1 /* $NetBSD: smtp_proto.c,v 1.1.1.4 2013/01/02 18:59:08 tron Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_proto 3 6 /* SUMMARY 7 /* client SMTP/LMTP protocol 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* int smtp_helo(state) 12 /* SMTP_STATE *state; 13 /* 14 /* int smtp_xfer(state) 15 /* SMTP_STATE *state; 16 /* 17 /* int smtp_rset(state) 18 /* SMTP_STATE *state; 19 /* 20 /* int smtp_quit(state) 21 /* SMTP_STATE *state; 22 /* DESCRIPTION 23 /* In the subsequent text, SMTP implies LMTP. 24 /* This module implements the client side of the SMTP protocol. 25 /* 26 /* smtp_helo() performs the initial handshake with the SMTP server. 27 /* When TLS is enabled, this includes STARTTLS negotiations. 28 /* 29 /* smtp_xfer() sends message envelope information followed by the 30 /* message data, and finishes the SMTP conversation. These operations 31 /* are combined in one function, in order to implement SMTP pipelining. 32 /* Recipients are marked as "done" in the mail queue file when 33 /* bounced or delivered. The message delivery status is updated 34 /* accordingly. 35 /* 36 /* smtp_rset() sends a single RSET command and waits for the 37 /* response. In case of a negative reply it sets the 38 /* CANT_RSET_THIS_SESSION flag. 39 /* 40 /* smtp_quit() sends a single QUIT command and waits for the 41 /* response if configured to do so. It always turns off connection 42 /* caching. 43 /* DIAGNOSTICS 44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return 45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(), 46 /* smtp_rset() and smtp_quit(), success means the ability to 47 /* perform an SMTP conversation, not necessarily the ability 48 /* to deliver mail, or the achievement of server happiness. 49 /* 50 /* In case of a rejected or failed connection, a connection 51 /* is marked as "bad, do not cache". Otherwise, connection 52 /* caching may be turned off (without being marked "bad") at 53 /* the discretion of the code that implements the individual 54 /* protocol steps. 55 /* 56 /* Warnings: corrupt message file. A corrupt message is marked 57 /* as "corrupt" by changing its queue file permissions. 58 /* BUGS 59 /* Some SMTP servers will abort when the number of recipients 60 /* for one message exceeds their capacity. This behavior violates 61 /* the SMTP protocol. 62 /* The only way around this is to limit the number of recipients 63 /* per transaction to an artificially-low value. 64 /* SEE ALSO 65 /* smtp(3h) internal data structures 66 /* smtp_chat(3) query/reply SMTP support 67 /* smtp_trouble(3) error handlers 68 /* LICENSE 69 /* .ad 70 /* .fi 71 /* The Secure Mailer license must be distributed with this software. 72 /* AUTHOR(S) 73 /* Wietse Venema 74 /* IBM T.J. Watson Research 75 /* P.O. Box 704 76 /* Yorktown Heights, NY 10598, USA 77 /* 78 /* Pipelining code in cooperation with: 79 /* Jon Ribbens 80 /* Oaktree Internet Solutions Ltd., 81 /* Internet House, 82 /* Canal Basin, 83 /* Coventry, 84 /* CV1 4LY, United Kingdom. 85 /* 86 /* Connection caching in cooperation with: 87 /* Victor Duchovni 88 /* Morgan Stanley 89 /* 90 /* TLS support originally by: 91 /* Lutz Jaenicke 92 /* BTU Cottbus 93 /* Allgemeine Elektrotechnik 94 /* Universitaetsplatz 3-4 95 /* D-03044 Cottbus, Germany 96 /*--*/ 97 98 /* System library. */ 99 100 #include <sys_defs.h> 101 #include <sys/stat.h> 102 #include <sys/socket.h> /* shutdown(2) */ 103 #include <netinet/in.h> /* ntohs() */ 104 #include <string.h> 105 #include <unistd.h> 106 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */ 107 #include <stdarg.h> 108 #include <time.h> 109 110 #ifdef STRCASECMP_IN_STRINGS_H 111 #include <strings.h> 112 #endif 113 114 /* Utility library. */ 115 116 #include <msg.h> 117 #include <vstring.h> 118 #include <vstream.h> 119 #include <vstring_vstream.h> 120 #include <stringops.h> 121 #include <mymalloc.h> 122 #include <iostuff.h> 123 #include <split_at.h> 124 #include <name_code.h> 125 #include <name_mask.h> 126 127 /* Global library. */ 128 129 #include <mail_params.h> 130 #include <smtp_stream.h> 131 #include <mail_queue.h> 132 #include <recipient_list.h> 133 #include <deliver_request.h> 134 #include <defer.h> 135 #include <bounce.h> 136 #include <record.h> 137 #include <rec_type.h> 138 #include <off_cvt.h> 139 #include <mark_corrupt.h> 140 #include <quote_821_local.h> 141 #include <quote_822_local.h> 142 #include <mail_proto.h> 143 #include <mime_state.h> 144 #include <ehlo_mask.h> 145 #include <maps.h> 146 #include <tok822.h> 147 #include <mail_addr_map.h> 148 #include <ext_prop.h> 149 #include <lex_822.h> 150 #include <dsn_mask.h> 151 #include <xtext.h> 152 153 /* Application-specific. */ 154 155 #include "smtp.h" 156 #include "smtp_sasl.h" 157 158 /* 159 * Sender and receiver state. A session does not necessarily go through a 160 * linear progression, but states are guaranteed to not jump backwards. 161 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states 162 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST. 163 * 164 * When connection caching is enabled, the QUIT state is suppressed. Normal 165 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions 166 * end with ABORT->LAST. The connection is left open for a limited time. An 167 * RSET probe should be sent before attempting to reuse an open connection 168 * for a new transaction. 169 * 170 * The code to send an RSET probe is a special case with its own initial state 171 * and with its own dedicated state transitions. The session proceeds as 172 * RSET->LAST. This code is kept inside the main protocol engine for 173 * consistent error handling and error reporting. It is not to be confused 174 * with the code that sends RSET to abort a mail transaction in progress. 175 * 176 * The code to send QUIT without message delivery transaction jumps into the 177 * main state machine. If this introduces complications, then we should 178 * introduce a second QUIT state with its own dedicated state transitions, 179 * just like we did for RSET probes. 180 * 181 * By default, the receiver skips the QUIT response. Some SMTP servers 182 * disconnect after responding to ".", and some SMTP servers wait before 183 * responding to QUIT. 184 * 185 * Client states that are associated with sending mail (up to and including 186 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending 187 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST). 188 */ 189 #define SMTP_STATE_XFORWARD_NAME_ADDR 0 190 #define SMTP_STATE_XFORWARD_PROTO_HELO 1 191 #define SMTP_STATE_MAIL 2 192 #define SMTP_STATE_RCPT 3 193 #define SMTP_STATE_DATA 4 194 #define SMTP_STATE_DOT 5 195 #define SMTP_STATE_ABORT 6 196 #define SMTP_STATE_RSET 7 197 #define SMTP_STATE_QUIT 8 198 #define SMTP_STATE_LAST 9 199 200 int *xfer_timeouts[SMTP_STATE_LAST] = { 201 &var_smtp_xfwd_tmout, /* name/addr */ 202 &var_smtp_xfwd_tmout, /* helo/proto */ 203 &var_smtp_mail_tmout, 204 &var_smtp_rcpt_tmout, 205 &var_smtp_data0_tmout, 206 &var_smtp_data2_tmout, 207 &var_smtp_rset_tmout, 208 &var_smtp_rset_tmout, 209 &var_smtp_quit_tmout, 210 }; 211 212 char *xfer_states[SMTP_STATE_LAST] = { 213 "sending XFORWARD name/address", 214 "sending XFORWARD protocol/helo_name", 215 "sending MAIL FROM", 216 "sending RCPT TO", 217 "sending DATA command", 218 "sending end of data -- message may be sent more than once", 219 "sending final RSET", 220 "sending RSET probe", 221 "sending QUIT", 222 }; 223 224 char *xfer_request[SMTP_STATE_LAST] = { 225 "XFORWARD name/address command", 226 "XFORWARD helo/protocol command", 227 "MAIL FROM command", 228 "RCPT TO command", 229 "DATA command", 230 "end of DATA command", 231 "final RSET command", 232 "RSET probe", 233 "QUIT command", 234 }; 235 236 #define SMTP_MIME_DOWNGRADE(session, request) \ 237 (var_disable_mime_oconv == 0 \ 238 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \ 239 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0) 240 241 static int smtp_start_tls(SMTP_STATE *); 242 243 /* 244 * Call-back information for header/body checks. We don't provide call-backs 245 * for actions that change the message delivery time or destination. 246 */ 247 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *); 248 static void smtp_text_out(void *, int, const char *, ssize_t, off_t); 249 250 HBC_CALL_BACKS smtp_hbc_callbacks[1] = { 251 smtp_hbc_logger, 252 smtp_text_out, 253 }; 254 255 /* smtp_helo - perform initial handshake with SMTP server */ 256 257 int smtp_helo(SMTP_STATE *state) 258 { 259 const char *myname = "smtp_helo"; 260 SMTP_SESSION *session = state->session; 261 DELIVER_REQUEST *request = state->request; 262 SMTP_RESP *resp; 263 SMTP_RESP fake; 264 int except; 265 char *lines; 266 char *words; 267 char *word; 268 int n; 269 static const NAME_CODE xforward_features[] = { 270 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME, 271 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR, 272 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT, 273 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO, 274 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO, 275 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT, 276 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN, 277 0, 0, 278 }; 279 const char *ehlo_words; 280 int discard_mask; 281 static const NAME_MASK pix_bug_table[] = { 282 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP, 283 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF, 284 0, 285 }; 286 const char *pix_bug_words; 287 const char *pix_bug_source; 288 int pix_bug_mask; 289 290 #ifdef USE_TLS 291 int saved_features = session->features; 292 int tls_helo_status; 293 294 #endif 295 const char *NOCLOBBER where; 296 297 /* 298 * Prepare for disaster. 299 */ 300 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout, 301 var_smtp_rec_deadline); 302 if ((except = vstream_setjmp(state->session->stream)) != 0) 303 return (smtp_stream_except(state, except, where)); 304 305 /* 306 * If not recursing after STARTTLS, examine the server greeting banner 307 * and decide if we are going to send EHLO as the next command. 308 */ 309 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 310 311 /* 312 * Read and parse the server's SMTP greeting banner. 313 */ 314 where = "receiving the initial server greeting"; 315 switch ((resp = smtp_chat_resp(session))->code / 100) { 316 case 2: 317 break; 318 case 5: 319 if (var_smtp_skip_5xx_greeting) 320 STR(resp->dsn_buf)[0] = '4'; 321 /* FALLTHROUGH */ 322 default: 323 return (smtp_site_fail(state, session->host, resp, 324 "host %s refused to talk to me: %s", 325 session->namaddr, 326 translit(resp->str, "\n", " "))); 327 } 328 329 /* 330 * If the policy table specifies a bogus TLS security level, fail 331 * now. 332 */ 333 #ifdef USE_TLS 334 if (session->tls_level == TLS_LEV_INVALID) 335 /* Warning is already logged. */ 336 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 337 SMTP_RESP_FAKE(&fake, "4.7.0"), 338 "client TLS configuration problem")); 339 #endif 340 341 /* 342 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so 343 * it does not span a packet boundary. This hurts performance so it 344 * is not on by default. 345 */ 346 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) { 347 /* Best effort only. Ignore errors. */ 348 if (smtp_pix_bug_maps != 0 349 && (pix_bug_words = 350 maps_find(smtp_pix_bug_maps, 351 state->session->addr, 0)) != 0) { 352 pix_bug_source = VAR_SMTP_PIX_BUG_MAPS; 353 } else { 354 pix_bug_words = var_smtp_pix_bug_words; 355 pix_bug_source = VAR_SMTP_PIX_BUG_WORDS; 356 } 357 if (*pix_bug_words) { 358 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table, 359 pix_bug_words, 360 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE); 361 msg_info("%s: enabling PIX workarounds: %s for %s", 362 request->queue_id, 363 str_name_mask("pix workaround bitmask", 364 pix_bug_table, pix_bug_mask), 365 session->namaddrport); 366 session->features |= pix_bug_mask; 367 } 368 } 369 370 /* 371 * See if we are talking to ourself. This should not be possible with 372 * the way we implement DNS lookups. However, people are known to 373 * sometimes screw up the naming service. And, mailer loops are still 374 * possible when our own mailer routing tables are mis-configured. 375 */ 376 words = resp->str; 377 (void) mystrtok(&words, "- \t\n"); 378 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) { 379 if (n == 0 && strcasecmp(word, var_myhostname) == 0) { 380 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) 381 msg_warn("host %s greeted me with my own hostname %s", 382 session->namaddrport, var_myhostname); 383 } else if (strcasecmp(word, "ESMTP") == 0) 384 session->features |= SMTP_FEATURE_ESMTP; 385 } 386 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 387 if (var_smtp_always_ehlo 388 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0) 389 session->features |= SMTP_FEATURE_ESMTP; 390 if (var_smtp_never_ehlo 391 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0) 392 session->features &= ~SMTP_FEATURE_ESMTP; 393 } else { 394 session->features |= SMTP_FEATURE_ESMTP; 395 } 396 } 397 398 /* 399 * If recursing after STARTTLS, there is no server greeting banner. 400 * Always send EHLO as the next command. 401 */ 402 else { 403 session->features |= SMTP_FEATURE_ESMTP; 404 } 405 406 /* 407 * Return the compliment. Fall back to SMTP if our ESMTP recognition 408 * heuristic failed. 409 */ 410 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 411 where = "performing the EHLO handshake"; 412 if (session->features & SMTP_FEATURE_ESMTP) { 413 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name); 414 if ((resp = smtp_chat_resp(session))->code / 100 != 2) { 415 if (resp->code == 421) 416 return (smtp_site_fail(state, session->host, resp, 417 "host %s refused to talk to me: %s", 418 session->namaddr, 419 translit(resp->str, "\n", " "))); 420 else 421 session->features &= ~SMTP_FEATURE_ESMTP; 422 } 423 } 424 if ((session->features & SMTP_FEATURE_ESMTP) == 0) { 425 where = "performing the HELO handshake"; 426 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name); 427 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 428 return (smtp_site_fail(state, session->host, resp, 429 "host %s refused to talk to me: %s", 430 session->namaddr, 431 translit(resp->str, "\n", " "))); 432 } 433 } else { 434 where = "performing the LHLO handshake"; 435 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name); 436 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 437 return (smtp_site_fail(state, session->host, resp, 438 "host %s refused to talk to me: %s", 439 session->namaddr, 440 translit(resp->str, "\n", " "))); 441 } 442 443 /* 444 * No early returns allowed, to ensure consistent handling of TLS and 445 * SASL policies. 446 */ 447 if (session->features & SMTP_FEATURE_ESMTP) { 448 449 /* 450 * Determine what server EHLO keywords to ignore, typically to avoid 451 * inter-operability problems. 452 */ 453 if (smtp_ehlo_dis_maps == 0 454 || (ehlo_words = maps_find(smtp_ehlo_dis_maps, 455 state->session->addr, 0)) == 0) 456 ehlo_words = var_smtp_ehlo_dis_words; 457 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) { 458 msg_warn("%s: %s map lookup error for %s", 459 session->state->request->queue_id, 460 smtp_ehlo_dis_maps->title, state->session->addr); 461 vstream_longjmp(session->stream, SMTP_ERR_DATA); 462 } 463 discard_mask = ehlo_mask(ehlo_words); 464 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 465 msg_info("discarding EHLO keywords: %s", 466 str_ehlo_mask(discard_mask)); 467 468 /* 469 * Pick up some useful features offered by the SMTP server. XXX Until 470 * we have a portable routine to convert from string to off_t with 471 * proper overflow detection, ignore the message size limit 472 * advertised by the SMTP server. Otherwise, we might do the wrong 473 * thing when the server advertises a really huge message size limit. 474 * 475 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", 476 * because MicroSoft implemented AUTH based on an old draft. 477 */ 478 lines = resp->str; 479 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) { 480 if (mystrtok(&words, "- ") 481 && (word = mystrtok(&words, " \t=")) != 0) { 482 if (n == 0) { 483 if (session->helo != 0) 484 myfree(session->helo); 485 486 /* 487 * XXX: Keep the original case: we don't expect a single 488 * SMTP server to randomly change the case of its helo 489 * response. If different capitalization is detected, we 490 * should assume disjoint TLS caches. 491 */ 492 session->helo = mystrdup(word); 493 if (strcasecmp(word, var_myhostname) == 0 494 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) { 495 msg_warn("host %s replied to HELO/EHLO" 496 " with my own hostname %s", 497 session->namaddrport, var_myhostname); 498 if (session->features & SMTP_FEATURE_BEST_MX) 499 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 500 SMTP_RESP_FAKE(&fake, "5.4.6"), 501 "mail for %s loops back to myself", 502 request->nexthop)); 503 else 504 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 505 SMTP_RESP_FAKE(&fake, "4.4.6"), 506 "mail for %s loops back to myself", 507 request->nexthop)); 508 } 509 } else if (strcasecmp(word, "8BITMIME") == 0) { 510 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 511 session->features |= SMTP_FEATURE_8BITMIME; 512 } else if (strcasecmp(word, "PIPELINING") == 0) { 513 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 514 session->features |= SMTP_FEATURE_PIPELINING; 515 } else if (strcasecmp(word, "XFORWARD") == 0) { 516 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) 517 while ((word = mystrtok(&words, " \t")) != 0) 518 session->features |= 519 name_code(xforward_features, 520 NAME_CODE_FLAG_NONE, word); 521 } else if (strcasecmp(word, "SIZE") == 0) { 522 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 523 session->features |= SMTP_FEATURE_SIZE; 524 if ((word = mystrtok(&words, " \t")) != 0) { 525 if (!alldig(word)) 526 msg_warn("bad EHLO SIZE limit \"%s\" from %s", 527 word, session->namaddrport); 528 else 529 session->size_limit = off_cvt_string(word); 530 } 531 } 532 #ifdef USE_TLS 533 } else if (strcasecmp(word, "STARTTLS") == 0) { 534 /* Ignored later if we already sent STARTTLS. */ 535 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 536 session->features |= SMTP_FEATURE_STARTTLS; 537 #endif 538 #ifdef USE_SASL_AUTH 539 } else if (var_smtp_sasl_enable 540 && strcasecmp(word, "AUTH") == 0) { 541 if ((discard_mask & EHLO_MASK_AUTH) == 0) 542 smtp_sasl_helo_auth(session, words); 543 #endif 544 } else if (strcasecmp(word, "DSN") == 0) { 545 if ((discard_mask & EHLO_MASK_DSN) == 0) 546 session->features |= SMTP_FEATURE_DSN; 547 } 548 n++; 549 } 550 } 551 } 552 if (msg_verbose) 553 msg_info("server features: 0x%x size %.0f", 554 session->features, (double) session->size_limit); 555 556 /* 557 * We use SMTP command pipelining if the server said it supported it. 558 * Since we use blocking I/O, RFC 2197 says that we should inspect the 559 * TCP window size and not send more than this amount of information. 560 * Unfortunately this information is unavailable using the sockets 561 * interface. However, we *can* get the TCP send buffer size on the local 562 * TCP/IP stack. We should be able to fill this buffer without being 563 * blocked, and then the kernel will effectively do non-blocking I/O for 564 * us by automatically writing out the contents of its send buffer while 565 * we are reading in the responses. In addition to TCP buffering we have 566 * to be aware of application-level buffering by the vstream module, 567 * which is limited to a couple kbytes. 568 * 569 * XXX No need to do this before and after STARTTLS, but it's not a big deal 570 * if we do. 571 * 572 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as 573 * TLS messages. Thus, the TCP-level payload will be larger than the 574 * SMTP-level payload. This has implications for the PIPELINING engine. 575 * 576 * To avoid deadlock, the PIPELINING engine needs to request a TCP send 577 * buffer size that can hold the unacknowledged commands plus the TLS 578 * encapsulation overhead. 579 * 580 * The PIPELINING engine keeps the unacknowledged command size <= the 581 * default VSTREAM buffer size (to avoid small-write performance issues 582 * when the VSTREAM buffer size is at its default size). With a default 583 * VSTREAM buffer size of 4096 there is no reason to increase the 584 * unacknowledged command size as the TCP MSS increases. It's safer to 585 * spread the remote SMTP server's recipient processing load over time, 586 * than dumping a very large recipient list all at once. 587 * 588 * For TLS encapsulation overhead we make a conservative guess: take the 589 * current protocol overhead of ~40 bytes, double the number for future 590 * proofing (~80 bytes), then round up the result to the nearest power of 591 * 2 (128 bytes). Plus, be prepared for worst-case compression that 592 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS 593 * message becomes 15 kbytes. 594 */ 595 #define PIPELINING_BUFSIZE VSTREAM_BUFSIZE 596 #ifdef USE_TLS 597 #define TLS_WORST_PAYLOAD 16384 598 #define TLS_WORST_COMP_OVERHD 1024 599 #define TLS_WORST_PROTO_OVERHD 128 600 #define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD) 601 #define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD) 602 #endif 603 604 if (session->features & SMTP_FEATURE_PIPELINING) { 605 SOCKOPT_SIZE optlen; 606 int tcp_bufsize; 607 int enc_overhead = 0; 608 609 optlen = sizeof(tcp_bufsize); 610 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET, 611 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0) 612 msg_fatal("%s: getsockopt: %m", myname); 613 #ifdef USE_TLS 614 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) 615 enc_overhead += 616 (1 + (PIPELINING_BUFSIZE - 1) 617 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD; 618 #endif 619 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) { 620 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead; 621 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET, 622 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0) 623 msg_fatal("%s: setsockopt: %m", myname); 624 } 625 if (msg_verbose) 626 msg_info("Using %s PIPELINING, TCP send buffer size is %d, " 627 "PIPELINING buffer size is %d", (state->misc_flags & 628 SMTP_MISC_FLAG_USE_LMTP) ? "LMTP" : "ESMTP", 629 tcp_bufsize, PIPELINING_BUFSIZE); 630 } 631 #ifdef USE_TLS 632 633 /* 634 * Skip this part if we already sent STARTTLS. 635 */ 636 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 637 638 /* 639 * Optionally log unused STARTTLS opportunities. 640 */ 641 if ((session->features & SMTP_FEATURE_STARTTLS) && 642 var_smtp_tls_note_starttls_offer && 643 session->tls_level <= TLS_LEV_NONE) 644 msg_info("Host offered STARTTLS: [%s]", session->host); 645 646 /* 647 * Decide whether or not to send STARTTLS. 648 */ 649 if ((session->features & SMTP_FEATURE_STARTTLS) != 0 650 && smtp_tls_ctx != 0 && session->tls_level >= TLS_LEV_MAY) { 651 652 /* 653 * Prepare for disaster. 654 */ 655 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 656 var_smtp_rec_deadline); 657 if ((except = vstream_setjmp(state->session->stream)) != 0) 658 return (smtp_stream_except(state, except, 659 "receiving the STARTTLS response")); 660 661 /* 662 * Send STARTTLS. Recurse when the server accepts STARTTLS, after 663 * resetting the SASL and EHLO features lists. 664 * 665 * Reset the SASL mechanism list to avoid spurious warnings. 666 * 667 * Use the smtp_sasl_tls_security_options feature to allow SASL 668 * mechanisms that may not be allowed with plain-text 669 * connections. 670 */ 671 smtp_chat_cmd(session, "STARTTLS"); 672 if ((resp = smtp_chat_resp(session))->code / 100 == 2) { 673 #ifdef USE_SASL_AUTH 674 if (session->features & SMTP_FEATURE_AUTH) 675 smtp_sasl_cleanup(session); 676 #endif 677 session->features = saved_features; 678 /* XXX Mix-up of per-session and per-request flags. */ 679 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 680 tls_helo_status = smtp_start_tls(state); 681 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 682 return (tls_helo_status); 683 } 684 685 /* 686 * Give up if we must use TLS but the server rejects STARTTLS 687 * although support for it was announced in the EHLO response. 688 */ 689 session->features &= ~SMTP_FEATURE_STARTTLS; 690 if (session->tls_level >= TLS_LEV_ENCRYPT) 691 return (smtp_site_fail(state, session->host, resp, 692 "TLS is required, but host %s refused to start TLS: %s", 693 session->namaddr, 694 translit(resp->str, "\n", " "))); 695 /* Else try to continue in plain-text mode. */ 696 } 697 698 /* 699 * Give up if we must use TLS but can't for various reasons. 700 * 701 * 200412 Be sure to provide the default clause at the bottom of this 702 * block. When TLS is required we must never, ever, end up in 703 * plain-text mode. 704 */ 705 if (session->tls_level >= TLS_LEV_ENCRYPT) { 706 if (!(session->features & SMTP_FEATURE_STARTTLS)) { 707 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 708 SMTP_RESP_FAKE(&fake, "4.7.4"), 709 "TLS is required, but was not offered by host %s", 710 session->namaddr)); 711 } else if (smtp_tls_ctx == 0) { 712 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 713 SMTP_RESP_FAKE(&fake, "4.7.5"), 714 "TLS is required, but our TLS engine is unavailable")); 715 } else { 716 msg_warn("%s: TLS is required but unavailable, don't know why", 717 myname); 718 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 719 SMTP_RESP_FAKE(&fake, "4.7.0"), 720 "TLS is required, but unavailable")); 721 } 722 } 723 } 724 #endif 725 #ifdef USE_SASL_AUTH 726 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH)) 727 return (smtp_sasl_helo_login(state)); 728 #endif 729 730 return (0); 731 } 732 733 #ifdef USE_TLS 734 735 /* smtp_start_tls - turn on TLS and recurse into the HELO dialog */ 736 737 static int smtp_start_tls(SMTP_STATE *state) 738 { 739 SMTP_SESSION *session = state->session; 740 TLS_CLIENT_START_PROPS tls_props; 741 VSTRING *serverid; 742 SMTP_RESP fake; 743 744 /* 745 * Turn off SMTP connection caching. When the TLS handshake succeeds, we 746 * can't reuse the SMTP connection. Reason: we can't turn off TLS in one 747 * process, save the connection to the cache which is shared with all 748 * SMTP clients, migrate the connection to another SMTP client, and 749 * resume TLS there. When the TLS handshake fails, we can't reuse the 750 * SMTP connection either, because the conversation is in an unknown 751 * state. 752 */ 753 DONT_CACHE_THIS_SESSION; 754 755 /* 756 * As of Postfix 2.5, tls_client_start() tries hard to always complete 757 * the TLS handshake. It records the verification and match status in the 758 * resulting TLScontext. It is now up to the application to abort the TLS 759 * connection if it chooses. 760 * 761 * XXX When tls_client_start() fails then we don't know what state the SMTP 762 * connection is in, so we give up on this connection even if we are not 763 * required to use TLS. 764 * 765 * The following assumes sites that use TLS in a perverse configuration: 766 * multiple hosts per hostname, or even multiple hosts per IP address. 767 * All this without a shared TLS session cache, and they still want to 768 * use TLS session caching??? 769 * 770 * The TLS session cache records the trust chain verification status of 771 * cached sessions. Different transports may have different CAfile or 772 * CApath settings, perhaps to allow authenticated connections to sites 773 * with private CA certs without trusting said private certs for other 774 * sites. So we cannot assume that a trust chain valid for one transport 775 * is valid for another. Therefore the client session id must include 776 * either the transport name or the values of CAfile and CApath. We use 777 * the transport name. 778 * 779 * XXX: We store only one session per lookup key. Ideally the the key maps 780 * 1-to-1 to a server TLS session cache. We use the IP address, port and 781 * ehlo response name to build a lookup key that works for split caches 782 * (that announce distinct names) behind a load balancer. 783 * 784 * XXX: The TLS library may salt the serverid with further details of the 785 * protocol and cipher requirements. 786 * 787 * Large parameter lists are error-prone, so we emulate a language feature 788 * that C does not have natively: named parameter lists. 789 */ 790 serverid = vstring_alloc(10); 791 vstring_sprintf(serverid, "%s:%s:%u:%s", state->service, session->addr, 792 ntohs(session->port), session->helo ? session->helo : ""); 793 session->tls_context = 794 TLS_CLIENT_START(&tls_props, 795 ctx = smtp_tls_ctx, 796 stream = session->stream, 797 timeout = var_smtp_starttls_tmout, 798 tls_level = session->tls_level, 799 nexthop = session->tls_nexthop, 800 host = session->host, 801 namaddr = session->namaddrport, 802 serverid = vstring_str(serverid), 803 protocols = session->tls_protocols, 804 cipher_grade = session->tls_grade, 805 cipher_exclusions 806 = vstring_str(session->tls_exclusions), 807 matchargv = session->tls_matchargv, 808 fpt_dgst = var_smtp_tls_fpt_dgst); 809 vstring_free(serverid); 810 811 if (session->tls_context == 0) { 812 813 /* 814 * We must avoid further I/O, the peer is in an undefined state. 815 */ 816 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 817 DONT_USE_DEAD_SESSION; 818 819 /* 820 * If TLS is optional, try delivery to the same server over a 821 * plaintext connection. Otherwise we would defer mail forever with 822 * destinations that have no alternate MX host. 823 * 824 * Don't fall back to plaintext if we were willing to use SASL-over-TLS 825 * authentication. If the server doesn't announce SASL support over 826 * plaintext connections, then we don't want delivery to fail with 827 * "relay access denied". 828 */ 829 if (session->tls_level == TLS_LEV_MAY 830 #ifdef USE_SASL_AUTH 831 && !(var_smtp_sasl_enable 832 && *var_smtp_sasl_passwd 833 && smtp_sasl_passwd_lookup(session)) 834 #endif 835 ) 836 RETRY_AS_PLAINTEXT; 837 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 838 SMTP_RESP_FAKE(&fake, "4.7.5"), 839 "Cannot start TLS: handshake failure")); 840 } 841 842 /* 843 * If we are verifying the server certificate and are not happy with the 844 * result, abort the delivery here. We have a usable TLS session with the 845 * server, so no need to disable I/O, ... we can even be polite and send 846 * "QUIT". 847 * 848 * See src/tls/tls_level.c. Levels above encrypt require matching. Levels >= 849 * verify require CA trust. 850 */ 851 if (session->tls_level >= TLS_LEV_VERIFY) 852 if (!TLS_CERT_IS_TRUSTED(session->tls_context)) 853 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 854 SMTP_RESP_FAKE(&fake, "4.7.5"), 855 "Server certificate not trusted")); 856 if (session->tls_level > TLS_LEV_ENCRYPT) 857 if (!TLS_CERT_IS_MATCHED(session->tls_context)) 858 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 859 SMTP_RESP_FAKE(&fake, "4.7.5"), 860 "Server certificate not verified")); 861 862 863 /* At this point there must not be any pending plaintext. */ 864 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 865 866 /* 867 * At this point we have to re-negotiate the "EHLO" to reget the 868 * feature-list. 869 */ 870 return (smtp_helo(state)); 871 } 872 873 #endif 874 875 /* smtp_hbc_logger - logging call-back for header/body checks */ 876 877 static void smtp_hbc_logger(void *context, const char *action, 878 const char *where, const char *content, 879 const char *text) 880 { 881 const SMTP_STATE *state = (SMTP_STATE *) context; 882 883 if (*text) { 884 msg_info("%s: %s: %s %.60s: %s", 885 state->request->queue_id, action, where, content, text); 886 } else { 887 msg_info("%s: %s: %s %.60s", 888 state->request->queue_id, action, where, content); 889 } 890 } 891 892 /* smtp_text_out - output one header/body record */ 893 894 static void smtp_text_out(void *context, int rec_type, 895 const char *text, ssize_t len, 896 off_t unused_offset) 897 { 898 SMTP_STATE *state = (SMTP_STATE *) context; 899 SMTP_SESSION *session = state->session; 900 ssize_t data_left; 901 const char *data_start; 902 903 /* 904 * Deal with an impedance mismatch between Postfix queue files (record 905 * length <= $message_line_length_limit) and SMTP (DATA record length <= 906 * $smtp_line_length_limit). The code below does a little too much work 907 * when the SMTP line length limit is disabled, but it avoids code 908 * duplication, and thus, it avoids testing and maintenance problems. 909 */ 910 data_left = len; 911 data_start = text; 912 do { 913 if (state->space_left == var_smtp_line_limit 914 && data_left > 0 && *data_start == '.') 915 smtp_fputc('.', session->stream); 916 if (var_smtp_line_limit > 0 && data_left >= state->space_left) { 917 smtp_fputs(data_start, state->space_left, session->stream); 918 data_start += state->space_left; 919 data_left -= state->space_left; 920 state->space_left = var_smtp_line_limit; 921 if (data_left > 0 || rec_type == REC_TYPE_CONT) { 922 smtp_fputc(' ', session->stream); 923 state->space_left -= 1; 924 } 925 } else { 926 if (rec_type == REC_TYPE_CONT) { 927 smtp_fwrite(data_start, data_left, session->stream); 928 state->space_left -= data_left; 929 } else { 930 smtp_fputs(data_start, data_left, session->stream); 931 state->space_left = var_smtp_line_limit; 932 } 933 break; 934 } 935 } while (data_left > 0); 936 } 937 938 /* smtp_format_out - output one header/body record */ 939 940 static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...); 941 942 static void smtp_format_out(void *context, int rec_type, const char *fmt,...) 943 { 944 static VSTRING *vp; 945 va_list ap; 946 947 if (vp == 0) 948 vp = vstring_alloc(100); 949 va_start(ap, fmt); 950 vstring_vsprintf(vp, fmt, ap); 951 va_end(ap); 952 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0); 953 } 954 955 /* smtp_header_out - output one message header */ 956 957 static void smtp_header_out(void *context, int unused_header_class, 958 const HEADER_OPTS *unused_info, 959 VSTRING *buf, off_t offset) 960 { 961 char *start = vstring_str(buf); 962 char *line; 963 char *next_line; 964 965 /* 966 * This code destroys the header. We could try to avoid clobbering it, 967 * but we're not going to use the data any further. 968 */ 969 for (line = start; line; line = next_line) { 970 next_line = split_at(line, '\n'); 971 smtp_text_out(context, REC_TYPE_NORM, line, next_line ? 972 next_line - line - 1 : strlen(line), offset); 973 } 974 } 975 976 /* smtp_header_rewrite - rewrite message header before output */ 977 978 static void smtp_header_rewrite(void *context, int header_class, 979 const HEADER_OPTS *header_info, 980 VSTRING *buf, off_t offset) 981 { 982 SMTP_STATE *state = (SMTP_STATE *) context; 983 int did_rewrite = 0; 984 char *line; 985 char *start; 986 char *next_line; 987 char *end_line; 988 char *result; 989 990 /* 991 * Apply optional header filtering. 992 */ 993 if (smtp_header_checks) { 994 result = hbc_header_checks(context, smtp_header_checks, header_class, 995 header_info, buf, offset); 996 if (result == 0) 997 return; 998 if (result == HBC_CHECKS_STAT_ERROR) { 999 msg_warn("%s: smtp header checks lookup error", 1000 state->request->queue_id); 1001 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1002 } 1003 if (result != STR(buf)) { 1004 vstring_strcpy(buf, result); 1005 myfree(result); 1006 } 1007 } 1008 1009 /* 1010 * Rewrite primary header addresses that match the smtp_generic_maps. The 1011 * cleanup server already enforces that all headers have proper lengths 1012 * and that all addresses are in proper form, so we don't have to repeat 1013 * that. 1014 */ 1015 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY 1016 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) { 1017 TOK822 *tree; 1018 TOK822 **addr_list; 1019 TOK822 **tpp; 1020 1021 tree = tok822_parse(vstring_str(buf) 1022 + strlen(header_info->name) + 1); 1023 addr_list = tok822_grep(tree, TOK822_ADDR); 1024 for (tpp = addr_list; *tpp; tpp++) 1025 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps, 1026 smtp_ext_prop_mask & EXT_PROP_GENERIC); 1027 if (did_rewrite) { 1028 vstring_truncate(buf, strlen(header_info->name)); 1029 vstring_strcat(buf, ": "); 1030 tok822_externalize(buf, tree, TOK822_STR_HEAD); 1031 } 1032 myfree((char *) addr_list); 1033 tok822_free_tree(tree); 1034 } 1035 1036 /* 1037 * Pass through unmodified headers without reconstruction. 1038 */ 1039 if (did_rewrite == 0) { 1040 smtp_header_out(context, header_class, header_info, buf, offset); 1041 return; 1042 } 1043 1044 /* 1045 * A rewritten address list contains one address per line. The code below 1046 * replaces newlines by spaces, to fit as many addresses on a line as 1047 * possible (without rearranging the order of addresses). Prepending 1048 * white space to the beginning of lines is delegated to the output 1049 * routine. 1050 * 1051 * Code derived from cleanup_fold_header(). 1052 */ 1053 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1054 end_line = line + strcspn(line, "\n"); 1055 if (line > start) { 1056 if (end_line - start < 70) { /* TAB counts as one */ 1057 line[-1] = ' '; 1058 } else { 1059 start = line; 1060 } 1061 } 1062 next_line = *end_line ? end_line + 1 : 0; 1063 } 1064 1065 /* 1066 * Prepend a tab to continued header lines that went through the address 1067 * rewriting machinery. Just like smtp_header_out(), this code destroys 1068 * the header. We could try to avoid clobbering it, but we're not going 1069 * to use the data any further. 1070 * 1071 * Code derived from cleanup_out_header(). 1072 */ 1073 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1074 next_line = split_at(line, '\n'); 1075 if (line == start || IS_SPACE_TAB(*line)) { 1076 smtp_text_out(state, REC_TYPE_NORM, line, next_line ? 1077 next_line - line - 1 : strlen(line), offset); 1078 } else { 1079 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line); 1080 } 1081 } 1082 } 1083 1084 /* smtp_body_rewrite - rewrite message body before output */ 1085 1086 static void smtp_body_rewrite(void *context, int type, 1087 const char *buf, ssize_t len, 1088 off_t offset) 1089 { 1090 SMTP_STATE *state = (SMTP_STATE *) context; 1091 char *result; 1092 1093 /* 1094 * Apply optional body filtering. 1095 */ 1096 if (smtp_body_checks) { 1097 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset); 1098 if (result == buf) { 1099 smtp_text_out(state, type, buf, len, offset); 1100 } else if (result == HBC_CHECKS_STAT_ERROR) { 1101 msg_warn("%s: smtp body checks lookup error", 1102 state->request->queue_id); 1103 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1104 } else if (result != 0) { 1105 smtp_text_out(state, type, result, strlen(result), offset); 1106 myfree(result); 1107 } 1108 } 1109 } 1110 1111 /* smtp_mime_fail - MIME problem */ 1112 1113 static void smtp_mime_fail(SMTP_STATE *state, int mime_errs) 1114 { 1115 const MIME_STATE_DETAIL *detail; 1116 SMTP_RESP fake; 1117 1118 detail = mime_state_detail(mime_errs); 1119 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1120 SMTP_RESP_FAKE(&fake, detail->dsn), 1121 "%s", detail->text); 1122 } 1123 1124 /* smtp_loop - exercise the SMTP protocol engine */ 1125 1126 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, 1127 NOCLOBBER int recv_state) 1128 { 1129 const char *myname = "smtp_loop"; 1130 DELIVER_REQUEST *request = state->request; 1131 SMTP_SESSION *session = state->session; 1132 SMTP_RESP *resp; 1133 RECIPIENT *rcpt; 1134 VSTRING *next_command = vstring_alloc(100); 1135 int *NOCLOBBER survivors = 0; 1136 NOCLOBBER int next_state; 1137 NOCLOBBER int next_rcpt; 1138 NOCLOBBER int send_rcpt; 1139 NOCLOBBER int recv_rcpt; 1140 NOCLOBBER int nrcpt; 1141 NOCLOBBER int recv_done; 1142 int except; 1143 int rec_type; 1144 NOCLOBBER int prev_type = 0; 1145 NOCLOBBER int mail_from_rejected; 1146 NOCLOBBER int downgrading; 1147 int mime_errs; 1148 SMTP_RESP fake; 1149 int fail_status; 1150 1151 /* 1152 * Macros for readability. 1153 */ 1154 #define REWRITE_ADDRESS(dst, src) do { \ 1155 vstring_strcpy(dst, src); \ 1156 if (*(src) && smtp_generic_maps) \ 1157 smtp_map11_internal(dst, smtp_generic_maps, \ 1158 smtp_ext_prop_mask & EXT_PROP_GENERIC); \ 1159 } while (0) 1160 1161 #define QUOTE_ADDRESS(dst, src) do { \ 1162 if (*(src) && var_smtp_quote_821_env) { \ 1163 quote_821_local(dst, src); \ 1164 } else { \ 1165 vstring_strcpy(dst, src); \ 1166 } \ 1167 } while (0) 1168 1169 /* Caution: changes to RETURN() also affect code outside the main loop. */ 1170 1171 #define RETURN(x) do { \ 1172 if (recv_state != SMTP_STATE_LAST) \ 1173 DONT_CACHE_THIS_SESSION; \ 1174 vstring_free(next_command); \ 1175 if (survivors) \ 1176 myfree((char *) survivors); \ 1177 if (session->mime_state) \ 1178 session->mime_state = mime_state_free(session->mime_state); \ 1179 return (x); \ 1180 } while (0) 1181 1182 #define SENDER_IS_AHEAD \ 1183 (recv_state < send_state || recv_rcpt != send_rcpt) 1184 1185 #define SENDER_IN_WAIT_STATE \ 1186 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST) 1187 1188 #define SENDING_MAIL \ 1189 (recv_state <= SMTP_STATE_DOT) 1190 1191 #define CANT_RSET_THIS_SESSION \ 1192 (session->features |= SMTP_FEATURE_RSET_REJECTED) 1193 1194 /* 1195 * Pipelining support requires two loops: one loop for sending and one 1196 * for receiving. Each loop has its own independent state. Most of the 1197 * time the sender can run ahead of the receiver by as much as the TCP 1198 * send buffer permits. There are only two places where the sender must 1199 * wait for status information from the receiver: once after sending DATA 1200 * and once after sending QUIT. 1201 * 1202 * The sender state advances until the TCP send buffer would overflow, or 1203 * until the sender needs status information from the receiver. At that 1204 * point the receiver starts processing responses. Once the receiver has 1205 * caught up with the sender, the sender resumes sending commands. If the 1206 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO 1207 * commands rejected, DATA rejected) it forces the sender to abort the 1208 * SMTP dialog with RSET and QUIT. 1209 */ 1210 nrcpt = 0; 1211 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0; 1212 mail_from_rejected = 0; 1213 1214 /* 1215 * Prepare for disaster. This should not be needed because the design 1216 * guarantees that no output is flushed before smtp_chat_resp() is 1217 * called. 1218 * 1219 * 1) Every SMTP command fits entirely in a VSTREAM output buffer. 1220 * 1221 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that 1222 * there is sufficient space for the command in the output buffer. 1223 * 1224 * 3) smtp_loop() flushes the output buffer to avoid server timeouts. 1225 * 1226 * Changing any of these would violate the design, and would likely break 1227 * SMTP pipelining. 1228 * 1229 * We set up the error handler anyway (only upon entry to avoid wasting 1230 * resources) because 1) there is code below that expects that VSTREAM 1231 * timeouts are enabled, and 2) this allows us to detect if someone broke 1232 * Postfix by introducing spurious flush before read operations. 1233 */ 1234 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR 1235 || send_state > SMTP_STATE_QUIT) 1236 msg_panic("%s: bad sender state %d (receiver state %d)", 1237 myname, send_state, recv_state); 1238 smtp_stream_setup(session->stream, *xfer_timeouts[send_state], 1239 var_smtp_rec_deadline); 1240 if ((except = vstream_setjmp(session->stream)) != 0) { 1241 msg_warn("smtp_proto: spurious flush before read in send state %d", 1242 send_state); 1243 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1244 xfer_states[send_state]) : -1); 1245 } 1246 1247 /* 1248 * The main protocol loop. 1249 */ 1250 do { 1251 1252 /* 1253 * Build the next command. 1254 */ 1255 switch (send_state) { 1256 1257 /* 1258 * Sanity check. 1259 */ 1260 default: 1261 msg_panic("%s: bad sender state %d", myname, send_state); 1262 1263 /* 1264 * Build the XFORWARD command. With properly sanitized 1265 * information, the command length stays within the 512 byte 1266 * command line length limit. 1267 * 1268 * XXX smtpd_xforward_preset() initializes some fields as "unknown" 1269 * and some as null; historically, pickup(8) does not send any of 1270 * these, and the queue manager presets absent fields to "not 1271 * available" except for the rewrite context which is preset to 1272 * local by way of migration aid. These definitions need to be 1273 * centralized for maintainability. 1274 */ 1275 #ifndef CAN_FORWARD_CLIENT_NAME 1276 #define _ATTR_AVAIL_AND_KNOWN_(val) \ 1277 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) 1278 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ 1279 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ 1280 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ 1281 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ 1282 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL 1283 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL 1284 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL 1285 #endif 1286 1287 case SMTP_STATE_XFORWARD_NAME_ADDR: 1288 vstring_strcpy(next_command, XFORWARD_CMD); 1289 if ((session->features & SMTP_FEATURE_XFORWARD_NAME) 1290 && CAN_FORWARD_CLIENT_NAME(request->client_name)) { 1291 vstring_strcat(next_command, " " XFORWARD_NAME "="); 1292 xtext_quote_append(next_command, request->client_name, ""); 1293 } 1294 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 1295 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { 1296 vstring_strcat(next_command, " " XFORWARD_ADDR "="); 1297 xtext_quote_append(next_command, request->client_addr, ""); 1298 } 1299 if ((session->features & SMTP_FEATURE_XFORWARD_PORT) 1300 && CAN_FORWARD_CLIENT_PORT(request->client_port)) { 1301 vstring_strcat(next_command, " " XFORWARD_PORT "="); 1302 xtext_quote_append(next_command, request->client_port, ""); 1303 } 1304 if (session->send_proto_helo) 1305 next_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1306 else 1307 next_state = SMTP_STATE_MAIL; 1308 break; 1309 1310 case SMTP_STATE_XFORWARD_PROTO_HELO: 1311 vstring_strcpy(next_command, XFORWARD_CMD); 1312 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) 1313 && CAN_FORWARD_PROTO_NAME(request->client_proto)) { 1314 vstring_strcat(next_command, " " XFORWARD_PROTO "="); 1315 xtext_quote_append(next_command, request->client_proto, ""); 1316 } 1317 if ((session->features & SMTP_FEATURE_XFORWARD_HELO) 1318 && CAN_FORWARD_HELO_NAME(request->client_helo)) { 1319 vstring_strcat(next_command, " " XFORWARD_HELO "="); 1320 xtext_quote_append(next_command, request->client_helo, ""); 1321 } 1322 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 1323 && CAN_FORWARD_IDENT_NAME(request->log_ident)) { 1324 vstring_strcat(next_command, " " XFORWARD_IDENT "="); 1325 xtext_quote_append(next_command, request->log_ident, ""); 1326 } 1327 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 1328 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { 1329 vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); 1330 xtext_quote_append(next_command, 1331 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 1332 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, ""); 1333 } 1334 next_state = SMTP_STATE_MAIL; 1335 break; 1336 1337 /* 1338 * Build the MAIL FROM command. 1339 */ 1340 case SMTP_STATE_MAIL: 1341 request->msg_stats.reuse_count = session->reuse_count; 1342 GETTIMEOFDAY(&request->msg_stats.conn_setup_done); 1343 REWRITE_ADDRESS(session->scratch2, request->sender); 1344 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1345 vstring_sprintf(next_command, "MAIL FROM:<%s>", 1346 vstring_str(session->scratch)); 1347 /* XXX Don't announce SIZE if we're going to MIME downgrade. */ 1348 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */ 1349 && !SMTP_MIME_DOWNGRADE(session, request)) 1350 vstring_sprintf_append(next_command, " SIZE=%lu", 1351 request->data_size); 1352 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */ 1353 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0) 1354 vstring_strcat(next_command, " BODY=8BITMIME"); 1355 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0) 1356 vstring_strcat(next_command, " BODY=7BIT"); 1357 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0) 1358 msg_warn("%s: unknown content encoding: %s", 1359 request->queue_id, request->encoding); 1360 } 1361 if (session->features & SMTP_FEATURE_DSN) { 1362 if (request->dsn_envid[0]) { 1363 vstring_sprintf_append(next_command, " ENVID="); 1364 xtext_quote_append(next_command, request->dsn_envid, "+="); 1365 } 1366 if (request->dsn_ret) 1367 vstring_sprintf_append(next_command, " RET=%s", 1368 dsn_ret_str(request->dsn_ret)); 1369 } 1370 1371 /* 1372 * We authenticate the local MTA only, but not the sender. 1373 */ 1374 #ifdef USE_SASL_AUTH 1375 if (var_smtp_sasl_enable 1376 && var_smtp_dummy_mail_auth 1377 && (session->features & SMTP_FEATURE_AUTH)) 1378 vstring_strcat(next_command, " AUTH=<>"); 1379 #endif 1380 1381 /* 1382 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail 1383 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA 1384 * commands to our TLS session. 1385 * 1386 * For the attack to succeed, the remote SMTP server must reply to 1387 * the malicious EHLO/MAIL/RCPT/DATA commands after completing 1388 * TLS (re)negotiation, so that the replies arrive in our TLS 1389 * session (otherwise the Postfix SMTP client would time out 1390 * waiting for an answer). With some luck we can detect this 1391 * specific attack as a server MAIL reply that arrives before we 1392 * send our own MAIL command. 1393 * 1394 * We don't apply this test to the HELO command because the result 1395 * would be very timing sensitive, and we don't apply this test 1396 * to RCPT and DATA replies because these may be pipelined for 1397 * legitimate reasons. 1398 */ 1399 #ifdef USE_TLS 1400 if (var_smtp_tls_blk_early_mail_reply 1401 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 1402 && (vstream_peek(session->stream) > 0 1403 || peekfd(vstream_fileno(session->stream)) > 0)) 1404 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY; 1405 #endif 1406 1407 /* 1408 * We now return to our regular broadcast. 1409 */ 1410 next_state = SMTP_STATE_RCPT; 1411 break; 1412 1413 /* 1414 * Build one RCPT TO command before we have seen the MAIL FROM 1415 * response. 1416 */ 1417 case SMTP_STATE_RCPT: 1418 rcpt = request->rcpt_list.info + send_rcpt; 1419 REWRITE_ADDRESS(session->scratch2, rcpt->address); 1420 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1421 vstring_sprintf(next_command, "RCPT TO:<%s>", 1422 vstring_str(session->scratch)); 1423 if (session->features & SMTP_FEATURE_DSN) { 1424 /* XXX DSN xtext encode address value not type. */ 1425 if (rcpt->dsn_orcpt[0]) { 1426 xtext_quote(session->scratch, rcpt->dsn_orcpt, "+="); 1427 vstring_sprintf_append(next_command, " ORCPT=%s", 1428 vstring_str(session->scratch)); 1429 } else if (rcpt->orig_addr[0]) { 1430 quote_822_local(session->scratch, rcpt->orig_addr); 1431 vstring_sprintf(session->scratch2, "rfc822;%s", 1432 vstring_str(session->scratch)); 1433 xtext_quote(session->scratch, vstring_str(session->scratch2), "+="); 1434 vstring_sprintf_append(next_command, " ORCPT=%s", 1435 vstring_str(session->scratch)); 1436 } 1437 if (rcpt->dsn_notify) 1438 vstring_sprintf_append(next_command, " NOTIFY=%s", 1439 dsn_notify_str(rcpt->dsn_notify)); 1440 } 1441 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state)) 1442 next_state = DEL_REQ_TRACE_ONLY(request->flags) ? 1443 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1444 break; 1445 1446 /* 1447 * Build the DATA command before we have seen all the RCPT TO 1448 * responses. 1449 */ 1450 case SMTP_STATE_DATA: 1451 vstring_strcpy(next_command, "DATA"); 1452 next_state = SMTP_STATE_DOT; 1453 break; 1454 1455 /* 1456 * Build the "." command after we have seen the DATA response 1457 * (DATA is a protocol synchronization point). 1458 * 1459 * Changing the connection caching state here is safe because it 1460 * affects none of the not-yet processed replies to 1461 * already-generated commands. 1462 */ 1463 case SMTP_STATE_DOT: 1464 vstring_strcpy(next_command, "."); 1465 if (THIS_SESSION_IS_EXPIRED) 1466 DONT_CACHE_THIS_SESSION; 1467 next_state = THIS_SESSION_IS_CACHED ? 1468 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1469 break; 1470 1471 /* 1472 * The SMTP_STATE_ABORT sender state is entered by the sender 1473 * when it has verified all recipients; or it is entered by the 1474 * receiver when all recipients are verified or rejected, and is 1475 * then left before the bottom of the main loop. 1476 * 1477 * Changing the connection caching state here is safe because there 1478 * are no not-yet processed replies to already-generated 1479 * commands. 1480 */ 1481 case SMTP_STATE_ABORT: 1482 vstring_strcpy(next_command, "RSET"); 1483 if (THIS_SESSION_IS_EXPIRED) 1484 DONT_CACHE_THIS_SESSION; 1485 next_state = THIS_SESSION_IS_CACHED ? 1486 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1487 break; 1488 1489 /* 1490 * Build the RSET command. This is entered as initial state from 1491 * smtp_rset() and has its own dedicated state transitions. It is 1492 * used to find out the status of a cached session before 1493 * attempting mail delivery. 1494 */ 1495 case SMTP_STATE_RSET: 1496 vstring_strcpy(next_command, "RSET"); 1497 next_state = SMTP_STATE_LAST; 1498 break; 1499 1500 /* 1501 * Build the QUIT command before we have seen the "." or RSET 1502 * response. This is entered as initial state from smtp_quit(), 1503 * or is reached near the end of any non-cached session. 1504 * 1505 * Changing the connection caching state here is safe. If this 1506 * command is pipelined together with a preceding command, then 1507 * connection caching was already turned off. Do not clobber the 1508 * "bad connection" flag. 1509 */ 1510 case SMTP_STATE_QUIT: 1511 vstring_strcpy(next_command, "QUIT"); 1512 next_state = SMTP_STATE_LAST; 1513 if (THIS_SESSION_IS_CACHED) 1514 DONT_CACHE_THIS_SESSION; 1515 break; 1516 1517 /* 1518 * The final sender state has no action associated with it. 1519 */ 1520 case SMTP_STATE_LAST: 1521 VSTRING_RESET(next_command); 1522 break; 1523 } 1524 VSTRING_TERMINATE(next_command); 1525 1526 /* 1527 * Process responses until the receiver has caught up. Vstreams 1528 * automatically flush buffered output when reading new data. 1529 * 1530 * Flush unsent output if command pipelining is off or if no I/O 1531 * happened for a while. This limits the accumulation of client-side 1532 * delays in pipelined sessions. 1533 * 1534 * The PIPELINING engine will flush the VSTREAM buffer if the sender 1535 * could otherwise produce more output than fits the PIPELINING 1536 * buffer. This generally works because we know exactly how much 1537 * output we produced since the last time that the sender and 1538 * receiver synchronized the SMTP state. However this logic is not 1539 * applicable after the sender enters the DATA phase, where it does 1540 * not synchronize with the receiver until the <CR><LF>.<CR><LF>. 1541 * Thus, the PIPELINING engine no longer knows how much data is 1542 * pending in the TCP send buffer. For this reason, if PIPELINING is 1543 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is 1544 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP 1545 * stack either has already received the QUIT<CR><LF>, or else it 1546 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>, 1547 * making room in the sender's TCP stack for QUIT<CR><LF>. 1548 */ 1549 #define CHECK_PIPELINING_BUFSIZE \ 1550 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT) 1551 1552 if (SENDER_IN_WAIT_STATE 1553 || (SENDER_IS_AHEAD 1554 && ((session->features & SMTP_FEATURE_PIPELINING) == 0 1555 || (CHECK_PIPELINING_BUFSIZE 1556 && (VSTRING_LEN(next_command) + 2 1557 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND) 1558 > PIPELINING_BUFSIZE)) 1559 || time((time_t *) 0) 1560 - vstream_ftime(session->stream) > 10))) { 1561 while (SENDER_IS_AHEAD) { 1562 1563 /* 1564 * Sanity check. 1565 */ 1566 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR 1567 || recv_state > SMTP_STATE_QUIT) 1568 msg_panic("%s: bad receiver state %d (sender state %d)", 1569 myname, recv_state, send_state); 1570 1571 /* 1572 * Receive the next server response. Use the proper timeout, 1573 * and log the proper client state in case of trouble. 1574 * 1575 * XXX If we lose the connection before sending end-of-data, 1576 * find out if the server sent a premature end-of-data reply. 1577 * If this read attempt fails, report "lost connection while 1578 * sending message body", not "lost connection while sending 1579 * end-of-data". 1580 * 1581 * "except" becomes zero just above the protocol loop, and stays 1582 * zero or triggers an early return from the loop. In just 1583 * one case: loss of the connection when sending the message 1584 * body, we record the exception, and keep processing in the 1585 * hope of detecting a premature 5XX. We must be careful to 1586 * not clobber this non-zero value once it is set. The 1587 * variable need not survive longjmp() calls, since the only 1588 * setjmp() which does not return early is the one sets this 1589 * condition, subquent failures always return early. 1590 */ 1591 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) 1592 1593 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state], 1594 var_smtp_rec_deadline); 1595 if (LOST_CONNECTION_INSIDE_DATA) { 1596 if (vstream_setjmp(session->stream) != 0) 1597 RETURN(smtp_stream_except(state, SMTP_ERR_EOF, 1598 "sending message body")); 1599 } else { 1600 if ((except = vstream_setjmp(session->stream)) != 0) 1601 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1602 xfer_states[recv_state]) : -1); 1603 } 1604 resp = smtp_chat_resp(session); 1605 1606 /* 1607 * Process the response. 1608 */ 1609 switch (recv_state) { 1610 1611 /* 1612 * Process the XFORWARD response. 1613 */ 1614 case SMTP_STATE_XFORWARD_NAME_ADDR: 1615 if (resp->code / 100 != 2) 1616 msg_warn("host %s said: %s (in reply to %s)", 1617 session->namaddrport, 1618 translit(resp->str, "\n", " "), 1619 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]); 1620 if (session->send_proto_helo) 1621 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1622 else 1623 recv_state = SMTP_STATE_MAIL; 1624 break; 1625 1626 case SMTP_STATE_XFORWARD_PROTO_HELO: 1627 if (resp->code / 100 != 2) 1628 msg_warn("host %s said: %s (in reply to %s)", 1629 session->namaddrport, 1630 translit(resp->str, "\n", " "), 1631 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]); 1632 recv_state = SMTP_STATE_MAIL; 1633 break; 1634 1635 /* 1636 * Process the MAIL FROM response. When the server 1637 * rejects the sender, set the mail_from_rejected flag so 1638 * that the receiver may apply a course correction. 1639 */ 1640 case SMTP_STATE_MAIL: 1641 if (resp->code / 100 != 2) { 1642 smtp_mesg_fail(state, session->host, resp, 1643 "host %s said: %s (in reply to %s)", 1644 session->namaddr, 1645 translit(resp->str, "\n", " "), 1646 xfer_request[SMTP_STATE_MAIL]); 1647 mail_from_rejected = 1; 1648 } 1649 1650 /* 1651 * CVE-2009-3555 (TLS renegotiation). Whatever it was 1652 * that arrived before we sent our MAIL FROM command, it 1653 * was not a fatal-level TLS alert message. It could be a 1654 * warning-level TLS alert message, or a ChangeCipherSpec 1655 * message, but such messages are not normally sent in 1656 * the middle of a TLS session. We disconnect and try 1657 * again later. 1658 */ 1659 #ifdef USE_TLS 1660 if (var_smtp_tls_blk_early_mail_reply 1661 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) { 1662 smtp_site_fail(state, DSN_BY_LOCAL_MTA, 1663 SMTP_RESP_FAKE(&fake, "4.7.0"), 1664 "unexpected server message"); 1665 msg_warn("server %s violates %s policy", 1666 session->namaddr, 1667 VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY); 1668 mail_from_rejected = 1; 1669 } 1670 #endif 1671 1672 /* 1673 * We now return to our regular broadcast. 1674 */ 1675 recv_state = SMTP_STATE_RCPT; 1676 break; 1677 1678 /* 1679 * Process one RCPT TO response. If MAIL FROM was 1680 * rejected, ignore RCPT TO responses: all recipients are 1681 * dead already. When all recipients are rejected the 1682 * receiver may apply a course correction. 1683 * 1684 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply 1685 * must be treated as if the server replied with 452. 1686 * However, this causes "too much mail data" to be 1687 * treated as a recoverable error, which is wrong. I'll 1688 * stick with RFC 821. 1689 */ 1690 case SMTP_STATE_RCPT: 1691 if (!mail_from_rejected) { 1692 #ifdef notdef 1693 if (resp->code == 552) { 1694 resp->code = 452; 1695 resp->dsn[0] = '4'; 1696 } 1697 #endif 1698 rcpt = request->rcpt_list.info + recv_rcpt; 1699 if (resp->code / 100 == 2) { 1700 if (state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) { 1701 if (survivors == 0) 1702 survivors = (int *) 1703 mymalloc(request->rcpt_list.len 1704 * sizeof(int)); 1705 survivors[nrcpt] = recv_rcpt; 1706 } 1707 ++nrcpt; 1708 /* If trace-only, mark the recipient done. */ 1709 if (DEL_REQ_TRACE_ONLY(request->flags)) { 1710 translit(resp->str, "\n", " "); 1711 smtp_rcpt_done(state, resp, rcpt); 1712 } 1713 } else { 1714 smtp_rcpt_fail(state, rcpt, session->host, resp, 1715 "host %s said: %s (in reply to %s)", 1716 session->namaddr, 1717 translit(resp->str, "\n", " "), 1718 xfer_request[SMTP_STATE_RCPT]); 1719 } 1720 } 1721 /* If trace-only, send RSET instead of DATA. */ 1722 if (++recv_rcpt == SMTP_RCPT_LEFT(state)) 1723 recv_state = DEL_REQ_TRACE_ONLY(request->flags) ? 1724 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1725 /* XXX Also: record if non-delivering session. */ 1726 break; 1727 1728 /* 1729 * Process the DATA response. When the server rejects 1730 * DATA, set nrcpt to a negative value so that the 1731 * receiver can apply a course correction. 1732 */ 1733 case SMTP_STATE_DATA: 1734 if (resp->code / 100 != 3) { 1735 if (nrcpt > 0) 1736 smtp_mesg_fail(state, session->host, resp, 1737 "host %s said: %s (in reply to %s)", 1738 session->namaddr, 1739 translit(resp->str, "\n", " "), 1740 xfer_request[SMTP_STATE_DATA]); 1741 nrcpt = -1; 1742 } 1743 recv_state = SMTP_STATE_DOT; 1744 break; 1745 1746 /* 1747 * Process the end of message response. Ignore the 1748 * response when no recipient was accepted: all 1749 * recipients are dead already, and the next receiver 1750 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise, 1751 * if the message transfer fails, bounce all remaining 1752 * recipients, else cross off the recipients that were 1753 * delivered. 1754 */ 1755 case SMTP_STATE_DOT: 1756 GETTIMEOFDAY(&request->msg_stats.deliver_done); 1757 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 1758 if (nrcpt > 0) { 1759 if (resp->code / 100 != 2) { 1760 smtp_mesg_fail(state, session->host, resp, 1761 "host %s said: %s (in reply to %s)", 1762 session->namaddr, 1763 translit(resp->str, "\n", " "), 1764 xfer_request[SMTP_STATE_DOT]); 1765 } else { 1766 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 1767 rcpt = request->rcpt_list.info + nrcpt; 1768 if (!SMTP_RCPT_ISMARKED(rcpt)) { 1769 translit(resp->str, "\n", " "); 1770 smtp_rcpt_done(state, resp, rcpt); 1771 } 1772 } 1773 } 1774 } 1775 } 1776 1777 /* 1778 * With LMTP we have one response per accepted RCPT TO 1779 * command. Stay in the SMTP_STATE_DOT state until we 1780 * have collected all responses. 1781 */ 1782 else { 1783 if (nrcpt > 0) { 1784 rcpt = request->rcpt_list.info 1785 + survivors[recv_done++]; 1786 if (resp->code / 100 != 2) { 1787 smtp_rcpt_fail(state, rcpt, session->host, resp, 1788 "host %s said: %s (in reply to %s)", 1789 session->namaddr, 1790 translit(resp->str, "\n", " "), 1791 xfer_request[SMTP_STATE_DOT]); 1792 } else { 1793 translit(resp->str, "\n", " "); 1794 smtp_rcpt_done(state, resp, rcpt); 1795 } 1796 } 1797 if (msg_verbose) 1798 msg_info("%s: got %d of %d end-of-data replies", 1799 myname, recv_done, nrcpt); 1800 if (recv_done < nrcpt) 1801 break; 1802 } 1803 1804 /* 1805 * XXX Do not change the connection caching state here, 1806 * even if the connection caching timer expired between 1807 * generating the command and processing the reply, 1808 * otherwise the sender and receiver loops get out of 1809 * sync. The caller will call smtp_quit() if appropriate. 1810 */ 1811 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED 1812 || LOST_CONNECTION_INSIDE_DATA) 1813 recv_state = SMTP_STATE_LAST; 1814 else 1815 recv_state = SMTP_STATE_QUIT; 1816 break; 1817 1818 /* 1819 * Receive the RSET response. 1820 * 1821 * The SMTP_STATE_ABORT sender state is entered by the 1822 * sender when it has verified all recipients; or it is 1823 * entered by the receiver when all recipients are 1824 * verified or rejected, and is then left before the 1825 * bottom of the main loop. 1826 * 1827 * XXX Do not change the connection caching state here, even 1828 * if the server rejected RSET or if the connection 1829 * caching timer expired between generating the command 1830 * and processing the reply, otherwise the sender and 1831 * receiver loops get out of sync. The caller will call 1832 * smtp_quit() if appropriate. 1833 */ 1834 case SMTP_STATE_ABORT: 1835 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ? 1836 SMTP_STATE_LAST : SMTP_STATE_QUIT); 1837 break; 1838 1839 /* 1840 * This is the initial receiver state from smtp_rset(). 1841 * It is used to find out the status of a cached session 1842 * before attempting mail delivery. 1843 */ 1844 case SMTP_STATE_RSET: 1845 if (resp->code / 100 != 2) 1846 CANT_RSET_THIS_SESSION; 1847 recv_state = SMTP_STATE_LAST; 1848 break; 1849 1850 /* 1851 * Receive, but otherwise ignore, the QUIT response. 1852 */ 1853 case SMTP_STATE_QUIT: 1854 recv_state = SMTP_STATE_LAST; 1855 break; 1856 } 1857 } 1858 1859 /* 1860 * At this point, the sender and receiver are fully synchronized. 1861 */ 1862 1863 /* 1864 * We know the server response to every command that was sent. 1865 * Apply a course correction if necessary: the sender wants to 1866 * send RCPT TO but MAIL FROM was rejected; the sender wants to 1867 * send DATA but all recipients were rejected; the sender wants 1868 * to deliver the message but DATA was rejected. 1869 */ 1870 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected) 1871 || (send_state == SMTP_STATE_DATA && nrcpt == 0) 1872 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) { 1873 send_state = recv_state = SMTP_STATE_ABORT; 1874 send_rcpt = recv_rcpt = 0; 1875 vstring_strcpy(next_command, "RSET"); 1876 if (THIS_SESSION_IS_EXPIRED) 1877 DONT_CACHE_THIS_SESSION; 1878 next_state = THIS_SESSION_IS_CACHED ? 1879 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1880 /* XXX Also: record if non-delivering session. */ 1881 next_rcpt = 0; 1882 } 1883 } 1884 1885 /* 1886 * Make the next sender state the current sender state. 1887 */ 1888 if (send_state == SMTP_STATE_LAST) 1889 continue; 1890 1891 /* 1892 * Special case if the server accepted the DATA command. If the 1893 * server accepted at least one recipient send the entire message. 1894 * Otherwise, just send "." as per RFC 2197. 1895 * 1896 * XXX If there is a hard MIME error while downgrading to 7-bit mail, 1897 * disconnect ungracefully, because there is no other way to cancel a 1898 * transaction in progress. 1899 */ 1900 if (send_state == SMTP_STATE_DOT && nrcpt > 0) { 1901 1902 smtp_stream_setup(session->stream, var_smtp_data1_tmout, 1903 var_smtp_rec_deadline); 1904 1905 if ((except = vstream_setjmp(session->stream)) == 0) { 1906 1907 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0) 1908 msg_fatal("seek queue file: %m"); 1909 1910 downgrading = SMTP_MIME_DOWNGRADE(session, request); 1911 1912 /* 1913 * XXX Don't downgrade just because generic_maps is turned 1914 * on. 1915 */ 1916 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks) 1917 1918 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS) 1919 session->mime_state = mime_state_alloc(downgrading ? 1920 MIME_OPT_DOWNGRADE 1921 | MIME_OPT_REPORT_NESTING : 1922 SMTP_ANY_CHECKS == 0 ? 1923 MIME_OPT_DISABLE_MIME : 1924 0, 1925 smtp_generic_maps 1926 || smtp_header_checks ? 1927 smtp_header_rewrite : 1928 smtp_header_out, 1929 (MIME_STATE_ANY_END) 0, 1930 smtp_body_checks ? 1931 smtp_body_rewrite : 1932 smtp_text_out, 1933 (MIME_STATE_ANY_END) 0, 1934 (MIME_STATE_ERR_PRINT) 0, 1935 (void *) state); 1936 state->space_left = var_smtp_line_limit; 1937 1938 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) { 1939 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 1940 break; 1941 if (session->mime_state == 0) { 1942 smtp_text_out((void *) state, rec_type, 1943 vstring_str(session->scratch), 1944 VSTRING_LEN(session->scratch), 1945 (off_t) 0); 1946 } else { 1947 mime_errs = 1948 mime_state_update(session->mime_state, rec_type, 1949 vstring_str(session->scratch), 1950 VSTRING_LEN(session->scratch)); 1951 if (mime_errs) { 1952 smtp_mime_fail(state, mime_errs); 1953 RETURN(0); 1954 } 1955 } 1956 prev_type = rec_type; 1957 } 1958 1959 if (session->mime_state) { 1960 1961 /* 1962 * The cleanup server normally ends MIME content with a 1963 * normal text record. The following code is needed to 1964 * flush an internal buffer when someone submits 8-bit 1965 * mail not ending in newline via /usr/sbin/sendmail 1966 * while MIME input processing is turned off, and MIME 1967 * 8bit->7bit conversion is requested upon delivery. 1968 * 1969 * Or some error while doing generic address mapping. 1970 */ 1971 mime_errs = 1972 mime_state_update(session->mime_state, rec_type, "", 0); 1973 if (mime_errs) { 1974 smtp_mime_fail(state, mime_errs); 1975 RETURN(0); 1976 } 1977 } else if (prev_type == REC_TYPE_CONT) /* missing newline */ 1978 smtp_fputs("", 0, session->stream); 1979 if ((session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) != 0 1980 && request->msg_stats.incoming_arrival.tv_sec 1981 <= vstream_ftime(session->stream) - var_smtp_pix_thresh) { 1982 smtp_flush(session->stream);/* hurts performance */ 1983 sleep(var_smtp_pix_delay); /* not to mention this */ 1984 } 1985 if (vstream_ferror(state->src)) 1986 msg_fatal("queue file read error"); 1987 if (rec_type != REC_TYPE_XTRA) { 1988 msg_warn("%s: bad record type: %d in message content", 1989 request->queue_id, rec_type); 1990 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1991 SMTP_RESP_FAKE(&fake, "5.3.0"), 1992 "unreadable mail queue entry"); 1993 /* Bailing out, abort stream with prejudice */ 1994 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 1995 DONT_USE_DEAD_SESSION; 1996 /* If bounce_append() succeeded, status is still 0 */ 1997 if (state->status == 0) 1998 (void) mark_corrupt(state->src); 1999 /* Don't override smtp_mesg_fail() here. */ 2000 RETURN(fail_status); 2001 } 2002 } else { 2003 if (!LOST_CONNECTION_INSIDE_DATA) 2004 RETURN(smtp_stream_except(state, except, 2005 "sending message body")); 2006 2007 /* 2008 * We will clear the stream error flag to try and read a 2009 * premature 5XX response, so it is important to flush any 2010 * unwritten data. Otherwise, we will try to flush it again 2011 * before reading, which may incur an unnecessary delay and 2012 * will prevent the reading of any response that is not 2013 * already buffered (bundled with the DATA 354 response). 2014 * 2015 * Not much point in sending QUIT at this point, skip right to 2016 * SMTP_STATE_LAST. The read engine above will likewise avoid 2017 * looking for a QUIT response. 2018 */ 2019 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE); 2020 next_state = SMTP_STATE_LAST; 2021 } 2022 } 2023 2024 /* 2025 * Copy the next command to the buffer and update the sender state. 2026 */ 2027 if (except == 0) { 2028 smtp_chat_cmd(session, "%s", vstring_str(next_command)); 2029 } else { 2030 DONT_CACHE_THIS_SESSION; 2031 } 2032 send_state = next_state; 2033 send_rcpt = next_rcpt; 2034 } while (recv_state != SMTP_STATE_LAST); 2035 RETURN(0); 2036 } 2037 2038 /* smtp_xfer - send a batch of envelope information and the message data */ 2039 2040 int smtp_xfer(SMTP_STATE *state) 2041 { 2042 DELIVER_REQUEST *request = state->request; 2043 SMTP_SESSION *session = state->session; 2044 SMTP_RESP fake; 2045 int send_state; 2046 int recv_state; 2047 int send_name_addr; 2048 int result; 2049 2050 /* 2051 * Sanity check. Recipients should be unmarked at this point. 2052 */ 2053 if (SMTP_RCPT_LEFT(state) <= 0) 2054 msg_panic("smtp_xfer: bad recipient count: %d", 2055 SMTP_RCPT_LEFT(state)); 2056 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info)) 2057 msg_panic("smtp_xfer: bad recipient status: %d", 2058 request->rcpt_list.info->u.status); 2059 2060 /* 2061 * See if we should even try to send this message at all. This code sits 2062 * here rather than in the EHLO processing code, because of SMTP 2063 * connection caching. 2064 */ 2065 if (session->size_limit > 0 && session->size_limit < request->data_size) { 2066 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2067 SMTP_RESP_FAKE(&fake, "5.3.4"), 2068 "message size %lu exceeds size limit %.0f of server %s", 2069 request->data_size, (double) session->size_limit, 2070 session->namaddr); 2071 /* Redundant. We abort this delivery attempt. */ 2072 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2073 return (0); 2074 } 2075 2076 /* 2077 * Use XFORWARD to forward the origin of this email message across an 2078 * SMTP-based content filter. Send client attribute information only if 2079 * it exists (i.e. remote submission). Local submissions have no client 2080 * attributes; the mail will appear to originate from the content filter 2081 * which is acceptable. 2082 */ 2083 send_name_addr = 2084 var_smtp_send_xforward 2085 && (((session->features & SMTP_FEATURE_XFORWARD_NAME) 2086 && CAN_FORWARD_CLIENT_NAME(request->client_name)) 2087 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 2088 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) 2089 || ((session->features & SMTP_FEATURE_XFORWARD_PORT) 2090 && CAN_FORWARD_CLIENT_PORT(request->client_port))); 2091 session->send_proto_helo = 2092 var_smtp_send_xforward 2093 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) 2094 && CAN_FORWARD_PROTO_NAME(request->client_proto)) 2095 || ((session->features & SMTP_FEATURE_XFORWARD_HELO) 2096 && CAN_FORWARD_HELO_NAME(request->client_helo)) 2097 || ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 2098 && CAN_FORWARD_IDENT_NAME(request->log_ident)) 2099 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 2100 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); 2101 if (send_name_addr) 2102 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; 2103 else if (session->send_proto_helo) 2104 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO; 2105 else 2106 recv_state = send_state = SMTP_STATE_MAIL; 2107 2108 /* 2109 * Remember this session's "normal completion", even if the server 4xx-ed 2110 * some or all recipients. Connection or handshake errors with a later MX 2111 * host should not cause this destination be marked as unreachable. 2112 */ 2113 result = smtp_loop(state, send_state, recv_state); 2114 2115 if (result == 0 2116 /* Just in case */ 2117 && vstream_ferror(session->stream) == 0 2118 && vstream_feof(session->stream) == 0) 2119 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2120 2121 return (result); 2122 } 2123 2124 /* smtp_rset - send a lone RSET command */ 2125 2126 int smtp_rset(SMTP_STATE *state) 2127 { 2128 2129 /* 2130 * This works because SMTP_STATE_RSET is a dedicated sender/recipient 2131 * entry state, with SMTP_STATE_LAST as next sender/recipient state. 2132 */ 2133 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET)); 2134 } 2135 2136 /* smtp_quit - send a lone QUIT command */ 2137 2138 int smtp_quit(SMTP_STATE *state) 2139 { 2140 2141 /* 2142 * This works because SMTP_STATE_QUIT is the last state with a sender 2143 * action, with SMTP_STATE_LAST as the next sender/recipient state. 2144 */ 2145 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ? 2146 SMTP_STATE_LAST : SMTP_STATE_QUIT)); 2147 } 2148