1 /* $NetBSD: smtp_proto.c,v 1.1.1.5 2014/07/06 19:27:56 tron Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_proto 3 6 /* SUMMARY 7 /* client SMTP/LMTP protocol 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* int smtp_helo(state) 12 /* SMTP_STATE *state; 13 /* 14 /* int smtp_xfer(state) 15 /* SMTP_STATE *state; 16 /* 17 /* int smtp_rset(state) 18 /* SMTP_STATE *state; 19 /* 20 /* int smtp_quit(state) 21 /* SMTP_STATE *state; 22 /* DESCRIPTION 23 /* In the subsequent text, SMTP implies LMTP. 24 /* This module implements the client side of the SMTP protocol. 25 /* 26 /* smtp_helo() performs the initial handshake with the SMTP server. 27 /* When TLS is enabled, this includes STARTTLS negotiations. 28 /* 29 /* smtp_xfer() sends message envelope information followed by the 30 /* message data, and finishes the SMTP conversation. These operations 31 /* are combined in one function, in order to implement SMTP pipelining. 32 /* Recipients are marked as "done" in the mail queue file when 33 /* bounced or delivered. The message delivery status is updated 34 /* accordingly. 35 /* 36 /* smtp_rset() sends a single RSET command and waits for the 37 /* response. In case of a negative reply it sets the 38 /* CANT_RSET_THIS_SESSION flag. 39 /* 40 /* smtp_quit() sends a single QUIT command and waits for the 41 /* response if configured to do so. It always turns off connection 42 /* caching. 43 /* DIAGNOSTICS 44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return 45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(), 46 /* smtp_rset() and smtp_quit(), success means the ability to 47 /* perform an SMTP conversation, not necessarily the ability 48 /* to deliver mail, or the achievement of server happiness. 49 /* 50 /* In case of a rejected or failed connection, a connection 51 /* is marked as "bad, do not cache". Otherwise, connection 52 /* caching may be turned off (without being marked "bad") at 53 /* the discretion of the code that implements the individual 54 /* protocol steps. 55 /* 56 /* Warnings: corrupt message file. A corrupt message is marked 57 /* as "corrupt" by changing its queue file permissions. 58 /* BUGS 59 /* Some SMTP servers will abort when the number of recipients 60 /* for one message exceeds their capacity. This behavior violates 61 /* the SMTP protocol. 62 /* The only way around this is to limit the number of recipients 63 /* per transaction to an artificially-low value. 64 /* SEE ALSO 65 /* smtp(3h) internal data structures 66 /* smtp_chat(3) query/reply SMTP support 67 /* smtp_trouble(3) error handlers 68 /* LICENSE 69 /* .ad 70 /* .fi 71 /* The Secure Mailer license must be distributed with this software. 72 /* AUTHOR(S) 73 /* Wietse Venema 74 /* IBM T.J. Watson Research 75 /* P.O. Box 704 76 /* Yorktown Heights, NY 10598, USA 77 /* 78 /* Pipelining code in cooperation with: 79 /* Jon Ribbens 80 /* Oaktree Internet Solutions Ltd., 81 /* Internet House, 82 /* Canal Basin, 83 /* Coventry, 84 /* CV1 4LY, United Kingdom. 85 /* 86 /* Connection caching in cooperation with: 87 /* Victor Duchovni 88 /* Morgan Stanley 89 /* 90 /* TLS support originally by: 91 /* Lutz Jaenicke 92 /* BTU Cottbus 93 /* Allgemeine Elektrotechnik 94 /* Universitaetsplatz 3-4 95 /* D-03044 Cottbus, Germany 96 /*--*/ 97 98 /* System library. */ 99 100 #include <sys_defs.h> 101 #include <sys/stat.h> 102 #include <sys/socket.h> /* shutdown(2) */ 103 #include <netinet/in.h> /* ntohs() */ 104 #include <string.h> 105 #include <unistd.h> 106 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */ 107 #include <stdarg.h> 108 #include <time.h> 109 110 #ifdef STRCASECMP_IN_STRINGS_H 111 #include <strings.h> 112 #endif 113 114 /* Utility library. */ 115 116 #include <msg.h> 117 #include <vstring.h> 118 #include <vstream.h> 119 #include <vstring_vstream.h> 120 #include <stringops.h> 121 #include <mymalloc.h> 122 #include <iostuff.h> 123 #include <split_at.h> 124 #include <name_code.h> 125 #include <name_mask.h> 126 127 /* Global library. */ 128 129 #include <mail_params.h> 130 #include <smtp_stream.h> 131 #include <mail_queue.h> 132 #include <recipient_list.h> 133 #include <deliver_request.h> 134 #include <defer.h> 135 #include <bounce.h> 136 #include <record.h> 137 #include <rec_type.h> 138 #include <off_cvt.h> 139 #include <mark_corrupt.h> 140 #include <quote_821_local.h> 141 #include <quote_822_local.h> 142 #include <mail_proto.h> 143 #include <mime_state.h> 144 #include <ehlo_mask.h> 145 #include <maps.h> 146 #include <tok822.h> 147 #include <mail_addr_map.h> 148 #include <ext_prop.h> 149 #include <lex_822.h> 150 #include <dsn_mask.h> 151 #include <xtext.h> 152 153 /* Application-specific. */ 154 155 #include "smtp.h" 156 #include "smtp_sasl.h" 157 158 /* 159 * Sender and receiver state. A session does not necessarily go through a 160 * linear progression, but states are guaranteed to not jump backwards. 161 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states 162 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST. 163 * 164 * When connection caching is enabled, the QUIT state is suppressed. Normal 165 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions 166 * end with ABORT->LAST. The connection is left open for a limited time. An 167 * RSET probe should be sent before attempting to reuse an open connection 168 * for a new transaction. 169 * 170 * The code to send an RSET probe is a special case with its own initial state 171 * and with its own dedicated state transitions. The session proceeds as 172 * RSET->LAST. This code is kept inside the main protocol engine for 173 * consistent error handling and error reporting. It is not to be confused 174 * with the code that sends RSET to abort a mail transaction in progress. 175 * 176 * The code to send QUIT without message delivery transaction jumps into the 177 * main state machine. If this introduces complications, then we should 178 * introduce a second QUIT state with its own dedicated state transitions, 179 * just like we did for RSET probes. 180 * 181 * By default, the receiver skips the QUIT response. Some SMTP servers 182 * disconnect after responding to ".", and some SMTP servers wait before 183 * responding to QUIT. 184 * 185 * Client states that are associated with sending mail (up to and including 186 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending 187 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST). 188 */ 189 #define SMTP_STATE_XFORWARD_NAME_ADDR 0 190 #define SMTP_STATE_XFORWARD_PROTO_HELO 1 191 #define SMTP_STATE_MAIL 2 192 #define SMTP_STATE_RCPT 3 193 #define SMTP_STATE_DATA 4 194 #define SMTP_STATE_DOT 5 195 #define SMTP_STATE_ABORT 6 196 #define SMTP_STATE_RSET 7 197 #define SMTP_STATE_QUIT 8 198 #define SMTP_STATE_LAST 9 199 200 int *xfer_timeouts[SMTP_STATE_LAST] = { 201 &var_smtp_xfwd_tmout, /* name/addr */ 202 &var_smtp_xfwd_tmout, /* helo/proto */ 203 &var_smtp_mail_tmout, 204 &var_smtp_rcpt_tmout, 205 &var_smtp_data0_tmout, 206 &var_smtp_data2_tmout, 207 &var_smtp_rset_tmout, 208 &var_smtp_rset_tmout, 209 &var_smtp_quit_tmout, 210 }; 211 212 char *xfer_states[SMTP_STATE_LAST] = { 213 "sending XFORWARD name/address", 214 "sending XFORWARD protocol/helo_name", 215 "sending MAIL FROM", 216 "sending RCPT TO", 217 "sending DATA command", 218 "sending end of data -- message may be sent more than once", 219 "sending final RSET", 220 "sending RSET probe", 221 "sending QUIT", 222 }; 223 224 char *xfer_request[SMTP_STATE_LAST] = { 225 "XFORWARD name/address command", 226 "XFORWARD helo/protocol command", 227 "MAIL FROM command", 228 "RCPT TO command", 229 "DATA command", 230 "end of DATA command", 231 "final RSET command", 232 "RSET probe", 233 "QUIT command", 234 }; 235 236 #define SMTP_MIME_DOWNGRADE(session, request) \ 237 (var_disable_mime_oconv == 0 \ 238 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \ 239 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0) 240 241 #ifdef USE_TLS 242 243 static int smtp_start_tls(SMTP_STATE *); 244 245 #endif 246 247 /* 248 * Call-back information for header/body checks. We don't provide call-backs 249 * for actions that change the message delivery time or destination. 250 */ 251 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *); 252 static void smtp_text_out(void *, int, const char *, ssize_t, off_t); 253 254 HBC_CALL_BACKS smtp_hbc_callbacks[1] = { 255 smtp_hbc_logger, 256 smtp_text_out, 257 }; 258 259 /* smtp_helo - perform initial handshake with SMTP server */ 260 261 int smtp_helo(SMTP_STATE *state) 262 { 263 const char *myname = "smtp_helo"; 264 SMTP_SESSION *session = state->session; 265 DELIVER_REQUEST *request = state->request; 266 SMTP_ITERATOR *iter = state->iterator; 267 SMTP_RESP *resp; 268 SMTP_RESP fake; 269 int except; 270 char *lines; 271 char *words; 272 char *word; 273 int n; 274 static const NAME_CODE xforward_features[] = { 275 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME, 276 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR, 277 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT, 278 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO, 279 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO, 280 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT, 281 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN, 282 0, 0, 283 }; 284 const char *ehlo_words; 285 int discard_mask; 286 static const NAME_MASK pix_bug_table[] = { 287 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP, 288 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF, 289 0, 290 }; 291 const char *pix_bug_words; 292 const char *pix_bug_source; 293 int pix_bug_mask; 294 295 #ifdef USE_TLS 296 int saved_features = session->features; 297 int tls_helo_status; 298 299 #endif 300 const char *NOCLOBBER where; 301 302 /* 303 * Prepare for disaster. 304 */ 305 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout, 306 var_smtp_rec_deadline); 307 if ((except = vstream_setjmp(state->session->stream)) != 0) 308 return (smtp_stream_except(state, except, where)); 309 310 /* 311 * If not recursing after STARTTLS, examine the server greeting banner 312 * and decide if we are going to send EHLO as the next command. 313 */ 314 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 315 316 /* 317 * Read and parse the server's SMTP greeting banner. 318 */ 319 where = "receiving the initial server greeting"; 320 switch ((resp = smtp_chat_resp(session))->code / 100) { 321 case 2: 322 break; 323 case 5: 324 if (var_smtp_skip_5xx_greeting) 325 STR(resp->dsn_buf)[0] = '4'; 326 /* FALLTHROUGH */ 327 default: 328 return (smtp_site_fail(state, STR(iter->host), resp, 329 "host %s refused to talk to me: %s", 330 session->namaddr, 331 translit(resp->str, "\n", " "))); 332 } 333 334 /* 335 * If the policy table specifies a bogus TLS security level, fail 336 * now. 337 */ 338 #ifdef USE_TLS 339 if (session->tls->level == TLS_LEV_INVALID) 340 /* Warning is already logged. */ 341 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 342 SMTP_RESP_FAKE(&fake, "4.7.0"), 343 "client TLS configuration problem")); 344 #endif 345 346 /* 347 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so 348 * it does not span a packet boundary. This hurts performance so it 349 * is not on by default. 350 */ 351 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) { 352 /* Best effort only. Ignore errors. */ 353 if (smtp_pix_bug_maps != 0 354 && (pix_bug_words = 355 maps_find(smtp_pix_bug_maps, 356 STR(iter->addr), 0)) != 0) { 357 pix_bug_source = SMTP_X(PIX_BUG_MAPS); 358 } else { 359 pix_bug_words = var_smtp_pix_bug_words; 360 pix_bug_source = SMTP_X(PIX_BUG_WORDS); 361 } 362 if (*pix_bug_words) { 363 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table, 364 pix_bug_words, 365 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE); 366 msg_info("%s: enabling PIX workarounds: %s for %s", 367 request->queue_id, 368 str_name_mask("pix workaround bitmask", 369 pix_bug_table, pix_bug_mask), 370 session->namaddrport); 371 session->features |= pix_bug_mask; 372 } 373 } 374 375 /* 376 * See if we are talking to ourself. This should not be possible with 377 * the way we implement DNS lookups. However, people are known to 378 * sometimes screw up the naming service. And, mailer loops are still 379 * possible when our own mailer routing tables are mis-configured. 380 */ 381 words = resp->str; 382 (void) mystrtok(&words, "- \t\n"); 383 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) { 384 if (n == 0 && strcasecmp(word, var_myhostname) == 0) { 385 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) 386 msg_warn("host %s greeted me with my own hostname %s", 387 session->namaddrport, var_myhostname); 388 } else if (strcasecmp(word, "ESMTP") == 0) 389 session->features |= SMTP_FEATURE_ESMTP; 390 } 391 if (smtp_mode) { 392 if (var_smtp_always_ehlo 393 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0) 394 session->features |= SMTP_FEATURE_ESMTP; 395 if (var_smtp_never_ehlo 396 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0) 397 session->features &= ~SMTP_FEATURE_ESMTP; 398 } else { 399 session->features |= SMTP_FEATURE_ESMTP; 400 } 401 } 402 403 /* 404 * If recursing after STARTTLS, there is no server greeting banner. 405 * Always send EHLO as the next command. 406 */ 407 else { 408 session->features |= SMTP_FEATURE_ESMTP; 409 } 410 411 /* 412 * Return the compliment. Fall back to SMTP if our ESMTP recognition 413 * heuristic failed. 414 */ 415 if (smtp_mode) { 416 where = "performing the EHLO handshake"; 417 if (session->features & SMTP_FEATURE_ESMTP) { 418 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name); 419 if ((resp = smtp_chat_resp(session))->code / 100 != 2) { 420 if (resp->code == 421) 421 return (smtp_site_fail(state, STR(iter->host), resp, 422 "host %s refused to talk to me: %s", 423 session->namaddr, 424 translit(resp->str, "\n", " "))); 425 else 426 session->features &= ~SMTP_FEATURE_ESMTP; 427 } 428 } 429 if ((session->features & SMTP_FEATURE_ESMTP) == 0) { 430 where = "performing the HELO handshake"; 431 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name); 432 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 433 return (smtp_site_fail(state, STR(iter->host), resp, 434 "host %s refused to talk to me: %s", 435 session->namaddr, 436 translit(resp->str, "\n", " "))); 437 } 438 } else { 439 where = "performing the LHLO handshake"; 440 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name); 441 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 442 return (smtp_site_fail(state, STR(iter->host), resp, 443 "host %s refused to talk to me: %s", 444 session->namaddr, 445 translit(resp->str, "\n", " "))); 446 } 447 448 /* 449 * No early returns allowed, to ensure consistent handling of TLS and 450 * SASL policies. 451 */ 452 if (session->features & SMTP_FEATURE_ESMTP) { 453 454 /* 455 * Determine what server EHLO keywords to ignore, typically to avoid 456 * inter-operability problems. 457 */ 458 if (smtp_ehlo_dis_maps == 0 459 || (ehlo_words = maps_find(smtp_ehlo_dis_maps, 460 STR(iter->addr), 0)) == 0) 461 ehlo_words = var_smtp_ehlo_dis_words; 462 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) { 463 msg_warn("%s: %s map lookup error for %s", 464 session->state->request->queue_id, 465 smtp_ehlo_dis_maps->title, STR(iter->addr)); 466 vstream_longjmp(session->stream, SMTP_ERR_DATA); 467 } 468 discard_mask = ehlo_mask(ehlo_words); 469 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 470 msg_info("discarding EHLO keywords: %s", 471 str_ehlo_mask(discard_mask)); 472 473 /* 474 * Pick up some useful features offered by the SMTP server. XXX Until 475 * we have a portable routine to convert from string to off_t with 476 * proper overflow detection, ignore the message size limit 477 * advertised by the SMTP server. Otherwise, we might do the wrong 478 * thing when the server advertises a really huge message size limit. 479 * 480 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", 481 * because MicroSoft implemented AUTH based on an old draft. 482 */ 483 lines = resp->str; 484 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) { 485 if (mystrtok(&words, "- ") 486 && (word = mystrtok(&words, " \t=")) != 0) { 487 if (n == 0) { 488 if (session->helo != 0) 489 myfree(session->helo); 490 491 /* 492 * XXX: Keep the original case: we don't expect a single 493 * SMTP server to randomly change the case of its helo 494 * response. If different capitalization is detected, we 495 * should assume disjoint TLS caches. 496 */ 497 session->helo = mystrdup(word); 498 if (strcasecmp(word, var_myhostname) == 0 499 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) { 500 msg_warn("host %s replied to HELO/EHLO" 501 " with my own hostname %s", 502 session->namaddrport, var_myhostname); 503 if (session->features & SMTP_FEATURE_BEST_MX) 504 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 505 SMTP_RESP_FAKE(&fake, "5.4.6"), 506 "mail for %s loops back to myself", 507 request->nexthop)); 508 else 509 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 510 SMTP_RESP_FAKE(&fake, "4.4.6"), 511 "mail for %s loops back to myself", 512 request->nexthop)); 513 } 514 } else if (strcasecmp(word, "8BITMIME") == 0) { 515 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 516 session->features |= SMTP_FEATURE_8BITMIME; 517 } else if (strcasecmp(word, "PIPELINING") == 0) { 518 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 519 session->features |= SMTP_FEATURE_PIPELINING; 520 } else if (strcasecmp(word, "XFORWARD") == 0) { 521 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) 522 while ((word = mystrtok(&words, " \t")) != 0) 523 session->features |= 524 name_code(xforward_features, 525 NAME_CODE_FLAG_NONE, word); 526 } else if (strcasecmp(word, "SIZE") == 0) { 527 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 528 session->features |= SMTP_FEATURE_SIZE; 529 if ((word = mystrtok(&words, " \t")) != 0) { 530 if (!alldig(word)) 531 msg_warn("bad EHLO SIZE limit \"%s\" from %s", 532 word, session->namaddrport); 533 else 534 session->size_limit = off_cvt_string(word); 535 } 536 } 537 #ifdef USE_TLS 538 } else if (strcasecmp(word, "STARTTLS") == 0) { 539 /* Ignored later if we already sent STARTTLS. */ 540 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 541 session->features |= SMTP_FEATURE_STARTTLS; 542 #endif 543 #ifdef USE_SASL_AUTH 544 } else if (var_smtp_sasl_enable 545 && strcasecmp(word, "AUTH") == 0) { 546 if ((discard_mask & EHLO_MASK_AUTH) == 0) 547 smtp_sasl_helo_auth(session, words); 548 #endif 549 } else if (strcasecmp(word, "DSN") == 0) { 550 if ((discard_mask & EHLO_MASK_DSN) == 0) 551 session->features |= SMTP_FEATURE_DSN; 552 } 553 n++; 554 } 555 } 556 } 557 if (msg_verbose) 558 msg_info("server features: 0x%x size %.0f", 559 session->features, (double) session->size_limit); 560 561 /* 562 * We use SMTP command pipelining if the server said it supported it. 563 * Since we use blocking I/O, RFC 2197 says that we should inspect the 564 * TCP window size and not send more than this amount of information. 565 * Unfortunately this information is unavailable using the sockets 566 * interface. However, we *can* get the TCP send buffer size on the local 567 * TCP/IP stack. We should be able to fill this buffer without being 568 * blocked, and then the kernel will effectively do non-blocking I/O for 569 * us by automatically writing out the contents of its send buffer while 570 * we are reading in the responses. In addition to TCP buffering we have 571 * to be aware of application-level buffering by the vstream module, 572 * which is limited to a couple kbytes. 573 * 574 * XXX No need to do this before and after STARTTLS, but it's not a big deal 575 * if we do. 576 * 577 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as 578 * TLS messages. Thus, the TCP-level payload will be larger than the 579 * SMTP-level payload. This has implications for the PIPELINING engine. 580 * 581 * To avoid deadlock, the PIPELINING engine needs to request a TCP send 582 * buffer size that can hold the unacknowledged commands plus the TLS 583 * encapsulation overhead. 584 * 585 * The PIPELINING engine keeps the unacknowledged command size <= the 586 * default VSTREAM buffer size (to avoid small-write performance issues 587 * when the VSTREAM buffer size is at its default size). With a default 588 * VSTREAM buffer size of 4096 there is no reason to increase the 589 * unacknowledged command size as the TCP MSS increases. It's safer to 590 * spread the remote SMTP server's recipient processing load over time, 591 * than dumping a very large recipient list all at once. 592 * 593 * For TLS encapsulation overhead we make a conservative guess: take the 594 * current protocol overhead of ~40 bytes, double the number for future 595 * proofing (~80 bytes), then round up the result to the nearest power of 596 * 2 (128 bytes). Plus, be prepared for worst-case compression that 597 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS 598 * message becomes 15 kbytes. 599 */ 600 #define PIPELINING_BUFSIZE VSTREAM_BUFSIZE 601 #ifdef USE_TLS 602 #define TLS_WORST_PAYLOAD 16384 603 #define TLS_WORST_COMP_OVERHD 1024 604 #define TLS_WORST_PROTO_OVERHD 128 605 #define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD) 606 #define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD) 607 #endif 608 609 if (session->features & SMTP_FEATURE_PIPELINING) { 610 SOCKOPT_SIZE optlen; 611 int tcp_bufsize; 612 int enc_overhead = 0; 613 614 optlen = sizeof(tcp_bufsize); 615 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET, 616 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0) 617 msg_fatal("%s: getsockopt: %m", myname); 618 #ifdef USE_TLS 619 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) 620 enc_overhead += 621 (1 + (PIPELINING_BUFSIZE - 1) 622 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD; 623 #endif 624 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) { 625 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead; 626 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET, 627 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0) 628 msg_fatal("%s: setsockopt: %m", myname); 629 } 630 if (msg_verbose) 631 msg_info("Using %s PIPELINING, TCP send buffer size is %d, " 632 "PIPELINING buffer size is %d", 633 smtp_mode ? "ESMTP" : "LMTP", 634 tcp_bufsize, PIPELINING_BUFSIZE); 635 } 636 #ifdef USE_TLS 637 638 /* 639 * Skip this part if we already sent STARTTLS. 640 */ 641 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 642 643 /* 644 * Optionally log unused STARTTLS opportunities. 645 */ 646 if ((session->features & SMTP_FEATURE_STARTTLS) && 647 var_smtp_tls_note_starttls_offer && 648 session->tls->level <= TLS_LEV_NONE) 649 msg_info("Host offered STARTTLS: [%s]", STR(iter->host)); 650 651 /* 652 * Decide whether or not to send STARTTLS. 653 */ 654 if ((session->features & SMTP_FEATURE_STARTTLS) != 0 655 && smtp_tls_ctx != 0 && session->tls->level >= TLS_LEV_MAY) { 656 657 /* 658 * Prepare for disaster. 659 */ 660 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 661 var_smtp_rec_deadline); 662 if ((except = vstream_setjmp(state->session->stream)) != 0) 663 return (smtp_stream_except(state, except, 664 "receiving the STARTTLS response")); 665 666 /* 667 * Send STARTTLS. Recurse when the server accepts STARTTLS, after 668 * resetting the SASL and EHLO features lists. 669 * 670 * Reset the SASL mechanism list to avoid spurious warnings. 671 * 672 * Use the smtp_sasl_tls_security_options feature to allow SASL 673 * mechanisms that may not be allowed with plain-text 674 * connections. 675 */ 676 smtp_chat_cmd(session, "STARTTLS"); 677 if ((resp = smtp_chat_resp(session))->code / 100 == 2) { 678 #ifdef USE_SASL_AUTH 679 if (session->features & SMTP_FEATURE_AUTH) 680 smtp_sasl_cleanup(session); 681 #endif 682 session->features = saved_features; 683 /* XXX Mix-up of per-session and per-request flags. */ 684 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 685 tls_helo_status = smtp_start_tls(state); 686 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 687 return (tls_helo_status); 688 } 689 690 /* 691 * Give up if we must use TLS but the server rejects STARTTLS 692 * although support for it was announced in the EHLO response. 693 */ 694 session->features &= ~SMTP_FEATURE_STARTTLS; 695 if (TLS_REQUIRED(session->tls->level)) 696 return (smtp_site_fail(state, STR(iter->host), resp, 697 "TLS is required, but host %s refused to start TLS: %s", 698 session->namaddr, 699 translit(resp->str, "\n", " "))); 700 /* Else try to continue in plain-text mode. */ 701 } 702 703 /* 704 * Give up if we must use TLS but can't for various reasons. 705 * 706 * 200412 Be sure to provide the default clause at the bottom of this 707 * block. When TLS is required we must never, ever, end up in 708 * plain-text mode. 709 */ 710 if (TLS_REQUIRED(session->tls->level)) { 711 if (!(session->features & SMTP_FEATURE_STARTTLS)) { 712 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 713 SMTP_RESP_FAKE(&fake, "4.7.4"), 714 "TLS is required, but was not offered by host %s", 715 session->namaddr)); 716 } else if (smtp_tls_ctx == 0) { 717 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 718 SMTP_RESP_FAKE(&fake, "4.7.5"), 719 "TLS is required, but our TLS engine is unavailable")); 720 } else { 721 msg_warn("%s: TLS is required but unavailable, don't know why", 722 myname); 723 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 724 SMTP_RESP_FAKE(&fake, "4.7.0"), 725 "TLS is required, but unavailable")); 726 } 727 } 728 } 729 #endif 730 #ifdef USE_SASL_AUTH 731 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH)) 732 return (smtp_sasl_helo_login(state)); 733 #endif 734 735 return (0); 736 } 737 738 #ifdef USE_TLS 739 740 /* smtp_start_tls - turn on TLS and recurse into the HELO dialog */ 741 742 static int smtp_start_tls(SMTP_STATE *state) 743 { 744 SMTP_SESSION *session = state->session; 745 SMTP_ITERATOR *iter = state->iterator; 746 TLS_CLIENT_START_PROPS tls_props; 747 VSTRING *serverid; 748 SMTP_RESP fake; 749 750 /* 751 * Turn off SMTP connection caching. When the TLS handshake succeeds, we 752 * can't reuse the SMTP connection. Reason: we can't turn off TLS in one 753 * process, save the connection to the cache which is shared with all 754 * SMTP clients, migrate the connection to another SMTP client, and 755 * resume TLS there. When the TLS handshake fails, we can't reuse the 756 * SMTP connection either, because the conversation is in an unknown 757 * state. 758 */ 759 DONT_CACHE_THIS_SESSION; 760 761 /* 762 * The following assumes sites that use TLS in a perverse configuration: 763 * multiple hosts per hostname, or even multiple hosts per IP address. 764 * All this without a shared TLS session cache, and they still want to 765 * use TLS session caching??? 766 * 767 * The TLS session cache records the trust chain verification status of 768 * cached sessions. Different transports may have different CAfile or 769 * CApath settings, perhaps to allow authenticated connections to sites 770 * with private CA certs without trusting said private certs for other 771 * sites. So we cannot assume that a trust chain valid for one transport 772 * is valid for another. Therefore the client session id must include 773 * either the transport name or the values of CAfile and CApath. We use 774 * the transport name. 775 * 776 * XXX: We store only one session per lookup key. Ideally the the key maps 777 * 1-to-1 to a server TLS session cache. We use the IP address, port and 778 * ehlo response name to build a lookup key that works for split caches 779 * (that announce distinct names) behind a load balancer. 780 * 781 * XXX: The TLS library will salt the serverid with further details of the 782 * protocol and cipher requirements including the server ehlo response. 783 * Deferring the helo to the digested suffix results in more predictable 784 * SSL session lookup key lengths. 785 */ 786 serverid = vstring_alloc(10); 787 smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE 788 | SMTP_KEY_FLAG_NEXTHOP /* With port */ 789 | SMTP_KEY_FLAG_HOSTNAME 790 | SMTP_KEY_FLAG_ADDR); 791 792 /* 793 * As of Postfix 2.5, tls_client_start() tries hard to always complete 794 * the TLS handshake. It records the verification and match status in the 795 * resulting TLScontext. It is now up to the application to abort the TLS 796 * connection if it chooses. 797 * 798 * XXX When tls_client_start() fails then we don't know what state the SMTP 799 * connection is in, so we give up on this connection even if we are not 800 * required to use TLS. 801 * 802 * Large parameter lists are error-prone, so we emulate a language feature 803 * that C does not have natively: named parameter lists. 804 */ 805 session->tls_context = 806 TLS_CLIENT_START(&tls_props, 807 ctx = smtp_tls_ctx, 808 stream = session->stream, 809 timeout = var_smtp_starttls_tmout, 810 tls_level = session->tls->level, 811 nexthop = session->tls_nexthop, 812 host = STR(iter->host), 813 namaddr = session->namaddrport, 814 serverid = vstring_str(serverid), 815 helo = session->helo, 816 protocols = session->tls->protocols, 817 cipher_grade = session->tls->grade, 818 cipher_exclusions 819 = vstring_str(session->tls->exclusions), 820 matchargv = session->tls->matchargv, 821 mdalg = var_smtp_tls_fpt_dgst, 822 dane = session->tls->dane); 823 vstring_free(serverid); 824 825 if (session->tls_context == 0) { 826 827 /* 828 * We must avoid further I/O, the peer is in an undefined state. 829 */ 830 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 831 DONT_USE_DEAD_SESSION; 832 833 /* 834 * If TLS is optional, try delivery to the same server over a 835 * plaintext connection. Otherwise we would defer mail forever with 836 * destinations that have no alternate MX host. 837 * 838 * Don't fall back to plaintext if we were willing to use SASL-over-TLS 839 * authentication. If the server doesn't announce SASL support over 840 * plaintext connections, then we don't want delivery to fail with 841 * "relay access denied". 842 */ 843 if (session->tls->level == TLS_LEV_MAY 844 #ifdef USE_SASL_AUTH 845 && !(var_smtp_sasl_enable 846 && *var_smtp_sasl_passwd 847 && smtp_sasl_passwd_lookup(session)) 848 #endif 849 ) 850 RETRY_AS_PLAINTEXT; 851 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 852 SMTP_RESP_FAKE(&fake, "4.7.5"), 853 "Cannot start TLS: handshake failure")); 854 } 855 856 /* 857 * If we are verifying the server certificate and are not happy with the 858 * result, abort the delivery here. We have a usable TLS session with the 859 * server, so no need to disable I/O, ... we can even be polite and send 860 * "QUIT". 861 * 862 * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require 863 * matching. Levels >= "dane" require CA or DNSSEC trust. 864 * 865 * When DANE TLSA records specify an end-entity certificate, the trust and 866 * match bits always coincide, but it is fine to report the wrong 867 * end-entity certificate as untrusted rather than unmatched. 868 */ 869 if (TLS_MUST_TRUST(session->tls->level)) 870 if (!TLS_CERT_IS_TRUSTED(session->tls_context)) 871 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 872 SMTP_RESP_FAKE(&fake, "4.7.5"), 873 "Server certificate not trusted")); 874 if (TLS_MUST_MATCH(session->tls->level)) 875 if (!TLS_CERT_IS_MATCHED(session->tls_context)) 876 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 877 SMTP_RESP_FAKE(&fake, "4.7.5"), 878 "Server certificate not verified")); 879 880 /* At this point there must not be any pending plaintext. */ 881 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 882 883 /* 884 * At this point we have to re-negotiate the "EHLO" to reget the 885 * feature-list. 886 */ 887 return (smtp_helo(state)); 888 } 889 890 #endif 891 892 /* smtp_hbc_logger - logging call-back for header/body checks */ 893 894 static void smtp_hbc_logger(void *context, const char *action, 895 const char *where, const char *content, 896 const char *text) 897 { 898 const SMTP_STATE *state = (SMTP_STATE *) context; 899 900 if (*text) { 901 msg_info("%s: %s: %s %.60s: %s", 902 state->request->queue_id, action, where, content, text); 903 } else { 904 msg_info("%s: %s: %s %.60s", 905 state->request->queue_id, action, where, content); 906 } 907 } 908 909 /* smtp_text_out - output one header/body record */ 910 911 static void smtp_text_out(void *context, int rec_type, 912 const char *text, ssize_t len, 913 off_t unused_offset) 914 { 915 SMTP_STATE *state = (SMTP_STATE *) context; 916 SMTP_SESSION *session = state->session; 917 ssize_t data_left; 918 const char *data_start; 919 920 /* 921 * Deal with an impedance mismatch between Postfix queue files (record 922 * length <= $message_line_length_limit) and SMTP (DATA record length <= 923 * $smtp_line_length_limit). The code below does a little too much work 924 * when the SMTP line length limit is disabled, but it avoids code 925 * duplication, and thus, it avoids testing and maintenance problems. 926 */ 927 data_left = len; 928 data_start = text; 929 do { 930 if (state->space_left == var_smtp_line_limit 931 && data_left > 0 && *data_start == '.') 932 smtp_fputc('.', session->stream); 933 if (var_smtp_line_limit > 0 && data_left >= state->space_left) { 934 smtp_fputs(data_start, state->space_left, session->stream); 935 data_start += state->space_left; 936 data_left -= state->space_left; 937 state->space_left = var_smtp_line_limit; 938 if (data_left > 0 || rec_type == REC_TYPE_CONT) { 939 smtp_fputc(' ', session->stream); 940 state->space_left -= 1; 941 } 942 } else { 943 if (rec_type == REC_TYPE_CONT) { 944 smtp_fwrite(data_start, data_left, session->stream); 945 state->space_left -= data_left; 946 } else { 947 smtp_fputs(data_start, data_left, session->stream); 948 state->space_left = var_smtp_line_limit; 949 } 950 break; 951 } 952 } while (data_left > 0); 953 } 954 955 /* smtp_format_out - output one header/body record */ 956 957 static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...); 958 959 static void smtp_format_out(void *context, int rec_type, const char *fmt,...) 960 { 961 static VSTRING *vp; 962 va_list ap; 963 964 if (vp == 0) 965 vp = vstring_alloc(100); 966 va_start(ap, fmt); 967 vstring_vsprintf(vp, fmt, ap); 968 va_end(ap); 969 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0); 970 } 971 972 /* smtp_header_out - output one message header */ 973 974 static void smtp_header_out(void *context, int unused_header_class, 975 const HEADER_OPTS *unused_info, 976 VSTRING *buf, off_t offset) 977 { 978 char *start = vstring_str(buf); 979 char *line; 980 char *next_line; 981 982 /* 983 * This code destroys the header. We could try to avoid clobbering it, 984 * but we're not going to use the data any further. 985 */ 986 for (line = start; line; line = next_line) { 987 next_line = split_at(line, '\n'); 988 smtp_text_out(context, REC_TYPE_NORM, line, next_line ? 989 next_line - line - 1 : strlen(line), offset); 990 } 991 } 992 993 /* smtp_header_rewrite - rewrite message header before output */ 994 995 static void smtp_header_rewrite(void *context, int header_class, 996 const HEADER_OPTS *header_info, 997 VSTRING *buf, off_t offset) 998 { 999 SMTP_STATE *state = (SMTP_STATE *) context; 1000 int did_rewrite = 0; 1001 char *line; 1002 char *start; 1003 char *next_line; 1004 char *end_line; 1005 char *result; 1006 1007 /* 1008 * Apply optional header filtering. 1009 */ 1010 if (smtp_header_checks) { 1011 result = hbc_header_checks(context, smtp_header_checks, header_class, 1012 header_info, buf, offset); 1013 if (result == 0) 1014 return; 1015 if (result == HBC_CHECKS_STAT_ERROR) { 1016 msg_warn("%s: smtp header checks lookup error", 1017 state->request->queue_id); 1018 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1019 } 1020 if (result != STR(buf)) { 1021 vstring_strcpy(buf, result); 1022 myfree(result); 1023 } 1024 } 1025 1026 /* 1027 * Rewrite primary header addresses that match the smtp_generic_maps. The 1028 * cleanup server already enforces that all headers have proper lengths 1029 * and that all addresses are in proper form, so we don't have to repeat 1030 * that. 1031 */ 1032 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY 1033 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) { 1034 TOK822 *tree; 1035 TOK822 **addr_list; 1036 TOK822 **tpp; 1037 1038 tree = tok822_parse(vstring_str(buf) 1039 + strlen(header_info->name) + 1); 1040 addr_list = tok822_grep(tree, TOK822_ADDR); 1041 for (tpp = addr_list; *tpp; tpp++) 1042 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps, 1043 smtp_ext_prop_mask & EXT_PROP_GENERIC); 1044 if (did_rewrite) { 1045 vstring_truncate(buf, strlen(header_info->name)); 1046 vstring_strcat(buf, ": "); 1047 tok822_externalize(buf, tree, TOK822_STR_HEAD); 1048 } 1049 myfree((char *) addr_list); 1050 tok822_free_tree(tree); 1051 } 1052 1053 /* 1054 * Pass through unmodified headers without reconstruction. 1055 */ 1056 if (did_rewrite == 0) { 1057 smtp_header_out(context, header_class, header_info, buf, offset); 1058 return; 1059 } 1060 1061 /* 1062 * A rewritten address list contains one address per line. The code below 1063 * replaces newlines by spaces, to fit as many addresses on a line as 1064 * possible (without rearranging the order of addresses). Prepending 1065 * white space to the beginning of lines is delegated to the output 1066 * routine. 1067 * 1068 * Code derived from cleanup_fold_header(). 1069 */ 1070 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1071 end_line = line + strcspn(line, "\n"); 1072 if (line > start) { 1073 if (end_line - start < 70) { /* TAB counts as one */ 1074 line[-1] = ' '; 1075 } else { 1076 start = line; 1077 } 1078 } 1079 next_line = *end_line ? end_line + 1 : 0; 1080 } 1081 1082 /* 1083 * Prepend a tab to continued header lines that went through the address 1084 * rewriting machinery. Just like smtp_header_out(), this code destroys 1085 * the header. We could try to avoid clobbering it, but we're not going 1086 * to use the data any further. 1087 * 1088 * Code derived from cleanup_out_header(). 1089 */ 1090 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1091 next_line = split_at(line, '\n'); 1092 if (line == start || IS_SPACE_TAB(*line)) { 1093 smtp_text_out(state, REC_TYPE_NORM, line, next_line ? 1094 next_line - line - 1 : strlen(line), offset); 1095 } else { 1096 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line); 1097 } 1098 } 1099 } 1100 1101 /* smtp_body_rewrite - rewrite message body before output */ 1102 1103 static void smtp_body_rewrite(void *context, int type, 1104 const char *buf, ssize_t len, 1105 off_t offset) 1106 { 1107 SMTP_STATE *state = (SMTP_STATE *) context; 1108 char *result; 1109 1110 /* 1111 * Apply optional body filtering. 1112 */ 1113 if (smtp_body_checks) { 1114 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset); 1115 if (result == buf) { 1116 smtp_text_out(state, type, buf, len, offset); 1117 } else if (result == HBC_CHECKS_STAT_ERROR) { 1118 msg_warn("%s: smtp body checks lookup error", 1119 state->request->queue_id); 1120 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1121 } else if (result != 0) { 1122 smtp_text_out(state, type, result, strlen(result), offset); 1123 myfree(result); 1124 } 1125 } 1126 } 1127 1128 /* smtp_mime_fail - MIME problem */ 1129 1130 static void smtp_mime_fail(SMTP_STATE *state, int mime_errs) 1131 { 1132 const MIME_STATE_DETAIL *detail; 1133 SMTP_RESP fake; 1134 1135 detail = mime_state_detail(mime_errs); 1136 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1137 SMTP_RESP_FAKE(&fake, detail->dsn), 1138 "%s", detail->text); 1139 } 1140 1141 /* smtp_loop - exercise the SMTP protocol engine */ 1142 1143 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, 1144 NOCLOBBER int recv_state) 1145 { 1146 const char *myname = "smtp_loop"; 1147 DELIVER_REQUEST *request = state->request; 1148 SMTP_SESSION *session = state->session; 1149 SMTP_ITERATOR *iter = state->iterator; 1150 SMTP_RESP *resp; 1151 RECIPIENT *rcpt; 1152 VSTRING *next_command = vstring_alloc(100); 1153 int *NOCLOBBER survivors = 0; 1154 NOCLOBBER int next_state; 1155 NOCLOBBER int next_rcpt; 1156 NOCLOBBER int send_rcpt; 1157 NOCLOBBER int recv_rcpt; 1158 NOCLOBBER int nrcpt; 1159 NOCLOBBER int recv_done; 1160 int except; 1161 int rec_type; 1162 NOCLOBBER int prev_type = 0; 1163 NOCLOBBER int mail_from_rejected; 1164 NOCLOBBER int downgrading; 1165 int mime_errs; 1166 SMTP_RESP fake; 1167 int fail_status; 1168 1169 /* 1170 * Macros for readability. 1171 */ 1172 #define REWRITE_ADDRESS(dst, src) do { \ 1173 vstring_strcpy(dst, src); \ 1174 if (*(src) && smtp_generic_maps) \ 1175 smtp_map11_internal(dst, smtp_generic_maps, \ 1176 smtp_ext_prop_mask & EXT_PROP_GENERIC); \ 1177 } while (0) 1178 1179 #define QUOTE_ADDRESS(dst, src) do { \ 1180 if (*(src) && var_smtp_quote_821_env) { \ 1181 quote_821_local(dst, src); \ 1182 } else { \ 1183 vstring_strcpy(dst, src); \ 1184 } \ 1185 } while (0) 1186 1187 /* Caution: changes to RETURN() also affect code outside the main loop. */ 1188 1189 #define RETURN(x) do { \ 1190 if (recv_state != SMTP_STATE_LAST) \ 1191 DONT_CACHE_THIS_SESSION; \ 1192 vstring_free(next_command); \ 1193 if (survivors) \ 1194 myfree((char *) survivors); \ 1195 if (session->mime_state) \ 1196 session->mime_state = mime_state_free(session->mime_state); \ 1197 return (x); \ 1198 } while (0) 1199 1200 #define SENDER_IS_AHEAD \ 1201 (recv_state < send_state || recv_rcpt != send_rcpt) 1202 1203 #define SENDER_IN_WAIT_STATE \ 1204 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST) 1205 1206 #define SENDING_MAIL \ 1207 (recv_state <= SMTP_STATE_DOT) 1208 1209 #define CANT_RSET_THIS_SESSION \ 1210 (session->features |= SMTP_FEATURE_RSET_REJECTED) 1211 1212 /* 1213 * Pipelining support requires two loops: one loop for sending and one 1214 * for receiving. Each loop has its own independent state. Most of the 1215 * time the sender can run ahead of the receiver by as much as the TCP 1216 * send buffer permits. There are only two places where the sender must 1217 * wait for status information from the receiver: once after sending DATA 1218 * and once after sending QUIT. 1219 * 1220 * The sender state advances until the TCP send buffer would overflow, or 1221 * until the sender needs status information from the receiver. At that 1222 * point the receiver starts processing responses. Once the receiver has 1223 * caught up with the sender, the sender resumes sending commands. If the 1224 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO 1225 * commands rejected, DATA rejected) it forces the sender to abort the 1226 * SMTP dialog with RSET and QUIT. 1227 */ 1228 nrcpt = 0; 1229 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0; 1230 mail_from_rejected = 0; 1231 1232 /* 1233 * Prepare for disaster. This should not be needed because the design 1234 * guarantees that no output is flushed before smtp_chat_resp() is 1235 * called. 1236 * 1237 * 1) Every SMTP command fits entirely in a VSTREAM output buffer. 1238 * 1239 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that 1240 * there is sufficient space for the command in the output buffer. 1241 * 1242 * 3) smtp_loop() flushes the output buffer to avoid server timeouts. 1243 * 1244 * Changing any of these would violate the design, and would likely break 1245 * SMTP pipelining. 1246 * 1247 * We set up the error handler anyway (only upon entry to avoid wasting 1248 * resources) because 1) there is code below that expects that VSTREAM 1249 * timeouts are enabled, and 2) this allows us to detect if someone broke 1250 * Postfix by introducing spurious flush before read operations. 1251 */ 1252 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR 1253 || send_state > SMTP_STATE_QUIT) 1254 msg_panic("%s: bad sender state %d (receiver state %d)", 1255 myname, send_state, recv_state); 1256 smtp_stream_setup(session->stream, *xfer_timeouts[send_state], 1257 var_smtp_rec_deadline); 1258 if ((except = vstream_setjmp(session->stream)) != 0) { 1259 msg_warn("smtp_proto: spurious flush before read in send state %d", 1260 send_state); 1261 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1262 xfer_states[send_state]) : -1); 1263 } 1264 1265 /* 1266 * The main protocol loop. 1267 */ 1268 do { 1269 1270 /* 1271 * Build the next command. 1272 */ 1273 switch (send_state) { 1274 1275 /* 1276 * Sanity check. 1277 */ 1278 default: 1279 msg_panic("%s: bad sender state %d", myname, send_state); 1280 1281 /* 1282 * Build the XFORWARD command. With properly sanitized 1283 * information, the command length stays within the 512 byte 1284 * command line length limit. 1285 * 1286 * XXX smtpd_xforward_preset() initializes some fields as "unknown" 1287 * and some as null; historically, pickup(8) does not send any of 1288 * these, and the queue manager presets absent fields to "not 1289 * available" except for the rewrite context which is preset to 1290 * local by way of migration aid. These definitions need to be 1291 * centralized for maintainability. 1292 */ 1293 #ifndef CAN_FORWARD_CLIENT_NAME 1294 #define _ATTR_AVAIL_AND_KNOWN_(val) \ 1295 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) 1296 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ 1297 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ 1298 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ 1299 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ 1300 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL 1301 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL 1302 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL 1303 #endif 1304 1305 case SMTP_STATE_XFORWARD_NAME_ADDR: 1306 vstring_strcpy(next_command, XFORWARD_CMD); 1307 if ((session->features & SMTP_FEATURE_XFORWARD_NAME) 1308 && CAN_FORWARD_CLIENT_NAME(request->client_name)) { 1309 vstring_strcat(next_command, " " XFORWARD_NAME "="); 1310 xtext_quote_append(next_command, request->client_name, ""); 1311 } 1312 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 1313 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { 1314 vstring_strcat(next_command, " " XFORWARD_ADDR "="); 1315 xtext_quote_append(next_command, request->client_addr, ""); 1316 } 1317 if ((session->features & SMTP_FEATURE_XFORWARD_PORT) 1318 && CAN_FORWARD_CLIENT_PORT(request->client_port)) { 1319 vstring_strcat(next_command, " " XFORWARD_PORT "="); 1320 xtext_quote_append(next_command, request->client_port, ""); 1321 } 1322 if (session->send_proto_helo) 1323 next_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1324 else 1325 next_state = SMTP_STATE_MAIL; 1326 break; 1327 1328 case SMTP_STATE_XFORWARD_PROTO_HELO: 1329 vstring_strcpy(next_command, XFORWARD_CMD); 1330 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) 1331 && CAN_FORWARD_PROTO_NAME(request->client_proto)) { 1332 vstring_strcat(next_command, " " XFORWARD_PROTO "="); 1333 xtext_quote_append(next_command, request->client_proto, ""); 1334 } 1335 if ((session->features & SMTP_FEATURE_XFORWARD_HELO) 1336 && CAN_FORWARD_HELO_NAME(request->client_helo)) { 1337 vstring_strcat(next_command, " " XFORWARD_HELO "="); 1338 xtext_quote_append(next_command, request->client_helo, ""); 1339 } 1340 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 1341 && CAN_FORWARD_IDENT_NAME(request->log_ident)) { 1342 vstring_strcat(next_command, " " XFORWARD_IDENT "="); 1343 xtext_quote_append(next_command, request->log_ident, ""); 1344 } 1345 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 1346 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { 1347 vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); 1348 xtext_quote_append(next_command, 1349 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 1350 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, ""); 1351 } 1352 next_state = SMTP_STATE_MAIL; 1353 break; 1354 1355 /* 1356 * Build the MAIL FROM command. 1357 */ 1358 case SMTP_STATE_MAIL: 1359 request->msg_stats.reuse_count = session->reuse_count; 1360 GETTIMEOFDAY(&request->msg_stats.conn_setup_done); 1361 REWRITE_ADDRESS(session->scratch2, request->sender); 1362 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1363 vstring_sprintf(next_command, "MAIL FROM:<%s>", 1364 vstring_str(session->scratch)); 1365 /* XXX Don't announce SIZE if we're going to MIME downgrade. */ 1366 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */ 1367 && !SMTP_MIME_DOWNGRADE(session, request)) 1368 vstring_sprintf_append(next_command, " SIZE=%lu", 1369 request->data_size); 1370 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */ 1371 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0) 1372 vstring_strcat(next_command, " BODY=8BITMIME"); 1373 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0) 1374 vstring_strcat(next_command, " BODY=7BIT"); 1375 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0) 1376 msg_warn("%s: unknown content encoding: %s", 1377 request->queue_id, request->encoding); 1378 } 1379 if (session->features & SMTP_FEATURE_DSN) { 1380 if (request->dsn_envid[0]) { 1381 vstring_sprintf_append(next_command, " ENVID="); 1382 xtext_quote_append(next_command, request->dsn_envid, "+="); 1383 } 1384 if (request->dsn_ret) 1385 vstring_sprintf_append(next_command, " RET=%s", 1386 dsn_ret_str(request->dsn_ret)); 1387 } 1388 1389 /* 1390 * We authenticate the local MTA only, but not the sender. 1391 */ 1392 #ifdef USE_SASL_AUTH 1393 if (var_smtp_sasl_enable 1394 && var_smtp_dummy_mail_auth 1395 && (session->features & SMTP_FEATURE_AUTH)) 1396 vstring_strcat(next_command, " AUTH=<>"); 1397 #endif 1398 1399 /* 1400 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail 1401 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA 1402 * commands to our TLS session. 1403 * 1404 * For the attack to succeed, the remote SMTP server must reply to 1405 * the malicious EHLO/MAIL/RCPT/DATA commands after completing 1406 * TLS (re)negotiation, so that the replies arrive in our TLS 1407 * session (otherwise the Postfix SMTP client would time out 1408 * waiting for an answer). With some luck we can detect this 1409 * specific attack as a server MAIL reply that arrives before we 1410 * send our own MAIL command. 1411 * 1412 * We don't apply this test to the HELO command because the result 1413 * would be very timing sensitive, and we don't apply this test 1414 * to RCPT and DATA replies because these may be pipelined for 1415 * legitimate reasons. 1416 */ 1417 #ifdef USE_TLS 1418 if (var_smtp_tls_blk_early_mail_reply 1419 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 1420 && (vstream_peek(session->stream) > 0 1421 || peekfd(vstream_fileno(session->stream)) > 0)) 1422 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY; 1423 #endif 1424 1425 /* 1426 * We now return to our regular broadcast. 1427 */ 1428 next_state = SMTP_STATE_RCPT; 1429 break; 1430 1431 /* 1432 * Build one RCPT TO command before we have seen the MAIL FROM 1433 * response. 1434 */ 1435 case SMTP_STATE_RCPT: 1436 rcpt = request->rcpt_list.info + send_rcpt; 1437 REWRITE_ADDRESS(session->scratch2, rcpt->address); 1438 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1439 vstring_sprintf(next_command, "RCPT TO:<%s>", 1440 vstring_str(session->scratch)); 1441 if (session->features & SMTP_FEATURE_DSN) { 1442 /* XXX DSN xtext encode address value not type. */ 1443 if (rcpt->dsn_orcpt[0]) { 1444 xtext_quote(session->scratch, rcpt->dsn_orcpt, "+="); 1445 vstring_sprintf_append(next_command, " ORCPT=%s", 1446 vstring_str(session->scratch)); 1447 } else if (rcpt->orig_addr[0]) { 1448 quote_822_local(session->scratch, rcpt->orig_addr); 1449 vstring_sprintf(session->scratch2, "rfc822;%s", 1450 vstring_str(session->scratch)); 1451 xtext_quote(session->scratch, vstring_str(session->scratch2), "+="); 1452 vstring_sprintf_append(next_command, " ORCPT=%s", 1453 vstring_str(session->scratch)); 1454 } 1455 if (rcpt->dsn_notify) 1456 vstring_sprintf_append(next_command, " NOTIFY=%s", 1457 dsn_notify_str(rcpt->dsn_notify)); 1458 } 1459 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state)) 1460 next_state = DEL_REQ_TRACE_ONLY(request->flags) ? 1461 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1462 break; 1463 1464 /* 1465 * Build the DATA command before we have seen all the RCPT TO 1466 * responses. 1467 */ 1468 case SMTP_STATE_DATA: 1469 vstring_strcpy(next_command, "DATA"); 1470 next_state = SMTP_STATE_DOT; 1471 break; 1472 1473 /* 1474 * Build the "." command after we have seen the DATA response 1475 * (DATA is a protocol synchronization point). 1476 * 1477 * Changing the connection caching state here is safe because it 1478 * affects none of the not-yet processed replies to 1479 * already-generated commands. 1480 */ 1481 case SMTP_STATE_DOT: 1482 vstring_strcpy(next_command, "."); 1483 if (THIS_SESSION_IS_EXPIRED) 1484 DONT_CACHE_THIS_SESSION; 1485 next_state = THIS_SESSION_IS_CACHED ? 1486 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1487 break; 1488 1489 /* 1490 * The SMTP_STATE_ABORT sender state is entered by the sender 1491 * when it has verified all recipients; or it is entered by the 1492 * receiver when all recipients are verified or rejected, and is 1493 * then left before the bottom of the main loop. 1494 * 1495 * Changing the connection caching state here is safe because there 1496 * are no not-yet processed replies to already-generated 1497 * commands. 1498 */ 1499 case SMTP_STATE_ABORT: 1500 vstring_strcpy(next_command, "RSET"); 1501 if (THIS_SESSION_IS_EXPIRED) 1502 DONT_CACHE_THIS_SESSION; 1503 next_state = THIS_SESSION_IS_CACHED ? 1504 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1505 break; 1506 1507 /* 1508 * Build the RSET command. This is entered as initial state from 1509 * smtp_rset() and has its own dedicated state transitions. It is 1510 * used to find out the status of a cached session before 1511 * attempting mail delivery. 1512 */ 1513 case SMTP_STATE_RSET: 1514 vstring_strcpy(next_command, "RSET"); 1515 next_state = SMTP_STATE_LAST; 1516 break; 1517 1518 /* 1519 * Build the QUIT command before we have seen the "." or RSET 1520 * response. This is entered as initial state from smtp_quit(), 1521 * or is reached near the end of any non-cached session. 1522 * 1523 * Changing the connection caching state here is safe. If this 1524 * command is pipelined together with a preceding command, then 1525 * connection caching was already turned off. Do not clobber the 1526 * "bad connection" flag. 1527 */ 1528 case SMTP_STATE_QUIT: 1529 vstring_strcpy(next_command, "QUIT"); 1530 next_state = SMTP_STATE_LAST; 1531 if (THIS_SESSION_IS_CACHED) 1532 DONT_CACHE_THIS_SESSION; 1533 break; 1534 1535 /* 1536 * The final sender state has no action associated with it. 1537 */ 1538 case SMTP_STATE_LAST: 1539 VSTRING_RESET(next_command); 1540 break; 1541 } 1542 VSTRING_TERMINATE(next_command); 1543 1544 /* 1545 * Process responses until the receiver has caught up. Vstreams 1546 * automatically flush buffered output when reading new data. 1547 * 1548 * Flush unsent output if command pipelining is off or if no I/O 1549 * happened for a while. This limits the accumulation of client-side 1550 * delays in pipelined sessions. 1551 * 1552 * The PIPELINING engine will flush the VSTREAM buffer if the sender 1553 * could otherwise produce more output than fits the PIPELINING 1554 * buffer. This generally works because we know exactly how much 1555 * output we produced since the last time that the sender and 1556 * receiver synchronized the SMTP state. However this logic is not 1557 * applicable after the sender enters the DATA phase, where it does 1558 * not synchronize with the receiver until the <CR><LF>.<CR><LF>. 1559 * Thus, the PIPELINING engine no longer knows how much data is 1560 * pending in the TCP send buffer. For this reason, if PIPELINING is 1561 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is 1562 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP 1563 * stack either has already received the QUIT<CR><LF>, or else it 1564 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>, 1565 * making room in the sender's TCP stack for QUIT<CR><LF>. 1566 */ 1567 #define CHECK_PIPELINING_BUFSIZE \ 1568 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT) 1569 1570 if (SENDER_IN_WAIT_STATE 1571 || (SENDER_IS_AHEAD 1572 && ((session->features & SMTP_FEATURE_PIPELINING) == 0 1573 || (CHECK_PIPELINING_BUFSIZE 1574 && (VSTRING_LEN(next_command) + 2 1575 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND) 1576 > PIPELINING_BUFSIZE)) 1577 || time((time_t *) 0) 1578 - vstream_ftime(session->stream) > 10))) { 1579 while (SENDER_IS_AHEAD) { 1580 1581 /* 1582 * Sanity check. 1583 */ 1584 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR 1585 || recv_state > SMTP_STATE_QUIT) 1586 msg_panic("%s: bad receiver state %d (sender state %d)", 1587 myname, recv_state, send_state); 1588 1589 /* 1590 * Receive the next server response. Use the proper timeout, 1591 * and log the proper client state in case of trouble. 1592 * 1593 * XXX If we lose the connection before sending end-of-data, 1594 * find out if the server sent a premature end-of-data reply. 1595 * If this read attempt fails, report "lost connection while 1596 * sending message body", not "lost connection while sending 1597 * end-of-data". 1598 * 1599 * "except" becomes zero just above the protocol loop, and stays 1600 * zero or triggers an early return from the loop. In just 1601 * one case: loss of the connection when sending the message 1602 * body, we record the exception, and keep processing in the 1603 * hope of detecting a premature 5XX. We must be careful to 1604 * not clobber this non-zero value once it is set. The 1605 * variable need not survive longjmp() calls, since the only 1606 * setjmp() which does not return early is the one sets this 1607 * condition, subquent failures always return early. 1608 */ 1609 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) 1610 1611 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state], 1612 var_smtp_rec_deadline); 1613 if (LOST_CONNECTION_INSIDE_DATA) { 1614 if (vstream_setjmp(session->stream) != 0) 1615 RETURN(smtp_stream_except(state, SMTP_ERR_EOF, 1616 "sending message body")); 1617 } else { 1618 if ((except = vstream_setjmp(session->stream)) != 0) 1619 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1620 xfer_states[recv_state]) : -1); 1621 } 1622 resp = smtp_chat_resp(session); 1623 1624 /* 1625 * Process the response. 1626 */ 1627 switch (recv_state) { 1628 1629 /* 1630 * Process the XFORWARD response. 1631 */ 1632 case SMTP_STATE_XFORWARD_NAME_ADDR: 1633 if (resp->code / 100 != 2) 1634 msg_warn("host %s said: %s (in reply to %s)", 1635 session->namaddrport, 1636 translit(resp->str, "\n", " "), 1637 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]); 1638 if (session->send_proto_helo) 1639 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1640 else 1641 recv_state = SMTP_STATE_MAIL; 1642 break; 1643 1644 case SMTP_STATE_XFORWARD_PROTO_HELO: 1645 if (resp->code / 100 != 2) 1646 msg_warn("host %s said: %s (in reply to %s)", 1647 session->namaddrport, 1648 translit(resp->str, "\n", " "), 1649 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]); 1650 recv_state = SMTP_STATE_MAIL; 1651 break; 1652 1653 /* 1654 * Process the MAIL FROM response. When the server 1655 * rejects the sender, set the mail_from_rejected flag so 1656 * that the receiver may apply a course correction. 1657 */ 1658 case SMTP_STATE_MAIL: 1659 if (resp->code / 100 != 2) { 1660 smtp_mesg_fail(state, STR(iter->host), resp, 1661 "host %s said: %s (in reply to %s)", 1662 session->namaddr, 1663 translit(resp->str, "\n", " "), 1664 xfer_request[SMTP_STATE_MAIL]); 1665 mail_from_rejected = 1; 1666 } 1667 1668 /* 1669 * CVE-2009-3555 (TLS renegotiation). Whatever it was 1670 * that arrived before we sent our MAIL FROM command, it 1671 * was not a fatal-level TLS alert message. It could be a 1672 * warning-level TLS alert message, or a ChangeCipherSpec 1673 * message, but such messages are not normally sent in 1674 * the middle of a TLS session. We disconnect and try 1675 * again later. 1676 */ 1677 #ifdef USE_TLS 1678 if (var_smtp_tls_blk_early_mail_reply 1679 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) { 1680 smtp_site_fail(state, DSN_BY_LOCAL_MTA, 1681 SMTP_RESP_FAKE(&fake, "4.7.0"), 1682 "unexpected server message"); 1683 msg_warn("server %s violates %s policy", 1684 session->namaddr, 1685 SMTP_X(TLS_BLK_EARLY_MAIL_REPLY)); 1686 mail_from_rejected = 1; 1687 } 1688 #endif 1689 1690 /* 1691 * We now return to our regular broadcast. 1692 */ 1693 recv_state = SMTP_STATE_RCPT; 1694 break; 1695 1696 /* 1697 * Process one RCPT TO response. If MAIL FROM was 1698 * rejected, ignore RCPT TO responses: all recipients are 1699 * dead already. When all recipients are rejected the 1700 * receiver may apply a course correction. 1701 * 1702 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply 1703 * must be treated as if the server replied with 452. 1704 * However, this causes "too much mail data" to be 1705 * treated as a recoverable error, which is wrong. I'll 1706 * stick with RFC 821. 1707 */ 1708 case SMTP_STATE_RCPT: 1709 if (!mail_from_rejected) { 1710 #ifdef notdef 1711 if (resp->code == 552) { 1712 resp->code = 452; 1713 resp->dsn[0] = '4'; 1714 } 1715 #endif 1716 rcpt = request->rcpt_list.info + recv_rcpt; 1717 if (resp->code / 100 == 2) { 1718 if (!smtp_mode) { 1719 if (survivors == 0) 1720 survivors = (int *) 1721 mymalloc(request->rcpt_list.len 1722 * sizeof(int)); 1723 survivors[nrcpt] = recv_rcpt; 1724 } 1725 ++nrcpt; 1726 /* If trace-only, mark the recipient done. */ 1727 if (DEL_REQ_TRACE_ONLY(request->flags)) { 1728 translit(resp->str, "\n", " "); 1729 smtp_rcpt_done(state, resp, rcpt); 1730 } 1731 } else { 1732 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 1733 "host %s said: %s (in reply to %s)", 1734 session->namaddr, 1735 translit(resp->str, "\n", " "), 1736 xfer_request[SMTP_STATE_RCPT]); 1737 } 1738 } 1739 /* If trace-only, send RSET instead of DATA. */ 1740 if (++recv_rcpt == SMTP_RCPT_LEFT(state)) 1741 recv_state = DEL_REQ_TRACE_ONLY(request->flags) ? 1742 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1743 /* XXX Also: record if non-delivering session. */ 1744 break; 1745 1746 /* 1747 * Process the DATA response. When the server rejects 1748 * DATA, set nrcpt to a negative value so that the 1749 * receiver can apply a course correction. 1750 */ 1751 case SMTP_STATE_DATA: 1752 if (resp->code / 100 != 3) { 1753 if (nrcpt > 0) 1754 smtp_mesg_fail(state, STR(iter->host), resp, 1755 "host %s said: %s (in reply to %s)", 1756 session->namaddr, 1757 translit(resp->str, "\n", " "), 1758 xfer_request[SMTP_STATE_DATA]); 1759 nrcpt = -1; 1760 } 1761 recv_state = SMTP_STATE_DOT; 1762 break; 1763 1764 /* 1765 * Process the end of message response. Ignore the 1766 * response when no recipient was accepted: all 1767 * recipients are dead already, and the next receiver 1768 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise, 1769 * if the message transfer fails, bounce all remaining 1770 * recipients, else cross off the recipients that were 1771 * delivered. 1772 */ 1773 case SMTP_STATE_DOT: 1774 GETTIMEOFDAY(&request->msg_stats.deliver_done); 1775 if (smtp_mode) { 1776 if (nrcpt > 0) { 1777 if (resp->code / 100 != 2) { 1778 smtp_mesg_fail(state, STR(iter->host), resp, 1779 "host %s said: %s (in reply to %s)", 1780 session->namaddr, 1781 translit(resp->str, "\n", " "), 1782 xfer_request[SMTP_STATE_DOT]); 1783 } else { 1784 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 1785 rcpt = request->rcpt_list.info + nrcpt; 1786 if (!SMTP_RCPT_ISMARKED(rcpt)) { 1787 translit(resp->str, "\n", " "); 1788 smtp_rcpt_done(state, resp, rcpt); 1789 } 1790 } 1791 } 1792 } 1793 } 1794 1795 /* 1796 * With LMTP we have one response per accepted RCPT TO 1797 * command. Stay in the SMTP_STATE_DOT state until we 1798 * have collected all responses. 1799 */ 1800 else { 1801 if (nrcpt > 0) { 1802 rcpt = request->rcpt_list.info 1803 + survivors[recv_done++]; 1804 if (resp->code / 100 != 2) { 1805 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 1806 "host %s said: %s (in reply to %s)", 1807 session->namaddr, 1808 translit(resp->str, "\n", " "), 1809 xfer_request[SMTP_STATE_DOT]); 1810 } else { 1811 translit(resp->str, "\n", " "); 1812 smtp_rcpt_done(state, resp, rcpt); 1813 } 1814 } 1815 if (msg_verbose) 1816 msg_info("%s: got %d of %d end-of-data replies", 1817 myname, recv_done, nrcpt); 1818 if (recv_done < nrcpt) 1819 break; 1820 } 1821 1822 /* 1823 * XXX Do not change the connection caching state here, 1824 * even if the connection caching timer expired between 1825 * generating the command and processing the reply, 1826 * otherwise the sender and receiver loops get out of 1827 * sync. The caller will call smtp_quit() if appropriate. 1828 */ 1829 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED 1830 || LOST_CONNECTION_INSIDE_DATA) 1831 recv_state = SMTP_STATE_LAST; 1832 else 1833 recv_state = SMTP_STATE_QUIT; 1834 break; 1835 1836 /* 1837 * Receive the RSET response. 1838 * 1839 * The SMTP_STATE_ABORT sender state is entered by the 1840 * sender when it has verified all recipients; or it is 1841 * entered by the receiver when all recipients are 1842 * verified or rejected, and is then left before the 1843 * bottom of the main loop. 1844 * 1845 * XXX Do not change the connection caching state here, even 1846 * if the server rejected RSET or if the connection 1847 * caching timer expired between generating the command 1848 * and processing the reply, otherwise the sender and 1849 * receiver loops get out of sync. The caller will call 1850 * smtp_quit() if appropriate. 1851 */ 1852 case SMTP_STATE_ABORT: 1853 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ? 1854 SMTP_STATE_LAST : SMTP_STATE_QUIT); 1855 break; 1856 1857 /* 1858 * This is the initial receiver state from smtp_rset(). 1859 * It is used to find out the status of a cached session 1860 * before attempting mail delivery. 1861 */ 1862 case SMTP_STATE_RSET: 1863 if (resp->code / 100 != 2) 1864 CANT_RSET_THIS_SESSION; 1865 recv_state = SMTP_STATE_LAST; 1866 break; 1867 1868 /* 1869 * Receive, but otherwise ignore, the QUIT response. 1870 */ 1871 case SMTP_STATE_QUIT: 1872 recv_state = SMTP_STATE_LAST; 1873 break; 1874 } 1875 } 1876 1877 /* 1878 * At this point, the sender and receiver are fully synchronized. 1879 */ 1880 1881 /* 1882 * We know the server response to every command that was sent. 1883 * Apply a course correction if necessary: the sender wants to 1884 * send RCPT TO but MAIL FROM was rejected; the sender wants to 1885 * send DATA but all recipients were rejected; the sender wants 1886 * to deliver the message but DATA was rejected. 1887 */ 1888 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected) 1889 || (send_state == SMTP_STATE_DATA && nrcpt == 0) 1890 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) { 1891 send_state = recv_state = SMTP_STATE_ABORT; 1892 send_rcpt = recv_rcpt = 0; 1893 vstring_strcpy(next_command, "RSET"); 1894 if (THIS_SESSION_IS_EXPIRED) 1895 DONT_CACHE_THIS_SESSION; 1896 next_state = THIS_SESSION_IS_CACHED ? 1897 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1898 /* XXX Also: record if non-delivering session. */ 1899 next_rcpt = 0; 1900 } 1901 } 1902 1903 /* 1904 * Make the next sender state the current sender state. 1905 */ 1906 if (send_state == SMTP_STATE_LAST) 1907 continue; 1908 1909 /* 1910 * Special case if the server accepted the DATA command. If the 1911 * server accepted at least one recipient send the entire message. 1912 * Otherwise, just send "." as per RFC 2197. 1913 * 1914 * XXX If there is a hard MIME error while downgrading to 7-bit mail, 1915 * disconnect ungracefully, because there is no other way to cancel a 1916 * transaction in progress. 1917 */ 1918 if (send_state == SMTP_STATE_DOT && nrcpt > 0) { 1919 1920 smtp_stream_setup(session->stream, var_smtp_data1_tmout, 1921 var_smtp_rec_deadline); 1922 1923 if ((except = vstream_setjmp(session->stream)) == 0) { 1924 1925 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0) 1926 msg_fatal("seek queue file: %m"); 1927 1928 downgrading = SMTP_MIME_DOWNGRADE(session, request); 1929 1930 /* 1931 * XXX Don't downgrade just because generic_maps is turned 1932 * on. 1933 */ 1934 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks) 1935 1936 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS) 1937 session->mime_state = mime_state_alloc(downgrading ? 1938 MIME_OPT_DOWNGRADE 1939 | MIME_OPT_REPORT_NESTING : 1940 SMTP_ANY_CHECKS == 0 ? 1941 MIME_OPT_DISABLE_MIME : 1942 0, 1943 smtp_generic_maps 1944 || smtp_header_checks ? 1945 smtp_header_rewrite : 1946 smtp_header_out, 1947 (MIME_STATE_ANY_END) 0, 1948 smtp_body_checks ? 1949 smtp_body_rewrite : 1950 smtp_text_out, 1951 (MIME_STATE_ANY_END) 0, 1952 (MIME_STATE_ERR_PRINT) 0, 1953 (void *) state); 1954 state->space_left = var_smtp_line_limit; 1955 1956 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) { 1957 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 1958 break; 1959 if (session->mime_state == 0) { 1960 smtp_text_out((void *) state, rec_type, 1961 vstring_str(session->scratch), 1962 VSTRING_LEN(session->scratch), 1963 (off_t) 0); 1964 } else { 1965 mime_errs = 1966 mime_state_update(session->mime_state, rec_type, 1967 vstring_str(session->scratch), 1968 VSTRING_LEN(session->scratch)); 1969 if (mime_errs) { 1970 smtp_mime_fail(state, mime_errs); 1971 RETURN(0); 1972 } 1973 } 1974 prev_type = rec_type; 1975 } 1976 1977 if (session->mime_state) { 1978 1979 /* 1980 * The cleanup server normally ends MIME content with a 1981 * normal text record. The following code is needed to 1982 * flush an internal buffer when someone submits 8-bit 1983 * mail not ending in newline via /usr/sbin/sendmail 1984 * while MIME input processing is turned off, and MIME 1985 * 8bit->7bit conversion is requested upon delivery. 1986 * 1987 * Or some error while doing generic address mapping. 1988 */ 1989 mime_errs = 1990 mime_state_update(session->mime_state, rec_type, "", 0); 1991 if (mime_errs) { 1992 smtp_mime_fail(state, mime_errs); 1993 RETURN(0); 1994 } 1995 } else if (prev_type == REC_TYPE_CONT) /* missing newline */ 1996 smtp_fputs("", 0, session->stream); 1997 if ((session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) != 0 1998 && request->msg_stats.incoming_arrival.tv_sec 1999 <= vstream_ftime(session->stream) - var_smtp_pix_thresh) { 2000 smtp_flush(session->stream);/* hurts performance */ 2001 sleep(var_smtp_pix_delay); /* not to mention this */ 2002 } 2003 if (vstream_ferror(state->src)) 2004 msg_fatal("queue file read error"); 2005 if (rec_type != REC_TYPE_XTRA) { 2006 msg_warn("%s: bad record type: %d in message content", 2007 request->queue_id, rec_type); 2008 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2009 SMTP_RESP_FAKE(&fake, "5.3.0"), 2010 "unreadable mail queue entry"); 2011 /* Bailing out, abort stream with prejudice */ 2012 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 2013 DONT_USE_DEAD_SESSION; 2014 /* If bounce_append() succeeded, status is still 0 */ 2015 if (state->status == 0) 2016 (void) mark_corrupt(state->src); 2017 /* Don't override smtp_mesg_fail() here. */ 2018 RETURN(fail_status); 2019 } 2020 } else { 2021 if (!LOST_CONNECTION_INSIDE_DATA) 2022 RETURN(smtp_stream_except(state, except, 2023 "sending message body")); 2024 2025 /* 2026 * We will clear the stream error flag to try and read a 2027 * premature 5XX response, so it is important to flush any 2028 * unwritten data. Otherwise, we will try to flush it again 2029 * before reading, which may incur an unnecessary delay and 2030 * will prevent the reading of any response that is not 2031 * already buffered (bundled with the DATA 354 response). 2032 * 2033 * Not much point in sending QUIT at this point, skip right to 2034 * SMTP_STATE_LAST. The read engine above will likewise avoid 2035 * looking for a QUIT response. 2036 */ 2037 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE); 2038 next_state = SMTP_STATE_LAST; 2039 } 2040 } 2041 2042 /* 2043 * Copy the next command to the buffer and update the sender state. 2044 */ 2045 if (except == 0) { 2046 smtp_chat_cmd(session, "%s", vstring_str(next_command)); 2047 } else { 2048 DONT_CACHE_THIS_SESSION; 2049 } 2050 send_state = next_state; 2051 send_rcpt = next_rcpt; 2052 } while (recv_state != SMTP_STATE_LAST); 2053 RETURN(0); 2054 } 2055 2056 /* smtp_xfer - send a batch of envelope information and the message data */ 2057 2058 int smtp_xfer(SMTP_STATE *state) 2059 { 2060 DELIVER_REQUEST *request = state->request; 2061 SMTP_SESSION *session = state->session; 2062 SMTP_RESP fake; 2063 int send_state; 2064 int recv_state; 2065 int send_name_addr; 2066 int result; 2067 2068 /* 2069 * Sanity check. Recipients should be unmarked at this point. 2070 */ 2071 if (SMTP_RCPT_LEFT(state) <= 0) 2072 msg_panic("smtp_xfer: bad recipient count: %d", 2073 SMTP_RCPT_LEFT(state)); 2074 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info)) 2075 msg_panic("smtp_xfer: bad recipient status: %d", 2076 request->rcpt_list.info->u.status); 2077 2078 /* 2079 * See if we should even try to send this message at all. This code sits 2080 * here rather than in the EHLO processing code, because of SMTP 2081 * connection caching. 2082 */ 2083 if (session->size_limit > 0 && session->size_limit < request->data_size) { 2084 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2085 SMTP_RESP_FAKE(&fake, "5.3.4"), 2086 "message size %lu exceeds size limit %.0f of server %s", 2087 request->data_size, (double) session->size_limit, 2088 session->namaddr); 2089 /* Redundant. We abort this delivery attempt. */ 2090 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2091 return (0); 2092 } 2093 2094 /* 2095 * Use XFORWARD to forward the origin of this email message across an 2096 * SMTP-based content filter. Send client attribute information only if 2097 * it exists (i.e. remote submission). Local submissions have no client 2098 * attributes; the mail will appear to originate from the content filter 2099 * which is acceptable. 2100 */ 2101 send_name_addr = 2102 var_smtp_send_xforward 2103 && (((session->features & SMTP_FEATURE_XFORWARD_NAME) 2104 && CAN_FORWARD_CLIENT_NAME(request->client_name)) 2105 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 2106 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) 2107 || ((session->features & SMTP_FEATURE_XFORWARD_PORT) 2108 && CAN_FORWARD_CLIENT_PORT(request->client_port))); 2109 session->send_proto_helo = 2110 var_smtp_send_xforward 2111 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) 2112 && CAN_FORWARD_PROTO_NAME(request->client_proto)) 2113 || ((session->features & SMTP_FEATURE_XFORWARD_HELO) 2114 && CAN_FORWARD_HELO_NAME(request->client_helo)) 2115 || ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 2116 && CAN_FORWARD_IDENT_NAME(request->log_ident)) 2117 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 2118 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); 2119 if (send_name_addr) 2120 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; 2121 else if (session->send_proto_helo) 2122 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO; 2123 else 2124 recv_state = send_state = SMTP_STATE_MAIL; 2125 2126 /* 2127 * Remember this session's "normal completion", even if the server 4xx-ed 2128 * some or all recipients. Connection or handshake errors with a later MX 2129 * host should not cause this destination be marked as unreachable. 2130 */ 2131 result = smtp_loop(state, send_state, recv_state); 2132 2133 if (result == 0 2134 /* Just in case */ 2135 && vstream_ferror(session->stream) == 0 2136 && vstream_feof(session->stream) == 0) 2137 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2138 2139 return (result); 2140 } 2141 2142 /* smtp_rset - send a lone RSET command */ 2143 2144 int smtp_rset(SMTP_STATE *state) 2145 { 2146 2147 /* 2148 * This works because SMTP_STATE_RSET is a dedicated sender/recipient 2149 * entry state, with SMTP_STATE_LAST as next sender/recipient state. 2150 */ 2151 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET)); 2152 } 2153 2154 /* smtp_quit - send a lone QUIT command */ 2155 2156 int smtp_quit(SMTP_STATE *state) 2157 { 2158 2159 /* 2160 * This works because SMTP_STATE_QUIT is the last state with a sender 2161 * action, with SMTP_STATE_LAST as the next sender/recipient state. 2162 */ 2163 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ? 2164 SMTP_STATE_LAST : SMTP_STATE_QUIT)); 2165 } 2166