1 /* $NetBSD: smtp_proto.c,v 1.5 2023/12/23 20:30:45 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_proto 3 6 /* SUMMARY 7 /* client SMTP/LMTP protocol 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* int smtp_helo(state) 12 /* SMTP_STATE *state; 13 /* 14 /* int smtp_xfer(state) 15 /* SMTP_STATE *state; 16 /* 17 /* int smtp_rset(state) 18 /* SMTP_STATE *state; 19 /* 20 /* int smtp_quit(state) 21 /* SMTP_STATE *state; 22 /* DESCRIPTION 23 /* In the subsequent text, SMTP implies LMTP. 24 /* This module implements the client side of the SMTP protocol. 25 /* 26 /* smtp_helo() performs the initial handshake with the SMTP server. 27 /* When TLS is enabled, this includes STARTTLS negotiations. 28 /* 29 /* smtp_xfer() sends message envelope information followed by the 30 /* message data, and finishes the SMTP conversation. These operations 31 /* are combined in one function, in order to implement SMTP pipelining. 32 /* Recipients are marked as "done" in the mail queue file when 33 /* bounced or delivered. The message delivery status is updated 34 /* accordingly. 35 /* 36 /* smtp_rset() sends a single RSET command and waits for the 37 /* response. In case of a negative reply it sets the 38 /* CANT_RSET_THIS_SESSION flag. 39 /* 40 /* smtp_quit() sends a single QUIT command and waits for the 41 /* response if configured to do so. It always turns off connection 42 /* caching. 43 /* DIAGNOSTICS 44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return 45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(), 46 /* smtp_rset() and smtp_quit(), success means the ability to 47 /* perform an SMTP conversation, not necessarily the ability 48 /* to deliver mail, or the achievement of server happiness. 49 /* 50 /* In case of a rejected or failed connection, a connection 51 /* is marked as "bad, do not cache". Otherwise, connection 52 /* caching may be turned off (without being marked "bad") at 53 /* the discretion of the code that implements the individual 54 /* protocol steps. 55 /* 56 /* Warnings: corrupt message file. A corrupt message is marked 57 /* as "corrupt" by changing its queue file permissions. 58 /* BUGS 59 /* Some SMTP servers will abort when the number of recipients 60 /* for one message exceeds their capacity. This behavior violates 61 /* the SMTP protocol. 62 /* The only way around this is to limit the number of recipients 63 /* per transaction to an artificially-low value. 64 /* SEE ALSO 65 /* smtp(3h) internal data structures 66 /* smtp_chat(3) query/reply SMTP support 67 /* smtp_trouble(3) error handlers 68 /* LICENSE 69 /* .ad 70 /* .fi 71 /* The Secure Mailer license must be distributed with this software. 72 /* AUTHOR(S) 73 /* Wietse Venema 74 /* IBM T.J. Watson Research 75 /* P.O. Box 704 76 /* Yorktown Heights, NY 10598, USA 77 /* 78 /* Wietse Venema 79 /* Google, Inc. 80 /* 111 8th Avenue 81 /* New York, NY 10011, USA 82 /* 83 /* Pipelining code in cooperation with: 84 /* Jon Ribbens 85 /* Oaktree Internet Solutions Ltd., 86 /* Internet House, 87 /* Canal Basin, 88 /* Coventry, 89 /* CV1 4LY, United Kingdom. 90 /* 91 /* Connection caching in cooperation with: 92 /* Victor Duchovni 93 /* Morgan Stanley 94 /* 95 /* TLS support originally by: 96 /* Lutz Jaenicke 97 /* BTU Cottbus 98 /* Allgemeine Elektrotechnik 99 /* Universitaetsplatz 3-4 100 /* D-03044 Cottbus, Germany 101 /*--*/ 102 103 /* System library. */ 104 105 #include <sys_defs.h> 106 #include <sys/stat.h> 107 #include <sys/socket.h> /* shutdown(2) */ 108 #include <netinet/in.h> /* ntohs() */ 109 #include <string.h> 110 #include <unistd.h> 111 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */ 112 #include <stdarg.h> 113 #include <time.h> 114 115 #ifdef STRCASECMP_IN_STRINGS_H 116 #include <strings.h> 117 #endif 118 119 /* Utility library. */ 120 121 #include <msg.h> 122 #include <vstring.h> 123 #include <vstream.h> 124 #include <vstring_vstream.h> 125 #include <stringops.h> 126 #include <mymalloc.h> 127 #include <iostuff.h> 128 #include <split_at.h> 129 #include <name_code.h> 130 #include <name_mask.h> 131 132 /* Global library. */ 133 134 #include <mail_params.h> 135 #include <smtp_stream.h> 136 #include <mail_queue.h> 137 #include <recipient_list.h> 138 #include <deliver_request.h> 139 #include <defer.h> 140 #include <bounce.h> 141 #include <record.h> 142 #include <rec_type.h> 143 #include <off_cvt.h> 144 #include <mark_corrupt.h> 145 #include <quote_822_local.h> 146 #include <mail_proto.h> 147 #include <mime_state.h> 148 #include <ehlo_mask.h> 149 #include <maps.h> 150 #include <tok822.h> 151 #include <mail_addr_map.h> 152 #include <ext_prop.h> 153 #include <namadr_list.h> 154 #include <match_parent_style.h> 155 #include <lex_822.h> 156 #include <dsn_mask.h> 157 #include <xtext.h> 158 #include <uxtext.h> 159 #include <smtputf8.h> 160 161 /* Application-specific. */ 162 163 #include "smtp.h" 164 #include "smtp_sasl.h" 165 166 /* 167 * Sender and receiver state. A session does not necessarily go through a 168 * linear progression, but states are guaranteed to not jump backwards. 169 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states 170 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST. 171 * 172 * When connection caching is enabled, the QUIT state is suppressed. Normal 173 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions 174 * end with ABORT->LAST. The connection is left open for a limited time. An 175 * RSET probe should be sent before attempting to reuse an open connection 176 * for a new transaction. 177 * 178 * The code to send an RSET probe is a special case with its own initial state 179 * and with its own dedicated state transitions. The session proceeds as 180 * RSET->LAST. This code is kept inside the main protocol engine for 181 * consistent error handling and error reporting. It is not to be confused 182 * with the code that sends RSET to abort a mail transaction in progress. 183 * 184 * The code to send QUIT without message delivery transaction jumps into the 185 * main state machine. If this introduces complications, then we should 186 * introduce a second QUIT state with its own dedicated state transitions, 187 * just like we did for RSET probes. 188 * 189 * By default, the receiver skips the QUIT response. Some SMTP servers 190 * disconnect after responding to ".", and some SMTP servers wait before 191 * responding to QUIT. 192 * 193 * Client states that are associated with sending mail (up to and including 194 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending 195 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST). 196 */ 197 #define SMTP_STATE_XFORWARD_NAME_ADDR 0 198 #define SMTP_STATE_XFORWARD_PROTO_HELO 1 199 #define SMTP_STATE_MAIL 2 200 #define SMTP_STATE_RCPT 3 201 #define SMTP_STATE_DATA 4 202 #define SMTP_STATE_DOT 5 203 #define SMTP_STATE_ABORT 6 204 #define SMTP_STATE_RSET 7 205 #define SMTP_STATE_QUIT 8 206 #define SMTP_STATE_LAST 9 207 208 int *xfer_timeouts[SMTP_STATE_LAST] = { 209 &var_smtp_xfwd_tmout, /* name/addr */ 210 &var_smtp_xfwd_tmout, /* helo/proto */ 211 &var_smtp_mail_tmout, 212 &var_smtp_rcpt_tmout, 213 &var_smtp_data0_tmout, 214 &var_smtp_data2_tmout, 215 &var_smtp_rset_tmout, 216 &var_smtp_rset_tmout, 217 &var_smtp_quit_tmout, 218 }; 219 220 char *xfer_states[SMTP_STATE_LAST] = { 221 "sending XFORWARD name/address", 222 "sending XFORWARD protocol/helo_name", 223 "sending MAIL FROM", 224 "sending RCPT TO", 225 "sending DATA command", 226 "sending end of data -- message may be sent more than once", 227 "sending final RSET", 228 "sending RSET probe", 229 "sending QUIT", 230 }; 231 232 char *xfer_request[SMTP_STATE_LAST] = { 233 "XFORWARD name/address command", 234 "XFORWARD helo/protocol command", 235 "MAIL FROM command", 236 "RCPT TO command", 237 "DATA command", 238 "end of DATA command", 239 "final RSET command", 240 "RSET probe", 241 "QUIT command", 242 }; 243 244 /* 245 * Note: MIME downgrade never happens for mail that must be delivered with 246 * SMTPUTF8 (the sender requested SMTPUTF8, AND the delivery request 247 * involves at least one UTF-8 envelope address or header value. 248 */ 249 #define SMTP_MIME_DOWNGRADE(session, request) \ 250 (var_disable_mime_oconv == 0 \ 251 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \ 252 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0) 253 254 #ifdef USE_TLS 255 256 static int smtp_start_tls(SMTP_STATE *); 257 258 #endif 259 260 /* 261 * Call-back information for header/body checks. We don't provide call-backs 262 * for actions that change the message delivery time or destination. 263 */ 264 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *); 265 static void smtp_text_out(void *, int, const char *, ssize_t, off_t); 266 267 HBC_CALL_BACKS smtp_hbc_callbacks[1] = { 268 smtp_hbc_logger, 269 smtp_text_out, 270 }; 271 272 static int smtp_vrfy_tgt; 273 274 /* smtp_vrfy_init - initialize */ 275 276 void smtp_vrfy_init(void) 277 { 278 static const NAME_CODE vrfy_init_table[] = { 279 SMTP_VRFY_TGT_RCPT, SMTP_STATE_RCPT, 280 SMTP_VRFY_TGT_DATA, SMTP_STATE_DATA, 281 0, 282 }; 283 284 if ((smtp_vrfy_tgt = name_code(vrfy_init_table, NAME_CODE_FLAG_NONE, 285 var_smtp_vrfy_tgt)) == 0) 286 msg_fatal("bad protocol stage: \"%s = %s\"", 287 VAR_SMTP_VRFY_TGT, var_smtp_vrfy_tgt); 288 } 289 290 /* smtp_helo - perform initial handshake with SMTP server */ 291 292 int smtp_helo(SMTP_STATE *state) 293 { 294 const char *myname = "smtp_helo"; 295 SMTP_SESSION *session = state->session; 296 DELIVER_REQUEST *request = state->request; 297 SMTP_ITERATOR *iter = state->iterator; 298 SMTP_RESP *resp; 299 SMTP_RESP fake; 300 int except; 301 char *lines; 302 char *words; 303 char *word; 304 int n; 305 static const NAME_CODE xforward_features[] = { 306 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME, 307 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR, 308 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT, 309 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO, 310 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO, 311 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT, 312 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN, 313 0, 0, 314 }; 315 const char *ehlo_words; 316 int discard_mask; 317 static const NAME_MASK pix_bug_table[] = { 318 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP, 319 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF, 320 0, 321 }; 322 const char *pix_bug_words; 323 const char *pix_bug_source; 324 int pix_bug_mask; 325 326 #ifdef USE_TLS 327 int saved_features = session->features; 328 int tls_helo_status; 329 330 #endif 331 const char *NOCLOBBER where; 332 333 /* 334 * Skip the plaintext SMTP handshake when connecting in SMTPS mode. 335 */ 336 #ifdef USE_TLS 337 if (var_smtp_tls_wrappermode 338 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 339 /* XXX Mix-up of per-session and per-request flags. */ 340 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 341 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 342 var_smtp_req_deadline, 0); 343 tls_helo_status = smtp_start_tls(state); 344 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 345 return (tls_helo_status); 346 } 347 #endif 348 349 /* 350 * Prepare for disaster. 351 */ 352 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout, 353 var_smtp_req_deadline, 0); 354 if ((except = vstream_setjmp(state->session->stream)) != 0) 355 return (smtp_stream_except(state, except, where)); 356 357 /* 358 * If not recursing after STARTTLS, examine the server greeting banner 359 * and decide if we are going to send EHLO as the next command. 360 */ 361 if (var_smtp_tls_wrappermode 362 || (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 363 364 /* 365 * Read and parse the server's SMTP greeting banner. 366 */ 367 where = "receiving the initial server greeting"; 368 switch ((resp = smtp_chat_resp(session))->code / 100) { 369 case 2: 370 break; 371 case 5: 372 if (var_smtp_skip_5xx_greeting) 373 STR(resp->dsn_buf)[0] = '4'; 374 /* FALLTHROUGH */ 375 default: 376 return (smtp_site_fail(state, STR(iter->host), resp, 377 "host %s refused to talk to me: %s", 378 session->namaddr, 379 translit(resp->str, "\n", " "))); 380 } 381 382 /* 383 * If the policy table specifies a bogus TLS security level, fail 384 * now. 385 */ 386 #ifdef USE_TLS 387 if (state->tls->level == TLS_LEV_INVALID) 388 /* Warning is already logged. */ 389 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 390 SMTP_RESP_FAKE(&fake, "4.7.0"), 391 "client TLS configuration problem")); 392 #endif 393 394 /* 395 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so 396 * it does not span a packet boundary. This hurts performance so it 397 * is not on by default. 398 */ 399 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) { 400 /* Best effort only. Ignore errors. */ 401 if (smtp_pix_bug_maps != 0 402 && (pix_bug_words = 403 maps_find(smtp_pix_bug_maps, 404 STR(iter->addr), 0)) != 0) { 405 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_MAPS); 406 } else { 407 pix_bug_words = var_smtp_pix_bug_words; 408 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_WORDS); 409 } 410 if (*pix_bug_words) { 411 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table, 412 pix_bug_words, 413 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE); 414 if ((pix_bug_mask & SMTP_FEATURE_PIX_DELAY_DOTCRLF) 415 && request->msg_stats.incoming_arrival.tv_sec 416 > vstream_ftime(state->session->stream) - var_smtp_pix_thresh) 417 pix_bug_mask &= ~SMTP_FEATURE_PIX_DELAY_DOTCRLF; 418 msg_info("%s: enabling PIX workarounds: %s for %s", 419 request->queue_id, 420 str_name_mask("pix workaround bitmask", 421 pix_bug_table, pix_bug_mask), 422 session->namaddrport); 423 session->features |= pix_bug_mask; 424 } 425 } 426 427 /* 428 * See if we are talking to ourself. This should not be possible with 429 * the way we implement DNS lookups. However, people are known to 430 * sometimes screw up the naming service. And, mailer loops are still 431 * possible when our own mailer routing tables are mis-configured. 432 */ 433 words = resp->str; 434 (void) mystrtok(&words, "- \t\n"); 435 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) { 436 if (n == 0 && strcasecmp(word, var_myhostname) == 0) { 437 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) 438 msg_warn("host %s greeted me with my own hostname %s", 439 session->namaddrport, var_myhostname); 440 } else if (strcasecmp(word, "ESMTP") == 0) 441 session->features |= SMTP_FEATURE_ESMTP; 442 } 443 if (smtp_mode) { 444 if (var_smtp_always_ehlo 445 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0) 446 session->features |= SMTP_FEATURE_ESMTP; 447 if (var_smtp_never_ehlo 448 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0) 449 session->features &= ~SMTP_FEATURE_ESMTP; 450 } else { 451 session->features |= SMTP_FEATURE_ESMTP; 452 } 453 } 454 455 /* 456 * If recursing after STARTTLS, there is no server greeting banner. 457 * Always send EHLO as the next command. 458 */ 459 else { 460 session->features |= SMTP_FEATURE_ESMTP; 461 } 462 463 /* 464 * Return the compliment. Fall back to SMTP if our ESMTP recognition 465 * heuristic failed. 466 */ 467 if (smtp_mode) { 468 where = "performing the EHLO handshake"; 469 if (session->features & SMTP_FEATURE_ESMTP) { 470 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name); 471 if ((resp = smtp_chat_resp(session))->code / 100 != 2) { 472 if (resp->code == 421) 473 return (smtp_site_fail(state, STR(iter->host), resp, 474 "host %s refused to talk to me: %s", 475 session->namaddr, 476 translit(resp->str, "\n", " "))); 477 else 478 session->features &= ~SMTP_FEATURE_ESMTP; 479 } 480 } 481 if ((session->features & SMTP_FEATURE_ESMTP) == 0) { 482 where = "performing the HELO handshake"; 483 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name); 484 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 485 return (smtp_site_fail(state, STR(iter->host), resp, 486 "host %s refused to talk to me: %s", 487 session->namaddr, 488 translit(resp->str, "\n", " "))); 489 } 490 } else { 491 where = "performing the LHLO handshake"; 492 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name); 493 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 494 return (smtp_site_fail(state, STR(iter->host), resp, 495 "host %s refused to talk to me: %s", 496 session->namaddr, 497 translit(resp->str, "\n", " "))); 498 } 499 500 /* 501 * No early returns allowed, to ensure consistent handling of TLS and 502 * SASL policies. 503 */ 504 if (session->features & SMTP_FEATURE_ESMTP) { 505 506 /* 507 * Determine what server EHLO keywords to ignore, typically to avoid 508 * inter-operability problems. 509 */ 510 if (smtp_ehlo_dis_maps == 0 511 || (ehlo_words = maps_find(smtp_ehlo_dis_maps, 512 STR(iter->addr), 0)) == 0) 513 ehlo_words = var_smtp_ehlo_dis_words; 514 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) { 515 msg_warn("%s: %s map lookup error for %s", 516 session->state->request->queue_id, 517 smtp_ehlo_dis_maps->title, STR(iter->addr)); 518 vstream_longjmp(session->stream, SMTP_ERR_DATA); 519 } 520 discard_mask = ehlo_mask(ehlo_words); 521 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 522 msg_info("discarding EHLO keywords: %s", 523 str_ehlo_mask(discard_mask)); 524 525 /* 526 * Pick up some useful features offered by the SMTP server. XXX Until 527 * we have a portable routine to convert from string to off_t with 528 * proper overflow detection, ignore the message size limit 529 * advertised by the SMTP server. Otherwise, we might do the wrong 530 * thing when the server advertises a really huge message size limit. 531 * 532 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", 533 * because MicroSoft implemented AUTH based on an old draft. 534 */ 535 lines = resp->str; 536 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) { 537 if (mystrtok(&words, "- ") 538 && (word = mystrtok(&words, " \t=")) != 0) { 539 if (n == 0) { 540 if (session->helo != 0) 541 myfree(session->helo); 542 543 /* 544 * XXX: Keep the original case: we don't expect a single 545 * SMTP server to randomly change the case of its helo 546 * response. If different capitalization is detected, we 547 * should assume disjoint TLS caches. 548 */ 549 session->helo = mystrdup(word); 550 if (strcasecmp(word, var_myhostname) == 0 551 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) { 552 msg_warn("host %s replied to HELO/EHLO" 553 " with my own hostname %s", 554 session->namaddrport, var_myhostname); 555 if (session->features & SMTP_FEATURE_BEST_MX) 556 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 557 SMTP_RESP_FAKE(&fake, "5.4.6"), 558 "mail for %s loops back to myself", 559 request->nexthop)); 560 else 561 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 562 SMTP_RESP_FAKE(&fake, "4.4.6"), 563 "mail for %s loops back to myself", 564 request->nexthop)); 565 } 566 } else if (strcasecmp(word, "8BITMIME") == 0) { 567 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 568 session->features |= SMTP_FEATURE_8BITMIME; 569 } else if (strcasecmp(word, "PIPELINING") == 0) { 570 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 571 session->features |= SMTP_FEATURE_PIPELINING; 572 } else if (strcasecmp(word, "XFORWARD") == 0) { 573 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) 574 while ((word = mystrtok(&words, " \t")) != 0) 575 session->features |= 576 name_code(xforward_features, 577 NAME_CODE_FLAG_NONE, word); 578 } else if (strcasecmp(word, "SIZE") == 0) { 579 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 580 session->features |= SMTP_FEATURE_SIZE; 581 if ((word = mystrtok(&words, " \t")) != 0) { 582 if (!alldig(word)) 583 msg_warn("bad EHLO SIZE limit \"%s\" from %s", 584 word, session->namaddrport); 585 else 586 session->size_limit = off_cvt_string(word); 587 } 588 } 589 #ifdef USE_TLS 590 } else if (strcasecmp(word, "STARTTLS") == 0) { 591 /* Ignored later if we already sent STARTTLS. */ 592 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 593 session->features |= SMTP_FEATURE_STARTTLS; 594 #endif 595 #ifdef USE_SASL_AUTH 596 } else if (var_smtp_sasl_enable 597 && strcasecmp(word, "AUTH") == 0) { 598 if ((discard_mask & EHLO_MASK_AUTH) == 0) 599 smtp_sasl_helo_auth(session, words); 600 #endif 601 } else if (strcasecmp(word, "DSN") == 0) { 602 if ((discard_mask & EHLO_MASK_DSN) == 0) 603 session->features |= SMTP_FEATURE_DSN; 604 } else if (strcasecmp(word, "SMTPUTF8") == 0) { 605 if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0) 606 session->features |= SMTP_FEATURE_SMTPUTF8; 607 } 608 n++; 609 } 610 } 611 } 612 if (msg_verbose) 613 msg_info("server features: 0x%x size %.0f", 614 session->features, (double) session->size_limit); 615 616 /* 617 * Decide if this delivery requires SMTPUTF8 server support. 618 * 619 * For now, we require that the remote SMTP server supports SMTPUTF8 when 620 * the sender requested SMTPUTF8 support. 621 * 622 * XXX EAI Refine this to: the sender requested SMTPUTF8 support AND the 623 * delivery request involves at least one UTF-8 envelope address or 624 * header value. 625 * 626 * If the sender requested SMTPUTF8 support but the delivery request 627 * involves no UTF-8 envelope address or header value, then we could 628 * still deliver such mail to a non-SMTPUTF8 server, except that we must 629 * either uxtext-encode ORCPT parameters or not send them. We cannot 630 * encode the ORCPT in xtext, because legacy SMTP requires that the 631 * unencoded address consist entirely of printable (graphic and white 632 * space) characters from the US-ASCII repertoire (RFC 3461 section 4). A 633 * correct uxtext encoder will produce a result that an xtext decoder 634 * will pass through unchanged. 635 * 636 * XXX Should we try to encode headers with RFC 2047 when delivering to a 637 * non-SMTPUTF8 server? That could make life easier for mailing lists. 638 */ 639 #define DELIVERY_REQUIRES_SMTPUTF8 \ 640 ((request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) \ 641 && (request->smtputf8 & ~SMTPUTF8_FLAG_REQUESTED)) 642 643 /* 644 * Require that the server supports SMTPUTF8 when delivery requires 645 * SMTPUTF8. 646 * 647 * Fix 20140706: moved this before negotiating TLS, AUTH, and so on. 648 */ 649 if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0 650 && DELIVERY_REQUIRES_SMTPUTF8) 651 return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 652 SMTP_RESP_FAKE(&fake, "5.6.7"), 653 "SMTPUTF8 is required, " 654 "but was not offered by host %s", 655 session->namaddr)); 656 657 /* 658 * Fix 20140706: don't do silly things when the remote server announces 659 * SMTPUTF8 but not 8BITMIME support. Our primary mission is to deliver 660 * mail, not to force people into compliance. 661 */ 662 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0 663 && (session->features & SMTP_FEATURE_8BITMIME) == 0) { 664 msg_info("host %s offers SMTPUTF8 support, but not 8BITMIME", 665 session->namaddr); 666 session->features |= SMTP_FEATURE_8BITMIME; 667 } 668 669 /* 670 * We use SMTP command pipelining if the server said it supported it. 671 * Since we use blocking I/O, RFC 2197 says that we should inspect the 672 * TCP window size and not send more than this amount of information. 673 * Unfortunately this information is unavailable using the sockets 674 * interface. However, we *can* get the TCP send buffer size on the local 675 * TCP/IP stack. We should be able to fill this buffer without being 676 * blocked, and then the kernel will effectively do non-blocking I/O for 677 * us by automatically writing out the contents of its send buffer while 678 * we are reading in the responses. In addition to TCP buffering we have 679 * to be aware of application-level buffering by the vstream module, 680 * which is limited to a couple kbytes. 681 * 682 * XXX No need to do this before and after STARTTLS, but it's not a big deal 683 * if we do. 684 * 685 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as 686 * TLS messages. Thus, the TCP-level payload will be larger than the 687 * SMTP-level payload. This has implications for the PIPELINING engine. 688 * 689 * To avoid deadlock, the PIPELINING engine needs to request a TCP send 690 * buffer size that can hold the unacknowledged commands plus the TLS 691 * encapsulation overhead. 692 * 693 * The PIPELINING engine keeps the unacknowledged command size <= the 694 * default VSTREAM buffer size (to avoid small-write performance issues 695 * when the VSTREAM buffer size is at its default size). With a default 696 * VSTREAM buffer size of 4096 there is no reason to increase the 697 * unacknowledged command size as the TCP MSS increases. It's safer to 698 * spread the remote SMTP server's recipient processing load over time, 699 * than dumping a very large recipient list all at once. 700 * 701 * For TLS encapsulation overhead we make a conservative guess: take the 702 * current protocol overhead of ~40 bytes, double the number for future 703 * proofing (~80 bytes), then round up the result to the nearest power of 704 * 2 (128 bytes). Plus, be prepared for worst-case compression that 705 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS 706 * message becomes 15 kbytes. 707 */ 708 #define PIPELINING_BUFSIZE VSTREAM_BUFSIZE 709 #ifdef USE_TLS 710 #define TLS_WORST_PAYLOAD 16384 711 #define TLS_WORST_COMP_OVERHD 1024 712 #define TLS_WORST_PROTO_OVERHD 128 713 #define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD) 714 #define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD) 715 #endif 716 717 if (session->features & SMTP_FEATURE_PIPELINING) { 718 SOCKOPT_SIZE optlen; 719 int tcp_bufsize; 720 int enc_overhead = 0; 721 722 optlen = sizeof(tcp_bufsize); 723 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET, 724 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0) 725 msg_fatal("%s: getsockopt: %m", myname); 726 #ifdef USE_TLS 727 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) 728 enc_overhead += 729 (1 + (PIPELINING_BUFSIZE - 1) 730 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD; 731 #endif 732 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) { 733 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead; 734 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET, 735 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0) 736 msg_fatal("%s: setsockopt: %m", myname); 737 } 738 if (msg_verbose) 739 msg_info("Using %s PIPELINING, TCP send buffer size is %d, " 740 "PIPELINING buffer size is %d", 741 smtp_mode ? "ESMTP" : "LMTP", 742 tcp_bufsize, PIPELINING_BUFSIZE); 743 } 744 #ifdef USE_TLS 745 746 /* 747 * Skip this part if we already sent STARTTLS. 748 */ 749 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 750 751 /* 752 * Optionally log unused STARTTLS opportunities. 753 */ 754 if ((session->features & SMTP_FEATURE_STARTTLS) && 755 var_smtp_tls_note_starttls_offer && 756 state->tls->level <= TLS_LEV_NONE) 757 msg_info("Host offered STARTTLS: [%s]", STR(iter->host)); 758 759 /* 760 * Decide whether or not to send STARTTLS. 761 */ 762 if ((session->features & SMTP_FEATURE_STARTTLS) != 0 763 && smtp_tls_ctx != 0 && state->tls->level >= TLS_LEV_MAY) { 764 765 /* 766 * Prepare for disaster. 767 */ 768 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 769 var_smtp_req_deadline, 0); 770 if ((except = vstream_setjmp(state->session->stream)) != 0) 771 return (smtp_stream_except(state, except, 772 "receiving the STARTTLS response")); 773 774 /* 775 * Send STARTTLS. Recurse when the server accepts STARTTLS, after 776 * resetting the SASL and EHLO features lists. 777 * 778 * Reset the SASL mechanism list to avoid spurious warnings. 779 * 780 * Use the smtp_sasl_tls_security_options feature to allow SASL 781 * mechanisms that may not be allowed with plain-text 782 * connections. 783 */ 784 smtp_chat_cmd(session, "STARTTLS"); 785 if ((resp = smtp_chat_resp(session))->code / 100 == 2) { 786 #ifdef USE_SASL_AUTH 787 if (session->features & SMTP_FEATURE_AUTH) 788 smtp_sasl_cleanup(session); 789 #endif 790 session->features = saved_features; 791 /* XXX Mix-up of per-session and per-request flags. */ 792 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 793 tls_helo_status = smtp_start_tls(state); 794 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 795 return (tls_helo_status); 796 } 797 798 /* 799 * Give up if we must use TLS but the server rejects STARTTLS 800 * although support for it was announced in the EHLO response. 801 */ 802 session->features &= ~SMTP_FEATURE_STARTTLS; 803 if (TLS_REQUIRED(state->tls->level)) 804 return (smtp_site_fail(state, STR(iter->host), resp, 805 "TLS is required, but host %s refused to start TLS: %s", 806 session->namaddr, 807 translit(resp->str, "\n", " "))); 808 /* Else try to continue in plain-text mode. */ 809 } 810 811 /* 812 * Give up if we must use TLS but can't for various reasons. 813 * 814 * 200412 Be sure to provide the default clause at the bottom of this 815 * block. When TLS is required we must never, ever, end up in 816 * plain-text mode. 817 */ 818 if (TLS_REQUIRED(state->tls->level)) { 819 if (!(session->features & SMTP_FEATURE_STARTTLS)) { 820 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 821 SMTP_RESP_FAKE(&fake, "4.7.4"), 822 "TLS is required, but was not offered by host %s", 823 session->namaddr)); 824 } else if (smtp_tls_ctx == 0) { 825 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 826 SMTP_RESP_FAKE(&fake, "4.7.5"), 827 "TLS is required, but our TLS engine is unavailable")); 828 } else { 829 msg_warn("%s: TLS is required but unavailable, don't know why", 830 myname); 831 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 832 SMTP_RESP_FAKE(&fake, "4.7.0"), 833 "TLS is required, but unavailable")); 834 } 835 } 836 } 837 #endif 838 #ifdef USE_SASL_AUTH 839 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH)) 840 return (smtp_sasl_helo_login(state)); 841 #endif 842 843 return (0); 844 } 845 846 #ifdef USE_TLS 847 848 /* smtp_start_tls - turn on TLS and recurse into the HELO dialog */ 849 850 static int smtp_start_tls(SMTP_STATE *state) 851 { 852 SMTP_SESSION *session = state->session; 853 SMTP_ITERATOR *iter = state->iterator; 854 TLS_CLIENT_START_PROPS start_props; 855 VSTRING *serverid; 856 SMTP_RESP fake; 857 TLS_CLIENT_INIT_PROPS init_props; 858 VSTREAM *tlsproxy; 859 VSTRING *port_buf; 860 861 /* 862 * When the TLS handshake succeeds, we can reuse a connection only if TLS 863 * remains turned on for the lifetime of that connection. This requires 864 * that the TLS library state is maintained in some proxy process, for 865 * example, in tlsproxy(8). We then store the proxy file handle in the 866 * connection cache, and reuse that file handle. 867 * 868 * Otherwise, we must turn off connection caching. We can't turn off TLS in 869 * one SMTP client process, save the open connection to a cache which is 870 * shared with all SMTP clients, migrate the connection to another SMTP 871 * client, and resume TLS there. When the TLS handshake fails, we can't 872 * reuse the SMTP connection either, because the conversation is in an 873 * unknown state. 874 */ 875 if (state->tls->conn_reuse == 0) 876 DONT_CACHE_THIS_SESSION; 877 878 /* 879 * The following assumes sites that use TLS in a perverse configuration: 880 * multiple hosts per hostname, or even multiple hosts per IP address. 881 * All this without a shared TLS session cache, and they still want to 882 * use TLS session caching??? 883 * 884 * The TLS session cache records the trust chain verification status of 885 * cached sessions. Different transports may have different CAfile or 886 * CApath settings, perhaps to allow authenticated connections to sites 887 * with private CA certs without trusting said private certs for other 888 * sites. So we cannot assume that a trust chain valid for one transport 889 * is valid for another. Therefore the client session id must include 890 * either the transport name or the values of CAfile and CApath. We use 891 * the transport name. 892 * 893 * XXX: We store only one session per lookup key. Ideally the key maps 894 * 1-to-1 to a server TLS session cache. We use the IP address, port and 895 * ehlo response name to build a lookup key that works for split caches 896 * (that announce distinct names) behind a load balancer. 897 * 898 * XXX: The TLS library will salt the serverid with further details of the 899 * protocol and cipher requirements including the server ehlo response. 900 * Deferring the helo to the digested suffix results in more predictable 901 * SSL session lookup key lengths. 902 */ 903 serverid = vstring_alloc(10); 904 smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE 905 | SMTP_KEY_FLAG_CUR_NEXTHOP /* With port */ 906 | SMTP_KEY_FLAG_HOSTNAME 907 | SMTP_KEY_FLAG_ADDR); 908 909 if (state->tls->conn_reuse) { 910 TLS_CLIENT_PARAMS tls_params; 911 912 /* 913 * Send all our wishes in one big request. 914 */ 915 TLS_PROXY_CLIENT_INIT_PROPS(&init_props, 916 log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL), 917 log_level = var_smtp_tls_loglevel, 918 verifydepth = var_smtp_tls_scert_vd, 919 cache_type 920 = LMTP_SMTP_SUFFIX(TLS_MGR_SCACHE), 921 chain_files = var_smtp_tls_chain_files, 922 cert_file = var_smtp_tls_cert_file, 923 key_file = var_smtp_tls_key_file, 924 dcert_file = var_smtp_tls_dcert_file, 925 dkey_file = var_smtp_tls_dkey_file, 926 eccert_file = var_smtp_tls_eccert_file, 927 eckey_file = var_smtp_tls_eckey_file, 928 CAfile = var_smtp_tls_CAfile, 929 CApath = var_smtp_tls_CApath, 930 mdalg = var_smtp_tls_fpt_dgst); 931 TLS_PROXY_CLIENT_START_PROPS(&start_props, 932 timeout = var_smtp_starttls_tmout, 933 tls_level = state->tls->level, 934 nexthop = session->tls_nexthop, 935 host = STR(iter->host), 936 namaddr = session->namaddrport, 937 sni = state->tls->sni, 938 serverid = vstring_str(serverid), 939 helo = session->helo, 940 protocols = state->tls->protocols, 941 cipher_grade = state->tls->grade, 942 cipher_exclusions 943 = vstring_str(state->tls->exclusions), 944 matchargv = state->tls->matchargv, 945 mdalg = var_smtp_tls_fpt_dgst, 946 dane = state->tls->dane); 947 948 /* 949 * The tlsproxy(8) server enforces timeouts that are larger than 950 * those specified by the tlsproxy(8) client. These timeouts are a 951 * safety net for the case that the tlsproxy(8) client fails to 952 * enforce time limits. Normally, the tlsproxy(8) client would time 953 * out and trigger a plaintext event in the tlsproxy(8) server, and 954 * cause it to tear down the session. 955 * 956 * However, the tlsproxy(8) server has no insight into the SMTP 957 * protocol, and therefore it cannot by itself support different 958 * timeouts at different SMTP protocol stages. Instead, we specify 959 * the largest timeout (end-of-data) and rely on the SMTP client to 960 * time out first, which normally results in a plaintext event in the 961 * tlsproxy(8) server. Unfortunately, we cannot permit plaintext 962 * events during the TLS handshake, so we specify a separate timeout 963 * for that stage (the end-of-data timeout would be unreasonably 964 * large anyway). 965 */ 966 #define PROXY_OPEN_FLAGS \ 967 (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT) 968 969 port_buf = vstring_alloc(100); /* minimize fragmentation */ 970 vstring_sprintf(port_buf, "%d", ntohs(iter->port)); 971 tlsproxy = 972 tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS, 973 session->stream, STR(iter->addr), 974 STR(port_buf), var_smtp_starttls_tmout, 975 var_smtp_data2_tmout, state->service, 976 tls_proxy_client_param_from_config(&tls_params), 977 &init_props, &start_props); 978 vstring_free(port_buf); 979 980 /* 981 * To insert tlsproxy(8) between this process and the remote SMTP 982 * server, we swap the file descriptors between the tlsproxy and 983 * session->stream VSTREAMS, so that we don't lose all the 984 * user-configurable session->stream attributes (such as longjump 985 * buffers or timeouts). 986 * 987 * TODO: the tlsproxy RPCs should return more error detail than a "NO" 988 * result. OTOH, the in-process TLS engine does not return such info 989 * either. 990 * 991 * If the tlsproxy request fails we do not fall back to the in-process 992 * TLS stack. Reason: the admin enabled connection reuse to respect 993 * receiver policy; silently violating such policy would not be 994 * useful. 995 * 996 * We also don't fall back to the in-process TLS stack under low-traffic 997 * conditions, to avoid frustrating attempts to debug a problem with 998 * using the tlsproxy(8) service. 999 */ 1000 if (tlsproxy == 0) { 1001 session->tls_context = 0; 1002 } else { 1003 vstream_control(tlsproxy, 1004 CA_VSTREAM_CTL_DOUBLE, 1005 CA_VSTREAM_CTL_END); 1006 vstream_control(session->stream, 1007 CA_VSTREAM_CTL_SWAP_FD(tlsproxy), 1008 CA_VSTREAM_CTL_END); 1009 (void) vstream_fclose(tlsproxy); /* direct-to-server stream! */ 1010 1011 /* 1012 * There must not be any pending data in the stream buffers 1013 * before we read the TLS context attributes. 1014 */ 1015 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 1016 1017 /* 1018 * After plumbing the plaintext stream, receive the TLS context 1019 * object. For this we use the same VSTREAM buffer that we also 1020 * use to receive subsequent SMTP commands, therefore we must be 1021 * prepared for the possibility that the remote SMTP server 1022 * starts talking immediately. The tlsproxy implementation sends 1023 * the TLS context before remote content. The attribute protocol 1024 * is robust enough that an adversary cannot insert their own TLS 1025 * context attributes. 1026 */ 1027 session->tls_context = tls_proxy_context_receive(session->stream); 1028 if (session->tls_context) { 1029 session->features |= SMTP_FEATURE_FROM_PROXY; 1030 tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW, 1031 session->tls_context); 1032 } 1033 } 1034 } else { /* state->tls->conn_reuse */ 1035 1036 /* 1037 * As of Postfix 2.5, tls_client_start() tries hard to always 1038 * complete the TLS handshake. It records the verification and match 1039 * status in the resulting TLScontext. It is now up to the 1040 * application to abort the TLS connection if it chooses. 1041 * 1042 * XXX When tls_client_start() fails then we don't know what state the 1043 * SMTP connection is in, so we give up on this connection even if we 1044 * are not required to use TLS. 1045 * 1046 * Large parameter lists are error-prone, so we emulate a language 1047 * feature that C does not have natively: named parameter lists. 1048 */ 1049 session->tls_context = 1050 TLS_CLIENT_START(&start_props, 1051 ctx = smtp_tls_ctx, 1052 stream = session->stream, 1053 fd = -1, 1054 timeout = var_smtp_starttls_tmout, 1055 tls_level = state->tls->level, 1056 nexthop = session->tls_nexthop, 1057 host = STR(iter->host), 1058 namaddr = session->namaddrport, 1059 sni = state->tls->sni, 1060 serverid = vstring_str(serverid), 1061 helo = session->helo, 1062 protocols = state->tls->protocols, 1063 cipher_grade = state->tls->grade, 1064 cipher_exclusions 1065 = vstring_str(state->tls->exclusions), 1066 matchargv = state->tls->matchargv, 1067 mdalg = var_smtp_tls_fpt_dgst, 1068 dane = state->tls->dane); 1069 1070 /* 1071 * At this point there must not be any pending data in the stream 1072 * buffers. 1073 */ 1074 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 1075 } /* state->tls->conn_reuse */ 1076 1077 vstring_free(serverid); 1078 1079 if (session->tls_context == 0) { 1080 1081 /* 1082 * We must avoid further I/O, the peer is in an undefined state. 1083 */ 1084 DONT_USE_FORBIDDEN_SESSION; 1085 1086 /* 1087 * If TLS is optional, try delivery to the same server over a 1088 * plaintext connection. Otherwise we would defer mail forever with 1089 * destinations that have no alternate MX host. 1090 * 1091 * Don't fall back to plaintext if we were willing to use SASL-over-TLS 1092 * authentication. If the server doesn't announce SASL support over 1093 * plaintext connections, then we don't want delivery to fail with 1094 * "relay access denied". 1095 * 1096 * If TLS is opportunistic, don't throttle the destination, otherwise if 1097 * the mail is volume is high enough we may have difficulty ever 1098 * draining even the deferred mail, as new mail provides a constant 1099 * stream of negative feedback. 1100 */ 1101 if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE) 1102 RETRY_AS_PLAINTEXT; 1103 return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ? 1104 SMTP_NOTHROTTLE : SMTP_THROTTLE, 1105 DSN_BY_LOCAL_MTA, 1106 SMTP_RESP_FAKE(&fake, "4.7.5"), 1107 "Cannot start TLS: handshake failure")); 1108 } 1109 1110 /* 1111 * If we are verifying the server certificate and are not happy with the 1112 * result, abort the delivery here. We have a usable TLS session with the 1113 * server, so no need to disable I/O, ... we can even be polite and send 1114 * "QUIT". 1115 * 1116 * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require 1117 * matching. 1118 * 1119 * NOTE: We use "IS_MATCHED" to satisfy policy, but "IS_SECURED" to log 1120 * effective security. Thus "half-dane" is never "Verified" only 1121 * "Trusted", but matching is enforced here. 1122 * 1123 * NOTE: When none of the TLSA records were usable, "dane" and "half-dane" 1124 * fall back to "encrypt", updating the tls_context level accordingly, so 1125 * we must check that here, and not state->tls->level. 1126 */ 1127 if (TLS_MUST_MATCH(session->tls_context->level)) 1128 if (!TLS_CERT_IS_MATCHED(session->tls_context)) 1129 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 1130 SMTP_RESP_FAKE(&fake, "4.7.5"), 1131 "Server certificate not verified")); 1132 1133 /* 1134 * At this point we have to re-negotiate the "EHLO" to reget the 1135 * feature-list. 1136 */ 1137 return (smtp_helo(state)); 1138 } 1139 1140 #endif 1141 1142 /* smtp_hbc_logger - logging call-back for header/body checks */ 1143 1144 static void smtp_hbc_logger(void *context, const char *action, 1145 const char *where, const char *content, 1146 const char *text) 1147 { 1148 const SMTP_STATE *state = (SMTP_STATE *) context; 1149 1150 if (*text) { 1151 msg_info("%s: %s: %s %.200s: %s", 1152 state->request->queue_id, action, where, content, text); 1153 } else { 1154 msg_info("%s: %s: %s %.200s", 1155 state->request->queue_id, action, where, content); 1156 } 1157 } 1158 1159 /* smtp_text_out - output one header/body record */ 1160 1161 static void smtp_text_out(void *context, int rec_type, 1162 const char *text, ssize_t len, 1163 off_t unused_offset) 1164 { 1165 SMTP_STATE *state = (SMTP_STATE *) context; 1166 SMTP_SESSION *session = state->session; 1167 ssize_t data_left; 1168 const char *data_start; 1169 1170 /* 1171 * Deal with an impedance mismatch between Postfix queue files (record 1172 * length <= $message_line_length_limit) and SMTP (DATA record length <= 1173 * $smtp_line_length_limit). The code below does a little too much work 1174 * when the SMTP line length limit is disabled, but it avoids code 1175 * duplication, and thus, it avoids testing and maintenance problems. 1176 */ 1177 data_left = len; 1178 data_start = text; 1179 do { 1180 if (state->space_left == var_smtp_line_limit 1181 && data_left > 0 && *data_start == '.') 1182 smtp_fputc('.', session->stream); 1183 if (ENFORCING_SIZE_LIMIT(var_smtp_line_limit) 1184 && data_left >= state->space_left) { 1185 smtp_fputs(data_start, state->space_left, session->stream); 1186 data_start += state->space_left; 1187 data_left -= state->space_left; 1188 state->space_left = var_smtp_line_limit; 1189 if (data_left > 0 || rec_type == REC_TYPE_CONT) { 1190 smtp_fputc(' ', session->stream); 1191 state->space_left -= 1; 1192 1193 /* 1194 * XXX This can insert a line break into the middle of a 1195 * multi-byte character (not necessarily UTF-8). Note that 1196 * multibyte characters can span queue file records, for 1197 * example if line_length_limit == smtp_line_length_limit. 1198 */ 1199 if (state->logged_line_length_limit == 0) { 1200 msg_info("%s: breaking line > %d bytes with <CR><LF>SPACE", 1201 state->request->queue_id, var_smtp_line_limit); 1202 state->logged_line_length_limit = 1; 1203 } 1204 } 1205 } else { 1206 if (rec_type == REC_TYPE_CONT) { 1207 smtp_fwrite(data_start, data_left, session->stream); 1208 state->space_left -= data_left; 1209 } else { 1210 smtp_fputs(data_start, data_left, session->stream); 1211 state->space_left = var_smtp_line_limit; 1212 } 1213 break; 1214 } 1215 } while (data_left > 0); 1216 } 1217 1218 /* smtp_format_out - output one header/body record */ 1219 1220 static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...); 1221 1222 static void smtp_format_out(void *context, int rec_type, const char *fmt,...) 1223 { 1224 static VSTRING *vp; 1225 va_list ap; 1226 1227 if (vp == 0) 1228 vp = vstring_alloc(100); 1229 va_start(ap, fmt); 1230 vstring_vsprintf(vp, fmt, ap); 1231 va_end(ap); 1232 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0); 1233 } 1234 1235 /* smtp_header_out - output one message header */ 1236 1237 static void smtp_header_out(void *context, int unused_header_class, 1238 const HEADER_OPTS *unused_info, 1239 VSTRING *buf, off_t offset) 1240 { 1241 char *start = vstring_str(buf); 1242 char *line; 1243 char *next_line; 1244 1245 /* 1246 * This code destroys the header. We could try to avoid clobbering it, 1247 * but we're not going to use the data any further. 1248 */ 1249 for (line = start; line; line = next_line) { 1250 next_line = split_at(line, '\n'); 1251 smtp_text_out(context, REC_TYPE_NORM, line, next_line ? 1252 next_line - line - 1 : strlen(line), offset); 1253 } 1254 } 1255 1256 /* smtp_header_rewrite - rewrite message header before output */ 1257 1258 static void smtp_header_rewrite(void *context, int header_class, 1259 const HEADER_OPTS *header_info, 1260 VSTRING *buf, off_t offset) 1261 { 1262 SMTP_STATE *state = (SMTP_STATE *) context; 1263 int did_rewrite = 0; 1264 char *line; 1265 char *start; 1266 char *next_line; 1267 char *end_line; 1268 char *result; 1269 1270 /* 1271 * Apply optional header filtering. 1272 */ 1273 if (smtp_header_checks) { 1274 result = hbc_header_checks(context, smtp_header_checks, header_class, 1275 header_info, buf, offset); 1276 if (result == 0) 1277 return; 1278 if (result == HBC_CHECKS_STAT_ERROR) { 1279 msg_warn("%s: smtp header checks lookup error", 1280 state->request->queue_id); 1281 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1282 } 1283 if (result != STR(buf)) { 1284 vstring_strcpy(buf, result); 1285 myfree(result); 1286 } 1287 } 1288 1289 /* 1290 * Rewrite primary header addresses that match the smtp_generic_maps. The 1291 * cleanup server already enforces that all headers have proper lengths 1292 * and that all addresses are in proper form, so we don't have to repeat 1293 * that. 1294 */ 1295 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY 1296 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) { 1297 TOK822 *tree; 1298 TOK822 **addr_list; 1299 TOK822 **tpp; 1300 1301 tree = tok822_parse(vstring_str(buf) 1302 + strlen(header_info->name) + 1); 1303 addr_list = tok822_grep(tree, TOK822_ADDR); 1304 for (tpp = addr_list; *tpp; tpp++) 1305 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps, 1306 smtp_ext_prop_mask & EXT_PROP_GENERIC); 1307 if (did_rewrite) { 1308 vstring_truncate(buf, strlen(header_info->name)); 1309 vstring_strcat(buf, ": "); 1310 tok822_externalize(buf, tree, TOK822_STR_HEAD); 1311 } 1312 myfree((void *) addr_list); 1313 tok822_free_tree(tree); 1314 } 1315 1316 /* 1317 * Pass through unmodified headers without reconstruction. 1318 */ 1319 if (did_rewrite == 0) { 1320 smtp_header_out(context, header_class, header_info, buf, offset); 1321 return; 1322 } 1323 1324 /* 1325 * A rewritten address list contains one address per line. The code below 1326 * replaces newlines by spaces, to fit as many addresses on a line as 1327 * possible (without rearranging the order of addresses). Prepending 1328 * white space to the beginning of lines is delegated to the output 1329 * routine. 1330 * 1331 * Code derived from cleanup_fold_header(). 1332 */ 1333 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1334 end_line = line + strcspn(line, "\n"); 1335 if (line > start) { 1336 if (end_line - start < 70) { /* TAB counts as one */ 1337 line[-1] = ' '; 1338 } else { 1339 start = line; 1340 } 1341 } 1342 next_line = *end_line ? end_line + 1 : 0; 1343 } 1344 1345 /* 1346 * Prepend a tab to continued header lines that went through the address 1347 * rewriting machinery. Just like smtp_header_out(), this code destroys 1348 * the header. We could try to avoid clobbering it, but we're not going 1349 * to use the data any further. 1350 * 1351 * Code derived from cleanup_out_header(). 1352 */ 1353 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1354 next_line = split_at(line, '\n'); 1355 if (line == start || IS_SPACE_TAB(*line)) { 1356 smtp_text_out(state, REC_TYPE_NORM, line, next_line ? 1357 next_line - line - 1 : strlen(line), offset); 1358 } else { 1359 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line); 1360 } 1361 } 1362 } 1363 1364 /* smtp_body_rewrite - rewrite message body before output */ 1365 1366 static void smtp_body_rewrite(void *context, int type, 1367 const char *buf, ssize_t len, 1368 off_t offset) 1369 { 1370 SMTP_STATE *state = (SMTP_STATE *) context; 1371 char *result; 1372 1373 /* 1374 * Apply optional body filtering. 1375 */ 1376 if (smtp_body_checks) { 1377 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset); 1378 if (result == buf) { 1379 smtp_text_out(state, type, buf, len, offset); 1380 } else if (result == HBC_CHECKS_STAT_ERROR) { 1381 msg_warn("%s: smtp body checks lookup error", 1382 state->request->queue_id); 1383 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1384 } else if (result != 0) { 1385 smtp_text_out(state, type, result, strlen(result), offset); 1386 myfree(result); 1387 } 1388 } 1389 } 1390 1391 /* smtp_mime_fail - MIME problem */ 1392 1393 static void smtp_mime_fail(SMTP_STATE *state, int mime_errs) 1394 { 1395 const MIME_STATE_DETAIL *detail; 1396 SMTP_RESP fake; 1397 1398 detail = mime_state_detail(mime_errs); 1399 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1400 SMTP_RESP_FAKE(&fake, detail->dsn), 1401 "%s", detail->text); 1402 } 1403 1404 /* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */ 1405 1406 static int smtp_out_raw_or_mime(SMTP_STATE *state, int rec_type, VSTRING *buf) 1407 { 1408 SMTP_SESSION *session = state->session; 1409 int mime_errs; 1410 1411 if (session->mime_state == 0) { 1412 smtp_text_out((void *) state, rec_type, vstring_str(buf), 1413 VSTRING_LEN(buf), (off_t) 0); 1414 } else { 1415 mime_errs = 1416 mime_state_update(session->mime_state, rec_type, 1417 vstring_str(buf), VSTRING_LEN(buf)); 1418 if (mime_errs) { 1419 smtp_mime_fail(state, mime_errs); 1420 return (-1); 1421 } 1422 } 1423 return (0); 1424 } 1425 1426 /* smtp_out_add_header - format address header, uses session->scratch* */ 1427 1428 static int smtp_out_add_header(SMTP_STATE *state, const char *label, 1429 const char *lt, const char *addr, 1430 const char *gt) 1431 { 1432 SMTP_SESSION *session = state->session; 1433 1434 smtp_rewrite_generic_internal(session->scratch2, addr); 1435 vstring_sprintf(session->scratch, "%s: %s", label, lt); 1436 smtp_quote_822_address_flags(session->scratch, 1437 vstring_str(session->scratch2), 1438 QUOTE_FLAG_DEFAULT | QUOTE_FLAG_APPEND); 1439 vstring_strcat(session->scratch, gt); 1440 return (smtp_out_raw_or_mime(state, REC_TYPE_NORM, session->scratch)); 1441 } 1442 1443 /* smtp_out_add_headers - output additional headers, uses session->scratch* */ 1444 1445 static int smtp_out_add_headers(SMTP_STATE *state) 1446 { 1447 /* Prepend headers in the same order as mail_copy.c. */ 1448 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_RETURN_PATH) 1449 if (smtp_out_add_header(state, "Return-Path", "<", 1450 state->request->sender, ">") < 0) 1451 return (-1); 1452 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_ORIG_RCPT) 1453 if (smtp_out_add_header(state, "X-Original-To", "", 1454 state->request->rcpt_list.info->orig_addr, "") < 0) 1455 return (-1); 1456 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_DELIVERED_TO) 1457 if (smtp_out_add_header(state, "Delivered-To", "", 1458 state->request->rcpt_list.info->address, "") < 0) 1459 return (-1); 1460 return (0); 1461 } 1462 1463 /* smtp_loop - exercise the SMTP protocol engine */ 1464 1465 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, 1466 NOCLOBBER int recv_state) 1467 { 1468 const char *myname = "smtp_loop"; 1469 DELIVER_REQUEST *request = state->request; 1470 SMTP_SESSION *session = state->session; 1471 SMTP_ITERATOR *iter = state->iterator; 1472 SMTP_RESP *resp; 1473 RECIPIENT *rcpt; 1474 VSTRING *next_command = vstring_alloc(100); 1475 int *NOCLOBBER survivors = 0; 1476 NOCLOBBER int next_state; 1477 NOCLOBBER int next_rcpt; 1478 NOCLOBBER int send_rcpt; 1479 NOCLOBBER int recv_rcpt; 1480 NOCLOBBER int nrcpt; 1481 NOCLOBBER int recv_done; 1482 int except; 1483 int rec_type; 1484 NOCLOBBER int prev_type = 0; 1485 NOCLOBBER int mail_from_rejected; 1486 NOCLOBBER int downgrading; 1487 int mime_errs; 1488 SMTP_RESP fake; 1489 int fail_status; 1490 1491 /* Caution: changes to RETURN() also affect code outside the main loop. */ 1492 1493 #define RETURN(x) do { \ 1494 if (recv_state != SMTP_STATE_LAST) \ 1495 DONT_CACHE_THIS_SESSION; \ 1496 vstring_free(next_command); \ 1497 if (survivors) \ 1498 myfree((void *) survivors); \ 1499 if (session->mime_state) \ 1500 session->mime_state = mime_state_free(session->mime_state); \ 1501 return (x); \ 1502 } while (0) 1503 1504 #define SENDER_IS_AHEAD \ 1505 (recv_state < send_state || recv_rcpt != send_rcpt) 1506 1507 #define SENDER_IN_WAIT_STATE \ 1508 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST) 1509 1510 #define SENDING_MAIL \ 1511 (recv_state <= SMTP_STATE_DOT) 1512 1513 #define CANT_RSET_THIS_SESSION \ 1514 (session->features |= SMTP_FEATURE_RSET_REJECTED) 1515 1516 /* 1517 * Pipelining support requires two loops: one loop for sending and one 1518 * for receiving. Each loop has its own independent state. Most of the 1519 * time the sender can run ahead of the receiver by as much as the TCP 1520 * send buffer permits. There are only two places where the sender must 1521 * wait for status information from the receiver: once after sending DATA 1522 * and once after sending QUIT. 1523 * 1524 * The sender state advances until the TCP send buffer would overflow, or 1525 * until the sender needs status information from the receiver. At that 1526 * point the receiver starts processing responses. Once the receiver has 1527 * caught up with the sender, the sender resumes sending commands. If the 1528 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO 1529 * commands rejected, DATA rejected) it forces the sender to abort the 1530 * SMTP dialog with RSET and QUIT. 1531 */ 1532 nrcpt = 0; 1533 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0; 1534 mail_from_rejected = 0; 1535 1536 /* 1537 * Prepare for disaster. This should not be needed because the design 1538 * guarantees that no output is flushed before smtp_chat_resp() is 1539 * called. 1540 * 1541 * 1) Every SMTP command fits entirely in a VSTREAM output buffer. 1542 * 1543 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that 1544 * there is sufficient space for the command in the output buffer. 1545 * 1546 * 3) smtp_loop() flushes the output buffer to avoid server timeouts. 1547 * 1548 * Changing any of these would violate the design, and would likely break 1549 * SMTP pipelining. 1550 * 1551 * We set up the error handler anyway (only upon entry to avoid wasting 1552 * resources) because 1) there is code below that expects that VSTREAM 1553 * timeouts are enabled, and 2) this allows us to detect if someone broke 1554 * Postfix by introducing spurious flush before read operations. 1555 */ 1556 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR 1557 || send_state > SMTP_STATE_QUIT) 1558 msg_panic("%s: bad sender state %d (receiver state %d)", 1559 myname, send_state, recv_state); 1560 smtp_stream_setup(session->stream, *xfer_timeouts[send_state], 1561 var_smtp_req_deadline, 0); 1562 if ((except = vstream_setjmp(session->stream)) != 0) { 1563 msg_warn("smtp_proto: spurious flush before read in send state %d", 1564 send_state); 1565 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1566 xfer_states[send_state]) : -1); 1567 } 1568 1569 /* 1570 * The main protocol loop. 1571 */ 1572 do { 1573 1574 /* 1575 * Build the next command. 1576 */ 1577 switch (send_state) { 1578 1579 /* 1580 * Sanity check. 1581 */ 1582 default: 1583 msg_panic("%s: bad sender state %d", myname, send_state); 1584 1585 /* 1586 * Build the XFORWARD command. With properly sanitized 1587 * information, the command length stays within the 512 byte 1588 * command line length limit. 1589 * 1590 * XXX smtpd_xforward_preset() initializes some fields as "unknown" 1591 * and some as null; historically, pickup(8) does not send any of 1592 * these, and the queue manager presets absent fields to "not 1593 * available" except for the rewrite context which is preset to 1594 * local by way of migration aid. These definitions need to be 1595 * centralized for maintainability. 1596 */ 1597 #ifndef CAN_FORWARD_CLIENT_NAME 1598 #define _ATTR_AVAIL_AND_KNOWN_(val) \ 1599 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) 1600 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ 1601 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ 1602 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ 1603 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ 1604 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL 1605 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL 1606 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL 1607 #endif 1608 1609 case SMTP_STATE_XFORWARD_NAME_ADDR: 1610 vstring_strcpy(next_command, XFORWARD_CMD); 1611 if ((session->features & SMTP_FEATURE_XFORWARD_NAME) 1612 && CAN_FORWARD_CLIENT_NAME(request->client_name)) { 1613 vstring_strcat(next_command, " " XFORWARD_NAME "="); 1614 xtext_quote_append(next_command, request->client_name, ""); 1615 } 1616 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 1617 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { 1618 vstring_strcat(next_command, " " XFORWARD_ADDR "="); 1619 xtext_quote_append(next_command, request->client_addr, ""); 1620 } 1621 if ((session->features & SMTP_FEATURE_XFORWARD_PORT) 1622 && CAN_FORWARD_CLIENT_PORT(request->client_port)) { 1623 vstring_strcat(next_command, " " XFORWARD_PORT "="); 1624 xtext_quote_append(next_command, request->client_port, ""); 1625 } 1626 if (session->send_proto_helo) 1627 next_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1628 else 1629 next_state = SMTP_STATE_MAIL; 1630 break; 1631 1632 case SMTP_STATE_XFORWARD_PROTO_HELO: 1633 vstring_strcpy(next_command, XFORWARD_CMD); 1634 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) 1635 && CAN_FORWARD_PROTO_NAME(request->client_proto)) { 1636 vstring_strcat(next_command, " " XFORWARD_PROTO "="); 1637 xtext_quote_append(next_command, request->client_proto, ""); 1638 } 1639 if ((session->features & SMTP_FEATURE_XFORWARD_HELO) 1640 && CAN_FORWARD_HELO_NAME(request->client_helo)) { 1641 vstring_strcat(next_command, " " XFORWARD_HELO "="); 1642 xtext_quote_append(next_command, request->client_helo, ""); 1643 } 1644 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 1645 && CAN_FORWARD_IDENT_NAME(request->log_ident)) { 1646 vstring_strcat(next_command, " " XFORWARD_IDENT "="); 1647 xtext_quote_append(next_command, request->log_ident, ""); 1648 } 1649 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 1650 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { 1651 vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); 1652 xtext_quote_append(next_command, 1653 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 1654 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, ""); 1655 } 1656 next_state = SMTP_STATE_MAIL; 1657 break; 1658 1659 /* 1660 * Build the MAIL FROM command. 1661 */ 1662 case SMTP_STATE_MAIL: 1663 request->msg_stats.reuse_count = session->reuse_count; 1664 GETTIMEOFDAY(&request->msg_stats.conn_setup_done); 1665 smtp_rewrite_generic_internal(session->scratch2, request->sender); 1666 smtp_quote_821_address(session->scratch, 1667 vstring_str(session->scratch2)); 1668 vstring_sprintf(next_command, "MAIL FROM:<%s>", 1669 vstring_str(session->scratch)); 1670 /* XXX Don't announce SIZE if we're going to MIME downgrade. */ 1671 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */ 1672 && !SMTP_MIME_DOWNGRADE(session, request)) 1673 vstring_sprintf_append(next_command, " SIZE=%lu", 1674 request->data_size); 1675 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */ 1676 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0) 1677 vstring_strcat(next_command, " BODY=8BITMIME"); 1678 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0) 1679 vstring_strcat(next_command, " BODY=7BIT"); 1680 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0) 1681 msg_warn("%s: unknown content encoding: %s", 1682 request->queue_id, request->encoding); 1683 } 1684 if (session->features & SMTP_FEATURE_DSN) { 1685 if (request->dsn_envid[0]) { 1686 vstring_sprintf_append(next_command, " ENVID="); 1687 xtext_quote_append(next_command, request->dsn_envid, "+="); 1688 } 1689 if (request->dsn_ret) 1690 vstring_sprintf_append(next_command, " RET=%s", 1691 dsn_ret_str(request->dsn_ret)); 1692 } 1693 1694 /* 1695 * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8 1696 * and the sender requested SMTPUTF8 support. 1697 * 1698 * If the sender requested SMTPUTF8 but the remote SMTP server does 1699 * not support SMTPUTF8, then we have already determined earlier 1700 * that delivering this message without SMTPUTF8 will not break 1701 * the SMTPUTF8 promise that was made to the sender. 1702 */ 1703 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0 1704 && (request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) != 0) 1705 vstring_strcat(next_command, " SMTPUTF8"); 1706 1707 /* 1708 * We authenticate the local MTA only, but not the sender. 1709 */ 1710 #ifdef USE_SASL_AUTH 1711 if (var_smtp_sasl_enable 1712 && var_smtp_dummy_mail_auth 1713 && (session->features & SMTP_FEATURE_AUTH)) 1714 vstring_strcat(next_command, " AUTH=<>"); 1715 #endif 1716 1717 /* 1718 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail 1719 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA 1720 * commands to our TLS session. 1721 * 1722 * For the attack to succeed, the remote SMTP server must reply to 1723 * the malicious EHLO/MAIL/RCPT/DATA commands after completing 1724 * TLS (re)negotiation, so that the replies arrive in our TLS 1725 * session (otherwise the Postfix SMTP client would time out 1726 * waiting for an answer). With some luck we can detect this 1727 * specific attack as a server MAIL reply that arrives before we 1728 * send our own MAIL command. 1729 * 1730 * We don't apply this test to the HELO command because the result 1731 * would be very timing sensitive, and we don't apply this test 1732 * to RCPT and DATA replies because these may be pipelined for 1733 * legitimate reasons. 1734 */ 1735 #ifdef USE_TLS 1736 if (var_smtp_tls_blk_early_mail_reply 1737 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 1738 && (vstream_peek(session->stream) > 0 1739 || peekfd(vstream_fileno(session->stream)) > 0)) 1740 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY; 1741 #endif 1742 1743 /* 1744 * We now return to our regular broadcast. 1745 */ 1746 next_state = SMTP_STATE_RCPT; 1747 break; 1748 1749 /* 1750 * Build one RCPT TO command before we have seen the MAIL FROM 1751 * response. 1752 */ 1753 case SMTP_STATE_RCPT: 1754 rcpt = request->rcpt_list.info + send_rcpt; 1755 smtp_rewrite_generic_internal(session->scratch2, rcpt->address); 1756 smtp_quote_821_address(session->scratch, 1757 vstring_str(session->scratch2)); 1758 vstring_sprintf(next_command, "RCPT TO:<%s>", 1759 vstring_str(session->scratch)); 1760 if (session->features & SMTP_FEATURE_DSN) { 1761 /* XXX DSN xtext encode address value not type. */ 1762 const char *orcpt_type_addr = rcpt->dsn_orcpt; 1763 1764 /* Fix 20140706: don't use empty rcpt->orig_addr. */ 1765 if (orcpt_type_addr[0] == 0 && rcpt->orig_addr[0] != 0) { 1766 quote_822_local(session->scratch, rcpt->orig_addr); 1767 vstring_sprintf(session->scratch2, "%s;%s", 1768 /* Fix 20140707: sender must request SMTPUTF8. */ 1769 (request->smtputf8 != 0 1770 && !allascii(vstring_str(session->scratch))) ? 1771 "utf-8" : "rfc822", 1772 vstring_str(session->scratch)); 1773 orcpt_type_addr = vstring_str(session->scratch2); 1774 } 1775 if (orcpt_type_addr[0] != 0) { 1776 /* Fix 20140706: don't send unquoted ORCPT. */ 1777 /* Fix 20140707: quoting method must match orcpt type. */ 1778 /* Fix 20140707: handle uxtext encoder errors. */ 1779 if (strncasecmp(orcpt_type_addr, "utf-8;", 6) == 0) { 1780 if (uxtext_quote(session->scratch, 1781 orcpt_type_addr, "+=") != 0) 1782 vstring_sprintf_append(next_command, " ORCPT=%s", 1783 vstring_str(session->scratch)); 1784 } else { 1785 xtext_quote(session->scratch, orcpt_type_addr, "="); 1786 vstring_sprintf_append(next_command, " ORCPT=%s", 1787 vstring_str(session->scratch)); 1788 } 1789 } 1790 if (rcpt->dsn_notify) 1791 vstring_sprintf_append(next_command, " NOTIFY=%s", 1792 dsn_notify_str(rcpt->dsn_notify)); 1793 } 1794 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state)) 1795 next_state = (DEL_REQ_TRACE_ONLY(request->flags) 1796 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ? 1797 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1798 break; 1799 1800 /* 1801 * Build the DATA command before we have seen all the RCPT TO 1802 * responses. 1803 */ 1804 case SMTP_STATE_DATA: 1805 vstring_strcpy(next_command, "DATA"); 1806 next_state = SMTP_STATE_DOT; 1807 break; 1808 1809 /* 1810 * Build the "." command after we have seen the DATA response 1811 * (DATA is a protocol synchronization point). 1812 * 1813 * Changing the connection caching state here is safe because it 1814 * affects none of the not-yet processed replies to 1815 * already-generated commands. 1816 */ 1817 case SMTP_STATE_DOT: 1818 vstring_strcpy(next_command, "."); 1819 if (THIS_SESSION_IS_EXPIRED) 1820 DONT_CACHE_THIS_SESSION; 1821 next_state = THIS_SESSION_IS_CACHED ? 1822 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1823 break; 1824 1825 /* 1826 * The SMTP_STATE_ABORT sender state is entered by the sender 1827 * when it has verified all recipients; or it is entered by the 1828 * receiver when all recipients are verified or rejected, and is 1829 * then left before the bottom of the main loop. 1830 * 1831 * Changing the connection caching state here is safe because there 1832 * are no not-yet processed replies to already-generated 1833 * commands. 1834 */ 1835 case SMTP_STATE_ABORT: 1836 vstring_strcpy(next_command, "RSET"); 1837 if (THIS_SESSION_IS_EXPIRED) 1838 DONT_CACHE_THIS_SESSION; 1839 next_state = THIS_SESSION_IS_CACHED ? 1840 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1841 break; 1842 1843 /* 1844 * Build the RSET command. This is entered as initial state from 1845 * smtp_rset() and has its own dedicated state transitions. It is 1846 * used to find out the status of a cached session before 1847 * attempting mail delivery. 1848 */ 1849 case SMTP_STATE_RSET: 1850 vstring_strcpy(next_command, "RSET"); 1851 next_state = SMTP_STATE_LAST; 1852 break; 1853 1854 /* 1855 * Build the QUIT command before we have seen the "." or RSET 1856 * response. This is entered as initial state from smtp_quit(), 1857 * or is reached near the end of any non-cached session. 1858 * 1859 * Changing the connection caching state here is safe. If this 1860 * command is pipelined together with a preceding command, then 1861 * connection caching was already turned off. Do not clobber the 1862 * "bad connection" flag. 1863 */ 1864 case SMTP_STATE_QUIT: 1865 vstring_strcpy(next_command, "QUIT"); 1866 next_state = SMTP_STATE_LAST; 1867 if (THIS_SESSION_IS_CACHED) 1868 DONT_CACHE_THIS_SESSION; 1869 break; 1870 1871 /* 1872 * The final sender state has no action associated with it. 1873 */ 1874 case SMTP_STATE_LAST: 1875 VSTRING_RESET(next_command); 1876 break; 1877 } 1878 VSTRING_TERMINATE(next_command); 1879 1880 /* 1881 * Process responses until the receiver has caught up. Vstreams 1882 * automatically flush buffered output when reading new data. 1883 * 1884 * Flush unsent output if command pipelining is off or if no I/O 1885 * happened for a while. This limits the accumulation of client-side 1886 * delays in pipelined sessions. 1887 * 1888 * The PIPELINING engine will flush the VSTREAM buffer if the sender 1889 * could otherwise produce more output than fits the PIPELINING 1890 * buffer. This generally works because we know exactly how much 1891 * output we produced since the last time that the sender and 1892 * receiver synchronized the SMTP state. However this logic is not 1893 * applicable after the sender enters the DATA phase, where it does 1894 * not synchronize with the receiver until the <CR><LF>.<CR><LF>. 1895 * Thus, the PIPELINING engine no longer knows how much data is 1896 * pending in the TCP send buffer. For this reason, if PIPELINING is 1897 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is 1898 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP 1899 * stack either has already received the QUIT<CR><LF>, or else it 1900 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>, 1901 * making room in the sender's TCP stack for QUIT<CR><LF>. 1902 */ 1903 #define CHECK_PIPELINING_BUFSIZE \ 1904 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT) 1905 1906 if (SENDER_IN_WAIT_STATE 1907 || (SENDER_IS_AHEAD 1908 && ((session->features & SMTP_FEATURE_PIPELINING) == 0 1909 || (CHECK_PIPELINING_BUFSIZE 1910 && (VSTRING_LEN(next_command) + 2 1911 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND) 1912 > PIPELINING_BUFSIZE)) 1913 || time((time_t *) 0) 1914 - vstream_ftime(session->stream) > 10))) { 1915 while (SENDER_IS_AHEAD) { 1916 1917 /* 1918 * Sanity check. 1919 */ 1920 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR 1921 || recv_state > SMTP_STATE_QUIT) 1922 msg_panic("%s: bad receiver state %d (sender state %d)", 1923 myname, recv_state, send_state); 1924 1925 /* 1926 * Receive the next server response. Use the proper timeout, 1927 * and log the proper client state in case of trouble. 1928 * 1929 * XXX If we lose the connection before sending end-of-data, 1930 * find out if the server sent a premature end-of-data reply. 1931 * If this read attempt fails, report "lost connection while 1932 * sending message body", not "lost connection while sending 1933 * end-of-data". 1934 * 1935 * "except" becomes zero just above the protocol loop, and stays 1936 * zero or triggers an early return from the loop. In just 1937 * one case: loss of the connection when sending the message 1938 * body, we record the exception, and keep processing in the 1939 * hope of detecting a premature 5XX. We must be careful to 1940 * not clobber this non-zero value once it is set. The 1941 * variable need not survive longjmp() calls, since the only 1942 * setjmp() which does not return early is the one sets this 1943 * condition, subsequent failures always return early. 1944 */ 1945 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) 1946 1947 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state], 1948 var_smtp_req_deadline, 0); 1949 if (LOST_CONNECTION_INSIDE_DATA) { 1950 if (vstream_setjmp(session->stream) != 0) 1951 RETURN(smtp_stream_except(state, SMTP_ERR_EOF, 1952 "sending message body")); 1953 } else { 1954 if ((except = vstream_setjmp(session->stream)) != 0) 1955 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1956 xfer_states[recv_state]) : -1); 1957 } 1958 resp = smtp_chat_resp(session); 1959 1960 /* 1961 * Process the response. 1962 */ 1963 switch (recv_state) { 1964 1965 /* 1966 * Process the XFORWARD response. 1967 */ 1968 case SMTP_STATE_XFORWARD_NAME_ADDR: 1969 if (resp->code / 100 != 2) 1970 msg_warn("host %s said: %s (in reply to %s)", 1971 session->namaddrport, 1972 translit(resp->str, "\n", " "), 1973 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]); 1974 if (session->send_proto_helo) 1975 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1976 else 1977 recv_state = SMTP_STATE_MAIL; 1978 break; 1979 1980 case SMTP_STATE_XFORWARD_PROTO_HELO: 1981 if (resp->code / 100 != 2) 1982 msg_warn("host %s said: %s (in reply to %s)", 1983 session->namaddrport, 1984 translit(resp->str, "\n", " "), 1985 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]); 1986 recv_state = SMTP_STATE_MAIL; 1987 break; 1988 1989 /* 1990 * Process the MAIL FROM response. When the server 1991 * rejects the sender, set the mail_from_rejected flag so 1992 * that the receiver may apply a course correction. 1993 */ 1994 case SMTP_STATE_MAIL: 1995 if (resp->code / 100 != 2) { 1996 smtp_mesg_fail(state, STR(iter->host), resp, 1997 "host %s said: %s (in reply to %s)", 1998 session->namaddr, 1999 translit(resp->str, "\n", " "), 2000 xfer_request[SMTP_STATE_MAIL]); 2001 mail_from_rejected = 1; 2002 } 2003 2004 /* 2005 * CVE-2009-3555 (TLS renegotiation). Whatever it was 2006 * that arrived before we sent our MAIL FROM command, it 2007 * was not a fatal-level TLS alert message. It could be a 2008 * warning-level TLS alert message, or a ChangeCipherSpec 2009 * message, but such messages are not normally sent in 2010 * the middle of a TLS session. We disconnect and try 2011 * again later. 2012 */ 2013 #ifdef USE_TLS 2014 if (var_smtp_tls_blk_early_mail_reply 2015 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) { 2016 smtp_site_fail(state, DSN_BY_LOCAL_MTA, 2017 SMTP_RESP_FAKE(&fake, "4.7.0"), 2018 "unexpected server message"); 2019 msg_warn("server %s violates %s policy", 2020 session->namaddr, 2021 VAR_LMTP_SMTP(TLS_BLK_EARLY_MAIL_REPLY)); 2022 mail_from_rejected = 1; 2023 } 2024 #endif 2025 2026 /* 2027 * We now return to our regular broadcast. 2028 */ 2029 recv_state = SMTP_STATE_RCPT; 2030 break; 2031 2032 /* 2033 * Process one RCPT TO response. If MAIL FROM was 2034 * rejected, ignore RCPT TO responses: all recipients are 2035 * dead already. When all recipients are rejected the 2036 * receiver may apply a course correction. 2037 * 2038 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply 2039 * must be treated as if the server replied with 452. 2040 * However, this causes "too much mail data" to be 2041 * treated as a recoverable error, which is wrong. I'll 2042 * stick with RFC 821. 2043 */ 2044 case SMTP_STATE_RCPT: 2045 if (!mail_from_rejected) { 2046 #ifdef notdef 2047 if (resp->code == 552) { 2048 resp->code = 452; 2049 resp->dsn[0] = '4'; 2050 } 2051 #endif 2052 rcpt = request->rcpt_list.info + recv_rcpt; 2053 if (resp->code / 100 == 2) { 2054 if (!smtp_mode) { 2055 if (survivors == 0) 2056 survivors = (int *) 2057 mymalloc(request->rcpt_list.len 2058 * sizeof(int)); 2059 survivors[nrcpt] = recv_rcpt; 2060 } 2061 ++nrcpt; 2062 /* If trace-only, mark the recipient done. */ 2063 if (DEL_REQ_TRACE_ONLY(request->flags) 2064 && smtp_vrfy_tgt == SMTP_STATE_RCPT) { 2065 translit(resp->str, "\n", " "); 2066 smtp_rcpt_done(state, resp, rcpt); 2067 } 2068 } else { 2069 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 2070 "host %s said: %s (in reply to %s)", 2071 session->namaddr, 2072 translit(resp->str, "\n", " "), 2073 xfer_request[SMTP_STATE_RCPT]); 2074 } 2075 } 2076 /* If trace-only, send RSET instead of DATA. */ 2077 if (++recv_rcpt == SMTP_RCPT_LEFT(state)) 2078 recv_state = (DEL_REQ_TRACE_ONLY(request->flags) 2079 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ? 2080 SMTP_STATE_ABORT : SMTP_STATE_DATA; 2081 /* XXX Also: record if non-delivering session. */ 2082 break; 2083 2084 /* 2085 * Process the DATA response. When the server rejects 2086 * DATA, set nrcpt to a negative value so that the 2087 * receiver can apply a course correction. 2088 */ 2089 case SMTP_STATE_DATA: 2090 recv_state = SMTP_STATE_DOT; 2091 if (resp->code / 100 != 3) { 2092 if (nrcpt > 0) 2093 smtp_mesg_fail(state, STR(iter->host), resp, 2094 "host %s said: %s (in reply to %s)", 2095 session->namaddr, 2096 translit(resp->str, "\n", " "), 2097 xfer_request[SMTP_STATE_DATA]); 2098 nrcpt = -1; 2099 } 2100 2101 /* 2102 * In the case of a successful address probe with target 2103 * equal to DATA, the remote server is now in the DATA 2104 * state, and therefore we must not make any further 2105 * attempt to send or receive on this connection. This 2106 * means that we cannot not reuse the general-purpose 2107 * course-correction logic below which sends RSET (and 2108 * perhaps QUIT). Instead we "jump" straight to the exit 2109 * and force an unceremonious disconnect. 2110 */ 2111 else if (DEL_REQ_TRACE_ONLY(request->flags) 2112 && smtp_vrfy_tgt == SMTP_STATE_DATA) { 2113 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 2114 rcpt = request->rcpt_list.info + nrcpt; 2115 if (!SMTP_RCPT_ISMARKED(rcpt)) { 2116 translit(resp->str, "\n", " "); 2117 SMTP_RESP_SET_DSN(resp, "2.0.0"); 2118 smtp_rcpt_done(state, resp, rcpt); 2119 } 2120 } 2121 DONT_CACHE_THIS_SESSION; 2122 send_state = recv_state = SMTP_STATE_LAST; 2123 } 2124 break; 2125 2126 /* 2127 * Process the end of message response. Ignore the 2128 * response when no recipient was accepted: all 2129 * recipients are dead already, and the next receiver 2130 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise, 2131 * if the message transfer fails, bounce all remaining 2132 * recipients, else cross off the recipients that were 2133 * delivered. 2134 */ 2135 case SMTP_STATE_DOT: 2136 GETTIMEOFDAY(&request->msg_stats.deliver_done); 2137 if (smtp_mode) { 2138 if (nrcpt > 0) { 2139 if (resp->code / 100 != 2) { 2140 smtp_mesg_fail(state, STR(iter->host), resp, 2141 "host %s said: %s (in reply to %s)", 2142 session->namaddr, 2143 translit(resp->str, "\n", " "), 2144 xfer_request[SMTP_STATE_DOT]); 2145 } else { 2146 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 2147 rcpt = request->rcpt_list.info + nrcpt; 2148 if (!SMTP_RCPT_ISMARKED(rcpt)) { 2149 translit(resp->str, "\n", " "); 2150 smtp_rcpt_done(state, resp, rcpt); 2151 } 2152 } 2153 } 2154 } 2155 } 2156 2157 /* 2158 * With LMTP we have one response per accepted RCPT TO 2159 * command. Stay in the SMTP_STATE_DOT state until we 2160 * have collected all responses. 2161 */ 2162 else { 2163 if (nrcpt > 0) { 2164 rcpt = request->rcpt_list.info 2165 + survivors[recv_done++]; 2166 if (resp->code / 100 != 2) { 2167 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 2168 "host %s said: %s (in reply to %s)", 2169 session->namaddr, 2170 translit(resp->str, "\n", " "), 2171 xfer_request[SMTP_STATE_DOT]); 2172 } else { 2173 translit(resp->str, "\n", " "); 2174 smtp_rcpt_done(state, resp, rcpt); 2175 } 2176 } 2177 if (msg_verbose) 2178 msg_info("%s: got %d of %d end-of-data replies", 2179 myname, recv_done, nrcpt); 2180 if (recv_done < nrcpt) 2181 break; 2182 } 2183 2184 /* 2185 * XXX Do not change the connection caching state here, 2186 * even if the connection caching timer expired between 2187 * generating the command and processing the reply, 2188 * otherwise the sender and receiver loops get out of 2189 * sync. The caller will call smtp_quit() if appropriate. 2190 */ 2191 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED 2192 || LOST_CONNECTION_INSIDE_DATA) 2193 recv_state = SMTP_STATE_LAST; 2194 else 2195 recv_state = SMTP_STATE_QUIT; 2196 break; 2197 2198 /* 2199 * Receive the RSET response. 2200 * 2201 * The SMTP_STATE_ABORT sender state is entered by the 2202 * sender when it has verified all recipients; or it is 2203 * entered by the receiver when all recipients are 2204 * verified or rejected, and is then left before the 2205 * bottom of the main loop. 2206 * 2207 * XXX Do not change the connection caching state here, even 2208 * if the server rejected RSET or if the connection 2209 * caching timer expired between generating the command 2210 * and processing the reply, otherwise the sender and 2211 * receiver loops get out of sync. The caller will call 2212 * smtp_quit() if appropriate. 2213 */ 2214 case SMTP_STATE_ABORT: 2215 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ? 2216 SMTP_STATE_LAST : SMTP_STATE_QUIT); 2217 break; 2218 2219 /* 2220 * This is the initial receiver state from smtp_rset(). 2221 * It is used to find out the status of a cached session 2222 * before attempting mail delivery. 2223 */ 2224 case SMTP_STATE_RSET: 2225 if (resp->code / 100 != 2) 2226 CANT_RSET_THIS_SESSION; 2227 recv_state = SMTP_STATE_LAST; 2228 break; 2229 2230 /* 2231 * Receive, but otherwise ignore, the QUIT response. 2232 */ 2233 case SMTP_STATE_QUIT: 2234 recv_state = SMTP_STATE_LAST; 2235 break; 2236 } 2237 } 2238 2239 /* 2240 * At this point, the sender and receiver are fully synchronized. 2241 */ 2242 2243 /* 2244 * We know the server response to every command that was sent. 2245 * Apply a course correction if necessary: the sender wants to 2246 * send RCPT TO but MAIL FROM was rejected; the sender wants to 2247 * send DATA but all recipients were rejected; the sender wants 2248 * to deliver the message but DATA was rejected. 2249 */ 2250 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected) 2251 || (send_state == SMTP_STATE_DATA && nrcpt == 0) 2252 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) { 2253 send_state = recv_state = SMTP_STATE_ABORT; 2254 send_rcpt = recv_rcpt = 0; 2255 vstring_strcpy(next_command, "RSET"); 2256 if (THIS_SESSION_IS_EXPIRED) 2257 DONT_CACHE_THIS_SESSION; 2258 next_state = THIS_SESSION_IS_CACHED ? 2259 SMTP_STATE_LAST : SMTP_STATE_QUIT; 2260 /* XXX Also: record if non-delivering session. */ 2261 next_rcpt = 0; 2262 } 2263 } 2264 2265 /* 2266 * Make the next sender state the current sender state. 2267 */ 2268 if (send_state == SMTP_STATE_LAST) 2269 continue; 2270 2271 /* 2272 * Special case if the server accepted the DATA command. If the 2273 * server accepted at least one recipient send the entire message. 2274 * Otherwise, just send "." as per RFC 2197. 2275 * 2276 * XXX If there is a hard MIME error while downgrading to 7-bit mail, 2277 * disconnect ungracefully, because there is no other way to cancel a 2278 * transaction in progress. 2279 */ 2280 if (send_state == SMTP_STATE_DOT && nrcpt > 0) { 2281 2282 smtp_stream_setup(session->stream, var_smtp_data1_tmout, 2283 var_smtp_req_deadline, var_smtp_min_data_rate); 2284 2285 if ((except = vstream_setjmp(session->stream)) == 0) { 2286 2287 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0) 2288 msg_fatal("seek queue file: %m"); 2289 2290 downgrading = SMTP_MIME_DOWNGRADE(session, request); 2291 2292 /* 2293 * XXX Don't downgrade just because generic_maps is turned 2294 * on. 2295 */ 2296 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks) 2297 2298 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS) 2299 session->mime_state = mime_state_alloc(downgrading ? 2300 MIME_OPT_DOWNGRADE 2301 | MIME_OPT_REPORT_NESTING : 2302 SMTP_ANY_CHECKS == 0 ? 2303 MIME_OPT_DISABLE_MIME : 2304 0, 2305 smtp_generic_maps 2306 || smtp_header_checks ? 2307 smtp_header_rewrite : 2308 smtp_header_out, 2309 (MIME_STATE_ANY_END) 0, 2310 smtp_body_checks ? 2311 smtp_body_rewrite : 2312 smtp_text_out, 2313 (MIME_STATE_ANY_END) 0, 2314 (MIME_STATE_ERR_PRINT) 0, 2315 (void *) state); 2316 state->space_left = var_smtp_line_limit; 2317 2318 if ((smtp_cli_attr.flags & SMTP_CLI_MASK_ADD_HEADERS) != 0 2319 && smtp_out_add_headers(state) < 0) 2320 RETURN(0); 2321 2322 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) { 2323 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 2324 break; 2325 if (smtp_out_raw_or_mime(state, rec_type, 2326 session->scratch) < 0) 2327 RETURN(0); 2328 prev_type = rec_type; 2329 } 2330 2331 if (session->mime_state) { 2332 2333 /* 2334 * The cleanup server normally ends MIME content with a 2335 * normal text record. The following code is needed to 2336 * flush an internal buffer when someone submits 8-bit 2337 * mail not ending in newline via /usr/sbin/sendmail 2338 * while MIME input processing is turned off, and MIME 2339 * 8bit->7bit conversion is requested upon delivery. 2340 * 2341 * Or some error while doing generic address mapping. 2342 */ 2343 mime_errs = 2344 mime_state_update(session->mime_state, rec_type, "", 0); 2345 if (mime_errs) { 2346 smtp_mime_fail(state, mime_errs); 2347 RETURN(0); 2348 } 2349 } else if (prev_type == REC_TYPE_CONT) /* missing newline */ 2350 smtp_fputs("", 0, session->stream); 2351 if (session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) { 2352 smtp_flush(session->stream);/* hurts performance */ 2353 sleep(var_smtp_pix_delay); /* not to mention this */ 2354 } 2355 if (vstream_ferror(state->src)) 2356 msg_fatal("queue file read error"); 2357 if (rec_type != REC_TYPE_XTRA) { 2358 msg_warn("%s: bad record type: %d in message content", 2359 request->queue_id, rec_type); 2360 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2361 SMTP_RESP_FAKE(&fake, "5.3.0"), 2362 "unreadable mail queue entry"); 2363 /* Bailing out, abort stream with prejudice */ 2364 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 2365 DONT_USE_FORBIDDEN_SESSION; 2366 /* If bounce_append() succeeded, status is still 0 */ 2367 if (state->status == 0) 2368 (void) mark_corrupt(state->src); 2369 /* Don't override smtp_mesg_fail() here. */ 2370 RETURN(fail_status); 2371 } 2372 } else { 2373 if (!LOST_CONNECTION_INSIDE_DATA) 2374 RETURN(smtp_stream_except(state, except, 2375 "sending message body")); 2376 2377 /* 2378 * We will clear the stream error flag to try and read a 2379 * premature 5XX response, so it is important to flush any 2380 * unwritten data. Otherwise, we will try to flush it again 2381 * before reading, which may incur an unnecessary delay and 2382 * will prevent the reading of any response that is not 2383 * already buffered (bundled with the DATA 354 response). 2384 * 2385 * Not much point in sending QUIT at this point, skip right to 2386 * SMTP_STATE_LAST. The read engine above will likewise avoid 2387 * looking for a QUIT response. 2388 */ 2389 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE); 2390 next_state = SMTP_STATE_LAST; 2391 } 2392 } 2393 2394 /* 2395 * Copy the next command to the buffer and update the sender state. 2396 */ 2397 if (except == 0) { 2398 smtp_chat_cmd(session, "%s", vstring_str(next_command)); 2399 } else { 2400 DONT_CACHE_THIS_SESSION; 2401 } 2402 send_state = next_state; 2403 send_rcpt = next_rcpt; 2404 } while (recv_state != SMTP_STATE_LAST); 2405 RETURN(0); 2406 } 2407 2408 /* smtp_xfer - send a batch of envelope information and the message data */ 2409 2410 int smtp_xfer(SMTP_STATE *state) 2411 { 2412 DELIVER_REQUEST *request = state->request; 2413 SMTP_SESSION *session = state->session; 2414 SMTP_RESP fake; 2415 int send_state; 2416 int recv_state; 2417 int send_name_addr; 2418 int result; 2419 2420 /* 2421 * Sanity check. Recipients should be unmarked at this point. 2422 */ 2423 if (SMTP_RCPT_LEFT(state) <= 0) 2424 msg_panic("smtp_xfer: bad recipient count: %d", 2425 SMTP_RCPT_LEFT(state)); 2426 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info)) 2427 msg_panic("smtp_xfer: bad recipient status: %d", 2428 request->rcpt_list.info->u.status); 2429 2430 /* 2431 * See if we should even try to send this message at all. This code sits 2432 * here rather than in the EHLO processing code, because of SMTP 2433 * connection caching. 2434 */ 2435 if (session->size_limit > 0 && session->size_limit < request->data_size) { 2436 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2437 SMTP_RESP_FAKE(&fake, "5.3.4"), 2438 "message size %lu exceeds size limit %.0f of server %s", 2439 request->data_size, (double) session->size_limit, 2440 session->namaddr); 2441 /* Redundant. We abort this delivery attempt. */ 2442 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2443 return (0); 2444 } 2445 2446 /* 2447 * Use XFORWARD to forward the origin of this email message across an 2448 * SMTP-based content filter. Send client attribute information only if 2449 * it exists (i.e. remote submission). Local submissions have no client 2450 * attributes; the mail will appear to originate from the content filter 2451 * which is acceptable. 2452 */ 2453 send_name_addr = 2454 var_smtp_send_xforward 2455 && (((session->features & SMTP_FEATURE_XFORWARD_NAME) 2456 && CAN_FORWARD_CLIENT_NAME(request->client_name)) 2457 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 2458 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) 2459 || ((session->features & SMTP_FEATURE_XFORWARD_PORT) 2460 && CAN_FORWARD_CLIENT_PORT(request->client_port))); 2461 session->send_proto_helo = 2462 var_smtp_send_xforward 2463 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) 2464 && CAN_FORWARD_PROTO_NAME(request->client_proto)) 2465 || ((session->features & SMTP_FEATURE_XFORWARD_HELO) 2466 && CAN_FORWARD_HELO_NAME(request->client_helo)) 2467 || ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 2468 && CAN_FORWARD_IDENT_NAME(request->log_ident)) 2469 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 2470 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); 2471 if (send_name_addr) 2472 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; 2473 else if (session->send_proto_helo) 2474 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO; 2475 else 2476 recv_state = send_state = SMTP_STATE_MAIL; 2477 2478 /* 2479 * Remember this session's "normal completion", even if the server 4xx-ed 2480 * some or all recipients. Connection or handshake errors with a later MX 2481 * host should not cause this destination be marked as unreachable. 2482 */ 2483 result = smtp_loop(state, send_state, recv_state); 2484 2485 if (result == 0 2486 /* Just in case */ 2487 && vstream_ferror(session->stream) == 0 2488 && vstream_feof(session->stream) == 0) 2489 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2490 2491 return (result); 2492 } 2493 2494 /* smtp_rset - send a lone RSET command */ 2495 2496 int smtp_rset(SMTP_STATE *state) 2497 { 2498 2499 /* 2500 * This works because SMTP_STATE_RSET is a dedicated sender/recipient 2501 * entry state, with SMTP_STATE_LAST as next sender/recipient state. 2502 */ 2503 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET)); 2504 } 2505 2506 /* smtp_quit - send a lone QUIT command */ 2507 2508 int smtp_quit(SMTP_STATE *state) 2509 { 2510 2511 /* 2512 * This works because SMTP_STATE_QUIT is the last state with a sender 2513 * action, with SMTP_STATE_LAST as the next sender/recipient state. 2514 */ 2515 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ? 2516 SMTP_STATE_LAST : SMTP_STATE_QUIT)); 2517 } 2518