1 /* $NetBSD: smtpd.c,v 1.14 2017/02/14 01:16:48 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtpd 8 6 /* SUMMARY 7 /* Postfix SMTP server 8 /* SYNOPSIS 9 /* \fBsmtpd\fR [generic Postfix daemon options] 10 /* 11 /* \fBsendmail -bs\fR 12 /* DESCRIPTION 13 /* The SMTP server accepts network connection requests 14 /* and performs zero or more SMTP transactions per connection. 15 /* Each received message is piped through the \fBcleanup\fR(8) 16 /* daemon, and is placed into the \fBincoming\fR queue as one 17 /* single queue file. For this mode of operation, the program 18 /* expects to be run from the \fBmaster\fR(8) process manager. 19 /* 20 /* Alternatively, the SMTP server be can run in stand-alone 21 /* mode; this is traditionally obtained with "\fBsendmail 22 /* -bs\fR". When the SMTP server runs stand-alone with non 23 /* $\fBmail_owner\fR privileges, it receives mail even while 24 /* the mail system is not running, deposits messages directly 25 /* into the \fBmaildrop\fR queue, and disables the SMTP server's 26 /* access policies. As of Postfix version 2.3, the SMTP server 27 /* refuses to receive mail from the network when it runs with 28 /* non $\fBmail_owner\fR privileges. 29 /* 30 /* The SMTP server implements a variety of policies for connection 31 /* requests, and for parameters given to \fBHELO, ETRN, MAIL FROM, VRFY\fR 32 /* and \fBRCPT TO\fR commands. They are detailed below and in the 33 /* \fBmain.cf\fR configuration file. 34 /* SECURITY 35 /* .ad 36 /* .fi 37 /* The SMTP server is moderately security-sensitive. It talks to SMTP 38 /* clients and to DNS servers on the network. The SMTP server can be 39 /* run chrooted at fixed low privilege. 40 /* STANDARDS 41 /* RFC 821 (SMTP protocol) 42 /* RFC 1123 (Host requirements) 43 /* RFC 1652 (8bit-MIME transport) 44 /* RFC 1869 (SMTP service extensions) 45 /* RFC 1870 (Message size declaration) 46 /* RFC 1985 (ETRN command) 47 /* RFC 2034 (SMTP enhanced status codes) 48 /* RFC 2554 (AUTH command) 49 /* RFC 2821 (SMTP protocol) 50 /* RFC 2920 (SMTP pipelining) 51 /* RFC 3207 (STARTTLS command) 52 /* RFC 3461 (SMTP DSN extension) 53 /* RFC 3463 (Enhanced status codes) 54 /* RFC 3848 (ESMTP transmission types) 55 /* RFC 4409 (Message submission) 56 /* RFC 4954 (AUTH command) 57 /* RFC 5321 (SMTP protocol) 58 /* RFC 6531 (Internationalized SMTP) 59 /* RFC 6533 (Internationalized Delivery Status Notifications) 60 /* RFC 7505 ("Null MX" No Service Resource Record) 61 /* DIAGNOSTICS 62 /* Problems and transactions are logged to \fBsyslogd\fR(8). 63 /* 64 /* Depending on the setting of the \fBnotify_classes\fR parameter, 65 /* the postmaster is notified of bounces, protocol problems, 66 /* policy violations, and of other trouble. 67 /* CONFIGURATION PARAMETERS 68 /* .ad 69 /* .fi 70 /* Changes to \fBmain.cf\fR are picked up automatically, as \fBsmtpd\fR(8) 71 /* processes run for only a limited amount of time. Use the command 72 /* "\fBpostfix reload\fR" to speed up a change. 73 /* 74 /* The text below provides only a parameter summary. See 75 /* \fBpostconf\fR(5) for more details including examples. 76 /* COMPATIBILITY CONTROLS 77 /* .ad 78 /* .fi 79 /* The following parameters work around implementation errors in other 80 /* software, and/or allow you to override standards in order to prevent 81 /* undesirable use. 82 /* .ad 83 /* .fi 84 /* .IP "\fBbroken_sasl_auth_clients (no)\fR" 85 /* Enable interoperability with remote SMTP clients that implement an obsolete 86 /* version of the AUTH command (RFC 4954). 87 /* .IP "\fBdisable_vrfy_command (no)\fR" 88 /* Disable the SMTP VRFY command. 89 /* .IP "\fBsmtpd_noop_commands (empty)\fR" 90 /* List of commands that the Postfix SMTP server replies to with "250 91 /* Ok", without doing any syntax checks and without changing state. 92 /* .IP "\fBstrict_rfc821_envelopes (no)\fR" 93 /* Require that addresses received in SMTP MAIL FROM and RCPT TO 94 /* commands are enclosed with <>, and that those addresses do 95 /* not contain RFC 822 style comments or phrases. 96 /* .PP 97 /* Available in Postfix version 2.1 and later: 98 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR" 99 /* Request that the Postfix SMTP server rejects mail from unknown 100 /* sender addresses, even when no explicit reject_unlisted_sender 101 /* access restriction is specified. 102 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR" 103 /* What remote SMTP clients the Postfix SMTP server will not offer 104 /* AUTH support to. 105 /* .PP 106 /* Available in Postfix version 2.2 and later: 107 /* .IP "\fBsmtpd_discard_ehlo_keyword_address_maps (empty)\fR" 108 /* Lookup tables, indexed by the remote SMTP client address, with 109 /* case insensitive lists of EHLO keywords (pipelining, starttls, auth, 110 /* etc.) that the Postfix SMTP server will not send in the EHLO response 111 /* to a 112 /* remote SMTP client. 113 /* .IP "\fBsmtpd_discard_ehlo_keywords (empty)\fR" 114 /* A case insensitive list of EHLO keywords (pipelining, starttls, 115 /* auth, etc.) that the Postfix SMTP server will not send in the EHLO 116 /* response 117 /* to a remote SMTP client. 118 /* .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR" 119 /* Postpone the start of an SMTP mail transaction until a valid 120 /* RCPT TO command is received. 121 /* .PP 122 /* Available in Postfix version 2.3 and later: 123 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR" 124 /* Force the Postfix SMTP server to issue a TLS session id, even 125 /* when TLS session caching is turned off (smtpd_tls_session_cache_database 126 /* is empty). 127 /* .PP 128 /* Available in Postfix version 2.6 and later: 129 /* .IP "\fBtcp_windowsize (0)\fR" 130 /* An optional workaround for routers that break TCP window scaling. 131 /* .PP 132 /* Available in Postfix version 2.7 and later: 133 /* .IP "\fBsmtpd_command_filter (empty)\fR" 134 /* A mechanism to transform commands from remote SMTP clients. 135 /* .PP 136 /* Available in Postfix version 2.9 and later: 137 /* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR" 138 /* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout 139 /* time limits, from a 140 /* time limit per read or write system call, to a time limit to send 141 /* or receive a complete record (an SMTP command line, SMTP response 142 /* line, SMTP message content line, or TLS protocol message). 143 /* .PP 144 /* Available in Postfix version 3.0 and later: 145 /* .IP "\fBsmtpd_dns_reply_filter (empty)\fR" 146 /* Optional filter for Postfix SMTP server DNS lookup results. 147 /* ADDRESS REWRITING CONTROLS 148 /* .ad 149 /* .fi 150 /* See the ADDRESS_REWRITING_README document for a detailed 151 /* discussion of Postfix address rewriting. 152 /* .IP "\fBreceive_override_options (empty)\fR" 153 /* Enable or disable recipient validation, built-in content 154 /* filtering, or address mapping. 155 /* .PP 156 /* Available in Postfix version 2.2 and later: 157 /* .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR" 158 /* Rewrite message header addresses in mail from these clients and 159 /* update incomplete addresses with the domain name in $myorigin or 160 /* $mydomain; either don't rewrite message headers from other clients 161 /* at all, or rewrite message headers and update incomplete addresses 162 /* with the domain specified in the remote_header_rewrite_domain 163 /* parameter. 164 /* BEFORE-SMTPD PROXY AGENT 165 /* .ad 166 /* .fi 167 /* Available in Postfix version 2.10 and later: 168 /* .IP "\fBsmtpd_upstream_proxy_protocol (empty)\fR" 169 /* The name of the proxy protocol used by an optional before-smtpd 170 /* proxy agent. 171 /* .IP "\fBsmtpd_upstream_proxy_timeout (5s)\fR" 172 /* The time limit for the proxy protocol specified with the 173 /* smtpd_upstream_proxy_protocol parameter. 174 /* AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS 175 /* .ad 176 /* .fi 177 /* As of version 1.0, Postfix can be configured to send new mail to 178 /* an external content filter AFTER the mail is queued. This content 179 /* filter is expected to inject mail back into a (Postfix or other) 180 /* MTA for further delivery. See the FILTER_README document for details. 181 /* .IP "\fBcontent_filter (empty)\fR" 182 /* After the message is queued, send the entire message to the 183 /* specified \fItransport:destination\fR. 184 /* BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS 185 /* .ad 186 /* .fi 187 /* As of version 2.1, the Postfix SMTP server can be configured 188 /* to send incoming mail to a real-time SMTP-based content filter 189 /* BEFORE mail is queued. This content filter is expected to inject 190 /* mail back into Postfix. See the SMTPD_PROXY_README document for 191 /* details on how to configure and operate this feature. 192 /* .IP "\fBsmtpd_proxy_filter (empty)\fR" 193 /* The hostname and TCP port of the mail filtering proxy server. 194 /* .IP "\fBsmtpd_proxy_ehlo ($myhostname)\fR" 195 /* How the Postfix SMTP server announces itself to the proxy filter. 196 /* .IP "\fBsmtpd_proxy_options (empty)\fR" 197 /* List of options that control how the Postfix SMTP server 198 /* communicates with a before-queue content filter. 199 /* .IP "\fBsmtpd_proxy_timeout (100s)\fR" 200 /* The time limit for connecting to a proxy filter and for sending or 201 /* receiving information. 202 /* BEFORE QUEUE MILTER CONTROLS 203 /* .ad 204 /* .fi 205 /* As of version 2.3, Postfix supports the Sendmail version 8 206 /* Milter (mail filter) protocol. These content filters run 207 /* outside Postfix. They can inspect the SMTP command stream 208 /* and the message content, and can request modifications before 209 /* mail is queued. For details see the MILTER_README document. 210 /* .IP "\fBsmtpd_milters (empty)\fR" 211 /* A list of Milter (mail filter) applications for new mail that 212 /* arrives via the Postfix \fBsmtpd\fR(8) server. 213 /* .IP "\fBmilter_protocol (6)\fR" 214 /* The mail filter protocol version and optional protocol extensions 215 /* for communication with a Milter application; prior to Postfix 2.6 216 /* the default protocol is 2. 217 /* .IP "\fBmilter_default_action (tempfail)\fR" 218 /* The default action when a Milter (mail filter) application is 219 /* unavailable or mis-configured. 220 /* .IP "\fBmilter_macro_daemon_name ($myhostname)\fR" 221 /* The {daemon_name} macro value for Milter (mail filter) applications. 222 /* .IP "\fBmilter_macro_v ($mail_name $mail_version)\fR" 223 /* The {v} macro value for Milter (mail filter) applications. 224 /* .IP "\fBmilter_connect_timeout (30s)\fR" 225 /* The time limit for connecting to a Milter (mail filter) 226 /* application, and for negotiating protocol options. 227 /* .IP "\fBmilter_command_timeout (30s)\fR" 228 /* The time limit for sending an SMTP command to a Milter (mail 229 /* filter) application, and for receiving the response. 230 /* .IP "\fBmilter_content_timeout (300s)\fR" 231 /* The time limit for sending message content to a Milter (mail 232 /* filter) application, and for receiving the response. 233 /* .IP "\fBmilter_connect_macros (see 'postconf -d' output)\fR" 234 /* The macros that are sent to Milter (mail filter) applications 235 /* after completion of an SMTP connection. 236 /* .IP "\fBmilter_helo_macros (see 'postconf -d' output)\fR" 237 /* The macros that are sent to Milter (mail filter) applications 238 /* after the SMTP HELO or EHLO command. 239 /* .IP "\fBmilter_mail_macros (see 'postconf -d' output)\fR" 240 /* The macros that are sent to Milter (mail filter) applications 241 /* after the SMTP MAIL FROM command. 242 /* .IP "\fBmilter_rcpt_macros (see 'postconf -d' output)\fR" 243 /* The macros that are sent to Milter (mail filter) applications 244 /* after the SMTP RCPT TO command. 245 /* .IP "\fBmilter_data_macros (see 'postconf -d' output)\fR" 246 /* The macros that are sent to version 4 or higher Milter (mail 247 /* filter) applications after the SMTP DATA command. 248 /* .IP "\fBmilter_unknown_command_macros (see 'postconf -d' output)\fR" 249 /* The macros that are sent to version 3 or higher Milter (mail 250 /* filter) applications after an unknown SMTP command. 251 /* .IP "\fBmilter_end_of_header_macros (see 'postconf -d' output)\fR" 252 /* The macros that are sent to Milter (mail filter) applications 253 /* after the end of the message header. 254 /* .IP "\fBmilter_end_of_data_macros (see 'postconf -d' output)\fR" 255 /* The macros that are sent to Milter (mail filter) applications 256 /* after the message end-of-data. 257 /* .PP 258 /* Available in Postfix version 3.1 and later: 259 /* .IP "\fBmilter_macro_defaults (empty)\fR" 260 /* Optional list of \fIname=value\fR pairs that specify default 261 /* values for arbitrary macros that Postfix may send to Milter 262 /* applications. 263 /* GENERAL CONTENT INSPECTION CONTROLS 264 /* .ad 265 /* .fi 266 /* The following parameters are applicable for both built-in 267 /* and external content filters. 268 /* .PP 269 /* Available in Postfix version 2.1 and later: 270 /* .IP "\fBreceive_override_options (empty)\fR" 271 /* Enable or disable recipient validation, built-in content 272 /* filtering, or address mapping. 273 /* EXTERNAL CONTENT INSPECTION CONTROLS 274 /* .ad 275 /* .fi 276 /* The following parameters are applicable for both before-queue 277 /* and after-queue content filtering. 278 /* .PP 279 /* Available in Postfix version 2.1 and later: 280 /* .IP "\fBsmtpd_authorized_xforward_hosts (empty)\fR" 281 /* What remote SMTP clients are allowed to use the XFORWARD feature. 282 /* SASL AUTHENTICATION CONTROLS 283 /* .ad 284 /* .fi 285 /* Postfix SASL support (RFC 4954) can be used to authenticate remote 286 /* SMTP clients to the Postfix SMTP server, and to authenticate the 287 /* Postfix SMTP client to a remote SMTP server. 288 /* See the SASL_README document for details. 289 /* .IP "\fBbroken_sasl_auth_clients (no)\fR" 290 /* Enable interoperability with remote SMTP clients that implement an obsolete 291 /* version of the AUTH command (RFC 4954). 292 /* .IP "\fBsmtpd_sasl_auth_enable (no)\fR" 293 /* Enable SASL authentication in the Postfix SMTP server. 294 /* .IP "\fBsmtpd_sasl_local_domain (empty)\fR" 295 /* The name of the Postfix SMTP server's local SASL authentication 296 /* realm. 297 /* .IP "\fBsmtpd_sasl_security_options (noanonymous)\fR" 298 /* Postfix SMTP server SASL security options; as of Postfix 2.3 299 /* the list of available 300 /* features depends on the SASL server implementation that is selected 301 /* with \fBsmtpd_sasl_type\fR. 302 /* .IP "\fBsmtpd_sender_login_maps (empty)\fR" 303 /* Optional lookup table with the SASL login names that own the sender 304 /* (MAIL FROM) addresses. 305 /* .PP 306 /* Available in Postfix version 2.1 and later: 307 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR" 308 /* What remote SMTP clients the Postfix SMTP server will not offer 309 /* AUTH support to. 310 /* .PP 311 /* Available in Postfix version 2.1 and 2.2: 312 /* .IP "\fBsmtpd_sasl_application_name (smtpd)\fR" 313 /* The application name that the Postfix SMTP server uses for SASL 314 /* server initialization. 315 /* .PP 316 /* Available in Postfix version 2.3 and later: 317 /* .IP "\fBsmtpd_sasl_authenticated_header (no)\fR" 318 /* Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received 319 /* message header. 320 /* .IP "\fBsmtpd_sasl_path (smtpd)\fR" 321 /* Implementation-specific information that the Postfix SMTP server 322 /* passes through to 323 /* the SASL plug-in implementation that is selected with 324 /* \fBsmtpd_sasl_type\fR. 325 /* .IP "\fBsmtpd_sasl_type (cyrus)\fR" 326 /* The SASL plug-in type that the Postfix SMTP server should use 327 /* for authentication. 328 /* .PP 329 /* Available in Postfix version 2.5 and later: 330 /* .IP "\fBcyrus_sasl_config_path (empty)\fR" 331 /* Search path for Cyrus SASL application configuration files, 332 /* currently used only to locate the $smtpd_sasl_path.conf file. 333 /* .PP 334 /* Available in Postfix version 2.11 and later: 335 /* .IP "\fBsmtpd_sasl_service (smtp)\fR" 336 /* The service name that is passed to the SASL plug-in that is 337 /* selected with \fBsmtpd_sasl_type\fR and \fBsmtpd_sasl_path\fR. 338 /* STARTTLS SUPPORT CONTROLS 339 /* .ad 340 /* .fi 341 /* Detailed information about STARTTLS configuration may be 342 /* found in the TLS_README document. 343 /* .IP "\fBsmtpd_tls_security_level (empty)\fR" 344 /* The SMTP TLS security level for the Postfix SMTP server; when 345 /* a non-empty value is specified, this overrides the obsolete parameters 346 /* smtpd_use_tls and smtpd_enforce_tls. 347 /* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR" 348 /* The SASL authentication security options that the Postfix SMTP 349 /* server uses for TLS encrypted SMTP sessions. 350 /* .IP "\fBsmtpd_starttls_timeout (see 'postconf -d' output)\fR" 351 /* The time limit for Postfix SMTP server write and read operations 352 /* during TLS startup and shutdown handshake procedures. 353 /* .IP "\fBsmtpd_tls_CAfile (empty)\fR" 354 /* A file containing (PEM format) CA certificates of root CAs trusted 355 /* to sign either remote SMTP client certificates or intermediate CA 356 /* certificates. 357 /* .IP "\fBsmtpd_tls_CApath (empty)\fR" 358 /* A directory containing (PEM format) CA certificates of root CAs 359 /* trusted to sign either remote SMTP client certificates or intermediate CA 360 /* certificates. 361 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR" 362 /* Force the Postfix SMTP server to issue a TLS session id, even 363 /* when TLS session caching is turned off (smtpd_tls_session_cache_database 364 /* is empty). 365 /* .IP "\fBsmtpd_tls_ask_ccert (no)\fR" 366 /* Ask a remote SMTP client for a client certificate. 367 /* .IP "\fBsmtpd_tls_auth_only (no)\fR" 368 /* When TLS encryption is optional in the Postfix SMTP server, do 369 /* not announce or accept SASL authentication over unencrypted 370 /* connections. 371 /* .IP "\fBsmtpd_tls_ccert_verifydepth (9)\fR" 372 /* The verification depth for remote SMTP client certificates. 373 /* .IP "\fBsmtpd_tls_cert_file (empty)\fR" 374 /* File with the Postfix SMTP server RSA certificate in PEM format. 375 /* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR" 376 /* List of ciphers or cipher types to exclude from the SMTP server 377 /* cipher list at all TLS security levels. 378 /* .IP "\fBsmtpd_tls_dcert_file (empty)\fR" 379 /* File with the Postfix SMTP server DSA certificate in PEM format. 380 /* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR" 381 /* File with DH parameters that the Postfix SMTP server should 382 /* use with non-export EDH ciphers. 383 /* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR" 384 /* File with DH parameters that the Postfix SMTP server should 385 /* use with export-grade EDH ciphers. 386 /* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR" 387 /* File with the Postfix SMTP server DSA private key in PEM format. 388 /* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR" 389 /* File with the Postfix SMTP server RSA private key in PEM format. 390 /* .IP "\fBsmtpd_tls_loglevel (0)\fR" 391 /* Enable additional Postfix SMTP server logging of TLS activity. 392 /* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR" 393 /* The minimum TLS cipher grade that the Postfix SMTP server will 394 /* use with mandatory TLS encryption. 395 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" 396 /* Additional list of ciphers or cipher types to exclude from the 397 /* Postfix SMTP server cipher list at mandatory TLS security levels. 398 /* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2, !SSLv3)\fR" 399 /* The SSL/TLS protocols accepted by the Postfix SMTP server with 400 /* mandatory TLS encryption. 401 /* .IP "\fBsmtpd_tls_received_header (no)\fR" 402 /* Request that the Postfix SMTP server produces Received: message 403 /* headers that include information about the protocol and cipher used, 404 /* as well as the remote SMTP client CommonName and client certificate issuer 405 /* CommonName. 406 /* .IP "\fBsmtpd_tls_req_ccert (no)\fR" 407 /* With mandatory TLS encryption, require a trusted remote SMTP client 408 /* certificate in order to allow TLS connections to proceed. 409 /* .IP "\fBsmtpd_tls_wrappermode (no)\fR" 410 /* Run the Postfix SMTP server in the non-standard "wrapper" mode, 411 /* instead of using the STARTTLS command. 412 /* .IP "\fBtls_daemon_random_bytes (32)\fR" 413 /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) 414 /* process requests from the \fBtlsmgr\fR(8) server in order to seed its 415 /* internal pseudo random number generator (PRNG). 416 /* .IP "\fBtls_high_cipherlist (see 'postconf -d' output)\fR" 417 /* The OpenSSL cipherlist for "high" grade ciphers. 418 /* .IP "\fBtls_medium_cipherlist (see 'postconf -d' output)\fR" 419 /* The OpenSSL cipherlist for "medium" or higher grade ciphers. 420 /* .IP "\fBtls_low_cipherlist (see 'postconf -d' output)\fR" 421 /* The OpenSSL cipherlist for "low" or higher grade ciphers. 422 /* .IP "\fBtls_export_cipherlist (see 'postconf -d' output)\fR" 423 /* The OpenSSL cipherlist for "export" or higher grade ciphers. 424 /* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR" 425 /* The OpenSSL cipherlist for "NULL" grade ciphers that provide 426 /* authentication without encryption. 427 /* .PP 428 /* Available in Postfix version 2.5 and later: 429 /* .IP "\fBsmtpd_tls_fingerprint_digest (md5)\fR" 430 /* The message digest algorithm to construct remote SMTP 431 /* client-certificate 432 /* fingerprints or public key fingerprints (Postfix 2.9 and later) 433 /* for \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR. 434 /* .PP 435 /* Available in Postfix version 2.6 and later: 436 /* .IP "\fBsmtpd_tls_protocols (!SSLv2, !SSLv3)\fR" 437 /* List of TLS protocols that the Postfix SMTP server will exclude 438 /* or include with opportunistic TLS encryption. 439 /* .IP "\fBsmtpd_tls_ciphers (medium)\fR" 440 /* The minimum TLS cipher grade that the Postfix SMTP server 441 /* will use with opportunistic TLS encryption. 442 /* .IP "\fBsmtpd_tls_eccert_file (empty)\fR" 443 /* File with the Postfix SMTP server ECDSA certificate in PEM format. 444 /* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR" 445 /* File with the Postfix SMTP server ECDSA private key in PEM format. 446 /* .IP "\fBsmtpd_tls_eecdh_grade (see 'postconf -d' output)\fR" 447 /* The Postfix SMTP server security grade for ephemeral elliptic-curve 448 /* Diffie-Hellman (EECDH) key exchange. 449 /* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR" 450 /* The elliptic curve used by the Postfix SMTP server for sensibly 451 /* strong 452 /* ephemeral ECDH key exchange. 453 /* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR" 454 /* The elliptic curve used by the Postfix SMTP server for maximally 455 /* strong 456 /* ephemeral ECDH key exchange. 457 /* .PP 458 /* Available in Postfix version 2.8 and later: 459 /* .IP "\fBtls_preempt_cipherlist (no)\fR" 460 /* With SSLv3 and later, use the Postfix SMTP server's cipher 461 /* preference order instead of the remote client's cipher preference 462 /* order. 463 /* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" 464 /* List or bit-mask of OpenSSL bug work-arounds to disable. 465 /* .PP 466 /* Available in Postfix version 2.11 and later: 467 /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR" 468 /* The name of the \fBtlsmgr\fR(8) service entry in master.cf. 469 /* .PP 470 /* Available in Postfix version 3.0 and later: 471 /* .IP "\fBtls_session_ticket_cipher (Postfix >= 3.0: aes-256-cbc, Postfix < 3.0: aes-128-cbc)\fR" 472 /* Algorithm used to encrypt RFC5077 TLS session tickets. 473 /* OBSOLETE STARTTLS CONTROLS 474 /* .ad 475 /* .fi 476 /* The following configuration parameters exist for compatibility 477 /* with Postfix versions before 2.3. Support for these will 478 /* be removed in a future release. 479 /* .IP "\fBsmtpd_use_tls (no)\fR" 480 /* Opportunistic TLS: announce STARTTLS support to remote SMTP clients, 481 /* but do not require that clients use TLS encryption. 482 /* .IP "\fBsmtpd_enforce_tls (no)\fR" 483 /* Mandatory TLS: announce STARTTLS support to remote SMTP clients, 484 /* and require that clients use TLS encryption. 485 /* .IP "\fBsmtpd_tls_cipherlist (empty)\fR" 486 /* Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS 487 /* cipher list. 488 /* SMTPUTF8 CONTROLS 489 /* .ad 490 /* .fi 491 /* Preliminary SMTPUTF8 support is introduced with Postfix 3.0. 492 /* .IP "\fBsmtputf8_enable (yes)\fR" 493 /* Enable preliminary SMTPUTF8 support for the protocols described 494 /* in RFC 6531..6533. 495 /* .IP "\fBstrict_smtputf8 (no)\fR" 496 /* Enable stricter enforcement of the SMTPUTF8 protocol. 497 /* .IP "\fBsmtputf8_autodetect_classes (sendmail, verify)\fR" 498 /* Detect that a message requires SMTPUTF8 support for the specified 499 /* mail origin classes. 500 /* VERP SUPPORT CONTROLS 501 /* .ad 502 /* .fi 503 /* With VERP style delivery, each recipient of a message receives a 504 /* customized copy of the message with his/her own recipient address 505 /* encoded in the envelope sender address. The VERP_README file 506 /* describes configuration and operation details of Postfix support 507 /* for variable envelope return path addresses. VERP style delivery 508 /* is requested with the SMTP XVERP command or with the "sendmail 509 /* -V" command-line option and is available in Postfix version 1.1 510 /* and later. 511 /* .IP "\fBdefault_verp_delimiters (+=)\fR" 512 /* The two default VERP delimiter characters. 513 /* .IP "\fBverp_delimiter_filter (-=+)\fR" 514 /* The characters Postfix accepts as VERP delimiter characters on the 515 /* Postfix \fBsendmail\fR(1) command line and in SMTP commands. 516 /* .PP 517 /* Available in Postfix version 1.1 and 2.0: 518 /* .IP "\fBauthorized_verp_clients ($mynetworks)\fR" 519 /* What remote SMTP clients are allowed to specify the XVERP command. 520 /* .PP 521 /* Available in Postfix version 2.1 and later: 522 /* .IP "\fBsmtpd_authorized_verp_clients ($authorized_verp_clients)\fR" 523 /* What remote SMTP clients are allowed to specify the XVERP command. 524 /* TROUBLE SHOOTING CONTROLS 525 /* .ad 526 /* .fi 527 /* The DEBUG_README document describes how to debug parts of the 528 /* Postfix mail system. The methods vary from making the software log 529 /* a lot of detail, to running some daemon processes under control of 530 /* a call tracer or debugger. 531 /* .IP "\fBdebug_peer_level (2)\fR" 532 /* The increment in verbose logging level when a remote client or 533 /* server matches a pattern in the debug_peer_list parameter. 534 /* .IP "\fBdebug_peer_list (empty)\fR" 535 /* Optional list of remote client or server hostname or network 536 /* address patterns that cause the verbose logging level to increase 537 /* by the amount specified in $debug_peer_level. 538 /* .IP "\fBerror_notice_recipient (postmaster)\fR" 539 /* The recipient of postmaster notifications about mail delivery 540 /* problems that are caused by policy, resource, software or protocol 541 /* errors. 542 /* .IP "\fBinternal_mail_filter_classes (empty)\fR" 543 /* What categories of Postfix-generated mail are subject to 544 /* before-queue content inspection by non_smtpd_milters, header_checks 545 /* and body_checks. 546 /* .IP "\fBnotify_classes (resource, software)\fR" 547 /* The list of error classes that are reported to the postmaster. 548 /* .IP "\fBsmtpd_reject_footer (empty)\fR" 549 /* Optional information that is appended after each Postfix SMTP 550 /* server 551 /* 4XX or 5XX response. 552 /* .IP "\fBsoft_bounce (no)\fR" 553 /* Safety net to keep mail queued that would otherwise be returned to 554 /* the sender. 555 /* .PP 556 /* Available in Postfix version 2.1 and later: 557 /* .IP "\fBsmtpd_authorized_xclient_hosts (empty)\fR" 558 /* What remote SMTP clients are allowed to use the XCLIENT feature. 559 /* .PP 560 /* Available in Postfix version 2.10 and later: 561 /* .IP "\fBsmtpd_log_access_permit_actions (empty)\fR" 562 /* Enable logging of the named "permit" actions in SMTP server 563 /* access lists (by default, the SMTP server logs "reject" actions but 564 /* not "permit" actions). 565 /* KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS 566 /* .ad 567 /* .fi 568 /* As of Postfix version 2.0, the SMTP server rejects mail for 569 /* unknown recipients. This prevents the mail queue from clogging up 570 /* with undeliverable MAILER-DAEMON messages. Additional information 571 /* on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README 572 /* documents. 573 /* .IP "\fBshow_user_unknown_table_name (yes)\fR" 574 /* Display the name of the recipient table in the "User unknown" 575 /* responses. 576 /* .IP "\fBcanonical_maps (empty)\fR" 577 /* Optional address mapping lookup tables for message headers and 578 /* envelopes. 579 /* .IP "\fBrecipient_canonical_maps (empty)\fR" 580 /* Optional address mapping lookup tables for envelope and header 581 /* recipient addresses. 582 /* .PP 583 /* Parameters concerning known/unknown local recipients: 584 /* .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR" 585 /* The list of domains that are delivered via the $local_transport 586 /* mail delivery transport. 587 /* .IP "\fBinet_interfaces (all)\fR" 588 /* The network interface addresses that this mail system receives 589 /* mail on. 590 /* .IP "\fBproxy_interfaces (empty)\fR" 591 /* The network interface addresses that this mail system receives mail 592 /* on by way of a proxy or network address translation unit. 593 /* .IP "\fBinet_protocols (all)\fR" 594 /* The Internet protocols Postfix will attempt to use when making 595 /* or accepting connections. 596 /* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR" 597 /* Lookup tables with all names or addresses of local recipients: 598 /* a recipient address is local when its domain matches $mydestination, 599 /* $inet_interfaces or $proxy_interfaces. 600 /* .IP "\fBunknown_local_recipient_reject_code (550)\fR" 601 /* The numerical Postfix SMTP server response code when a recipient 602 /* address is local, and $local_recipient_maps specifies a list of 603 /* lookup tables that does not match the recipient. 604 /* .PP 605 /* Parameters concerning known/unknown recipients of relay destinations: 606 /* .IP "\fBrelay_domains (Postfix >= 3.0: empty, Postfix < 3.0: $mydestination)\fR" 607 /* What destination domains (and subdomains thereof) this system 608 /* will relay mail to. 609 /* .IP "\fBrelay_recipient_maps (empty)\fR" 610 /* Optional lookup tables with all valid addresses in the domains 611 /* that match $relay_domains. 612 /* .IP "\fBunknown_relay_recipient_reject_code (550)\fR" 613 /* The numerical Postfix SMTP server reply code when a recipient 614 /* address matches $relay_domains, and relay_recipient_maps specifies 615 /* a list of lookup tables that does not match the recipient address. 616 /* .PP 617 /* Parameters concerning known/unknown recipients in virtual alias 618 /* domains: 619 /* .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR" 620 /* Postfix is final destination for the specified list of virtual 621 /* alias domains, that is, domains for which all addresses are aliased 622 /* to addresses in other local or remote domains. 623 /* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR" 624 /* Optional lookup tables that alias specific mail addresses or domains 625 /* to other local or remote address. 626 /* .IP "\fBunknown_virtual_alias_reject_code (550)\fR" 627 /* The Postfix SMTP server reply code when a recipient address matches 628 /* $virtual_alias_domains, and $virtual_alias_maps specifies a list 629 /* of lookup tables that does not match the recipient address. 630 /* .PP 631 /* Parameters concerning known/unknown recipients in virtual mailbox 632 /* domains: 633 /* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR" 634 /* Postfix is final destination for the specified list of domains; 635 /* mail is delivered via the $virtual_transport mail delivery transport. 636 /* .IP "\fBvirtual_mailbox_maps (empty)\fR" 637 /* Optional lookup tables with all valid addresses in the domains that 638 /* match $virtual_mailbox_domains. 639 /* .IP "\fBunknown_virtual_mailbox_reject_code (550)\fR" 640 /* The Postfix SMTP server reply code when a recipient address matches 641 /* $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list 642 /* of lookup tables that does not match the recipient address. 643 /* RESOURCE AND RATE CONTROLS 644 /* .ad 645 /* .fi 646 /* The following parameters limit resource usage by the SMTP 647 /* server and/or control client request rates. 648 /* .IP "\fBline_length_limit (2048)\fR" 649 /* Upon input, long lines are chopped up into pieces of at most 650 /* this length; upon delivery, long lines are reconstructed. 651 /* .IP "\fBqueue_minfree (0)\fR" 652 /* The minimal amount of free space in bytes in the queue file system 653 /* that is needed to receive mail. 654 /* .IP "\fBmessage_size_limit (10240000)\fR" 655 /* The maximal size in bytes of a message, including envelope information. 656 /* .IP "\fBsmtpd_recipient_limit (1000)\fR" 657 /* The maximal number of recipients that the Postfix SMTP server 658 /* accepts per message delivery request. 659 /* .IP "\fBsmtpd_timeout (normal: 300s, overload: 10s)\fR" 660 /* The time limit for sending a Postfix SMTP server response and for 661 /* receiving a remote SMTP client request. 662 /* .IP "\fBsmtpd_history_flush_threshold (100)\fR" 663 /* The maximal number of lines in the Postfix SMTP server command history 664 /* before it is flushed upon receipt of EHLO, RSET, or end of DATA. 665 /* .PP 666 /* Available in Postfix version 2.3 and later: 667 /* .IP "\fBsmtpd_peername_lookup (yes)\fR" 668 /* Attempt to look up the remote SMTP client hostname, and verify that 669 /* the name matches the client IP address. 670 /* .PP 671 /* The per SMTP client connection count and request rate limits are 672 /* implemented in co-operation with the \fBanvil\fR(8) service, and 673 /* are available in Postfix version 2.2 and later. 674 /* .IP "\fBsmtpd_client_connection_count_limit (50)\fR" 675 /* How many simultaneous connections any client is allowed to 676 /* make to this service. 677 /* .IP "\fBsmtpd_client_connection_rate_limit (0)\fR" 678 /* The maximal number of connection attempts any client is allowed to 679 /* make to this service per time unit. 680 /* .IP "\fBsmtpd_client_message_rate_limit (0)\fR" 681 /* The maximal number of message delivery requests that any client is 682 /* allowed to make to this service per time unit, regardless of whether 683 /* or not Postfix actually accepts those messages. 684 /* .IP "\fBsmtpd_client_recipient_rate_limit (0)\fR" 685 /* The maximal number of recipient addresses that any client is allowed 686 /* to send to this service per time unit, regardless of whether or not 687 /* Postfix actually accepts those recipients. 688 /* .IP "\fBsmtpd_client_event_limit_exceptions ($mynetworks)\fR" 689 /* Clients that are excluded from smtpd_client_*_count/rate_limit 690 /* restrictions. 691 /* .PP 692 /* Available in Postfix version 2.3 and later: 693 /* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR" 694 /* The maximal number of new (i.e., uncached) TLS sessions that a 695 /* remote SMTP client is allowed to negotiate with this service per 696 /* time unit. 697 /* .PP 698 /* Available in Postfix version 2.9 and later: 699 /* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR" 700 /* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout 701 /* time limits, from a 702 /* time limit per read or write system call, to a time limit to send 703 /* or receive a complete record (an SMTP command line, SMTP response 704 /* line, SMTP message content line, or TLS protocol message). 705 /* .PP 706 /* Available in Postfix version 3.1 and later: 707 /* .IP "\fBsmtpd_client_auth_rate_limit (0)\fR" 708 /* The maximal number of AUTH commands that any client is allowed to 709 /* send to this service per time unit, regardless of whether or not 710 /* Postfix actually accepts those commands. 711 /* TARPIT CONTROLS 712 /* .ad 713 /* .fi 714 /* When a remote SMTP client makes errors, the Postfix SMTP server 715 /* can insert delays before responding. This can help to slow down 716 /* run-away software. The behavior is controlled by an error counter 717 /* that counts the number of errors within an SMTP session that a 718 /* client makes without delivering mail. 719 /* .IP "\fBsmtpd_error_sleep_time (1s)\fR" 720 /* With Postfix version 2.1 and later: the SMTP server response delay after 721 /* a client has made more than $smtpd_soft_error_limit errors, and 722 /* fewer than $smtpd_hard_error_limit errors, without delivering mail. 723 /* .IP "\fBsmtpd_soft_error_limit (10)\fR" 724 /* The number of errors a remote SMTP client is allowed to make without 725 /* delivering mail before the Postfix SMTP server slows down all its 726 /* responses. 727 /* .IP "\fBsmtpd_hard_error_limit (normal: 20, overload: 1)\fR" 728 /* The maximal number of errors a remote SMTP client is allowed to 729 /* make without delivering mail. 730 /* .IP "\fBsmtpd_junk_command_limit (normal: 100, overload: 1)\fR" 731 /* The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote 732 /* SMTP client can send before the Postfix SMTP server starts to 733 /* increment the error counter with each junk command. 734 /* .PP 735 /* Available in Postfix version 2.1 and later: 736 /* .IP "\fBsmtpd_recipient_overshoot_limit (1000)\fR" 737 /* The number of recipients that a remote SMTP client can send in 738 /* excess of the limit specified with $smtpd_recipient_limit, before 739 /* the Postfix SMTP server increments the per-session error count 740 /* for each excess recipient. 741 /* ACCESS POLICY DELEGATION CONTROLS 742 /* .ad 743 /* .fi 744 /* As of version 2.1, Postfix can be configured to delegate access 745 /* policy decisions to an external server that runs outside Postfix. 746 /* See the file SMTPD_POLICY_README for more information. 747 /* .IP "\fBsmtpd_policy_service_max_idle (300s)\fR" 748 /* The time after which an idle SMTPD policy service connection is 749 /* closed. 750 /* .IP "\fBsmtpd_policy_service_max_ttl (1000s)\fR" 751 /* The time after which an active SMTPD policy service connection is 752 /* closed. 753 /* .IP "\fBsmtpd_policy_service_timeout (100s)\fR" 754 /* The time limit for connecting to, writing to, or receiving from a 755 /* delegated SMTPD policy server. 756 /* .PP 757 /* Available in Postfix version 3.0 and later: 758 /* .IP "\fBsmtpd_policy_service_default_action (451 4.3.5 Server configuration problem)\fR" 759 /* The default action when an SMTPD policy service request fails. 760 /* .IP "\fBsmtpd_policy_service_request_limit (0)\fR" 761 /* The maximal number of requests per SMTPD policy service connection, 762 /* or zero (no limit). 763 /* .IP "\fBsmtpd_policy_service_try_limit (2)\fR" 764 /* The maximal number of attempts to send an SMTPD policy service 765 /* request before giving up. 766 /* .IP "\fBsmtpd_policy_service_retry_delay (1s)\fR" 767 /* The delay between attempts to resend a failed SMTPD policy 768 /* service request. 769 /* .PP 770 /* Available in Postfix version 3.1 and later: 771 /* .IP "\fBsmtpd_policy_service_policy_context (empty)\fR" 772 /* Optional information that the Postfix SMTP server specifies in 773 /* the "policy_context" attribute of a policy service request (originally, 774 /* to share the same service endpoint among multiple check_policy_service 775 /* clients). 776 /* ACCESS CONTROLS 777 /* .ad 778 /* .fi 779 /* The SMTPD_ACCESS_README document gives an introduction to all the 780 /* SMTP server access control features. 781 /* .IP "\fBsmtpd_delay_reject (yes)\fR" 782 /* Wait until the RCPT TO command before evaluating 783 /* $smtpd_client_restrictions, $smtpd_helo_restrictions and 784 /* $smtpd_sender_restrictions, or wait until the ETRN command before 785 /* evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. 786 /* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR" 787 /* A list of Postfix features where the pattern "example.com" also 788 /* matches subdomains of example.com, 789 /* instead of requiring an explicit ".example.com" pattern. 790 /* .IP "\fBsmtpd_client_restrictions (empty)\fR" 791 /* Optional restrictions that the Postfix SMTP server applies in the 792 /* context of a client connection request. 793 /* .IP "\fBsmtpd_helo_required (no)\fR" 794 /* Require that a remote SMTP client introduces itself with the HELO 795 /* or EHLO command before sending the MAIL command or other commands 796 /* that require EHLO negotiation. 797 /* .IP "\fBsmtpd_helo_restrictions (empty)\fR" 798 /* Optional restrictions that the Postfix SMTP server applies in the 799 /* context of a client HELO command. 800 /* .IP "\fBsmtpd_sender_restrictions (empty)\fR" 801 /* Optional restrictions that the Postfix SMTP server applies in the 802 /* context of a client MAIL FROM command. 803 /* .IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR" 804 /* Optional restrictions that the Postfix SMTP server applies in the 805 /* context of a client RCPT TO command, after smtpd_relay_restrictions. 806 /* .IP "\fBsmtpd_etrn_restrictions (empty)\fR" 807 /* Optional restrictions that the Postfix SMTP server applies in the 808 /* context of a client ETRN command. 809 /* .IP "\fBallow_untrusted_routing (no)\fR" 810 /* Forward mail with sender-specified routing (user[@%!]remote[@%!]site) 811 /* from untrusted clients to destinations matching $relay_domains. 812 /* .IP "\fBsmtpd_restriction_classes (empty)\fR" 813 /* User-defined aliases for groups of access restrictions. 814 /* .IP "\fBsmtpd_null_access_lookup_key (<>)\fR" 815 /* The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the 816 /* null sender address. 817 /* .IP "\fBpermit_mx_backup_networks (empty)\fR" 818 /* Restrict the use of the permit_mx_backup SMTP access feature to 819 /* only domains whose primary MX hosts match the listed networks. 820 /* .PP 821 /* Available in Postfix version 2.0 and later: 822 /* .IP "\fBsmtpd_data_restrictions (empty)\fR" 823 /* Optional access restrictions that the Postfix SMTP server applies 824 /* in the context of the SMTP DATA command. 825 /* .IP "\fBsmtpd_expansion_filter (see 'postconf -d' output)\fR" 826 /* What characters are allowed in $name expansions of RBL reply 827 /* templates. 828 /* .PP 829 /* Available in Postfix version 2.1 and later: 830 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR" 831 /* Request that the Postfix SMTP server rejects mail from unknown 832 /* sender addresses, even when no explicit reject_unlisted_sender 833 /* access restriction is specified. 834 /* .IP "\fBsmtpd_reject_unlisted_recipient (yes)\fR" 835 /* Request that the Postfix SMTP server rejects mail for unknown 836 /* recipient addresses, even when no explicit reject_unlisted_recipient 837 /* access restriction is specified. 838 /* .PP 839 /* Available in Postfix version 2.2 and later: 840 /* .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR" 841 /* Optional access restrictions that the Postfix SMTP server 842 /* applies in the context of the SMTP END-OF-DATA command. 843 /* .PP 844 /* Available in Postfix version 2.10 and later: 845 /* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)\fR" 846 /* Access restrictions for mail relay control that the Postfix 847 /* SMTP server applies in the context of the RCPT TO command, before 848 /* smtpd_recipient_restrictions. 849 /* SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS 850 /* .ad 851 /* .fi 852 /* Postfix version 2.1 introduces sender and recipient address verification. 853 /* This feature is implemented by sending probe email messages that 854 /* are not actually delivered. 855 /* This feature is requested via the reject_unverified_sender and 856 /* reject_unverified_recipient access restrictions. The status of 857 /* verification probes is maintained by the \fBverify\fR(8) server. 858 /* See the file ADDRESS_VERIFICATION_README for information 859 /* about how to configure and operate the Postfix sender/recipient 860 /* address verification service. 861 /* .IP "\fBaddress_verify_poll_count (normal: 3, overload: 1)\fR" 862 /* How many times to query the \fBverify\fR(8) service for the completion 863 /* of an address verification request in progress. 864 /* .IP "\fBaddress_verify_poll_delay (3s)\fR" 865 /* The delay between queries for the completion of an address 866 /* verification request in progress. 867 /* .IP "\fBaddress_verify_sender ($double_bounce_sender)\fR" 868 /* The sender address to use in address verification probes; prior 869 /* to Postfix 2.5 the default was "postmaster". 870 /* .IP "\fBunverified_sender_reject_code (450)\fR" 871 /* The numerical Postfix SMTP server response code when a recipient 872 /* address is rejected by the reject_unverified_sender restriction. 873 /* .IP "\fBunverified_recipient_reject_code (450)\fR" 874 /* The numerical Postfix SMTP server response when a recipient address 875 /* is rejected by the reject_unverified_recipient restriction. 876 /* .PP 877 /* Available in Postfix version 2.6 and later: 878 /* .IP "\fBunverified_sender_defer_code (450)\fR" 879 /* The numerical Postfix SMTP server response code when a sender address 880 /* probe fails due to a temporary error condition. 881 /* .IP "\fBunverified_recipient_defer_code (450)\fR" 882 /* The numerical Postfix SMTP server response when a recipient address 883 /* probe fails due to a temporary error condition. 884 /* .IP "\fBunverified_sender_reject_reason (empty)\fR" 885 /* The Postfix SMTP server's reply when rejecting mail with 886 /* reject_unverified_sender. 887 /* .IP "\fBunverified_recipient_reject_reason (empty)\fR" 888 /* The Postfix SMTP server's reply when rejecting mail with 889 /* reject_unverified_recipient. 890 /* .IP "\fBunverified_sender_tempfail_action ($reject_tempfail_action)\fR" 891 /* The Postfix SMTP server's action when reject_unverified_sender 892 /* fails due to a temporary error condition. 893 /* .IP "\fBunverified_recipient_tempfail_action ($reject_tempfail_action)\fR" 894 /* The Postfix SMTP server's action when reject_unverified_recipient 895 /* fails due to a temporary error condition. 896 /* .PP 897 /* Available with Postfix 2.9 and later: 898 /* .IP "\fBaddress_verify_sender_ttl (0s)\fR" 899 /* The time between changes in the time-dependent portion of address 900 /* verification probe sender addresses. 901 /* ACCESS CONTROL RESPONSES 902 /* .ad 903 /* .fi 904 /* The following parameters control numerical SMTP reply codes 905 /* and/or text responses. 906 /* .IP "\fBaccess_map_reject_code (554)\fR" 907 /* The numerical Postfix SMTP server response code for 908 /* an \fBaccess\fR(5) map "reject" action. 909 /* .IP "\fBdefer_code (450)\fR" 910 /* The numerical Postfix SMTP server response code when a remote SMTP 911 /* client request is rejected by the "defer" restriction. 912 /* .IP "\fBinvalid_hostname_reject_code (501)\fR" 913 /* The numerical Postfix SMTP server response code when the client 914 /* HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname 915 /* restriction. 916 /* .IP "\fBmaps_rbl_reject_code (554)\fR" 917 /* The numerical Postfix SMTP server response code when a remote SMTP 918 /* client request is blocked by the reject_rbl_client, reject_rhsbl_client, 919 /* reject_rhsbl_reverse_client, reject_rhsbl_sender or 920 /* reject_rhsbl_recipient restriction. 921 /* .IP "\fBnon_fqdn_reject_code (504)\fR" 922 /* The numerical Postfix SMTP server reply code when a client request 923 /* is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender 924 /* or reject_non_fqdn_recipient restriction. 925 /* .IP "\fBplaintext_reject_code (450)\fR" 926 /* The numerical Postfix SMTP server response code when a request 927 /* is rejected by the \fBreject_plaintext_session\fR restriction. 928 /* .IP "\fBreject_code (554)\fR" 929 /* The numerical Postfix SMTP server response code when a remote SMTP 930 /* client request is rejected by the "reject" restriction. 931 /* .IP "\fBrelay_domains_reject_code (554)\fR" 932 /* The numerical Postfix SMTP server response code when a client 933 /* request is rejected by the reject_unauth_destination recipient 934 /* restriction. 935 /* .IP "\fBunknown_address_reject_code (450)\fR" 936 /* The numerical response code when the Postfix SMTP server rejects a 937 /* sender or recipient address because its domain is unknown. 938 /* .IP "\fBunknown_client_reject_code (450)\fR" 939 /* The numerical Postfix SMTP server response code when a client 940 /* without valid address <=> name mapping is rejected by the 941 /* reject_unknown_client_hostname restriction. 942 /* .IP "\fBunknown_hostname_reject_code (450)\fR" 943 /* The numerical Postfix SMTP server response code when the hostname 944 /* specified with the HELO or EHLO command is rejected by the 945 /* reject_unknown_helo_hostname restriction. 946 /* .PP 947 /* Available in Postfix version 2.0 and later: 948 /* .IP "\fBdefault_rbl_reply (see 'postconf -d' output)\fR" 949 /* The default Postfix SMTP server response template for a request that is 950 /* rejected by an RBL-based restriction. 951 /* .IP "\fBmulti_recipient_bounce_reject_code (550)\fR" 952 /* The numerical Postfix SMTP server response code when a remote SMTP 953 /* client request is blocked by the reject_multi_recipient_bounce 954 /* restriction. 955 /* .IP "\fBrbl_reply_maps (empty)\fR" 956 /* Optional lookup tables with RBL response templates. 957 /* .PP 958 /* Available in Postfix version 2.6 and later: 959 /* .IP "\fBaccess_map_defer_code (450)\fR" 960 /* The numerical Postfix SMTP server response code for 961 /* an \fBaccess\fR(5) map "defer" action, including "defer_if_permit" 962 /* or "defer_if_reject". 963 /* .IP "\fBreject_tempfail_action (defer_if_permit)\fR" 964 /* The Postfix SMTP server's action when a reject-type restriction 965 /* fails due to a temporary error condition. 966 /* .IP "\fBunknown_helo_hostname_tempfail_action ($reject_tempfail_action)\fR" 967 /* The Postfix SMTP server's action when reject_unknown_helo_hostname 968 /* fails due to an temporary error condition. 969 /* .IP "\fBunknown_address_tempfail_action ($reject_tempfail_action)\fR" 970 /* The Postfix SMTP server's action when reject_unknown_sender_domain 971 /* or reject_unknown_recipient_domain fail due to a temporary error 972 /* condition. 973 /* MISCELLANEOUS CONTROLS 974 /* .ad 975 /* .fi 976 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 977 /* The default location of the Postfix main.cf and master.cf 978 /* configuration files. 979 /* .IP "\fBdaemon_timeout (18000s)\fR" 980 /* How much time a Postfix daemon process may take to handle a 981 /* request before it is terminated by a built-in watchdog timer. 982 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR" 983 /* The location of all postfix administrative commands. 984 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR" 985 /* The sender address of postmaster notifications that are generated 986 /* by the mail system. 987 /* .IP "\fBipc_timeout (3600s)\fR" 988 /* The time limit for sending or receiving information over an internal 989 /* communication channel. 990 /* .IP "\fBmail_name (Postfix)\fR" 991 /* The mail system name that is displayed in Received: headers, in 992 /* the SMTP greeting banner, and in bounced mail. 993 /* .IP "\fBmail_owner (postfix)\fR" 994 /* The UNIX system account that owns the Postfix queue and most Postfix 995 /* daemon processes. 996 /* .IP "\fBmax_idle (100s)\fR" 997 /* The maximum amount of time that an idle Postfix daemon process waits 998 /* for an incoming connection before terminating voluntarily. 999 /* .IP "\fBmax_use (100)\fR" 1000 /* The maximal number of incoming connections that a Postfix daemon 1001 /* process will service before terminating voluntarily. 1002 /* .IP "\fBmyhostname (see 'postconf -d' output)\fR" 1003 /* The internet hostname of this mail system. 1004 /* .IP "\fBmynetworks (see 'postconf -d' output)\fR" 1005 /* The list of "trusted" remote SMTP clients that have more privileges than 1006 /* "strangers". 1007 /* .IP "\fBmyorigin ($myhostname)\fR" 1008 /* The domain name that locally-posted mail appears to come 1009 /* from, and that locally posted mail is delivered to. 1010 /* .IP "\fBprocess_id (read-only)\fR" 1011 /* The process ID of a Postfix command or daemon process. 1012 /* .IP "\fBprocess_name (read-only)\fR" 1013 /* The process name of a Postfix command or daemon process. 1014 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 1015 /* The location of the Postfix top-level queue directory. 1016 /* .IP "\fBrecipient_delimiter (empty)\fR" 1017 /* The set of characters that can separate a user name from its 1018 /* extension (example: user+foo), or a .forward file name from its 1019 /* extension (example: .forward+foo). 1020 /* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR" 1021 /* The text that follows the 220 status code in the SMTP greeting 1022 /* banner. 1023 /* .IP "\fBsyslog_facility (mail)\fR" 1024 /* The syslog facility of Postfix logging. 1025 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 1026 /* The mail system name that is prepended to the process name in syslog 1027 /* records, so that "smtpd" becomes, for example, "postfix/smtpd". 1028 /* .PP 1029 /* Available in Postfix version 2.2 and later: 1030 /* .IP "\fBsmtpd_forbidden_commands (CONNECT, GET, POST)\fR" 1031 /* List of commands that cause the Postfix SMTP server to immediately 1032 /* terminate the session with a 221 code. 1033 /* .PP 1034 /* Available in Postfix version 2.5 and later: 1035 /* .IP "\fBsmtpd_client_port_logging (no)\fR" 1036 /* Enable logging of the remote SMTP client port in addition to 1037 /* the hostname and IP address. 1038 /* SEE ALSO 1039 /* anvil(8), connection/rate limiting 1040 /* cleanup(8), message canonicalization 1041 /* tlsmgr(8), TLS session and PRNG management 1042 /* trivial-rewrite(8), address resolver 1043 /* verify(8), address verification service 1044 /* postconf(5), configuration parameters 1045 /* master(5), generic daemon options 1046 /* master(8), process manager 1047 /* syslogd(8), system logging 1048 /* README FILES 1049 /* .ad 1050 /* .fi 1051 /* Use "\fBpostconf readme_directory\fR" or 1052 /* "\fBpostconf html_directory\fR" to locate this information. 1053 /* .na 1054 /* .nf 1055 /* ADDRESS_CLASS_README, blocking unknown hosted or relay recipients 1056 /* ADDRESS_REWRITING_README Postfix address manipulation 1057 /* FILTER_README, external after-queue content filter 1058 /* LOCAL_RECIPIENT_README, blocking unknown local recipients 1059 /* MILTER_README, before-queue mail filter applications 1060 /* SMTPD_ACCESS_README, built-in access policies 1061 /* SMTPD_POLICY_README, external policy server 1062 /* SMTPD_PROXY_README, external before-queue content filter 1063 /* SASL_README, Postfix SASL howto 1064 /* TLS_README, Postfix STARTTLS howto 1065 /* VERP_README, Postfix XVERP extension 1066 /* XCLIENT_README, Postfix XCLIENT extension 1067 /* XFORWARD_README, Postfix XFORWARD extension 1068 /* LICENSE 1069 /* .ad 1070 /* .fi 1071 /* The Secure Mailer license must be distributed with this software. 1072 /* AUTHOR(S) 1073 /* Wietse Venema 1074 /* IBM T.J. Watson Research 1075 /* P.O. Box 704 1076 /* Yorktown Heights, NY 10598, USA 1077 /* 1078 /* Wietse Venema 1079 /* Google, Inc. 1080 /* 111 8th Avenue 1081 /* New York, NY 10011, USA 1082 /* 1083 /* SASL support originally by: 1084 /* Till Franke 1085 /* SuSE Rhein/Main AG 1086 /* 65760 Eschborn, Germany 1087 /* 1088 /* TLS support originally by: 1089 /* Lutz Jaenicke 1090 /* BTU Cottbus 1091 /* Allgemeine Elektrotechnik 1092 /* Universitaetsplatz 3-4 1093 /* D-03044 Cottbus, Germany 1094 /* 1095 /* Revised TLS support by: 1096 /* Victor Duchovni 1097 /* Morgan Stanley 1098 /*--*/ 1099 1100 /* System library. */ 1101 1102 #include <sys_defs.h> 1103 #include <sys/socket.h> 1104 #include <sys/stat.h> 1105 #include <netinet/in.h> 1106 #include <arpa/inet.h> 1107 #include <netdb.h> 1108 #include <string.h> 1109 #include <stdio.h> /* remove() */ 1110 #include <unistd.h> 1111 #include <stdlib.h> 1112 #include <errno.h> 1113 #include <ctype.h> 1114 #include <signal.h> 1115 #include <stddef.h> /* offsetof() */ 1116 1117 #ifdef STRCASECMP_IN_STRINGS_H 1118 #include <strings.h> 1119 #endif 1120 1121 /* Utility library. */ 1122 1123 #include <msg.h> 1124 #include <mymalloc.h> 1125 #include <vstring.h> 1126 #include <vstream.h> 1127 #include <vstring_vstream.h> 1128 #include <stringops.h> 1129 #include <events.h> 1130 #include <smtp_stream.h> 1131 #include <valid_hostname.h> 1132 #include <dict.h> 1133 #include <watchdog.h> 1134 #include <iostuff.h> 1135 #include <split_at.h> 1136 #include <name_code.h> 1137 #include <inet_proto.h> 1138 1139 /* Global library. */ 1140 1141 #include <mail_params.h> 1142 #include <mail_version.h> /* milter_macro_v */ 1143 #include <record.h> 1144 #include <rec_type.h> 1145 #include <mail_proto.h> 1146 #include <cleanup_user.h> 1147 #include <mail_date.h> 1148 #include <mail_conf.h> 1149 #include <off_cvt.h> 1150 #include <debug_peer.h> 1151 #include <mail_error.h> 1152 #include <flush_clnt.h> 1153 #include <mail_stream.h> 1154 #include <mail_queue.h> 1155 #include <tok822.h> 1156 #include <verp_sender.h> 1157 #include <string_list.h> 1158 #include <quote_822_local.h> 1159 #include <lex_822.h> 1160 #include <namadr_list.h> 1161 #include <input_transp.h> 1162 #include <is_header.h> 1163 #include <anvil_clnt.h> 1164 #include <flush_clnt.h> 1165 #include <ehlo_mask.h> /* ehlo filter */ 1166 #include <maps.h> /* ehlo filter */ 1167 #include <valid_mailhost_addr.h> 1168 #include <dsn_mask.h> 1169 #include <xtext.h> 1170 #include <uxtext.h> 1171 #include <tls_proxy.h> 1172 #include <verify_sender_addr.h> 1173 #include <smtputf8.h> 1174 #include <match_parent_style.h> 1175 1176 /* Single-threaded server skeleton. */ 1177 1178 #include <mail_server.h> 1179 1180 /* Mail filter library. */ 1181 1182 #include <milter.h> 1183 1184 /* DNS library. */ 1185 1186 #include <dns.h> 1187 1188 /* Application-specific */ 1189 1190 #include <smtpd_token.h> 1191 #include <smtpd.h> 1192 #include <smtpd_check.h> 1193 #include <smtpd_chat.h> 1194 #include <smtpd_sasl_proto.h> 1195 #include <smtpd_sasl_glue.h> 1196 #include <smtpd_proxy.h> 1197 #include <smtpd_milter.h> 1198 #include <smtpd_expand.h> 1199 1200 /* 1201 * Tunable parameters. Make sure that there is some bound on the length of 1202 * an SMTP command, so that the mail system stays in control even when a 1203 * malicious client sends commands of unreasonable length (qmail-dos-1). 1204 * Make sure there is some bound on the number of recipients, so that the 1205 * mail system stays in control even when a malicious client sends an 1206 * unreasonable number of recipients (qmail-dos-2). 1207 */ 1208 int var_smtpd_rcpt_limit; 1209 int var_smtpd_tmout; 1210 int var_smtpd_soft_erlim; 1211 int var_smtpd_hard_erlim; 1212 int var_queue_minfree; /* XXX use off_t */ 1213 char *var_smtpd_banner; 1214 char *var_notify_classes; 1215 char *var_client_checks; 1216 char *var_helo_checks; 1217 char *var_mail_checks; 1218 char *var_relay_checks; 1219 char *var_rcpt_checks; 1220 char *var_etrn_checks; 1221 char *var_data_checks; 1222 char *var_eod_checks; 1223 int var_unk_client_code; 1224 int var_bad_name_code; 1225 int var_unk_name_code; 1226 int var_unk_addr_code; 1227 int var_relay_code; 1228 int var_maps_rbl_code; 1229 int var_map_reject_code; 1230 int var_map_defer_code; 1231 char *var_maps_rbl_domains; 1232 char *var_rbl_reply_maps; 1233 int var_helo_required; 1234 int var_reject_code; 1235 int var_defer_code; 1236 int var_smtpd_err_sleep; 1237 int var_non_fqdn_code; 1238 char *var_error_rcpt; 1239 int var_smtpd_delay_reject; 1240 char *var_rest_classes; 1241 int var_strict_rfc821_env; 1242 bool var_disable_vrfy_cmd; 1243 char *var_canonical_maps; 1244 char *var_send_canon_maps; 1245 char *var_rcpt_canon_maps; 1246 char *var_virt_alias_maps; 1247 char *var_virt_mailbox_maps; 1248 char *var_alias_maps; 1249 char *var_local_rcpt_maps; 1250 bool var_allow_untrust_route; 1251 int var_smtpd_junk_cmd_limit; 1252 int var_smtpd_rcpt_overlim; 1253 bool var_smtpd_sasl_enable; 1254 bool var_smtpd_sasl_auth_hdr; 1255 char *var_smtpd_sasl_opts; 1256 char *var_smtpd_sasl_path; 1257 char *var_smtpd_sasl_service; 1258 char *var_cyrus_conf_path; 1259 char *var_smtpd_sasl_realm; 1260 char *var_smtpd_sasl_exceptions_networks; 1261 char *var_smtpd_sasl_type; 1262 char *var_filter_xport; 1263 bool var_broken_auth_clients; 1264 char *var_perm_mx_networks; 1265 char *var_smtpd_snd_auth_maps; 1266 char *var_smtpd_noop_cmds; 1267 char *var_smtpd_null_key; 1268 int var_smtpd_hist_thrsh; 1269 char *var_smtpd_exp_filter; 1270 char *var_def_rbl_reply; 1271 int var_unv_from_rcode; 1272 int var_unv_rcpt_rcode; 1273 int var_unv_from_dcode; 1274 int var_unv_rcpt_dcode; 1275 char *var_unv_from_why; 1276 char *var_unv_rcpt_why; 1277 int var_mul_rcpt_code; 1278 char *var_relay_rcpt_maps; 1279 int var_local_rcpt_code; 1280 int var_virt_alias_code; 1281 int var_virt_mailbox_code; 1282 int var_relay_rcpt_code; 1283 char *var_verp_clients; 1284 int var_show_unk_rcpt_table; 1285 int var_verify_poll_count; 1286 int var_verify_poll_delay; 1287 char *var_smtpd_proxy_filt; 1288 int var_smtpd_proxy_tmout; 1289 char *var_smtpd_proxy_ehlo; 1290 char *var_smtpd_proxy_opts; 1291 char *var_input_transp; 1292 int var_smtpd_policy_tmout; 1293 int var_smtpd_policy_req_limit; 1294 int var_smtpd_policy_try_limit; 1295 int var_smtpd_policy_try_delay; 1296 char *var_smtpd_policy_def_action; 1297 char *var_smtpd_policy_context; 1298 int var_smtpd_policy_idle; 1299 int var_smtpd_policy_ttl; 1300 char *var_xclient_hosts; 1301 char *var_xforward_hosts; 1302 bool var_smtpd_rej_unl_from; 1303 bool var_smtpd_rej_unl_rcpt; 1304 char *var_smtpd_forbid_cmds; 1305 int var_smtpd_crate_limit; 1306 int var_smtpd_cconn_limit; 1307 int var_smtpd_cmail_limit; 1308 int var_smtpd_crcpt_limit; 1309 int var_smtpd_cntls_limit; 1310 int var_smtpd_cauth_limit; 1311 char *var_smtpd_hoggers; 1312 char *var_local_rwr_clients; 1313 char *var_smtpd_ehlo_dis_words; 1314 char *var_smtpd_ehlo_dis_maps; 1315 1316 char *var_smtpd_tls_level; 1317 bool var_smtpd_use_tls; 1318 bool var_smtpd_enforce_tls; 1319 bool var_smtpd_tls_wrappermode; 1320 bool var_smtpd_tls_auth_only; 1321 char *var_smtpd_cmd_filter; 1322 char *var_smtpd_rej_footer; 1323 char *var_smtpd_acl_perm_log; 1324 char *var_smtpd_dns_re_filter; 1325 1326 #ifdef USE_TLS 1327 char *var_smtpd_relay_ccerts; 1328 char *var_smtpd_sasl_tls_opts; 1329 int var_smtpd_starttls_tmout; 1330 char *var_smtpd_tls_CAfile; 1331 char *var_smtpd_tls_CApath; 1332 bool var_smtpd_tls_ask_ccert; 1333 int var_smtpd_tls_ccert_vd; 1334 char *var_smtpd_tls_cert_file; 1335 char *var_smtpd_tls_mand_ciph; 1336 char *var_smtpd_tls_excl_ciph; 1337 char *var_smtpd_tls_mand_excl; 1338 char *var_smtpd_tls_dcert_file; 1339 char *var_smtpd_tls_dh1024_param_file; 1340 char *var_smtpd_tls_dh512_param_file; 1341 char *var_smtpd_tls_dkey_file; 1342 char *var_smtpd_tls_key_file; 1343 char *var_smtpd_tls_loglevel; 1344 char *var_smtpd_tls_mand_proto; 1345 bool var_smtpd_tls_received_header; 1346 bool var_smtpd_tls_req_ccert; 1347 bool var_smtpd_tls_set_sessid; 1348 char *var_smtpd_tls_fpt_dgst; 1349 char *var_smtpd_tls_ciph; 1350 char *var_smtpd_tls_proto; 1351 char *var_smtpd_tls_eecdh; 1352 char *var_smtpd_tls_eccert_file; 1353 char *var_smtpd_tls_eckey_file; 1354 1355 #endif 1356 1357 bool var_smtpd_peername_lookup; 1358 int var_plaintext_code; 1359 bool var_smtpd_delay_open; 1360 char *var_smtpd_milters; 1361 int var_milt_conn_time; 1362 int var_milt_cmd_time; 1363 int var_milt_msg_time; 1364 char *var_milt_protocol; 1365 char *var_milt_def_action; 1366 char *var_milt_daemon_name; 1367 char *var_milt_v; 1368 char *var_milt_conn_macros; 1369 char *var_milt_helo_macros; 1370 char *var_milt_mail_macros; 1371 char *var_milt_rcpt_macros; 1372 char *var_milt_data_macros; 1373 char *var_milt_eoh_macros; 1374 char *var_milt_eod_macros; 1375 char *var_milt_unk_macros; 1376 char *var_milt_macro_deflts; 1377 bool var_smtpd_client_port_log; 1378 char *var_stress; 1379 1380 char *var_reject_tmpf_act; 1381 char *var_unk_name_tf_act; 1382 char *var_unk_addr_tf_act; 1383 char *var_unv_rcpt_tf_act; 1384 char *var_unv_from_tf_act; 1385 bool var_smtpd_rec_deadline; 1386 1387 int smtpd_proxy_opts; 1388 1389 #ifdef USE_TLSPROXY 1390 char *var_tlsproxy_service; 1391 1392 #endif 1393 1394 char *var_smtpd_uproxy_proto; 1395 int var_smtpd_uproxy_tmout; 1396 1397 /* 1398 * Silly little macros. 1399 */ 1400 #define STR(x) vstring_str(x) 1401 #define LEN(x) VSTRING_LEN(x) 1402 1403 /* 1404 * EHLO keyword filter 1405 */ 1406 static MAPS *ehlo_discard_maps; 1407 1408 /* 1409 * VERP command name. 1410 */ 1411 #define VERP_CMD "XVERP" 1412 #define VERP_CMD_LEN 5 1413 1414 static NAMADR_LIST *verp_clients; 1415 1416 /* 1417 * XCLIENT command. Access control is cached, so that XCLIENT can't override 1418 * its own access control. 1419 */ 1420 static NAMADR_LIST *xclient_hosts; 1421 static int xclient_allowed; /* XXX should be SMTPD_STATE member */ 1422 1423 /* 1424 * XFORWARD command. Access control is cached. 1425 */ 1426 static NAMADR_LIST *xforward_hosts; 1427 static int xforward_allowed; /* XXX should be SMTPD_STATE member */ 1428 1429 /* 1430 * Client connection and rate limiting. 1431 */ 1432 ANVIL_CLNT *anvil_clnt; 1433 static NAMADR_LIST *hogger_list; 1434 1435 /* 1436 * Other application-specific globals. 1437 */ 1438 int smtpd_input_transp_mask; 1439 1440 /* 1441 * Forward declarations. 1442 */ 1443 static void helo_reset(SMTPD_STATE *); 1444 static void mail_reset(SMTPD_STATE *); 1445 static void rcpt_reset(SMTPD_STATE *); 1446 static void chat_reset(SMTPD_STATE *, int); 1447 1448 #ifdef USE_TLS 1449 static void tls_reset(SMTPD_STATE *); 1450 1451 #endif 1452 1453 /* 1454 * This filter is applied after printable(). 1455 */ 1456 #define NEUTER_CHARACTERS " <>()\\\";@" 1457 1458 /* 1459 * Reasons for losing the client. 1460 */ 1461 #define REASON_TIMEOUT "timeout" 1462 #define REASON_LOST_CONNECTION "lost connection" 1463 #define REASON_ERROR_LIMIT "too many errors" 1464 1465 /* 1466 * Mail filter initialization status. 1467 */ 1468 MILTERS *smtpd_milters; 1469 1470 #ifdef USE_TLS 1471 1472 /* 1473 * TLS initialization status. 1474 */ 1475 static TLS_APPL_STATE *smtpd_tls_ctx; 1476 static int ask_client_cert; 1477 1478 #endif 1479 1480 /* 1481 * SMTP command mapping for broken clients. 1482 */ 1483 static DICT *smtpd_cmd_filter; 1484 1485 #ifdef USE_SASL_AUTH 1486 1487 /* 1488 * SASL exceptions. 1489 */ 1490 static NAMADR_LIST *sasl_exceptions_networks; 1491 1492 /* sasl_client_exception - can we offer AUTH for this client */ 1493 1494 static int sasl_client_exception(SMTPD_STATE *state) 1495 { 1496 int match; 1497 1498 /* 1499 * This is to work around a Netscape mail client bug where it tries to 1500 * use AUTH if available, even if user has not configured it. Returns 1501 * TRUE if AUTH should be offered in the EHLO. 1502 */ 1503 if (sasl_exceptions_networks == 0) 1504 return (0); 1505 1506 if ((match = namadr_list_match(sasl_exceptions_networks, 1507 state->name, state->addr)) == 0) 1508 match = sasl_exceptions_networks->error; 1509 1510 if (msg_verbose) 1511 msg_info("sasl_exceptions: %s, match=%d", 1512 state->namaddr, match); 1513 1514 return (match); 1515 } 1516 1517 #endif 1518 1519 /* smtpd_whatsup - gather available evidence for logging */ 1520 1521 static const char *smtpd_whatsup(SMTPD_STATE *state) 1522 { 1523 static VSTRING *buf = 0; 1524 1525 if (buf == 0) 1526 buf = vstring_alloc(100); 1527 else 1528 VSTRING_RESET(buf); 1529 if (state->sender) 1530 vstring_sprintf_append(buf, " from=<%s>", state->sender); 1531 if (state->recipient) 1532 vstring_sprintf_append(buf, " to=<%s>", state->recipient); 1533 if (state->protocol) 1534 vstring_sprintf_append(buf, " proto=%s", state->protocol); 1535 if (state->helo_name) 1536 vstring_sprintf_append(buf, " helo=<%s>", state->helo_name); 1537 return (STR(buf)); 1538 } 1539 1540 /* collapse_args - put arguments together again */ 1541 1542 static void collapse_args(int argc, SMTPD_TOKEN *argv) 1543 { 1544 int i; 1545 1546 for (i = 1; i < argc; i++) { 1547 vstring_strcat(argv[0].vstrval, " "); 1548 vstring_strcat(argv[0].vstrval, argv[i].strval); 1549 } 1550 argv[0].strval = STR(argv[0].vstrval); 1551 } 1552 1553 /* check_milter_reply - process reply from Milter */ 1554 1555 static const char *check_milter_reply(SMTPD_STATE *state, const char *reply) 1556 { 1557 const char *queue_id = state->queue_id ? state->queue_id : "NOQUEUE"; 1558 const char *action; 1559 const char *text; 1560 1561 /* 1562 * The syntax of user-specified SMTP replies is checked by the Milter 1563 * module, because the replies are also used in the cleanup server. 1564 * Automatically disconnect after 421 (shutdown) reply. The Sendmail 8 1565 * Milter quarantine action is not final, so it is not included in 1566 * MILTER_SKIP_FLAGS. 1567 */ 1568 #define MILTER_SKIP_FLAGS (CLEANUP_FLAG_DISCARD) 1569 1570 switch (reply[0]) { 1571 case 'H': 1572 state->saved_flags |= CLEANUP_FLAG_HOLD; 1573 action = "milter-hold"; 1574 reply = 0; 1575 text = "milter triggers HOLD action"; 1576 break; 1577 case 'D': 1578 state->saved_flags |= CLEANUP_FLAG_DISCARD; 1579 action = "milter-discard"; 1580 reply = 0; 1581 text = "milter triggers DISCARD action"; 1582 break; 1583 case 'S': 1584 state->error_mask |= MAIL_ERROR_POLICY; 1585 action = "milter-reject"; 1586 reply = "421 4.7.0 Server closing connection"; 1587 text = 0; 1588 break; 1589 case '4': 1590 case '5': 1591 state->error_mask |= MAIL_ERROR_POLICY; 1592 action = "milter-reject"; 1593 text = 0; 1594 break; 1595 default: 1596 state->error_mask |= MAIL_ERROR_SOFTWARE; 1597 action = "reject"; 1598 reply = "421 4.3.5 Server configuration error"; 1599 text = 0; 1600 break; 1601 } 1602 msg_info("%s: %s: %s from %s: %s;%s", queue_id, action, state->where, 1603 state->namaddr, reply ? reply : text, smtpd_whatsup(state)); 1604 return (reply); 1605 } 1606 1607 /* helo_cmd - process HELO command */ 1608 1609 static int helo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 1610 { 1611 const char *err; 1612 1613 /* 1614 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other 1615 * than the initial greeting and any response to HELO or EHLO are 1616 * prefaced with a status code as defined in RFC 3463. 1617 */ 1618 if (argc < 2) { 1619 state->error_mask |= MAIL_ERROR_PROTOCOL; 1620 smtpd_chat_reply(state, "501 Syntax: HELO hostname"); 1621 return (-1); 1622 } 1623 if (argc > 2) 1624 collapse_args(argc - 1, argv + 1); 1625 if (SMTPD_STAND_ALONE(state) == 0 1626 && var_smtpd_delay_reject == 0 1627 && (err = smtpd_check_helo(state, argv[1].strval)) != 0) { 1628 smtpd_chat_reply(state, "%s", err); 1629 return (-1); 1630 } 1631 1632 /* 1633 * XXX Sendmail compatibility: if a Milter rejects CONNECT, EHLO, or 1634 * HELO, reply with 250 except in case of 421 (disconnect). The reply 1635 * persists so it will apply to MAIL FROM and to other commands such as 1636 * AUTH, STARTTLS, and VRFY. 1637 */ 1638 #define PUSH_STRING(old, curr, new) { char *old = (curr); (curr) = (new); 1639 #define POP_STRING(old, curr) (curr) = old; } 1640 1641 if (smtpd_milters != 0 1642 && SMTPD_STAND_ALONE(state) == 0 1643 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0 1644 && (err = milter_helo_event(smtpd_milters, argv[1].strval, 0)) != 0) { 1645 /* Log reject etc. with correct HELO information. */ 1646 PUSH_STRING(saved_helo, state->helo_name, argv[1].strval); 1647 err = check_milter_reply(state, err); 1648 POP_STRING(saved_helo, state->helo_name); 1649 if (err != 0 && strncmp(err, "421", 3) == 0) { 1650 smtpd_chat_reply(state, "%s", err); 1651 return (-1); 1652 } 1653 } 1654 if (state->helo_name != 0) 1655 helo_reset(state); 1656 chat_reset(state, var_smtpd_hist_thrsh); 1657 mail_reset(state); 1658 rcpt_reset(state); 1659 state->helo_name = mystrdup(printable(argv[1].strval, '?')); 1660 neuter(state->helo_name, NEUTER_CHARACTERS, '?'); 1661 /* Downgrading the protocol name breaks the unauthorized pipelining test. */ 1662 if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0 1663 && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) { 1664 myfree(state->protocol); 1665 state->protocol = mystrdup(MAIL_PROTO_SMTP); 1666 } 1667 smtpd_chat_reply(state, "250 %s", var_myhostname); 1668 return (0); 1669 } 1670 1671 /* cant_announce_feature - explain and terminate this session */ 1672 1673 static NORETURN cant_announce_feature(SMTPD_STATE *state, const char *feature) 1674 { 1675 msg_warn("don't know if EHLO feature %s should be announced to %s", 1676 feature, state->namaddr); 1677 vstream_longjmp(state->client, SMTP_ERR_DATA); 1678 } 1679 1680 /* cant_permit_command - explain and terminate this session */ 1681 1682 static NORETURN cant_permit_command(SMTPD_STATE *state, const char *command) 1683 { 1684 msg_warn("don't know if command %s should be allowed from %s", 1685 command, state->namaddr); 1686 vstream_longjmp(state->client, SMTP_ERR_DATA); 1687 } 1688 1689 /* ehlo_cmd - process EHLO command */ 1690 1691 static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 1692 { 1693 const char *err; 1694 int discard_mask; 1695 char **cpp; 1696 1697 /* 1698 * XXX 2821 new feature: Section 4.1.4 specifies that a server must clear 1699 * all buffers and reset the state exactly as if a RSET command had been 1700 * issued. 1701 * 1702 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other 1703 * than the initial greeting and any response to HELO or EHLO are 1704 * prefaced with a status code as defined in RFC 3463. 1705 */ 1706 if (argc < 2) { 1707 state->error_mask |= MAIL_ERROR_PROTOCOL; 1708 smtpd_chat_reply(state, "501 Syntax: EHLO hostname"); 1709 return (-1); 1710 } 1711 if (argc > 2) 1712 collapse_args(argc - 1, argv + 1); 1713 if (SMTPD_STAND_ALONE(state) == 0 1714 && var_smtpd_delay_reject == 0 1715 && (err = smtpd_check_helo(state, argv[1].strval)) != 0) { 1716 smtpd_chat_reply(state, "%s", err); 1717 return (-1); 1718 } 1719 1720 /* 1721 * XXX Sendmail compatibility: if a Milter 5xx rejects CONNECT, EHLO, or 1722 * HELO, reply with ENHANCEDSTATUSCODES except in case of immediate 1723 * disconnect. The reply persists so it will apply to MAIL FROM and to 1724 * other commands such as AUTH, STARTTLS, and VRFY. 1725 */ 1726 err = 0; 1727 if (smtpd_milters != 0 1728 && SMTPD_STAND_ALONE(state) == 0 1729 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0 1730 && (err = milter_helo_event(smtpd_milters, argv[1].strval, 1)) != 0) { 1731 /* Log reject etc. with correct HELO information. */ 1732 PUSH_STRING(saved_helo, state->helo_name, argv[1].strval); 1733 err = check_milter_reply(state, err); 1734 POP_STRING(saved_helo, state->helo_name); 1735 if (err != 0 && strncmp(err, "421", 3) == 0) { 1736 smtpd_chat_reply(state, "%s", err); 1737 return (-1); 1738 } 1739 } 1740 if (state->helo_name != 0) 1741 helo_reset(state); 1742 chat_reset(state, var_smtpd_hist_thrsh); 1743 mail_reset(state); 1744 rcpt_reset(state); 1745 state->helo_name = mystrdup(printable(argv[1].strval, '?')); 1746 neuter(state->helo_name, NEUTER_CHARACTERS, '?'); 1747 1748 /* 1749 * XXX reject_unauth_pipelining depends on the following. If the user 1750 * sends EHLO then we announce PIPELINING and we can't accuse them of 1751 * using pipelining in places where it is allowed. 1752 * 1753 * XXX The reject_unauth_pipelining test needs to change and also account 1754 * for mechanisms that disable PIPELINING selectively. 1755 */ 1756 if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0) { 1757 myfree(state->protocol); 1758 state->protocol = mystrdup(MAIL_PROTO_ESMTP); 1759 } 1760 1761 /* 1762 * Build the EHLO response, producing no output until we know what to 1763 * send - this simplifies exception handling. The CRLF record boundaries 1764 * don't exist at this level in the code, so we represent multi-line 1765 * output as an array of single-line responses. 1766 */ 1767 #define EHLO_APPEND(state, cmd) \ 1768 do { \ 1769 vstring_sprintf((state)->ehlo_buf, (cmd)); \ 1770 argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \ 1771 } while (0) 1772 1773 #define EHLO_APPEND1(state, cmd, arg) \ 1774 do { \ 1775 vstring_sprintf((state)->ehlo_buf, (cmd), (arg)); \ 1776 argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \ 1777 } while (0) 1778 1779 /* 1780 * XXX Sendmail compatibility: if a Milter 5XX rejects CONNECT, EHLO, or 1781 * HELO, reply with ENHANCEDSTATUSCODES only. The reply persists so it 1782 * will apply to MAIL FROM, but we currently don't have a proper 1783 * mechanism to apply Milter rejects to AUTH, STARTTLS, VRFY, and other 1784 * commands while still allowing HELO/EHLO. 1785 */ 1786 discard_mask = state->ehlo_discard_mask; 1787 if (err != 0 && err[0] == '5') 1788 discard_mask |= ~EHLO_MASK_ENHANCEDSTATUSCODES; 1789 if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0) 1790 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 1791 msg_info("discarding EHLO keywords: %s", str_ehlo_mask(discard_mask)); 1792 if (ehlo_discard_maps && ehlo_discard_maps->error) { 1793 msg_warn("don't know what EHLO features to announce to %s", 1794 state->namaddr); 1795 vstream_longjmp(state->client, SMTP_ERR_DATA); 1796 } 1797 1798 /* 1799 * These may still exist after a prior exception. 1800 */ 1801 if (state->ehlo_argv == 0) { 1802 state->ehlo_argv = argv_alloc(10); 1803 state->ehlo_buf = vstring_alloc(10); 1804 } else 1805 argv_truncate(state->ehlo_argv, 0); 1806 1807 EHLO_APPEND1(state, "%s", var_myhostname); 1808 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 1809 EHLO_APPEND(state, "PIPELINING"); 1810 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 1811 if (var_message_limit) 1812 EHLO_APPEND1(state, "SIZE %lu", 1813 (unsigned long) var_message_limit); /* XXX */ 1814 else 1815 EHLO_APPEND(state, "SIZE"); 1816 } 1817 if ((discard_mask & EHLO_MASK_VRFY) == 0) 1818 if (var_disable_vrfy_cmd == 0) 1819 EHLO_APPEND(state, SMTPD_CMD_VRFY); 1820 if ((discard_mask & EHLO_MASK_ETRN) == 0) 1821 EHLO_APPEND(state, SMTPD_CMD_ETRN); 1822 #ifdef USE_TLS 1823 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 1824 if (var_smtpd_use_tls && (!state->tls_context)) 1825 EHLO_APPEND(state, SMTPD_CMD_STARTTLS); 1826 #endif 1827 #ifdef USE_SASL_AUTH 1828 #ifndef AUTH_CMD 1829 #define AUTH_CMD "AUTH" 1830 #endif 1831 if ((discard_mask & EHLO_MASK_AUTH) == 0) { 1832 if (smtpd_sasl_is_active(state) && !sasl_client_exception(state)) { 1833 EHLO_APPEND1(state, "AUTH %s", state->sasl_mechanism_list); 1834 if (var_broken_auth_clients) 1835 EHLO_APPEND1(state, "AUTH=%s", state->sasl_mechanism_list); 1836 } else if (sasl_exceptions_networks && sasl_exceptions_networks->error) 1837 cant_announce_feature(state, AUTH_CMD); 1838 } 1839 #define XCLIENT_LOGIN_KLUDGE " " XCLIENT_LOGIN 1840 #else 1841 #define XCLIENT_LOGIN_KLUDGE "" 1842 #endif 1843 if ((discard_mask & EHLO_MASK_VERP) == 0) { 1844 if (namadr_list_match(verp_clients, state->name, state->addr)) 1845 EHLO_APPEND(state, VERP_CMD); 1846 else if (verp_clients && verp_clients->error) 1847 cant_announce_feature(state, VERP_CMD); 1848 } 1849 /* XCLIENT must not override its own access control. */ 1850 if ((discard_mask & EHLO_MASK_XCLIENT) == 0) { 1851 if (xclient_allowed) 1852 EHLO_APPEND(state, XCLIENT_CMD 1853 " " XCLIENT_NAME " " XCLIENT_ADDR 1854 " " XCLIENT_PROTO " " XCLIENT_HELO 1855 " " XCLIENT_REVERSE_NAME " " XCLIENT_PORT 1856 XCLIENT_LOGIN_KLUDGE); 1857 else if (xclient_hosts && xclient_hosts->error) 1858 cant_announce_feature(state, XCLIENT_CMD); 1859 } 1860 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) { 1861 if (xforward_allowed) 1862 EHLO_APPEND(state, XFORWARD_CMD 1863 " " XFORWARD_NAME " " XFORWARD_ADDR 1864 " " XFORWARD_PROTO " " XFORWARD_HELO 1865 " " XFORWARD_DOMAIN " " XFORWARD_PORT 1866 " " XFORWARD_IDENT); 1867 else if (xforward_hosts && xforward_hosts->error) 1868 cant_announce_feature(state, XFORWARD_CMD); 1869 } 1870 if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0) 1871 EHLO_APPEND(state, "ENHANCEDSTATUSCODES"); 1872 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 1873 EHLO_APPEND(state, "8BITMIME"); 1874 if ((discard_mask & EHLO_MASK_DSN) == 0) 1875 EHLO_APPEND(state, "DSN"); 1876 if (var_smtputf8_enable && (discard_mask & EHLO_MASK_SMTPUTF8) == 0) 1877 EHLO_APPEND(state, "SMTPUTF8"); 1878 1879 /* 1880 * Send the reply. 1881 */ 1882 for (cpp = state->ehlo_argv->argv; *cpp; cpp++) 1883 smtpd_chat_reply(state, "250%c%s", cpp[1] ? '-' : ' ', *cpp); 1884 1885 /* 1886 * Clean up. 1887 */ 1888 argv_free(state->ehlo_argv); 1889 state->ehlo_argv = 0; 1890 vstring_free(state->ehlo_buf); 1891 state->ehlo_buf = 0; 1892 1893 return (0); 1894 } 1895 1896 /* helo_reset - reset HELO/EHLO command stuff */ 1897 1898 static void helo_reset(SMTPD_STATE *state) 1899 { 1900 if (state->helo_name) { 1901 myfree(state->helo_name); 1902 state->helo_name = 0; 1903 if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0) 1904 milter_abort(smtpd_milters); 1905 } 1906 if (state->ehlo_argv) { 1907 argv_free(state->ehlo_argv); 1908 state->ehlo_argv = 0; 1909 } 1910 if (state->ehlo_buf) { 1911 vstring_free(state->ehlo_buf); 1912 state->ehlo_buf = 0; 1913 } 1914 } 1915 1916 #ifdef USE_SASL_AUTH 1917 1918 /* smtpd_sasl_auth_cmd_wrapper - smtpd_sasl_auth_cmd front-end */ 1919 1920 static int smtpd_sasl_auth_cmd_wrapper(SMTPD_STATE *state, int argc, 1921 SMTPD_TOKEN *argv) 1922 { 1923 int rate; 1924 1925 if (SMTPD_STAND_ALONE(state) == 0 1926 && !xclient_allowed 1927 && anvil_clnt 1928 && var_smtpd_cauth_limit > 0 1929 && !namadr_list_match(hogger_list, state->name, state->addr) 1930 && anvil_clnt_auth(anvil_clnt, state->service, state->addr, 1931 &rate) == ANVIL_STAT_OK 1932 && rate > var_smtpd_cauth_limit) { 1933 state->error_mask |= MAIL_ERROR_POLICY; 1934 msg_warn("AUTH command rate limit exceeded: %d from %s for service %s", 1935 rate, state->namaddr, state->service); 1936 smtpd_chat_reply(state, 1937 "450 4.7.1 Error: too many AUTH commands from %s", 1938 state->addr); 1939 return (-1); 1940 } 1941 return (smtpd_sasl_auth_cmd(state, argc, argv)); 1942 } 1943 1944 #endif 1945 1946 /* mail_open_stream - open mail queue file or IPC stream */ 1947 1948 static int mail_open_stream(SMTPD_STATE *state) 1949 { 1950 1951 /* 1952 * Connect to the before-queue filter when one is configured. The MAIL 1953 * FROM and RCPT TO commands are forwarded as received (including DSN 1954 * attributes), with the exception that the before-filter smtpd process 1955 * handles all authentication, encryption, access control and relay 1956 * control, and that the before-filter smtpd process does not forward 1957 * blocked commands. If the after-filter smtp server does not support 1958 * some of Postfix's ESMTP features, then they must be turned off in the 1959 * before-filter smtpd process with the smtpd_discard_ehlo_keywords 1960 * feature. 1961 */ 1962 if (state->proxy_mail) { 1963 if (smtpd_proxy_create(state, smtpd_proxy_opts, var_smtpd_proxy_filt, 1964 var_smtpd_proxy_tmout, var_smtpd_proxy_ehlo, 1965 state->proxy_mail) != 0) { 1966 smtpd_chat_reply(state, "%s", STR(state->proxy->reply)); 1967 smtpd_proxy_free(state); 1968 return (-1); 1969 } 1970 } 1971 1972 /* 1973 * If running from the master or from inetd, connect to the cleanup 1974 * service. 1975 * 1976 * XXX 2821: An SMTP server is not allowed to "clean up" mail except in the 1977 * case of original submissions. 1978 * 1979 * We implement this by distinguishing between mail that we are willing to 1980 * rewrite (the local rewrite context) and mail from elsewhere. 1981 */ 1982 else if (SMTPD_STAND_ALONE(state) == 0) { 1983 int cleanup_flags; 1984 1985 cleanup_flags = input_transp_cleanup(CLEANUP_FLAG_MASK_EXTERNAL, 1986 smtpd_input_transp_mask) 1987 | CLEANUP_FLAG_SMTP_REPLY; 1988 if (state->flags & SMTPD_FLAG_SMTPUTF8) 1989 cleanup_flags |= CLEANUP_FLAG_SMTPUTF8; 1990 else 1991 cleanup_flags |= smtputf8_autodetect(MAIL_SRC_MASK_SMTPD); 1992 state->dest = mail_stream_service(MAIL_CLASS_PUBLIC, 1993 var_cleanup_service); 1994 if (state->dest == 0 1995 || attr_print(state->dest->stream, ATTR_FLAG_NONE, 1996 SEND_ATTR_INT(MAIL_ATTR_FLAGS, cleanup_flags), 1997 ATTR_TYPE_END) != 0) 1998 msg_fatal("unable to connect to the %s %s service", 1999 MAIL_CLASS_PUBLIC, var_cleanup_service); 2000 } 2001 2002 /* 2003 * Otherwise, pipe the message through the privileged postdrop helper. 2004 * XXX Make postdrop a manifest constant. 2005 */ 2006 else { 2007 char *postdrop_command; 2008 2009 postdrop_command = concatenate(var_command_dir, "/postdrop", 2010 msg_verbose ? " -v" : (char *) 0, (char *) 0); 2011 state->dest = mail_stream_command(postdrop_command); 2012 if (state->dest == 0) 2013 msg_fatal("unable to execute %s", postdrop_command); 2014 myfree(postdrop_command); 2015 } 2016 2017 /* 2018 * Record the time of arrival, the SASL-related stuff if applicable, the 2019 * sender envelope address, some session information, and some additional 2020 * attributes. 2021 * 2022 * XXX Send Milter information first, because this will hang when cleanup 2023 * goes into "throw away" mode. Also, cleanup needs to know early on 2024 * whether or not it has to do its own SMTP event emulation. 2025 * 2026 * XXX At this point we send only dummy information to keep the cleanup 2027 * server from using its non_smtpd_milters settings. We have to send 2028 * up-to-date Milter information after DATA so that the cleanup server 2029 * knows the actual Milter state. 2030 */ 2031 if (state->dest) { 2032 state->cleanup = state->dest->stream; 2033 state->queue_id = mystrdup(state->dest->id); 2034 if (SMTPD_STAND_ALONE(state) == 0) { 2035 if (smtpd_milters != 0 2036 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) 2037 /* Send place-holder smtpd_milters list. */ 2038 (void) milter_dummy(smtpd_milters, state->cleanup); 2039 rec_fprintf(state->cleanup, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT, 2040 REC_TYPE_TIME_ARG(state->arrival_time)); 2041 if (*var_filter_xport) 2042 rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s", var_filter_xport); 2043 if (FORWARD_IDENT(state)) 2044 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2045 MAIL_ATTR_LOG_IDENT, FORWARD_IDENT(state)); 2046 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2047 MAIL_ATTR_RWR_CONTEXT, FORWARD_DOMAIN(state)); 2048 #ifdef USE_SASL_AUTH 2049 /* Make external authentication painless (e.g., XCLIENT). */ 2050 if (state->sasl_method) 2051 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2052 MAIL_ATTR_SASL_METHOD, state->sasl_method); 2053 if (state->sasl_username) 2054 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2055 MAIL_ATTR_SASL_USERNAME, state->sasl_username); 2056 if (state->sasl_sender) 2057 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2058 MAIL_ATTR_SASL_SENDER, state->sasl_sender); 2059 #endif 2060 2061 /* 2062 * Record DSN related information that was received with the MAIL 2063 * FROM command. 2064 * 2065 * RFC 3461 Section 5.2.1. If no ENVID parameter was included in the 2066 * MAIL command when the message was received, the ENVID 2067 * parameter MUST NOT be supplied when the message is relayed. 2068 * Ditto for the RET parameter. 2069 * 2070 * In other words, we can't simply make up our default ENVID or RET 2071 * values. We have to remember whether the client sent any. 2072 * 2073 * We store DSN information as named attribute records so that we 2074 * don't have to pollute the queue file with records that are 2075 * incompatible with past Postfix versions. Preferably, people 2076 * should be able to back out from an upgrade without losing 2077 * mail. 2078 */ 2079 if (state->dsn_envid) 2080 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2081 MAIL_ATTR_DSN_ENVID, state->dsn_envid); 2082 if (state->dsn_ret) 2083 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d", 2084 MAIL_ATTR_DSN_RET, state->dsn_ret); 2085 } 2086 rec_fputs(state->cleanup, REC_TYPE_FROM, state->sender); 2087 if (state->encoding != 0) 2088 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2089 MAIL_ATTR_ENCODING, state->encoding); 2090 2091 /* 2092 * Store client attributes. 2093 */ 2094 if (SMTPD_STAND_ALONE(state) == 0) { 2095 2096 /* 2097 * Attributes for logging, also used for XFORWARD. 2098 * 2099 * We store all client attributes, including ones with unknown 2100 * values. Otherwise, an unknown client hostname would be treated 2101 * as a non-existent hostname (i.e. local submission). 2102 */ 2103 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2104 MAIL_ATTR_LOG_CLIENT_NAME, FORWARD_NAME(state)); 2105 /* XXX Note: state->rfc_addr, not state->addr. */ 2106 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2107 MAIL_ATTR_LOG_CLIENT_ADDR, FORWARD_ADDR(state)); 2108 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2109 MAIL_ATTR_LOG_CLIENT_PORT, FORWARD_PORT(state)); 2110 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2111 MAIL_ATTR_LOG_ORIGIN, FORWARD_NAMADDR(state)); 2112 if (FORWARD_HELO(state)) 2113 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2114 MAIL_ATTR_LOG_HELO_NAME, FORWARD_HELO(state)); 2115 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2116 MAIL_ATTR_LOG_PROTO_NAME, FORWARD_PROTO(state)); 2117 2118 /* 2119 * Attributes with actual client information. These are used by 2120 * the smtpd Milter client for policy decisions. Mail that is 2121 * requeued with "postsuper -r" is not subject to processing by 2122 * the cleanup Milter client, because a) it has already been 2123 * filtered, and b) we don't have sufficient information to 2124 * reproduce the exact same SMTP events and Sendmail macros that 2125 * the smtpd Milter client received when the message originally 2126 * arrived in Postfix. 2127 */ 2128 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2129 MAIL_ATTR_ACT_CLIENT_NAME, state->name); 2130 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2131 MAIL_ATTR_ACT_REVERSE_CLIENT_NAME, state->reverse_name); 2132 /* XXX Note: state->addr, not state->rfc_addr. */ 2133 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2134 MAIL_ATTR_ACT_CLIENT_ADDR, state->addr); 2135 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2136 MAIL_ATTR_ACT_CLIENT_PORT, state->port); 2137 if (state->helo_name) 2138 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2139 MAIL_ATTR_ACT_HELO_NAME, state->helo_name); 2140 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2141 MAIL_ATTR_ACT_PROTO_NAME, state->protocol); 2142 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%u", 2143 MAIL_ATTR_ACT_CLIENT_AF, state->addr_family); 2144 2145 /* 2146 * Don't send client certificate down the pipeline unless it is 2147 * a) verified or b) just a fingerprint. 2148 */ 2149 } 2150 if (state->verp_delims) 2151 rec_fputs(state->cleanup, REC_TYPE_VERP, state->verp_delims); 2152 } 2153 2154 /* 2155 * Log the queue ID with the message origin. 2156 */ 2157 #define PRINT_OR_NULL(cond, str) \ 2158 ((cond) ? (str) : "") 2159 #define PRINT2_OR_NULL(cond, name, value) \ 2160 PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value)) 2161 2162 msg_info("%s: client=%s%s%s%s%s%s%s%s%s%s%s", 2163 (state->queue_id ? state->queue_id : "NOQUEUE"), 2164 state->namaddr, 2165 #ifdef USE_SASL_AUTH 2166 PRINT2_OR_NULL(state->sasl_method, 2167 ", sasl_method=", state->sasl_method), 2168 PRINT2_OR_NULL(state->sasl_username, 2169 ", sasl_username=", state->sasl_username), 2170 PRINT2_OR_NULL(state->sasl_sender, 2171 ", sasl_sender=", state->sasl_sender), 2172 #else 2173 "", "", "", "", "", "", 2174 #endif 2175 /* Insert transaction TLS status here. */ 2176 PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state), 2177 ", orig_queue_id=", FORWARD_IDENT(state)), 2178 PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), 2179 ", orig_client=", FORWARD_NAMADDR(state))); 2180 return (0); 2181 } 2182 2183 /* extract_addr - extract address from rubble */ 2184 2185 static int extract_addr(SMTPD_STATE *state, SMTPD_TOKEN *arg, 2186 int allow_empty_addr, int strict_rfc821, 2187 int smtputf8) 2188 { 2189 const char *myname = "extract_addr"; 2190 TOK822 *tree; 2191 TOK822 *tp; 2192 TOK822 *addr = 0; 2193 int naddr; 2194 int non_addr; 2195 int err = 0; 2196 char *junk = 0; 2197 char *text; 2198 char *colon; 2199 2200 /* 2201 * Special case. 2202 */ 2203 #define PERMIT_EMPTY_ADDR 1 2204 #define REJECT_EMPTY_ADDR 0 2205 2206 /* 2207 * Some mailers send RFC822-style address forms (with comments and such) 2208 * in SMTP envelopes. We cannot blame users for this: the blame is with 2209 * programmers violating the RFC, and with sendmail for being permissive. 2210 * 2211 * XXX The SMTP command tokenizer must leave the address in externalized 2212 * (quoted) form, so that the address parser can correctly extract the 2213 * address from surrounding junk. 2214 * 2215 * XXX We have only one address parser, written according to the rules of 2216 * RFC 822. That standard differs subtly from RFC 821. 2217 */ 2218 if (msg_verbose) 2219 msg_info("%s: input: %s", myname, STR(arg->vstrval)); 2220 if (STR(arg->vstrval)[0] == '<' 2221 && STR(arg->vstrval)[LEN(arg->vstrval) - 1] == '>') { 2222 junk = text = mystrndup(STR(arg->vstrval) + 1, LEN(arg->vstrval) - 2); 2223 } else 2224 text = STR(arg->vstrval); 2225 2226 /* 2227 * Truncate deprecated route address form. 2228 */ 2229 if (*text == '@' && (colon = strchr(text, ':')) != 0) 2230 text = colon + 1; 2231 tree = tok822_parse(text); 2232 2233 if (junk) 2234 myfree(junk); 2235 2236 /* 2237 * Find trouble. 2238 */ 2239 for (naddr = non_addr = 0, tp = tree; tp != 0; tp = tp->next) { 2240 if (tp->type == TOK822_ADDR) { 2241 addr = tp; 2242 naddr += 1; /* count address forms */ 2243 } else if (tp->type == '<' || tp->type == '>') { 2244 /* void */ ; /* ignore brackets */ 2245 } else { 2246 non_addr += 1; /* count non-address forms */ 2247 } 2248 } 2249 2250 /* 2251 * Report trouble. XXX Should log a warning only if we are going to 2252 * sleep+reject so that attackers can't flood our logfiles. 2253 * 2254 * XXX Unfortunately, the sleep-before-reject feature had to be abandoned 2255 * (at least for small error counts) because servers were DOS-ing 2256 * themselves when flooded by backscatter traffic. 2257 */ 2258 if (naddr > 1 2259 || (strict_rfc821 && (non_addr || *STR(arg->vstrval) != '<'))) { 2260 msg_warn("Illegal address syntax from %s in %s command: %s", 2261 state->namaddr, state->where, 2262 printable(STR(arg->vstrval), '?')); 2263 err = 1; 2264 } 2265 2266 /* 2267 * Don't overwrite the input with the extracted address. We need the 2268 * original (external) form in case the client does not send ORCPT 2269 * information; and error messages are more accurate if we log the 2270 * unmodified form. We need the internal form for all other purposes. 2271 */ 2272 if (addr) 2273 tok822_internalize(state->addr_buf, addr->head, TOK822_STR_DEFL); 2274 else 2275 vstring_strcpy(state->addr_buf, ""); 2276 2277 /* 2278 * Report trouble. XXX Should log a warning only if we are going to 2279 * sleep+reject so that attackers can't flood our logfiles. Log the 2280 * original address. 2281 */ 2282 if (err == 0) 2283 if ((STR(state->addr_buf)[0] == 0 && !allow_empty_addr) 2284 || (strict_rfc821 && STR(state->addr_buf)[0] == '@') 2285 || (SMTPD_STAND_ALONE(state) == 0 2286 && smtpd_check_addr(strcmp(state->where, SMTPD_CMD_MAIL) == 0 ? 2287 state->recipient : state->sender, 2288 STR(state->addr_buf), smtputf8) != 0)) { 2289 msg_warn("Illegal address syntax from %s in %s command: %s", 2290 state->namaddr, state->where, 2291 printable(STR(arg->vstrval), '?')); 2292 err = 1; 2293 } 2294 2295 /* 2296 * Cleanup. 2297 */ 2298 tok822_free_tree(tree); 2299 if (msg_verbose) 2300 msg_info("%s: in: %s, result: %s", 2301 myname, STR(arg->vstrval), STR(state->addr_buf)); 2302 return (err); 2303 } 2304 2305 /* milter_argv - impedance adapter */ 2306 2307 static const char **milter_argv(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 2308 { 2309 int n; 2310 ssize_t len = argc + 1; 2311 2312 if (state->milter_argc < len) { 2313 if (state->milter_argc > 0) 2314 state->milter_argv = (const char **) 2315 myrealloc((void *) state->milter_argv, 2316 sizeof(const char *) * len); 2317 else 2318 state->milter_argv = (const char **) 2319 mymalloc(sizeof(const char *) * len); 2320 state->milter_argc = len; 2321 } 2322 for (n = 0; n < argc; n++) 2323 state->milter_argv[n] = argv[n].strval; 2324 state->milter_argv[n] = 0; 2325 return (state->milter_argv); 2326 } 2327 2328 /* mail_cmd - process MAIL command */ 2329 2330 static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 2331 { 2332 const char *err; 2333 int narg; 2334 char *arg; 2335 char *verp_delims = 0; 2336 int rate; 2337 int dsn_envid = 0; 2338 2339 state->flags &= ~SMTPD_FLAG_SMTPUTF8; 2340 state->encoding = 0; 2341 state->dsn_ret = 0; 2342 2343 /* 2344 * Sanity checks. 2345 * 2346 * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a 2347 * command in which invalid character codes have been employed, and for 2348 * which there are no other reasons for rejection, MUST reject that 2349 * command with a 501 response. Postfix attempts to be 8-bit clean. 2350 */ 2351 if (var_helo_required && state->helo_name == 0) { 2352 state->error_mask |= MAIL_ERROR_POLICY; 2353 smtpd_chat_reply(state, "503 5.5.1 Error: send HELO/EHLO first"); 2354 return (-1); 2355 } 2356 if (SMTPD_IN_MAIL_TRANSACTION(state)) { 2357 state->error_mask |= MAIL_ERROR_PROTOCOL; 2358 smtpd_chat_reply(state, "503 5.5.1 Error: nested MAIL command"); 2359 return (-1); 2360 } 2361 if (argc < 3 2362 || strcasecmp(argv[1].strval, "from:") != 0) { 2363 state->error_mask |= MAIL_ERROR_PROTOCOL; 2364 smtpd_chat_reply(state, "501 5.5.4 Syntax: MAIL FROM:<address>"); 2365 return (-1); 2366 } 2367 2368 /* 2369 * XXX The client event count/rate control must be consistent in its use 2370 * of client address information in connect and disconnect events. For 2371 * now we exclude xclient authorized hosts from event count/rate control. 2372 */ 2373 if (SMTPD_STAND_ALONE(state) == 0 2374 && !xclient_allowed 2375 && anvil_clnt 2376 && var_smtpd_cmail_limit > 0 2377 && !namadr_list_match(hogger_list, state->name, state->addr) 2378 && anvil_clnt_mail(anvil_clnt, state->service, state->addr, 2379 &rate) == ANVIL_STAT_OK 2380 && rate > var_smtpd_cmail_limit) { 2381 state->error_mask |= MAIL_ERROR_POLICY; 2382 smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s", 2383 state->addr); 2384 msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s", 2385 rate, state->namaddr, state->service); 2386 return (-1); 2387 } 2388 if (argv[2].tokval == SMTPD_TOK_ERROR) { 2389 state->error_mask |= MAIL_ERROR_PROTOCOL; 2390 smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax"); 2391 return (-1); 2392 } 2393 2394 /* 2395 * XXX The sender address comes first, but the optional SMTPUTF8 2396 * parameter determines what address syntax is permitted. We must process 2397 * this parameter early. 2398 */ 2399 if (var_smtputf8_enable 2400 && (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0) { 2401 for (narg = 3; narg < argc; narg++) { 2402 arg = argv[narg].strval; 2403 if (strcasecmp(arg, "SMTPUTF8") == 0) { /* RFC 6531 */ 2404 /* Fix 20161206: allow UTF8 in smtpd_sender_restrictions. */ 2405 state->flags |= SMTPD_FLAG_SMTPUTF8; 2406 break; 2407 } 2408 } 2409 } 2410 if (extract_addr(state, argv + 2, PERMIT_EMPTY_ADDR, 2411 var_strict_rfc821_env, 2412 state->flags & SMTPD_FLAG_SMTPUTF8) != 0) { 2413 state->error_mask |= MAIL_ERROR_PROTOCOL; 2414 smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax"); 2415 return (-1); 2416 } 2417 for (narg = 3; narg < argc; narg++) { 2418 arg = argv[narg].strval; 2419 if (strcasecmp(arg, "BODY=8BITMIME") == 0) { /* RFC 1652 */ 2420 state->encoding = MAIL_ATTR_ENC_8BIT; 2421 } else if (strcasecmp(arg, "BODY=7BIT") == 0) { /* RFC 1652 */ 2422 state->encoding = MAIL_ATTR_ENC_7BIT; 2423 } else if (strncasecmp(arg, "SIZE=", 5) == 0) { /* RFC 1870 */ 2424 /* Reject non-numeric size. */ 2425 if (!alldig(arg + 5)) { 2426 state->error_mask |= MAIL_ERROR_PROTOCOL; 2427 smtpd_chat_reply(state, "501 5.5.4 Bad message size syntax"); 2428 return (-1); 2429 } 2430 /* Reject size overflow. */ 2431 if ((state->msg_size = off_cvt_string(arg + 5)) < 0) { 2432 state->error_mask |= MAIL_ERROR_POLICY; 2433 smtpd_chat_reply(state, "552 5.3.4 Message size exceeds file system imposed limit"); 2434 return (-1); 2435 } 2436 } else if (var_smtputf8_enable 2437 && (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0 2438 && strcasecmp(arg, "SMTPUTF8") == 0) { /* RFC 6531 */ 2439 /* Already processed early. */ ; 2440 #ifdef USE_SASL_AUTH 2441 } else if (strncasecmp(arg, "AUTH=", 5) == 0) { 2442 if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) { 2443 smtpd_chat_reply(state, "%s", err); 2444 return (-1); 2445 } 2446 #endif 2447 } else if (namadr_list_match(verp_clients, state->name, state->addr) 2448 && strncasecmp(arg, VERP_CMD, VERP_CMD_LEN) == 0 2449 && (arg[VERP_CMD_LEN] == '=' || arg[VERP_CMD_LEN] == 0)) { 2450 if (arg[VERP_CMD_LEN] == 0) { 2451 verp_delims = var_verp_delims; 2452 } else { 2453 verp_delims = arg + VERP_CMD_LEN + 1; 2454 if (verp_delims_verify(verp_delims) != 0) { 2455 state->error_mask |= MAIL_ERROR_PROTOCOL; 2456 smtpd_chat_reply(state, 2457 "501 5.5.4 Error: %s needs two characters from %s", 2458 VERP_CMD, var_verp_filter); 2459 return (-1); 2460 } 2461 } 2462 } else if (strncasecmp(arg, "RET=", 4) == 0) { /* RFC 3461 */ 2463 /* Sanitized on input. */ 2464 if (state->ehlo_discard_mask & EHLO_MASK_DSN) { 2465 state->error_mask |= MAIL_ERROR_PROTOCOL; 2466 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled"); 2467 return (-1); 2468 } 2469 if (state->dsn_ret 2470 || (state->dsn_ret = dsn_ret_code(arg + 4)) == 0) { 2471 state->error_mask |= MAIL_ERROR_PROTOCOL; 2472 smtpd_chat_reply(state, 2473 "501 5.5.4 Bad RET parameter syntax"); 2474 return (-1); 2475 } 2476 } else if (strncasecmp(arg, "ENVID=", 6) == 0) { /* RFC 3461 */ 2477 /* Sanitized by bounce server. */ 2478 if (state->ehlo_discard_mask & EHLO_MASK_DSN) { 2479 state->error_mask |= MAIL_ERROR_PROTOCOL; 2480 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled"); 2481 return (-1); 2482 } 2483 if (dsn_envid 2484 || xtext_unquote(state->dsn_buf, arg + 6) == 0 2485 || !allprint(STR(state->dsn_buf))) { 2486 state->error_mask |= MAIL_ERROR_PROTOCOL; 2487 smtpd_chat_reply(state, "501 5.5.4 Bad ENVID parameter syntax"); 2488 return (-1); 2489 } 2490 dsn_envid = 1; 2491 } else { 2492 state->error_mask |= MAIL_ERROR_PROTOCOL; 2493 smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg); 2494 return (-1); 2495 } 2496 } 2497 if ((err = smtpd_check_size(state, state->msg_size)) != 0) { 2498 smtpd_chat_reply(state, "%s", err); 2499 return (-1); 2500 } 2501 if (verp_delims && STR(state->addr_buf)[0] == 0) { 2502 smtpd_chat_reply(state, "503 5.5.4 Error: %s requires non-null sender", 2503 VERP_CMD); 2504 return (-1); 2505 } 2506 if (SMTPD_STAND_ALONE(state) == 0) { 2507 const char *verify_sender; 2508 2509 /* 2510 * XXX Don't reject the address when we're probed with our own 2511 * address verification sender address. Otherwise, some timeout or 2512 * some UCE block may result in mutual negative caching, making it 2513 * painful to get the mail through. Unfortunately we still have to 2514 * send the address to the Milters otherwise they may bail out with a 2515 * "missing recipient" protocol error. 2516 */ 2517 verify_sender = valid_verify_sender_addr(STR(state->addr_buf)); 2518 if (verify_sender != 0) 2519 vstring_strcpy(state->addr_buf, verify_sender); 2520 } 2521 if (SMTPD_STAND_ALONE(state) == 0 2522 && var_smtpd_delay_reject == 0 2523 && (err = smtpd_check_mail(state, STR(state->addr_buf))) != 0) { 2524 /* XXX Reset access map side effects. */ 2525 mail_reset(state); 2526 smtpd_chat_reply(state, "%s", err); 2527 return (-1); 2528 } 2529 if (smtpd_milters != 0 2530 && SMTPD_STAND_ALONE(state) == 0 2531 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) { 2532 PUSH_STRING(saved_sender, state->sender, STR(state->addr_buf)); 2533 err = milter_mail_event(smtpd_milters, 2534 milter_argv(state, argc - 2, argv + 2)); 2535 if (err != 0) { 2536 /* Log reject etc. with correct sender information. */ 2537 err = check_milter_reply(state, err); 2538 } 2539 POP_STRING(saved_sender, state->sender); 2540 if (err != 0) { 2541 /* XXX Reset access map side effects. */ 2542 mail_reset(state); 2543 smtpd_chat_reply(state, "%s", err); 2544 return (-1); 2545 } 2546 } 2547 if (SMTPD_STAND_ALONE(state) == 0) { 2548 err = smtpd_check_rewrite(state); 2549 if (err != 0) { 2550 /* XXX Reset access map side effects. */ 2551 mail_reset(state); 2552 smtpd_chat_reply(state, "%s", err); 2553 return (-1); 2554 } 2555 } 2556 2557 /* 2558 * Historically, Postfix does not forbid 8-bit envelope localparts. 2559 * Changing this would be a compatibility break. That can't happen in the 2560 * forseeable future. 2561 */ 2562 if ((var_strict_smtputf8 || warn_compat_break_smtputf8_enable) 2563 && (state->flags & SMTPD_FLAG_SMTPUTF8) == 0 2564 && *STR(state->addr_buf) && !allascii(STR(state->addr_buf))) { 2565 if (var_strict_smtputf8) { 2566 smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to " 2567 "send unicode address"); 2568 return (-1); 2569 } 2570 2571 /* 2572 * Not: #ifndef NO_EAI. They must configure SMTPUTF8_ENABLE=no if a 2573 * warning message is logged, so that they don't suddenly start to 2574 * lose mail after Postfix is built with EAI support. 2575 */ 2576 if (warn_compat_break_smtputf8_enable) 2577 msg_info("using backwards-compatible default setting " 2578 VAR_SMTPUTF8_ENABLE "=no to accept non-ASCII sender " 2579 "address \"%s\" from %s", STR(state->addr_buf), 2580 state->namaddr); 2581 } 2582 2583 /* 2584 * Check the queue file space, if applicable. The optional before-filter 2585 * speed-adjust buffers use disk space. However, we don't know if they 2586 * compete for storage space with the after-filter queue, so we can't 2587 * simply bump up the free space requirement to 2.5 * message_size_limit. 2588 */ 2589 if (!USE_SMTPD_PROXY(state) 2590 || (smtpd_proxy_opts & SMTPD_PROXY_FLAG_SPEED_ADJUST)) { 2591 if (SMTPD_STAND_ALONE(state) == 0 2592 && (err = smtpd_check_queue(state)) != 0) { 2593 /* XXX Reset access map side effects. */ 2594 mail_reset(state); 2595 smtpd_chat_reply(state, "%s", err); 2596 return (-1); 2597 } 2598 } 2599 2600 /* 2601 * No more early returns. The mail transaction is in progress. 2602 */ 2603 GETTIMEOFDAY(&state->arrival_time); 2604 state->sender = mystrdup(STR(state->addr_buf)); 2605 vstring_sprintf(state->instance, "%x.%lx.%lx.%x", 2606 var_pid, (unsigned long) state->arrival_time.tv_sec, 2607 (unsigned long) state->arrival_time.tv_usec, state->seqno++); 2608 if (verp_delims) 2609 state->verp_delims = mystrdup(verp_delims); 2610 if (dsn_envid) 2611 state->dsn_envid = mystrdup(STR(state->dsn_buf)); 2612 if (USE_SMTPD_PROXY(state)) 2613 state->proxy_mail = mystrdup(STR(state->buffer)); 2614 if (var_smtpd_delay_open == 0 && mail_open_stream(state) < 0) { 2615 /* XXX Reset access map side effects. */ 2616 mail_reset(state); 2617 return (-1); 2618 } 2619 smtpd_chat_reply(state, "250 2.1.0 Ok"); 2620 return (0); 2621 } 2622 2623 /* mail_reset - reset MAIL command stuff */ 2624 2625 static void mail_reset(SMTPD_STATE *state) 2626 { 2627 state->msg_size = 0; 2628 state->act_size = 0; 2629 state->flags &= SMTPD_MASK_MAIL_KEEP; 2630 2631 /* 2632 * Unceremoniously close the pipe to the cleanup service. The cleanup 2633 * service will delete the queue file when it detects a premature 2634 * end-of-file condition on input. 2635 */ 2636 if (state->cleanup != 0) { 2637 mail_stream_cleanup(state->dest); 2638 state->dest = 0; 2639 state->cleanup = 0; 2640 } 2641 state->err = 0; 2642 if (state->queue_id != 0) { 2643 myfree(state->queue_id); 2644 state->queue_id = 0; 2645 } 2646 if (state->sender) { 2647 if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0) 2648 milter_abort(smtpd_milters); 2649 myfree(state->sender); 2650 state->sender = 0; 2651 } 2652 if (state->verp_delims) { 2653 myfree(state->verp_delims); 2654 state->verp_delims = 0; 2655 } 2656 if (state->proxy_mail) { 2657 myfree(state->proxy_mail); 2658 state->proxy_mail = 0; 2659 } 2660 if (state->saved_filter) { 2661 myfree(state->saved_filter); 2662 state->saved_filter = 0; 2663 } 2664 if (state->saved_redirect) { 2665 myfree(state->saved_redirect); 2666 state->saved_redirect = 0; 2667 } 2668 if (state->saved_bcc) { 2669 myfree(state->saved_bcc); 2670 state->saved_bcc = 0; 2671 } 2672 state->saved_flags = 0; 2673 #ifdef DELAY_ACTION 2674 state->saved_delay = 0; 2675 #endif 2676 #ifdef USE_SASL_AUTH 2677 if (state->sasl_sender) 2678 smtpd_sasl_mail_reset(state); 2679 #endif 2680 state->discard = 0; 2681 VSTRING_RESET(state->instance); 2682 VSTRING_TERMINATE(state->instance); 2683 2684 if (state->proxy) 2685 smtpd_proxy_free(state); 2686 if (state->xforward.flags) 2687 smtpd_xforward_reset(state); 2688 if (state->prepend) 2689 state->prepend = argv_free(state->prepend); 2690 if (state->dsn_envid) { 2691 myfree(state->dsn_envid); 2692 state->dsn_envid = 0; 2693 } 2694 if (state->milter_argv) { 2695 myfree((void *) state->milter_argv); 2696 state->milter_argv = 0; 2697 state->milter_argc = 0; 2698 } 2699 } 2700 2701 /* rcpt_cmd - process RCPT TO command */ 2702 2703 static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 2704 { 2705 SMTPD_PROXY *proxy; 2706 const char *err; 2707 int narg; 2708 char *arg; 2709 int rate; 2710 const char *dsn_orcpt_addr = 0; 2711 ssize_t dsn_orcpt_addr_len = 0; 2712 const char *dsn_orcpt_type = 0; 2713 int dsn_notify = 0; 2714 const char *coded_addr; 2715 const char *milter_err; 2716 2717 /* 2718 * Sanity checks. 2719 * 2720 * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a 2721 * command in which invalid character codes have been employed, and for 2722 * which there are no other reasons for rejection, MUST reject that 2723 * command with a 501 response. So much for the principle of "be liberal 2724 * in what you accept, be strict in what you send". 2725 */ 2726 if (!SMTPD_IN_MAIL_TRANSACTION(state)) { 2727 state->error_mask |= MAIL_ERROR_PROTOCOL; 2728 smtpd_chat_reply(state, "503 5.5.1 Error: need MAIL command"); 2729 return (-1); 2730 } 2731 if (argc < 3 2732 || strcasecmp(argv[1].strval, "to:") != 0) { 2733 state->error_mask |= MAIL_ERROR_PROTOCOL; 2734 smtpd_chat_reply(state, "501 5.5.4 Syntax: RCPT TO:<address>"); 2735 return (-1); 2736 } 2737 2738 /* 2739 * XXX The client event count/rate control must be consistent in its use 2740 * of client address information in connect and disconnect events. For 2741 * now we exclude xclient authorized hosts from event count/rate control. 2742 */ 2743 if (SMTPD_STAND_ALONE(state) == 0 2744 && !xclient_allowed 2745 && anvil_clnt 2746 && var_smtpd_crcpt_limit > 0 2747 && !namadr_list_match(hogger_list, state->name, state->addr) 2748 && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr, 2749 &rate) == ANVIL_STAT_OK 2750 && rate > var_smtpd_crcpt_limit) { 2751 state->error_mask |= MAIL_ERROR_POLICY; 2752 msg_warn("Recipient address rate limit exceeded: %d from %s for service %s", 2753 rate, state->namaddr, state->service); 2754 smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s", 2755 state->addr); 2756 return (-1); 2757 } 2758 if (argv[2].tokval == SMTPD_TOK_ERROR) { 2759 state->error_mask |= MAIL_ERROR_PROTOCOL; 2760 smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax"); 2761 return (-1); 2762 } 2763 if (extract_addr(state, argv + 2, REJECT_EMPTY_ADDR, var_strict_rfc821_env, 2764 state->flags & SMTPD_FLAG_SMTPUTF8) != 0) { 2765 state->error_mask |= MAIL_ERROR_PROTOCOL; 2766 smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax"); 2767 return (-1); 2768 } 2769 for (narg = 3; narg < argc; narg++) { 2770 arg = argv[narg].strval; 2771 if (strncasecmp(arg, "NOTIFY=", 7) == 0) { /* RFC 3461 */ 2772 /* Sanitized on input. */ 2773 if (state->ehlo_discard_mask & EHLO_MASK_DSN) { 2774 state->error_mask |= MAIL_ERROR_PROTOCOL; 2775 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled"); 2776 return (-1); 2777 } 2778 if (dsn_notify || (dsn_notify = dsn_notify_mask(arg + 7)) == 0) { 2779 state->error_mask |= MAIL_ERROR_PROTOCOL; 2780 smtpd_chat_reply(state, 2781 "501 5.5.4 Error: Bad NOTIFY parameter syntax"); 2782 return (-1); 2783 } 2784 } else if (strncasecmp(arg, "ORCPT=", 6) == 0) { /* RFC 3461 */ 2785 /* Sanitized by bounce server. */ 2786 if (state->ehlo_discard_mask & EHLO_MASK_DSN) { 2787 state->error_mask |= MAIL_ERROR_PROTOCOL; 2788 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled"); 2789 return (-1); 2790 } 2791 vstring_strcpy(state->dsn_orcpt_buf, arg + 6); 2792 if (dsn_orcpt_addr 2793 || (coded_addr = split_at(STR(state->dsn_orcpt_buf), ';')) == 0 2794 || *(dsn_orcpt_type = STR(state->dsn_orcpt_buf)) == 0 2795 || (strcasecmp(dsn_orcpt_type, "utf-8") == 0 ? 2796 uxtext_unquote(state->dsn_buf, coded_addr) == 0 : 2797 xtext_unquote(state->dsn_buf, coded_addr) == 0)) { 2798 state->error_mask |= MAIL_ERROR_PROTOCOL; 2799 smtpd_chat_reply(state, 2800 "501 5.5.4 Error: Bad ORCPT parameter syntax"); 2801 return (-1); 2802 } 2803 dsn_orcpt_addr = STR(state->dsn_buf); 2804 dsn_orcpt_addr_len = LEN(state->dsn_buf); 2805 } else { 2806 state->error_mask |= MAIL_ERROR_PROTOCOL; 2807 smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg); 2808 return (-1); 2809 } 2810 } 2811 if (var_smtpd_rcpt_limit && state->rcpt_count >= var_smtpd_rcpt_limit) { 2812 smtpd_chat_reply(state, "452 4.5.3 Error: too many recipients"); 2813 if (state->rcpt_overshoot++ < var_smtpd_rcpt_overlim) 2814 return (0); 2815 state->error_mask |= MAIL_ERROR_POLICY; 2816 return (-1); 2817 } 2818 2819 /* 2820 * Historically, Postfix does not forbid 8-bit envelope localparts. 2821 * Changing this would be a compatibility break. That can't happen in the 2822 * forseeable future. 2823 */ 2824 if ((var_strict_smtputf8 || warn_compat_break_smtputf8_enable) 2825 && (state->flags & SMTPD_FLAG_SMTPUTF8) == 0 2826 && *STR(state->addr_buf) && !allascii(STR(state->addr_buf))) { 2827 if (var_strict_smtputf8) { 2828 smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to " 2829 "send unicode address"); 2830 return (-1); 2831 } 2832 2833 /* 2834 * Not: #ifndef NO_EAI. They must configure SMTPUTF8_ENABLE=no if a 2835 * warning message is logged, so that they don't suddenly start to 2836 * lose mail after Postfix is built with EAI support. 2837 */ 2838 if (warn_compat_break_smtputf8_enable) 2839 msg_info("using backwards-compatible default setting " 2840 VAR_SMTPUTF8_ENABLE "=no to accept non-ASCII recipient " 2841 "address \"%s\" from %s", STR(state->addr_buf), 2842 state->namaddr); 2843 } 2844 if (SMTPD_STAND_ALONE(state) == 0) { 2845 const char *verify_sender; 2846 2847 /* 2848 * XXX Don't reject the address when we're probed with our own 2849 * address verification sender address. Otherwise, some timeout or 2850 * some UCE block may result in mutual negative caching, making it 2851 * painful to get the mail through. Unfortunately we still have to 2852 * send the address to the Milters otherwise they may bail out with a 2853 * "missing recipient" protocol error. 2854 */ 2855 verify_sender = valid_verify_sender_addr(STR(state->addr_buf)); 2856 if (verify_sender != 0) { 2857 vstring_strcpy(state->addr_buf, verify_sender); 2858 err = 0; 2859 } else { 2860 err = smtpd_check_rcpt(state, STR(state->addr_buf)); 2861 } 2862 if (smtpd_milters != 0 2863 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) { 2864 PUSH_STRING(saved_rcpt, state->recipient, STR(state->addr_buf)); 2865 state->milter_reject_text = err; 2866 milter_err = milter_rcpt_event(smtpd_milters, 2867 err == 0 ? MILTER_FLAG_NONE : 2868 MILTER_FLAG_WANT_RCPT_REJ, 2869 milter_argv(state, argc - 2, argv + 2)); 2870 if (err == 0 && milter_err != 0) { 2871 /* Log reject etc. with correct recipient information. */ 2872 err = check_milter_reply(state, milter_err); 2873 } 2874 POP_STRING(saved_rcpt, state->recipient); 2875 } 2876 if (err != 0) { 2877 smtpd_chat_reply(state, "%s", err); 2878 return (-1); 2879 } 2880 } 2881 2882 /* 2883 * Don't access the proxy, queue file, or queue file writer process until 2884 * we have a valid recipient address. 2885 */ 2886 if (state->proxy == 0 && state->cleanup == 0 && mail_open_stream(state) < 0) 2887 return (-1); 2888 2889 /* 2890 * Proxy the recipient. OK, so we lied. If the real-time proxy rejects 2891 * the recipient then we can have a proxy connection without having 2892 * accepted a recipient. 2893 */ 2894 proxy = state->proxy; 2895 if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_OK, 2896 "%s", STR(state->buffer)) != 0) { 2897 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 2898 return (-1); 2899 } 2900 2901 /* 2902 * Store the recipient. Remember the first one. 2903 * 2904 * Flush recipients to maintain a stiffer coupling with the next stage and 2905 * to better utilize parallelism. 2906 * 2907 * RFC 3461 Section 5.2.1: If the NOTIFY parameter was not supplied for a 2908 * recipient when the message was received, the NOTIFY parameter MUST NOT 2909 * be supplied for that recipient when the message is relayed. 2910 * 2911 * In other words, we can't simply make up our default NOTIFY value. We have 2912 * to remember whether the client sent any. 2913 * 2914 * RFC 3461 Section 5.2.1: If no ORCPT parameter was present when the 2915 * message was received, an ORCPT parameter MAY be added to the RCPT 2916 * command when the message is relayed. If an ORCPT parameter is added 2917 * by the relaying MTA, it MUST contain the recipient address from the 2918 * RCPT command used when the message was received by that MTA. 2919 * 2920 * In other words, it is OK to make up our own DSN original recipient when 2921 * the client didn't send one. Although the RFC mentions mail relaying 2922 * only, we also make up our own original recipient for the purpose of 2923 * final delivery. For now, we do this here, rather than on the fly. 2924 * 2925 * XXX We use REC_TYPE_ATTR for DSN-related recipient attributes even though 2926 * 1) REC_TYPE_ATTR is not meant for multiple instances of the same named 2927 * attribute, and 2) mixing REC_TYPE_ATTR with REC_TYPE_(not attr) 2928 * requires that we map attributes with rec_attr_map() in order to 2929 * simplify the recipient record processing loops in the cleanup and qmgr 2930 * servers. 2931 * 2932 * Another possibility, yet to be explored, is to leave the additional 2933 * recipient information in the queue file and just pass queue file 2934 * offsets along with the delivery request. This is a trade off between 2935 * memory allocation versus numeric conversion overhead. 2936 * 2937 * Since we have no record grouping mechanism, all recipient-specific 2938 * parameters must be sent to the cleanup server before the actual 2939 * recipient address. 2940 */ 2941 state->rcpt_count++; 2942 if (state->recipient == 0) 2943 state->recipient = mystrdup(STR(state->addr_buf)); 2944 if (state->cleanup) { 2945 /* Note: RFC(2)821 externalized address! */ 2946 if (dsn_orcpt_addr == 0) { 2947 dsn_orcpt_type = "rfc822"; 2948 dsn_orcpt_addr = argv[2].strval; 2949 dsn_orcpt_addr_len = strlen(argv[2].strval); 2950 if (dsn_orcpt_addr[0] == '<' 2951 && dsn_orcpt_addr[dsn_orcpt_addr_len - 1] == '>') { 2952 dsn_orcpt_addr += 1; 2953 dsn_orcpt_addr_len -= 2; 2954 } 2955 } 2956 if (dsn_notify) 2957 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d", 2958 MAIL_ATTR_DSN_NOTIFY, dsn_notify); 2959 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s;%.*s", 2960 MAIL_ATTR_DSN_ORCPT, dsn_orcpt_type, 2961 (int) dsn_orcpt_addr_len, dsn_orcpt_addr); 2962 rec_fputs(state->cleanup, REC_TYPE_RCPT, STR(state->addr_buf)); 2963 vstream_fflush(state->cleanup); 2964 } 2965 smtpd_chat_reply(state, "250 2.1.5 Ok"); 2966 return (0); 2967 } 2968 2969 /* rcpt_reset - reset RCPT stuff */ 2970 2971 static void rcpt_reset(SMTPD_STATE *state) 2972 { 2973 if (state->recipient) { 2974 myfree(state->recipient); 2975 state->recipient = 0; 2976 } 2977 state->rcpt_count = 0; 2978 /* XXX Must flush the command history. */ 2979 state->rcpt_overshoot = 0; 2980 } 2981 2982 #if 0 2983 2984 /* rfc2047_comment_encode - encode comment string */ 2985 2986 static VSTRING *rfc2047_comment_encode(const char *str, const char *charset) 2987 { 2988 VSTRING *buf = vstring_alloc(30); 2989 const unsigned char *cp; 2990 int ch; 2991 2992 /* 2993 * XXX This is problematic code. 2994 * 2995 * XXX Most of the RFC 2047 "especials" are not special in RFC*822 comments, 2996 * but we encode them anyway to avoid complaints. 2997 * 2998 * XXX In Received: header comments we enclose peer and issuer common names 2999 * with "" quotes (inherited from the Lutz Jaenicke patch). This is the 3000 * cause of several quirks. 3001 * 3002 * 1) We encode text that contains the " character, even though that 3003 * character is not special for RFC*822 comments. 3004 * 3005 * 2) We ignore the recommended limit of 75 characters per encoded word, 3006 * because long comments look ugly when folded in-between quotes. 3007 * 3008 * 3) We encode the enclosing quotes, to avoid producing invalid encoded 3009 * words. Microsoft abuses RFC 2047 encoding with attachment names, but 3010 * we have no information on what decoders do with malformed encoding in 3011 * comments. This means the comments are Jaenicke-compatible only after 3012 * decoding. 3013 */ 3014 #define ESPECIALS "()<>@,;:\"/[]?.=" /* Special in RFC 2047 */ 3015 #define QSPECIALS "_" ESPECIALS /* Special in RFC 2047 'Q' */ 3016 #define CSPECIALS "\\\"()" /* Special in our comments */ 3017 3018 /* Don't encode if not needed. */ 3019 for (cp = (unsigned char *) str; /* see below */ ; ++cp) { 3020 if ((ch = *cp) == 0) { 3021 vstring_sprintf(buf, "\"%s\"", str); 3022 return (buf); 3023 } 3024 if (!ISPRINT(ch) || strchr(CSPECIALS, ch)) 3025 break; 3026 } 3027 3028 /* 3029 * Use quoted-printable (like) encoding with spaces mapped to underscore. 3030 */ 3031 vstring_sprintf(buf, "=?%s?Q?=%02X", charset, '"'); 3032 for (cp = (unsigned char *) str; (ch = *cp) != 0; ++cp) { 3033 if (!ISPRINT(ch) || strchr(QSPECIALS CSPECIALS, ch)) { 3034 vstring_sprintf_append(buf, "=%02X", ch); 3035 } else if (ch == ' ') { 3036 VSTRING_ADDCH(buf, '_'); 3037 } else { 3038 VSTRING_ADDCH(buf, ch); 3039 } 3040 } 3041 vstring_sprintf_append(buf, "=%02X?=", '"'); 3042 return (buf); 3043 } 3044 3045 #endif 3046 3047 /* comment_sanitize - clean up comment string */ 3048 3049 static void comment_sanitize(VSTRING *comment_string) 3050 { 3051 unsigned char *cp; 3052 int ch; 3053 int pc; 3054 3055 /* 3056 * Postfix Received: headers can be configured to include a comment with 3057 * the CN (CommonName) of the peer and its issuer, or the login name of a 3058 * SASL authenticated user. To avoid problems with RFC 822 etc. syntax, 3059 * we limit this information to printable ASCII text, and neutralize 3060 * characters that affect comment parsing: the backslash and unbalanced 3061 * parentheses. 3062 */ 3063 for (pc = 0, cp = (unsigned char *) STR(comment_string); (ch = *cp) != 0; cp++) { 3064 if (!ISASCII(ch) || !ISPRINT(ch) || ch == '\\') { 3065 *cp = '?'; 3066 } else if (ch == '(') { 3067 pc++; 3068 } else if (ch == ')') { 3069 if (pc > 0) 3070 pc--; 3071 else 3072 *cp = '?'; 3073 } 3074 } 3075 while (pc-- > 0) 3076 VSTRING_ADDCH(comment_string, ')'); 3077 VSTRING_TERMINATE(comment_string); 3078 } 3079 3080 /* data_cmd - process DATA command */ 3081 3082 static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 3083 { 3084 SMTPD_PROXY *proxy; 3085 const char *err; 3086 char *start; 3087 int len; 3088 int curr_rec_type; 3089 int prev_rec_type; 3090 int first = 1; 3091 VSTRING *why = 0; 3092 int saved_err; 3093 int (*out_record) (VSTREAM *, int, const char *, ssize_t); 3094 int (*out_fprintf) (VSTREAM *, int, const char *,...); 3095 VSTREAM *out_stream; 3096 int out_error; 3097 char **cpp; 3098 const CLEANUP_STAT_DETAIL *detail; 3099 const char *rfc3848_sess; 3100 const char *rfc3848_auth; 3101 const char *with_protocol = (state->flags & SMTPD_FLAG_SMTPUTF8) ? 3102 "UTF8SMTP" : state->protocol; 3103 3104 #ifdef USE_TLS 3105 VSTRING *peer_CN; 3106 VSTRING *issuer_CN; 3107 3108 #endif 3109 #ifdef USE_SASL_AUTH 3110 VSTRING *username; 3111 3112 #endif 3113 3114 /* 3115 * Sanity checks. With ESMTP command pipelining the client can send DATA 3116 * before all recipients are rejected, so don't report that as a protocol 3117 * error. 3118 */ 3119 if (state->rcpt_count == 0) { 3120 if (!SMTPD_IN_MAIL_TRANSACTION(state)) { 3121 state->error_mask |= MAIL_ERROR_PROTOCOL; 3122 smtpd_chat_reply(state, "503 5.5.1 Error: need RCPT command"); 3123 } else { 3124 smtpd_chat_reply(state, "554 5.5.1 Error: no valid recipients"); 3125 } 3126 return (-1); 3127 } 3128 if (argc != 1) { 3129 state->error_mask |= MAIL_ERROR_PROTOCOL; 3130 smtpd_chat_reply(state, "501 5.5.4 Syntax: DATA"); 3131 return (-1); 3132 } 3133 if (SMTPD_STAND_ALONE(state) == 0 && (err = smtpd_check_data(state)) != 0) { 3134 smtpd_chat_reply(state, "%s", err); 3135 return (-1); 3136 } 3137 if (smtpd_milters != 0 3138 && SMTPD_STAND_ALONE(state) == 0 3139 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0 3140 && (err = milter_data_event(smtpd_milters)) != 0 3141 && (err = check_milter_reply(state, err)) != 0) { 3142 smtpd_chat_reply(state, "%s", err); 3143 return (-1); 3144 } 3145 proxy = state->proxy; 3146 if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_MORE, 3147 "%s", STR(state->buffer)) != 0) { 3148 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 3149 return (-1); 3150 } 3151 3152 /* 3153 * One level of indirection to choose between normal or proxied 3154 * operation. We want to avoid massive code duplication within tons of 3155 * if-else clauses. 3156 */ 3157 if (proxy) { 3158 out_stream = proxy->stream; 3159 out_record = proxy->rec_put; 3160 out_fprintf = proxy->rec_fprintf; 3161 out_error = CLEANUP_STAT_PROXY; 3162 } else { 3163 out_stream = state->cleanup; 3164 out_record = rec_put; 3165 out_fprintf = rec_fprintf; 3166 out_error = CLEANUP_STAT_WRITE; 3167 } 3168 3169 /* 3170 * Flush out a first batch of access table actions that are delegated to 3171 * the cleanup server, and that may trigger before we accept the first 3172 * valid recipient. There will be more after end-of-data. 3173 * 3174 * Terminate the message envelope segment. Start the message content 3175 * segment, and prepend our own Received: header. If there is only one 3176 * recipient, list the recipient address. 3177 */ 3178 if (state->cleanup) { 3179 if (SMTPD_STAND_ALONE(state) == 0) { 3180 if (smtpd_milters != 0 3181 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) 3182 /* Send actual smtpd_milters list. */ 3183 (void) milter_send(smtpd_milters, state->cleanup); 3184 if (state->saved_flags) 3185 rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d", 3186 state->saved_flags); 3187 } 3188 rec_fputs(state->cleanup, REC_TYPE_MESG, ""); 3189 } 3190 3191 /* 3192 * PREPEND message headers above our own Received: header. 3193 */ 3194 if (state->prepend) 3195 for (cpp = state->prepend->argv; *cpp; cpp++) 3196 out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp); 3197 3198 /* 3199 * Suppress our own Received: header in the unlikely case that we are an 3200 * intermediate proxy. 3201 */ 3202 if (!proxy || state->xforward.flags == 0) { 3203 out_fprintf(out_stream, REC_TYPE_NORM, 3204 "Received: from %s (%s [%s])", 3205 state->helo_name ? state->helo_name : state->name, 3206 state->name, state->rfc_addr); 3207 3208 #define VSTRING_STRDUP(s) vstring_strcpy(vstring_alloc(strlen(s) + 1), (s)) 3209 3210 #ifdef USE_TLS 3211 if (var_smtpd_tls_received_header && state->tls_context) { 3212 out_fprintf(out_stream, REC_TYPE_NORM, 3213 "\t(using %s with cipher %s (%d/%d bits))", 3214 state->tls_context->protocol, 3215 state->tls_context->cipher_name, 3216 state->tls_context->cipher_usebits, 3217 state->tls_context->cipher_algbits); 3218 if (TLS_CERT_IS_PRESENT(state->tls_context)) { 3219 peer_CN = VSTRING_STRDUP(state->tls_context->peer_CN); 3220 comment_sanitize(peer_CN); 3221 issuer_CN = VSTRING_STRDUP(state->tls_context->issuer_CN ? 3222 state->tls_context->issuer_CN : ""); 3223 comment_sanitize(issuer_CN); 3224 out_fprintf(out_stream, REC_TYPE_NORM, 3225 "\t(Client CN \"%s\", Issuer \"%s\" (%s))", 3226 STR(peer_CN), STR(issuer_CN), 3227 TLS_CERT_IS_TRUSTED(state->tls_context) ? 3228 "verified OK" : "not verified"); 3229 vstring_free(issuer_CN); 3230 vstring_free(peer_CN); 3231 } else if (var_smtpd_tls_ask_ccert) 3232 out_fprintf(out_stream, REC_TYPE_NORM, 3233 "\t(Client did not present a certificate)"); 3234 else 3235 out_fprintf(out_stream, REC_TYPE_NORM, 3236 "\t(No client certificate requested)"); 3237 } 3238 /* RFC 3848 is defined for ESMTP only. */ 3239 if (state->tls_context != 0 3240 && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0) 3241 rfc3848_sess = "S"; 3242 else 3243 #endif 3244 rfc3848_sess = ""; 3245 #ifdef USE_SASL_AUTH 3246 if (var_smtpd_sasl_auth_hdr && state->sasl_username) { 3247 username = VSTRING_STRDUP(state->sasl_username); 3248 comment_sanitize(username); 3249 out_fprintf(out_stream, REC_TYPE_NORM, 3250 "\t(Authenticated sender: %s)", STR(username)); 3251 vstring_free(username); 3252 } 3253 /* RFC 3848 is defined for ESMTP only. */ 3254 if (state->sasl_username 3255 && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0) 3256 rfc3848_auth = "A"; 3257 else 3258 #endif 3259 rfc3848_auth = ""; 3260 if (state->rcpt_count == 1 && state->recipient) { 3261 out_fprintf(out_stream, REC_TYPE_NORM, 3262 state->cleanup ? "\tby %s (%s) with %s%s%s id %s" : 3263 "\tby %s (%s) with %s%s%s", 3264 var_myhostname, var_mail_name, 3265 with_protocol, rfc3848_sess, 3266 rfc3848_auth, state->queue_id); 3267 quote_822_local(state->buffer, state->recipient); 3268 out_fprintf(out_stream, REC_TYPE_NORM, 3269 "\tfor <%s>; %s", STR(state->buffer), 3270 mail_date(state->arrival_time.tv_sec)); 3271 } else { 3272 out_fprintf(out_stream, REC_TYPE_NORM, 3273 state->cleanup ? "\tby %s (%s) with %s%s%s id %s;" : 3274 "\tby %s (%s) with %s%s%s;", 3275 var_myhostname, var_mail_name, 3276 with_protocol, rfc3848_sess, 3277 rfc3848_auth, state->queue_id); 3278 out_fprintf(out_stream, REC_TYPE_NORM, 3279 "\t%s", mail_date(state->arrival_time.tv_sec)); 3280 } 3281 #ifdef RECEIVED_ENVELOPE_FROM 3282 quote_822_local(state->buffer, state->sender); 3283 out_fprintf(out_stream, REC_TYPE_NORM, 3284 "\t(envelope-from %s)", STR(state->buffer)); 3285 #endif 3286 } 3287 smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>"); 3288 state->where = SMTPD_AFTER_DATA; 3289 3290 /* 3291 * Copy the message content. If the cleanup process has a problem, keep 3292 * reading until the remote stops sending, then complain. Produce typed 3293 * records from the SMTP stream so we can handle data that spans buffers. 3294 * 3295 * XXX Force an empty record when the queue file content begins with 3296 * whitespace, so that it won't be considered as being part of our own 3297 * Received: header. What an ugly Kluge. 3298 * 3299 * XXX Deal with UNIX-style From_ lines at the start of message content 3300 * because sendmail permits it. 3301 */ 3302 for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type) { 3303 if (smtp_get(state->buffer, state->client, var_line_limit, 3304 SMTP_GET_FLAG_NONE) == '\n') 3305 curr_rec_type = REC_TYPE_NORM; 3306 else 3307 curr_rec_type = REC_TYPE_CONT; 3308 start = vstring_str(state->buffer); 3309 len = VSTRING_LEN(state->buffer); 3310 if (first) { 3311 if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) { 3312 out_fprintf(out_stream, curr_rec_type, 3313 "X-Mailbox-Line: %s", start); 3314 continue; 3315 } 3316 first = 0; 3317 if (len > 0 && IS_SPACE_TAB(start[0])) 3318 out_record(out_stream, REC_TYPE_NORM, "", 0); 3319 } 3320 if (prev_rec_type != REC_TYPE_CONT && *start == '.' 3321 && (proxy == 0 ? (++start, --len) == 0 : len == 1)) 3322 break; 3323 if (state->err == CLEANUP_STAT_OK) { 3324 if (var_message_limit > 0 && var_message_limit - state->act_size < len + 2) { 3325 state->err = CLEANUP_STAT_SIZE; 3326 msg_warn("%s: queue file size limit exceeded", 3327 state->queue_id ? state->queue_id : "NOQUEUE"); 3328 } else { 3329 state->act_size += len + 2; 3330 if (out_record(out_stream, curr_rec_type, start, len) < 0) 3331 state->err = out_error; 3332 } 3333 } 3334 } 3335 state->where = SMTPD_AFTER_DOT; 3336 if (state->err == CLEANUP_STAT_OK 3337 && SMTPD_STAND_ALONE(state) == 0 3338 && (err = smtpd_check_eod(state)) != 0) { 3339 smtpd_chat_reply(state, "%s", err); 3340 if (proxy) { 3341 smtpd_proxy_close(state); 3342 } else { 3343 mail_stream_cleanup(state->dest); 3344 state->dest = 0; 3345 state->cleanup = 0; 3346 } 3347 return (-1); 3348 } 3349 3350 /* 3351 * Send the end of DATA and finish the proxy connection. Set the 3352 * CLEANUP_STAT_PROXY error flag in case of trouble. 3353 */ 3354 if (proxy) { 3355 if (state->err == CLEANUP_STAT_OK) { 3356 (void) proxy->cmd(state, SMTPD_PROX_WANT_ANY, "."); 3357 if (state->err == CLEANUP_STAT_OK && 3358 *STR(proxy->reply) != '2') 3359 state->err = CLEANUP_STAT_CONT; 3360 } 3361 } 3362 3363 /* 3364 * Flush out access table actions that are delegated to the cleanup 3365 * server. There is similar code at the beginning of the DATA command. 3366 * 3367 * Send the end-of-segment markers and finish the queue file record stream. 3368 */ 3369 else { 3370 if (state->err == CLEANUP_STAT_OK) { 3371 rec_fputs(state->cleanup, REC_TYPE_XTRA, ""); 3372 if (state->saved_filter) 3373 rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s", 3374 state->saved_filter); 3375 if (state->saved_redirect) 3376 rec_fprintf(state->cleanup, REC_TYPE_RDR, "%s", 3377 state->saved_redirect); 3378 if (state->saved_bcc) { 3379 rec_fprintf(state->cleanup, REC_TYPE_RCPT, "%s", 3380 state->saved_bcc); 3381 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d", 3382 MAIL_ATTR_DSN_NOTIFY, DSN_NOTIFY_NEVER); 3383 } 3384 if (state->saved_flags) 3385 rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d", 3386 state->saved_flags); 3387 #ifdef DELAY_ACTION 3388 if (state->saved_delay) 3389 rec_fprintf(state->cleanup, REC_TYPE_DELAY, "%d", 3390 state->saved_delay); 3391 #endif 3392 if (vstream_ferror(state->cleanup)) 3393 state->err = CLEANUP_STAT_WRITE; 3394 } 3395 if (state->err == CLEANUP_STAT_OK) 3396 if (rec_fputs(state->cleanup, REC_TYPE_END, "") < 0 3397 || vstream_fflush(state->cleanup)) 3398 state->err = CLEANUP_STAT_WRITE; 3399 if (state->err == 0) { 3400 why = vstring_alloc(10); 3401 state->err = mail_stream_finish(state->dest, why); 3402 printable(STR(why), ' '); 3403 } else 3404 mail_stream_cleanup(state->dest); 3405 state->dest = 0; 3406 state->cleanup = 0; 3407 } 3408 3409 /* 3410 * XXX If we lose the cleanup server while it is editing a queue file, 3411 * the Postfix SMTP server will be out of sync with Milter applications. 3412 * Sending an ABORT to the Milters is not sufficient to restore 3413 * synchronization, because there may be any number of Milter replies 3414 * already in flight. Destroying and recreating the Milters (and faking 3415 * the connect and ehlo events) is too much trouble for testing and 3416 * maintenance. Workaround: force the Postfix SMTP server to hang up with 3417 * a 421 response in the rare case that the cleanup server breaks AND 3418 * that the remote SMTP client continues the session after end-of-data. 3419 * 3420 * XXX Should use something other than CLEANUP_STAT_WRITE when we lose 3421 * contact with the cleanup server. This requires changes to the 3422 * mail_stream module and its users (smtpd, qmqpd, perhaps sendmail). 3423 * 3424 * XXX See exception below in code that overrides state->access_denied for 3425 * compliance with RFC 2821 Sec 3.1. 3426 */ 3427 if (smtpd_milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0) 3428 state->access_denied = mystrdup("421 4.3.0 Mail system error"); 3429 3430 /* 3431 * Handle any errors. One message may suffer from multiple errors, so 3432 * complain only about the most severe error. Forgive any previous client 3433 * errors when a message was received successfully. 3434 * 3435 * See also: qmqpd.c 3436 */ 3437 #define IS_SMTP_REJECT(s) \ 3438 (((s)[0] == '4' || (s)[0] == '5') \ 3439 && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \ 3440 && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-')) 3441 3442 if (state->err == CLEANUP_STAT_OK) { 3443 state->error_count = 0; 3444 state->error_mask = 0; 3445 state->junk_cmds = 0; 3446 if (proxy) 3447 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 3448 else 3449 smtpd_chat_reply(state, 3450 "250 2.0.0 Ok: queued as %s", state->queue_id); 3451 } else if (why && IS_SMTP_REJECT(STR(why))) { 3452 state->error_mask |= MAIL_ERROR_POLICY; 3453 smtpd_chat_reply(state, "%s", STR(why)); 3454 } else if ((state->err & CLEANUP_STAT_DEFER) != 0) { 3455 state->error_mask |= MAIL_ERROR_POLICY; 3456 detail = cleanup_stat_detail(CLEANUP_STAT_DEFER); 3457 if (why && LEN(why) > 0) { 3458 /* Allow address-specific DSN status in header/body_checks. */ 3459 smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why)); 3460 } else { 3461 smtpd_chat_reply(state, "%d %s Error: %s", 3462 detail->smtp, detail->dsn, detail->text); 3463 } 3464 } else if ((state->err & CLEANUP_STAT_BAD) != 0) { 3465 state->error_mask |= MAIL_ERROR_SOFTWARE; 3466 detail = cleanup_stat_detail(CLEANUP_STAT_BAD); 3467 smtpd_chat_reply(state, "%d %s Error: internal error %d", 3468 detail->smtp, detail->dsn, state->err); 3469 } else if ((state->err & CLEANUP_STAT_SIZE) != 0) { 3470 state->error_mask |= MAIL_ERROR_BOUNCE; 3471 detail = cleanup_stat_detail(CLEANUP_STAT_SIZE); 3472 smtpd_chat_reply(state, "%d %s Error: %s", 3473 detail->smtp, detail->dsn, detail->text); 3474 } else if ((state->err & CLEANUP_STAT_HOPS) != 0) { 3475 state->error_mask |= MAIL_ERROR_BOUNCE; 3476 detail = cleanup_stat_detail(CLEANUP_STAT_HOPS); 3477 smtpd_chat_reply(state, "%d %s Error: %s", 3478 detail->smtp, detail->dsn, detail->text); 3479 } else if ((state->err & CLEANUP_STAT_CONT) != 0) { 3480 state->error_mask |= MAIL_ERROR_POLICY; 3481 detail = cleanup_stat_detail(CLEANUP_STAT_CONT); 3482 if (proxy) { 3483 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 3484 } else if (why && LEN(why) > 0) { 3485 /* Allow address-specific DSN status in header/body_checks. */ 3486 smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why)); 3487 } else { 3488 smtpd_chat_reply(state, "%d %s Error: %s", 3489 detail->smtp, detail->dsn, detail->text); 3490 } 3491 } else if ((state->err & CLEANUP_STAT_WRITE) != 0) { 3492 state->error_mask |= MAIL_ERROR_RESOURCE; 3493 detail = cleanup_stat_detail(CLEANUP_STAT_WRITE); 3494 smtpd_chat_reply(state, "%d %s Error: %s", 3495 detail->smtp, detail->dsn, detail->text); 3496 } else if ((state->err & CLEANUP_STAT_PROXY) != 0) { 3497 state->error_mask |= MAIL_ERROR_SOFTWARE; 3498 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 3499 } else { 3500 state->error_mask |= MAIL_ERROR_SOFTWARE; 3501 detail = cleanup_stat_detail(CLEANUP_STAT_BAD); 3502 smtpd_chat_reply(state, "%d %s Error: internal error %d", 3503 detail->smtp, detail->dsn, state->err); 3504 } 3505 3506 /* 3507 * By popular command: the proxy's end-of-data reply. 3508 */ 3509 if (proxy) 3510 msg_info("proxy-%s: %s: %s;%s", 3511 (state->err == CLEANUP_STAT_OK) ? "accept" : "reject", 3512 state->where, STR(proxy->reply), smtpd_whatsup(state)); 3513 3514 /* 3515 * Cleanup. The client may send another MAIL command. 3516 */ 3517 saved_err = state->err; 3518 chat_reset(state, var_smtpd_hist_thrsh); 3519 mail_reset(state); 3520 rcpt_reset(state); 3521 if (why) 3522 vstring_free(why); 3523 return (saved_err); 3524 } 3525 3526 /* rset_cmd - process RSET */ 3527 3528 static int rset_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 3529 { 3530 3531 /* 3532 * Sanity checks. 3533 */ 3534 if (argc != 1) { 3535 state->error_mask |= MAIL_ERROR_PROTOCOL; 3536 smtpd_chat_reply(state, "501 5.5.4 Syntax: RSET"); 3537 return (-1); 3538 } 3539 3540 /* 3541 * Restore state to right after HELO/EHLO command. 3542 */ 3543 chat_reset(state, var_smtpd_hist_thrsh); 3544 mail_reset(state); 3545 rcpt_reset(state); 3546 smtpd_chat_reply(state, "250 2.0.0 Ok"); 3547 return (0); 3548 } 3549 3550 /* noop_cmd - process NOOP */ 3551 3552 static int noop_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 3553 { 3554 3555 /* 3556 * XXX 2821 incompatibility: Section 4.1.1.9 says that NOOP can have a 3557 * parameter string which is to be ignored. NOOP instructions with 3558 * parameters? Go figure. 3559 * 3560 * RFC 2821 violates RFC 821, which says that NOOP takes no parameters. 3561 */ 3562 #ifdef RFC821_SYNTAX 3563 3564 /* 3565 * Sanity checks. 3566 */ 3567 if (argc != 1) { 3568 state->error_mask |= MAIL_ERROR_PROTOCOL; 3569 smtpd_chat_reply(state, "501 5.5.4 Syntax: NOOP"); 3570 return (-1); 3571 } 3572 #endif 3573 smtpd_chat_reply(state, "250 2.0.0 Ok"); 3574 return (0); 3575 } 3576 3577 /* vrfy_cmd - process VRFY */ 3578 3579 static int vrfy_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 3580 { 3581 const char *err = 0; 3582 int rate; 3583 int smtputf8 = 0; 3584 int saved_flags; 3585 3586 /* 3587 * The SMTP standard (RFC 821) disallows unquoted special characters in 3588 * the VRFY argument. Common practice violates the standard, however. 3589 * Postfix accomodates common practice where it violates the standard. 3590 * 3591 * XXX Impedance mismatch! The SMTP command tokenizer preserves quoting, 3592 * whereas the recipient restrictions checks expect unquoted (internal) 3593 * address forms. Therefore we must parse out the address, or we must 3594 * stop doing recipient restriction checks and lose the opportunity to 3595 * say "user unknown" at the SMTP port. 3596 * 3597 * XXX 2821 incompatibility and brain damage: Section 4.5.1 requires that 3598 * VRFY is implemented. RFC 821 specifies that VRFY is optional. It gets 3599 * even worse: section 3.5.3 says that a 502 (command recognized but not 3600 * implemented) reply is not fully compliant. 3601 * 3602 * Thus, an RFC 2821 compliant implementation cannot refuse to supply 3603 * information in reply to VRFY queries. That is simply bogus. The only 3604 * reply we could supply is a generic 252 reply. This causes spammers to 3605 * add tons of bogus addresses to their mailing lists (spam harvesting by 3606 * trying out large lists of potential recipient names with VRFY). 3607 */ 3608 #define SLOPPY 0 3609 3610 if (var_disable_vrfy_cmd) { 3611 state->error_mask |= MAIL_ERROR_POLICY; 3612 smtpd_chat_reply(state, "502 5.5.1 VRFY command is disabled"); 3613 return (-1); 3614 } 3615 /* Fix 20140707: handle missing address. */ 3616 if (var_smtputf8_enable 3617 && (state->ehlo_discard_mask & EHLO_MASK_SMTPUTF8) == 0 3618 && argc > 1 && strcasecmp(argv[argc - 1].strval, "SMTPUTF8") == 0) { 3619 argc--; /* RFC 6531 */ 3620 smtputf8 = 1; 3621 } 3622 if (argc < 2) { 3623 state->error_mask |= MAIL_ERROR_PROTOCOL; 3624 smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address%s", 3625 var_smtputf8_enable ? " [SMTPUTF8]" : ""); 3626 return (-1); 3627 } 3628 3629 /* 3630 * XXX The client event count/rate control must be consistent in its use 3631 * of client address information in connect and disconnect events. For 3632 * now we exclude xclient authorized hosts from event count/rate control. 3633 */ 3634 if (SMTPD_STAND_ALONE(state) == 0 3635 && !xclient_allowed 3636 && anvil_clnt 3637 && var_smtpd_crcpt_limit > 0 3638 && !namadr_list_match(hogger_list, state->name, state->addr) 3639 && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr, 3640 &rate) == ANVIL_STAT_OK 3641 && rate > var_smtpd_crcpt_limit) { 3642 state->error_mask |= MAIL_ERROR_POLICY; 3643 msg_warn("Recipient address rate limit exceeded: %d from %s for service %s", 3644 rate, state->namaddr, state->service); 3645 smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s", 3646 state->addr); 3647 return (-1); 3648 } 3649 if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0 3650 && (err[0] == '5' || err[0] == '4')) { 3651 state->error_mask |= MAIL_ERROR_POLICY; 3652 smtpd_chat_reply(state, "%s", err); 3653 return (-1); 3654 } 3655 if (argc > 2) 3656 collapse_args(argc - 1, argv + 1); 3657 if (extract_addr(state, argv + 1, REJECT_EMPTY_ADDR, SLOPPY, smtputf8) != 0) { 3658 state->error_mask |= MAIL_ERROR_PROTOCOL; 3659 smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax"); 3660 return (-1); 3661 } 3662 /* Fix 20140707: Check the VRFY command. */ 3663 if (smtputf8 == 0 && var_strict_smtputf8) { 3664 if (*STR(state->addr_buf) && !allascii(STR(state->addr_buf))) { 3665 mail_reset(state); 3666 smtpd_chat_reply(state, "553 5.6.7 Must declare SMTPUTF8 to send unicode address"); 3667 return (-1); 3668 } 3669 } 3670 /* Use state->addr_buf, with the unquoted result from extract_addr() */ 3671 if (SMTPD_STAND_ALONE(state) == 0) { 3672 /* Fix 20161206: allow UTF8 in smtpd_recipient_restrictions. */ 3673 saved_flags = state->flags; 3674 if (smtputf8) 3675 state->flags |= SMTPD_FLAG_SMTPUTF8; 3676 err = smtpd_check_rcpt(state, STR(state->addr_buf)); 3677 state->flags = saved_flags; 3678 if (err != 0) { 3679 smtpd_chat_reply(state, "%s", err); 3680 return (-1); 3681 } 3682 } 3683 3684 /* 3685 * XXX 2821 new feature: Section 3.5.1 requires that the VRFY response is 3686 * either "full name <user@domain>" or "user@domain". Postfix replies 3687 * with the string that was provided by the client, whether or not it is 3688 * in fully qualified domain form and the address is in <>. 3689 * 3690 * Reply code 250 is reserved for the case where the address is verified; 3691 * reply code 252 should be used when no definitive certainty exists. 3692 */ 3693 smtpd_chat_reply(state, "252 2.0.0 %s", argv[1].strval); 3694 return (0); 3695 } 3696 3697 /* etrn_cmd - process ETRN command */ 3698 3699 static int etrn_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 3700 { 3701 const char *err; 3702 3703 /* 3704 * Sanity checks. 3705 */ 3706 if (var_helo_required && state->helo_name == 0) { 3707 state->error_mask |= MAIL_ERROR_POLICY; 3708 smtpd_chat_reply(state, "503 Error: send HELO/EHLO first"); 3709 return (-1); 3710 } 3711 if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0 3712 && (err[0] == '5' || err[0] == '4')) { 3713 state->error_mask |= MAIL_ERROR_POLICY; 3714 smtpd_chat_reply(state, "%s", err); 3715 return (-1); 3716 } 3717 if (SMTPD_IN_MAIL_TRANSACTION(state)) { 3718 state->error_mask |= MAIL_ERROR_PROTOCOL; 3719 smtpd_chat_reply(state, "503 Error: MAIL transaction in progress"); 3720 return (-1); 3721 } 3722 if (argc != 2) { 3723 state->error_mask |= MAIL_ERROR_PROTOCOL; 3724 smtpd_chat_reply(state, "500 Syntax: ETRN domain"); 3725 return (-1); 3726 } 3727 if (argv[1].strval[0] == '@' || argv[1].strval[0] == '#') 3728 argv[1].strval++; 3729 3730 /* 3731 * As an extension to RFC 1985 we also allow an RFC 2821 address literal 3732 * enclosed in []. 3733 * 3734 * XXX There does not appear to be an ETRN parameter to indicate that the 3735 * domain name is UTF-8. 3736 */ 3737 if (!valid_hostname(argv[1].strval, DONT_GRIPE) 3738 && !valid_mailhost_literal(argv[1].strval, DONT_GRIPE)) { 3739 state->error_mask |= MAIL_ERROR_PROTOCOL; 3740 smtpd_chat_reply(state, "501 Error: invalid parameter syntax"); 3741 return (-1); 3742 } 3743 3744 /* 3745 * XXX The implementation borrows heavily from the code that implements 3746 * UCE restrictions. These typically return 450 or 550 when a request is 3747 * rejected. RFC 1985 requires that 459 be sent when the server refuses 3748 * to perform the request. 3749 */ 3750 if (SMTPD_STAND_ALONE(state)) { 3751 msg_warn("do not use ETRN in \"sendmail -bs\" mode"); 3752 smtpd_chat_reply(state, "458 Unable to queue messages"); 3753 return (-1); 3754 } 3755 if ((err = smtpd_check_etrn(state, argv[1].strval)) != 0) { 3756 smtpd_chat_reply(state, "%s", err); 3757 return (-1); 3758 } 3759 switch (flush_send_site(argv[1].strval)) { 3760 case FLUSH_STAT_OK: 3761 smtpd_chat_reply(state, "250 Queuing started"); 3762 return (0); 3763 case FLUSH_STAT_DENY: 3764 msg_warn("reject: ETRN %.100s... from %s", 3765 argv[1].strval, state->namaddr); 3766 smtpd_chat_reply(state, "459 <%s>: service unavailable", 3767 argv[1].strval); 3768 return (-1); 3769 case FLUSH_STAT_BAD: 3770 msg_warn("bad ETRN %.100s... from %s", argv[1].strval, state->namaddr); 3771 smtpd_chat_reply(state, "458 Unable to queue messages"); 3772 return (-1); 3773 default: 3774 msg_warn("unable to talk to fast flush service"); 3775 smtpd_chat_reply(state, "458 Unable to queue messages"); 3776 return (-1); 3777 } 3778 } 3779 3780 /* quit_cmd - process QUIT command */ 3781 3782 static int quit_cmd(SMTPD_STATE *state, int unused_argc, SMTPD_TOKEN *unused_argv) 3783 { 3784 int out_pending = vstream_bufstat(state->client, VSTREAM_BST_OUT_PEND); 3785 3786 /* 3787 * Don't bother checking the syntax. 3788 */ 3789 smtpd_chat_reply(state, "221 2.0.0 Bye"); 3790 3791 /* 3792 * When the "." and quit replies are pipelined, make sure they are 3793 * flushed now, to avoid repeated mail deliveries in case of a crash in 3794 * the "clean up before disconnect" code. 3795 * 3796 * XXX When this was added in Postfix 2.1 we used vstream_fflush(). As of 3797 * Postfix 2.3 we use smtp_flush() for better error reporting. 3798 */ 3799 if (out_pending > 0) 3800 smtp_flush(state->client); 3801 return (0); 3802 } 3803 3804 /* xclient_cmd - override SMTP client attributes */ 3805 3806 static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 3807 { 3808 SMTPD_TOKEN *argp; 3809 char *raw_value; 3810 char *attr_value; 3811 const char *bare_value; 3812 char *attr_name; 3813 int update_namaddr = 0; 3814 int name_status; 3815 static const NAME_CODE peer_codes[] = { 3816 XCLIENT_UNAVAILABLE, SMTPD_PEER_CODE_PERM, 3817 XCLIENT_TEMPORARY, SMTPD_PEER_CODE_TEMP, 3818 0, SMTPD_PEER_CODE_OK, 3819 }; 3820 static const NAME_CODE proto_names[] = { 3821 MAIL_PROTO_SMTP, 1, 3822 MAIL_PROTO_ESMTP, 2, 3823 0, -1, 3824 }; 3825 int got_helo = 0; 3826 int got_proto = 0; 3827 3828 #ifdef USE_SASL_AUTH 3829 int got_login = 0; 3830 char *saved_username; 3831 3832 #endif 3833 3834 /* 3835 * Sanity checks. 3836 * 3837 * XXX The XCLIENT command will override its own access control, so that 3838 * connection count/rate restrictions can be correctly simulated. 3839 */ 3840 if (SMTPD_IN_MAIL_TRANSACTION(state)) { 3841 state->error_mask |= MAIL_ERROR_PROTOCOL; 3842 smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress"); 3843 return (-1); 3844 } 3845 if (argc < 2) { 3846 state->error_mask |= MAIL_ERROR_PROTOCOL; 3847 smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...", 3848 XCLIENT_CMD); 3849 return (-1); 3850 } 3851 if (xclient_hosts && xclient_hosts->error) 3852 cant_permit_command(state, XCLIENT_CMD); 3853 if (!xclient_allowed) { 3854 state->error_mask |= MAIL_ERROR_POLICY; 3855 smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization"); 3856 return (-1); 3857 } 3858 #define STREQ(x,y) (strcasecmp((x), (y)) == 0) 3859 #define UPDATE_STR(s, v) do { \ 3860 const char *_v = (v); \ 3861 if (s) myfree(s); \ 3862 s = (_v) ? mystrdup(_v) : 0; \ 3863 } while(0) 3864 3865 /* 3866 * Initialize. 3867 */ 3868 if (state->expand_buf == 0) 3869 state->expand_buf = vstring_alloc(100); 3870 3871 /* 3872 * Iterate over all attribute=value elements. 3873 */ 3874 for (argp = argv + 1; argp < argv + argc; argp++) { 3875 attr_name = argp->strval; 3876 3877 if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) { 3878 state->error_mask |= MAIL_ERROR_PROTOCOL; 3879 smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected"); 3880 return (-1); 3881 } 3882 if (strlen(raw_value) > 255) { 3883 state->error_mask |= MAIL_ERROR_PROTOCOL; 3884 smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long"); 3885 return (-1); 3886 } 3887 3888 /* 3889 * Backwards compatibility: Postfix prior to version 2.3 does not 3890 * xtext encode attribute values. 3891 */ 3892 attr_value = xtext_unquote(state->expand_buf, raw_value) ? 3893 STR(state->expand_buf) : raw_value; 3894 3895 /* 3896 * For safety's sake mask non-printable characters. We'll do more 3897 * specific censoring later. 3898 */ 3899 printable(attr_value, '?'); 3900 3901 /* 3902 * NAME=substitute SMTP client hostname (and reverse/forward name, in 3903 * case of success). Also updates the client hostname lookup status 3904 * code. 3905 */ 3906 if (STREQ(attr_name, XCLIENT_NAME)) { 3907 name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value); 3908 if (name_status != SMTPD_PEER_CODE_OK) { 3909 attr_value = CLIENT_NAME_UNKNOWN; 3910 } else { 3911 /* XXX EAI */ 3912 if (!valid_hostname(attr_value, DONT_GRIPE)) { 3913 state->error_mask |= MAIL_ERROR_PROTOCOL; 3914 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3915 XCLIENT_NAME, attr_value); 3916 return (-1); 3917 } 3918 } 3919 state->name_status = name_status; 3920 UPDATE_STR(state->name, attr_value); 3921 update_namaddr = 1; 3922 if (name_status == SMTPD_PEER_CODE_OK) { 3923 UPDATE_STR(state->reverse_name, attr_value); 3924 state->reverse_name_status = name_status; 3925 } 3926 } 3927 3928 /* 3929 * REVERSE_NAME=substitute SMTP client reverse hostname. Also updates 3930 * the client reverse hostname lookup status code. 3931 */ 3932 else if (STREQ(attr_name, XCLIENT_REVERSE_NAME)) { 3933 name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value); 3934 if (name_status != SMTPD_PEER_CODE_OK) { 3935 attr_value = CLIENT_NAME_UNKNOWN; 3936 } else { 3937 /* XXX EAI */ 3938 if (!valid_hostname(attr_value, DONT_GRIPE)) { 3939 state->error_mask |= MAIL_ERROR_PROTOCOL; 3940 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3941 XCLIENT_REVERSE_NAME, attr_value); 3942 return (-1); 3943 } 3944 } 3945 state->reverse_name_status = name_status; 3946 UPDATE_STR(state->reverse_name, attr_value); 3947 } 3948 3949 /* 3950 * ADDR=substitute SMTP client network address. 3951 */ 3952 else if (STREQ(attr_name, XCLIENT_ADDR)) { 3953 if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) { 3954 attr_value = CLIENT_ADDR_UNKNOWN; 3955 bare_value = attr_value; 3956 } else { 3957 if ((bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0) { 3958 state->error_mask |= MAIL_ERROR_PROTOCOL; 3959 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3960 XCLIENT_ADDR, attr_value); 3961 return (-1); 3962 } 3963 } 3964 UPDATE_STR(state->addr, bare_value); 3965 UPDATE_STR(state->rfc_addr, attr_value); 3966 #ifdef HAS_IPV6 3967 if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":", 3968 sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0) 3969 state->addr_family = AF_INET6; 3970 else 3971 #endif 3972 state->addr_family = AF_INET; 3973 update_namaddr = 1; 3974 } 3975 3976 /* 3977 * PORT=substitute SMTP client port number. 3978 */ 3979 else if (STREQ(attr_name, XCLIENT_PORT)) { 3980 if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) { 3981 attr_value = CLIENT_PORT_UNKNOWN; 3982 } else { 3983 if (!alldig(attr_value) 3984 || strlen(attr_value) > sizeof("65535") - 1) { 3985 state->error_mask |= MAIL_ERROR_PROTOCOL; 3986 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3987 XCLIENT_PORT, attr_value); 3988 return (-1); 3989 } 3990 } 3991 UPDATE_STR(state->port, attr_value); 3992 update_namaddr = 1; 3993 } 3994 3995 /* 3996 * HELO=substitute SMTP client HELO parameter. Censor special 3997 * characters that could mess up message headers. 3998 */ 3999 else if (STREQ(attr_name, XCLIENT_HELO)) { 4000 if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) { 4001 attr_value = CLIENT_HELO_UNKNOWN; 4002 } else { 4003 if (strlen(attr_value) > VALID_HOSTNAME_LEN) { 4004 state->error_mask |= MAIL_ERROR_PROTOCOL; 4005 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4006 XCLIENT_HELO, attr_value); 4007 return (-1); 4008 } 4009 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4010 } 4011 UPDATE_STR(state->helo_name, attr_value); 4012 got_helo = 1; 4013 } 4014 4015 /* 4016 * PROTO=SMTP protocol name. 4017 */ 4018 else if (STREQ(attr_name, XCLIENT_PROTO)) { 4019 if (name_code(proto_names, NAME_CODE_FLAG_NONE, attr_value) < 0) { 4020 state->error_mask |= MAIL_ERROR_PROTOCOL; 4021 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4022 XCLIENT_PROTO, attr_value); 4023 return (-1); 4024 } 4025 UPDATE_STR(state->protocol, uppercase(attr_value)); 4026 got_proto = 1; 4027 } 4028 4029 /* 4030 * LOGIN=sasl_username. Sets the authentication method as XCLIENT. 4031 * This can be used even if SASL authentication is turned off in 4032 * main.cf. We can't make it easier than that. 4033 */ 4034 #ifdef USE_SASL_AUTH 4035 else if (STREQ(attr_name, XCLIENT_LOGIN)) { 4036 if (STREQ(attr_value, XCLIENT_UNAVAILABLE) == 0) { 4037 smtpd_sasl_auth_extern(state, attr_value, XCLIENT_CMD); 4038 got_login = 1; 4039 } 4040 } 4041 #endif 4042 4043 /* 4044 * Unknown attribute name. Complain. 4045 */ 4046 else { 4047 state->error_mask |= MAIL_ERROR_PROTOCOL; 4048 smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s", 4049 XCLIENT_CMD, attr_name); 4050 return (-1); 4051 } 4052 } 4053 4054 /* 4055 * Update the combined name and address when either has changed. 4056 */ 4057 if (update_namaddr) { 4058 if (state->namaddr) 4059 myfree(state->namaddr); 4060 state->namaddr = 4061 SMTPD_BUILD_NAMADDRPORT(state->name, state->addr, state->port); 4062 } 4063 4064 /* 4065 * XXX Compatibility: when the client issues XCLIENT then we have to go 4066 * back to initial server greeting stage, otherwise we can't correctly 4067 * simulate smtpd_client_restrictions (with smtpd_delay_reject=0) and 4068 * Milter connect restrictions. 4069 * 4070 * XXX Compatibility: for accurate simulation we must also reset the HELO 4071 * information. We keep the information if it was specified in the 4072 * XCLIENT command. 4073 * 4074 * XXX The client connection count/rate control must be consistent in its 4075 * use of client address information in connect and disconnect events. We 4076 * re-evaluate xclient so that we correctly simulate connection 4077 * concurrency and connection rate restrictions. 4078 * 4079 * XXX Duplicated from smtpd_proto(). 4080 */ 4081 xclient_allowed = 4082 namadr_list_match(xclient_hosts, state->name, state->addr); 4083 /* NOT: tls_reset() */ 4084 if (got_helo == 0) 4085 helo_reset(state); 4086 if (got_proto == 0 && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) { 4087 myfree(state->protocol); 4088 state->protocol = mystrdup(MAIL_PROTO_SMTP); 4089 } 4090 #ifdef USE_SASL_AUTH 4091 /* XXX What if they send the parameters via multiple commands? */ 4092 if (got_login == 0) 4093 smtpd_sasl_auth_reset(state); 4094 if (smtpd_sasl_is_active(state)) { 4095 if (got_login) 4096 saved_username = mystrdup(state->sasl_username); 4097 smtpd_sasl_deactivate(state); 4098 #ifdef USE_TLS 4099 if (state->tls_context != 0) /* TLS from XCLIENT proxy? */ 4100 smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS, 4101 var_smtpd_sasl_tls_opts); 4102 else 4103 #endif 4104 smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS, 4105 var_smtpd_sasl_opts); 4106 if (got_login) { 4107 smtpd_sasl_auth_extern(state, saved_username, XCLIENT_CMD); 4108 myfree(saved_username); 4109 } 4110 } 4111 #endif 4112 chat_reset(state, 0); 4113 mail_reset(state); 4114 rcpt_reset(state); 4115 if (smtpd_milters) 4116 milter_disc_event(smtpd_milters); 4117 vstream_longjmp(state->client, SMTP_ERR_NONE); 4118 return (0); 4119 } 4120 4121 /* xforward_cmd - forward logging attributes */ 4122 4123 static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 4124 { 4125 SMTPD_TOKEN *argp; 4126 char *raw_value; 4127 char *attr_value; 4128 const char *bare_value; 4129 char *attr_name; 4130 int updated = 0; 4131 static const NAME_CODE xforward_flags[] = { 4132 XFORWARD_NAME, SMTPD_STATE_XFORWARD_NAME, 4133 XFORWARD_ADDR, SMTPD_STATE_XFORWARD_ADDR, 4134 XFORWARD_PORT, SMTPD_STATE_XFORWARD_PORT, 4135 XFORWARD_PROTO, SMTPD_STATE_XFORWARD_PROTO, 4136 XFORWARD_HELO, SMTPD_STATE_XFORWARD_HELO, 4137 XFORWARD_IDENT, SMTPD_STATE_XFORWARD_IDENT, 4138 XFORWARD_DOMAIN, SMTPD_STATE_XFORWARD_DOMAIN, 4139 0, 0, 4140 }; 4141 static const char *context_name[] = { 4142 MAIL_ATTR_RWR_LOCAL, /* Postfix internal form */ 4143 MAIL_ATTR_RWR_REMOTE, /* Postfix internal form */ 4144 }; 4145 static const NAME_CODE xforward_to_context[] = { 4146 XFORWARD_DOM_LOCAL, 0, /* XFORWARD representation */ 4147 XFORWARD_DOM_REMOTE, 1, /* XFORWARD representation */ 4148 0, -1, 4149 }; 4150 int flag; 4151 int context_code; 4152 4153 /* 4154 * Sanity checks. 4155 */ 4156 if (SMTPD_IN_MAIL_TRANSACTION(state)) { 4157 state->error_mask |= MAIL_ERROR_PROTOCOL; 4158 smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress"); 4159 return (-1); 4160 } 4161 if (argc < 2) { 4162 state->error_mask |= MAIL_ERROR_PROTOCOL; 4163 smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...", 4164 XFORWARD_CMD); 4165 return (-1); 4166 } 4167 if (xforward_hosts && xforward_hosts->error) 4168 cant_permit_command(state, XFORWARD_CMD); 4169 if (!xforward_allowed) { 4170 state->error_mask |= MAIL_ERROR_POLICY; 4171 smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization"); 4172 return (-1); 4173 } 4174 4175 /* 4176 * Initialize. 4177 */ 4178 if (state->xforward.flags == 0) 4179 smtpd_xforward_preset(state); 4180 if (state->expand_buf == 0) 4181 state->expand_buf = vstring_alloc(100); 4182 4183 /* 4184 * Iterate over all attribute=value elements. 4185 */ 4186 for (argp = argv + 1; argp < argv + argc; argp++) { 4187 attr_name = argp->strval; 4188 4189 if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) { 4190 state->error_mask |= MAIL_ERROR_PROTOCOL; 4191 smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected"); 4192 return (-1); 4193 } 4194 if (strlen(raw_value) > 255) { 4195 state->error_mask |= MAIL_ERROR_PROTOCOL; 4196 smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long"); 4197 return (-1); 4198 } 4199 4200 /* 4201 * Backwards compatibility: Postfix prior to version 2.3 does not 4202 * xtext encode attribute values. 4203 */ 4204 attr_value = xtext_unquote(state->expand_buf, raw_value) ? 4205 STR(state->expand_buf) : raw_value; 4206 4207 /* 4208 * For safety's sake mask non-printable characters. We'll do more 4209 * specific censoring later. 4210 */ 4211 printable(attr_value, '?'); 4212 4213 flag = name_code(xforward_flags, NAME_CODE_FLAG_NONE, attr_name); 4214 switch (flag) { 4215 4216 /* 4217 * NAME=up-stream host name, not necessarily in the DNS. Censor 4218 * special characters that could mess up message headers. 4219 */ 4220 case SMTPD_STATE_XFORWARD_NAME: 4221 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4222 attr_value = CLIENT_NAME_UNKNOWN; 4223 } else { 4224 /* XXX EAI */ 4225 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4226 if (!valid_hostname(attr_value, DONT_GRIPE)) { 4227 state->error_mask |= MAIL_ERROR_PROTOCOL; 4228 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4229 XFORWARD_NAME, attr_value); 4230 return (-1); 4231 } 4232 } 4233 UPDATE_STR(state->xforward.name, attr_value); 4234 break; 4235 4236 /* 4237 * ADDR=up-stream host network address, not necessarily on the 4238 * Internet. Censor special characters that could mess up message 4239 * headers. 4240 */ 4241 case SMTPD_STATE_XFORWARD_ADDR: 4242 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4243 attr_value = CLIENT_ADDR_UNKNOWN; 4244 bare_value = attr_value; 4245 } else { 4246 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4247 if ((bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0) { 4248 state->error_mask |= MAIL_ERROR_PROTOCOL; 4249 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4250 XFORWARD_ADDR, attr_value); 4251 return (-1); 4252 } 4253 } 4254 UPDATE_STR(state->xforward.addr, bare_value); 4255 UPDATE_STR(state->xforward.rfc_addr, attr_value); 4256 break; 4257 4258 /* 4259 * PORT=up-stream port number. 4260 */ 4261 case SMTPD_STATE_XFORWARD_PORT: 4262 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4263 attr_value = CLIENT_PORT_UNKNOWN; 4264 } else { 4265 if (!alldig(attr_value) 4266 || strlen(attr_value) > sizeof("65535") - 1) { 4267 state->error_mask |= MAIL_ERROR_PROTOCOL; 4268 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4269 XFORWARD_PORT, attr_value); 4270 return (-1); 4271 } 4272 } 4273 UPDATE_STR(state->xforward.port, attr_value); 4274 break; 4275 4276 /* 4277 * HELO=hostname that the up-stream MTA introduced itself with 4278 * (not necessarily SMTP HELO). Censor special characters that 4279 * could mess up message headers. 4280 */ 4281 case SMTPD_STATE_XFORWARD_HELO: 4282 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4283 attr_value = CLIENT_HELO_UNKNOWN; 4284 } else { 4285 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4286 } 4287 UPDATE_STR(state->xforward.helo_name, attr_value); 4288 break; 4289 4290 /* 4291 * PROTO=up-stream protocol, not necessarily SMTP or ESMTP. 4292 * Censor special characters that could mess up message headers. 4293 */ 4294 case SMTPD_STATE_XFORWARD_PROTO: 4295 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4296 attr_value = CLIENT_PROTO_UNKNOWN; 4297 } else { 4298 if (strlen(attr_value) > 64) { 4299 state->error_mask |= MAIL_ERROR_PROTOCOL; 4300 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4301 XFORWARD_PROTO, attr_value); 4302 return (-1); 4303 } 4304 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4305 } 4306 UPDATE_STR(state->xforward.protocol, attr_value); 4307 break; 4308 4309 /* 4310 * IDENT=local message identifier on the up-stream MTA. Censor 4311 * special characters that could mess up logging or macro 4312 * expansions. 4313 */ 4314 case SMTPD_STATE_XFORWARD_IDENT: 4315 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4316 attr_value = CLIENT_IDENT_UNKNOWN; 4317 } else { 4318 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4319 } 4320 UPDATE_STR(state->xforward.ident, attr_value); 4321 break; 4322 4323 /* 4324 * DOMAIN=local or remote. 4325 */ 4326 case SMTPD_STATE_XFORWARD_DOMAIN: 4327 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) 4328 attr_value = XFORWARD_DOM_LOCAL; 4329 if ((context_code = name_code(xforward_to_context, 4330 NAME_CODE_FLAG_NONE, 4331 attr_value)) < 0) { 4332 state->error_mask |= MAIL_ERROR_PROTOCOL; 4333 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4334 XFORWARD_DOMAIN, attr_value); 4335 return (-1); 4336 } 4337 UPDATE_STR(state->xforward.domain, context_name[context_code]); 4338 break; 4339 4340 /* 4341 * Unknown attribute name. Complain. 4342 */ 4343 default: 4344 state->error_mask |= MAIL_ERROR_PROTOCOL; 4345 smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s", 4346 XFORWARD_CMD, attr_name); 4347 return (-1); 4348 } 4349 updated |= flag; 4350 } 4351 state->xforward.flags |= updated; 4352 4353 /* 4354 * Update the combined name and address when either has changed. Use only 4355 * the name when no address is available. 4356 */ 4357 if (updated & (SMTPD_STATE_XFORWARD_NAME | SMTPD_STATE_XFORWARD_ADDR)) { 4358 if (state->xforward.namaddr) 4359 myfree(state->xforward.namaddr); 4360 state->xforward.namaddr = 4361 IS_AVAIL_CLIENT_ADDR(state->xforward.addr) ? 4362 SMTPD_BUILD_NAMADDRPORT(state->xforward.name, 4363 state->xforward.addr, 4364 state->xforward.port) : 4365 mystrdup(state->xforward.name); 4366 } 4367 smtpd_chat_reply(state, "250 2.0.0 Ok"); 4368 return (0); 4369 } 4370 4371 /* chat_reset - notify postmaster and reset conversation log */ 4372 4373 static void chat_reset(SMTPD_STATE *state, int threshold) 4374 { 4375 4376 /* 4377 * Notify the postmaster if there were errors. This usually indicates a 4378 * client configuration problem, or that someone is trying nasty things. 4379 * Either is significant enough to bother the postmaster. XXX Can't 4380 * report problems when running in stand-alone mode: postmaster notices 4381 * require availability of the cleanup service. 4382 */ 4383 if (state->history != 0 && state->history->argc > threshold) { 4384 if (SMTPD_STAND_ALONE(state) == 0 4385 && (state->error_mask & state->notify_mask)) 4386 smtpd_chat_notify(state); 4387 state->error_mask = 0; 4388 smtpd_chat_reset(state); 4389 } 4390 } 4391 4392 #ifdef USE_TLS 4393 4394 /* smtpd_start_tls - turn on TLS or force disconnect */ 4395 4396 static void smtpd_start_tls(SMTPD_STATE *state) 4397 { 4398 int rate; 4399 int cert_present; 4400 int requirecert; 4401 4402 #ifdef USE_TLSPROXY 4403 4404 /* 4405 * This is non-production code, for tlsproxy(8) load testing only. It 4406 * implements enough to enable some Postfix features that depend on TLS 4407 * encryption. 4408 * 4409 * To insert tlsproxy(8) between this process and the SMTP client, we swap 4410 * the file descriptors between the state->tlsproxy and state->client 4411 * VSTREAMS, so that we don't lose all the user-configurable 4412 * state->client attributes (such as longjump buffers or timeouts). 4413 * 4414 * As we implement tlsproxy support in the Postfix SMTP client we should 4415 * develop a usable abstraction that encapsulates this stream plumbing in 4416 * a library module. 4417 */ 4418 vstream_control(state->tlsproxy, CA_VSTREAM_CTL_DOUBLE, CA_VSTREAM_CTL_END); 4419 vstream_control(state->client, CA_VSTREAM_CTL_SWAP_FD(state->tlsproxy), 4420 CA_VSTREAM_CTL_END); 4421 (void) vstream_fclose(state->tlsproxy); /* direct-to-client stream! */ 4422 state->tlsproxy = 0; 4423 4424 /* 4425 * After plumbing the plaintext stream, receive the TLS context object. 4426 * For this we must use the same VSTREAM buffer that we also use to 4427 * receive subsequent SMTP commands. The attribute protocol is robust 4428 * enough that an adversary cannot inject their own bogus TLS context 4429 * attributes into the stream. 4430 */ 4431 state->tls_context = tls_proxy_context_receive(state->client); 4432 4433 /* 4434 * XXX Maybe it is better to send this information to tlsproxy(8) when 4435 * requesting service, effectively making a remote tls_server_start() 4436 * call. 4437 */ 4438 requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls); 4439 4440 #else /* USE_TLSPROXY */ 4441 TLS_SERVER_START_PROPS props; 4442 static char *cipher_grade; 4443 static VSTRING *cipher_exclusions; 4444 4445 /* 4446 * Wrapper mode uses a dedicated port and always requires TLS. 4447 * 4448 * XXX In non-wrapper mode, it is possible to require client certificate 4449 * verification without requiring TLS. Since certificates can be verified 4450 * only while TLS is turned on, this means that Postfix will happily 4451 * perform SMTP transactions when the client does not use the STARTTLS 4452 * command. For this reason, Postfix does not require client certificate 4453 * verification unless TLS is required. 4454 * 4455 * The cipher grade and exclusions don't change between sessions. Compute 4456 * just once and cache. 4457 */ 4458 #define ADD_EXCLUDE(vstr, str) \ 4459 do { \ 4460 if (*(str)) \ 4461 vstring_sprintf_append((vstr), "%s%s", \ 4462 VSTRING_LEN(vstr) ? " " : "", (str)); \ 4463 } while (0) 4464 4465 if (cipher_grade == 0) { 4466 cipher_grade = var_smtpd_enforce_tls ? 4467 var_smtpd_tls_mand_ciph : var_smtpd_tls_ciph; 4468 cipher_exclusions = vstring_alloc(10); 4469 ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_excl_ciph); 4470 if (var_smtpd_enforce_tls) 4471 ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_mand_excl); 4472 if (ask_client_cert) 4473 ADD_EXCLUDE(cipher_exclusions, "aNULL"); 4474 } 4475 4476 /* 4477 * Perform the TLS handshake now. Check the client certificate 4478 * requirements later, if necessary. 4479 */ 4480 requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls); 4481 4482 state->tls_context = 4483 TLS_SERVER_START(&props, 4484 ctx = smtpd_tls_ctx, 4485 stream = state->client, 4486 fd = -1, 4487 timeout = var_smtpd_starttls_tmout, 4488 requirecert = requirecert, 4489 serverid = state->service, 4490 namaddr = state->namaddr, 4491 cipher_grade = cipher_grade, 4492 cipher_exclusions = STR(cipher_exclusions), 4493 mdalg = var_smtpd_tls_fpt_dgst); 4494 4495 #endif /* USE_TLSPROXY */ 4496 4497 /* 4498 * For new (i.e. not re-used) TLS sessions, increment the client's new 4499 * TLS session rate counter. We enforce the limit here only for human 4500 * factors reasons (reduce the WTF factor), even though it is too late to 4501 * save the CPU that was already burnt on PKI ops. The real safety 4502 * mechanism applies with future STARTTLS commands (or wrappermode 4503 * connections), prior to the SSL handshake. 4504 * 4505 * XXX The client event count/rate control must be consistent in its use of 4506 * client address information in connect and disconnect events. For now 4507 * we exclude xclient authorized hosts from event count/rate control. 4508 */ 4509 if (var_smtpd_cntls_limit > 0 4510 && (state->tls_context == 0 || state->tls_context->session_reused == 0) 4511 && SMTPD_STAND_ALONE(state) == 0 4512 && !xclient_allowed 4513 && anvil_clnt 4514 && !namadr_list_match(hogger_list, state->name, state->addr) 4515 && anvil_clnt_newtls(anvil_clnt, state->service, state->addr, 4516 &rate) == ANVIL_STAT_OK 4517 && rate > var_smtpd_cntls_limit) { 4518 state->error_mask |= MAIL_ERROR_POLICY; 4519 msg_warn("New TLS session rate limit exceeded: %d from %s for service %s", 4520 rate, state->namaddr, state->service); 4521 if (state->tls_context) 4522 smtpd_chat_reply(state, 4523 "421 4.7.0 %s Error: too many new TLS sessions from %s", 4524 var_myhostname, state->namaddr); 4525 /* XXX Use regular return to signal end of session. */ 4526 vstream_longjmp(state->client, SMTP_ERR_QUIET); 4527 } 4528 4529 /* 4530 * When the TLS handshake fails, the conversation is in an unknown state. 4531 * There is nothing we can do except to disconnect from the client. 4532 */ 4533 if (state->tls_context == 0) 4534 vstream_longjmp(state->client, SMTP_ERR_EOF); 4535 4536 /* 4537 * If we are requiring verified client certs, enforce the constraint 4538 * here. We have a usable TLS session with the client, so no need to 4539 * disable I/O, ... we can even be polite and send "421 ...". 4540 */ 4541 if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) { 4542 4543 /* 4544 * Fetch and reject the next command (should be EHLO), then 4545 * disconnect (side-effect of returning "421 ...". 4546 */ 4547 cert_present = TLS_CERT_IS_PRESENT(state->tls_context); 4548 msg_info("NOQUEUE: abort: TLS from %s: %s", 4549 state->namaddr, cert_present ? 4550 "Client certificate not trusted" : 4551 "No client certificate presented"); 4552 smtpd_chat_query(state); 4553 smtpd_chat_reply(state, "421 4.7.1 %s Error: %s", 4554 var_myhostname, cert_present ? 4555 "Client certificate not trusted" : 4556 "No client certificate presented"); 4557 state->error_mask |= MAIL_ERROR_POLICY; 4558 return; 4559 } 4560 4561 /* 4562 * When TLS is turned on, we may offer AUTH methods that would not be 4563 * offered within a plain-text session. 4564 * 4565 * XXX Always refresh SASL the mechanism list after STARTTLS. Dovecot 4566 * responses may depend on whether the SMTP connection is encrypted. 4567 */ 4568 #ifdef USE_SASL_AUTH 4569 if (var_smtpd_sasl_enable) { 4570 /* Non-wrappermode, presumably. */ 4571 if (smtpd_sasl_is_active(state)) { 4572 smtpd_sasl_auth_reset(state); 4573 smtpd_sasl_deactivate(state); 4574 } 4575 /* Wrappermode and non-wrappermode. */ 4576 if (smtpd_sasl_is_active(state) == 0) 4577 smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS, 4578 var_smtpd_sasl_tls_opts); 4579 } 4580 #endif 4581 } 4582 4583 /* starttls_cmd - respond to STARTTLS */ 4584 4585 static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 4586 { 4587 const char *err; 4588 int rate; 4589 4590 if (argc != 1) { 4591 state->error_mask |= MAIL_ERROR_PROTOCOL; 4592 smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS"); 4593 return (-1); 4594 } 4595 if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0) { 4596 if (err[0] == '5') { 4597 state->error_mask |= MAIL_ERROR_POLICY; 4598 smtpd_chat_reply(state, "%s", err); 4599 return (-1); 4600 } 4601 /* Sendmail compatibility: map 4xx into 454. */ 4602 else if (err[0] == '4') { 4603 state->error_mask |= MAIL_ERROR_POLICY; 4604 smtpd_chat_reply(state, "454 4.3.0 Try again later"); 4605 return (-1); 4606 } 4607 } 4608 if (state->tls_context != 0) { 4609 state->error_mask |= MAIL_ERROR_PROTOCOL; 4610 smtpd_chat_reply(state, "554 5.5.1 Error: TLS already active"); 4611 return (-1); 4612 } 4613 if (var_smtpd_use_tls == 0 4614 || (state->ehlo_discard_mask & EHLO_MASK_STARTTLS)) { 4615 state->error_mask |= MAIL_ERROR_PROTOCOL; 4616 smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented"); 4617 return (-1); 4618 } 4619 #ifdef USE_TLSPROXY 4620 4621 /* 4622 * Note: state->tlsproxy is left open when smtp_flush() calls longjmp(), 4623 * so we garbage-collect the VSTREAM in smtpd_state_reset(). 4624 */ 4625 #define PROXY_OPEN_FLAGS \ 4626 (TLS_PROXY_FLAG_ROLE_SERVER | TLS_PROXY_FLAG_SEND_CONTEXT) 4627 4628 state->tlsproxy = tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS, 4629 state->client, state->addr, 4630 state->port, var_smtpd_tmout); 4631 if (state->tlsproxy == 0) { 4632 state->error_mask |= MAIL_ERROR_SOFTWARE; 4633 /* RFC 3207 Section 4. */ 4634 smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem"); 4635 return (-1); 4636 } 4637 #else /* USE_TLSPROXY */ 4638 if (smtpd_tls_ctx == 0) { 4639 state->error_mask |= MAIL_ERROR_SOFTWARE; 4640 /* RFC 3207 Section 4. */ 4641 smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem"); 4642 return (-1); 4643 } 4644 #endif /* USE_TLSPROXY */ 4645 4646 /* 4647 * Enforce TLS handshake rate limit when this client negotiated too many 4648 * new TLS sessions in the recent past. 4649 * 4650 * XXX The client event count/rate control must be consistent in its use of 4651 * client address information in connect and disconnect events. For now 4652 * we exclude xclient authorized hosts from event count/rate control. 4653 */ 4654 if (var_smtpd_cntls_limit > 0 4655 && SMTPD_STAND_ALONE(state) == 0 4656 && !xclient_allowed 4657 && anvil_clnt 4658 && !namadr_list_match(hogger_list, state->name, state->addr) 4659 && anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr, 4660 &rate) == ANVIL_STAT_OK 4661 && rate > var_smtpd_cntls_limit) { 4662 state->error_mask |= MAIL_ERROR_POLICY; 4663 msg_warn("Refusing STARTTLS request from %s for service %s", 4664 state->namaddr, state->service); 4665 smtpd_chat_reply(state, 4666 "454 4.7.0 Error: too many new TLS sessions from %s", 4667 state->namaddr); 4668 #ifdef USE_TLSPROXY 4669 (void) vstream_fclose(state->tlsproxy); 4670 state->tlsproxy = 0; 4671 #endif 4672 return (-1); 4673 } 4674 smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS"); 4675 /* Flush before we switch read/write routines or file descriptors. */ 4676 smtp_flush(state->client); 4677 /* At this point there must not be any pending plaintext. */ 4678 vstream_fpurge(state->client, VSTREAM_PURGE_BOTH); 4679 4680 /* 4681 * Reset all inputs to the initial state. 4682 * 4683 * XXX RFC 2487 does not forbid the use of STARTTLS while mail transfer is 4684 * in progress, so we have to allow it even when it makes no sense. 4685 */ 4686 helo_reset(state); 4687 mail_reset(state); 4688 rcpt_reset(state); 4689 4690 /* 4691 * Turn on TLS, using code that is shared with TLS wrapper mode. This 4692 * code does not return when the handshake fails. 4693 */ 4694 smtpd_start_tls(state); 4695 return (0); 4696 } 4697 4698 /* tls_reset - undo STARTTLS */ 4699 4700 static void tls_reset(SMTPD_STATE *state) 4701 { 4702 int failure = 0; 4703 4704 /* 4705 * Don't waste time when we lost contact. 4706 */ 4707 if (state->tls_context) { 4708 if (vstream_feof(state->client) || vstream_ferror(state->client)) 4709 failure = 1; 4710 vstream_fflush(state->client); /* NOT: smtp_flush() */ 4711 #ifdef USE_TLSPROXY 4712 tls_proxy_context_free(state->tls_context); 4713 #else 4714 tls_server_stop(smtpd_tls_ctx, state->client, var_smtpd_starttls_tmout, 4715 failure, state->tls_context); 4716 #endif 4717 state->tls_context = 0; 4718 } 4719 } 4720 4721 #endif 4722 4723 #if !defined(USE_TLS) || !defined(USE_SASL_AUTH) 4724 4725 /* unimpl_cmd - dummy for functionality that is not compiled in */ 4726 4727 static int unimpl_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 4728 { 4729 4730 /* 4731 * When a connection is closed we want to log the request counts for 4732 * unimplemented STARTTLS or AUTH commands separately, instead of logging 4733 * those commands as "unknown". By handling unimplemented commands with 4734 * this dummy function, we avoid messing up the command processing loop. 4735 */ 4736 state->error_mask |= MAIL_ERROR_PROTOCOL; 4737 smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented"); 4738 return (-1); 4739 } 4740 4741 #endif 4742 4743 /* 4744 * The table of all SMTP commands that we know. Set the junk limit flag on 4745 * any command that can be repeated an arbitrary number of times without 4746 * triggering a tarpit delay of some sort. 4747 */ 4748 typedef struct SMTPD_CMD { 4749 char *name; 4750 int (*action) (SMTPD_STATE *, int, SMTPD_TOKEN *); 4751 int flags; 4752 int success_count; 4753 int total_count; 4754 } SMTPD_CMD; 4755 4756 #define SMTPD_CMD_FLAG_LIMIT (1<<0) /* limit usage */ 4757 #define SMTPD_CMD_FLAG_PRE_TLS (1<<1) /* allow before STARTTLS */ 4758 #define SMTPD_CMD_FLAG_LAST (1<<2) /* last in PIPELINING command group */ 4759 4760 static SMTPD_CMD smtpd_cmd_table[] = { 4761 {SMTPD_CMD_HELO, helo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,}, 4762 {SMTPD_CMD_EHLO, ehlo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,}, 4763 {SMTPD_CMD_XCLIENT, xclient_cmd,}, 4764 {SMTPD_CMD_XFORWARD, xforward_cmd,}, 4765 #ifdef USE_TLS 4766 {SMTPD_CMD_STARTTLS, starttls_cmd, SMTPD_CMD_FLAG_PRE_TLS,}, 4767 #else 4768 {SMTPD_CMD_STARTTLS, unimpl_cmd, SMTPD_CMD_FLAG_PRE_TLS,}, 4769 #endif 4770 #ifdef USE_SASL_AUTH 4771 {SMTPD_CMD_AUTH, smtpd_sasl_auth_cmd_wrapper,}, 4772 #else 4773 {SMTPD_CMD_AUTH, unimpl_cmd,}, 4774 #endif 4775 {SMTPD_CMD_MAIL, mail_cmd,}, 4776 {SMTPD_CMD_RCPT, rcpt_cmd,}, 4777 {SMTPD_CMD_DATA, data_cmd, SMTPD_CMD_FLAG_LAST,}, 4778 {SMTPD_CMD_RSET, rset_cmd, SMTPD_CMD_FLAG_LIMIT,}, 4779 {SMTPD_CMD_NOOP, noop_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST,}, 4780 {SMTPD_CMD_VRFY, vrfy_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_LAST,}, 4781 {SMTPD_CMD_ETRN, etrn_cmd, SMTPD_CMD_FLAG_LIMIT,}, 4782 {SMTPD_CMD_QUIT, quit_cmd, SMTPD_CMD_FLAG_PRE_TLS,}, 4783 {0,}, 4784 }; 4785 4786 static STRING_LIST *smtpd_noop_cmds; 4787 static STRING_LIST *smtpd_forbid_cmds; 4788 4789 /* smtpd_proto - talk the SMTP protocol */ 4790 4791 static void smtpd_proto(SMTPD_STATE *state) 4792 { 4793 int argc; 4794 SMTPD_TOKEN *argv; 4795 SMTPD_CMD *cmdp; 4796 const char *ehlo_words; 4797 const char *err; 4798 int status; 4799 const char *cp; 4800 4801 #ifdef USE_TLS 4802 int tls_rate; 4803 4804 #endif 4805 4806 /* 4807 * Print a greeting banner and run the state machine. Read SMTP commands 4808 * one line at a time. According to the standard, a sender or recipient 4809 * address could contain an escaped newline. I think this is perverse, 4810 * and anyone depending on this is really asking for trouble. 4811 * 4812 * In case of mail protocol trouble, the program jumps back to this place, 4813 * so that it can perform the necessary cleanup before talking to the 4814 * next client. The setjmp/longjmp primitives are like a sharp tool: use 4815 * with care. I would certainly recommend against the use of 4816 * setjmp/longjmp in programs that change privilege levels. 4817 * 4818 * In case of file system trouble the program terminates after logging the 4819 * error and after informing the client. In all other cases (out of 4820 * memory, panic) the error is logged, and the msg_cleanup() exit handler 4821 * cleans up, but no attempt is made to inform the client of the nature 4822 * of the problem. 4823 */ 4824 smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_rec_deadline); 4825 4826 while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE) 4827 /* void */ ; 4828 switch (status) { 4829 4830 default: 4831 msg_panic("smtpd_proto: unknown error reading from %s", 4832 state->namaddr); 4833 break; 4834 4835 case SMTP_ERR_TIME: 4836 state->reason = REASON_TIMEOUT; 4837 if (vstream_setjmp(state->client) == 0) 4838 smtpd_chat_reply(state, "421 4.4.2 %s Error: timeout exceeded", 4839 var_myhostname); 4840 break; 4841 4842 case SMTP_ERR_EOF: 4843 state->reason = REASON_LOST_CONNECTION; 4844 break; 4845 4846 case SMTP_ERR_QUIET: 4847 break; 4848 4849 case SMTP_ERR_DATA: 4850 msg_info("%s: reject: %s from %s: " 4851 "421 4.3.0 %s Server local data error", 4852 (state->queue_id ? state->queue_id : "NOQUEUE"), 4853 state->where, state->namaddr, var_myhostname); 4854 state->error_mask |= MAIL_ERROR_DATA; 4855 if (vstream_setjmp(state->client) == 0) 4856 smtpd_chat_reply(state, "421 4.3.0 %s Server local data error", 4857 var_myhostname); 4858 break; 4859 4860 case 0: 4861 4862 /* 4863 * Reset the per-command counters. 4864 */ 4865 for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) { 4866 cmdp->success_count = cmdp->total_count = 0; 4867 if (cmdp->name == 0) 4868 break; 4869 } 4870 4871 /* 4872 * In TLS wrapper mode, turn on TLS using code that is shared with 4873 * the STARTTLS command. This code does not return when the handshake 4874 * fails. 4875 * 4876 * Enforce TLS handshake rate limit when this client negotiated too many 4877 * new TLS sessions in the recent past. 4878 * 4879 * XXX This means we don't complete a TLS handshake just to tell the 4880 * client that we don't provide service. TLS wrapper mode is 4881 * obsolete, so we don't have to provide perfect support. 4882 */ 4883 #ifdef USE_TLS 4884 if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) { 4885 #ifdef USE_TLSPROXY 4886 /* We garbage-collect the VSTREAM in smtpd_state_reset() */ 4887 state->tlsproxy = tls_proxy_open(var_tlsproxy_service, 4888 PROXY_OPEN_FLAGS, 4889 state->client, state->addr, 4890 state->port, var_smtpd_tmout); 4891 if (state->tlsproxy == 0) { 4892 msg_warn("Wrapper-mode request dropped from %s for service %s." 4893 " TLS context initialization failed. For details see" 4894 " earlier warnings in your logs.", 4895 state->namaddr, state->service); 4896 break; 4897 } 4898 #else /* USE_TLSPROXY */ 4899 if (smtpd_tls_ctx == 0) { 4900 msg_warn("Wrapper-mode request dropped from %s for service %s." 4901 " TLS context initialization failed. For details see" 4902 " earlier warnings in your logs.", 4903 state->namaddr, state->service); 4904 break; 4905 } 4906 #endif /* USE_TLSPROXY */ 4907 if (var_smtpd_cntls_limit > 0 4908 && !xclient_allowed 4909 && anvil_clnt 4910 && !namadr_list_match(hogger_list, state->name, state->addr) 4911 && anvil_clnt_newtls_stat(anvil_clnt, state->service, 4912 state->addr, &tls_rate) == ANVIL_STAT_OK 4913 && tls_rate > var_smtpd_cntls_limit) { 4914 state->error_mask |= MAIL_ERROR_POLICY; 4915 msg_warn("Refusing TLS service request from %s for service %s", 4916 state->namaddr, state->service); 4917 break; 4918 } 4919 smtpd_start_tls(state); 4920 } 4921 #endif 4922 4923 /* 4924 * XXX The client connection count/rate control must be consistent in 4925 * its use of client address information in connect and disconnect 4926 * events. For now we exclude xclient authorized hosts from 4927 * connection count/rate control. 4928 * 4929 * XXX Must send connect/disconnect events to the anvil server even when 4930 * this service is not connection count or rate limited, otherwise it 4931 * will discard client message or recipient rate information too 4932 * early or too late. 4933 */ 4934 if (SMTPD_STAND_ALONE(state) == 0 4935 && !xclient_allowed 4936 && anvil_clnt 4937 && !namadr_list_match(hogger_list, state->name, state->addr) 4938 && anvil_clnt_connect(anvil_clnt, state->service, state->addr, 4939 &state->conn_count, &state->conn_rate) 4940 == ANVIL_STAT_OK) { 4941 if (var_smtpd_cconn_limit > 0 4942 && state->conn_count > var_smtpd_cconn_limit) { 4943 state->error_mask |= MAIL_ERROR_POLICY; 4944 msg_warn("Connection concurrency limit exceeded: %d from %s for service %s", 4945 state->conn_count, state->namaddr, state->service); 4946 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s", 4947 var_myhostname, state->addr); 4948 break; 4949 } 4950 if (var_smtpd_crate_limit > 0 4951 && state->conn_rate > var_smtpd_crate_limit) { 4952 msg_warn("Connection rate limit exceeded: %d from %s for service %s", 4953 state->conn_rate, state->namaddr, state->service); 4954 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s", 4955 var_myhostname, state->addr); 4956 break; 4957 } 4958 } 4959 4960 /* 4961 * Determine what server ESMTP features to suppress, typically to 4962 * avoid inter-operability problems. Moved up so we don't send 421 4963 * immediately after sending the initial server response. 4964 */ 4965 if (ehlo_discard_maps == 0 4966 || (ehlo_words = maps_find(ehlo_discard_maps, state->addr, 0)) == 0) 4967 ehlo_words = var_smtpd_ehlo_dis_words; 4968 state->ehlo_discard_mask = ehlo_mask(ehlo_words); 4969 4970 /* XXX We use the real client for connect access control. */ 4971 if (SMTPD_STAND_ALONE(state) == 0 4972 && var_smtpd_delay_reject == 0 4973 && (err = smtpd_check_client(state)) != 0) { 4974 state->error_mask |= MAIL_ERROR_POLICY; 4975 state->access_denied = mystrdup(err); 4976 smtpd_chat_reply(state, "%s", state->access_denied); 4977 state->error_count++; 4978 } 4979 4980 /* 4981 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses 4982 * other than the initial greeting and any response to HELO or EHLO 4983 * are prefaced with a status code as defined in RFC 3463. 4984 */ 4985 4986 /* 4987 * XXX If a Milter rejects CONNECT, reply with 220 except in case of 4988 * hard reject or 421 (disconnect). The reply persists so it will 4989 * apply to MAIL FROM and to other commands such as AUTH, STARTTLS, 4990 * and VRFY. Note: after a Milter CONNECT reject, we must not reject 4991 * HELO or EHLO, but we do change the feature list that is announced 4992 * in the EHLO response. 4993 */ 4994 else { 4995 err = 0; 4996 if (smtpd_milters != 0 && SMTPD_STAND_ALONE(state) == 0) { 4997 milter_macro_callback(smtpd_milters, smtpd_milter_eval, 4998 (void *) state); 4999 if ((err = milter_conn_event(smtpd_milters, state->name, 5000 state->addr, 5001 strcmp(state->port, CLIENT_PORT_UNKNOWN) ? 5002 state->port : "0", 5003 state->addr_family)) != 0) 5004 err = check_milter_reply(state, err); 5005 } 5006 if (err && err[0] == '5') { 5007 state->error_mask |= MAIL_ERROR_POLICY; 5008 smtpd_chat_reply(state, "554 %s ESMTP not accepting connections", 5009 var_myhostname); 5010 state->error_count++; 5011 } else if (err && strncmp(err, "421", 3) == 0) { 5012 state->error_mask |= MAIL_ERROR_POLICY; 5013 smtpd_chat_reply(state, "421 %s Service unavailable - try again later", 5014 var_myhostname); 5015 /* Not: state->error_count++; */ 5016 } else { 5017 smtpd_chat_reply(state, "220 %s", var_smtpd_banner); 5018 } 5019 } 5020 5021 /* 5022 * SASL initialization for plaintext mode. 5023 * 5024 * XXX Backwards compatibility: allow AUTH commands when the AUTH 5025 * announcement is suppressed via smtpd_sasl_exceptions_networks. 5026 * 5027 * XXX Safety: don't enable SASL with "smtpd_tls_auth_only = yes" and 5028 * non-TLS build. 5029 */ 5030 #ifdef USE_SASL_AUTH 5031 if (var_smtpd_sasl_enable && smtpd_sasl_is_active(state) == 0 5032 #ifdef USE_TLS 5033 && state->tls_context == 0 && !var_smtpd_tls_auth_only 5034 #else 5035 && var_smtpd_tls_auth_only == 0 5036 #endif 5037 ) 5038 smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS, 5039 var_smtpd_sasl_opts); 5040 #endif 5041 5042 /* 5043 * The command read/execute loop. 5044 */ 5045 for (;;) { 5046 if (state->flags & SMTPD_FLAG_HANGUP) 5047 break; 5048 if (state->error_count >= var_smtpd_hard_erlim) { 5049 state->reason = REASON_ERROR_LIMIT; 5050 state->error_mask |= MAIL_ERROR_PROTOCOL; 5051 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors", 5052 var_myhostname); 5053 break; 5054 } 5055 watchdog_pat(); 5056 smtpd_chat_query(state); 5057 /* Safety: protect internal interfaces against malformed UTF-8. */ 5058 if (var_smtputf8_enable && valid_utf8_string(STR(state->buffer), 5059 LEN(state->buffer)) == 0) { 5060 state->error_mask |= MAIL_ERROR_PROTOCOL; 5061 smtpd_chat_reply(state, "500 5.5.2 Error: bad UTF-8 syntax"); 5062 state->error_count++; 5063 continue; 5064 } 5065 /* Move into smtpd_chat_query() and update session transcript. */ 5066 if (smtpd_cmd_filter != 0) { 5067 for (cp = STR(state->buffer); *cp && IS_SPACE_TAB(*cp); cp++) 5068 /* void */ ; 5069 if ((cp = dict_get(smtpd_cmd_filter, cp)) != 0) { 5070 msg_info("%s: replacing command \"%.100s\" with \"%.100s\"", 5071 state->namaddr, STR(state->buffer), cp); 5072 vstring_strcpy(state->buffer, cp); 5073 } else if (smtpd_cmd_filter->error != 0) { 5074 msg_warn("%s:%s lookup error for \"%.100s\"", 5075 smtpd_cmd_filter->type, smtpd_cmd_filter->name, 5076 printable(STR(state->buffer), '?')); 5077 vstream_longjmp(state->client, SMTP_ERR_DATA); 5078 } 5079 } 5080 if ((argc = smtpd_token(vstring_str(state->buffer), &argv)) == 0) { 5081 state->error_mask |= MAIL_ERROR_PROTOCOL; 5082 smtpd_chat_reply(state, "500 5.5.2 Error: bad syntax"); 5083 state->error_count++; 5084 continue; 5085 } 5086 /* Ignore smtpd_noop_cmds lookup errors. Non-critical feature. */ 5087 if (*var_smtpd_noop_cmds 5088 && string_list_match(smtpd_noop_cmds, argv[0].strval)) { 5089 smtpd_chat_reply(state, "250 2.0.0 Ok"); 5090 if (state->junk_cmds++ > var_smtpd_junk_cmd_limit) 5091 state->error_count++; 5092 continue; 5093 } 5094 for (cmdp = smtpd_cmd_table; cmdp->name != 0; cmdp++) 5095 if (strcasecmp(argv[0].strval, cmdp->name) == 0) 5096 break; 5097 cmdp->total_count += 1; 5098 /* Ignore smtpd_forbid_cmds lookup errors. Non-critical feature. */ 5099 if (cmdp->name == 0) { 5100 state->where = SMTPD_CMD_UNKNOWN; 5101 if (is_header(argv[0].strval) 5102 || (*var_smtpd_forbid_cmds 5103 && string_list_match(smtpd_forbid_cmds, argv[0].strval))) { 5104 msg_warn("non-SMTP command from %s: %.100s", 5105 state->namaddr, vstring_str(state->buffer)); 5106 smtpd_chat_reply(state, "221 2.7.0 Error: I can break rules, too. Goodbye."); 5107 break; 5108 } 5109 } 5110 /* XXX We use the real client for connect access control. */ 5111 if (state->access_denied && cmdp->action != quit_cmd) { 5112 /* XXX Exception for Milter override. */ 5113 if (strncmp(state->access_denied + 1, "21", 2) == 0) { 5114 smtpd_chat_reply(state, "%s", state->access_denied); 5115 continue; 5116 } 5117 smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s", 5118 state->namaddr); /* RFC 2821 Sec 3.1 */ 5119 state->error_count++; 5120 continue; 5121 } 5122 /* state->access_denied == 0 || cmdp->action == quit_cmd */ 5123 if (cmdp->name == 0) { 5124 if (smtpd_milters != 0 5125 && SMTPD_STAND_ALONE(state) == 0 5126 && (err = milter_unknown_event(smtpd_milters, 5127 argv[0].strval)) != 0 5128 && (err = check_milter_reply(state, err)) != 0) { 5129 smtpd_chat_reply(state, "%s", err); 5130 } else 5131 smtpd_chat_reply(state, "502 5.5.2 Error: command not recognized"); 5132 state->error_mask |= MAIL_ERROR_PROTOCOL; 5133 state->error_count++; 5134 continue; 5135 } 5136 #ifdef USE_TLS 5137 if (var_smtpd_enforce_tls && 5138 !state->tls_context && 5139 (cmdp->flags & SMTPD_CMD_FLAG_PRE_TLS) == 0) { 5140 smtpd_chat_reply(state, 5141 "530 5.7.0 Must issue a STARTTLS command first"); 5142 state->error_count++; 5143 continue; 5144 } 5145 #endif 5146 state->where = cmdp->name; 5147 if (SMTPD_STAND_ALONE(state) == 0 5148 && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0 5149 || (cmdp->flags & SMTPD_CMD_FLAG_LAST)) 5150 && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 5151 && (vstream_peek(state->client) > 0 5152 || peekfd(vstream_fileno(state->client)) > 0)) { 5153 if (state->expand_buf == 0) 5154 state->expand_buf = vstring_alloc(100); 5155 escape(state->expand_buf, vstream_peek_data(state->client), 5156 vstream_peek(state->client) < 100 ? 5157 vstream_peek(state->client) : 100); 5158 msg_info("improper command pipelining after %s from %s: %s", 5159 cmdp->name, state->namaddr, STR(state->expand_buf)); 5160 state->flags |= SMTPD_FLAG_ILL_PIPELINING; 5161 } 5162 if (cmdp->action(state, argc, argv) != 0) 5163 state->error_count++; 5164 else 5165 cmdp->success_count += 1; 5166 if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT) 5167 && state->junk_cmds++ > var_smtpd_junk_cmd_limit) 5168 state->error_count++; 5169 if (cmdp->action == quit_cmd) 5170 break; 5171 } 5172 break; 5173 } 5174 5175 /* 5176 * XXX The client connection count/rate control must be consistent in its 5177 * use of client address information in connect and disconnect events. 5178 * For now we exclude xclient authorized hosts from connection count/rate 5179 * control. 5180 * 5181 * XXX Must send connect/disconnect events to the anvil server even when 5182 * this service is not connection count or rate limited, otherwise it 5183 * will discard client message or recipient rate information too early or 5184 * too late. 5185 */ 5186 if (SMTPD_STAND_ALONE(state) == 0 5187 && !xclient_allowed 5188 && anvil_clnt 5189 && !namadr_list_match(hogger_list, state->name, state->addr)) 5190 anvil_clnt_disconnect(anvil_clnt, state->service, state->addr); 5191 5192 /* 5193 * Log abnormal session termination, in case postmaster notification has 5194 * been turned off. In the log, indicate the last recognized state before 5195 * things went wrong. Don't complain about clients that go away without 5196 * sending QUIT. Log the byte count after DATA to help diagnose MTU 5197 * troubles. 5198 */ 5199 if (state->reason && state->where) { 5200 if (strcmp(state->where, SMTPD_AFTER_DATA) == 0) { 5201 msg_info("%s after %s (%lu bytes) from %s", /* 2.5 compat */ 5202 state->reason, SMTPD_CMD_DATA, /* 2.5 compat */ 5203 (long) (state->act_size + vstream_peek(state->client)), 5204 state->namaddr); 5205 } else if (strcmp(state->where, SMTPD_AFTER_DOT) 5206 || strcmp(state->reason, REASON_LOST_CONNECTION)) { 5207 msg_info("%s after %s from %s", 5208 state->reason, state->where, state->namaddr); 5209 } 5210 } 5211 5212 /* 5213 * Cleanup whatever information the client gave us during the SMTP 5214 * dialog. 5215 * 5216 * XXX Duplicated in xclient_cmd(). 5217 */ 5218 #ifdef USE_TLS 5219 tls_reset(state); 5220 #endif 5221 helo_reset(state); 5222 #ifdef USE_SASL_AUTH 5223 smtpd_sasl_auth_reset(state); 5224 if (smtpd_sasl_is_active(state)) { 5225 smtpd_sasl_deactivate(state); 5226 } 5227 #endif 5228 chat_reset(state, 0); 5229 mail_reset(state); 5230 rcpt_reset(state); 5231 if (smtpd_milters) 5232 milter_disc_event(smtpd_milters); 5233 } 5234 5235 /* smtpd_format_cmd_stats - format per-command statistics */ 5236 5237 static char *smtpd_format_cmd_stats(VSTRING *buf) 5238 { 5239 SMTPD_CMD *cmdp; 5240 int all_success = 0; 5241 int all_total = 0; 5242 5243 /* 5244 * Log the statistics. Note that this loop produces no output when no 5245 * command was received. We address that after the loop. 5246 */ 5247 VSTRING_RESET(buf); 5248 for (cmdp = smtpd_cmd_table; /* see below */ ; cmdp++) { 5249 if (cmdp->total_count > 0) { 5250 vstring_sprintf_append(buf, " %s=%d", 5251 cmdp->name ? cmdp->name : "unknown", 5252 cmdp->success_count); 5253 if (cmdp->success_count != cmdp->total_count) 5254 vstring_sprintf_append(buf, "/%d", cmdp->total_count); 5255 all_success += cmdp->success_count; 5256 all_total += cmdp->total_count; 5257 } 5258 if (cmdp->name == 0) 5259 break; 5260 } 5261 5262 /* 5263 * Log total numbers, so that logfile analyzers will see something even 5264 * if the above loop produced no output. When no commands were received 5265 * log "0/0" to simplify the identification of abnormal sessions: any 5266 * statistics with [0-9]/ indicate that there was a problem. 5267 */ 5268 vstring_sprintf_append(buf, " commands=%d", all_success); 5269 if (all_success != all_total || all_total == 0) 5270 vstring_sprintf_append(buf, "/%d", all_total); 5271 return (lowercase(STR(buf))); 5272 } 5273 5274 5275 /* smtpd_service - service one client */ 5276 5277 static void smtpd_service(VSTREAM *stream, char *service, char **argv) 5278 { 5279 SMTPD_STATE state; 5280 5281 /* 5282 * Sanity check. This service takes no command-line arguments. 5283 */ 5284 if (argv[0]) 5285 msg_fatal("unexpected command-line argument: %s", argv[0]); 5286 5287 /* 5288 * For sanity, require that at least one of INET or INET6 is enabled. 5289 * Otherwise, we can't look up interface information, and we can't 5290 * convert names or addresses. 5291 */ 5292 if (SMTPD_STAND_ALONE_STREAM(stream) == 0 5293 && inet_proto_info()->ai_family_list[0] == 0) 5294 msg_fatal("all network protocols are disabled (%s = %s)", 5295 VAR_INET_PROTOCOLS, var_inet_protocols); 5296 5297 /* 5298 * This routine runs when a client has connected to our network port, or 5299 * when the smtp server is run in stand-alone mode (input from pipe). 5300 * 5301 * Look up and sanitize the peer name, then initialize some connection- 5302 * specific state. When the name service is hosed, hostname lookup will 5303 * take a while. This is why I always run a local name server on critical 5304 * machines. 5305 */ 5306 smtpd_state_init(&state, stream, service); 5307 msg_info("connect from %s", state.namaddr); 5308 5309 /* 5310 * Disable TLS when running in stand-alone mode via "sendmail -bs". 5311 */ 5312 if (SMTPD_STAND_ALONE((&state))) { 5313 var_smtpd_use_tls = 0; 5314 var_smtpd_enforce_tls = 0; 5315 var_smtpd_tls_auth_only = 0; 5316 } 5317 5318 /* 5319 * XCLIENT must not override its own access control. 5320 */ 5321 xclient_allowed = SMTPD_STAND_ALONE((&state)) == 0 && 5322 namadr_list_match(xclient_hosts, state.name, state.addr); 5323 5324 /* 5325 * Overriding XFORWARD access control makes no sense, either. 5326 */ 5327 xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 && 5328 namadr_list_match(xforward_hosts, state.name, state.addr); 5329 5330 /* 5331 * See if we need to turn on verbose logging for this client. 5332 */ 5333 debug_peer_check(state.name, state.addr); 5334 5335 /* 5336 * Provide the SMTP service. 5337 */ 5338 if ((state.flags & SMTPD_FLAG_HANGUP) == 0) 5339 smtpd_proto(&state); 5340 5341 /* 5342 * After the client has gone away, clean up whatever we have set up at 5343 * connection time. 5344 */ 5345 msg_info("disconnect from %s%s", state.namaddr, 5346 smtpd_format_cmd_stats(state.buffer)); 5347 smtpd_state_reset(&state); 5348 debug_peer_restore(); 5349 } 5350 5351 /* pre_accept - see if tables have changed */ 5352 5353 static void pre_accept(char *unused_name, char **unused_argv) 5354 { 5355 const char *table; 5356 5357 if ((table = dict_changed_name()) != 0) { 5358 msg_info("table %s has changed -- restarting", table); 5359 exit(0); 5360 } 5361 } 5362 5363 /* pre_jail_init - pre-jail initialization */ 5364 5365 static void pre_jail_init(char *unused_name, char **unused_argv) 5366 { 5367 5368 /* 5369 * Initialize blacklist/etc. patterns before entering the chroot jail, in 5370 * case they specify a filename pattern. 5371 */ 5372 smtpd_noop_cmds = string_list_init(VAR_SMTPD_NOOP_CMDS, MATCH_FLAG_RETURN, 5373 var_smtpd_noop_cmds); 5374 smtpd_forbid_cmds = string_list_init(VAR_SMTPD_FORBID_CMDS, 5375 MATCH_FLAG_RETURN, 5376 var_smtpd_forbid_cmds); 5377 verp_clients = namadr_list_init(VAR_VERP_CLIENTS, MATCH_FLAG_RETURN, 5378 var_verp_clients); 5379 xclient_hosts = namadr_list_init(VAR_XCLIENT_HOSTS, MATCH_FLAG_RETURN, 5380 var_xclient_hosts); 5381 xforward_hosts = namadr_list_init(VAR_XFORWARD_HOSTS, MATCH_FLAG_RETURN, 5382 var_xforward_hosts); 5383 hogger_list = namadr_list_init(VAR_SMTPD_HOGGERS, MATCH_FLAG_RETURN 5384 | match_parent_style(VAR_SMTPD_HOGGERS), 5385 var_smtpd_hoggers); 5386 5387 /* 5388 * Open maps before dropping privileges so we can read passwords etc. 5389 * 5390 * XXX We should not do this in stand-alone (sendmail -bs) mode, but we 5391 * can't use SMTPD_STAND_ALONE(state) here. This means "sendmail -bs" 5392 * will try to connect to proxymap when invoked by root for mail 5393 * submission. To fix, we would have to pass stand-alone mode information 5394 * via different means. For now we have to tell people not to run mail 5395 * clients as root. 5396 */ 5397 if (getuid() == 0 || getuid() == var_owner_uid) 5398 smtpd_check_init(); 5399 smtpd_expand_init(); 5400 debug_peer_init(); 5401 5402 if (var_smtpd_sasl_enable) 5403 #ifdef USE_SASL_AUTH 5404 smtpd_sasl_initialize(); 5405 5406 if (*var_smtpd_sasl_exceptions_networks) 5407 sasl_exceptions_networks = 5408 namadr_list_init(VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS, 5409 MATCH_FLAG_RETURN, 5410 var_smtpd_sasl_exceptions_networks); 5411 #else 5412 msg_warn("%s is true, but SASL support is not compiled in", 5413 VAR_SMTPD_SASL_ENABLE); 5414 #endif 5415 5416 if (*var_smtpd_cmd_filter) 5417 smtpd_cmd_filter = dict_open(var_smtpd_cmd_filter, O_RDONLY, 5418 DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX); 5419 5420 /* 5421 * XXX Temporary fix to pretend that we consistently implement TLS 5422 * security levels. We implement only a subset for now. If we implement 5423 * more levels, wrappermode should override only weaker TLS security 5424 * levels. 5425 * 5426 * Note: tls_level_lookup() logs no warning. 5427 */ 5428 if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) { 5429 switch (tls_level_lookup(var_smtpd_tls_level)) { 5430 default: 5431 msg_fatal("Invalid TLS level \"%s\"", var_smtpd_tls_level); 5432 /* NOTREACHED */ 5433 break; 5434 case TLS_LEV_SECURE: 5435 case TLS_LEV_VERIFY: 5436 case TLS_LEV_FPRINT: 5437 msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"", 5438 VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level); 5439 /* FALLTHROUGH */ 5440 case TLS_LEV_ENCRYPT: 5441 var_smtpd_enforce_tls = var_smtpd_use_tls = 1; 5442 break; 5443 case TLS_LEV_MAY: 5444 var_smtpd_enforce_tls = 0; 5445 var_smtpd_use_tls = 1; 5446 break; 5447 case TLS_LEV_NONE: 5448 var_smtpd_enforce_tls = var_smtpd_use_tls = 0; 5449 break; 5450 } 5451 } 5452 5453 /* 5454 * With TLS wrapper mode, we run on a dedicated port and turn on TLS 5455 * before actually speaking the SMTP protocol. This implies TLS enforce 5456 * mode. 5457 * 5458 * With non-wrapper mode, TLS enforce mode implies that we don't advertise 5459 * AUTH before the client issues STARTTLS. 5460 */ 5461 var_smtpd_enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls; 5462 var_smtpd_tls_auth_only = var_smtpd_tls_auth_only || var_smtpd_enforce_tls; 5463 var_smtpd_use_tls = var_smtpd_use_tls || var_smtpd_enforce_tls; 5464 5465 /* 5466 * Keys can only be loaded when running with suitable permissions. When 5467 * called from "sendmail -bs" this is not the case, so we must not 5468 * announce STARTTLS support. 5469 */ 5470 if (getuid() == 0 || getuid() == var_owner_uid) { 5471 if (var_smtpd_use_tls) { 5472 #ifdef USE_TLS 5473 #ifndef USE_TLSPROXY 5474 TLS_SERVER_INIT_PROPS props; 5475 const char *cert_file; 5476 int have_server_cert; 5477 int no_server_cert_ok; 5478 int require_server_cert; 5479 5480 /* 5481 * Can't use anonymous ciphers if we want client certificates. 5482 * Must use anonymous ciphers if we have no certificates. 5483 * 5484 * XXX: Ugh! Too many booleans! 5485 */ 5486 ask_client_cert = require_server_cert = 5487 (var_smtpd_tls_ask_ccert 5488 || (var_smtpd_enforce_tls && var_smtpd_tls_req_ccert)); 5489 if (strcasecmp(var_smtpd_tls_cert_file, "none") == 0) { 5490 no_server_cert_ok = 1; 5491 cert_file = ""; 5492 } else { 5493 no_server_cert_ok = 0; 5494 cert_file = var_smtpd_tls_cert_file; 5495 } 5496 have_server_cert = 5497 (*cert_file || *var_smtpd_tls_dcert_file || *var_smtpd_tls_eccert_file); 5498 5499 /* Some TLS configuration errors are not show stoppers. */ 5500 if (!have_server_cert && require_server_cert) 5501 msg_warn("Need a server cert to request client certs"); 5502 if (!var_smtpd_enforce_tls && var_smtpd_tls_req_ccert) 5503 msg_warn("Can't require client certs unless TLS is required"); 5504 /* After a show-stopper error, reply with 454 to STARTTLS. */ 5505 if (have_server_cert || (no_server_cert_ok && !require_server_cert)) 5506 5507 /* 5508 * Large parameter lists are error-prone, so we emulate a 5509 * language feature that C does not have natively: named 5510 * parameter lists. 5511 */ 5512 smtpd_tls_ctx = 5513 TLS_SERVER_INIT(&props, 5514 log_param = VAR_SMTPD_TLS_LOGLEVEL, 5515 log_level = var_smtpd_tls_loglevel, 5516 verifydepth = var_smtpd_tls_ccert_vd, 5517 cache_type = TLS_MGR_SCACHE_SMTPD, 5518 set_sessid = var_smtpd_tls_set_sessid, 5519 cert_file = cert_file, 5520 key_file = var_smtpd_tls_key_file, 5521 dcert_file = var_smtpd_tls_dcert_file, 5522 dkey_file = var_smtpd_tls_dkey_file, 5523 eccert_file = var_smtpd_tls_eccert_file, 5524 eckey_file = var_smtpd_tls_eckey_file, 5525 CAfile = var_smtpd_tls_CAfile, 5526 CApath = var_smtpd_tls_CApath, 5527 dh1024_param_file 5528 = var_smtpd_tls_dh1024_param_file, 5529 dh512_param_file 5530 = var_smtpd_tls_dh512_param_file, 5531 eecdh_grade = var_smtpd_tls_eecdh, 5532 protocols = var_smtpd_enforce_tls ? 5533 var_smtpd_tls_mand_proto : 5534 var_smtpd_tls_proto, 5535 ask_ccert = ask_client_cert, 5536 mdalg = var_smtpd_tls_fpt_dgst); 5537 else 5538 msg_warn("No server certs available. TLS won't be enabled"); 5539 #endif /* USE_TLSPROXY */ 5540 #else 5541 msg_warn("TLS has been selected, but TLS support is not compiled in"); 5542 #endif 5543 } 5544 } 5545 5546 /* 5547 * flush client. 5548 */ 5549 flush_init(); 5550 5551 /* 5552 * EHLO keyword filter. 5553 */ 5554 if (*var_smtpd_ehlo_dis_maps) 5555 ehlo_discard_maps = maps_create(VAR_SMTPD_EHLO_DIS_MAPS, 5556 var_smtpd_ehlo_dis_maps, 5557 DICT_FLAG_LOCK); 5558 5559 /* 5560 * DNS reply filter. 5561 */ 5562 if (*var_smtpd_dns_re_filter) 5563 dns_rr_filter_compile(VAR_SMTPD_DNS_RE_FILTER, 5564 var_smtpd_dns_re_filter); 5565 } 5566 5567 /* post_jail_init - post-jail initialization */ 5568 5569 static void post_jail_init(char *unused_name, char **unused_argv) 5570 { 5571 5572 /* 5573 * Initialize the receive transparency options: do we want unknown 5574 * recipient checks, address mapping, header_body_checks?. 5575 */ 5576 smtpd_input_transp_mask = 5577 input_transp_mask(VAR_INPUT_TRANSP, var_input_transp); 5578 5579 /* 5580 * Initialize before-queue filter options: do we want speed-matching 5581 * support so that the entire message is received before we contact a 5582 * before-queue content filter? 5583 */ 5584 if (*var_smtpd_proxy_filt) 5585 smtpd_proxy_opts = 5586 smtpd_proxy_parse_opts(VAR_SMTPD_PROXY_OPTS, var_smtpd_proxy_opts); 5587 5588 /* 5589 * Sendmail mail filters. 5590 * 5591 * XXX Should not do this when running in stand-alone mode. But that test 5592 * looks at VSTREAM_IN which is not available at this point. 5593 * 5594 * XXX Disable non_smtpd_milters when not sending our own mail filter list. 5595 */ 5596 if ((smtpd_input_transp_mask & INPUT_TRANSP_MILTER) == 0) { 5597 if (*var_smtpd_milters) 5598 smtpd_milters = milter_create(var_smtpd_milters, 5599 var_milt_conn_time, 5600 var_milt_cmd_time, 5601 var_milt_msg_time, 5602 var_milt_protocol, 5603 var_milt_def_action, 5604 var_milt_conn_macros, 5605 var_milt_helo_macros, 5606 var_milt_mail_macros, 5607 var_milt_rcpt_macros, 5608 var_milt_data_macros, 5609 var_milt_eoh_macros, 5610 var_milt_eod_macros, 5611 var_milt_unk_macros, 5612 var_milt_macro_deflts); 5613 else 5614 smtpd_input_transp_mask |= INPUT_TRANSP_MILTER; 5615 } 5616 5617 /* 5618 * Sanity checks. The queue_minfree value should be at least as large as 5619 * (process_limit * message_size_limit) but that is unpractical, so we 5620 * arbitrarily pick a small multiple of the per-message size limit. This 5621 * helps to avoid many unneeded (re)transmissions. 5622 */ 5623 if (var_queue_minfree > 0 5624 && var_message_limit > 0 5625 && var_queue_minfree / 1.5 < var_message_limit) 5626 msg_warn("%s(%lu) should be at least 1.5*%s(%lu)", 5627 VAR_QUEUE_MINFREE, (unsigned long) var_queue_minfree, 5628 VAR_MESSAGE_LIMIT, (unsigned long) var_message_limit); 5629 5630 /* 5631 * Connection rate management. 5632 */ 5633 if (var_smtpd_crate_limit || var_smtpd_cconn_limit 5634 || var_smtpd_cmail_limit || var_smtpd_crcpt_limit 5635 || var_smtpd_cntls_limit || var_smtpd_cauth_limit) 5636 anvil_clnt = anvil_clnt_create(); 5637 } 5638 5639 MAIL_VERSION_STAMP_DECLARE; 5640 5641 /* main - the main program */ 5642 5643 int main(int argc, char **argv) 5644 { 5645 static const CONFIG_NINT_TABLE nint_table[] = { 5646 VAR_SMTPD_SOFT_ERLIM, DEF_SMTPD_SOFT_ERLIM, &var_smtpd_soft_erlim, 1, 0, 5647 VAR_SMTPD_HARD_ERLIM, DEF_SMTPD_HARD_ERLIM, &var_smtpd_hard_erlim, 1, 0, 5648 VAR_SMTPD_JUNK_CMD, DEF_SMTPD_JUNK_CMD, &var_smtpd_junk_cmd_limit, 1, 0, 5649 VAR_VERIFY_POLL_COUNT, DEF_VERIFY_POLL_COUNT, &var_verify_poll_count, 1, 0, 5650 0, 5651 }; 5652 static const CONFIG_INT_TABLE int_table[] = { 5653 VAR_SMTPD_RCPT_LIMIT, DEF_SMTPD_RCPT_LIMIT, &var_smtpd_rcpt_limit, 1, 0, 5654 VAR_QUEUE_MINFREE, DEF_QUEUE_MINFREE, &var_queue_minfree, 0, 0, 5655 VAR_UNK_CLIENT_CODE, DEF_UNK_CLIENT_CODE, &var_unk_client_code, 0, 0, 5656 VAR_BAD_NAME_CODE, DEF_BAD_NAME_CODE, &var_bad_name_code, 0, 0, 5657 VAR_UNK_NAME_CODE, DEF_UNK_NAME_CODE, &var_unk_name_code, 0, 0, 5658 VAR_UNK_ADDR_CODE, DEF_UNK_ADDR_CODE, &var_unk_addr_code, 0, 0, 5659 VAR_RELAY_CODE, DEF_RELAY_CODE, &var_relay_code, 0, 0, 5660 VAR_MAPS_RBL_CODE, DEF_MAPS_RBL_CODE, &var_maps_rbl_code, 0, 0, 5661 VAR_MAP_REJECT_CODE, DEF_MAP_REJECT_CODE, &var_map_reject_code, 0, 0, 5662 VAR_MAP_DEFER_CODE, DEF_MAP_DEFER_CODE, &var_map_defer_code, 0, 0, 5663 VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code, 0, 0, 5664 VAR_DEFER_CODE, DEF_DEFER_CODE, &var_defer_code, 0, 0, 5665 VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, 0, 0, 5666 VAR_SMTPD_RCPT_OVERLIM, DEF_SMTPD_RCPT_OVERLIM, &var_smtpd_rcpt_overlim, 1, 0, 5667 VAR_SMTPD_HIST_THRSH, DEF_SMTPD_HIST_THRSH, &var_smtpd_hist_thrsh, 1, 0, 5668 VAR_UNV_FROM_RCODE, DEF_UNV_FROM_RCODE, &var_unv_from_rcode, 200, 599, 5669 VAR_UNV_RCPT_RCODE, DEF_UNV_RCPT_RCODE, &var_unv_rcpt_rcode, 200, 599, 5670 VAR_UNV_FROM_DCODE, DEF_UNV_FROM_DCODE, &var_unv_from_dcode, 200, 499, 5671 VAR_UNV_RCPT_DCODE, DEF_UNV_RCPT_DCODE, &var_unv_rcpt_dcode, 200, 499, 5672 VAR_MUL_RCPT_CODE, DEF_MUL_RCPT_CODE, &var_mul_rcpt_code, 0, 0, 5673 VAR_LOCAL_RCPT_CODE, DEF_LOCAL_RCPT_CODE, &var_local_rcpt_code, 0, 0, 5674 VAR_VIRT_ALIAS_CODE, DEF_VIRT_ALIAS_CODE, &var_virt_alias_code, 0, 0, 5675 VAR_VIRT_MAILBOX_CODE, DEF_VIRT_MAILBOX_CODE, &var_virt_mailbox_code, 0, 0, 5676 VAR_RELAY_RCPT_CODE, DEF_RELAY_RCPT_CODE, &var_relay_rcpt_code, 0, 0, 5677 VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, 0, 0, 5678 VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0, 5679 VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0, 5680 VAR_SMTPD_CMAIL_LIMIT, DEF_SMTPD_CMAIL_LIMIT, &var_smtpd_cmail_limit, 0, 0, 5681 VAR_SMTPD_CRCPT_LIMIT, DEF_SMTPD_CRCPT_LIMIT, &var_smtpd_crcpt_limit, 0, 0, 5682 VAR_SMTPD_CNTLS_LIMIT, DEF_SMTPD_CNTLS_LIMIT, &var_smtpd_cntls_limit, 0, 0, 5683 VAR_SMTPD_CAUTH_LIMIT, DEF_SMTPD_CAUTH_LIMIT, &var_smtpd_cauth_limit, 0, 0, 5684 #ifdef USE_TLS 5685 VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0, 5686 #endif 5687 VAR_SMTPD_POLICY_REQ_LIMIT, DEF_SMTPD_POLICY_REQ_LIMIT, &var_smtpd_policy_req_limit, 0, 0, 5688 VAR_SMTPD_POLICY_TRY_LIMIT, DEF_SMTPD_POLICY_TRY_LIMIT, &var_smtpd_policy_try_limit, 1, 0, 5689 0, 5690 }; 5691 static const CONFIG_TIME_TABLE time_table[] = { 5692 VAR_SMTPD_TMOUT, DEF_SMTPD_TMOUT, &var_smtpd_tmout, 1, 0, 5693 VAR_SMTPD_ERR_SLEEP, DEF_SMTPD_ERR_SLEEP, &var_smtpd_err_sleep, 0, 0, 5694 VAR_SMTPD_PROXY_TMOUT, DEF_SMTPD_PROXY_TMOUT, &var_smtpd_proxy_tmout, 1, 0, 5695 VAR_VERIFY_POLL_DELAY, DEF_VERIFY_POLL_DELAY, &var_verify_poll_delay, 1, 0, 5696 VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0, 5697 VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0, 5698 VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0, 5699 #ifdef USE_TLS 5700 VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0, 5701 #endif 5702 VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, &var_milt_conn_time, 1, 0, 5703 VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, &var_milt_cmd_time, 1, 0, 5704 VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, &var_milt_msg_time, 1, 0, 5705 VAR_VERIFY_SENDER_TTL, DEF_VERIFY_SENDER_TTL, &var_verify_sender_ttl, 0, 0, 5706 VAR_SMTPD_UPROXY_TMOUT, DEF_SMTPD_UPROXY_TMOUT, &var_smtpd_uproxy_tmout, 1, 0, 5707 VAR_SMTPD_POLICY_TRY_DELAY, DEF_SMTPD_POLICY_TRY_DELAY, &var_smtpd_policy_try_delay, 1, 0, 5708 0, 5709 }; 5710 static const CONFIG_BOOL_TABLE bool_table[] = { 5711 VAR_HELO_REQUIRED, DEF_HELO_REQUIRED, &var_helo_required, 5712 VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject, 5713 VAR_STRICT_RFC821_ENV, DEF_STRICT_RFC821_ENV, &var_strict_rfc821_env, 5714 VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd, 5715 VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route, 5716 VAR_SMTPD_SASL_ENABLE, DEF_SMTPD_SASL_ENABLE, &var_smtpd_sasl_enable, 5717 VAR_SMTPD_SASL_AUTH_HDR, DEF_SMTPD_SASL_AUTH_HDR, &var_smtpd_sasl_auth_hdr, 5718 VAR_BROKEN_AUTH_CLNTS, DEF_BROKEN_AUTH_CLNTS, &var_broken_auth_clients, 5719 VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table, 5720 VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from, 5721 VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt, 5722 VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls, 5723 VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls, 5724 VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode, 5725 VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only, 5726 #ifdef USE_TLS 5727 VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert, 5728 VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert, 5729 VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header, 5730 VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid, 5731 #endif 5732 VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, 5733 VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, 5734 VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, 5735 0, 5736 }; 5737 static const CONFIG_NBOOL_TABLE nbool_table[] = { 5738 VAR_SMTPD_REC_DEADLINE, DEF_SMTPD_REC_DEADLINE, &var_smtpd_rec_deadline, 5739 0, 5740 }; 5741 static const CONFIG_STR_TABLE str_table[] = { 5742 VAR_SMTPD_BANNER, DEF_SMTPD_BANNER, &var_smtpd_banner, 1, 0, 5743 VAR_NOTIFY_CLASSES, DEF_NOTIFY_CLASSES, &var_notify_classes, 0, 0, 5744 VAR_CLIENT_CHECKS, DEF_CLIENT_CHECKS, &var_client_checks, 0, 0, 5745 VAR_HELO_CHECKS, DEF_HELO_CHECKS, &var_helo_checks, 0, 0, 5746 VAR_MAIL_CHECKS, DEF_MAIL_CHECKS, &var_mail_checks, 0, 0, 5747 VAR_RELAY_CHECKS, DEF_RELAY_CHECKS, &var_relay_checks, 0, 0, 5748 VAR_RCPT_CHECKS, DEF_RCPT_CHECKS, &var_rcpt_checks, 0, 0, 5749 VAR_ETRN_CHECKS, DEF_ETRN_CHECKS, &var_etrn_checks, 0, 0, 5750 VAR_DATA_CHECKS, DEF_DATA_CHECKS, &var_data_checks, 0, 0, 5751 VAR_EOD_CHECKS, DEF_EOD_CHECKS, &var_eod_checks, 0, 0, 5752 VAR_MAPS_RBL_DOMAINS, DEF_MAPS_RBL_DOMAINS, &var_maps_rbl_domains, 0, 0, 5753 VAR_RBL_REPLY_MAPS, DEF_RBL_REPLY_MAPS, &var_rbl_reply_maps, 0, 0, 5754 VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0, 5755 VAR_REST_CLASSES, DEF_REST_CLASSES, &var_rest_classes, 0, 0, 5756 VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0, 5757 VAR_SEND_CANON_MAPS, DEF_SEND_CANON_MAPS, &var_send_canon_maps, 0, 0, 5758 VAR_RCPT_CANON_MAPS, DEF_RCPT_CANON_MAPS, &var_rcpt_canon_maps, 0, 0, 5759 VAR_VIRT_ALIAS_MAPS, DEF_VIRT_ALIAS_MAPS, &var_virt_alias_maps, 0, 0, 5760 VAR_VIRT_MAILBOX_MAPS, DEF_VIRT_MAILBOX_MAPS, &var_virt_mailbox_maps, 0, 0, 5761 VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0, 5762 VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0, 5763 VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0, 5764 VAR_SMTPD_SASL_PATH, DEF_SMTPD_SASL_PATH, &var_smtpd_sasl_path, 1, 0, 5765 VAR_SMTPD_SASL_SERVICE, DEF_SMTPD_SASL_SERVICE, &var_smtpd_sasl_service, 1, 0, 5766 VAR_CYRUS_CONF_PATH, DEF_CYRUS_CONF_PATH, &var_cyrus_conf_path, 0, 0, 5767 VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 0, 0, 5768 VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS, DEF_SMTPD_SASL_EXCEPTIONS_NETWORKS, &var_smtpd_sasl_exceptions_networks, 0, 0, 5769 VAR_FILTER_XPORT, DEF_FILTER_XPORT, &var_filter_xport, 0, 0, 5770 VAR_PERM_MX_NETWORKS, DEF_PERM_MX_NETWORKS, &var_perm_mx_networks, 0, 0, 5771 VAR_SMTPD_SND_AUTH_MAPS, DEF_SMTPD_SND_AUTH_MAPS, &var_smtpd_snd_auth_maps, 0, 0, 5772 VAR_SMTPD_NOOP_CMDS, DEF_SMTPD_NOOP_CMDS, &var_smtpd_noop_cmds, 0, 0, 5773 VAR_SMTPD_FORBID_CMDS, DEF_SMTPD_FORBID_CMDS, &var_smtpd_forbid_cmds, 0, 0, 5774 VAR_SMTPD_NULL_KEY, DEF_SMTPD_NULL_KEY, &var_smtpd_null_key, 0, 0, 5775 VAR_RELAY_RCPT_MAPS, DEF_RELAY_RCPT_MAPS, &var_relay_rcpt_maps, 0, 0, 5776 VAR_VERIFY_SENDER, DEF_VERIFY_SENDER, &var_verify_sender, 0, 0, 5777 VAR_VERP_CLIENTS, DEF_VERP_CLIENTS, &var_verp_clients, 0, 0, 5778 VAR_SMTPD_PROXY_FILT, DEF_SMTPD_PROXY_FILT, &var_smtpd_proxy_filt, 0, 0, 5779 VAR_SMTPD_PROXY_EHLO, DEF_SMTPD_PROXY_EHLO, &var_smtpd_proxy_ehlo, 0, 0, 5780 VAR_SMTPD_PROXY_OPTS, DEF_SMTPD_PROXY_OPTS, &var_smtpd_proxy_opts, 0, 0, 5781 VAR_INPUT_TRANSP, DEF_INPUT_TRANSP, &var_input_transp, 0, 0, 5782 VAR_XCLIENT_HOSTS, DEF_XCLIENT_HOSTS, &var_xclient_hosts, 0, 0, 5783 VAR_XFORWARD_HOSTS, DEF_XFORWARD_HOSTS, &var_xforward_hosts, 0, 0, 5784 VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0, 5785 VAR_LOC_RWR_CLIENTS, DEF_LOC_RWR_CLIENTS, &var_local_rwr_clients, 0, 0, 5786 VAR_SMTPD_EHLO_DIS_WORDS, DEF_SMTPD_EHLO_DIS_WORDS, &var_smtpd_ehlo_dis_words, 0, 0, 5787 VAR_SMTPD_EHLO_DIS_MAPS, DEF_SMTPD_EHLO_DIS_MAPS, &var_smtpd_ehlo_dis_maps, 0, 0, 5788 #ifdef USE_TLS 5789 VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_smtpd_relay_ccerts, 0, 0, 5790 VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0, 5791 VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0, 5792 VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0, 5793 VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0, 5794 VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0, 5795 VAR_SMTPD_TLS_ECCERT_FILE, DEF_SMTPD_TLS_ECCERT_FILE, &var_smtpd_tls_eccert_file, 0, 0, 5796 VAR_SMTPD_TLS_ECKEY_FILE, DEF_SMTPD_TLS_ECKEY_FILE, &var_smtpd_tls_eckey_file, 0, 0, 5797 VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0, 5798 VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0, 5799 VAR_SMTPD_TLS_CIPH, DEF_SMTPD_TLS_CIPH, &var_smtpd_tls_ciph, 1, 0, 5800 VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0, 5801 VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0, 5802 VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0, 5803 VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_proto, 0, 0, 5804 VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0, 5805 VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0, 5806 VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0, 5807 VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0, 5808 VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0, 5809 VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0, 5810 #endif 5811 VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0, 5812 VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0, 5813 VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0, 5814 VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0, 5815 VAR_MILT_HELO_MACROS, DEF_MILT_HELO_MACROS, &var_milt_helo_macros, 0, 0, 5816 VAR_MILT_MAIL_MACROS, DEF_MILT_MAIL_MACROS, &var_milt_mail_macros, 0, 0, 5817 VAR_MILT_RCPT_MACROS, DEF_MILT_RCPT_MACROS, &var_milt_rcpt_macros, 0, 0, 5818 VAR_MILT_DATA_MACROS, DEF_MILT_DATA_MACROS, &var_milt_data_macros, 0, 0, 5819 VAR_MILT_EOH_MACROS, DEF_MILT_EOH_MACROS, &var_milt_eoh_macros, 0, 0, 5820 VAR_MILT_EOD_MACROS, DEF_MILT_EOD_MACROS, &var_milt_eod_macros, 0, 0, 5821 VAR_MILT_UNK_MACROS, DEF_MILT_UNK_MACROS, &var_milt_unk_macros, 0, 0, 5822 VAR_MILT_PROTOCOL, DEF_MILT_PROTOCOL, &var_milt_protocol, 1, 0, 5823 VAR_MILT_DEF_ACTION, DEF_MILT_DEF_ACTION, &var_milt_def_action, 1, 0, 5824 VAR_MILT_DAEMON_NAME, DEF_MILT_DAEMON_NAME, &var_milt_daemon_name, 1, 0, 5825 VAR_MILT_V, DEF_MILT_V, &var_milt_v, 1, 0, 5826 VAR_MILT_MACRO_DEFLTS, DEF_MILT_MACRO_DEFLTS, &var_milt_macro_deflts, 0, 0, 5827 VAR_STRESS, DEF_STRESS, &var_stress, 0, 0, 5828 VAR_UNV_FROM_WHY, DEF_UNV_FROM_WHY, &var_unv_from_why, 0, 0, 5829 VAR_UNV_RCPT_WHY, DEF_UNV_RCPT_WHY, &var_unv_rcpt_why, 0, 0, 5830 VAR_REJECT_TMPF_ACT, DEF_REJECT_TMPF_ACT, &var_reject_tmpf_act, 1, 0, 5831 VAR_UNK_NAME_TF_ACT, DEF_UNK_NAME_TF_ACT, &var_unk_name_tf_act, 1, 0, 5832 VAR_UNK_ADDR_TF_ACT, DEF_UNK_ADDR_TF_ACT, &var_unk_addr_tf_act, 1, 0, 5833 VAR_UNV_RCPT_TF_ACT, DEF_UNV_RCPT_TF_ACT, &var_unv_rcpt_tf_act, 1, 0, 5834 VAR_UNV_FROM_TF_ACT, DEF_UNV_FROM_TF_ACT, &var_unv_from_tf_act, 1, 0, 5835 VAR_SMTPD_CMD_FILTER, DEF_SMTPD_CMD_FILTER, &var_smtpd_cmd_filter, 0, 0, 5836 #ifdef USE_TLSPROXY 5837 VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 0, 5838 #endif 5839 VAR_SMTPD_ACL_PERM_LOG, DEF_SMTPD_ACL_PERM_LOG, &var_smtpd_acl_perm_log, 0, 0, 5840 VAR_SMTPD_UPROXY_PROTO, DEF_SMTPD_UPROXY_PROTO, &var_smtpd_uproxy_proto, 0, 0, 5841 VAR_SMTPD_POLICY_DEF_ACTION, DEF_SMTPD_POLICY_DEF_ACTION, &var_smtpd_policy_def_action, 1, 0, 5842 VAR_SMTPD_POLICY_CONTEXT, DEF_SMTPD_POLICY_CONTEXT, &var_smtpd_policy_context, 0, 0, 5843 VAR_SMTPD_DNS_RE_FILTER, DEF_SMTPD_DNS_RE_FILTER, &var_smtpd_dns_re_filter, 0, 0, 5844 0, 5845 }; 5846 static const CONFIG_RAW_TABLE raw_table[] = { 5847 VAR_SMTPD_EXP_FILTER, DEF_SMTPD_EXP_FILTER, &var_smtpd_exp_filter, 1, 0, 5848 VAR_DEF_RBL_REPLY, DEF_DEF_RBL_REPLY, &var_def_rbl_reply, 1, 0, 5849 VAR_SMTPD_REJ_FOOTER, DEF_SMTPD_REJ_FOOTER, &var_smtpd_rej_footer, 0, 0, 5850 0, 5851 }; 5852 5853 /* 5854 * Fingerprint executables and core dumps. 5855 */ 5856 MAIL_VERSION_STAMP_ALLOCATE; 5857 5858 /* 5859 * Pass control to the single-threaded service skeleton. 5860 */ 5861 single_server_main(argc, argv, smtpd_service, 5862 CA_MAIL_SERVER_NINT_TABLE(nint_table), 5863 CA_MAIL_SERVER_INT_TABLE(int_table), 5864 CA_MAIL_SERVER_STR_TABLE(str_table), 5865 CA_MAIL_SERVER_RAW_TABLE(raw_table), 5866 CA_MAIL_SERVER_BOOL_TABLE(bool_table), 5867 CA_MAIL_SERVER_NBOOL_TABLE(nbool_table), 5868 CA_MAIL_SERVER_TIME_TABLE(time_table), 5869 CA_MAIL_SERVER_PRE_INIT(pre_jail_init), 5870 CA_MAIL_SERVER_PRE_ACCEPT(pre_accept), 5871 CA_MAIL_SERVER_POST_INIT(post_jail_init), 5872 0); 5873 } 5874