 /*	server uses for TLS encrypted SMTP sessions.
386 /* .IP "\fBsmtpd_starttls_timeout (see 'postconf -d' output)\fR"
387 /*	The time limit for Postfix SMTP server write and read operations
388 /*	during TLS startup and shutdown handshake procedures.
389 /* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
390 /*	A file containing (PEM format) CA certificates of root CAs trusted
391 /*	to sign either remote SMTP client certificates or intermediate CA
392 /*	certificates.
393 /* .IP "\fBsmtpd_tls_CApath (empty)\fR"
394 /*	A directory containing (PEM format) CA certificates of root CAs
395 /*	trusted to sign either remote SMTP client certificates or intermediate CA
396 /*	certificates.
397 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
398 /*	Force the Postfix SMTP server to issue a TLS session id, even
399 /*	when TLS session caching is turned off (smtpd_tls_session_cache_database
400 /*	is empty).
401 /* .IP "\fBsmtpd_tls_ask_ccert (no)\fR"
402 /*	Ask a remote SMTP client for a client certificate.
403 /* .IP "\fBsmtpd_tls_auth_only (no)\fR"
404 /*	When TLS encryption is optional in the Postfix SMTP server, do
405 /*	not announce or accept SASL authentication over unencrypted
406 /*	connections.
407 /* .IP "\fBsmtpd_tls_ccert_verifydepth (9)\fR"
408 /*	The verification depth for remote SMTP client certificates.
409 /* .IP "\fBsmtpd_tls_cert_file (empty)\fR"
410 /*	File with the Postfix SMTP server RSA certificate in PEM format.
411 /* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR"
412 /*	List of ciphers or cipher types to exclude from the SMTP server
413 /*	cipher list at all TLS security levels.
414 /* .IP "\fBsmtpd_tls_dcert_file (empty)\fR"
415 /*	File with the Postfix SMTP server DSA certificate in PEM format.
416 /* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
417 /*	File with DH parameters that the Postfix SMTP server should
418 /*	use with non-export EDH ciphers.
419 /* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR"
420 /*	File with DH parameters that the Postfix SMTP server should
421 /*	use with export-grade EDH ciphers.
422 /* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR"
423 /*	File with the Postfix SMTP server DSA private key in PEM format.
424 /* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
425 /*	File with the Postfix SMTP server RSA private key in PEM format.
426 /* .IP "\fBsmtpd_tls_loglevel (0)\fR"
427 /*	Enable additional Postfix SMTP server logging of TLS activity.
428 /* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
429 /*	The minimum TLS cipher grade that the Postfix SMTP server will
430 /*	use with mandatory TLS encryption.
431 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
432 /*	Additional list of ciphers or cipher types to exclude from the
433 /*	Postfix SMTP server cipher list at mandatory TLS security levels.
434 /* .IP "\fBsmtpd_tls_mandatory_protocols (see 'postconf -d' output)\fR"
435 /*	TLS protocols accepted by the Postfix SMTP server with mandatory TLS
436 /*	encryption.
437 /* .IP "\fBsmtpd_tls_received_header (no)\fR"
438 /*	Request that the Postfix SMTP server produces Received:  message
439 /*	headers that include information about the protocol and cipher used,
440 /*	as well as the remote SMTP client CommonName and client certificate issuer
441 /*	CommonName.
442 /* .IP "\fBsmtpd_tls_req_ccert (no)\fR"
443 /*	With mandatory TLS encryption, require a trusted remote SMTP client
444 /*	certificate in order to allow TLS connections to proceed.
445 /* .IP "\fBsmtpd_tls_wrappermode (no)\fR"
446 /*	Run the Postfix SMTP server in TLS "wrapper" mode,
447 /*	instead of using the STARTTLS command.
448 /* .IP "\fBtls_daemon_random_bytes (32)\fR"
449 /*	The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
450 /*	process requests from the \fBtlsmgr\fR(8) server in order to seed its
451 /*	internal pseudo random number generator (PRNG).
452 /* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR"
453 /*	The OpenSSL cipherlist for "high" grade ciphers.
454 /* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR"
455 /*	The OpenSSL cipherlist for "medium" or higher grade ciphers.
456 /* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
457 /*	The OpenSSL cipherlist for "NULL" grade ciphers that provide
458 /*	authentication without encryption.
459 /* .PP
460 /*	Available in Postfix version 2.3..3.7:
461 /* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR"
462 /*	The OpenSSL cipherlist for "low" or higher grade ciphers.
463 /* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR"
464 /*	The OpenSSL cipherlist for "export" or higher grade ciphers.
465 /* .PP
466 /*	Available in Postfix version 2.5 and later:
467 /* .IP "\fBsmtpd_tls_fingerprint_digest (see 'postconf -d' output)\fR"
468 /*	The message digest algorithm to construct remote SMTP client-certificate
469 /*	fingerprints or public key fingerprints (Postfix 2.9 and later) for
470 /*	\fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR.
471 /* .PP
472 /*	Available in Postfix version 2.6 and later:
473 /* .IP "\fBsmtpd_tls_protocols (see postconf -d output)\fR"
474 /*	TLS protocols accepted by the Postfix SMTP server with opportunistic
475 /*	TLS encryption.
476 /* .IP "\fBsmtpd_tls_ciphers (medium)\fR"
477 /*	The minimum TLS cipher grade that the Postfix SMTP server
478 /*	will use with opportunistic TLS encryption.
479 /* .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
480 /*	File with the Postfix SMTP server ECDSA certificate in PEM format.
481 /* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
482 /*	File with the Postfix SMTP server ECDSA private key in PEM format.
483 /* .IP "\fBsmtpd_tls_eecdh_grade (see 'postconf -d' output)\fR"
484 /*	The Postfix SMTP server security grade for ephemeral elliptic-curve
485 /*	Diffie-Hellman (EECDH) key exchange.
486 /* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
487 /*	The elliptic curve used by the Postfix SMTP server for sensibly
488 /*	strong
489 /*	ephemeral ECDH key exchange.
490 /* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
491 /*	The elliptic curve used by the Postfix SMTP server for maximally
492 /*	strong
493 /*	ephemeral ECDH key exchange.
494 /* .PP
495 /*	Available in Postfix version 2.8 and later:
496 /* .IP "\fBtls_preempt_cipherlist (no)\fR"
497 /*	With SSLv3 and later, use the Postfix SMTP server's cipher
498 /*	preference order instead of the remote client's cipher preference
499 /*	order.
500 /* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR"
501 /*	List or bit-mask of OpenSSL bug work-arounds to disable.
502 /* .PP
503 /*	Available in Postfix version 2.11 and later:
504 /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR"
505 /*	The name of the \fBtlsmgr\fR(8) service entry in master.cf.
506 /* .PP
507 /*	Available in Postfix version 3.0 and later:
508 /* .IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)\fR"
509 /*	Algorithm used to encrypt RFC5077 TLS session tickets.
510 /* .PP
511 /*	Available in Postfix version 3.2 and later:
512 /* .IP "\fBtls_eecdh_auto_curves (see 'postconf -d' output)\fR"
513 /*	The prioritized list of elliptic curves supported by the Postfix
514 /*	SMTP client and server.
515 /* .PP
516 /*	Available in Postfix version 3.4 and later:
517 /* .IP "\fBsmtpd_tls_chain_files (empty)\fR"
518 /*	List of one or more PEM files, each holding one or more private keys
519 /*	directly followed by a corresponding certificate chain.
520 /* .IP "\fBtls_server_sni_maps (empty)\fR"
521 /*	Optional lookup tables that map names received from remote SMTP
522 /*	clients via the TLS Server Name Indication (SNI) extension to the
523 /*	appropriate keys and certificate chains.
524 /* .PP
525 /*	Available in Postfix 3.5, 3.4.6, 3.3.5, 3.2.10, 3.1.13 and later:
526 /* .IP "\fBtls_fast_shutdown_enable (yes)\fR"
527 /*	A workaround for implementations that hang Postfix while shutting
528 /*	down a TLS session, until Postfix times out.
529 /* .PP
530 /*	Available in Postfix version 3.8 and later:
531 /* .IP "\fBtls_ffdhe_auto_groups (see 'postconf -d' output)\fR"
532 /*	The prioritized list of finite-field Diffie-Hellman ephemeral
533 /*	(FFDHE) key exchange groups supported by the Postfix SMTP client and
534 /*	server.
535 /* .PP
536 /*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
537 /* .IP "\fBtls_config_file (default)\fR"
538 /*	Optional configuration file with baseline OpenSSL settings.
539 /* .IP "\fBtls_config_name (empty)\fR"
540 /*	The application name passed by Postfix to OpenSSL library
541 /*	initialization functions.
542 /* OBSOLETE STARTTLS CONTROLS
543 /* .ad
544 /* .fi
545 /*	The following configuration parameters exist for compatibility
546 /*	with Postfix versions before 2.3. Support for these will
547 /*	be removed in a future release.
548 /* .IP "\fBsmtpd_use_tls (no)\fR"
549 /*	Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
550 /*	but do not require that clients use TLS encryption.
551 /* .IP "\fBsmtpd_enforce_tls (no)\fR"
552 /*	Mandatory TLS: announce STARTTLS support to remote SMTP clients,
553 /*	and require that clients use TLS encryption.
554 /* .IP "\fBsmtpd_tls_cipherlist (empty)\fR"
555 /*	Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
556 /*	cipher list.
557 /* SMTPUTF8 CONTROLS
558 /* .ad
559 /* .fi
560 /*	Preliminary SMTPUTF8 support is introduced with Postfix 3.0.
561 /* .IP "\fBsmtputf8_enable (yes)\fR"
562 /*	Enable preliminary SMTPUTF8 support for the protocols described
563 /*	in RFC 6531, RFC 6532, and RFC 6533.
564 /* .IP "\fBstrict_smtputf8 (no)\fR"
565 /*	Enable stricter enforcement of the SMTPUTF8 protocol.
566 /* .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR"
567 /*	Detect that a message requires SMTPUTF8 support for the specified
568 /*	mail origin classes.
569 /* .PP
570 /*	Available in Postfix version 3.2 and later:
571 /* .IP "\fBenable_idna2003_compatibility (no)\fR"
572 /*	Enable 'transitional' compatibility between IDNA2003 and IDNA2008,
573 /*	when converting UTF-8 domain names to/from the ASCII form that is
574 /*	used for DNS lookups.
575 /* VERP SUPPORT CONTROLS
576 /* .ad
577 /* .fi
578 /*	With VERP style delivery, each recipient of a message receives a
579 /*	customized copy of the message with his/her own recipient address
580 /*	encoded in the envelope sender address.  The VERP_README file
581 /*	describes configuration and operation details of Postfix support
582 /*	for variable envelope return path addresses.  VERP style delivery
583 /*	is requested with the SMTP XVERP command or with the "sendmail
584 /*	-V" command-line option and is available in Postfix version 1.1
585 /*	and later.
586 /* .IP "\fBdefault_verp_delimiters (+=)\fR"
587 /*	The two default VERP delimiter characters.
588 /* .IP "\fBverp_delimiter_filter (-=+)\fR"
589 /*	The characters Postfix accepts as VERP delimiter characters on the
590 /*	Postfix \fBsendmail\fR(1) command line and in SMTP commands.
591 /* .PP
592 /*	Available in Postfix version 1.1 and 2.0:
593 /* .IP "\fBauthorized_verp_clients ($mynetworks)\fR"
594 /*	What remote SMTP clients are allowed to specify the XVERP command.
595 /* .PP
596 /*	Available in Postfix version 2.1 and later:
597 /* .IP "\fBsmtpd_authorized_verp_clients ($authorized_verp_clients)\fR"
598 /*	What remote SMTP clients are allowed to specify the XVERP command.
599 /* TROUBLE SHOOTING CONTROLS
600 /* .ad
601 /* .fi
602 /*	The DEBUG_README document describes how to debug parts of the
603 /*	Postfix mail system. The methods vary from making the software log
604 /*	a lot of detail, to running some daemon processes under control of
605 /*	a call tracer or debugger.
606 /* .IP "\fBdebug_peer_level (2)\fR"
607 /*	The increment in verbose logging level when a nexthop destination,
608 /*	remote client or server name or network address matches a pattern
609 /*	given with the debug_peer_list parameter.
610 /* .IP "\fBdebug_peer_list (empty)\fR"
611 /*	Optional list of nexthop destination, remote client or server
612 /*	name or network address patterns that, if matched, cause the verbose
613 /*	logging level to increase by the amount specified in $debug_peer_level.
614 /* .IP "\fBerror_notice_recipient (postmaster)\fR"
615 /*	The recipient of postmaster notifications about mail delivery
616 /*	problems that are caused by policy, resource, software or protocol
617 /*	errors.
618 /* .IP "\fBinternal_mail_filter_classes (empty)\fR"
619 /*	What categories of Postfix-generated mail are subject to
620 /*	before-queue content inspection by non_smtpd_milters, header_checks
621 /*	and body_checks.
622 /* .IP "\fBnotify_classes (resource, software)\fR"
623 /*	The list of error classes that are reported to the postmaster.
624 /* .IP "\fBsmtpd_reject_footer (empty)\fR"
625 /*	Optional information that is appended after each Postfix SMTP
626 /*	server
627 /*	4XX or 5XX response.
628 /* .IP "\fBsoft_bounce (no)\fR"
629 /*	Safety net to keep mail queued that would otherwise be returned to
630 /*	the sender.
631 /* .PP
632 /*	Available in Postfix version 2.1 and later:
633 /* .IP "\fBsmtpd_authorized_xclient_hosts (empty)\fR"
634 /*	What remote SMTP clients are allowed to use the XCLIENT feature.
635 /* .PP
636 /*	Available in Postfix version 2.10 and later:
637 /* .IP "\fBsmtpd_log_access_permit_actions (empty)\fR"
638 /*	Enable logging of the named "permit" actions in SMTP server
639 /*	access lists (by default, the SMTP server logs "reject" actions but
640 /*	not "permit" actions).
641 /* KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS
642 /* .ad
643 /* .fi
644 /*	As of Postfix version 2.0, the SMTP server rejects mail for
645 /*	unknown recipients. This prevents the mail queue from clogging up
646 /*	with undeliverable MAILER-DAEMON messages. Additional information
647 /*	on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README
648 /*	documents.
/* .IP "\fBshow_user_unknown_table_name (yes)\fR"
/*	Display the name of the recipient table in the "User unknown"
/*	responses. Note that this reveals the name of a local lookup
/*	table to remote SMTP clients; set it to "no" to keep that detail
/*	out of SMTP replies.
652 /* .IP "\fBcanonical_maps (empty)\fR"
653 /*	Optional address mapping lookup tables for message headers and
654 /*	envelopes.
655 /* .IP "\fBrecipient_canonical_maps (empty)\fR"
656 /*	Optional address mapping lookup tables for envelope and header
657 /*	recipient addresses.
658 /* .IP "\fBsender_canonical_maps (empty)\fR"
659 /*	Optional address mapping lookup tables for envelope and header
660 /*	sender addresses.
661 /* .PP
662 /*	Parameters concerning known/unknown local recipients:
663 /* .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
664 /*	The list of domains that are delivered via the $local_transport
665 /*	mail delivery transport.
666 /* .IP "\fBinet_interfaces (all)\fR"
667 /*	The local network interface addresses that this mail system receives
668 /*	mail on.
669 /* .IP "\fBproxy_interfaces (empty)\fR"
670 /*	The remote network interface addresses that this mail system receives mail
671 /*	on by way of a proxy or network address translation unit.
672 /* .IP "\fBinet_protocols (see 'postconf -d output')\fR"
673 /*	The Internet protocols Postfix will attempt to use when making
674 /*	or accepting connections.
675 /* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"
676 /*	Lookup tables with all names or addresses of local recipients:
677 /*	a recipient address is local when its domain matches $mydestination,
678 /*	$inet_interfaces or $proxy_interfaces.
679 /* .IP "\fBunknown_local_recipient_reject_code (550)\fR"
680 /*	The numerical Postfix SMTP server response code when a recipient
681 /*	address is local, and $local_recipient_maps specifies a list of
682 /*	lookup tables that does not match the recipient.
683 /* .PP
684 /*	Parameters concerning known/unknown recipients of relay destinations:
685 /* .IP "\fBrelay_domains (Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)\fR"
686 /*	What destination domains (and subdomains thereof) this system
687 /*	will relay mail to.
688 /* .IP "\fBrelay_recipient_maps (empty)\fR"
689 /*	Optional lookup tables with all valid addresses in the domains
690 /*	that match $relay_domains.
/* .IP "\fBunknown_relay_recipient_reject_code (550)\fR"
/*	The numerical Postfix SMTP server reply code when a recipient
/*	address matches $relay_domains, and $relay_recipient_maps specifies
/*	a list of lookup tables that does not match the recipient address.
695 /* .PP
696 /*	Parameters concerning known/unknown recipients in virtual alias
697 /*	domains:
698 /* .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR"
699 /*	Postfix is the final destination for the specified list of virtual
700 /*	alias domains, that is, domains for which all addresses are aliased
701 /*	to addresses in other local or remote domains.
702 /* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
703 /*	Optional lookup tables that alias specific mail addresses or domains
704 /*	to other local or remote addresses.
705 /* .IP "\fBunknown_virtual_alias_reject_code (550)\fR"
706 /*	The Postfix SMTP server reply code when a recipient address matches
707 /*	$virtual_alias_domains, and $virtual_alias_maps specifies a list
708 /*	of lookup tables that does not match the recipient address.
709 /* .PP
710 /*	Parameters concerning known/unknown recipients in virtual mailbox
711 /*	domains:
712 /* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR"
713 /*	Postfix is the final destination for the specified list of domains;
714 /*	mail is delivered via the $virtual_transport mail delivery transport.
715 /* .IP "\fBvirtual_mailbox_maps (empty)\fR"
716 /*	Optional lookup tables with all valid addresses in the domains that
717 /*	match $virtual_mailbox_domains.
718 /* .IP "\fBunknown_virtual_mailbox_reject_code (550)\fR"
719 /*	The Postfix SMTP server reply code when a recipient address matches
720 /*	$virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list
721 /*	of lookup tables that does not match the recipient address.
722 /* RESOURCE AND RATE CONTROLS
723 /* .ad
724 /* .fi
725 /*	The following parameters limit resource usage by the SMTP
726 /*	server and/or control client request rates.
727 /* .IP "\fBline_length_limit (2048)\fR"
728 /*	Upon input, long lines are chopped up into pieces of at most
729 /*	this length; upon delivery, long lines are reconstructed.
730 /* .IP "\fBqueue_minfree (0)\fR"
731 /*	The minimal amount of free space in bytes in the queue file system
732 /*	that is needed to receive mail.
733 /* .IP "\fBmessage_size_limit (10240000)\fR"
734 /*	The maximal size in bytes of a message, including envelope information.
735 /* .IP "\fBsmtpd_recipient_limit (1000)\fR"
736 /*	The maximal number of recipients that the Postfix SMTP server
737 /*	accepts per message delivery request.
/* .IP "\fBsmtpd_timeout (normal: 300s, overload: 10s)\fR"
/*	When the Postfix SMTP server wants to send an SMTP server
/*	response, how long the Postfix SMTP server will wait for an underlying
/*	network write operation to complete; and when the Postfix SMTP
/*	server wants to receive an SMTP client request, how long
/*	the Postfix SMTP server will wait for an underlying network read
/*	operation to complete.
745 /* .IP "\fBsmtpd_history_flush_threshold (100)\fR"
746 /*	The maximal number of lines in the Postfix SMTP server command history
747 /*	before it is flushed upon receipt of EHLO, RSET, or end of DATA.
748 /* .PP
749 /*	Available in Postfix version 2.3 and later:
750 /* .IP "\fBsmtpd_peername_lookup (yes)\fR"
751 /*	Attempt to look up the remote SMTP client hostname, and verify that
752 /*	the name matches the client IP address.
753 /* .PP
754 /*	The per SMTP client connection count and request rate limits are
755 /*	implemented in co-operation with the \fBanvil\fR(8) service, and
756 /*	are available in Postfix version 2.2 and later.
757 /* .IP "\fBsmtpd_client_connection_count_limit (50)\fR"
758 /*	How many simultaneous connections any client is allowed to
759 /*	make to this service.
760 /* .IP "\fBsmtpd_client_connection_rate_limit (0)\fR"
761 /*	The maximal number of connection attempts any client is allowed to
762 /*	make to this service per time unit.
763 /* .IP "\fBsmtpd_client_message_rate_limit (0)\fR"
764 /*	The maximal number of message delivery requests that any client is
765 /*	allowed to make to this service per time unit, regardless of whether
766 /*	or not Postfix actually accepts those messages.
767 /* .IP "\fBsmtpd_client_recipient_rate_limit (0)\fR"
768 /*	The maximal number of recipient addresses that any client is allowed
769 /*	to send to this service per time unit, regardless of whether or not
770 /*	Postfix actually accepts those recipients.
771 /* .IP "\fBsmtpd_client_event_limit_exceptions ($mynetworks)\fR"
772 /*	Clients that are excluded from smtpd_client_*_count/rate_limit
773 /*	restrictions.
774 /* .PP
775 /*	Available in Postfix version 2.3 and later:
776 /* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR"
777 /*	The maximal number of new (i.e., uncached) TLS sessions that a
778 /*	remote SMTP client is allowed to negotiate with this service per
779 /*	time unit.
780 /* .PP
781 /*	Available in Postfix version 2.9 - 3.6:
782 /* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
783 /*	Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
784 /*	time limits, from a
785 /*	time limit per read or write system call, to a time limit to send
786 /*	or receive a complete record (an SMTP command line, SMTP response
787 /*	line, SMTP message content line, or TLS protocol message).
788 /* .PP
789 /*	Available in Postfix version 3.1 and later:
790 /* .IP "\fBsmtpd_client_auth_rate_limit (0)\fR"
791 /*	The maximal number of AUTH commands that any client is allowed to
792 /*	send to this service per time unit, regardless of whether or not
793 /*	Postfix actually accepts those commands.
794 /* .PP
795 /*	Available in Postfix version 3.7 and later:
796 /* .IP "\fBsmtpd_per_request_deadline (normal: no, overload: yes)\fR"
797 /*	Change the behavior of the smtpd_timeout and smtpd_starttls_timeout
798 /*	time limits, from a time limit per plaintext or TLS read or write
799 /*	call, to a combined time limit for receiving a complete SMTP request
800 /*	and for sending a complete SMTP response.
801 /* .IP "\fBsmtpd_min_data_rate (500)\fR"
802 /*	The minimum plaintext data transfer rate in bytes/second for
803 /*	DATA and BDAT requests, when deadlines are enabled with
804 /*	smtpd_per_request_deadline.
805 /* .IP "\fBheader_from_format (standard)\fR"
806 /*	The format of the Postfix-generated \fBFrom:\fR header.
807 /* .PP
808 /*	Available in Postfix version 3.8 and later:
809 /* .IP "\fBsmtpd_client_ipv4_prefix_length (32)\fR"
810 /*	Aggregate smtpd_client_*_count and smtpd_client_*_rate statistics
811 /*	by IPv4 network blocks with the specified network prefix.
812 /* .IP "\fBsmtpd_client_ipv6_prefix_length (84)\fR"
813 /*	Aggregate smtpd_client_*_count and smtpd_client_*_rate statistics
814 /*	by IPv6 network blocks with the specified network prefix.
815 /* .PP
816 /*	Available in Postfix 3.9, 3.8.1, 3.7.6, 3.6.10, 3.5.20 and later:
817 /* .IP "\fBsmtpd_forbid_unauth_pipelining (Postfix >= 3.9: yes)\fR"
818 /*	Disconnect remote SMTP clients that violate RFC 2920 (or 5321)
819 /*	command pipelining constraints.
820 /* .PP
821 /*	Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
822 /* .IP "\fBsmtpd_forbid_bare_newline (Postfix < 3.9: no)\fR"
823 /*	Reply with "Error: bare <LF> received" and disconnect
824 /*	when a remote SMTP client sends a line ending in <LF>, violating
825 /*	the RFC 5321 requirement that lines must end in <CR><LF>.
826 /* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
827 /*	Exclude the specified clients from smtpd_forbid_bare_newline
828 /*	enforcement.
829 /* TARPIT CONTROLS
830 /* .ad
831 /* .fi
832 /*	When a remote SMTP client makes errors, the Postfix SMTP server
833 /*	can insert delays before responding. This can help to slow down
834 /*	run-away software.  The behavior is controlled by an error counter
835 /*	that counts the number of errors within an SMTP session that a
836 /*	client makes without delivering mail.
837 /* .IP "\fBsmtpd_error_sleep_time (1s)\fR"
838 /*	With Postfix version 2.1 and later: the SMTP server response delay after
839 /*	a client has made more than $smtpd_soft_error_limit errors, and
840 /*	fewer than $smtpd_hard_error_limit errors, without delivering mail.
841 /* .IP "\fBsmtpd_soft_error_limit (10)\fR"
842 /*	The number of errors a remote SMTP client is allowed to make without
843 /*	delivering mail before the Postfix SMTP server slows down all its
844 /*	responses.
845 /* .IP "\fBsmtpd_hard_error_limit (normal: 20, overload: 1)\fR"
846 /*	The maximal number of errors a remote SMTP client is allowed to
847 /*	make without delivering mail.
848 /* .IP "\fBsmtpd_junk_command_limit (normal: 100, overload: 1)\fR"
849 /*	The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
850 /*	SMTP client can send before the Postfix SMTP server starts to
851 /*	increment the error counter with each junk command.
852 /* .PP
853 /*	Available in Postfix version 2.1 and later:
854 /* .IP "\fBsmtpd_recipient_overshoot_limit (1000)\fR"
855 /*	The number of recipients that a remote SMTP client can send in
856 /*	excess of the limit specified with $smtpd_recipient_limit, before
857 /*	the Postfix SMTP server increments the per-session error count
858 /*	for each excess recipient.
859 /* ACCESS POLICY DELEGATION CONTROLS
860 /* .ad
861 /* .fi
862 /*	As of version 2.1, Postfix can be configured to delegate access
863 /*	policy decisions to an external server that runs outside Postfix.
864 /*	See the file SMTPD_POLICY_README for more information.
865 /* .IP "\fBsmtpd_policy_service_max_idle (300s)\fR"
866 /*	The time after which an idle SMTPD policy service connection is
867 /*	closed.
868 /* .IP "\fBsmtpd_policy_service_max_ttl (1000s)\fR"
869 /*	The time after which an active SMTPD policy service connection is
870 /*	closed.
871 /* .IP "\fBsmtpd_policy_service_timeout (100s)\fR"
872 /*	The time limit for connecting to, writing to, or receiving from a
873 /*	delegated SMTPD policy server.
874 /* .PP
875 /*	Available in Postfix version 3.0 and later:
876 /* .IP "\fBsmtpd_policy_service_default_action (451 4.3.5 Server configuration problem)\fR"
877 /*	The default action when an SMTPD policy service request fails.
878 /* .IP "\fBsmtpd_policy_service_request_limit (0)\fR"
879 /*	The maximal number of requests per SMTPD policy service connection,
880 /*	or zero (no limit).
881 /* .IP "\fBsmtpd_policy_service_try_limit (2)\fR"
882 /*	The maximal number of attempts to send an SMTPD policy service
883 /*	request before giving up.
884 /* .IP "\fBsmtpd_policy_service_retry_delay (1s)\fR"
885 /*	The delay between attempts to resend a failed SMTPD policy
886 /*	service request.
887 /* .PP
888 /*	Available in Postfix version 3.1 and later:
889 /* .IP "\fBsmtpd_policy_service_policy_context (empty)\fR"
890 /*	Optional information that the Postfix SMTP server specifies in
891 /*	the "policy_context" attribute of a policy service request (originally,
892 /*	to share the same service endpoint among multiple check_policy_service
893 /*	clients).
894 /* ACCESS CONTROLS
895 /* .ad
896 /* .fi
897 /*	The SMTPD_ACCESS_README document gives an introduction to all the
898 /*	SMTP server access control features.
899 /* .IP "\fBsmtpd_delay_reject (yes)\fR"
900 /*	Wait until the RCPT TO command before evaluating
901 /*	$smtpd_client_restrictions, $smtpd_helo_restrictions and
902 /*	$smtpd_sender_restrictions, or wait until the ETRN command before
903 /*	evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
904 /* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
905 /*	A list of Postfix features where the pattern "example.com" also
906 /*	matches subdomains of example.com,
907 /*	instead of requiring an explicit ".example.com" pattern.
908 /* .IP "\fBsmtpd_client_restrictions (empty)\fR"
909 /*	Optional restrictions that the Postfix SMTP server applies in the
910 /*	context of a client connection request.
911 /* .IP "\fBsmtpd_helo_required (no)\fR"
912 /*	Require that a remote SMTP client introduces itself with the HELO
913 /*	or EHLO command before sending the MAIL command or other commands
914 /*	that require EHLO negotiation.
915 /* .IP "\fBsmtpd_helo_restrictions (empty)\fR"
916 /*	Optional restrictions that the Postfix SMTP server applies in the
917 /*	context of a client HELO command.
918 /* .IP "\fBsmtpd_sender_restrictions (empty)\fR"
919 /*	Optional restrictions that the Postfix SMTP server applies in the
920 /*	context of a client MAIL FROM command.
921 /* .IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR"
922 /*	Optional restrictions that the Postfix SMTP server applies in the
923 /*	context of a client RCPT TO command, after smtpd_relay_restrictions.
924 /* .IP "\fBsmtpd_etrn_restrictions (empty)\fR"
925 /*	Optional restrictions that the Postfix SMTP server applies in the
926 /*	context of a client ETRN command.
927 /* .IP "\fBallow_untrusted_routing (no)\fR"
928 /*	Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
929 /*	from untrusted clients to destinations matching $relay_domains.
930 /* .IP "\fBsmtpd_restriction_classes (empty)\fR"
931 /*	User-defined aliases for groups of access restrictions.
932 /* .IP "\fBsmtpd_null_access_lookup_key (<>)\fR"
933 /*	The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the
934 /*	null sender address.
935 /* .IP "\fBpermit_mx_backup_networks (empty)\fR"
936 /*	Restrict the use of the permit_mx_backup SMTP access feature to
937 /*	only domains whose primary MX hosts match the listed networks.
938 /* .PP
939 /*	Available in Postfix version 2.0 and later:
940 /* .IP "\fBsmtpd_data_restrictions (empty)\fR"
941 /*	Optional access restrictions that the Postfix SMTP server applies
942 /*	in the context of the SMTP DATA command.
943 /* .IP "\fBsmtpd_expansion_filter (see 'postconf -d' output)\fR"
944 /*	What characters are allowed in $name expansions of RBL reply
945 /*	templates.
946 /* .PP
947 /*	Available in Postfix version 2.1 and later:
948 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
949 /*	Request that the Postfix SMTP server rejects mail from unknown
950 /*	sender addresses, even when no explicit reject_unlisted_sender
951 /*	access restriction is specified.
952 /* .IP "\fBsmtpd_reject_unlisted_recipient (yes)\fR"
953 /*	Request that the Postfix SMTP server rejects mail for unknown
954 /*	recipient addresses, even when no explicit reject_unlisted_recipient
955 /*	access restriction is specified.
956 /* .PP
957 /*	Available in Postfix version 2.2 and later:
958 /* .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR"
959 /*	Optional access restrictions that the Postfix SMTP server
960 /*	applies in the context of the SMTP END-OF-DATA command.
961 /* .PP
962 /*	Available in Postfix version 2.10 and later:
963 /* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)\fR"
964 /*	Access restrictions for mail relay control that the Postfix
965 /*	SMTP server applies in the context of the RCPT TO command, before
966 /*	smtpd_recipient_restrictions.
967 /* SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS
968 /* .ad
969 /* .fi
970 /*	Postfix version 2.1 introduces sender and recipient address verification.
971 /*	This feature is implemented by sending probe email messages that
972 /*	are not actually delivered.
973 /*	This feature is requested via the reject_unverified_sender and
974 /*	reject_unverified_recipient access restrictions.  The status of
975 /*	verification probes is maintained by the \fBverify\fR(8) server.
976 /*	See the file ADDRESS_VERIFICATION_README for information
977 /*	about how to configure and operate the Postfix sender/recipient
978 /*	address verification service.
979 /* .IP "\fBaddress_verify_poll_count (normal: 3, overload: 1)\fR"
980 /*	How many times to query the \fBverify\fR(8) service for the completion
981 /*	of an address verification request in progress.
982 /* .IP "\fBaddress_verify_poll_delay (3s)\fR"
983 /*	The delay between queries for the completion of an address
984 /*	verification request in progress.
985 /* .IP "\fBaddress_verify_sender ($double_bounce_sender)\fR"
986 /*	The sender address to use in address verification probes; prior
987 /*	to Postfix 2.5 the default was "postmaster".
/* .IP "\fBunverified_sender_reject_code (450)\fR"
/*	The numerical Postfix SMTP server response code when a sender
/*	address is rejected by the reject_unverified_sender restriction.
991 /* .IP "\fBunverified_recipient_reject_code (450)\fR"
992 /*	The numerical Postfix SMTP server response when a recipient address
993 /*	is rejected by the reject_unverified_recipient restriction.
994 /* .PP
995 /*	Available in Postfix version 2.6 and later:
996 /* .IP "\fBunverified_sender_defer_code (450)\fR"
997 /*	The numerical Postfix SMTP server response code when a sender address
998 /*	probe fails due to a temporary error condition.
999 /* .IP "\fBunverified_recipient_defer_code (450)\fR"
1000 /*	The numerical Postfix SMTP server response when a recipient address
1001 /*	probe fails due to a temporary error condition.
1002 /* .IP "\fBunverified_sender_reject_reason (empty)\fR"
1003 /*	The Postfix SMTP server's reply when rejecting mail with
1004 /*	reject_unverified_sender.
1005 /* .IP "\fBunverified_recipient_reject_reason (empty)\fR"
1006 /*	The Postfix SMTP server's reply when rejecting mail with
1007 /*	reject_unverified_recipient.
1008 /* .IP "\fBunverified_sender_tempfail_action ($reject_tempfail_action)\fR"
1009 /*	The Postfix SMTP server's action when reject_unverified_sender
1010 /*	fails due to a temporary error condition.
1011 /* .IP "\fBunverified_recipient_tempfail_action ($reject_tempfail_action)\fR"
1012 /*	The Postfix SMTP server's action when reject_unverified_recipient
1013 /*	fails due to a temporary error condition.
1014 /* .PP
1015 /*	Available with Postfix 2.9 and later:
1016 /* .IP "\fBaddress_verify_sender_ttl (0s)\fR"
1017 /*	The time between changes in the time-dependent portion of address
1018 /*	verification probe sender addresses.
1019 /* ACCESS CONTROL RESPONSES
1020 /* .ad
1021 /* .fi
1022 /*	The following parameters control numerical SMTP reply codes
1023 /*	and/or text responses.
1024 /* .IP "\fBaccess_map_reject_code (554)\fR"
1025 /*	The numerical Postfix SMTP server response code for
1026 /*	an \fBaccess\fR(5) map "reject" action.
1027 /* .IP "\fBdefer_code (450)\fR"
1028 /*	The numerical Postfix SMTP server response code when a remote SMTP
1029 /*	client request is rejected by the "defer" restriction.
1030 /* .IP "\fBinvalid_hostname_reject_code (501)\fR"
1031 /*	The numerical Postfix SMTP server response code when the client
1032 /*	HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname
1033 /*	restriction.
1034 /* .IP "\fBmaps_rbl_reject_code (554)\fR"
1035 /*	The numerical Postfix SMTP server response code when a remote SMTP
1036 /*	client request is blocked by the reject_rbl_client, reject_rhsbl_client,
1037 /*	reject_rhsbl_reverse_client, reject_rhsbl_sender or
1038 /*	reject_rhsbl_recipient restriction.
1039 /* .IP "\fBnon_fqdn_reject_code (504)\fR"
1040 /*	The numerical Postfix SMTP server reply code when a client request
1041 /*	is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
1042 /*	or reject_non_fqdn_recipient restriction.
1043 /* .IP "\fBplaintext_reject_code (450)\fR"
1044 /*	The numerical Postfix SMTP server response code when a request
1045 /*	is rejected by the \fBreject_plaintext_session\fR restriction.
1046 /* .IP "\fBreject_code (554)\fR"
1047 /*	The numerical Postfix SMTP server response code when a remote SMTP
1048 /*	client request is rejected by the "reject" restriction.
1049 /* .IP "\fBrelay_domains_reject_code (554)\fR"
1050 /*	The numerical Postfix SMTP server response code when a client
1051 /*	request is rejected by the reject_unauth_destination recipient
1052 /*	restriction.
1053 /* .IP "\fBunknown_address_reject_code (450)\fR"
1054 /*	The numerical response code when the Postfix SMTP server rejects a
1055 /*	sender or recipient address because its domain is unknown.
1056 /* .IP "\fBunknown_client_reject_code (450)\fR"
1057 /*	The numerical Postfix SMTP server response code when a client
1058 /*	without valid address <=> name mapping is rejected by the
1059 /*	reject_unknown_client_hostname restriction.
1060 /* .IP "\fBunknown_hostname_reject_code (450)\fR"
1061 /*	The numerical Postfix SMTP server response code when the hostname
1062 /*	specified with the HELO or EHLO command is rejected by the
1063 /*	reject_unknown_helo_hostname restriction.
1064 /* .PP
1065 /*	Available in Postfix version 2.0 and later:
1066 /* .IP "\fBdefault_rbl_reply (see 'postconf -d' output)\fR"
1067 /*	The default Postfix SMTP server response template for a request that is
1068 /*	rejected by an RBL-based restriction.
1069 /* .IP "\fBmulti_recipient_bounce_reject_code (550)\fR"
1070 /*	The numerical Postfix SMTP server response code when a remote SMTP
1071 /*	client request is blocked by the reject_multi_recipient_bounce
1072 /*	restriction.
1073 /* .IP "\fBrbl_reply_maps (empty)\fR"
1074 /*	Optional lookup tables with RBL response templates.
1075 /* .PP
1076 /*	Available in Postfix version 2.6 and later:
1077 /* .IP "\fBaccess_map_defer_code (450)\fR"
1078 /*	The numerical Postfix SMTP server response code for
1079 /*	an \fBaccess\fR(5) map "defer" action, including "defer_if_permit"
1080 /*	or "defer_if_reject".
1081 /* .IP "\fBreject_tempfail_action (defer_if_permit)\fR"
1082 /*	The Postfix SMTP server's action when a reject-type restriction
1083 /*	fails due to a temporary error condition.
1084 /* .IP "\fBunknown_helo_hostname_tempfail_action ($reject_tempfail_action)\fR"
1085 /*	The Postfix SMTP server's action when reject_unknown_helo_hostname
1086 /*	fails due to a temporary error condition.
1087 /* .IP "\fBunknown_address_tempfail_action ($reject_tempfail_action)\fR"
1088 /*	The Postfix SMTP server's action when reject_unknown_sender_domain
1089 /*	or reject_unknown_recipient_domain fail due to a temporary error
1090 /*	condition.
1091 /* MISCELLANEOUS CONTROLS
1092 /* .ad
1093 /* .fi
1094 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
1095 /*	The default location of the Postfix main.cf and master.cf
1096 /*	configuration files.
1097 /* .IP "\fBdaemon_timeout (18000s)\fR"
1098 /*	How much time a Postfix daemon process may take to handle a
1099 /*	request before it is terminated by a built-in watchdog timer.
1100 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
1101 /*	The location of all postfix administrative commands.
1102 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
1103 /*	The sender address of postmaster notifications that are generated
1104 /*	by the mail system.
1105 /* .IP "\fBipc_timeout (3600s)\fR"
1106 /*	The time limit for sending or receiving information over an internal
1107 /*	communication channel.
1108 /* .IP "\fBmail_name (Postfix)\fR"
1109 /*	The mail system name that is displayed in Received: headers, in
1110 /*	the SMTP greeting banner, and in bounced mail.
1111 /* .IP "\fBmail_owner (postfix)\fR"
1112 /*	The UNIX system account that owns the Postfix queue and most Postfix
1113 /*	daemon processes.
1114 /* .IP "\fBmax_idle (100s)\fR"
1115 /*	The maximum amount of time that an idle Postfix daemon process waits
1116 /*	for an incoming connection before terminating voluntarily.
1117 /* .IP "\fBmax_use (100)\fR"
1118 /*	The maximal number of incoming connections that a Postfix daemon
1119 /*	process will service before terminating voluntarily.
1120 /* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
1121 /*	The internet hostname of this mail system.
1122 /* .IP "\fBmynetworks (see 'postconf -d' output)\fR"
1123 /*	The list of "trusted" remote SMTP clients that have more privileges than
1124 /*	"strangers".
1125 /* .IP "\fBmyorigin ($myhostname)\fR"
1126 /*	The domain name that locally-posted mail appears to come
1127 /*	from, and that locally posted mail is delivered to.
1128 /* .IP "\fBprocess_id (read-only)\fR"
1129 /*	The process ID of a Postfix command or daemon process.
1130 /* .IP "\fBprocess_name (read-only)\fR"
1131 /*	The process name of a Postfix command or daemon process.
1132 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
1133 /*	The location of the Postfix top-level queue directory.
1134 /* .IP "\fBrecipient_delimiter (empty)\fR"
1135 /*	The set of characters that can separate an email address
1136 /*	localpart, user name, or a .forward file name from its extension.
1137 /* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR"
1138 /*	The text that follows the 220 status code in the SMTP greeting
1139 /*	banner.
1140 /* .IP "\fBsyslog_facility (mail)\fR"
1141 /*	The syslog facility of Postfix logging.
1142 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
1143 /*	A prefix that is prepended to the process name in syslog
1144 /*	records, so that, for example, "smtpd" becomes "prefix/smtpd".
1145 /* .PP
1146 /*	Available in Postfix version 2.2 and later:
1147 /* .IP "\fBsmtpd_forbidden_commands (CONNECT GET POST regexp:{{/^[^A-Z]/ Bogus}})\fR"
1148 /*	List of commands that cause the Postfix SMTP server to immediately
1149 /*	terminate the session with a 221 code.
1150 /* .PP
1151 /*	Available in Postfix version 2.5 and later:
1152 /* .IP "\fBsmtpd_client_port_logging (no)\fR"
1153 /*	Enable logging of the remote SMTP client port in addition to
1154 /*	the hostname and IP address.
1155 /* .PP
1156 /*	Available in Postfix 3.3 and later:
1157 /* .IP "\fBservice_name (read-only)\fR"
1158 /*	The master.cf service name of a Postfix daemon process.
1159 /* .PP
1160 /*	Available in Postfix 3.4 and later:
1161 /* .IP "\fBsmtpd_reject_footer_maps (empty)\fR"
1162 /*	Lookup tables, indexed by the complete Postfix SMTP server 4xx or
1163 /*	5xx response, with reject footer templates.
1164 /* SEE ALSO
1165 /*	anvil(8), connection/rate limiting
1166 /*	cleanup(8), message canonicalization
1167 /*	tlsmgr(8), TLS session and PRNG management
1168 /*	trivial-rewrite(8), address resolver
1169 /*	verify(8), address verification service
1170 /*	postconf(5), configuration parameters
1171 /*	master(5), generic daemon options
1172 /*	master(8), process manager
1173 /*	postlogd(8), Postfix logging
1174 /*	syslogd(8), system logging
1175 /* README FILES
1176 /* .ad
1177 /* .fi
1178 /*	Use "\fBpostconf readme_directory\fR" or
1179 /*	"\fBpostconf html_directory\fR" to locate this information.
1180 /* .na
1181 /* .nf
1182 /*	ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
1183 /*	ADDRESS_REWRITING_README, Postfix address manipulation
1184 /*	BDAT_README, Postfix CHUNKING support
1185 /*	FILTER_README, external after-queue content filter
1186 /*	LOCAL_RECIPIENT_README, blocking unknown local recipients
1187 /*	MILTER_README, before-queue mail filter applications
1188 /*	SMTPD_ACCESS_README, built-in access policies
1189 /*	SMTPD_POLICY_README, external policy server
1190 /*	SMTPD_PROXY_README, external before-queue content filter
1191 /*	SASL_README, Postfix SASL howto
1192 /*	TLS_README, Postfix STARTTLS howto
1193 /*	VERP_README, Postfix XVERP extension
1194 /*	XCLIENT_README, Postfix XCLIENT extension
1195 /*	XFORWARD_README, Postfix XFORWARD extension
1196 /* LICENSE
1197 /* .ad
1198 /* .fi
1199 /*	The Secure Mailer license must be distributed with this software.
1200 /* AUTHOR(S)
1201 /*	Wietse Venema
1202 /*	IBM T.J. Watson Research
1203 /*	P.O. Box 704
1204 /*	Yorktown Heights, NY 10598, USA
1205 /*
1206 /*	Wietse Venema
1207 /*	Google, Inc.
1208 /*	111 8th Avenue
1209 /*	New York, NY 10011, USA
1210 /*
1211 /*	SASL support originally by:
1212 /*	Till Franke
1213 /*	SuSE Rhein/Main AG
1214 /*	65760 Eschborn, Germany
1215 /*
1216 /*	TLS support originally by:
1217 /*	Lutz Jaenicke
1218 /*	BTU Cottbus
1219 /*	Allgemeine Elektrotechnik
1220 /*	Universitaetsplatz 3-4
1221 /*	D-03044 Cottbus, Germany
1222 /*
1223 /*	Revised TLS support by:
1224 /*	Victor Duchovni
1225 /*	Morgan Stanley
1226 /*--*/
1227 
1228 /* System library. */
1229 
1230 #include <sys_defs.h>
1231 #include <sys/socket.h>
1232 #include <sys/stat.h>
1233 #include <netinet/in.h>
1234 #include <arpa/inet.h>
1235 #include <netdb.h>
1236 #include <string.h>
1237 #include <stdio.h>			/* remove() */
1238 #include <unistd.h>
1239 #include <stdlib.h>
1240 #include <errno.h>
1241 #include <ctype.h>
1242 #include <signal.h>
1243 #include <stddef.h>			/* offsetof() */
1244 
1245 #ifdef STRCASECMP_IN_STRINGS_H
1246 #include <strings.h>
1247 #endif
1248 
1249 /* Utility library. */
1250 
1251 #include <msg.h>
1252 #include <mymalloc.h>
1253 #include <vstring.h>
1254 #include <vstream.h>
1255 #include <vstring_vstream.h>
1256 #include <stringops.h>
1257 #include <events.h>
1258 #include <smtp_stream.h>
1259 #include <valid_hostname.h>
1260 #include <dict.h>
1261 #include <watchdog.h>
1262 #include <iostuff.h>
1263 #include <split_at.h>
1264 #include <name_code.h>
1265 #include <inet_proto.h>
1266 
1267 /* Global library. */
1268 
1269 #include <mail_params.h>
1270 #include <mail_version.h>		/* milter_macro_v */
1271 #include <record.h>
1272 #include <rec_type.h>
1273 #include <mail_proto.h>
1274 #include <cleanup_user.h>
1275 #include <mail_date.h>
1276 #include <mail_conf.h>
1277 #include <off_cvt.h>
1278 #include <debug_peer.h>
1279 #include <mail_error.h>
1280 #include <flush_clnt.h>
1281 #include <mail_stream.h>
1282 #include <mail_queue.h>
1283 #include <tok822.h>
1284 #include <verp_sender.h>
1285 #include <string_list.h>
1286 #include <quote_822_local.h>
1287 #include <lex_822.h>
1288 #include <namadr_list.h>
1289 #include <input_transp.h>
1290 #include <is_header.h>
1291 #include <anvil_clnt.h>
1292 #include <flush_clnt.h>
1293 #include <ehlo_mask.h>			/* ehlo filter */
1294 #include <maps.h>			/* ehlo filter */
1295 #include <valid_mailhost_addr.h>
1296 #include <dsn_mask.h>
1297 #include <xtext.h>
1298 #include <uxtext.h>
1299 #include <tls_proxy.h>
1300 #include <verify_sender_addr.h>
1301 #include <smtputf8.h>
1302 #include <match_parent_style.h>
1303 #include <normalize_mailhost_addr.h>
1304 #include <info_log_addr_form.h>
1305 #include <hfrom_format.h>
1306 
1307 /* Single-threaded server skeleton. */
1308 
1309 #include <mail_server.h>
1310 
1311 /* Mail filter library. */
1312 
1313 #include <milter.h>
1314 
1315 /* DNS library. */
1316 
1317 #include <dns.h>
1318 
1319 /* Application-specific */
1320 
1321 #include <smtpd_token.h>
1322 #include <smtpd.h>
1323 #include <smtpd_check.h>
1324 #include <smtpd_chat.h>
1325 #include <smtpd_sasl_proto.h>
1326 #include <smtpd_sasl_glue.h>
1327 #include <smtpd_proxy.h>
1328 #include <smtpd_milter.h>
1329 #include <smtpd_expand.h>
1330 
1331 #include "pfilter.h"
1332 
1333  /*
1334   * Tunable parameters. Make sure that there is some bound on the length of
1335   * an SMTP command, so that the mail system stays in control even when a
1336   * malicious client sends commands of unreasonable length (qmail-dos-1).
1337   * Make sure there is some bound on the number of recipients, so that the
1338   * mail system stays in control even when a malicious client sends an
1339   * unreasonable number of recipients (qmail-dos-2).
1340   */
int     var_smtpd_rcpt_limit;		/* bound on recipients, see comment above */
int     var_smtpd_tmout;
int     var_smtpd_soft_erlim;
int     var_smtpd_hard_erlim;
long    var_queue_minfree;		/* XXX use off_t */
char   *var_smtpd_banner;
char   *var_notify_classes;

 /*
  * Per-stage restriction lists (var_*_checks) and the SMTP reply codes used
  * when a restriction fires (var_*_code). How each list is evaluated lives
  * in the access-check code, not in this excerpt.
  */
char   *var_client_checks;
char   *var_helo_checks;
char   *var_mail_checks;
char   *var_relay_checks;
char   *var_rcpt_checks;
char   *var_etrn_checks;
char   *var_data_checks;
char   *var_eod_checks;
int     var_unk_client_code;
int     var_bad_name_code;
int     var_unk_name_code;
int     var_unk_addr_code;
int     var_relay_code;
int     var_maps_rbl_code;
int     var_map_reject_code;
int     var_map_defer_code;
char   *var_maps_rbl_domains;
char   *var_rbl_reply_maps;
int     var_helo_required;
int     var_reject_code;
int     var_defer_code;
int     var_smtpd_err_sleep;
int     var_non_fqdn_code;
char   *var_bounce_rcpt;
char   *var_error_rcpt;
int     var_smtpd_delay_reject;		/* 0: HELO/EHLO checks run at HELO time */
char   *var_rest_classes;
int     var_strict_rfc821_env;
bool    var_disable_vrfy_cmd;		/* 0: VRFY is announced in EHLO */
char   *var_canonical_maps;
char   *var_send_canon_maps;
char   *var_rcpt_canon_maps;
char   *var_virt_alias_maps;
char   *var_virt_mailbox_maps;
char   *var_alias_maps;
char   *var_local_rcpt_maps;
bool    var_allow_untrust_route;
int     var_smtpd_junk_cmd_limit;
int     var_smtpd_rcpt_overlim;

 /*
  * SASL authentication settings. var_broken_auth_clients additionally
  * announces the legacy "AUTH=" keyword form in the EHLO response.
  */
bool    var_smtpd_sasl_enable;
bool    var_smtpd_sasl_auth_hdr;
char   *var_smtpd_sasl_opts;
char   *var_smtpd_sasl_path;
char   *var_smtpd_sasl_service;
char   *var_cyrus_conf_path;
char   *var_smtpd_sasl_realm;
int     var_smtpd_sasl_resp_limit;
char   *var_smtpd_sasl_exceptions_networks;
char   *var_smtpd_sasl_type;
char   *var_smtpd_sasl_mech_filter;
char   *var_filter_xport;		/* non-empty: written as a FILT queue record */
bool    var_broken_auth_clients;
char   *var_perm_mx_networks;
char   *var_smtpd_snd_auth_maps;
char   *var_smtpd_noop_cmds;
char   *var_smtpd_null_key;
int     var_smtpd_hist_thrsh;		/* passed to chat_reset() on HELO/EHLO */
char   *var_smtpd_exp_filter;
char   *var_def_rbl_reply;
int     var_unv_from_rcode;
int     var_unv_rcpt_rcode;
int     var_unv_from_dcode;
int     var_unv_rcpt_dcode;
char   *var_unv_from_why;
char   *var_unv_rcpt_why;
int     var_mul_rcpt_code;
char   *var_relay_rcpt_maps;
int     var_local_rcpt_code;
int     var_virt_alias_code;
int     var_virt_mailbox_code;
int     var_relay_rcpt_code;
char   *var_verp_clients;
int     var_show_unk_rcpt_table;
int     var_verify_poll_count;
int     var_verify_poll_delay;

 /*
  * Before-queue content filter (proxy) settings, consumed by
  * mail_open_stream().
  */
char   *var_smtpd_proxy_filt;
int     var_smtpd_proxy_tmout;
char   *var_smtpd_proxy_ehlo;
char   *var_smtpd_proxy_opts;
char   *var_input_transp;
int     var_smtpd_policy_tmout;
int     var_smtpd_policy_req_limit;
int     var_smtpd_policy_try_limit;
int     var_smtpd_policy_try_delay;
char   *var_smtpd_policy_def_action;
char   *var_smtpd_policy_context;
int     var_smtpd_policy_idle;
int     var_smtpd_policy_ttl;
char   *var_xclient_hosts;
char   *var_xforward_hosts;
bool    var_smtpd_rej_unl_from;
bool    var_smtpd_rej_unl_rcpt;
char   *var_smtpd_forbid_cmds;

 /*
  * Per-client event rate limits, enforced through the anvil(8) client.
  * var_smtpd_cauth_limit is checked in smtpd_sasl_auth_cmd_wrapper() and
  * is disabled when <= 0; the other limits are enforced outside this
  * excerpt. Clients in var_smtpd_hoggers are presumably exempt from all of
  * them (only the AUTH case is visible here).
  */
int     var_smtpd_crate_limit;
int     var_smtpd_cconn_limit;
int     var_smtpd_cmail_limit;
int     var_smtpd_crcpt_limit;
int     var_smtpd_cntls_limit;
int     var_smtpd_cauth_limit;
int     var_smtpd_cipv4_prefix;
int     var_smtpd_cipv6_prefix;
char   *var_smtpd_hoggers;
char   *var_local_rwr_clients;
char   *var_smtpd_ehlo_dis_words;
char   *var_smtpd_ehlo_dis_maps;

 /*
  * TLS settings. var_smtpd_use_tls gates the STARTTLS keyword in the EHLO
  * response (it is only announced while no TLS context exists yet).
  */
char   *var_smtpd_tls_level;
bool    var_smtpd_use_tls;
bool    var_smtpd_enforce_tls;
bool    var_smtpd_tls_wrappermode;
bool    var_smtpd_tls_auth_only;
char   *var_smtpd_cmd_filter;
char   *var_smtpd_rej_footer;
char   *var_smtpd_rej_ftr_maps;
char   *var_smtpd_acl_perm_log;
char   *var_smtpd_dns_re_filter;

#ifdef USE_TLS
char   *var_smtpd_relay_ccerts;
char   *var_smtpd_sasl_tls_opts;
int     var_smtpd_starttls_tmout;
char   *var_smtpd_tls_CAfile;
char   *var_smtpd_tls_CApath;
bool    var_smtpd_tls_ask_ccert;
int     var_smtpd_tls_ccert_vd;
char   *var_smtpd_tls_cert_file;
char   *var_smtpd_tls_mand_ciph;
char   *var_smtpd_tls_excl_ciph;
char   *var_smtpd_tls_mand_excl;
char   *var_smtpd_tls_dcert_file;
char   *var_smtpd_tls_dh1024_param_file;
char   *var_smtpd_tls_dh512_param_file;
char   *var_smtpd_tls_dkey_file;
char   *var_smtpd_tls_key_file;
char   *var_smtpd_tls_loglevel;
char   *var_smtpd_tls_mand_proto;
bool    var_smtpd_tls_received_header;
bool    var_smtpd_tls_req_ccert;
bool    var_smtpd_tls_set_sessid;
char   *var_smtpd_tls_fpt_dgst;
char   *var_smtpd_tls_ciph;
char   *var_smtpd_tls_proto;
char   *var_smtpd_tls_eecdh;
char   *var_smtpd_tls_eccert_file;
char   *var_smtpd_tls_eckey_file;
char   *var_smtpd_tls_chain_files;

#endif

 /*
  * Milter settings; the per-client Milter list is built by setup_milters()
  * (declared below, defined outside this excerpt).
  */
bool    var_smtpd_peername_lookup;
int     var_plaintext_code;
bool    var_smtpd_delay_open;
char   *var_smtpd_milters;
char   *var_smtpd_milter_maps;
int     var_milt_conn_time;
int     var_milt_cmd_time;
int     var_milt_msg_time;
char   *var_milt_protocol;
char   *var_milt_def_action;
char   *var_milt_daemon_name;
char   *var_milt_v;
char   *var_milt_conn_macros;
char   *var_milt_helo_macros;
char   *var_milt_mail_macros;
char   *var_milt_rcpt_macros;
char   *var_milt_data_macros;
char   *var_milt_eoh_macros;
char   *var_milt_eod_macros;
char   *var_milt_unk_macros;
char   *var_milt_macro_deflts;
bool    var_smtpd_client_port_log;
bool    var_smtpd_forbid_unauth_pipe;
char   *var_stress;

 /*
  * Actions taken when a lookup fails temporarily (the *_tf_act settings).
  */
char   *var_reject_tmpf_act;
char   *var_unk_name_tf_act;
char   *var_unk_addr_tf_act;
char   *var_unv_rcpt_tf_act;
char   *var_unv_from_tf_act;

int     smtpd_proxy_opts;		/* parsed form of var_smtpd_proxy_opts */

#ifdef USE_TLSPROXY
char   *var_tlsproxy_service;

#endif

char   *var_smtpd_uproxy_proto;
int     var_smtpd_uproxy_tmout;
bool    var_relay_before_rcpt_checks;
bool    var_smtpd_req_deadline;
int     var_smtpd_min_data_rate;
char   *var_hfrom_format;
bool    var_smtpd_forbid_bare_lf;
char   *var_smtpd_forbid_bare_lf_excl;
static NAMADR_LIST *bare_lf_excl;	/* parsed var_smtpd_forbid_bare_lf_excl; built elsewhere */
1544 
1545  /*
1546   * Silly little macros.
1547   */
#define STR(x)	vstring_str(x)
#define LEN(x)	VSTRING_LEN(x)

 /*
  * EHLO keyword filter. A lookup error on this table aborts the session in
  * ehlo_cmd() rather than announcing a guessed keyword list.
  */
static MAPS *ehlo_discard_maps;

 /*
  * Per-client Milter support.
  */
static MAPS *smtpd_milter_maps;
static void setup_milters(SMTPD_STATE *);
static void teardown_milters(SMTPD_STATE *);

 /*
  * VERP command name.
  */
#define VERP_CMD	"XVERP"
#define VERP_CMD_LEN	5

static NAMADR_LIST *verp_clients;	/* clients that may use XVERP */

 /*
  * XCLIENT command. Access control is cached, so that XCLIENT can't override
  * its own access control. The cached result also decides whether the
  * XCLIENT keyword is announced in EHLO, and whether the AUTH rate limit is
  * applied (it is skipped after a permitted XCLIENT).
  */
static NAMADR_LIST *xclient_hosts;
static int xclient_allowed;		/* XXX should be SMTPD_STATE member */

 /*
  * XFORWARD command. Access control is cached.
  */
static NAMADR_LIST *xforward_hosts;
static int xforward_allowed;		/* XXX should be SMTPD_STATE member */

 /*
  * Client connection and rate limiting. hogger_list names clients that are
  * exempt from the rate limits.
  */
ANVIL_CLNT *anvil_clnt;
static NAMADR_LIST *hogger_list;

 /*
  * Other application-specific globals.
  */
int     smtpd_input_transp_mask;

 /*
  * Forward declarations.
  */
static void helo_reset(SMTPD_STATE *);
static void mail_reset(SMTPD_STATE *);
static void rcpt_reset(SMTPD_STATE *);
static void chat_reset(SMTPD_STATE *, int);

#ifdef USE_TLS
static void tls_reset(SMTPD_STATE *);

#endif

 /*
  * This filter is applied after printable(). Characters in this set are
  * replaced in the stored HELO name so that it cannot inject separators
  * into log lines or headers that embed it.
  */
#define NEUTER_CHARACTERS " <>()\\\";@"

 /*
  * Reasons for losing the client.
  */
#define REASON_TIMEOUT		"timeout"
#define REASON_LOST_CONNECTION	"lost connection"
#define REASON_ERROR_LIMIT	"too many errors"
#define REASON_BARE_LF		"bare <LF> received"

#ifdef USE_TLS

 /*
  * TLS initialization status.
  */
#ifndef USE_TLSPROXY
static TLS_APPL_STATE *smtpd_tls_ctx;
static int ask_client_cert;

#endif					/* USE_TLSPROXY */
#endif

 /*
  * SMTP command mapping for broken clients.
  */
static DICT *smtpd_cmd_filter;

 /*
  * Parsed header_from_format setting.
  */
int     smtpd_hfrom_format;

#ifdef USE_SASL_AUTH

 /*
  * SASL exceptions: clients that must not be offered AUTH (see
  * sasl_client_exception()).
  */
static NAMADR_LIST *sasl_exceptions_networks;
1649 
1650 /* sasl_client_exception - can we offer AUTH for this client */
1651 
static int sasl_client_exception(SMTPD_STATE *state)
{
    int     result;

    /*
     * Work-around for a Netscape mail client bug: the client tries to use
     * AUTH whenever it is offered, even when the user never configured it.
     * Clients matched by sasl_exceptions_networks are therefore not offered
     * AUTH. A non-zero result means "this client is an exception, do not
     * announce AUTH"; the caller (ehlo_cmd) negates it.
     *
     * No exception list configured means no exceptions.
     */
    if (sasl_exceptions_networks == 0)
	return (0);

    /*
     * A zero match result may hide a lookup error. Fold the list's error
     * status into the result so that a broken table does not silently
     * look like "no match"; the caller tests ->error and aborts the session
     * in that case.
     */
    result = namadr_list_match(sasl_exceptions_networks,
			       state->name, state->addr);
    if (result == 0)
	result = sasl_exceptions_networks->error;

    if (msg_verbose)
	msg_info("sasl_exceptions: %s, match=%d",
		 state->namaddr, result);

    return (result);
}
1674 
1675 #endif
1676 
1677 /* smtpd_whatsup - gather available evidence for logging */
1678 
static const char *smtpd_whatsup(SMTPD_STATE *state)
{
    static VSTRING *evidence = 0;	/* allocated once, recycled, never freed */

    /*
     * Collect whatever session facts are known for a log line. The result
     * lives in a single static buffer, so it is only valid until the next
     * call; callers must consume it immediately (check_milter_reply does).
     */
    if (evidence != 0)
	VSTRING_RESET(evidence);
    else
	evidence = vstring_alloc(100);

    /*
     * Every item carries a leading space so the string can be glued to the
     * end of a log line as-is.
     */
    if (state->sender != 0)
	vstring_sprintf_append(evidence, " from=<%s>",
			       info_log_addr_form_sender(state->sender));
    if (state->recipient != 0)
	vstring_sprintf_append(evidence, " to=<%s>",
			    info_log_addr_form_recipient(state->recipient));
    if (state->protocol != 0)
	vstring_sprintf_append(evidence, " proto=%s", state->protocol);
    if (state->helo_name != 0)
	vstring_sprintf_append(evidence, " helo=<%s>", state->helo_name);
#ifdef USE_SASL_AUTH
    if (state->sasl_username != 0)
	vstring_sprintf_append(evidence, " sasl_username=<%s>",
			       state->sasl_username);
#endif
    return (STR(evidence));
}
1704 
1705 /* collapse_args - put arguments together again */
1706 
static void collapse_args(int argc, SMTPD_TOKEN *argv)
{
    SMTPD_TOKEN *tp = argv + 1;
    int     remaining = argc - 1;

    /*
     * Re-join tokens 1..argc-1 onto token 0, one space between each, then
     * repoint token 0's C string at the grown buffer. Only argv[0].vstrval
     * is modified; the other tokens are left as they are.
     */
    while (remaining-- > 0) {
	vstring_strcat(argv[0].vstrval, " ");
	vstring_strcat(argv[0].vstrval, tp->strval);
	tp += 1;
    }
    argv[0].strval = STR(argv[0].vstrval);
}
1717 
1718 /* check_milter_reply - process reply from Milter */
1719 
static const char *check_milter_reply(SMTPD_STATE *state, const char *reply)
{
    const char *queue_id = state->queue_id ? state->queue_id : "NOQUEUE";
    const char *action;
    const char *text = 0;
    int     code = reply[0];

    /*
     * Map a Milter reply to (a) cleanup/error flags on the session state,
     * (b) a log line, and (c) the SMTP reply to send, or null when the
     * action is not an SMTP reject (HOLD, DISCARD).
     *
     * The syntax of user-specified SMTP replies is checked by the Milter
     * module, because the replies are also used in the cleanup server.
     * Automatically disconnect after 421 (shutdown) reply. The Sendmail 8
     * Milter quarantine action is not final, so it is not included in
     * MILTER_SKIP_FLAGS.
     */
#define MILTER_SKIP_FLAGS (CLEANUP_FLAG_DISCARD)

    if (code == 'H') {
	/* Accept, but hold the message in the queue. */
	state->saved_flags |= CLEANUP_FLAG_HOLD;
	action = "milter-hold";
	text = "milter triggers HOLD action";
	reply = 0;
    } else if (code == 'D') {
	/* Accept, but throw the message away. */
	state->saved_flags |= CLEANUP_FLAG_DISCARD;
	action = "milter-discard";
	text = "milter triggers DISCARD action";
	reply = 0;
    } else if (code == 'S') {
	/* Shutdown: replace the Milter's reply with a fixed 421. */
	state->error_mask |= MAIL_ERROR_POLICY;
	action = "milter-reject";
	reply = "421 4.7.0 Server closing connection";
    } else if (code == '4' || code == '5') {
	/* Temporary or permanent reject: pass the Milter's reply through. */
	state->error_mask |= MAIL_ERROR_POLICY;
	action = "milter-reject";
    } else {
	/* Anything else is a misconfigured Milter reply; fail safe. */
	state->error_mask |= MAIL_ERROR_SOFTWARE;
	action = "reject";
	reply = "421 4.3.5 Server configuration error";
    }
    msg_info("%s: %s: %s from %s: %s;%s", queue_id, action, state->where,
	     state->namaddr, reply ? reply : text, smtpd_whatsup(state));
    return (reply);
}
1771 
1772 /* helo_cmd - process HELO command */
1773 
static int helo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *reply;

    /*
     * Process "HELO hostname". Returns 0 on success (a 250 reply was sent)
     * and -1 after sending a reject or error reply.
     *
     * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other
     * than the initial greeting and any response to HELO or EHLO are
     * prefaced with a status code as defined in RFC 3463.
     */
    if (argc < 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 Syntax: HELO hostname");
	return (-1);
    }
    /* A hostname with embedded spaces is glued back into one argument. */
    if (argc > 2)
	collapse_args(argc - 1, argv + 1);

    /*
     * Apply the HELO access checks now, unless this is a stand-alone server
     * or rejects are delayed to a later stage (smtpd_delay_reject).
     */
    if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_delay_reject == 0) {
	reply = smtpd_check_helo(state, argv[1].strval);
	if (reply != 0) {
	    smtpd_chat_reply(state, "%s", reply);
	    return (-1);
	}
    }

    /*
     * XXX Sendmail compatibility: if a Milter rejects CONNECT, EHLO, or
     * HELO, reply with 250 except in case of 421 (disconnect). The reply
     * persists so it will apply to MAIL FROM and to other commands such as
     * AUTH, STARTTLS, and VRFY.
     *
     * PUSH_STRING/POP_STRING are also used by ehlo_cmd(); they must stay
     * defined here.
     */
#define PUSH_STRING(old, curr, new)	{ char *old = (curr); (curr) = (new);
#define POP_STRING(old, curr)		(curr) = old; }

    if (state->milters != 0
	&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
	reply = milter_helo_event(state->milters, argv[1].strval, 0);
	if (reply != 0) {
	    /* Log reject etc. with correct HELO information. */
	    PUSH_STRING(saved_helo, state->helo_name, argv[1].strval);
	    reply = check_milter_reply(state, reply);
	    POP_STRING(saved_helo, state->helo_name);
	    /* Only a 421 ends the session here; other rejects are deferred. */
	    if (reply != 0 && strncmp(reply, "421", 3) == 0) {
		smtpd_chat_reply(state, "%s", reply);
		return (-1);
	    }
	}
    }

    /*
     * A new HELO discards the previous HELO name, the command history
     * threshold state, and any pending MAIL FROM / RCPT TO state before
     * the sanitized new name is stored.
     */
    if (state->helo_name != 0)
	helo_reset(state);
    chat_reset(state, var_smtpd_hist_thrsh);
    mail_reset(state);
    rcpt_reset(state);
    state->helo_name = mystrdup(printable(argv[1].strval, '?'));
    neuter(state->helo_name, NEUTER_CHARACTERS, '?');

    /* Downgrading the protocol name breaks the unauthorized pipelining test. */
    if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
	&& strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) {
	myfree(state->protocol);
	state->protocol = mystrdup(MAIL_PROTO_SMTP);
    }
    smtpd_chat_reply(state, "250 %s", var_myhostname);
    return (0);
}
1834 
1835 /* cant_announce_feature - explain and terminate this session */
1836 
static NORETURN cant_announce_feature(SMTPD_STATE *state, const char *feature)
{
    const char *client = state->namaddr;

    /*
     * A lookup needed to decide whether to announce an EHLO keyword failed.
     * Rather than guess, log the problem and abandon the session through
     * the stream's error handler; this never returns.
     */
    msg_warn("don't know if EHLO feature %s should be announced to %s",
	     feature, client);
    vstream_longjmp(state->client, SMTP_ERR_DATA);
}
1843 
1844 /* cant_permit_command - explain and terminate this session */
1845 
static NORETURN cant_permit_command(SMTPD_STATE *state, const char *command)
{
    const char *client = state->namaddr;

    /*
     * A lookup needed to decide whether a command is allowed failed. Log it
     * and abandon the session through the stream's error handler instead of
     * guessing; this never returns.
     */
    msg_warn("don't know if command %s should be allowed from %s",
	     command, client);
    vstream_longjmp(state->client, SMTP_ERR_DATA);
}
1852 
1853 /* ehlo_cmd - process EHLO command */
1854 
static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;			/* Milter reply for EHLO, or null */
    int     discard_mask;		/* EHLO_MASK_* bits of keywords to omit */
    char  **cpp;

    /*
     * Process "EHLO hostname": validate, reset the transaction, then build
     * and send the multi-line keyword list. Returns 0 on success and -1
     * after a reject or error reply. Lookup failures while deciding which
     * keywords to announce do not return at all: they longjmp out through
     * cant_announce_feature() or the equivalent code below.
     *
     * XXX 2821 new feature: Section 4.1.4 specifies that a server must clear
     * all buffers and reset the state exactly as if a RSET command had been
     * issued.
     *
     * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other
     * than the initial greeting and any response to HELO or EHLO are
     * prefaced with a status code as defined in RFC 3463.
     */
    if (argc < 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 Syntax: EHLO hostname");
	return (-1);
    }
    if (argc > 2)
	collapse_args(argc - 1, argv + 1);
    /* HELO access checks, unless stand-alone or rejects are delayed. */
    if (SMTPD_STAND_ALONE(state) == 0
	&& var_smtpd_delay_reject == 0
	&& (err = smtpd_check_helo(state, argv[1].strval)) != 0) {
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }

    /*
     * XXX Sendmail compatibility: if a Milter 5xx rejects CONNECT, EHLO, or
     * HELO, reply with ENHANCEDSTATUSCODES except in case of immediate
     * disconnect. The reply persists so it will apply to MAIL FROM and to
     * other commands such as AUTH, STARTTLS, and VRFY.
     *
     * err must be reset here: a non-null value below means "a Milter
     * rejected this EHLO" and is consulted again when the keyword list is
     * trimmed.
     */
    err = 0;
    if (state->milters != 0
	&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0
     && (err = milter_helo_event(state->milters, argv[1].strval, 1)) != 0) {
	/* Log reject etc. with correct HELO information. */
	PUSH_STRING(saved_helo, state->helo_name, argv[1].strval);
	err = check_milter_reply(state, err);
	POP_STRING(saved_helo, state->helo_name);
	/* Only a 421 terminates now; other rejects take effect later. */
	if (err != 0 && strncmp(err, "421", 3) == 0) {
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }
    /* Reset as if RSET had been issued, then store the sanitized name. */
    if (state->helo_name != 0)
	helo_reset(state);
    chat_reset(state, var_smtpd_hist_thrsh);
    mail_reset(state);
    rcpt_reset(state);
    state->helo_name = mystrdup(printable(argv[1].strval, '?'));
    neuter(state->helo_name, NEUTER_CHARACTERS, '?');

    /*
     * XXX reject_unauth_pipelining depends on the following. If the user
     * sends EHLO then we announce PIPELINING and we can't accuse them of
     * using pipelining in places where it is allowed.
     *
     * XXX The reject_unauth_pipelining test needs to change and also account
     * for mechanisms that disable PIPELINING selectively.
     */
    if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0) {
	myfree(state->protocol);
	state->protocol = mystrdup(MAIL_PROTO_ESMTP);
    }

    /*
     * Build the EHLO response, producing no output until we know what to
     * send - this simplifies exception handling. The CRLF record boundaries
     * don't exist at this level in the code, so we represent multi-line
     * output as an array of single-line responses.
     *
     * Note that EHLO_APPEND passes cmd as the format string: it is only
     * ever used with literal strings below.
     */
#define EHLO_APPEND(state, cmd) \
    do { \
	vstring_sprintf((state)->ehlo_buf, (cmd)); \
	argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \
    } while (0)

#define EHLO_APPEND1(state, cmd, arg) \
    do { \
	vstring_sprintf((state)->ehlo_buf, (cmd), (arg)); \
	argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \
    } while (0)

    /*
     * XXX Sendmail compatibility: if a Milter 5XX rejects CONNECT, EHLO, or
     * HELO, reply with ENHANCEDSTATUSCODES only. The reply persists so it
     * will apply to MAIL FROM, but we currently don't have a proper
     * mechanism to apply Milter rejects to AUTH, STARTTLS, VRFY, and other
     * commands while still allowing HELO/EHLO.
     *
     * Setting every bit except EHLO_MASK_ENHANCEDSTATUSCODES suppresses all
     * other keywords below.
     */
    discard_mask = state->ehlo_discard_mask;
    if (err != 0 && err[0] == '5')
	discard_mask |= ~EHLO_MASK_ENHANCEDSTATUSCODES;
    /* Log what is being withheld, unless the configuration asked for silence. */
    if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
	if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
	    msg_info("discarding EHLO keywords: %s", str_ehlo_mask(discard_mask));
    /* A broken discard table: abort rather than announce a guessed list. */
    if (ehlo_discard_maps && ehlo_discard_maps->error) {
	msg_warn("don't know what EHLO features to announce to %s",
		 state->namaddr);
	vstream_longjmp(state->client, SMTP_ERR_DATA);
    }

    /*
     * These may still exist after a prior exception (a longjmp out of this
     * function leaves them allocated; helo_reset() also frees them).
     */
    if (state->ehlo_argv == 0) {
	state->ehlo_argv = argv_alloc(10);
	state->ehlo_buf = vstring_alloc(10);
    } else
	argv_truncate(state->ehlo_argv, 0);

    /*
     * Each keyword is announced only when its bit is clear in discard_mask.
     * Where announcing depends on a table lookup, a lookup error aborts the
     * session via cant_announce_feature().
     */
    EHLO_APPEND1(state, "%s", var_myhostname);
    if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
	EHLO_APPEND(state, "PIPELINING");
    if ((discard_mask & EHLO_MASK_SIZE) == 0) {
	if (ENFORCING_SIZE_LIMIT(var_message_limit))
	    EHLO_APPEND1(state, "SIZE %lu",
			 (unsigned long) var_message_limit);	/* XXX */
	else
	    EHLO_APPEND(state, "SIZE");
    }
    if ((discard_mask & EHLO_MASK_VRFY) == 0)
	if (var_disable_vrfy_cmd == 0)
	    EHLO_APPEND(state, SMTPD_CMD_VRFY);
    if ((discard_mask & EHLO_MASK_ETRN) == 0)
	EHLO_APPEND(state, SMTPD_CMD_ETRN);
#ifdef USE_TLS
    /* STARTTLS is offered only while the session is still in plaintext. */
    if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
	if (var_smtpd_use_tls && (!state->tls_context))
	    EHLO_APPEND(state, SMTPD_CMD_STARTTLS);
#endif
#ifdef USE_SASL_AUTH
#ifndef AUTH_CMD
#define AUTH_CMD	"AUTH"
#endif
    /* The "AUTH=" form is a concession to older, non-conforming clients. */
    if ((discard_mask & EHLO_MASK_AUTH) == 0) {
	if (smtpd_sasl_is_active(state) && !sasl_client_exception(state)) {
	    EHLO_APPEND1(state, "AUTH %s", state->sasl_mechanism_list);
	    if (var_broken_auth_clients)
		EHLO_APPEND1(state, "AUTH=%s", state->sasl_mechanism_list);
	} else if (sasl_exceptions_networks && sasl_exceptions_networks->error)
	    cant_announce_feature(state, AUTH_CMD);
    }
#define XCLIENT_LOGIN_KLUDGE	" " XCLIENT_LOGIN
#else
#define XCLIENT_LOGIN_KLUDGE	""
#endif
    if ((discard_mask & EHLO_MASK_VERP) == 0) {
	if (namadr_list_match(verp_clients, state->name, state->addr))
	    EHLO_APPEND(state, VERP_CMD);
	else if (verp_clients && verp_clients->error)
	    cant_announce_feature(state, VERP_CMD);
    }
    /* XCLIENT must not override its own access control. */
    if ((discard_mask & EHLO_MASK_XCLIENT) == 0) {
	if (xclient_allowed)
	    EHLO_APPEND(state, XCLIENT_CMD
			" " XCLIENT_NAME " " XCLIENT_ADDR
			" " XCLIENT_PROTO " " XCLIENT_HELO
			" " XCLIENT_REVERSE_NAME " " XCLIENT_PORT
			XCLIENT_LOGIN_KLUDGE
			" " XCLIENT_DESTADDR
			" " XCLIENT_DESTPORT);
	else if (xclient_hosts && xclient_hosts->error)
	    cant_announce_feature(state, XCLIENT_CMD);
    }
    if ((discard_mask & EHLO_MASK_XFORWARD) == 0) {
	if (xforward_allowed)
	    EHLO_APPEND(state, XFORWARD_CMD
			" " XFORWARD_NAME " " XFORWARD_ADDR
			" " XFORWARD_PROTO " " XFORWARD_HELO
			" " XFORWARD_DOMAIN " " XFORWARD_PORT
			" " XFORWARD_IDENT);
	else if (xforward_hosts && xforward_hosts->error)
	    cant_announce_feature(state, XFORWARD_CMD);
    }
    if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
	EHLO_APPEND(state, "ENHANCEDSTATUSCODES");
    if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
	EHLO_APPEND(state, "8BITMIME");
    if ((discard_mask & EHLO_MASK_DSN) == 0)
	EHLO_APPEND(state, "DSN");
    if (var_smtputf8_enable && (discard_mask & EHLO_MASK_SMTPUTF8) == 0)
	EHLO_APPEND(state, "SMTPUTF8");
    if ((discard_mask & EHLO_MASK_CHUNKING) == 0)
	EHLO_APPEND(state, "CHUNKING");

    /*
     * Send the reply. cpp[1] is the next line or the terminating null, so
     * every line but the last gets the "250-" continuation form.
     */
    for (cpp = state->ehlo_argv->argv; *cpp; cpp++)
	smtpd_chat_reply(state, "250%c%s", cpp[1] ? '-' : ' ', *cpp);

    /*
     * Clean up.
     */
    argv_free(state->ehlo_argv);
    state->ehlo_argv = 0;
    vstring_free(state->ehlo_buf);
    state->ehlo_buf = 0;

    return (0);
}
2062 
2063 /* helo_reset - reset HELO/EHLO command stuff */
2064 
static void helo_reset(SMTPD_STATE *state)
{
    char   *name = state->helo_name;
    ARGV   *keywords = state->ehlo_argv;
    VSTRING *scratch = state->ehlo_buf;

    /*
     * Forget the HELO name; Milters, if any, are told to abort so that
     * they do not keep acting on the old name. Then release the EHLO
     * response scratch storage, which may be left over from an aborted
     * ehlo_cmd().
     */
    if (name != 0) {
	state->helo_name = 0;
	myfree(name);
	if (state->milters != 0)
	    milter_abort(state->milters);
    }
    if (keywords != 0) {
	state->ehlo_argv = 0;
	argv_free(keywords);
    }
    if (scratch != 0) {
	state->ehlo_buf = 0;
	vstring_free(scratch);
    }
}
2082 
2083 #ifdef USE_SASL_AUTH
2084 
2085 /* smtpd_sasl_auth_cmd_wrapper - smtpd_sasl_auth_cmd front-end */
2086 
static int smtpd_sasl_auth_cmd_wrapper(SMTPD_STATE *state, int argc,
				               SMTPD_TOKEN *argv)
{
    int     rate;
    int     over_limit = 0;

    /*
     * Per-client AUTH command rate limit, counted by anvil(8). The check is
     * skipped in stand-alone mode, after a permitted XCLIENT, when there is
     * no anvil client, when the limit is disabled (<= 0), and for clients on
     * the hogger exemption list. A non-OK anvil status is treated as "not
     * over the limit", so an anvil failure does not block AUTH (presumably
     * deliberate; confirm if a fail-closed policy is wanted).
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& !xclient_allowed
	&& anvil_clnt
	&& var_smtpd_cauth_limit > 0
	&& !namadr_list_match(hogger_list, state->name, state->addr)) {
	if (anvil_clnt_auth(anvil_clnt, state->service, state->anvil_range,
			    &rate) == ANVIL_STAT_OK)
	    over_limit = (rate > var_smtpd_cauth_limit);
    }
    if (over_limit) {
	/* rate is only read here, after anvil reported it successfully. */
	state->error_mask |= MAIL_ERROR_POLICY;
	msg_warn("AUTH command rate limit exceeded: %d from %s for service %s",
		 rate, state->namaddr, state->service);
	smtpd_chat_reply(state,
			 "450 4.7.1 Error: too many AUTH commands from %s",
			 state->addr);
	return (-1);
    }
    return (smtpd_sasl_auth_cmd(state, argc, argv));
}
2110 
2111 #endif
2112 
2113 /* mail_open_stream - open mail queue file or IPC stream */
2114 
mail_open_stream(SMTPD_STATE * state)2115 static int mail_open_stream(SMTPD_STATE *state)
2116 {
2117 
2118     /*
2119      * Connect to the before-queue filter when one is configured. The MAIL
2120      * FROM and RCPT TO commands are forwarded as received (including DSN
2121      * attributes), with the exception that the before-filter smtpd process
2122      * handles all authentication, encryption, access control and relay
2123      * control, and that the before-filter smtpd process does not forward
2124      * blocked commands. If the after-filter smtp server does not support
2125      * some of Postfix's ESMTP features, then they must be turned off in the
2126      * before-filter smtpd process with the smtpd_discard_ehlo_keywords
2127      * feature.
2128      */
2129     if (state->proxy_mail) {
2130 	if (smtpd_proxy_create(state, smtpd_proxy_opts, var_smtpd_proxy_filt,
2131 			       var_smtpd_proxy_tmout, var_smtpd_proxy_ehlo,
2132 			       state->proxy_mail) != 0) {
2133 	    smtpd_chat_reply(state, "%s", STR(state->proxy->reply));
2134 	    smtpd_proxy_free(state);
2135 	    return (-1);
2136 	}
2137     }
2138 
2139     /*
2140      * If running from the master or from inetd, connect to the cleanup
2141      * service.
2142      *
2143      * XXX 2821: An SMTP server is not allowed to "clean up" mail except in the
2144      * case of original submissions.
2145      *
2146      * We implement this by distinguishing between mail that we are willing to
2147      * rewrite (the local rewrite context) and mail from elsewhere.
2148      */
2149     else if (SMTPD_STAND_ALONE(state) == 0) {
2150 	int     cleanup_flags;
2151 
2152 	cleanup_flags = input_transp_cleanup(CLEANUP_FLAG_MASK_EXTERNAL,
2153 					     smtpd_input_transp_mask)
2154 	    | CLEANUP_FLAG_SMTP_REPLY;
2155 	if (state->flags & SMTPD_FLAG_SMTPUTF8)
2156 	    cleanup_flags |= CLEANUP_FLAG_SMTPUTF8;
2157 	else
2158 	    cleanup_flags |= smtputf8_autodetect(MAIL_SRC_MASK_SMTPD);
2159 	state->dest = mail_stream_service(MAIL_CLASS_PUBLIC,
2160 					  var_cleanup_service);
2161 	if (state->dest == 0
2162 	    || attr_print(state->dest->stream, ATTR_FLAG_NONE,
2163 			  SEND_ATTR_INT(MAIL_ATTR_FLAGS, cleanup_flags),
2164 			  ATTR_TYPE_END) != 0)
2165 	    msg_fatal("unable to connect to the %s %s service",
2166 		      MAIL_CLASS_PUBLIC, var_cleanup_service);
2167     }
2168 
2169     /*
2170      * Otherwise, pipe the message through the privileged postdrop helper.
2171      * XXX Make postdrop a manifest constant.
2172      */
2173     else {
2174 	char   *postdrop_command;
2175 
2176 	postdrop_command = concatenate(var_command_dir, "/postdrop",
2177 			      msg_verbose ? " -v" : (char *) 0, (char *) 0);
2178 	state->dest = mail_stream_command(postdrop_command);
2179 	if (state->dest == 0)
2180 	    msg_fatal("unable to execute %s", postdrop_command);
2181 	myfree(postdrop_command);
2182     }
2183 
2184     /*
2185      * Record the time of arrival, the SASL-related stuff if applicable, the
2186      * sender envelope address, some session information, and some additional
2187      * attributes.
2188      *
2189      * XXX Send Milter information first, because this will hang when cleanup
2190      * goes into "throw away" mode. Also, cleanup needs to know early on
2191      * whether or not it has to do its own SMTP event emulation.
2192      *
2193      * XXX At this point we send only dummy information to keep the cleanup
2194      * server from using its non_smtpd_milters settings. We have to send
2195      * up-to-date Milter information after DATA so that the cleanup server
2196      * knows the actual Milter state.
2197      */
2198     if (state->dest) {
2199 	state->cleanup = state->dest->stream;
2200 	state->queue_id = mystrdup(state->dest->id);
2201 	if (SMTPD_STAND_ALONE(state) == 0) {
2202 	    if (state->milters != 0
2203 		&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
2204 		/* Send place-holder smtpd_milters list. */
2205 		(void) milter_dummy(state->milters, state->cleanup);
2206 	    rec_fprintf(state->cleanup, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
2207 			REC_TYPE_TIME_ARG(state->arrival_time));
2208 	    if (*var_filter_xport)
2209 		rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s", var_filter_xport);
2210 	    if (FORWARD_IDENT(state))
2211 		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2212 			    MAIL_ATTR_LOG_IDENT, FORWARD_IDENT(state));
2213 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2214 			MAIL_ATTR_RWR_CONTEXT, FORWARD_DOMAIN(state));
2215 #ifdef USE_SASL_AUTH
2216 	    /* Make external authentication painless (e.g., XCLIENT). */
2217 	    if (state->sasl_method)
2218 		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2219 			    MAIL_ATTR_SASL_METHOD, state->sasl_method);
2220 	    if (state->sasl_username)
2221 		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2222 			    MAIL_ATTR_SASL_USERNAME, state->sasl_username);
2223 	    if (state->sasl_sender)
2224 		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2225 			    MAIL_ATTR_SASL_SENDER, state->sasl_sender);
2226 #endif
2227 
2228 	    /*
2229 	     * Record DSN related information that was received with the MAIL
2230 	     * FROM command.
2231 	     *
2232 	     * RFC 3461 Section 5.2.1. If no ENVID parameter was included in the
2233 	     * MAIL command when the message was received, the ENVID
2234 	     * parameter MUST NOT be supplied when the message is relayed.
2235 	     * Ditto for the RET parameter.
2236 	     *
2237 	     * In other words, we can't simply make up our default ENVID or RET
2238 	     * values. We have to remember whether the client sent any.
2239 	     *
2240 	     * We store DSN information as named attribute records so that we
2241 	     * don't have to pollute the queue file with records that are
2242 	     * incompatible with past Postfix versions. Preferably, people
2243 	     * should be able to back out from an upgrade without losing
2244 	     * mail.
2245 	     */
2246 	    if (state->dsn_envid)
2247 		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2248 			    MAIL_ATTR_DSN_ENVID, state->dsn_envid);
2249 	    if (state->dsn_ret)
2250 		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
2251 			    MAIL_ATTR_DSN_RET, state->dsn_ret);
2252 	}
2253 	rec_fputs(state->cleanup, REC_TYPE_FROM, state->sender);
2254 	if (state->encoding != 0)
2255 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2256 			MAIL_ATTR_ENCODING, state->encoding);
2257 
2258 	/*
2259 	 * Store client attributes.
2260 	 */
2261 	if (SMTPD_STAND_ALONE(state) == 0) {
2262 
2263 	    /*
2264 	     * Attributes for logging, also used for XFORWARD.
2265 	     *
2266 	     * We store all client attributes, including ones with unknown
2267 	     * values. Otherwise, an unknown client hostname would be treated
2268 	     * as a non-existent hostname (i.e. local submission).
2269 	     */
2270 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2271 			MAIL_ATTR_LOG_CLIENT_NAME, FORWARD_NAME(state));
2272 	    /* XXX Note: state->rfc_addr, not state->addr. */
2273 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2274 			MAIL_ATTR_LOG_CLIENT_ADDR, FORWARD_ADDR(state));
2275 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2276 			MAIL_ATTR_LOG_CLIENT_PORT, FORWARD_PORT(state));
2277 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2278 			MAIL_ATTR_LOG_ORIGIN, FORWARD_NAMADDR(state));
2279 	    if (FORWARD_HELO(state))
2280 		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2281 			    MAIL_ATTR_LOG_HELO_NAME, FORWARD_HELO(state));
2282 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2283 			MAIL_ATTR_LOG_PROTO_NAME, FORWARD_PROTO(state));
2284 
2285 	    /*
2286 	     * Attributes with actual client information. These are used by
2287 	     * the smtpd Milter client for policy decisions. Mail that is
2288 	     * requeued with "postsuper -r" is not subject to processing by
2289 	     * the cleanup Milter client, because a) it has already been
2290 	     * filtered, and b) we don't have sufficient information to
2291 	     * reproduce the exact same SMTP events and Sendmail macros that
2292 	     * the smtpd Milter client received when the message originally
2293 	     * arrived in Postfix.
2294 	     */
2295 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2296 			MAIL_ATTR_ACT_CLIENT_NAME, state->name);
2297 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2298 		    MAIL_ATTR_ACT_REVERSE_CLIENT_NAME, state->reverse_name);
2299 	    /* XXX Note: state->addr, not state->rfc_addr. */
2300 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2301 			MAIL_ATTR_ACT_CLIENT_ADDR, state->addr);
2302 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2303 			MAIL_ATTR_ACT_CLIENT_PORT, state->port);
2304 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2305 			MAIL_ATTR_ACT_SERVER_ADDR, state->dest_addr);
2306 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2307 			MAIL_ATTR_ACT_SERVER_PORT, state->dest_port);
2308 	    if (state->helo_name)
2309 		rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2310 			    MAIL_ATTR_ACT_HELO_NAME, state->helo_name);
2311 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2312 			MAIL_ATTR_ACT_PROTO_NAME, state->protocol);
2313 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%u",
2314 			MAIL_ATTR_ACT_CLIENT_AF, state->addr_family);
2315 
2316 	    /*
2317 	     * Don't send client certificate down the pipeline unless it is
2318 	     * a) verified or b) just a fingerprint.
2319 	     */
2320 	}
2321 	if (state->verp_delims)
2322 	    rec_fputs(state->cleanup, REC_TYPE_VERP, state->verp_delims);
2323     }
2324 
2325     /*
2326      * Log the queue ID with the message origin.
2327      */
2328 #define PRINT_OR_NULL(cond, str) \
2329 	    ((cond) ? (str) : "")
2330 #define PRINT2_OR_NULL(cond, name, value) \
2331 	    PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value))
2332 
2333     msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s",
2334 	     (state->queue_id ? state->queue_id : "NOQUEUE"),
2335 	     state->namaddr,
2336 #ifdef USE_SASL_AUTH
2337 	     PRINT2_OR_NULL(state->sasl_method,
2338 			    ", sasl_method=", state->sasl_method),
2339 	     PRINT2_OR_NULL(state->sasl_username,
2340 			    ", sasl_username=", state->sasl_username),
2341 	     PRINT2_OR_NULL(state->sasl_sender,
2342 			    ", sasl_sender=", state->sasl_sender),
2343 #else
2344 	     "", "", "", "", "", "",
2345 #endif
2346     /* Insert transaction TLS status here. */
2347 	     PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state),
2348 			    ", orig_queue_id=", FORWARD_IDENT(state)),
2349 	     PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state),
2350 			    ", orig_client=", FORWARD_NAMADDR(state)));
2351     return (0);
2352 }
2353 
2354 /* extract_addr - extract address from rubble */
2355 
static int extract_addr(SMTPD_STATE *state, SMTPD_TOKEN *arg,
			        int allow_empty_addr, int strict_rfc821,
			        int smtputf8)
{
    const char *myname = "extract_addr";
    char   *raw = STR(arg->vstrval);		/* client's external form */
    ssize_t raw_len = LEN(arg->vstrval);
    char   *unbracketed = 0;			/* heap copy, brackets removed */
    char   *parse_me;
    char   *route_end;
    TOK822 *tree;
    TOK822 *node;
    TOK822 *last_addr = 0;
    int     addr_count = 0;
    int     junk_count = 0;
    int     bad = 0;

    /*
     * Values for the allow_empty_addr argument. The callers in this file use
     * PERMIT_EMPTY_ADDR for MAIL FROM (the null sender is legal) and
     * REJECT_EMPTY_ADDR for RCPT TO.
     */
#define PERMIT_EMPTY_ADDR	1
#define REJECT_EMPTY_ADDR	0

    /*
     * Pull the envelope address out of whatever the client sent: some
     * mailers put RFC 822 style forms (comments, phrases) into SMTP
     * envelopes, and the tokenizer deliberately leaves the text in its
     * quoted (external) form so the RFC 822 parser can dig the address out.
     *
     * Result: the internalized address is left in state->addr_buf (empty
     * string when no address was found); arg->vstrval is not rewritten so
     * that callers and log messages can still see the original text. The
     * return value is 0 when the address is acceptable, 1 otherwise; the
     * caller is responsible for the SMTP reply.
     */
    if (msg_verbose)
	msg_info("%s: input: %s", myname, raw);

    /*
     * Peel off one pair of enclosing angle brackets into a private copy, so
     * that the token text survives unmodified. When raw_len is 0, raw[0] is
     * the terminator and the && short-circuits before raw[-1] is touched.
     */
    if (raw[0] == '<' && raw[raw_len - 1] == '>') {
	unbracketed = mystrndup(raw + 1, raw_len - 2);
	parse_me = unbracketed;
    } else {
	parse_me = raw;
    }

    /*
     * Skip a deprecated "@host,@host:" source-route prefix; only the text
     * after the colon is parsed.
     */
    if (*parse_me == '@' && (route_end = strchr(parse_me, ':')) != 0)
	parse_me = route_end + 1;

    /*
     * The only address parser available implements RFC 822, which differs
     * subtly from the RFC 821 envelope grammar; the "strict" checks below
     * are layered on top of its token stream.
     */
    tree = tok822_parse(parse_me);
    if (unbracketed)
	myfree(unbracketed);

    /*
     * Classify the top-level tokens: address groups, bare angle brackets
     * (harmless), and everything else (comments, stray words).
     */
    for (node = tree; node != 0; node = node->next) {
	switch (node->type) {
	case TOK822_ADDR:
	    last_addr = node;
	    addr_count += 1;
	    break;
	case '<':
	case '>':
	    break;
	default:
	    junk_count += 1;
	    break;
	}
    }

    /*
     * Structural rejects: more than one address is never acceptable; with
     * strict_rfc821_envelopes, any non-address token or a missing leading
     * '<' is rejected as well.
     *
     * The warning is logged for every malformed address, so a hostile client
     * can use this to fill the log. The historical sleep-before-reject
     * mitigation was abandoned because servers flooded with backscatter were
     * DoS-ing themselves.
     */
    if (addr_count > 1
	|| (strict_rfc821 && (junk_count > 0 || raw[0] != '<'))) {
	msg_warn("Illegal address syntax from %s in %s command: %s",
		 state->namaddr, state->where, printable(raw, '?'));
	bad = 1;
    }

    /*
     * Hand the internalized (unquoted) form to the caller via
     * state->addr_buf. The input token is left alone: the caller may need
     * the external form (e.g. when no ORCPT is given) and error logging is
     * more accurate with the unmodified text.
     */
    if (last_addr != 0)
	tok822_internalize(state->addr_buf, last_addr->head, TOK822_STR_DEFL);
    else
	vstring_strcpy(state->addr_buf, "");

    /*
     * Content rejects, evaluated only when the structure was acceptable: an
     * empty address where none is allowed, a strict-mode address that still
     * begins with '@', or a failed smtpd_check_addr() when running under the
     * master (stand-alone "sendmail -bs" skips that policy check). The
     * order matters: the cheap tests short-circuit the policy lookup. The
     * first smtpd_check_addr() argument appears to be log context only
     * (sender at RCPT time, recipient - normally still unset - at MAIL
     * time); confirm against smtpd_check.c before relying on it.
     */
    if (bad == 0) {
	const char *internal = STR(state->addr_buf);

	if ((internal[0] == 0 && !allow_empty_addr)
	    || (strict_rfc821 && internal[0] == '@')
	    || (SMTPD_STAND_ALONE(state) == 0
		&& smtpd_check_addr(strcmp(state->where, SMTPD_CMD_MAIL) == 0 ?
				    state->recipient : state->sender,
				    internal, smtputf8) != 0)) {
	    msg_warn("Illegal address syntax from %s in %s command: %s",
		     state->namaddr, state->where, printable(raw, '?'));
	    bad = 1;
	}
    }

    tok822_free_tree(tree);
    if (msg_verbose)
	msg_info("%s: in: %s, result: %s", myname, raw, STR(state->addr_buf));
    return (bad);
}
2475 
2476 /* milter_argv - impedance adapter */
2477 
static const char **milter_argv(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    ssize_t want = argc + 1;			/* plus the 0 terminator */
    int     i;

    /*
     * Build a 0-terminated vector of the command's argument strings for the
     * Milter client. The vector is per-session scratch space owned by
     * state: it is grown here when too small (never shrunk), reused across
     * commands, and released by mail_reset(). state->milter_argc records the
     * allocated capacity, not the number of arguments currently stored.
     *
     * The entries alias argv[].strval; they are only valid as long as the
     * caller's SMTPD_TOKEN array is.
     */
    if (state->milter_argc < want) {
	ssize_t nbytes = sizeof(*state->milter_argv) * want;

	/* A zero capacity means nothing was allocated yet. */
	if (state->milter_argc > 0)
	    state->milter_argv = (const char **)
		myrealloc((void *) state->milter_argv, nbytes);
	else
	    state->milter_argv = (const char **) mymalloc(nbytes);
	state->milter_argc = want;
    }
    for (i = 0; i < argc; i++)
	state->milter_argv[i] = argv[i].strval;
    state->milter_argv[argc] = 0;
    return (state->milter_argv);
}
2498 
2499 /* mail_cmd - process MAIL command */
2500 
static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;
    int     narg;
    char   *arg;
    char   *verp_delims = 0;
    int     rate;
    int     dsn_envid = 0;

    /*
     * Handle "MAIL FROM:<address> [options]". On success a "250 2.1.0 Ok"
     * reply is sent, the sender and per-transaction attributes are recorded
     * in state, and 0 is returned. On any failure the SMTP reply has already
     * been sent and -1 is returned; state->error_mask is updated for the
     * protocol/policy error accounting. The order of the checks below is
     * deliberate and observable by the client (which reply it gets first),
     * so it must not be rearranged casually.
     *
     * Reset the per-transaction parameters that a previous MAIL may have
     * set. NOTE(review): state->msg_size is not reset here; it is cleared by
     * mail_reset(). A SIZE= value from a MAIL command that was rejected later
     * in this function therefore seems to survive into the next MAIL
     * unless the command dispatcher resets it - confirm.
     */
    state->flags &= ~SMTPD_FLAG_SMTPUTF8;
    state->encoding = 0;
    state->dsn_ret = 0;

    /*
     * Sanity checks: HELO/EHLO requirement, command sequencing, and the
     * minimal "MAIL FROM:<address>" shape.
     *
     * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a
     * command in which invalid character codes have been employed, and for
     * which there are no other reasons for rejection, MUST reject that
     * command with a 501 response. Postfix attempts to be 8-bit clean.
     */
    if (var_helo_required && state->helo_name == 0) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "503 5.5.1 Error: send HELO/EHLO first");
	return (-1);
    }
    if (SMTPD_IN_MAIL_TRANSACTION(state)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "503 5.5.1 Error: nested MAIL command");
	return (-1);
    }
    /* Don't accept MAIL after out-of-order BDAT. */
    if (SMTPD_PROCESSING_BDAT(state)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "503 5.5.1 Error: MAIL after BDAT");
	return (-1);
    }
    if (argc < 3
	|| strcasecmp(argv[1].strval, "from:") != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: MAIL FROM:<address>");
	return (-1);
    }

    /*
     * Per-client MAIL rate limit (smtpd_client_message_rate_limit), checked
     * before any address parsing so that a flooding client is turned away
     * cheaply. Hosts in smtpd_client_event_limit_exceptions are exempt.
     *
     * XXX The client event count/rate control must be consistent in its use
     * of client address information in connect and disconnect events. For
     * now we exclude xclient authorized hosts from event count/rate control.
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& !xclient_allowed
	&& anvil_clnt
	&& var_smtpd_cmail_limit > 0
	&& !namadr_list_match(hogger_list, state->name, state->addr)
	&& anvil_clnt_mail(anvil_clnt, state->service, state->anvil_range,
			   &rate) == ANVIL_STAT_OK
	&& rate > var_smtpd_cmail_limit) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s",
			 state->addr);
	msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s",
		 rate, state->namaddr, state->service);
	return (-1);
    }
    /* The tokenizer already flagged this argument as unparsable. */
    if (argv[2].tokval == SMTPD_TOK_ERROR) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax");
	return (-1);
    }

    /*
     * XXX The sender address comes first, but the optional SMTPUTF8
     * parameter determines what address syntax is permitted. We must process
     * this parameter early. The parameter is honored only when SMTPUTF8 was
     * actually announced in the EHLO response (not masked by
     * smtpd_discard_ehlo_keywords).
     */
    if (var_smtputf8_enable
	&& (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0) {
	for (narg = 3; narg < argc; narg++) {
	    arg = argv[narg].strval;
	    if (strcasecmp(arg, "SMTPUTF8") == 0) {	/* RFC 6531 */
		/* Fix 20161206: allow UTF8 in smtpd_sender_restrictions. */
		state->flags |= SMTPD_FLAG_SMTPUTF8;
		break;
	    }
	}
    }
    /* Leaves the internal form of the sender in state->addr_buf. */
    if (extract_addr(state, argv + 2, PERMIT_EMPTY_ADDR,
		     var_strict_rfc821_env,
		     state->flags & SMTPD_FLAG_SMTPUTF8) != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax");
	return (-1);
    }

    /*
     * ESMTP MAIL parameters. Anything not recognized below is rejected with
     * 555, so a client cannot smuggle unknown options past the server.
     */
    for (narg = 3; narg < argc; narg++) {
	arg = argv[narg].strval;
	if (strcasecmp(arg, "BODY=8BITMIME") == 0) {	/* RFC 1652 */
	    state->encoding = MAIL_ATTR_ENC_8BIT;
	} else if (strcasecmp(arg, "BODY=7BIT") == 0) {	/* RFC 1652 */
	    state->encoding = MAIL_ATTR_ENC_7BIT;
	} else if (strncasecmp(arg, "SIZE=", 5) == 0) {	/* RFC 1870 */
	    /*
	     * Reject non-numeric size. Assumes alldig() also rejects the
	     * empty string ("SIZE=") - TODO confirm in util/alldig.c.
	     */
	    if (!alldig(arg + 5)) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.5.4 Bad message size syntax");
		return (-1);
	    }
	    /*
	     * Reject size overflow: off_cvt_string() returns a negative value
	     * when the digit string does not fit in an off_t, so an absurd
	     * declared size cannot wrap into a small one.
	     */
	    if ((state->msg_size = off_cvt_string(arg + 5)) < 0) {
		state->error_mask |= MAIL_ERROR_POLICY;
		smtpd_chat_reply(state, "552 5.3.4 Message size exceeds file system imposed limit");
		return (-1);
	    }
	} else if (var_smtputf8_enable
		   && (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0
		   && strcasecmp(arg, "SMTPUTF8") == 0) {	/* RFC 6531 */
	     /* Already processed early. */ ;
#ifdef USE_SASL_AUTH
	} else if (strncasecmp(arg, "AUTH=", 5) == 0) {
	    /* The SASL module validates and records the AUTH= parameter. */
	    if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) {
		smtpd_chat_reply(state, "%s", err);
		return (-1);
	    }
#endif
	/*
	 * XVERP is accepted only from clients listed in
	 * smtpd_authorized_verp_clients; for anyone else it falls through
	 * to the "Unsupported option" reject below.
	 */
	} else if (namadr_list_match(verp_clients, state->name, state->addr)
		   && strncasecmp(arg, VERP_CMD, VERP_CMD_LEN) == 0
		   && (arg[VERP_CMD_LEN] == '=' || arg[VERP_CMD_LEN] == 0)) {
	    if (arg[VERP_CMD_LEN] == 0) {
		verp_delims = var_verp_delims;
	    } else {
		verp_delims = arg + VERP_CMD_LEN + 1;
		if (verp_delims_verify(verp_delims) != 0) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state,
			 "501 5.5.4 Error: %s needs two characters from %s",
				     VERP_CMD, var_verp_filter);
		    return (-1);
		}
	    }
	} else if (strncasecmp(arg, "RET=", 4) == 0) {	/* RFC 3461 */
	    /* Sanitized on input. A repeated RET= parameter is an error. */
	    if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
		return (-1);
	    }
	    if (state->dsn_ret
		|| (state->dsn_ret = dsn_ret_code(arg + 4)) == 0) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state,
				 "501 5.5.4 Bad RET parameter syntax");
		return (-1);
	    }
	} else if (strncasecmp(arg, "ENVID=", 6) == 0) {	/* RFC 3461 */
	    /*
	     * Sanitized by bounce server. Here we only require valid xtext
	     * and printable characters, and reject a repeated ENVID=.
	     */
	    if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
		return (-1);
	    }
	    if (dsn_envid
		|| xtext_unquote(state->dsn_buf, arg + 6) == 0
		|| !allprint(STR(state->dsn_buf))) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.5.4 Bad ENVID parameter syntax");
		return (-1);
	    }
	    dsn_envid = 1;
	} else {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg);
	    return (-1);
	}
    }
    /*
     * Fix 20161205: show the envelope sender in reject logging. The sender
     * is not committed to state->sender until all checks pass (see below),
     * so it is exposed temporarily while the size check runs.
     */
    PUSH_STRING(saved_sender, state->sender, STR(state->addr_buf));
    err = smtpd_check_size(state, state->msg_size);
    POP_STRING(saved_sender, state->sender);
    if (err != 0) {
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }
    /* VERP needs a sender address to embed the recipient into. */
    if (verp_delims && STR(state->addr_buf)[0] == 0) {
	smtpd_chat_reply(state, "503 5.5.4 Error: %s requires non-null sender",
			 VERP_CMD);
	return (-1);
    }
    if (SMTPD_STAND_ALONE(state) == 0) {
	const char *verify_sender;

	/*
	 * XXX Don't reject the address when we're probed with our own
	 * address verification sender address. Otherwise, some timeout or
	 * some UCE block may result in mutual negative caching, making it
	 * painful to get the mail through. Unfortunately we still have to
	 * send the address to the Milters otherwise they may bail out with a
	 * "missing recipient" protocol error.
	 */
	verify_sender = valid_verify_sender_addr(STR(state->addr_buf));
	if (verify_sender != 0)
	    vstring_strcpy(state->addr_buf, verify_sender);
    }
    /*
     * smtpd_sender_restrictions etc. are evaluated here unless
     * smtpd_delay_reject is set, in which case they run at RCPT TO time.
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& var_smtpd_delay_reject == 0
	&& (err = smtpd_check_mail(state, STR(state->addr_buf))) != 0) {
	/* XXX Reset access map side effects. */
	mail_reset(state);
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }
    /*
     * Milter MAIL event. NEED_MILTER_ABORT is raised before the event so
     * that mail_reset() can undo the Milter state change on any later
     * failure. The sender is exposed temporarily, as for the size check.
     */
    if (state->milters != 0
	&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
	state->flags |= SMTPD_FLAG_NEED_MILTER_ABORT;
	PUSH_STRING(saved_sender, state->sender, STR(state->addr_buf));
	err = milter_mail_event(state->milters,
				milter_argv(state, argc - 2, argv + 2));
	if (err != 0) {
	    /* Log reject etc. with correct sender information. */
	    err = check_milter_reply(state, err);
	}
	POP_STRING(saved_sender, state->sender);
	if (err != 0) {
	    /* XXX Reset access map side effects. */
	    mail_reset(state);
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }
    /* Decide the address rewriting context (local vs. remote origin). */
    if (SMTPD_STAND_ALONE(state) == 0) {
	err = smtpd_check_rewrite(state);
	if (err != 0) {
	    /* XXX Reset access map side effects. */
	    mail_reset(state);
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }

    /*
     * Historically, Postfix does not forbid 8-bit envelope localparts.
     * Changing this would be a compatibility break. That can't happen in the
     * foreseeable future. With strict_smtputf8 a non-ASCII sender without
     * the SMTPUTF8 parameter is rejected; otherwise only a compatibility
     * warning is logged.
     */
    if ((var_strict_smtputf8 || warn_compat_break_smtputf8_enable)
	&& (state->flags & SMTPD_FLAG_SMTPUTF8) == 0
	&& *STR(state->addr_buf) && !allascii(STR(state->addr_buf))) {
	if (var_strict_smtputf8) {
	    smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to "
			     "send unicode address");
	    return (-1);
	}

	/*
	 * Not: #ifndef NO_EAI. They must configure SMTPUTF8_ENABLE=no if a
	 * warning message is logged, so that they don't suddenly start to
	 * lose mail after Postfix is built with EAI support.
	 */
	if (warn_compat_break_smtputf8_enable)
	    msg_info("using backwards-compatible default setting "
		     VAR_SMTPUTF8_ENABLE "=no to accept non-ASCII sender "
		     "address \"%s\" from %s", STR(state->addr_buf),
		     state->namaddr);
    }

    /*
     * Check the queue file space, if applicable. The optional before-filter
     * speed-adjust buffers use disk space. However, we don't know if they
     * compete for storage space with the after-filter queue, so we can't
     * simply bump up the free space requirement to 2.5 * message_size_limit.
     */
    if (!USE_SMTPD_PROXY(state)
	|| (smtpd_proxy_opts & SMTPD_PROXY_FLAG_SPEED_ADJUST)) {
	if (SMTPD_STAND_ALONE(state) == 0
	    && (err = smtpd_check_queue(state)) != 0) {
	    /* XXX Reset access map side effects. */
	    mail_reset(state);
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }

    /*
     * All checks passed: commit the transaction state. From here on the
     * mail transaction is in progress (state->sender non-null); the only
     * remaining failure path, mail_open_stream(), undoes it via
     * mail_reset().
     */
    GETTIMEOFDAY(&state->arrival_time);
    state->sender = mystrdup(STR(state->addr_buf));
    /* Per-transaction instance id: pid, arrival time, per-session counter. */
    vstring_sprintf(state->instance, "%x.%lx.%lx.%x",
		    var_pid, (unsigned long) state->arrival_time.tv_sec,
	       (unsigned long) state->arrival_time.tv_usec, state->seqno++);
    if (verp_delims)
	state->verp_delims = mystrdup(verp_delims);
    if (dsn_envid)
	state->dsn_envid = mystrdup(STR(state->dsn_buf));
    /* Presumably the raw MAIL command line, replayed to the before-queue proxy. */
    if (USE_SMTPD_PROXY(state))
	state->proxy_mail = mystrdup(STR(state->buffer));
    /* Open the cleanup/postdrop/proxy stream now unless smtpd_delay_open. */
    if (var_smtpd_delay_open == 0 && mail_open_stream(state) < 0) {
	/* XXX Reset access map side effects. */
	mail_reset(state);
	return (-1);
    }
    smtpd_chat_reply(state, "250 2.1.0 Ok");
    return (0);
}
2803 
2804 /* mail_reset - reset MAIL command stuff */
2805 
static void mail_reset(SMTPD_STATE *state)
{

    /*
     * Release a heap string owned by state and clear the pointer, so that a
     * stale reference cannot be reused later in the same session. The cast
     * keeps the macro usable for const-qualified pointers as well.
     */
#define MAIL_RESET_FREE(ptr) do { \
	if ((ptr) != 0) { \
	    myfree((void *) (ptr)); \
	    (ptr) = 0; \
	} \
    } while (0)

    /*
     * Undo everything that a MAIL command (and anything after it) recorded
     * in state, returning the session to the "no transaction" condition.
     * Called after RSET, after a rejected MAIL once side effects exist, and
     * at the end of a message. Per-session information such as the client
     * identity, HELO name and SASL login is left alone.
     */
    state->msg_size = 0;
    state->act_size = 0;
    state->flags &= SMTPD_MASK_MAIL_KEEP;

    /*
     * Drop the connection to the cleanup service without a proper end of
     * message. The cleanup server treats the premature end-of-file as an
     * abort and removes the incomplete queue file.
     */
    if (state->cleanup != 0) {
	mail_stream_cleanup(state->dest);
	state->dest = 0;
	state->cleanup = 0;
    }
    state->err = 0;
    MAIL_RESET_FREE(state->queue_id);
    MAIL_RESET_FREE(state->sender);

    /*
     * Tell the Milters that the transaction is gone; this undoes the state
     * change made by milter_mail_event() (fix by WeiYu Wu).
     */
    if (state->flags & SMTPD_FLAG_NEED_MILTER_ABORT) {
	milter_abort(state->milters);
	state->flags &= ~SMTPD_FLAG_NEED_MILTER_ABORT;
    }
    MAIL_RESET_FREE(state->verp_delims);
    MAIL_RESET_FREE(state->proxy_mail);

    /*
     * Access-map side effects (FILTER, REDIRECT, BCC, flags) accumulated
     * during this transaction's restriction checks.
     */
    MAIL_RESET_FREE(state->saved_filter);
    MAIL_RESET_FREE(state->saved_redirect);
    if (state->saved_bcc) {
	argv_free(state->saved_bcc);
	state->saved_bcc = 0;
    }
    state->saved_flags = 0;
#ifdef DELAY_ACTION
    state->saved_delay = 0;
#endif
#ifdef USE_SASL_AUTH
    /* The AUTH= MAIL parameter is per transaction, unlike the SASL login. */
    if (state->sasl_sender)
	smtpd_sasl_mail_reset(state);
#endif
    state->discard = 0;
    VSTRING_RESET(state->instance);
    VSTRING_TERMINATE(state->instance);

    /* Before-queue proxy, XFORWARD attributes, PREPEND headers. */
    if (state->proxy)
	smtpd_proxy_free(state);
    if (state->xforward.flags)
	smtpd_xforward_reset(state);
    if (state->prepend)
	state->prepend = argv_free(state->prepend);
    MAIL_RESET_FREE(state->dsn_envid);

    /* The Milter argument vector tracks its capacity in milter_argc. */
    if (state->milter_argv) {
	myfree((void *) state->milter_argv);
	state->milter_argv = 0;
	state->milter_argc = 0;
    }

    /*
     * BDAT (CHUNKING) state: any partially received chunk is discarded.
     */
    state->bdat_state = SMTPD_BDAT_STAT_NONE;
    if (state->bdat_get_stream) {
	(void) vstream_fclose(state->bdat_get_stream);
	state->bdat_get_stream = 0;
    }
    if (state->bdat_get_buffer)
	VSTRING_RESET(state->bdat_get_buffer);
}
2895 
2896 /* rcpt_cmd - process RCPT TO command */
2897 
rcpt_cmd(SMTPD_STATE * state,int argc,SMTPD_TOKEN * argv)2898 static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
2899 {
2900     SMTPD_PROXY *proxy;
2901     const char *err;
2902     int     narg;
2903     char   *arg;
2904     int     rate;
2905     const char *dsn_orcpt_addr = 0;
2906     ssize_t dsn_orcpt_addr_len = 0;
2907     const char *dsn_orcpt_type = 0;
2908     int     dsn_notify = 0;
2909     const char *coded_addr;
2910     const char *milter_err;
2911 
2912     /*
2913      * Sanity checks.
2914      *
2915      * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a
2916      * command in which invalid character codes have been employed, and for
2917      * which there are no other reasons for rejection, MUST reject that
2918      * command with a 501 response. So much for the principle of "be liberal
2919      * in what you accept, be strict in what you send".
2920      */
2921     if (!SMTPD_IN_MAIL_TRANSACTION(state)) {
2922 	state->error_mask |= MAIL_ERROR_PROTOCOL;
2923 	smtpd_chat_reply(state, "503 5.5.1 Error: need MAIL command");
2924 	return (-1);
2925     }
2926     /* Don't accept RCPT after BDAT. */
2927     if (SMTPD_PROCESSING_BDAT(state)) {
2928 	state->error_mask |= MAIL_ERROR_PROTOCOL;
2929 	smtpd_chat_reply(state, "503 5.5.1 Error: RCPT after BDAT");
2930 	return (-1);
2931     }
2932     if (argc < 3
2933 	|| strcasecmp(argv[1].strval, "to:") != 0) {
2934 	state->error_mask |= MAIL_ERROR_PROTOCOL;
2935 	smtpd_chat_reply(state, "501 5.5.4 Syntax: RCPT TO:<address>");
2936 	return (-1);
2937     }
2938 
2939     /*
2940      * XXX The client event count/rate control must be consistent in its use
2941      * of client address information in connect and disconnect events. For
2942      * now we exclude xclient authorized hosts from event count/rate control.
2943      */
2944     if (SMTPD_STAND_ALONE(state) == 0
2945 	&& !xclient_allowed
2946 	&& anvil_clnt
2947 	&& var_smtpd_crcpt_limit > 0
2948 	&& !namadr_list_match(hogger_list, state->name, state->addr)
2949 	&& anvil_clnt_rcpt(anvil_clnt, state->service, state->anvil_range,
2950 			   &rate) == ANVIL_STAT_OK
2951 	&& rate > var_smtpd_crcpt_limit) {
2952 	state->error_mask |= MAIL_ERROR_POLICY;
2953 	msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
2954 		 rate, state->namaddr, state->service);
2955 	smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
2956 			 state->addr);
2957 	return (-1);
2958     }
2959     if (argv[2].tokval == SMTPD_TOK_ERROR) {
2960 	state->error_mask |= MAIL_ERROR_PROTOCOL;
2961 	smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
2962 	return (-1);
2963     }
2964     if (extract_addr(state, argv + 2, REJECT_EMPTY_ADDR, var_strict_rfc821_env,
2965 		     state->flags & SMTPD_FLAG_SMTPUTF8) != 0) {
2966 	state->error_mask |= MAIL_ERROR_PROTOCOL;
2967 	smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
2968 	return (-1);
2969     }
2970     for (narg = 3; narg < argc; narg++) {
2971 	arg = argv[narg].strval;
2972 	if (strncasecmp(arg, "NOTIFY=", 7) == 0) {	/* RFC 3461 */
2973 	    /* Sanitized on input. */
2974 	    if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
2975 		state->error_mask |= MAIL_ERROR_PROTOCOL;
2976 		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
2977 		return (-1);
2978 	    }
2979 	    if (dsn_notify || (dsn_notify = dsn_notify_mask(arg + 7)) == 0) {
2980 		state->error_mask |= MAIL_ERROR_PROTOCOL;
2981 		smtpd_chat_reply(state,
2982 			    "501 5.5.4 Error: Bad NOTIFY parameter syntax");
2983 		return (-1);
2984 	    }
2985 	} else if (strncasecmp(arg, "ORCPT=", 6) == 0) {	/* RFC 3461 */
2986 	    /* Sanitized by bounce server. */
2987 	    if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
2988 		state->error_mask |= MAIL_ERROR_PROTOCOL;
2989 		smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
2990 		return (-1);
2991 	    }
2992 	    vstring_strcpy(state->dsn_orcpt_buf, arg + 6);
2993 	    if (dsn_orcpt_addr
2994 	     || (coded_addr = split_at(STR(state->dsn_orcpt_buf), ';')) == 0
2995 		|| *(dsn_orcpt_type = STR(state->dsn_orcpt_buf)) == 0
2996 		|| (strcasecmp(dsn_orcpt_type, "utf-8") == 0 ?
2997 		    uxtext_unquote(state->dsn_buf, coded_addr) == 0 :
2998 		    xtext_unquote(state->dsn_buf, coded_addr) == 0)) {
2999 		state->error_mask |= MAIL_ERROR_PROTOCOL;
3000 		smtpd_chat_reply(state,
3001 			     "501 5.5.4 Error: Bad ORCPT parameter syntax");
3002 		return (-1);
3003 	    }
3004 	    dsn_orcpt_addr = STR(state->dsn_buf);
3005 	    dsn_orcpt_addr_len = LEN(state->dsn_buf);
3006 	} else {
3007 	    state->error_mask |= MAIL_ERROR_PROTOCOL;
3008 	    smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg);
3009 	    return (-1);
3010 	}
3011     }
3012     if (var_smtpd_rcpt_limit && state->rcpt_count >= var_smtpd_rcpt_limit) {
3013 	smtpd_chat_reply(state, "452 4.5.3 Error: too many recipients");
3014 	if (state->rcpt_overshoot++ < var_smtpd_rcpt_overlim)
3015 	    return (0);
3016 	state->error_mask |= MAIL_ERROR_POLICY;
3017 	return (-1);
3018     }
3019 
3020     /*
3021      * Historically, Postfix does not forbid 8-bit envelope localparts.
3022      * Changing this would be a compatibility break. That can't happen in the
3023      * foreseeable future.
3024      */
3025     if ((var_strict_smtputf8 || warn_compat_break_smtputf8_enable)
3026 	&& (state->flags & SMTPD_FLAG_SMTPUTF8) == 0
3027 	&& *STR(state->addr_buf) && !allascii(STR(state->addr_buf))) {
3028 	if (var_strict_smtputf8) {
3029 	    smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to "
3030 			     "send unicode address");
3031 	    return (-1);
3032 	}
3033 
3034 	/*
3035 	 * Not: #ifndef NO_EAI. They must configure SMTPUTF8_ENABLE=no if a
3036 	 * warning message is logged, so that they don't suddenly start to
3037 	 * lose mail after Postfix is built with EAI support.
3038 	 */
3039 	if (warn_compat_break_smtputf8_enable)
3040 	    msg_info("using backwards-compatible default setting "
3041 		     VAR_SMTPUTF8_ENABLE "=no to accept non-ASCII recipient "
3042 		     "address \"%s\" from %s", STR(state->addr_buf),
3043 		     state->namaddr);
3044     }
3045     if (SMTPD_STAND_ALONE(state) == 0) {
3046 	const char *verify_sender;
3047 
3048 	/*
3049 	 * XXX Don't reject the address when we're probed with our own
3050 	 * address verification sender address. Otherwise, some timeout or
3051 	 * some UCE block may result in mutual negative caching, making it
3052 	 * painful to get the mail through. Unfortunately we still have to
3053 	 * send the address to the Milters otherwise they may bail out with a
3054 	 * "missing recipient" protocol error.
3055 	 */
3056 	verify_sender = valid_verify_sender_addr(STR(state->addr_buf));
3057 	if (verify_sender != 0) {
3058 	    vstring_strcpy(state->addr_buf, verify_sender);
3059 	    err = 0;
3060 	} else {
3061 	    err = smtpd_check_rcpt(state, STR(state->addr_buf));
3062 	}
3063 	if (state->milters != 0
3064 	    && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
3065 	    PUSH_STRING(saved_rcpt, state->recipient, STR(state->addr_buf));
3066 	    state->milter_reject_text = err;
3067 	    milter_err = milter_rcpt_event(state->milters,
3068 					   err == 0 ? MILTER_FLAG_NONE :
3069 					   MILTER_FLAG_WANT_RCPT_REJ,
3070 				    milter_argv(state, argc - 2, argv + 2));
3071 	    if (err == 0 && milter_err != 0) {
3072 		/* Log reject etc. with correct recipient information. */
3073 		err = check_milter_reply(state, milter_err);
3074 	    }
3075 	    POP_STRING(saved_rcpt, state->recipient);
3076 	}
3077 	if (err != 0) {
3078 	    smtpd_chat_reply(state, "%s", err);
3079 	    return (-1);
3080 	}
3081     }
3082 
3083     /*
3084      * Don't access the proxy, queue file, or queue file writer process until
3085      * we have a valid recipient address.
3086      */
3087     if (state->proxy == 0 && state->cleanup == 0 && mail_open_stream(state) < 0)
3088 	return (-1);
3089 
3090     /*
3091      * Proxy the recipient. OK, so we lied. If the real-time proxy rejects
3092      * the recipient then we can have a proxy connection without having
3093      * accepted a recipient.
3094      */
3095     proxy = state->proxy;
3096     if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_OK,
3097 				 "%s", STR(state->buffer)) != 0) {
3098 	smtpd_chat_reply(state, "%s", STR(proxy->reply));
3099 	return (-1);
3100     }
3101 
3102     /*
3103      * Store the recipient. Remember the first one.
3104      *
3105      * Flush recipients to maintain a stiffer coupling with the next stage and
3106      * to better utilize parallelism.
3107      *
3108      * RFC 3461 Section 5.2.1: If the NOTIFY parameter was not supplied for a
3109      * recipient when the message was received, the NOTIFY parameter MUST NOT
3110      * be supplied for that recipient when the message is relayed.
3111      *
3112      * In other words, we can't simply make up our default NOTIFY value. We have
3113      * to remember whether the client sent any.
3114      *
3115      * RFC 3461 Section 5.2.1: If no ORCPT parameter was present when the
3116      * message was received, an ORCPT parameter MAY be added to the RCPT
3117      * command when the message is relayed.  If an ORCPT parameter is added
3118      * by the relaying MTA, it MUST contain the recipient address from the
3119      * RCPT command used when the message was received by that MTA.
3120      *
3121      * In other words, it is OK to make up our own DSN original recipient when
3122      * the client didn't send one. Although the RFC mentions mail relaying
3123      * only, we also make up our own original recipient for the purpose of
3124      * final delivery. For now, we do this here, rather than on the fly.
3125      *
3126      * XXX We use REC_TYPE_ATTR for DSN-related recipient attributes even though
3127      * 1) REC_TYPE_ATTR is not meant for multiple instances of the same named
3128      * attribute, and 2) mixing REC_TYPE_ATTR with REC_TYPE_(not attr)
3129      * requires that we map attributes with rec_attr_map() in order to
3130      * simplify the recipient record processing loops in the cleanup and qmgr
3131      * servers.
3132      *
3133      * Another possibility, yet to be explored, is to leave the additional
3134      * recipient information in the queue file and just pass queue file
3135      * offsets along with the delivery request. This is a trade off between
3136      * memory allocation versus numeric conversion overhead.
3137      *
3138      * Since we have no record grouping mechanism, all recipient-specific
3139      * parameters must be sent to the cleanup server before the actual
3140      * recipient address.
3141      */
3142     state->rcpt_count++;
3143     if (state->recipient == 0)
3144 	state->recipient = mystrdup(STR(state->addr_buf));
3145     if (state->cleanup) {
3146 	/* Note: RFC(2)821 externalized address! */
3147 	if (dsn_orcpt_addr == 0) {
3148 	    dsn_orcpt_type = "rfc822";
3149 	    dsn_orcpt_addr = argv[2].strval;
3150 	    dsn_orcpt_addr_len = strlen(argv[2].strval);
3151 	    if (dsn_orcpt_addr[0] == '<'
3152 		&& dsn_orcpt_addr[dsn_orcpt_addr_len - 1] == '>') {
3153 		dsn_orcpt_addr += 1;
3154 		dsn_orcpt_addr_len -= 2;
3155 	    }
3156 	}
3157 	if (dsn_notify)
3158 	    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
3159 			MAIL_ATTR_DSN_NOTIFY, dsn_notify);
3160 	rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s;%.*s",
3161 		    MAIL_ATTR_DSN_ORCPT, dsn_orcpt_type,
3162 		    (int) dsn_orcpt_addr_len, dsn_orcpt_addr);
3163 	rec_fputs(state->cleanup, REC_TYPE_RCPT, STR(state->addr_buf));
3164 	vstream_fflush(state->cleanup);
3165     }
3166     smtpd_chat_reply(state, "250 2.1.5 Ok");
3167     return (0);
3168 }
3169 
3170 /* rcpt_reset - reset RCPT stuff */
3171 
/*
 * rcpt_reset - forget per-transaction recipient state.
 *
 * Releases the first-recipient copy kept in state->recipient and zeroes
 * the recipient counters that the RCPT limit checks consult. The
 * recipient string is owned by this state object and is freed here.
 */
static void rcpt_reset(SMTPD_STATE *state)
{
    char   *first_rcpt = state->recipient;

    if (first_rcpt != 0) {
	state->recipient = 0;
	myfree(first_rcpt);
    }
    state->rcpt_count = 0;
    /* XXX Must flush the command history. */
    state->rcpt_overshoot = 0;
}
3182 
3183 #if 0
3184 
3185 /* rfc2047_comment_encode - encode comment string */
3186 
/*
 * rfc2047_comment_encode - encode comment string (currently compiled out)
 *
 * Returns a freshly allocated VSTRING that the caller owns. Text that is
 * printable and free of the characters in CSPECIALS is returned as-is
 * inside double quotes; anything else is emitted as one RFC 2047 'Q'
 * encoded word whose charset is the supplied charset argument.
 */
static VSTRING *rfc2047_comment_encode(const char *str, const char *charset)
{
    VSTRING *result = vstring_alloc(30);
    const unsigned char *p;
    int     c;
    int     needs_encoding = 0;

    /*
     * XXX This is problematic code.
     *
     * XXX Most of the RFC 2047 "especials" are not special in RFC*822 comments,
     * but we encode them anyway to avoid complaints.
     *
     * XXX In Received: header comments we enclose peer and issuer common names
     * with "" quotes (inherited from the Lutz Jaenicke patch). This is the
     * cause of several quirks.
     *
     * 1) We encode text that contains the " character, even though that
     * character is not special for RFC*822 comments.
     *
     * 2) We ignore the recommended limit of 75 characters per encoded word,
     * because long comments look ugly when folded in-between quotes.
     *
     * 3) We encode the enclosing quotes, to avoid producing invalid encoded
     * words. Microsoft abuses RFC 2047 encoding with attachment names, but
     * we have no information on what decoders do with malformed encoding in
     * comments. This means the comments are Jaenicke-compatible only after
     * decoding.
     */
#define ESPECIALS "()<>@,;:\"/[]?.="		/* Special in RFC 2047 */
#define QSPECIALS "_" ESPECIALS			/* Special in RFC 2047 'Q' */
#define CSPECIALS "\\\"()"			/* Special in our comments */

    /* First pass: decide whether encoding is needed at all. */
    for (p = (const unsigned char *) str; (c = *p) != 0; p++) {
	if (!ISPRINT(c) || strchr(CSPECIALS, c) != 0) {
	    needs_encoding = 1;
	    break;
	}
    }
    if (!needs_encoding) {
	vstring_sprintf(result, "\"%s\"", str);
	return (result);
    }

    /*
     * Second pass: quoted-printable (like) encoding, spaces become '_'. The
     * enclosing quotes are encoded as well (see quirk 3 above).
     */
    vstring_sprintf(result, "=?%s?Q?=%02X", charset, '"');
    for (p = (const unsigned char *) str; (c = *p) != 0; p++) {
	if (c == ' ') {
	    VSTRING_ADDCH(result, '_');
	} else if (!ISPRINT(c) || strchr(QSPECIALS CSPECIALS, c) != 0) {
	    vstring_sprintf_append(result, "=%02X", c);
	} else {
	    VSTRING_ADDCH(result, c);
	}
    }
    vstring_sprintf_append(result, "=%02X?=", '"');
    return (result);
}
3245 
3246 #endif
3247 
3248 /* comment_sanitize - clean up comment string */
3249 
/*
 * comment_sanitize - clean up comment string in place
 *
 * Rewrites comment_string so that it can be embedded inside an RFC 822
 * comment: every non-ASCII, non-printable or backslash byte becomes '?',
 * a ')' with no matching '(' becomes '?', and any '(' left open at the
 * end is closed by appending ')' characters. The result is re-terminated.
 */
static void comment_sanitize(VSTRING *comment_string)
{
    unsigned char *p;
    int     depth = 0;			/* currently open '(' count */
    int     c;

    /*
     * Postfix Received: headers can be configured to include a comment with
     * the CN (CommonName) of the peer and its issuer, or the login name of a
     * SASL authenticated user. To avoid problems with RFC 822 etc. syntax,
     * we limit this information to printable ASCII text, and neutralize
     * characters that affect comment parsing: the backslash and unbalanced
     * parentheses.
     */
    for (p = (unsigned char *) STR(comment_string); (c = *p) != 0; p++) {
	switch (c) {
	case '(':
	    depth++;
	    break;
	case ')':
	    if (depth > 0)
		depth--;
	    else
		*p = '?';
	    break;
	default:
	    if (!ISASCII(c) || !ISPRINT(c) || c == '\\')
		*p = '?';
	    break;
	}
    }
    /* Close whatever is still open; p is not used past this point. */
    for (; depth > 0; depth--)
	VSTRING_ADDCH(comment_string, ')');
    VSTRING_TERMINATE(comment_string);
}
3280 
/*
 * Forward declarations for the three stages that data_cmd() below runs in
 * sequence: envelope finish + Received: header, message body copy, and
 * commit/error reporting. The first two take the output callbacks and
 * stream selected by data_cmd() (cleanup server or proxy).
 */
static void common_pre_message_handling(SMTPD_STATE *state,
	          int (*out_record) (VSTREAM *, int, const char *, ssize_t),
	              int (*out_fprintf) (VSTREAM *, int, const char *,...),
				        VSTREAM *out_stream, int out_error);
static void receive_data_message(SMTPD_STATE *state,
	          int (*out_record) (VSTREAM *, int, const char *, ssize_t),
	              int (*out_fprintf) (VSTREAM *, int, const char *,...),
				         VSTREAM *out_stream, int out_error);
static int common_post_message_handling(SMTPD_STATE *state);
3290 
3291 /* data_cmd - process DATA command */
3292 
/*
 * data_cmd - process DATA command
 *
 * Validates that DATA is acceptable in the current session state, runs the
 * access-policy and Milter hooks, forwards the command to the proxy when
 * one is configured, then hands off to the three message-handling stages.
 *
 * Returns 0 when the message was accepted, -1 when a reply rejecting the
 * command (or the message) has been sent. unused_argv is part of the
 * command-table signature and is not read here.
 */
static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    const char *reply;
    SMTPD_PROXY *prox;
    int     (*put_record) (VSTREAM *, int, const char *, ssize_t);
    int     (*put_fprintf) (VSTREAM *, int, const char *,...);
    VSTREAM *dest_stream;
    int     dest_error;

    /*
     * Sanity checks. With ESMTP command pipelining the client can send DATA
     * before all recipients are rejected, so don't report that as a protocol
     * error.
     */
    if (SMTPD_PROCESSING_BDAT(state)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "503 5.5.1 Error: DATA after BDAT");
	return (-1);
    }
    if (state->rcpt_count == 0) {
	if (SMTPD_IN_MAIL_TRANSACTION(state)) {
	    /* All recipients were rejected; not a client protocol error. */
	    smtpd_chat_reply(state, "554 5.5.1 Error: no valid recipients");
	} else {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "503 5.5.1 Error: need RCPT command");
	}
	return (-1);
    }
    if (argc != 1) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: DATA");
	return (-1);
    }

    /* Access policy checks apply only when run under the master daemon. */
    if (SMTPD_STAND_ALONE(state) == 0) {
	reply = smtpd_check_data(state);
	if (reply != 0) {
	    smtpd_chat_reply(state, "%s", reply);
	    return (-1);
	}
    }

    /* Milter DATA event; a Milter reply may itself be turned into a reject. */
    if (state->milters != 0
	&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
	reply = milter_data_event(state->milters);
	if (reply != 0)
	    reply = check_milter_reply(state, reply);
	if (reply != 0) {
	    smtpd_chat_reply(state, "%s", reply);
	    return (-1);
	}
    }

    /*
     * One level of indirection to choose between normal or proxied
     * operation. We want to avoid massive code duplication within tons of
     * if-else clauses. The proxy must accept DATA before we select it.
     */
    prox = state->proxy;
    if (prox != 0) {
	if (prox->cmd(state, SMTPD_PROX_WANT_MORE,
		      "%s", STR(state->buffer)) != 0) {
	    smtpd_chat_reply(state, "%s", STR(prox->reply));
	    return (-1);
	}
	dest_stream = prox->stream;
	put_record = prox->rec_put;
	put_fprintf = prox->rec_fprintf;
	dest_error = CLEANUP_STAT_PROXY;
    } else {
	dest_stream = state->cleanup;
	put_record = rec_put;
	put_fprintf = rec_fprintf;
	dest_error = CLEANUP_STAT_WRITE;
    }

    common_pre_message_handling(state, put_record, put_fprintf,
				dest_stream, dest_error);
    smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
    state->where = SMTPD_AFTER_DATA;
    receive_data_message(state, put_record, put_fprintf,
			 dest_stream, dest_error);
    return common_post_message_handling(state);
}
3367 
3368 /* common_pre_message_handling - finish envelope and open message segment */
3369 
/*
 * common_pre_message_handling - finish envelope and open message segment
 *
 * Writes, via out_fprintf/out_record on out_stream, everything that must
 * precede the message body: delegated cleanup actions and the end-of-
 * envelope marker (cleanup stream only), any configured prepended headers,
 * and this server's own Received: header with optional TLS and SASL
 * details. out_error is not referenced in this function; it is part of the
 * shared signature with receive_data_message().
 *
 * Values that originate from the peer (certificate CNs, SASL login name)
 * are copied and passed through comment_sanitize() before being placed
 * inside a Received: comment. helo_name, name and rfc_addr are used as
 * stored in state; NOTE(review): they are presumably validated at
 * HELO/connect time, which is not visible here.
 */
static void common_pre_message_handling(SMTPD_STATE *state,
	          int (*out_record) (VSTREAM *, int, const char *, ssize_t),
	              int (*out_fprintf) (VSTREAM *, int, const char *,...),
					        VSTREAM *out_stream,
					        int out_error)
{
    SMTPD_PROXY *proxy = state->proxy;
    char  **cpp;
    const char *rfc3848_sess;			/* "S" when TLS on ESMTP, else "" */
    const char *rfc3848_auth;			/* "A" when SASL on ESMTP, else "" */
    /* RFC 3848 "with" clause: advertise UTF8SMTP when SMTPUTF8 was requested. */
    const char *with_protocol = (state->flags & SMTPD_FLAG_SMTPUTF8) ?
    "UTF8SMTP" : state->protocol;

#ifdef USE_TLS
    VSTRING *peer_CN;				/* sanitized copies, freed below */
    VSTRING *issuer_CN;

#endif
#ifdef USE_SASL_AUTH
    VSTRING *username;				/* sanitized copy, freed below */

#endif

    /*
     * Flush out a first batch of access table actions that are delegated to
     * the cleanup server, and that may trigger before we accept the first
     * valid recipient. There will be more after end-of-data.
     *
     * Terminate the message envelope segment. Start the message content
     * segment, and prepend our own Received: header. If there is only one
     * recipient, list the recipient address.
     */
    if (state->cleanup) {
	if (SMTPD_STAND_ALONE(state) == 0) {
	    if (state->milters != 0
		&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
		/* Send actual smtpd_milters list. */
		(void) milter_send(state->milters, state->cleanup);
	    if (state->saved_flags)
		rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
			    state->saved_flags);
	}
	/* Envelope segment ends here; what follows is message content. */
	rec_fputs(state->cleanup, REC_TYPE_MESG, "");
    }

    /*
     * PREPEND message headers above our own Received: header.
     */
    if (state->prepend)
	for (cpp = state->prepend->argv; *cpp; cpp++)
	    out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp);

    /*
     * Suppress our own Received: header in the unlikely case that we are an
     * intermediate proxy.
     */
    if (!proxy || state->xforward.flags == 0) {
	/* Fall back to the reverse name when the client sent no HELO name. */
	out_fprintf(out_stream, REC_TYPE_NORM,
		    "Received: from %s (%s [%s])",
		    state->helo_name ? state->helo_name : state->name,
		    state->name, state->rfc_addr);

/* Allocate a private, writable copy so comment_sanitize() can edit it. */
#define VSTRING_STRDUP(s) vstring_strcpy(vstring_alloc(strlen(s) + 1), (s))

#ifdef USE_TLS
	if (var_smtpd_tls_received_header && state->tls_context) {
	    int     cont = 0;		/* set once a line is already open */

	    vstring_sprintf(state->buffer,
			    "\t(using %s with cipher %s (%d/%d bits)",
			    state->tls_context->protocol,
			    state->tls_context->cipher_name,
			    state->tls_context->cipher_usebits,
			    state->tls_context->cipher_algbits);
	    if (state->tls_context->kex_name && *state->tls_context->kex_name) {
		out_record(out_stream, REC_TYPE_NORM, STR(state->buffer),
			   LEN(state->buffer));
		vstring_sprintf(state->buffer, "\t key-exchange %s",
				state->tls_context->kex_name);
		if (state->tls_context->kex_curve
		    && *state->tls_context->kex_curve)
		    vstring_sprintf_append(state->buffer, " (%s)",
					   state->tls_context->kex_curve);
		else if (state->tls_context->kex_bits > 0)
		    vstring_sprintf_append(state->buffer, " (%d bits)",
					   state->tls_context->kex_bits);
		cont = 1;
	    }
	    if (state->tls_context->srvr_sig_name
		&& *state->tls_context->srvr_sig_name) {
		/* Continue the key-exchange line if there is one, else start fresh. */
		if (cont) {
		    vstring_sprintf_append(state->buffer, " server-signature %s",
					 state->tls_context->srvr_sig_name);
		} else {
		    out_record(out_stream, REC_TYPE_NORM, STR(state->buffer),
			       LEN(state->buffer));
		    vstring_sprintf(state->buffer, "\t server-signature %s",
				    state->tls_context->srvr_sig_name);
		}
		if (state->tls_context->srvr_sig_curve
		    && *state->tls_context->srvr_sig_curve)
		    vstring_sprintf_append(state->buffer, " (%s)",
					state->tls_context->srvr_sig_curve);
		else if (state->tls_context->srvr_sig_bits > 0)
		    vstring_sprintf_append(state->buffer, " (%d bits)",
					 state->tls_context->srvr_sig_bits);
		if (state->tls_context->srvr_sig_dgst
		    && *state->tls_context->srvr_sig_dgst)
		    vstring_sprintf_append(state->buffer, " server-digest %s",
					 state->tls_context->srvr_sig_dgst);
	    }
	    if (state->tls_context->clnt_sig_name
		&& *state->tls_context->clnt_sig_name) {
		out_record(out_stream, REC_TYPE_NORM, STR(state->buffer),
			   LEN(state->buffer));
		vstring_sprintf(state->buffer, "\t client-signature %s",
				state->tls_context->clnt_sig_name);
		if (state->tls_context->clnt_sig_curve
		    && *state->tls_context->clnt_sig_curve)
		    vstring_sprintf_append(state->buffer, " (%s)",
					state->tls_context->clnt_sig_curve);
		else if (state->tls_context->clnt_sig_bits > 0)
		    vstring_sprintf_append(state->buffer, " (%d bits)",
					 state->tls_context->clnt_sig_bits);
		if (state->tls_context->clnt_sig_dgst
		    && *state->tls_context->clnt_sig_dgst)
		    vstring_sprintf_append(state->buffer, " client-digest %s",
					 state->tls_context->clnt_sig_dgst);
	    }
	    /* Close the parenthesis opened by "\t(using ..." above. */
	    out_fprintf(out_stream, REC_TYPE_NORM, "%s)", STR(state->buffer));
	    if (TLS_CERT_IS_PRESENT(state->tls_context)) {
		/*
		 * Certificate names are attacker-chosen text; sanitize before
		 * embedding them in a comment so they cannot break out of it.
		 */
		peer_CN = VSTRING_STRDUP(state->tls_context->peer_CN);
		comment_sanitize(peer_CN);
		issuer_CN = VSTRING_STRDUP(state->tls_context->issuer_CN ?
					state->tls_context->issuer_CN : "");
		comment_sanitize(issuer_CN);
		out_fprintf(out_stream, REC_TYPE_NORM,
			    "\t(Client CN \"%s\", Issuer \"%s\" (%s))",
			    STR(peer_CN), STR(issuer_CN),
			    TLS_CERT_IS_TRUSTED(state->tls_context) ?
			    "verified OK" : "not verified");
		vstring_free(issuer_CN);
		vstring_free(peer_CN);
	    } else if (var_smtpd_tls_ask_ccert)
		out_fprintf(out_stream, REC_TYPE_NORM,
			    "\t(Client did not present a certificate)");
	    else
		out_fprintf(out_stream, REC_TYPE_NORM,
			    "\t(No client certificate requested)");
	}
	/* RFC 3848 is defined for ESMTP only. */
	/* Note the "else" before #endif: without USE_TLS the "" branch is unconditional. */
	if (state->tls_context != 0
	    && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
	    rfc3848_sess = "S";
	else
#endif
	    rfc3848_sess = "";
#ifdef USE_SASL_AUTH
	if (var_smtpd_sasl_auth_hdr && state->sasl_username) {
	    /* Login name is client-supplied; sanitize like the CNs above. */
	    username = VSTRING_STRDUP(state->sasl_username);
	    comment_sanitize(username);
	    out_fprintf(out_stream, REC_TYPE_NORM,
			"\t(Authenticated sender: %s)", STR(username));
	    vstring_free(username);
	}
	/* RFC 3848 is defined for ESMTP only. */
	/* Same #endif-straddling else as for rfc3848_sess above. */
	if (state->sasl_username
	    && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
	    rfc3848_auth = "A";
	else
#endif
	    rfc3848_auth = "";
	/*
	 * The queue id is only meaningful (and only formatted) when writing to
	 * the cleanup server; the proxy-side format strings simply do not
	 * consume the trailing state->queue_id argument.
	 */
	if (state->rcpt_count == 1 && state->recipient) {
	    out_fprintf(out_stream, REC_TYPE_NORM,
			state->cleanup ? "\tby %s (%s) with %s%s%s id %s" :
			"\tby %s (%s) with %s%s%s",
			var_myhostname, var_mail_name,
			with_protocol, rfc3848_sess,
			rfc3848_auth, state->queue_id);
	    /* Single recipient: disclose it in a "for" clause, RFC 822 quoted. */
	    quote_822_local(state->buffer, state->recipient);
	    out_fprintf(out_stream, REC_TYPE_NORM,
			"\tfor <%s>; %s", STR(state->buffer),
			mail_date(state->arrival_time.tv_sec));
	} else {
	    out_fprintf(out_stream, REC_TYPE_NORM,
			state->cleanup ? "\tby %s (%s) with %s%s%s id %s;" :
			"\tby %s (%s) with %s%s%s;",
			var_myhostname, var_mail_name,
			with_protocol, rfc3848_sess,
			rfc3848_auth, state->queue_id);
	    out_fprintf(out_stream, REC_TYPE_NORM,
			"\t%s", mail_date(state->arrival_time.tv_sec));
	}
#ifdef RECEIVED_ENVELOPE_FROM
	quote_822_local(state->buffer, state->sender);
	out_fprintf(out_stream, REC_TYPE_NORM,
		    "\t(envelope-from %s)", STR(state->buffer));
#endif
    }
}
3570 
3571 /* receive_data_message - finish envelope and open message segment */
3572 
/*
 * receive_data_message - copy message content until the end-of-data line
 *
 * Reads lines from the client and writes them as typed records to
 * out_stream with out_record/out_fprintf until a line consisting of a
 * single "." is seen. On a write failure state->err is set to out_error;
 * when the configured message size limit would be exceeded it is set to
 * CLEANUP_STAT_SIZE. In either case the remaining input is still read so
 * that the client reaches end-of-data and can be given a reply.
 * Afterwards state->where is SMTPD_AFTER_EOM.
 */
static void receive_data_message(SMTPD_STATE *state,
	          int (*out_record) (VSTREAM *, int, const char *, ssize_t),
	              int (*out_fprintf) (VSTREAM *, int, const char *,...),
				         VSTREAM *out_stream,
				         int out_error)
{
    SMTPD_PROXY *prox = state->proxy;
    char   *line;
    int     line_len;
    int     rec_type;
    int     prev_type = 0;
    int     at_start = 1;		/* still looking at the first line(s) */

    /*
     * If deadlines are enabled, increase the time budget as message content
     * arrives.
     */
    smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_req_deadline,
		      var_smtpd_min_data_rate);

    /*
     * Copy the message content. If the cleanup process has a problem, keep
     * reading until the remote stops sending, then complain. Produce typed
     * records from the SMTP stream so we can handle data that spans buffers.
     *
     * XXX Force an empty record when the queue file content begins with
     * whitespace, so that it won't be considered as being part of our own
     * Received: header. What an ugly Kluge.
     *
     * XXX Deal with UNIX-style From_ lines at the start of message content
     * because sendmail permits it.
     */
    for (;;) {
	/* A line that did not end in newline is a continuation record. */
	rec_type = (smtp_get(state->buffer, state->client, var_line_limit,
			     SMTP_GET_FLAG_NONE) == '\n') ?
	    REC_TYPE_NORM : REC_TYPE_CONT;
	line = vstring_str(state->buffer);
	line_len = VSTRING_LEN(state->buffer);
	if (at_start) {
	    if (strncmp(line + strspn(line, ">"), "From ", 5) == 0) {
		out_fprintf(out_stream, rec_type,
			    "X-Mailbox-Line: %s", line);
		prev_type = rec_type;
		continue;
	    }
	    at_start = 0;
	    if (line_len > 0 && IS_SPACE_TAB(line[0]))
		out_record(out_stream, REC_TYPE_NORM, "", 0);
	}
	/*
	 * Leading-dot handling only applies at the start of a logical line.
	 * Without a proxy the dot is stripped here; with a proxy it is left
	 * in place and only the bare "." terminates.
	 */
	if (prev_type != REC_TYPE_CONT && *line == '.') {
	    if (prox == 0) {
		line++;
		line_len--;
		if (line_len == 0)
		    break;
	    } else if (line_len == 1) {
		break;
	    }
	}
	if (state->err == CLEANUP_STAT_OK) {
	    /* +2 accounts for the CRLF that the record will carry. */
	    if (ENFORCING_SIZE_LIMIT(var_message_limit)
		&& var_message_limit - state->act_size < line_len + 2) {
		state->err = CLEANUP_STAT_SIZE;
		msg_warn("%s: queue file size limit exceeded",
			 state->queue_id ? state->queue_id : "NOQUEUE");
	    } else {
		state->act_size += line_len + 2;
		if (out_record(out_stream, rec_type, line, line_len) < 0)
		    state->err = out_error;
	    }
	}
	prev_type = rec_type;
    }
    state->where = SMTPD_AFTER_EOM;
}
3641 
3642 /* common_post_message_handling - commit message or report error */
3643 
common_post_message_handling(SMTPD_STATE * state)3644 static int common_post_message_handling(SMTPD_STATE *state)
3645 {
3646     SMTPD_PROXY *proxy = state->proxy;
3647     const char *err;
3648     VSTRING *why = 0;
3649     int     saved_err;
3650     const CLEANUP_STAT_DETAIL *detail;
3651 
3652 #define IS_SMTP_REJECT(s) \
3653 	(((s)[0] == '4' || (s)[0] == '5') \
3654 	 && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
3655 	 && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))
3656 
3657     if (state->err == CLEANUP_STAT_OK
3658 	&& SMTPD_STAND_ALONE(state) == 0
3659 	&& (err = smtpd_check_eod(state)) != 0) {
3660 	smtpd_chat_reply(state, "%s", err);
3661 	if (proxy) {
3662 	    smtpd_proxy_close(state);
3663 	} else {
3664 	    mail_stream_cleanup(state->dest);
3665 	    state->dest = 0;
3666 	    state->cleanup = 0;
3667 	}
3668 	return (-1);
3669     }
3670 
3671     /*
3672      * Send the end of DATA and finish the proxy connection. Set the
3673      * CLEANUP_STAT_PROXY error flag in case of trouble.
3674      */
3675     if (proxy) {
3676 	if (state->err == CLEANUP_STAT_OK) {
3677 	    (void) proxy->cmd(state, SMTPD_PROX_WANT_ANY, ".");
3678 	    if (state->err == CLEANUP_STAT_OK &&
3679 		*STR(proxy->reply) != '2')
3680 		state->err = CLEANUP_STAT_CONT;
3681 	}
3682     }
3683 
3684     /*
3685      * Flush out access table actions that are delegated to the cleanup
3686      * server. There is similar code at the beginning of the DATA command.
3687      *
3688      * Send the end-of-segment markers and finish the queue file record stream.
3689      */
3690     else {
3691 	if (state->err == CLEANUP_STAT_OK) {
3692 	    rec_fputs(state->cleanup, REC_TYPE_XTRA, "");
3693 	    if (state->saved_filter)
3694 		rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s",
3695 			    state->saved_filter);
3696 	    if (state->saved_redirect)
3697 		rec_fprintf(state->cleanup, REC_TYPE_RDR, "%s",
3698 			    state->saved_redirect);
3699 	    if (state->saved_bcc) {
3700 		char  **cpp;
3701 
3702 		for (cpp = state->saved_bcc->argv; *cpp; cpp++) {
3703 		    rec_fprintf(state->cleanup, REC_TYPE_RCPT, "%s",
3704 				*cpp);
3705 		    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
3706 				MAIL_ATTR_DSN_NOTIFY, DSN_NOTIFY_NEVER);
3707 		}
3708 	    }
3709 	    if (state->saved_flags)
3710 		rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
3711 			    state->saved_flags);
3712 #ifdef DELAY_ACTION
3713 	    if (state->saved_delay)
3714 		rec_fprintf(state->cleanup, REC_TYPE_DELAY, "%d",
3715 			    state->saved_delay);
3716 #endif
3717 	    if (vstream_ferror(state->cleanup))
3718 		state->err = CLEANUP_STAT_WRITE;
3719 	}
3720 	if (state->err == CLEANUP_STAT_OK)
3721 	    if (rec_fputs(state->cleanup, REC_TYPE_END, "") < 0
3722 		|| vstream_fflush(state->cleanup))
3723 		state->err = CLEANUP_STAT_WRITE;
3724 	if (state->err == 0) {
3725 	    why = vstring_alloc(10);
3726 	    state->err = mail_stream_finish(state->dest, why);
3727 	    if (IS_SMTP_REJECT(STR(why)))
3728 		printable_except(STR(why), ' ', "\r\n");
3729 	    else
3730 		printable(STR(why), ' ');
3731 	} else
3732 	    mail_stream_cleanup(state->dest);
3733 	state->dest = 0;
3734 	state->cleanup = 0;
3735     }
3736 
3737     /*
3738      * XXX If we lose the cleanup server while it is editing a queue file,
3739      * the Postfix SMTP server will be out of sync with Milter applications.
3740      * Sending an ABORT to the Milters is not sufficient to restore
3741      * synchronization, because there may be any number of Milter replies
3742      * already in flight. Destroying and recreating the Milters (and faking
3743      * the connect and ehlo events) is too much trouble for testing and
3744      * maintenance. Workaround: force the Postfix SMTP server to hang up with
3745      * a 421 response in the rare case that the cleanup server breaks AND
3746      * that the remote SMTP client continues the session after end-of-data.
3747      *
3748      * XXX Should use something other than CLEANUP_STAT_WRITE when we lose
3749      * contact with the cleanup server. This requires changes to the
3750      * mail_stream module and its users (smtpd, qmqpd, perhaps sendmail).
3751      *
3752      * XXX See exception below in code that overrides state->access_denied for
3753      * compliance with RFC 2821 Sec 3.1.
3754      */
3755     if (state->milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0)
3756 	state->access_denied = mystrdup("421 4.3.0 Mail system error");
3757 
3758     /*
3759      * Handle any errors. One message may suffer from multiple errors, so
3760      * complain only about the most severe error. Forgive any previous client
3761      * errors when a message was received successfully.
3762      *
3763      * See also: qmqpd.c
3764      */
3765     if (state->err == CLEANUP_STAT_OK) {
3766 	state->error_count = 0;
3767 	state->error_mask = 0;
3768 	state->junk_cmds = 0;
3769 	if (proxy)
3770 	    smtpd_chat_reply(state, "%s", STR(proxy->reply));
3771 	else if (SMTPD_PROCESSING_BDAT(state))
3772 	    smtpd_chat_reply(state,
3773 			     "250 2.0.0 Ok: %ld bytes queued as %s",
3774 			     (long) state->act_size, state->queue_id);
3775 	else
3776 	    smtpd_chat_reply(state,
3777 			     "250 2.0.0 Ok: queued as %s", state->queue_id);
3778     } else if (why && IS_SMTP_REJECT(STR(why))) {
3779 	state->error_mask |= MAIL_ERROR_POLICY;
3780 	smtpd_chat_reply(state, "%s", STR(why));
3781     } else if ((state->err & CLEANUP_STAT_DEFER) != 0) {
3782 	state->error_mask |= MAIL_ERROR_POLICY;
3783 	detail = cleanup_stat_detail(CLEANUP_STAT_DEFER);
3784 	if (why && LEN(why) > 0) {
3785 	    /* Allow address-specific DSN status in header/body_checks. */
3786 	    smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
3787 	} else {
3788 	    smtpd_chat_reply(state, "%d %s Error: %s",
3789 			     detail->smtp, detail->dsn, detail->text);
3790 	}
3791     } else if ((state->err & CLEANUP_STAT_BAD) != 0) {
3792 	state->error_mask |= MAIL_ERROR_SOFTWARE;
3793 	detail = cleanup_stat_detail(CLEANUP_STAT_BAD);
3794 	smtpd_chat_reply(state, "%d %s Error: internal error %d",
3795 			 detail->smtp, detail->dsn, state->err);
3796     } else if ((state->err & CLEANUP_STAT_SIZE) != 0) {
3797 	state->error_mask |= MAIL_ERROR_BOUNCE;
3798 	detail = cleanup_stat_detail(CLEANUP_STAT_SIZE);
3799 	smtpd_chat_reply(state, "%d %s Error: %s",
3800 			 detail->smtp, detail->dsn, detail->text);
3801     } else if ((state->err & CLEANUP_STAT_HOPS) != 0) {
3802 	state->error_mask |= MAIL_ERROR_BOUNCE;
3803 	detail = cleanup_stat_detail(CLEANUP_STAT_HOPS);
3804 	smtpd_chat_reply(state, "%d %s Error: %s",
3805 			 detail->smtp, detail->dsn, detail->text);
3806     } else if ((state->err & CLEANUP_STAT_CONT) != 0) {
3807 	state->error_mask |= MAIL_ERROR_POLICY;
3808 	detail = cleanup_stat_detail(CLEANUP_STAT_CONT);
3809 	if (proxy) {
3810 	    smtpd_chat_reply(state, "%s", STR(proxy->reply));
3811 	} else if (why && LEN(why) > 0) {
3812 	    /* Allow address-specific DSN status in header/body_checks. */
3813 	    smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
3814 	} else {
3815 	    smtpd_chat_reply(state, "%d %s Error: %s",
3816 			     detail->smtp, detail->dsn, detail->text);
3817 	}
3818     } else if ((state->err & CLEANUP_STAT_WRITE) != 0) {
3819 	state->error_mask |= MAIL_ERROR_RESOURCE;
3820 	detail = cleanup_stat_detail(CLEANUP_STAT_WRITE);
3821 	smtpd_chat_reply(state, "%d %s Error: %s",
3822 			 detail->smtp, detail->dsn, detail->text);
3823     } else if ((state->err & CLEANUP_STAT_PROXY) != 0) {
3824 	state->error_mask |= MAIL_ERROR_SOFTWARE;
3825 	smtpd_chat_reply(state, "%s", STR(proxy->reply));
3826     } else {
3827 	state->error_mask |= MAIL_ERROR_SOFTWARE;
3828 	detail = cleanup_stat_detail(CLEANUP_STAT_BAD);
3829 	smtpd_chat_reply(state, "%d %s Error: internal error %d",
3830 			 detail->smtp, detail->dsn, state->err);
3831     }
3832 
3833     /*
3834      * By popular command: the proxy's end-of-data reply.
3835      */
3836     if (proxy)
3837 	msg_info("proxy-%s: %s: %s;%s",
3838 		 (state->err == CLEANUP_STAT_OK) ? "accept" : "reject",
3839 		 state->where, STR(proxy->reply), smtpd_whatsup(state));
3840 
3841     /*
3842      * Cleanup. The client may send another MAIL command.
3843      */
3844     saved_err = state->err;
3845     chat_reset(state, var_smtpd_hist_thrsh);
3846     mail_reset(state);
3847     rcpt_reset(state);
3848     if (why)
3849 	vstring_free(why);
3850     return (saved_err);
3851 }
3852 
/* skip_bdat - skip content and respond to BDAT error */

/*
 * Drain the payload that the client announced with "BDAT count", send the
 * error reply given by format/..., and leave the transaction in a state
 * that keeps the server in sync with a pipelining client. Always returns
 * -1 so that callers can "return skip_bdat(...)" on any error path.
 *
 * Security note: the discard loop is bounded only by chunk_size, which is
 * chosen by the remote client, and the existing TODO above still applies
 * (no overload-based disconnect here). What does bound it is the stream
 * itself: smtp_fread_buf() long-jumps on EOF or timeout, and the caller
 * arms those deadlines with smtp_stream_setup() before calling us.
 */

static int skip_bdat(SMTPD_STATE *state, off_t chunk_size,
		             bool final_chunk, const char *format,...)
{
    off_t   remaining = chunk_size;
    va_list ap;

    /*
     * Read and discard the chunk one buffer-sized fragment at a time. TODO:
     * drop the connection in case of overload.
     */
    while (remaining > 0) {
	off_t   fragment = remaining;

	if (fragment > VSTREAM_BUFSIZE)
	    fragment = VSTREAM_BUFSIZE;
	smtp_fread_buf(state->buffer, fragment, state->client);
	remaining -= fragment;
    }

    /*
     * Only now send the reply: the payload had to be consumed first, or the
     * next "command" we read would be message content.
     */
    va_start(ap, format);
    vsmtpd_chat_reply(state, format, ap);
    va_end(ap);

    /*
     * BDAT LAST ends the transaction; otherwise remember the failure so
     * that subsequent BDAT payloads are discarded until BDAT LAST or RSET.
     */
    if (final_chunk) {
	mail_reset(state);
    } else {
	state->bdat_state = SMTPD_BDAT_STAT_ERROR;
    }
    return (-1);
}
3888 
/* bdat_cmd - process BDAT command */

/*
 * Handle one "BDAT count [LAST]" command (CHUNKING, RFC 3030).
 *
 * Arguments: state is the per-session SMTP server state; argc/argv are the
 * tokenized command line, argv[1] the byte count and optional argv[2] the
 * literal "LAST".
 *
 * Returns 0 after a successful non-final chunk, the result of
 * common_post_message_handling() after BDAT LAST, and -1 on any error. The
 * two "hang up" errors at the top reply without draining the payload; every
 * later error path goes through skip_bdat(), which drains the announced
 * count first so that the server stays in sync with a pipelining client.
 *
 * Note for reviewers: the chunk is streamed in fragments of at most
 * VSTREAM_BUFSIZE and split into typed records, so a large client-chosen
 * count never has to be held in memory at once; the message size limit is
 * enforced both before reading (whole chunk) and per line while writing.
 */

static int bdat_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    SMTPD_PROXY *proxy;
    const char *err;
    off_t   chunk_size;
    bool    final_chunk;
    off_t   done;
    off_t   read_len;
    char   *start;
    int     len;
    int     curr_rec_type;
    int     (*out_record) (VSTREAM *, int, const char *, ssize_t);
    int     (*out_fprintf) (VSTREAM *, int, const char *,...);
    VSTREAM *out_stream;
    int     out_error;

    /*
     * Hang up if the BDAT command is disabled. The next input would be raw
     * message content and that would trigger lots of command errors.
     */
    if (state->ehlo_discard_mask & EHLO_MASK_CHUNKING) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "521 5.5.1 Error: command not implemented");
	return (-1);
    }

    /*
     * Hang up if the BDAT command is malformed. The next input would be raw
     * message content and that would trigger lots of command errors.
     *
     * final_chunk is assigned inside the condition: when argc is out of
     * range the short-circuit returns before it is read, so it is set on
     * every path that continues past this check. A negative count from
     * off_cvt_string() is treated as a syntax error, so chunk_size >= 0 from
     * here on.
     */
    if (argc < 2 || argc > 3 || !alldig(argv[1].strval)
	|| (chunk_size = off_cvt_string(argv[1].strval)) < 0
	|| ((final_chunk = (argc == 3))
	    && strcasecmp(argv[2].strval, "LAST") != 0)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	msg_warn("%s: malformed BDAT command syntax from %s: %.100s",
		 state->queue_id ? state->queue_id : "NOQUEUE",
		 state->namaddr, printable(vstring_str(state->buffer), '?'));
	smtpd_chat_reply(state, "521 5.5.4 Syntax: BDAT count [LAST]");
	return (-1);
    }

    /*
     * If deadlines are enabled, increase the time budget as message content
     * arrives. These deadlines are also what bounds the skip_bdat() drain
     * loops below, since smtp_fread_buf() long-jumps on timeout.
     */
    smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_req_deadline,
		      var_smtpd_min_data_rate);

    /*
     * Block abuse involving empty chunks (alternatively, we could count
     * "BDAT 0" as a "NOOP", but then we would have to refactor the code that
     * enforces the junk command limit). Clients that send a message as a
     * sequence of "BDAT 1" should not be a problem: the Postfix BDAT
     * implementation should be efficient enough to handle that.
     */
    if (chunk_size == 0 && !final_chunk) {
	msg_warn("%s: null BDAT request from %s",
		 state->queue_id ? state->queue_id : "NOQUEUE",
		 state->namaddr);
	return skip_bdat(state, chunk_size, final_chunk,
			 "551 5.7.1 Null BDAT request");
    }

    /*
     * BDAT commands may be pipelined within a MAIL transaction. After a BDAT
     * request fails, keep accepting BDAT requests and skipping BDAT payloads
     * to maintain synchronization with the remote SMTP client, until the
     * client sends BDAT LAST or RSET.
     */
    if (state->bdat_state == SMTPD_BDAT_STAT_ERROR)
	return skip_bdat(state, chunk_size, final_chunk,
			 "551 5.0.0 Discarded %ld bytes after earlier error",
			 (long) chunk_size);

    /*
     * Special handling for the first BDAT command in a MAIL transaction,
     * treating it as a kind of "DATA" command for the purpose of policy
     * evaluation. The checks below run in the same order as for DATA:
     * recipients, smtpd_check_data() access policy, Milter DATA event, and
     * finally the proxy filter's opinion.
     */
    if (!SMTPD_PROCESSING_BDAT(state)) {

	/*
	 * With ESMTP command pipelining a client may send BDAT before the
	 * server has replied to all RCPT commands. For this reason we cannot
	 * treat BDAT without valid recipients as a protocol error.  Worse,
	 * RFC 3030 does not discuss the role of BDAT commands in RFC 2920
	 * command groups (batches of commands that may be sent without
	 * waiting for a response to each individual command). Therefore we
	 * have to allow for clients that pipeline the entire SMTP session
	 * after EHLO, including multiple MAIL transactions.
	 */
	if (state->rcpt_count == 0) {
	    if (!SMTPD_IN_MAIL_TRANSACTION(state)) {
		/* TODO: maybe remove this from the DATA and BDAT handlers. */
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		return skip_bdat(state, chunk_size, final_chunk,
				 "503 5.5.1 Error: need RCPT command");
	    } else {
		return skip_bdat(state, chunk_size, final_chunk,
				 "554 5.5.1 Error: no valid recipients");
	    }
	}
	if (SMTPD_STAND_ALONE(state) == 0
	    && (err = smtpd_check_data(state)) != 0) {
	    return skip_bdat(state, chunk_size, final_chunk, "%s", err);
	}
	if (state->milters != 0
	    && (state->saved_flags & MILTER_SKIP_FLAGS) == 0
	    && (err = milter_data_event(state->milters)) != 0
	    && (err = check_milter_reply(state, err)) != 0) {
	    return skip_bdat(state, chunk_size, final_chunk, "%s", err);
	}
	proxy = state->proxy;
	if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_MORE,
				     SMTPD_CMD_DATA) != 0) {
	    return skip_bdat(state, chunk_size, final_chunk,
			     "%s", STR(proxy->reply));
	}
    }

    /*
     * Block too large chunks. The comparison is written as a subtraction so
     * that the client-chosen chunk_size is never added to act_size before
     * the check (the sum could overflow; the difference cannot underflow as
     * long as var_message_limit is non-negative, which ENFORCING_SIZE_LIMIT
     * presumably guarantees - TODO confirm).
     */
    if (ENFORCING_SIZE_LIMIT(var_message_limit)
	&& state->act_size > var_message_limit - chunk_size) {
	state->error_mask |= MAIL_ERROR_POLICY;
	msg_warn("%s: BDAT request from %s exceeds message size limit",
		 state->queue_id ? state->queue_id : "NOQUEUE",
		 state->namaddr);
	return skip_bdat(state, chunk_size, final_chunk,
			 "552 5.3.4 Chunk exceeds message size limit");
    }

    /*
     * One level of indirection to choose between normal or proxied
     * operation. We want to avoid massive code duplication within tons of
     * if-else clauses. TODO: store this in its own data structure, or in
     * SMTPD_STATE.
     *
     * out_error is the CLEANUP_STAT_* code recorded in state->err when a
     * write through out_record() fails; it selects the reply that
     * common_post_message_handling() sends later.
     */
    proxy = state->proxy;
    if (proxy) {
	out_stream = proxy->stream;
	out_record = proxy->rec_put;
	out_fprintf = proxy->rec_fprintf;
	out_error = CLEANUP_STAT_PROXY;
    } else {
	out_stream = state->cleanup;
	out_record = rec_put;
	out_fprintf = rec_fprintf;
	out_error = CLEANUP_STAT_WRITE;
    }
    if (!SMTPD_PROCESSING_BDAT(state)) {
	common_pre_message_handling(state, out_record, out_fprintf,
				    out_stream, out_error);
	/* Line buffer persists across chunks: a line may span BDAT commands. */
	if (state->bdat_get_buffer == 0)
	    state->bdat_get_buffer = vstring_alloc(VSTREAM_BUFSIZE);
	else
	    VSTRING_RESET(state->bdat_get_buffer);
	state->bdat_prev_rec_type = 0;
    }
    state->bdat_state = SMTPD_BDAT_STAT_OK;
    state->where = SMTPD_AFTER_BDAT;

    /*
     * Copy the message content. If the cleanup process has a problem, keep
     * reading until the remote stops sending, then complain. Produce typed
     * records from the SMTP stream so we can handle data that spans buffers.
     */

    /*
     * Instead of reading the entire BDAT chunk into memory, read the chunk
     * one fragment at a time. The loops below always make one iteration, to
     * avoid code duplication for the "BDAT 0 LAST" case (empty chunk).
     */
    done = 0;
    do {
	int     payload_err;

	/*
	 * Do not skip the smtp_fread_buf() call if read_len == 0. We still
	 * need the side effects which include resetting the buffer write
	 * position. Skipping the call would invalidate the buffer state.
	 *
	 * Caution: smtp_fread_buf() will long jump after EOF or timeout.
	 */
	if ((read_len = chunk_size - done) > VSTREAM_BUFSIZE)
	    read_len = VSTREAM_BUFSIZE;
	smtp_fread_buf(state->buffer, read_len, state->client);
	/*
	 * Wrap the fragment in a read-only memory stream so that the line
	 * reader below can be reused unchanged. Any exception raised on the
	 * memory stream is re-raised on the client stream, so the session's
	 * normal error handling still applies.
	 */
	state->bdat_get_stream = vstream_memreopen(
			   state->bdat_get_stream, state->buffer, O_RDONLY);
	vstream_control(state->bdat_get_stream, CA_VSTREAM_CTL_EXCEPT,
			CA_VSTREAM_CTL_END);
	if ((payload_err = vstream_setjmp(state->bdat_get_stream)) != 0)
	    vstream_longjmp(state->client, payload_err);

	/*
	 * Read lines from the fragment. The last line may continue in the
	 * next fragment, or in the next chunk.
	 */
	do {
	    if (smtp_get_noexcept(state->bdat_get_buffer,
				  state->bdat_get_stream,
				  var_line_limit,
				  SMTP_GET_FLAG_APPEND) == '\n') {
		/* Stopped at end-of-line. */
		curr_rec_type = REC_TYPE_NORM;
	    } else if (!vstream_feof(state->bdat_get_stream)) {
		/* Stopped at var_line_limit. */
		curr_rec_type = REC_TYPE_CONT;
	    } else if (VSTRING_LEN(state->bdat_get_buffer) > 0
		       && final_chunk && read_len == chunk_size - done) {
		/* Stopped at final chunk end; handle missing end-of-line. */
		/* (read_len == chunk_size - done: this is the chunk's last fragment.) */
		curr_rec_type = REC_TYPE_NORM;
	    } else {
		/* Stopped at fragment end; empty buffer or not at chunk end. */
		/* Skip the out_record() and VSTRING_RESET() calls below. */
		break;
	    }
	    start = vstring_str(state->bdat_get_buffer);
	    /* len is bounded by var_line_limit via smtp_get_noexcept(). */
	    len = VSTRING_LEN(state->bdat_get_buffer);
	    /*
	     * Once state->err is set, nothing more is written: the loop only
	     * keeps draining the client's input, as announced above.
	     */
	    if (state->err == CLEANUP_STAT_OK) {
		/* Per-line size accounting; the +2 matches the DATA path - TODO confirm. */
		if (ENFORCING_SIZE_LIMIT(var_message_limit)
		    && var_message_limit - state->act_size < len + 2) {
		    state->err = CLEANUP_STAT_SIZE;
		    msg_warn("%s: queue file size limit exceeded",
			     state->queue_id ? state->queue_id : "NOQUEUE");
		} else {
		    state->act_size += len + 2;
		    /*
		     * Proxy only: a line that starts with '.' gets a leading
		     * '.' continuation record, unless the line is itself the
		     * continuation of a longer line (presumably SMTP
		     * dot-stuffing towards the proxied server - TODO confirm).
		     */
		    if (*start == '.' && proxy != 0
			&& state->bdat_prev_rec_type != REC_TYPE_CONT)
			if (out_record(out_stream, REC_TYPE_CONT, ".", 1) < 0)
			    state->err = out_error;
		    if (state->err == CLEANUP_STAT_OK
			&& out_record(out_stream, curr_rec_type,
				      vstring_str(state->bdat_get_buffer),
				   VSTRING_LEN(state->bdat_get_buffer)) < 0)
			state->err = out_error;
		}
	    }
	    VSTRING_RESET(state->bdat_get_buffer);
	    state->bdat_prev_rec_type = curr_rec_type;
	} while (!vstream_feof(state->bdat_get_stream));
	done += read_len;
    } while (done < chunk_size);

    /*
     * Special handling for BDAT LAST (successful or unsuccessful).
     */
    if (final_chunk) {
	state->where = SMTPD_AFTER_EOM;
	return common_post_message_handling(state);
    }

    /*
     * Unsuccessful non-final BDAT command. common_post_message_handling()
     * resets all MAIL transaction state including BDAT state. To avoid
     * useless error messages due to pipelined BDAT commands, enter the
     * SMTPD_BDAT_STAT_ERROR state to accept BDAT commands and skip BDAT
     * payloads.
     */
    else if (state->err != CLEANUP_STAT_OK) {
	/* NOT: state->where = SMTPD_AFTER_EOM; */
	(void) common_post_message_handling(state);
	state->bdat_state = SMTPD_BDAT_STAT_ERROR;
	return (-1);
    }

    /*
     * Successful non-final BDAT command.
     */
    else {
	smtpd_chat_reply(state, "250 2.0.0 Ok: %ld bytes", (long) chunk_size);
	return (0);
    }
}
4164 
/* rset_cmd - process RSET */

/*
 * Abort the current MAIL transaction (if any) and return the session to
 * the state right after HELO/EHLO. RSET takes no parameters; anything
 * else is answered with a syntax error. Returns 0 on success, -1 on error.
 */

static int rset_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    if (argc == 1) {
	/*
	 * Drop chat history, sender/recipient state and any open queue
	 * file, in that order, then acknowledge.
	 */
	chat_reset(state, var_smtpd_hist_thrsh);
	mail_reset(state);
	rcpt_reset(state);
	smtpd_chat_reply(state, "250 2.0.0 Ok");
	return (0);
    }

    /*
     * Unexpected parameter(s): protocol error, nothing is reset.
     */
    state->error_mask |= MAIL_ERROR_PROTOCOL;
    smtpd_chat_reply(state, "501 5.5.4 Syntax: RSET");
    return (-1);
}
4188 
/* noop_cmd - process NOOP */

/*
 * Answer a NOOP command. Returns 0, or -1 when the build enforces RFC 821
 * syntax and the command carried a parameter.
 *
 * XXX 2821 incompatibility: Section 4.1.1.9 says that NOOP can have a
 * parameter string which is to be ignored. NOOP instructions with
 * parameters? Go figure.
 *
 * RFC 2821 violates RFC 821, which says that NOOP takes no parameters.
 */

static int noop_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
#ifdef RFC821_SYNTAX
    /* RFC 821 form: no parameters allowed. */
    int     syntax_ok = (argc == 1);

#else
    /* RFC 2821 form: any parameter string is silently ignored. */
    int     syntax_ok = 1;

#endif

    if (!syntax_ok) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: NOOP");
	return (-1);
    }
    smtpd_chat_reply(state, "250 2.0.0 Ok");
    return (0);
}
4215 
/* vrfy_cmd - process VRFY */

/*
 * Handle "VRFY address [SMTPUTF8]".
 *
 * Arguments: state is the per-session SMTP server state; argc/argv are the
 * tokenized command line. Returns 0 after a 252 reply, -1 otherwise.
 *
 * VRFY is the classic address-harvesting vector (see the XXX discussion
 * below). The defenses visible in this function are, in order: the
 * var_disable_vrfy_cmd kill switch, the per-client recipient rate limit
 * shared with RCPT (anvil), a Milter veto, the recipient restrictions
 * applied to the unquoted address, and finally a non-committal 252 reply
 * that echoes the client's own token rather than confirming anything.
 */

static int vrfy_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err = 0;
    int     rate;
    int     smtputf8 = 0;
    int     saved_flags;

    /*
     * The SMTP standard (RFC 821) disallows unquoted special characters in
     * the VRFY argument. Common practice violates the standard, however.
     * Postfix accommodates common practice where it violates the standard.
     *
     * XXX Impedance mismatch! The SMTP command tokenizer preserves quoting,
     * whereas the recipient restrictions checks expect unquoted (internal)
     * address forms. Therefore we must parse out the address, or we must
     * stop doing recipient restriction checks and lose the opportunity to
     * say "user unknown" at the SMTP port.
     *
     * XXX 2821 incompatibility and brain damage: Section 4.5.1 requires that
     * VRFY is implemented. RFC 821 specifies that VRFY is optional. It gets
     * even worse: section 3.5.3 says that a 502 (command recognized but not
     * implemented) reply is not fully compliant.
     *
     * Thus, an RFC 2821 compliant implementation cannot refuse to supply
     * information in reply to VRFY queries. That is simply bogus. The only
     * reply we could supply is a generic 252 reply. This causes spammers to
     * add tons of bogus addresses to their mailing lists (spam harvesting by
     * trying out large lists of potential recipient names with VRFY).
     */
#define SLOPPY	0

    /*
     * Operator kill switch: refuse VRFY outright before any parsing.
     */
    if (var_disable_vrfy_cmd) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "502 5.5.1 VRFY command is disabled");
	return (-1);
    }
    /* Fix 20140707: handle missing address. */
    /*
     * A trailing SMTPUTF8 token (RFC 6531) is honored only when SMTPUTF8
     * support is enabled and was not discarded from the EHLO response; it
     * is peeled off argc so the syntax check below sees only the address.
     */
    if (var_smtputf8_enable
	&& (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0
	&& argc > 1 && strcasecmp(argv[argc - 1].strval, "SMTPUTF8") == 0) {
	argc--;					/* RFC 6531 */
	smtputf8 = 1;
    }
    if (argc < 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address%s",
			 var_smtputf8_enable ? " [SMTPUTF8]" : "");
	return (-1);
    }

    /*
     * XXX The client event count/rate control must be consistent in its use
     * of client address information in connect and disconnect events. For
     * now we exclude xclient authorized hosts from event count/rate control.
     *
     * VRFY is counted against the same per-client recipient rate
     * (var_smtpd_crcpt_limit, anvil_clnt_rcpt()) as RCPT TO, so a client
     * cannot use VRFY to probe faster than it could with RCPT. Hosts on
     * hogger_list are exempt.
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& !xclient_allowed
	&& anvil_clnt
	&& var_smtpd_crcpt_limit > 0
	&& !namadr_list_match(hogger_list, state->name, state->addr)
	&& anvil_clnt_rcpt(anvil_clnt, state->service, state->anvil_range,
			   &rate) == ANVIL_STAT_OK
	&& rate > var_smtpd_crcpt_limit) {
	state->error_mask |= MAIL_ERROR_POLICY;
	msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
		 rate, state->namaddr, state->service);
	smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
			 state->addr);
	return (-1);
    }
    /* Only a 4xx or 5xx Milter reply vetoes the command; anything else is ignored. */
    if (state->milters != 0 && (err = milter_other_event(state->milters)) != 0
	&& (err[0] == '5' || err[0] == '4')) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }
    /* Re-join a multi-token argument into argv[1] before parsing it. */
    if (argc > 2)
	collapse_args(argc - 1, argv + 1);
    /*
     * extract_addr() leaves the unquoted, internal-form address in
     * state->addr_buf; that, not the raw token, is what the policy checks
     * below operate on.
     */
    if (extract_addr(state, argv + 1, REJECT_EMPTY_ADDR, SLOPPY, smtputf8) != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
	return (-1);
    }
    /* Fix 20140707: Check the VRFY command. */
    if (smtputf8 == 0 && var_strict_smtputf8) {
	if (*STR(state->addr_buf) && !allascii(STR(state->addr_buf))) {
	    mail_reset(state);
	    smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to send unicode address");
	    return (-1);
	}
    }
    /* Use state->addr_buf, with the unquoted result from extract_addr() */
    if (SMTPD_STAND_ALONE(state) == 0) {
	/* Fix 20161206: allow UTF8 in smtpd_recipient_restrictions. */
	/*
	 * The SMTPUTF8 flag is set only for the duration of this check and
	 * restored afterwards, so a VRFY cannot change the session's flags.
	 */
	saved_flags = state->flags;
	if (smtputf8)
	    state->flags |= SMTPD_FLAG_SMTPUTF8;
	err = smtpd_check_rcpt(state, STR(state->addr_buf));
	state->flags = saved_flags;
	if (err != 0) {
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }

    /*
     * XXX 2821 new feature: Section 3.5.1 requires that the VRFY response is
     * either "full name <user@domain>" or "user@domain". Postfix replies
     * with the string that was provided by the client, whether or not it is
     * in fully qualified domain form and the address is in <>.
     *
     * Reply code 250 is reserved for the case where the address is verified;
     * reply code 252 should be used when no definitive certainty exists.
     *
     * Note the reply echoes argv[1].strval as the client sent it; the
     * checked address lives in state->addr_buf and is not disclosed.
     */
    smtpd_chat_reply(state, "252 2.0.0 %s", argv[1].strval);
    return (0);
}
4335 
/* etrn_cmd - process ETRN command */

/*
 * Handle "ETRN domain" (RFC 1985): ask the fast flush service to start
 * delivery of queued mail for the named site.
 *
 * Arguments: state is the per-session SMTP server state; argc/argv are the
 * tokenized command line, argv[1] the domain (an optional leading '@' or
 * '#' is stripped in place). Returns 0 when queuing started, -1 otherwise.
 */

static int etrn_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;
    char   *domain;
    int     flush_status;

    /*
     * Session-level preconditions, in the same order as the other command
     * handlers: HELO/EHLO first (when required), Milter veto, and no MAIL
     * transaction may be open.
     */
    if (var_helo_required && state->helo_name == 0) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "503 Error: send HELO/EHLO first");
	return (-1);
    }
    if (state->milters != 0
	&& (err = milter_other_event(state->milters)) != 0
	&& (err[0] == '5' || err[0] == '4')) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }
    if (SMTPD_IN_MAIL_TRANSACTION(state)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "503 Error: MAIL transaction in progress");
	return (-1);
    }

    /*
     * Exactly one parameter. The '@'/'#' prefix is dropped from the token
     * itself, so everything downstream sees the stripped form.
     */
    if (argc != 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "500 Syntax: ETRN domain");
	return (-1);
    }
    switch (argv[1].strval[0]) {
    case '@':
    case '#':
	argv[1].strval++;
	break;
    default:
	break;
    }
    domain = argv[1].strval;

    /*
     * As an extension to RFC 1985 we also allow an RFC 2821 address literal
     * enclosed in [].
     *
     * XXX There does not appear to be an ETRN parameter to indicate that the
     * domain name is UTF-8.
     */
    if (!valid_hostname(domain, DONT_GRIPE)
	&& !valid_mailhost_literal(domain, DONT_GRIPE)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 Error: invalid parameter syntax");
	return (-1);
    }

    /*
     * XXX The implementation borrows heavily from the code that implements
     * UCE restrictions. These typically return 450 or 550 when a request is
     * rejected. RFC 1985 requires that 459 be sent when the server refuses
     * to perform the request.
     */
    if (SMTPD_STAND_ALONE(state)) {
	msg_warn("do not use ETRN in \"sendmail -bs\" mode");
	smtpd_chat_reply(state, "458 Unable to queue messages");
	return (-1);
    }
    if ((err = smtpd_check_etrn(state, domain)) != 0) {
	smtpd_chat_reply(state, "%s", err);
	return (-1);
    }

    /*
     * Hand the request to the fast flush service and map its status onto an
     * SMTP reply. Only FLUSH_STAT_OK is a success; a denied request is
     * logged with the (truncated) domain and the client name/address.
     */
    flush_status = flush_send_site(domain);
    if (flush_status == FLUSH_STAT_OK) {
	smtpd_chat_reply(state, "250 Queuing started");
	return (0);
    }
    if (flush_status == FLUSH_STAT_DENY) {
	msg_warn("reject: ETRN %.100s... from %s", domain, state->namaddr);
	smtpd_chat_reply(state, "459 <%s>: service unavailable", domain);
    } else if (flush_status == FLUSH_STAT_BAD) {
	msg_warn("bad ETRN %.100s... from %s", domain, state->namaddr);
	smtpd_chat_reply(state, "458 Unable to queue messages");
    } else {
	msg_warn("unable to talk to fast flush service");
	smtpd_chat_reply(state, "458 Unable to queue messages");
    }
    return (-1);
}
4418 
/* quit_cmd - process QUIT command */

/*
 * Send the 221 goodbye reply. The command's arguments are not checked.
 * Always returns 0.
 *
 * When the "." and quit replies are pipelined, make sure they are flushed
 * now, to avoid repeated mail deliveries in case of a crash in the "clean
 * up before disconnect" code.
 *
 * XXX When this was added in Postfix 2.1 we used vstream_fflush(). As of
 * Postfix 2.3 we use smtp_flush() for better error reporting.
 */

static int quit_cmd(SMTPD_STATE *state, int unused_argc, SMTPD_TOKEN *unused_argv)
{
    /*
     * Sample the output backlog BEFORE queuing the goodbye reply; what
     * matters is whether an earlier reply (e.g. the "." reply) is still
     * unflushed.
     */
    const int had_pending =
	(vstream_bufstat(state->client, VSTREAM_BST_OUT_PEND) > 0);

    smtpd_chat_reply(state, "221 2.0.0 Bye");
    if (had_pending)
	smtp_flush(state->client);
    return (0);
}
4442 
4443 /* xclient_cmd - override SMTP client attributes */
4444 
xclient_cmd(SMTPD_STATE * state,int argc,SMTPD_TOKEN * argv)4445 static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
4446 {
4447     SMTPD_TOKEN *argp;
4448     char   *raw_value;
4449     char   *attr_value;
4450     char   *attr_name;
4451     int     update_namaddr = 0;
4452     int     name_status;
4453     static const NAME_CODE peer_codes[] = {
4454 	XCLIENT_UNAVAILABLE, SMTPD_PEER_CODE_PERM,
4455 	XCLIENT_TEMPORARY, SMTPD_PEER_CODE_TEMP,
4456 	0, SMTPD_PEER_CODE_OK,
4457     };
4458     static const NAME_CODE proto_names[] = {
4459 	MAIL_PROTO_SMTP, 1,
4460 	MAIL_PROTO_ESMTP, 2,
4461 	0, -1,
4462     };
4463     int     got_helo = 0;
4464     int     got_proto = 0;
4465 
4466 #ifdef USE_SASL_AUTH
4467     int     got_login = 0;
4468     char   *saved_username;
4469 
4470 #endif
4471 
4472     /*
4473      * Sanity checks.
4474      *
4475      * XXX The XCLIENT command will override its own access control, so that
4476      * connection count/rate restrictions can be correctly simulated.
4477      */
4478     if (SMTPD_IN_MAIL_TRANSACTION(state)) {
4479 	state->error_mask |= MAIL_ERROR_PROTOCOL;
4480 	smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
4481 	return (-1);
4482     }
4483     if (argc < 2) {
4484 	state->error_mask |= MAIL_ERROR_PROTOCOL;
4485 	smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...",
4486 			 XCLIENT_CMD);
4487 	return (-1);
4488     }
4489     if (xclient_hosts && xclient_hosts->error)
4490 	cant_permit_command(state, XCLIENT_CMD);
4491     if (!xclient_allowed) {
4492 	state->error_mask |= MAIL_ERROR_POLICY;
4493 	smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
4494 	return (-1);
4495     }
4496 #define STREQ(x,y)	(strcasecmp((x), (y)) == 0)
4497 
4498     /*
4499      * Initialize.
4500      */
4501     if (state->expand_buf == 0)
4502 	state->expand_buf = vstring_alloc(100);
4503 
4504     /*
4505      * Iterate over all attribute=value elements.
4506      */
4507     for (argp = argv + 1; argp < argv + argc; argp++) {
4508 	attr_name = argp->strval;
4509 
4510 	if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) {
4511 	    state->error_mask |= MAIL_ERROR_PROTOCOL;
4512 	    smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected");
4513 	    return (-1);
4514 	}
4515 	if (strlen(raw_value) > 255) {
4516 	    state->error_mask |= MAIL_ERROR_PROTOCOL;
4517 	    smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long");
4518 	    return (-1);
4519 	}
4520 
4521 	/*
4522 	 * Backwards compatibility: Postfix prior to version 2.3 does not
4523 	 * xtext encode attribute values.
4524 	 */
4525 	attr_value = xtext_unquote(state->expand_buf, raw_value) ?
4526 	    STR(state->expand_buf) : raw_value;
4527 
4528 	/*
4529 	 * For safety's sake mask non-printable characters. We'll do more
4530 	 * specific censoring later.
4531 	 */
4532 	printable(attr_value, '?');
4533 
4534 #define UPDATE_STR(s, v) do { \
4535 	const char *_v = (v); \
4536 	if (s) myfree(s); \
4537 	(s) = (_v) ? mystrdup(_v) : 0; \
4538     } while(0)
4539 
4540 	/*
4541 	 * NAME=substitute SMTP client hostname (and reverse/forward name, in
4542 	 * case of success). Also updates the client hostname lookup status
4543 	 * code.
4544 	 */
4545 	if (STREQ(attr_name, XCLIENT_NAME)) {
4546 	    name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value);
4547 	    if (name_status != SMTPD_PEER_CODE_OK) {
4548 		attr_value = CLIENT_NAME_UNKNOWN;
4549 	    } else {
4550 		/* XXX EAI */
4551 		if (!valid_hostname(attr_value, DONT_GRIPE)) {
4552 		    state->error_mask |= MAIL_ERROR_PROTOCOL;
4553 		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4554 				     XCLIENT_NAME, attr_value);
4555 		    return (-1);
4556 		}
4557 	    }
4558 	    state->name_status = name_status;
4559 	    UPDATE_STR(state->name, attr_value);
4560 	    update_namaddr = 1;
4561 	    if (name_status == SMTPD_PEER_CODE_OK) {
4562 		UPDATE_STR(state->reverse_name, attr_value);
4563 		state->reverse_name_status = name_status;
4564 	    }
4565 	}
4566 
4567 	/*
4568 	 * REVERSE_NAME=substitute SMTP client reverse hostname. Also updates
4569 	 * the client reverse hostname lookup status code.
4570 	 */
4571 	else if (STREQ(attr_name, XCLIENT_REVERSE_NAME)) {
4572 	    name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value);
4573 	    if (name_status != SMTPD_PEER_CODE_OK) {
4574 		attr_value = CLIENT_NAME_UNKNOWN;
4575 	    } else {
4576 		/* XXX EAI */
4577 		if (!valid_hostname(attr_value, DONT_GRIPE)) {
4578 		    state->error_mask |= MAIL_ERROR_PROTOCOL;
4579 		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4580 				     XCLIENT_REVERSE_NAME, attr_value);
4581 		    return (-1);
4582 		}
4583 	    }
4584 	    state->reverse_name_status = name_status;
4585 	    UPDATE_STR(state->reverse_name, attr_value);
4586 	}
4587 
4588 	/*
4589 	 * ADDR=substitute SMTP client network address.
4590 	 */
4591 	else if (STREQ(attr_name, XCLIENT_ADDR)) {
4592 	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
4593 		attr_value = CLIENT_ADDR_UNKNOWN;
4594 		UPDATE_STR(state->addr, attr_value);
4595 		UPDATE_STR(state->rfc_addr, attr_value);
4596 	    } else {
4597 		neuter(attr_value, NEUTER_CHARACTERS, '?');
4598 		if (normalize_mailhost_addr(attr_value, &state->rfc_addr,
4599 					    &state->addr,
4600 					    &state->addr_family) < 0) {
4601 		    state->error_mask |= MAIL_ERROR_PROTOCOL;
4602 		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4603 				     XCLIENT_ADDR, attr_value);
4604 		    return (-1);
4605 		}
4606 	    }
4607 	    update_namaddr = 1;
4608 	}
4609 
4610 	/*
4611 	 * PORT=substitute SMTP client port number.
4612 	 */
4613 	else if (STREQ(attr_name, XCLIENT_PORT)) {
4614 	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
4615 		attr_value = CLIENT_PORT_UNKNOWN;
4616 	    } else {
4617 		if (!alldig(attr_value)
4618 		    || strlen(attr_value) > sizeof("65535") - 1) {
4619 		    state->error_mask |= MAIL_ERROR_PROTOCOL;
4620 		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4621 				     XCLIENT_PORT, attr_value);
4622 		    return (-1);
4623 		}
4624 	    }
4625 	    UPDATE_STR(state->port, attr_value);
4626 	    update_namaddr = 1;
4627 	}
4628 
4629 	/*
4630 	 * HELO=substitute SMTP client HELO parameter. Censor special
4631 	 * characters that could mess up message headers.
4632 	 */
4633 	else if (STREQ(attr_name, XCLIENT_HELO)) {
4634 	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
4635 		attr_value = CLIENT_HELO_UNKNOWN;
4636 	    } else {
4637 		if (strlen(attr_value) > VALID_HOSTNAME_LEN) {
4638 		    state->error_mask |= MAIL_ERROR_PROTOCOL;
4639 		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4640 				     XCLIENT_HELO, attr_value);
4641 		    return (-1);
4642 		}
4643 		neuter(attr_value, NEUTER_CHARACTERS, '?');
4644 	    }
4645 	    UPDATE_STR(state->helo_name, attr_value);
4646 	    got_helo = 1;
4647 	}
4648 
4649 	/*
4650 	 * PROTO=SMTP protocol name.
4651 	 */
4652 	else if (STREQ(attr_name, XCLIENT_PROTO)) {
4653 	    if (name_code(proto_names, NAME_CODE_FLAG_NONE, attr_value) < 0) {
4654 		state->error_mask |= MAIL_ERROR_PROTOCOL;
4655 		smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4656 				 XCLIENT_PROTO, attr_value);
4657 		return (-1);
4658 	    }
4659 	    UPDATE_STR(state->protocol, uppercase(attr_value));
4660 	    got_proto = 1;
4661 	}
4662 
4663 	/*
4664 	 * LOGIN=sasl_username. Sets the authentication method as XCLIENT.
4665 	 * This can be used even if SASL authentication is turned off in
4666 	 * main.cf. We can't make it easier than that.
4667 	 */
4668 #ifdef USE_SASL_AUTH
4669 	else if (STREQ(attr_name, XCLIENT_LOGIN)) {
4670 	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE) == 0) {
4671 		smtpd_sasl_auth_extern(state, attr_value, XCLIENT_CMD);
4672 		got_login = 1;
4673 	    }
4674 	}
4675 #endif
4676 
4677 	/*
4678 	 * DESTADDR=substitute SMTP server network address.
4679 	 */
4680 	else if (STREQ(attr_name, XCLIENT_DESTADDR)) {
4681 	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
4682 		attr_value = SERVER_ADDR_UNKNOWN;
4683 		UPDATE_STR(state->dest_addr, attr_value);
4684 	    } else {
4685 #define NO_NORM_RFC_ADDR		((char **) 0)
4686 #define NO_NORM_ADDR_FAMILY	((int *) 0)
4687 		neuter(attr_value, NEUTER_CHARACTERS, '?');
4688 		if (normalize_mailhost_addr(attr_value, NO_NORM_RFC_ADDR,
4689 					    &state->dest_addr,
4690 					    NO_NORM_ADDR_FAMILY) < 0) {
4691 		    state->error_mask |= MAIL_ERROR_PROTOCOL;
4692 		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4693 				     XCLIENT_DESTADDR, attr_value);
4694 		    return (-1);
4695 		}
4696 	    }
4697 	    /* XXX Require same address family as client address. */
4698 	}
4699 
4700 	/*
4701 	 * DESTPORT=substitute SMTP server port number.
4702 	 */
4703 	else if (STREQ(attr_name, XCLIENT_DESTPORT)) {
4704 	    if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
4705 		attr_value = SERVER_PORT_UNKNOWN;
4706 	    } else {
4707 		if (!alldig(attr_value)
4708 		    || strlen(attr_value) > sizeof("65535") - 1) {
4709 		    state->error_mask |= MAIL_ERROR_PROTOCOL;
4710 		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
4711 				     XCLIENT_DESTPORT, attr_value);
4712 		    return (-1);
4713 		}
4714 	    }
4715 	    UPDATE_STR(state->dest_port, attr_value);
4716 	}
4717 
4718 	/*
4719 	 * Unknown attribute name. Complain.
4720 	 */
4721 	else {
4722 	    state->error_mask |= MAIL_ERROR_PROTOCOL;
4723 	    smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s",
4724 			     XCLIENT_CMD, attr_name);
4725 	    return (-1);
4726 	}
4727     }
4728 
4729     /*
4730      * Update the combined name and address when either has changed.
4731      */
4732     if (update_namaddr) {
4733 	if (state->namaddr)
4734 	    myfree(state->namaddr);
4735 	state->namaddr =
4736 	    SMTPD_BUILD_NAMADDRPORT(state->name, state->addr, state->port);
4737     }
4738 
4739     /*
4740      * XXX Compatibility: when the client issues XCLIENT then we have to go
4741      * back to initial server greeting stage, otherwise we can't correctly
4742      * simulate smtpd_client_restrictions (with smtpd_delay_reject=0) and
4743      * Milter connect restrictions.
4744      *
4745      * XXX Compatibility: for accurate simulation we must also reset the HELO
4746      * information. We keep the information if it was specified in the
4747      * XCLIENT command.
4748      *
4749      * XXX The client connection count/rate control must be consistent in its
4750      * use of client address information in connect and disconnect events. We
4751      * re-evaluate xclient so that we correctly simulate connection
4752      * concurrency and connection rate restrictions.
4753      *
4754      * XXX Duplicated from smtpd_proto().
4755      */
4756     xclient_allowed =
4757 	namadr_list_match(xclient_hosts, state->name, state->addr);
4758     smtp_forbid_bare_lf = SMTPD_STAND_ALONE((state)) == 0
4759 	&& var_smtpd_forbid_bare_lf
4760 	&& !namadr_list_match(bare_lf_excl, state->name, state->addr);
4761     /* NOT: tls_reset() */
4762     if (got_helo == 0)
4763 	helo_reset(state);
4764     if (got_proto == 0 && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) {
4765 	myfree(state->protocol);
4766 	state->protocol = mystrdup(MAIL_PROTO_SMTP);
4767     }
4768 #ifdef USE_SASL_AUTH
4769     /* XXX What if they send the parameters via multiple commands? */
4770     if (got_login == 0)
4771 	smtpd_sasl_auth_reset(state);
4772     if (smtpd_sasl_is_active(state)) {
4773 	if (got_login)
4774 	    saved_username = mystrdup(state->sasl_username);
4775 	smtpd_sasl_deactivate(state);
4776 #ifdef USE_TLS
4777 	if (state->tls_context != 0)		/* TLS from XCLIENT proxy? */
4778 	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
4779 				var_smtpd_sasl_tls_opts);
4780 	else
4781 #endif
4782 	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
4783 				var_smtpd_sasl_opts);
4784 	if (got_login) {
4785 	    smtpd_sasl_auth_extern(state, saved_username, XCLIENT_CMD);
4786 	    myfree(saved_username);
4787 	}
4788     }
4789 #endif
4790     chat_reset(state, 0);
4791     mail_reset(state);
4792     rcpt_reset(state);
4793     if (state->milters)
4794 	milter_disc_event(state->milters);
4795     /* Following duplicates the top-level connect/disconnect handler. */
4796     teardown_milters(state);
4797     setup_milters(state);
4798     vstream_longjmp(state->client, SMTP_ERR_NONE);
4799     return (0);
4800 }
4801 
4802 /* xforward_cmd - forward logging attributes */
4803 
static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    SMTPD_TOKEN *argp;
    char   *raw_value;
    char   *attr_value;
    char   *attr_name;
    int     updated = 0;			/* SMTPD_STATE_XFORWARD_* bits accepted so far */
    static const NAME_CODE xforward_flags[] = {
	XFORWARD_NAME, SMTPD_STATE_XFORWARD_NAME,
	XFORWARD_ADDR, SMTPD_STATE_XFORWARD_ADDR,
	XFORWARD_PORT, SMTPD_STATE_XFORWARD_PORT,
	XFORWARD_PROTO, SMTPD_STATE_XFORWARD_PROTO,
	XFORWARD_HELO, SMTPD_STATE_XFORWARD_HELO,
	XFORWARD_IDENT, SMTPD_STATE_XFORWARD_IDENT,
	XFORWARD_DOMAIN, SMTPD_STATE_XFORWARD_DOMAIN,
	0, 0,				/* unknown name -> 0 -> "default:" below */
    };
    static const char *context_name[] = {
	MAIL_ATTR_RWR_LOCAL,		/* Postfix internal form */
	MAIL_ATTR_RWR_REMOTE,		/* Postfix internal form */
    };
    static const NAME_CODE xforward_to_context[] = {
	XFORWARD_DOM_LOCAL, 0,		/* XFORWARD representation */
	XFORWARD_DOM_REMOTE, 1,		/* XFORWARD representation */
	0, -1,
    };
    int     flag;
    int     context_code;

    /*
     * XFORWARD lets a trusted up-stream MTA or proxy hand us the original
     * client's name, address, port, HELO, protocol, queue ID and domain
     * context, so that logging and message headers describe that client
     * rather than the proxy. Unlike XCLIENT, this does not restart the
     * session or re-run access policy: the values are only stored in
     * state->xforward for later use.
     *
     * Trust model: the command is accepted only when xforward_allowed is set
     * (checked below); presumably that mirrors the xclient_allowed /
     * xclient_hosts computation in xclient_cmd() - confirm where
     * xforward_allowed is assigned. Everything that follows still treats
     * the values as hostile text: non-printable bytes are masked with
     * printable(), header/log-unsafe characters with neuter(), and the
     * structured fields (NAME, ADDR, PORT, DOMAIN) are syntax-checked.
     *
     * Returns 0 after a "250" reply, -1 after an error reply. An error on
     * the Nth attribute does not undo attributes 1..N-1 of the same
     * command: their state->xforward.* strings have already been replaced
     * by UPDATE_STR(), while the flag bits are recorded in
     * state->xforward.flags only after the loop completes.
     */

    /*
     * Sanity checks.
     */
    if (SMTPD_IN_MAIL_TRANSACTION(state)) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
	return (-1);
    }
    if (argc < 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...",
			 XFORWARD_CMD);
	return (-1);
    }
    /*
     * A broken xforward_hosts table must fail closed; cant_permit_command()
     * presumably does not return (same idiom as in xclient_cmd()).
     */
    if (xforward_hosts && xforward_hosts->error)
	cant_permit_command(state, XFORWARD_CMD);
    if (!xforward_allowed) {
	state->error_mask |= MAIL_ERROR_POLICY;
	smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
	return (-1);
    }

    /*
     * Initialize. The preset fills state->xforward with "unknown" values
     * the first time this command is seen in a session.
     */
    if (state->xforward.flags == 0)
	smtpd_xforward_preset(state);
    if (state->expand_buf == 0)
	state->expand_buf = vstring_alloc(100);

    /*
     * Iterate over all attribute=value elements.
     */
    for (argp = argv + 1; argp < argv + argc; argp++) {
	attr_name = argp->strval;

	/* split_at() terminates attr_name in place at the '='. */
	if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected");
	    return (-1);
	}
	/*
	 * Length bound on the raw, still xtext-encoded value. Decoding
	 * (+HH -> one byte) can only shrink it, so attr_value is bounded
	 * by the same 255 bytes.
	 */
	if (strlen(raw_value) > 255) {
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long");
	    return (-1);
	}

	/*
	 * Backwards compatibility: Postfix prior to version 2.3 does not
	 * xtext encode attribute values. When xtext_unquote() returns 0 the
	 * raw text is used as-is; either way it goes through the censoring
	 * below.
	 */
	attr_value = xtext_unquote(state->expand_buf, raw_value) ?
	    STR(state->expand_buf) : raw_value;

	/*
	 * For safety's sake mask non-printable characters. We'll do more
	 * specific censoring later.
	 */
	printable(attr_value, '?');

	flag = name_code(xforward_flags, NAME_CODE_FLAG_NONE, attr_name);
	switch (flag) {

	    /*
	     * NAME=up-stream host name, not necessarily in the DNS. Censor
	     * special characters that could mess up message headers.
	     * neuter() runs before valid_hostname(), so a name that needed
	     * censoring is presumably rejected by the syntax check ('?' is
	     * not hostname syntax) instead of being stored mangled.
	     */
	case SMTPD_STATE_XFORWARD_NAME:
	    if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
		attr_value = CLIENT_NAME_UNKNOWN;
	    } else {
		/* XXX EAI */
		neuter(attr_value, NEUTER_CHARACTERS, '?');
		if (!valid_hostname(attr_value, DONT_GRIPE)) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XFORWARD_NAME, attr_value);
		    return (-1);
		}
	    }
	    UPDATE_STR(state->xforward.name, attr_value);
	    break;

	    /*
	     * ADDR=up-stream host network address, not necessarily on the
	     * Internet. Censor special characters that could mess up message
	     * headers. normalize_mailhost_addr() replaces both the rfc_addr
	     * and addr strings itself; NO_NORM_ADDR_FAMILY means the address
	     * family is not recorded for the forwarded address.
	     *
	     * NOTE(review): on [UNAVAILABLE] only xforward.addr is reset,
	     * whereas the XCLIENT ADDR path resets rfc_addr as well. A
	     * previously forwarded rfc_addr therefore survives here; confirm
	     * that is intended wherever xforward.rfc_addr is consumed.
	     */
	case SMTPD_STATE_XFORWARD_ADDR:
	    if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
		attr_value = CLIENT_ADDR_UNKNOWN;
		UPDATE_STR(state->xforward.addr, attr_value);
	    } else {
		neuter(attr_value, NEUTER_CHARACTERS, '?');
		if (normalize_mailhost_addr(attr_value,
					    &state->xforward.rfc_addr,
					    &state->xforward.addr,
					    NO_NORM_ADDR_FAMILY) < 0) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XFORWARD_ADDR, attr_value);
		    return (-1);
		}
	    }
	    break;

	    /*
	     * PORT=up-stream port number. Only digits and at most five of
	     * them are accepted; there is no numeric range check, so e.g.
	     * "99999" passes. Within this function the port is only
	     * interpolated into the namaddr logging string.
	     */
	case SMTPD_STATE_XFORWARD_PORT:
	    if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
		attr_value = CLIENT_PORT_UNKNOWN;
	    } else {
		if (!alldig(attr_value)
		    || strlen(attr_value) > sizeof("65535") - 1) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XFORWARD_PORT, attr_value);
		    return (-1);
		}
	    }
	    UPDATE_STR(state->xforward.port, attr_value);
	    break;

	    /*
	     * HELO=hostname that the up-stream MTA introduced itself with
	     * (not necessarily SMTP HELO). Censor special characters that
	     * could mess up message headers. No syntax check beyond
	     * neuter(); the 255-byte raw-value bound above still applies.
	     */
	case SMTPD_STATE_XFORWARD_HELO:
	    if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
		attr_value = CLIENT_HELO_UNKNOWN;
	    } else {
		neuter(attr_value, NEUTER_CHARACTERS, '?');
	    }
	    UPDATE_STR(state->xforward.helo_name, attr_value);
	    break;

	    /*
	     * PROTO=up-stream protocol, not necessarily SMTP or ESMTP.
	     * Censor special characters that could mess up message headers.
	     * Bounded to 64 bytes; otherwise free-form text.
	     */
	case SMTPD_STATE_XFORWARD_PROTO:
	    if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
		attr_value = CLIENT_PROTO_UNKNOWN;
	    } else {
		if (strlen(attr_value) > 64) {
		    state->error_mask |= MAIL_ERROR_PROTOCOL;
		    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				     XFORWARD_PROTO, attr_value);
		    return (-1);
		}
		neuter(attr_value, NEUTER_CHARACTERS, '?');
	    }
	    UPDATE_STR(state->xforward.protocol, attr_value);
	    break;

	    /*
	     * IDENT=local message identifier on the up-stream MTA. Censor
	     * special characters that could mess up logging or macro
	     * expansions. Free-form apart from neuter() and the 255-byte
	     * raw-value bound.
	     */
	case SMTPD_STATE_XFORWARD_IDENT:
	    if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
		attr_value = CLIENT_IDENT_UNKNOWN;
	    } else {
		neuter(attr_value, NEUTER_CHARACTERS, '?');
	    }
	    UPDATE_STR(state->xforward.ident, attr_value);
	    break;

	    /*
	     * DOMAIN=local or remote. [UNAVAILABLE] defaults to local. The
	     * XFORWARD spelling is translated to the Postfix internal
	     * MAIL_ATTR_RWR_* form before it is stored; anything else is a
	     * syntax error.
	     */
	case SMTPD_STATE_XFORWARD_DOMAIN:
	    if (STREQ(attr_value, XFORWARD_UNAVAILABLE))
		attr_value = XFORWARD_DOM_LOCAL;
	    if ((context_code = name_code(xforward_to_context,
					  NAME_CODE_FLAG_NONE,
					  attr_value)) < 0) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
				 XFORWARD_DOMAIN, attr_value);
		return (-1);
	    }
	    UPDATE_STR(state->xforward.domain, context_name[context_code]);
	    break;

	    /*
	     * Unknown attribute name. Complain.
	     */
	default:
	    state->error_mask |= MAIL_ERROR_PROTOCOL;
	    smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s",
			     XFORWARD_CMD, attr_name);
	    return (-1);
	}
	updated |= flag;
    }
    /* Flag bits are committed only once every attribute was accepted. */
    state->xforward.flags |= updated;

    /*
     * Update the combined name and address when either has changed. Use only
     * the name when no address is available.
     */
    if (updated & (SMTPD_STATE_XFORWARD_NAME | SMTPD_STATE_XFORWARD_ADDR
		   | SMTPD_STATE_XFORWARD_PORT)) {
	if (state->xforward.namaddr)
	    myfree(state->xforward.namaddr);
	state->xforward.namaddr =
	    IS_AVAIL_CLIENT_ADDR(state->xforward.addr) ?
	    SMTPD_BUILD_NAMADDRPORT(state->xforward.name,
				    state->xforward.addr,
				    state->xforward.port) :
	    mystrdup(state->xforward.name);
    }
    smtpd_chat_reply(state, "250 2.0.0 Ok");
    return (0);
}
5052 
5053 /* chat_reset - notify postmaster and reset conversation log */
5054 
static void chat_reset(SMTPD_STATE *state, int threshold)
{
    int     notify_wanted;

    /*
     * Do nothing unless the transcript holds more than "threshold"
     * commands. Otherwise: if the client produced errors of a class the
     * postmaster asked to hear about (error_mask & notify_mask), send the
     * postmaster notice, then clear the error mask and the transcript.
     *
     * The notice is skipped in stand-alone mode because it needs the
     * cleanup service; the mask and transcript are reset regardless, so
     * a later chat_reset() call does not re-report the same errors.
     */
    if (state->history == 0 || state->history->argc <= threshold)
	return;

    notify_wanted = (SMTPD_STAND_ALONE(state) == 0
		     && (state->error_mask & state->notify_mask) != 0);
    if (notify_wanted)
	smtpd_chat_notify(state);
    state->error_mask = 0;
    smtpd_chat_reset(state);
}
5073 
5074 #ifdef USE_TLS
5075 
5076 /* smtpd_start_tls - turn on TLS or force disconnect */
5077 
static void smtpd_start_tls(SMTPD_STATE *state)
{
    int     rate;
    int     cert_present;
    int     requirecert;

    /*
     * Run the TLS handshake for this session (in-process, or through
     * tlsproxy(8) when USE_TLSPROXY is defined), then apply the two checks
     * that can only be made after the handshake: the new-TLS-session rate
     * limit and, when configured, the mandatory client certificate.
     *
     * Shared by STARTTLS (starttls_cmd) and TLS wrapper mode. This function
     * does NOT return normally when the handshake fails or when the rate
     * limit is exceeded: it leaves via vstream_longjmp() on state->client,
     * which ends the session. A missing/untrusted client certificate is
     * handled with a 421 reply and a normal return.
     */

#ifdef USE_TLSPROXY

    /*
     * This is non-production code, for tlsproxy(8) load testing only. It
     * implements enough to enable some Postfix features that depend on TLS
     * encryption.
     *
     * To insert tlsproxy(8) between this process and the SMTP client, we swap
     * the file descriptors between the state->tlsproxy and state->client
     * VSTREAMS, so that we don't lose all the user-configurable
     * state->client attributes (such as longjump buffers or timeouts).
     *
     * As we implement tlsproxy support in the Postfix SMTP client we should
     * develop a usable abstraction that encapsulates this stream plumbing in
     * a library module.
     */
    vstream_control(state->tlsproxy, CA_VSTREAM_CTL_DOUBLE, CA_VSTREAM_CTL_END);
    vstream_control(state->client, CA_VSTREAM_CTL_SWAP_FD(state->tlsproxy),
		    CA_VSTREAM_CTL_END);
    (void) vstream_fclose(state->tlsproxy);	/* direct-to-client stream! */
    state->tlsproxy = 0;

    /*
     * After plumbing the plaintext stream, receive the TLS context object.
     * For this we must use the same VSTREAM buffer that we also use to
     * receive subsequent SMTP commands. The attribute protocol is robust
     * enough that an adversary cannot inject their own bogus TLS context
     * attributes into the stream.
     */
    state->tls_context = tls_proxy_context_receive(state->client);

    /*
     * XXX Maybe it is better to send this information to tlsproxy(8) when
     * requesting service, effectively making a remote tls_server_start()
     * call.
     */
    requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls);

#else						/* USE_TLSPROXY */
    TLS_SERVER_START_PROPS props;
    static char *cipher_grade;			/* computed once per process */
    static VSTRING *cipher_exclusions;		/* computed once per process */

    /*
     * Wrapper mode uses a dedicated port and always requires TLS.
     *
     * XXX In non-wrapper mode, it is possible to require client certificate
     * verification without requiring TLS. Since certificates can be verified
     * only while TLS is turned on, this means that Postfix will happily
     * perform SMTP transactions when the client does not use the STARTTLS
     * command. For this reason, Postfix does not require client certificate
     * verification unless TLS is required.
     *
     * The cipher grade and exclusions don't change between sessions. Compute
     * just once and cache.
     */
#define ADD_EXCLUDE(vstr, str) \
    do { \
	if (*(str)) \
	    vstring_sprintf_append((vstr), "%s%s", \
				   VSTRING_LEN(vstr) ? " " : "", (str)); \
    } while (0)

    if (cipher_grade == 0) {
	/* Mandatory TLS uses the (stricter) "mandatory" cipher settings. */
	cipher_grade = var_smtpd_enforce_tls ?
	    var_smtpd_tls_mand_ciph : var_smtpd_tls_ciph;
	cipher_exclusions = vstring_alloc(10);
	ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_excl_ciph);
	if (var_smtpd_enforce_tls)
	    ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_mand_excl);
	/*
	 * When we ask for a client certificate, anonymous (aNULL) cipher
	 * suites make no sense: they carry no certificate at all.
	 */
	if (ask_client_cert)
	    ADD_EXCLUDE(cipher_exclusions, "aNULL");
    }

    /*
     * Perform the TLS handshake now. Check the client certificate
     * requirements later, if necessary. requirecert is only set when BOTH
     * smtpd_tls_req_ccert and smtpd_enforce_tls are on (see the XXX above).
     */
    requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls);

    state->tls_context =
	TLS_SERVER_START(&props,
			 ctx = smtpd_tls_ctx,
			 stream = state->client,
			 fd = -1,
			 timeout = var_smtpd_starttls_tmout,
			 requirecert = requirecert,
			 serverid = state->service,
			 namaddr = state->namaddr,
			 cipher_grade = cipher_grade,
			 cipher_exclusions = STR(cipher_exclusions),
			 mdalg = var_smtpd_tls_fpt_dgst);

#endif						/* USE_TLSPROXY */

    /*
     * For new (i.e. not re-used) TLS sessions, increment the client's new
     * TLS session rate counter. We enforce the limit here only for human
     * factors reasons (reduce the WTF factor), even though it is too late to
     * save the CPU that was already burnt on PKI ops. The real safety
     * mechanism applies with future STARTTLS commands (or wrappermode
     * connections), prior to the SSL handshake.
     *
     * Note that a failed handshake (tls_context == 0) is counted as a new
     * session too, so repeated handshake failures also consume the budget.
     *
     * XXX The client event count/rate control must be consistent in its use of
     * client address information in connect and disconnect events. For now
     * we exclude xclient authorized hosts from event count/rate control.
     */
    if (var_smtpd_cntls_limit > 0
     && (state->tls_context == 0 || state->tls_context->session_reused == 0)
	&& SMTPD_STAND_ALONE(state) == 0
	&& !xclient_allowed
	&& anvil_clnt
	&& !namadr_list_match(hogger_list, state->name, state->addr)
	&& anvil_clnt_newtls(anvil_clnt, state->service, state->anvil_range,
			     &rate) == ANVIL_STAT_OK
	&& rate > var_smtpd_cntls_limit) {
	state->error_mask |= MAIL_ERROR_POLICY;
	msg_warn("New TLS session rate limit exceeded: %d from %s for service %s",
		 rate, state->namaddr, state->service);
	/* A reply is only possible when the handshake gave us a channel. */
	if (state->tls_context)
	    smtpd_chat_reply(state,
		    "421 4.7.0 %s Error: too many new TLS sessions from %s",
			     var_myhostname, state->namaddr);
	/* XXX Use regular return to signal end of session. */
	vstream_longjmp(state->client, SMTP_ERR_QUIET);
    }

    /*
     * When the TLS handshake fails, the conversation is in an unknown state.
     * There is nothing we can do except to disconnect from the client.
     */
    if (state->tls_context == 0)
	vstream_longjmp(state->client, SMTP_ERR_EOF);

    /*
     * If we are requiring verified client certs, enforce the constraint
     * here. We have a usable TLS session with the client, so no need to
     * disable I/O, ...  we can even be polite and send "421 ...".
     */
    if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) {

	/*
	 * In non-wrappermode, fetch the next command (should be EHLO). Reply
	 * with 421, then disconnect (as a side-effect of replying with 421).
	 * Reading the command first keeps the dialogue in lock-step; the
	 * command itself is discarded, never executed.
	 */
	cert_present = TLS_CERT_IS_PRESENT(state->tls_context);
	msg_info("NOQUEUE: abort: TLS from %s: %s",
		 state->namaddr, cert_present ?
		 "Client certificate not trusted" :
		 "No client certificate presented");
	if (var_smtpd_tls_wrappermode == 0)
	    smtpd_chat_query(state);
	smtpd_chat_reply(state, "421 4.7.1 %s Error: %s",
			 var_myhostname, cert_present ?
			 "Client certificate not trusted" :
			 "No client certificate presented");
	state->error_mask |= MAIL_ERROR_POLICY;
	return;
    }

    /*
     * When TLS is turned on, we may offer AUTH methods that would not be
     * offered within a plain-text session.
     *
     * XXX Always refresh SASL the mechanism list after STARTTLS. Dovecot
     * responses may depend on whether the SMTP connection is encrypted.
     */
#ifdef USE_SASL_AUTH
    if (var_smtpd_sasl_enable) {
	/* Non-wrappermode, presumably. */
	if (smtpd_sasl_is_active(state)) {
	    /* Drop any plaintext-phase SASL state before switching options. */
	    smtpd_sasl_auth_reset(state);
	    smtpd_sasl_deactivate(state);
	}
	/* Wrappermode and non-wrappermode. */
	if (smtpd_sasl_is_active(state) == 0)
	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
				var_smtpd_sasl_tls_opts);
    }
#endif
}
5265 
5266 /* starttls_cmd - respond to STARTTLS */
5267 
static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    const char *milter_reply;
    int     new_tls_rate;

    /*
     * Handle the STARTTLS command: validate, apply the pre-handshake checks
     * (Milter veto, TLS availability, new-session rate limit), announce
     * "220", and hand over to smtpd_start_tls() for the handshake itself.
     * Returns -1 after an error reply, 0 once the handshake succeeded
     * (smtpd_start_tls() does not return at all when it fails).
     */

    /*
     * STARTTLS takes no arguments.
     */
    if (argc != 1) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS");
	return (-1);
    }

    /*
     * Milter veto. A 5XX reply is passed to the client verbatim; any 4XX
     * reply is collapsed into 454 for Sendmail compatibility; other replies
     * are ignored and the command proceeds.
     */
    if (state->milters != 0
	&& (milter_reply = milter_other_event(state->milters)) != 0) {
	switch (milter_reply[0]) {
	case '5':
	    state->error_mask |= MAIL_ERROR_POLICY;
	    smtpd_chat_reply(state, "%s", milter_reply);
	    return (-1);
	case '4':
	    state->error_mask |= MAIL_ERROR_POLICY;
	    smtpd_chat_reply(state, "454 4.3.0 Try again later");
	    return (-1);
	default:
	    break;
	}
    }

    /*
     * Refuse a second STARTTLS inside a session that is already encrypted.
     */
    if (state->tls_context != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "554 5.5.1 Error: TLS already active");
	return (-1);
    }

    /*
     * Refuse when TLS is disabled, or when STARTTLS was withheld from this
     * client's EHLO response (ehlo_discard_mask).
     */
    if (var_smtpd_use_tls == 0
	|| (state->ehlo_discard_mask & EHLO_MASK_STARTTLS) != 0) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented");
	return (-1);
    }

    /*
     * Make sure a TLS engine is actually available before promising the
     * client anything.
     */
#ifdef USE_TLSPROXY

    /*
     * Note: state->tlsproxy is left open when smtp_flush() calls longjmp(),
     * so we garbage-collect the VSTREAM in smtpd_state_reset().
     */
#define PROXY_OPEN_FLAGS \
	(TLS_PROXY_FLAG_ROLE_SERVER | TLS_PROXY_FLAG_SEND_CONTEXT)

    state->tlsproxy =
	tls_proxy_legacy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS,
			      state->client, state->addr,
			      state->port, var_smtpd_tmout,
			      state->service);
    if (state->tlsproxy == 0) {
	state->error_mask |= MAIL_ERROR_SOFTWARE;
	/* RFC 3207 Section 4. */
	smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
	return (-1);
    }
#else						/* USE_TLSPROXY */
    if (smtpd_tls_ctx == 0) {
	state->error_mask |= MAIL_ERROR_SOFTWARE;
	/* RFC 3207 Section 4. */
	smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
	return (-1);
    }
#endif						/* USE_TLSPROXY */

    /*
     * New-TLS-session rate limit, applied BEFORE any handshake work is
     * done; this is the check that actually protects CPU (the one in
     * smtpd_start_tls() after the handshake is for operator visibility
     * only, see its comment). Skipped in stand-alone mode, for
     * xclient-authorized hosts, for hosts on the hogger exemption list,
     * and when anvil is unavailable.
     *
     * XXX The client event count/rate control must be consistent in its use
     * of client address information in connect and disconnect events.
     */
    if (var_smtpd_cntls_limit > 0
	&& SMTPD_STAND_ALONE(state) == 0
	&& !xclient_allowed
	&& anvil_clnt
	&& !namadr_list_match(hogger_list, state->name, state->addr)
	&& anvil_clnt_newtls_stat(anvil_clnt, state->service,
				  state->anvil_range,
				  &new_tls_rate) == ANVIL_STAT_OK
	&& new_tls_rate > var_smtpd_cntls_limit) {
	state->error_mask |= MAIL_ERROR_POLICY;
	msg_warn("Refusing STARTTLS request from %s for service %s",
		 state->namaddr, state->service);
	smtpd_chat_reply(state,
		       "454 4.7.0 Error: too many new TLS sessions from %s",
			 state->namaddr);
#ifdef USE_TLSPROXY
	/* Release the proxy stream we opened above. */
	(void) vstream_fclose(state->tlsproxy);
	state->tlsproxy = 0;
#endif
	return (-1);
    }

    /*
     * Commit: tell the client to start the handshake and push the reply
     * out before the read/write routines or file descriptors change.
     *
     * Then drop everything still buffered on the client stream
     * (VSTREAM_PURGE_BOTH). Any plaintext the client pipelined after
     * STARTTLS must not survive into the encrypted session, where it
     * would be read as the first commands of the TLS dialogue.
     */
    smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS");
    smtp_flush(state->client);
    vstream_fpurge(state->client, VSTREAM_PURGE_BOTH);

    /*
     * Forget HELO/MAIL/RCPT state from the plaintext phase.
     *
     * XXX RFC 2487 does not forbid the use of STARTTLS while mail transfer is
     * in progress, so we have to allow it even when it makes no sense.
     */
    helo_reset(state);
    mail_reset(state);
    rcpt_reset(state);

    /*
     * Turn on TLS, using code that is shared with TLS wrapper mode. This
     * code does not return when the handshake fails.
     */
    smtpd_start_tls(state);
    return (0);
}
5382 
5383 /* tls_reset - undo STARTTLS */
5384 
static void tls_reset(SMTPD_STATE *state)
{
    int     lost_contact;

    /*
     * Tear down the TLS layer, if any, and return the client stream to
     * plaintext. The "lost_contact" flag (EOF or error already seen on the
     * stream) is passed to tls_server_stop() so that it can skip work that
     * only makes sense while the peer is still there; see tls_server_stop()
     * for the exact effect. In tlsproxy mode there is no shutdown to
     * negotiate, only the received context object to free.
     */
    if (state->tls_context == 0)
	return;

    lost_contact = (vstream_feof(state->client)
		    || vstream_ferror(state->client));
    vstream_fflush(state->client);		/* NOT: smtp_flush() */
#ifdef USE_TLSPROXY
    tls_proxy_context_free(state->tls_context);
#else
    tls_server_stop(smtpd_tls_ctx, state->client, var_smtpd_starttls_tmout,
		    lost_contact, state->tls_context);
#endif
    state->tls_context = 0;
}
5405 
5406 #endif
5407 
5408 #if !defined(USE_TLS) || !defined(USE_SASL_AUTH)
5409 
5410 /* unimpl_cmd - dummy for functionality that is not compiled in */
5411 
static int unimpl_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    (void) argc;

    /*
     * Stand-in handler for STARTTLS or AUTH when that support is not
     * compiled in. Having a real table entry (instead of letting the
     * command fall into the "unknown command" path) keeps the per-command
     * counters for these verbs separate in the end-of-connection log line,
     * without special cases in the command processing loop.
     *
     * Always replies 502 and returns -1.
     */
    state->error_mask |= MAIL_ERROR_PROTOCOL;
    smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented");
    return (-1);
}
5425 
5426 #endif
5427 
5428  /*
5429   * The table of all SMTP commands that we know. Set the junk limit flag on
5430   * any command that can be repeated an arbitrary number of times without
5431   * triggering a tarpit delay of some sort.
5432   */
typedef struct SMTPD_CMD {
    char   *name;			/* command verb; 0 marks the table terminator */
    int     (*action) (SMTPD_STATE *, int, SMTPD_TOKEN *);	/* returns non-zero on failure */
    int     flags;			/* SMTPD_CMD_FLAG_* bits */
    int     success_count;		/* per-session: action() returned 0 */
    int     total_count;		/* per-session: times the verb was received */
} SMTPD_CMD;
5440 
5441  /*
5442   * Per RFC 2920: "In particular, the commands RSET, MAIL FROM, SEND FROM,
5443   * SOML FROM, SAML FROM, and RCPT TO can all appear anywhere in a pipelined
5444   * command group. The EHLO, DATA, VRFY, EXPN, TURN, QUIT, and NOOP commands
5445   * can only appear as the last command in a group". RFC 3030 allows BDAT
5446   * commands to be pipelined as well.
5447   */
5448 #define SMTPD_CMD_FLAG_LIMIT	(1<<0)	/* limit usage */
5449 #define SMTPD_CMD_FLAG_PRE_TLS	(1<<1)	/* allow before STARTTLS */
5450 #define SMTPD_CMD_FLAG_LAST	(1<<2)	/* last in PIPELINING command group */
5451 
/*
 * Lookup is by case-insensitive verb match; the table order only affects
 * the order of the per-command statistics in the disconnect log line.
 * Commands with neither the LIMIT nor the LAST flag may be pipelined freely;
 * those without PRE_TLS are refused with a 530 reply while smtpd_enforce_tls
 * is set and no TLS session exists.
 */
static SMTPD_CMD smtpd_cmd_table[] = {
    {SMTPD_CMD_HELO, helo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_EHLO, ehlo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_XCLIENT, xclient_cmd, SMTPD_CMD_FLAG_PRE_TLS},
    {SMTPD_CMD_XFORWARD, xforward_cmd,},
    /* Builds without TLS or SASL keep the verb so that it is counted by name. */
#ifdef USE_TLS
    {SMTPD_CMD_STARTTLS, starttls_cmd, SMTPD_CMD_FLAG_PRE_TLS,},
#else
    {SMTPD_CMD_STARTTLS, unimpl_cmd, SMTPD_CMD_FLAG_PRE_TLS,},
#endif
#ifdef USE_SASL_AUTH
    {SMTPD_CMD_AUTH, smtpd_sasl_auth_cmd_wrapper,},
#else
    {SMTPD_CMD_AUTH, unimpl_cmd,},
#endif
    {SMTPD_CMD_MAIL, mail_cmd,},
    {SMTPD_CMD_RCPT, rcpt_cmd,},
    {SMTPD_CMD_DATA, data_cmd, SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_BDAT, bdat_cmd,},
    {SMTPD_CMD_RSET, rset_cmd, SMTPD_CMD_FLAG_LIMIT,},
    {SMTPD_CMD_NOOP, noop_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_VRFY, vrfy_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_LAST,},
    {SMTPD_CMD_ETRN, etrn_cmd, SMTPD_CMD_FLAG_LIMIT,},
    {SMTPD_CMD_QUIT, quit_cmd, SMTPD_CMD_FLAG_PRE_TLS,},
    /*
     * Terminator (name == 0). It also doubles as the counter slot for
     * unrecognized commands, reported as "unknown" in the statistics.
     */
    {0,},
};
5478 
/*
 * Verb lists from smtpd_noop_commands and smtpd_forbid_commands; built in
 * pre_jail_init() and consulted in the command dispatch loop. Lookup errors
 * are ignored there (non-critical features).
 */
static STRING_LIST *smtpd_noop_cmds;	/* answered "250 2.0.0 Ok" without action */
static STRING_LIST *smtpd_forbid_cmds;	/* unknown verbs that end the session */
5481 
5482 /* smtpd_flag_ill_pipelining - flag pipelining protocol violation */
5483 
static int smtpd_flag_ill_pipelining(SMTPD_STATE *state)
{

    /*
     * Caller contract: VSTREAM exceptions must already be enabled with
     * smtp_stream_setup(). On I/O error, timeout, or EOF the read below
     * does not return to this function.
     *
     * When the VSTREAM read buffer is empty but peekfd() reports pending
     * data on the descriptor, pull in one character and push it straight
     * back, so that the buffer reflects what the client has already sent.
     */
    if (vstream_peek(state->client) == 0
	&& peekfd(vstream_fileno(state->client)) > 0)
	(void) vstream_ungetc(state->client, smtp_fgetc(state->client));

    /*
     * No buffered input: the client is waiting for our reply, as it should.
     */
    if (vstream_peek(state->client) <= 0)
	return (0);

    /*
     * Input that arrived ahead of our reply is a pipelining violation. Log
     * up to 100 bytes of it in escaped form, remember the violation in the
     * session flags, and leave the decision to reject to the caller.
     */
    if (state->expand_buf == 0)
	state->expand_buf = vstring_alloc(100);
    escape(state->expand_buf, vstream_peek_data(state->client),
	   vstream_peek(state->client) < 100 ? vstream_peek(state->client) : 100);
    msg_info("improper command pipelining after %s from %s: %s",
	     state->where, state->namaddr, STR(state->expand_buf));
    state->flags |= SMTPD_FLAG_ILL_PIPELINING;
    return (1);
}
5507 
5508 /* smtpd_proto - talk the SMTP protocol */
5509 
static void smtpd_proto(SMTPD_STATE *state)
{
    int     argc;
    SMTPD_TOKEN *argv;
    SMTPD_CMD *cmdp;
    const char *ehlo_words;
    const char *err;
    int     status;
    const char *cp;

#ifdef USE_TLS
    int     tls_rate;

#endif

    /*
     * Run one complete SMTP session on state->client: send the greeting,
     * then read and dispatch commands from smtpd_cmd_table until QUIT, the
     * error limit, a pipelining violation, or a stream exception ends the
     * session. Called from smtpd_service() once per connection; the caller
     * logs the disconnect and the per-command statistics afterwards.
     *
     * Stream exceptions (timeout, EOF, local data error, bare LF) longjmp
     * back to the vstream_setjmp() below and are translated into a
     * state->reason and, where the peer may still be listening, a final
     * 421 or 521 reply.
     */

    /*
     * Print a greeting banner and run the state machine. Read SMTP commands
     * one line at a time. According to the standard, a sender or recipient
     * address could contain an escaped newline. I think this is perverse,
     * and anyone depending on this is really asking for trouble.
     *
     * In case of mail protocol trouble, the program jumps back to this place,
     * so that it can perform the necessary cleanup before talking to the
     * next client. The setjmp/longjmp primitives are like a sharp tool: use
     * with care. I would certainly recommend against the use of
     * setjmp/longjmp in programs that change privilege levels.
     *
     * In case of file system trouble the program terminates after logging the
     * error and after informing the client. In all other cases (out of
     * memory, panic) the error is logged, and the msg_cleanup() exit handler
     * cleans up, but no attempt is made to inform the client of the nature
     * of the problem.
     *
     * With deadlines enabled, do not increase the time budget while receiving a
     * command, because that would give an attacker too much time.
     */
    vstream_control(state->client, VSTREAM_CTL_EXCEPT, VSTREAM_CTL_END);
    /*
     * Landing point for stream exceptions. The jump buffer is re-armed
     * whenever it is entered with SMTP_ERR_NONE; the direct return (status
     * 0) and the real error codes fall through to the switch below.
     */
    while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE)
	 /* void */ ;
    smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_req_deadline, 0);
    switch (status) {

    default:
	msg_panic("smtpd_proto: unknown error reading from %s",
		  state->namaddr);
	break;

	/*
	 * In the error cases below, the final reply is sent under a fresh
	 * vstream_setjmp() so that a failure while writing it returns here
	 * with a non-zero status instead of re-entering this switch.
	 */
    case SMTP_ERR_TIME:
	state->reason = REASON_TIMEOUT;
	if (vstream_setjmp(state->client) == 0)
	    smtpd_chat_reply(state, "421 4.4.2 %s Error: timeout exceeded",
			     var_myhostname);
	break;

    case SMTP_ERR_EOF:
	state->reason = REASON_LOST_CONNECTION;
	break;

    case SMTP_ERR_QUIET:
	break;

    case SMTP_ERR_DATA:
	msg_info("%s: reject: %s from %s: "
		 "421 4.3.0 %s Server local data error",
		 (state->queue_id ? state->queue_id : "NOQUEUE"),
		 state->where, state->namaddr, var_myhostname);
	state->error_mask |= MAIL_ERROR_DATA;
	if (vstream_setjmp(state->client) == 0)
	    smtpd_chat_reply(state, "421 4.3.0 %s Server local data error",
			     var_myhostname);
	break;

    case SMTP_ERR_LF:
	state->reason = REASON_BARE_LF;
	if (vstream_setjmp(state->client) == 0)
	    smtpd_chat_reply(state, "521 5.5.2 %s Error: bare <LF> received",
			     var_myhostname);
	break;

    case 0:

	/*
	 * Don't bother doing anything if some pre-SMTP handshake (haproxy)
	 * did not work out.
	 */
	if (state->flags & SMTPD_FLAG_HANGUP) {
	    smtpd_chat_reply(state, "421 4.3.0 %s Server local error",
			     var_myhostname);
	    break;
	}

	/*
	 * In TLS wrapper mode, turn on TLS using code that is shared with
	 * the STARTTLS command. This code does not return when the handshake
	 * fails.
	 *
	 * Enforce TLS handshake rate limit when this client negotiated too many
	 * new TLS sessions in the recent past.
	 *
	 * XXX This means we don't complete a TLS handshake just to tell the
	 * client that we don't provide service. TLS wrapper mode is
	 * obsolete, so we don't have to provide perfect support.
	 */
#ifdef USE_TLS
	if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode
	    && state->tls_context == 0) {
#ifdef USE_TLSPROXY
	    /* We garbage-collect the VSTREAM in smtpd_state_reset() */
	    state->tlsproxy =
		tls_proxy_legacy_open(var_tlsproxy_service,
				      PROXY_OPEN_FLAGS,
				      state->client, state->addr,
				      state->port, var_smtpd_tmout,
				      state->service);
	    if (state->tlsproxy == 0) {
		msg_warn("Wrapper-mode request dropped from %s for service %s."
		       " TLS context initialization failed. For details see"
			 " earlier warnings in your logs.",
			 state->namaddr, state->service);
		break;
	    }
#else						/* USE_TLSPROXY */
	    if (smtpd_tls_ctx == 0) {
		msg_warn("Wrapper-mode request dropped from %s for service %s."
		       " TLS context initialization failed. For details see"
			 " earlier warnings in your logs.",
			 state->namaddr, state->service);
		break;
	    }
#endif						/* USE_TLSPROXY */
	    /*
	     * The same client exclusions (XCLIENT hosts, hogger list) apply
	     * here as for the anvil connection count/rate checks below.
	     */
	    if (var_smtpd_cntls_limit > 0
		&& !xclient_allowed
		&& anvil_clnt
		&& !namadr_list_match(hogger_list, state->name, state->addr)
		&& anvil_clnt_newtls_stat(anvil_clnt, state->service,
			     state->anvil_range, &tls_rate) == ANVIL_STAT_OK
		&& tls_rate > var_smtpd_cntls_limit) {
		state->error_mask |= MAIL_ERROR_POLICY;
		msg_warn("Refusing TLS service request from %s for service %s",
			 state->namaddr, state->service);
		break;
	    }
	    smtpd_start_tls(state);
	}
#endif

	/*
	 * If the client spoke before the server sends the initial greeting,
	 * raise a flag and log the content of the protocol violation. This
	 * check MUST NOT apply to TLS wrappermode connections.
	 */
	if (SMTPD_STAND_ALONE(state) == 0
	    && vstream_context(state->client) == 0	/* not postscreen */
	    && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
	    && smtpd_flag_ill_pipelining(state)
	    && var_smtpd_forbid_unauth_pipe) {
	    smtpd_chat_reply(state,
			  "554 5.5.0 Error: SMTP protocol synchronization");
	    break;
	}

	/*
	 * XXX The client connection count/rate control must be consistent in
	 * its use of client address information in connect and disconnect
	 * events. For now we exclude xclient authorized hosts from
	 * connection count/rate control.
	 *
	 * XXX Must send connect/disconnect events to the anvil server even when
	 * this service is not connection count or rate limited, otherwise it
	 * will discard client message or recipient rate information too
	 * early or too late.
	 */
	if (SMTPD_STAND_ALONE(state) == 0
	    && !xclient_allowed
	    && anvil_clnt
	    && !namadr_list_match(hogger_list, state->name, state->addr)
	    && anvil_clnt_connect(anvil_clnt, state->service,
				  state->anvil_range, &state->conn_count,
				  &state->conn_rate)
	    == ANVIL_STAT_OK) {
	    if (var_smtpd_cconn_limit > 0
		&& state->conn_count > var_smtpd_cconn_limit) {
		state->error_mask |= MAIL_ERROR_POLICY;
		msg_warn("Connection concurrency limit exceeded: %d from %s for service %s",
			 state->conn_count, state->namaddr, state->service);
		smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
				 var_myhostname, state->addr);
		break;
	    }
	    if (var_smtpd_crate_limit > 0
		&& state->conn_rate > var_smtpd_crate_limit) {
		msg_warn("Connection rate limit exceeded: %d from %s for service %s",
			 state->conn_rate, state->namaddr, state->service);
		smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
				 var_myhostname, state->addr);
		break;
	    }
	}

	/*
	 * Determine what server ESMTP features to suppress, typically to
	 * avoid inter-operability problems. Moved up so we don't send 421
	 * immediately after sending the initial server response.
	 */
	if (ehlo_discard_maps == 0
	|| (ehlo_words = maps_find(ehlo_discard_maps, state->addr, 0)) == 0)
	    ehlo_words = var_smtpd_ehlo_dis_words;
	state->ehlo_discard_mask = ehlo_mask(ehlo_words);

	/* XXX We use the real client for connect access control. */
	/*
	 * A non-delayed client reject is sent now instead of the greeting;
	 * the reply text is kept in state->access_denied and repeated for
	 * later commands in the dispatch loop below.
	 */
	if (SMTPD_STAND_ALONE(state) == 0
	    && var_smtpd_delay_reject == 0
	    && (err = smtpd_check_client(state)) != 0) {
	    state->error_mask |= MAIL_ERROR_POLICY;
	    state->access_denied = mystrdup(err);
	    smtpd_chat_reply(state, "%s", state->access_denied);
	    state->error_count++;
	}

	/*
	 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses
	 * other than the initial greeting and any response to HELO or EHLO
	 * are prefaced with a status code as defined in RFC 3463.
	 */

	/*
	 * XXX If a Milter rejects CONNECT, reply with 220 except in case of
	 * hard reject or 421 (disconnect). The reply persists so it will
	 * apply to MAIL FROM and to other commands such as AUTH, STARTTLS,
	 * and VRFY. Note: after a Milter CONNECT reject, we must not reject
	 * HELO or EHLO, but we do change the feature list that is announced
	 * in the EHLO response.
	 */
	else {
	    err = 0;
	    if (state->milters != 0) {
		milter_macro_callback(state->milters, smtpd_milter_eval,
				      (void *) state);
		if ((err = milter_conn_event(state->milters, state->name,
					     state->addr,
				  strcmp(state->port, CLIENT_PORT_UNKNOWN) ?
					     state->port : "0",
					     state->addr_family)) != 0)
		    err = check_milter_reply(state, err);
	    }
	    if (err && err[0] == '5') {
		state->error_mask |= MAIL_ERROR_POLICY;
		smtpd_chat_reply(state, "554 %s ESMTP not accepting connections",
				 var_myhostname);
		state->error_count++;
	    } else if (err && strncmp(err, "421", 3) == 0) {
		state->error_mask |= MAIL_ERROR_POLICY;
		smtpd_chat_reply(state, "421 %s Service unavailable - try again later",
				 var_myhostname);
		/* Not: state->error_count++; */
	    } else {
		smtpd_chat_reply(state, "220 %s", var_smtpd_banner);
	    }
	}

	/*
	 * SASL initialization for plaintext mode.
	 *
	 * XXX Backwards compatibility: allow AUTH commands when the AUTH
	 * announcement is suppressed via smtpd_sasl_exceptions_networks.
	 *
	 * XXX Safety: don't enable SASL with "smtpd_tls_auth_only = yes" and
	 * non-TLS build.
	 */
#ifdef USE_SASL_AUTH
	if (var_smtpd_sasl_enable && smtpd_sasl_is_active(state) == 0
#ifdef USE_TLS
	    && state->tls_context == 0 && !var_smtpd_tls_auth_only
#else
	    && var_smtpd_tls_auth_only == 0
#endif
	    )
	    smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
				var_smtpd_sasl_opts);
#endif

	/*
	 * The command read/execute loop.
	 *
	 * Each iteration re-arms the per-command timeout/deadline, enforces
	 * the hard error limit, reads one line, optionally rewrites it via
	 * smtpd_command_filter, tokenizes it, and dispatches on the verb.
	 * "continue" paths count an error against the session where noted;
	 * "break" paths end the session.
	 */
	for (;;) {
	    if (state->flags & SMTPD_FLAG_HANGUP)
		break;
	    smtp_stream_setup(state->client, var_smtpd_tmout,
			      var_smtpd_req_deadline, 0);
	    if (state->error_count >= var_smtpd_hard_erlim) {
		state->reason = REASON_ERROR_LIMIT;
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors",
				 var_myhostname);
		/* NOTE(review): pfilter_notify() looks like a NetBSD-local hook for */
		/* reporting abusive peers by descriptor -- confirm against its definition. */
		pfilter_notify(1, vstream_fileno(state->client));
		break;
	    }
	    watchdog_pat();
	    smtpd_chat_query(state);
	    /* Safety: protect internal interfaces against malformed UTF-8. */
	    if (var_smtputf8_enable && valid_utf8_string(STR(state->buffer),
						 LEN(state->buffer)) == 0) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "500 5.5.2 Error: bad UTF-8 syntax");
		state->error_count++;
		continue;
	    }
	    /* Move into smtpd_chat_query() and update session transcript. */
	    if (smtpd_cmd_filter != 0) {
		for (cp = STR(state->buffer); *cp && IS_SPACE_TAB(*cp); cp++)
		     /* void */ ;
		if ((cp = dict_get(smtpd_cmd_filter, cp)) != 0) {
		    msg_info("%s: replacing command \"%.100s\" with \"%.100s\"",
			     state->namaddr, STR(state->buffer), cp);
		    vstring_strcpy(state->buffer, cp);
		} else if (smtpd_cmd_filter->error != 0) {
		    msg_warn("%s:%s lookup error for \"%.100s\"",
			     smtpd_cmd_filter->type, smtpd_cmd_filter->name,
			     printable(STR(state->buffer), '?'));
		    vstream_longjmp(state->client, SMTP_ERR_DATA);
		}
	    }
	    if ((argc = smtpd_token(vstring_str(state->buffer), &argv)) == 0) {
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		smtpd_chat_reply(state, "500 5.5.2 Error: bad syntax");
		state->error_count++;
		continue;
	    }
	    /* Ignore smtpd_noop_cmds lookup errors. Non-critical feature. */
	    /* Excess no-op commands count towards the error limit. */
	    if (*var_smtpd_noop_cmds
		&& string_list_match(smtpd_noop_cmds, argv[0].strval)) {
		smtpd_chat_reply(state, "250 2.0.0 Ok");
		if (state->junk_cmds++ > var_smtpd_junk_cmd_limit)
		    state->error_count++;
		continue;
	    }
	    for (cmdp = smtpd_cmd_table; cmdp->name != 0; cmdp++)
		if (strcasecmp(argv[0].strval, cmdp->name) == 0)
		    break;
	    /*
	     * Counted before the name check on purpose: the table terminator
	     * (name == 0) accumulates the "unknown" count that
	     * smtpd_format_cmd_stats() reports.
	     */
	    cmdp->total_count += 1;
	    /* Ignore smtpd_forbid_cmds lookup errors. Non-critical feature. */
	    if (cmdp->name == 0) {
		state->where = SMTPD_CMD_UNKNOWN;
		if (is_header(argv[0].strval)
		    || (*var_smtpd_forbid_cmds
		 && string_list_match(smtpd_forbid_cmds, argv[0].strval))) {
		    VSTRING *escape_buf = vstring_alloc(100);

		    msg_warn("non-SMTP command from %s: %.100s",
			     state->namaddr,
			     vstring_str(escape(escape_buf,
						vstring_str(state->buffer),
					      VSTRING_LEN(state->buffer))));
		    smtpd_chat_reply(state, "221 2.7.0 Error: I can break rules, too. Goodbye.");
		    vstring_free(escape_buf);
		    break;
		}
	    }
	    /* XXX We use the real client for connect access control. */
	    if (state->access_denied && cmdp->action != quit_cmd) {
		/* XXX Exception for Milter override. */
		/* Matches any "x21" reply code (e.g. 421): repeat it verbatim. */
		if (strncmp(state->access_denied + 1, "21", 2) == 0) {
		    smtpd_chat_reply(state, "%s", state->access_denied);
		    continue;
		}
		smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
				 state->namaddr);	/* RFC 2821 Sec 3.1 */
		state->error_count++;
		continue;
	    }
	    /* state->access_denied == 0 || cmdp->action == quit_cmd */
	    if (cmdp->name == 0) {
		if (state->milters != 0
		    && (err = milter_unknown_event(state->milters,
						   argv[0].strval)) != 0
		    && (err = check_milter_reply(state, err)) != 0) {
		    smtpd_chat_reply(state, "%s", err);
		} else
		    smtpd_chat_reply(state, "500 5.5.2 Error: command not recognized");
		state->error_mask |= MAIL_ERROR_PROTOCOL;
		state->error_count++;
		continue;
	    }
#ifdef USE_TLS
	    /* Only SMTPD_CMD_FLAG_PRE_TLS commands are allowed before STARTTLS. */
	    if (var_smtpd_enforce_tls &&
		!state->tls_context &&
		(cmdp->flags & SMTPD_CMD_FLAG_PRE_TLS) == 0) {
		smtpd_chat_reply(state,
			   "530 5.7.0 Must issue a STARTTLS command first");
		state->error_count++;
		continue;
	    }
#endif
	    state->where = cmdp->name;
	    /*
	     * Pipelining check: for non-ESMTP sessions every command must be
	     * the last in its group; for ESMTP only SMTPD_CMD_FLAG_LAST
	     * commands are checked. Only the first violation is examined.
	     */
	    if (SMTPD_STAND_ALONE(state) == 0
		&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
		    || (cmdp->flags & SMTPD_CMD_FLAG_LAST))
		&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
		&& smtpd_flag_ill_pipelining(state)
		&& var_smtpd_forbid_unauth_pipe) {
		smtpd_chat_reply(state,
			  "554 5.5.0 Error: SMTP protocol synchronization");
		break;
	    }
	    if (cmdp->action(state, argc, argv) != 0)
		state->error_count++;
	    else
		cmdp->success_count += 1;
	    if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
		&& state->junk_cmds++ > var_smtpd_junk_cmd_limit)
		state->error_count++;
	    if (cmdp->action == quit_cmd)
		break;
	}
	break;
    }

    /*
     * XXX The client connection count/rate control must be consistent in its
     * use of client address information in connect and disconnect events.
     * For now we exclude xclient authorized hosts from connection count/rate
     * control.
     *
     * XXX Must send connect/disconnect events to the anvil server even when
     * this service is not connection count or rate limited, otherwise it
     * will discard client message or recipient rate information too early or
     * too late.
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& !xclient_allowed
	&& anvil_clnt
	&& !namadr_list_match(hogger_list, state->name, state->addr))
	anvil_clnt_disconnect(anvil_clnt, state->service, state->anvil_range);

    /*
     * Log abnormal session termination, in case postmaster notification has
     * been turned off. In the log, indicate the last recognized state before
     * things went wrong. Don't complain about clients that go away without
     * sending QUIT. Log the byte count after DATA to help diagnose MTU
     * troubles.
     */
    if (state->reason && state->where) {
	if (strcmp(state->where, SMTPD_AFTER_DATA) == 0) {
	    msg_info("%s after %s (%lu bytes) from %s",	/* 2.5 compat */
		     state->reason, SMTPD_CMD_DATA,	/* 2.5 compat */
		     (long) (state->act_size + vstream_peek(state->client)),
		     state->namaddr);
	} else if (strcmp(state->where, SMTPD_AFTER_BDAT) == 0) {
	    msg_info("%s after %s (%lu bytes) from %s",
		     state->reason, SMTPD_CMD_BDAT,
		     (long) (state->act_size + VSTRING_LEN(state->buffer)
			     + VSTRING_LEN(state->bdat_get_buffer)),
		     state->namaddr);
	} else if (strcmp(state->where, SMTPD_AFTER_EOM)
		   || strcmp(state->reason, REASON_LOST_CONNECTION)) {
	    msg_info("%s after %s from %s",
		     state->reason, state->where, state->namaddr);
	    if (strcmp(state->where, SMTPD_CMD_AUTH) == 0)
		pfilter_notify(1, vstream_fileno(state->client));
	}
    }

    /*
     * Cleanup whatever information the client gave us during the SMTP
     * dialog.
     *
     * XXX Duplicated in xclient_cmd().
     */
#ifdef USE_TLS
    tls_reset(state);
#endif
    helo_reset(state);
#ifdef USE_SASL_AUTH
    smtpd_sasl_auth_reset(state);
    if (smtpd_sasl_is_active(state)) {
	smtpd_sasl_deactivate(state);
    }
#endif
    chat_reset(state, 0);
    mail_reset(state);
    rcpt_reset(state);
    if (state->milters)
	milter_disc_event(state->milters);
}
5994 
5995 /* smtpd_format_cmd_stats - format per-command statistics */
5996 
static char *smtpd_format_cmd_stats(VSTRING *buf)
{
    SMTPD_CMD *cmdp = smtpd_cmd_table;
    int     all_success = 0;
    int     all_total = 0;

    /*
     * Append " name=success" (or " name=success/total" when some requests
     * failed) for every command seen in this session. The table terminator
     * carries the counts for unrecognized commands and is reported as
     * "unknown". Commands that were never received produce no output, so a
     * session without any command leaves buf empty at this point.
     */
    VSTRING_RESET(buf);
    do {
	if (cmdp->total_count > 0) {
	    const char *label = cmdp->name ? cmdp->name : "unknown";

	    vstring_sprintf_append(buf, " %s=%d", label, cmdp->success_count);
	    if (cmdp->success_count != cmdp->total_count)
		vstring_sprintf_append(buf, "/%d", cmdp->total_count);
	    all_success += cmdp->success_count;
	    all_total += cmdp->total_count;
	}
    } while ((cmdp++)->name != 0);

    /*
     * Zero the per-command counters, terminator included, now that they
     * have been reported. Fix 20190621: this used to live in the SMTP
     * protocol handler, which is never called after a HaProxy handshake
     * error, so stale numbers were logged.
     */
    cmdp = smtpd_cmd_table;
    do {
	cmdp->success_count = cmdp->total_count = 0;
    } while ((cmdp++)->name != 0);

    /*
     * Always emit a grand total, so that logfile analyzers see something
     * even when no command was received. Print "0/0" in that case: any
     * statistics containing [0-9]/ mark a session that had a problem.
     */
    vstring_sprintf_append(buf, " commands=%d", all_success);
    if (all_success != all_total || all_total == 0)
	vstring_sprintf_append(buf, "/%d", all_total);
    return (lowercase(STR(buf)));
}
6047 
6048 /* setup_milters - set up Milters after a connection is established */
6049 
static void setup_milters(SMTPD_STATE *state)
{
    const char *milter_string = 0;

    /*
     * Postcondition: either state->milters is set, or the
     * INPUT_TRANSP_MILTER flag is passed down-stream.
     *
     * Milters are created only for network sessions, and only when the
     * input transparency mask does not already carry INPUT_TRANSP_MILTER.
     * A per-client entry in smtpd_milter_maps takes precedence over the
     * global smtpd_milters setting; an empty global setting and the
     * SMTPD_MILTERS_DISABLE keyword both mean "no Milters".
     */
    if (SMTPD_STAND_ALONE(state) == 0
	&& (smtpd_input_transp_mask & INPUT_TRANSP_MILTER) == 0) {
	if (smtpd_milter_maps)
	    milter_string = maps_find(smtpd_milter_maps, state->addr, 0);
	if (milter_string == 0 && *var_smtpd_milters != 0)
	    milter_string = var_smtpd_milters;
	if (milter_string != 0
	    && strcasecmp(milter_string, SMTPD_MILTERS_DISABLE) != 0)
	    state->milters = milter_create(milter_string,
					   var_milt_conn_time,
					   var_milt_cmd_time,
					   var_milt_msg_time,
					   var_milt_protocol,
					   var_milt_def_action,
					   var_milt_conn_macros,
					   var_milt_helo_macros,
					   var_milt_mail_macros,
					   var_milt_rcpt_macros,
					   var_milt_data_macros,
					   var_milt_eoh_macros,
					   var_milt_eod_macros,
					   var_milt_unk_macros,
					   var_milt_macro_deflts);
    }

    /*
     * Safety: disable non_smtpd_milters when not sending our own mail filter
     * list. Otherwise the next stage could handle this message as a local
     * submission.
     */
    if (state->milters == 0)
	smtpd_input_transp_mask |= INPUT_TRANSP_MILTER;
}
6090 
6091 /* teardown_milters - release resources */
6092 
static void teardown_milters(SMTPD_STATE *state)
{

    /*
     * Release the per-connection Milter handle, if there is one, and
     * recompute the input transparency mask from the main.cf setting. The
     * latter undoes the INPUT_TRANSP_MILTER bit that setup_milters() may
     * have turned on for this connection only.
     */
    if (state->milters != 0)
	milter_free(state->milters);
    state->milters = 0;
    smtpd_input_transp_mask =
	input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);
}
6102 
6103 
6104 /* smtpd_service - service one client */
6105 
static void smtpd_service(VSTREAM *stream, char *service, char **argv)
{
    SMTPD_STATE state;
    int     stand_alone;

    /*
     * This service takes no command-line arguments; anything in argv is a
     * configuration error.
     */
    if (argv[0] != 0)
	msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * Network mode needs at least one of INET or INET6: without it there is
     * no way to look up interface information or to convert names and
     * addresses.
     */
    if (!SMTPD_STAND_ALONE_STREAM(stream)
	&& inet_proto_info()->ai_family_list[0] == 0)
	msg_fatal("all network protocols are disabled (%s = %s)",
		  VAR_INET_PROTOCOLS, var_inet_protocols);

    /*
     * Entered when a client has connected to our network port, or when the
     * server runs stand-alone (input from a pipe). Look up and sanitize the
     * peer name and initialize per-connection state; a broken name service
     * makes this slow, which is one reason to run a local name server on
     * critical machines. The stand-alone decision is made once, after the
     * client stream is known.
     */
    smtpd_state_init(&state, stream, service);
    msg_info("connect from %s", state.namaddr);
    stand_alone = SMTPD_STAND_ALONE((&state));

    /*
     * No TLS of any kind when running stand-alone via "sendmail -bs".
     */
    if (stand_alone) {
	var_smtpd_use_tls = 0;
	var_smtpd_enforce_tls = 0;
	var_smtpd_tls_auth_only = 0;
    }

    /*
     * Decisions tied to the real peer, all off in stand-alone mode: XCLIENT
     * must not override its own access control, overriding XFORWARD access
     * control makes no sense either, and strict SMTP line endings are
     * enforced unless the peer is on the compatibility exclusion list.
     */
    xclient_allowed = !stand_alone
	&& namadr_list_match(xclient_hosts, state.name, state.addr);
    xforward_allowed = !stand_alone
	&& namadr_list_match(xforward_hosts, state.name, state.addr);
    smtp_forbid_bare_lf = !stand_alone
	&& var_smtpd_forbid_bare_lf
	&& !namadr_list_match(bare_lf_excl, state.name, state.addr);

    /*
     * Per-client verbose logging, Milter setup (duplicated in xclient_cmd),
     * then the SMTP dialog itself.
     */
    debug_peer_check(state.name, state.addr);
    setup_milters(&state);
    smtpd_proto(&state);

    /*
     * The client is gone: log the disconnect with the per-command
     * statistics, then release everything that was set up at connection
     * time. teardown_milters() duplicates xclient_cmd as well.
     */
    msg_info("disconnect from %s%s", state.namaddr,
	     smtpd_format_cmd_stats(state.buffer));
    teardown_milters(&state);
    smtpd_state_reset(&state);
    debug_peer_restore();
}
6191 
6192 /* pre_accept - see if tables have changed */
6193 
static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *table = dict_changed_name();

    /*
     * When dict_changed_name() reports that a lookup table has changed, log
     * which one and exit cleanly; the process manager is expected to start
     * a fresh instance that opens the current tables. Otherwise there is
     * nothing to do.
     */
    if (table == 0)
	return;
    msg_info("table %s has changed -- restarting", table);
    exit(0);
}
6203 
6204 /* pre_jail_init - pre-jail initialization */
6205 
static void pre_jail_init(char *unused_name, char **unused_argv)
{

    /*
     * Runs once before the chroot jail is entered and before privileges are
     * dropped; everything that needs the file system or the mail owner's
     * credentials (maps, TLS keys) must happen here, the rest is done in
     * post_jail_init(). Both arguments are unused.
     */

    /*
     * Initialize denylist/etc. patterns before entering the chroot jail, in
     * case they specify a filename pattern.
     */
    smtpd_noop_cmds = string_list_init(VAR_SMTPD_NOOP_CMDS, MATCH_FLAG_RETURN,
				       var_smtpd_noop_cmds);
    smtpd_forbid_cmds = string_list_init(VAR_SMTPD_FORBID_CMDS,
					 MATCH_FLAG_RETURN,
					 var_smtpd_forbid_cmds);
    verp_clients = namadr_list_init(VAR_VERP_CLIENTS, MATCH_FLAG_RETURN,
				    var_verp_clients);
    xclient_hosts = namadr_list_init(VAR_XCLIENT_HOSTS, MATCH_FLAG_RETURN,
				     var_xclient_hosts);
    xforward_hosts = namadr_list_init(VAR_XFORWARD_HOSTS, MATCH_FLAG_RETURN,
				      var_xforward_hosts);
    hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN
				   | match_parent_style(VAR_SMTPD_HOGGERS),
				   var_smtpd_hoggers);
    /*
     * The bare-LF exclusion list borrows the parent-domain matching style of
     * VAR_MYNETWORKS rather than having one of its own.
     */
    bare_lf_excl = namadr_list_init(VAR_SMTPD_FORBID_BARE_LF_EXCL,
				    MATCH_FLAG_RETURN
				    | match_parent_style(VAR_MYNETWORKS),
				    var_smtpd_forbid_bare_lf_excl);

    /*
     * Open maps before dropping privileges so we can read passwords etc.
     *
     * XXX We should not do this in stand-alone (sendmail -bs) mode, but we
     * can't use SMTPD_STAND_ALONE(state) here. This means "sendmail -bs"
     * will try to connect to proxymap when invoked by root for mail
     * submission. To fix, we would have to pass stand-alone mode information
     * via different means. For now we have to tell people not to run mail
     * clients as root.
     */

    /*
     * Privilege gate: only root or the mail owner initializes the access
     * policy maps. An unprivileged "sendmail -bs" skips this and therefore
     * runs without the access policies (see the XXX note above).
     */
    if (getuid() == 0 || getuid() == var_owner_uid)
	smtpd_check_init();
    smtpd_expand_init();
    debug_peer_init();

    /*
     * The "if" below deliberately spans the #ifdef: with SASL compiled out,
     * the same condition produces the warning in the #else branch instead.
     */
    if (var_smtpd_sasl_enable)
#ifdef USE_SASL_AUTH
	smtpd_sasl_initialize();

    /*
     * Presumably clients in these networks bypass SASL restrictions; the
     * list is only built when SASL support is compiled in.
     */
    if (*var_smtpd_sasl_exceptions_networks)
	sasl_exceptions_networks =
	    namadr_list_init(VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS,
			     MATCH_FLAG_RETURN,
			     var_smtpd_sasl_exceptions_networks);
#else
	msg_warn("%s is true, but SASL support is not compiled in",
		 VAR_SMTPD_SASL_ENABLE);
#endif

    /*
     * Optional command filter table. It is only opened here (read-only,
     * locked, with case folding); the lookups happen elsewhere.
     */
    if (*var_smtpd_cmd_filter)
	smtpd_cmd_filter = dict_open(var_smtpd_cmd_filter, O_RDONLY,
				     DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX);

    /*
     * XXX Temporary fix to pretend that we consistently implement TLS
     * security levels. We implement only a subset for now. If we implement
     * more levels, wrappermode should override only weaker TLS security
     * levels.
     *
     * Note: tls_level_lookup() logs no warning.
     */
    if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) {
	/*
	 * Map the symbolic level onto the legacy use/enforce booleans.
	 * Levels this server does not implement are downgraded to "encrypt"
	 * with a warning rather than refused; only an unknown name is fatal.
	 */
	switch (tls_level_lookup(var_smtpd_tls_level)) {
	default:
	    msg_fatal("Invalid TLS level \"%s\"", var_smtpd_tls_level);
	    /* NOTREACHED */
	    break;
	case TLS_LEV_SECURE:
	case TLS_LEV_VERIFY:
	case TLS_LEV_FPRINT:
	    msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"",
		     VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
	    /* FALLTHROUGH */
	case TLS_LEV_ENCRYPT:
	    var_smtpd_enforce_tls = var_smtpd_use_tls = 1;
	    break;
	case TLS_LEV_MAY:
	    var_smtpd_enforce_tls = 0;
	    var_smtpd_use_tls = 1;
	    break;
	case TLS_LEV_NONE:
	    var_smtpd_enforce_tls = var_smtpd_use_tls = 0;
	    break;
	}
    }

    /*
     * With TLS wrapper mode, we run on a dedicated port and turn on TLS
     * before actually speaking the SMTP protocol. This implies TLS enforce
     * mode.
     *
     * With non-wrapper mode, TLS enforce mode implies that we don't advertise
     * AUTH before the client issues STARTTLS.
     */
    var_smtpd_enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
    var_smtpd_tls_auth_only = var_smtpd_tls_auth_only || var_smtpd_enforce_tls;
    var_smtpd_use_tls = var_smtpd_use_tls || var_smtpd_enforce_tls;

    /*
     * Keys can only be loaded when running with suitable permissions. When
     * called from "sendmail -bs" this is not the case, so we must not
     * announce STARTTLS support.
     */
    if (getuid() == 0 || getuid() == var_owner_uid) {
	if (var_smtpd_use_tls) {
#ifdef USE_TLS
#ifndef USE_TLSPROXY
	    /*
	     * With USE_TLSPROXY the server-side TLS context is presumably
	     * owned by the tlsproxy service (see VAR_TLSPROXY_SERVICE in
	     * main()), so none of this runs.
	     */
	    TLS_SERVER_INIT_PROPS props;
	    const char *cert_file;
	    int     have_server_cert;
	    int     no_server_cert_ok;
	    int     require_server_cert;

	    /*
	     * Can't use anonymous ciphers if we want client certificates.
	     * Must use anonymous ciphers if we have no certificates.
	     *
	     * XXX: Ugh! Too many booleans!
	     */
	    ask_client_cert = require_server_cert =
		(var_smtpd_tls_ask_ccert
		 || (var_smtpd_enforce_tls && var_smtpd_tls_req_ccert));

	    /*
	     * The literal "none" is an explicit opt-out of a server cert. An
	     * empty setting is not: it only counts as "have a cert" if the
	     * chain, eccert or dcert file supplies one, and otherwise ends in
	     * the "No server certs available" warning below.
	     */
	    if (strcasecmp(var_smtpd_tls_cert_file, "none") == 0) {
		no_server_cert_ok = 1;
		cert_file = "";
	    } else {
		no_server_cert_ok = 0;
		cert_file = var_smtpd_tls_cert_file;
	    }

	    have_server_cert = *cert_file != 0;
	    have_server_cert |= *var_smtpd_tls_eccert_file != 0;
	    have_server_cert |= *var_smtpd_tls_dcert_file != 0;

	    if (*var_smtpd_tls_chain_files != 0) {
		if (!have_server_cert)
		    have_server_cert = 1;
		else
		    msg_warn("Both %s and one or more of the legacy "
			     " %s, %s or %s are non-empty; the legacy "
			     " parameters will be ignored",
			     VAR_SMTPD_TLS_CHAIN_FILES,
			     VAR_SMTPD_TLS_CERT_FILE,
			     VAR_SMTPD_TLS_ECCERT_FILE,
			     VAR_SMTPD_TLS_DCERT_FILE);
	    }
	    /* Some TLS configuration errors are not show stoppers. */
	    if (!have_server_cert && require_server_cert)
		msg_warn("Need a server cert to request client certs");
	    if (!var_smtpd_enforce_tls && var_smtpd_tls_req_ccert)
		msg_warn("Can't require client certs unless TLS is required");
	    /* After a show-stopper error, reply with 454 to STARTTLS. */
	    if (have_server_cert
		|| (no_server_cert_ok && !require_server_cert)) {

		tls_pre_jail_init(TLS_ROLE_SERVER);

		/*
		 * Large parameter lists are error-prone, so we emulate a
		 * language feature that C does not have natively: named
		 * parameter lists.
		 *
		 * Note that the protocol list depends on whether TLS is
		 * enforced (mandatory versus opportunistic list), and that
		 * cert_file is "" when "none" was configured above.
		 */
		smtpd_tls_ctx =
		    TLS_SERVER_INIT(&props,
				    log_param = VAR_SMTPD_TLS_LOGLEVEL,
				    log_level = var_smtpd_tls_loglevel,
				    verifydepth = var_smtpd_tls_ccert_vd,
				    cache_type = TLS_MGR_SCACHE_SMTPD,
				    set_sessid = var_smtpd_tls_set_sessid,
				    chain_files = var_smtpd_tls_chain_files,
				    cert_file = cert_file,
				    key_file = var_smtpd_tls_key_file,
				    dcert_file = var_smtpd_tls_dcert_file,
				    dkey_file = var_smtpd_tls_dkey_file,
				    eccert_file = var_smtpd_tls_eccert_file,
				    eckey_file = var_smtpd_tls_eckey_file,
				    CAfile = var_smtpd_tls_CAfile,
				    CApath = var_smtpd_tls_CApath,
				    dh1024_param_file
				    = var_smtpd_tls_dh1024_param_file,
				    dh512_param_file
				    = var_smtpd_tls_dh512_param_file,
				    eecdh_grade = var_smtpd_tls_eecdh,
				    protocols = var_smtpd_enforce_tls ?
				    var_smtpd_tls_mand_proto :
				    var_smtpd_tls_proto,
				    ask_ccert = ask_client_cert,
				    mdalg = var_smtpd_tls_fpt_dgst);
	    } else {
		/* smtpd_tls_ctx is left unset; STARTTLS will not succeed. */
		msg_warn("No server certs available. TLS won't be enabled");
	    }
#endif						/* USE_TLSPROXY */
#else
	    msg_warn("TLS has been selected, but TLS support is not compiled in");
#endif
	}
    }

    /*
     * flush client.
     */
    flush_init();

    /*
     * EHLO keyword filter.
     */
    if (*var_smtpd_ehlo_dis_maps)
	ehlo_discard_maps = maps_create(VAR_SMTPD_EHLO_DIS_MAPS,
					var_smtpd_ehlo_dis_maps,
					DICT_FLAG_LOCK);

    /*
     * Per-client Milter support.
     */
    if (*var_smtpd_milter_maps)
	smtpd_milter_maps = maps_create(VAR_SMTPD_MILTER_MAPS,
					var_smtpd_milter_maps,
					DICT_FLAG_LOCK);

    /*
     * DNS reply filter.
     */
    if (*var_smtpd_dns_re_filter)
	dns_rr_filter_compile(VAR_SMTPD_DNS_RE_FILTER,
			      var_smtpd_dns_re_filter);

    /*
     * Reject footer. The footer maps are opened by the chat module, and only
     * when the parameter is set.
     */
    if (*var_smtpd_rej_ftr_maps)
	smtpd_chat_pre_jail_init();
}

/* post_jail_init - post-jail initialization */

static void post_jail_init(char *unused_name, char **unused_argv)
{
    int     minfree_too_small;
    int     need_anvil;

    /*
     * Runs after the chroot jail has been entered; nothing here touches the
     * file system. Both arguments are unused.
     */

    /*
     * Receive transparency: which of the unknown-recipient checks, address
     * mapping and header/body checks this server should perform.
     */
    smtpd_input_transp_mask =
	input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);

    /*
     * Before-queue filter options (speed matching, so that the whole message
     * is received before a content filter is contacted) only matter when a
     * proxy filter is configured at all.
     */
    if (*var_smtpd_proxy_filt)
	smtpd_proxy_opts =
	    smtpd_proxy_parse_opts(VAR_SMTPD_PROXY_OPTS, var_smtpd_proxy_opts);

    /*
     * Sanity check. Strictly, queue_minfree ought to cover
     * (process_limit * message_size_limit), which is impractical; a small
     * multiple of the per-message limit is warned about instead, to avoid
     * needless (re)transmissions. Both limits must be in effect for the
     * comparison to mean anything.
     */
    minfree_too_small = ENFORCING_SIZE_LIMIT(var_queue_minfree)
	&& ENFORCING_SIZE_LIMIT(var_message_limit)
	&& var_queue_minfree / 1.5 < var_message_limit;
    if (minfree_too_small)
	msg_warn("%s(%lu) should be at least 1.5*%s(%lu)",
		 VAR_QUEUE_MINFREE, (unsigned long) var_queue_minfree,
		 VAR_MESSAGE_LIMIT, (unsigned long) var_message_limit);

    /*
     * Connection and rate management: the anvil client is created only when
     * at least one per-client limit is non-zero.
     */
    need_anvil = var_smtpd_crate_limit || var_smtpd_cconn_limit
	|| var_smtpd_cmail_limit || var_smtpd_crcpt_limit
	|| var_smtpd_cntls_limit || var_smtpd_cauth_limit;
    if (need_anvil)
	anvil_clnt = anvil_clnt_create();

    /*
     * header_from_format support, for postmaster notifications.
     */
    smtpd_hfrom_format = hfrom_format_parse(VAR_HFROM_FORMAT, var_hfrom_format);
}
6492 
/* File-scope counterpart of the MAIL_VERSION_STAMP_ALLOCATE step in main(). */
MAIL_VERSION_STAMP_DECLARE;

/* main - the main program */

int     main(int argc, char **argv)
{

    /*
     * Configuration parameter tables handed to the service skeleton, which
     * presumably reads them from main.cf into the var_* globals before the
     * pre_jail_init()/post_jail_init() hooks above run. Row layout: parameter
     * name, default, address of the target variable, then (except in the
     * bool tables) a lower and an upper bound, where 0 apparently means "no
     * bound". Each table ends with a 0 sentinel row.
     */
    static const CONFIG_NINT_TABLE nint_table[] = {
	VAR_SMTPD_SOFT_ERLIM, DEF_SMTPD_SOFT_ERLIM, &var_smtpd_soft_erlim, 1, 0,
	VAR_SMTPD_HARD_ERLIM, DEF_SMTPD_HARD_ERLIM, &var_smtpd_hard_erlim, 1, 0,
	VAR_SMTPD_JUNK_CMD, DEF_SMTPD_JUNK_CMD, &var_smtpd_junk_cmd_limit, 1, 0,
	VAR_VERIFY_POLL_COUNT, DEF_VERIFY_POLL_COUNT, &var_verify_poll_count, 1, 0,
	0,
    };
    static const CONFIG_INT_TABLE int_table[] = {
	VAR_SMTPD_RCPT_LIMIT, DEF_SMTPD_RCPT_LIMIT, &var_smtpd_rcpt_limit, 1, 0,
	VAR_UNK_CLIENT_CODE, DEF_UNK_CLIENT_CODE, &var_unk_client_code, 0, 0,
	VAR_BAD_NAME_CODE, DEF_BAD_NAME_CODE, &var_bad_name_code, 0, 0,
	VAR_UNK_NAME_CODE, DEF_UNK_NAME_CODE, &var_unk_name_code, 0, 0,
	VAR_UNK_ADDR_CODE, DEF_UNK_ADDR_CODE, &var_unk_addr_code, 0, 0,
	VAR_RELAY_CODE, DEF_RELAY_CODE, &var_relay_code, 0, 0,
	VAR_MAPS_RBL_CODE, DEF_MAPS_RBL_CODE, &var_maps_rbl_code, 0, 0,
	VAR_MAP_REJECT_CODE, DEF_MAP_REJECT_CODE, &var_map_reject_code, 0, 0,
	VAR_MAP_DEFER_CODE, DEF_MAP_DEFER_CODE, &var_map_defer_code, 0, 0,
	VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code, 0, 0,
	VAR_DEFER_CODE, DEF_DEFER_CODE, &var_defer_code, 0, 0,
	VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, 0, 0,
	VAR_SMTPD_RCPT_OVERLIM, DEF_SMTPD_RCPT_OVERLIM, &var_smtpd_rcpt_overlim, 1, 0,
	VAR_SMTPD_HIST_THRSH, DEF_SMTPD_HIST_THRSH, &var_smtpd_hist_thrsh, 1, 0,
	/*
	 * The unverified-address reply codes are range-checked: the *_rcode
	 * values to 200..599, the *_dcode values to 200..499, so a deferral
	 * code cannot be configured as a permanent 5xx rejection.
	 */
	VAR_UNV_FROM_RCODE, DEF_UNV_FROM_RCODE, &var_unv_from_rcode, 200, 599,
	VAR_UNV_RCPT_RCODE, DEF_UNV_RCPT_RCODE, &var_unv_rcpt_rcode, 200, 599,
	VAR_UNV_FROM_DCODE, DEF_UNV_FROM_DCODE, &var_unv_from_dcode, 200, 499,
	VAR_UNV_RCPT_DCODE, DEF_UNV_RCPT_DCODE, &var_unv_rcpt_dcode, 200, 499,
	VAR_MUL_RCPT_CODE, DEF_MUL_RCPT_CODE, &var_mul_rcpt_code, 0, 0,
	VAR_LOCAL_RCPT_CODE, DEF_LOCAL_RCPT_CODE, &var_local_rcpt_code, 0, 0,
	VAR_VIRT_ALIAS_CODE, DEF_VIRT_ALIAS_CODE, &var_virt_alias_code, 0, 0,
	VAR_VIRT_MAILBOX_CODE, DEF_VIRT_MAILBOX_CODE, &var_virt_mailbox_code, 0, 0,
	VAR_RELAY_RCPT_CODE, DEF_RELAY_RCPT_CODE, &var_relay_rcpt_code, 0, 0,
	VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, 0, 0,
	/* Per-client limits; post_jail_init() creates the anvil client when any is non-zero. */
	VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
	VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
	VAR_SMTPD_CMAIL_LIMIT, DEF_SMTPD_CMAIL_LIMIT, &var_smtpd_cmail_limit, 0, 0,
	VAR_SMTPD_CRCPT_LIMIT, DEF_SMTPD_CRCPT_LIMIT, &var_smtpd_crcpt_limit, 0, 0,
	VAR_SMTPD_CNTLS_LIMIT, DEF_SMTPD_CNTLS_LIMIT, &var_smtpd_cntls_limit, 0, 0,
	VAR_SMTPD_CAUTH_LIMIT, DEF_SMTPD_CAUTH_LIMIT, &var_smtpd_cauth_limit, 0, 0,
	/* Client-address prefix lengths are capped by the MAX_* constants (presumably the address width). */
	VAR_SMTPD_CIPV4_PREFIX, DEF_SMTPD_CIPV4_PREFIX, &var_smtpd_cipv4_prefix, 0, MAX_SMTPD_CIPV4_PREFIX,
	VAR_SMTPD_CIPV6_PREFIX, DEF_SMTPD_CIPV6_PREFIX, &var_smtpd_cipv6_prefix, 0, MAX_SMTPD_CIPV6_PREFIX,
#ifdef USE_TLS
	VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
#endif
	/* The lower bound is the default itself, so this limit can only be raised. */
	VAR_SMTPD_SASL_RESP_LIMIT, DEF_SMTPD_SASL_RESP_LIMIT, &var_smtpd_sasl_resp_limit, DEF_SMTPD_SASL_RESP_LIMIT, 0,
	VAR_SMTPD_POLICY_REQ_LIMIT, DEF_SMTPD_POLICY_REQ_LIMIT, &var_smtpd_policy_req_limit, 0, 0,
	VAR_SMTPD_POLICY_TRY_LIMIT, DEF_SMTPD_POLICY_TRY_LIMIT, &var_smtpd_policy_try_limit, 1, 0,
	VAR_SMTPD_MIN_DATA_RATE, DEF_SMTPD_MIN_DATA_RATE, &var_smtpd_min_data_rate, 1, 0,
	0,
    };
    static const CONFIG_LONG_TABLE long_table[] = {
	VAR_QUEUE_MINFREE, DEF_QUEUE_MINFREE, &var_queue_minfree, 0, 0,
	0,
    };
    static const CONFIG_TIME_TABLE time_table[] = {
	VAR_SMTPD_TMOUT, DEF_SMTPD_TMOUT, &var_smtpd_tmout, 1, 0,
	VAR_SMTPD_ERR_SLEEP, DEF_SMTPD_ERR_SLEEP, &var_smtpd_err_sleep, 0, 0,
	VAR_SMTPD_PROXY_TMOUT, DEF_SMTPD_PROXY_TMOUT, &var_smtpd_proxy_tmout, 1, 0,
	VAR_VERIFY_POLL_DELAY, DEF_VERIFY_POLL_DELAY, &var_verify_poll_delay, 1, 0,
	VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0,
	VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0,
	VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
#ifdef USE_TLS
	VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
#endif
	VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, &var_milt_conn_time, 1, 0,
	VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, &var_milt_cmd_time, 1, 0,
	VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, &var_milt_msg_time, 1, 0,
	VAR_VERIFY_SENDER_TTL, DEF_VERIFY_SENDER_TTL, &var_verify_sender_ttl, 0, 0,
	VAR_SMTPD_UPROXY_TMOUT, DEF_SMTPD_UPROXY_TMOUT, &var_smtpd_uproxy_tmout, 1, 0,
	VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, &var_smtpd_policy_try_delay, 1, 0,
	0,
    };
    /* Bool rows have no bounds: name, default, target variable. */
    static const CONFIG_BOOL_TABLE bool_table[] = {
	VAR_HELO_REQUIRED, DEF_HELO_REQUIRED, &var_helo_required,
	VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject,
	VAR_STRICT_RFC821_ENV, DEF_STRICT_RFC821_ENV, &var_strict_rfc821_env,
	VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd,
	VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route,
	VAR_SMTPD_SASL_ENABLE, DEF_SMTPD_SASL_ENABLE, &var_smtpd_sasl_enable,
	VAR_SMTPD_SASL_AUTH_HDR, DEF_SMTPD_SASL_AUTH_HDR, &var_smtpd_sasl_auth_hdr,
	VAR_BROKEN_AUTH_CLNTS, DEF_BROKEN_AUTH_CLNTS, &var_broken_auth_clients,
	VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
	VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,
	VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt,
	/*
	 * The legacy use/enforce TLS booleans are read here and then
	 * overridden by the TLS level and wrapper-mode logic in
	 * pre_jail_init().
	 */
	VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
	VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
	VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
	VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
#ifdef USE_TLS
	VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
	VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
	VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
	VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid,
#endif
	VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
	VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
	VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
	VAR_SMTPD_FORBID_UNAUTH_PIPE, DEF_SMTPD_FORBID_UNAUTH_PIPE, &var_smtpd_forbid_unauth_pipe,
	VAR_SMTPD_FORBID_BARE_LF, DEF_SMTPD_FORBID_BARE_LF, &var_smtpd_forbid_bare_lf,
	0,
    };
    static const CONFIG_NBOOL_TABLE nbool_table[] = {
	VAR_RELAY_BEFORE_RCPT_CHECKS, DEF_RELAY_BEFORE_RCPT_CHECKS, &var_relay_before_rcpt_checks,
	VAR_SMTPD_REQ_DEADLINE, DEF_SMTPD_REQ_DEADLINE, &var_smtpd_req_deadline,
	0,
    };
    /*
     * String rows: the two trailing columns look like minimum and maximum
     * length, with 1 meaning "must be non-empty" -- TODO confirm against the
     * CONFIG_STR_TABLE definition.
     */
    static const CONFIG_STR_TABLE str_table[] = {
	VAR_SMTPD_BANNER, DEF_SMTPD_BANNER, &var_smtpd_banner, 1, 0,
	VAR_NOTIFY_CLASSES, DEF_NOTIFY_CLASSES, &var_notify_classes, 0, 0,
	VAR_CLIENT_CHECKS, DEF_CLIENT_CHECKS, &var_client_checks, 0, 0,
	VAR_HELO_CHECKS, DEF_HELO_CHECKS, &var_helo_checks, 0, 0,
	VAR_MAIL_CHECKS, DEF_MAIL_CHECKS, &var_mail_checks, 0, 0,
	VAR_RELAY_CHECKS, DEF_RELAY_CHECKS, &var_relay_checks, 0, 0,
	VAR_RCPT_CHECKS, DEF_RCPT_CHECKS, &var_rcpt_checks, 0, 0,
	VAR_ETRN_CHECKS, DEF_ETRN_CHECKS, &var_etrn_checks, 0, 0,
	VAR_DATA_CHECKS, DEF_DATA_CHECKS, &var_data_checks, 0, 0,
	VAR_EOD_CHECKS, DEF_EOD_CHECKS, &var_eod_checks, 0, 0,
	VAR_MAPS_RBL_DOMAINS, DEF_MAPS_RBL_DOMAINS, &var_maps_rbl_domains, 0, 0,
	VAR_RBL_REPLY_MAPS, DEF_RBL_REPLY_MAPS, &var_rbl_reply_maps, 0, 0,
	VAR_BOUNCE_RCPT, DEF_BOUNCE_RCPT, &var_bounce_rcpt, 1, 0,
	VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
	VAR_REST_CLASSES, DEF_REST_CLASSES, &var_rest_classes, 0, 0,
	VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0,
	VAR_SEND_CANON_MAPS, DEF_SEND_CANON_MAPS, &var_send_canon_maps, 0, 0,
	VAR_RCPT_CANON_MAPS, DEF_RCPT_CANON_MAPS, &var_rcpt_canon_maps, 0, 0,
	VAR_VIRT_ALIAS_MAPS, DEF_VIRT_ALIAS_MAPS, &var_virt_alias_maps, 0, 0,
	VAR_VIRT_MAILBOX_MAPS, DEF_VIRT_MAILBOX_MAPS, &var_virt_mailbox_maps, 0, 0,
	VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0,
	VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0,
	VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0,
	VAR_SMTPD_SASL_PATH, DEF_SMTPD_SASL_PATH, &var_smtpd_sasl_path, 1, 0,
	VAR_SMTPD_SASL_SERVICE, DEF_SMTPD_SASL_SERVICE, &var_smtpd_sasl_service, 1, 0,
	VAR_CYRUS_CONF_PATH, DEF_CYRUS_CONF_PATH, &var_cyrus_conf_path, 0, 0,
	VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 0, 0,
	VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS, DEF_SMTPD_SASL_EXCEPTIONS_NETWORKS, &var_smtpd_sasl_exceptions_networks, 0, 0,
	VAR_FILTER_XPORT, DEF_FILTER_XPORT, &var_filter_xport, 0, 0,
	VAR_PERM_MX_NETWORKS, DEF_PERM_MX_NETWORKS, &var_perm_mx_networks, 0, 0,
	VAR_SMTPD_SND_AUTH_MAPS, DEF_SMTPD_SND_AUTH_MAPS, &var_smtpd_snd_auth_maps, 0, 0,
	VAR_SMTPD_NOOP_CMDS, DEF_SMTPD_NOOP_CMDS, &var_smtpd_noop_cmds, 0, 0,
	VAR_SMTPD_FORBID_CMDS, DEF_SMTPD_FORBID_CMDS, &var_smtpd_forbid_cmds, 0, 0,
	VAR_SMTPD_NULL_KEY, DEF_SMTPD_NULL_KEY, &var_smtpd_null_key, 0, 0,
	VAR_RELAY_RCPT_MAPS, DEF_RELAY_RCPT_MAPS, &var_relay_rcpt_maps, 0, 0,
	VAR_VERIFY_SENDER, DEF_VERIFY_SENDER, &var_verify_sender, 0, 0,
	VAR_VERP_CLIENTS, DEF_VERP_CLIENTS, &var_verp_clients, 0, 0,
	VAR_SMTPD_PROXY_FILT, DEF_SMTPD_PROXY_FILT, &var_smtpd_proxy_filt, 0, 0,
	VAR_SMTPD_PROXY_EHLO, DEF_SMTPD_PROXY_EHLO, &var_smtpd_proxy_ehlo, 0, 0,
	VAR_SMTPD_PROXY_OPTS, DEF_SMTPD_PROXY_OPTS, &var_smtpd_proxy_opts, 0, 0,
	VAR_INPUT_TRANSP, DEF_INPUT_TRANSP, &var_input_transp, 0, 0,
	VAR_XCLIENT_HOSTS, DEF_XCLIENT_HOSTS, &var_xclient_hosts, 0, 0,
	VAR_XFORWARD_HOSTS, DEF_XFORWARD_HOSTS, &var_xforward_hosts, 0, 0,
	VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0,
	VAR_LOC_RWR_CLIENTS, DEF_LOC_RWR_CLIENTS, &var_local_rwr_clients, 0, 0,
	VAR_SMTPD_EHLO_DIS_WORDS, DEF_SMTPD_EHLO_DIS_WORDS, &var_smtpd_ehlo_dis_words, 0, 0,
	VAR_SMTPD_EHLO_DIS_MAPS, DEF_SMTPD_EHLO_DIS_MAPS, &var_smtpd_ehlo_dis_maps, 0, 0,
#ifdef USE_TLS
	/* Certificate, key, CA and DH parameter paths consumed by pre_jail_init(). */
	VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_smtpd_relay_ccerts, 0, 0,
	VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0,
	VAR_SMTPD_TLS_CHAIN_FILES, DEF_SMTPD_TLS_CHAIN_FILES, &var_smtpd_tls_chain_files, 0, 0,
	VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
	VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
	VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
	VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
	VAR_SMTPD_TLS_ECCERT_FILE, DEF_SMTPD_TLS_ECCERT_FILE, &var_smtpd_tls_eccert_file, 0, 0,
	VAR_SMTPD_TLS_ECKEY_FILE, DEF_SMTPD_TLS_ECKEY_FILE, &var_smtpd_tls_eckey_file, 0, 0,
	VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
	VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
	VAR_SMTPD_TLS_CIPH, DEF_SMTPD_TLS_CIPH, &var_smtpd_tls_ciph, 1, 0,
	VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0,
	VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0,
	VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0,
	VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_proto, 0, 0,
	VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0,
	VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
	VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
	VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0,
	VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0,
	VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
#endif
	/* Read even without USE_TLS, so pre_jail_init() can warn that TLS was selected but not compiled in. */
	VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
	VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0,
	VAR_SMTPD_SASL_MECH_FILTER, DEF_SMTPD_SASL_MECH_FILTER, &var_smtpd_sasl_mech_filter, 0, 0,
	VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0,
	VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0,
	VAR_MILT_HELO_MACROS, DEF_MILT_HELO_MACROS, &var_milt_helo_macros, 0, 0,
	VAR_MILT_MAIL_MACROS, DEF_MILT_MAIL_MACROS, &var_milt_mail_macros, 0, 0,
	VAR_MILT_RCPT_MACROS, DEF_MILT_RCPT_MACROS, &var_milt_rcpt_macros, 0, 0,
	VAR_MILT_DATA_MACROS, DEF_MILT_DATA_MACROS, &var_milt_data_macros, 0, 0,
	VAR_MILT_EOH_MACROS, DEF_MILT_EOH_MACROS, &var_milt_eoh_macros, 0, 0,
	VAR_MILT_EOD_MACROS, DEF_MILT_EOD_MACROS, &var_milt_eod_macros, 0, 0,
	VAR_MILT_UNK_MACROS, DEF_MILT_UNK_MACROS, &var_milt_unk_macros, 0, 0,
	VAR_MILT_PROTOCOL, DEF_MILT_PROTOCOL, &var_milt_protocol, 1, 0,
	VAR_MILT_DEF_ACTION, DEF_MILT_DEF_ACTION, &var_milt_def_action, 1, 0,
	VAR_MILT_DAEMON_NAME, DEF_MILT_DAEMON_NAME, &var_milt_daemon_name, 1, 0,
	VAR_MILT_V, DEF_MILT_V, &var_milt_v, 1, 0,
	VAR_MILT_MACRO_DEFLTS, DEF_MILT_MACRO_DEFLTS, &var_milt_macro_deflts, 0, 0,
	VAR_SMTPD_MILTER_MAPS, DEF_SMTPD_MILTER_MAPS, &var_smtpd_milter_maps, 0, 0,
	VAR_STRESS, DEF_STRESS, &var_stress, 0, 0,
	VAR_UNV_FROM_WHY, DEF_UNV_FROM_WHY, &var_unv_from_why, 0, 0,
	VAR_UNV_RCPT_WHY, DEF_UNV_RCPT_WHY, &var_unv_rcpt_why, 0, 0,
	VAR_REJECT_TMPF_ACT, DEF_REJECT_TMPF_ACT, &var_reject_tmpf_act, 1, 0,
	VAR_UNK_NAME_TF_ACT, DEF_UNK_NAME_TF_ACT, &var_unk_name_tf_act, 1, 0,
	VAR_UNK_ADDR_TF_ACT, DEF_UNK_ADDR_TF_ACT, &var_unk_addr_tf_act, 1, 0,
	VAR_UNV_RCPT_TF_ACT, DEF_UNV_RCPT_TF_ACT, &var_unv_rcpt_tf_act, 1, 0,
	VAR_UNV_FROM_TF_ACT, DEF_UNV_FROM_TF_ACT, &var_unv_from_tf_act, 1, 0,
	VAR_SMTPD_CMD_FILTER, DEF_SMTPD_CMD_FILTER, &var_smtpd_cmd_filter, 0, 0,
#ifdef USE_TLSPROXY
	VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 0,
#endif
	VAR_SMTPD_ACL_PERM_LOG, DEF_SMTPD_ACL_PERM_LOG, &var_smtpd_acl_perm_log, 0, 0,
	VAR_SMTPD_UPROXY_PROTO, DEF_SMTPD_UPROXY_PROTO, &var_smtpd_uproxy_proto, 0, 0,
	VAR_SMTPD_POLICY_DEF_ACTION, DEF_SMTPD_POLICY_DEF_ACTION, &var_smtpd_policy_def_action, 1, 0,
	VAR_SMTPD_POLICY_CONTEXT, DEF_SMTPD_POLICY_CONTEXT, &var_smtpd_policy_context, 0, 0,
	VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0,
	VAR_SMTPD_REJ_FTR_MAPS, DEF_SMTPD_REJ_FTR_MAPS, &var_smtpd_rej_ftr_maps, 0, 0,
	VAR_HFROM_FORMAT, DEF_HFROM_FORMAT, &var_hfrom_format, 1, 0,
	VAR_SMTPD_FORBID_BARE_LF_EXCL, DEF_SMTPD_FORBID_BARE_LF_EXCL, &var_smtpd_forbid_bare_lf_excl, 0, 0,
	0,
    };
    /* "Raw" strings: presumably read without the usual $parameter expansion -- TODO confirm. */
    static const CONFIG_RAW_TABLE raw_table[] = {
	VAR_SMTPD_EXP_FILTER, DEF_SMTPD_EXP_FILTER, &var_smtpd_exp_filter, 1, 0,
	VAR_DEF_RBL_REPLY, DEF_DEF_RBL_REPLY, &var_def_rbl_reply, 1, 0,
	VAR_SMTPD_REJ_FOOTER, DEF_SMTPD_REJ_FOOTER, &var_smtpd_rej_footer, 0, 0,
	0,
    };

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Pass control to the single-threaded service skeleton. The three hook
     * arguments select the functions above that run before the chroot
     * (pre_jail_init), before each accept (pre_accept) and after the chroot
     * (post_jail_init). There is no explicit return: the skeleton presumably
     * never returns under normal operation.
     */
    single_server_main(argc, argv, smtpd_service,
		       CA_MAIL_SERVER_NINT_TABLE(nint_table),
		       CA_MAIL_SERVER_INT_TABLE(int_table),
		       CA_MAIL_SERVER_LONG_TABLE(long_table),
		       CA_MAIL_SERVER_STR_TABLE(str_table),
		       CA_MAIL_SERVER_RAW_TABLE(raw_table),
		       CA_MAIL_SERVER_BOOL_TABLE(bool_table),
		       CA_MAIL_SERVER_NBOOL_TABLE(nbool_table),
		       CA_MAIL_SERVER_TIME_TABLE(time_table),
		       CA_MAIL_SERVER_PRE_INIT(pre_jail_init),
		       CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
		       CA_MAIL_SERVER_POST_INIT(post_jail_init),
		       0);
}