1 /* $NetBSD: smtp_proto.c,v 1.3 2020/03/18 19:05:20 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_proto 3 6 /* SUMMARY 7 /* client SMTP/LMTP protocol 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* int smtp_helo(state) 12 /* SMTP_STATE *state; 13 /* 14 /* int smtp_xfer(state) 15 /* SMTP_STATE *state; 16 /* 17 /* int smtp_rset(state) 18 /* SMTP_STATE *state; 19 /* 20 /* int smtp_quit(state) 21 /* SMTP_STATE *state; 22 /* DESCRIPTION 23 /* In the subsequent text, SMTP implies LMTP. 24 /* This module implements the client side of the SMTP protocol. 25 /* 26 /* smtp_helo() performs the initial handshake with the SMTP server. 27 /* When TLS is enabled, this includes STARTTLS negotiations. 28 /* 29 /* smtp_xfer() sends message envelope information followed by the 30 /* message data, and finishes the SMTP conversation. These operations 31 /* are combined in one function, in order to implement SMTP pipelining. 32 /* Recipients are marked as "done" in the mail queue file when 33 /* bounced or delivered. The message delivery status is updated 34 /* accordingly. 35 /* 36 /* smtp_rset() sends a single RSET command and waits for the 37 /* response. In case of a negative reply it sets the 38 /* CANT_RSET_THIS_SESSION flag. 39 /* 40 /* smtp_quit() sends a single QUIT command and waits for the 41 /* response if configured to do so. It always turns off connection 42 /* caching. 43 /* DIAGNOSTICS 44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return 45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(), 46 /* smtp_rset() and smtp_quit(), success means the ability to 47 /* perform an SMTP conversation, not necessarily the ability 48 /* to deliver mail, or the achievement of server happiness. 49 /* 50 /* In case of a rejected or failed connection, a connection 51 /* is marked as "bad, do not cache". Otherwise, connection 52 /* caching may be turned off (without being marked "bad") at 53 /* the discretion of the code that implements the individual 54 /* protocol steps. 55 /* 56 /* Warnings: corrupt message file. A corrupt message is marked 57 /* as "corrupt" by changing its queue file permissions. 58 /* BUGS 59 /* Some SMTP servers will abort when the number of recipients 60 /* for one message exceeds their capacity. This behavior violates 61 /* the SMTP protocol. 62 /* The only way around this is to limit the number of recipients 63 /* per transaction to an artificially-low value. 64 /* SEE ALSO 65 /* smtp(3h) internal data structures 66 /* smtp_chat(3) query/reply SMTP support 67 /* smtp_trouble(3) error handlers 68 /* LICENSE 69 /* .ad 70 /* .fi 71 /* The Secure Mailer license must be distributed with this software. 72 /* AUTHOR(S) 73 /* Wietse Venema 74 /* IBM T.J. Watson Research 75 /* P.O. Box 704 76 /* Yorktown Heights, NY 10598, USA 77 /* 78 /* Wietse Venema 79 /* Google, Inc. 80 /* 111 8th Avenue 81 /* New York, NY 10011, USA 82 /* 83 /* Pipelining code in cooperation with: 84 /* Jon Ribbens 85 /* Oaktree Internet Solutions Ltd., 86 /* Internet House, 87 /* Canal Basin, 88 /* Coventry, 89 /* CV1 4LY, United Kingdom. 90 /* 91 /* Connection caching in cooperation with: 92 /* Victor Duchovni 93 /* Morgan Stanley 94 /* 95 /* TLS support originally by: 96 /* Lutz Jaenicke 97 /* BTU Cottbus 98 /* Allgemeine Elektrotechnik 99 /* Universitaetsplatz 3-4 100 /* D-03044 Cottbus, Germany 101 /*--*/ 102 103 /* System library. */ 104 105 #include <sys_defs.h> 106 #include <sys/stat.h> 107 #include <sys/socket.h> /* shutdown(2) */ 108 #include <netinet/in.h> /* ntohs() */ 109 #include <string.h> 110 #include <unistd.h> 111 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */ 112 #include <stdarg.h> 113 #include <time.h> 114 115 #ifdef STRCASECMP_IN_STRINGS_H 116 #include <strings.h> 117 #endif 118 119 /* Utility library. */ 120 121 #include <msg.h> 122 #include <vstring.h> 123 #include <vstream.h> 124 #include <vstring_vstream.h> 125 #include <stringops.h> 126 #include <mymalloc.h> 127 #include <iostuff.h> 128 #include <split_at.h> 129 #include <name_code.h> 130 #include <name_mask.h> 131 132 /* Global library. */ 133 134 #include <mail_params.h> 135 #include <smtp_stream.h> 136 #include <mail_queue.h> 137 #include <recipient_list.h> 138 #include <deliver_request.h> 139 #include <defer.h> 140 #include <bounce.h> 141 #include <record.h> 142 #include <rec_type.h> 143 #include <off_cvt.h> 144 #include <mark_corrupt.h> 145 #include <quote_822_local.h> 146 #include <mail_proto.h> 147 #include <mime_state.h> 148 #include <ehlo_mask.h> 149 #include <maps.h> 150 #include <tok822.h> 151 #include <mail_addr_map.h> 152 #include <ext_prop.h> 153 #include <namadr_list.h> 154 #include <match_parent_style.h> 155 #include <lex_822.h> 156 #include <dsn_mask.h> 157 #include <xtext.h> 158 #include <uxtext.h> 159 #include <smtputf8.h> 160 161 /* Application-specific. */ 162 163 #include "smtp.h" 164 #include "smtp_sasl.h" 165 166 /* 167 * Sender and receiver state. A session does not necessarily go through a 168 * linear progression, but states are guaranteed to not jump backwards. 169 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states 170 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST. 171 * 172 * When connection caching is enabled, the QUIT state is suppressed. Normal 173 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions 174 * end with ABORT->LAST. The connection is left open for a limited time. An 175 * RSET probe should be sent before attempting to reuse an open connection 176 * for a new transaction. 177 * 178 * The code to send an RSET probe is a special case with its own initial state 179 * and with its own dedicated state transitions. The session proceeds as 180 * RSET->LAST. This code is kept inside the main protocol engine for 181 * consistent error handling and error reporting. It is not to be confused 182 * with the code that sends RSET to abort a mail transaction in progress. 183 * 184 * The code to send QUIT without message delivery transaction jumps into the 185 * main state machine. If this introduces complications, then we should 186 * introduce a second QUIT state with its own dedicated state transitions, 187 * just like we did for RSET probes. 188 * 189 * By default, the receiver skips the QUIT response. Some SMTP servers 190 * disconnect after responding to ".", and some SMTP servers wait before 191 * responding to QUIT. 192 * 193 * Client states that are associated with sending mail (up to and including 194 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending 195 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST). 196 */ 197 #define SMTP_STATE_XFORWARD_NAME_ADDR 0 198 #define SMTP_STATE_XFORWARD_PROTO_HELO 1 199 #define SMTP_STATE_MAIL 2 200 #define SMTP_STATE_RCPT 3 201 #define SMTP_STATE_DATA 4 202 #define SMTP_STATE_DOT 5 203 #define SMTP_STATE_ABORT 6 204 #define SMTP_STATE_RSET 7 205 #define SMTP_STATE_QUIT 8 206 #define SMTP_STATE_LAST 9 207 208 int *xfer_timeouts[SMTP_STATE_LAST] = { 209 &var_smtp_xfwd_tmout, /* name/addr */ 210 &var_smtp_xfwd_tmout, /* helo/proto */ 211 &var_smtp_mail_tmout, 212 &var_smtp_rcpt_tmout, 213 &var_smtp_data0_tmout, 214 &var_smtp_data2_tmout, 215 &var_smtp_rset_tmout, 216 &var_smtp_rset_tmout, 217 &var_smtp_quit_tmout, 218 }; 219 220 char *xfer_states[SMTP_STATE_LAST] = { 221 "sending XFORWARD name/address", 222 "sending XFORWARD protocol/helo_name", 223 "sending MAIL FROM", 224 "sending RCPT TO", 225 "sending DATA command", 226 "sending end of data -- message may be sent more than once", 227 "sending final RSET", 228 "sending RSET probe", 229 "sending QUIT", 230 }; 231 232 char *xfer_request[SMTP_STATE_LAST] = { 233 "XFORWARD name/address command", 234 "XFORWARD helo/protocol command", 235 "MAIL FROM command", 236 "RCPT TO command", 237 "DATA command", 238 "end of DATA command", 239 "final RSET command", 240 "RSET probe", 241 "QUIT command", 242 }; 243 244 /* 245 * Note: MIME downgrade never happens for mail that must be delivered with 246 * SMTPUTF8 (the sender requested SMTPUTF8, AND the delivery request 247 * involves at least one UTF-8 envelope address or header value. 248 */ 249 #define SMTP_MIME_DOWNGRADE(session, request) \ 250 (var_disable_mime_oconv == 0 \ 251 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \ 252 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0) 253 254 #ifdef USE_TLS 255 256 static int smtp_start_tls(SMTP_STATE *); 257 258 #endif 259 260 /* 261 * Call-back information for header/body checks. We don't provide call-backs 262 * for actions that change the message delivery time or destination. 263 */ 264 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *); 265 static void smtp_text_out(void *, int, const char *, ssize_t, off_t); 266 267 HBC_CALL_BACKS smtp_hbc_callbacks[1] = { 268 smtp_hbc_logger, 269 smtp_text_out, 270 }; 271 272 static int smtp_vrfy_tgt; 273 274 /* smtp_vrfy_init - initialize */ 275 276 void smtp_vrfy_init(void) 277 { 278 static const NAME_CODE vrfy_init_table[] = { 279 SMTP_VRFY_TGT_RCPT, SMTP_STATE_RCPT, 280 SMTP_VRFY_TGT_DATA, SMTP_STATE_DATA, 281 0, 282 }; 283 284 if ((smtp_vrfy_tgt = name_code(vrfy_init_table, NAME_CODE_FLAG_NONE, 285 var_smtp_vrfy_tgt)) == 0) 286 msg_fatal("bad protocol stage: \"%s = %s\"", 287 VAR_SMTP_VRFY_TGT, var_smtp_vrfy_tgt); 288 } 289 290 /* smtp_helo - perform initial handshake with SMTP server */ 291 292 int smtp_helo(SMTP_STATE *state) 293 { 294 const char *myname = "smtp_helo"; 295 SMTP_SESSION *session = state->session; 296 DELIVER_REQUEST *request = state->request; 297 SMTP_ITERATOR *iter = state->iterator; 298 SMTP_RESP *resp; 299 SMTP_RESP fake; 300 int except; 301 char *lines; 302 char *words; 303 char *word; 304 int n; 305 static const NAME_CODE xforward_features[] = { 306 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME, 307 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR, 308 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT, 309 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO, 310 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO, 311 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT, 312 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN, 313 0, 0, 314 }; 315 const char *ehlo_words; 316 int discard_mask; 317 static const NAME_MASK pix_bug_table[] = { 318 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP, 319 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF, 320 0, 321 }; 322 const char *pix_bug_words; 323 const char *pix_bug_source; 324 int pix_bug_mask; 325 326 #ifdef USE_TLS 327 int saved_features = session->features; 328 int tls_helo_status; 329 330 #endif 331 const char *NOCLOBBER where; 332 333 /* 334 * Skip the plaintext SMTP handshake when connecting in SMTPS mode. 335 */ 336 #ifdef USE_TLS 337 if (var_smtp_tls_wrappermode 338 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 339 /* XXX Mix-up of per-session and per-request flags. */ 340 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 341 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 342 var_smtp_rec_deadline); 343 tls_helo_status = smtp_start_tls(state); 344 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 345 return (tls_helo_status); 346 } 347 #endif 348 349 /* 350 * Prepare for disaster. 351 */ 352 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout, 353 var_smtp_rec_deadline); 354 if ((except = vstream_setjmp(state->session->stream)) != 0) 355 return (smtp_stream_except(state, except, where)); 356 357 /* 358 * If not recursing after STARTTLS, examine the server greeting banner 359 * and decide if we are going to send EHLO as the next command. 360 */ 361 if (var_smtp_tls_wrappermode 362 || (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 363 364 /* 365 * Read and parse the server's SMTP greeting banner. 366 */ 367 where = "receiving the initial server greeting"; 368 switch ((resp = smtp_chat_resp(session))->code / 100) { 369 case 2: 370 break; 371 case 5: 372 if (var_smtp_skip_5xx_greeting) 373 STR(resp->dsn_buf)[0] = '4'; 374 /* FALLTHROUGH */ 375 default: 376 return (smtp_site_fail(state, STR(iter->host), resp, 377 "host %s refused to talk to me: %s", 378 session->namaddr, 379 translit(resp->str, "\n", " "))); 380 } 381 382 /* 383 * If the policy table specifies a bogus TLS security level, fail 384 * now. 385 */ 386 #ifdef USE_TLS 387 if (state->tls->level == TLS_LEV_INVALID) 388 /* Warning is already logged. */ 389 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 390 SMTP_RESP_FAKE(&fake, "4.7.0"), 391 "client TLS configuration problem")); 392 #endif 393 394 /* 395 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so 396 * it does not span a packet boundary. This hurts performance so it 397 * is not on by default. 398 */ 399 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) { 400 /* Best effort only. Ignore errors. */ 401 if (smtp_pix_bug_maps != 0 402 && (pix_bug_words = 403 maps_find(smtp_pix_bug_maps, 404 STR(iter->addr), 0)) != 0) { 405 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_MAPS); 406 } else { 407 pix_bug_words = var_smtp_pix_bug_words; 408 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_WORDS); 409 } 410 if (*pix_bug_words) { 411 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table, 412 pix_bug_words, 413 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE); 414 if ((pix_bug_mask & SMTP_FEATURE_PIX_DELAY_DOTCRLF) 415 && request->msg_stats.incoming_arrival.tv_sec 416 > vstream_ftime(state->session->stream) - var_smtp_pix_thresh) 417 pix_bug_mask &= ~SMTP_FEATURE_PIX_DELAY_DOTCRLF; 418 msg_info("%s: enabling PIX workarounds: %s for %s", 419 request->queue_id, 420 str_name_mask("pix workaround bitmask", 421 pix_bug_table, pix_bug_mask), 422 session->namaddrport); 423 session->features |= pix_bug_mask; 424 } 425 } 426 427 /* 428 * See if we are talking to ourself. This should not be possible with 429 * the way we implement DNS lookups. However, people are known to 430 * sometimes screw up the naming service. And, mailer loops are still 431 * possible when our own mailer routing tables are mis-configured. 432 */ 433 words = resp->str; 434 (void) mystrtok(&words, "- \t\n"); 435 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) { 436 if (n == 0 && strcasecmp(word, var_myhostname) == 0) { 437 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) 438 msg_warn("host %s greeted me with my own hostname %s", 439 session->namaddrport, var_myhostname); 440 } else if (strcasecmp(word, "ESMTP") == 0) 441 session->features |= SMTP_FEATURE_ESMTP; 442 } 443 if (smtp_mode) { 444 if (var_smtp_always_ehlo 445 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0) 446 session->features |= SMTP_FEATURE_ESMTP; 447 if (var_smtp_never_ehlo 448 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0) 449 session->features &= ~SMTP_FEATURE_ESMTP; 450 } else { 451 session->features |= SMTP_FEATURE_ESMTP; 452 } 453 } 454 455 /* 456 * If recursing after STARTTLS, there is no server greeting banner. 457 * Always send EHLO as the next command. 458 */ 459 else { 460 session->features |= SMTP_FEATURE_ESMTP; 461 } 462 463 /* 464 * Return the compliment. Fall back to SMTP if our ESMTP recognition 465 * heuristic failed. 466 */ 467 if (smtp_mode) { 468 where = "performing the EHLO handshake"; 469 if (session->features & SMTP_FEATURE_ESMTP) { 470 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name); 471 if ((resp = smtp_chat_resp(session))->code / 100 != 2) { 472 if (resp->code == 421) 473 return (smtp_site_fail(state, STR(iter->host), resp, 474 "host %s refused to talk to me: %s", 475 session->namaddr, 476 translit(resp->str, "\n", " "))); 477 else 478 session->features &= ~SMTP_FEATURE_ESMTP; 479 } 480 } 481 if ((session->features & SMTP_FEATURE_ESMTP) == 0) { 482 where = "performing the HELO handshake"; 483 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name); 484 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 485 return (smtp_site_fail(state, STR(iter->host), resp, 486 "host %s refused to talk to me: %s", 487 session->namaddr, 488 translit(resp->str, "\n", " "))); 489 } 490 } else { 491 where = "performing the LHLO handshake"; 492 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name); 493 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 494 return (smtp_site_fail(state, STR(iter->host), resp, 495 "host %s refused to talk to me: %s", 496 session->namaddr, 497 translit(resp->str, "\n", " "))); 498 } 499 500 /* 501 * No early returns allowed, to ensure consistent handling of TLS and 502 * SASL policies. 503 */ 504 if (session->features & SMTP_FEATURE_ESMTP) { 505 506 /* 507 * Determine what server EHLO keywords to ignore, typically to avoid 508 * inter-operability problems. 509 */ 510 if (smtp_ehlo_dis_maps == 0 511 || (ehlo_words = maps_find(smtp_ehlo_dis_maps, 512 STR(iter->addr), 0)) == 0) 513 ehlo_words = var_smtp_ehlo_dis_words; 514 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) { 515 msg_warn("%s: %s map lookup error for %s", 516 session->state->request->queue_id, 517 smtp_ehlo_dis_maps->title, STR(iter->addr)); 518 vstream_longjmp(session->stream, SMTP_ERR_DATA); 519 } 520 discard_mask = ehlo_mask(ehlo_words); 521 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 522 msg_info("discarding EHLO keywords: %s", 523 str_ehlo_mask(discard_mask)); 524 525 /* 526 * Pick up some useful features offered by the SMTP server. XXX Until 527 * we have a portable routine to convert from string to off_t with 528 * proper overflow detection, ignore the message size limit 529 * advertised by the SMTP server. Otherwise, we might do the wrong 530 * thing when the server advertises a really huge message size limit. 531 * 532 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", 533 * because MicroSoft implemented AUTH based on an old draft. 534 */ 535 lines = resp->str; 536 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) { 537 if (mystrtok(&words, "- ") 538 && (word = mystrtok(&words, " \t=")) != 0) { 539 if (n == 0) { 540 if (session->helo != 0) 541 myfree(session->helo); 542 543 /* 544 * XXX: Keep the original case: we don't expect a single 545 * SMTP server to randomly change the case of its helo 546 * response. If different capitalization is detected, we 547 * should assume disjoint TLS caches. 548 */ 549 session->helo = mystrdup(word); 550 if (strcasecmp(word, var_myhostname) == 0 551 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) { 552 msg_warn("host %s replied to HELO/EHLO" 553 " with my own hostname %s", 554 session->namaddrport, var_myhostname); 555 if (session->features & SMTP_FEATURE_BEST_MX) 556 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 557 SMTP_RESP_FAKE(&fake, "5.4.6"), 558 "mail for %s loops back to myself", 559 request->nexthop)); 560 else 561 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 562 SMTP_RESP_FAKE(&fake, "4.4.6"), 563 "mail for %s loops back to myself", 564 request->nexthop)); 565 } 566 } else if (strcasecmp(word, "8BITMIME") == 0) { 567 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 568 session->features |= SMTP_FEATURE_8BITMIME; 569 } else if (strcasecmp(word, "PIPELINING") == 0) { 570 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 571 session->features |= SMTP_FEATURE_PIPELINING; 572 } else if (strcasecmp(word, "XFORWARD") == 0) { 573 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) 574 while ((word = mystrtok(&words, " \t")) != 0) 575 session->features |= 576 name_code(xforward_features, 577 NAME_CODE_FLAG_NONE, word); 578 } else if (strcasecmp(word, "SIZE") == 0) { 579 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 580 session->features |= SMTP_FEATURE_SIZE; 581 if ((word = mystrtok(&words, " \t")) != 0) { 582 if (!alldig(word)) 583 msg_warn("bad EHLO SIZE limit \"%s\" from %s", 584 word, session->namaddrport); 585 else 586 session->size_limit = off_cvt_string(word); 587 } 588 } 589 #ifdef USE_TLS 590 } else if (strcasecmp(word, "STARTTLS") == 0) { 591 /* Ignored later if we already sent STARTTLS. */ 592 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 593 session->features |= SMTP_FEATURE_STARTTLS; 594 #endif 595 #ifdef USE_SASL_AUTH 596 } else if (var_smtp_sasl_enable 597 && strcasecmp(word, "AUTH") == 0) { 598 if ((discard_mask & EHLO_MASK_AUTH) == 0) 599 smtp_sasl_helo_auth(session, words); 600 #endif 601 } else if (strcasecmp(word, "DSN") == 0) { 602 if ((discard_mask & EHLO_MASK_DSN) == 0) 603 session->features |= SMTP_FEATURE_DSN; 604 } else if (strcasecmp(word, "SMTPUTF8") == 0) { 605 if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0) 606 session->features |= SMTP_FEATURE_SMTPUTF8; 607 } 608 n++; 609 } 610 } 611 } 612 if (msg_verbose) 613 msg_info("server features: 0x%x size %.0f", 614 session->features, (double) session->size_limit); 615 616 /* 617 * Decide if this delivery requires SMTPUTF8 server support. 618 * 619 * For now, we require that the remote SMTP server supports SMTPUTF8 when 620 * the sender requested SMTPUTF8 support. 621 * 622 * XXX EAI Refine this to: the sender requested SMTPUTF8 support AND the 623 * delivery request involves at least one UTF-8 envelope address or 624 * header value. 625 * 626 * If the sender requested SMTPUTF8 support but the delivery request 627 * involves no UTF-8 envelope address or header value, then we could 628 * still deliver such mail to a non-SMTPUTF8 server, except that we must 629 * either uxtext-encode ORCPT parameters or not send them. We cannot 630 * encode the ORCPT in xtext, because legacy SMTP requires that the 631 * unencoded address consist entirely of printable (graphic and white 632 * space) characters from the US-ASCII repertoire (RFC 3461 section 4). A 633 * correct uxtext encoder will produce a result that an xtext decoder 634 * will pass through unchanged. 635 * 636 * XXX Should we try to encode headers with RFC 2047 when delivering to a 637 * non-SMTPUTF8 server? That could make life easier for mailing lists. 638 */ 639 #define DELIVERY_REQUIRES_SMTPUTF8 \ 640 ((request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) \ 641 && (request->smtputf8 & ~SMTPUTF8_FLAG_REQUESTED)) 642 643 /* 644 * Require that the server supports SMTPUTF8 when delivery requires 645 * SMTPUTF8. 646 * 647 * Fix 20140706: moved this before negotiating TLS, AUTH, and so on. 648 */ 649 if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0 650 && DELIVERY_REQUIRES_SMTPUTF8) 651 return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 652 SMTP_RESP_FAKE(&fake, "5.6.7"), 653 "SMTPUTF8 is required, " 654 "but was not offered by host %s", 655 session->namaddr)); 656 657 /* 658 * Fix 20140706: don't do silly things when the remote server announces 659 * SMTPUTF8 but not 8BITMIME support. Our primary mission is to deliver 660 * mail, not to force people into compliance. 661 */ 662 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0 663 && (session->features & SMTP_FEATURE_8BITMIME) == 0) { 664 msg_info("host %s offers SMTPUTF8 support, but not 8BITMIME", 665 session->namaddr); 666 session->features |= SMTP_FEATURE_8BITMIME; 667 } 668 669 /* 670 * We use SMTP command pipelining if the server said it supported it. 671 * Since we use blocking I/O, RFC 2197 says that we should inspect the 672 * TCP window size and not send more than this amount of information. 673 * Unfortunately this information is unavailable using the sockets 674 * interface. However, we *can* get the TCP send buffer size on the local 675 * TCP/IP stack. We should be able to fill this buffer without being 676 * blocked, and then the kernel will effectively do non-blocking I/O for 677 * us by automatically writing out the contents of its send buffer while 678 * we are reading in the responses. In addition to TCP buffering we have 679 * to be aware of application-level buffering by the vstream module, 680 * which is limited to a couple kbytes. 681 * 682 * XXX No need to do this before and after STARTTLS, but it's not a big deal 683 * if we do. 684 * 685 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as 686 * TLS messages. Thus, the TCP-level payload will be larger than the 687 * SMTP-level payload. This has implications for the PIPELINING engine. 688 * 689 * To avoid deadlock, the PIPELINING engine needs to request a TCP send 690 * buffer size that can hold the unacknowledged commands plus the TLS 691 * encapsulation overhead. 692 * 693 * The PIPELINING engine keeps the unacknowledged command size <= the 694 * default VSTREAM buffer size (to avoid small-write performance issues 695 * when the VSTREAM buffer size is at its default size). With a default 696 * VSTREAM buffer size of 4096 there is no reason to increase the 697 * unacknowledged command size as the TCP MSS increases. It's safer to 698 * spread the remote SMTP server's recipient processing load over time, 699 * than dumping a very large recipient list all at once. 700 * 701 * For TLS encapsulation overhead we make a conservative guess: take the 702 * current protocol overhead of ~40 bytes, double the number for future 703 * proofing (~80 bytes), then round up the result to the nearest power of 704 * 2 (128 bytes). Plus, be prepared for worst-case compression that 705 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS 706 * message becomes 15 kbytes. 707 */ 708 #define PIPELINING_BUFSIZE VSTREAM_BUFSIZE 709 #ifdef USE_TLS 710 #define TLS_WORST_PAYLOAD 16384 711 #define TLS_WORST_COMP_OVERHD 1024 712 #define TLS_WORST_PROTO_OVERHD 128 713 #define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD) 714 #define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD) 715 #endif 716 717 if (session->features & SMTP_FEATURE_PIPELINING) { 718 SOCKOPT_SIZE optlen; 719 int tcp_bufsize; 720 int enc_overhead = 0; 721 722 optlen = sizeof(tcp_bufsize); 723 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET, 724 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0) 725 msg_fatal("%s: getsockopt: %m", myname); 726 #ifdef USE_TLS 727 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) 728 enc_overhead += 729 (1 + (PIPELINING_BUFSIZE - 1) 730 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD; 731 #endif 732 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) { 733 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead; 734 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET, 735 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0) 736 msg_fatal("%s: setsockopt: %m", myname); 737 } 738 if (msg_verbose) 739 msg_info("Using %s PIPELINING, TCP send buffer size is %d, " 740 "PIPELINING buffer size is %d", 741 smtp_mode ? "ESMTP" : "LMTP", 742 tcp_bufsize, PIPELINING_BUFSIZE); 743 } 744 #ifdef USE_TLS 745 746 /* 747 * Skip this part if we already sent STARTTLS. 748 */ 749 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 750 751 /* 752 * Optionally log unused STARTTLS opportunities. 753 */ 754 if ((session->features & SMTP_FEATURE_STARTTLS) && 755 var_smtp_tls_note_starttls_offer && 756 state->tls->level <= TLS_LEV_NONE) 757 msg_info("Host offered STARTTLS: [%s]", STR(iter->host)); 758 759 /* 760 * Decide whether or not to send STARTTLS. 761 */ 762 if ((session->features & SMTP_FEATURE_STARTTLS) != 0 763 && smtp_tls_ctx != 0 && state->tls->level >= TLS_LEV_MAY) { 764 765 /* 766 * Prepare for disaster. 767 */ 768 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 769 var_smtp_rec_deadline); 770 if ((except = vstream_setjmp(state->session->stream)) != 0) 771 return (smtp_stream_except(state, except, 772 "receiving the STARTTLS response")); 773 774 /* 775 * Send STARTTLS. Recurse when the server accepts STARTTLS, after 776 * resetting the SASL and EHLO features lists. 777 * 778 * Reset the SASL mechanism list to avoid spurious warnings. 779 * 780 * Use the smtp_sasl_tls_security_options feature to allow SASL 781 * mechanisms that may not be allowed with plain-text 782 * connections. 783 */ 784 smtp_chat_cmd(session, "STARTTLS"); 785 if ((resp = smtp_chat_resp(session))->code / 100 == 2) { 786 #ifdef USE_SASL_AUTH 787 if (session->features & SMTP_FEATURE_AUTH) 788 smtp_sasl_cleanup(session); 789 #endif 790 session->features = saved_features; 791 /* XXX Mix-up of per-session and per-request flags. */ 792 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 793 tls_helo_status = smtp_start_tls(state); 794 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 795 return (tls_helo_status); 796 } 797 798 /* 799 * Give up if we must use TLS but the server rejects STARTTLS 800 * although support for it was announced in the EHLO response. 801 */ 802 session->features &= ~SMTP_FEATURE_STARTTLS; 803 if (TLS_REQUIRED(state->tls->level)) 804 return (smtp_site_fail(state, STR(iter->host), resp, 805 "TLS is required, but host %s refused to start TLS: %s", 806 session->namaddr, 807 translit(resp->str, "\n", " "))); 808 /* Else try to continue in plain-text mode. */ 809 } 810 811 /* 812 * Give up if we must use TLS but can't for various reasons. 813 * 814 * 200412 Be sure to provide the default clause at the bottom of this 815 * block. When TLS is required we must never, ever, end up in 816 * plain-text mode. 817 */ 818 if (TLS_REQUIRED(state->tls->level)) { 819 if (!(session->features & SMTP_FEATURE_STARTTLS)) { 820 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 821 SMTP_RESP_FAKE(&fake, "4.7.4"), 822 "TLS is required, but was not offered by host %s", 823 session->namaddr)); 824 } else if (smtp_tls_ctx == 0) { 825 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 826 SMTP_RESP_FAKE(&fake, "4.7.5"), 827 "TLS is required, but our TLS engine is unavailable")); 828 } else { 829 msg_warn("%s: TLS is required but unavailable, don't know why", 830 myname); 831 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 832 SMTP_RESP_FAKE(&fake, "4.7.0"), 833 "TLS is required, but unavailable")); 834 } 835 } 836 } 837 #endif 838 #ifdef USE_SASL_AUTH 839 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH)) 840 return (smtp_sasl_helo_login(state)); 841 #endif 842 843 return (0); 844 } 845 846 #ifdef USE_TLS 847 848 /* smtp_start_tls - turn on TLS and recurse into the HELO dialog */ 849 850 static int smtp_start_tls(SMTP_STATE *state) 851 { 852 SMTP_SESSION *session = state->session; 853 SMTP_ITERATOR *iter = state->iterator; 854 TLS_CLIENT_START_PROPS start_props; 855 VSTRING *serverid; 856 SMTP_RESP fake; 857 TLS_CLIENT_INIT_PROPS init_props; 858 VSTREAM *tlsproxy; 859 VSTRING *port_buf; 860 861 /* 862 * When the TLS handshake succeeds, we can reuse a connection only if TLS 863 * remains turned on for the lifetime of that connection. This requires 864 * that the TLS library state is maintained in some proxy process, for 865 * example, in tlsproxy(8). We then store the proxy file handle in the 866 * connection cache, and reuse that file handle. 867 * 868 * Otherwise, we must turn off connection caching. We can't turn off TLS in 869 * one SMTP client process, save the open connection to a cache which is 870 * shared with all SMTP clients, migrate the connection to another SMTP 871 * client, and resume TLS there. When the TLS handshake fails, we can't 872 * reuse the SMTP connection either, because the conversation is in an 873 * unknown state. 874 */ 875 if (state->tls->conn_reuse == 0) 876 DONT_CACHE_THIS_SESSION; 877 878 /* 879 * The following assumes sites that use TLS in a perverse configuration: 880 * multiple hosts per hostname, or even multiple hosts per IP address. 881 * All this without a shared TLS session cache, and they still want to 882 * use TLS session caching??? 883 * 884 * The TLS session cache records the trust chain verification status of 885 * cached sessions. Different transports may have different CAfile or 886 * CApath settings, perhaps to allow authenticated connections to sites 887 * with private CA certs without trusting said private certs for other 888 * sites. So we cannot assume that a trust chain valid for one transport 889 * is valid for another. Therefore the client session id must include 890 * either the transport name or the values of CAfile and CApath. We use 891 * the transport name. 892 * 893 * XXX: We store only one session per lookup key. Ideally the the key maps 894 * 1-to-1 to a server TLS session cache. We use the IP address, port and 895 * ehlo response name to build a lookup key that works for split caches 896 * (that announce distinct names) behind a load balancer. 897 * 898 * XXX: The TLS library will salt the serverid with further details of the 899 * protocol and cipher requirements including the server ehlo response. 900 * Deferring the helo to the digested suffix results in more predictable 901 * SSL session lookup key lengths. 902 */ 903 serverid = vstring_alloc(10); 904 smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE 905 | SMTP_KEY_FLAG_CUR_NEXTHOP /* With port */ 906 | SMTP_KEY_FLAG_HOSTNAME 907 | SMTP_KEY_FLAG_ADDR); 908 909 if (state->tls->conn_reuse) { 910 TLS_CLIENT_PARAMS tls_params; 911 912 /* 913 * Send all our wishes in one big request. 914 */ 915 TLS_PROXY_CLIENT_INIT_PROPS(&init_props, 916 log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL), 917 log_level = var_smtp_tls_loglevel, 918 verifydepth = var_smtp_tls_scert_vd, 919 cache_type 920 = LMTP_SMTP_SUFFIX(TLS_MGR_SCACHE), 921 chain_files = var_smtp_tls_chain_files, 922 cert_file = var_smtp_tls_cert_file, 923 key_file = var_smtp_tls_key_file, 924 dcert_file = var_smtp_tls_dcert_file, 925 dkey_file = var_smtp_tls_dkey_file, 926 eccert_file = var_smtp_tls_eccert_file, 927 eckey_file = var_smtp_tls_eckey_file, 928 CAfile = var_smtp_tls_CAfile, 929 CApath = var_smtp_tls_CApath, 930 mdalg = var_smtp_tls_fpt_dgst); 931 TLS_PROXY_CLIENT_START_PROPS(&start_props, 932 timeout = var_smtp_starttls_tmout, 933 tls_level = state->tls->level, 934 nexthop = session->tls_nexthop, 935 host = STR(iter->host), 936 namaddr = session->namaddrport, 937 sni = state->tls->sni, 938 serverid = vstring_str(serverid), 939 helo = session->helo, 940 protocols = state->tls->protocols, 941 cipher_grade = state->tls->grade, 942 cipher_exclusions 943 = vstring_str(state->tls->exclusions), 944 matchargv = state->tls->matchargv, 945 mdalg = var_smtp_tls_fpt_dgst, 946 dane = state->tls->dane); 947 948 /* 949 * The tlsproxy(8) server enforces timeouts that are larger than 950 * those specified by the tlsproxy(8) client. These timeouts are a 951 * safety net for the case that the tlsproxy(8) client fails to 952 * enforce time limits. Normally, the tlsproxy(8) client would time 953 * out and trigger a plaintext event in the tlsproxy(8) server, and 954 * cause it to tear down the session. 955 * 956 * However, the tlsproxy(8) server has no insight into the SMTP 957 * protocol, and therefore it cannot by itself support different 958 * timeouts at different SMTP protocol stages. Instead, we specify 959 * the largest timeout (end-of-data) and rely on the SMTP client to 960 * time out first, which normally results in a plaintext event in the 961 * tlsproxy(8) server. Unfortunately, we cannot permit plaintext 962 * events during the TLS handshake, so we specify a separate timeout 963 * for that stage (the end-of-data timeout would be unreasonably 964 * large anyway). 965 */ 966 #define PROXY_OPEN_FLAGS \ 967 (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT) 968 969 port_buf = vstring_alloc(100); /* minimize fragmentation */ 970 vstring_sprintf(port_buf, "%d", ntohs(iter->port)); 971 tlsproxy = 972 tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS, 973 session->stream, STR(iter->addr), 974 STR(port_buf), var_smtp_starttls_tmout, 975 var_smtp_data2_tmout, state->service, 976 tls_proxy_client_param_from_config(&tls_params), 977 &init_props, &start_props); 978 vstring_free(port_buf); 979 980 /* 981 * To insert tlsproxy(8) between this process and the remote SMTP 982 * server, we swap the file descriptors between the tlsproxy and 983 * session->stream VSTREAMS, so that we don't lose all the 984 * user-configurable session->stream attributes (such as longjump 985 * buffers or timeouts). 986 * 987 * TODO: the tlsproxy RPCs should return more error detail than a "NO" 988 * result. OTOH, the in-process TLS engine does not return such info 989 * either. 990 * 991 * If the tlsproxy request fails we do not fall back to the in-process 992 * TLS stack. Reason: the admin enabled connection reuse to respect 993 * receiver policy; silently violating such policy would not be 994 * useful. 995 * 996 * We also don't fall back to the in-process TLS stack under low-traffic 997 * conditions, to avoid frustrating attempts to debug a problem with 998 * using the tlsproxy(8) service. 999 */ 1000 if (tlsproxy == 0) { 1001 session->tls_context = 0; 1002 } else { 1003 vstream_control(tlsproxy, 1004 CA_VSTREAM_CTL_DOUBLE, 1005 CA_VSTREAM_CTL_END); 1006 vstream_control(session->stream, 1007 CA_VSTREAM_CTL_SWAP_FD(tlsproxy), 1008 CA_VSTREAM_CTL_END); 1009 (void) vstream_fclose(tlsproxy); /* direct-to-server stream! */ 1010 1011 /* 1012 * There must not be any pending data in the stream buffers 1013 * before we read the TLS context attributes. 1014 */ 1015 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 1016 1017 /* 1018 * After plumbing the plaintext stream, receive the TLS context 1019 * object. For this we use the same VSTREAM buffer that we also 1020 * use to receive subsequent SMTP commands, therefore we must be 1021 * prepared for the possibility that the remote SMTP server 1022 * starts talking immediately. The tlsproxy implementation sends 1023 * the TLS context before remote content. The attribute protocol 1024 * is robust enough that an adversary cannot insert their own TLS 1025 * context attributes. 1026 */ 1027 session->tls_context = tls_proxy_context_receive(session->stream); 1028 if (session->tls_context) { 1029 session->features |= SMTP_FEATURE_FROM_PROXY; 1030 tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW, 1031 session->tls_context); 1032 } 1033 } 1034 } else { /* state->tls->conn_reuse */ 1035 1036 /* 1037 * As of Postfix 2.5, tls_client_start() tries hard to always 1038 * complete the TLS handshake. It records the verification and match 1039 * status in the resulting TLScontext. It is now up to the 1040 * application to abort the TLS connection if it chooses. 1041 * 1042 * XXX When tls_client_start() fails then we don't know what state the 1043 * SMTP connection is in, so we give up on this connection even if we 1044 * are not required to use TLS. 1045 * 1046 * Large parameter lists are error-prone, so we emulate a language 1047 * feature that C does not have natively: named parameter lists. 1048 */ 1049 session->tls_context = 1050 TLS_CLIENT_START(&start_props, 1051 ctx = smtp_tls_ctx, 1052 stream = session->stream, 1053 fd = -1, 1054 timeout = var_smtp_starttls_tmout, 1055 tls_level = state->tls->level, 1056 nexthop = session->tls_nexthop, 1057 host = STR(iter->host), 1058 namaddr = session->namaddrport, 1059 sni = state->tls->sni, 1060 serverid = vstring_str(serverid), 1061 helo = session->helo, 1062 protocols = state->tls->protocols, 1063 cipher_grade = state->tls->grade, 1064 cipher_exclusions 1065 = vstring_str(state->tls->exclusions), 1066 matchargv = state->tls->matchargv, 1067 mdalg = var_smtp_tls_fpt_dgst, 1068 dane = state->tls->dane); 1069 1070 /* 1071 * At this point there must not be any pending data in the stream 1072 * buffers. 1073 */ 1074 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 1075 } /* state->tls->conn_reuse */ 1076 1077 vstring_free(serverid); 1078 1079 if (session->tls_context == 0) { 1080 1081 /* 1082 * We must avoid further I/O, the peer is in an undefined state. 1083 */ 1084 DONT_USE_FORBIDDEN_SESSION; 1085 1086 /* 1087 * If TLS is optional, try delivery to the same server over a 1088 * plaintext connection. Otherwise we would defer mail forever with 1089 * destinations that have no alternate MX host. 1090 * 1091 * Don't fall back to plaintext if we were willing to use SASL-over-TLS 1092 * authentication. If the server doesn't announce SASL support over 1093 * plaintext connections, then we don't want delivery to fail with 1094 * "relay access denied". 1095 * 1096 * If TLS is opportunistic, don't throttle the destination, otherwise if 1097 * the mail is volume is high enough we may have difficulty ever 1098 * draining even the deferred mail, as new mail provides a constant 1099 * stream of negative feedback. 1100 */ 1101 if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE) 1102 RETRY_AS_PLAINTEXT; 1103 return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ? 1104 SMTP_NOTHROTTLE : SMTP_THROTTLE, 1105 DSN_BY_LOCAL_MTA, 1106 SMTP_RESP_FAKE(&fake, "4.7.5"), 1107 "Cannot start TLS: handshake failure")); 1108 } 1109 1110 /* 1111 * If we are verifying the server certificate and are not happy with the 1112 * result, abort the delivery here. We have a usable TLS session with the 1113 * server, so no need to disable I/O, ... we can even be polite and send 1114 * "QUIT". 1115 * 1116 * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require 1117 * matching. Levels >= "dane" require CA or DNSSEC trust. 1118 * 1119 * When DANE TLSA records specify an end-entity certificate, the trust and 1120 * match bits always coincide, but it is fine to report the wrong 1121 * end-entity certificate as untrusted rather than unmatched. 1122 */ 1123 if (TLS_MUST_TRUST(state->tls->level)) 1124 if (!TLS_CERT_IS_TRUSTED(session->tls_context)) 1125 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 1126 SMTP_RESP_FAKE(&fake, "4.7.5"), 1127 "Server certificate not trusted")); 1128 if (TLS_MUST_MATCH(state->tls->level)) 1129 if (!TLS_CERT_IS_MATCHED(session->tls_context)) 1130 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 1131 SMTP_RESP_FAKE(&fake, "4.7.5"), 1132 "Server certificate not verified")); 1133 1134 /* 1135 * At this point we have to re-negotiate the "EHLO" to reget the 1136 * feature-list. 1137 */ 1138 return (smtp_helo(state)); 1139 } 1140 1141 #endif 1142 1143 /* smtp_hbc_logger - logging call-back for header/body checks */ 1144 1145 static void smtp_hbc_logger(void *context, const char *action, 1146 const char *where, const char *content, 1147 const char *text) 1148 { 1149 const SMTP_STATE *state = (SMTP_STATE *) context; 1150 1151 if (*text) { 1152 msg_info("%s: %s: %s %.60s: %s", 1153 state->request->queue_id, action, where, content, text); 1154 } else { 1155 msg_info("%s: %s: %s %.60s", 1156 state->request->queue_id, action, where, content); 1157 } 1158 } 1159 1160 /* smtp_text_out - output one header/body record */ 1161 1162 static void smtp_text_out(void *context, int rec_type, 1163 const char *text, ssize_t len, 1164 off_t unused_offset) 1165 { 1166 SMTP_STATE *state = (SMTP_STATE *) context; 1167 SMTP_SESSION *session = state->session; 1168 ssize_t data_left; 1169 const char *data_start; 1170 1171 /* 1172 * Deal with an impedance mismatch between Postfix queue files (record 1173 * length <= $message_line_length_limit) and SMTP (DATA record length <= 1174 * $smtp_line_length_limit). The code below does a little too much work 1175 * when the SMTP line length limit is disabled, but it avoids code 1176 * duplication, and thus, it avoids testing and maintenance problems. 1177 */ 1178 data_left = len; 1179 data_start = text; 1180 do { 1181 if (state->space_left == var_smtp_line_limit 1182 && data_left > 0 && *data_start == '.') 1183 smtp_fputc('.', session->stream); 1184 if (var_smtp_line_limit > 0 && data_left >= state->space_left) { 1185 smtp_fputs(data_start, state->space_left, session->stream); 1186 data_start += state->space_left; 1187 data_left -= state->space_left; 1188 state->space_left = var_smtp_line_limit; 1189 if (data_left > 0 || rec_type == REC_TYPE_CONT) { 1190 smtp_fputc(' ', session->stream); 1191 state->space_left -= 1; 1192 } 1193 } else { 1194 if (rec_type == REC_TYPE_CONT) { 1195 smtp_fwrite(data_start, data_left, session->stream); 1196 state->space_left -= data_left; 1197 } else { 1198 smtp_fputs(data_start, data_left, session->stream); 1199 state->space_left = var_smtp_line_limit; 1200 } 1201 break; 1202 } 1203 } while (data_left > 0); 1204 } 1205 1206 /* smtp_format_out - output one header/body record */ 1207 1208 static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...); 1209 1210 static void smtp_format_out(void *context, int rec_type, const char *fmt,...) 1211 { 1212 static VSTRING *vp; 1213 va_list ap; 1214 1215 if (vp == 0) 1216 vp = vstring_alloc(100); 1217 va_start(ap, fmt); 1218 vstring_vsprintf(vp, fmt, ap); 1219 va_end(ap); 1220 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0); 1221 } 1222 1223 /* smtp_header_out - output one message header */ 1224 1225 static void smtp_header_out(void *context, int unused_header_class, 1226 const HEADER_OPTS *unused_info, 1227 VSTRING *buf, off_t offset) 1228 { 1229 char *start = vstring_str(buf); 1230 char *line; 1231 char *next_line; 1232 1233 /* 1234 * This code destroys the header. We could try to avoid clobbering it, 1235 * but we're not going to use the data any further. 1236 */ 1237 for (line = start; line; line = next_line) { 1238 next_line = split_at(line, '\n'); 1239 smtp_text_out(context, REC_TYPE_NORM, line, next_line ? 1240 next_line - line - 1 : strlen(line), offset); 1241 } 1242 } 1243 1244 /* smtp_header_rewrite - rewrite message header before output */ 1245 1246 static void smtp_header_rewrite(void *context, int header_class, 1247 const HEADER_OPTS *header_info, 1248 VSTRING *buf, off_t offset) 1249 { 1250 SMTP_STATE *state = (SMTP_STATE *) context; 1251 int did_rewrite = 0; 1252 char *line; 1253 char *start; 1254 char *next_line; 1255 char *end_line; 1256 char *result; 1257 1258 /* 1259 * Apply optional header filtering. 1260 */ 1261 if (smtp_header_checks) { 1262 result = hbc_header_checks(context, smtp_header_checks, header_class, 1263 header_info, buf, offset); 1264 if (result == 0) 1265 return; 1266 if (result == HBC_CHECKS_STAT_ERROR) { 1267 msg_warn("%s: smtp header checks lookup error", 1268 state->request->queue_id); 1269 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1270 } 1271 if (result != STR(buf)) { 1272 vstring_strcpy(buf, result); 1273 myfree(result); 1274 } 1275 } 1276 1277 /* 1278 * Rewrite primary header addresses that match the smtp_generic_maps. The 1279 * cleanup server already enforces that all headers have proper lengths 1280 * and that all addresses are in proper form, so we don't have to repeat 1281 * that. 1282 */ 1283 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY 1284 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) { 1285 TOK822 *tree; 1286 TOK822 **addr_list; 1287 TOK822 **tpp; 1288 1289 tree = tok822_parse(vstring_str(buf) 1290 + strlen(header_info->name) + 1); 1291 addr_list = tok822_grep(tree, TOK822_ADDR); 1292 for (tpp = addr_list; *tpp; tpp++) 1293 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps, 1294 smtp_ext_prop_mask & EXT_PROP_GENERIC); 1295 if (did_rewrite) { 1296 vstring_truncate(buf, strlen(header_info->name)); 1297 vstring_strcat(buf, ": "); 1298 tok822_externalize(buf, tree, TOK822_STR_HEAD); 1299 } 1300 myfree((void *) addr_list); 1301 tok822_free_tree(tree); 1302 } 1303 1304 /* 1305 * Pass through unmodified headers without reconstruction. 1306 */ 1307 if (did_rewrite == 0) { 1308 smtp_header_out(context, header_class, header_info, buf, offset); 1309 return; 1310 } 1311 1312 /* 1313 * A rewritten address list contains one address per line. The code below 1314 * replaces newlines by spaces, to fit as many addresses on a line as 1315 * possible (without rearranging the order of addresses). Prepending 1316 * white space to the beginning of lines is delegated to the output 1317 * routine. 1318 * 1319 * Code derived from cleanup_fold_header(). 1320 */ 1321 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1322 end_line = line + strcspn(line, "\n"); 1323 if (line > start) { 1324 if (end_line - start < 70) { /* TAB counts as one */ 1325 line[-1] = ' '; 1326 } else { 1327 start = line; 1328 } 1329 } 1330 next_line = *end_line ? end_line + 1 : 0; 1331 } 1332 1333 /* 1334 * Prepend a tab to continued header lines that went through the address 1335 * rewriting machinery. Just like smtp_header_out(), this code destroys 1336 * the header. We could try to avoid clobbering it, but we're not going 1337 * to use the data any further. 1338 * 1339 * Code derived from cleanup_out_header(). 1340 */ 1341 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1342 next_line = split_at(line, '\n'); 1343 if (line == start || IS_SPACE_TAB(*line)) { 1344 smtp_text_out(state, REC_TYPE_NORM, line, next_line ? 1345 next_line - line - 1 : strlen(line), offset); 1346 } else { 1347 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line); 1348 } 1349 } 1350 } 1351 1352 /* smtp_body_rewrite - rewrite message body before output */ 1353 1354 static void smtp_body_rewrite(void *context, int type, 1355 const char *buf, ssize_t len, 1356 off_t offset) 1357 { 1358 SMTP_STATE *state = (SMTP_STATE *) context; 1359 char *result; 1360 1361 /* 1362 * Apply optional body filtering. 1363 */ 1364 if (smtp_body_checks) { 1365 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset); 1366 if (result == buf) { 1367 smtp_text_out(state, type, buf, len, offset); 1368 } else if (result == HBC_CHECKS_STAT_ERROR) { 1369 msg_warn("%s: smtp body checks lookup error", 1370 state->request->queue_id); 1371 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1372 } else if (result != 0) { 1373 smtp_text_out(state, type, result, strlen(result), offset); 1374 myfree(result); 1375 } 1376 } 1377 } 1378 1379 /* smtp_mime_fail - MIME problem */ 1380 1381 static void smtp_mime_fail(SMTP_STATE *state, int mime_errs) 1382 { 1383 const MIME_STATE_DETAIL *detail; 1384 SMTP_RESP fake; 1385 1386 detail = mime_state_detail(mime_errs); 1387 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1388 SMTP_RESP_FAKE(&fake, detail->dsn), 1389 "%s", detail->text); 1390 } 1391 1392 /* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */ 1393 1394 static int smtp_out_raw_or_mime(SMTP_STATE *state, VSTRING *buf) 1395 { 1396 SMTP_SESSION *session = state->session; 1397 int mime_errs; 1398 1399 if (session->mime_state == 0) { 1400 smtp_text_out((void *) state, REC_TYPE_NORM, vstring_str(buf), 1401 VSTRING_LEN(buf), (off_t) 0); 1402 } else { 1403 mime_errs = 1404 mime_state_update(session->mime_state, REC_TYPE_NORM, 1405 vstring_str(buf), VSTRING_LEN(buf)); 1406 if (mime_errs) { 1407 smtp_mime_fail(state, mime_errs); 1408 return (-1); 1409 } 1410 } 1411 return (0); 1412 } 1413 1414 /* smtp_out_add_header - format address header, uses session->scratch* */ 1415 1416 static int smtp_out_add_header(SMTP_STATE *state, const char *label, 1417 const char *lt, const char *addr, 1418 const char *gt) 1419 { 1420 SMTP_SESSION *session = state->session; 1421 1422 smtp_rewrite_generic_internal(session->scratch2, addr); 1423 vstring_sprintf(session->scratch, "%s: %s", label, lt); 1424 smtp_quote_822_address_flags(session->scratch, 1425 vstring_str(session->scratch2), 1426 QUOTE_FLAG_DEFAULT | QUOTE_FLAG_APPEND); 1427 vstring_strcat(session->scratch, gt); 1428 return (smtp_out_raw_or_mime(state, session->scratch)); 1429 } 1430 1431 /* smtp_out_add_headers - output additional headers, uses session->scratch* */ 1432 1433 static int smtp_out_add_headers(SMTP_STATE *state) 1434 { 1435 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_DELIVERED_TO) 1436 if (smtp_out_add_header(state, "Delivered-To", "", 1437 state->request->rcpt_list.info->address, "") < 0) 1438 return (-1); 1439 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_ORIG_RCPT) 1440 if (smtp_out_add_header(state, "X-Original-To", "", 1441 state->request->rcpt_list.info->orig_addr, "") < 0) 1442 return (-1); 1443 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_RETURN_PATH) 1444 if (smtp_out_add_header(state, "Return-Path", "<", 1445 state->request->sender, ">") < 0) 1446 return (-1); 1447 return (0); 1448 } 1449 1450 /* smtp_loop - exercise the SMTP protocol engine */ 1451 1452 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, 1453 NOCLOBBER int recv_state) 1454 { 1455 const char *myname = "smtp_loop"; 1456 DELIVER_REQUEST *request = state->request; 1457 SMTP_SESSION *session = state->session; 1458 SMTP_ITERATOR *iter = state->iterator; 1459 SMTP_RESP *resp; 1460 RECIPIENT *rcpt; 1461 VSTRING *next_command = vstring_alloc(100); 1462 int *NOCLOBBER survivors = 0; 1463 NOCLOBBER int next_state; 1464 NOCLOBBER int next_rcpt; 1465 NOCLOBBER int send_rcpt; 1466 NOCLOBBER int recv_rcpt; 1467 NOCLOBBER int nrcpt; 1468 NOCLOBBER int recv_done; 1469 int except; 1470 int rec_type; 1471 NOCLOBBER int prev_type = 0; 1472 NOCLOBBER int mail_from_rejected; 1473 NOCLOBBER int downgrading; 1474 int mime_errs; 1475 SMTP_RESP fake; 1476 int fail_status; 1477 1478 /* Caution: changes to RETURN() also affect code outside the main loop. */ 1479 1480 #define RETURN(x) do { \ 1481 if (recv_state != SMTP_STATE_LAST) \ 1482 DONT_CACHE_THIS_SESSION; \ 1483 vstring_free(next_command); \ 1484 if (survivors) \ 1485 myfree((void *) survivors); \ 1486 if (session->mime_state) \ 1487 session->mime_state = mime_state_free(session->mime_state); \ 1488 return (x); \ 1489 } while (0) 1490 1491 #define SENDER_IS_AHEAD \ 1492 (recv_state < send_state || recv_rcpt != send_rcpt) 1493 1494 #define SENDER_IN_WAIT_STATE \ 1495 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST) 1496 1497 #define SENDING_MAIL \ 1498 (recv_state <= SMTP_STATE_DOT) 1499 1500 #define CANT_RSET_THIS_SESSION \ 1501 (session->features |= SMTP_FEATURE_RSET_REJECTED) 1502 1503 /* 1504 * Pipelining support requires two loops: one loop for sending and one 1505 * for receiving. Each loop has its own independent state. Most of the 1506 * time the sender can run ahead of the receiver by as much as the TCP 1507 * send buffer permits. There are only two places where the sender must 1508 * wait for status information from the receiver: once after sending DATA 1509 * and once after sending QUIT. 1510 * 1511 * The sender state advances until the TCP send buffer would overflow, or 1512 * until the sender needs status information from the receiver. At that 1513 * point the receiver starts processing responses. Once the receiver has 1514 * caught up with the sender, the sender resumes sending commands. If the 1515 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO 1516 * commands rejected, DATA rejected) it forces the sender to abort the 1517 * SMTP dialog with RSET and QUIT. 1518 */ 1519 nrcpt = 0; 1520 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0; 1521 mail_from_rejected = 0; 1522 1523 /* 1524 * Prepare for disaster. This should not be needed because the design 1525 * guarantees that no output is flushed before smtp_chat_resp() is 1526 * called. 1527 * 1528 * 1) Every SMTP command fits entirely in a VSTREAM output buffer. 1529 * 1530 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that 1531 * there is sufficient space for the command in the output buffer. 1532 * 1533 * 3) smtp_loop() flushes the output buffer to avoid server timeouts. 1534 * 1535 * Changing any of these would violate the design, and would likely break 1536 * SMTP pipelining. 1537 * 1538 * We set up the error handler anyway (only upon entry to avoid wasting 1539 * resources) because 1) there is code below that expects that VSTREAM 1540 * timeouts are enabled, and 2) this allows us to detect if someone broke 1541 * Postfix by introducing spurious flush before read operations. 1542 */ 1543 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR 1544 || send_state > SMTP_STATE_QUIT) 1545 msg_panic("%s: bad sender state %d (receiver state %d)", 1546 myname, send_state, recv_state); 1547 smtp_stream_setup(session->stream, *xfer_timeouts[send_state], 1548 var_smtp_rec_deadline); 1549 if ((except = vstream_setjmp(session->stream)) != 0) { 1550 msg_warn("smtp_proto: spurious flush before read in send state %d", 1551 send_state); 1552 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1553 xfer_states[send_state]) : -1); 1554 } 1555 1556 /* 1557 * The main protocol loop. 1558 */ 1559 do { 1560 1561 /* 1562 * Build the next command. 1563 */ 1564 switch (send_state) { 1565 1566 /* 1567 * Sanity check. 1568 */ 1569 default: 1570 msg_panic("%s: bad sender state %d", myname, send_state); 1571 1572 /* 1573 * Build the XFORWARD command. With properly sanitized 1574 * information, the command length stays within the 512 byte 1575 * command line length limit. 1576 * 1577 * XXX smtpd_xforward_preset() initializes some fields as "unknown" 1578 * and some as null; historically, pickup(8) does not send any of 1579 * these, and the queue manager presets absent fields to "not 1580 * available" except for the rewrite context which is preset to 1581 * local by way of migration aid. These definitions need to be 1582 * centralized for maintainability. 1583 */ 1584 #ifndef CAN_FORWARD_CLIENT_NAME 1585 #define _ATTR_AVAIL_AND_KNOWN_(val) \ 1586 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) 1587 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ 1588 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ 1589 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ 1590 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ 1591 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL 1592 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL 1593 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL 1594 #endif 1595 1596 case SMTP_STATE_XFORWARD_NAME_ADDR: 1597 vstring_strcpy(next_command, XFORWARD_CMD); 1598 if ((session->features & SMTP_FEATURE_XFORWARD_NAME) 1599 && CAN_FORWARD_CLIENT_NAME(request->client_name)) { 1600 vstring_strcat(next_command, " " XFORWARD_NAME "="); 1601 xtext_quote_append(next_command, request->client_name, ""); 1602 } 1603 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 1604 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { 1605 vstring_strcat(next_command, " " XFORWARD_ADDR "="); 1606 xtext_quote_append(next_command, request->client_addr, ""); 1607 } 1608 if ((session->features & SMTP_FEATURE_XFORWARD_PORT) 1609 && CAN_FORWARD_CLIENT_PORT(request->client_port)) { 1610 vstring_strcat(next_command, " " XFORWARD_PORT "="); 1611 xtext_quote_append(next_command, request->client_port, ""); 1612 } 1613 if (session->send_proto_helo) 1614 next_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1615 else 1616 next_state = SMTP_STATE_MAIL; 1617 break; 1618 1619 case SMTP_STATE_XFORWARD_PROTO_HELO: 1620 vstring_strcpy(next_command, XFORWARD_CMD); 1621 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) 1622 && CAN_FORWARD_PROTO_NAME(request->client_proto)) { 1623 vstring_strcat(next_command, " " XFORWARD_PROTO "="); 1624 xtext_quote_append(next_command, request->client_proto, ""); 1625 } 1626 if ((session->features & SMTP_FEATURE_XFORWARD_HELO) 1627 && CAN_FORWARD_HELO_NAME(request->client_helo)) { 1628 vstring_strcat(next_command, " " XFORWARD_HELO "="); 1629 xtext_quote_append(next_command, request->client_helo, ""); 1630 } 1631 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 1632 && CAN_FORWARD_IDENT_NAME(request->log_ident)) { 1633 vstring_strcat(next_command, " " XFORWARD_IDENT "="); 1634 xtext_quote_append(next_command, request->log_ident, ""); 1635 } 1636 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 1637 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { 1638 vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); 1639 xtext_quote_append(next_command, 1640 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 1641 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, ""); 1642 } 1643 next_state = SMTP_STATE_MAIL; 1644 break; 1645 1646 /* 1647 * Build the MAIL FROM command. 1648 */ 1649 case SMTP_STATE_MAIL: 1650 request->msg_stats.reuse_count = session->reuse_count; 1651 GETTIMEOFDAY(&request->msg_stats.conn_setup_done); 1652 smtp_rewrite_generic_internal(session->scratch2, request->sender); 1653 smtp_quote_821_address(session->scratch, 1654 vstring_str(session->scratch2)); 1655 vstring_sprintf(next_command, "MAIL FROM:<%s>", 1656 vstring_str(session->scratch)); 1657 /* XXX Don't announce SIZE if we're going to MIME downgrade. */ 1658 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */ 1659 && !SMTP_MIME_DOWNGRADE(session, request)) 1660 vstring_sprintf_append(next_command, " SIZE=%lu", 1661 request->data_size); 1662 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */ 1663 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0) 1664 vstring_strcat(next_command, " BODY=8BITMIME"); 1665 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0) 1666 vstring_strcat(next_command, " BODY=7BIT"); 1667 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0) 1668 msg_warn("%s: unknown content encoding: %s", 1669 request->queue_id, request->encoding); 1670 } 1671 if (session->features & SMTP_FEATURE_DSN) { 1672 if (request->dsn_envid[0]) { 1673 vstring_sprintf_append(next_command, " ENVID="); 1674 xtext_quote_append(next_command, request->dsn_envid, "+="); 1675 } 1676 if (request->dsn_ret) 1677 vstring_sprintf_append(next_command, " RET=%s", 1678 dsn_ret_str(request->dsn_ret)); 1679 } 1680 1681 /* 1682 * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8 1683 * and the sender requested SMTPUTF8 support. 1684 * 1685 * If the sender requested SMTPUTF8 but the remote SMTP server does 1686 * not support SMTPUTF8, then we have already determined earlier 1687 * that delivering this message without SMTPUTF8 will not break 1688 * the SMTPUTF8 promise that was made to the sender. 1689 */ 1690 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0 1691 && (request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) != 0) 1692 vstring_strcat(next_command, " SMTPUTF8"); 1693 1694 /* 1695 * We authenticate the local MTA only, but not the sender. 1696 */ 1697 #ifdef USE_SASL_AUTH 1698 if (var_smtp_sasl_enable 1699 && var_smtp_dummy_mail_auth 1700 && (session->features & SMTP_FEATURE_AUTH)) 1701 vstring_strcat(next_command, " AUTH=<>"); 1702 #endif 1703 1704 /* 1705 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail 1706 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA 1707 * commands to our TLS session. 1708 * 1709 * For the attack to succeed, the remote SMTP server must reply to 1710 * the malicious EHLO/MAIL/RCPT/DATA commands after completing 1711 * TLS (re)negotiation, so that the replies arrive in our TLS 1712 * session (otherwise the Postfix SMTP client would time out 1713 * waiting for an answer). With some luck we can detect this 1714 * specific attack as a server MAIL reply that arrives before we 1715 * send our own MAIL command. 1716 * 1717 * We don't apply this test to the HELO command because the result 1718 * would be very timing sensitive, and we don't apply this test 1719 * to RCPT and DATA replies because these may be pipelined for 1720 * legitimate reasons. 1721 */ 1722 #ifdef USE_TLS 1723 if (var_smtp_tls_blk_early_mail_reply 1724 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 1725 && (vstream_peek(session->stream) > 0 1726 || peekfd(vstream_fileno(session->stream)) > 0)) 1727 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY; 1728 #endif 1729 1730 /* 1731 * We now return to our regular broadcast. 1732 */ 1733 next_state = SMTP_STATE_RCPT; 1734 break; 1735 1736 /* 1737 * Build one RCPT TO command before we have seen the MAIL FROM 1738 * response. 1739 */ 1740 case SMTP_STATE_RCPT: 1741 rcpt = request->rcpt_list.info + send_rcpt; 1742 smtp_rewrite_generic_internal(session->scratch2, rcpt->address); 1743 smtp_quote_821_address(session->scratch, 1744 vstring_str(session->scratch2)); 1745 vstring_sprintf(next_command, "RCPT TO:<%s>", 1746 vstring_str(session->scratch)); 1747 if (session->features & SMTP_FEATURE_DSN) { 1748 /* XXX DSN xtext encode address value not type. */ 1749 const char *orcpt_type_addr = rcpt->dsn_orcpt; 1750 1751 /* Fix 20140706: don't use empty rcpt->orig_addr. */ 1752 if (orcpt_type_addr[0] == 0 && rcpt->orig_addr[0] != 0) { 1753 quote_822_local(session->scratch, rcpt->orig_addr); 1754 vstring_sprintf(session->scratch2, "%s;%s", 1755 /* Fix 20140707: sender must request SMTPUTF8. */ 1756 (request->smtputf8 != 0 1757 && !allascii(vstring_str(session->scratch))) ? 1758 "utf-8" : "rfc822", 1759 vstring_str(session->scratch)); 1760 orcpt_type_addr = vstring_str(session->scratch2); 1761 } 1762 if (orcpt_type_addr[0] != 0) { 1763 /* Fix 20140706: don't send unquoted ORCPT. */ 1764 /* Fix 20140707: quoting method must match orcpt type. */ 1765 /* Fix 20140707: handle uxtext encoder errors. */ 1766 if (strncasecmp(orcpt_type_addr, "utf-8;", 6) == 0) { 1767 if (uxtext_quote(session->scratch, 1768 orcpt_type_addr, "+=") != 0) 1769 vstring_sprintf_append(next_command, " ORCPT=%s", 1770 vstring_str(session->scratch)); 1771 } else { 1772 xtext_quote(session->scratch, orcpt_type_addr, "="); 1773 vstring_sprintf_append(next_command, " ORCPT=%s", 1774 vstring_str(session->scratch)); 1775 } 1776 } 1777 if (rcpt->dsn_notify) 1778 vstring_sprintf_append(next_command, " NOTIFY=%s", 1779 dsn_notify_str(rcpt->dsn_notify)); 1780 } 1781 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state)) 1782 next_state = (DEL_REQ_TRACE_ONLY(request->flags) 1783 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ? 1784 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1785 break; 1786 1787 /* 1788 * Build the DATA command before we have seen all the RCPT TO 1789 * responses. 1790 */ 1791 case SMTP_STATE_DATA: 1792 vstring_strcpy(next_command, "DATA"); 1793 next_state = SMTP_STATE_DOT; 1794 break; 1795 1796 /* 1797 * Build the "." command after we have seen the DATA response 1798 * (DATA is a protocol synchronization point). 1799 * 1800 * Changing the connection caching state here is safe because it 1801 * affects none of the not-yet processed replies to 1802 * already-generated commands. 1803 */ 1804 case SMTP_STATE_DOT: 1805 vstring_strcpy(next_command, "."); 1806 if (THIS_SESSION_IS_EXPIRED) 1807 DONT_CACHE_THIS_SESSION; 1808 next_state = THIS_SESSION_IS_CACHED ? 1809 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1810 break; 1811 1812 /* 1813 * The SMTP_STATE_ABORT sender state is entered by the sender 1814 * when it has verified all recipients; or it is entered by the 1815 * receiver when all recipients are verified or rejected, and is 1816 * then left before the bottom of the main loop. 1817 * 1818 * Changing the connection caching state here is safe because there 1819 * are no not-yet processed replies to already-generated 1820 * commands. 1821 */ 1822 case SMTP_STATE_ABORT: 1823 vstring_strcpy(next_command, "RSET"); 1824 if (THIS_SESSION_IS_EXPIRED) 1825 DONT_CACHE_THIS_SESSION; 1826 next_state = THIS_SESSION_IS_CACHED ? 1827 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1828 break; 1829 1830 /* 1831 * Build the RSET command. This is entered as initial state from 1832 * smtp_rset() and has its own dedicated state transitions. It is 1833 * used to find out the status of a cached session before 1834 * attempting mail delivery. 1835 */ 1836 case SMTP_STATE_RSET: 1837 vstring_strcpy(next_command, "RSET"); 1838 next_state = SMTP_STATE_LAST; 1839 break; 1840 1841 /* 1842 * Build the QUIT command before we have seen the "." or RSET 1843 * response. This is entered as initial state from smtp_quit(), 1844 * or is reached near the end of any non-cached session. 1845 * 1846 * Changing the connection caching state here is safe. If this 1847 * command is pipelined together with a preceding command, then 1848 * connection caching was already turned off. Do not clobber the 1849 * "bad connection" flag. 1850 */ 1851 case SMTP_STATE_QUIT: 1852 vstring_strcpy(next_command, "QUIT"); 1853 next_state = SMTP_STATE_LAST; 1854 if (THIS_SESSION_IS_CACHED) 1855 DONT_CACHE_THIS_SESSION; 1856 break; 1857 1858 /* 1859 * The final sender state has no action associated with it. 1860 */ 1861 case SMTP_STATE_LAST: 1862 VSTRING_RESET(next_command); 1863 break; 1864 } 1865 VSTRING_TERMINATE(next_command); 1866 1867 /* 1868 * Process responses until the receiver has caught up. Vstreams 1869 * automatically flush buffered output when reading new data. 1870 * 1871 * Flush unsent output if command pipelining is off or if no I/O 1872 * happened for a while. This limits the accumulation of client-side 1873 * delays in pipelined sessions. 1874 * 1875 * The PIPELINING engine will flush the VSTREAM buffer if the sender 1876 * could otherwise produce more output than fits the PIPELINING 1877 * buffer. This generally works because we know exactly how much 1878 * output we produced since the last time that the sender and 1879 * receiver synchronized the SMTP state. However this logic is not 1880 * applicable after the sender enters the DATA phase, where it does 1881 * not synchronize with the receiver until the <CR><LF>.<CR><LF>. 1882 * Thus, the PIPELINING engine no longer knows how much data is 1883 * pending in the TCP send buffer. For this reason, if PIPELINING is 1884 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is 1885 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP 1886 * stack either has already received the QUIT<CR><LF>, or else it 1887 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>, 1888 * making room in the sender's TCP stack for QUIT<CR><LF>. 1889 */ 1890 #define CHECK_PIPELINING_BUFSIZE \ 1891 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT) 1892 1893 if (SENDER_IN_WAIT_STATE 1894 || (SENDER_IS_AHEAD 1895 && ((session->features & SMTP_FEATURE_PIPELINING) == 0 1896 || (CHECK_PIPELINING_BUFSIZE 1897 && (VSTRING_LEN(next_command) + 2 1898 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND) 1899 > PIPELINING_BUFSIZE)) 1900 || time((time_t *) 0) 1901 - vstream_ftime(session->stream) > 10))) { 1902 while (SENDER_IS_AHEAD) { 1903 1904 /* 1905 * Sanity check. 1906 */ 1907 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR 1908 || recv_state > SMTP_STATE_QUIT) 1909 msg_panic("%s: bad receiver state %d (sender state %d)", 1910 myname, recv_state, send_state); 1911 1912 /* 1913 * Receive the next server response. Use the proper timeout, 1914 * and log the proper client state in case of trouble. 1915 * 1916 * XXX If we lose the connection before sending end-of-data, 1917 * find out if the server sent a premature end-of-data reply. 1918 * If this read attempt fails, report "lost connection while 1919 * sending message body", not "lost connection while sending 1920 * end-of-data". 1921 * 1922 * "except" becomes zero just above the protocol loop, and stays 1923 * zero or triggers an early return from the loop. In just 1924 * one case: loss of the connection when sending the message 1925 * body, we record the exception, and keep processing in the 1926 * hope of detecting a premature 5XX. We must be careful to 1927 * not clobber this non-zero value once it is set. The 1928 * variable need not survive longjmp() calls, since the only 1929 * setjmp() which does not return early is the one sets this 1930 * condition, subquent failures always return early. 1931 */ 1932 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) 1933 1934 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state], 1935 var_smtp_rec_deadline); 1936 if (LOST_CONNECTION_INSIDE_DATA) { 1937 if (vstream_setjmp(session->stream) != 0) 1938 RETURN(smtp_stream_except(state, SMTP_ERR_EOF, 1939 "sending message body")); 1940 } else { 1941 if ((except = vstream_setjmp(session->stream)) != 0) 1942 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1943 xfer_states[recv_state]) : -1); 1944 } 1945 resp = smtp_chat_resp(session); 1946 1947 /* 1948 * Process the response. 1949 */ 1950 switch (recv_state) { 1951 1952 /* 1953 * Process the XFORWARD response. 1954 */ 1955 case SMTP_STATE_XFORWARD_NAME_ADDR: 1956 if (resp->code / 100 != 2) 1957 msg_warn("host %s said: %s (in reply to %s)", 1958 session->namaddrport, 1959 translit(resp->str, "\n", " "), 1960 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]); 1961 if (session->send_proto_helo) 1962 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1963 else 1964 recv_state = SMTP_STATE_MAIL; 1965 break; 1966 1967 case SMTP_STATE_XFORWARD_PROTO_HELO: 1968 if (resp->code / 100 != 2) 1969 msg_warn("host %s said: %s (in reply to %s)", 1970 session->namaddrport, 1971 translit(resp->str, "\n", " "), 1972 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]); 1973 recv_state = SMTP_STATE_MAIL; 1974 break; 1975 1976 /* 1977 * Process the MAIL FROM response. When the server 1978 * rejects the sender, set the mail_from_rejected flag so 1979 * that the receiver may apply a course correction. 1980 */ 1981 case SMTP_STATE_MAIL: 1982 if (resp->code / 100 != 2) { 1983 smtp_mesg_fail(state, STR(iter->host), resp, 1984 "host %s said: %s (in reply to %s)", 1985 session->namaddr, 1986 translit(resp->str, "\n", " "), 1987 xfer_request[SMTP_STATE_MAIL]); 1988 mail_from_rejected = 1; 1989 } 1990 1991 /* 1992 * CVE-2009-3555 (TLS renegotiation). Whatever it was 1993 * that arrived before we sent our MAIL FROM command, it 1994 * was not a fatal-level TLS alert message. It could be a 1995 * warning-level TLS alert message, or a ChangeCipherSpec 1996 * message, but such messages are not normally sent in 1997 * the middle of a TLS session. We disconnect and try 1998 * again later. 1999 */ 2000 #ifdef USE_TLS 2001 if (var_smtp_tls_blk_early_mail_reply 2002 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) { 2003 smtp_site_fail(state, DSN_BY_LOCAL_MTA, 2004 SMTP_RESP_FAKE(&fake, "4.7.0"), 2005 "unexpected server message"); 2006 msg_warn("server %s violates %s policy", 2007 session->namaddr, 2008 VAR_LMTP_SMTP(TLS_BLK_EARLY_MAIL_REPLY)); 2009 mail_from_rejected = 1; 2010 } 2011 #endif 2012 2013 /* 2014 * We now return to our regular broadcast. 2015 */ 2016 recv_state = SMTP_STATE_RCPT; 2017 break; 2018 2019 /* 2020 * Process one RCPT TO response. If MAIL FROM was 2021 * rejected, ignore RCPT TO responses: all recipients are 2022 * dead already. When all recipients are rejected the 2023 * receiver may apply a course correction. 2024 * 2025 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply 2026 * must be treated as if the server replied with 452. 2027 * However, this causes "too much mail data" to be 2028 * treated as a recoverable error, which is wrong. I'll 2029 * stick with RFC 821. 2030 */ 2031 case SMTP_STATE_RCPT: 2032 if (!mail_from_rejected) { 2033 #ifdef notdef 2034 if (resp->code == 552) { 2035 resp->code = 452; 2036 resp->dsn[0] = '4'; 2037 } 2038 #endif 2039 rcpt = request->rcpt_list.info + recv_rcpt; 2040 if (resp->code / 100 == 2) { 2041 if (!smtp_mode) { 2042 if (survivors == 0) 2043 survivors = (int *) 2044 mymalloc(request->rcpt_list.len 2045 * sizeof(int)); 2046 survivors[nrcpt] = recv_rcpt; 2047 } 2048 ++nrcpt; 2049 /* If trace-only, mark the recipient done. */ 2050 if (DEL_REQ_TRACE_ONLY(request->flags) 2051 && smtp_vrfy_tgt == SMTP_STATE_RCPT) { 2052 translit(resp->str, "\n", " "); 2053 smtp_rcpt_done(state, resp, rcpt); 2054 } 2055 } else { 2056 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 2057 "host %s said: %s (in reply to %s)", 2058 session->namaddr, 2059 translit(resp->str, "\n", " "), 2060 xfer_request[SMTP_STATE_RCPT]); 2061 } 2062 } 2063 /* If trace-only, send RSET instead of DATA. */ 2064 if (++recv_rcpt == SMTP_RCPT_LEFT(state)) 2065 recv_state = (DEL_REQ_TRACE_ONLY(request->flags) 2066 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ? 2067 SMTP_STATE_ABORT : SMTP_STATE_DATA; 2068 /* XXX Also: record if non-delivering session. */ 2069 break; 2070 2071 /* 2072 * Process the DATA response. When the server rejects 2073 * DATA, set nrcpt to a negative value so that the 2074 * receiver can apply a course correction. 2075 */ 2076 case SMTP_STATE_DATA: 2077 recv_state = SMTP_STATE_DOT; 2078 if (resp->code / 100 != 3) { 2079 if (nrcpt > 0) 2080 smtp_mesg_fail(state, STR(iter->host), resp, 2081 "host %s said: %s (in reply to %s)", 2082 session->namaddr, 2083 translit(resp->str, "\n", " "), 2084 xfer_request[SMTP_STATE_DATA]); 2085 nrcpt = -1; 2086 } 2087 2088 /* 2089 * In the case of a successful address probe with target 2090 * equal to DATA, the remote server is now in the DATA 2091 * state, and therefore we must not make any further 2092 * attempt to send or receive on this connection. This 2093 * means that we cannot not reuse the general-purpose 2094 * course-correction logic below which sends RSET (and 2095 * perhaps QUIT). Instead we "jump" straight to the exit 2096 * and force an unceremonious disconnect. 2097 */ 2098 else if (DEL_REQ_TRACE_ONLY(request->flags) 2099 && smtp_vrfy_tgt == SMTP_STATE_DATA) { 2100 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 2101 rcpt = request->rcpt_list.info + nrcpt; 2102 if (!SMTP_RCPT_ISMARKED(rcpt)) { 2103 translit(resp->str, "\n", " "); 2104 SMTP_RESP_SET_DSN(resp, "2.0.0"); 2105 smtp_rcpt_done(state, resp, rcpt); 2106 } 2107 } 2108 DONT_CACHE_THIS_SESSION; 2109 send_state = recv_state = SMTP_STATE_LAST; 2110 } 2111 break; 2112 2113 /* 2114 * Process the end of message response. Ignore the 2115 * response when no recipient was accepted: all 2116 * recipients are dead already, and the next receiver 2117 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise, 2118 * if the message transfer fails, bounce all remaining 2119 * recipients, else cross off the recipients that were 2120 * delivered. 2121 */ 2122 case SMTP_STATE_DOT: 2123 GETTIMEOFDAY(&request->msg_stats.deliver_done); 2124 if (smtp_mode) { 2125 if (nrcpt > 0) { 2126 if (resp->code / 100 != 2) { 2127 smtp_mesg_fail(state, STR(iter->host), resp, 2128 "host %s said: %s (in reply to %s)", 2129 session->namaddr, 2130 translit(resp->str, "\n", " "), 2131 xfer_request[SMTP_STATE_DOT]); 2132 } else { 2133 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 2134 rcpt = request->rcpt_list.info + nrcpt; 2135 if (!SMTP_RCPT_ISMARKED(rcpt)) { 2136 translit(resp->str, "\n", " "); 2137 smtp_rcpt_done(state, resp, rcpt); 2138 } 2139 } 2140 } 2141 } 2142 } 2143 2144 /* 2145 * With LMTP we have one response per accepted RCPT TO 2146 * command. Stay in the SMTP_STATE_DOT state until we 2147 * have collected all responses. 2148 */ 2149 else { 2150 if (nrcpt > 0) { 2151 rcpt = request->rcpt_list.info 2152 + survivors[recv_done++]; 2153 if (resp->code / 100 != 2) { 2154 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 2155 "host %s said: %s (in reply to %s)", 2156 session->namaddr, 2157 translit(resp->str, "\n", " "), 2158 xfer_request[SMTP_STATE_DOT]); 2159 } else { 2160 translit(resp->str, "\n", " "); 2161 smtp_rcpt_done(state, resp, rcpt); 2162 } 2163 } 2164 if (msg_verbose) 2165 msg_info("%s: got %d of %d end-of-data replies", 2166 myname, recv_done, nrcpt); 2167 if (recv_done < nrcpt) 2168 break; 2169 } 2170 2171 /* 2172 * XXX Do not change the connection caching state here, 2173 * even if the connection caching timer expired between 2174 * generating the command and processing the reply, 2175 * otherwise the sender and receiver loops get out of 2176 * sync. The caller will call smtp_quit() if appropriate. 2177 */ 2178 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED 2179 || LOST_CONNECTION_INSIDE_DATA) 2180 recv_state = SMTP_STATE_LAST; 2181 else 2182 recv_state = SMTP_STATE_QUIT; 2183 break; 2184 2185 /* 2186 * Receive the RSET response. 2187 * 2188 * The SMTP_STATE_ABORT sender state is entered by the 2189 * sender when it has verified all recipients; or it is 2190 * entered by the receiver when all recipients are 2191 * verified or rejected, and is then left before the 2192 * bottom of the main loop. 2193 * 2194 * XXX Do not change the connection caching state here, even 2195 * if the server rejected RSET or if the connection 2196 * caching timer expired between generating the command 2197 * and processing the reply, otherwise the sender and 2198 * receiver loops get out of sync. The caller will call 2199 * smtp_quit() if appropriate. 2200 */ 2201 case SMTP_STATE_ABORT: 2202 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ? 2203 SMTP_STATE_LAST : SMTP_STATE_QUIT); 2204 break; 2205 2206 /* 2207 * This is the initial receiver state from smtp_rset(). 2208 * It is used to find out the status of a cached session 2209 * before attempting mail delivery. 2210 */ 2211 case SMTP_STATE_RSET: 2212 if (resp->code / 100 != 2) 2213 CANT_RSET_THIS_SESSION; 2214 recv_state = SMTP_STATE_LAST; 2215 break; 2216 2217 /* 2218 * Receive, but otherwise ignore, the QUIT response. 2219 */ 2220 case SMTP_STATE_QUIT: 2221 recv_state = SMTP_STATE_LAST; 2222 break; 2223 } 2224 } 2225 2226 /* 2227 * At this point, the sender and receiver are fully synchronized. 2228 */ 2229 2230 /* 2231 * We know the server response to every command that was sent. 2232 * Apply a course correction if necessary: the sender wants to 2233 * send RCPT TO but MAIL FROM was rejected; the sender wants to 2234 * send DATA but all recipients were rejected; the sender wants 2235 * to deliver the message but DATA was rejected. 2236 */ 2237 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected) 2238 || (send_state == SMTP_STATE_DATA && nrcpt == 0) 2239 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) { 2240 send_state = recv_state = SMTP_STATE_ABORT; 2241 send_rcpt = recv_rcpt = 0; 2242 vstring_strcpy(next_command, "RSET"); 2243 if (THIS_SESSION_IS_EXPIRED) 2244 DONT_CACHE_THIS_SESSION; 2245 next_state = THIS_SESSION_IS_CACHED ? 2246 SMTP_STATE_LAST : SMTP_STATE_QUIT; 2247 /* XXX Also: record if non-delivering session. */ 2248 next_rcpt = 0; 2249 } 2250 } 2251 2252 /* 2253 * Make the next sender state the current sender state. 2254 */ 2255 if (send_state == SMTP_STATE_LAST) 2256 continue; 2257 2258 /* 2259 * Special case if the server accepted the DATA command. If the 2260 * server accepted at least one recipient send the entire message. 2261 * Otherwise, just send "." as per RFC 2197. 2262 * 2263 * XXX If there is a hard MIME error while downgrading to 7-bit mail, 2264 * disconnect ungracefully, because there is no other way to cancel a 2265 * transaction in progress. 2266 */ 2267 if (send_state == SMTP_STATE_DOT && nrcpt > 0) { 2268 2269 smtp_stream_setup(session->stream, var_smtp_data1_tmout, 2270 var_smtp_rec_deadline); 2271 2272 if ((except = vstream_setjmp(session->stream)) == 0) { 2273 2274 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0) 2275 msg_fatal("seek queue file: %m"); 2276 2277 downgrading = SMTP_MIME_DOWNGRADE(session, request); 2278 2279 /* 2280 * XXX Don't downgrade just because generic_maps is turned 2281 * on. 2282 */ 2283 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks) 2284 2285 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS) 2286 session->mime_state = mime_state_alloc(downgrading ? 2287 MIME_OPT_DOWNGRADE 2288 | MIME_OPT_REPORT_NESTING : 2289 SMTP_ANY_CHECKS == 0 ? 2290 MIME_OPT_DISABLE_MIME : 2291 0, 2292 smtp_generic_maps 2293 || smtp_header_checks ? 2294 smtp_header_rewrite : 2295 smtp_header_out, 2296 (MIME_STATE_ANY_END) 0, 2297 smtp_body_checks ? 2298 smtp_body_rewrite : 2299 smtp_text_out, 2300 (MIME_STATE_ANY_END) 0, 2301 (MIME_STATE_ERR_PRINT) 0, 2302 (void *) state); 2303 state->space_left = var_smtp_line_limit; 2304 2305 if ((smtp_cli_attr.flags & SMTP_CLI_MASK_ADD_HEADERS) != 0 2306 && smtp_out_add_headers(state) < 0) 2307 RETURN(0); 2308 2309 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) { 2310 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 2311 break; 2312 if (smtp_out_raw_or_mime(state, session->scratch) < 0) 2313 RETURN(0); 2314 prev_type = rec_type; 2315 } 2316 2317 if (session->mime_state) { 2318 2319 /* 2320 * The cleanup server normally ends MIME content with a 2321 * normal text record. The following code is needed to 2322 * flush an internal buffer when someone submits 8-bit 2323 * mail not ending in newline via /usr/sbin/sendmail 2324 * while MIME input processing is turned off, and MIME 2325 * 8bit->7bit conversion is requested upon delivery. 2326 * 2327 * Or some error while doing generic address mapping. 2328 */ 2329 mime_errs = 2330 mime_state_update(session->mime_state, rec_type, "", 0); 2331 if (mime_errs) { 2332 smtp_mime_fail(state, mime_errs); 2333 RETURN(0); 2334 } 2335 } else if (prev_type == REC_TYPE_CONT) /* missing newline */ 2336 smtp_fputs("", 0, session->stream); 2337 if (session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) { 2338 smtp_flush(session->stream);/* hurts performance */ 2339 sleep(var_smtp_pix_delay); /* not to mention this */ 2340 } 2341 if (vstream_ferror(state->src)) 2342 msg_fatal("queue file read error"); 2343 if (rec_type != REC_TYPE_XTRA) { 2344 msg_warn("%s: bad record type: %d in message content", 2345 request->queue_id, rec_type); 2346 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2347 SMTP_RESP_FAKE(&fake, "5.3.0"), 2348 "unreadable mail queue entry"); 2349 /* Bailing out, abort stream with prejudice */ 2350 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 2351 DONT_USE_FORBIDDEN_SESSION; 2352 /* If bounce_append() succeeded, status is still 0 */ 2353 if (state->status == 0) 2354 (void) mark_corrupt(state->src); 2355 /* Don't override smtp_mesg_fail() here. */ 2356 RETURN(fail_status); 2357 } 2358 } else { 2359 if (!LOST_CONNECTION_INSIDE_DATA) 2360 RETURN(smtp_stream_except(state, except, 2361 "sending message body")); 2362 2363 /* 2364 * We will clear the stream error flag to try and read a 2365 * premature 5XX response, so it is important to flush any 2366 * unwritten data. Otherwise, we will try to flush it again 2367 * before reading, which may incur an unnecessary delay and 2368 * will prevent the reading of any response that is not 2369 * already buffered (bundled with the DATA 354 response). 2370 * 2371 * Not much point in sending QUIT at this point, skip right to 2372 * SMTP_STATE_LAST. The read engine above will likewise avoid 2373 * looking for a QUIT response. 2374 */ 2375 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE); 2376 next_state = SMTP_STATE_LAST; 2377 } 2378 } 2379 2380 /* 2381 * Copy the next command to the buffer and update the sender state. 2382 */ 2383 if (except == 0) { 2384 smtp_chat_cmd(session, "%s", vstring_str(next_command)); 2385 } else { 2386 DONT_CACHE_THIS_SESSION; 2387 } 2388 send_state = next_state; 2389 send_rcpt = next_rcpt; 2390 } while (recv_state != SMTP_STATE_LAST); 2391 RETURN(0); 2392 } 2393 2394 /* smtp_xfer - send a batch of envelope information and the message data */ 2395 2396 int smtp_xfer(SMTP_STATE *state) 2397 { 2398 DELIVER_REQUEST *request = state->request; 2399 SMTP_SESSION *session = state->session; 2400 SMTP_RESP fake; 2401 int send_state; 2402 int recv_state; 2403 int send_name_addr; 2404 int result; 2405 2406 /* 2407 * Sanity check. Recipients should be unmarked at this point. 2408 */ 2409 if (SMTP_RCPT_LEFT(state) <= 0) 2410 msg_panic("smtp_xfer: bad recipient count: %d", 2411 SMTP_RCPT_LEFT(state)); 2412 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info)) 2413 msg_panic("smtp_xfer: bad recipient status: %d", 2414 request->rcpt_list.info->u.status); 2415 2416 /* 2417 * See if we should even try to send this message at all. This code sits 2418 * here rather than in the EHLO processing code, because of SMTP 2419 * connection caching. 2420 */ 2421 if (session->size_limit > 0 && session->size_limit < request->data_size) { 2422 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2423 SMTP_RESP_FAKE(&fake, "5.3.4"), 2424 "message size %lu exceeds size limit %.0f of server %s", 2425 request->data_size, (double) session->size_limit, 2426 session->namaddr); 2427 /* Redundant. We abort this delivery attempt. */ 2428 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2429 return (0); 2430 } 2431 2432 /* 2433 * Use XFORWARD to forward the origin of this email message across an 2434 * SMTP-based content filter. Send client attribute information only if 2435 * it exists (i.e. remote submission). Local submissions have no client 2436 * attributes; the mail will appear to originate from the content filter 2437 * which is acceptable. 2438 */ 2439 send_name_addr = 2440 var_smtp_send_xforward 2441 && (((session->features & SMTP_FEATURE_XFORWARD_NAME) 2442 && CAN_FORWARD_CLIENT_NAME(request->client_name)) 2443 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 2444 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) 2445 || ((session->features & SMTP_FEATURE_XFORWARD_PORT) 2446 && CAN_FORWARD_CLIENT_PORT(request->client_port))); 2447 session->send_proto_helo = 2448 var_smtp_send_xforward 2449 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) 2450 && CAN_FORWARD_PROTO_NAME(request->client_proto)) 2451 || ((session->features & SMTP_FEATURE_XFORWARD_HELO) 2452 && CAN_FORWARD_HELO_NAME(request->client_helo)) 2453 || ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 2454 && CAN_FORWARD_IDENT_NAME(request->log_ident)) 2455 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 2456 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); 2457 if (send_name_addr) 2458 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; 2459 else if (session->send_proto_helo) 2460 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO; 2461 else 2462 recv_state = send_state = SMTP_STATE_MAIL; 2463 2464 /* 2465 * Remember this session's "normal completion", even if the server 4xx-ed 2466 * some or all recipients. Connection or handshake errors with a later MX 2467 * host should not cause this destination be marked as unreachable. 2468 */ 2469 result = smtp_loop(state, send_state, recv_state); 2470 2471 if (result == 0 2472 /* Just in case */ 2473 && vstream_ferror(session->stream) == 0 2474 && vstream_feof(session->stream) == 0) 2475 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2476 2477 return (result); 2478 } 2479 2480 /* smtp_rset - send a lone RSET command */ 2481 2482 int smtp_rset(SMTP_STATE *state) 2483 { 2484 2485 /* 2486 * This works because SMTP_STATE_RSET is a dedicated sender/recipient 2487 * entry state, with SMTP_STATE_LAST as next sender/recipient state. 2488 */ 2489 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET)); 2490 } 2491 2492 /* smtp_quit - send a lone QUIT command */ 2493 2494 int smtp_quit(SMTP_STATE *state) 2495 { 2496 2497 /* 2498 * This works because SMTP_STATE_QUIT is the last state with a sender 2499 * action, with SMTP_STATE_LAST as the next sender/recipient state. 2500 */ 2501 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ? 2502 SMTP_STATE_LAST : SMTP_STATE_QUIT)); 2503 } 2504