1 /* $NetBSD: smtp_proto.c,v 1.2 2017/02/14 01:16:48 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_proto 3 6 /* SUMMARY 7 /* client SMTP/LMTP protocol 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* int smtp_helo(state) 12 /* SMTP_STATE *state; 13 /* 14 /* int smtp_xfer(state) 15 /* SMTP_STATE *state; 16 /* 17 /* int smtp_rset(state) 18 /* SMTP_STATE *state; 19 /* 20 /* int smtp_quit(state) 21 /* SMTP_STATE *state; 22 /* DESCRIPTION 23 /* In the subsequent text, SMTP implies LMTP. 24 /* This module implements the client side of the SMTP protocol. 25 /* 26 /* smtp_helo() performs the initial handshake with the SMTP server. 27 /* When TLS is enabled, this includes STARTTLS negotiations. 28 /* 29 /* smtp_xfer() sends message envelope information followed by the 30 /* message data, and finishes the SMTP conversation. These operations 31 /* are combined in one function, in order to implement SMTP pipelining. 32 /* Recipients are marked as "done" in the mail queue file when 33 /* bounced or delivered. The message delivery status is updated 34 /* accordingly. 35 /* 36 /* smtp_rset() sends a single RSET command and waits for the 37 /* response. In case of a negative reply it sets the 38 /* CANT_RSET_THIS_SESSION flag. 39 /* 40 /* smtp_quit() sends a single QUIT command and waits for the 41 /* response if configured to do so. It always turns off connection 42 /* caching. 43 /* DIAGNOSTICS 44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return 45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(), 46 /* smtp_rset() and smtp_quit(), success means the ability to 47 /* perform an SMTP conversation, not necessarily the ability 48 /* to deliver mail, or the achievement of server happiness. 49 /* 50 /* In case of a rejected or failed connection, a connection 51 /* is marked as "bad, do not cache". Otherwise, connection 52 /* caching may be turned off (without being marked "bad") at 53 /* the discretion of the code that implements the individual 54 /* protocol steps. 55 /* 56 /* Warnings: corrupt message file. A corrupt message is marked 57 /* as "corrupt" by changing its queue file permissions. 58 /* BUGS 59 /* Some SMTP servers will abort when the number of recipients 60 /* for one message exceeds their capacity. This behavior violates 61 /* the SMTP protocol. 62 /* The only way around this is to limit the number of recipients 63 /* per transaction to an artificially-low value. 64 /* SEE ALSO 65 /* smtp(3h) internal data structures 66 /* smtp_chat(3) query/reply SMTP support 67 /* smtp_trouble(3) error handlers 68 /* LICENSE 69 /* .ad 70 /* .fi 71 /* The Secure Mailer license must be distributed with this software. 72 /* AUTHOR(S) 73 /* Wietse Venema 74 /* IBM T.J. Watson Research 75 /* P.O. Box 704 76 /* Yorktown Heights, NY 10598, USA 77 /* 78 /* Pipelining code in cooperation with: 79 /* Jon Ribbens 80 /* Oaktree Internet Solutions Ltd., 81 /* Internet House, 82 /* Canal Basin, 83 /* Coventry, 84 /* CV1 4LY, United Kingdom. 85 /* 86 /* Connection caching in cooperation with: 87 /* Victor Duchovni 88 /* Morgan Stanley 89 /* 90 /* TLS support originally by: 91 /* Lutz Jaenicke 92 /* BTU Cottbus 93 /* Allgemeine Elektrotechnik 94 /* Universitaetsplatz 3-4 95 /* D-03044 Cottbus, Germany 96 /*--*/ 97 98 /* System library. */ 99 100 #include <sys_defs.h> 101 #include <sys/stat.h> 102 #include <sys/socket.h> /* shutdown(2) */ 103 #include <netinet/in.h> /* ntohs() */ 104 #include <string.h> 105 #include <unistd.h> 106 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */ 107 #include <stdarg.h> 108 #include <time.h> 109 110 #ifdef STRCASECMP_IN_STRINGS_H 111 #include <strings.h> 112 #endif 113 114 /* Utility library. */ 115 116 #include <msg.h> 117 #include <vstring.h> 118 #include <vstream.h> 119 #include <vstring_vstream.h> 120 #include <stringops.h> 121 #include <mymalloc.h> 122 #include <iostuff.h> 123 #include <split_at.h> 124 #include <name_code.h> 125 #include <name_mask.h> 126 127 /* Global library. */ 128 129 #include <mail_params.h> 130 #include <smtp_stream.h> 131 #include <mail_queue.h> 132 #include <recipient_list.h> 133 #include <deliver_request.h> 134 #include <defer.h> 135 #include <bounce.h> 136 #include <record.h> 137 #include <rec_type.h> 138 #include <off_cvt.h> 139 #include <mark_corrupt.h> 140 #include <quote_821_local.h> 141 #include <quote_822_local.h> 142 #include <mail_proto.h> 143 #include <mime_state.h> 144 #include <ehlo_mask.h> 145 #include <maps.h> 146 #include <tok822.h> 147 #include <mail_addr_map.h> 148 #include <ext_prop.h> 149 #include <namadr_list.h> 150 #include <match_parent_style.h> 151 #include <lex_822.h> 152 #include <dsn_mask.h> 153 #include <xtext.h> 154 #include <uxtext.h> 155 #include <smtputf8.h> 156 157 /* Application-specific. */ 158 159 #include "smtp.h" 160 #include "smtp_sasl.h" 161 162 /* 163 * Sender and receiver state. A session does not necessarily go through a 164 * linear progression, but states are guaranteed to not jump backwards. 165 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states 166 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST. 167 * 168 * When connection caching is enabled, the QUIT state is suppressed. Normal 169 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions 170 * end with ABORT->LAST. The connection is left open for a limited time. An 171 * RSET probe should be sent before attempting to reuse an open connection 172 * for a new transaction. 173 * 174 * The code to send an RSET probe is a special case with its own initial state 175 * and with its own dedicated state transitions. The session proceeds as 176 * RSET->LAST. This code is kept inside the main protocol engine for 177 * consistent error handling and error reporting. It is not to be confused 178 * with the code that sends RSET to abort a mail transaction in progress. 179 * 180 * The code to send QUIT without message delivery transaction jumps into the 181 * main state machine. If this introduces complications, then we should 182 * introduce a second QUIT state with its own dedicated state transitions, 183 * just like we did for RSET probes. 184 * 185 * By default, the receiver skips the QUIT response. Some SMTP servers 186 * disconnect after responding to ".", and some SMTP servers wait before 187 * responding to QUIT. 188 * 189 * Client states that are associated with sending mail (up to and including 190 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending 191 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST). 192 */ 193 #define SMTP_STATE_XFORWARD_NAME_ADDR 0 194 #define SMTP_STATE_XFORWARD_PROTO_HELO 1 195 #define SMTP_STATE_MAIL 2 196 #define SMTP_STATE_RCPT 3 197 #define SMTP_STATE_DATA 4 198 #define SMTP_STATE_DOT 5 199 #define SMTP_STATE_ABORT 6 200 #define SMTP_STATE_RSET 7 201 #define SMTP_STATE_QUIT 8 202 #define SMTP_STATE_LAST 9 203 204 int *xfer_timeouts[SMTP_STATE_LAST] = { 205 &var_smtp_xfwd_tmout, /* name/addr */ 206 &var_smtp_xfwd_tmout, /* helo/proto */ 207 &var_smtp_mail_tmout, 208 &var_smtp_rcpt_tmout, 209 &var_smtp_data0_tmout, 210 &var_smtp_data2_tmout, 211 &var_smtp_rset_tmout, 212 &var_smtp_rset_tmout, 213 &var_smtp_quit_tmout, 214 }; 215 216 char *xfer_states[SMTP_STATE_LAST] = { 217 "sending XFORWARD name/address", 218 "sending XFORWARD protocol/helo_name", 219 "sending MAIL FROM", 220 "sending RCPT TO", 221 "sending DATA command", 222 "sending end of data -- message may be sent more than once", 223 "sending final RSET", 224 "sending RSET probe", 225 "sending QUIT", 226 }; 227 228 char *xfer_request[SMTP_STATE_LAST] = { 229 "XFORWARD name/address command", 230 "XFORWARD helo/protocol command", 231 "MAIL FROM command", 232 "RCPT TO command", 233 "DATA command", 234 "end of DATA command", 235 "final RSET command", 236 "RSET probe", 237 "QUIT command", 238 }; 239 240 /* 241 * Note: MIME downgrade never happens for mail that must be delivered with 242 * SMTPUTF8 (the sender requested SMTPUTF8, AND the delivery request 243 * involves at least one UTF-8 envelope address or header value. 244 */ 245 #define SMTP_MIME_DOWNGRADE(session, request) \ 246 (var_disable_mime_oconv == 0 \ 247 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \ 248 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0) 249 250 #ifdef USE_TLS 251 252 static int smtp_start_tls(SMTP_STATE *); 253 254 #endif 255 256 /* 257 * Call-back information for header/body checks. We don't provide call-backs 258 * for actions that change the message delivery time or destination. 259 */ 260 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *); 261 static void smtp_text_out(void *, int, const char *, ssize_t, off_t); 262 263 HBC_CALL_BACKS smtp_hbc_callbacks[1] = { 264 smtp_hbc_logger, 265 smtp_text_out, 266 }; 267 268 static int smtp_vrfy_tgt; 269 270 /* smtp_vrfy_init - initialize */ 271 272 void smtp_vrfy_init(void) 273 { 274 static const NAME_CODE vrfy_init_table[] = { 275 SMTP_VRFY_TGT_RCPT, SMTP_STATE_RCPT, 276 SMTP_VRFY_TGT_DATA, SMTP_STATE_DATA, 277 0, 278 }; 279 280 if ((smtp_vrfy_tgt = name_code(vrfy_init_table, NAME_CODE_FLAG_NONE, 281 var_smtp_vrfy_tgt)) == 0) 282 msg_fatal("bad protocol stage: \"%s = %s\"", 283 VAR_SMTP_VRFY_TGT, var_smtp_vrfy_tgt); 284 } 285 286 /* smtp_helo - perform initial handshake with SMTP server */ 287 288 int smtp_helo(SMTP_STATE *state) 289 { 290 const char *myname = "smtp_helo"; 291 SMTP_SESSION *session = state->session; 292 DELIVER_REQUEST *request = state->request; 293 SMTP_ITERATOR *iter = state->iterator; 294 SMTP_RESP *resp; 295 SMTP_RESP fake; 296 int except; 297 char *lines; 298 char *words; 299 char *word; 300 int n; 301 static const NAME_CODE xforward_features[] = { 302 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME, 303 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR, 304 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT, 305 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO, 306 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO, 307 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT, 308 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN, 309 0, 0, 310 }; 311 const char *ehlo_words; 312 int discard_mask; 313 static const NAME_MASK pix_bug_table[] = { 314 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP, 315 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF, 316 0, 317 }; 318 const char *pix_bug_words; 319 const char *pix_bug_source; 320 int pix_bug_mask; 321 322 #ifdef USE_TLS 323 int saved_features = session->features; 324 int tls_helo_status; 325 326 #endif 327 const char *NOCLOBBER where; 328 329 /* 330 * Skip the plaintext SMTP handshake when connecting in SMTPS mode. 331 */ 332 #ifdef USE_TLS 333 if (var_smtp_tls_wrappermode 334 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 335 /* XXX Mix-up of per-session and per-request flags. */ 336 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 337 tls_helo_status = smtp_start_tls(state); 338 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 339 return (tls_helo_status); 340 } 341 #endif 342 343 /* 344 * Prepare for disaster. 345 */ 346 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout, 347 var_smtp_rec_deadline); 348 if ((except = vstream_setjmp(state->session->stream)) != 0) 349 return (smtp_stream_except(state, except, where)); 350 351 /* 352 * If not recursing after STARTTLS, examine the server greeting banner 353 * and decide if we are going to send EHLO as the next command. 354 */ 355 if (var_smtp_tls_wrappermode 356 || (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 357 358 /* 359 * Read and parse the server's SMTP greeting banner. 360 */ 361 where = "receiving the initial server greeting"; 362 switch ((resp = smtp_chat_resp(session))->code / 100) { 363 case 2: 364 break; 365 case 5: 366 if (var_smtp_skip_5xx_greeting) 367 STR(resp->dsn_buf)[0] = '4'; 368 /* FALLTHROUGH */ 369 default: 370 return (smtp_site_fail(state, STR(iter->host), resp, 371 "host %s refused to talk to me: %s", 372 session->namaddr, 373 translit(resp->str, "\n", " "))); 374 } 375 376 /* 377 * If the policy table specifies a bogus TLS security level, fail 378 * now. 379 */ 380 #ifdef USE_TLS 381 if (state->tls->level == TLS_LEV_INVALID) 382 /* Warning is already logged. */ 383 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 384 SMTP_RESP_FAKE(&fake, "4.7.0"), 385 "client TLS configuration problem")); 386 #endif 387 388 /* 389 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so 390 * it does not span a packet boundary. This hurts performance so it 391 * is not on by default. 392 */ 393 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) { 394 /* Best effort only. Ignore errors. */ 395 if (smtp_pix_bug_maps != 0 396 && (pix_bug_words = 397 maps_find(smtp_pix_bug_maps, 398 STR(iter->addr), 0)) != 0) { 399 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_MAPS); 400 } else { 401 pix_bug_words = var_smtp_pix_bug_words; 402 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_WORDS); 403 } 404 if (*pix_bug_words) { 405 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table, 406 pix_bug_words, 407 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE); 408 msg_info("%s: enabling PIX workarounds: %s for %s", 409 request->queue_id, 410 str_name_mask("pix workaround bitmask", 411 pix_bug_table, pix_bug_mask), 412 session->namaddrport); 413 session->features |= pix_bug_mask; 414 } 415 } 416 417 /* 418 * See if we are talking to ourself. This should not be possible with 419 * the way we implement DNS lookups. However, people are known to 420 * sometimes screw up the naming service. And, mailer loops are still 421 * possible when our own mailer routing tables are mis-configured. 422 */ 423 words = resp->str; 424 (void) mystrtok(&words, "- \t\n"); 425 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) { 426 if (n == 0 && strcasecmp(word, var_myhostname) == 0) { 427 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) 428 msg_warn("host %s greeted me with my own hostname %s", 429 session->namaddrport, var_myhostname); 430 } else if (strcasecmp(word, "ESMTP") == 0) 431 session->features |= SMTP_FEATURE_ESMTP; 432 } 433 if (smtp_mode) { 434 if (var_smtp_always_ehlo 435 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0) 436 session->features |= SMTP_FEATURE_ESMTP; 437 if (var_smtp_never_ehlo 438 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0) 439 session->features &= ~SMTP_FEATURE_ESMTP; 440 } else { 441 session->features |= SMTP_FEATURE_ESMTP; 442 } 443 } 444 445 /* 446 * If recursing after STARTTLS, there is no server greeting banner. 447 * Always send EHLO as the next command. 448 */ 449 else { 450 session->features |= SMTP_FEATURE_ESMTP; 451 } 452 453 /* 454 * Return the compliment. Fall back to SMTP if our ESMTP recognition 455 * heuristic failed. 456 */ 457 if (smtp_mode) { 458 where = "performing the EHLO handshake"; 459 if (session->features & SMTP_FEATURE_ESMTP) { 460 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name); 461 if ((resp = smtp_chat_resp(session))->code / 100 != 2) { 462 if (resp->code == 421) 463 return (smtp_site_fail(state, STR(iter->host), resp, 464 "host %s refused to talk to me: %s", 465 session->namaddr, 466 translit(resp->str, "\n", " "))); 467 else 468 session->features &= ~SMTP_FEATURE_ESMTP; 469 } 470 } 471 if ((session->features & SMTP_FEATURE_ESMTP) == 0) { 472 where = "performing the HELO handshake"; 473 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name); 474 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 475 return (smtp_site_fail(state, STR(iter->host), resp, 476 "host %s refused to talk to me: %s", 477 session->namaddr, 478 translit(resp->str, "\n", " "))); 479 } 480 } else { 481 where = "performing the LHLO handshake"; 482 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name); 483 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 484 return (smtp_site_fail(state, STR(iter->host), resp, 485 "host %s refused to talk to me: %s", 486 session->namaddr, 487 translit(resp->str, "\n", " "))); 488 } 489 490 /* 491 * No early returns allowed, to ensure consistent handling of TLS and 492 * SASL policies. 493 */ 494 if (session->features & SMTP_FEATURE_ESMTP) { 495 496 /* 497 * Determine what server EHLO keywords to ignore, typically to avoid 498 * inter-operability problems. 499 */ 500 if (smtp_ehlo_dis_maps == 0 501 || (ehlo_words = maps_find(smtp_ehlo_dis_maps, 502 STR(iter->addr), 0)) == 0) 503 ehlo_words = var_smtp_ehlo_dis_words; 504 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) { 505 msg_warn("%s: %s map lookup error for %s", 506 session->state->request->queue_id, 507 smtp_ehlo_dis_maps->title, STR(iter->addr)); 508 vstream_longjmp(session->stream, SMTP_ERR_DATA); 509 } 510 discard_mask = ehlo_mask(ehlo_words); 511 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 512 msg_info("discarding EHLO keywords: %s", 513 str_ehlo_mask(discard_mask)); 514 515 /* 516 * Pick up some useful features offered by the SMTP server. XXX Until 517 * we have a portable routine to convert from string to off_t with 518 * proper overflow detection, ignore the message size limit 519 * advertised by the SMTP server. Otherwise, we might do the wrong 520 * thing when the server advertises a really huge message size limit. 521 * 522 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", 523 * because MicroSoft implemented AUTH based on an old draft. 524 */ 525 lines = resp->str; 526 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) { 527 if (mystrtok(&words, "- ") 528 && (word = mystrtok(&words, " \t=")) != 0) { 529 if (n == 0) { 530 if (session->helo != 0) 531 myfree(session->helo); 532 533 /* 534 * XXX: Keep the original case: we don't expect a single 535 * SMTP server to randomly change the case of its helo 536 * response. If different capitalization is detected, we 537 * should assume disjoint TLS caches. 538 */ 539 session->helo = mystrdup(word); 540 if (strcasecmp(word, var_myhostname) == 0 541 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) { 542 msg_warn("host %s replied to HELO/EHLO" 543 " with my own hostname %s", 544 session->namaddrport, var_myhostname); 545 if (session->features & SMTP_FEATURE_BEST_MX) 546 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 547 SMTP_RESP_FAKE(&fake, "5.4.6"), 548 "mail for %s loops back to myself", 549 request->nexthop)); 550 else 551 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 552 SMTP_RESP_FAKE(&fake, "4.4.6"), 553 "mail for %s loops back to myself", 554 request->nexthop)); 555 } 556 } else if (strcasecmp(word, "8BITMIME") == 0) { 557 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 558 session->features |= SMTP_FEATURE_8BITMIME; 559 } else if (strcasecmp(word, "PIPELINING") == 0) { 560 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 561 session->features |= SMTP_FEATURE_PIPELINING; 562 } else if (strcasecmp(word, "XFORWARD") == 0) { 563 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) 564 while ((word = mystrtok(&words, " \t")) != 0) 565 session->features |= 566 name_code(xforward_features, 567 NAME_CODE_FLAG_NONE, word); 568 } else if (strcasecmp(word, "SIZE") == 0) { 569 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 570 session->features |= SMTP_FEATURE_SIZE; 571 if ((word = mystrtok(&words, " \t")) != 0) { 572 if (!alldig(word)) 573 msg_warn("bad EHLO SIZE limit \"%s\" from %s", 574 word, session->namaddrport); 575 else 576 session->size_limit = off_cvt_string(word); 577 } 578 } 579 #ifdef USE_TLS 580 } else if (strcasecmp(word, "STARTTLS") == 0) { 581 /* Ignored later if we already sent STARTTLS. */ 582 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 583 session->features |= SMTP_FEATURE_STARTTLS; 584 #endif 585 #ifdef USE_SASL_AUTH 586 } else if (var_smtp_sasl_enable 587 && strcasecmp(word, "AUTH") == 0) { 588 if ((discard_mask & EHLO_MASK_AUTH) == 0) 589 smtp_sasl_helo_auth(session, words); 590 #endif 591 } else if (strcasecmp(word, "DSN") == 0) { 592 if ((discard_mask & EHLO_MASK_DSN) == 0) 593 session->features |= SMTP_FEATURE_DSN; 594 } else if (strcasecmp(word, "SMTPUTF8") == 0) { 595 if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0) 596 session->features |= SMTP_FEATURE_SMTPUTF8; 597 } 598 n++; 599 } 600 } 601 } 602 if (msg_verbose) 603 msg_info("server features: 0x%x size %.0f", 604 session->features, (double) session->size_limit); 605 606 /* 607 * Decide if this delivery requires SMTPUTF8 server support. 608 * 609 * For now, we require that the remote SMTP server supports SMTPUTF8 when 610 * the sender requested SMTPUTF8 support. 611 * 612 * XXX EAI Refine this to: the sender requested SMTPUTF8 support AND the 613 * delivery request involves at least one UTF-8 envelope address or 614 * header value. 615 * 616 * If the sender requested SMTPUTF8 support but the delivery request 617 * involves no UTF-8 envelope address or header value, then we could 618 * still deliver such mail to a non-SMTPUTF8 server, except that we must 619 * either uxtext-encode ORCPT parameters or not send them. We cannot 620 * encode the ORCPT in xtext, because legacy SMTP requires that the 621 * unencoded address consist entirely of printable (graphic and white 622 * space) characters from the US-ASCII repertoire (RFC 3461 section 4). A 623 * correct uxtext encoder will produce a result that an xtext decoder 624 * will pass through unchanged. 625 * 626 * XXX Should we try to encode headers with RFC 2047 when delivering to a 627 * non-SMTPUTF8 server? That could make life easier for mailing lists. 628 */ 629 #define DELIVERY_REQUIRES_SMTPUTF8 \ 630 ((request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) \ 631 && (request->smtputf8 & ~SMTPUTF8_FLAG_REQUESTED)) 632 633 /* 634 * Require that the server supports SMTPUTF8 when delivery requires 635 * SMTPUTF8. 636 * 637 * Fix 20140706: moved this before negotiating TLS, AUTH, and so on. 638 */ 639 if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0 640 && DELIVERY_REQUIRES_SMTPUTF8) 641 return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 642 SMTP_RESP_FAKE(&fake, "5.6.7"), 643 "SMTPUTF8 is required, " 644 "but was not offered by host %s", 645 session->namaddr)); 646 647 /* 648 * Fix 20140706: don't do silly things when the remote server announces 649 * SMTPUTF8 but not 8BITMIME support. Our primary mission is to deliver 650 * mail, not to force people into compliance. 651 */ 652 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0 653 && (session->features & SMTP_FEATURE_8BITMIME) == 0) { 654 msg_info("host %s offers SMTPUTF8 support, but not 8BITMIME", 655 session->namaddr); 656 session->features |= SMTP_FEATURE_8BITMIME; 657 } 658 659 /* 660 * We use SMTP command pipelining if the server said it supported it. 661 * Since we use blocking I/O, RFC 2197 says that we should inspect the 662 * TCP window size and not send more than this amount of information. 663 * Unfortunately this information is unavailable using the sockets 664 * interface. However, we *can* get the TCP send buffer size on the local 665 * TCP/IP stack. We should be able to fill this buffer without being 666 * blocked, and then the kernel will effectively do non-blocking I/O for 667 * us by automatically writing out the contents of its send buffer while 668 * we are reading in the responses. In addition to TCP buffering we have 669 * to be aware of application-level buffering by the vstream module, 670 * which is limited to a couple kbytes. 671 * 672 * XXX No need to do this before and after STARTTLS, but it's not a big deal 673 * if we do. 674 * 675 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as 676 * TLS messages. Thus, the TCP-level payload will be larger than the 677 * SMTP-level payload. This has implications for the PIPELINING engine. 678 * 679 * To avoid deadlock, the PIPELINING engine needs to request a TCP send 680 * buffer size that can hold the unacknowledged commands plus the TLS 681 * encapsulation overhead. 682 * 683 * The PIPELINING engine keeps the unacknowledged command size <= the 684 * default VSTREAM buffer size (to avoid small-write performance issues 685 * when the VSTREAM buffer size is at its default size). With a default 686 * VSTREAM buffer size of 4096 there is no reason to increase the 687 * unacknowledged command size as the TCP MSS increases. It's safer to 688 * spread the remote SMTP server's recipient processing load over time, 689 * than dumping a very large recipient list all at once. 690 * 691 * For TLS encapsulation overhead we make a conservative guess: take the 692 * current protocol overhead of ~40 bytes, double the number for future 693 * proofing (~80 bytes), then round up the result to the nearest power of 694 * 2 (128 bytes). Plus, be prepared for worst-case compression that 695 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS 696 * message becomes 15 kbytes. 697 */ 698 #define PIPELINING_BUFSIZE VSTREAM_BUFSIZE 699 #ifdef USE_TLS 700 #define TLS_WORST_PAYLOAD 16384 701 #define TLS_WORST_COMP_OVERHD 1024 702 #define TLS_WORST_PROTO_OVERHD 128 703 #define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD) 704 #define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD) 705 #endif 706 707 if (session->features & SMTP_FEATURE_PIPELINING) { 708 SOCKOPT_SIZE optlen; 709 int tcp_bufsize; 710 int enc_overhead = 0; 711 712 optlen = sizeof(tcp_bufsize); 713 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET, 714 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0) 715 msg_fatal("%s: getsockopt: %m", myname); 716 #ifdef USE_TLS 717 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) 718 enc_overhead += 719 (1 + (PIPELINING_BUFSIZE - 1) 720 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD; 721 #endif 722 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) { 723 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead; 724 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET, 725 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0) 726 msg_fatal("%s: setsockopt: %m", myname); 727 } 728 if (msg_verbose) 729 msg_info("Using %s PIPELINING, TCP send buffer size is %d, " 730 "PIPELINING buffer size is %d", 731 smtp_mode ? "ESMTP" : "LMTP", 732 tcp_bufsize, PIPELINING_BUFSIZE); 733 } 734 #ifdef USE_TLS 735 736 /* 737 * Skip this part if we already sent STARTTLS. 738 */ 739 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 740 741 /* 742 * Optionally log unused STARTTLS opportunities. 743 */ 744 if ((session->features & SMTP_FEATURE_STARTTLS) && 745 var_smtp_tls_note_starttls_offer && 746 state->tls->level <= TLS_LEV_NONE) 747 msg_info("Host offered STARTTLS: [%s]", STR(iter->host)); 748 749 /* 750 * Decide whether or not to send STARTTLS. 751 */ 752 if ((session->features & SMTP_FEATURE_STARTTLS) != 0 753 && smtp_tls_ctx != 0 && state->tls->level >= TLS_LEV_MAY) { 754 755 /* 756 * Prepare for disaster. 757 */ 758 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 759 var_smtp_rec_deadline); 760 if ((except = vstream_setjmp(state->session->stream)) != 0) 761 return (smtp_stream_except(state, except, 762 "receiving the STARTTLS response")); 763 764 /* 765 * Send STARTTLS. Recurse when the server accepts STARTTLS, after 766 * resetting the SASL and EHLO features lists. 767 * 768 * Reset the SASL mechanism list to avoid spurious warnings. 769 * 770 * Use the smtp_sasl_tls_security_options feature to allow SASL 771 * mechanisms that may not be allowed with plain-text 772 * connections. 773 */ 774 smtp_chat_cmd(session, "STARTTLS"); 775 if ((resp = smtp_chat_resp(session))->code / 100 == 2) { 776 #ifdef USE_SASL_AUTH 777 if (session->features & SMTP_FEATURE_AUTH) 778 smtp_sasl_cleanup(session); 779 #endif 780 session->features = saved_features; 781 /* XXX Mix-up of per-session and per-request flags. */ 782 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 783 tls_helo_status = smtp_start_tls(state); 784 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 785 return (tls_helo_status); 786 } 787 788 /* 789 * Give up if we must use TLS but the server rejects STARTTLS 790 * although support for it was announced in the EHLO response. 791 */ 792 session->features &= ~SMTP_FEATURE_STARTTLS; 793 if (TLS_REQUIRED(state->tls->level)) 794 return (smtp_site_fail(state, STR(iter->host), resp, 795 "TLS is required, but host %s refused to start TLS: %s", 796 session->namaddr, 797 translit(resp->str, "\n", " "))); 798 /* Else try to continue in plain-text mode. */ 799 } 800 801 /* 802 * Give up if we must use TLS but can't for various reasons. 803 * 804 * 200412 Be sure to provide the default clause at the bottom of this 805 * block. When TLS is required we must never, ever, end up in 806 * plain-text mode. 807 */ 808 if (TLS_REQUIRED(state->tls->level)) { 809 if (!(session->features & SMTP_FEATURE_STARTTLS)) { 810 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 811 SMTP_RESP_FAKE(&fake, "4.7.4"), 812 "TLS is required, but was not offered by host %s", 813 session->namaddr)); 814 } else if (smtp_tls_ctx == 0) { 815 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 816 SMTP_RESP_FAKE(&fake, "4.7.5"), 817 "TLS is required, but our TLS engine is unavailable")); 818 } else { 819 msg_warn("%s: TLS is required but unavailable, don't know why", 820 myname); 821 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 822 SMTP_RESP_FAKE(&fake, "4.7.0"), 823 "TLS is required, but unavailable")); 824 } 825 } 826 } 827 #endif 828 #ifdef USE_SASL_AUTH 829 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH)) 830 return (smtp_sasl_helo_login(state)); 831 #endif 832 833 return (0); 834 } 835 836 #ifdef USE_TLS 837 838 /* smtp_start_tls - turn on TLS and recurse into the HELO dialog */ 839 840 static int smtp_start_tls(SMTP_STATE *state) 841 { 842 SMTP_SESSION *session = state->session; 843 SMTP_ITERATOR *iter = state->iterator; 844 TLS_CLIENT_START_PROPS tls_props; 845 VSTRING *serverid; 846 SMTP_RESP fake; 847 848 /* 849 * Turn off SMTP connection caching. When the TLS handshake succeeds, we 850 * can't reuse the SMTP connection. Reason: we can't turn off TLS in one 851 * process, save the connection to the cache which is shared with all 852 * SMTP clients, migrate the connection to another SMTP client, and 853 * resume TLS there. When the TLS handshake fails, we can't reuse the 854 * SMTP connection either, because the conversation is in an unknown 855 * state. 856 */ 857 DONT_CACHE_THIS_SESSION; 858 859 /* 860 * The following assumes sites that use TLS in a perverse configuration: 861 * multiple hosts per hostname, or even multiple hosts per IP address. 862 * All this without a shared TLS session cache, and they still want to 863 * use TLS session caching??? 864 * 865 * The TLS session cache records the trust chain verification status of 866 * cached sessions. Different transports may have different CAfile or 867 * CApath settings, perhaps to allow authenticated connections to sites 868 * with private CA certs without trusting said private certs for other 869 * sites. So we cannot assume that a trust chain valid for one transport 870 * is valid for another. Therefore the client session id must include 871 * either the transport name or the values of CAfile and CApath. We use 872 * the transport name. 873 * 874 * XXX: We store only one session per lookup key. Ideally the the key maps 875 * 1-to-1 to a server TLS session cache. We use the IP address, port and 876 * ehlo response name to build a lookup key that works for split caches 877 * (that announce distinct names) behind a load balancer. 878 * 879 * XXX: The TLS library will salt the serverid with further details of the 880 * protocol and cipher requirements including the server ehlo response. 881 * Deferring the helo to the digested suffix results in more predictable 882 * SSL session lookup key lengths. 883 */ 884 serverid = vstring_alloc(10); 885 smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE 886 | SMTP_KEY_FLAG_NEXTHOP /* With port */ 887 | SMTP_KEY_FLAG_HOSTNAME 888 | SMTP_KEY_FLAG_ADDR); 889 890 /* 891 * As of Postfix 2.5, tls_client_start() tries hard to always complete 892 * the TLS handshake. It records the verification and match status in the 893 * resulting TLScontext. It is now up to the application to abort the TLS 894 * connection if it chooses. 895 * 896 * XXX When tls_client_start() fails then we don't know what state the SMTP 897 * connection is in, so we give up on this connection even if we are not 898 * required to use TLS. 899 * 900 * Large parameter lists are error-prone, so we emulate a language feature 901 * that C does not have natively: named parameter lists. 902 */ 903 session->tls_context = 904 TLS_CLIENT_START(&tls_props, 905 ctx = smtp_tls_ctx, 906 stream = session->stream, 907 timeout = var_smtp_starttls_tmout, 908 tls_level = state->tls->level, 909 nexthop = session->tls_nexthop, 910 host = STR(iter->host), 911 namaddr = session->namaddrport, 912 serverid = vstring_str(serverid), 913 helo = session->helo, 914 protocols = state->tls->protocols, 915 cipher_grade = state->tls->grade, 916 cipher_exclusions 917 = vstring_str(state->tls->exclusions), 918 matchargv = state->tls->matchargv, 919 mdalg = var_smtp_tls_fpt_dgst, 920 dane = state->tls->dane); 921 vstring_free(serverid); 922 923 if (session->tls_context == 0) { 924 925 /* 926 * We must avoid further I/O, the peer is in an undefined state. 927 */ 928 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 929 DONT_USE_FORBIDDEN_SESSION; 930 931 /* 932 * If TLS is optional, try delivery to the same server over a 933 * plaintext connection. Otherwise we would defer mail forever with 934 * destinations that have no alternate MX host. 935 * 936 * Don't fall back to plaintext if we were willing to use SASL-over-TLS 937 * authentication. If the server doesn't announce SASL support over 938 * plaintext connections, then we don't want delivery to fail with 939 * "relay access denied". 940 * 941 * If TLS is opportunistic, don't throttle the destination, otherwise if 942 * the mail is volume is high enough we may have difficulty ever 943 * draining even the deferred mail, as new mail provides a constant 944 * stream of negative feedback. 945 */ 946 if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE) 947 RETRY_AS_PLAINTEXT; 948 return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ? 949 SMTP_NOTHROTTLE : SMTP_THROTTLE, 950 DSN_BY_LOCAL_MTA, 951 SMTP_RESP_FAKE(&fake, "4.7.5"), 952 "Cannot start TLS: handshake failure")); 953 } 954 955 /* 956 * If we are verifying the server certificate and are not happy with the 957 * result, abort the delivery here. We have a usable TLS session with the 958 * server, so no need to disable I/O, ... we can even be polite and send 959 * "QUIT". 960 * 961 * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require 962 * matching. Levels >= "dane" require CA or DNSSEC trust. 963 * 964 * When DANE TLSA records specify an end-entity certificate, the trust and 965 * match bits always coincide, but it is fine to report the wrong 966 * end-entity certificate as untrusted rather than unmatched. 967 */ 968 if (TLS_MUST_TRUST(state->tls->level)) 969 if (!TLS_CERT_IS_TRUSTED(session->tls_context)) 970 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 971 SMTP_RESP_FAKE(&fake, "4.7.5"), 972 "Server certificate not trusted")); 973 if (TLS_MUST_MATCH(state->tls->level)) 974 if (!TLS_CERT_IS_MATCHED(session->tls_context)) 975 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 976 SMTP_RESP_FAKE(&fake, "4.7.5"), 977 "Server certificate not verified")); 978 979 /* At this point there must not be any pending plaintext. */ 980 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 981 982 /* 983 * At this point we have to re-negotiate the "EHLO" to reget the 984 * feature-list. 985 */ 986 return (smtp_helo(state)); 987 } 988 989 #endif 990 991 /* smtp_hbc_logger - logging call-back for header/body checks */ 992 993 static void smtp_hbc_logger(void *context, const char *action, 994 const char *where, const char *content, 995 const char *text) 996 { 997 const SMTP_STATE *state = (SMTP_STATE *) context; 998 999 if (*text) { 1000 msg_info("%s: %s: %s %.60s: %s", 1001 state->request->queue_id, action, where, content, text); 1002 } else { 1003 msg_info("%s: %s: %s %.60s", 1004 state->request->queue_id, action, where, content); 1005 } 1006 } 1007 1008 /* smtp_text_out - output one header/body record */ 1009 1010 static void smtp_text_out(void *context, int rec_type, 1011 const char *text, ssize_t len, 1012 off_t unused_offset) 1013 { 1014 SMTP_STATE *state = (SMTP_STATE *) context; 1015 SMTP_SESSION *session = state->session; 1016 ssize_t data_left; 1017 const char *data_start; 1018 1019 /* 1020 * Deal with an impedance mismatch between Postfix queue files (record 1021 * length <= $message_line_length_limit) and SMTP (DATA record length <= 1022 * $smtp_line_length_limit). The code below does a little too much work 1023 * when the SMTP line length limit is disabled, but it avoids code 1024 * duplication, and thus, it avoids testing and maintenance problems. 1025 */ 1026 data_left = len; 1027 data_start = text; 1028 do { 1029 if (state->space_left == var_smtp_line_limit 1030 && data_left > 0 && *data_start == '.') 1031 smtp_fputc('.', session->stream); 1032 if (var_smtp_line_limit > 0 && data_left >= state->space_left) { 1033 smtp_fputs(data_start, state->space_left, session->stream); 1034 data_start += state->space_left; 1035 data_left -= state->space_left; 1036 state->space_left = var_smtp_line_limit; 1037 if (data_left > 0 || rec_type == REC_TYPE_CONT) { 1038 smtp_fputc(' ', session->stream); 1039 state->space_left -= 1; 1040 } 1041 } else { 1042 if (rec_type == REC_TYPE_CONT) { 1043 smtp_fwrite(data_start, data_left, session->stream); 1044 state->space_left -= data_left; 1045 } else { 1046 smtp_fputs(data_start, data_left, session->stream); 1047 state->space_left = var_smtp_line_limit; 1048 } 1049 break; 1050 } 1051 } while (data_left > 0); 1052 } 1053 1054 /* smtp_format_out - output one header/body record */ 1055 1056 static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...); 1057 1058 static void smtp_format_out(void *context, int rec_type, const char *fmt,...) 1059 { 1060 static VSTRING *vp; 1061 va_list ap; 1062 1063 if (vp == 0) 1064 vp = vstring_alloc(100); 1065 va_start(ap, fmt); 1066 vstring_vsprintf(vp, fmt, ap); 1067 va_end(ap); 1068 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0); 1069 } 1070 1071 /* smtp_header_out - output one message header */ 1072 1073 static void smtp_header_out(void *context, int unused_header_class, 1074 const HEADER_OPTS *unused_info, 1075 VSTRING *buf, off_t offset) 1076 { 1077 char *start = vstring_str(buf); 1078 char *line; 1079 char *next_line; 1080 1081 /* 1082 * This code destroys the header. We could try to avoid clobbering it, 1083 * but we're not going to use the data any further. 1084 */ 1085 for (line = start; line; line = next_line) { 1086 next_line = split_at(line, '\n'); 1087 smtp_text_out(context, REC_TYPE_NORM, line, next_line ? 1088 next_line - line - 1 : strlen(line), offset); 1089 } 1090 } 1091 1092 /* smtp_header_rewrite - rewrite message header before output */ 1093 1094 static void smtp_header_rewrite(void *context, int header_class, 1095 const HEADER_OPTS *header_info, 1096 VSTRING *buf, off_t offset) 1097 { 1098 SMTP_STATE *state = (SMTP_STATE *) context; 1099 int did_rewrite = 0; 1100 char *line; 1101 char *start; 1102 char *next_line; 1103 char *end_line; 1104 char *result; 1105 1106 /* 1107 * Apply optional header filtering. 1108 */ 1109 if (smtp_header_checks) { 1110 result = hbc_header_checks(context, smtp_header_checks, header_class, 1111 header_info, buf, offset); 1112 if (result == 0) 1113 return; 1114 if (result == HBC_CHECKS_STAT_ERROR) { 1115 msg_warn("%s: smtp header checks lookup error", 1116 state->request->queue_id); 1117 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1118 } 1119 if (result != STR(buf)) { 1120 vstring_strcpy(buf, result); 1121 myfree(result); 1122 } 1123 } 1124 1125 /* 1126 * Rewrite primary header addresses that match the smtp_generic_maps. The 1127 * cleanup server already enforces that all headers have proper lengths 1128 * and that all addresses are in proper form, so we don't have to repeat 1129 * that. 1130 */ 1131 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY 1132 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) { 1133 TOK822 *tree; 1134 TOK822 **addr_list; 1135 TOK822 **tpp; 1136 1137 tree = tok822_parse(vstring_str(buf) 1138 + strlen(header_info->name) + 1); 1139 addr_list = tok822_grep(tree, TOK822_ADDR); 1140 for (tpp = addr_list; *tpp; tpp++) 1141 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps, 1142 smtp_ext_prop_mask & EXT_PROP_GENERIC); 1143 if (did_rewrite) { 1144 vstring_truncate(buf, strlen(header_info->name)); 1145 vstring_strcat(buf, ": "); 1146 tok822_externalize(buf, tree, TOK822_STR_HEAD); 1147 } 1148 myfree((void *) addr_list); 1149 tok822_free_tree(tree); 1150 } 1151 1152 /* 1153 * Pass through unmodified headers without reconstruction. 1154 */ 1155 if (did_rewrite == 0) { 1156 smtp_header_out(context, header_class, header_info, buf, offset); 1157 return; 1158 } 1159 1160 /* 1161 * A rewritten address list contains one address per line. The code below 1162 * replaces newlines by spaces, to fit as many addresses on a line as 1163 * possible (without rearranging the order of addresses). Prepending 1164 * white space to the beginning of lines is delegated to the output 1165 * routine. 1166 * 1167 * Code derived from cleanup_fold_header(). 1168 */ 1169 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1170 end_line = line + strcspn(line, "\n"); 1171 if (line > start) { 1172 if (end_line - start < 70) { /* TAB counts as one */ 1173 line[-1] = ' '; 1174 } else { 1175 start = line; 1176 } 1177 } 1178 next_line = *end_line ? end_line + 1 : 0; 1179 } 1180 1181 /* 1182 * Prepend a tab to continued header lines that went through the address 1183 * rewriting machinery. Just like smtp_header_out(), this code destroys 1184 * the header. We could try to avoid clobbering it, but we're not going 1185 * to use the data any further. 1186 * 1187 * Code derived from cleanup_out_header(). 1188 */ 1189 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1190 next_line = split_at(line, '\n'); 1191 if (line == start || IS_SPACE_TAB(*line)) { 1192 smtp_text_out(state, REC_TYPE_NORM, line, next_line ? 1193 next_line - line - 1 : strlen(line), offset); 1194 } else { 1195 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line); 1196 } 1197 } 1198 } 1199 1200 /* smtp_body_rewrite - rewrite message body before output */ 1201 1202 static void smtp_body_rewrite(void *context, int type, 1203 const char *buf, ssize_t len, 1204 off_t offset) 1205 { 1206 SMTP_STATE *state = (SMTP_STATE *) context; 1207 char *result; 1208 1209 /* 1210 * Apply optional body filtering. 1211 */ 1212 if (smtp_body_checks) { 1213 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset); 1214 if (result == buf) { 1215 smtp_text_out(state, type, buf, len, offset); 1216 } else if (result == HBC_CHECKS_STAT_ERROR) { 1217 msg_warn("%s: smtp body checks lookup error", 1218 state->request->queue_id); 1219 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1220 } else if (result != 0) { 1221 smtp_text_out(state, type, result, strlen(result), offset); 1222 myfree(result); 1223 } 1224 } 1225 } 1226 1227 /* smtp_mime_fail - MIME problem */ 1228 1229 static void smtp_mime_fail(SMTP_STATE *state, int mime_errs) 1230 { 1231 const MIME_STATE_DETAIL *detail; 1232 SMTP_RESP fake; 1233 1234 detail = mime_state_detail(mime_errs); 1235 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1236 SMTP_RESP_FAKE(&fake, detail->dsn), 1237 "%s", detail->text); 1238 } 1239 1240 /* smtp_loop - exercise the SMTP protocol engine */ 1241 1242 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, 1243 NOCLOBBER int recv_state) 1244 { 1245 const char *myname = "smtp_loop"; 1246 DELIVER_REQUEST *request = state->request; 1247 SMTP_SESSION *session = state->session; 1248 SMTP_ITERATOR *iter = state->iterator; 1249 SMTP_RESP *resp; 1250 RECIPIENT *rcpt; 1251 VSTRING *next_command = vstring_alloc(100); 1252 int *NOCLOBBER survivors = 0; 1253 NOCLOBBER int next_state; 1254 NOCLOBBER int next_rcpt; 1255 NOCLOBBER int send_rcpt; 1256 NOCLOBBER int recv_rcpt; 1257 NOCLOBBER int nrcpt; 1258 NOCLOBBER int recv_done; 1259 int except; 1260 int rec_type; 1261 NOCLOBBER int prev_type = 0; 1262 NOCLOBBER int mail_from_rejected; 1263 NOCLOBBER int downgrading; 1264 int mime_errs; 1265 SMTP_RESP fake; 1266 int fail_status; 1267 1268 /* 1269 * Macros for readability. 1270 */ 1271 #define REWRITE_ADDRESS(dst, src) do { \ 1272 vstring_strcpy(dst, src); \ 1273 if (*(src) && smtp_generic_maps) \ 1274 smtp_map11_internal(dst, smtp_generic_maps, \ 1275 smtp_ext_prop_mask & EXT_PROP_GENERIC); \ 1276 } while (0) 1277 1278 #define QUOTE_ADDRESS(dst, src) do { \ 1279 if (*(src) && var_smtp_quote_821_env) { \ 1280 quote_821_local(dst, src); \ 1281 } else { \ 1282 vstring_strcpy(dst, src); \ 1283 } \ 1284 } while (0) 1285 1286 /* Caution: changes to RETURN() also affect code outside the main loop. */ 1287 1288 #define RETURN(x) do { \ 1289 if (recv_state != SMTP_STATE_LAST) \ 1290 DONT_CACHE_THIS_SESSION; \ 1291 vstring_free(next_command); \ 1292 if (survivors) \ 1293 myfree((void *) survivors); \ 1294 if (session->mime_state) \ 1295 session->mime_state = mime_state_free(session->mime_state); \ 1296 return (x); \ 1297 } while (0) 1298 1299 #define SENDER_IS_AHEAD \ 1300 (recv_state < send_state || recv_rcpt != send_rcpt) 1301 1302 #define SENDER_IN_WAIT_STATE \ 1303 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST) 1304 1305 #define SENDING_MAIL \ 1306 (recv_state <= SMTP_STATE_DOT) 1307 1308 #define CANT_RSET_THIS_SESSION \ 1309 (session->features |= SMTP_FEATURE_RSET_REJECTED) 1310 1311 /* 1312 * Pipelining support requires two loops: one loop for sending and one 1313 * for receiving. Each loop has its own independent state. Most of the 1314 * time the sender can run ahead of the receiver by as much as the TCP 1315 * send buffer permits. There are only two places where the sender must 1316 * wait for status information from the receiver: once after sending DATA 1317 * and once after sending QUIT. 1318 * 1319 * The sender state advances until the TCP send buffer would overflow, or 1320 * until the sender needs status information from the receiver. At that 1321 * point the receiver starts processing responses. Once the receiver has 1322 * caught up with the sender, the sender resumes sending commands. If the 1323 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO 1324 * commands rejected, DATA rejected) it forces the sender to abort the 1325 * SMTP dialog with RSET and QUIT. 1326 */ 1327 nrcpt = 0; 1328 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0; 1329 mail_from_rejected = 0; 1330 1331 /* 1332 * Prepare for disaster. This should not be needed because the design 1333 * guarantees that no output is flushed before smtp_chat_resp() is 1334 * called. 1335 * 1336 * 1) Every SMTP command fits entirely in a VSTREAM output buffer. 1337 * 1338 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that 1339 * there is sufficient space for the command in the output buffer. 1340 * 1341 * 3) smtp_loop() flushes the output buffer to avoid server timeouts. 1342 * 1343 * Changing any of these would violate the design, and would likely break 1344 * SMTP pipelining. 1345 * 1346 * We set up the error handler anyway (only upon entry to avoid wasting 1347 * resources) because 1) there is code below that expects that VSTREAM 1348 * timeouts are enabled, and 2) this allows us to detect if someone broke 1349 * Postfix by introducing spurious flush before read operations. 1350 */ 1351 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR 1352 || send_state > SMTP_STATE_QUIT) 1353 msg_panic("%s: bad sender state %d (receiver state %d)", 1354 myname, send_state, recv_state); 1355 smtp_stream_setup(session->stream, *xfer_timeouts[send_state], 1356 var_smtp_rec_deadline); 1357 if ((except = vstream_setjmp(session->stream)) != 0) { 1358 msg_warn("smtp_proto: spurious flush before read in send state %d", 1359 send_state); 1360 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1361 xfer_states[send_state]) : -1); 1362 } 1363 1364 /* 1365 * The main protocol loop. 1366 */ 1367 do { 1368 1369 /* 1370 * Build the next command. 1371 */ 1372 switch (send_state) { 1373 1374 /* 1375 * Sanity check. 1376 */ 1377 default: 1378 msg_panic("%s: bad sender state %d", myname, send_state); 1379 1380 /* 1381 * Build the XFORWARD command. With properly sanitized 1382 * information, the command length stays within the 512 byte 1383 * command line length limit. 1384 * 1385 * XXX smtpd_xforward_preset() initializes some fields as "unknown" 1386 * and some as null; historically, pickup(8) does not send any of 1387 * these, and the queue manager presets absent fields to "not 1388 * available" except for the rewrite context which is preset to 1389 * local by way of migration aid. These definitions need to be 1390 * centralized for maintainability. 1391 */ 1392 #ifndef CAN_FORWARD_CLIENT_NAME 1393 #define _ATTR_AVAIL_AND_KNOWN_(val) \ 1394 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) 1395 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ 1396 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ 1397 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ 1398 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ 1399 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL 1400 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL 1401 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL 1402 #endif 1403 1404 case SMTP_STATE_XFORWARD_NAME_ADDR: 1405 vstring_strcpy(next_command, XFORWARD_CMD); 1406 if ((session->features & SMTP_FEATURE_XFORWARD_NAME) 1407 && CAN_FORWARD_CLIENT_NAME(request->client_name)) { 1408 vstring_strcat(next_command, " " XFORWARD_NAME "="); 1409 xtext_quote_append(next_command, request->client_name, ""); 1410 } 1411 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 1412 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { 1413 vstring_strcat(next_command, " " XFORWARD_ADDR "="); 1414 xtext_quote_append(next_command, request->client_addr, ""); 1415 } 1416 if ((session->features & SMTP_FEATURE_XFORWARD_PORT) 1417 && CAN_FORWARD_CLIENT_PORT(request->client_port)) { 1418 vstring_strcat(next_command, " " XFORWARD_PORT "="); 1419 xtext_quote_append(next_command, request->client_port, ""); 1420 } 1421 if (session->send_proto_helo) 1422 next_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1423 else 1424 next_state = SMTP_STATE_MAIL; 1425 break; 1426 1427 case SMTP_STATE_XFORWARD_PROTO_HELO: 1428 vstring_strcpy(next_command, XFORWARD_CMD); 1429 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) 1430 && CAN_FORWARD_PROTO_NAME(request->client_proto)) { 1431 vstring_strcat(next_command, " " XFORWARD_PROTO "="); 1432 xtext_quote_append(next_command, request->client_proto, ""); 1433 } 1434 if ((session->features & SMTP_FEATURE_XFORWARD_HELO) 1435 && CAN_FORWARD_HELO_NAME(request->client_helo)) { 1436 vstring_strcat(next_command, " " XFORWARD_HELO "="); 1437 xtext_quote_append(next_command, request->client_helo, ""); 1438 } 1439 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 1440 && CAN_FORWARD_IDENT_NAME(request->log_ident)) { 1441 vstring_strcat(next_command, " " XFORWARD_IDENT "="); 1442 xtext_quote_append(next_command, request->log_ident, ""); 1443 } 1444 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 1445 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { 1446 vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); 1447 xtext_quote_append(next_command, 1448 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 1449 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, ""); 1450 } 1451 next_state = SMTP_STATE_MAIL; 1452 break; 1453 1454 /* 1455 * Build the MAIL FROM command. 1456 */ 1457 case SMTP_STATE_MAIL: 1458 request->msg_stats.reuse_count = session->reuse_count; 1459 GETTIMEOFDAY(&request->msg_stats.conn_setup_done); 1460 REWRITE_ADDRESS(session->scratch2, request->sender); 1461 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1462 vstring_sprintf(next_command, "MAIL FROM:<%s>", 1463 vstring_str(session->scratch)); 1464 /* XXX Don't announce SIZE if we're going to MIME downgrade. */ 1465 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */ 1466 && !SMTP_MIME_DOWNGRADE(session, request)) 1467 vstring_sprintf_append(next_command, " SIZE=%lu", 1468 request->data_size); 1469 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */ 1470 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0) 1471 vstring_strcat(next_command, " BODY=8BITMIME"); 1472 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0) 1473 vstring_strcat(next_command, " BODY=7BIT"); 1474 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0) 1475 msg_warn("%s: unknown content encoding: %s", 1476 request->queue_id, request->encoding); 1477 } 1478 if (session->features & SMTP_FEATURE_DSN) { 1479 if (request->dsn_envid[0]) { 1480 vstring_sprintf_append(next_command, " ENVID="); 1481 xtext_quote_append(next_command, request->dsn_envid, "+="); 1482 } 1483 if (request->dsn_ret) 1484 vstring_sprintf_append(next_command, " RET=%s", 1485 dsn_ret_str(request->dsn_ret)); 1486 } 1487 1488 /* 1489 * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8 1490 * and the sender requested SMTPUTF8 support. 1491 * 1492 * If the sender requested SMTPUTF8 but the remote SMTP server does 1493 * not support SMTPUTF8, then we have already determined earlier 1494 * that delivering this message without SMTPUTF8 will not break 1495 * the SMTPUTF8 promise that was made to the sender. 1496 */ 1497 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0 1498 && (request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) != 0) 1499 vstring_strcat(next_command, " SMTPUTF8"); 1500 1501 /* 1502 * We authenticate the local MTA only, but not the sender. 1503 */ 1504 #ifdef USE_SASL_AUTH 1505 if (var_smtp_sasl_enable 1506 && var_smtp_dummy_mail_auth 1507 && (session->features & SMTP_FEATURE_AUTH)) 1508 vstring_strcat(next_command, " AUTH=<>"); 1509 #endif 1510 1511 /* 1512 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail 1513 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA 1514 * commands to our TLS session. 1515 * 1516 * For the attack to succeed, the remote SMTP server must reply to 1517 * the malicious EHLO/MAIL/RCPT/DATA commands after completing 1518 * TLS (re)negotiation, so that the replies arrive in our TLS 1519 * session (otherwise the Postfix SMTP client would time out 1520 * waiting for an answer). With some luck we can detect this 1521 * specific attack as a server MAIL reply that arrives before we 1522 * send our own MAIL command. 1523 * 1524 * We don't apply this test to the HELO command because the result 1525 * would be very timing sensitive, and we don't apply this test 1526 * to RCPT and DATA replies because these may be pipelined for 1527 * legitimate reasons. 1528 */ 1529 #ifdef USE_TLS 1530 if (var_smtp_tls_blk_early_mail_reply 1531 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 1532 && (vstream_peek(session->stream) > 0 1533 || peekfd(vstream_fileno(session->stream)) > 0)) 1534 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY; 1535 #endif 1536 1537 /* 1538 * We now return to our regular broadcast. 1539 */ 1540 next_state = SMTP_STATE_RCPT; 1541 break; 1542 1543 /* 1544 * Build one RCPT TO command before we have seen the MAIL FROM 1545 * response. 1546 */ 1547 case SMTP_STATE_RCPT: 1548 rcpt = request->rcpt_list.info + send_rcpt; 1549 REWRITE_ADDRESS(session->scratch2, rcpt->address); 1550 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1551 vstring_sprintf(next_command, "RCPT TO:<%s>", 1552 vstring_str(session->scratch)); 1553 if (session->features & SMTP_FEATURE_DSN) { 1554 /* XXX DSN xtext encode address value not type. */ 1555 const char *orcpt_type_addr = rcpt->dsn_orcpt; 1556 1557 /* Fix 20140706: don't use empty rcpt->orig_addr. */ 1558 if (orcpt_type_addr[0] == 0 && rcpt->orig_addr[0] != 0) { 1559 quote_822_local(session->scratch, rcpt->orig_addr); 1560 vstring_sprintf(session->scratch2, "%s;%s", 1561 /* Fix 20140707: sender must request SMTPUTF8. */ 1562 (request->smtputf8 != 0 1563 && !allascii(vstring_str(session->scratch))) ? 1564 "utf-8" : "rfc822", 1565 vstring_str(session->scratch)); 1566 orcpt_type_addr = vstring_str(session->scratch2); 1567 } 1568 if (orcpt_type_addr[0] != 0) { 1569 /* Fix 20140706: don't send unquoted ORCPT. */ 1570 /* Fix 20140707: quoting method must match orcpt type. */ 1571 /* Fix 20140707: handle uxtext encoder errors. */ 1572 if (strncasecmp(orcpt_type_addr, "utf-8;", 6) == 0) { 1573 if (uxtext_quote(session->scratch, 1574 orcpt_type_addr, "+=") != 0) 1575 vstring_sprintf_append(next_command, " ORCPT=%s", 1576 vstring_str(session->scratch)); 1577 } else { 1578 xtext_quote(session->scratch, orcpt_type_addr, "="); 1579 vstring_sprintf_append(next_command, " ORCPT=%s", 1580 vstring_str(session->scratch)); 1581 } 1582 } 1583 if (rcpt->dsn_notify) 1584 vstring_sprintf_append(next_command, " NOTIFY=%s", 1585 dsn_notify_str(rcpt->dsn_notify)); 1586 } 1587 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state)) 1588 next_state = (DEL_REQ_TRACE_ONLY(request->flags) 1589 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ? 1590 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1591 break; 1592 1593 /* 1594 * Build the DATA command before we have seen all the RCPT TO 1595 * responses. 1596 */ 1597 case SMTP_STATE_DATA: 1598 vstring_strcpy(next_command, "DATA"); 1599 next_state = SMTP_STATE_DOT; 1600 break; 1601 1602 /* 1603 * Build the "." command after we have seen the DATA response 1604 * (DATA is a protocol synchronization point). 1605 * 1606 * Changing the connection caching state here is safe because it 1607 * affects none of the not-yet processed replies to 1608 * already-generated commands. 1609 */ 1610 case SMTP_STATE_DOT: 1611 vstring_strcpy(next_command, "."); 1612 if (THIS_SESSION_IS_EXPIRED) 1613 DONT_CACHE_THIS_SESSION; 1614 next_state = THIS_SESSION_IS_CACHED ? 1615 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1616 break; 1617 1618 /* 1619 * The SMTP_STATE_ABORT sender state is entered by the sender 1620 * when it has verified all recipients; or it is entered by the 1621 * receiver when all recipients are verified or rejected, and is 1622 * then left before the bottom of the main loop. 1623 * 1624 * Changing the connection caching state here is safe because there 1625 * are no not-yet processed replies to already-generated 1626 * commands. 1627 */ 1628 case SMTP_STATE_ABORT: 1629 vstring_strcpy(next_command, "RSET"); 1630 if (THIS_SESSION_IS_EXPIRED) 1631 DONT_CACHE_THIS_SESSION; 1632 next_state = THIS_SESSION_IS_CACHED ? 1633 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1634 break; 1635 1636 /* 1637 * Build the RSET command. This is entered as initial state from 1638 * smtp_rset() and has its own dedicated state transitions. It is 1639 * used to find out the status of a cached session before 1640 * attempting mail delivery. 1641 */ 1642 case SMTP_STATE_RSET: 1643 vstring_strcpy(next_command, "RSET"); 1644 next_state = SMTP_STATE_LAST; 1645 break; 1646 1647 /* 1648 * Build the QUIT command before we have seen the "." or RSET 1649 * response. This is entered as initial state from smtp_quit(), 1650 * or is reached near the end of any non-cached session. 1651 * 1652 * Changing the connection caching state here is safe. If this 1653 * command is pipelined together with a preceding command, then 1654 * connection caching was already turned off. Do not clobber the 1655 * "bad connection" flag. 1656 */ 1657 case SMTP_STATE_QUIT: 1658 vstring_strcpy(next_command, "QUIT"); 1659 next_state = SMTP_STATE_LAST; 1660 if (THIS_SESSION_IS_CACHED) 1661 DONT_CACHE_THIS_SESSION; 1662 break; 1663 1664 /* 1665 * The final sender state has no action associated with it. 1666 */ 1667 case SMTP_STATE_LAST: 1668 VSTRING_RESET(next_command); 1669 break; 1670 } 1671 VSTRING_TERMINATE(next_command); 1672 1673 /* 1674 * Process responses until the receiver has caught up. Vstreams 1675 * automatically flush buffered output when reading new data. 1676 * 1677 * Flush unsent output if command pipelining is off or if no I/O 1678 * happened for a while. This limits the accumulation of client-side 1679 * delays in pipelined sessions. 1680 * 1681 * The PIPELINING engine will flush the VSTREAM buffer if the sender 1682 * could otherwise produce more output than fits the PIPELINING 1683 * buffer. This generally works because we know exactly how much 1684 * output we produced since the last time that the sender and 1685 * receiver synchronized the SMTP state. However this logic is not 1686 * applicable after the sender enters the DATA phase, where it does 1687 * not synchronize with the receiver until the <CR><LF>.<CR><LF>. 1688 * Thus, the PIPELINING engine no longer knows how much data is 1689 * pending in the TCP send buffer. For this reason, if PIPELINING is 1690 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is 1691 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP 1692 * stack either has already received the QUIT<CR><LF>, or else it 1693 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>, 1694 * making room in the sender's TCP stack for QUIT<CR><LF>. 1695 */ 1696 #define CHECK_PIPELINING_BUFSIZE \ 1697 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT) 1698 1699 if (SENDER_IN_WAIT_STATE 1700 || (SENDER_IS_AHEAD 1701 && ((session->features & SMTP_FEATURE_PIPELINING) == 0 1702 || (CHECK_PIPELINING_BUFSIZE 1703 && (VSTRING_LEN(next_command) + 2 1704 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND) 1705 > PIPELINING_BUFSIZE)) 1706 || time((time_t *) 0) 1707 - vstream_ftime(session->stream) > 10))) { 1708 while (SENDER_IS_AHEAD) { 1709 1710 /* 1711 * Sanity check. 1712 */ 1713 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR 1714 || recv_state > SMTP_STATE_QUIT) 1715 msg_panic("%s: bad receiver state %d (sender state %d)", 1716 myname, recv_state, send_state); 1717 1718 /* 1719 * Receive the next server response. Use the proper timeout, 1720 * and log the proper client state in case of trouble. 1721 * 1722 * XXX If we lose the connection before sending end-of-data, 1723 * find out if the server sent a premature end-of-data reply. 1724 * If this read attempt fails, report "lost connection while 1725 * sending message body", not "lost connection while sending 1726 * end-of-data". 1727 * 1728 * "except" becomes zero just above the protocol loop, and stays 1729 * zero or triggers an early return from the loop. In just 1730 * one case: loss of the connection when sending the message 1731 * body, we record the exception, and keep processing in the 1732 * hope of detecting a premature 5XX. We must be careful to 1733 * not clobber this non-zero value once it is set. The 1734 * variable need not survive longjmp() calls, since the only 1735 * setjmp() which does not return early is the one sets this 1736 * condition, subquent failures always return early. 1737 */ 1738 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) 1739 1740 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state], 1741 var_smtp_rec_deadline); 1742 if (LOST_CONNECTION_INSIDE_DATA) { 1743 if (vstream_setjmp(session->stream) != 0) 1744 RETURN(smtp_stream_except(state, SMTP_ERR_EOF, 1745 "sending message body")); 1746 } else { 1747 if ((except = vstream_setjmp(session->stream)) != 0) 1748 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1749 xfer_states[recv_state]) : -1); 1750 } 1751 resp = smtp_chat_resp(session); 1752 1753 /* 1754 * Process the response. 1755 */ 1756 switch (recv_state) { 1757 1758 /* 1759 * Process the XFORWARD response. 1760 */ 1761 case SMTP_STATE_XFORWARD_NAME_ADDR: 1762 if (resp->code / 100 != 2) 1763 msg_warn("host %s said: %s (in reply to %s)", 1764 session->namaddrport, 1765 translit(resp->str, "\n", " "), 1766 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]); 1767 if (session->send_proto_helo) 1768 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1769 else 1770 recv_state = SMTP_STATE_MAIL; 1771 break; 1772 1773 case SMTP_STATE_XFORWARD_PROTO_HELO: 1774 if (resp->code / 100 != 2) 1775 msg_warn("host %s said: %s (in reply to %s)", 1776 session->namaddrport, 1777 translit(resp->str, "\n", " "), 1778 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]); 1779 recv_state = SMTP_STATE_MAIL; 1780 break; 1781 1782 /* 1783 * Process the MAIL FROM response. When the server 1784 * rejects the sender, set the mail_from_rejected flag so 1785 * that the receiver may apply a course correction. 1786 */ 1787 case SMTP_STATE_MAIL: 1788 if (resp->code / 100 != 2) { 1789 smtp_mesg_fail(state, STR(iter->host), resp, 1790 "host %s said: %s (in reply to %s)", 1791 session->namaddr, 1792 translit(resp->str, "\n", " "), 1793 xfer_request[SMTP_STATE_MAIL]); 1794 mail_from_rejected = 1; 1795 } 1796 1797 /* 1798 * CVE-2009-3555 (TLS renegotiation). Whatever it was 1799 * that arrived before we sent our MAIL FROM command, it 1800 * was not a fatal-level TLS alert message. It could be a 1801 * warning-level TLS alert message, or a ChangeCipherSpec 1802 * message, but such messages are not normally sent in 1803 * the middle of a TLS session. We disconnect and try 1804 * again later. 1805 */ 1806 #ifdef USE_TLS 1807 if (var_smtp_tls_blk_early_mail_reply 1808 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) { 1809 smtp_site_fail(state, DSN_BY_LOCAL_MTA, 1810 SMTP_RESP_FAKE(&fake, "4.7.0"), 1811 "unexpected server message"); 1812 msg_warn("server %s violates %s policy", 1813 session->namaddr, 1814 VAR_LMTP_SMTP(TLS_BLK_EARLY_MAIL_REPLY)); 1815 mail_from_rejected = 1; 1816 } 1817 #endif 1818 1819 /* 1820 * We now return to our regular broadcast. 1821 */ 1822 recv_state = SMTP_STATE_RCPT; 1823 break; 1824 1825 /* 1826 * Process one RCPT TO response. If MAIL FROM was 1827 * rejected, ignore RCPT TO responses: all recipients are 1828 * dead already. When all recipients are rejected the 1829 * receiver may apply a course correction. 1830 * 1831 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply 1832 * must be treated as if the server replied with 452. 1833 * However, this causes "too much mail data" to be 1834 * treated as a recoverable error, which is wrong. I'll 1835 * stick with RFC 821. 1836 */ 1837 case SMTP_STATE_RCPT: 1838 if (!mail_from_rejected) { 1839 #ifdef notdef 1840 if (resp->code == 552) { 1841 resp->code = 452; 1842 resp->dsn[0] = '4'; 1843 } 1844 #endif 1845 rcpt = request->rcpt_list.info + recv_rcpt; 1846 if (resp->code / 100 == 2) { 1847 if (!smtp_mode) { 1848 if (survivors == 0) 1849 survivors = (int *) 1850 mymalloc(request->rcpt_list.len 1851 * sizeof(int)); 1852 survivors[nrcpt] = recv_rcpt; 1853 } 1854 ++nrcpt; 1855 /* If trace-only, mark the recipient done. */ 1856 if (DEL_REQ_TRACE_ONLY(request->flags) 1857 && smtp_vrfy_tgt == SMTP_STATE_RCPT) { 1858 translit(resp->str, "\n", " "); 1859 smtp_rcpt_done(state, resp, rcpt); 1860 } 1861 } else { 1862 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 1863 "host %s said: %s (in reply to %s)", 1864 session->namaddr, 1865 translit(resp->str, "\n", " "), 1866 xfer_request[SMTP_STATE_RCPT]); 1867 } 1868 } 1869 /* If trace-only, send RSET instead of DATA. */ 1870 if (++recv_rcpt == SMTP_RCPT_LEFT(state)) 1871 recv_state = (DEL_REQ_TRACE_ONLY(request->flags) 1872 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ? 1873 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1874 /* XXX Also: record if non-delivering session. */ 1875 break; 1876 1877 /* 1878 * Process the DATA response. When the server rejects 1879 * DATA, set nrcpt to a negative value so that the 1880 * receiver can apply a course correction. 1881 */ 1882 case SMTP_STATE_DATA: 1883 recv_state = SMTP_STATE_DOT; 1884 if (resp->code / 100 != 3) { 1885 if (nrcpt > 0) 1886 smtp_mesg_fail(state, STR(iter->host), resp, 1887 "host %s said: %s (in reply to %s)", 1888 session->namaddr, 1889 translit(resp->str, "\n", " "), 1890 xfer_request[SMTP_STATE_DATA]); 1891 nrcpt = -1; 1892 } 1893 1894 /* 1895 * In the case of a successful address probe with target 1896 * equal to DATA, the remote server is now in the DATA 1897 * state, and therefore we must not make any further 1898 * attempt to send or receive on this connection. This 1899 * means that we cannot not reuse the general-purpose 1900 * course-correction logic below which sends RSET (and 1901 * perhaps QUIT). Instead we "jump" straight to the exit 1902 * and force an unceremonious disconnect. 1903 */ 1904 else if (DEL_REQ_TRACE_ONLY(request->flags) 1905 && smtp_vrfy_tgt == SMTP_STATE_DATA) { 1906 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 1907 rcpt = request->rcpt_list.info + nrcpt; 1908 if (!SMTP_RCPT_ISMARKED(rcpt)) { 1909 translit(resp->str, "\n", " "); 1910 SMTP_RESP_SET_DSN(resp, "2.0.0"); 1911 smtp_rcpt_done(state, resp, rcpt); 1912 } 1913 } 1914 DONT_CACHE_THIS_SESSION; 1915 send_state = recv_state = SMTP_STATE_LAST; 1916 } 1917 break; 1918 1919 /* 1920 * Process the end of message response. Ignore the 1921 * response when no recipient was accepted: all 1922 * recipients are dead already, and the next receiver 1923 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise, 1924 * if the message transfer fails, bounce all remaining 1925 * recipients, else cross off the recipients that were 1926 * delivered. 1927 */ 1928 case SMTP_STATE_DOT: 1929 GETTIMEOFDAY(&request->msg_stats.deliver_done); 1930 if (smtp_mode) { 1931 if (nrcpt > 0) { 1932 if (resp->code / 100 != 2) { 1933 smtp_mesg_fail(state, STR(iter->host), resp, 1934 "host %s said: %s (in reply to %s)", 1935 session->namaddr, 1936 translit(resp->str, "\n", " "), 1937 xfer_request[SMTP_STATE_DOT]); 1938 } else { 1939 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 1940 rcpt = request->rcpt_list.info + nrcpt; 1941 if (!SMTP_RCPT_ISMARKED(rcpt)) { 1942 translit(resp->str, "\n", " "); 1943 smtp_rcpt_done(state, resp, rcpt); 1944 } 1945 } 1946 } 1947 } 1948 } 1949 1950 /* 1951 * With LMTP we have one response per accepted RCPT TO 1952 * command. Stay in the SMTP_STATE_DOT state until we 1953 * have collected all responses. 1954 */ 1955 else { 1956 if (nrcpt > 0) { 1957 rcpt = request->rcpt_list.info 1958 + survivors[recv_done++]; 1959 if (resp->code / 100 != 2) { 1960 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 1961 "host %s said: %s (in reply to %s)", 1962 session->namaddr, 1963 translit(resp->str, "\n", " "), 1964 xfer_request[SMTP_STATE_DOT]); 1965 } else { 1966 translit(resp->str, "\n", " "); 1967 smtp_rcpt_done(state, resp, rcpt); 1968 } 1969 } 1970 if (msg_verbose) 1971 msg_info("%s: got %d of %d end-of-data replies", 1972 myname, recv_done, nrcpt); 1973 if (recv_done < nrcpt) 1974 break; 1975 } 1976 1977 /* 1978 * XXX Do not change the connection caching state here, 1979 * even if the connection caching timer expired between 1980 * generating the command and processing the reply, 1981 * otherwise the sender and receiver loops get out of 1982 * sync. The caller will call smtp_quit() if appropriate. 1983 */ 1984 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED 1985 || LOST_CONNECTION_INSIDE_DATA) 1986 recv_state = SMTP_STATE_LAST; 1987 else 1988 recv_state = SMTP_STATE_QUIT; 1989 break; 1990 1991 /* 1992 * Receive the RSET response. 1993 * 1994 * The SMTP_STATE_ABORT sender state is entered by the 1995 * sender when it has verified all recipients; or it is 1996 * entered by the receiver when all recipients are 1997 * verified or rejected, and is then left before the 1998 * bottom of the main loop. 1999 * 2000 * XXX Do not change the connection caching state here, even 2001 * if the server rejected RSET or if the connection 2002 * caching timer expired between generating the command 2003 * and processing the reply, otherwise the sender and 2004 * receiver loops get out of sync. The caller will call 2005 * smtp_quit() if appropriate. 2006 */ 2007 case SMTP_STATE_ABORT: 2008 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ? 2009 SMTP_STATE_LAST : SMTP_STATE_QUIT); 2010 break; 2011 2012 /* 2013 * This is the initial receiver state from smtp_rset(). 2014 * It is used to find out the status of a cached session 2015 * before attempting mail delivery. 2016 */ 2017 case SMTP_STATE_RSET: 2018 if (resp->code / 100 != 2) 2019 CANT_RSET_THIS_SESSION; 2020 recv_state = SMTP_STATE_LAST; 2021 break; 2022 2023 /* 2024 * Receive, but otherwise ignore, the QUIT response. 2025 */ 2026 case SMTP_STATE_QUIT: 2027 recv_state = SMTP_STATE_LAST; 2028 break; 2029 } 2030 } 2031 2032 /* 2033 * At this point, the sender and receiver are fully synchronized. 2034 */ 2035 2036 /* 2037 * We know the server response to every command that was sent. 2038 * Apply a course correction if necessary: the sender wants to 2039 * send RCPT TO but MAIL FROM was rejected; the sender wants to 2040 * send DATA but all recipients were rejected; the sender wants 2041 * to deliver the message but DATA was rejected. 2042 */ 2043 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected) 2044 || (send_state == SMTP_STATE_DATA && nrcpt == 0) 2045 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) { 2046 send_state = recv_state = SMTP_STATE_ABORT; 2047 send_rcpt = recv_rcpt = 0; 2048 vstring_strcpy(next_command, "RSET"); 2049 if (THIS_SESSION_IS_EXPIRED) 2050 DONT_CACHE_THIS_SESSION; 2051 next_state = THIS_SESSION_IS_CACHED ? 2052 SMTP_STATE_LAST : SMTP_STATE_QUIT; 2053 /* XXX Also: record if non-delivering session. */ 2054 next_rcpt = 0; 2055 } 2056 } 2057 2058 /* 2059 * Make the next sender state the current sender state. 2060 */ 2061 if (send_state == SMTP_STATE_LAST) 2062 continue; 2063 2064 /* 2065 * Special case if the server accepted the DATA command. If the 2066 * server accepted at least one recipient send the entire message. 2067 * Otherwise, just send "." as per RFC 2197. 2068 * 2069 * XXX If there is a hard MIME error while downgrading to 7-bit mail, 2070 * disconnect ungracefully, because there is no other way to cancel a 2071 * transaction in progress. 2072 */ 2073 if (send_state == SMTP_STATE_DOT && nrcpt > 0) { 2074 2075 smtp_stream_setup(session->stream, var_smtp_data1_tmout, 2076 var_smtp_rec_deadline); 2077 2078 if ((except = vstream_setjmp(session->stream)) == 0) { 2079 2080 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0) 2081 msg_fatal("seek queue file: %m"); 2082 2083 downgrading = SMTP_MIME_DOWNGRADE(session, request); 2084 2085 /* 2086 * XXX Don't downgrade just because generic_maps is turned 2087 * on. 2088 */ 2089 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks) 2090 2091 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS) 2092 session->mime_state = mime_state_alloc(downgrading ? 2093 MIME_OPT_DOWNGRADE 2094 | MIME_OPT_REPORT_NESTING : 2095 SMTP_ANY_CHECKS == 0 ? 2096 MIME_OPT_DISABLE_MIME : 2097 0, 2098 smtp_generic_maps 2099 || smtp_header_checks ? 2100 smtp_header_rewrite : 2101 smtp_header_out, 2102 (MIME_STATE_ANY_END) 0, 2103 smtp_body_checks ? 2104 smtp_body_rewrite : 2105 smtp_text_out, 2106 (MIME_STATE_ANY_END) 0, 2107 (MIME_STATE_ERR_PRINT) 0, 2108 (void *) state); 2109 state->space_left = var_smtp_line_limit; 2110 2111 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) { 2112 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 2113 break; 2114 if (session->mime_state == 0) { 2115 smtp_text_out((void *) state, rec_type, 2116 vstring_str(session->scratch), 2117 VSTRING_LEN(session->scratch), 2118 (off_t) 0); 2119 } else { 2120 mime_errs = 2121 mime_state_update(session->mime_state, rec_type, 2122 vstring_str(session->scratch), 2123 VSTRING_LEN(session->scratch)); 2124 if (mime_errs) { 2125 smtp_mime_fail(state, mime_errs); 2126 RETURN(0); 2127 } 2128 } 2129 prev_type = rec_type; 2130 } 2131 2132 if (session->mime_state) { 2133 2134 /* 2135 * The cleanup server normally ends MIME content with a 2136 * normal text record. The following code is needed to 2137 * flush an internal buffer when someone submits 8-bit 2138 * mail not ending in newline via /usr/sbin/sendmail 2139 * while MIME input processing is turned off, and MIME 2140 * 8bit->7bit conversion is requested upon delivery. 2141 * 2142 * Or some error while doing generic address mapping. 2143 */ 2144 mime_errs = 2145 mime_state_update(session->mime_state, rec_type, "", 0); 2146 if (mime_errs) { 2147 smtp_mime_fail(state, mime_errs); 2148 RETURN(0); 2149 } 2150 } else if (prev_type == REC_TYPE_CONT) /* missing newline */ 2151 smtp_fputs("", 0, session->stream); 2152 if ((session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) != 0 2153 && request->msg_stats.incoming_arrival.tv_sec 2154 <= vstream_ftime(session->stream) - var_smtp_pix_thresh) { 2155 smtp_flush(session->stream);/* hurts performance */ 2156 sleep(var_smtp_pix_delay); /* not to mention this */ 2157 } 2158 if (vstream_ferror(state->src)) 2159 msg_fatal("queue file read error"); 2160 if (rec_type != REC_TYPE_XTRA) { 2161 msg_warn("%s: bad record type: %d in message content", 2162 request->queue_id, rec_type); 2163 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2164 SMTP_RESP_FAKE(&fake, "5.3.0"), 2165 "unreadable mail queue entry"); 2166 /* Bailing out, abort stream with prejudice */ 2167 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 2168 DONT_USE_FORBIDDEN_SESSION; 2169 /* If bounce_append() succeeded, status is still 0 */ 2170 if (state->status == 0) 2171 (void) mark_corrupt(state->src); 2172 /* Don't override smtp_mesg_fail() here. */ 2173 RETURN(fail_status); 2174 } 2175 } else { 2176 if (!LOST_CONNECTION_INSIDE_DATA) 2177 RETURN(smtp_stream_except(state, except, 2178 "sending message body")); 2179 2180 /* 2181 * We will clear the stream error flag to try and read a 2182 * premature 5XX response, so it is important to flush any 2183 * unwritten data. Otherwise, we will try to flush it again 2184 * before reading, which may incur an unnecessary delay and 2185 * will prevent the reading of any response that is not 2186 * already buffered (bundled with the DATA 354 response). 2187 * 2188 * Not much point in sending QUIT at this point, skip right to 2189 * SMTP_STATE_LAST. The read engine above will likewise avoid 2190 * looking for a QUIT response. 2191 */ 2192 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE); 2193 next_state = SMTP_STATE_LAST; 2194 } 2195 } 2196 2197 /* 2198 * Copy the next command to the buffer and update the sender state. 2199 */ 2200 if (except == 0) { 2201 smtp_chat_cmd(session, "%s", vstring_str(next_command)); 2202 } else { 2203 DONT_CACHE_THIS_SESSION; 2204 } 2205 send_state = next_state; 2206 send_rcpt = next_rcpt; 2207 } while (recv_state != SMTP_STATE_LAST); 2208 RETURN(0); 2209 } 2210 2211 /* smtp_xfer - send a batch of envelope information and the message data */ 2212 2213 int smtp_xfer(SMTP_STATE *state) 2214 { 2215 DELIVER_REQUEST *request = state->request; 2216 SMTP_SESSION *session = state->session; 2217 SMTP_RESP fake; 2218 int send_state; 2219 int recv_state; 2220 int send_name_addr; 2221 int result; 2222 2223 /* 2224 * Sanity check. Recipients should be unmarked at this point. 2225 */ 2226 if (SMTP_RCPT_LEFT(state) <= 0) 2227 msg_panic("smtp_xfer: bad recipient count: %d", 2228 SMTP_RCPT_LEFT(state)); 2229 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info)) 2230 msg_panic("smtp_xfer: bad recipient status: %d", 2231 request->rcpt_list.info->u.status); 2232 2233 /* 2234 * See if we should even try to send this message at all. This code sits 2235 * here rather than in the EHLO processing code, because of SMTP 2236 * connection caching. 2237 */ 2238 if (session->size_limit > 0 && session->size_limit < request->data_size) { 2239 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2240 SMTP_RESP_FAKE(&fake, "5.3.4"), 2241 "message size %lu exceeds size limit %.0f of server %s", 2242 request->data_size, (double) session->size_limit, 2243 session->namaddr); 2244 /* Redundant. We abort this delivery attempt. */ 2245 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2246 return (0); 2247 } 2248 2249 /* 2250 * Use XFORWARD to forward the origin of this email message across an 2251 * SMTP-based content filter. Send client attribute information only if 2252 * it exists (i.e. remote submission). Local submissions have no client 2253 * attributes; the mail will appear to originate from the content filter 2254 * which is acceptable. 2255 */ 2256 send_name_addr = 2257 var_smtp_send_xforward 2258 && (((session->features & SMTP_FEATURE_XFORWARD_NAME) 2259 && CAN_FORWARD_CLIENT_NAME(request->client_name)) 2260 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 2261 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) 2262 || ((session->features & SMTP_FEATURE_XFORWARD_PORT) 2263 && CAN_FORWARD_CLIENT_PORT(request->client_port))); 2264 session->send_proto_helo = 2265 var_smtp_send_xforward 2266 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) 2267 && CAN_FORWARD_PROTO_NAME(request->client_proto)) 2268 || ((session->features & SMTP_FEATURE_XFORWARD_HELO) 2269 && CAN_FORWARD_HELO_NAME(request->client_helo)) 2270 || ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 2271 && CAN_FORWARD_IDENT_NAME(request->log_ident)) 2272 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 2273 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); 2274 if (send_name_addr) 2275 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; 2276 else if (session->send_proto_helo) 2277 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO; 2278 else 2279 recv_state = send_state = SMTP_STATE_MAIL; 2280 2281 /* 2282 * Remember this session's "normal completion", even if the server 4xx-ed 2283 * some or all recipients. Connection or handshake errors with a later MX 2284 * host should not cause this destination be marked as unreachable. 2285 */ 2286 result = smtp_loop(state, send_state, recv_state); 2287 2288 if (result == 0 2289 /* Just in case */ 2290 && vstream_ferror(session->stream) == 0 2291 && vstream_feof(session->stream) == 0) 2292 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2293 2294 return (result); 2295 } 2296 2297 /* smtp_rset - send a lone RSET command */ 2298 2299 int smtp_rset(SMTP_STATE *state) 2300 { 2301 2302 /* 2303 * This works because SMTP_STATE_RSET is a dedicated sender/recipient 2304 * entry state, with SMTP_STATE_LAST as next sender/recipient state. 2305 */ 2306 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET)); 2307 } 2308 2309 /* smtp_quit - send a lone QUIT command */ 2310 2311 int smtp_quit(SMTP_STATE *state) 2312 { 2313 2314 /* 2315 * This works because SMTP_STATE_QUIT is the last state with a sender 2316 * action, with SMTP_STATE_LAST as the next sender/recipient state. 2317 */ 2318 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ? 2319 SMTP_STATE_LAST : SMTP_STATE_QUIT)); 2320 } 2321