1 /* $NetBSD: milter8.c,v 1.3 2020/03/18 19:05:17 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* milter8 3 6 /* SUMMARY 7 /* MTA-side Sendmail 8 Milter protocol 8 /* SYNOPSIS 9 /* #include <milter8.h> 10 /* 11 /* MILTER *milter8_create(name, conn_timeout, cmd_timeout, msg_timeout, 12 /* protocol, def_action, parent) 13 /* const char *name; 14 /* int conn_timeout; 15 /* int cmd_timeout; 16 /* int msg_timeout; 17 /* const char *protocol; 18 /* const char *def_action; 19 /* MILTERS *parent; 20 /* 21 /* MILTER *milter8_receive(stream) 22 /* VSTREAM *stream; 23 /* DESCRIPTION 24 /* This module implements the MTA side of the Sendmail 8 mail 25 /* filter protocol. 26 /* 27 /* milter8_create() creates a MILTER data structure with virtual 28 /* functions that implement a client for the Sendmail 8 Milter 29 /* protocol. These virtual functions are then invoked via the 30 /* milter(3) interface. The *timeout, protocol and def_action 31 /* arguments come directly from milter_create(). The parent 32 /* argument specifies a context for content editing. 33 /* 34 /* milter8_receive() receives a mail filter definition from the 35 /* specified stream. The result is zero in case of success. 36 /* 37 /* Arguments: 38 /* .IP name 39 /* The Milter application endpoint, either inet:host:port or 40 /* unix:/pathname. 41 /* DIAGNOSTICS 42 /* Panic: interface violation. Fatal errors: out of memory. 43 /* CONFIGURATION PARAMETERS 44 /* milter8_protocol, protocol version and extensions 45 /* SEE ALSO 46 /* milter(3) generic Milter interface 47 /* LICENSE 48 /* .ad 49 /* .fi 50 /* The Secure Mailer license must be distributed with this software. 51 /* AUTHOR(S) 52 /* Wietse Venema 53 /* IBM T.J. Watson Research 54 /* P.O. Box 704 55 /* Yorktown Heights, NY 10598, USA 56 /* 57 /* Wietse Venema 58 /* Google, Inc. 59 /* 111 8th Avenue 60 /* New York, NY 10011, USA 61 /*--*/ 62 63 /* System library. */ 64 65 #include <sys_defs.h> 66 #include <sys/socket.h> 67 #include <netinet/in.h> 68 #include <arpa/inet.h> 69 #include <errno.h> 70 #include <stddef.h> /* offsetof() */ 71 #include <stdlib.h> 72 #include <string.h> 73 #include <stdarg.h> 74 #include <limits.h> /* INT_MAX */ 75 76 #ifndef SHUT_RDWR 77 #define SHUT_RDWR 2 78 #endif 79 80 #ifdef STRCASECMP_IN_STRINGS_H 81 #include <strings.h> 82 #endif 83 84 /* Utility library. */ 85 86 #include <msg.h> 87 #include <mymalloc.h> 88 #include <split_at.h> 89 #include <connect.h> 90 #include <argv.h> 91 #include <name_mask.h> 92 #include <name_code.h> 93 #include <stringops.h> 94 #include <compat_va_copy.h> 95 96 /* Global library. */ 97 98 #include <mail_params.h> 99 #include <mail_proto.h> 100 #include <rec_type.h> 101 #include <record.h> 102 #include <mime_state.h> 103 #include <is_header.h> 104 105 /* Postfix Milter library. */ 106 107 #include <milter.h> 108 109 /* Application-specific. */ 110 111 /* 112 * Use our own protocol definitions, so that Postfix can be built even when 113 * libmilter is not installed. This means that we must specify the libmilter 114 * protocol version in main.cf, and that we must send only the commands that 115 * are supported for that protocol version. 116 */ 117 118 /* 119 * Commands from MTA to filter. 120 */ 121 #define SMFIC_ABORT 'A' /* Abort */ 122 #define SMFIC_BODY 'B' /* Body chunk */ 123 #define SMFIC_CONNECT 'C' /* Connection information */ 124 #define SMFIC_MACRO 'D' /* Define macro */ 125 #define SMFIC_BODYEOB 'E' /* final body chunk (End) */ 126 #define SMFIC_HELO 'H' /* HELO/EHLO */ 127 #define SMFIC_HEADER 'L' /* Header */ 128 #define SMFIC_MAIL 'M' /* MAIL from */ 129 #define SMFIC_EOH 'N' /* EOH */ 130 #define SMFIC_OPTNEG 'O' /* Option negotiation */ 131 #define SMFIC_QUIT 'Q' /* QUIT */ 132 #define SMFIC_RCPT 'R' /* RCPT to */ 133 #define SMFIC_DATA 'T' /* DATA */ 134 #define SMFIC_UNKNOWN 'U' /* Any unknown command */ 135 /* Introduced with Sendmail 8.14. */ 136 #define SMFIC_QUIT_NC 'K' /* Quit + new connection */ 137 138 static const NAME_CODE smfic_table[] = { 139 "SMFIC_ABORT", SMFIC_ABORT, 140 "SMFIC_BODY", SMFIC_BODY, 141 "SMFIC_CONNECT", SMFIC_CONNECT, 142 "SMFIC_MACRO", SMFIC_MACRO, 143 "SMFIC_BODYEOB", SMFIC_BODYEOB, 144 "SMFIC_HELO", SMFIC_HELO, 145 "SMFIC_HEADER", SMFIC_HEADER, 146 "SMFIC_MAIL", SMFIC_MAIL, 147 "SMFIC_EOH", SMFIC_EOH, 148 "SMFIC_OPTNEG", SMFIC_OPTNEG, 149 "SMFIC_QUIT", SMFIC_QUIT, 150 "SMFIC_RCPT", SMFIC_RCPT, 151 "SMFIC_DATA", SMFIC_DATA, 152 "SMFIC_UNKNOWN", SMFIC_UNKNOWN, 153 /* Introduced with Sendmail 8.14. */ 154 "SMFIC_QUIT_NC", SMFIC_QUIT_NC, 155 0, 0, 156 }; 157 158 /* 159 * Responses from filter to MTA. 160 */ 161 #define SMFIR_ADDRCPT '+' /* add recipient */ 162 #define SMFIR_DELRCPT '-' /* remove recipient */ 163 #define SMFIR_ACCEPT 'a' /* accept */ 164 #define SMFIR_REPLBODY 'b' /* replace body (chunk) */ 165 #define SMFIR_CONTINUE 'c' /* continue */ 166 #define SMFIR_DISCARD 'd' /* discard */ 167 #define SMFIR_CONN_FAIL 'f' /* cause a connection failure */ 168 #define SMFIR_CHGHEADER 'm' /* change header */ 169 #define SMFIR_PROGRESS 'p' /* progress */ 170 #define SMFIR_REJECT 'r' /* reject */ 171 #define SMFIR_TEMPFAIL 't' /* tempfail */ 172 #define SMFIR_SHUTDOWN '4' /* 421: shutdown (internal to MTA) */ 173 #define SMFIR_ADDHEADER 'h' /* add header */ 174 #define SMFIR_INSHEADER 'i' /* insert header */ 175 #define SMFIR_REPLYCODE 'y' /* reply code etc */ 176 #define SMFIR_QUARANTINE 'q' /* quarantine */ 177 /* Introduced with Sendmail 8.14. */ 178 #define SMFIR_SKIP 's' /* skip further events of this type */ 179 #define SMFIR_CHGFROM 'e' /* change sender (incl. ESMTP args) */ 180 #define SMFIR_ADDRCPT_PAR '2' /* add recipient (incl. ESMTP args) */ 181 #define SMFIR_SETSYMLIST 'l' /* set list of symbols (macros) */ 182 183 static const NAME_CODE smfir_table[] = { 184 "SMFIR_ADDRCPT", SMFIR_ADDRCPT, 185 "SMFIR_DELRCPT", SMFIR_DELRCPT, 186 "SMFIR_ACCEPT", SMFIR_ACCEPT, 187 "SMFIR_REPLBODY", SMFIR_REPLBODY, 188 "SMFIR_CONTINUE", SMFIR_CONTINUE, 189 "SMFIR_DISCARD", SMFIR_DISCARD, 190 "SMFIR_CONN_FAIL", SMFIR_CONN_FAIL, 191 "SMFIR_CHGHEADER", SMFIR_CHGHEADER, 192 "SMFIR_PROGRESS", SMFIR_PROGRESS, 193 "SMFIR_REJECT", SMFIR_REJECT, 194 "SMFIR_TEMPFAIL", SMFIR_TEMPFAIL, 195 "SMFIR_SHUTDOWN", SMFIR_SHUTDOWN, 196 "SMFIR_ADDHEADER", SMFIR_ADDHEADER, 197 "SMFIR_INSHEADER", SMFIR_INSHEADER, 198 "SMFIR_REPLYCODE", SMFIR_REPLYCODE, 199 "SMFIR_QUARANTINE", SMFIR_QUARANTINE, 200 /* Introduced with Sendmail 8.14. */ 201 "SMFIR_SKIP", SMFIR_SKIP, 202 "SMFIR_CHGFROM", SMFIR_CHGFROM, 203 "SMFIR_ADDRCPT_PAR", SMFIR_ADDRCPT_PAR, 204 "SMFIR_SETSYMLIST", SMFIR_SETSYMLIST, 205 0, 0, 206 }; 207 208 /* 209 * Commands that the filter does not want to receive, and replies that the 210 * filter will not send. Plus some other random stuff. 211 */ 212 #define SMFIP_NOCONNECT (1L<<0) /* filter does not want connect info */ 213 #define SMFIP_NOHELO (1L<<1) /* filter does not want HELO info */ 214 #define SMFIP_NOMAIL (1L<<2) /* filter does not want MAIL info */ 215 #define SMFIP_NORCPT (1L<<3) /* filter does not want RCPT info */ 216 #define SMFIP_NOBODY (1L<<4) /* filter does not want body */ 217 #define SMFIP_NOHDRS (1L<<5) /* filter does not want headers */ 218 #define SMFIP_NOEOH (1L<<6) /* filter does not want EOH */ 219 #define SMFIP_NR_HDR (1L<<7) /* filter won't reply for header */ 220 #define SMFIP_NOHREPL SMFIP_NR_HDR 221 #define SMFIP_NOUNKNOWN (1L<<8) /* filter does not want unknown cmd */ 222 #define SMFIP_NODATA (1L<<9) /* filter does not want DATA */ 223 /* Introduced with Sendmail 8.14. */ 224 #define SMFIP_SKIP (1L<<10)/* MTA supports SMFIR_SKIP */ 225 #define SMFIP_RCPT_REJ (1L<<11)/* filter wants rejected RCPTs */ 226 #define SMFIP_NR_CONN (1L<<12)/* filter won't reply for connect */ 227 #define SMFIP_NR_HELO (1L<<13)/* filter won't reply for HELO */ 228 #define SMFIP_NR_MAIL (1L<<14)/* filter won't reply for MAIL */ 229 #define SMFIP_NR_RCPT (1L<<15)/* filter won't reply for RCPT */ 230 #define SMFIP_NR_DATA (1L<<16)/* filter won't reply for DATA */ 231 #define SMFIP_NR_UNKN (1L<<17)/* filter won't reply for UNKNOWN */ 232 #define SMFIP_NR_EOH (1L<<18)/* filter won't reply for eoh */ 233 #define SMFIP_NR_BODY (1L<<19)/* filter won't reply for body chunk */ 234 #define SMFIP_HDR_LEADSPC (1L<<20)/* header value has leading space */ 235 236 #define SMFIP_NOSEND_MASK \ 237 (SMFIP_NOCONNECT | SMFIP_NOHELO | SMFIP_NOMAIL | SMFIP_NORCPT \ 238 | SMFIP_NOBODY | SMFIP_NOHDRS | SMFIP_NOEOH | SMFIP_NOUNKNOWN \ 239 | SMFIP_NODATA) 240 241 #define SMFIP_NOREPLY_MASK \ 242 (SMFIP_NR_CONN | SMFIP_NR_HELO | SMFIP_NR_MAIL | SMFIP_NR_RCPT \ 243 | SMFIP_NR_DATA | SMFIP_NR_UNKN | SMFIP_NR_HDR | SMFIP_NR_EOH | \ 244 SMFIP_NR_BODY) 245 246 static const NAME_MASK smfip_table[] = { 247 "SMFIP_NOCONNECT", SMFIP_NOCONNECT, 248 "SMFIP_NOHELO", SMFIP_NOHELO, 249 "SMFIP_NOMAIL", SMFIP_NOMAIL, 250 "SMFIP_NORCPT", SMFIP_NORCPT, 251 "SMFIP_NOBODY", SMFIP_NOBODY, 252 "SMFIP_NOHDRS", SMFIP_NOHDRS, 253 "SMFIP_NOEOH", SMFIP_NOEOH, 254 "SMFIP_NR_HDR", SMFIP_NR_HDR, 255 "SMFIP_NOUNKNOWN", SMFIP_NOUNKNOWN, 256 "SMFIP_NODATA", SMFIP_NODATA, 257 /* Introduced with Sendmail 8.14. */ 258 "SMFIP_SKIP", SMFIP_SKIP, 259 "SMFIP_RCPT_REJ", SMFIP_RCPT_REJ, 260 "SMFIP_NR_CONN", SMFIP_NR_CONN, 261 "SMFIP_NR_HELO", SMFIP_NR_HELO, 262 "SMFIP_NR_MAIL", SMFIP_NR_MAIL, 263 "SMFIP_NR_RCPT", SMFIP_NR_RCPT, 264 "SMFIP_NR_DATA", SMFIP_NR_DATA, 265 "SMFIP_NR_UNKN", SMFIP_NR_UNKN, 266 "SMFIP_NR_EOH", SMFIP_NR_EOH, 267 "SMFIP_NR_BODY", SMFIP_NR_BODY, 268 "SMFIP_HDR_LEADSPC", SMFIP_HDR_LEADSPC, 269 0, 0, 270 }; 271 272 /* 273 * Options that the filter may send at initial handshake time, and message 274 * modifications that the filter may request at the end of the message body. 275 */ 276 #define SMFIF_ADDHDRS (1L<<0) /* filter may add headers */ 277 #define SMFIF_CHGBODY (1L<<1) /* filter may replace body */ 278 #define SMFIF_ADDRCPT (1L<<2) /* filter may add recipients */ 279 #define SMFIF_DELRCPT (1L<<3) /* filter may delete recipients */ 280 #define SMFIF_CHGHDRS (1L<<4) /* filter may change/delete headers */ 281 #define SMFIF_QUARANTINE (1L<<5) /* filter may quarantine envelope */ 282 /* Introduced with Sendmail 8.14. */ 283 #define SMFIF_CHGFROM (1L<<6) /* filter may replace sender */ 284 #define SMFIF_ADDRCPT_PAR (1L<<7) /* filter may add recipients + args */ 285 #define SMFIF_SETSYMLIST (1L<<8) /* filter may send macro names */ 286 287 static const NAME_MASK smfif_table[] = { 288 "SMFIF_ADDHDRS", SMFIF_ADDHDRS, 289 "SMFIF_CHGBODY", SMFIF_CHGBODY, 290 "SMFIF_ADDRCPT", SMFIF_ADDRCPT, 291 "SMFIF_DELRCPT", SMFIF_DELRCPT, 292 "SMFIF_CHGHDRS", SMFIF_CHGHDRS, 293 "SMFIF_QUARANTINE", SMFIF_QUARANTINE, 294 /* Introduced with Sendmail 8.14. */ 295 "SMFIF_CHGFROM", SMFIF_CHGFROM, 296 "SMFIF_ADDRCPT_PAR", SMFIF_ADDRCPT_PAR, 297 "SMFIF_SETSYMLIST", SMFIF_SETSYMLIST, 298 0, 0, 299 }; 300 301 /* 302 * Network protocol families, used when sending CONNECT information. 303 */ 304 #define SMFIA_UNKNOWN 'U' /* unknown */ 305 #define SMFIA_UNIX 'L' /* unix/local */ 306 #define SMFIA_INET '4' /* inet */ 307 #define SMFIA_INET6 '6' /* inet6 */ 308 309 /* 310 * External macro class numbers, to identify the optional macro name lists 311 * that may be sent after the initial negotiation header. 312 */ 313 #define SMFIM_CONNECT 0 /* macros for connect */ 314 #define SMFIM_HELO 1 /* macros for HELO */ 315 #define SMFIM_ENVFROM 2 /* macros for MAIL */ 316 #define SMFIM_ENVRCPT 3 /* macros for RCPT */ 317 #define SMFIM_DATA 4 /* macros for DATA */ 318 #define SMFIM_EOM 5 /* macros for end-of-message */ 319 #define SMFIM_EOH 6 /* macros for end-of-header */ 320 321 static const NAME_CODE smfim_table[] = { 322 "SMFIM_CONNECT", SMFIM_CONNECT, 323 "SMFIM_HELO", SMFIM_HELO, 324 "SMFIM_ENVFROM", SMFIM_ENVFROM, 325 "SMFIM_ENVRCPT", SMFIM_ENVRCPT, 326 "SMFIM_DATA", SMFIM_DATA, 327 "SMFIM_EOM", SMFIM_EOM, 328 "SMFIM_EOH", SMFIM_EOH, 329 0, 0, 330 }; 331 332 /* 333 * Mapping from external macro class numbers to our internal MILTER_MACROS 334 * structure members, without using a switch statement. 335 */ 336 static const size_t milter8_macro_offsets[] = { 337 offsetof(MILTER_MACROS, conn_macros), /* SMFIM_CONNECT */ 338 offsetof(MILTER_MACROS, helo_macros), /* SMFIM_HELO */ 339 offsetof(MILTER_MACROS, mail_macros), /* SMFIM_ENVFROM */ 340 offsetof(MILTER_MACROS, rcpt_macros), /* SMFIM_ENVRCPT */ 341 offsetof(MILTER_MACROS, data_macros), /* SMFIM_DATA */ 342 offsetof(MILTER_MACROS, eod_macros),/* Note: SMFIM_EOM < SMFIM_EOH */ 343 offsetof(MILTER_MACROS, eoh_macros),/* Note: SMFIM_EOH > SMFIM_EOM */ 344 }; 345 346 #define MILTER8_MACRO_PTR(__macros, __class) \ 347 ((char **) (((char *) (__macros)) + milter8_macro_offsets[(__class)])) 348 349 /* 350 * How much buffer space is available for sending body content. 351 */ 352 #define MILTER_CHUNK_SIZE 65535 /* body chunk size */ 353 354 /*#define msg_verbose 2*/ 355 356 /* 357 * Sendmail 8 mail filter client. 358 */ 359 typedef struct { 360 MILTER m; /* parent class */ 361 int conn_timeout; /* connect timeout */ 362 int cmd_timeout; /* per-command timeout */ 363 int msg_timeout; /* content inspection timeout */ 364 char *protocol; /* protocol version/extension */ 365 char *def_action; /* action if unavailable */ 366 int version; /* application protocol version */ 367 int rq_mask; /* application requests (SMFIF_*) */ 368 int ev_mask; /* application events (SMFIP_*) */ 369 int np_mask; /* events outside my protocol version */ 370 VSTRING *buf; /* I/O buffer */ 371 VSTRING *body; /* I/O buffer */ 372 VSTREAM *fp; /* stream or null (closed) */ 373 374 /* 375 * Following fields must be reset after successful CONNECT, to avoid 376 * leakage from one use to another. 377 */ 378 int state; /* MILTER8_STAT_mumble */ 379 char *def_reply; /* error response or null */ 380 int skip_event_type; /* skip operations of this type */ 381 } MILTER8; 382 383 /* 384 * XXX Sendmail 8 libmilter automatically closes the MTA-to-filter socket 385 * when it finds out that the SMTP client has disconnected. Because of this 386 * behavior, Postfix has to open a new MTA-to-filter socket each time an 387 * SMTP client connects. 388 */ 389 #define LIBMILTER_AUTO_DISCONNECT 390 391 /* 392 * Milter internal state. For the external representation we use SMTP 393 * replies (4XX X.Y.Z text, 5XX X.Y.Z text) and one-letter strings 394 * (H=quarantine, D=discard, S=shutdown). 395 */ 396 #define MILTER8_STAT_ERROR 1 /* error, must be non-zero */ 397 #define MILTER8_STAT_CLOSED 2 /* no connection */ 398 #define MILTER8_STAT_READY 3 /* wait for connect event */ 399 #define MILTER8_STAT_ENVELOPE 4 /* in envelope */ 400 #define MILTER8_STAT_MESSAGE 5 /* in message */ 401 #define MILTER8_STAT_ACCEPT_CON 6 /* accept all commands */ 402 #define MILTER8_STAT_ACCEPT_MSG 7 /* accept one message */ 403 #define MILTER8_STAT_REJECT_CON 8 /* reject all commands */ 404 405 /* 406 * Protocol formatting requests. Note: the terms "long" and "short" refer to 407 * the data types manipulated by htonl(), htons() and friends. These types 408 * are network specific, not host platform specific. 409 */ 410 #define MILTER8_DATA_END 0 /* no more arguments */ 411 #define MILTER8_DATA_HLONG 1 /* host long */ 412 #define MILTER8_DATA_BUFFER 2 /* network-formatted buffer */ 413 #define MILTER8_DATA_STRING 3 /* null-terminated string */ 414 #define MILTER8_DATA_NSHORT 4 /* network short */ 415 #define MILTER8_DATA_ARGV 5 /* array of null-terminated strings */ 416 #define MILTER8_DATA_OCTET 6 /* byte */ 417 #define MILTER8_DATA_MORE 7 /* more arguments in next call */ 418 419 /* 420 * We don't accept insane amounts of data. 421 */ 422 #define XXX_MAX_DATA (INT_MAX / 2) 423 #define XXX_TIMEOUT 10 424 425 /* 426 * We implement the protocol up to and including version 6, and configure in 427 * main.cf what protocol version we will use. The version is the first data 428 * item in the SMFIC_OPTNEG packet. 429 * 430 * We must send only events that are defined for the specified protocol 431 * version. Libmilter may disconnect when we send unexpected events. 432 * 433 * The following events are supported in all our milter protocol versions. 434 */ 435 #define MILTER8_V2_PROTO_MASK \ 436 (SMFIP_NOCONNECT | SMFIP_NOHELO | SMFIP_NOMAIL | SMFIP_NORCPT | \ 437 SMFIP_NOBODY | SMFIP_NOHDRS | SMFIP_NOEOH) 438 439 /* 440 * Events supported by later versions. 441 */ 442 #define MILTER8_V3_PROTO_MASK (MILTER8_V2_PROTO_MASK | SMFIP_NOUNKNOWN) 443 #define MILTER8_V4_PROTO_MASK (MILTER8_V3_PROTO_MASK | SMFIP_NODATA) 444 #define MILTER8_V6_PROTO_MASK \ 445 (MILTER8_V4_PROTO_MASK | SMFIP_SKIP | SMFIP_RCPT_REJ \ 446 | SMFIP_NOREPLY_MASK | SMFIP_HDR_LEADSPC) 447 448 /* 449 * What events we can send to the milter application. The milter8_protocol 450 * parameter can specify a protocol version as well as protocol extensions 451 * such as "no_header_reply", a feature that speeds up the protocol by not 452 * sending a filter reply for every individual message header. 453 * 454 * This looks unclean because the user can specify multiple protocol versions, 455 * but that is taken care of by the table that follows this one. 456 * 457 * XXX Is this still needed? Sendmail 8.14 provides a proper way to negotiate 458 * what replies the mail filter will send. 459 * 460 * XXX Keep this table in reverse numerical order. This is needed by the code 461 * that implements compatibility with older Milter protocol versions. 462 */ 463 static const NAME_CODE milter8_event_masks[] = { 464 "6", MILTER8_V6_PROTO_MASK, 465 "4", MILTER8_V4_PROTO_MASK, 466 "3", MILTER8_V3_PROTO_MASK, 467 "2", MILTER8_V2_PROTO_MASK, 468 "no_header_reply", SMFIP_NOHREPL, 469 0, -1, 470 }; 471 472 /* 473 * The following table lets us use the same milter8_protocol parameter 474 * setting to derive the protocol version number. In this case we ignore 475 * protocol extensions such as "no_header_reply", and require that exactly 476 * one version number is specified. 477 */ 478 static const NAME_CODE milter8_versions[] = { 479 "2", 2, 480 "3", 3, 481 "4", 4, 482 "6", 6, 483 "no_header_reply", 0, 484 0, -1, 485 }; 486 487 /* SLMs. */ 488 489 #define STR(x) vstring_str(x) 490 #define LEN(x) VSTRING_LEN(x) 491 492 /* milter8_def_reply - set persistent response */ 493 494 static const char *milter8_def_reply(MILTER8 *milter, const char *reply) 495 { 496 if (milter->def_reply) 497 myfree(milter->def_reply); 498 milter->def_reply = reply ? mystrdup(reply) : 0; 499 return (milter->def_reply); 500 } 501 502 /* milter8_conf_error - local/remote configuration error */ 503 504 static int milter8_conf_error(MILTER8 *milter) 505 { 506 const char *reply; 507 508 /* 509 * XXX When the cleanup server closes its end of the Milter socket while 510 * editing a queue file, the SMTP server is left out of sync with the 511 * Milter. Sending an ABORT to the Milters will not restore 512 * synchronization, because there may be any number of Milter replies 513 * already in flight. Workaround: poison the socket and force the SMTP 514 * server to abandon it. 515 */ 516 if (milter->fp != 0) { 517 (void) shutdown(vstream_fileno(milter->fp), SHUT_RDWR); 518 (void) vstream_fclose(milter->fp); 519 milter->fp = 0; 520 } 521 if (strcasecmp(milter->def_action, "accept") == 0) { 522 reply = 0; 523 } else if (strcasecmp(milter->def_action, "quarantine") == 0) { 524 reply = "H"; 525 } else { 526 reply = "451 4.3.5 Server configuration problem - try again later"; 527 } 528 milter8_def_reply(milter, reply); 529 return (milter->state = MILTER8_STAT_ERROR); 530 } 531 532 /* milter8_comm_error - read/write/format communication error */ 533 534 static int milter8_comm_error(MILTER8 *milter) 535 { 536 const char *reply; 537 538 /* 539 * XXX When the cleanup server closes its end of the Milter socket while 540 * editing a queue file, the SMTP server is left out of sync with the 541 * Milter. Sending an ABORT to the Milters will not restore 542 * synchronization, because there may be any number of Milter replies 543 * already in flight. Workaround: poison the socket and force the SMTP 544 * server to abandon it. 545 */ 546 if (milter->fp != 0) { 547 (void) shutdown(vstream_fileno(milter->fp), SHUT_RDWR); 548 (void) vstream_fclose(milter->fp); 549 milter->fp = 0; 550 } 551 if (strcasecmp(milter->def_action, "accept") == 0) { 552 reply = 0; 553 } else if (strcasecmp(milter->def_action, "reject") == 0) { 554 reply = "550 5.5.0 Service unavailable"; 555 } else if (strcasecmp(milter->def_action, "tempfail") == 0) { 556 reply = "451 4.7.1 Service unavailable - try again later"; 557 } else if (strcasecmp(milter->def_action, "quarantine") == 0) { 558 reply = "H"; 559 } else { 560 msg_warn("milter %s: unrecognized default action: %s", 561 milter->m.name, milter->def_action); 562 reply = "451 4.3.5 Server configuration problem - try again later"; 563 } 564 milter8_def_reply(milter, reply); 565 return (milter->state = MILTER8_STAT_ERROR); 566 } 567 568 /* milter8_close_stream - close stream to milter application */ 569 570 static void milter8_close_stream(MILTER8 *milter) 571 { 572 if (milter->fp != 0) { 573 (void) vstream_fclose(milter->fp); 574 milter->fp = 0; 575 } 576 milter->state = MILTER8_STAT_CLOSED; 577 } 578 579 /* milter8_read_resp - receive command code now, receive data later */ 580 581 static int milter8_read_resp(MILTER8 *milter, int event, unsigned char *command, 582 ssize_t *data_len) 583 { 584 UINT32_TYPE len; 585 ssize_t pkt_len; 586 const char *smfic_name; 587 int cmd; 588 589 /* 590 * Receive the packet length. 591 */ 592 if ((vstream_fread(milter->fp, (void *) &len, UINT32_SIZE)) 593 != UINT32_SIZE) { 594 smfic_name = str_name_code(smfic_table, event); 595 msg_warn("milter %s: can't read %s reply packet header: %m", 596 milter->m.name, smfic_name != 0 ? 597 smfic_name : "(unknown MTA event)"); 598 return (milter8_comm_error(milter)); 599 } else if ((pkt_len = ntohl(len)) < 1) { 600 msg_warn("milter %s: bad packet length: %ld", 601 milter->m.name, (long) pkt_len); 602 return (milter8_comm_error(milter)); 603 } else if (pkt_len > XXX_MAX_DATA) { 604 msg_warn("milter %s: unreasonable packet length: %ld > %ld", 605 milter->m.name, (long) pkt_len, (long) XXX_MAX_DATA); 606 return (milter8_comm_error(milter)); 607 } 608 609 /* 610 * Receive the command code. 611 */ 612 else if ((cmd = VSTREAM_GETC(milter->fp)) == VSTREAM_EOF) { 613 msg_warn("milter %s: EOF while reading command code: %m", 614 milter->m.name); 615 return (milter8_comm_error(milter)); 616 } 617 618 /* 619 * All is well. 620 */ 621 else { 622 *command = cmd; 623 *data_len = pkt_len - 1; 624 return (0); 625 } 626 } 627 628 static int milter8_read_data(MILTER8 *milter, ssize_t *data_len,...); 629 630 /* vmilter8_read_data - read command data */ 631 632 static int vmilter8_read_data(MILTER8 *milter, ssize_t *data_len, va_list ap) 633 { 634 const char *myname = "milter8_read_data"; 635 int arg_type; 636 UINT32_TYPE net_long; 637 UINT32_TYPE *host_long_ptr; 638 VSTRING *buf; 639 int ch; 640 641 while ((arg_type = va_arg(ap, int)) > 0 && arg_type != MILTER8_DATA_MORE) { 642 switch (arg_type) { 643 644 /* 645 * Host order long. 646 */ 647 case MILTER8_DATA_HLONG: 648 if (*data_len < UINT32_SIZE) { 649 msg_warn("milter %s: input packet too short for network long", 650 milter->m.name); 651 return (milter8_comm_error(milter)); 652 } 653 host_long_ptr = va_arg(ap, UINT32_TYPE *); 654 if (vstream_fread(milter->fp, (void *) &net_long, UINT32_SIZE) 655 != UINT32_SIZE) { 656 msg_warn("milter %s: EOF while reading network long: %m", 657 milter->m.name); 658 return (milter8_comm_error(milter)); 659 } 660 *data_len -= UINT32_SIZE; 661 *host_long_ptr = ntohl(net_long); 662 break; 663 664 /* 665 * Raw on-the-wire format, without explicit null terminator. 666 */ 667 case MILTER8_DATA_BUFFER: 668 if (*data_len < 0) { 669 msg_warn("milter %s: no data in input packet", milter->m.name); 670 return (milter8_comm_error(milter)); 671 } 672 buf = va_arg(ap, VSTRING *); 673 if (vstream_fread_buf(milter->fp, buf, *data_len) 674 != *data_len) { 675 msg_warn("milter %s: EOF while reading data: %m", milter->m.name); 676 return (milter8_comm_error(milter)); 677 } 678 *data_len = 0; 679 break; 680 681 /* 682 * Pointer to null-terminated string. 683 */ 684 case MILTER8_DATA_STRING: 685 if (*data_len < 1) { 686 msg_warn("milter %s: packet too short for string", 687 milter->m.name); 688 return (milter8_comm_error(milter)); 689 } 690 buf = va_arg(ap, VSTRING *); 691 VSTRING_RESET(buf); 692 for (;;) { 693 if ((ch = VSTREAM_GETC(milter->fp)) == VSTREAM_EOF) { 694 msg_warn("%s: milter %s: EOF while reading string: %m", 695 myname, milter->m.name); 696 return (milter8_comm_error(milter)); 697 } 698 *data_len -= 1; 699 if (ch == 0) 700 break; 701 VSTRING_ADDCH(buf, ch); 702 if (*data_len <= 0) { 703 msg_warn("%s: milter %s: missing string null termimator", 704 myname, milter->m.name); 705 return (milter8_comm_error(milter)); 706 } 707 } 708 VSTRING_TERMINATE(buf); 709 break; 710 711 /* 712 * Error. 713 */ 714 default: 715 msg_panic("%s: unknown argument type: %d", myname, arg_type); 716 } 717 } 718 719 /* 720 * Sanity checks. We may have excess data when the sender is confused. We 721 * may have a negative count when we're confused ourselves. 722 */ 723 if (arg_type != MILTER8_DATA_MORE && *data_len > 0) { 724 msg_warn("%s: left-over data %ld bytes", myname, (long) *data_len); 725 return (milter8_comm_error(milter)); 726 } 727 if (*data_len < 0) 728 msg_panic("%s: bad left-over data count %ld", 729 myname, (long) *data_len); 730 return (0); 731 } 732 733 /* milter8_read_data - read command data */ 734 735 static int milter8_read_data(MILTER8 *milter, ssize_t *data_len,...) 736 { 737 va_list ap; 738 int ret; 739 740 va_start(ap, data_len); 741 ret = vmilter8_read_data(milter, data_len, ap); 742 va_end(ap); 743 return (ret); 744 } 745 746 /* vmilter8_size_data - compute command data length */ 747 748 static ssize_t vmilter8_size_data(va_list ap) 749 { 750 const char *myname = "vmilter8_size_data"; 751 ssize_t data_len; 752 int arg_type; 753 VSTRING *buf; 754 const char *str; 755 const char **cpp; 756 757 /* 758 * Compute data size. 759 */ 760 for (data_len = 0; (arg_type = va_arg(ap, int)) > 0; /* void */ ) { 761 switch (arg_type) { 762 763 /* 764 * Host order long. 765 */ 766 case MILTER8_DATA_HLONG: 767 (void) va_arg(ap, UINT32_TYPE); 768 data_len += UINT32_SIZE; 769 break; 770 771 /* 772 * Raw on-the-wire format. 773 */ 774 case MILTER8_DATA_BUFFER: 775 buf = va_arg(ap, VSTRING *); 776 data_len += LEN(buf); 777 break; 778 779 /* 780 * Pointer to null-terminated string. 781 */ 782 case MILTER8_DATA_STRING: 783 str = va_arg(ap, char *); 784 data_len += strlen(str) + 1; 785 break; 786 787 /* 788 * Array of pointers to null-terminated strings. 789 */ 790 case MILTER8_DATA_ARGV: 791 for (cpp = va_arg(ap, const char **); *cpp; cpp++) 792 data_len += strlen(*cpp) + 1; 793 break; 794 795 /* 796 * Network order short, promoted to int. 797 */ 798 case MILTER8_DATA_NSHORT: 799 (void) va_arg(ap, unsigned); 800 data_len += UINT16_SIZE; 801 break; 802 803 /* 804 * Octet, promoted to int. 805 */ 806 case MILTER8_DATA_OCTET: 807 (void) va_arg(ap, unsigned); 808 data_len += 1; 809 break; 810 811 /* 812 * Error. 813 */ 814 default: 815 msg_panic("%s: bad argument type: %d", myname, arg_type); 816 } 817 } 818 va_end(ap); 819 return (data_len); 820 } 821 822 /* vmilter8_write_cmd - write command to Sendmail 8 Milter */ 823 824 static int vmilter8_write_cmd(MILTER8 *milter, int command, ssize_t data_len, 825 va_list ap) 826 { 827 const char *myname = "vmilter8_write_cmd"; 828 int arg_type; 829 UINT32_TYPE pkt_len; 830 UINT32_TYPE host_long; 831 UINT32_TYPE net_long; 832 UINT16_TYPE net_short; 833 VSTRING *buf; 834 const char *str; 835 const char **cpp; 836 char ch; 837 838 /* 839 * Deliver the packet. 840 */ 841 if ((pkt_len = 1 + data_len) < 1) 842 msg_panic("%s: bad packet length %d", myname, pkt_len); 843 pkt_len = htonl(pkt_len); 844 (void) vstream_fwrite(milter->fp, (void *) &pkt_len, UINT32_SIZE); 845 (void) VSTREAM_PUTC(command, milter->fp); 846 while ((arg_type = va_arg(ap, int)) > 0) { 847 switch (arg_type) { 848 849 /* 850 * Network long. 851 */ 852 case MILTER8_DATA_HLONG: 853 host_long = va_arg(ap, UINT32_TYPE); 854 net_long = htonl(host_long); 855 (void) vstream_fwrite(milter->fp, (void *) &net_long, UINT32_SIZE); 856 break; 857 858 /* 859 * Raw on-the-wire format. 860 */ 861 case MILTER8_DATA_BUFFER: 862 buf = va_arg(ap, VSTRING *); 863 (void) vstream_fwrite(milter->fp, STR(buf), LEN(buf)); 864 break; 865 866 /* 867 * Pointer to null-terminated string. 868 */ 869 case MILTER8_DATA_STRING: 870 str = va_arg(ap, char *); 871 (void) vstream_fwrite(milter->fp, str, strlen(str) + 1); 872 break; 873 874 /* 875 * Octet, promoted to int. 876 */ 877 case MILTER8_DATA_OCTET: 878 ch = va_arg(ap, unsigned); 879 (void) vstream_fwrite(milter->fp, &ch, 1); 880 break; 881 882 /* 883 * Array of pointers to null-terminated strings. 884 */ 885 case MILTER8_DATA_ARGV: 886 for (cpp = va_arg(ap, const char **); *cpp; cpp++) 887 (void) vstream_fwrite(milter->fp, *cpp, strlen(*cpp) + 1); 888 break; 889 890 /* 891 * Network order short, promoted to int. 892 */ 893 case MILTER8_DATA_NSHORT: 894 net_short = va_arg(ap, unsigned); 895 (void) vstream_fwrite(milter->fp, (void *) &net_short, UINT16_SIZE); 896 break; 897 898 /* 899 * Error. 900 */ 901 default: 902 msg_panic("%s: bad argument type: %d", myname, arg_type); 903 } 904 905 /* 906 * Report errors immediately. 907 */ 908 if (vstream_ferror(milter->fp)) { 909 msg_warn("milter %s: error writing command: %m", milter->m.name); 910 milter8_comm_error(milter); 911 break; 912 } 913 } 914 va_end(ap); 915 return (milter->state == MILTER8_STAT_ERROR); 916 } 917 918 /* milter8_write_cmd - write command to Sendmail 8 Milter */ 919 920 static int milter8_write_cmd(MILTER8 *milter, int command,...) 921 { 922 va_list ap; 923 va_list ap2; 924 ssize_t data_len; 925 int err; 926 927 /* 928 * Initialize argument lists. 929 */ 930 va_start(ap, command); 931 VA_COPY(ap2, ap); 932 933 /* 934 * Size the command data. 935 */ 936 data_len = vmilter8_size_data(ap); 937 va_end(ap); 938 939 /* 940 * Send the command and data. 941 */ 942 err = vmilter8_write_cmd(milter, command, data_len, ap2); 943 va_end(ap2); 944 945 return (err); 946 } 947 948 /* milter8_event - report event and receive reply */ 949 950 static const char *milter8_event(MILTER8 *milter, int event, 951 int skip_event_flag, 952 int skip_reply, 953 ARGV *macros,...) 954 { 955 const char *myname = "milter8_event"; 956 va_list ap; 957 va_list ap2; 958 ssize_t data_len; 959 int err; 960 unsigned char cmd; 961 ssize_t data_size; 962 const char *smfic_name; 963 const char *smfir_name; 964 MILTERS *parent = milter->m.parent; 965 UINT32_TYPE index; 966 const char *edit_resp = 0; 967 const char *retval = 0; 968 VSTRING *body_line_buf = 0; 969 int done = 0; 970 int body_edit_lockout = 0; 971 972 #define DONT_SKIP_REPLY 0 973 974 /* 975 * Sanity check. 976 */ 977 if (milter->fp == 0 || milter->def_reply != 0) { 978 msg_warn("%s: attempt to send event %s to milter %s after error", 979 myname, 980 (smfic_name = str_name_code(smfic_table, event)) != 0 ? 981 smfic_name : "(unknown MTA event)", milter->m.name); 982 return (milter->def_reply); 983 } 984 985 /* 986 * Skip this event if it doesn't exist in the protocol that I announced. 987 */ 988 if ((skip_event_flag & milter->np_mask) != 0) { 989 if (msg_verbose) 990 msg_info("skipping non-protocol event %s for milter %s", 991 (smfic_name = str_name_code(smfic_table, event)) != 0 ? 992 smfic_name : "(unknown MTA event)", milter->m.name); 993 return (milter->def_reply); 994 } 995 996 /* 997 * Skip further events of this type if the filter told us so. 998 */ 999 if (milter->skip_event_type != 0) { 1000 if (event == milter->skip_event_type) { 1001 if (msg_verbose) 1002 msg_info("skipping event %s after SMFIR_SKIP from milter %s", 1003 (smfic_name = str_name_code(smfic_table, event)) != 0 ? 1004 smfic_name : "(unknown MTA event)", milter->m.name); 1005 return (milter->def_reply); 1006 } else { 1007 milter->skip_event_type = 0; 1008 } 1009 } 1010 1011 /* 1012 * Send the macros for this event, even when we're not reporting the 1013 * event itself. This does not introduce a performance problem because 1014 * we're sending macros and event parameters in one VSTREAM transaction. 1015 * 1016 * XXX Is this still necessary? 1017 */ 1018 if (msg_verbose) { 1019 VSTRING *buf = vstring_alloc(100); 1020 1021 if (macros) { 1022 if (macros->argc > 0) { 1023 char **cpp; 1024 1025 for (cpp = macros->argv; *cpp && cpp[1]; cpp += 2) 1026 vstring_sprintf_append(buf, " %s=%s", *cpp, cpp[1]); 1027 } 1028 } 1029 msg_info("event: %s; macros:%s", 1030 (smfic_name = str_name_code(smfic_table, event)) != 0 ? 1031 smfic_name : "(unknown MTA event)", *STR(buf) ? 1032 STR(buf) : " (none)"); 1033 vstring_free(buf); 1034 } 1035 if (macros) { 1036 if (milter8_write_cmd(milter, SMFIC_MACRO, 1037 MILTER8_DATA_OCTET, event, 1038 MILTER8_DATA_ARGV, macros->argv, 1039 MILTER8_DATA_END) != 0) 1040 return (milter->def_reply); 1041 } 1042 1043 /* 1044 * Skip this event if the Milter told us not to send it. 1045 */ 1046 if ((skip_event_flag & milter->ev_mask) != 0) { 1047 if (msg_verbose) 1048 msg_info("skipping event %s for milter %s", 1049 (smfic_name = str_name_code(smfic_table, event)) != 0 ? 1050 smfic_name : "(unknown MTA event)", milter->m.name); 1051 return (milter->def_reply); 1052 } 1053 1054 /* 1055 * Initialize argument lists. 1056 */ 1057 va_start(ap, macros); 1058 VA_COPY(ap2, ap); 1059 1060 /* 1061 * Compute the command data size. This is necessary because the protocol 1062 * sends length before content. 1063 */ 1064 data_len = vmilter8_size_data(ap); 1065 va_end(ap); 1066 1067 /* 1068 * Send the command and data. 1069 */ 1070 err = vmilter8_write_cmd(milter, event, data_len, ap2); 1071 va_end(ap2); 1072 1073 /* 1074 * C99 requires that we finalize argument lists before returning. 1075 */ 1076 if (err != 0) 1077 return (milter->def_reply); 1078 1079 /* 1080 * Special feature: don't wait for one reply per header. This allows us 1081 * to send multiple headers in one VSTREAM transaction, and improves 1082 * over-all performance. 1083 */ 1084 if (skip_reply) { 1085 if (msg_verbose) 1086 msg_info("skipping reply for event %s from milter %s", 1087 (smfic_name = str_name_code(smfic_table, event)) != 0 ? 1088 smfic_name : "(unknown MTA event)", milter->m.name); 1089 return (milter->def_reply); 1090 } 1091 1092 /* 1093 * Receive the reply or replies. 1094 * 1095 * Intercept all loop exits so that we can do post header/body edit 1096 * processing. 1097 * 1098 * XXX Bound the loop iteration count. 1099 * 1100 * In the end-of-body stage, the Milter may reply with one or more queue 1101 * file edit requests before it replies with its final decision: accept, 1102 * reject, etc. After a local queue file edit error (file too big, media 1103 * write error), do not close the Milter socket in the cleanup server. 1104 * Instead skip all further Milter replies until the final decision. This 1105 * way the Postfix SMTP server stays in sync with the Milter, and Postfix 1106 * doesn't have to lose the ability to handle multiple deliveries within 1107 * the same SMTP session. This requires that the Postfix SMTP server uses 1108 * something other than CLEANUP_STAT_WRITE when it loses contact with the 1109 * cleanup server. 1110 */ 1111 #define IN_CONNECT_EVENT(e) ((e) == SMFIC_CONNECT || (e) == SMFIC_HELO) 1112 1113 /* 1114 * XXX Don't evaluate this macro's argument multiple times. Since we use 1115 * "continue" the macro can't be enclosed in do .. while (0). 1116 */ 1117 #define MILTER8_EVENT_BREAK(s) { \ 1118 retval = (s); \ 1119 done = 1; \ 1120 continue; \ 1121 } 1122 1123 while (done == 0) { 1124 char *cp; 1125 char *rp; 1126 char ch; 1127 char *next; 1128 1129 if (milter8_read_resp(milter, event, &cmd, &data_size) != 0) 1130 MILTER8_EVENT_BREAK(milter->def_reply); 1131 if (msg_verbose) 1132 msg_info("reply: %s data %ld bytes", 1133 (smfir_name = str_name_code(smfir_table, cmd)) != 0 ? 1134 smfir_name : "unknown", (long) data_size); 1135 1136 /* 1137 * Handle unfinished message body replacement first. 1138 * 1139 * XXX When SMFIR_REPLBODY is followed by some different request, we 1140 * assume that the body replacement operation is complete. The queue 1141 * file editing implementation currently does not support sending 1142 * part 1 of the body replacement text, doing some other queue file 1143 * updates, and then sending part 2 of the body replacement text. To 1144 * avoid loss of data, we log an error when SMFIR_REPLBODY requests 1145 * are alternated with other requests. 1146 */ 1147 if (body_line_buf != 0 && cmd != SMFIR_REPLBODY) { 1148 /* In case the last body replacement line didn't end in CRLF. */ 1149 if (edit_resp == 0 && LEN(body_line_buf) > 0) 1150 edit_resp = parent->repl_body(parent->chg_context, 1151 MILTER_BODY_LINE, 1152 body_line_buf); 1153 if (edit_resp == 0) 1154 edit_resp = parent->repl_body(parent->chg_context, 1155 MILTER_BODY_END, 1156 (VSTRING *) 0); 1157 body_edit_lockout = 1; 1158 vstring_free(body_line_buf); 1159 body_line_buf = 0; 1160 } 1161 switch (cmd) { 1162 1163 /* 1164 * Still working on it. 1165 */ 1166 case SMFIR_PROGRESS: 1167 if (data_size != 0) 1168 break; 1169 continue; 1170 1171 /* 1172 * Decision: continue processing. 1173 */ 1174 case SMFIR_CONTINUE: 1175 if (data_size != 0) 1176 break; 1177 MILTER8_EVENT_BREAK(milter->def_reply); 1178 1179 /* 1180 * Decision: accept this message, or accept all further commands 1181 * in this SMTP connection. This decision is final (i.e. Sendmail 1182 * 8 changes receiver state). 1183 */ 1184 case SMFIR_ACCEPT: 1185 if (data_size != 0) 1186 break; 1187 if (IN_CONNECT_EVENT(event)) { 1188 #ifdef LIBMILTER_AUTO_DISCONNECT 1189 milter8_close_stream(milter); 1190 #endif 1191 /* No more events for this SMTP connection. */ 1192 milter->state = MILTER8_STAT_ACCEPT_CON; 1193 } else { 1194 /* No more events for this message. */ 1195 milter->state = MILTER8_STAT_ACCEPT_MSG; 1196 } 1197 MILTER8_EVENT_BREAK(milter->def_reply); 1198 1199 /* 1200 * Decision: accept and silently discard this message. According 1201 * to the milter API documentation there will be no action when 1202 * this is requested by a connection-level function. This 1203 * decision is final (i.e. Sendmail 8 changes receiver state). 1204 */ 1205 case SMFIR_DISCARD: 1206 if (data_size != 0) 1207 break; 1208 if (IN_CONNECT_EVENT(event)) { 1209 msg_warn("milter %s: DISCARD action is not allowed " 1210 "for connect or helo", milter->m.name); 1211 MILTER8_EVENT_BREAK(milter->def_reply); 1212 } else { 1213 /* No more events for this message. */ 1214 milter->state = MILTER8_STAT_ACCEPT_MSG; 1215 MILTER8_EVENT_BREAK("D"); 1216 } 1217 1218 /* 1219 * Decision: reject connection, message or recipient. This 1220 * decision is final (i.e. Sendmail 8 changes receiver state). 1221 */ 1222 case SMFIR_REJECT: 1223 if (data_size != 0) 1224 break; 1225 if (IN_CONNECT_EVENT(event)) { 1226 #ifdef LIBMILTER_AUTO_DISCONNECT 1227 milter8_close_stream(milter); 1228 #endif 1229 milter->state = MILTER8_STAT_REJECT_CON; 1230 MILTER8_EVENT_BREAK(milter8_def_reply(milter, "550 5.7.1 Command rejected")); 1231 } else { 1232 MILTER8_EVENT_BREAK("550 5.7.1 Command rejected"); 1233 } 1234 1235 /* 1236 * Decision: tempfail. This decision is final (i.e. Sendmail 8 1237 * changes receiver state). 1238 */ 1239 case SMFIR_TEMPFAIL: 1240 if (data_size != 0) 1241 break; 1242 if (IN_CONNECT_EVENT(event)) { 1243 #ifdef LIBMILTER_AUTO_DISCONNECT 1244 milter8_close_stream(milter); 1245 #endif 1246 milter->state = MILTER8_STAT_REJECT_CON; 1247 MILTER8_EVENT_BREAK(milter8_def_reply(milter, 1248 "451 4.7.1 Service unavailable - try again later")); 1249 } else { 1250 MILTER8_EVENT_BREAK("451 4.7.1 Service unavailable - try again later"); 1251 } 1252 1253 /* 1254 * Decision: disconnect. This decision is final (i.e. Sendmail 8 1255 * changes receiver state). 1256 */ 1257 case SMFIR_SHUTDOWN: 1258 if (data_size != 0) 1259 break; 1260 #ifdef LIBMILTER_AUTO_DISCONNECT 1261 milter8_close_stream(milter); 1262 #endif 1263 milter->state = MILTER8_STAT_REJECT_CON; 1264 MILTER8_EVENT_BREAK(milter8_def_reply(milter, "S")); 1265 1266 /* 1267 * Decision: "ddd d.d+.d+ text". This decision is final (i.e. 1268 * Sendmail 8 changes receiver state). Note: the reply may be in 1269 * multi-line SMTP format. 1270 * 1271 * XXX Sendmail compatibility: sendmail 8 uses the reply as a format 1272 * string; therefore any '%' characters in the reply are doubled. 1273 * Postfix doesn't use replies as format strings; we replace '%%' 1274 * by '%', and remove single (i.e. invalid) '%' characters. 1275 */ 1276 case SMFIR_REPLYCODE: 1277 if (milter8_read_data(milter, &data_size, 1278 MILTER8_DATA_BUFFER, milter->buf, 1279 MILTER8_DATA_END) != 0) 1280 MILTER8_EVENT_BREAK(milter->def_reply); 1281 /* XXX Enforce this for each line of a multi-line reply. */ 1282 if ((STR(milter->buf)[0] != '4' && STR(milter->buf)[0] != '5') 1283 || !ISDIGIT(STR(milter->buf)[1]) 1284 || !ISDIGIT(STR(milter->buf)[2]) 1285 || (STR(milter->buf)[3] != ' ' && STR(milter->buf)[3] != '-') 1286 || (ISDIGIT(STR(milter->buf)[4]) 1287 && (STR(milter->buf)[4] != STR(milter->buf)[0]))) { 1288 msg_warn("milter %s: malformed reply: %s", 1289 milter->m.name, STR(milter->buf)); 1290 milter8_conf_error(milter); 1291 MILTER8_EVENT_BREAK(milter->def_reply); 1292 } 1293 if ((rp = cp = strchr(STR(milter->buf), '%')) != 0) { 1294 for (;;) { 1295 if ((ch = *cp++) == '%') 1296 ch = *cp++; 1297 *rp++ = ch; 1298 if (ch == 0) 1299 break; 1300 } 1301 } 1302 if (var_soft_bounce) { 1303 for (cp = STR(milter->buf); /* void */ ; cp = next) { 1304 if (cp[0] == '5') { 1305 cp[0] = '4'; 1306 if (cp[4] == '5') 1307 cp[4] = '4'; 1308 } 1309 if ((next = strstr(cp, "\r\n")) == 0) 1310 break; 1311 next += 2; 1312 } 1313 } 1314 if (IN_CONNECT_EVENT(event)) { 1315 #ifdef LIBMILTER_AUTO_DISCONNECT 1316 milter8_close_stream(milter); 1317 #endif 1318 milter->state = MILTER8_STAT_REJECT_CON; 1319 MILTER8_EVENT_BREAK(milter8_def_reply(milter, STR(milter->buf))); 1320 } else { 1321 MILTER8_EVENT_BREAK(STR(milter->buf)); 1322 } 1323 1324 /* 1325 * Decision: quarantine. In Sendmail 8.13 this does not imply a 1326 * transition in the receiver state (reply, reject, tempfail, 1327 * accept, discard). We should not transition, either, otherwise 1328 * we get out of sync. 1329 */ 1330 case SMFIR_QUARANTINE: 1331 /* XXX What to do with the "reason" text? */ 1332 if (milter8_read_data(milter, &data_size, 1333 MILTER8_DATA_BUFFER, milter->buf, 1334 MILTER8_DATA_END) != 0) 1335 MILTER8_EVENT_BREAK(milter->def_reply); 1336 milter8_def_reply(milter, "H"); 1337 continue; 1338 1339 /* 1340 * Decision: skip further events of this type. 1341 */ 1342 case SMFIR_SKIP: 1343 if (data_size != 0) 1344 break; 1345 milter->skip_event_type = event; 1346 MILTER8_EVENT_BREAK(milter->def_reply); 1347 1348 /* 1349 * Modification request or error. 1350 */ 1351 default: 1352 if (event == SMFIC_BODYEOB) { 1353 switch (cmd) { 1354 1355 #define MILTER8_HDR_SPACE(m) (((m)->ev_mask & SMFIP_HDR_LEADSPC) ? "" : " ") 1356 1357 /* 1358 * Modification request: replace, insert or delete 1359 * header. Index 1 means the first instance. 1360 */ 1361 case SMFIR_CHGHEADER: 1362 if (milter8_read_data(milter, &data_size, 1363 MILTER8_DATA_HLONG, &index, 1364 MILTER8_DATA_STRING, milter->buf, 1365 MILTER8_DATA_STRING, milter->body, 1366 MILTER8_DATA_END) != 0) 1367 MILTER8_EVENT_BREAK(milter->def_reply); 1368 /* Skip to the next request after previous edit error. */ 1369 if (edit_resp) 1370 continue; 1371 /* XXX Sendmail 8 compatibility. */ 1372 if (index == 0) 1373 index = 1; 1374 if ((ssize_t) index < 1) { 1375 msg_warn("milter %s: bad change header index: %ld", 1376 milter->m.name, (long) index); 1377 milter8_conf_error(milter); 1378 MILTER8_EVENT_BREAK(milter->def_reply); 1379 } 1380 if (LEN(milter->buf) == 0) { 1381 msg_warn("milter %s: null change header name", 1382 milter->m.name); 1383 milter8_conf_error(milter); 1384 MILTER8_EVENT_BREAK(milter->def_reply); 1385 } 1386 if (STR(milter->body)[0]) 1387 edit_resp = parent->upd_header(parent->chg_context, 1388 (ssize_t) index, 1389 STR(milter->buf), 1390 MILTER8_HDR_SPACE(milter), 1391 STR(milter->body)); 1392 else 1393 edit_resp = parent->del_header(parent->chg_context, 1394 (ssize_t) index, 1395 STR(milter->buf)); 1396 continue; 1397 1398 /* 1399 * Modification request: append header. 1400 */ 1401 case SMFIR_ADDHEADER: 1402 if (milter8_read_data(milter, &data_size, 1403 MILTER8_DATA_STRING, milter->buf, 1404 MILTER8_DATA_STRING, milter->body, 1405 MILTER8_DATA_END) != 0) 1406 MILTER8_EVENT_BREAK(milter->def_reply); 1407 /* Skip to the next request after previous edit error. */ 1408 if (edit_resp) 1409 continue; 1410 edit_resp = parent->add_header(parent->chg_context, 1411 STR(milter->buf), 1412 MILTER8_HDR_SPACE(milter), 1413 STR(milter->body)); 1414 continue; 1415 1416 /* 1417 * Modification request: insert header. With Sendmail 8, 1418 * index 0 means the top-most header. We use 1-based 1419 * indexing for consistency with header change 1420 * operations. 1421 */ 1422 case SMFIR_INSHEADER: 1423 if (milter8_read_data(milter, &data_size, 1424 MILTER8_DATA_HLONG, &index, 1425 MILTER8_DATA_STRING, milter->buf, 1426 MILTER8_DATA_STRING, milter->body, 1427 MILTER8_DATA_END) != 0) 1428 MILTER8_EVENT_BREAK(milter->def_reply); 1429 /* Skip to the next request after previous edit error. */ 1430 if (edit_resp) 1431 continue; 1432 if ((ssize_t) index + 1 < 1) { 1433 msg_warn("milter %s: bad insert header index: %ld", 1434 milter->m.name, (long) index); 1435 milter8_conf_error(milter); 1436 MILTER8_EVENT_BREAK(milter->def_reply); 1437 } 1438 edit_resp = parent->ins_header(parent->chg_context, 1439 (ssize_t) index + 1, 1440 STR(milter->buf), 1441 MILTER8_HDR_SPACE(milter), 1442 STR(milter->body)); 1443 continue; 1444 1445 /* 1446 * Modification request: replace sender, with optional 1447 * ESMTP args. 1448 */ 1449 case SMFIR_CHGFROM: 1450 if (milter8_read_data(milter, &data_size, 1451 MILTER8_DATA_STRING, milter->buf, 1452 MILTER8_DATA_MORE) != 0) 1453 MILTER8_EVENT_BREAK(milter->def_reply); 1454 if (data_size > 0) { 1455 if (milter8_read_data(milter, &data_size, 1456 MILTER8_DATA_STRING, milter->body, 1457 MILTER8_DATA_END) != 0) 1458 MILTER8_EVENT_BREAK(milter->def_reply); 1459 } else { 1460 VSTRING_RESET(milter->body); 1461 VSTRING_TERMINATE(milter->body); 1462 } 1463 /* Skip to the next request after previous edit error. */ 1464 if (edit_resp) 1465 continue; 1466 edit_resp = parent->chg_from(parent->chg_context, 1467 STR(milter->buf), 1468 STR(milter->body)); 1469 continue; 1470 1471 /* 1472 * Modification request: append recipient. 1473 */ 1474 case SMFIR_ADDRCPT: 1475 if (milter8_read_data(milter, &data_size, 1476 MILTER8_DATA_STRING, milter->buf, 1477 MILTER8_DATA_END) != 0) 1478 MILTER8_EVENT_BREAK(milter->def_reply); 1479 /* Skip to the next request after previous edit error. */ 1480 if (edit_resp) 1481 continue; 1482 edit_resp = parent->add_rcpt(parent->chg_context, 1483 STR(milter->buf)); 1484 continue; 1485 1486 /* 1487 * Modification request: append recipient, with optional 1488 * ESMTP args. 1489 */ 1490 case SMFIR_ADDRCPT_PAR: 1491 if (milter8_read_data(milter, &data_size, 1492 MILTER8_DATA_STRING, milter->buf, 1493 MILTER8_DATA_MORE) != 0) 1494 MILTER8_EVENT_BREAK(milter->def_reply); 1495 if (data_size > 0) { 1496 if (milter8_read_data(milter, &data_size, 1497 MILTER8_DATA_STRING, milter->body, 1498 MILTER8_DATA_END) != 0) 1499 MILTER8_EVENT_BREAK(milter->def_reply); 1500 } else { 1501 VSTRING_RESET(milter->body); 1502 VSTRING_TERMINATE(milter->body); 1503 } 1504 /* Skip to the next request after previous edit error. */ 1505 if (edit_resp) 1506 continue; 1507 edit_resp = parent->add_rcpt_par(parent->chg_context, 1508 STR(milter->buf), 1509 STR(milter->body)); 1510 continue; 1511 1512 /* 1513 * Modification request: delete (expansion of) recipient. 1514 */ 1515 case SMFIR_DELRCPT: 1516 if (milter8_read_data(milter, &data_size, 1517 MILTER8_DATA_STRING, milter->buf, 1518 MILTER8_DATA_END) != 0) 1519 MILTER8_EVENT_BREAK(milter->def_reply); 1520 /* Skip to the next request after previous edit error. */ 1521 if (edit_resp) 1522 continue; 1523 edit_resp = parent->del_rcpt(parent->chg_context, 1524 STR(milter->buf)); 1525 continue; 1526 1527 /* 1528 * Modification request: replace the message body, and 1529 * update the message size. 1530 */ 1531 case SMFIR_REPLBODY: 1532 if (body_edit_lockout) { 1533 msg_warn("milter %s: body replacement requests can't " 1534 "currently be mixed with other requests", 1535 milter->m.name); 1536 milter8_conf_error(milter); 1537 MILTER8_EVENT_BREAK(milter->def_reply); 1538 } 1539 if (milter8_read_data(milter, &data_size, 1540 MILTER8_DATA_BUFFER, milter->body, 1541 MILTER8_DATA_END) != 0) 1542 MILTER8_EVENT_BREAK(milter->def_reply); 1543 /* Skip to the next request after previous edit error. */ 1544 if (edit_resp) 1545 continue; 1546 /* Start body replacement. */ 1547 if (body_line_buf == 0) { 1548 body_line_buf = vstring_alloc(var_line_limit); 1549 edit_resp = parent->repl_body(parent->chg_context, 1550 MILTER_BODY_START, 1551 (VSTRING *) 0); 1552 } 1553 /* Extract lines from the on-the-wire CRLF format. */ 1554 for (cp = STR(milter->body); edit_resp == 0 1555 && cp < vstring_end(milter->body); cp++) { 1556 ch = *(unsigned char *) cp; 1557 if (ch == '\n') { 1558 if (LEN(body_line_buf) > 0 1559 && vstring_end(body_line_buf)[-1] == '\r') 1560 vstring_truncate(body_line_buf, 1561 LEN(body_line_buf) - 1); 1562 edit_resp = parent->repl_body(parent->chg_context, 1563 MILTER_BODY_LINE, 1564 body_line_buf); 1565 VSTRING_RESET(body_line_buf); 1566 } else { 1567 VSTRING_ADDCH(body_line_buf, ch); 1568 } 1569 } 1570 continue; 1571 } 1572 } 1573 msg_warn("milter %s: unexpected filter response %s after event %s", 1574 milter->m.name, 1575 (smfir_name = str_name_code(smfir_table, cmd)) != 0 ? 1576 smfir_name : "(unknown filter reply)", 1577 (smfic_name = str_name_code(smfic_table, event)) != 0 ? 1578 smfic_name : "(unknown MTA event)"); 1579 milter8_comm_error(milter); 1580 MILTER8_EVENT_BREAK(milter->def_reply); 1581 } 1582 1583 /* 1584 * Get here when the reply was followed by data bytes that weren't 1585 * supposed to be there. 1586 */ 1587 msg_warn("milter %s: reply %s was followed by %ld data bytes", 1588 milter->m.name, (smfir_name = str_name_code(smfir_table, cmd)) != 0 ? 1589 smfir_name : "unknown", (long) data_len); 1590 milter8_comm_error(milter); 1591 MILTER8_EVENT_BREAK(milter->def_reply); 1592 } 1593 1594 /* 1595 * Clean up after aborted message body replacement. 1596 */ 1597 if (body_line_buf) 1598 vstring_free(body_line_buf); 1599 1600 /* 1601 * XXX Some cleanup clients ask the cleanup server to bounce mail for 1602 * them. In that case we must override a hard reject retval result after 1603 * queue file update failure. This is not a big problem; the odds are 1604 * small that a Milter application sends a hard reject after replacing 1605 * the message body. 1606 */ 1607 if (edit_resp && (retval == 0 || strchr("DS4", retval[0]) == 0)) 1608 retval = edit_resp; 1609 return (retval); 1610 } 1611 1612 /* milter8_connect - connect to filter */ 1613 1614 static void milter8_connect(MILTER8 *milter) 1615 { 1616 const char *myname = "milter8_connect"; 1617 ssize_t data_len; 1618 unsigned char cmd; 1619 char *transport; 1620 char *endpoint; 1621 int (*connect_fn) (const char *, int, int); 1622 int fd; 1623 const UINT32_TYPE my_actions = (SMFIF_ADDHDRS | SMFIF_ADDRCPT 1624 | SMFIF_DELRCPT | SMFIF_CHGHDRS 1625 | SMFIF_CHGBODY 1626 | SMFIF_QUARANTINE 1627 | SMFIF_CHGFROM 1628 | SMFIF_ADDRCPT_PAR 1629 | SMFIF_SETSYMLIST 1630 ); 1631 UINT32_TYPE my_version = 0; 1632 UINT32_TYPE my_events = 0; 1633 char *saved_version; 1634 char *cp; 1635 char *name; 1636 1637 /* 1638 * Sanity check. 1639 */ 1640 if (milter->fp != 0) 1641 msg_panic("%s: milter %s: socket is not closed", 1642 myname, milter->m.name); 1643 1644 /* 1645 * For user friendliness reasons the milter_protocol configuration 1646 * parameter can specify both the protocol version and protocol 1647 * extensions (e.g., don't reply for each individual message header). 1648 * 1649 * The protocol version is sent as is to the milter application. 1650 * 1651 * The version and extensions determine what events we can send to the 1652 * milter application. 1653 * 1654 * We don't announce support for events that aren't defined for my protocol 1655 * version. Today's libmilter implementations don't seem to care, but we 1656 * don't want to take the risk that a future version will be more picky. 1657 */ 1658 cp = saved_version = mystrdup(milter->protocol); 1659 while ((name = mystrtok(&cp, CHARS_COMMA_SP)) != 0) { 1660 int mask; 1661 int vers; 1662 1663 if ((mask = name_code(milter8_event_masks, 1664 NAME_CODE_FLAG_NONE, name)) == -1 1665 || (vers = name_code(milter8_versions, 1666 NAME_CODE_FLAG_NONE, name)) == -1 1667 || (vers != 0 && my_version != 0)) { 1668 msg_warn("milter %s: bad protocol information: %s", 1669 milter->m.name, name); 1670 milter8_conf_error(milter); 1671 return; 1672 } 1673 if (vers != 0) 1674 my_version = vers; 1675 my_events |= mask; 1676 } 1677 myfree(saved_version); 1678 if (my_events == 0 || my_version == 0) { 1679 msg_warn("milter %s: no protocol version information", milter->m.name); 1680 milter8_conf_error(milter); 1681 return; 1682 } 1683 1684 /* 1685 * Don't send events that aren't defined for my protocol version. 1686 */ 1687 milter->np_mask = (SMFIP_NOSEND_MASK & ~my_events); 1688 if (msg_verbose) 1689 msg_info("%s: non-protocol events for protocol version %d: %s", 1690 myname, my_version, 1691 str_name_mask_opt(milter->buf, "non-protocol event mask", 1692 smfip_table, milter->np_mask, NAME_MASK_NUMBER)); 1693 1694 /* 1695 * Parse the Milter application endpoint. 1696 */ 1697 #define FREE_TRANSPORT_AND_BAIL_OUT(milter, milter_error) do { \ 1698 myfree(transport); \ 1699 milter_error(milter); \ 1700 return; \ 1701 } while (0); 1702 1703 transport = mystrdup(milter->m.name); 1704 if ((endpoint = split_at(transport, ':')) == 0 1705 || *endpoint == 0 || *transport == 0) { 1706 msg_warn("Milter service needs transport:endpoint instead of \"%s\"", 1707 milter->m.name); 1708 FREE_TRANSPORT_AND_BAIL_OUT(milter, milter8_conf_error); 1709 } 1710 if (msg_verbose) 1711 msg_info("%s: transport=%s endpoint=%s", myname, transport, endpoint); 1712 if (strcmp(transport, "inet") == 0) { 1713 connect_fn = inet_connect; 1714 } else if (strcmp(transport, "unix") == 0) { 1715 connect_fn = unix_connect; 1716 } else if (strcmp(transport, "local") == 0) { 1717 connect_fn = LOCAL_CONNECT; 1718 } else { 1719 msg_warn("invalid transport name: %s in Milter service: %s", 1720 transport, milter->m.name); 1721 FREE_TRANSPORT_AND_BAIL_OUT(milter, milter8_conf_error); 1722 } 1723 1724 /* 1725 * Connect to the Milter application. 1726 */ 1727 if ((fd = connect_fn(endpoint, BLOCKING, milter->conn_timeout)) < 0) { 1728 msg_warn("connect to Milter service %s: %m", milter->m.name); 1729 FREE_TRANSPORT_AND_BAIL_OUT(milter, milter8_comm_error); 1730 } 1731 myfree(transport); 1732 milter->fp = vstream_fdopen(fd, O_RDWR); 1733 vstream_control(milter->fp, 1734 CA_VSTREAM_CTL_DOUBLE, 1735 CA_VSTREAM_CTL_TIMEOUT(milter->cmd_timeout), 1736 CA_VSTREAM_CTL_END); 1737 /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */ 1738 if (connect_fn == inet_connect) 1739 vstream_tweak_tcp(milter->fp); 1740 1741 /* 1742 * Open the negotiations by sending what actions the Milter may request 1743 * and what events the Milter can receive. 1744 */ 1745 if (msg_verbose) { 1746 msg_info("%s: my_version=0x%lx", myname, (long) my_version); 1747 msg_info("%s: my_actions=0x%lx %s", myname, (long) my_actions, 1748 str_name_mask_opt(milter->buf, "request mask", 1749 smfif_table, my_actions, NAME_MASK_NUMBER)); 1750 msg_info("%s: my_events=0x%lx %s", myname, (long) my_events, 1751 str_name_mask_opt(milter->buf, "event mask", 1752 smfip_table, my_events, NAME_MASK_NUMBER)); 1753 } 1754 errno = 0; 1755 if (milter8_write_cmd(milter, SMFIC_OPTNEG, 1756 MILTER8_DATA_HLONG, my_version, 1757 MILTER8_DATA_HLONG, my_actions, 1758 MILTER8_DATA_HLONG, my_events, 1759 MILTER8_DATA_END) != 0) { 1760 msg_warn("milter %s: write error in initial handshake", 1761 milter->m.name); 1762 /* milter8_write_cmd() called milter8_comm_error() */ 1763 return; 1764 } 1765 1766 /* 1767 * Receive the filter's response and verify that we are compatible. 1768 */ 1769 if (milter8_read_resp(milter, SMFIC_OPTNEG, &cmd, &data_len) != 0) { 1770 msg_warn("milter %s: read error in initial handshake", milter->m.name); 1771 /* milter8_read_resp() called milter8_comm_error() */ 1772 return; 1773 } 1774 if (cmd != SMFIC_OPTNEG) { 1775 msg_warn("milter %s: unexpected reply \"%c\" in initial handshake", 1776 milter->m.name, cmd); 1777 (void) milter8_comm_error(milter); 1778 return; 1779 } 1780 if (milter8_read_data(milter, &data_len, 1781 MILTER8_DATA_HLONG, &milter->version, 1782 MILTER8_DATA_HLONG, &milter->rq_mask, 1783 MILTER8_DATA_HLONG, &milter->ev_mask, 1784 MILTER8_DATA_MORE) != 0) { 1785 msg_warn("milter %s: read error in initial handshake", milter->m.name); 1786 /* milter8_read_data() called milter8_comm_error() */ 1787 return; 1788 } 1789 if (milter->version > my_version) { 1790 msg_warn("milter %s: protocol version %d conflict" 1791 " with MTA protocol version %d", 1792 milter->m.name, milter->version, my_version); 1793 (void) milter8_comm_error(milter); 1794 return; 1795 } 1796 if ((milter->rq_mask & my_actions) != milter->rq_mask) { 1797 msg_warn("milter %s: request mask 0x%x conflict" 1798 " with MTA request mask 0x%lx", 1799 milter->m.name, milter->rq_mask, (long) my_actions); 1800 (void) milter8_comm_error(milter); 1801 return; 1802 } 1803 if (milter->ev_mask & SMFIP_RCPT_REJ) 1804 milter->m.flags |= MILTER_FLAG_WANT_RCPT_REJ; 1805 1806 /* 1807 * Allow the remote application to run an older protocol version, but 1808 * don't them send events that their protocol version doesn't support. 1809 * Based on a suggestion by Kouhei Sutou. 1810 * 1811 * XXX When the Milter sends a protocol version that we don't have 1812 * information for, use the information for the next-lower protocol 1813 * version instead. This code assumes that the milter8_event_masks table 1814 * is organized in reverse numerical order. 1815 */ 1816 if (milter->version < my_version) { 1817 const NAME_CODE *np; 1818 int version; 1819 1820 for (np = milter8_event_masks; /* see below */ ; np++) { 1821 if (np->name == 0) { 1822 msg_warn("milter %s: unexpected protocol version %d", 1823 milter->m.name, milter->version); 1824 break; 1825 } 1826 if ((version = atoi(np->name)) > 0 && version <= milter->version) { 1827 milter->np_mask |= (SMFIP_NOSEND_MASK & ~np->code); 1828 if (msg_verbose) 1829 msg_info("%s: non-protocol events for milter %s" 1830 " protocol version %d: %s", 1831 myname, milter->m.name, milter->version, 1832 str_name_mask_opt(milter->buf, 1833 "non-protocol event mask", 1834 smfip_table, milter->np_mask, 1835 NAME_MASK_NUMBER)); 1836 break; 1837 } 1838 } 1839 } 1840 1841 /* 1842 * Initial negotiations completed. 1843 */ 1844 if (msg_verbose) { 1845 if ((milter->ev_mask & my_events) != milter->ev_mask) 1846 msg_info("milter %s: event mask 0x%x includes features not" 1847 " offered in MTA event mask 0x%lx", 1848 milter->m.name, milter->ev_mask, (long) my_events); 1849 msg_info("%s: milter %s version %d", 1850 myname, milter->m.name, milter->version); 1851 msg_info("%s: events %s", myname, 1852 str_name_mask_opt(milter->buf, "event mask", 1853 smfip_table, milter->ev_mask, NAME_MASK_NUMBER)); 1854 msg_info("%s: requests %s", myname, 1855 str_name_mask_opt(milter->buf, "request mask", 1856 smfif_table, milter->rq_mask, NAME_MASK_NUMBER)); 1857 } 1858 milter->state = MILTER8_STAT_READY; 1859 milter8_def_reply(milter, 0); 1860 milter->skip_event_type = 0; 1861 1862 /* 1863 * Secondary negotiations: override lists of macro names. 1864 */ 1865 if (data_len > 0) { 1866 VSTRING *buf = vstring_alloc(100); 1867 UINT32_TYPE mac_type; 1868 const char *smfim_name; 1869 char **mac_value_ptr; 1870 1871 milter->m.macros = milter_macros_alloc(MILTER_MACROS_ALLOC_EMPTY); 1872 1873 while (data_len > 0 1874 && milter8_read_data(milter, &data_len, 1875 MILTER8_DATA_HLONG, &mac_type, 1876 MILTER8_DATA_STRING, buf, 1877 MILTER8_DATA_MORE) == 0) { 1878 smfim_name = str_name_code(smfim_table, mac_type); 1879 if (smfim_name == 0) { 1880 msg_warn("milter %s: ignoring unknown macro type %u", 1881 milter->m.name, (unsigned) mac_type); 1882 } else { 1883 if (msg_verbose) 1884 msg_info("override %s macro list with \"%s\"", 1885 smfim_name, STR(buf)); 1886 mac_value_ptr = MILTER8_MACRO_PTR(milter->m.macros, mac_type); 1887 myfree(*mac_value_ptr); 1888 *mac_value_ptr = mystrdup(STR(buf)); 1889 } 1890 } 1891 /* milter8_read_data() calls milter8_comm_error() after error. */ 1892 vstring_free(buf); 1893 /* At this point the filter state is either READY or ERROR. */ 1894 } 1895 } 1896 1897 /* milter8_conn_event - report connect event to Sendmail 8 milter */ 1898 1899 static const char *milter8_conn_event(MILTER *m, 1900 const char *client_name, 1901 const char *client_addr, 1902 const char *client_port, 1903 unsigned addr_family, 1904 ARGV *macros) 1905 { 1906 const char *myname = "milter8_conn_event"; 1907 MILTER8 *milter = (MILTER8 *) m; 1908 int port; 1909 int skip_reply; 1910 const char *sm_name; 1911 char *ptr = 0; 1912 const char *resp; 1913 1914 /* 1915 * Need a global definition for "unknown" host name or address that is 1916 * shared by smtpd, cleanup and libmilter. 1917 */ 1918 #define XXX_UNKNOWN "unknown" 1919 #define STR_EQ(x,y) (strcmp((x), (y)) == 0) 1920 #define STR_NE(x,y) (strcmp((x), (y)) != 0) 1921 1922 /* 1923 * Report the event. 1924 */ 1925 switch (milter->state) { 1926 case MILTER8_STAT_ERROR: 1927 if (msg_verbose) 1928 msg_info("%s: skip milter %s", myname, milter->m.name); 1929 return (milter->def_reply); 1930 case MILTER8_STAT_READY: 1931 if (msg_verbose) 1932 msg_info("%s: milter %s: connect %s/%s", 1933 myname, milter->m.name, client_name, client_addr); 1934 if (client_port == 0) { 1935 port = 0; 1936 } else if (!alldig(client_port) || (port = atoi(client_port)) < 0 1937 || port > 65535) { 1938 msg_warn("milter %s: bad client port number %s", 1939 milter->m.name, client_port); 1940 port = 0; 1941 } 1942 milter->state = MILTER8_STAT_ENVELOPE; 1943 skip_reply = ((milter->ev_mask & SMFIP_NR_CONN) != 0); 1944 /* Transform unknown hostname from Postfix to Sendmail form. */ 1945 sm_name = (STR_NE(client_name, XXX_UNKNOWN) ? client_name : 1946 STR_EQ(client_addr, XXX_UNKNOWN) ? client_name : 1947 (ptr = concatenate("[", client_addr, "]", (char *) 0))); 1948 switch (addr_family) { 1949 case AF_INET: 1950 resp = milter8_event(milter, SMFIC_CONNECT, SMFIP_NOCONNECT, 1951 skip_reply, macros, 1952 MILTER8_DATA_STRING, sm_name, 1953 MILTER8_DATA_OCTET, SMFIA_INET, 1954 MILTER8_DATA_NSHORT, htons(port), 1955 MILTER8_DATA_STRING, client_addr, 1956 MILTER8_DATA_END); 1957 break; 1958 #ifdef HAS_IPV6 1959 case AF_INET6: 1960 resp = milter8_event(milter, SMFIC_CONNECT, SMFIP_NOCONNECT, 1961 skip_reply, macros, 1962 MILTER8_DATA_STRING, sm_name, 1963 MILTER8_DATA_OCTET, SMFIA_INET6, 1964 MILTER8_DATA_NSHORT, htons(port), 1965 MILTER8_DATA_STRING, client_addr, 1966 MILTER8_DATA_END); 1967 break; 1968 #endif 1969 case AF_UNIX: 1970 resp = milter8_event(milter, SMFIC_CONNECT, SMFIP_NOCONNECT, 1971 skip_reply, macros, 1972 MILTER8_DATA_STRING, sm_name, 1973 MILTER8_DATA_OCTET, SMFIA_UNIX, 1974 MILTER8_DATA_NSHORT, htons(0), 1975 MILTER8_DATA_STRING, client_addr, 1976 MILTER8_DATA_END); 1977 break; 1978 default: 1979 resp = milter8_event(milter, SMFIC_CONNECT, SMFIP_NOCONNECT, 1980 skip_reply, macros, 1981 MILTER8_DATA_STRING, sm_name, 1982 MILTER8_DATA_OCTET, SMFIA_UNKNOWN, 1983 MILTER8_DATA_END); 1984 break; 1985 } 1986 if (ptr != 0) 1987 myfree(ptr); 1988 return (resp); 1989 default: 1990 msg_panic("%s: milter %s: bad state %d", 1991 myname, milter->m.name, milter->state); 1992 } 1993 } 1994 1995 /* milter8_helo_event - report HELO/EHLO command to Sendmail 8 milter */ 1996 1997 static const char *milter8_helo_event(MILTER *m, const char *helo_name, 1998 int unused_esmtp, 1999 ARGV *macros) 2000 { 2001 const char *myname = "milter8_helo_event"; 2002 MILTER8 *milter = (MILTER8 *) m; 2003 int skip_reply; 2004 2005 /* 2006 * Report the event. 2007 */ 2008 switch (milter->state) { 2009 case MILTER8_STAT_ERROR: 2010 case MILTER8_STAT_ACCEPT_CON: 2011 case MILTER8_STAT_REJECT_CON: 2012 if (msg_verbose) 2013 msg_info("%s: skip milter %s", myname, milter->m.name); 2014 return (milter->def_reply); 2015 case MILTER8_STAT_ENVELOPE: 2016 case MILTER8_STAT_ACCEPT_MSG: 2017 /* With HELO after MAIL, smtpd(8) calls milter8_abort() next. */ 2018 if (msg_verbose) 2019 msg_info("%s: milter %s: helo %s", 2020 myname, milter->m.name, helo_name); 2021 skip_reply = ((milter->ev_mask & SMFIP_NR_HELO) != 0); 2022 return (milter8_event(milter, SMFIC_HELO, SMFIP_NOHELO, 2023 skip_reply, macros, 2024 MILTER8_DATA_STRING, helo_name, 2025 MILTER8_DATA_END)); 2026 default: 2027 msg_panic("%s: milter %s: bad state %d", 2028 myname, milter->m.name, milter->state); 2029 } 2030 } 2031 2032 /* milter8_mail_event - report MAIL command to Sendmail 8 milter */ 2033 2034 static const char *milter8_mail_event(MILTER *m, const char **argv, 2035 ARGV *macros) 2036 { 2037 const char *myname = "milter8_mail_event"; 2038 MILTER8 *milter = (MILTER8 *) m; 2039 const char **cpp; 2040 int skip_reply; 2041 2042 /* 2043 * Report the event. 2044 */ 2045 switch (milter->state) { 2046 case MILTER8_STAT_ERROR: 2047 case MILTER8_STAT_ACCEPT_CON: 2048 case MILTER8_STAT_REJECT_CON: 2049 if (msg_verbose) 2050 msg_info("%s: skip milter %s", myname, milter->m.name); 2051 return (milter->def_reply); 2052 case MILTER8_STAT_ENVELOPE: 2053 if (msg_verbose) { 2054 VSTRING *buf = vstring_alloc(100); 2055 2056 for (cpp = argv; *cpp; cpp++) 2057 vstring_sprintf_append(buf, " %s", *cpp); 2058 msg_info("%s: milter %s: mail%s", 2059 myname, milter->m.name, STR(buf)); 2060 vstring_free(buf); 2061 } 2062 skip_reply = ((milter->ev_mask & SMFIP_NR_MAIL) != 0); 2063 return (milter8_event(milter, SMFIC_MAIL, SMFIP_NOMAIL, 2064 skip_reply, macros, 2065 MILTER8_DATA_ARGV, argv, 2066 MILTER8_DATA_END)); 2067 default: 2068 msg_panic("%s: milter %s: bad state %d", 2069 myname, milter->m.name, milter->state); 2070 } 2071 } 2072 2073 /* milter8_rcpt_event - report RCPT command to Sendmail 8 milter */ 2074 2075 static const char *milter8_rcpt_event(MILTER *m, const char **argv, 2076 ARGV *macros) 2077 { 2078 const char *myname = "milter8_rcpt_event"; 2079 MILTER8 *milter = (MILTER8 *) m; 2080 const char **cpp; 2081 int skip_reply; 2082 2083 /* 2084 * Report the event. 2085 */ 2086 switch (milter->state) { 2087 case MILTER8_STAT_ERROR: 2088 case MILTER8_STAT_ACCEPT_CON: 2089 case MILTER8_STAT_REJECT_CON: 2090 case MILTER8_STAT_ACCEPT_MSG: 2091 if (msg_verbose) 2092 msg_info("%s: skip milter %s", myname, milter->m.name); 2093 return (milter->def_reply); 2094 case MILTER8_STAT_ENVELOPE: 2095 if (msg_verbose) { 2096 VSTRING *buf = vstring_alloc(100); 2097 2098 for (cpp = argv; *cpp; cpp++) 2099 vstring_sprintf_append(buf, " %s", *cpp); 2100 msg_info("%s: milter %s: rcpt%s", 2101 myname, milter->m.name, STR(buf)); 2102 vstring_free(buf); 2103 } 2104 skip_reply = ((milter->ev_mask & SMFIP_NR_RCPT) != 0); 2105 return (milter8_event(milter, SMFIC_RCPT, SMFIP_NORCPT, 2106 skip_reply, macros, 2107 MILTER8_DATA_ARGV, argv, 2108 MILTER8_DATA_END)); 2109 default: 2110 msg_panic("%s: milter %s: bad state %d", 2111 myname, milter->m.name, milter->state); 2112 } 2113 } 2114 2115 /* milter8_data_event - report DATA command to Sendmail 8 milter */ 2116 2117 static const char *milter8_data_event(MILTER *m, ARGV *macros) 2118 { 2119 const char *myname = "milter8_data_event"; 2120 MILTER8 *milter = (MILTER8 *) m; 2121 int skip_reply; 2122 2123 /* 2124 * Report the event. 2125 */ 2126 switch (milter->state) { 2127 case MILTER8_STAT_ERROR: 2128 case MILTER8_STAT_ACCEPT_CON: 2129 case MILTER8_STAT_REJECT_CON: 2130 case MILTER8_STAT_ACCEPT_MSG: 2131 if (msg_verbose) 2132 msg_info("%s: skip milter %s", myname, milter->m.name); 2133 return (milter->def_reply); 2134 case MILTER8_STAT_ENVELOPE: 2135 if (msg_verbose) 2136 msg_info("%s: milter %s: data command", myname, milter->m.name); 2137 skip_reply = ((milter->ev_mask & SMFIP_NR_DATA) != 0); 2138 return (milter8_event(milter, SMFIC_DATA, SMFIP_NODATA, 2139 skip_reply, macros, 2140 MILTER8_DATA_END)); 2141 default: 2142 msg_panic("%s: milter %s: bad state %d", 2143 myname, milter->m.name, milter->state); 2144 } 2145 } 2146 2147 /* milter8_unknown_event - report unknown SMTP command to Sendmail 8 milter */ 2148 2149 static const char *milter8_unknown_event(MILTER *m, const char *command, 2150 ARGV *macros) 2151 { 2152 const char *myname = "milter8_unknown_event"; 2153 MILTER8 *milter = (MILTER8 *) m; 2154 int skip_reply; 2155 2156 /* 2157 * Report the event. 2158 */ 2159 switch (milter->state) { 2160 case MILTER8_STAT_ERROR: 2161 case MILTER8_STAT_ACCEPT_CON: 2162 case MILTER8_STAT_REJECT_CON: 2163 case MILTER8_STAT_ACCEPT_MSG: 2164 if (msg_verbose) 2165 msg_info("%s: skip milter %s", myname, milter->m.name); 2166 return (milter->def_reply); 2167 case MILTER8_STAT_ENVELOPE: 2168 if (msg_verbose) 2169 msg_info("%s: milter %s: unknown command: %s", 2170 myname, milter->m.name, command); 2171 /* XXX Sendmail doesn't send macros (checked with 8.6.13). */ 2172 skip_reply = ((milter->ev_mask & SMFIP_NR_UNKN) != 0); 2173 return (milter8_event(milter, SMFIC_UNKNOWN, SMFIP_NOUNKNOWN, 2174 skip_reply, macros, 2175 MILTER8_DATA_STRING, command, 2176 MILTER8_DATA_END)); 2177 default: 2178 msg_panic("%s: milter %s: bad state %d", 2179 myname, milter->m.name, milter->state); 2180 } 2181 } 2182 2183 /* milter8_other_event - reply for other event */ 2184 2185 static const char *milter8_other_event(MILTER *m) 2186 { 2187 const char *myname = "milter8_other_event"; 2188 MILTER8 *milter = (MILTER8 *) m; 2189 2190 /* 2191 * Return the default reply. 2192 */ 2193 if (msg_verbose) 2194 msg_info("%s: milter %s", myname, milter->m.name); 2195 return (milter->def_reply); 2196 } 2197 2198 /* milter8_abort - cancel one milter's message receiving state */ 2199 2200 static void milter8_abort(MILTER *m) 2201 { 2202 const char *myname = "milter8_abort"; 2203 MILTER8 *milter = (MILTER8 *) m; 2204 2205 /* 2206 * XXX Sendmail 8 libmilter closes the MTA-to-filter socket when it finds 2207 * out that the SMTP client has disconnected. Because of this, Postfix 2208 * has to open a new MTA-to-filter socket for each SMTP client. 2209 */ 2210 switch (milter->state) { 2211 case MILTER8_STAT_CLOSED: 2212 case MILTER8_STAT_READY: 2213 return; 2214 case MILTER8_STAT_ERROR: 2215 case MILTER8_STAT_ACCEPT_CON: 2216 case MILTER8_STAT_REJECT_CON: 2217 if (msg_verbose) 2218 msg_info("%s: skip milter %s", myname, milter->m.name); 2219 break; 2220 case MILTER8_STAT_ENVELOPE: 2221 case MILTER8_STAT_MESSAGE: 2222 case MILTER8_STAT_ACCEPT_MSG: 2223 if (msg_verbose) 2224 msg_info("%s: abort milter %s", myname, milter->m.name); 2225 (void) milter8_write_cmd(milter, SMFIC_ABORT, MILTER8_DATA_END); 2226 if (milter->state != MILTER8_STAT_ERROR) 2227 milter->state = MILTER8_STAT_ENVELOPE; 2228 break; 2229 default: 2230 msg_panic("%s: milter %s: bad state %d", 2231 myname, milter->m.name, milter->state); 2232 } 2233 } 2234 2235 /* milter8_disc_event - report client disconnect event */ 2236 2237 static void milter8_disc_event(MILTER *m) 2238 { 2239 const char *myname = "milter8_disc_event"; 2240 MILTER8 *milter = (MILTER8 *) m; 2241 2242 /* 2243 * XXX Sendmail 8 libmilter closes the MTA-to-filter socket when it finds 2244 * out that the SMTP client has disconnected. Because of this, Postfix 2245 * has to open a new MTA-to-filter socket for each SMTP client. 2246 */ 2247 switch (milter->state) { 2248 case MILTER8_STAT_CLOSED: 2249 case MILTER8_STAT_READY: 2250 return; 2251 case MILTER8_STAT_ERROR: 2252 #ifdef LIBMILTER_AUTO_DISCONNECT 2253 case MILTER8_STAT_ACCEPT_CON: 2254 case MILTER8_STAT_REJECT_CON: 2255 #endif 2256 if (msg_verbose) 2257 msg_info("%s: skip quit milter %s", myname, milter->m.name); 2258 break; 2259 case MILTER8_STAT_ENVELOPE: 2260 case MILTER8_STAT_MESSAGE: 2261 #ifndef LIBMILTER_AUTO_DISCONNECT 2262 case MILTER8_STAT_ACCEPT_CON: 2263 case MILTER8_STAT_REJECT_CON: 2264 #endif 2265 case MILTER8_STAT_ACCEPT_MSG: 2266 if (msg_verbose) 2267 msg_info("%s: quit milter %s", myname, milter->m.name); 2268 (void) milter8_write_cmd(milter, SMFIC_QUIT, MILTER8_DATA_END); 2269 break; 2270 } 2271 #ifdef LIBMILTER_AUTO_DISCONNECT 2272 milter8_close_stream(milter); 2273 #else 2274 if (milter->state != MILTER8_STAT_ERROR) 2275 milter->state = MILTER8_STAT_READY; 2276 #endif 2277 milter8_def_reply(milter, 0); 2278 } 2279 2280 /* 2281 * Structure to ship context across the MIME_STATE engine. 2282 */ 2283 typedef struct { 2284 MILTER8 *milter; /* milter client */ 2285 ARGV *eoh_macros; /* end-of-header macros */ 2286 ARGV *eod_macros; /* end-of-body macros */ 2287 ARGV *auto_hdrs; /* auto-generated headers */ 2288 int auto_done; /* good enough for now */ 2289 int first_header; /* first header */ 2290 int first_body; /* first body line */ 2291 const char *resp; /* milter application response */ 2292 } MILTER_MSG_CONTEXT; 2293 2294 /* milter8_header - milter8_message call-back for message header */ 2295 2296 static void milter8_header(void *ptr, int unused_header_class, 2297 const HEADER_OPTS *header_info, 2298 VSTRING *buf, off_t unused_offset) 2299 { 2300 const char *myname = "milter8_header"; 2301 MILTER_MSG_CONTEXT *msg_ctx = (MILTER_MSG_CONTEXT *) ptr; 2302 MILTER8 *milter = msg_ctx->milter; 2303 char *cp; 2304 int skip_reply; 2305 char **cpp; 2306 unsigned done; 2307 2308 /* 2309 * XXX Workaround: mime_state_update() may invoke multiple call-backs 2310 * before returning to the caller. 2311 */ 2312 #define MILTER8_MESSAGE_DONE(milter, msg_ctx) \ 2313 ((milter)->state != MILTER8_STAT_MESSAGE || (msg_ctx)->resp != 0) 2314 2315 if (MILTER8_MESSAGE_DONE(milter, msg_ctx)) 2316 return; 2317 2318 /* 2319 * XXX Sendmail compatibility. Don't expose our first (received) header 2320 * to mail filter applications. See also cleanup_milter.c for code to 2321 * ensure that header replace requests are relative to the message 2322 * content as received, that is, without our own first (received) header, 2323 * while header insert requests are relative to the message as delivered, 2324 * that is, including our own first (received) header. 2325 * 2326 * XXX But this breaks when they delete our own Received: header with 2327 * header_checks before it reaches the queue file. Even then we must not 2328 * expose the first header to mail filter applications, otherwise the 2329 * dk-filter signature will be inserted at the wrong position. It should 2330 * precede the headers that it signs. 2331 * 2332 * XXX Sendmail compatibility. It eats the first space (not tab) after the 2333 * header label and ":". 2334 */ 2335 for (cpp = msg_ctx->auto_hdrs->argv, done = 1; *cpp; cpp++, done <<= 1) 2336 if ((msg_ctx->auto_done & done) == 0 && strcmp(*cpp, STR(buf)) == 0) { 2337 msg_ctx->auto_done |= done; 2338 return; 2339 } 2340 2341 /* 2342 * Sendmail 8 sends multi-line headers as text separated by newline. 2343 * 2344 * We destroy the header buffer to split it into label and value. Changing 2345 * the buffer is explicitly allowed by the mime_state(3) interface. 2346 */ 2347 if (msg_verbose > 1) 2348 msg_info("%s: header milter %s: %.100s", 2349 myname, milter->m.name, STR(buf)); 2350 cp = STR(buf) + (header_info ? strlen(header_info->name) : 2351 is_header(STR(buf))); 2352 /* XXX Following matches is_header.c */ 2353 while (*cp == ' ' || *cp == '\t') 2354 *cp++ = 0; 2355 if (*cp != ':') 2356 msg_panic("%s: header label not followed by ':'", myname); 2357 *cp++ = 0; 2358 /* XXX Sendmail by default eats one space (not tab) after the colon. */ 2359 if ((milter->ev_mask & SMFIP_HDR_LEADSPC) == 0 && *cp == ' ') 2360 cp++; 2361 skip_reply = ((milter->ev_mask & SMFIP_NOHREPL) != 0); 2362 msg_ctx->resp = 2363 milter8_event(milter, SMFIC_HEADER, SMFIP_NOHDRS, 2364 skip_reply, msg_ctx->eoh_macros, 2365 MILTER8_DATA_STRING, STR(buf), 2366 MILTER8_DATA_STRING, cp, 2367 MILTER8_DATA_END); 2368 } 2369 2370 /* milter8_eoh - milter8_message call-back for end-of-header */ 2371 2372 static void milter8_eoh(void *ptr) 2373 { 2374 const char *myname = "milter8_eoh"; 2375 MILTER_MSG_CONTEXT *msg_ctx = (MILTER_MSG_CONTEXT *) ptr; 2376 MILTER8 *milter = msg_ctx->milter; 2377 int skip_reply; 2378 2379 if (MILTER8_MESSAGE_DONE(milter, msg_ctx)) 2380 return; 2381 if (msg_verbose) 2382 msg_info("%s: eoh milter %s", myname, milter->m.name); 2383 skip_reply = ((milter->ev_mask & SMFIP_NR_EOH) != 0); 2384 msg_ctx->resp = 2385 milter8_event(milter, SMFIC_EOH, SMFIP_NOEOH, 2386 skip_reply, msg_ctx->eoh_macros, 2387 MILTER8_DATA_END); 2388 } 2389 2390 /* milter8_body - milter8_message call-back for body content */ 2391 2392 static void milter8_body(void *ptr, int rec_type, 2393 const char *buf, ssize_t len, 2394 off_t offset) 2395 { 2396 const char *myname = "milter8_body"; 2397 MILTER_MSG_CONTEXT *msg_ctx = (MILTER_MSG_CONTEXT *) ptr; 2398 MILTER8 *milter = msg_ctx->milter; 2399 ssize_t todo = len; 2400 const char *bp = buf; 2401 ssize_t space; 2402 ssize_t count; 2403 int skip_reply; 2404 2405 if (MILTER8_MESSAGE_DONE(milter, msg_ctx)) 2406 return; 2407 2408 /* 2409 * XXX Sendmail compatibility: don't expose our first body line. 2410 */ 2411 if (msg_ctx->first_body) { 2412 msg_ctx->first_body = 0; 2413 return; 2414 } 2415 2416 /* 2417 * XXX I thought I was going to delegate all the on-the-wire formatting 2418 * to a common lower layer, but unfortunately it's not practical. If we 2419 * were to do MILTER_CHUNK_SIZE buffering in a common lower layer, then 2420 * we would have to pass along call-backs and state, so that the 2421 * call-back can invoke milter8_event() with the right arguments when the 2422 * MILTER_CHUNK_SIZE buffer reaches capacity. That's just too ugly. 2423 * 2424 * To recover the cost of making an extra copy of body content from Milter 2425 * buffer to VSTREAM buffer, we could make vstream_fwrite() a little 2426 * smarter so that it does large transfers directly from the user buffer 2427 * instead of copying the data one block at a time into a VSTREAM buffer. 2428 */ 2429 if (msg_verbose > 1) 2430 msg_info("%s: body milter %s: %.100s", myname, milter->m.name, buf); 2431 skip_reply = ((milter->ev_mask & SMFIP_NR_BODY) != 0); 2432 /* To append \r\n, simply redirect input to another buffer. */ 2433 if (rec_type == REC_TYPE_NORM && todo == 0) { 2434 bp = "\r\n"; 2435 todo = 2; 2436 rec_type = REC_TYPE_EOF; 2437 } 2438 while (todo > 0) { 2439 /* Append one REC_TYPE_NORM or REC_TYPE_CONT to body chunk buffer. */ 2440 space = MILTER_CHUNK_SIZE - LEN(milter->body); 2441 if (space <= 0) 2442 msg_panic("%s: bad buffer size: %ld", 2443 myname, (long) LEN(milter->body)); 2444 count = (todo > space ? space : todo); 2445 vstring_memcat(milter->body, bp, count); 2446 bp += count; 2447 todo -= count; 2448 /* Flush body chunk buffer when full. See also milter8_eob(). */ 2449 if (LEN(milter->body) == MILTER_CHUNK_SIZE) { 2450 msg_ctx->resp = 2451 milter8_event(milter, SMFIC_BODY, SMFIP_NOBODY, 2452 skip_reply, msg_ctx->eod_macros, 2453 MILTER8_DATA_BUFFER, milter->body, 2454 MILTER8_DATA_END); 2455 if (MILTER8_MESSAGE_DONE(milter, msg_ctx)) 2456 break; 2457 VSTRING_RESET(milter->body); 2458 } 2459 /* To append \r\n, simply redirect input to another buffer. */ 2460 if (rec_type == REC_TYPE_NORM && todo == 0) { 2461 bp = "\r\n"; 2462 todo = 2; 2463 rec_type = REC_TYPE_EOF; 2464 } 2465 } 2466 } 2467 2468 /* milter8_eob - milter8_message call-back for end-of-body */ 2469 2470 static void milter8_eob(void *ptr) 2471 { 2472 const char *myname = "milter8_eob"; 2473 MILTER_MSG_CONTEXT *msg_ctx = (MILTER_MSG_CONTEXT *) ptr; 2474 MILTER8 *milter = msg_ctx->milter; 2475 int skip_reply; 2476 2477 if (MILTER8_MESSAGE_DONE(milter, msg_ctx)) 2478 return; 2479 if (msg_verbose) 2480 msg_info("%s: eob milter %s", myname, milter->m.name); 2481 2482 /* 2483 * Flush partial body chunk buffer. See also milter8_body(). 2484 * 2485 * XXX Sendmail 8 libmilter accepts SMFIC_EOB+data, and delivers it to the 2486 * application as two events: SMFIC_BODY+data followed by SMFIC_EOB. This 2487 * breaks with the PMilter 0.95 protocol re-implementation, which 2488 * delivers the SMFIC_EOB event and ignores the data. To avoid such 2489 * compatibility problems we separate the events in the client. With 2490 * this, we also prepare for a future where different event types can 2491 * have different macro lists. 2492 */ 2493 if (LEN(milter->body) > 0) { 2494 skip_reply = ((milter->ev_mask & SMFIP_NR_BODY) != 0); 2495 msg_ctx->resp = 2496 milter8_event(milter, SMFIC_BODY, SMFIP_NOBODY, 2497 skip_reply, msg_ctx->eod_macros, 2498 MILTER8_DATA_BUFFER, milter->body, 2499 MILTER8_DATA_END); 2500 if (MILTER8_MESSAGE_DONE(milter, msg_ctx)) 2501 return; 2502 } 2503 msg_ctx->resp = 2504 milter8_event(msg_ctx->milter, SMFIC_BODYEOB, 0, 2505 DONT_SKIP_REPLY, msg_ctx->eod_macros, 2506 MILTER8_DATA_END); 2507 } 2508 2509 /* milter8_message - send message content and receive reply */ 2510 2511 static const char *milter8_message(MILTER *m, VSTREAM *qfile, 2512 off_t data_offset, 2513 ARGV *eoh_macros, 2514 ARGV *eod_macros, 2515 ARGV *auto_hdrs) 2516 { 2517 const char *myname = "milter8_message"; 2518 MILTER8 *milter = (MILTER8 *) m; 2519 MIME_STATE *mime_state; 2520 int rec_type; 2521 const MIME_STATE_DETAIL *detail; 2522 int mime_errs = 0; 2523 MILTER_MSG_CONTEXT msg_ctx; 2524 VSTRING *buf; 2525 int saved_errno; 2526 2527 switch (milter->state) { 2528 case MILTER8_STAT_ERROR: 2529 case MILTER8_STAT_ACCEPT_CON: 2530 case MILTER8_STAT_REJECT_CON: 2531 case MILTER8_STAT_ACCEPT_MSG: 2532 if (msg_verbose) 2533 msg_info("%s: skip message to milter %s", myname, milter->m.name); 2534 return (milter->def_reply); 2535 case MILTER8_STAT_ENVELOPE: 2536 if (msg_verbose) 2537 msg_info("%s: message to milter %s", myname, milter->m.name); 2538 if (vstream_fseek(qfile, data_offset, SEEK_SET) < 0) { 2539 saved_errno = errno; 2540 msg_warn("%s: vstream_fseek %s: %m", myname, VSTREAM_PATH(qfile)); 2541 /* XXX This should be available from cleanup_strerror.c. */ 2542 return (saved_errno == EFBIG ? 2543 "552 5.3.4 Message file too big" : 2544 "451 4.3.0 Queue file write error"); 2545 } 2546 msg_ctx.milter = milter; 2547 msg_ctx.eoh_macros = eoh_macros; 2548 msg_ctx.eod_macros = eod_macros; 2549 msg_ctx.auto_hdrs = auto_hdrs; 2550 msg_ctx.auto_done = 0; 2551 msg_ctx.first_header = 1; 2552 msg_ctx.first_body = 1; 2553 msg_ctx.resp = 0; 2554 mime_state = 2555 mime_state_alloc(MIME_OPT_DISABLE_MIME, 2556 (milter->ev_mask & SMFIP_NOHDRS) ? 2557 (MIME_STATE_HEAD_OUT) 0 : milter8_header, 2558 (milter->ev_mask & SMFIP_NOEOH) ? 2559 (MIME_STATE_ANY_END) 0 : milter8_eoh, 2560 (milter->ev_mask & SMFIP_NOBODY) ? 2561 (MIME_STATE_BODY_OUT) 0 : milter8_body, 2562 milter8_eob, 2563 (MIME_STATE_ERR_PRINT) 0, 2564 (void *) &msg_ctx); 2565 buf = vstring_alloc(100); 2566 milter->state = MILTER8_STAT_MESSAGE; 2567 VSTRING_RESET(milter->body); 2568 vstream_control(milter->fp, 2569 CA_VSTREAM_CTL_DOUBLE, 2570 CA_VSTREAM_CTL_TIMEOUT(milter->msg_timeout), 2571 CA_VSTREAM_CTL_END); 2572 2573 /* 2574 * XXX When the message (not MIME body part) does not end in CRLF 2575 * (i.e. the last record was REC_TYPE_CONT), do we send a CRLF 2576 * terminator before triggering the end-of-body condition? 2577 */ 2578 for (;;) { 2579 if ((rec_type = rec_get(qfile, buf, 0)) < 0) { 2580 msg_warn("%s: error reading %s: %m", 2581 myname, VSTREAM_PATH(qfile)); 2582 msg_ctx.resp = "450 4.3.0 Queue file write error"; 2583 break; 2584 } 2585 /* Invoke the appropriate call-back routine. */ 2586 mime_errs = mime_state_update(mime_state, rec_type, 2587 STR(buf), LEN(buf)); 2588 if (mime_errs) { 2589 detail = mime_state_detail(mime_errs); 2590 msg_warn("%s: MIME problem %s in %s", 2591 myname, detail->text, VSTREAM_PATH(qfile)); 2592 msg_ctx.resp = "450 4.3.0 Queue file write error"; 2593 break; 2594 } 2595 if (MILTER8_MESSAGE_DONE(milter, &msg_ctx)) 2596 break; 2597 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 2598 break; 2599 } 2600 mime_state_free(mime_state); 2601 vstring_free(buf); 2602 if (milter->fp) 2603 vstream_control(milter->fp, 2604 CA_VSTREAM_CTL_DOUBLE, 2605 CA_VSTREAM_CTL_TIMEOUT(milter->cmd_timeout), 2606 CA_VSTREAM_CTL_END); 2607 if (milter->state == MILTER8_STAT_MESSAGE 2608 || milter->state == MILTER8_STAT_ACCEPT_MSG) 2609 milter->state = MILTER8_STAT_ENVELOPE; 2610 return (msg_ctx.resp); 2611 default: 2612 msg_panic("%s: milter %s: bad state %d", 2613 myname, milter->m.name, milter->state); 2614 } 2615 } 2616 2617 /* 2618 * Preliminary protocol to send/receive milter instances. This needs to be 2619 * extended with type information once we support multiple milter protocols. 2620 */ 2621 #define MAIL_ATTR_MILT_NAME "milter_name" 2622 #define MAIL_ATTR_MILT_VERS "milter_version" 2623 #define MAIL_ATTR_MILT_ACTS "milter_actions" 2624 #define MAIL_ATTR_MILT_EVTS "milter_events" 2625 #define MAIL_ATTR_MILT_NPTS "milter_non_events" 2626 #define MAIL_ATTR_MILT_STAT "milter_state" 2627 #define MAIL_ATTR_MILT_CONN "milter_conn_timeout" 2628 #define MAIL_ATTR_MILT_CMD "milter_cmd_timeout" 2629 #define MAIL_ATTR_MILT_MSG "milter_msg_timeout" 2630 #define MAIL_ATTR_MILT_ACT "milter_action" 2631 #define MAIL_ATTR_MILT_MAC "milter_macro_list" 2632 2633 /* milter8_active - report if this milter still wants events */ 2634 2635 static int milter8_active(MILTER *m) 2636 { 2637 MILTER8 *milter = (MILTER8 *) m; 2638 2639 return (milter->fp != 0 2640 && (milter->state == MILTER8_STAT_ENVELOPE 2641 || milter->state == MILTER8_STAT_READY)); 2642 } 2643 2644 /* milter8_send - send milter instance */ 2645 2646 static int milter8_send(MILTER *m, VSTREAM *stream) 2647 { 2648 const char *myname = "milter8_send"; 2649 MILTER8 *milter = (MILTER8 *) m; 2650 2651 if (msg_verbose) 2652 msg_info("%s: milter %s", myname, milter->m.name); 2653 2654 /* 2655 * The next read on this Milter socket happens in a different process. It 2656 * will not automatically flush the output buffer in this process. 2657 */ 2658 if (milter->fp) 2659 vstream_fflush(milter->fp); 2660 2661 if (attr_print(stream, ATTR_FLAG_MORE, 2662 SEND_ATTR_STR(MAIL_ATTR_MILT_NAME, milter->m.name), 2663 SEND_ATTR_INT(MAIL_ATTR_MILT_VERS, milter->version), 2664 SEND_ATTR_INT(MAIL_ATTR_MILT_ACTS, milter->rq_mask), 2665 SEND_ATTR_INT(MAIL_ATTR_MILT_EVTS, milter->ev_mask), 2666 SEND_ATTR_INT(MAIL_ATTR_MILT_NPTS, milter->np_mask), 2667 SEND_ATTR_INT(MAIL_ATTR_MILT_STAT, milter->state), 2668 SEND_ATTR_INT(MAIL_ATTR_MILT_CONN, milter->conn_timeout), 2669 SEND_ATTR_INT(MAIL_ATTR_MILT_CMD, milter->cmd_timeout), 2670 SEND_ATTR_INT(MAIL_ATTR_MILT_MSG, milter->msg_timeout), 2671 SEND_ATTR_STR(MAIL_ATTR_MILT_ACT, milter->def_action), 2672 SEND_ATTR_INT(MAIL_ATTR_MILT_MAC, milter->m.macros != 0), 2673 ATTR_TYPE_END) != 0 2674 || (milter->m.macros != 0 2675 && attr_print(stream, ATTR_FLAG_NONE, 2676 SEND_ATTR_FUNC(milter_macros_print, 2677 (void *) milter->m.macros), 2678 ATTR_TYPE_END) != 0) 2679 || (milter->m.macros == 0 2680 && attr_print(stream, ATTR_FLAG_NONE, 2681 ATTR_TYPE_END) != 0) 2682 || vstream_fflush(stream) != 0) { 2683 return (-1); 2684 #ifdef CANT_WRITE_BEFORE_SENDING_FD 2685 } else if (attr_scan(stream, ATTR_FLAG_STRICT, 2686 RECV_ATTR_STR(MAIL_ATTR_DUMMY, milter->buf), 2687 ATTR_TYPE_END) != 1) { 2688 return (-1); 2689 #endif 2690 } else if (LOCAL_SEND_FD(vstream_fileno(stream), 2691 vstream_fileno(milter->fp)) < 0) { 2692 return (-1); 2693 #ifdef MUST_READ_AFTER_SENDING_FD 2694 } else if (attr_scan(stream, ATTR_FLAG_STRICT, 2695 RECV_ATTR_STR(MAIL_ATTR_DUMMY, milter->buf), 2696 ATTR_TYPE_END) != 1) { 2697 return (-1); 2698 #endif 2699 } else { 2700 return (0); 2701 } 2702 } 2703 2704 static MILTER8 *milter8_alloc(const char *, int, int, int, const char *, 2705 const char *, MILTERS *); 2706 2707 /* milter8_receive - receive milter instance */ 2708 2709 MILTER *milter8_receive(VSTREAM *stream, MILTERS *parent) 2710 { 2711 const char *myname = "milter8_receive"; 2712 static VSTRING *name_buf; 2713 static VSTRING *act_buf; 2714 MILTER8 *milter; 2715 int version; 2716 int rq_mask; 2717 int ev_mask; 2718 int np_mask; 2719 int state; 2720 int conn_timeout; 2721 int cmd_timeout; 2722 int msg_timeout; 2723 int fd; 2724 int has_macros; 2725 MILTER_MACROS *macros = 0; 2726 2727 #define FREE_MACROS_AND_RETURN(x) do { \ 2728 if (macros) \ 2729 milter_macros_free(macros); \ 2730 return (x); \ 2731 } while (0) 2732 2733 if (name_buf == 0) { 2734 name_buf = vstring_alloc(10); 2735 act_buf = vstring_alloc(10); 2736 } 2737 if (attr_scan(stream, ATTR_FLAG_STRICT | ATTR_FLAG_MORE, 2738 RECV_ATTR_STR(MAIL_ATTR_MILT_NAME, name_buf), 2739 RECV_ATTR_INT(MAIL_ATTR_MILT_VERS, &version), 2740 RECV_ATTR_INT(MAIL_ATTR_MILT_ACTS, &rq_mask), 2741 RECV_ATTR_INT(MAIL_ATTR_MILT_EVTS, &ev_mask), 2742 RECV_ATTR_INT(MAIL_ATTR_MILT_NPTS, &np_mask), 2743 RECV_ATTR_INT(MAIL_ATTR_MILT_STAT, &state), 2744 RECV_ATTR_INT(MAIL_ATTR_MILT_CONN, &conn_timeout), 2745 RECV_ATTR_INT(MAIL_ATTR_MILT_CMD, &cmd_timeout), 2746 RECV_ATTR_INT(MAIL_ATTR_MILT_MSG, &msg_timeout), 2747 RECV_ATTR_STR(MAIL_ATTR_MILT_ACT, act_buf), 2748 RECV_ATTR_INT(MAIL_ATTR_MILT_MAC, &has_macros), 2749 ATTR_TYPE_END) < 10 2750 || (has_macros != 0 2751 && attr_scan(stream, ATTR_FLAG_STRICT, 2752 RECV_ATTR_FUNC(milter_macros_scan, 2753 (void *) (macros = 2754 milter_macros_alloc(MILTER_MACROS_ALLOC_ZERO))), 2755 ATTR_TYPE_END) < 1) 2756 || (has_macros == 0 2757 && attr_scan(stream, ATTR_FLAG_STRICT, 2758 ATTR_TYPE_END) < 0)) { 2759 FREE_MACROS_AND_RETURN(0); 2760 #ifdef CANT_WRITE_BEFORE_SENDING_FD 2761 } else if (attr_print(stream, ATTR_FLAG_NONE, 2762 SEND_ATTR_STR(MAIL_ATTR_DUMMY, ""), 2763 ATTR_TYPE_END) != 0 2764 || vstream_fflush(stream) != 0) { 2765 FREE_MACROS_AND_RETURN(0); 2766 #endif 2767 } else if ((fd = LOCAL_RECV_FD(vstream_fileno(stream))) < 0) { 2768 FREE_MACROS_AND_RETURN(0); 2769 } else { 2770 #ifdef MUST_READ_AFTER_SENDING_FD 2771 (void) attr_print(stream, ATTR_FLAG_NONE, 2772 SEND_ATTR_STR(MAIL_ATTR_DUMMY, ""), 2773 ATTR_TYPE_END); 2774 #endif 2775 #define NO_PROTOCOL ((char *) 0) 2776 2777 if (msg_verbose) 2778 msg_info("%s: milter %s", myname, STR(name_buf)); 2779 2780 milter = milter8_alloc(STR(name_buf), conn_timeout, cmd_timeout, 2781 msg_timeout, NO_PROTOCOL, STR(act_buf), parent); 2782 milter->fp = vstream_fdopen(fd, O_RDWR); 2783 milter->m.macros = macros; 2784 vstream_control(milter->fp, CA_VSTREAM_CTL_DOUBLE, CA_VSTREAM_CTL_END); 2785 /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */ 2786 vstream_tweak_sock(milter->fp); 2787 milter->version = version; 2788 milter->rq_mask = rq_mask; 2789 milter->ev_mask = ev_mask; 2790 milter->np_mask = np_mask; 2791 milter->state = state; 2792 return (&milter->m); 2793 } 2794 } 2795 2796 /* milter8_free - destroy Milter instance */ 2797 2798 static void milter8_free(MILTER *m) 2799 { 2800 MILTER8 *milter = (MILTER8 *) m; 2801 2802 if (msg_verbose) 2803 msg_info("free milter %s", milter->m.name); 2804 if (milter->fp) 2805 (void) vstream_fclose(milter->fp); 2806 myfree(milter->m.name); 2807 vstring_free(milter->buf); 2808 vstring_free(milter->body); 2809 if (milter->protocol) 2810 myfree(milter->protocol); 2811 myfree(milter->def_action); 2812 if (milter->def_reply) 2813 myfree(milter->def_reply); 2814 if (milter->m.macros) 2815 milter_macros_free(milter->m.macros); 2816 myfree((void *) milter); 2817 } 2818 2819 /* milter8_alloc - create MTA-side Sendmail 8 Milter instance */ 2820 2821 static MILTER8 *milter8_alloc(const char *name, int conn_timeout, 2822 int cmd_timeout, int msg_timeout, 2823 const char *protocol, 2824 const char *def_action, 2825 MILTERS *parent) 2826 { 2827 MILTER8 *milter; 2828 2829 /* 2830 * Fill in the structure. Note: all strings must be copied. 2831 * 2832 * XXX Sendmail 8 libmilter closes the MTA-to-filter socket when it finds 2833 * out that the SMTP client has disconnected. Because of this, Postfix 2834 * has to open a new MTA-to-filter socket for each SMTP client. 2835 */ 2836 milter = (MILTER8 *) mymalloc(sizeof(*milter)); 2837 milter->m.name = mystrdup(name); 2838 milter->m.flags = 0; 2839 milter->m.next = 0; 2840 milter->m.parent = parent; 2841 milter->m.macros = 0; 2842 #ifdef LIBMILTER_AUTO_DISCONNECT 2843 milter->m.connect_on_demand = (void (*) (struct MILTER *)) milter8_connect; 2844 #else 2845 milter->m.connect_on_demand = 0; 2846 #endif 2847 milter->m.conn_event = milter8_conn_event; 2848 milter->m.helo_event = milter8_helo_event; 2849 milter->m.mail_event = milter8_mail_event; 2850 milter->m.rcpt_event = milter8_rcpt_event; 2851 milter->m.data_event = milter8_data_event; /* may be null */ 2852 milter->m.message = milter8_message; 2853 milter->m.unknown_event = milter8_unknown_event; /* may be null */ 2854 milter->m.other_event = milter8_other_event; 2855 milter->m.abort = milter8_abort; 2856 milter->m.disc_event = milter8_disc_event; 2857 milter->m.active = milter8_active; 2858 milter->m.send = milter8_send; 2859 milter->m.free = milter8_free; 2860 milter->fp = 0; 2861 milter->buf = vstring_alloc(100); 2862 milter->body = vstring_alloc(100); 2863 milter->version = 0; 2864 milter->rq_mask = 0; 2865 milter->ev_mask = 0; 2866 milter->state = MILTER8_STAT_CLOSED; 2867 milter->conn_timeout = conn_timeout; 2868 milter->cmd_timeout = cmd_timeout; 2869 milter->msg_timeout = msg_timeout; 2870 milter->protocol = (protocol ? mystrdup(protocol) : 0); 2871 milter->def_action = mystrdup(def_action); 2872 milter->def_reply = 0; 2873 milter->skip_event_type = 0; 2874 2875 return (milter); 2876 } 2877 2878 /* milter8_create - create MTA-side Sendmail 8 Milter instance */ 2879 2880 MILTER *milter8_create(const char *name, int conn_timeout, int cmd_timeout, 2881 int msg_timeout, const char *protocol, 2882 const char *def_action, MILTERS *parent) 2883 { 2884 MILTER8 *milter; 2885 2886 /* 2887 * Fill in the structure. 2888 */ 2889 milter = milter8_alloc(name, conn_timeout, cmd_timeout, msg_timeout, 2890 protocol, def_action, parent); 2891 2892 /* 2893 * XXX Sendmail 8 libmilter closes the MTA-to-filter socket when it finds 2894 * out that the SMTP client has disconnected. Because of this, Postfix 2895 * has to open a new MTA-to-filter socket for each SMTP client. 2896 */ 2897 #ifndef LIBMILTER_AUTO_DISCONNECT 2898 milter8_connect(milter); 2899 #endif 2900 return (&milter->m); 2901 } 2902