1 /* $NetBSD: smtp_connect.c,v 1.1.1.4 2013/08/21 20:09:56 tron Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_connect 3 6 /* SUMMARY 7 /* connect to SMTP/LMTP server and deliver 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* int smtp_connect(state) 12 /* SMTP_STATE *state; 13 /* DESCRIPTION 14 /* This module implements SMTP/LMTP connection management and controls 15 /* mail delivery. 16 /* 17 /* smtp_connect() attempts to establish an SMTP/LMTP session with a host 18 /* that represents the destination domain, or with an optional fallback 19 /* relay when {the destination cannot be found, or when all the 20 /* destination servers are unavailable}. It skips over IP addresses 21 /* that fail to complete the SMTP/LMTP handshake and tries to find 22 /* an alternate server when an SMTP/LMTP session fails to deliver. 23 /* 24 /* This layer also controls what connections are retrieved from 25 /* the connection cache, and what connections are saved to the cache. 26 /* 27 /* The destination is either a host (or domain) name or a numeric 28 /* address. Symbolic or numeric service port information may be 29 /* appended, separated by a colon (":"). In the case of LMTP, 30 /* destinations may be specified as "unix:pathname", "inet:host" 31 /* or "inet:host:port". 32 /* 33 /* With SMTP, the Internet domain name service is queried for mail 34 /* exchanger hosts. Quote the domain name with `[' and `]' to 35 /* suppress mail exchanger lookups. 36 /* 37 /* Numerical address information should always be quoted with `[]'. 38 /* DIAGNOSTICS 39 /* The delivery status is the result value. 40 /* SEE ALSO 41 /* smtp_proto(3) SMTP client protocol 42 /* LICENSE 43 /* .ad 44 /* .fi 45 /* The Secure Mailer license must be distributed with this software. 46 /* AUTHOR(S) 47 /* Wietse Venema 48 /* IBM T.J. Watson Research 49 /* P.O. Box 704 50 /* Yorktown Heights, NY 10598, USA 51 /* 52 /* Connection caching in cooperation with: 53 /* Victor Duchovni 54 /* Morgan Stanley 55 /*--*/ 56 57 /* System library. */ 58 59 #include <sys_defs.h> 60 #include <stdlib.h> 61 #include <sys/socket.h> 62 #include <sys/un.h> 63 #include <netinet/in.h> 64 #include <arpa/inet.h> 65 #include <errno.h> 66 #include <netdb.h> 67 #include <stdlib.h> 68 #include <string.h> 69 #include <unistd.h> 70 #include <fcntl.h> 71 #include <ctype.h> 72 73 #ifndef IPPORT_SMTP 74 #define IPPORT_SMTP 25 75 #endif 76 77 /* Utility library. */ 78 79 #include <msg.h> 80 #include <vstream.h> 81 #include <vstring.h> 82 #include <split_at.h> 83 #include <mymalloc.h> 84 #include <inet_addr_list.h> 85 #include <iostuff.h> 86 #include <timed_connect.h> 87 #include <stringops.h> 88 #include <host_port.h> 89 #include <sane_connect.h> 90 #include <myaddrinfo.h> 91 #include <sock_addr.h> 92 #include <inet_proto.h> 93 94 /* Global library. */ 95 96 #include <mail_params.h> 97 #include <own_inet_addr.h> 98 #include <deliver_pass.h> 99 #include <mail_error.h> 100 #include <dsn_buf.h> 101 #include <mail_addr.h> 102 103 /* DNS library. */ 104 105 #include <dns.h> 106 107 /* Application-specific. */ 108 109 #include <smtp.h> 110 #include <smtp_addr.h> 111 #include <smtp_reuse.h> 112 113 /* 114 * Forward declaration. 115 */ 116 static SMTP_SESSION *smtp_connect_sock(int, struct sockaddr *, int, 117 const char *, const char *, 118 unsigned, 119 const char *, DSN_BUF *, 120 int); 121 122 /* smtp_connect_unix - connect to UNIX-domain address */ 123 124 static SMTP_SESSION *smtp_connect_unix(const char *addr, 125 DSN_BUF *why, 126 int sess_flags) 127 { 128 const char *myname = "smtp_connect_unix"; 129 struct sockaddr_un sock_un; 130 int len = strlen(addr); 131 int sock; 132 133 dsb_reset(why); /* Paranoia */ 134 135 /* 136 * Sanity checks. 137 */ 138 if (len >= (int) sizeof(sock_un.sun_path)) { 139 msg_warn("unix-domain name too long: %s", addr); 140 dsb_simple(why, "4.3.5", "Server configuration error"); 141 return (0); 142 } 143 144 /* 145 * Initialize. 146 */ 147 memset((char *) &sock_un, 0, sizeof(sock_un)); 148 sock_un.sun_family = AF_UNIX; 149 #ifdef HAS_SUN_LEN 150 sock_un.sun_len = len + 1; 151 #endif 152 memcpy(sock_un.sun_path, addr, len + 1); 153 154 /* 155 * Create a client socket. 156 */ 157 if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) 158 msg_fatal("%s: socket: %m", myname); 159 160 /* 161 * Connect to the server. 162 */ 163 if (msg_verbose) 164 msg_info("%s: trying: %s...", myname, addr); 165 166 return (smtp_connect_sock(sock, (struct sockaddr *) & sock_un, 167 sizeof(sock_un), var_myhostname, addr, 168 0, addr, why, sess_flags)); 169 } 170 171 /* smtp_connect_addr - connect to explicit address */ 172 173 static SMTP_SESSION *smtp_connect_addr(const char *destination, DNS_RR *addr, 174 unsigned port, DSN_BUF *why, 175 int sess_flags) 176 { 177 const char *myname = "smtp_connect_addr"; 178 struct sockaddr_storage ss; /* remote */ 179 struct sockaddr *sa = (struct sockaddr *) & ss; 180 SOCKADDR_SIZE salen = sizeof(ss); 181 MAI_HOSTADDR_STR hostaddr; 182 int sock; 183 char *bind_addr; 184 char *bind_var; 185 186 dsb_reset(why); /* Paranoia */ 187 188 /* 189 * Sanity checks. 190 */ 191 if (dns_rr_to_sa(addr, port, sa, &salen) != 0) { 192 msg_warn("%s: skip address type %s: %m", 193 myname, dns_strtype(addr->type)); 194 dsb_simple(why, "4.4.0", "network address conversion failed: %m"); 195 return (0); 196 } 197 198 /* 199 * Initialize. 200 */ 201 if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) 202 msg_fatal("%s: socket: %m", myname); 203 204 if (inet_windowsize > 0) 205 set_inet_windowsize(sock, inet_windowsize); 206 207 /* 208 * Allow the sysadmin to specify the source address, for example, as "-o 209 * smtp_bind_address=x.x.x.x" in the master.cf file. 210 */ 211 #ifdef HAS_IPV6 212 if (sa->sa_family == AF_INET6) { 213 bind_addr = var_smtp_bind_addr6; 214 bind_var = VAR_SMTP_BIND_ADDR6; 215 } else 216 #endif 217 if (sa->sa_family == AF_INET) { 218 bind_addr = var_smtp_bind_addr; 219 bind_var = VAR_SMTP_BIND_ADDR; 220 } else 221 bind_var = bind_addr = ""; 222 if (*bind_addr) { 223 int aierr; 224 struct addrinfo *res0; 225 226 if ((aierr = hostaddr_to_sockaddr(bind_addr, (char *) 0, 0, &res0)) != 0) 227 msg_fatal("%s: bad %s parameter: %s: %s", 228 myname, bind_var, bind_addr, MAI_STRERROR(aierr)); 229 if (bind(sock, res0->ai_addr, res0->ai_addrlen) < 0) 230 msg_warn("%s: bind %s: %m", myname, bind_addr); 231 else if (msg_verbose) 232 msg_info("%s: bind %s", myname, bind_addr); 233 freeaddrinfo(res0); 234 } 235 236 /* 237 * When running as a virtual host, bind to the virtual interface so that 238 * the mail appears to come from the "right" machine address. 239 * 240 * XXX The IPv6 patch expands the null host (as client endpoint) and uses 241 * the result as the loopback address list. 242 */ 243 else { 244 int count = 0; 245 struct sockaddr *own_addr = 0; 246 INET_ADDR_LIST *addr_list = own_inet_addr_list(); 247 struct sockaddr_storage *s; 248 249 for (s = addr_list->addrs; s < addr_list->addrs + addr_list->used; s++) { 250 if (SOCK_ADDR_FAMILY(s) == sa->sa_family) { 251 if (count++ > 0) 252 break; 253 own_addr = SOCK_ADDR_PTR(s); 254 } 255 } 256 if (count == 1 && !sock_addr_in_loopback(own_addr)) { 257 if (bind(sock, own_addr, SOCK_ADDR_LEN(own_addr)) < 0) { 258 SOCKADDR_TO_HOSTADDR(own_addr, SOCK_ADDR_LEN(own_addr), 259 &hostaddr, (MAI_SERVPORT_STR *) 0, 0); 260 msg_warn("%s: bind %s: %m", myname, hostaddr.buf); 261 } else if (msg_verbose) { 262 SOCKADDR_TO_HOSTADDR(own_addr, SOCK_ADDR_LEN(own_addr), 263 &hostaddr, (MAI_SERVPORT_STR *) 0, 0); 264 msg_info("%s: bind %s", myname, hostaddr.buf); 265 } 266 } 267 } 268 269 /* 270 * Connect to the server. 271 */ 272 SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0); 273 if (msg_verbose) 274 msg_info("%s: trying: %s[%s] port %d...", 275 myname, SMTP_HNAME(addr), hostaddr.buf, ntohs(port)); 276 277 return (smtp_connect_sock(sock, sa, salen, SMTP_HNAME(addr), hostaddr.buf, 278 port, destination, why, sess_flags)); 279 } 280 281 /* smtp_connect_sock - connect a socket over some transport */ 282 283 static SMTP_SESSION *smtp_connect_sock(int sock, struct sockaddr * sa, 284 int salen, const char *name, 285 const char *addr, 286 unsigned port, 287 const char *destination, 288 DSN_BUF *why, 289 int sess_flags) 290 { 291 int conn_stat; 292 int saved_errno; 293 VSTREAM *stream; 294 time_t start_time; 295 296 start_time = time((time_t *) 0); 297 if (var_smtp_conn_tmout > 0) { 298 non_blocking(sock, NON_BLOCKING); 299 conn_stat = timed_connect(sock, sa, salen, var_smtp_conn_tmout); 300 saved_errno = errno; 301 non_blocking(sock, BLOCKING); 302 errno = saved_errno; 303 } else { 304 conn_stat = sane_connect(sock, sa, salen); 305 } 306 if (conn_stat < 0) { 307 if (port) 308 dsb_simple(why, "4.4.1", "connect to %s[%s]:%d: %m", 309 name, addr, ntohs(port)); 310 else 311 dsb_simple(why, "4.4.1", "connect to %s[%s]: %m", name, addr); 312 close(sock); 313 return (0); 314 } 315 stream = vstream_fdopen(sock, O_RDWR); 316 317 /* 318 * Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. 319 */ 320 if (sa->sa_family == AF_INET 321 #ifdef AF_INET6 322 || sa->sa_family == AF_INET6 323 #endif 324 ) 325 vstream_tweak_tcp(stream); 326 327 /* 328 * Bundle up what we have into a nice SMTP_SESSION object. 329 */ 330 return (smtp_session_alloc(stream, destination, name, addr, 331 port, start_time, sess_flags)); 332 } 333 334 /* smtp_parse_destination - parse host/port destination */ 335 336 static char *smtp_parse_destination(char *destination, char *def_service, 337 char **hostp, unsigned *portp) 338 { 339 char *buf = mystrdup(destination); 340 char *service; 341 struct servent *sp; 342 char *protocol = "tcp"; /* XXX configurable? */ 343 unsigned port; 344 const char *err; 345 346 if (msg_verbose) 347 msg_info("smtp_parse_destination: %s %s", destination, def_service); 348 349 /* 350 * Parse the host/port information. We're working with a copy of the 351 * destination argument so the parsing can be destructive. 352 */ 353 if ((err = host_port(buf, hostp, (char *) 0, &service, def_service)) != 0) 354 msg_fatal("%s in server description: %s", err, destination); 355 356 /* 357 * Convert service to port number, network byte order. 358 */ 359 if (alldig(service)) { 360 if ((port = atoi(service)) >= 65536 || port == 0) 361 msg_fatal("bad network port in destination: %s", destination); 362 *portp = htons(port); 363 } else { 364 if ((sp = getservbyname(service, protocol)) == 0) 365 msg_fatal("unknown service: %s/%s", service, protocol); 366 *portp = sp->s_port; 367 } 368 return (buf); 369 } 370 371 /* smtp_cleanup_session - clean up after using a session */ 372 373 static void smtp_cleanup_session(SMTP_STATE *state) 374 { 375 DELIVER_REQUEST *request = state->request; 376 SMTP_SESSION *session = state->session; 377 int bad_session; 378 379 /* 380 * Inform the postmaster of trouble. 381 * 382 * XXX Don't send notifications about errors while sending notifications. 383 */ 384 #define POSSIBLE_NOTIFICATION(sender) \ 385 (*sender == 0 || strcmp(sender, mail_addr_double_bounce()) == 0) 386 387 if (session->history != 0 388 && (session->error_mask & name_mask(VAR_NOTIFY_CLASSES, 389 mail_error_masks, 390 var_notify_classes)) != 0 391 && POSSIBLE_NOTIFICATION(request->sender) == 0) 392 smtp_chat_notify(session); 393 394 /* 395 * When session caching is enabled, cache the first good session for this 396 * delivery request under the next-hop destination, and cache all good 397 * sessions under their server network address (destroying the session in 398 * the process). 399 * 400 * Caching under the next-hop destination name (rather than the fall-back 401 * destination) allows us to skip over non-responding primary or backup 402 * hosts. In fact, this is the only benefit of caching logical to 403 * physical bindings; caching a session under its own hostname provides 404 * no performance benefit, given the way smtp_connect() works. 405 */ 406 bad_session = THIS_SESSION_IS_BAD; /* smtp_quit() may fail */ 407 if (THIS_SESSION_IS_EXPIRED) 408 smtp_quit(state); /* also disables caching */ 409 if (THIS_SESSION_IS_CACHED 410 /* Redundant tests for safety... */ 411 && vstream_ferror(session->stream) == 0 412 && vstream_feof(session->stream) == 0) { 413 smtp_save_session(state); 414 } else { 415 smtp_session_free(session); 416 } 417 state->session = 0; 418 419 /* 420 * If this session was good, reset the logical next-hop state, so that we 421 * won't cache connections to alternate servers under the logical 422 * next-hop destination. Otherwise we could end up skipping over the 423 * available and more preferred servers. 424 */ 425 if (HAVE_NEXTHOP_STATE(state) && !bad_session) 426 FREE_NEXTHOP_STATE(state); 427 428 /* 429 * Clean up the lists with todo and dropped recipients. 430 */ 431 smtp_rcpt_cleanup(state); 432 433 /* 434 * Reset profiling info. 435 * 436 * XXX When one delivery request results in multiple sessions, the set-up 437 * and transmission latencies of the earlier sessions will count as 438 * connection set-up time for the later sessions. 439 * 440 * XXX On the other hand, when we first try to connect to one or more dead 441 * hosts before we reach a good host, then all that time must be counted 442 * as connection set-up time for the session with the good host. 443 * 444 * XXX So this set-up attribution problem exists only when we actually 445 * engage in a session, spend a lot of time delivering a message, find 446 * that it fails, and then connect to an alternate host. 447 */ 448 memset((char *) &request->msg_stats.conn_setup_done, 0, 449 sizeof(request->msg_stats.conn_setup_done)); 450 memset((char *) &request->msg_stats.deliver_done, 0, 451 sizeof(request->msg_stats.deliver_done)); 452 request->msg_stats.reuse_count = 0; 453 } 454 455 static void smtp_cache_policy(SMTP_STATE *state, const char *dest) 456 { 457 DELIVER_REQUEST *request = state->request; 458 459 state->misc_flags &= ~SMTP_MISC_FLAG_CONN_CACHE_MASK; 460 461 /* 462 * XXX Disable connection caching when SASL authentication is 463 * enabled. We must not send someone elses mail over an authenticated 464 * connection, and we must not send mail that requires authentication 465 * over a connection that wasn't authenticated. 466 */ 467 if (var_smtp_sasl_passwd && *var_smtp_sasl_passwd) 468 return; 469 470 if (smtp_cache_dest && string_list_match(smtp_cache_dest, dest)) { 471 state->misc_flags |= SMTP_MISC_FLAG_CONN_CACHE_MASK; 472 } else if (var_smtp_cache_demand) { 473 if (request->flags & DEL_REQ_FLAG_CONN_LOAD) 474 state->misc_flags |= SMTP_MISC_FLAG_CONN_LOAD; 475 if (request->flags & DEL_REQ_FLAG_CONN_STORE) 476 state->misc_flags |= SMTP_MISC_FLAG_CONN_STORE; 477 } 478 } 479 480 /* smtp_connect_local - connect to local server */ 481 482 static void smtp_connect_local(SMTP_STATE *state, const char *path) 483 { 484 const char *myname = "smtp_connect_local"; 485 SMTP_SESSION *session; 486 DSN_BUF *why = state->why; 487 488 /* 489 * It's too painful to weave this code into the SMTP connection 490 * management routine. 491 * 492 * Connection cache management is based on the UNIX-domain pathname, without 493 * the "unix:" prefix. 494 */ 495 smtp_cache_policy(state, path); 496 497 /* 498 * XXX We assume that the session->addr member refers to a copy of the 499 * UNIX-domain pathname, so that smtp_save_session() will cache the 500 * connection using the pathname as the physical endpoint name. 501 */ 502 #define NO_PORT 0 503 504 /* 505 * Opportunistic TLS for unix domain sockets does not make much sense, 506 * since the channel is private, mere encryption without authentication 507 * is just wasted cycles and opportunity for breakage. Since we are not 508 * willing to retry after TLS handshake failures here, we downgrade "may" 509 * no "none". Nothing is lost, and much waste is avoided. 510 * 511 * We don't know who is authenticating whom, so if a client cert is 512 * available, "encrypt" may be a sensible policy. Otherwise, we also 513 * downgrade "encrypt" to "none", this time just to avoid waste. 514 */ 515 if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0 516 || (session = smtp_reuse_addr(state, path, NO_PORT)) == 0) 517 session = smtp_connect_unix(path, why, state->misc_flags); 518 if ((state->session = session) != 0) { 519 session->state = state; 520 #ifdef USE_TLS 521 session->tls_nexthop = var_myhostname; /* for TLS_LEV_SECURE */ 522 if (session->tls_level == TLS_LEV_MAY) { 523 msg_warn("%s: opportunistic TLS encryption is not appropriate " 524 "for unix-domain destinations.", myname); 525 session->tls_level = TLS_LEV_NONE; 526 } 527 #endif 528 /* All delivery errors bounce or defer. */ 529 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 530 531 /* 532 * When a TLS handshake fails, the stream is marked "dead" to avoid 533 * further I/O over a broken channel. 534 */ 535 if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0 536 && smtp_helo(state) != 0) { 537 if (!THIS_SESSION_IS_DEAD 538 && vstream_ferror(session->stream) == 0 539 && vstream_feof(session->stream) == 0) 540 smtp_quit(state); 541 } else { 542 smtp_xfer(state); 543 } 544 545 /* 546 * With opportunistic TLS disabled we don't expect to be asked to 547 * retry connections without TLS, and so we expect the final server 548 * flag to stay on. 549 */ 550 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_SERVER) == 0) 551 msg_panic("%s: unix-domain destination not final!", myname); 552 smtp_cleanup_session(state); 553 } 554 } 555 556 /* smtp_scrub_address_list - delete all cached addresses from list */ 557 558 static void smtp_scrub_addr_list(HTABLE *cached_addr, DNS_RR **addr_list) 559 { 560 MAI_HOSTADDR_STR hostaddr; 561 DNS_RR *addr; 562 DNS_RR *next; 563 564 /* 565 * XXX Extend the DNS_RR structure with fields for the printable address 566 * and/or binary sockaddr representations, so that we can avoid repeated 567 * binary->string transformations for the same address. 568 */ 569 for (addr = *addr_list; addr; addr = next) { 570 next = addr->next; 571 if (dns_rr_to_pa(addr, &hostaddr) == 0) { 572 msg_warn("cannot convert type %s resource record to socket address", 573 dns_strtype(addr->type)); 574 continue; 575 } 576 if (htable_locate(cached_addr, hostaddr.buf)) 577 *addr_list = dns_rr_remove(*addr_list, addr); 578 } 579 } 580 581 /* smtp_update_addr_list - common address list update */ 582 583 static void smtp_update_addr_list(DNS_RR **addr_list, const char *server_addr, 584 int session_count) 585 { 586 DNS_RR *addr; 587 DNS_RR *next; 588 int aierr; 589 struct addrinfo *res0; 590 591 if (*addr_list == 0) 592 return; 593 594 /* 595 * Truncate the address list if we are not going to use it anyway. 596 */ 597 if (session_count == var_smtp_mxsess_limit 598 || session_count == var_smtp_mxaddr_limit) { 599 dns_rr_free(*addr_list); 600 *addr_list = 0; 601 return; 602 } 603 604 /* 605 * Convert server address to internal form, and look it up in the address 606 * list. 607 * 608 * XXX smtp_reuse_session() breaks if we remove two or more adjacent list 609 * elements but do not truncate the list to zero length. 610 * 611 * XXX Extend the SMTP_SESSION structure with sockaddr information so that 612 * we can avoid repeated string->binary transformations for the same 613 * address. 614 */ 615 if ((aierr = hostaddr_to_sockaddr(server_addr, (char *) 0, 0, &res0)) != 0) { 616 msg_warn("hostaddr_to_sockaddr %s: %s", 617 server_addr, MAI_STRERROR(aierr)); 618 } else { 619 for (addr = *addr_list; addr; addr = next) { 620 next = addr->next; 621 if (DNS_RR_EQ_SA(addr, (struct sockaddr *) res0->ai_addr)) { 622 *addr_list = dns_rr_remove(*addr_list, addr); 623 break; 624 } 625 } 626 freeaddrinfo(res0); 627 } 628 } 629 630 /* smtp_reuse_session - try to use existing connection, return session count */ 631 632 static int smtp_reuse_session(SMTP_STATE *state, int lookup_mx, 633 const char *domain, unsigned port, 634 DNS_RR **addr_list, int domain_best_pref) 635 { 636 int session_count = 0; 637 DNS_RR *addr; 638 DNS_RR *next; 639 MAI_HOSTADDR_STR hostaddr; 640 SMTP_SESSION *session; 641 642 /* 643 * First, search the cache by logical destination. We truncate the server 644 * address list when all the sessions for this destination are used up, 645 * to reduce the number of variables that need to be checked later. 646 * 647 * Note: lookup by logical destination restores the "best MX" bit. 648 */ 649 if (*addr_list && SMTP_RCPT_LEFT(state) > 0 650 && (session = smtp_reuse_domain(state, lookup_mx, domain, port)) != 0) { 651 session_count = 1; 652 smtp_update_addr_list(addr_list, session->addr, session_count); 653 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 654 && *addr_list == 0) 655 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 656 smtp_xfer(state); 657 smtp_cleanup_session(state); 658 } 659 660 /* 661 * Second, search the cache by primary MX address. Again, we use address 662 * list truncation so that we have to check fewer variables later. 663 * 664 * XXX This loop is safe because smtp_update_addr_list() either truncates 665 * the list to zero length, or removes at most one list element. 666 */ 667 for (addr = *addr_list; SMTP_RCPT_LEFT(state) > 0 && addr; addr = next) { 668 if (addr->pref != domain_best_pref) 669 break; 670 next = addr->next; 671 if (dns_rr_to_pa(addr, &hostaddr) != 0 672 && (session = smtp_reuse_addr(state, hostaddr.buf, port)) != 0) { 673 session->features |= SMTP_FEATURE_BEST_MX; 674 session_count += 1; 675 smtp_update_addr_list(addr_list, session->addr, session_count); 676 if (*addr_list == 0) 677 next = 0; 678 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 679 && next == 0) 680 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 681 smtp_xfer(state); 682 smtp_cleanup_session(state); 683 } 684 } 685 return (session_count); 686 } 687 688 /* smtp_connect_inet - establish network connection */ 689 690 static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop, 691 char *def_service) 692 { 693 DELIVER_REQUEST *request = state->request; 694 ARGV *sites; 695 char *dest; 696 char **cpp; 697 int non_fallback_sites; 698 int retry_plain = 0; 699 DSN_BUF *why = state->why; 700 701 /* 702 * For sanity, require that at least one of INET or INET6 is enabled. 703 * Otherwise, we can't look up interface information, and we can't 704 * convert names or addresses. 705 */ 706 if (inet_proto_info()->ai_family_list[0] == 0) { 707 dsb_simple(why, "4.4.4", "all network protocols are disabled"); 708 return; 709 } 710 711 /* 712 * First try to deliver to the indicated destination, then try to deliver 713 * to the optional fall-back relays. 714 * 715 * Future proofing: do a null destination sanity check in case we allow the 716 * primary destination to be a list (it could be just separators). 717 */ 718 sites = argv_alloc(1); 719 argv_add(sites, nexthop, (char *) 0); 720 if (sites->argc == 0) 721 msg_panic("null destination: \"%s\"", nexthop); 722 non_fallback_sites = sites->argc; 723 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) 724 argv_split_append(sites, var_fallback_relay, ", \t\r\n"); 725 726 /* 727 * Don't give up after a hard host lookup error until we have tried the 728 * fallback relay servers. 729 * 730 * Don't bounce mail after a host lookup problem with a relayhost or with a 731 * fallback relay. 732 * 733 * Don't give up after a qualifying soft error until we have tried all 734 * qualifying backup mail servers. 735 * 736 * All this means that error handling and error reporting depends on whether 737 * the error qualifies for trying to deliver to a backup mail server, or 738 * whether we're looking up a relayhost or fallback relay. The challenge 739 * then is to build this into the pre-existing SMTP client without 740 * getting lost in the complexity. 741 */ 742 #define IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites) \ 743 (*(cpp) && (cpp) >= (sites)->argv + (non_fallback_sites)) 744 745 for (cpp = sites->argv, (state->misc_flags |= SMTP_MISC_FLAG_FIRST_NEXTHOP); 746 SMTP_RCPT_LEFT(state) > 0 && (dest = *cpp) != 0; 747 cpp++, (state->misc_flags &= ~SMTP_MISC_FLAG_FIRST_NEXTHOP)) { 748 char *dest_buf; 749 char *domain; 750 unsigned port; 751 DNS_RR *addr_list; 752 DNS_RR *addr; 753 DNS_RR *next; 754 int addr_count; 755 int sess_count; 756 SMTP_SESSION *session; 757 int lookup_mx; 758 unsigned domain_best_pref; 759 MAI_HOSTADDR_STR hostaddr; 760 761 if (cpp[1] == 0) 762 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 763 764 /* 765 * Parse the destination. Default is to use the SMTP port. Look up 766 * the address instead of the mail exchanger when a quoted host is 767 * specified, or when DNS lookups are disabled. 768 */ 769 dest_buf = smtp_parse_destination(dest, def_service, &domain, &port); 770 if (var_helpful_warnings && ntohs(port) == 465) { 771 msg_info("CLIENT wrappermode (port smtps/465) is unimplemented"); 772 msg_info("instead, send to (port submission/587) with STARTTLS"); 773 } 774 775 /* 776 * Resolve an SMTP server. Skip mail exchanger lookups when a quoted 777 * host is specified, or when DNS lookups are disabled. 778 */ 779 if (msg_verbose) 780 msg_info("connecting to %s port %d", domain, ntohs(port)); 781 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 782 if (ntohs(port) == IPPORT_SMTP) 783 state->misc_flags |= SMTP_MISC_FLAG_LOOP_DETECT; 784 else 785 state->misc_flags &= ~SMTP_MISC_FLAG_LOOP_DETECT; 786 lookup_mx = (var_disable_dns == 0 && *dest != '['); 787 } else 788 lookup_mx = 0; 789 if (!lookup_mx) { 790 addr_list = smtp_host_addr(domain, state->misc_flags, why); 791 /* XXX We could be an MX host for this destination... */ 792 } else { 793 int i_am_mx = 0; 794 795 addr_list = smtp_domain_addr(domain, state->misc_flags, 796 why, &i_am_mx); 797 /* If we're MX host, don't connect to non-MX backups. */ 798 if (i_am_mx) 799 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 800 } 801 802 /* 803 * Don't try fall-back hosts if mail loops to myself. That would just 804 * make the problem worse. 805 */ 806 if (addr_list == 0 && SMTP_HAS_LOOP_DSN(why)) 807 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 808 809 /* 810 * No early loop exit or we have a memory leak with dest_buf. 811 */ 812 if (addr_list) 813 domain_best_pref = addr_list->pref; 814 815 /* 816 * When session caching is enabled, store the first good session for 817 * this delivery request under the next-hop destination name. All 818 * good sessions will be stored under their specific server IP 819 * address. 820 * 821 * XXX Replace sites->argv by (lookup_mx, domain, port) triples so we 822 * don't have to make clumsy ad-hoc copies and keep track of who 823 * free()s the memory. 824 * 825 * XXX smtp_session_cache_destinations specifies domain names without 826 * :port, because : is already used for maptype:mapname. Because of 827 * this limitation we use the bare domain without the optional [] or 828 * non-default TCP port. 829 * 830 * Opportunistic (a.k.a. on-demand) session caching on request by the 831 * queue manager. This is turned temporarily when a destination has a 832 * high volume of mail in the active queue. 833 * 834 * XXX Disable connection caching when sender-dependent authentication 835 * is enabled. We must not send someone elses mail over an 836 * authenticated connection, and we must not send mail that requires 837 * authentication over a connection that wasn't authenticated. 838 */ 839 if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_FIRST_NEXTHOP)) { 840 smtp_cache_policy(state, domain); 841 if (state->misc_flags & SMTP_MISC_FLAG_CONN_STORE) 842 SET_NEXTHOP_STATE(state, lookup_mx, domain, port); 843 } 844 845 /* 846 * Delete visited cached hosts from the address list. 847 * 848 * Optionally search the connection cache by domain name or by primary 849 * MX address before we try to create new connections. 850 * 851 * Enforce the MX session and MX address counts per next-hop or 852 * fall-back destination. smtp_reuse_session() will truncate the 853 * address list when either limit is reached. 854 */ 855 if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD)) { 856 if (state->cache_used->used > 0) 857 smtp_scrub_addr_list(state->cache_used, &addr_list); 858 sess_count = addr_count = 859 smtp_reuse_session(state, lookup_mx, domain, port, 860 &addr_list, domain_best_pref); 861 } else 862 sess_count = addr_count = 0; 863 864 /* 865 * Connect to an SMTP server: create primary MX connections, and 866 * reuse or create backup MX connections. 867 * 868 * At the start of an SMTP session, all recipients are unmarked. In the 869 * course of an SMTP session, recipients are marked as KEEP (deliver 870 * to alternate mail server) or DROP (remove from recipient list). At 871 * the end of an SMTP session, weed out the recipient list. Unmark 872 * any left-over recipients and try to deliver them to a backup mail 873 * server. 874 * 875 * Cache the first good session under the next-hop destination name. 876 * Cache all good sessions under their physical endpoint. 877 * 878 * Don't query the session cache for primary MX hosts. We already did 879 * that in smtp_reuse_session(), and if any were found in the cache, 880 * they were already deleted from the address list. 881 */ 882 for (addr = addr_list; SMTP_RCPT_LEFT(state) > 0 && addr; addr = next) { 883 next = addr->next; 884 if (++addr_count == var_smtp_mxaddr_limit) 885 next = 0; 886 if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0 887 || addr->pref == domain_best_pref 888 || dns_rr_to_pa(addr, &hostaddr) == 0 889 || !(session = smtp_reuse_addr(state, hostaddr.buf, port))) 890 session = smtp_connect_addr(dest, addr, port, why, 891 state->misc_flags); 892 if ((state->session = session) != 0) { 893 session->state = state; 894 if (addr->pref == domain_best_pref) 895 session->features |= SMTP_FEATURE_BEST_MX; 896 /* Don't count handshake errors towards the session limit. */ 897 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 898 && next == 0) 899 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 900 #ifdef USE_TLS 901 /* Disable TLS when retrying after a handshake failure */ 902 if (retry_plain) { 903 if (session->tls_level >= TLS_LEV_ENCRYPT) 904 msg_panic("Plain-text retry wrong for mandatory TLS"); 905 session->tls_level = TLS_LEV_NONE; 906 retry_plain = 0; 907 } 908 session->tls_nexthop = domain; /* for TLS_LEV_SECURE */ 909 #endif 910 if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0 911 && smtp_helo(state) != 0) { 912 #ifdef USE_TLS 913 914 /* 915 * When an opportunistic TLS handshake fails, try the 916 * same address again, with TLS disabled. See also the 917 * RETRY_AS_PLAINTEXT macro. 918 */ 919 if ((retry_plain = session->tls_retry_plain) != 0) { 920 --addr_count; 921 next = addr; 922 } 923 #endif 924 925 /* 926 * When a TLS handshake fails, the stream is marked 927 * "dead" to avoid further I/O over a broken channel. 928 */ 929 if (!THIS_SESSION_IS_DEAD 930 && vstream_ferror(session->stream) == 0 931 && vstream_feof(session->stream) == 0) 932 smtp_quit(state); 933 } else { 934 /* Do count delivery errors towards the session limit. */ 935 if (++sess_count == var_smtp_mxsess_limit) 936 next = 0; 937 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 938 && next == 0) 939 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 940 smtp_xfer(state); 941 } 942 smtp_cleanup_session(state); 943 } else { 944 /* The reason already includes the IP address and TCP port. */ 945 msg_info("%s", STR(why->reason)); 946 } 947 /* Insert: test if we must skip the remaining MX hosts. */ 948 } 949 dns_rr_free(addr_list); 950 myfree(dest_buf); 951 if (state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 952 break; 953 } 954 955 /* 956 * We still need to deliver, bounce or defer some left-over recipients: 957 * either mail loops or some backup mail server was unavailable. 958 */ 959 if (SMTP_RCPT_LEFT(state) > 0) { 960 961 /* 962 * In case of a "no error" indication we make up an excuse: we did 963 * find the host address, but we did not attempt to connect to it. 964 * This can happen when the fall-back relay was already tried via a 965 * cached connection, so that the address list scrubber left behind 966 * an empty list. 967 */ 968 if (!SMTP_HAS_DSN(why)) { 969 dsb_simple(why, "4.3.0", 970 "server unavailable or unable to receive mail"); 971 } 972 973 /* 974 * Pay attention to what could be configuration problems, and pretend 975 * that these are recoverable rather than bouncing the mail. 976 */ 977 else if (!SMTP_HAS_SOFT_DSN(why) 978 && (state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 979 980 /* 981 * The fall-back destination did not resolve as expected, or it 982 * is refusing to talk to us, or mail for it loops back to us. 983 */ 984 if (IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites)) { 985 msg_warn("%s configuration problem", VAR_SMTP_FALLBACK); 986 vstring_strcpy(why->status, "4.3.5"); 987 /* XXX Keep the diagnostic code and MTA. */ 988 } 989 990 /* 991 * The next-hop relayhost did not resolve as expected, or it is 992 * refusing to talk to us, or mail for it loops back to us. 993 */ 994 else if (strcmp(sites->argv[0], var_relayhost) == 0) { 995 msg_warn("%s configuration problem", VAR_RELAYHOST); 996 vstring_strcpy(why->status, "4.3.5"); 997 /* XXX Keep the diagnostic code and MTA. */ 998 } 999 1000 /* 1001 * Mail for the next-hop destination loops back to myself. Pass 1002 * the mail to the best_mx_transport or bounce it. 1003 */ 1004 else if (SMTP_HAS_LOOP_DSN(why) && *var_bestmx_transp) { 1005 dsb_reset(why); /* XXX */ 1006 state->status = deliver_pass_all(MAIL_CLASS_PRIVATE, 1007 var_bestmx_transp, 1008 request); 1009 SMTP_RCPT_LEFT(state) = 0; /* XXX */ 1010 } 1011 } 1012 } 1013 1014 /* 1015 * Cleanup. 1016 */ 1017 if (HAVE_NEXTHOP_STATE(state)) 1018 FREE_NEXTHOP_STATE(state); 1019 argv_free(sites); 1020 } 1021 1022 /* smtp_connect - establish SMTP connection */ 1023 1024 int smtp_connect(SMTP_STATE *state) 1025 { 1026 DELIVER_REQUEST *request = state->request; 1027 char *destination = request->nexthop; 1028 1029 /* 1030 * All deliveries proceed along the same lines, whether they are over TCP 1031 * or UNIX-domain sockets, and whether they use SMTP or LMTP: get a 1032 * connection from the cache or create a new connection; deliver mail; 1033 * update the connection cache or disconnect. 1034 * 1035 * The major differences appear at a higher level: the expansion from 1036 * destination to address list, and whether to stop before we reach the 1037 * end of that list. 1038 */ 1039 #define DEF_LMTP_SERVICE var_lmtp_tcp_port 1040 #define DEF_SMTP_SERVICE "smtp" 1041 1042 /* 1043 * With LMTP we have direct-to-host delivery only. The destination may 1044 * have multiple IP addresses. 1045 */ 1046 if (state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) { 1047 if (strncmp(destination, "unix:", 5) == 0) { 1048 smtp_connect_local(state, destination + 5); 1049 } else { 1050 if (strncmp(destination, "inet:", 5) == 0) 1051 destination += 5; 1052 smtp_connect_inet(state, destination, DEF_LMTP_SERVICE); 1053 } 1054 } 1055 1056 /* 1057 * With SMTP we can have indirection via MX host lookup, as well as an 1058 * optional fall-back relayhost that we must avoid when we are MX host. 1059 * 1060 * XXX We don't add support for "unix:" or "inet:" prefixes in SMTP 1061 * destinations, because that would break compatibility with existing 1062 * Postfix configurations that have a host with such a name. 1063 */ 1064 else { 1065 smtp_connect_inet(state, destination, DEF_SMTP_SERVICE); 1066 } 1067 1068 /* 1069 * We still need to bounce or defer some left-over recipients: either 1070 * (SMTP) mail loops or some server was unavailable. 1071 * 1072 * We could avoid this (and the "final server" complexity) by keeping one 1073 * DSN structure per recipient in memory, by updating those in-memory 1074 * structures with each delivery attempt, and by always flushing all 1075 * deferred recipients at the end. We'd probably still want to bounce 1076 * recipients immediately, so we'd end up with another chunk of code for 1077 * defer logging only. 1078 */ 1079 if (SMTP_RCPT_LEFT(state) > 0) { 1080 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; /* XXX */ 1081 smtp_sess_fail(state); 1082 1083 /* 1084 * Sanity check. Don't silently lose recipients. 1085 */ 1086 smtp_rcpt_cleanup(state); 1087 if (SMTP_RCPT_LEFT(state) > 0) 1088 msg_panic("smtp_connect: left-over recipients"); 1089 } 1090 return (state->status); 1091 } 1092