1 /* $NetBSD: smtp_proto.c,v 1.1.1.2 2010/06/17 18:07:03 tron Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_proto 3 6 /* SUMMARY 7 /* client SMTP/LMTP protocol 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* int smtp_helo(state) 12 /* SMTP_STATE *state; 13 /* 14 /* int smtp_xfer(state) 15 /* SMTP_STATE *state; 16 /* 17 /* int smtp_rset(state) 18 /* SMTP_STATE *state; 19 /* 20 /* int smtp_quit(state) 21 /* SMTP_STATE *state; 22 /* DESCRIPTION 23 /* In the subsequent text, SMTP implies LMTP. 24 /* This module implements the client side of the SMTP protocol. 25 /* 26 /* smtp_helo() performs the initial handshake with the SMTP server. 27 /* When TLS is enabled, this includes STARTTLS negotiations. 28 /* 29 /* smtp_xfer() sends message envelope information followed by the 30 /* message data, and finishes the SMTP conversation. These operations 31 /* are combined in one function, in order to implement SMTP pipelining. 32 /* Recipients are marked as "done" in the mail queue file when 33 /* bounced or delivered. The message delivery status is updated 34 /* accordingly. 35 /* 36 /* smtp_rset() sends a single RSET command and waits for the 37 /* response. In case of a negative reply it sets the 38 /* CANT_RSET_THIS_SESSION flag. 39 /* 40 /* smtp_quit() sends a single QUIT command and waits for the 41 /* response if configured to do so. It always turns off connection 42 /* caching. 43 /* DIAGNOSTICS 44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return 45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(), 46 /* smtp_rset() and smtp_quit(), success means the ability to 47 /* perform an SMTP conversation, not necessarily the ability 48 /* to deliver mail, or the achievement of server happiness. 49 /* 50 /* In case of a rejected or failed connection, a connection 51 /* is marked as "bad, do not cache". Otherwise, connection 52 /* caching may be turned off (without being marked "bad") at 53 /* the discretion of the code that implements the individual 54 /* protocol steps. 55 /* 56 /* Warnings: corrupt message file. A corrupt message is marked 57 /* as "corrupt" by changing its queue file permissions. 58 /* BUGS 59 /* Some SMTP servers will abort when the number of recipients 60 /* for one message exceeds their capacity. This behavior violates 61 /* the SMTP protocol. 62 /* The only way around this is to limit the number of recipients 63 /* per transaction to an artificially-low value. 64 /* SEE ALSO 65 /* smtp(3h) internal data structures 66 /* smtp_chat(3) query/reply SMTP support 67 /* smtp_trouble(3) error handlers 68 /* LICENSE 69 /* .ad 70 /* .fi 71 /* The Secure Mailer license must be distributed with this software. 72 /* AUTHOR(S) 73 /* Wietse Venema 74 /* IBM T.J. Watson Research 75 /* P.O. Box 704 76 /* Yorktown Heights, NY 10598, USA 77 /* 78 /* Pipelining code in cooperation with: 79 /* Jon Ribbens 80 /* Oaktree Internet Solutions Ltd., 81 /* Internet House, 82 /* Canal Basin, 83 /* Coventry, 84 /* CV1 4LY, United Kingdom. 85 /* 86 /* Connection caching in cooperation with: 87 /* Victor Duchovni 88 /* Morgan Stanley 89 /* 90 /* TLS support originally by: 91 /* Lutz Jaenicke 92 /* BTU Cottbus 93 /* Allgemeine Elektrotechnik 94 /* Universitaetsplatz 3-4 95 /* D-03044 Cottbus, Germany 96 /*--*/ 97 98 /* System library. */ 99 100 #include <sys_defs.h> 101 #include <sys/stat.h> 102 #include <sys/socket.h> /* shutdown(2) */ 103 #include <netinet/in.h> /* ntohs() */ 104 #include <string.h> 105 #include <unistd.h> 106 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */ 107 #include <stdarg.h> 108 #include <time.h> 109 110 #ifdef STRCASECMP_IN_STRINGS_H 111 #include <strings.h> 112 #endif 113 114 /* Utility library. */ 115 116 #include <msg.h> 117 #include <vstring.h> 118 #include <vstream.h> 119 #include <vstring_vstream.h> 120 #include <stringops.h> 121 #include <mymalloc.h> 122 #include <iostuff.h> 123 #include <split_at.h> 124 #include <name_code.h> 125 #include <name_mask.h> 126 127 /* Global library. */ 128 129 #include <mail_params.h> 130 #include <smtp_stream.h> 131 #include <mail_queue.h> 132 #include <recipient_list.h> 133 #include <deliver_request.h> 134 #include <defer.h> 135 #include <bounce.h> 136 #include <record.h> 137 #include <rec_type.h> 138 #include <off_cvt.h> 139 #include <mark_corrupt.h> 140 #include <quote_821_local.h> 141 #include <quote_822_local.h> 142 #include <mail_proto.h> 143 #include <mime_state.h> 144 #include <ehlo_mask.h> 145 #include <maps.h> 146 #include <tok822.h> 147 #include <mail_addr_map.h> 148 #include <ext_prop.h> 149 #include <lex_822.h> 150 #include <dsn_mask.h> 151 #include <xtext.h> 152 153 /* Application-specific. */ 154 155 #include "smtp.h" 156 #include "smtp_sasl.h" 157 158 /* 159 * Sender and receiver state. A session does not necessarily go through a 160 * linear progression, but states are guaranteed to not jump backwards. 161 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states 162 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST. 163 * 164 * When connection caching is enabled, the QUIT state is suppressed. Normal 165 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions 166 * end with ABORT->LAST. The connection is left open for a limited time. An 167 * RSET probe should be sent before attempting to reuse an open connection 168 * for a new transaction. 169 * 170 * The code to send an RSET probe is a special case with its own initial state 171 * and with its own dedicated state transitions. The session proceeds as 172 * RSET->LAST. This code is kept inside the main protocol engine for 173 * consistent error handling and error reporting. It is not to be confused 174 * with the code that sends RSET to abort a mail transaction in progress. 175 * 176 * The code to send QUIT without message delivery transaction jumps into the 177 * main state machine. If this introduces complications, then we should 178 * introduce a second QUIT state with its own dedicated state transitions, 179 * just like we did for RSET probes. 180 * 181 * By default, the receiver skips the QUIT response. Some SMTP servers 182 * disconnect after responding to ".", and some SMTP servers wait before 183 * responding to QUIT. 184 * 185 * Client states that are associated with sending mail (up to and including 186 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending 187 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST). 188 */ 189 #define SMTP_STATE_XFORWARD_NAME_ADDR 0 190 #define SMTP_STATE_XFORWARD_PROTO_HELO 1 191 #define SMTP_STATE_MAIL 2 192 #define SMTP_STATE_RCPT 3 193 #define SMTP_STATE_DATA 4 194 #define SMTP_STATE_DOT 5 195 #define SMTP_STATE_ABORT 6 196 #define SMTP_STATE_RSET 7 197 #define SMTP_STATE_QUIT 8 198 #define SMTP_STATE_LAST 9 199 200 int *xfer_timeouts[SMTP_STATE_LAST] = { 201 &var_smtp_xfwd_tmout, /* name/addr */ 202 &var_smtp_xfwd_tmout, /* helo/proto */ 203 &var_smtp_mail_tmout, 204 &var_smtp_rcpt_tmout, 205 &var_smtp_data0_tmout, 206 &var_smtp_data2_tmout, 207 &var_smtp_rset_tmout, 208 &var_smtp_rset_tmout, 209 &var_smtp_quit_tmout, 210 }; 211 212 char *xfer_states[SMTP_STATE_LAST] = { 213 "sending XFORWARD name/address", 214 "sending XFORWARD protocol/helo_name", 215 "sending MAIL FROM", 216 "sending RCPT TO", 217 "sending DATA command", 218 "sending end of data -- message may be sent more than once", 219 "sending final RSET", 220 "sending RSET probe", 221 "sending QUIT", 222 }; 223 224 char *xfer_request[SMTP_STATE_LAST] = { 225 "XFORWARD name/address command", 226 "XFORWARD helo/protocol command", 227 "MAIL FROM command", 228 "RCPT TO command", 229 "DATA command", 230 "end of DATA command", 231 "final RSET command", 232 "RSET probe", 233 "QUIT command", 234 }; 235 236 #define SMTP_MIME_DOWNGRADE(session, request) \ 237 (var_disable_mime_oconv == 0 \ 238 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \ 239 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0) 240 241 static int smtp_start_tls(SMTP_STATE *); 242 243 /* 244 * Call-back information for header/body checks. We don't provide call-backs 245 * for actions that change the message delivery time or destination. 246 */ 247 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *); 248 static void smtp_text_out(void *, int, const char *, ssize_t, off_t); 249 250 HBC_CALL_BACKS smtp_hbc_callbacks[1] = { 251 smtp_hbc_logger, 252 smtp_text_out, 253 }; 254 255 /* smtp_helo - perform initial handshake with SMTP server */ 256 257 int smtp_helo(SMTP_STATE *state) 258 { 259 const char *myname = "smtp_helo"; 260 SMTP_SESSION *session = state->session; 261 DELIVER_REQUEST *request = state->request; 262 SMTP_RESP *resp; 263 SMTP_RESP fake; 264 int except; 265 char *lines; 266 char *words; 267 char *word; 268 int n; 269 static const NAME_CODE xforward_features[] = { 270 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME, 271 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR, 272 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT, 273 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO, 274 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO, 275 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN, 276 0, 0, 277 }; 278 SOCKOPT_SIZE optlen; 279 int sndbufsize; 280 const char *ehlo_words; 281 int discard_mask; 282 static const NAME_MASK pix_bug_table[] = { 283 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP, 284 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF, 285 0, 286 }; 287 const char *pix_bug_words; 288 const char *pix_bug_source; 289 int pix_bug_mask; 290 291 #ifdef USE_TLS 292 int saved_features = session->features; 293 int tls_helo_status; 294 295 #endif 296 const char *NOCLOBBER where; 297 298 /* 299 * Prepare for disaster. 300 */ 301 smtp_timeout_setup(state->session->stream, var_smtp_helo_tmout); 302 if ((except = vstream_setjmp(state->session->stream)) != 0) 303 return (smtp_stream_except(state, except, where)); 304 305 /* 306 * If not recursing after STARTTLS, examine the server greeting banner 307 * and decide if we are going to send EHLO as the next command. 308 */ 309 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 310 311 /* 312 * Read and parse the server's SMTP greeting banner. 313 */ 314 where = "receiving the initial server greeting"; 315 switch ((resp = smtp_chat_resp(session))->code / 100) { 316 case 2: 317 break; 318 case 5: 319 if (var_smtp_skip_5xx_greeting) 320 STR(resp->dsn_buf)[0] = '4'; 321 /* FALLTHROUGH */ 322 default: 323 return (smtp_site_fail(state, session->host, resp, 324 "host %s refused to talk to me: %s", 325 session->namaddr, 326 translit(resp->str, "\n", " "))); 327 } 328 329 /* 330 * If the policy table specifies a bogus TLS security level, fail 331 * now. 332 */ 333 #ifdef USE_TLS 334 if (session->tls_level == TLS_LEV_INVALID) 335 /* Warning is already logged. */ 336 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 337 SMTP_RESP_FAKE(&fake, "4.7.0"), 338 "client TLS configuration problem")); 339 #endif 340 341 /* 342 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so 343 * it does not span a packet boundary. This hurts performance so it 344 * is not on by default. 345 */ 346 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) { 347 if (smtp_pix_bug_maps != 0 348 && (pix_bug_words = 349 maps_find(smtp_pix_bug_maps, 350 state->session->addr, 0)) != 0) { 351 pix_bug_source = VAR_SMTP_PIX_BUG_MAPS; 352 } else { 353 pix_bug_words = var_smtp_pix_bug_words; 354 pix_bug_source = VAR_SMTP_PIX_BUG_WORDS; 355 } 356 if (*pix_bug_words) { 357 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table, 358 pix_bug_words, NAME_MASK_ANY_CASE); 359 msg_info("%s: enabling PIX workarounds: %s for %s", 360 request->queue_id, 361 str_name_mask("pix workaround bitmask", 362 pix_bug_table, pix_bug_mask), 363 session->namaddrport); 364 session->features |= pix_bug_mask; 365 } 366 } 367 368 /* 369 * See if we are talking to ourself. This should not be possible with 370 * the way we implement DNS lookups. However, people are known to 371 * sometimes screw up the naming service. And, mailer loops are still 372 * possible when our own mailer routing tables are mis-configured. 373 */ 374 words = resp->str; 375 (void) mystrtok(&words, "- \t\n"); 376 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) { 377 if (n == 0 && strcasecmp(word, var_myhostname) == 0) { 378 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) 379 msg_warn("host %s greeted me with my own hostname %s", 380 session->namaddrport, var_myhostname); 381 } else if (strcasecmp(word, "ESMTP") == 0) 382 session->features |= SMTP_FEATURE_ESMTP; 383 } 384 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 385 if (var_smtp_always_ehlo 386 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0) 387 session->features |= SMTP_FEATURE_ESMTP; 388 if (var_smtp_never_ehlo 389 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0) 390 session->features &= ~SMTP_FEATURE_ESMTP; 391 } else { 392 session->features |= SMTP_FEATURE_ESMTP; 393 } 394 } 395 396 /* 397 * If recursing after STARTTLS, there is no server greeting banner. 398 * Always send EHLO as the next command. 399 */ 400 else { 401 session->features |= SMTP_FEATURE_ESMTP; 402 } 403 404 /* 405 * Return the compliment. Fall back to SMTP if our ESMTP recognition 406 * heuristic failed. 407 */ 408 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 409 where = "performing the EHLO handshake"; 410 if (session->features & SMTP_FEATURE_ESMTP) { 411 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name); 412 if ((resp = smtp_chat_resp(session))->code / 100 != 2) { 413 if (resp->code == 421) 414 return (smtp_site_fail(state, session->host, resp, 415 "host %s refused to talk to me: %s", 416 session->namaddr, 417 translit(resp->str, "\n", " "))); 418 else 419 session->features &= ~SMTP_FEATURE_ESMTP; 420 } 421 } 422 if ((session->features & SMTP_FEATURE_ESMTP) == 0) { 423 where = "performing the HELO handshake"; 424 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name); 425 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 426 return (smtp_site_fail(state, session->host, resp, 427 "host %s refused to talk to me: %s", 428 session->namaddr, 429 translit(resp->str, "\n", " "))); 430 } 431 } else { 432 where = "performing the LHLO handshake"; 433 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name); 434 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 435 return (smtp_site_fail(state, session->host, resp, 436 "host %s refused to talk to me: %s", 437 session->namaddr, 438 translit(resp->str, "\n", " "))); 439 } 440 441 /* 442 * No early returns allowed, to ensure consistent handling of TLS and 443 * SASL policies. 444 */ 445 if (session->features & SMTP_FEATURE_ESMTP) { 446 447 /* 448 * Determine what server EHLO keywords to ignore, typically to avoid 449 * inter-operability problems. 450 */ 451 if (smtp_ehlo_dis_maps == 0 452 || (ehlo_words = maps_find(smtp_ehlo_dis_maps, 453 state->session->addr, 0)) == 0) 454 ehlo_words = var_smtp_ehlo_dis_words; 455 discard_mask = ehlo_mask(ehlo_words); 456 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 457 msg_info("discarding EHLO keywords: %s", 458 str_ehlo_mask(discard_mask)); 459 460 /* 461 * Pick up some useful features offered by the SMTP server. XXX Until 462 * we have a portable routine to convert from string to off_t with 463 * proper overflow detection, ignore the message size limit 464 * advertised by the SMTP server. Otherwise, we might do the wrong 465 * thing when the server advertises a really huge message size limit. 466 * 467 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", 468 * because MicroSoft implemented AUTH based on an old draft. 469 */ 470 lines = resp->str; 471 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) { 472 if (mystrtok(&words, "- ") 473 && (word = mystrtok(&words, " \t=")) != 0) { 474 if (n == 0) { 475 if (session->helo != 0) 476 myfree(session->helo); 477 478 /* 479 * XXX: Keep the original case: we don't expect a single 480 * SMTP server to randomly change the case of its helo 481 * response. If different capitalization is detected, we 482 * should assume disjoint TLS caches. 483 */ 484 session->helo = mystrdup(word); 485 if (strcasecmp(word, var_myhostname) == 0 486 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) { 487 msg_warn("host %s replied to HELO/EHLO" 488 " with my own hostname %s", 489 session->namaddrport, var_myhostname); 490 if (session->features & SMTP_FEATURE_BEST_MX) 491 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 492 SMTP_RESP_FAKE(&fake, "5.4.6"), 493 "mail for %s loops back to myself", 494 request->nexthop)); 495 else 496 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 497 SMTP_RESP_FAKE(&fake, "4.4.6"), 498 "mail for %s loops back to myself", 499 request->nexthop)); 500 } 501 } else if (strcasecmp(word, "8BITMIME") == 0) { 502 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 503 session->features |= SMTP_FEATURE_8BITMIME; 504 } else if (strcasecmp(word, "PIPELINING") == 0) { 505 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 506 session->features |= SMTP_FEATURE_PIPELINING; 507 } else if (strcasecmp(word, "XFORWARD") == 0) { 508 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) 509 while ((word = mystrtok(&words, " \t")) != 0) 510 session->features |= 511 name_code(xforward_features, 512 NAME_CODE_FLAG_NONE, word); 513 } else if (strcasecmp(word, "SIZE") == 0) { 514 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 515 session->features |= SMTP_FEATURE_SIZE; 516 if ((word = mystrtok(&words, " \t")) != 0) { 517 if (!alldig(word)) 518 msg_warn("bad EHLO SIZE limit \"%s\" from %s", 519 word, session->namaddrport); 520 else 521 session->size_limit = off_cvt_string(word); 522 } 523 } 524 #ifdef USE_TLS 525 } else if (strcasecmp(word, "STARTTLS") == 0) { 526 /* Ignored later if we already sent STARTTLS. */ 527 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 528 session->features |= SMTP_FEATURE_STARTTLS; 529 #endif 530 #ifdef USE_SASL_AUTH 531 } else if (var_smtp_sasl_enable 532 && strcasecmp(word, "AUTH") == 0) { 533 if ((discard_mask & EHLO_MASK_AUTH) == 0) 534 smtp_sasl_helo_auth(session, words); 535 #endif 536 } else if (strcasecmp(word, "DSN") == 0) { 537 if ((discard_mask & EHLO_MASK_DSN) == 0) 538 session->features |= SMTP_FEATURE_DSN; 539 } 540 n++; 541 } 542 } 543 } 544 if (msg_verbose) 545 msg_info("server features: 0x%x size %.0f", 546 session->features, (double) session->size_limit); 547 548 /* 549 * We use SMTP command pipelining if the server said it supported it. 550 * Since we use blocking I/O, RFC 2197 says that we should inspect the 551 * TCP window size and not send more than this amount of information. 552 * Unfortunately this information is unavailable using the sockets 553 * interface. However, we *can* get the TCP send buffer size on the local 554 * TCP/IP stack. We should be able to fill this buffer without being 555 * blocked, and then the kernel will effectively do non-blocking I/O for 556 * us by automatically writing out the contents of its send buffer while 557 * we are reading in the responses. In addition to TCP buffering we have 558 * to be aware of application-level buffering by the vstream module, 559 * which is limited to a couple kbytes. 560 * 561 * XXX No need to do this before and after STARTTLS, but it's not a big deal 562 * if we do. 563 * 564 * XXX This critically depends on VSTREAM buffers to never be smaller than 565 * VSTREAM_BUFSIZE. 566 */ 567 if (session->features & SMTP_FEATURE_PIPELINING) { 568 optlen = sizeof(sndbufsize); 569 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET, 570 SO_SNDBUF, (char *) &sndbufsize, &optlen) < 0) 571 msg_fatal("%s: getsockopt: %m", myname); 572 if (sndbufsize > VSTREAM_BUFSIZE) 573 sndbufsize = VSTREAM_BUFSIZE; 574 if (sndbufsize < VSTREAM_BUFSIZE) { 575 sndbufsize = VSTREAM_BUFSIZE; 576 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET, 577 SO_SNDBUF, (char *) &sndbufsize, optlen) < 0) 578 msg_fatal("%s: setsockopt: %m", myname); 579 } 580 if (msg_verbose) 581 msg_info("Using %s PIPELINING, TCP send buffer size is %d", 582 (state->misc_flags & 583 SMTP_MISC_FLAG_USE_LMTP) ? "LMTP" : "ESMTP", 584 sndbufsize); 585 } 586 #ifdef USE_TLS 587 588 /* 589 * Skip this part if we already sent STARTTLS. 590 */ 591 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 592 593 /* 594 * Optionally log unused STARTTLS opportunities. 595 */ 596 if ((session->features & SMTP_FEATURE_STARTTLS) && 597 var_smtp_tls_note_starttls_offer && 598 session->tls_level <= TLS_LEV_NONE) 599 msg_info("Host offered STARTTLS: [%s]", session->host); 600 601 /* 602 * Decide whether or not to send STARTTLS. 603 */ 604 if ((session->features & SMTP_FEATURE_STARTTLS) != 0 605 && smtp_tls_ctx != 0 && session->tls_level >= TLS_LEV_MAY) { 606 607 /* 608 * Prepare for disaster. 609 */ 610 smtp_timeout_setup(state->session->stream, var_smtp_starttls_tmout); 611 if ((except = vstream_setjmp(state->session->stream)) != 0) 612 return (smtp_stream_except(state, except, 613 "receiving the STARTTLS response")); 614 615 /* 616 * Send STARTTLS. Recurse when the server accepts STARTTLS, after 617 * resetting the SASL and EHLO features lists. 618 * 619 * Reset the SASL mechanism list to avoid spurious warnings. 620 * 621 * Use the smtp_sasl_tls_security_options feature to allow SASL 622 * mechanisms that may not be allowed with plain-text 623 * connections. 624 */ 625 smtp_chat_cmd(session, "STARTTLS"); 626 if ((resp = smtp_chat_resp(session))->code / 100 == 2) { 627 #ifdef USE_SASL_AUTH 628 if (session->features & SMTP_FEATURE_AUTH) 629 smtp_sasl_cleanup(session); 630 #endif 631 session->features = saved_features; 632 /* XXX Mix-up of per-session and per-request flags. */ 633 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 634 tls_helo_status = smtp_start_tls(state); 635 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 636 return (tls_helo_status); 637 } 638 639 /* 640 * Give up if we must use TLS but the server rejects STARTTLS 641 * although support for it was announced in the EHLO response. 642 */ 643 session->features &= ~SMTP_FEATURE_STARTTLS; 644 if (session->tls_level >= TLS_LEV_ENCRYPT) 645 return (smtp_site_fail(state, session->host, resp, 646 "TLS is required, but host %s refused to start TLS: %s", 647 session->namaddr, 648 translit(resp->str, "\n", " "))); 649 /* Else try to continue in plain-text mode. */ 650 } 651 652 /* 653 * Give up if we must use TLS but can't for various reasons. 654 * 655 * 200412 Be sure to provide the default clause at the bottom of this 656 * block. When TLS is required we must never, ever, end up in 657 * plain-text mode. 658 */ 659 if (session->tls_level >= TLS_LEV_ENCRYPT) { 660 if (!(session->features & SMTP_FEATURE_STARTTLS)) { 661 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 662 SMTP_RESP_FAKE(&fake, "4.7.4"), 663 "TLS is required, but was not offered by host %s", 664 session->namaddr)); 665 } else if (smtp_tls_ctx == 0) { 666 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 667 SMTP_RESP_FAKE(&fake, "4.7.5"), 668 "TLS is required, but our TLS engine is unavailable")); 669 } else { 670 msg_warn("%s: TLS is required but unavailable, don't know why", 671 myname); 672 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 673 SMTP_RESP_FAKE(&fake, "4.7.0"), 674 "TLS is required, but unavailable")); 675 } 676 } 677 } 678 #endif 679 #ifdef USE_SASL_AUTH 680 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH)) 681 return (smtp_sasl_helo_login(state)); 682 #endif 683 684 return (0); 685 } 686 687 #ifdef USE_TLS 688 689 /* smtp_start_tls - turn on TLS and recurse into the HELO dialog */ 690 691 static int smtp_start_tls(SMTP_STATE *state) 692 { 693 SMTP_SESSION *session = state->session; 694 TLS_CLIENT_START_PROPS tls_props; 695 VSTRING *serverid; 696 SMTP_RESP fake; 697 698 /* 699 * Turn off SMTP connection caching. When the TLS handshake succeeds, we 700 * can't reuse the SMTP connection. Reason: we can't turn off TLS in one 701 * process, save the connection to the cache which is shared with all 702 * SMTP clients, migrate the connection to another SMTP client, and 703 * resume TLS there. When the TLS handshake fails, we can't reuse the 704 * SMTP connection either, because the conversation is in an unknown 705 * state. 706 */ 707 DONT_CACHE_THIS_SESSION; 708 709 /* 710 * As of Postfix 2.5, tls_client_start() tries hard to always complete 711 * the TLS handshake. It records the verification and match status in the 712 * resulting TLScontext. It is now up to the application to abort the TLS 713 * connection if it chooses. 714 * 715 * XXX When tls_client_start() fails then we don't know what state the SMTP 716 * connection is in, so we give up on this connection even if we are not 717 * required to use TLS. 718 * 719 * The following assumes sites that use TLS in a perverse configuration: 720 * multiple hosts per hostname, or even multiple hosts per IP address. 721 * All this without a shared TLS session cache, and they still want to 722 * use TLS session caching??? 723 * 724 * The TLS session cache records the trust chain verification status of 725 * cached sessions. Different transports may have different CAfile or 726 * CApath settings, perhaps to allow authenticated connections to sites 727 * with private CA certs without trusting said private certs for other 728 * sites. So we cannot assume that a trust chain valid for one transport 729 * is valid for another. Therefore the client session id must include 730 * either the transport name or the values of CAfile and CApath. We use 731 * the transport name. 732 * 733 * XXX: We store only one session per lookup key. Ideally the the key maps 734 * 1-to-1 to a server TLS session cache. We use the IP address, port and 735 * ehlo response name to build a lookup key that works for split caches 736 * (that announce distinct names) behind a load balancer. 737 * 738 * XXX: The TLS library may salt the serverid with further details of the 739 * protocol and cipher requirements. 740 * 741 * Large parameter lists are error-prone, so we emulate a language feature 742 * that C does not have natively: named parameter lists. 743 */ 744 serverid = vstring_alloc(10); 745 vstring_sprintf(serverid, "%s:%s:%u:%s", state->service, session->addr, 746 ntohs(session->port), session->helo ? session->helo : ""); 747 session->tls_context = 748 TLS_CLIENT_START(&tls_props, 749 ctx = smtp_tls_ctx, 750 stream = session->stream, 751 log_level = var_smtp_tls_loglevel, 752 timeout = var_smtp_starttls_tmout, 753 tls_level = session->tls_level, 754 nexthop = session->tls_nexthop, 755 host = session->host, 756 namaddr = session->namaddrport, 757 serverid = vstring_str(serverid), 758 protocols = session->tls_protocols, 759 cipher_grade = session->tls_grade, 760 cipher_exclusions 761 = vstring_str(session->tls_exclusions), 762 matchargv = session->tls_matchargv, 763 fpt_dgst = var_smtp_tls_fpt_dgst); 764 vstring_free(serverid); 765 766 if (session->tls_context == 0) { 767 768 /* 769 * We must avoid further I/O, the peer is in an undefined state. 770 */ 771 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 772 DONT_USE_DEAD_SESSION; 773 774 /* 775 * If TLS is optional, try delivery to the same server over a 776 * plaintext connection. Otherwise we would defer mail forever with 777 * destinations that have no alternate MX host. 778 * 779 * Don't fall back to plaintext if we were willing to use SASL-over-TLS 780 * authentication. If the server doesn't announce SASL support over 781 * plaintext connections, then we don't want delivery to fail with 782 * "relay access denied". 783 */ 784 if (session->tls_level == TLS_LEV_MAY 785 #ifdef USE_SASL_AUTH 786 && !(var_smtp_sasl_enable 787 && *var_smtp_sasl_passwd 788 && smtp_sasl_passwd_lookup(session)) 789 #endif 790 ) 791 RETRY_AS_PLAINTEXT; 792 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 793 SMTP_RESP_FAKE(&fake, "4.7.5"), 794 "Cannot start TLS: handshake failure")); 795 } 796 797 /* 798 * If we are verifying the server certificate and are not happy with the 799 * result, abort the delivery here. We have a usable TLS session with the 800 * server, so no need to disable I/O, ... we can even be polite and send 801 * "QUIT". 802 * 803 * See src/tls/tls_level.c. Levels above encrypt require matching. Levels >= 804 * verify require CA trust. 805 */ 806 if (session->tls_level >= TLS_LEV_VERIFY) 807 if (!TLS_CERT_IS_TRUSTED(session->tls_context)) 808 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 809 SMTP_RESP_FAKE(&fake, "4.7.5"), 810 "Server certificate not trusted")); 811 if (session->tls_level > TLS_LEV_ENCRYPT) 812 if (!TLS_CERT_IS_MATCHED(session->tls_context)) 813 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 814 SMTP_RESP_FAKE(&fake, "4.7.5"), 815 "Server certificate not verified")); 816 817 /* 818 * At this point we have to re-negotiate the "EHLO" to reget the 819 * feature-list. 820 */ 821 return (smtp_helo(state)); 822 } 823 824 #endif 825 826 /* smtp_hbc_logger - logging call-back for header/body checks */ 827 828 static void smtp_hbc_logger(void *context, const char *action, 829 const char *where, const char *content, 830 const char *text) 831 { 832 const SMTP_STATE *state = (SMTP_STATE *) context; 833 834 if (*text) { 835 msg_info("%s: %s: %s %.60s: %s", 836 state->request->queue_id, action, where, content, text); 837 } else { 838 msg_info("%s: %s: %s %.60s", 839 state->request->queue_id, action, where, content); 840 } 841 } 842 843 /* smtp_text_out - output one header/body record */ 844 845 static void smtp_text_out(void *context, int rec_type, 846 const char *text, ssize_t len, 847 off_t unused_offset) 848 { 849 SMTP_STATE *state = (SMTP_STATE *) context; 850 SMTP_SESSION *session = state->session; 851 ssize_t data_left; 852 const char *data_start; 853 854 /* 855 * Deal with an impedance mismatch between Postfix queue files (record 856 * length <= $message_line_length_limit) and SMTP (DATA record length <= 857 * $smtp_line_length_limit). The code below does a little too much work 858 * when the SMTP line length limit is disabled, but it avoids code 859 * duplication, and thus, it avoids testing and maintenance problems. 860 */ 861 data_left = len; 862 data_start = text; 863 do { 864 if (state->space_left == var_smtp_line_limit 865 && data_left > 0 && *data_start == '.') 866 smtp_fputc('.', session->stream); 867 if (var_smtp_line_limit > 0 && data_left >= state->space_left) { 868 smtp_fputs(data_start, state->space_left, session->stream); 869 data_start += state->space_left; 870 data_left -= state->space_left; 871 state->space_left = var_smtp_line_limit; 872 if (data_left > 0 || rec_type == REC_TYPE_CONT) { 873 smtp_fputc(' ', session->stream); 874 state->space_left -= 1; 875 } 876 } else { 877 if (rec_type == REC_TYPE_CONT) { 878 smtp_fwrite(data_start, data_left, session->stream); 879 state->space_left -= data_left; 880 } else { 881 smtp_fputs(data_start, data_left, session->stream); 882 state->space_left = var_smtp_line_limit; 883 } 884 break; 885 } 886 } while (data_left > 0); 887 } 888 889 /* smtp_format_out - output one header/body record */ 890 891 static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...); 892 893 static void smtp_format_out(void *context, int rec_type, const char *fmt,...) 894 { 895 static VSTRING *vp; 896 va_list ap; 897 898 if (vp == 0) 899 vp = vstring_alloc(100); 900 va_start(ap, fmt); 901 vstring_vsprintf(vp, fmt, ap); 902 va_end(ap); 903 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0); 904 } 905 906 /* smtp_header_out - output one message header */ 907 908 static void smtp_header_out(void *context, int unused_header_class, 909 const HEADER_OPTS *unused_info, 910 VSTRING *buf, off_t offset) 911 { 912 char *start = vstring_str(buf); 913 char *line; 914 char *next_line; 915 916 /* 917 * This code destroys the header. We could try to avoid clobbering it, 918 * but we're not going to use the data any further. 919 */ 920 for (line = start; line; line = next_line) { 921 next_line = split_at(line, '\n'); 922 smtp_text_out(context, REC_TYPE_NORM, line, next_line ? 923 next_line - line - 1 : strlen(line), offset); 924 } 925 } 926 927 /* smtp_header_rewrite - rewrite message header before output */ 928 929 static void smtp_header_rewrite(void *context, int header_class, 930 const HEADER_OPTS *header_info, 931 VSTRING *buf, off_t offset) 932 { 933 SMTP_STATE *state = (SMTP_STATE *) context; 934 int did_rewrite = 0; 935 char *line; 936 char *start; 937 char *next_line; 938 char *end_line; 939 char *result; 940 941 /* 942 * Apply optional header filtering. 943 */ 944 if (smtp_header_checks) { 945 result = hbc_header_checks(context, smtp_header_checks, header_class, 946 header_info, buf, offset); 947 if (result == 0) 948 return; 949 if (result != STR(buf)) { 950 vstring_strcpy(buf, result); 951 myfree(result); 952 } 953 } 954 955 /* 956 * Rewrite primary header addresses that match the smtp_generic_maps. The 957 * cleanup server already enforces that all headers have proper lengths 958 * and that all addresses are in proper form, so we don't have to repeat 959 * that. 960 */ 961 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY 962 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) { 963 TOK822 *tree; 964 TOK822 **addr_list; 965 TOK822 **tpp; 966 967 tree = tok822_parse(vstring_str(buf) 968 + strlen(header_info->name) + 1); 969 addr_list = tok822_grep(tree, TOK822_ADDR); 970 for (tpp = addr_list; *tpp; tpp++) 971 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps, 972 smtp_ext_prop_mask & EXT_PROP_GENERIC); 973 if (did_rewrite) { 974 vstring_truncate(buf, strlen(header_info->name)); 975 vstring_strcat(buf, ": "); 976 tok822_externalize(buf, tree, TOK822_STR_HEAD); 977 } 978 myfree((char *) addr_list); 979 tok822_free_tree(tree); 980 } 981 982 /* 983 * Pass through unmodified headers without reconstruction. 984 */ 985 if (did_rewrite == 0) { 986 smtp_header_out(context, header_class, header_info, buf, offset); 987 return; 988 } 989 990 /* 991 * A rewritten address list contains one address per line. The code below 992 * replaces newlines by spaces, to fit as many addresses on a line as 993 * possible (without rearranging the order of addresses). Prepending 994 * white space to the beginning of lines is delegated to the output 995 * routine. 996 * 997 * Code derived from cleanup_fold_header(). 998 */ 999 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1000 end_line = line + strcspn(line, "\n"); 1001 if (line > start) { 1002 if (end_line - start < 70) { /* TAB counts as one */ 1003 line[-1] = ' '; 1004 } else { 1005 start = line; 1006 } 1007 } 1008 next_line = *end_line ? end_line + 1 : 0; 1009 } 1010 1011 /* 1012 * Prepend a tab to continued header lines that went through the address 1013 * rewriting machinery. Just like smtp_header_out(), this code destroys 1014 * the header. We could try to avoid clobbering it, but we're not going 1015 * to use the data any further. 1016 * 1017 * Code derived from cleanup_out_header(). 1018 */ 1019 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1020 next_line = split_at(line, '\n'); 1021 if (line == start || IS_SPACE_TAB(*line)) { 1022 smtp_text_out(state, REC_TYPE_NORM, line, next_line ? 1023 next_line - line - 1 : strlen(line), offset); 1024 } else { 1025 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line); 1026 } 1027 } 1028 } 1029 1030 /* smtp_body_rewrite - rewrite message body before output */ 1031 1032 static void smtp_body_rewrite(void *context, int type, 1033 const char *buf, ssize_t len, 1034 off_t offset) 1035 { 1036 SMTP_STATE *state = (SMTP_STATE *) context; 1037 char *result; 1038 1039 /* 1040 * Apply optional body filtering. 1041 */ 1042 if (smtp_body_checks) { 1043 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset); 1044 if (result == buf) { 1045 smtp_text_out(state, type, buf, len, offset); 1046 } else if (result != 0) { 1047 smtp_text_out(state, type, result, strlen(result), offset); 1048 myfree(result); 1049 } 1050 } 1051 } 1052 1053 /* smtp_mime_fail - MIME problem */ 1054 1055 static void smtp_mime_fail(SMTP_STATE *state, int mime_errs) 1056 { 1057 const MIME_STATE_DETAIL *detail; 1058 SMTP_RESP fake; 1059 1060 detail = mime_state_detail(mime_errs); 1061 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1062 SMTP_RESP_FAKE(&fake, detail->dsn), 1063 "%s", detail->text); 1064 } 1065 1066 /* smtp_loop - exercise the SMTP protocol engine */ 1067 1068 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, 1069 NOCLOBBER int recv_state) 1070 { 1071 const char *myname = "smtp_loop"; 1072 DELIVER_REQUEST *request = state->request; 1073 SMTP_SESSION *session = state->session; 1074 SMTP_RESP *resp; 1075 RECIPIENT *rcpt; 1076 VSTRING *next_command = vstring_alloc(100); 1077 int *NOCLOBBER survivors = 0; 1078 NOCLOBBER int next_state; 1079 NOCLOBBER int next_rcpt; 1080 NOCLOBBER int send_rcpt; 1081 NOCLOBBER int recv_rcpt; 1082 NOCLOBBER int nrcpt; 1083 NOCLOBBER int recv_done; 1084 int except; 1085 int rec_type; 1086 NOCLOBBER int prev_type = 0; 1087 NOCLOBBER int mail_from_rejected; 1088 NOCLOBBER int downgrading; 1089 int mime_errs; 1090 SMTP_RESP fake; 1091 int fail_status; 1092 1093 /* 1094 * Macros for readability. 1095 */ 1096 #define REWRITE_ADDRESS(dst, src) do { \ 1097 vstring_strcpy(dst, src); \ 1098 if (*(src) && smtp_generic_maps) \ 1099 smtp_map11_internal(dst, smtp_generic_maps, \ 1100 smtp_ext_prop_mask & EXT_PROP_GENERIC); \ 1101 } while (0) 1102 1103 #define QUOTE_ADDRESS(dst, src) do { \ 1104 if (*(src) && var_smtp_quote_821_env) { \ 1105 quote_821_local(dst, src); \ 1106 } else { \ 1107 vstring_strcpy(dst, src); \ 1108 } \ 1109 } while (0) 1110 1111 /* Caution: changes to RETURN() also affect code outside the main loop. */ 1112 1113 #define RETURN(x) do { \ 1114 if (recv_state != SMTP_STATE_LAST) \ 1115 DONT_CACHE_THIS_SESSION; \ 1116 vstring_free(next_command); \ 1117 if (survivors) \ 1118 myfree((char *) survivors); \ 1119 if (session->mime_state) \ 1120 session->mime_state = mime_state_free(session->mime_state); \ 1121 return (x); \ 1122 } while (0) 1123 1124 #define SENDER_IS_AHEAD \ 1125 (recv_state < send_state || recv_rcpt != send_rcpt) 1126 1127 #define SENDER_IN_WAIT_STATE \ 1128 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST) 1129 1130 #define SENDING_MAIL \ 1131 (recv_state <= SMTP_STATE_DOT) 1132 1133 #define CANT_RSET_THIS_SESSION \ 1134 (session->features |= SMTP_FEATURE_RSET_REJECTED) 1135 1136 /* 1137 * Pipelining support requires two loops: one loop for sending and one 1138 * for receiving. Each loop has its own independent state. Most of the 1139 * time the sender can run ahead of the receiver by as much as the TCP 1140 * send buffer permits. There are only two places where the sender must 1141 * wait for status information from the receiver: once after sending DATA 1142 * and once after sending QUIT. 1143 * 1144 * The sender state advances until the TCP send buffer would overflow, or 1145 * until the sender needs status information from the receiver. At that 1146 * point the receiver starts processing responses. Once the receiver has 1147 * caught up with the sender, the sender resumes sending commands. If the 1148 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO 1149 * commands rejected, DATA rejected) it forces the sender to abort the 1150 * SMTP dialog with RSET and QUIT. 1151 */ 1152 nrcpt = 0; 1153 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0; 1154 mail_from_rejected = 0; 1155 1156 /* 1157 * Prepare for disaster. This should not be needed because the design 1158 * guarantees that no output is flushed before smtp_chat_resp() is 1159 * called. 1160 * 1161 * 1) Every SMTP command fits entirely in a VSTREAM output buffer. 1162 * 1163 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that 1164 * there is sufficient space for the command in the output buffer. 1165 * 1166 * 3) smtp_loop() flushes the output buffer to avoid server timeouts. 1167 * 1168 * Changing any of these would violate the design, and would likely break 1169 * SMTP pipelining. 1170 * 1171 * We set up the error handler anyway (only upon entry to avoid wasting 1172 * resources) because 1) there is code below that expects that VSTREAM 1173 * timeouts are enabled, and 2) this allows us to detect if someone broke 1174 * Postfix by introducing spurious flush before read operations. 1175 */ 1176 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR 1177 || send_state > SMTP_STATE_QUIT) 1178 msg_panic("%s: bad sender state %d (receiver state %d)", 1179 myname, send_state, recv_state); 1180 smtp_timeout_setup(session->stream, 1181 *xfer_timeouts[send_state]); 1182 if ((except = vstream_setjmp(session->stream)) != 0) { 1183 msg_warn("smtp_proto: spurious flush before read in send state %d", 1184 send_state); 1185 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1186 xfer_states[send_state]) : -1); 1187 } 1188 1189 /* 1190 * The main protocol loop. 1191 */ 1192 do { 1193 1194 /* 1195 * Build the next command. 1196 */ 1197 switch (send_state) { 1198 1199 /* 1200 * Sanity check. 1201 */ 1202 default: 1203 msg_panic("%s: bad sender state %d", myname, send_state); 1204 1205 /* 1206 * Build the XFORWARD command. With properly sanitized 1207 * information, the command length stays within the 512 byte 1208 * command line length limit. 1209 * 1210 * XXX smtpd_xforward_preset() initializes some fields as "unknown" 1211 * and some as null; historically, pickup(8) does not send any of 1212 * these, and the queue manager presets absent fields to "not 1213 * available" except for the rewrite context which is preset to 1214 * local by way of migration aid. These definitions need to be 1215 * centralized for maintainability. 1216 */ 1217 #ifndef CAN_FORWARD_CLIENT_NAME 1218 #define _ATTR_AVAIL_AND_KNOWN_(val) \ 1219 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) 1220 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ 1221 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ 1222 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ 1223 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ 1224 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL 1225 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL 1226 #endif 1227 1228 case SMTP_STATE_XFORWARD_NAME_ADDR: 1229 vstring_strcpy(next_command, XFORWARD_CMD); 1230 if ((session->features & SMTP_FEATURE_XFORWARD_NAME) 1231 && CAN_FORWARD_CLIENT_NAME(request->client_name)) { 1232 vstring_strcat(next_command, " " XFORWARD_NAME "="); 1233 xtext_quote_append(next_command, request->client_name, ""); 1234 } 1235 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 1236 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { 1237 vstring_strcat(next_command, " " XFORWARD_ADDR "="); 1238 xtext_quote_append(next_command, request->client_addr, ""); 1239 } 1240 if ((session->features & SMTP_FEATURE_XFORWARD_PORT) 1241 && CAN_FORWARD_CLIENT_PORT(request->client_port)) { 1242 vstring_strcat(next_command, " " XFORWARD_PORT "="); 1243 xtext_quote_append(next_command, request->client_port, ""); 1244 } 1245 if (session->send_proto_helo) 1246 next_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1247 else 1248 next_state = SMTP_STATE_MAIL; 1249 break; 1250 1251 case SMTP_STATE_XFORWARD_PROTO_HELO: 1252 vstring_strcpy(next_command, XFORWARD_CMD); 1253 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) 1254 && CAN_FORWARD_PROTO_NAME(request->client_proto)) { 1255 vstring_strcat(next_command, " " XFORWARD_PROTO "="); 1256 xtext_quote_append(next_command, request->client_proto, ""); 1257 } 1258 if ((session->features & SMTP_FEATURE_XFORWARD_HELO) 1259 && CAN_FORWARD_HELO_NAME(request->client_helo)) { 1260 vstring_strcat(next_command, " " XFORWARD_HELO "="); 1261 xtext_quote_append(next_command, request->client_helo, ""); 1262 } 1263 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 1264 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { 1265 vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); 1266 xtext_quote_append(next_command, 1267 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 1268 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, ""); 1269 } 1270 next_state = SMTP_STATE_MAIL; 1271 break; 1272 1273 /* 1274 * Build the MAIL FROM command. 1275 */ 1276 case SMTP_STATE_MAIL: 1277 request->msg_stats.reuse_count = session->reuse_count; 1278 GETTIMEOFDAY(&request->msg_stats.conn_setup_done); 1279 REWRITE_ADDRESS(session->scratch2, request->sender); 1280 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1281 vstring_sprintf(next_command, "MAIL FROM:<%s>", 1282 vstring_str(session->scratch)); 1283 /* XXX Don't announce SIZE if we're going to MIME downgrade. */ 1284 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */ 1285 && !SMTP_MIME_DOWNGRADE(session, request)) 1286 vstring_sprintf_append(next_command, " SIZE=%lu", 1287 request->data_size); 1288 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */ 1289 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0) 1290 vstring_strcat(next_command, " BODY=8BITMIME"); 1291 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0) 1292 vstring_strcat(next_command, " BODY=7BIT"); 1293 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0) 1294 msg_warn("%s: unknown content encoding: %s", 1295 request->queue_id, request->encoding); 1296 } 1297 if (session->features & SMTP_FEATURE_DSN) { 1298 if (request->dsn_envid[0]) { 1299 vstring_sprintf_append(next_command, " ENVID="); 1300 xtext_quote_append(next_command, request->dsn_envid, "+="); 1301 } 1302 if (request->dsn_ret) 1303 vstring_sprintf_append(next_command, " RET=%s", 1304 dsn_ret_str(request->dsn_ret)); 1305 } 1306 1307 /* 1308 * We authenticate the local MTA only, but not the sender. 1309 */ 1310 #ifdef USE_SASL_AUTH 1311 if (var_smtp_sasl_enable 1312 && (session->features & SMTP_FEATURE_AUTH)) 1313 vstring_strcat(next_command, " AUTH=<>"); 1314 #endif 1315 1316 /* 1317 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail 1318 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA 1319 * commands to our TLS session. 1320 * 1321 * For the attack to succeed, the remote SMTP server must reply to 1322 * the malicious EHLO/MAIL/RCPT/DATA commands after completing 1323 * TLS (re)negotiation, so that the replies arrive in our TLS 1324 * session (otherwise the Postfix SMTP client would time out 1325 * waiting for an answer). With some luck we can detect this 1326 * specific attack as a server MAIL reply that arrives before we 1327 * send our own MAIL command. 1328 * 1329 * We don't apply this test to the HELO command because the result 1330 * would be very timing sensitive, and we don't apply this test 1331 * to RCPT and DATA replies because these may be pipelined for 1332 * legitimate reasons. 1333 */ 1334 #ifdef USE_TLS 1335 if (var_smtp_tls_blk_early_mail_reply 1336 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 1337 && (vstream_peek(session->stream) > 0 1338 || peekfd(vstream_fileno(session->stream)) > 0)) 1339 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY; 1340 #endif 1341 1342 /* 1343 * We now return to our regular broadcast. 1344 */ 1345 next_state = SMTP_STATE_RCPT; 1346 break; 1347 1348 /* 1349 * Build one RCPT TO command before we have seen the MAIL FROM 1350 * response. 1351 */ 1352 case SMTP_STATE_RCPT: 1353 rcpt = request->rcpt_list.info + send_rcpt; 1354 REWRITE_ADDRESS(session->scratch2, rcpt->address); 1355 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1356 vstring_sprintf(next_command, "RCPT TO:<%s>", 1357 vstring_str(session->scratch)); 1358 if (session->features & SMTP_FEATURE_DSN) { 1359 /* XXX DSN xtext encode address value not type. */ 1360 if (rcpt->dsn_orcpt[0]) { 1361 xtext_quote(session->scratch, rcpt->dsn_orcpt, "+="); 1362 vstring_sprintf_append(next_command, " ORCPT=%s", 1363 vstring_str(session->scratch)); 1364 } else if (rcpt->orig_addr[0]) { 1365 quote_822_local(session->scratch, rcpt->orig_addr); 1366 vstring_sprintf(session->scratch2, "rfc822;%s", 1367 vstring_str(session->scratch)); 1368 xtext_quote(session->scratch, vstring_str(session->scratch2), "+="); 1369 vstring_sprintf_append(next_command, " ORCPT=%s", 1370 vstring_str(session->scratch)); 1371 } 1372 if (rcpt->dsn_notify) 1373 vstring_sprintf_append(next_command, " NOTIFY=%s", 1374 dsn_notify_str(rcpt->dsn_notify)); 1375 } 1376 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state)) 1377 next_state = DEL_REQ_TRACE_ONLY(request->flags) ? 1378 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1379 break; 1380 1381 /* 1382 * Build the DATA command before we have seen all the RCPT TO 1383 * responses. 1384 */ 1385 case SMTP_STATE_DATA: 1386 vstring_strcpy(next_command, "DATA"); 1387 next_state = SMTP_STATE_DOT; 1388 break; 1389 1390 /* 1391 * Build the "." command after we have seen the DATA response 1392 * (DATA is a protocol synchronization point). 1393 * 1394 * Changing the connection caching state here is safe because it 1395 * affects none of the not-yet processed replies to 1396 * already-generated commands. 1397 */ 1398 case SMTP_STATE_DOT: 1399 vstring_strcpy(next_command, "."); 1400 if (THIS_SESSION_IS_EXPIRED) 1401 DONT_CACHE_THIS_SESSION; 1402 next_state = THIS_SESSION_IS_CACHED ? 1403 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1404 break; 1405 1406 /* 1407 * The SMTP_STATE_ABORT sender state is entered by the sender 1408 * when it has verified all recipients; or it is entered by the 1409 * receiver when all recipients are verified or rejected, and is 1410 * then left before the bottom of the main loop. 1411 * 1412 * Changing the connection caching state here is safe because there 1413 * are no not-yet processed replies to already-generated 1414 * commands. 1415 */ 1416 case SMTP_STATE_ABORT: 1417 vstring_strcpy(next_command, "RSET"); 1418 if (THIS_SESSION_IS_EXPIRED) 1419 DONT_CACHE_THIS_SESSION; 1420 next_state = THIS_SESSION_IS_CACHED ? 1421 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1422 break; 1423 1424 /* 1425 * Build the RSET command. This is entered as initial state from 1426 * smtp_rset() and has its own dedicated state transitions. It is 1427 * used to find out the status of a cached session before 1428 * attempting mail delivery. 1429 */ 1430 case SMTP_STATE_RSET: 1431 vstring_strcpy(next_command, "RSET"); 1432 next_state = SMTP_STATE_LAST; 1433 break; 1434 1435 /* 1436 * Build the QUIT command before we have seen the "." or RSET 1437 * response. This is entered as initial state from smtp_quit(), 1438 * or is reached near the end of any non-cached session. 1439 * 1440 * Changing the connection caching state here is safe. If this 1441 * command is pipelined together with a preceding command, then 1442 * connection caching was already turned off. Do not clobber the 1443 * "bad connection" flag. 1444 */ 1445 case SMTP_STATE_QUIT: 1446 vstring_strcpy(next_command, "QUIT"); 1447 next_state = SMTP_STATE_LAST; 1448 if (THIS_SESSION_IS_CACHED) 1449 DONT_CACHE_THIS_SESSION; 1450 break; 1451 1452 /* 1453 * The final sender state has no action associated with it. 1454 */ 1455 case SMTP_STATE_LAST: 1456 VSTRING_RESET(next_command); 1457 break; 1458 } 1459 VSTRING_TERMINATE(next_command); 1460 1461 /* 1462 * Process responses until the receiver has caught up. Vstreams 1463 * automatically flush buffered output when reading new data. 1464 * 1465 * Flush unsent output if command pipelining is off or if no I/O 1466 * happened for a while. This limits the accumulation of client-side 1467 * delays in pipelined sessions. 1468 */ 1469 if (SENDER_IN_WAIT_STATE 1470 || (SENDER_IS_AHEAD 1471 && ((session->features & SMTP_FEATURE_PIPELINING) == 0 1472 || (VSTRING_LEN(next_command) + 2 1473 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND) 1474 > VSTREAM_BUFSIZE) 1475 || time((time_t *) 0) 1476 - vstream_ftime(session->stream) > 10))) { 1477 while (SENDER_IS_AHEAD) { 1478 1479 /* 1480 * Sanity check. 1481 */ 1482 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR 1483 || recv_state > SMTP_STATE_QUIT) 1484 msg_panic("%s: bad receiver state %d (sender state %d)", 1485 myname, recv_state, send_state); 1486 1487 /* 1488 * Receive the next server response. Use the proper timeout, 1489 * and log the proper client state in case of trouble. 1490 * 1491 * XXX If we lose the connection before sending end-of-data, 1492 * find out if the server sent a premature end-of-data reply. 1493 * If this read attempt fails, report "lost connection while 1494 * sending message body", not "lost connection while sending 1495 * end-of-data". 1496 * 1497 * "except" becomes zero just above the protocol loop, and stays 1498 * zero or triggers an early return from the loop. In just 1499 * one case: loss of the connection when sending the message 1500 * body, we record the exception, and keep processing in the 1501 * hope of detecting a premature 5XX. We must be careful to 1502 * not clobber this non-zero value once it is set. The 1503 * variable need not survive longjmp() calls, since the only 1504 * setjmp() which does not return early is the one sets this 1505 * condition, subquent failures always return early. 1506 */ 1507 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) 1508 1509 smtp_timeout_setup(session->stream, 1510 *xfer_timeouts[recv_state]); 1511 if (LOST_CONNECTION_INSIDE_DATA) { 1512 if (vstream_setjmp(session->stream) != 0) 1513 RETURN(smtp_stream_except(state, SMTP_ERR_EOF, 1514 "sending message body")); 1515 } else { 1516 if ((except = vstream_setjmp(session->stream)) != 0) 1517 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1518 xfer_states[recv_state]) : -1); 1519 } 1520 resp = smtp_chat_resp(session); 1521 1522 /* 1523 * Process the response. 1524 */ 1525 switch (recv_state) { 1526 1527 /* 1528 * Process the XFORWARD response. 1529 */ 1530 case SMTP_STATE_XFORWARD_NAME_ADDR: 1531 if (resp->code / 100 != 2) 1532 msg_warn("host %s said: %s (in reply to %s)", 1533 session->namaddrport, 1534 translit(resp->str, "\n", " "), 1535 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]); 1536 if (session->send_proto_helo) 1537 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1538 else 1539 recv_state = SMTP_STATE_MAIL; 1540 break; 1541 1542 case SMTP_STATE_XFORWARD_PROTO_HELO: 1543 if (resp->code / 100 != 2) 1544 msg_warn("host %s said: %s (in reply to %s)", 1545 session->namaddrport, 1546 translit(resp->str, "\n", " "), 1547 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]); 1548 recv_state = SMTP_STATE_MAIL; 1549 break; 1550 1551 /* 1552 * Process the MAIL FROM response. When the server 1553 * rejects the sender, set the mail_from_rejected flag so 1554 * that the receiver may apply a course correction. 1555 */ 1556 case SMTP_STATE_MAIL: 1557 if (resp->code / 100 != 2) { 1558 smtp_mesg_fail(state, session->host, resp, 1559 "host %s said: %s (in reply to %s)", 1560 session->namaddr, 1561 translit(resp->str, "\n", " "), 1562 xfer_request[SMTP_STATE_MAIL]); 1563 mail_from_rejected = 1; 1564 } 1565 1566 /* 1567 * CVE-2009-3555 (TLS renegotiation). Whatever it was 1568 * that arrived before we sent our MAIL FROM command, it 1569 * was not a fatal-level TLS alert message. It could be a 1570 * warning-level TLS alert message, or a ChangeCipherSpec 1571 * message, but such messages are not normally sent in 1572 * the middle of a TLS session. We disconnect and try 1573 * again later. 1574 */ 1575 #ifdef USE_TLS 1576 if (var_smtp_tls_blk_early_mail_reply 1577 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) { 1578 smtp_site_fail(state, DSN_BY_LOCAL_MTA, 1579 SMTP_RESP_FAKE(&fake, "4.7.0"), 1580 "unexpected server message"); 1581 msg_warn("server %s violates %s policy", 1582 session->namaddr, 1583 VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY); 1584 mail_from_rejected = 1; 1585 } 1586 #endif 1587 1588 /* 1589 * We now return to our regular broadcast. 1590 */ 1591 recv_state = SMTP_STATE_RCPT; 1592 break; 1593 1594 /* 1595 * Process one RCPT TO response. If MAIL FROM was 1596 * rejected, ignore RCPT TO responses: all recipients are 1597 * dead already. When all recipients are rejected the 1598 * receiver may apply a course correction. 1599 * 1600 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply 1601 * must be treated as if the server replied with 452. 1602 * However, this causes "too much mail data" to be 1603 * treated as a recoverable error, which is wrong. I'll 1604 * stick with RFC 821. 1605 */ 1606 case SMTP_STATE_RCPT: 1607 if (!mail_from_rejected) { 1608 #ifdef notdef 1609 if (resp->code == 552) { 1610 resp->code = 452; 1611 resp->dsn[0] = '4'; 1612 } 1613 #endif 1614 rcpt = request->rcpt_list.info + recv_rcpt; 1615 if (resp->code / 100 == 2) { 1616 if (state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) { 1617 if (survivors == 0) 1618 survivors = (int *) 1619 mymalloc(request->rcpt_list.len 1620 * sizeof(int)); 1621 survivors[nrcpt] = recv_rcpt; 1622 } 1623 ++nrcpt; 1624 /* If trace-only, mark the recipient done. */ 1625 if (DEL_REQ_TRACE_ONLY(request->flags)) { 1626 translit(resp->str, "\n", " "); 1627 smtp_rcpt_done(state, resp, rcpt); 1628 } 1629 } else { 1630 smtp_rcpt_fail(state, rcpt, session->host, resp, 1631 "host %s said: %s (in reply to %s)", 1632 session->namaddr, 1633 translit(resp->str, "\n", " "), 1634 xfer_request[SMTP_STATE_RCPT]); 1635 } 1636 } 1637 /* If trace-only, send RSET instead of DATA. */ 1638 if (++recv_rcpt == SMTP_RCPT_LEFT(state)) 1639 recv_state = DEL_REQ_TRACE_ONLY(request->flags) ? 1640 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1641 /* XXX Also: record if non-delivering session. */ 1642 break; 1643 1644 /* 1645 * Process the DATA response. When the server rejects 1646 * DATA, set nrcpt to a negative value so that the 1647 * receiver can apply a course correction. 1648 */ 1649 case SMTP_STATE_DATA: 1650 if (resp->code / 100 != 3) { 1651 if (nrcpt > 0) 1652 smtp_mesg_fail(state, session->host, resp, 1653 "host %s said: %s (in reply to %s)", 1654 session->namaddr, 1655 translit(resp->str, "\n", " "), 1656 xfer_request[SMTP_STATE_DATA]); 1657 nrcpt = -1; 1658 } 1659 recv_state = SMTP_STATE_DOT; 1660 break; 1661 1662 /* 1663 * Process the end of message response. Ignore the 1664 * response when no recipient was accepted: all 1665 * recipients are dead already, and the next receiver 1666 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise, 1667 * if the message transfer fails, bounce all remaining 1668 * recipients, else cross off the recipients that were 1669 * delivered. 1670 */ 1671 case SMTP_STATE_DOT: 1672 GETTIMEOFDAY(&request->msg_stats.deliver_done); 1673 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 1674 if (nrcpt > 0) { 1675 if (resp->code / 100 != 2) { 1676 smtp_mesg_fail(state, session->host, resp, 1677 "host %s said: %s (in reply to %s)", 1678 session->namaddr, 1679 translit(resp->str, "\n", " "), 1680 xfer_request[SMTP_STATE_DOT]); 1681 } else { 1682 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 1683 rcpt = request->rcpt_list.info + nrcpt; 1684 if (!SMTP_RCPT_ISMARKED(rcpt)) { 1685 translit(resp->str, "\n", " "); 1686 smtp_rcpt_done(state, resp, rcpt); 1687 } 1688 } 1689 } 1690 } 1691 } 1692 1693 /* 1694 * With LMTP we have one response per accepted RCPT TO 1695 * command. Stay in the SMTP_STATE_DOT state until we 1696 * have collected all responses. 1697 */ 1698 else { 1699 if (nrcpt > 0) { 1700 rcpt = request->rcpt_list.info 1701 + survivors[recv_done++]; 1702 if (resp->code / 100 != 2) { 1703 smtp_rcpt_fail(state, rcpt, session->host, resp, 1704 "host %s said: %s (in reply to %s)", 1705 session->namaddr, 1706 translit(resp->str, "\n", " "), 1707 xfer_request[SMTP_STATE_DOT]); 1708 } else { 1709 translit(resp->str, "\n", " "); 1710 smtp_rcpt_done(state, resp, rcpt); 1711 } 1712 } 1713 if (msg_verbose) 1714 msg_info("%s: got %d of %d end-of-data replies", 1715 myname, recv_done, nrcpt); 1716 if (recv_done < nrcpt) 1717 break; 1718 } 1719 1720 /* 1721 * XXX Do not change the connection caching state here, 1722 * even if the connection caching timer expired between 1723 * generating the command and processing the reply, 1724 * otherwise the sender and receiver loops get out of 1725 * sync. The caller will call smtp_quit() if appropriate. 1726 */ 1727 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED 1728 || LOST_CONNECTION_INSIDE_DATA) 1729 recv_state = SMTP_STATE_LAST; 1730 else 1731 recv_state = SMTP_STATE_QUIT; 1732 break; 1733 1734 /* 1735 * Receive the RSET response. 1736 * 1737 * The SMTP_STATE_ABORT sender state is entered by the 1738 * sender when it has verified all recipients; or it is 1739 * entered by the receiver when all recipients are 1740 * verified or rejected, and is then left before the 1741 * bottom of the main loop. 1742 * 1743 * XXX Do not change the connection caching state here, even 1744 * if the server rejected RSET or if the connection 1745 * caching timer expired between generating the command 1746 * and processing the reply, otherwise the sender and 1747 * receiver loops get out of sync. The caller will call 1748 * smtp_quit() if appropriate. 1749 */ 1750 case SMTP_STATE_ABORT: 1751 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ? 1752 SMTP_STATE_LAST : SMTP_STATE_QUIT); 1753 break; 1754 1755 /* 1756 * This is the initial receiver state from smtp_rset(). 1757 * It is used to find out the status of a cached session 1758 * before attempting mail delivery. 1759 */ 1760 case SMTP_STATE_RSET: 1761 if (resp->code / 100 != 2) 1762 CANT_RSET_THIS_SESSION; 1763 recv_state = SMTP_STATE_LAST; 1764 break; 1765 1766 /* 1767 * Receive, but otherwise ignore, the QUIT response. 1768 */ 1769 case SMTP_STATE_QUIT: 1770 recv_state = SMTP_STATE_LAST; 1771 break; 1772 } 1773 } 1774 1775 /* 1776 * At this point, the sender and receiver are fully synchronized. 1777 */ 1778 1779 /* 1780 * We know the server response to every command that was sent. 1781 * Apply a course correction if necessary: the sender wants to 1782 * send RCPT TO but MAIL FROM was rejected; the sender wants to 1783 * send DATA but all recipients were rejected; the sender wants 1784 * to deliver the message but DATA was rejected. 1785 */ 1786 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected) 1787 || (send_state == SMTP_STATE_DATA && nrcpt == 0) 1788 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) { 1789 send_state = recv_state = SMTP_STATE_ABORT; 1790 send_rcpt = recv_rcpt = 0; 1791 vstring_strcpy(next_command, "RSET"); 1792 if (THIS_SESSION_IS_EXPIRED) 1793 DONT_CACHE_THIS_SESSION; 1794 next_state = THIS_SESSION_IS_CACHED ? 1795 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1796 /* XXX Also: record if non-delivering session. */ 1797 next_rcpt = 0; 1798 } 1799 } 1800 1801 /* 1802 * Make the next sender state the current sender state. 1803 */ 1804 if (send_state == SMTP_STATE_LAST) 1805 continue; 1806 1807 /* 1808 * Special case if the server accepted the DATA command. If the 1809 * server accepted at least one recipient send the entire message. 1810 * Otherwise, just send "." as per RFC 2197. 1811 * 1812 * XXX If there is a hard MIME error while downgrading to 7-bit mail, 1813 * disconnect ungracefully, because there is no other way to cancel a 1814 * transaction in progress. 1815 */ 1816 if (send_state == SMTP_STATE_DOT && nrcpt > 0) { 1817 1818 smtp_timeout_setup(session->stream, 1819 var_smtp_data1_tmout); 1820 1821 if ((except = vstream_setjmp(session->stream)) == 0) { 1822 1823 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0) 1824 msg_fatal("seek queue file: %m"); 1825 1826 downgrading = SMTP_MIME_DOWNGRADE(session, request); 1827 1828 /* 1829 * XXX Don't downgrade just because generic_maps is turned 1830 * on. 1831 */ 1832 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks) 1833 1834 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS) 1835 session->mime_state = mime_state_alloc(downgrading ? 1836 MIME_OPT_DOWNGRADE 1837 | MIME_OPT_REPORT_NESTING : 1838 SMTP_ANY_CHECKS == 0 ? 1839 MIME_OPT_DISABLE_MIME : 1840 0, 1841 smtp_generic_maps 1842 || smtp_header_checks ? 1843 smtp_header_rewrite : 1844 smtp_header_out, 1845 (MIME_STATE_ANY_END) 0, 1846 smtp_body_checks ? 1847 smtp_body_rewrite : 1848 smtp_text_out, 1849 (MIME_STATE_ANY_END) 0, 1850 (MIME_STATE_ERR_PRINT) 0, 1851 (void *) state); 1852 state->space_left = var_smtp_line_limit; 1853 1854 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) { 1855 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 1856 break; 1857 if (session->mime_state == 0) { 1858 smtp_text_out((void *) state, rec_type, 1859 vstring_str(session->scratch), 1860 VSTRING_LEN(session->scratch), 1861 (off_t) 0); 1862 } else { 1863 mime_errs = 1864 mime_state_update(session->mime_state, rec_type, 1865 vstring_str(session->scratch), 1866 VSTRING_LEN(session->scratch)); 1867 if (mime_errs) { 1868 smtp_mime_fail(state, mime_errs); 1869 RETURN(0); 1870 } 1871 } 1872 prev_type = rec_type; 1873 } 1874 1875 if (session->mime_state) { 1876 1877 /* 1878 * The cleanup server normally ends MIME content with a 1879 * normal text record. The following code is needed to 1880 * flush an internal buffer when someone submits 8-bit 1881 * mail not ending in newline via /usr/sbin/sendmail 1882 * while MIME input processing is turned off, and MIME 1883 * 8bit->7bit conversion is requested upon delivery. 1884 * 1885 * Or some error while doing generic address mapping. 1886 */ 1887 mime_errs = 1888 mime_state_update(session->mime_state, rec_type, "", 0); 1889 if (mime_errs) { 1890 smtp_mime_fail(state, mime_errs); 1891 RETURN(0); 1892 } 1893 } else if (prev_type == REC_TYPE_CONT) /* missing newline */ 1894 smtp_fputs("", 0, session->stream); 1895 if ((session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) != 0 1896 && request->msg_stats.incoming_arrival.tv_sec 1897 <= vstream_ftime(session->stream) - var_smtp_pix_thresh) { 1898 smtp_flush(session->stream);/* hurts performance */ 1899 sleep(var_smtp_pix_delay); /* not to mention this */ 1900 } 1901 if (vstream_ferror(state->src)) 1902 msg_fatal("queue file read error"); 1903 if (rec_type != REC_TYPE_XTRA) { 1904 msg_warn("%s: bad record type: %d in message content", 1905 request->queue_id, rec_type); 1906 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1907 SMTP_RESP_FAKE(&fake, "5.3.0"), 1908 "unreadable mail queue entry"); 1909 /* Bailing out, abort stream with prejudice */ 1910 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 1911 DONT_USE_DEAD_SESSION; 1912 /* If bounce_append() succeeded, status is still 0 */ 1913 if (state->status == 0) 1914 (void) mark_corrupt(state->src); 1915 /* Don't override smtp_mesg_fail() here. */ 1916 RETURN(fail_status); 1917 } 1918 } else { 1919 if (!LOST_CONNECTION_INSIDE_DATA) 1920 RETURN(smtp_stream_except(state, except, 1921 "sending message body")); 1922 1923 /* 1924 * We will clear the stream error flag to try and read a 1925 * premature 5XX response, so it is important to flush any 1926 * unwritten data. Otherwise, we will try to flush it again 1927 * before reading, which may incur an unnecessary delay and 1928 * will prevent the reading of any response that is not 1929 * already buffered (bundled with the DATA 354 response). 1930 * 1931 * Not much point in sending QUIT at this point, skip right to 1932 * SMTP_STATE_LAST. The read engine above will likewise avoid 1933 * looking for a QUIT response. 1934 */ 1935 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE); 1936 next_state = SMTP_STATE_LAST; 1937 } 1938 } 1939 1940 /* 1941 * Copy the next command to the buffer and update the sender state. 1942 */ 1943 if (except == 0) { 1944 smtp_chat_cmd(session, "%s", vstring_str(next_command)); 1945 } else { 1946 DONT_CACHE_THIS_SESSION; 1947 } 1948 send_state = next_state; 1949 send_rcpt = next_rcpt; 1950 } while (recv_state != SMTP_STATE_LAST); 1951 RETURN(0); 1952 } 1953 1954 /* smtp_xfer - send a batch of envelope information and the message data */ 1955 1956 int smtp_xfer(SMTP_STATE *state) 1957 { 1958 DELIVER_REQUEST *request = state->request; 1959 SMTP_SESSION *session = state->session; 1960 SMTP_RESP fake; 1961 int send_state; 1962 int recv_state; 1963 int send_name_addr; 1964 int result; 1965 1966 /* 1967 * Sanity check. Recipients should be unmarked at this point. 1968 */ 1969 if (SMTP_RCPT_LEFT(state) <= 0) 1970 msg_panic("smtp_xfer: bad recipient count: %d", 1971 SMTP_RCPT_LEFT(state)); 1972 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info)) 1973 msg_panic("smtp_xfer: bad recipient status: %d", 1974 request->rcpt_list.info->u.status); 1975 1976 /* 1977 * See if we should even try to send this message at all. This code sits 1978 * here rather than in the EHLO processing code, because of SMTP 1979 * connection caching. 1980 */ 1981 if (session->size_limit > 0 && session->size_limit < request->data_size) { 1982 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1983 SMTP_RESP_FAKE(&fake, "5.3.4"), 1984 "message size %lu exceeds size limit %.0f of server %s", 1985 request->data_size, (double) session->size_limit, 1986 session->namaddr); 1987 /* Redundant. We abort this delivery attempt. */ 1988 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 1989 return (0); 1990 } 1991 1992 /* 1993 * Use XFORWARD to forward the origin of this email message across an 1994 * SMTP-based content filter. Send client attribute information only if 1995 * it exists (i.e. remote submission). Local submissions have no client 1996 * attributes; the mail will appear to originate from the content filter 1997 * which is acceptable. 1998 */ 1999 send_name_addr = 2000 var_smtp_send_xforward 2001 && (((session->features & SMTP_FEATURE_XFORWARD_NAME) 2002 && CAN_FORWARD_CLIENT_NAME(request->client_name)) 2003 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 2004 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) 2005 || ((session->features & SMTP_FEATURE_XFORWARD_PORT) 2006 && CAN_FORWARD_CLIENT_PORT(request->client_port))); 2007 session->send_proto_helo = 2008 var_smtp_send_xforward 2009 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) 2010 && CAN_FORWARD_PROTO_NAME(request->client_proto)) 2011 || ((session->features & SMTP_FEATURE_XFORWARD_HELO) 2012 && CAN_FORWARD_HELO_NAME(request->client_helo)) 2013 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 2014 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); 2015 if (send_name_addr) 2016 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; 2017 else if (session->send_proto_helo) 2018 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO; 2019 else 2020 recv_state = send_state = SMTP_STATE_MAIL; 2021 2022 /* 2023 * Remember this session's "normal completion", even if the server 4xx-ed 2024 * some or all recipients. Connection or handshake errors with a later MX 2025 * host should not cause this destination be marked as unreachable. 2026 */ 2027 result = smtp_loop(state, send_state, recv_state); 2028 2029 if (result == 0 2030 /* Just in case */ 2031 && vstream_ferror(session->stream) == 0 2032 && vstream_feof(session->stream) == 0) 2033 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2034 2035 return (result); 2036 } 2037 2038 /* smtp_rset - send a lone RSET command */ 2039 2040 int smtp_rset(SMTP_STATE *state) 2041 { 2042 2043 /* 2044 * This works because SMTP_STATE_RSET is a dedicated sender/recipient 2045 * entry state, with SMTP_STATE_LAST as next sender/recipient state. 2046 */ 2047 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET)); 2048 } 2049 2050 /* smtp_quit - send a lone QUIT command */ 2051 2052 int smtp_quit(SMTP_STATE *state) 2053 { 2054 2055 /* 2056 * This works because SMTP_STATE_QUIT is the last state with a sender 2057 * action, with SMTP_STATE_LAST as the next sender/recipient state. 2058 */ 2059 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ? 2060 SMTP_STATE_LAST : SMTP_STATE_QUIT)); 2061 } 2062