1 /* $NetBSD: smtpd.c,v 1.11 2014/07/06 19:45:50 tron Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtpd 8 6 /* SUMMARY 7 /* Postfix SMTP server 8 /* SYNOPSIS 9 /* \fBsmtpd\fR [generic Postfix daemon options] 10 /* 11 /* \fBsendmail -bs\fR 12 /* DESCRIPTION 13 /* The SMTP server accepts network connection requests 14 /* and performs zero or more SMTP transactions per connection. 15 /* Each received message is piped through the \fBcleanup\fR(8) 16 /* daemon, and is placed into the \fBincoming\fR queue as one 17 /* single queue file. For this mode of operation, the program 18 /* expects to be run from the \fBmaster\fR(8) process manager. 19 /* 20 /* Alternatively, the SMTP server be can run in stand-alone 21 /* mode; this is traditionally obtained with "\fBsendmail 22 /* -bs\fR". When the SMTP server runs stand-alone with non 23 /* $\fBmail_owner\fR privileges, it receives mail even while 24 /* the mail system is not running, deposits messages directly 25 /* into the \fBmaildrop\fR queue, and disables the SMTP server's 26 /* access policies. As of Postfix version 2.3, the SMTP server 27 /* refuses to receive mail from the network when it runs with 28 /* non $\fBmail_owner\fR privileges. 29 /* 30 /* The SMTP server implements a variety of policies for connection 31 /* requests, and for parameters given to \fBHELO, ETRN, MAIL FROM, VRFY\fR 32 /* and \fBRCPT TO\fR commands. They are detailed below and in the 33 /* \fBmain.cf\fR configuration file. 34 /* SECURITY 35 /* .ad 36 /* .fi 37 /* The SMTP server is moderately security-sensitive. It talks to SMTP 38 /* clients and to DNS servers on the network. The SMTP server can be 39 /* run chrooted at fixed low privilege. 40 /* STANDARDS 41 /* RFC 821 (SMTP protocol) 42 /* RFC 1123 (Host requirements) 43 /* RFC 1652 (8bit-MIME transport) 44 /* RFC 1869 (SMTP service extensions) 45 /* RFC 1870 (Message size declaration) 46 /* RFC 1985 (ETRN command) 47 /* RFC 2034 (SMTP enhanced status codes) 48 /* RFC 2554 (AUTH command) 49 /* RFC 2821 (SMTP protocol) 50 /* RFC 2920 (SMTP pipelining) 51 /* RFC 3207 (STARTTLS command) 52 /* RFC 3461 (SMTP DSN extension) 53 /* RFC 3463 (Enhanced status codes) 54 /* RFC 3848 (ESMTP transmission types) 55 /* RFC 4409 (Message submission) 56 /* RFC 4954 (AUTH command) 57 /* RFC 5321 (SMTP protocol) 58 /* DIAGNOSTICS 59 /* Problems and transactions are logged to \fBsyslogd\fR(8). 60 /* 61 /* Depending on the setting of the \fBnotify_classes\fR parameter, 62 /* the postmaster is notified of bounces, protocol problems, 63 /* policy violations, and of other trouble. 64 /* CONFIGURATION PARAMETERS 65 /* .ad 66 /* .fi 67 /* Changes to \fBmain.cf\fR are picked up automatically, as \fBsmtpd\fR(8) 68 /* processes run for only a limited amount of time. Use the command 69 /* "\fBpostfix reload\fR" to speed up a change. 70 /* 71 /* The text below provides only a parameter summary. See 72 /* \fBpostconf\fR(5) for more details including examples. 73 /* COMPATIBILITY CONTROLS 74 /* .ad 75 /* .fi 76 /* The following parameters work around implementation errors in other 77 /* software, and/or allow you to override standards in order to prevent 78 /* undesirable use. 79 /* .ad 80 /* .fi 81 /* .IP "\fBbroken_sasl_auth_clients (no)\fR" 82 /* Enable inter-operability with remote SMTP clients that implement an obsolete 83 /* version of the AUTH command (RFC 4954). 84 /* .IP "\fBdisable_vrfy_command (no)\fR" 85 /* Disable the SMTP VRFY command. 86 /* .IP "\fBsmtpd_noop_commands (empty)\fR" 87 /* List of commands that the Postfix SMTP server replies to with "250 88 /* Ok", without doing any syntax checks and without changing state. 89 /* .IP "\fBstrict_rfc821_envelopes (no)\fR" 90 /* Require that addresses received in SMTP MAIL FROM and RCPT TO 91 /* commands are enclosed with <>, and that those addresses do 92 /* not contain RFC 822 style comments or phrases. 93 /* .PP 94 /* Available in Postfix version 2.1 and later: 95 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR" 96 /* Request that the Postfix SMTP server rejects mail from unknown 97 /* sender addresses, even when no explicit reject_unlisted_sender 98 /* access restriction is specified. 99 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR" 100 /* What remote SMTP clients the Postfix SMTP server will not offer 101 /* AUTH support to. 102 /* .PP 103 /* Available in Postfix version 2.2 and later: 104 /* .IP "\fBsmtpd_discard_ehlo_keyword_address_maps (empty)\fR" 105 /* Lookup tables, indexed by the remote SMTP client address, with 106 /* case insensitive lists of EHLO keywords (pipelining, starttls, auth, 107 /* etc.) that the Postfix SMTP server will not send in the EHLO response 108 /* to a 109 /* remote SMTP client. 110 /* .IP "\fBsmtpd_discard_ehlo_keywords (empty)\fR" 111 /* A case insensitive list of EHLO keywords (pipelining, starttls, 112 /* auth, etc.) that the Postfix SMTP server will not send in the EHLO 113 /* response 114 /* to a remote SMTP client. 115 /* .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR" 116 /* Postpone the start of an SMTP mail transaction until a valid 117 /* RCPT TO command is received. 118 /* .PP 119 /* Available in Postfix version 2.3 and later: 120 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR" 121 /* Force the Postfix SMTP server to issue a TLS session id, even 122 /* when TLS session caching is turned off (smtpd_tls_session_cache_database 123 /* is empty). 124 /* .PP 125 /* Available in Postfix version 2.6 and later: 126 /* .IP "\fBtcp_windowsize (0)\fR" 127 /* An optional workaround for routers that break TCP window scaling. 128 /* .PP 129 /* Available in Postfix version 2.7 and later: 130 /* .IP "\fBsmtpd_command_filter (empty)\fR" 131 /* A mechanism to transform commands from remote SMTP clients. 132 /* .PP 133 /* Available in Postfix version 2.9 and later: 134 /* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR" 135 /* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout 136 /* time limits, from a 137 /* time limit per read or write system call, to a time limit to send 138 /* or receive a complete record (an SMTP command line, SMTP response 139 /* line, SMTP message content line, or TLS protocol message). 140 /* ADDRESS REWRITING CONTROLS 141 /* .ad 142 /* .fi 143 /* See the ADDRESS_REWRITING_README document for a detailed 144 /* discussion of Postfix address rewriting. 145 /* .IP "\fBreceive_override_options (empty)\fR" 146 /* Enable or disable recipient validation, built-in content 147 /* filtering, or address mapping. 148 /* .PP 149 /* Available in Postfix version 2.2 and later: 150 /* .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR" 151 /* Rewrite message header addresses in mail from these clients and 152 /* update incomplete addresses with the domain name in $myorigin or 153 /* $mydomain; either don't rewrite message headers from other clients 154 /* at all, or rewrite message headers and update incomplete addresses 155 /* with the domain specified in the remote_header_rewrite_domain 156 /* parameter. 157 /* BEFORE-SMTPD PROXY AGENT 158 /* .ad 159 /* .fi 160 /* Available in Postfix version 2.10 and later: 161 /* .IP "\fBsmtpd_upstream_proxy_protocol (empty)\fR" 162 /* The name of the proxy protocol used by an optional before-smtpd 163 /* proxy agent. 164 /* .IP "\fBsmtpd_upstream_proxy_timeout (5s)\fR" 165 /* The time limit for the proxy protocol specified with the 166 /* smtpd_upstream_proxy_protocol parameter. 167 /* AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS 168 /* .ad 169 /* .fi 170 /* As of version 1.0, Postfix can be configured to send new mail to 171 /* an external content filter AFTER the mail is queued. This content 172 /* filter is expected to inject mail back into a (Postfix or other) 173 /* MTA for further delivery. See the FILTER_README document for details. 174 /* .IP "\fBcontent_filter (empty)\fR" 175 /* After the message is queued, send the entire message to the 176 /* specified \fItransport:destination\fR. 177 /* BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS 178 /* .ad 179 /* .fi 180 /* As of version 2.1, the Postfix SMTP server can be configured 181 /* to send incoming mail to a real-time SMTP-based content filter 182 /* BEFORE mail is queued. This content filter is expected to inject 183 /* mail back into Postfix. See the SMTPD_PROXY_README document for 184 /* details on how to configure and operate this feature. 185 /* .IP "\fBsmtpd_proxy_filter (empty)\fR" 186 /* The hostname and TCP port of the mail filtering proxy server. 187 /* .IP "\fBsmtpd_proxy_ehlo ($myhostname)\fR" 188 /* How the Postfix SMTP server announces itself to the proxy filter. 189 /* .IP "\fBsmtpd_proxy_options (empty)\fR" 190 /* List of options that control how the Postfix SMTP server 191 /* communicates with a before-queue content filter. 192 /* .IP "\fBsmtpd_proxy_timeout (100s)\fR" 193 /* The time limit for connecting to a proxy filter and for sending or 194 /* receiving information. 195 /* BEFORE QUEUE MILTER CONTROLS 196 /* .ad 197 /* .fi 198 /* As of version 2.3, Postfix supports the Sendmail version 8 199 /* Milter (mail filter) protocol. These content filters run 200 /* outside Postfix. They can inspect the SMTP command stream 201 /* and the message content, and can request modifications before 202 /* mail is queued. For details see the MILTER_README document. 203 /* .IP "\fBsmtpd_milters (empty)\fR" 204 /* A list of Milter (mail filter) applications for new mail that 205 /* arrives via the Postfix \fBsmtpd\fR(8) server. 206 /* .IP "\fBmilter_protocol (6)\fR" 207 /* The mail filter protocol version and optional protocol extensions 208 /* for communication with a Milter application; prior to Postfix 2.6 209 /* the default protocol is 2. 210 /* .IP "\fBmilter_default_action (tempfail)\fR" 211 /* The default action when a Milter (mail filter) application is 212 /* unavailable or mis-configured. 213 /* .IP "\fBmilter_macro_daemon_name ($myhostname)\fR" 214 /* The {daemon_name} macro value for Milter (mail filter) applications. 215 /* .IP "\fBmilter_macro_v ($mail_name $mail_version)\fR" 216 /* The {v} macro value for Milter (mail filter) applications. 217 /* .IP "\fBmilter_connect_timeout (30s)\fR" 218 /* The time limit for connecting to a Milter (mail filter) 219 /* application, and for negotiating protocol options. 220 /* .IP "\fBmilter_command_timeout (30s)\fR" 221 /* The time limit for sending an SMTP command to a Milter (mail 222 /* filter) application, and for receiving the response. 223 /* .IP "\fBmilter_content_timeout (300s)\fR" 224 /* The time limit for sending message content to a Milter (mail 225 /* filter) application, and for receiving the response. 226 /* .IP "\fBmilter_connect_macros (see 'postconf -d' output)\fR" 227 /* The macros that are sent to Milter (mail filter) applications 228 /* after completion of an SMTP connection. 229 /* .IP "\fBmilter_helo_macros (see 'postconf -d' output)\fR" 230 /* The macros that are sent to Milter (mail filter) applications 231 /* after the SMTP HELO or EHLO command. 232 /* .IP "\fBmilter_mail_macros (see 'postconf -d' output)\fR" 233 /* The macros that are sent to Milter (mail filter) applications 234 /* after the SMTP MAIL FROM command. 235 /* .IP "\fBmilter_rcpt_macros (see 'postconf -d' output)\fR" 236 /* The macros that are sent to Milter (mail filter) applications 237 /* after the SMTP RCPT TO command. 238 /* .IP "\fBmilter_data_macros (see 'postconf -d' output)\fR" 239 /* The macros that are sent to version 4 or higher Milter (mail 240 /* filter) applications after the SMTP DATA command. 241 /* .IP "\fBmilter_unknown_command_macros (see 'postconf -d' output)\fR" 242 /* The macros that are sent to version 3 or higher Milter (mail 243 /* filter) applications after an unknown SMTP command. 244 /* .IP "\fBmilter_end_of_header_macros (see 'postconf -d' output)\fR" 245 /* The macros that are sent to Milter (mail filter) applications 246 /* after the end of the message header. 247 /* .IP "\fBmilter_end_of_data_macros (see 'postconf -d' output)\fR" 248 /* The macros that are sent to Milter (mail filter) applications 249 /* after the message end-of-data. 250 /* GENERAL CONTENT INSPECTION CONTROLS 251 /* .ad 252 /* .fi 253 /* The following parameters are applicable for both built-in 254 /* and external content filters. 255 /* .PP 256 /* Available in Postfix version 2.1 and later: 257 /* .IP "\fBreceive_override_options (empty)\fR" 258 /* Enable or disable recipient validation, built-in content 259 /* filtering, or address mapping. 260 /* EXTERNAL CONTENT INSPECTION CONTROLS 261 /* .ad 262 /* .fi 263 /* The following parameters are applicable for both before-queue 264 /* and after-queue content filtering. 265 /* .PP 266 /* Available in Postfix version 2.1 and later: 267 /* .IP "\fBsmtpd_authorized_xforward_hosts (empty)\fR" 268 /* What remote SMTP clients are allowed to use the XFORWARD feature. 269 /* SASL AUTHENTICATION CONTROLS 270 /* .ad 271 /* .fi 272 /* Postfix SASL support (RFC 4954) can be used to authenticate remote 273 /* SMTP clients to the Postfix SMTP server, and to authenticate the 274 /* Postfix SMTP client to a remote SMTP server. 275 /* See the SASL_README document for details. 276 /* .IP "\fBbroken_sasl_auth_clients (no)\fR" 277 /* Enable inter-operability with remote SMTP clients that implement an obsolete 278 /* version of the AUTH command (RFC 4954). 279 /* .IP "\fBsmtpd_sasl_auth_enable (no)\fR" 280 /* Enable SASL authentication in the Postfix SMTP server. 281 /* .IP "\fBsmtpd_sasl_local_domain (empty)\fR" 282 /* The name of the Postfix SMTP server's local SASL authentication 283 /* realm. 284 /* .IP "\fBsmtpd_sasl_security_options (noanonymous)\fR" 285 /* Postfix SMTP server SASL security options; as of Postfix 2.3 286 /* the list of available 287 /* features depends on the SASL server implementation that is selected 288 /* with \fBsmtpd_sasl_type\fR. 289 /* .IP "\fBsmtpd_sender_login_maps (empty)\fR" 290 /* Optional lookup table with the SASL login names that own sender 291 /* (MAIL FROM) addresses. 292 /* .PP 293 /* Available in Postfix version 2.1 and later: 294 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR" 295 /* What remote SMTP clients the Postfix SMTP server will not offer 296 /* AUTH support to. 297 /* .PP 298 /* Available in Postfix version 2.1 and 2.2: 299 /* .IP "\fBsmtpd_sasl_application_name (smtpd)\fR" 300 /* The application name that the Postfix SMTP server uses for SASL 301 /* server initialization. 302 /* .PP 303 /* Available in Postfix version 2.3 and later: 304 /* .IP "\fBsmtpd_sasl_authenticated_header (no)\fR" 305 /* Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received 306 /* message header. 307 /* .IP "\fBsmtpd_sasl_path (smtpd)\fR" 308 /* Implementation-specific information that the Postfix SMTP server 309 /* passes through to 310 /* the SASL plug-in implementation that is selected with 311 /* \fBsmtpd_sasl_type\fR. 312 /* .IP "\fBsmtpd_sasl_type (cyrus)\fR" 313 /* The SASL plug-in type that the Postfix SMTP server should use 314 /* for authentication. 315 /* .PP 316 /* Available in Postfix version 2.5 and later: 317 /* .IP "\fBcyrus_sasl_config_path (empty)\fR" 318 /* Search path for Cyrus SASL application configuration files, 319 /* currently used only to locate the $smtpd_sasl_path.conf file. 320 /* .PP 321 /* Available in Postfix version 2.11 and later: 322 /* .IP "\fBsmtpd_sasl_service (smtp)\fR" 323 /* The service name that is passed to the SASL plug-in that is 324 /* selected with \fBsmtpd_sasl_type\fR and \fBsmtpd_sasl_path\fR. 325 /* STARTTLS SUPPORT CONTROLS 326 /* .ad 327 /* .fi 328 /* Detailed information about STARTTLS configuration may be 329 /* found in the TLS_README document. 330 /* .IP "\fBsmtpd_tls_security_level (empty)\fR" 331 /* The SMTP TLS security level for the Postfix SMTP server; when 332 /* a non-empty value is specified, this overrides the obsolete parameters 333 /* smtpd_use_tls and smtpd_enforce_tls. 334 /* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR" 335 /* The SASL authentication security options that the Postfix SMTP 336 /* server uses for TLS encrypted SMTP sessions. 337 /* .IP "\fBsmtpd_starttls_timeout (see 'postconf -d' output)\fR" 338 /* The time limit for Postfix SMTP server write and read operations 339 /* during TLS startup and shutdown handshake procedures. 340 /* .IP "\fBsmtpd_tls_CAfile (empty)\fR" 341 /* A file containing (PEM format) CA certificates of root CAs trusted 342 /* to sign either remote SMTP client certificates or intermediate CA 343 /* certificates. 344 /* .IP "\fBsmtpd_tls_CApath (empty)\fR" 345 /* A directory containing (PEM format) CA certificates of root CAs 346 /* trusted to sign either remote SMTP client certificates or intermediate CA 347 /* certificates. 348 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR" 349 /* Force the Postfix SMTP server to issue a TLS session id, even 350 /* when TLS session caching is turned off (smtpd_tls_session_cache_database 351 /* is empty). 352 /* .IP "\fBsmtpd_tls_ask_ccert (no)\fR" 353 /* Ask a remote SMTP client for a client certificate. 354 /* .IP "\fBsmtpd_tls_auth_only (no)\fR" 355 /* When TLS encryption is optional in the Postfix SMTP server, do 356 /* not announce or accept SASL authentication over unencrypted 357 /* connections. 358 /* .IP "\fBsmtpd_tls_ccert_verifydepth (9)\fR" 359 /* The verification depth for remote SMTP client certificates. 360 /* .IP "\fBsmtpd_tls_cert_file (empty)\fR" 361 /* File with the Postfix SMTP server RSA certificate in PEM format. 362 /* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR" 363 /* List of ciphers or cipher types to exclude from the SMTP server 364 /* cipher list at all TLS security levels. 365 /* .IP "\fBsmtpd_tls_dcert_file (empty)\fR" 366 /* File with the Postfix SMTP server DSA certificate in PEM format. 367 /* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR" 368 /* File with DH parameters that the Postfix SMTP server should 369 /* use with non-export EDH ciphers. 370 /* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR" 371 /* File with DH parameters that the Postfix SMTP server should 372 /* use with export-grade EDH ciphers. 373 /* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR" 374 /* File with the Postfix SMTP server DSA private key in PEM format. 375 /* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR" 376 /* File with the Postfix SMTP server RSA private key in PEM format. 377 /* .IP "\fBsmtpd_tls_loglevel (0)\fR" 378 /* Enable additional Postfix SMTP server logging of TLS activity. 379 /* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR" 380 /* The minimum TLS cipher grade that the Postfix SMTP server will 381 /* use with mandatory TLS encryption. 382 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR" 383 /* Additional list of ciphers or cipher types to exclude from the 384 /* Postfix SMTP server cipher list at mandatory TLS security levels. 385 /* .IP "\fBsmtpd_tls_mandatory_protocols (!SSLv2)\fR" 386 /* The SSL/TLS protocols accepted by the Postfix SMTP server with 387 /* mandatory TLS encryption. 388 /* .IP "\fBsmtpd_tls_received_header (no)\fR" 389 /* Request that the Postfix SMTP server produces Received: message 390 /* headers that include information about the protocol and cipher used, 391 /* as well as the remote SMTP client CommonName and client certificate issuer 392 /* CommonName. 393 /* .IP "\fBsmtpd_tls_req_ccert (no)\fR" 394 /* With mandatory TLS encryption, require a trusted remote SMTP client 395 /* certificate in order to allow TLS connections to proceed. 396 /* .IP "\fBsmtpd_tls_wrappermode (no)\fR" 397 /* Run the Postfix SMTP server in the non-standard "wrapper" mode, 398 /* instead of using the STARTTLS command. 399 /* .IP "\fBtls_daemon_random_bytes (32)\fR" 400 /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) 401 /* process requests from the \fBtlsmgr\fR(8) server in order to seed its 402 /* internal pseudo random number generator (PRNG). 403 /* .IP "\fBtls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)\fR" 404 /* The OpenSSL cipherlist for "HIGH" grade ciphers. 405 /* .IP "\fBtls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)\fR" 406 /* The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. 407 /* .IP "\fBtls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)\fR" 408 /* The OpenSSL cipherlist for "LOW" or higher grade ciphers. 409 /* .IP "\fBtls_export_cipherlist (ALL:+RC4:@STRENGTH)\fR" 410 /* The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. 411 /* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR" 412 /* The OpenSSL cipherlist for "NULL" grade ciphers that provide 413 /* authentication without encryption. 414 /* .PP 415 /* Available in Postfix version 2.5 and later: 416 /* .IP "\fBsmtpd_tls_fingerprint_digest (md5)\fR" 417 /* The message digest algorithm to construct remote SMTP 418 /* client-certificate 419 /* fingerprints or public key fingerprints (Postfix 2.9 and later) 420 /* for \fBcheck_ccert_access\fR and \fBpermit_tls_clientcerts\fR. 421 /* .PP 422 /* Available in Postfix version 2.6 and later: 423 /* .IP "\fBsmtpd_tls_protocols (empty)\fR" 424 /* List of TLS protocols that the Postfix SMTP server will exclude 425 /* or include with opportunistic TLS encryption. 426 /* .IP "\fBsmtpd_tls_ciphers (export)\fR" 427 /* The minimum TLS cipher grade that the Postfix SMTP server 428 /* will use with opportunistic TLS encryption. 429 /* .IP "\fBsmtpd_tls_eccert_file (empty)\fR" 430 /* File with the Postfix SMTP server ECDSA certificate in PEM format. 431 /* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR" 432 /* File with the Postfix SMTP server ECDSA private key in PEM format. 433 /* .IP "\fBsmtpd_tls_eecdh_grade (see 'postconf -d' output)\fR" 434 /* The Postfix SMTP server security grade for ephemeral elliptic-curve 435 /* Diffie-Hellman (EECDH) key exchange. 436 /* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR" 437 /* The elliptic curve used by the Postfix SMTP server for sensibly 438 /* strong 439 /* ephemeral ECDH key exchange. 440 /* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR" 441 /* The elliptic curve used by the Postfix SMTP server for maximally 442 /* strong 443 /* ephemeral ECDH key exchange. 444 /* .PP 445 /* Available in Postfix version 2.8 and later: 446 /* .IP "\fBtls_preempt_cipherlist (no)\fR" 447 /* With SSLv3 and later, use the Postfix SMTP server's cipher 448 /* preference order instead of the remote client's cipher preference 449 /* order. 450 /* .IP "\fBtls_disable_workarounds (see 'postconf -d' output)\fR" 451 /* List or bit-mask of OpenSSL bug work-arounds to disable. 452 /* .PP 453 /* Available in Postfix version 2.11 and later: 454 /* .IP "\fBtlsmgr_service_name (tlsmgr)\fR" 455 /* The name of the \fBtlsmgr\fR(8) service entry in master.cf. 456 /* OBSOLETE STARTTLS CONTROLS 457 /* .ad 458 /* .fi 459 /* The following configuration parameters exist for compatibility 460 /* with Postfix versions before 2.3. Support for these will 461 /* be removed in a future release. 462 /* .IP "\fBsmtpd_use_tls (no)\fR" 463 /* Opportunistic TLS: announce STARTTLS support to remote SMTP clients, 464 /* but do not require that clients use TLS encryption. 465 /* .IP "\fBsmtpd_enforce_tls (no)\fR" 466 /* Mandatory TLS: announce STARTTLS support to remote SMTP clients, 467 /* and require that clients use TLS encryption. 468 /* .IP "\fBsmtpd_tls_cipherlist (empty)\fR" 469 /* Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS 470 /* cipher list. 471 /* VERP SUPPORT CONTROLS 472 /* .ad 473 /* .fi 474 /* With VERP style delivery, each recipient of a message receives a 475 /* customized copy of the message with his/her own recipient address 476 /* encoded in the envelope sender address. The VERP_README file 477 /* describes configuration and operation details of Postfix support 478 /* for variable envelope return path addresses. VERP style delivery 479 /* is requested with the SMTP XVERP command or with the "sendmail 480 /* -V" command-line option and is available in Postfix version 1.1 481 /* and later. 482 /* .IP "\fBdefault_verp_delimiters (+=)\fR" 483 /* The two default VERP delimiter characters. 484 /* .IP "\fBverp_delimiter_filter (-=+)\fR" 485 /* The characters Postfix accepts as VERP delimiter characters on the 486 /* Postfix \fBsendmail\fR(1) command line and in SMTP commands. 487 /* .PP 488 /* Available in Postfix version 1.1 and 2.0: 489 /* .IP "\fBauthorized_verp_clients ($mynetworks)\fR" 490 /* What remote SMTP clients are allowed to specify the XVERP command. 491 /* .PP 492 /* Available in Postfix version 2.1 and later: 493 /* .IP "\fBsmtpd_authorized_verp_clients ($authorized_verp_clients)\fR" 494 /* What remote SMTP clients are allowed to specify the XVERP command. 495 /* TROUBLE SHOOTING CONTROLS 496 /* .ad 497 /* .fi 498 /* The DEBUG_README document describes how to debug parts of the 499 /* Postfix mail system. The methods vary from making the software log 500 /* a lot of detail, to running some daemon processes under control of 501 /* a call tracer or debugger. 502 /* .IP "\fBdebug_peer_level (2)\fR" 503 /* The increment in verbose logging level when a remote client or 504 /* server matches a pattern in the debug_peer_list parameter. 505 /* .IP "\fBdebug_peer_list (empty)\fR" 506 /* Optional list of remote client or server hostname or network 507 /* address patterns that cause the verbose logging level to increase 508 /* by the amount specified in $debug_peer_level. 509 /* .IP "\fBerror_notice_recipient (postmaster)\fR" 510 /* The recipient of postmaster notifications about mail delivery 511 /* problems that are caused by policy, resource, software or protocol 512 /* errors. 513 /* .IP "\fBinternal_mail_filter_classes (empty)\fR" 514 /* What categories of Postfix-generated mail are subject to 515 /* before-queue content inspection by non_smtpd_milters, header_checks 516 /* and body_checks. 517 /* .IP "\fBnotify_classes (resource, software)\fR" 518 /* The list of error classes that are reported to the postmaster. 519 /* .IP "\fBsmtpd_reject_footer (empty)\fR" 520 /* Optional information that is appended after each Postfix SMTP 521 /* server 522 /* 4XX or 5XX response. 523 /* .IP "\fBsoft_bounce (no)\fR" 524 /* Safety net to keep mail queued that would otherwise be returned to 525 /* the sender. 526 /* .PP 527 /* Available in Postfix version 2.1 and later: 528 /* .IP "\fBsmtpd_authorized_xclient_hosts (empty)\fR" 529 /* What remote SMTP clients are allowed to use the XCLIENT feature. 530 /* .PP 531 /* Available in Postfix version 2.10 and later: 532 /* .IP "\fBsmtpd_log_access_permit_actions (empty)\fR" 533 /* Enable logging of the named "permit" actions in SMTP server 534 /* access lists (by default, the SMTP server logs "reject" actions but 535 /* not "permit" actions). 536 /* KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS 537 /* .ad 538 /* .fi 539 /* As of Postfix version 2.0, the SMTP server rejects mail for 540 /* unknown recipients. This prevents the mail queue from clogging up 541 /* with undeliverable MAILER-DAEMON messages. Additional information 542 /* on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README 543 /* documents. 544 /* .IP "\fBshow_user_unknown_table_name (yes)\fR" 545 /* Display the name of the recipient table in the "User unknown" 546 /* responses. 547 /* .IP "\fBcanonical_maps (empty)\fR" 548 /* Optional address mapping lookup tables for message headers and 549 /* envelopes. 550 /* .IP "\fBrecipient_canonical_maps (empty)\fR" 551 /* Optional address mapping lookup tables for envelope and header 552 /* recipient addresses. 553 /* .PP 554 /* Parameters concerning known/unknown local recipients: 555 /* .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR" 556 /* The list of domains that are delivered via the $local_transport 557 /* mail delivery transport. 558 /* .IP "\fBinet_interfaces (all)\fR" 559 /* The network interface addresses that this mail system receives 560 /* mail on. 561 /* .IP "\fBproxy_interfaces (empty)\fR" 562 /* The network interface addresses that this mail system receives mail 563 /* on by way of a proxy or network address translation unit. 564 /* .IP "\fBinet_protocols (all)\fR" 565 /* The Internet protocols Postfix will attempt to use when making 566 /* or accepting connections. 567 /* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR" 568 /* Lookup tables with all names or addresses of local recipients: 569 /* a recipient address is local when its domain matches $mydestination, 570 /* $inet_interfaces or $proxy_interfaces. 571 /* .IP "\fBunknown_local_recipient_reject_code (550)\fR" 572 /* The numerical Postfix SMTP server response code when a recipient 573 /* address is local, and $local_recipient_maps specifies a list of 574 /* lookup tables that does not match the recipient. 575 /* .PP 576 /* Parameters concerning known/unknown recipients of relay destinations: 577 /* .IP "\fBrelay_domains ($mydestination)\fR" 578 /* What destination domains (and subdomains thereof) this system 579 /* will relay mail to. 580 /* .IP "\fBrelay_recipient_maps (empty)\fR" 581 /* Optional lookup tables with all valid addresses in the domains 582 /* that match $relay_domains. 583 /* .IP "\fBunknown_relay_recipient_reject_code (550)\fR" 584 /* The numerical Postfix SMTP server reply code when a recipient 585 /* address matches $relay_domains, and relay_recipient_maps specifies 586 /* a list of lookup tables that does not match the recipient address. 587 /* .PP 588 /* Parameters concerning known/unknown recipients in virtual alias 589 /* domains: 590 /* .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR" 591 /* Postfix is final destination for the specified list of virtual 592 /* alias domains, that is, domains for which all addresses are aliased 593 /* to addresses in other local or remote domains. 594 /* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR" 595 /* Optional lookup tables that alias specific mail addresses or domains 596 /* to other local or remote address. 597 /* .IP "\fBunknown_virtual_alias_reject_code (550)\fR" 598 /* The Postfix SMTP server reply code when a recipient address matches 599 /* $virtual_alias_domains, and $virtual_alias_maps specifies a list 600 /* of lookup tables that does not match the recipient address. 601 /* .PP 602 /* Parameters concerning known/unknown recipients in virtual mailbox 603 /* domains: 604 /* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR" 605 /* Postfix is final destination for the specified list of domains; 606 /* mail is delivered via the $virtual_transport mail delivery transport. 607 /* .IP "\fBvirtual_mailbox_maps (empty)\fR" 608 /* Optional lookup tables with all valid addresses in the domains that 609 /* match $virtual_mailbox_domains. 610 /* .IP "\fBunknown_virtual_mailbox_reject_code (550)\fR" 611 /* The Postfix SMTP server reply code when a recipient address matches 612 /* $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list 613 /* of lookup tables that does not match the recipient address. 614 /* RESOURCE AND RATE CONTROLS 615 /* .ad 616 /* .fi 617 /* The following parameters limit resource usage by the SMTP 618 /* server and/or control client request rates. 619 /* .IP "\fBline_length_limit (2048)\fR" 620 /* Upon input, long lines are chopped up into pieces of at most 621 /* this length; upon delivery, long lines are reconstructed. 622 /* .IP "\fBqueue_minfree (0)\fR" 623 /* The minimal amount of free space in bytes in the queue file system 624 /* that is needed to receive mail. 625 /* .IP "\fBmessage_size_limit (10240000)\fR" 626 /* The maximal size in bytes of a message, including envelope information. 627 /* .IP "\fBsmtpd_recipient_limit (1000)\fR" 628 /* The maximal number of recipients that the Postfix SMTP server 629 /* accepts per message delivery request. 630 /* .IP "\fBsmtpd_timeout (normal: 300s, overload: 10s)\fR" 631 /* The time limit for sending a Postfix SMTP server response and for 632 /* receiving a remote SMTP client request. 633 /* .IP "\fBsmtpd_history_flush_threshold (100)\fR" 634 /* The maximal number of lines in the Postfix SMTP server command history 635 /* before it is flushed upon receipt of EHLO, RSET, or end of DATA. 636 /* .PP 637 /* Available in Postfix version 2.3 and later: 638 /* .IP "\fBsmtpd_peername_lookup (yes)\fR" 639 /* Attempt to look up the remote SMTP client hostname, and verify that 640 /* the name matches the client IP address. 641 /* .PP 642 /* The per SMTP client connection count and request rate limits are 643 /* implemented in co-operation with the \fBanvil\fR(8) service, and 644 /* are available in Postfix version 2.2 and later. 645 /* .IP "\fBsmtpd_client_connection_count_limit (50)\fR" 646 /* How many simultaneous connections any client is allowed to 647 /* make to this service. 648 /* .IP "\fBsmtpd_client_connection_rate_limit (0)\fR" 649 /* The maximal number of connection attempts any client is allowed to 650 /* make to this service per time unit. 651 /* .IP "\fBsmtpd_client_message_rate_limit (0)\fR" 652 /* The maximal number of message delivery requests that any client is 653 /* allowed to make to this service per time unit, regardless of whether 654 /* or not Postfix actually accepts those messages. 655 /* .IP "\fBsmtpd_client_recipient_rate_limit (0)\fR" 656 /* The maximal number of recipient addresses that any client is allowed 657 /* to send to this service per time unit, regardless of whether or not 658 /* Postfix actually accepts those recipients. 659 /* .IP "\fBsmtpd_client_event_limit_exceptions ($mynetworks)\fR" 660 /* Clients that are excluded from smtpd_client_*_count/rate_limit 661 /* restrictions. 662 /* .PP 663 /* Available in Postfix version 2.3 and later: 664 /* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR" 665 /* The maximal number of new (i.e., uncached) TLS sessions that a 666 /* remote SMTP client is allowed to negotiate with this service per 667 /* time unit. 668 /* .PP 669 /* Available in Postfix version 2.9 and later: 670 /* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR" 671 /* Change the behavior of the smtpd_timeout and smtpd_starttls_timeout 672 /* time limits, from a 673 /* time limit per read or write system call, to a time limit to send 674 /* or receive a complete record (an SMTP command line, SMTP response 675 /* line, SMTP message content line, or TLS protocol message). 676 /* TARPIT CONTROLS 677 /* .ad 678 /* .fi 679 /* When a remote SMTP client makes errors, the Postfix SMTP server 680 /* can insert delays before responding. This can help to slow down 681 /* run-away software. The behavior is controlled by an error counter 682 /* that counts the number of errors within an SMTP session that a 683 /* client makes without delivering mail. 684 /* .IP "\fBsmtpd_error_sleep_time (1s)\fR" 685 /* With Postfix version 2.1 and later: the SMTP server response delay after 686 /* a client has made more than $smtpd_soft_error_limit errors, and 687 /* fewer than $smtpd_hard_error_limit errors, without delivering mail. 688 /* .IP "\fBsmtpd_soft_error_limit (10)\fR" 689 /* The number of errors a remote SMTP client is allowed to make without 690 /* delivering mail before the Postfix SMTP server slows down all its 691 /* responses. 692 /* .IP "\fBsmtpd_hard_error_limit (normal: 20, overload: 1)\fR" 693 /* The maximal number of errors a remote SMTP client is allowed to 694 /* make without delivering mail. 695 /* .IP "\fBsmtpd_junk_command_limit (normal: 100, overload: 1)\fR" 696 /* The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote 697 /* SMTP client can send before the Postfix SMTP server starts to 698 /* increment the error counter with each junk command. 699 /* .PP 700 /* Available in Postfix version 2.1 and later: 701 /* .IP "\fBsmtpd_recipient_overshoot_limit (1000)\fR" 702 /* The number of recipients that a remote SMTP client can send in 703 /* excess of the limit specified with $smtpd_recipient_limit, before 704 /* the Postfix SMTP server increments the per-session error count 705 /* for each excess recipient. 706 /* ACCESS POLICY DELEGATION CONTROLS 707 /* .ad 708 /* .fi 709 /* As of version 2.1, Postfix can be configured to delegate access 710 /* policy decisions to an external server that runs outside Postfix. 711 /* See the file SMTPD_POLICY_README for more information. 712 /* .IP "\fBsmtpd_policy_service_max_idle (300s)\fR" 713 /* The time after which an idle SMTPD policy service connection is 714 /* closed. 715 /* .IP "\fBsmtpd_policy_service_max_ttl (1000s)\fR" 716 /* The time after which an active SMTPD policy service connection is 717 /* closed. 718 /* .IP "\fBsmtpd_policy_service_timeout (100s)\fR" 719 /* The time limit for connecting to, writing to or receiving from a 720 /* delegated SMTPD policy server. 721 /* ACCESS CONTROLS 722 /* .ad 723 /* .fi 724 /* The SMTPD_ACCESS_README document gives an introduction to all the 725 /* SMTP server access control features. 726 /* .IP "\fBsmtpd_delay_reject (yes)\fR" 727 /* Wait until the RCPT TO command before evaluating 728 /* $smtpd_client_restrictions, $smtpd_helo_restrictions and 729 /* $smtpd_sender_restrictions, or wait until the ETRN command before 730 /* evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. 731 /* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR" 732 /* What Postfix features match subdomains of "domain.tld" automatically, 733 /* instead of requiring an explicit ".domain.tld" pattern. 734 /* .IP "\fBsmtpd_client_restrictions (empty)\fR" 735 /* Optional restrictions that the Postfix SMTP server applies in the 736 /* context of a client connection request. 737 /* .IP "\fBsmtpd_helo_required (no)\fR" 738 /* Require that a remote SMTP client introduces itself with the HELO 739 /* or EHLO command before sending the MAIL command or other commands 740 /* that require EHLO negotiation. 741 /* .IP "\fBsmtpd_helo_restrictions (empty)\fR" 742 /* Optional restrictions that the Postfix SMTP server applies in the 743 /* context of a client HELO command. 744 /* .IP "\fBsmtpd_sender_restrictions (empty)\fR" 745 /* Optional restrictions that the Postfix SMTP server applies in the 746 /* context of a client MAIL FROM command. 747 /* .IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR" 748 /* Optional restrictions that the Postfix SMTP server applies in the 749 /* context of a client RCPT TO command, after smtpd_relay_restrictions. 750 /* .IP "\fBsmtpd_etrn_restrictions (empty)\fR" 751 /* Optional restrictions that the Postfix SMTP server applies in the 752 /* context of a client ETRN command. 753 /* .IP "\fBallow_untrusted_routing (no)\fR" 754 /* Forward mail with sender-specified routing (user[@%!]remote[@%!]site) 755 /* from untrusted clients to destinations matching $relay_domains. 756 /* .IP "\fBsmtpd_restriction_classes (empty)\fR" 757 /* User-defined aliases for groups of access restrictions. 758 /* .IP "\fBsmtpd_null_access_lookup_key (<>)\fR" 759 /* The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the 760 /* null sender address. 761 /* .IP "\fBpermit_mx_backup_networks (empty)\fR" 762 /* Restrict the use of the permit_mx_backup SMTP access feature to 763 /* only domains whose primary MX hosts match the listed networks. 764 /* .PP 765 /* Available in Postfix version 2.0 and later: 766 /* .IP "\fBsmtpd_data_restrictions (empty)\fR" 767 /* Optional access restrictions that the Postfix SMTP server applies 768 /* in the context of the SMTP DATA command. 769 /* .IP "\fBsmtpd_expansion_filter (see 'postconf -d' output)\fR" 770 /* What characters are allowed in $name expansions of RBL reply 771 /* templates. 772 /* .PP 773 /* Available in Postfix version 2.1 and later: 774 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR" 775 /* Request that the Postfix SMTP server rejects mail from unknown 776 /* sender addresses, even when no explicit reject_unlisted_sender 777 /* access restriction is specified. 778 /* .IP "\fBsmtpd_reject_unlisted_recipient (yes)\fR" 779 /* Request that the Postfix SMTP server rejects mail for unknown 780 /* recipient addresses, even when no explicit reject_unlisted_recipient 781 /* access restriction is specified. 782 /* .PP 783 /* Available in Postfix version 2.2 and later: 784 /* .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR" 785 /* Optional access restrictions that the Postfix SMTP server 786 /* applies in the context of the SMTP END-OF-DATA command. 787 /* .PP 788 /* Available in Postfix version 2.10 and later: 789 /* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination)\fR" 790 /* Access restrictions for mail relay control that the Postfix 791 /* SMTP server applies in the context of the RCPT TO command, before 792 /* smtpd_recipient_restrictions. 793 /* SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS 794 /* .ad 795 /* .fi 796 /* Postfix version 2.1 introduces sender and recipient address verification. 797 /* This feature is implemented by sending probe email messages that 798 /* are not actually delivered. 799 /* This feature is requested via the reject_unverified_sender and 800 /* reject_unverified_recipient access restrictions. The status of 801 /* verification probes is maintained by the \fBverify\fR(8) server. 802 /* See the file ADDRESS_VERIFICATION_README for information 803 /* about how to configure and operate the Postfix sender/recipient 804 /* address verification service. 805 /* .IP "\fBaddress_verify_poll_count (normal: 3, overload: 1)\fR" 806 /* How many times to query the \fBverify\fR(8) service for the completion 807 /* of an address verification request in progress. 808 /* .IP "\fBaddress_verify_poll_delay (3s)\fR" 809 /* The delay between queries for the completion of an address 810 /* verification request in progress. 811 /* .IP "\fBaddress_verify_sender ($double_bounce_sender)\fR" 812 /* The sender address to use in address verification probes; prior 813 /* to Postfix 2.5 the default was "postmaster". 814 /* .IP "\fBunverified_sender_reject_code (450)\fR" 815 /* The numerical Postfix SMTP server response code when a recipient 816 /* address is rejected by the reject_unverified_sender restriction. 817 /* .IP "\fBunverified_recipient_reject_code (450)\fR" 818 /* The numerical Postfix SMTP server response when a recipient address 819 /* is rejected by the reject_unverified_recipient restriction. 820 /* .PP 821 /* Available in Postfix version 2.6 and later: 822 /* .IP "\fBunverified_sender_defer_code (450)\fR" 823 /* The numerical Postfix SMTP server response code when a sender address 824 /* probe fails due to a temporary error condition. 825 /* .IP "\fBunverified_recipient_defer_code (450)\fR" 826 /* The numerical Postfix SMTP server response when a recipient address 827 /* probe fails due to a temporary error condition. 828 /* .IP "\fBunverified_sender_reject_reason (empty)\fR" 829 /* The Postfix SMTP server's reply when rejecting mail with 830 /* reject_unverified_sender. 831 /* .IP "\fBunverified_recipient_reject_reason (empty)\fR" 832 /* The Postfix SMTP server's reply when rejecting mail with 833 /* reject_unverified_recipient. 834 /* .IP "\fBunverified_sender_tempfail_action ($reject_tempfail_action)\fR" 835 /* The Postfix SMTP server's action when reject_unverified_sender 836 /* fails due to a temporary error condition. 837 /* .IP "\fBunverified_recipient_tempfail_action ($reject_tempfail_action)\fR" 838 /* The Postfix SMTP server's action when reject_unverified_recipient 839 /* fails due to a temporary error condition. 840 /* .PP 841 /* Available with Postfix 2.9 and later: 842 /* .IP "\fBaddress_verify_sender_ttl (0s)\fR" 843 /* The time between changes in the time-dependent portion of address 844 /* verification probe sender addresses. 845 /* ACCESS CONTROL RESPONSES 846 /* .ad 847 /* .fi 848 /* The following parameters control numerical SMTP reply codes 849 /* and/or text responses. 850 /* .IP "\fBaccess_map_reject_code (554)\fR" 851 /* The numerical Postfix SMTP server response code for 852 /* an \fBaccess\fR(5) map "reject" action. 853 /* .IP "\fBdefer_code (450)\fR" 854 /* The numerical Postfix SMTP server response code when a remote SMTP 855 /* client request is rejected by the "defer" restriction. 856 /* .IP "\fBinvalid_hostname_reject_code (501)\fR" 857 /* The numerical Postfix SMTP server response code when the client 858 /* HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname 859 /* restriction. 860 /* .IP "\fBmaps_rbl_reject_code (554)\fR" 861 /* The numerical Postfix SMTP server response code when a remote SMTP 862 /* client request is blocked by the reject_rbl_client, reject_rhsbl_client, 863 /* reject_rhsbl_reverse_client, reject_rhsbl_sender or 864 /* reject_rhsbl_recipient restriction. 865 /* .IP "\fBnon_fqdn_reject_code (504)\fR" 866 /* The numerical Postfix SMTP server reply code when a client request 867 /* is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender 868 /* or reject_non_fqdn_recipient restriction. 869 /* .IP "\fBplaintext_reject_code (450)\fR" 870 /* The numerical Postfix SMTP server response code when a request 871 /* is rejected by the \fBreject_plaintext_session\fR restriction. 872 /* .IP "\fBreject_code (554)\fR" 873 /* The numerical Postfix SMTP server response code when a remote SMTP 874 /* client request is rejected by the "reject" restriction. 875 /* .IP "\fBrelay_domains_reject_code (554)\fR" 876 /* The numerical Postfix SMTP server response code when a client 877 /* request is rejected by the reject_unauth_destination recipient 878 /* restriction. 879 /* .IP "\fBunknown_address_reject_code (450)\fR" 880 /* The numerical Postfix SMTP server response code when a sender or 881 /* recipient address is rejected by the reject_unknown_sender_domain 882 /* or reject_unknown_recipient_domain restriction. 883 /* .IP "\fBunknown_client_reject_code (450)\fR" 884 /* The numerical Postfix SMTP server response code when a client 885 /* without valid address <=> name mapping is rejected by the 886 /* reject_unknown_client_hostname restriction. 887 /* .IP "\fBunknown_hostname_reject_code (450)\fR" 888 /* The numerical Postfix SMTP server response code when the hostname 889 /* specified with the HELO or EHLO command is rejected by the 890 /* reject_unknown_helo_hostname restriction. 891 /* .PP 892 /* Available in Postfix version 2.0 and later: 893 /* .IP "\fBdefault_rbl_reply (see 'postconf -d' output)\fR" 894 /* The default Postfix SMTP server response template for a request that is 895 /* rejected by an RBL-based restriction. 896 /* .IP "\fBmulti_recipient_bounce_reject_code (550)\fR" 897 /* The numerical Postfix SMTP server response code when a remote SMTP 898 /* client request is blocked by the reject_multi_recipient_bounce 899 /* restriction. 900 /* .IP "\fBrbl_reply_maps (empty)\fR" 901 /* Optional lookup tables with RBL response templates. 902 /* .PP 903 /* Available in Postfix version 2.6 and later: 904 /* .IP "\fBaccess_map_defer_code (450)\fR" 905 /* The numerical Postfix SMTP server response code for 906 /* an \fBaccess\fR(5) map "defer" action, including "defer_if_permit" 907 /* or "defer_if_reject". 908 /* .IP "\fBreject_tempfail_action (defer_if_permit)\fR" 909 /* The Postfix SMTP server's action when a reject-type restriction 910 /* fails due to a temporary error condition. 911 /* .IP "\fBunknown_helo_hostname_tempfail_action ($reject_tempfail_action)\fR" 912 /* The Postfix SMTP server's action when reject_unknown_helo_hostname 913 /* fails due to an temporary error condition. 914 /* .IP "\fBunknown_address_tempfail_action ($reject_tempfail_action)\fR" 915 /* The Postfix SMTP server's action when reject_unknown_sender_domain 916 /* or reject_unknown_recipient_domain fail due to a temporary error 917 /* condition. 918 /* MISCELLANEOUS CONTROLS 919 /* .ad 920 /* .fi 921 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 922 /* The default location of the Postfix main.cf and master.cf 923 /* configuration files. 924 /* .IP "\fBdaemon_timeout (18000s)\fR" 925 /* How much time a Postfix daemon process may take to handle a 926 /* request before it is terminated by a built-in watchdog timer. 927 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR" 928 /* The location of all postfix administrative commands. 929 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR" 930 /* The sender address of postmaster notifications that are generated 931 /* by the mail system. 932 /* .IP "\fBipc_timeout (3600s)\fR" 933 /* The time limit for sending or receiving information over an internal 934 /* communication channel. 935 /* .IP "\fBmail_name (Postfix)\fR" 936 /* The mail system name that is displayed in Received: headers, in 937 /* the SMTP greeting banner, and in bounced mail. 938 /* .IP "\fBmail_owner (postfix)\fR" 939 /* The UNIX system account that owns the Postfix queue and most Postfix 940 /* daemon processes. 941 /* .IP "\fBmax_idle (100s)\fR" 942 /* The maximum amount of time that an idle Postfix daemon process waits 943 /* for an incoming connection before terminating voluntarily. 944 /* .IP "\fBmax_use (100)\fR" 945 /* The maximal number of incoming connections that a Postfix daemon 946 /* process will service before terminating voluntarily. 947 /* .IP "\fBmyhostname (see 'postconf -d' output)\fR" 948 /* The internet hostname of this mail system. 949 /* .IP "\fBmynetworks (see 'postconf -d' output)\fR" 950 /* The list of "trusted" remote SMTP clients that have more privileges than 951 /* "strangers". 952 /* .IP "\fBmyorigin ($myhostname)\fR" 953 /* The domain name that locally-posted mail appears to come 954 /* from, and that locally posted mail is delivered to. 955 /* .IP "\fBprocess_id (read-only)\fR" 956 /* The process ID of a Postfix command or daemon process. 957 /* .IP "\fBprocess_name (read-only)\fR" 958 /* The process name of a Postfix command or daemon process. 959 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 960 /* The location of the Postfix top-level queue directory. 961 /* .IP "\fBrecipient_delimiter (empty)\fR" 962 /* The set of characters that can separate a user name from its 963 /* extension (example: user+foo), or a .forward file name from its 964 /* extension (example: .forward+foo). 965 /* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR" 966 /* The text that follows the 220 status code in the SMTP greeting 967 /* banner. 968 /* .IP "\fBsyslog_facility (mail)\fR" 969 /* The syslog facility of Postfix logging. 970 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 971 /* The mail system name that is prepended to the process name in syslog 972 /* records, so that "smtpd" becomes, for example, "postfix/smtpd". 973 /* .PP 974 /* Available in Postfix version 2.2 and later: 975 /* .IP "\fBsmtpd_forbidden_commands (CONNECT, GET, POST)\fR" 976 /* List of commands that cause the Postfix SMTP server to immediately 977 /* terminate the session with a 221 code. 978 /* .PP 979 /* Available in Postfix version 2.5 and later: 980 /* .IP "\fBsmtpd_client_port_logging (no)\fR" 981 /* Enable logging of the remote SMTP client port in addition to 982 /* the hostname and IP address. 983 /* SEE ALSO 984 /* anvil(8), connection/rate limiting 985 /* cleanup(8), message canonicalization 986 /* tlsmgr(8), TLS session and PRNG management 987 /* trivial-rewrite(8), address resolver 988 /* verify(8), address verification service 989 /* postconf(5), configuration parameters 990 /* master(5), generic daemon options 991 /* master(8), process manager 992 /* syslogd(8), system logging 993 /* README FILES 994 /* .ad 995 /* .fi 996 /* Use "\fBpostconf readme_directory\fR" or 997 /* "\fBpostconf html_directory\fR" to locate this information. 998 /* .na 999 /* .nf 1000 /* ADDRESS_CLASS_README, blocking unknown hosted or relay recipients 1001 /* ADDRESS_REWRITING_README Postfix address manipulation 1002 /* FILTER_README, external after-queue content filter 1003 /* LOCAL_RECIPIENT_README, blocking unknown local recipients 1004 /* MILTER_README, before-queue mail filter applications 1005 /* SMTPD_ACCESS_README, built-in access policies 1006 /* SMTPD_POLICY_README, external policy server 1007 /* SMTPD_PROXY_README, external before-queue content filter 1008 /* SASL_README, Postfix SASL howto 1009 /* TLS_README, Postfix STARTTLS howto 1010 /* VERP_README, Postfix XVERP extension 1011 /* XCLIENT_README, Postfix XCLIENT extension 1012 /* XFORWARD_README, Postfix XFORWARD extension 1013 /* LICENSE 1014 /* .ad 1015 /* .fi 1016 /* The Secure Mailer license must be distributed with this software. 1017 /* AUTHOR(S) 1018 /* Wietse Venema 1019 /* IBM T.J. Watson Research 1020 /* P.O. Box 704 1021 /* Yorktown Heights, NY 10598, USA 1022 /* 1023 /* SASL support originally by: 1024 /* Till Franke 1025 /* SuSE Rhein/Main AG 1026 /* 65760 Eschborn, Germany 1027 /* 1028 /* TLS support originally by: 1029 /* Lutz Jaenicke 1030 /* BTU Cottbus 1031 /* Allgemeine Elektrotechnik 1032 /* Universitaetsplatz 3-4 1033 /* D-03044 Cottbus, Germany 1034 /* 1035 /* Revised TLS support by: 1036 /* Victor Duchovni 1037 /* Morgan Stanley 1038 /*--*/ 1039 1040 /* System library. */ 1041 1042 #include <sys_defs.h> 1043 #include <sys/socket.h> 1044 #include <sys/stat.h> 1045 #include <netinet/in.h> 1046 #include <arpa/inet.h> 1047 #include <netdb.h> 1048 #include <string.h> 1049 #include <stdio.h> /* remove() */ 1050 #include <unistd.h> 1051 #include <stdlib.h> 1052 #include <errno.h> 1053 #include <ctype.h> 1054 #include <signal.h> 1055 #include <stddef.h> /* offsetof() */ 1056 1057 #ifdef STRCASECMP_IN_STRINGS_H 1058 #include <strings.h> 1059 #endif 1060 1061 /* Utility library. */ 1062 1063 #include <msg.h> 1064 #include <mymalloc.h> 1065 #include <vstring.h> 1066 #include <vstream.h> 1067 #include <vstring_vstream.h> 1068 #include <stringops.h> 1069 #include <events.h> 1070 #include <smtp_stream.h> 1071 #include <valid_hostname.h> 1072 #include <dict.h> 1073 #include <watchdog.h> 1074 #include <iostuff.h> 1075 #include <split_at.h> 1076 #include <name_code.h> 1077 #include <inet_proto.h> 1078 1079 /* Global library. */ 1080 1081 #include <mail_params.h> 1082 #include <mail_version.h> /* milter_macro_v */ 1083 #include <record.h> 1084 #include <rec_type.h> 1085 #include <mail_proto.h> 1086 #include <cleanup_user.h> 1087 #include <mail_date.h> 1088 #include <mail_conf.h> 1089 #include <off_cvt.h> 1090 #include <debug_peer.h> 1091 #include <mail_error.h> 1092 #include <flush_clnt.h> 1093 #include <mail_stream.h> 1094 #include <mail_queue.h> 1095 #include <tok822.h> 1096 #include <verp_sender.h> 1097 #include <string_list.h> 1098 #include <quote_822_local.h> 1099 #include <lex_822.h> 1100 #include <namadr_list.h> 1101 #include <input_transp.h> 1102 #include <is_header.h> 1103 #include <anvil_clnt.h> 1104 #include <flush_clnt.h> 1105 #include <ehlo_mask.h> /* ehlo filter */ 1106 #include <maps.h> /* ehlo filter */ 1107 #include <valid_mailhost_addr.h> 1108 #include <dsn_mask.h> 1109 #include <xtext.h> 1110 #include <tls_proxy.h> 1111 #include <verify_sender_addr.h> 1112 1113 /* Single-threaded server skeleton. */ 1114 1115 #include <mail_server.h> 1116 1117 /* Mail filter library. */ 1118 1119 #include <milter.h> 1120 1121 /* Application-specific */ 1122 1123 #include <smtpd_token.h> 1124 #include <smtpd.h> 1125 #include <smtpd_check.h> 1126 #include <smtpd_chat.h> 1127 #include <smtpd_sasl_proto.h> 1128 #include <smtpd_sasl_glue.h> 1129 #include <smtpd_proxy.h> 1130 #include <smtpd_milter.h> 1131 #include <smtpd_expand.h> 1132 1133 /* 1134 * Tunable parameters. Make sure that there is some bound on the length of 1135 * an SMTP command, so that the mail system stays in control even when a 1136 * malicious client sends commands of unreasonable length (qmail-dos-1). 1137 * Make sure there is some bound on the number of recipients, so that the 1138 * mail system stays in control even when a malicious client sends an 1139 * unreasonable number of recipients (qmail-dos-2). 1140 */ 1141 int var_smtpd_rcpt_limit; 1142 int var_smtpd_tmout; 1143 int var_smtpd_soft_erlim; 1144 int var_smtpd_hard_erlim; 1145 int var_queue_minfree; /* XXX use off_t */ 1146 char *var_smtpd_banner; 1147 char *var_notify_classes; 1148 char *var_client_checks; 1149 char *var_helo_checks; 1150 char *var_mail_checks; 1151 char *var_relay_checks; 1152 char *var_rcpt_checks; 1153 char *var_etrn_checks; 1154 char *var_data_checks; 1155 char *var_eod_checks; 1156 int var_unk_client_code; 1157 int var_bad_name_code; 1158 int var_unk_name_code; 1159 int var_unk_addr_code; 1160 int var_relay_code; 1161 int var_maps_rbl_code; 1162 int var_map_reject_code; 1163 int var_map_defer_code; 1164 char *var_maps_rbl_domains; 1165 char *var_rbl_reply_maps; 1166 int var_helo_required; 1167 int var_reject_code; 1168 int var_defer_code; 1169 int var_smtpd_err_sleep; 1170 int var_non_fqdn_code; 1171 char *var_error_rcpt; 1172 int var_smtpd_delay_reject; 1173 char *var_rest_classes; 1174 int var_strict_rfc821_env; 1175 bool var_disable_vrfy_cmd; 1176 char *var_canonical_maps; 1177 char *var_rcpt_canon_maps; 1178 char *var_virt_alias_maps; 1179 char *var_virt_mailbox_maps; 1180 char *var_alias_maps; 1181 char *var_local_rcpt_maps; 1182 bool var_allow_untrust_route; 1183 int var_smtpd_junk_cmd_limit; 1184 int var_smtpd_rcpt_overlim; 1185 bool var_smtpd_sasl_enable; 1186 bool var_smtpd_sasl_auth_hdr; 1187 char *var_smtpd_sasl_opts; 1188 char *var_smtpd_sasl_path; 1189 char *var_smtpd_sasl_service; 1190 char *var_cyrus_conf_path; 1191 char *var_smtpd_sasl_realm; 1192 char *var_smtpd_sasl_exceptions_networks; 1193 char *var_smtpd_sasl_type; 1194 char *var_filter_xport; 1195 bool var_broken_auth_clients; 1196 char *var_perm_mx_networks; 1197 char *var_smtpd_snd_auth_maps; 1198 char *var_smtpd_noop_cmds; 1199 char *var_smtpd_null_key; 1200 int var_smtpd_hist_thrsh; 1201 char *var_smtpd_exp_filter; 1202 char *var_def_rbl_reply; 1203 int var_unv_from_rcode; 1204 int var_unv_rcpt_rcode; 1205 int var_unv_from_dcode; 1206 int var_unv_rcpt_dcode; 1207 char *var_unv_from_why; 1208 char *var_unv_rcpt_why; 1209 int var_mul_rcpt_code; 1210 char *var_relay_rcpt_maps; 1211 int var_local_rcpt_code; 1212 int var_virt_alias_code; 1213 int var_virt_mailbox_code; 1214 int var_relay_rcpt_code; 1215 char *var_verp_clients; 1216 int var_show_unk_rcpt_table; 1217 int var_verify_poll_count; 1218 int var_verify_poll_delay; 1219 char *var_smtpd_proxy_filt; 1220 int var_smtpd_proxy_tmout; 1221 char *var_smtpd_proxy_ehlo; 1222 char *var_smtpd_proxy_opts; 1223 char *var_input_transp; 1224 int var_smtpd_policy_tmout; 1225 int var_smtpd_policy_idle; 1226 int var_smtpd_policy_ttl; 1227 char *var_xclient_hosts; 1228 char *var_xforward_hosts; 1229 bool var_smtpd_rej_unl_from; 1230 bool var_smtpd_rej_unl_rcpt; 1231 char *var_smtpd_forbid_cmds; 1232 int var_smtpd_crate_limit; 1233 int var_smtpd_cconn_limit; 1234 int var_smtpd_cmail_limit; 1235 int var_smtpd_crcpt_limit; 1236 int var_smtpd_cntls_limit; 1237 char *var_smtpd_hoggers; 1238 char *var_local_rwr_clients; 1239 char *var_smtpd_ehlo_dis_words; 1240 char *var_smtpd_ehlo_dis_maps; 1241 1242 char *var_smtpd_tls_level; 1243 bool var_smtpd_use_tls; 1244 bool var_smtpd_enforce_tls; 1245 bool var_smtpd_tls_wrappermode; 1246 bool var_smtpd_tls_auth_only; 1247 char *var_smtpd_cmd_filter; 1248 char *var_smtpd_rej_footer; 1249 char *var_smtpd_acl_perm_log; 1250 1251 #ifdef USE_TLS 1252 char *var_smtpd_relay_ccerts; 1253 char *var_smtpd_sasl_tls_opts; 1254 int var_smtpd_starttls_tmout; 1255 char *var_smtpd_tls_CAfile; 1256 char *var_smtpd_tls_CApath; 1257 bool var_smtpd_tls_ask_ccert; 1258 int var_smtpd_tls_ccert_vd; 1259 char *var_smtpd_tls_cert_file; 1260 char *var_smtpd_tls_mand_ciph; 1261 char *var_smtpd_tls_excl_ciph; 1262 char *var_smtpd_tls_mand_excl; 1263 char *var_smtpd_tls_dcert_file; 1264 char *var_smtpd_tls_dh1024_param_file; 1265 char *var_smtpd_tls_dh512_param_file; 1266 char *var_smtpd_tls_dkey_file; 1267 char *var_smtpd_tls_key_file; 1268 char *var_smtpd_tls_loglevel; 1269 char *var_smtpd_tls_mand_proto; 1270 bool var_smtpd_tls_received_header; 1271 bool var_smtpd_tls_req_ccert; 1272 bool var_smtpd_tls_set_sessid; 1273 char *var_smtpd_tls_fpt_dgst; 1274 char *var_smtpd_tls_ciph; 1275 char *var_smtpd_tls_proto; 1276 char *var_smtpd_tls_eecdh; 1277 char *var_smtpd_tls_eccert_file; 1278 char *var_smtpd_tls_eckey_file; 1279 1280 #endif 1281 1282 bool var_smtpd_peername_lookup; 1283 int var_plaintext_code; 1284 bool var_smtpd_delay_open; 1285 char *var_smtpd_milters; 1286 int var_milt_conn_time; 1287 int var_milt_cmd_time; 1288 int var_milt_msg_time; 1289 char *var_milt_protocol; 1290 char *var_milt_def_action; 1291 char *var_milt_daemon_name; 1292 char *var_milt_v; 1293 char *var_milt_conn_macros; 1294 char *var_milt_helo_macros; 1295 char *var_milt_mail_macros; 1296 char *var_milt_rcpt_macros; 1297 char *var_milt_data_macros; 1298 char *var_milt_eoh_macros; 1299 char *var_milt_eod_macros; 1300 char *var_milt_unk_macros; 1301 bool var_smtpd_client_port_log; 1302 char *var_stress; 1303 1304 char *var_reject_tmpf_act; 1305 char *var_unk_name_tf_act; 1306 char *var_unk_addr_tf_act; 1307 char *var_unv_rcpt_tf_act; 1308 char *var_unv_from_tf_act; 1309 bool var_smtpd_rec_deadline; 1310 1311 int smtpd_proxy_opts; 1312 1313 #ifdef USE_TLSPROXY 1314 char *var_tlsproxy_service; 1315 1316 #endif 1317 1318 char *var_smtpd_uproxy_proto; 1319 int var_smtpd_uproxy_tmout; 1320 1321 /* 1322 * Silly little macros. 1323 */ 1324 #define STR(x) vstring_str(x) 1325 #define LEN(x) VSTRING_LEN(x) 1326 1327 /* 1328 * EHLO keyword filter 1329 */ 1330 static MAPS *ehlo_discard_maps; 1331 1332 /* 1333 * VERP command name. 1334 */ 1335 #define VERP_CMD "XVERP" 1336 #define VERP_CMD_LEN 5 1337 1338 static NAMADR_LIST *verp_clients; 1339 1340 /* 1341 * XCLIENT command. Access control is cached, so that XCLIENT can't override 1342 * its own access control. 1343 */ 1344 static NAMADR_LIST *xclient_hosts; 1345 static int xclient_allowed; /* XXX should be SMTPD_STATE member */ 1346 1347 /* 1348 * XFORWARD command. Access control is cached. 1349 */ 1350 static NAMADR_LIST *xforward_hosts; 1351 static int xforward_allowed; /* XXX should be SMTPD_STATE member */ 1352 1353 /* 1354 * Client connection and rate limiting. 1355 */ 1356 ANVIL_CLNT *anvil_clnt; 1357 static NAMADR_LIST *hogger_list; 1358 1359 /* 1360 * Other application-specific globals. 1361 */ 1362 int smtpd_input_transp_mask; 1363 1364 /* 1365 * Forward declarations. 1366 */ 1367 static void helo_reset(SMTPD_STATE *); 1368 static void mail_reset(SMTPD_STATE *); 1369 static void rcpt_reset(SMTPD_STATE *); 1370 static void tls_reset(SMTPD_STATE *); 1371 static void chat_reset(SMTPD_STATE *, int); 1372 1373 /* 1374 * This filter is applied after printable(). 1375 */ 1376 #define NEUTER_CHARACTERS " <>()\\\";@" 1377 1378 /* 1379 * Reasons for losing the client. 1380 */ 1381 #define REASON_TIMEOUT "timeout" 1382 #define REASON_LOST_CONNECTION "lost connection" 1383 #define REASON_ERROR_LIMIT "too many errors" 1384 1385 /* 1386 * Mail filter initialization status. 1387 */ 1388 MILTERS *smtpd_milters; 1389 1390 #ifdef USE_TLS 1391 1392 /* 1393 * TLS initialization status. 1394 */ 1395 static TLS_APPL_STATE *smtpd_tls_ctx; 1396 static int ask_client_cert; 1397 1398 #endif 1399 1400 /* 1401 * SMTP command mapping for broken clients. 1402 */ 1403 static DICT *smtpd_cmd_filter; 1404 1405 #ifdef USE_SASL_AUTH 1406 1407 /* 1408 * SASL exceptions. 1409 */ 1410 static NAMADR_LIST *sasl_exceptions_networks; 1411 1412 /* sasl_client_exception - can we offer AUTH for this client */ 1413 1414 static int sasl_client_exception(SMTPD_STATE *state) 1415 { 1416 int match; 1417 1418 /* 1419 * This is to work around a Netscape mail client bug where it tries to 1420 * use AUTH if available, even if user has not configured it. Returns 1421 * TRUE if AUTH should be offered in the EHLO. 1422 */ 1423 if (sasl_exceptions_networks == 0) 1424 return (0); 1425 1426 if ((match = namadr_list_match(sasl_exceptions_networks, 1427 state->name, state->addr)) == 0) 1428 match = sasl_exceptions_networks->error; 1429 1430 if (msg_verbose) 1431 msg_info("sasl_exceptions: %s, match=%d", 1432 state->namaddr, match); 1433 1434 return (match); 1435 } 1436 1437 #endif 1438 1439 /* smtpd_whatsup - gather available evidence for logging */ 1440 1441 static const char *smtpd_whatsup(SMTPD_STATE *state) 1442 { 1443 static VSTRING *buf = 0; 1444 1445 if (buf == 0) 1446 buf = vstring_alloc(100); 1447 else 1448 VSTRING_RESET(buf); 1449 if (state->sender) 1450 vstring_sprintf_append(buf, " from=<%s>", state->sender); 1451 if (state->recipient) 1452 vstring_sprintf_append(buf, " to=<%s>", state->recipient); 1453 if (state->protocol) 1454 vstring_sprintf_append(buf, " proto=%s", state->protocol); 1455 if (state->helo_name) 1456 vstring_sprintf_append(buf, " helo=<%s>", state->helo_name); 1457 return (STR(buf)); 1458 } 1459 1460 /* collapse_args - put arguments together again */ 1461 1462 static void collapse_args(int argc, SMTPD_TOKEN *argv) 1463 { 1464 int i; 1465 1466 for (i = 1; i < argc; i++) { 1467 vstring_strcat(argv[0].vstrval, " "); 1468 vstring_strcat(argv[0].vstrval, argv[i].strval); 1469 } 1470 argv[0].strval = STR(argv[0].vstrval); 1471 } 1472 1473 /* check_milter_reply - process reply from Milter */ 1474 1475 static const char *check_milter_reply(SMTPD_STATE *state, const char *reply) 1476 { 1477 const char *queue_id = state->queue_id ? state->queue_id : "NOQUEUE"; 1478 const char *action; 1479 const char *text; 1480 1481 /* 1482 * The syntax of user-specified SMTP replies is checked by the Milter 1483 * module, because the replies are also used in the cleanup server. 1484 * Automatically disconnect after 421 (shutdown) reply. The Sendmail 8 1485 * Milter quarantine action is not final, so it is not included in 1486 * MILTER_SKIP_FLAGS. 1487 */ 1488 #define MILTER_SKIP_FLAGS (CLEANUP_FLAG_DISCARD) 1489 1490 switch (reply[0]) { 1491 case 'H': 1492 state->saved_flags |= CLEANUP_FLAG_HOLD; 1493 action = "milter-hold"; 1494 reply = 0; 1495 text = "milter triggers HOLD action"; 1496 break; 1497 case 'D': 1498 state->saved_flags |= CLEANUP_FLAG_DISCARD; 1499 action = "milter-discard"; 1500 reply = 0; 1501 text = "milter triggers DISCARD action"; 1502 break; 1503 case 'S': 1504 state->error_mask |= MAIL_ERROR_POLICY; 1505 action = "milter-reject"; 1506 reply = "421 4.7.0 Server closing connection"; 1507 text = 0; 1508 break; 1509 case '4': 1510 case '5': 1511 state->error_mask |= MAIL_ERROR_POLICY; 1512 action = "milter-reject"; 1513 text = 0; 1514 break; 1515 default: 1516 state->error_mask |= MAIL_ERROR_SOFTWARE; 1517 action = "reject"; 1518 reply = "421 4.3.5 Server configuration error"; 1519 text = 0; 1520 break; 1521 } 1522 msg_info("%s: %s: %s from %s: %s;%s", queue_id, action, state->where, 1523 state->namaddr, reply ? reply : text, smtpd_whatsup(state)); 1524 return (reply); 1525 } 1526 1527 /* helo_cmd - process HELO command */ 1528 1529 static int helo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 1530 { 1531 const char *err; 1532 1533 /* 1534 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other 1535 * than the initial greeting and any response to HELO or EHLO are 1536 * prefaced with a status code as defined in RFC 3463. 1537 */ 1538 if (argc < 2) { 1539 state->error_mask |= MAIL_ERROR_PROTOCOL; 1540 smtpd_chat_reply(state, "501 Syntax: HELO hostname"); 1541 return (-1); 1542 } 1543 if (argc > 2) 1544 collapse_args(argc - 1, argv + 1); 1545 if (SMTPD_STAND_ALONE(state) == 0 1546 && var_smtpd_delay_reject == 0 1547 && (err = smtpd_check_helo(state, argv[1].strval)) != 0) { 1548 smtpd_chat_reply(state, "%s", err); 1549 return (-1); 1550 } 1551 1552 /* 1553 * XXX Sendmail compatibility: if a Milter rejects CONNECT, EHLO, or 1554 * HELO, reply with 250 except in case of 421 (disconnect). The reply 1555 * persists so it will apply to MAIL FROM and to other commands such as 1556 * AUTH, STARTTLS, and VRFY. 1557 */ 1558 #define PUSH_STRING(old, curr, new) { char *old = (curr); (curr) = (new); 1559 #define POP_STRING(old, curr) (curr) = old; } 1560 1561 if (smtpd_milters != 0 1562 && SMTPD_STAND_ALONE(state) == 0 1563 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0 1564 && (err = milter_helo_event(smtpd_milters, argv[1].strval, 0)) != 0) { 1565 /* Log reject etc. with correct HELO information. */ 1566 PUSH_STRING(saved_helo, state->helo_name, argv[1].strval); 1567 err = check_milter_reply(state, err); 1568 POP_STRING(saved_helo, state->helo_name); 1569 if (err != 0 && strncmp(err, "421", 3) == 0) { 1570 smtpd_chat_reply(state, "%s", err); 1571 return (-1); 1572 } 1573 } 1574 if (state->helo_name != 0) 1575 helo_reset(state); 1576 chat_reset(state, var_smtpd_hist_thrsh); 1577 mail_reset(state); 1578 rcpt_reset(state); 1579 state->helo_name = mystrdup(printable(argv[1].strval, '?')); 1580 neuter(state->helo_name, NEUTER_CHARACTERS, '?'); 1581 /* Downgrading the protocol name breaks the unauthorized pipelining test. */ 1582 if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0 1583 && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) { 1584 myfree(state->protocol); 1585 state->protocol = mystrdup(MAIL_PROTO_SMTP); 1586 } 1587 smtpd_chat_reply(state, "250 %s", var_myhostname); 1588 return (0); 1589 } 1590 1591 /* cant_announce_feature - explain and terminate this session */ 1592 1593 static NORETURN cant_announce_feature(SMTPD_STATE *state, const char *feature) 1594 { 1595 msg_warn("don't know if EHLO feature %s should be announced to %s", 1596 feature, state->namaddr); 1597 vstream_longjmp(state->client, SMTP_ERR_DATA); 1598 } 1599 1600 /* cant_permit_command - explain and terminate this session */ 1601 1602 static NORETURN cant_permit_command(SMTPD_STATE *state, const char *command) 1603 { 1604 msg_warn("don't know if command %s should be allowed from %s", 1605 command, state->namaddr); 1606 vstream_longjmp(state->client, SMTP_ERR_DATA); 1607 } 1608 1609 /* ehlo_cmd - process EHLO command */ 1610 1611 static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 1612 { 1613 const char *err; 1614 int discard_mask; 1615 char **cpp; 1616 1617 /* 1618 * XXX 2821 new feature: Section 4.1.4 specifies that a server must clear 1619 * all buffers and reset the state exactly as if a RSET command had been 1620 * issued. 1621 * 1622 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other 1623 * than the initial greeting and any response to HELO or EHLO are 1624 * prefaced with a status code as defined in RFC 3463. 1625 */ 1626 if (argc < 2) { 1627 state->error_mask |= MAIL_ERROR_PROTOCOL; 1628 smtpd_chat_reply(state, "501 Syntax: EHLO hostname"); 1629 return (-1); 1630 } 1631 if (argc > 2) 1632 collapse_args(argc - 1, argv + 1); 1633 if (SMTPD_STAND_ALONE(state) == 0 1634 && var_smtpd_delay_reject == 0 1635 && (err = smtpd_check_helo(state, argv[1].strval)) != 0) { 1636 smtpd_chat_reply(state, "%s", err); 1637 return (-1); 1638 } 1639 1640 /* 1641 * XXX Sendmail compatibility: if a Milter 5xx rejects CONNECT, EHLO, or 1642 * HELO, reply with ENHANCEDSTATUSCODES except in case of immediate 1643 * disconnect. The reply persists so it will apply to MAIL FROM and to 1644 * other commands such as AUTH, STARTTLS, and VRFY. 1645 */ 1646 err = 0; 1647 if (smtpd_milters != 0 1648 && SMTPD_STAND_ALONE(state) == 0 1649 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0 1650 && (err = milter_helo_event(smtpd_milters, argv[1].strval, 1)) != 0) { 1651 /* Log reject etc. with correct HELO information. */ 1652 PUSH_STRING(saved_helo, state->helo_name, argv[1].strval); 1653 err = check_milter_reply(state, err); 1654 POP_STRING(saved_helo, state->helo_name); 1655 if (err != 0 && strncmp(err, "421", 3) == 0) { 1656 smtpd_chat_reply(state, "%s", err); 1657 return (-1); 1658 } 1659 } 1660 if (state->helo_name != 0) 1661 helo_reset(state); 1662 chat_reset(state, var_smtpd_hist_thrsh); 1663 mail_reset(state); 1664 rcpt_reset(state); 1665 state->helo_name = mystrdup(printable(argv[1].strval, '?')); 1666 neuter(state->helo_name, NEUTER_CHARACTERS, '?'); 1667 1668 /* 1669 * XXX reject_unauth_pipelining depends on the following. If the user 1670 * sends EHLO then we announce PIPELINING and we can't accuse them of 1671 * using pipelining in places where it is allowed. 1672 * 1673 * XXX The reject_unauth_pipelining test needs to change and also account 1674 * for mechanisms that disable PIPELINING selectively. 1675 */ 1676 if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0) { 1677 myfree(state->protocol); 1678 state->protocol = mystrdup(MAIL_PROTO_ESMTP); 1679 } 1680 1681 /* 1682 * Build the EHLO response, producing no output until we know what to 1683 * send - this simplifies exception handling. The CRLF record boundaries 1684 * don't exist at this level in the code, so we represent multi-line 1685 * output as an array of single-line responses. 1686 */ 1687 #define EHLO_APPEND(state, cmd) \ 1688 do { \ 1689 vstring_sprintf((state)->ehlo_buf, (cmd)); \ 1690 argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \ 1691 } while (0) 1692 1693 #define EHLO_APPEND1(state, cmd, arg) \ 1694 do { \ 1695 vstring_sprintf((state)->ehlo_buf, (cmd), (arg)); \ 1696 argv_add((state)->ehlo_argv, STR((state)->ehlo_buf), (char *) 0); \ 1697 } while (0) 1698 1699 /* 1700 * XXX Sendmail compatibility: if a Milter 5XX rejects CONNECT, EHLO, or 1701 * HELO, reply with ENHANCEDSTATUSCODES only. The reply persists so it 1702 * will apply to MAIL FROM, but we currently don't have a proper 1703 * mechanism to apply Milter rejects to AUTH, STARTTLS, VRFY, and other 1704 * commands while still allowing HELO/EHLO. 1705 */ 1706 discard_mask = state->ehlo_discard_mask; 1707 if (err != 0 && err[0] == '5') 1708 discard_mask |= ~EHLO_MASK_ENHANCEDSTATUSCODES; 1709 if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0) 1710 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 1711 msg_info("discarding EHLO keywords: %s", str_ehlo_mask(discard_mask)); 1712 if (ehlo_discard_maps && ehlo_discard_maps->error) { 1713 msg_warn("don't know what EHLO features to announce to %s", 1714 state->namaddr); 1715 vstream_longjmp(state->client, SMTP_ERR_DATA); 1716 } 1717 1718 /* 1719 * These may still exist after a prior exception. 1720 */ 1721 if (state->ehlo_argv == 0) { 1722 state->ehlo_argv = argv_alloc(10); 1723 state->ehlo_buf = vstring_alloc(10); 1724 } else 1725 argv_truncate(state->ehlo_argv, 0); 1726 1727 EHLO_APPEND1(state, "%s", var_myhostname); 1728 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 1729 EHLO_APPEND(state, "PIPELINING"); 1730 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 1731 if (var_message_limit) 1732 EHLO_APPEND1(state, "SIZE %lu", 1733 (unsigned long) var_message_limit); /* XXX */ 1734 else 1735 EHLO_APPEND(state, "SIZE"); 1736 } 1737 if ((discard_mask & EHLO_MASK_VRFY) == 0) 1738 if (var_disable_vrfy_cmd == 0) 1739 EHLO_APPEND(state, SMTPD_CMD_VRFY); 1740 if ((discard_mask & EHLO_MASK_ETRN) == 0) 1741 EHLO_APPEND(state, SMTPD_CMD_ETRN); 1742 #ifdef USE_TLS 1743 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 1744 if (var_smtpd_use_tls && (!state->tls_context)) 1745 EHLO_APPEND(state, SMTPD_CMD_STARTTLS); 1746 #endif 1747 #ifdef USE_SASL_AUTH 1748 #ifndef AUTH_CMD 1749 #define AUTH_CMD "AUTH" 1750 #endif 1751 if ((discard_mask & EHLO_MASK_AUTH) == 0) { 1752 if (smtpd_sasl_is_active(state) && !sasl_client_exception(state)) { 1753 EHLO_APPEND1(state, "AUTH %s", state->sasl_mechanism_list); 1754 if (var_broken_auth_clients) 1755 EHLO_APPEND1(state, "AUTH=%s", state->sasl_mechanism_list); 1756 } else if (sasl_exceptions_networks && sasl_exceptions_networks->error) 1757 cant_announce_feature(state, AUTH_CMD); 1758 } 1759 #define XCLIENT_LOGIN_KLUDGE " " XCLIENT_LOGIN 1760 #else 1761 #define XCLIENT_LOGIN_KLUDGE "" 1762 #endif 1763 if ((discard_mask & EHLO_MASK_VERP) == 0) { 1764 if (namadr_list_match(verp_clients, state->name, state->addr)) 1765 EHLO_APPEND(state, VERP_CMD); 1766 else if (verp_clients && verp_clients->error) 1767 cant_announce_feature(state, VERP_CMD); 1768 } 1769 /* XCLIENT must not override its own access control. */ 1770 if ((discard_mask & EHLO_MASK_XCLIENT) == 0) { 1771 if (xclient_allowed) 1772 EHLO_APPEND(state, XCLIENT_CMD 1773 " " XCLIENT_NAME " " XCLIENT_ADDR 1774 " " XCLIENT_PROTO " " XCLIENT_HELO 1775 " " XCLIENT_REVERSE_NAME " " XCLIENT_PORT 1776 XCLIENT_LOGIN_KLUDGE); 1777 else if (xclient_hosts && xclient_hosts->error) 1778 cant_announce_feature(state, XCLIENT_CMD); 1779 } 1780 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) { 1781 if (xforward_allowed) 1782 EHLO_APPEND(state, XFORWARD_CMD 1783 " " XFORWARD_NAME " " XFORWARD_ADDR 1784 " " XFORWARD_PROTO " " XFORWARD_HELO 1785 " " XFORWARD_DOMAIN " " XFORWARD_PORT 1786 " " XFORWARD_IDENT); 1787 else if (xforward_hosts && xforward_hosts->error) 1788 cant_announce_feature(state, XFORWARD_CMD); 1789 } 1790 if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0) 1791 EHLO_APPEND(state, "ENHANCEDSTATUSCODES"); 1792 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 1793 EHLO_APPEND(state, "8BITMIME"); 1794 if ((discard_mask & EHLO_MASK_DSN) == 0) 1795 EHLO_APPEND(state, "DSN"); 1796 1797 /* 1798 * Send the reply. 1799 */ 1800 for (cpp = state->ehlo_argv->argv; *cpp; cpp++) 1801 smtpd_chat_reply(state, "250%c%s", cpp[1] ? '-' : ' ', *cpp); 1802 1803 /* 1804 * Clean up. 1805 */ 1806 argv_free(state->ehlo_argv); 1807 state->ehlo_argv = 0; 1808 vstring_free(state->ehlo_buf); 1809 state->ehlo_buf = 0; 1810 1811 return (0); 1812 } 1813 1814 /* helo_reset - reset HELO/EHLO command stuff */ 1815 1816 static void helo_reset(SMTPD_STATE *state) 1817 { 1818 if (state->helo_name) { 1819 myfree(state->helo_name); 1820 state->helo_name = 0; 1821 if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0) 1822 milter_abort(smtpd_milters); 1823 } 1824 if (state->ehlo_argv) { 1825 argv_free(state->ehlo_argv); 1826 state->ehlo_argv = 0; 1827 } 1828 if (state->ehlo_buf) { 1829 vstring_free(state->ehlo_buf); 1830 state->ehlo_buf = 0; 1831 } 1832 } 1833 1834 /* mail_open_stream - open mail queue file or IPC stream */ 1835 1836 static int mail_open_stream(SMTPD_STATE *state) 1837 { 1838 1839 /* 1840 * Connect to the before-queue filter when one is configured. The MAIL 1841 * FROM and RCPT TO commands are forwarded as received (including DSN 1842 * attributes), with the exception that the before-filter smtpd process 1843 * handles all authentication, encryption, access control and relay 1844 * control, and that the before-filter smtpd process does not forward 1845 * blocked commands. If the after-filter smtp server does not support 1846 * some of Postfix's ESMTP features, then they must be turned off in the 1847 * before-filter smtpd process with the smtpd_discard_ehlo_keywords 1848 * feature. 1849 */ 1850 if (state->proxy_mail) { 1851 if (smtpd_proxy_create(state, smtpd_proxy_opts, var_smtpd_proxy_filt, 1852 var_smtpd_proxy_tmout, var_smtpd_proxy_ehlo, 1853 state->proxy_mail) != 0) { 1854 smtpd_chat_reply(state, "%s", STR(state->proxy->reply)); 1855 smtpd_proxy_free(state); 1856 return (-1); 1857 } 1858 } 1859 1860 /* 1861 * If running from the master or from inetd, connect to the cleanup 1862 * service. 1863 * 1864 * XXX 2821: An SMTP server is not allowed to "clean up" mail except in the 1865 * case of original submissions. 1866 * 1867 * We implement this by distinguishing between mail that we are willing to 1868 * rewrite (the local rewrite context) and mail from elsewhere. 1869 */ 1870 else if (SMTPD_STAND_ALONE(state) == 0) { 1871 int cleanup_flags; 1872 1873 cleanup_flags = input_transp_cleanup(CLEANUP_FLAG_MASK_EXTERNAL, 1874 smtpd_input_transp_mask) 1875 | CLEANUP_FLAG_SMTP_REPLY; 1876 state->dest = mail_stream_service(MAIL_CLASS_PUBLIC, 1877 var_cleanup_service); 1878 if (state->dest == 0 1879 || attr_print(state->dest->stream, ATTR_FLAG_NONE, 1880 ATTR_TYPE_INT, MAIL_ATTR_FLAGS, cleanup_flags, 1881 ATTR_TYPE_END) != 0) 1882 msg_fatal("unable to connect to the %s %s service", 1883 MAIL_CLASS_PUBLIC, var_cleanup_service); 1884 } 1885 1886 /* 1887 * Otherwise, pipe the message through the privileged postdrop helper. 1888 * XXX Make postdrop a manifest constant. 1889 */ 1890 else { 1891 char *postdrop_command; 1892 1893 postdrop_command = concatenate(var_command_dir, "/postdrop", 1894 msg_verbose ? " -v" : (char *) 0, (char *) 0); 1895 state->dest = mail_stream_command(postdrop_command); 1896 if (state->dest == 0) 1897 msg_fatal("unable to execute %s", postdrop_command); 1898 myfree(postdrop_command); 1899 } 1900 1901 /* 1902 * Record the time of arrival, the SASL-related stuff if applicable, the 1903 * sender envelope address, some session information, and some additional 1904 * attributes. 1905 * 1906 * XXX Send Milter information first, because this will hang when cleanup 1907 * goes into "throw away" mode. Also, cleanup needs to know early on 1908 * whether or not it has to do its own SMTP event emulation. 1909 * 1910 * XXX At this point we send only dummy information to keep the cleanup 1911 * server from using its non_smtpd_milters settings. We have to send 1912 * up-to-date Milter information after DATA so that the cleanup server 1913 * knows the actual Milter state. 1914 */ 1915 if (state->dest) { 1916 state->cleanup = state->dest->stream; 1917 state->queue_id = mystrdup(state->dest->id); 1918 if (SMTPD_STAND_ALONE(state) == 0) { 1919 if (smtpd_milters != 0 1920 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) 1921 /* Send place-holder smtpd_milters list. */ 1922 (void) milter_dummy(smtpd_milters, state->cleanup); 1923 rec_fprintf(state->cleanup, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT, 1924 REC_TYPE_TIME_ARG(state->arrival_time)); 1925 if (*var_filter_xport) 1926 rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s", var_filter_xport); 1927 if (FORWARD_IDENT(state)) 1928 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1929 MAIL_ATTR_LOG_IDENT, FORWARD_IDENT(state)); 1930 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1931 MAIL_ATTR_RWR_CONTEXT, FORWARD_DOMAIN(state)); 1932 #ifdef USE_SASL_AUTH 1933 /* Make external authentication painless (e.g., XCLIENT). */ 1934 if (state->sasl_method) 1935 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1936 MAIL_ATTR_SASL_METHOD, state->sasl_method); 1937 if (state->sasl_username) 1938 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1939 MAIL_ATTR_SASL_USERNAME, state->sasl_username); 1940 if (state->sasl_sender) 1941 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1942 MAIL_ATTR_SASL_SENDER, state->sasl_sender); 1943 #endif 1944 1945 /* 1946 * Record DSN related information that was received with the MAIL 1947 * FROM command. 1948 * 1949 * RFC 3461 Section 5.2.1. If no ENVID parameter was included in the 1950 * MAIL command when the message was received, the ENVID 1951 * parameter MUST NOT be supplied when the message is relayed. 1952 * Ditto for the RET parameter. 1953 * 1954 * In other words, we can't simply make up our default ENVID or RET 1955 * values. We have to remember whether the client sent any. 1956 * 1957 * We store DSN information as named attribute records so that we 1958 * don't have to pollute the queue file with records that are 1959 * incompatible with past Postfix versions. Preferably, people 1960 * should be able to back out from an upgrade without losing 1961 * mail. 1962 */ 1963 if (state->dsn_envid) 1964 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1965 MAIL_ATTR_DSN_ENVID, state->dsn_envid); 1966 if (state->dsn_ret) 1967 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d", 1968 MAIL_ATTR_DSN_RET, state->dsn_ret); 1969 } 1970 rec_fputs(state->cleanup, REC_TYPE_FROM, state->sender); 1971 if (state->encoding != 0) 1972 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1973 MAIL_ATTR_ENCODING, state->encoding); 1974 1975 /* 1976 * Store client attributes. 1977 */ 1978 if (SMTPD_STAND_ALONE(state) == 0) { 1979 1980 /* 1981 * Attributes for logging, also used for XFORWARD. 1982 * 1983 * We store all client attributes, including ones with unknown 1984 * values. Otherwise, an unknown client hostname would be treated 1985 * as a non-existent hostname (i.e. local submission). 1986 */ 1987 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1988 MAIL_ATTR_LOG_CLIENT_NAME, FORWARD_NAME(state)); 1989 /* XXX Note: state->rfc_addr, not state->addr. */ 1990 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1991 MAIL_ATTR_LOG_CLIENT_ADDR, FORWARD_ADDR(state)); 1992 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1993 MAIL_ATTR_LOG_CLIENT_PORT, FORWARD_PORT(state)); 1994 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1995 MAIL_ATTR_LOG_ORIGIN, FORWARD_NAMADDR(state)); 1996 if (FORWARD_HELO(state)) 1997 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 1998 MAIL_ATTR_LOG_HELO_NAME, FORWARD_HELO(state)); 1999 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2000 MAIL_ATTR_LOG_PROTO_NAME, FORWARD_PROTO(state)); 2001 2002 /* 2003 * Attributes with actual client information. These are used by 2004 * the smtpd Milter client for policy decisions. Mail that is 2005 * requeued with "postsuper -r" is not subject to processing by 2006 * the cleanup Milter client, because a) it has already been 2007 * filtered, and b) we don't have sufficient information to 2008 * reproduce the exact same SMTP events and Sendmail macros that 2009 * the smtpd Milter client received when the message originally 2010 * arrived in Postfix. 2011 */ 2012 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2013 MAIL_ATTR_ACT_CLIENT_NAME, state->name); 2014 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2015 MAIL_ATTR_ACT_REVERSE_CLIENT_NAME, state->reverse_name); 2016 /* XXX Note: state->addr, not state->rfc_addr. */ 2017 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2018 MAIL_ATTR_ACT_CLIENT_ADDR, state->addr); 2019 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2020 MAIL_ATTR_ACT_CLIENT_PORT, state->port); 2021 if (state->helo_name) 2022 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2023 MAIL_ATTR_ACT_HELO_NAME, state->helo_name); 2024 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s", 2025 MAIL_ATTR_ACT_PROTO_NAME, state->protocol); 2026 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%u", 2027 MAIL_ATTR_ACT_CLIENT_AF, state->addr_family); 2028 2029 /* 2030 * Don't send client certificate down the pipeline unless it is 2031 * a) verified or b) just a fingerprint. 2032 */ 2033 } 2034 if (state->verp_delims) 2035 rec_fputs(state->cleanup, REC_TYPE_VERP, state->verp_delims); 2036 } 2037 2038 /* 2039 * Log the queue ID with the message origin. 2040 */ 2041 #ifdef USE_SASL_AUTH 2042 if (state->sasl_username) 2043 smtpd_sasl_mail_log(state); 2044 else 2045 #endif 2046 2047 /* 2048 * See also: smtpd_sasl_proto.c, for a longer client= logfile record. 2049 */ 2050 #define PRINT_OR_NULL(cond, str) \ 2051 ((cond) ? (str) : "") 2052 #define PRINT2_OR_NULL(cond, name, value) \ 2053 PRINT_OR_NULL((cond), (name)), PRINT_OR_NULL((cond), (value)) 2054 2055 msg_info("%s: client=%s%s%s%s%s", 2056 (state->queue_id ? state->queue_id : "NOQUEUE"), 2057 state->namaddr, 2058 PRINT2_OR_NULL(HAVE_FORWARDED_IDENT(state), 2059 ", orig_queue_id=", FORWARD_IDENT(state)), 2060 PRINT2_OR_NULL(HAVE_FORWARDED_CLIENT_ATTR(state), 2061 ", orig_client=", FORWARD_NAMADDR(state))); 2062 return (0); 2063 } 2064 2065 /* extract_addr - extract address from rubble */ 2066 2067 static int extract_addr(SMTPD_STATE *state, SMTPD_TOKEN *arg, 2068 int allow_empty_addr, int strict_rfc821) 2069 { 2070 const char *myname = "extract_addr"; 2071 TOK822 *tree; 2072 TOK822 *tp; 2073 TOK822 *addr = 0; 2074 int naddr; 2075 int non_addr; 2076 int err = 0; 2077 char *junk = 0; 2078 char *text; 2079 char *colon; 2080 2081 /* 2082 * Special case. 2083 */ 2084 #define PERMIT_EMPTY_ADDR 1 2085 #define REJECT_EMPTY_ADDR 0 2086 2087 /* 2088 * Some mailers send RFC822-style address forms (with comments and such) 2089 * in SMTP envelopes. We cannot blame users for this: the blame is with 2090 * programmers violating the RFC, and with sendmail for being permissive. 2091 * 2092 * XXX The SMTP command tokenizer must leave the address in externalized 2093 * (quoted) form, so that the address parser can correctly extract the 2094 * address from surrounding junk. 2095 * 2096 * XXX We have only one address parser, written according to the rules of 2097 * RFC 822. That standard differs subtly from RFC 821. 2098 */ 2099 if (msg_verbose) 2100 msg_info("%s: input: %s", myname, STR(arg->vstrval)); 2101 if (STR(arg->vstrval)[0] == '<' 2102 && STR(arg->vstrval)[LEN(arg->vstrval) - 1] == '>') { 2103 junk = text = mystrndup(STR(arg->vstrval) + 1, LEN(arg->vstrval) - 2); 2104 } else 2105 text = STR(arg->vstrval); 2106 2107 /* 2108 * Truncate deprecated route address form. 2109 */ 2110 if (*text == '@' && (colon = strchr(text, ':')) != 0) 2111 text = colon + 1; 2112 tree = tok822_parse(text); 2113 2114 if (junk) 2115 myfree(junk); 2116 2117 /* 2118 * Find trouble. 2119 */ 2120 for (naddr = non_addr = 0, tp = tree; tp != 0; tp = tp->next) { 2121 if (tp->type == TOK822_ADDR) { 2122 addr = tp; 2123 naddr += 1; /* count address forms */ 2124 } else if (tp->type == '<' || tp->type == '>') { 2125 /* void */ ; /* ignore brackets */ 2126 } else { 2127 non_addr += 1; /* count non-address forms */ 2128 } 2129 } 2130 2131 /* 2132 * Report trouble. XXX Should log a warning only if we are going to 2133 * sleep+reject so that attackers can't flood our logfiles. 2134 * 2135 * XXX Unfortunately, the sleep-before-reject feature had to be abandoned 2136 * (at least for small error counts) because servers were DOS-ing 2137 * themselves when flooded by backscatter traffic. 2138 */ 2139 if (naddr > 1 2140 || (strict_rfc821 && (non_addr || *STR(arg->vstrval) != '<'))) { 2141 msg_warn("Illegal address syntax from %s in %s command: %s", 2142 state->namaddr, state->where, 2143 printable(STR(arg->vstrval), '?')); 2144 err = 1; 2145 } 2146 2147 /* 2148 * Don't overwrite the input with the extracted address. We need the 2149 * original (external) form in case the client does not send ORCPT 2150 * information; and error messages are more accurate if we log the 2151 * unmodified form. We need the internal form for all other purposes. 2152 */ 2153 if (addr) 2154 tok822_internalize(state->addr_buf, addr->head, TOK822_STR_DEFL); 2155 else 2156 vstring_strcpy(state->addr_buf, ""); 2157 2158 /* 2159 * Report trouble. XXX Should log a warning only if we are going to 2160 * sleep+reject so that attackers can't flood our logfiles. Log the 2161 * original address. 2162 */ 2163 if (err == 0) 2164 if ((STR(state->addr_buf)[0] == 0 && !allow_empty_addr) 2165 || (strict_rfc821 && STR(state->addr_buf)[0] == '@') 2166 || (SMTPD_STAND_ALONE(state) == 0 2167 && smtpd_check_addr(STR(state->addr_buf)) != 0)) { 2168 msg_warn("Illegal address syntax from %s in %s command: %s", 2169 state->namaddr, state->where, 2170 printable(STR(arg->vstrval), '?')); 2171 err = 1; 2172 } 2173 2174 /* 2175 * Cleanup. 2176 */ 2177 tok822_free_tree(tree); 2178 if (msg_verbose) 2179 msg_info("%s: in: %s, result: %s", 2180 myname, STR(arg->vstrval), STR(state->addr_buf)); 2181 return (err); 2182 } 2183 2184 /* milter_argv - impedance adapter */ 2185 2186 static const char **milter_argv(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 2187 { 2188 int n; 2189 ssize_t len = argc + 1; 2190 2191 if (state->milter_argc < len) { 2192 if (state->milter_argc > 0) 2193 state->milter_argv = (const char **) 2194 myrealloc((char *) state->milter_argv, 2195 sizeof(const char *) * len); 2196 else 2197 state->milter_argv = (const char **) 2198 mymalloc(sizeof(const char *) * len); 2199 state->milter_argc = len; 2200 } 2201 for (n = 0; n < argc; n++) 2202 state->milter_argv[n] = argv[n].strval; 2203 state->milter_argv[n] = 0; 2204 return (state->milter_argv); 2205 } 2206 2207 /* mail_cmd - process MAIL command */ 2208 2209 static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 2210 { 2211 const char *err; 2212 int narg; 2213 char *arg; 2214 char *verp_delims = 0; 2215 int rate; 2216 int dsn_envid = 0; 2217 2218 state->encoding = 0; 2219 state->dsn_ret = 0; 2220 2221 /* 2222 * Sanity checks. 2223 * 2224 * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a 2225 * command in which invalid character codes have been employed, and for 2226 * which there are no other reasons for rejection, MUST reject that 2227 * command with a 501 response. Postfix attempts to be 8-bit clean. 2228 */ 2229 if (var_helo_required && state->helo_name == 0) { 2230 state->error_mask |= MAIL_ERROR_POLICY; 2231 smtpd_chat_reply(state, "503 5.5.1 Error: send HELO/EHLO first"); 2232 return (-1); 2233 } 2234 if (SMTPD_IN_MAIL_TRANSACTION(state)) { 2235 state->error_mask |= MAIL_ERROR_PROTOCOL; 2236 smtpd_chat_reply(state, "503 5.5.1 Error: nested MAIL command"); 2237 return (-1); 2238 } 2239 if (argc < 3 2240 || strcasecmp(argv[1].strval, "from:") != 0) { 2241 state->error_mask |= MAIL_ERROR_PROTOCOL; 2242 smtpd_chat_reply(state, "501 5.5.4 Syntax: MAIL FROM:<address>"); 2243 return (-1); 2244 } 2245 2246 /* 2247 * XXX The client event count/rate control must be consistent in its use 2248 * of client address information in connect and disconnect events. For 2249 * now we exclude xclient authorized hosts from event count/rate control. 2250 */ 2251 if (SMTPD_STAND_ALONE(state) == 0 2252 && !xclient_allowed 2253 && anvil_clnt 2254 && var_smtpd_cmail_limit > 0 2255 && !namadr_list_match(hogger_list, state->name, state->addr) 2256 && anvil_clnt_mail(anvil_clnt, state->service, state->addr, 2257 &rate) == ANVIL_STAT_OK 2258 && rate > var_smtpd_cmail_limit) { 2259 state->error_mask |= MAIL_ERROR_POLICY; 2260 smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s", 2261 state->addr); 2262 msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s", 2263 rate, state->namaddr, state->service); 2264 return (-1); 2265 } 2266 if (argv[2].tokval == SMTPD_TOK_ERROR) { 2267 state->error_mask |= MAIL_ERROR_PROTOCOL; 2268 smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax"); 2269 return (-1); 2270 } 2271 if (extract_addr(state, argv + 2, PERMIT_EMPTY_ADDR, var_strict_rfc821_env) != 0) { 2272 state->error_mask |= MAIL_ERROR_PROTOCOL; 2273 smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax"); 2274 return (-1); 2275 } 2276 for (narg = 3; narg < argc; narg++) { 2277 arg = argv[narg].strval; 2278 if (strcasecmp(arg, "BODY=8BITMIME") == 0) { /* RFC 1652 */ 2279 state->encoding = MAIL_ATTR_ENC_8BIT; 2280 } else if (strcasecmp(arg, "BODY=7BIT") == 0) { /* RFC 1652 */ 2281 state->encoding = MAIL_ATTR_ENC_7BIT; 2282 } else if (strncasecmp(arg, "SIZE=", 5) == 0) { /* RFC 1870 */ 2283 /* Reject non-numeric size. */ 2284 if (!alldig(arg + 5)) { 2285 state->error_mask |= MAIL_ERROR_PROTOCOL; 2286 smtpd_chat_reply(state, "501 5.5.4 Bad message size syntax"); 2287 return (-1); 2288 } 2289 /* Reject size overflow. */ 2290 if ((state->msg_size = off_cvt_string(arg + 5)) < 0) { 2291 state->error_mask |= MAIL_ERROR_POLICY; 2292 smtpd_chat_reply(state, "552 5.3.4 Message size exceeds file system imposed limit"); 2293 return (-1); 2294 } 2295 #ifdef USE_SASL_AUTH 2296 } else if (strncasecmp(arg, "AUTH=", 5) == 0) { 2297 if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) { 2298 smtpd_chat_reply(state, "%s", err); 2299 return (-1); 2300 } 2301 #endif 2302 } else if (namadr_list_match(verp_clients, state->name, state->addr) 2303 && strncasecmp(arg, VERP_CMD, VERP_CMD_LEN) == 0 2304 && (arg[VERP_CMD_LEN] == '=' || arg[VERP_CMD_LEN] == 0)) { 2305 if (arg[VERP_CMD_LEN] == 0) { 2306 verp_delims = var_verp_delims; 2307 } else { 2308 verp_delims = arg + VERP_CMD_LEN + 1; 2309 if (verp_delims_verify(verp_delims) != 0) { 2310 state->error_mask |= MAIL_ERROR_PROTOCOL; 2311 smtpd_chat_reply(state, 2312 "501 5.5.4 Error: %s needs two characters from %s", 2313 VERP_CMD, var_verp_filter); 2314 return (-1); 2315 } 2316 } 2317 } else if (strncasecmp(arg, "RET=", 4) == 0) { /* RFC 3461 */ 2318 /* Sanitized on input. */ 2319 if (state->ehlo_discard_mask & EHLO_MASK_DSN) { 2320 state->error_mask |= MAIL_ERROR_PROTOCOL; 2321 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled"); 2322 return (-1); 2323 } 2324 if (state->dsn_ret 2325 || (state->dsn_ret = dsn_ret_code(arg + 4)) == 0) { 2326 state->error_mask |= MAIL_ERROR_PROTOCOL; 2327 smtpd_chat_reply(state, 2328 "501 5.5.4 Bad RET parameter syntax"); 2329 return (-1); 2330 } 2331 } else if (strncasecmp(arg, "ENVID=", 6) == 0) { /* RFC 3461 */ 2332 /* Sanitized by bounce server. */ 2333 if (state->ehlo_discard_mask & EHLO_MASK_DSN) { 2334 state->error_mask |= MAIL_ERROR_PROTOCOL; 2335 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled"); 2336 return (-1); 2337 } 2338 if (dsn_envid 2339 || xtext_unquote(state->dsn_buf, arg + 6) == 0 2340 || !allprint(STR(state->dsn_buf))) { 2341 state->error_mask |= MAIL_ERROR_PROTOCOL; 2342 smtpd_chat_reply(state, "501 5.5.4 Bad ENVID parameter syntax"); 2343 return (-1); 2344 } 2345 dsn_envid = 1; 2346 } else { 2347 state->error_mask |= MAIL_ERROR_PROTOCOL; 2348 smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg); 2349 return (-1); 2350 } 2351 } 2352 if ((err = smtpd_check_size(state, state->msg_size)) != 0) { 2353 smtpd_chat_reply(state, "%s", err); 2354 return (-1); 2355 } 2356 if (verp_delims && STR(state->addr_buf)[0] == 0) { 2357 smtpd_chat_reply(state, "503 5.5.4 Error: %s requires non-null sender", 2358 VERP_CMD); 2359 return (-1); 2360 } 2361 if (SMTPD_STAND_ALONE(state) == 0) { 2362 const char *verify_sender; 2363 2364 /* 2365 * XXX Don't reject the address when we're probed with our own 2366 * address verification sender address. Otherwise, some timeout or 2367 * some UCE block may result in mutual negative caching, making it 2368 * painful to get the mail through. Unfortunately we still have to 2369 * send the address to the Milters otherwise they may bail out with a 2370 * "missing recipient" protocol error. 2371 */ 2372 verify_sender = valid_verify_sender_addr(STR(state->addr_buf)); 2373 if (verify_sender != 0) 2374 vstring_strcpy(state->addr_buf, verify_sender); 2375 } 2376 if (SMTPD_STAND_ALONE(state) == 0 2377 && var_smtpd_delay_reject == 0 2378 && (err = smtpd_check_mail(state, STR(state->addr_buf))) != 0) { 2379 /* XXX Reset access map side effects. */ 2380 mail_reset(state); 2381 smtpd_chat_reply(state, "%s", err); 2382 return (-1); 2383 } 2384 if (smtpd_milters != 0 2385 && SMTPD_STAND_ALONE(state) == 0 2386 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) { 2387 PUSH_STRING(saved_sender, state->sender, STR(state->addr_buf)); 2388 err = milter_mail_event(smtpd_milters, 2389 milter_argv(state, argc - 2, argv + 2)); 2390 if (err != 0) { 2391 /* Log reject etc. with correct sender information. */ 2392 err = check_milter_reply(state, err); 2393 } 2394 POP_STRING(saved_sender, state->sender); 2395 if (err != 0) { 2396 /* XXX Reset access map side effects. */ 2397 mail_reset(state); 2398 smtpd_chat_reply(state, "%s", err); 2399 return (-1); 2400 } 2401 } 2402 if (SMTPD_STAND_ALONE(state) == 0) { 2403 err = smtpd_check_rewrite(state); 2404 if (err != 0) { 2405 /* XXX Reset access map side effects. */ 2406 mail_reset(state); 2407 smtpd_chat_reply(state, "%s", err); 2408 return (-1); 2409 } 2410 } 2411 2412 /* 2413 * Check the queue file space, if applicable. The optional before-filter 2414 * speed-adjust buffers use disk space. However, we don't know if they 2415 * compete for storage space with the after-filter queue, so we can't 2416 * simply bump up the free space requirement to 2.5 * message_size_limit. 2417 */ 2418 if (!USE_SMTPD_PROXY(state) 2419 || (smtpd_proxy_opts & SMTPD_PROXY_FLAG_SPEED_ADJUST)) { 2420 if (SMTPD_STAND_ALONE(state) == 0 2421 && (err = smtpd_check_queue(state)) != 0) { 2422 /* XXX Reset access map side effects. */ 2423 mail_reset(state); 2424 smtpd_chat_reply(state, "%s", err); 2425 return (-1); 2426 } 2427 } 2428 2429 /* 2430 * No more early returns. The mail transaction is in progress. 2431 */ 2432 GETTIMEOFDAY(&state->arrival_time); 2433 state->sender = mystrdup(STR(state->addr_buf)); 2434 vstring_sprintf(state->instance, "%x.%lx.%lx.%x", 2435 var_pid, (unsigned long) state->arrival_time.tv_sec, 2436 (unsigned long) state->arrival_time.tv_usec, state->seqno++); 2437 if (verp_delims) 2438 state->verp_delims = mystrdup(verp_delims); 2439 if (dsn_envid) 2440 state->dsn_envid = mystrdup(STR(state->dsn_buf)); 2441 if (USE_SMTPD_PROXY(state)) 2442 state->proxy_mail = mystrdup(STR(state->buffer)); 2443 if (var_smtpd_delay_open == 0 && mail_open_stream(state) < 0) { 2444 /* XXX Reset access map side effects. */ 2445 mail_reset(state); 2446 return (-1); 2447 } 2448 smtpd_chat_reply(state, "250 2.1.0 Ok"); 2449 return (0); 2450 } 2451 2452 /* mail_reset - reset MAIL command stuff */ 2453 2454 static void mail_reset(SMTPD_STATE *state) 2455 { 2456 state->msg_size = 0; 2457 state->act_size = 0; 2458 state->flags &= SMTPD_MASK_MAIL_KEEP; 2459 2460 /* 2461 * Unceremoniously close the pipe to the cleanup service. The cleanup 2462 * service will delete the queue file when it detects a premature 2463 * end-of-file condition on input. 2464 */ 2465 if (state->cleanup != 0) { 2466 mail_stream_cleanup(state->dest); 2467 state->dest = 0; 2468 state->cleanup = 0; 2469 } 2470 state->err = 0; 2471 if (state->queue_id != 0) { 2472 myfree(state->queue_id); 2473 state->queue_id = 0; 2474 } 2475 if (state->sender) { 2476 if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0) 2477 milter_abort(smtpd_milters); 2478 myfree(state->sender); 2479 state->sender = 0; 2480 } 2481 if (state->verp_delims) { 2482 myfree(state->verp_delims); 2483 state->verp_delims = 0; 2484 } 2485 if (state->proxy_mail) { 2486 myfree(state->proxy_mail); 2487 state->proxy_mail = 0; 2488 } 2489 if (state->saved_filter) { 2490 myfree(state->saved_filter); 2491 state->saved_filter = 0; 2492 } 2493 if (state->saved_redirect) { 2494 myfree(state->saved_redirect); 2495 state->saved_redirect = 0; 2496 } 2497 if (state->saved_bcc) { 2498 myfree(state->saved_bcc); 2499 state->saved_bcc = 0; 2500 } 2501 state->saved_flags = 0; 2502 #ifdef DELAY_ACTION 2503 state->saved_delay = 0; 2504 #endif 2505 #ifdef USE_SASL_AUTH 2506 if (state->sasl_sender) 2507 smtpd_sasl_mail_reset(state); 2508 #endif 2509 state->discard = 0; 2510 VSTRING_RESET(state->instance); 2511 VSTRING_TERMINATE(state->instance); 2512 2513 if (state->proxy) 2514 smtpd_proxy_free(state); 2515 if (state->xforward.flags) 2516 smtpd_xforward_reset(state); 2517 if (state->prepend) 2518 state->prepend = argv_free(state->prepend); 2519 if (state->dsn_envid) { 2520 myfree(state->dsn_envid); 2521 state->dsn_envid = 0; 2522 } 2523 if (state->milter_argv) { 2524 myfree((char *) state->milter_argv); 2525 state->milter_argv = 0; 2526 state->milter_argc = 0; 2527 } 2528 } 2529 2530 /* rcpt_cmd - process RCPT TO command */ 2531 2532 static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 2533 { 2534 SMTPD_PROXY *proxy; 2535 const char *err; 2536 int narg; 2537 char *arg; 2538 int rate; 2539 const char *dsn_orcpt_addr = 0; 2540 ssize_t dsn_orcpt_addr_len = 0; 2541 const char *dsn_orcpt_type = 0; 2542 int dsn_notify = 0; 2543 const char *coded_addr; 2544 const char *milter_err; 2545 2546 /* 2547 * Sanity checks. 2548 * 2549 * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a 2550 * command in which invalid character codes have been employed, and for 2551 * which there are no other reasons for rejection, MUST reject that 2552 * command with a 501 response. So much for the principle of "be liberal 2553 * in what you accept, be strict in what you send". 2554 */ 2555 if (!SMTPD_IN_MAIL_TRANSACTION(state)) { 2556 state->error_mask |= MAIL_ERROR_PROTOCOL; 2557 smtpd_chat_reply(state, "503 5.5.1 Error: need MAIL command"); 2558 return (-1); 2559 } 2560 if (argc < 3 2561 || strcasecmp(argv[1].strval, "to:") != 0) { 2562 state->error_mask |= MAIL_ERROR_PROTOCOL; 2563 smtpd_chat_reply(state, "501 5.5.4 Syntax: RCPT TO:<address>"); 2564 return (-1); 2565 } 2566 2567 /* 2568 * XXX The client event count/rate control must be consistent in its use 2569 * of client address information in connect and disconnect events. For 2570 * now we exclude xclient authorized hosts from event count/rate control. 2571 */ 2572 if (SMTPD_STAND_ALONE(state) == 0 2573 && !xclient_allowed 2574 && anvil_clnt 2575 && var_smtpd_crcpt_limit > 0 2576 && !namadr_list_match(hogger_list, state->name, state->addr) 2577 && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr, 2578 &rate) == ANVIL_STAT_OK 2579 && rate > var_smtpd_crcpt_limit) { 2580 state->error_mask |= MAIL_ERROR_POLICY; 2581 msg_warn("Recipient address rate limit exceeded: %d from %s for service %s", 2582 rate, state->namaddr, state->service); 2583 smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s", 2584 state->addr); 2585 return (-1); 2586 } 2587 if (argv[2].tokval == SMTPD_TOK_ERROR) { 2588 state->error_mask |= MAIL_ERROR_PROTOCOL; 2589 smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax"); 2590 return (-1); 2591 } 2592 if (extract_addr(state, argv + 2, REJECT_EMPTY_ADDR, var_strict_rfc821_env) != 0) { 2593 state->error_mask |= MAIL_ERROR_PROTOCOL; 2594 smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax"); 2595 return (-1); 2596 } 2597 for (narg = 3; narg < argc; narg++) { 2598 arg = argv[narg].strval; 2599 if (strncasecmp(arg, "NOTIFY=", 7) == 0) { /* RFC 3461 */ 2600 /* Sanitized on input. */ 2601 if (state->ehlo_discard_mask & EHLO_MASK_DSN) { 2602 state->error_mask |= MAIL_ERROR_PROTOCOL; 2603 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled"); 2604 return (-1); 2605 } 2606 if (dsn_notify || (dsn_notify = dsn_notify_mask(arg + 7)) == 0) { 2607 state->error_mask |= MAIL_ERROR_PROTOCOL; 2608 smtpd_chat_reply(state, 2609 "501 5.5.4 Error: Bad NOTIFY parameter syntax"); 2610 return (-1); 2611 } 2612 } else if (strncasecmp(arg, "ORCPT=", 6) == 0) { /* RFC 3461 */ 2613 /* Sanitized by bounce server. */ 2614 if (state->ehlo_discard_mask & EHLO_MASK_DSN) { 2615 state->error_mask |= MAIL_ERROR_PROTOCOL; 2616 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled"); 2617 return (-1); 2618 } 2619 vstring_strcpy(state->dsn_orcpt_buf, arg + 6); 2620 if (dsn_orcpt_addr 2621 || (coded_addr = split_at(STR(state->dsn_orcpt_buf), ';')) == 0 2622 || xtext_unquote(state->dsn_buf, coded_addr) == 0 2623 || *(dsn_orcpt_type = STR(state->dsn_orcpt_buf)) == 0) { 2624 state->error_mask |= MAIL_ERROR_PROTOCOL; 2625 smtpd_chat_reply(state, 2626 "501 5.5.4 Error: Bad ORCPT parameter syntax"); 2627 return (-1); 2628 } 2629 dsn_orcpt_addr = STR(state->dsn_buf); 2630 dsn_orcpt_addr_len = LEN(state->dsn_buf); 2631 } else { 2632 state->error_mask |= MAIL_ERROR_PROTOCOL; 2633 smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg); 2634 return (-1); 2635 } 2636 } 2637 if (var_smtpd_rcpt_limit && state->rcpt_count >= var_smtpd_rcpt_limit) { 2638 smtpd_chat_reply(state, "452 4.5.3 Error: too many recipients"); 2639 if (state->rcpt_overshoot++ < var_smtpd_rcpt_overlim) 2640 return (0); 2641 state->error_mask |= MAIL_ERROR_POLICY; 2642 return (-1); 2643 } 2644 if (SMTPD_STAND_ALONE(state) == 0) { 2645 const char *verify_sender; 2646 2647 /* 2648 * XXX Don't reject the address when we're probed with our own 2649 * address verification sender address. Otherwise, some timeout or 2650 * some UCE block may result in mutual negative caching, making it 2651 * painful to get the mail through. Unfortunately we still have to 2652 * send the address to the Milters otherwise they may bail out with a 2653 * "missing recipient" protocol error. 2654 */ 2655 verify_sender = valid_verify_sender_addr(STR(state->addr_buf)); 2656 if (verify_sender != 0) { 2657 vstring_strcpy(state->addr_buf, verify_sender); 2658 err = 0; 2659 } else { 2660 err = smtpd_check_rcpt(state, STR(state->addr_buf)); 2661 } 2662 if (smtpd_milters != 0 2663 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) { 2664 PUSH_STRING(saved_rcpt, state->recipient, STR(state->addr_buf)); 2665 state->milter_reject_text = err; 2666 milter_err = milter_rcpt_event(smtpd_milters, 2667 err == 0 ? MILTER_FLAG_NONE : 2668 MILTER_FLAG_WANT_RCPT_REJ, 2669 milter_argv(state, argc - 2, argv + 2)); 2670 if (err == 0 && milter_err != 0) { 2671 /* Log reject etc. with correct recipient information. */ 2672 err = check_milter_reply(state, milter_err); 2673 } 2674 POP_STRING(saved_rcpt, state->recipient); 2675 } 2676 if (err != 0) { 2677 smtpd_chat_reply(state, "%s", err); 2678 return (-1); 2679 } 2680 } 2681 2682 /* 2683 * Don't access the proxy, queue file, or queue file writer process until 2684 * we have a valid recipient address. 2685 */ 2686 if (state->proxy == 0 && state->cleanup == 0 && mail_open_stream(state) < 0) 2687 return (-1); 2688 2689 /* 2690 * Proxy the recipient. OK, so we lied. If the real-time proxy rejects 2691 * the recipient then we can have a proxy connection without having 2692 * accepted a recipient. 2693 */ 2694 proxy = state->proxy; 2695 if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_OK, 2696 "%s", STR(state->buffer)) != 0) { 2697 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 2698 return (-1); 2699 } 2700 2701 /* 2702 * Store the recipient. Remember the first one. 2703 * 2704 * Flush recipients to maintain a stiffer coupling with the next stage and 2705 * to better utilize parallelism. 2706 * 2707 * RFC 3461 Section 5.2.1: If the NOTIFY parameter was not supplied for a 2708 * recipient when the message was received, the NOTIFY parameter MUST NOT 2709 * be supplied for that recipient when the message is relayed. 2710 * 2711 * In other words, we can't simply make up our default NOTIFY value. We have 2712 * to remember whether the client sent any. 2713 * 2714 * RFC 3461 Section 5.2.1: If no ORCPT parameter was present when the 2715 * message was received, an ORCPT parameter MAY be added to the RCPT 2716 * command when the message is relayed. If an ORCPT parameter is added 2717 * by the relaying MTA, it MUST contain the recipient address from the 2718 * RCPT command used when the message was received by that MTA. 2719 * 2720 * In other words, it is OK to make up our own DSN original recipient when 2721 * the client didn't send one. Although the RFC mentions mail relaying 2722 * only, we also make up our own original recipient for the purpose of 2723 * final delivery. For now, we do this here, rather than on the fly. 2724 * 2725 * XXX We use REC_TYPE_ATTR for DSN-related recipient attributes even though 2726 * 1) REC_TYPE_ATTR is not meant for multiple instances of the same named 2727 * attribute, and 2) mixing REC_TYPE_ATTR with REC_TYPE_(not attr) 2728 * requires that we map attributes with rec_attr_map() in order to 2729 * simplify the recipient record processing loops in the cleanup and qmgr 2730 * servers. 2731 * 2732 * Another possibility, yet to be explored, is to leave the additional 2733 * recipient information in the queue file and just pass queue file 2734 * offsets along with the delivery request. This is a trade off between 2735 * memory allocation versus numeric conversion overhead. 2736 * 2737 * Since we have no record grouping mechanism, all recipient-specific 2738 * parameters must be sent to the cleanup server before the actual 2739 * recipient address. 2740 */ 2741 state->rcpt_count++; 2742 if (state->recipient == 0) 2743 state->recipient = mystrdup(STR(state->addr_buf)); 2744 if (state->cleanup) { 2745 /* Note: RFC(2)821 externalized address! */ 2746 if (dsn_orcpt_addr == 0) { 2747 dsn_orcpt_type = "rfc822"; 2748 dsn_orcpt_addr = argv[2].strval; 2749 dsn_orcpt_addr_len = strlen(argv[2].strval); 2750 if (dsn_orcpt_addr[0] == '<' 2751 && dsn_orcpt_addr[dsn_orcpt_addr_len - 1] == '>') { 2752 dsn_orcpt_addr += 1; 2753 dsn_orcpt_addr_len -= 2; 2754 } 2755 } 2756 if (dsn_notify) 2757 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d", 2758 MAIL_ATTR_DSN_NOTIFY, dsn_notify); 2759 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s;%.*s", 2760 MAIL_ATTR_DSN_ORCPT, dsn_orcpt_type, 2761 (int) dsn_orcpt_addr_len, dsn_orcpt_addr); 2762 rec_fputs(state->cleanup, REC_TYPE_RCPT, STR(state->addr_buf)); 2763 vstream_fflush(state->cleanup); 2764 } 2765 smtpd_chat_reply(state, "250 2.1.5 Ok"); 2766 return (0); 2767 } 2768 2769 /* rcpt_reset - reset RCPT stuff */ 2770 2771 static void rcpt_reset(SMTPD_STATE *state) 2772 { 2773 if (state->recipient) { 2774 myfree(state->recipient); 2775 state->recipient = 0; 2776 } 2777 state->rcpt_count = 0; 2778 /* XXX Must flush the command history. */ 2779 state->rcpt_overshoot = 0; 2780 } 2781 2782 #if 0 2783 2784 /* rfc2047_comment_encode - encode comment string */ 2785 2786 static VSTRING *rfc2047_comment_encode(const char *str, const char *charset) 2787 { 2788 VSTRING *buf = vstring_alloc(30); 2789 const unsigned char *cp; 2790 int ch; 2791 2792 /* 2793 * XXX This is problematic code. 2794 * 2795 * XXX Most of the RFC 2047 "especials" are not special in RFC*822 comments, 2796 * but we encode them anyway to avoid complaints. 2797 * 2798 * XXX In Received: header comments we enclose peer and issuer common names 2799 * with "" quotes (inherited from the Lutz Jaenicke patch). This is the 2800 * cause of several quirks. 2801 * 2802 * 1) We encode text that contains the " character, even though that 2803 * character is not special for RFC*822 comments. 2804 * 2805 * 2) We ignore the recommended limit of 75 characters per encoded word, 2806 * because long comments look ugly when folded in-between quotes. 2807 * 2808 * 3) We encode the enclosing quotes, to avoid producing invalid encoded 2809 * words. Microsoft abuses RFC 2047 encoding with attachment names, but 2810 * we have no information on what decoders do with malformed encoding in 2811 * comments. This means the comments are Jaenicke-compatible only after 2812 * decoding. 2813 */ 2814 #define ESPECIALS "()<>@,;:\"/[]?.=" /* Special in RFC 2047 */ 2815 #define QSPECIALS "_" ESPECIALS /* Special in RFC 2047 'Q' */ 2816 #define CSPECIALS "\\\"()" /* Special in our comments */ 2817 2818 /* Don't encode if not needed. */ 2819 for (cp = (unsigned char *) str; /* see below */ ; ++cp) { 2820 if ((ch = *cp) == 0) { 2821 vstring_sprintf(buf, "\"%s\"", str); 2822 return (buf); 2823 } 2824 if (!ISPRINT(ch) || strchr(CSPECIALS, ch)) 2825 break; 2826 } 2827 2828 /* 2829 * Use quoted-printable (like) encoding with spaces mapped to underscore. 2830 */ 2831 vstring_sprintf(buf, "=?%s?Q?=%02X", charset, '"'); 2832 for (cp = (unsigned char *) str; (ch = *cp) != 0; ++cp) { 2833 if (!ISPRINT(ch) || strchr(QSPECIALS CSPECIALS, ch)) { 2834 vstring_sprintf_append(buf, "=%02X", ch); 2835 } else if (ch == ' ') { 2836 VSTRING_ADDCH(buf, '_'); 2837 } else { 2838 VSTRING_ADDCH(buf, ch); 2839 } 2840 } 2841 vstring_sprintf_append(buf, "=%02X?=", '"'); 2842 return (buf); 2843 } 2844 2845 #endif 2846 2847 /* comment_sanitize - clean up comment string */ 2848 2849 static void comment_sanitize(VSTRING *comment_string) 2850 { 2851 unsigned char *cp; 2852 int ch; 2853 int pc; 2854 2855 /* 2856 * Postfix Received: headers can be configured to include a comment with 2857 * the CN (CommonName) of the peer and its issuer, or the login name of a 2858 * SASL authenticated user. To avoid problems with RFC 822 etc. syntax, 2859 * we limit this information to printable ASCII text, and neutralize 2860 * characters that affect comment parsing: the backslash and unbalanced 2861 * parentheses. 2862 */ 2863 for (pc = 0, cp = (unsigned char *) STR(comment_string); (ch = *cp) != 0; cp++) { 2864 if (!ISASCII(ch) || !ISPRINT(ch) || ch == '\\') { 2865 *cp = '?'; 2866 } else if (ch == '(') { 2867 pc++; 2868 } else if (ch == ')') { 2869 if (pc > 0) 2870 pc--; 2871 else 2872 *cp = '?'; 2873 } 2874 } 2875 while (pc-- > 0) 2876 VSTRING_ADDCH(comment_string, ')'); 2877 VSTRING_TERMINATE(comment_string); 2878 } 2879 2880 /* data_cmd - process DATA command */ 2881 2882 static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 2883 { 2884 SMTPD_PROXY *proxy; 2885 const char *err; 2886 char *start; 2887 int len; 2888 int curr_rec_type; 2889 int prev_rec_type; 2890 int first = 1; 2891 VSTRING *why = 0; 2892 int saved_err; 2893 int (*out_record) (VSTREAM *, int, const char *, ssize_t); 2894 int (*out_fprintf) (VSTREAM *, int, const char *,...); 2895 VSTREAM *out_stream; 2896 int out_error; 2897 char **cpp; 2898 const CLEANUP_STAT_DETAIL *detail; 2899 const char *rfc3848_sess; 2900 const char *rfc3848_auth; 2901 2902 #ifdef USE_TLS 2903 VSTRING *peer_CN; 2904 VSTRING *issuer_CN; 2905 2906 #endif 2907 #ifdef USE_SASL_AUTH 2908 VSTRING *username; 2909 2910 #endif 2911 2912 /* 2913 * Sanity checks. With ESMTP command pipelining the client can send DATA 2914 * before all recipients are rejected, so don't report that as a protocol 2915 * error. 2916 */ 2917 if (state->rcpt_count == 0) { 2918 if (!SMTPD_IN_MAIL_TRANSACTION(state)) { 2919 state->error_mask |= MAIL_ERROR_PROTOCOL; 2920 smtpd_chat_reply(state, "503 5.5.1 Error: need RCPT command"); 2921 } else { 2922 smtpd_chat_reply(state, "554 5.5.1 Error: no valid recipients"); 2923 } 2924 return (-1); 2925 } 2926 if (argc != 1) { 2927 state->error_mask |= MAIL_ERROR_PROTOCOL; 2928 smtpd_chat_reply(state, "501 5.5.4 Syntax: DATA"); 2929 return (-1); 2930 } 2931 if (SMTPD_STAND_ALONE(state) == 0 && (err = smtpd_check_data(state)) != 0) { 2932 smtpd_chat_reply(state, "%s", err); 2933 return (-1); 2934 } 2935 if (smtpd_milters != 0 2936 && SMTPD_STAND_ALONE(state) == 0 2937 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0 2938 && (err = milter_data_event(smtpd_milters)) != 0 2939 && (err = check_milter_reply(state, err)) != 0) { 2940 smtpd_chat_reply(state, "%s", err); 2941 return (-1); 2942 } 2943 proxy = state->proxy; 2944 if (proxy != 0 && proxy->cmd(state, SMTPD_PROX_WANT_MORE, 2945 "%s", STR(state->buffer)) != 0) { 2946 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 2947 return (-1); 2948 } 2949 2950 /* 2951 * One level of indirection to choose between normal or proxied 2952 * operation. We want to avoid massive code duplication within tons of 2953 * if-else clauses. 2954 */ 2955 if (proxy) { 2956 out_stream = proxy->stream; 2957 out_record = proxy->rec_put; 2958 out_fprintf = proxy->rec_fprintf; 2959 out_error = CLEANUP_STAT_PROXY; 2960 } else { 2961 out_stream = state->cleanup; 2962 out_record = rec_put; 2963 out_fprintf = rec_fprintf; 2964 out_error = CLEANUP_STAT_WRITE; 2965 } 2966 2967 /* 2968 * Flush out a first batch of access table actions that are delegated to 2969 * the cleanup server, and that may trigger before we accept the first 2970 * valid recipient. There will be more after end-of-data. 2971 * 2972 * Terminate the message envelope segment. Start the message content 2973 * segment, and prepend our own Received: header. If there is only one 2974 * recipient, list the recipient address. 2975 */ 2976 if (state->cleanup) { 2977 if (SMTPD_STAND_ALONE(state) == 0) { 2978 if (smtpd_milters != 0 2979 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) 2980 /* Send actual smtpd_milters list. */ 2981 (void) milter_send(smtpd_milters, state->cleanup); 2982 if (state->saved_flags) 2983 rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d", 2984 state->saved_flags); 2985 } 2986 rec_fputs(state->cleanup, REC_TYPE_MESG, ""); 2987 } 2988 2989 /* 2990 * PREPEND message headers. 2991 */ 2992 if (state->prepend) 2993 for (cpp = state->prepend->argv; *cpp; cpp++) 2994 out_fprintf(out_stream, REC_TYPE_NORM, "%s", *cpp); 2995 2996 /* 2997 * Suppress our own Received: header in the unlikely case that we are an 2998 * intermediate proxy. 2999 */ 3000 if (!proxy || state->xforward.flags == 0) { 3001 out_fprintf(out_stream, REC_TYPE_NORM, 3002 "Received: from %s (%s [%s])", 3003 state->helo_name ? state->helo_name : state->name, 3004 state->name, state->rfc_addr); 3005 3006 #define VSTRING_STRDUP(s) vstring_strcpy(vstring_alloc(strlen(s) + 1), (s)) 3007 3008 #ifdef USE_TLS 3009 if (var_smtpd_tls_received_header && state->tls_context) { 3010 out_fprintf(out_stream, REC_TYPE_NORM, 3011 "\t(using %s with cipher %s (%d/%d bits))", 3012 state->tls_context->protocol, 3013 state->tls_context->cipher_name, 3014 state->tls_context->cipher_usebits, 3015 state->tls_context->cipher_algbits); 3016 if (TLS_CERT_IS_PRESENT(state->tls_context)) { 3017 peer_CN = VSTRING_STRDUP(state->tls_context->peer_CN); 3018 comment_sanitize(peer_CN); 3019 issuer_CN = VSTRING_STRDUP(state->tls_context->issuer_CN ? 3020 state->tls_context->issuer_CN : ""); 3021 comment_sanitize(issuer_CN); 3022 out_fprintf(out_stream, REC_TYPE_NORM, 3023 "\t(Client CN \"%s\", Issuer \"%s\" (%s))", 3024 STR(peer_CN), STR(issuer_CN), 3025 TLS_CERT_IS_TRUSTED(state->tls_context) ? 3026 "verified OK" : "not verified"); 3027 vstring_free(issuer_CN); 3028 vstring_free(peer_CN); 3029 } else if (var_smtpd_tls_ask_ccert) 3030 out_fprintf(out_stream, REC_TYPE_NORM, 3031 "\t(Client did not present a certificate)"); 3032 else 3033 out_fprintf(out_stream, REC_TYPE_NORM, 3034 "\t(No client certificate requested)"); 3035 } 3036 /* RFC 3848 is defined for ESMTP only. */ 3037 if (state->tls_context != 0 3038 && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0) 3039 rfc3848_sess = "S"; 3040 else 3041 #endif 3042 rfc3848_sess = ""; 3043 #ifdef USE_SASL_AUTH 3044 if (var_smtpd_sasl_auth_hdr && state->sasl_username) { 3045 username = VSTRING_STRDUP(state->sasl_username); 3046 comment_sanitize(username); 3047 out_fprintf(out_stream, REC_TYPE_NORM, 3048 "\t(Authenticated sender: %s)", STR(username)); 3049 vstring_free(username); 3050 } 3051 /* RFC 3848 is defined for ESMTP only. */ 3052 if (state->sasl_username 3053 && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0) 3054 rfc3848_auth = "A"; 3055 else 3056 #endif 3057 rfc3848_auth = ""; 3058 if (state->rcpt_count == 1 && state->recipient) { 3059 out_fprintf(out_stream, REC_TYPE_NORM, 3060 state->cleanup ? "\tby %s (%s) with %s%s%s id %s" : 3061 "\tby %s (%s) with %s%s%s", 3062 var_myhostname, var_mail_name, 3063 state->protocol, rfc3848_sess, 3064 rfc3848_auth, state->queue_id); 3065 quote_822_local(state->buffer, state->recipient); 3066 out_fprintf(out_stream, REC_TYPE_NORM, 3067 "\tfor <%s>; %s", STR(state->buffer), 3068 mail_date(state->arrival_time.tv_sec)); 3069 } else { 3070 out_fprintf(out_stream, REC_TYPE_NORM, 3071 state->cleanup ? "\tby %s (%s) with %s%s%s id %s;" : 3072 "\tby %s (%s) with %s%s%s;", 3073 var_myhostname, var_mail_name, 3074 state->protocol, rfc3848_sess, 3075 rfc3848_auth, state->queue_id); 3076 out_fprintf(out_stream, REC_TYPE_NORM, 3077 "\t%s", mail_date(state->arrival_time.tv_sec)); 3078 } 3079 #ifdef RECEIVED_ENVELOPE_FROM 3080 quote_822_local(state->buffer, state->sender); 3081 out_fprintf(out_stream, REC_TYPE_NORM, 3082 "\t(envelope-from %s)", STR(state->buffer)); 3083 #endif 3084 } 3085 smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>"); 3086 state->where = SMTPD_AFTER_DATA; 3087 3088 /* 3089 * Copy the message content. If the cleanup process has a problem, keep 3090 * reading until the remote stops sending, then complain. Produce typed 3091 * records from the SMTP stream so we can handle data that spans buffers. 3092 * 3093 * XXX Force an empty record when the queue file content begins with 3094 * whitespace, so that it won't be considered as being part of our own 3095 * Received: header. What an ugly Kluge. 3096 * 3097 * XXX Deal with UNIX-style From_ lines at the start of message content 3098 * because sendmail permits it. 3099 */ 3100 for (prev_rec_type = 0; /* void */ ; prev_rec_type = curr_rec_type) { 3101 if (smtp_get(state->buffer, state->client, var_line_limit, 3102 SMTP_GET_FLAG_NONE) == '\n') 3103 curr_rec_type = REC_TYPE_NORM; 3104 else 3105 curr_rec_type = REC_TYPE_CONT; 3106 start = vstring_str(state->buffer); 3107 len = VSTRING_LEN(state->buffer); 3108 if (first) { 3109 if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) { 3110 out_fprintf(out_stream, curr_rec_type, 3111 "X-Mailbox-Line: %s", start); 3112 continue; 3113 } 3114 first = 0; 3115 if (len > 0 && IS_SPACE_TAB(start[0])) 3116 out_record(out_stream, REC_TYPE_NORM, "", 0); 3117 } 3118 if (prev_rec_type != REC_TYPE_CONT && *start == '.' 3119 && (proxy == 0 ? (++start, --len) == 0 : len == 1)) 3120 break; 3121 if (state->err == CLEANUP_STAT_OK) { 3122 if (var_message_limit > 0 && var_message_limit - state->act_size < len + 2) { 3123 state->err = CLEANUP_STAT_SIZE; 3124 msg_warn("%s: queue file size limit exceeded", 3125 state->queue_id ? state->queue_id : "NOQUEUE"); 3126 } else { 3127 state->act_size += len + 2; 3128 if (out_record(out_stream, curr_rec_type, start, len) < 0) 3129 state->err = out_error; 3130 } 3131 } 3132 } 3133 state->where = SMTPD_AFTER_DOT; 3134 if (state->err == CLEANUP_STAT_OK 3135 && SMTPD_STAND_ALONE(state) == 0 3136 && (err = smtpd_check_eod(state)) != 0) { 3137 smtpd_chat_reply(state, "%s", err); 3138 if (proxy) { 3139 smtpd_proxy_close(state); 3140 } else { 3141 mail_stream_cleanup(state->dest); 3142 state->dest = 0; 3143 state->cleanup = 0; 3144 } 3145 return (-1); 3146 } 3147 3148 /* 3149 * Send the end of DATA and finish the proxy connection. Set the 3150 * CLEANUP_STAT_PROXY error flag in case of trouble. 3151 */ 3152 if (proxy) { 3153 if (state->err == CLEANUP_STAT_OK) { 3154 (void) proxy->cmd(state, SMTPD_PROX_WANT_ANY, "."); 3155 if (state->err == CLEANUP_STAT_OK && 3156 *STR(proxy->reply) != '2') 3157 state->err = CLEANUP_STAT_CONT; 3158 } 3159 } 3160 3161 /* 3162 * Flush out access table actions that are delegated to the cleanup 3163 * server. There is similar code at the beginning of the DATA command. 3164 * 3165 * Send the end-of-segment markers and finish the queue file record stream. 3166 */ 3167 else { 3168 if (state->err == CLEANUP_STAT_OK) { 3169 rec_fputs(state->cleanup, REC_TYPE_XTRA, ""); 3170 if (state->saved_filter) 3171 rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s", 3172 state->saved_filter); 3173 if (state->saved_redirect) 3174 rec_fprintf(state->cleanup, REC_TYPE_RDR, "%s", 3175 state->saved_redirect); 3176 if (state->saved_bcc) { 3177 rec_fprintf(state->cleanup, REC_TYPE_RCPT, "%s", 3178 state->saved_bcc); 3179 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d", 3180 MAIL_ATTR_DSN_NOTIFY, DSN_NOTIFY_NEVER); 3181 } 3182 if (state->saved_flags) 3183 rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d", 3184 state->saved_flags); 3185 #ifdef DELAY_ACTION 3186 if (state->saved_delay) 3187 rec_fprintf(state->cleanup, REC_TYPE_DELAY, "%d", 3188 state->saved_delay); 3189 #endif 3190 if (vstream_ferror(state->cleanup)) 3191 state->err = CLEANUP_STAT_WRITE; 3192 } 3193 if (state->err == CLEANUP_STAT_OK) 3194 if (rec_fputs(state->cleanup, REC_TYPE_END, "") < 0 3195 || vstream_fflush(state->cleanup)) 3196 state->err = CLEANUP_STAT_WRITE; 3197 if (state->err == 0) { 3198 why = vstring_alloc(10); 3199 state->err = mail_stream_finish(state->dest, why); 3200 printable(STR(why), ' '); 3201 } else 3202 mail_stream_cleanup(state->dest); 3203 state->dest = 0; 3204 state->cleanup = 0; 3205 } 3206 3207 /* 3208 * XXX If we lose the cleanup server while it is editing a queue file, 3209 * the Postfix SMTP server will be out of sync with Milter applications. 3210 * Sending an ABORT to the Milters is not sufficient to restore 3211 * synchronization, because there may be any number of Milter replies 3212 * already in flight. Destroying and recreating the Milters (and faking 3213 * the connect and ehlo events) is too much trouble for testing and 3214 * maintenance. Workaround: force the Postfix SMTP server to hang up with 3215 * a 421 response in the rare case that the cleanup server breaks AND 3216 * that the remote SMTP client continues the session after end-of-data. 3217 * 3218 * XXX Should use something other than CLEANUP_STAT_WRITE when we lose 3219 * contact with the cleanup server. This requires changes to the 3220 * mail_stream module and its users (smtpd, qmqpd, perhaps sendmail). 3221 * 3222 * XXX See exception below in code that overrides state->access_denied for 3223 * compliance with RFC 2821 Sec 3.1. 3224 */ 3225 if (smtpd_milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0) 3226 state->access_denied = mystrdup("421 4.3.0 Mail system error"); 3227 3228 /* 3229 * Handle any errors. One message may suffer from multiple errors, so 3230 * complain only about the most severe error. Forgive any previous client 3231 * errors when a message was received successfully. 3232 * 3233 * See also: qmqpd.c 3234 */ 3235 #define IS_SMTP_REJECT(s) \ 3236 (((s)[0] == '4' || (s)[0] == '5') \ 3237 && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \ 3238 && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-')) 3239 3240 if (state->err == CLEANUP_STAT_OK) { 3241 state->error_count = 0; 3242 state->error_mask = 0; 3243 state->junk_cmds = 0; 3244 if (proxy) 3245 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 3246 else 3247 smtpd_chat_reply(state, 3248 "250 2.0.0 Ok: queued as %s", state->queue_id); 3249 } else if (why && IS_SMTP_REJECT(STR(why))) { 3250 state->error_mask |= MAIL_ERROR_POLICY; 3251 smtpd_chat_reply(state, "%s", STR(why)); 3252 } else if ((state->err & CLEANUP_STAT_DEFER) != 0) { 3253 state->error_mask |= MAIL_ERROR_POLICY; 3254 detail = cleanup_stat_detail(CLEANUP_STAT_DEFER); 3255 if (why && LEN(why) > 0) { 3256 /* Allow address-specific DSN status in header/body_checks. */ 3257 smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why)); 3258 } else { 3259 smtpd_chat_reply(state, "%d %s Error: %s", 3260 detail->smtp, detail->dsn, detail->text); 3261 } 3262 } else if ((state->err & CLEANUP_STAT_BAD) != 0) { 3263 state->error_mask |= MAIL_ERROR_SOFTWARE; 3264 detail = cleanup_stat_detail(CLEANUP_STAT_BAD); 3265 smtpd_chat_reply(state, "%d %s Error: internal error %d", 3266 detail->smtp, detail->dsn, state->err); 3267 } else if ((state->err & CLEANUP_STAT_SIZE) != 0) { 3268 state->error_mask |= MAIL_ERROR_BOUNCE; 3269 detail = cleanup_stat_detail(CLEANUP_STAT_SIZE); 3270 smtpd_chat_reply(state, "%d %s Error: %s", 3271 detail->smtp, detail->dsn, detail->text); 3272 } else if ((state->err & CLEANUP_STAT_HOPS) != 0) { 3273 state->error_mask |= MAIL_ERROR_BOUNCE; 3274 detail = cleanup_stat_detail(CLEANUP_STAT_HOPS); 3275 smtpd_chat_reply(state, "%d %s Error: %s", 3276 detail->smtp, detail->dsn, detail->text); 3277 } else if ((state->err & CLEANUP_STAT_CONT) != 0) { 3278 state->error_mask |= MAIL_ERROR_POLICY; 3279 detail = cleanup_stat_detail(CLEANUP_STAT_CONT); 3280 if (proxy) { 3281 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 3282 } else if (why && LEN(why) > 0) { 3283 /* Allow address-specific DSN status in header/body_checks. */ 3284 smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why)); 3285 } else { 3286 smtpd_chat_reply(state, "%d %s Error: %s", 3287 detail->smtp, detail->dsn, detail->text); 3288 } 3289 } else if ((state->err & CLEANUP_STAT_WRITE) != 0) { 3290 state->error_mask |= MAIL_ERROR_RESOURCE; 3291 detail = cleanup_stat_detail(CLEANUP_STAT_WRITE); 3292 smtpd_chat_reply(state, "%d %s Error: %s", 3293 detail->smtp, detail->dsn, detail->text); 3294 } else if ((state->err & CLEANUP_STAT_PROXY) != 0) { 3295 state->error_mask |= MAIL_ERROR_SOFTWARE; 3296 smtpd_chat_reply(state, "%s", STR(proxy->reply)); 3297 } else { 3298 state->error_mask |= MAIL_ERROR_SOFTWARE; 3299 detail = cleanup_stat_detail(CLEANUP_STAT_BAD); 3300 smtpd_chat_reply(state, "%d %s Error: internal error %d", 3301 detail->smtp, detail->dsn, state->err); 3302 } 3303 3304 /* 3305 * By popular command: the proxy's end-of-data reply. 3306 */ 3307 if (proxy) 3308 msg_info("proxy-%s: %s: %s;%s", 3309 (state->err == CLEANUP_STAT_OK) ? "accept" : "reject", 3310 state->where, STR(proxy->reply), smtpd_whatsup(state)); 3311 3312 /* 3313 * Cleanup. The client may send another MAIL command. 3314 */ 3315 saved_err = state->err; 3316 chat_reset(state, var_smtpd_hist_thrsh); 3317 mail_reset(state); 3318 rcpt_reset(state); 3319 if (why) 3320 vstring_free(why); 3321 return (saved_err); 3322 } 3323 3324 /* rset_cmd - process RSET */ 3325 3326 static int rset_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 3327 { 3328 3329 /* 3330 * Sanity checks. 3331 */ 3332 if (argc != 1) { 3333 state->error_mask |= MAIL_ERROR_PROTOCOL; 3334 smtpd_chat_reply(state, "501 5.5.4 Syntax: RSET"); 3335 return (-1); 3336 } 3337 3338 /* 3339 * Restore state to right after HELO/EHLO command. 3340 */ 3341 chat_reset(state, var_smtpd_hist_thrsh); 3342 mail_reset(state); 3343 rcpt_reset(state); 3344 smtpd_chat_reply(state, "250 2.0.0 Ok"); 3345 return (0); 3346 } 3347 3348 /* noop_cmd - process NOOP */ 3349 3350 static int noop_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 3351 { 3352 3353 /* 3354 * XXX 2821 incompatibility: Section 4.1.1.9 says that NOOP can have a 3355 * parameter string which is to be ignored. NOOP instructions with 3356 * parameters? Go figure. 3357 * 3358 * RFC 2821 violates RFC 821, which says that NOOP takes no parameters. 3359 */ 3360 #ifdef RFC821_SYNTAX 3361 3362 /* 3363 * Sanity checks. 3364 */ 3365 if (argc != 1) { 3366 state->error_mask |= MAIL_ERROR_PROTOCOL; 3367 smtpd_chat_reply(state, "501 5.5.4 Syntax: NOOP"); 3368 return (-1); 3369 } 3370 #endif 3371 smtpd_chat_reply(state, "250 2.0.0 Ok"); 3372 return (0); 3373 } 3374 3375 /* vrfy_cmd - process VRFY */ 3376 3377 static int vrfy_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 3378 { 3379 const char *err = 0; 3380 int rate; 3381 3382 /* 3383 * The SMTP standard (RFC 821) disallows unquoted special characters in 3384 * the VRFY argument. Common practice violates the standard, however. 3385 * Postfix accomodates common practice where it violates the standard. 3386 * 3387 * XXX Impedance mismatch! The SMTP command tokenizer preserves quoting, 3388 * whereas the recipient restrictions checks expect unquoted (internal) 3389 * address forms. Therefore we must parse out the address, or we must 3390 * stop doing recipient restriction checks and lose the opportunity to 3391 * say "user unknown" at the SMTP port. 3392 * 3393 * XXX 2821 incompatibility and brain damage: Section 4.5.1 requires that 3394 * VRFY is implemented. RFC 821 specifies that VRFY is optional. It gets 3395 * even worse: section 3.5.3 says that a 502 (command recognized but not 3396 * implemented) reply is not fully compliant. 3397 * 3398 * Thus, an RFC 2821 compliant implementation cannot refuse to supply 3399 * information in reply to VRFY queries. That is simply bogus. The only 3400 * reply we could supply is a generic 252 reply. This causes spammers to 3401 * add tons of bogus addresses to their mailing lists (spam harvesting by 3402 * trying out large lists of potential recipient names with VRFY). 3403 */ 3404 #define SLOPPY 0 3405 3406 if (var_disable_vrfy_cmd) { 3407 state->error_mask |= MAIL_ERROR_POLICY; 3408 smtpd_chat_reply(state, "502 5.5.1 VRFY command is disabled"); 3409 return (-1); 3410 } 3411 if (argc < 2) { 3412 state->error_mask |= MAIL_ERROR_PROTOCOL; 3413 smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address"); 3414 return (-1); 3415 } 3416 3417 /* 3418 * XXX The client event count/rate control must be consistent in its use 3419 * of client address information in connect and disconnect events. For 3420 * now we exclude xclient authorized hosts from event count/rate control. 3421 */ 3422 if (SMTPD_STAND_ALONE(state) == 0 3423 && !xclient_allowed 3424 && anvil_clnt 3425 && var_smtpd_crcpt_limit > 0 3426 && !namadr_list_match(hogger_list, state->name, state->addr) 3427 && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr, 3428 &rate) == ANVIL_STAT_OK 3429 && rate > var_smtpd_crcpt_limit) { 3430 state->error_mask |= MAIL_ERROR_POLICY; 3431 msg_warn("Recipient address rate limit exceeded: %d from %s for service %s", 3432 rate, state->namaddr, state->service); 3433 smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s", 3434 state->addr); 3435 return (-1); 3436 } 3437 if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0 3438 && (err[0] == '5' || err[0] == '4')) { 3439 state->error_mask |= MAIL_ERROR_POLICY; 3440 smtpd_chat_reply(state, "%s", err); 3441 return (-1); 3442 } 3443 if (argc > 2) 3444 collapse_args(argc - 1, argv + 1); 3445 if (extract_addr(state, argv + 1, REJECT_EMPTY_ADDR, SLOPPY) != 0) { 3446 state->error_mask |= MAIL_ERROR_PROTOCOL; 3447 smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax"); 3448 return (-1); 3449 } 3450 /* Use state->addr_buf, with the unquoted result from extract_addr() */ 3451 if (SMTPD_STAND_ALONE(state) == 0 3452 && (err = smtpd_check_rcpt(state, STR(state->addr_buf))) != 0) { 3453 smtpd_chat_reply(state, "%s", err); 3454 return (-1); 3455 } 3456 3457 /* 3458 * XXX 2821 new feature: Section 3.5.1 requires that the VRFY response is 3459 * either "full name <user@domain>" or "user@domain". Postfix replies 3460 * with the string that was provided by the client, whether or not it is 3461 * in fully qualified domain form and the address is in <>. 3462 * 3463 * Reply code 250 is reserved for the case where the address is verified; 3464 * reply code 252 should be used when no definitive certainty exists. 3465 */ 3466 smtpd_chat_reply(state, "252 2.0.0 %s", argv[1].strval); 3467 return (0); 3468 } 3469 3470 /* etrn_cmd - process ETRN command */ 3471 3472 static int etrn_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 3473 { 3474 const char *err; 3475 3476 /* 3477 * Sanity checks. 3478 */ 3479 if (var_helo_required && state->helo_name == 0) { 3480 state->error_mask |= MAIL_ERROR_POLICY; 3481 smtpd_chat_reply(state, "503 Error: send HELO/EHLO first"); 3482 return (-1); 3483 } 3484 if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0 3485 && (err[0] == '5' || err[0] == '4')) { 3486 state->error_mask |= MAIL_ERROR_POLICY; 3487 smtpd_chat_reply(state, "%s", err); 3488 return (-1); 3489 } 3490 if (SMTPD_IN_MAIL_TRANSACTION(state)) { 3491 state->error_mask |= MAIL_ERROR_PROTOCOL; 3492 smtpd_chat_reply(state, "503 Error: MAIL transaction in progress"); 3493 return (-1); 3494 } 3495 if (argc != 2) { 3496 state->error_mask |= MAIL_ERROR_PROTOCOL; 3497 smtpd_chat_reply(state, "500 Syntax: ETRN domain"); 3498 return (-1); 3499 } 3500 if (argv[1].strval[0] == '@' || argv[1].strval[0] == '#') 3501 argv[1].strval++; 3502 3503 /* 3504 * As an extension to RFC 1985 we also allow an RFC 2821 address literal 3505 * enclosed in []. 3506 */ 3507 if (!valid_hostname(argv[1].strval, DONT_GRIPE) 3508 && !valid_mailhost_literal(argv[1].strval, DONT_GRIPE)) { 3509 state->error_mask |= MAIL_ERROR_PROTOCOL; 3510 smtpd_chat_reply(state, "501 Error: invalid parameter syntax"); 3511 return (-1); 3512 } 3513 3514 /* 3515 * XXX The implementation borrows heavily from the code that implements 3516 * UCE restrictions. These typically return 450 or 550 when a request is 3517 * rejected. RFC 1985 requires that 459 be sent when the server refuses 3518 * to perform the request. 3519 */ 3520 if (SMTPD_STAND_ALONE(state)) { 3521 msg_warn("do not use ETRN in \"sendmail -bs\" mode"); 3522 smtpd_chat_reply(state, "458 Unable to queue messages"); 3523 return (-1); 3524 } 3525 if ((err = smtpd_check_etrn(state, argv[1].strval)) != 0) { 3526 smtpd_chat_reply(state, "%s", err); 3527 return (-1); 3528 } 3529 switch (flush_send_site(argv[1].strval)) { 3530 case FLUSH_STAT_OK: 3531 smtpd_chat_reply(state, "250 Queuing started"); 3532 return (0); 3533 case FLUSH_STAT_DENY: 3534 msg_warn("reject: ETRN %.100s... from %s", 3535 argv[1].strval, state->namaddr); 3536 smtpd_chat_reply(state, "459 <%s>: service unavailable", 3537 argv[1].strval); 3538 return (-1); 3539 case FLUSH_STAT_BAD: 3540 msg_warn("bad ETRN %.100s... from %s", argv[1].strval, state->namaddr); 3541 smtpd_chat_reply(state, "458 Unable to queue messages"); 3542 return (-1); 3543 default: 3544 msg_warn("unable to talk to fast flush service"); 3545 smtpd_chat_reply(state, "458 Unable to queue messages"); 3546 return (-1); 3547 } 3548 } 3549 3550 /* quit_cmd - process QUIT command */ 3551 3552 static int quit_cmd(SMTPD_STATE *state, int unused_argc, SMTPD_TOKEN *unused_argv) 3553 { 3554 int out_pending = vstream_bufstat(state->client, VSTREAM_BST_OUT_PEND); 3555 3556 /* 3557 * Don't bother checking the syntax. 3558 */ 3559 smtpd_chat_reply(state, "221 2.0.0 Bye"); 3560 3561 /* 3562 * When the "." and quit replies are pipelined, make sure they are 3563 * flushed now, to avoid repeated mail deliveries in case of a crash in 3564 * the "clean up before disconnect" code. 3565 * 3566 * XXX When this was added in Postfix 2.1 we used vstream_fflush(). As of 3567 * Postfix 2.3 we use smtp_flush() for better error reporting. 3568 */ 3569 if (out_pending > 0) 3570 smtp_flush(state->client); 3571 return (0); 3572 } 3573 3574 /* xclient_cmd - override SMTP client attributes */ 3575 3576 static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 3577 { 3578 SMTPD_TOKEN *argp; 3579 char *raw_value; 3580 char *attr_value; 3581 const char *bare_value; 3582 char *attr_name; 3583 int update_namaddr = 0; 3584 int name_status; 3585 static const NAME_CODE peer_codes[] = { 3586 XCLIENT_UNAVAILABLE, SMTPD_PEER_CODE_PERM, 3587 XCLIENT_TEMPORARY, SMTPD_PEER_CODE_TEMP, 3588 0, SMTPD_PEER_CODE_OK, 3589 }; 3590 static const NAME_CODE proto_names[] = { 3591 MAIL_PROTO_SMTP, 1, 3592 MAIL_PROTO_ESMTP, 2, 3593 0, -1, 3594 }; 3595 int got_helo = 0; 3596 int got_proto = 0; 3597 int got_login = 0; 3598 3599 /* 3600 * Sanity checks. 3601 * 3602 * XXX The XCLIENT command will override its own access control, so that 3603 * connection count/rate restrictions can be correctly simulated. 3604 */ 3605 if (SMTPD_IN_MAIL_TRANSACTION(state)) { 3606 state->error_mask |= MAIL_ERROR_PROTOCOL; 3607 smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress"); 3608 return (-1); 3609 } 3610 if (argc < 2) { 3611 state->error_mask |= MAIL_ERROR_PROTOCOL; 3612 smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...", 3613 XCLIENT_CMD); 3614 return (-1); 3615 } 3616 if (xclient_hosts && xclient_hosts->error) 3617 cant_permit_command(state, XCLIENT_CMD); 3618 if (!xclient_allowed) { 3619 state->error_mask |= MAIL_ERROR_POLICY; 3620 smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization"); 3621 return (-1); 3622 } 3623 #define STREQ(x,y) (strcasecmp((x), (y)) == 0) 3624 #define UPDATE_STR(s, v) do { \ 3625 const char *_v = (v); \ 3626 if (s) myfree(s); \ 3627 s = (_v) ? mystrdup(_v) : 0; \ 3628 } while(0) 3629 3630 /* 3631 * Initialize. 3632 */ 3633 if (state->expand_buf == 0) 3634 state->expand_buf = vstring_alloc(100); 3635 3636 /* 3637 * Iterate over all attribute=value elements. 3638 */ 3639 for (argp = argv + 1; argp < argv + argc; argp++) { 3640 attr_name = argp->strval; 3641 3642 if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) { 3643 state->error_mask |= MAIL_ERROR_PROTOCOL; 3644 smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected"); 3645 return (-1); 3646 } 3647 if (strlen(raw_value) > 255) { 3648 state->error_mask |= MAIL_ERROR_PROTOCOL; 3649 smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long"); 3650 return (-1); 3651 } 3652 3653 /* 3654 * Backwards compatibility: Postfix prior to version 2.3 does not 3655 * xtext encode attribute values. 3656 */ 3657 attr_value = xtext_unquote(state->expand_buf, raw_value) ? 3658 STR(state->expand_buf) : raw_value; 3659 3660 /* 3661 * For safety's sake mask non-printable characters. We'll do more 3662 * specific censoring later. 3663 */ 3664 printable(attr_value, '?'); 3665 3666 /* 3667 * NAME=substitute SMTP client hostname (and reverse/forward name, in 3668 * case of success). Also updates the client hostname lookup status 3669 * code. 3670 */ 3671 if (STREQ(attr_name, XCLIENT_NAME)) { 3672 name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value); 3673 if (name_status != SMTPD_PEER_CODE_OK) { 3674 attr_value = CLIENT_NAME_UNKNOWN; 3675 } else { 3676 if (!valid_hostname(attr_value, DONT_GRIPE)) { 3677 state->error_mask |= MAIL_ERROR_PROTOCOL; 3678 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3679 XCLIENT_NAME, attr_value); 3680 return (-1); 3681 } 3682 } 3683 state->name_status = name_status; 3684 UPDATE_STR(state->name, attr_value); 3685 update_namaddr = 1; 3686 if (name_status == SMTPD_PEER_CODE_OK) { 3687 UPDATE_STR(state->reverse_name, attr_value); 3688 state->reverse_name_status = name_status; 3689 } 3690 } 3691 3692 /* 3693 * REVERSE_NAME=substitute SMTP client reverse hostname. Also updates 3694 * the client reverse hostname lookup status code. 3695 */ 3696 else if (STREQ(attr_name, XCLIENT_REVERSE_NAME)) { 3697 name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value); 3698 if (name_status != SMTPD_PEER_CODE_OK) { 3699 attr_value = CLIENT_NAME_UNKNOWN; 3700 } else { 3701 if (!valid_hostname(attr_value, DONT_GRIPE)) { 3702 state->error_mask |= MAIL_ERROR_PROTOCOL; 3703 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3704 XCLIENT_REVERSE_NAME, attr_value); 3705 return (-1); 3706 } 3707 } 3708 state->reverse_name_status = name_status; 3709 UPDATE_STR(state->reverse_name, attr_value); 3710 } 3711 3712 /* 3713 * ADDR=substitute SMTP client network address. 3714 */ 3715 else if (STREQ(attr_name, XCLIENT_ADDR)) { 3716 if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) { 3717 attr_value = CLIENT_ADDR_UNKNOWN; 3718 bare_value = attr_value; 3719 } else { 3720 if ((bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0) { 3721 state->error_mask |= MAIL_ERROR_PROTOCOL; 3722 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3723 XCLIENT_ADDR, attr_value); 3724 return (-1); 3725 } 3726 } 3727 UPDATE_STR(state->addr, bare_value); 3728 UPDATE_STR(state->rfc_addr, attr_value); 3729 #ifdef HAS_IPV6 3730 if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":", 3731 sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0) 3732 state->addr_family = AF_INET6; 3733 else 3734 #endif 3735 state->addr_family = AF_INET; 3736 update_namaddr = 1; 3737 } 3738 3739 /* 3740 * PORT=substitute SMTP client port number. 3741 */ 3742 else if (STREQ(attr_name, XCLIENT_PORT)) { 3743 if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) { 3744 attr_value = CLIENT_PORT_UNKNOWN; 3745 } else { 3746 if (!alldig(attr_value) 3747 || strlen(attr_value) > sizeof("65535") - 1) { 3748 state->error_mask |= MAIL_ERROR_PROTOCOL; 3749 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3750 XCLIENT_PORT, attr_value); 3751 return (-1); 3752 } 3753 } 3754 UPDATE_STR(state->port, attr_value); 3755 update_namaddr = 1; 3756 } 3757 3758 /* 3759 * HELO=substitute SMTP client HELO parameter. Censor special 3760 * characters that could mess up message headers. 3761 */ 3762 else if (STREQ(attr_name, XCLIENT_HELO)) { 3763 if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) { 3764 attr_value = CLIENT_HELO_UNKNOWN; 3765 } else { 3766 if (strlen(attr_value) > VALID_HOSTNAME_LEN) { 3767 state->error_mask |= MAIL_ERROR_PROTOCOL; 3768 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3769 XCLIENT_HELO, attr_value); 3770 return (-1); 3771 } 3772 neuter(attr_value, NEUTER_CHARACTERS, '?'); 3773 } 3774 UPDATE_STR(state->helo_name, attr_value); 3775 got_helo = 1; 3776 } 3777 3778 /* 3779 * PROTO=SMTP protocol name. 3780 */ 3781 else if (STREQ(attr_name, XCLIENT_PROTO)) { 3782 if (name_code(proto_names, NAME_CODE_FLAG_NONE, attr_value) < 0) { 3783 state->error_mask |= MAIL_ERROR_PROTOCOL; 3784 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3785 XCLIENT_PROTO, attr_value); 3786 return (-1); 3787 } 3788 UPDATE_STR(state->protocol, uppercase(attr_value)); 3789 got_proto = 1; 3790 } 3791 3792 /* 3793 * LOGIN=sasl_username. Sets the authentication method as XCLIENT. 3794 * This can be used even if SASL authentication is turned off in 3795 * main.cf. We can't make it easier than that. 3796 */ 3797 #ifdef USE_SASL_AUTH 3798 else if (STREQ(attr_name, XCLIENT_LOGIN)) { 3799 if (STREQ(attr_value, XCLIENT_UNAVAILABLE) == 0) { 3800 smtpd_sasl_auth_extern(state, attr_value, XCLIENT_CMD); 3801 got_login = 1; 3802 } 3803 } 3804 #endif 3805 3806 /* 3807 * Unknown attribute name. Complain. 3808 */ 3809 else { 3810 state->error_mask |= MAIL_ERROR_PROTOCOL; 3811 smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s", 3812 XCLIENT_CMD, attr_name); 3813 return (-1); 3814 } 3815 } 3816 3817 /* 3818 * Update the combined name and address when either has changed. 3819 */ 3820 if (update_namaddr) { 3821 if (state->namaddr) 3822 myfree(state->namaddr); 3823 state->namaddr = 3824 SMTPD_BUILD_NAMADDRPORT(state->name, state->addr, state->port); 3825 } 3826 3827 /* 3828 * XXX Compatibility: when the client issues XCLIENT then we have to go 3829 * back to initial server greeting stage, otherwise we can't correctly 3830 * simulate smtpd_client_restrictions (with smtpd_delay_reject=0) and 3831 * Milter connect restrictions. 3832 * 3833 * XXX Compatibility: for accurate simulation we must also reset the HELO 3834 * information. We keep the information if it was specified in the 3835 * XCLIENT command. 3836 * 3837 * XXX The client connection count/rate control must be consistent in its 3838 * use of client address information in connect and disconnect events. We 3839 * re-evaluate xclient so that we correctly simulate connection 3840 * concurrency and connection rate restrictions. 3841 * 3842 * XXX Duplicated from smtpd_proto(). 3843 */ 3844 xclient_allowed = 3845 namadr_list_match(xclient_hosts, state->name, state->addr); 3846 /* NOT: tls_reset() */ 3847 if (got_helo == 0) 3848 helo_reset(state); 3849 if (got_proto == 0 && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) { 3850 myfree(state->protocol); 3851 state->protocol = mystrdup(MAIL_PROTO_SMTP); 3852 } 3853 #ifdef USE_SASL_AUTH 3854 if (got_login == 0) 3855 smtpd_sasl_auth_reset(state); 3856 #endif 3857 chat_reset(state, 0); 3858 mail_reset(state); 3859 rcpt_reset(state); 3860 if (smtpd_milters) 3861 milter_disc_event(smtpd_milters); 3862 vstream_longjmp(state->client, SMTP_ERR_NONE); 3863 return (0); 3864 } 3865 3866 /* xforward_cmd - forward logging attributes */ 3867 3868 static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv) 3869 { 3870 SMTPD_TOKEN *argp; 3871 char *raw_value; 3872 char *attr_value; 3873 const char *bare_value; 3874 char *attr_name; 3875 int updated = 0; 3876 static const NAME_CODE xforward_flags[] = { 3877 XFORWARD_NAME, SMTPD_STATE_XFORWARD_NAME, 3878 XFORWARD_ADDR, SMTPD_STATE_XFORWARD_ADDR, 3879 XFORWARD_PORT, SMTPD_STATE_XFORWARD_PORT, 3880 XFORWARD_PROTO, SMTPD_STATE_XFORWARD_PROTO, 3881 XFORWARD_HELO, SMTPD_STATE_XFORWARD_HELO, 3882 XFORWARD_IDENT, SMTPD_STATE_XFORWARD_IDENT, 3883 XFORWARD_DOMAIN, SMTPD_STATE_XFORWARD_DOMAIN, 3884 0, 0, 3885 }; 3886 static const char *context_name[] = { 3887 MAIL_ATTR_RWR_LOCAL, /* Postfix internal form */ 3888 MAIL_ATTR_RWR_REMOTE, /* Postfix internal form */ 3889 }; 3890 static const NAME_CODE xforward_to_context[] = { 3891 XFORWARD_DOM_LOCAL, 0, /* XFORWARD representation */ 3892 XFORWARD_DOM_REMOTE, 1, /* XFORWARD representation */ 3893 0, -1, 3894 }; 3895 int flag; 3896 int context_code; 3897 3898 /* 3899 * Sanity checks. 3900 */ 3901 if (SMTPD_IN_MAIL_TRANSACTION(state)) { 3902 state->error_mask |= MAIL_ERROR_PROTOCOL; 3903 smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress"); 3904 return (-1); 3905 } 3906 if (argc < 2) { 3907 state->error_mask |= MAIL_ERROR_PROTOCOL; 3908 smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...", 3909 XFORWARD_CMD); 3910 return (-1); 3911 } 3912 if (xforward_hosts && xforward_hosts->error) 3913 cant_permit_command(state, XFORWARD_CMD); 3914 if (!xforward_allowed) { 3915 state->error_mask |= MAIL_ERROR_POLICY; 3916 smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization"); 3917 return (-1); 3918 } 3919 3920 /* 3921 * Initialize. 3922 */ 3923 if (state->xforward.flags == 0) 3924 smtpd_xforward_preset(state); 3925 if (state->expand_buf == 0) 3926 state->expand_buf = vstring_alloc(100); 3927 3928 /* 3929 * Iterate over all attribute=value elements. 3930 */ 3931 for (argp = argv + 1; argp < argv + argc; argp++) { 3932 attr_name = argp->strval; 3933 3934 if ((raw_value = split_at(attr_name, '=')) == 0 || *raw_value == 0) { 3935 state->error_mask |= MAIL_ERROR_PROTOCOL; 3936 smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected"); 3937 return (-1); 3938 } 3939 if (strlen(raw_value) > 255) { 3940 state->error_mask |= MAIL_ERROR_PROTOCOL; 3941 smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long"); 3942 return (-1); 3943 } 3944 3945 /* 3946 * Backwards compatibility: Postfix prior to version 2.3 does not 3947 * xtext encode attribute values. 3948 */ 3949 attr_value = xtext_unquote(state->expand_buf, raw_value) ? 3950 STR(state->expand_buf) : raw_value; 3951 3952 /* 3953 * For safety's sake mask non-printable characters. We'll do more 3954 * specific censoring later. 3955 */ 3956 printable(attr_value, '?'); 3957 3958 flag = name_code(xforward_flags, NAME_CODE_FLAG_NONE, attr_name); 3959 switch (flag) { 3960 3961 /* 3962 * NAME=up-stream host name, not necessarily in the DNS. Censor 3963 * special characters that could mess up message headers. 3964 */ 3965 case SMTPD_STATE_XFORWARD_NAME: 3966 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 3967 attr_value = CLIENT_NAME_UNKNOWN; 3968 } else { 3969 neuter(attr_value, NEUTER_CHARACTERS, '?'); 3970 if (!valid_hostname(attr_value, DONT_GRIPE)) { 3971 state->error_mask |= MAIL_ERROR_PROTOCOL; 3972 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3973 XFORWARD_NAME, attr_value); 3974 return (-1); 3975 } 3976 } 3977 UPDATE_STR(state->xforward.name, attr_value); 3978 break; 3979 3980 /* 3981 * ADDR=up-stream host network address, not necessarily on the 3982 * Internet. Censor special characters that could mess up message 3983 * headers. 3984 */ 3985 case SMTPD_STATE_XFORWARD_ADDR: 3986 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 3987 attr_value = CLIENT_ADDR_UNKNOWN; 3988 bare_value = attr_value; 3989 } else { 3990 neuter(attr_value, NEUTER_CHARACTERS, '?'); 3991 if ((bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE)) == 0) { 3992 state->error_mask |= MAIL_ERROR_PROTOCOL; 3993 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 3994 XFORWARD_ADDR, attr_value); 3995 return (-1); 3996 } 3997 } 3998 UPDATE_STR(state->xforward.addr, bare_value); 3999 UPDATE_STR(state->xforward.rfc_addr, attr_value); 4000 break; 4001 4002 /* 4003 * PORT=up-stream port number. 4004 */ 4005 case SMTPD_STATE_XFORWARD_PORT: 4006 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4007 attr_value = CLIENT_PORT_UNKNOWN; 4008 } else { 4009 if (!alldig(attr_value) 4010 || strlen(attr_value) > sizeof("65535") - 1) { 4011 state->error_mask |= MAIL_ERROR_PROTOCOL; 4012 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4013 XFORWARD_PORT, attr_value); 4014 return (-1); 4015 } 4016 } 4017 UPDATE_STR(state->xforward.port, attr_value); 4018 break; 4019 4020 /* 4021 * HELO=hostname that the up-stream MTA introduced itself with 4022 * (not necessarily SMTP HELO). Censor special characters that 4023 * could mess up message headers. 4024 */ 4025 case SMTPD_STATE_XFORWARD_HELO: 4026 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4027 attr_value = CLIENT_HELO_UNKNOWN; 4028 } else { 4029 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4030 } 4031 UPDATE_STR(state->xforward.helo_name, attr_value); 4032 break; 4033 4034 /* 4035 * PROTO=up-stream protocol, not necessarily SMTP or ESMTP. 4036 * Censor special characters that could mess up message headers. 4037 */ 4038 case SMTPD_STATE_XFORWARD_PROTO: 4039 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4040 attr_value = CLIENT_PROTO_UNKNOWN; 4041 } else { 4042 if (strlen(attr_value) > 64) { 4043 state->error_mask |= MAIL_ERROR_PROTOCOL; 4044 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4045 XFORWARD_PROTO, attr_value); 4046 return (-1); 4047 } 4048 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4049 } 4050 UPDATE_STR(state->xforward.protocol, attr_value); 4051 break; 4052 4053 /* 4054 * IDENT=local message identifier on the up-stream MTA. Censor 4055 * special characters that could mess up logging or macro 4056 * expansions. 4057 */ 4058 case SMTPD_STATE_XFORWARD_IDENT: 4059 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) { 4060 attr_value = CLIENT_IDENT_UNKNOWN; 4061 } else { 4062 neuter(attr_value, NEUTER_CHARACTERS, '?'); 4063 } 4064 UPDATE_STR(state->xforward.ident, attr_value); 4065 break; 4066 4067 /* 4068 * DOMAIN=local or remote. 4069 */ 4070 case SMTPD_STATE_XFORWARD_DOMAIN: 4071 if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) 4072 attr_value = XFORWARD_DOM_LOCAL; 4073 if ((context_code = name_code(xforward_to_context, 4074 NAME_CODE_FLAG_NONE, 4075 attr_value)) < 0) { 4076 state->error_mask |= MAIL_ERROR_PROTOCOL; 4077 smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s", 4078 XFORWARD_DOMAIN, attr_value); 4079 return (-1); 4080 } 4081 UPDATE_STR(state->xforward.domain, context_name[context_code]); 4082 break; 4083 4084 /* 4085 * Unknown attribute name. Complain. 4086 */ 4087 default: 4088 state->error_mask |= MAIL_ERROR_PROTOCOL; 4089 smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s", 4090 XFORWARD_CMD, attr_name); 4091 return (-1); 4092 } 4093 updated |= flag; 4094 } 4095 state->xforward.flags |= updated; 4096 4097 /* 4098 * Update the combined name and address when either has changed. Use only 4099 * the name when no address is available. 4100 */ 4101 if (updated & (SMTPD_STATE_XFORWARD_NAME | SMTPD_STATE_XFORWARD_ADDR)) { 4102 if (state->xforward.namaddr) 4103 myfree(state->xforward.namaddr); 4104 state->xforward.namaddr = 4105 IS_AVAIL_CLIENT_ADDR(state->xforward.addr) ? 4106 SMTPD_BUILD_NAMADDRPORT(state->xforward.name, 4107 state->xforward.addr, 4108 state->xforward.port) : 4109 mystrdup(state->xforward.name); 4110 } 4111 smtpd_chat_reply(state, "250 2.0.0 Ok"); 4112 return (0); 4113 } 4114 4115 /* chat_reset - notify postmaster and reset conversation log */ 4116 4117 static void chat_reset(SMTPD_STATE *state, int threshold) 4118 { 4119 4120 /* 4121 * Notify the postmaster if there were errors. This usually indicates a 4122 * client configuration problem, or that someone is trying nasty things. 4123 * Either is significant enough to bother the postmaster. XXX Can't 4124 * report problems when running in stand-alone mode: postmaster notices 4125 * require availability of the cleanup service. 4126 */ 4127 if (state->history != 0 && state->history->argc > threshold) { 4128 if (SMTPD_STAND_ALONE(state) == 0 4129 && (state->error_mask & state->notify_mask)) 4130 smtpd_chat_notify(state); 4131 state->error_mask = 0; 4132 smtpd_chat_reset(state); 4133 } 4134 } 4135 4136 #ifdef USE_TLS 4137 4138 /* smtpd_start_tls - turn on TLS or force disconnect */ 4139 4140 static void smtpd_start_tls(SMTPD_STATE *state) 4141 { 4142 int rate; 4143 int cert_present; 4144 int requirecert; 4145 4146 #ifdef USE_TLSPROXY 4147 4148 /* 4149 * This is non-production code, for tlsproxy(8) load testing only. It 4150 * implements enough to enable some Postfix features that depend on TLS 4151 * encryption. 4152 * 4153 * To insert tlsproxy(8) between this process and the SMTP client, we swap 4154 * the file descriptors between the state->tlsproxy and state->client 4155 * VSTREAMS, so that we don't lose all the user-configurable 4156 * state->client attributes (such as longjump buffers or timeouts). 4157 * 4158 * As we implement tlsproy support in the Postfix SMTP client we should 4159 * develop a usable abstraction that encapsulates this stream plumbing in 4160 * a library module. 4161 */ 4162 vstream_control(state->tlsproxy, VSTREAM_CTL_DOUBLE, VSTREAM_CTL_END); 4163 vstream_control(state->client, VSTREAM_CTL_SWAP_FD, state->tlsproxy, 4164 VSTREAM_CTL_END); 4165 (void) vstream_fclose(state->tlsproxy); /* direct-to-client stream! */ 4166 state->tlsproxy = 0; 4167 4168 /* 4169 * After plumbing the plaintext stream, receive the TLS context object. 4170 * For this we must use the same VSTREAM buffer that we also use to 4171 * receive subsequent SMTP commands. The attribute protocol is robust 4172 * enough that an adversary cannot inject their own bogus TLS context 4173 * attributes into the stream. 4174 */ 4175 state->tls_context = tls_proxy_context_receive(state->client); 4176 4177 /* 4178 * XXX Maybe it is better to send this information to tlsproxy(8) when 4179 * requesting service, effectively making a remote tls_server_start() 4180 * call. 4181 */ 4182 requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls); 4183 4184 #else /* USE_TLSPROXY */ 4185 TLS_SERVER_START_PROPS props; 4186 static char *cipher_grade; 4187 static VSTRING *cipher_exclusions; 4188 4189 /* 4190 * Wrapper mode uses a dedicated port and always requires TLS. 4191 * 4192 * XXX In non-wrapper mode, it is possible to require client certificate 4193 * verification without requiring TLS. Since certificates can be verified 4194 * only while TLS is turned on, this means that Postfix will happily 4195 * perform SMTP transactions when the client does not use the STARTTLS 4196 * command. For this reason, Postfix does not require client certificate 4197 * verification unless TLS is required. 4198 * 4199 * The cipher grade and exclusions don't change between sessions. Compute 4200 * just once and cache. 4201 */ 4202 #define ADD_EXCLUDE(vstr, str) \ 4203 do { \ 4204 if (*(str)) \ 4205 vstring_sprintf_append((vstr), "%s%s", \ 4206 VSTRING_LEN(vstr) ? " " : "", (str)); \ 4207 } while (0) 4208 4209 if (cipher_grade == 0) { 4210 cipher_grade = var_smtpd_enforce_tls ? 4211 var_smtpd_tls_mand_ciph : var_smtpd_tls_ciph; 4212 cipher_exclusions = vstring_alloc(10); 4213 ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_excl_ciph); 4214 if (var_smtpd_enforce_tls) 4215 ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_mand_excl); 4216 if (ask_client_cert) 4217 ADD_EXCLUDE(cipher_exclusions, "aNULL"); 4218 } 4219 4220 /* 4221 * Perform the TLS handshake now. Check the client certificate 4222 * requirements later, if necessary. 4223 */ 4224 requirecert = (var_smtpd_tls_req_ccert && var_smtpd_enforce_tls); 4225 4226 state->tls_context = 4227 TLS_SERVER_START(&props, 4228 ctx = smtpd_tls_ctx, 4229 stream = state->client, 4230 fd = -1, 4231 timeout = var_smtpd_starttls_tmout, 4232 requirecert = requirecert, 4233 serverid = state->service, 4234 namaddr = state->namaddr, 4235 cipher_grade = cipher_grade, 4236 cipher_exclusions = STR(cipher_exclusions), 4237 mdalg = var_smtpd_tls_fpt_dgst); 4238 4239 #endif /* USE_TLSPROXY */ 4240 4241 /* 4242 * For new (i.e. not re-used) TLS sessions, increment the client's new 4243 * TLS session rate counter. We enforce the limit here only for human 4244 * factors reasons (reduce the WTF factor), even though it is too late to 4245 * save the CPU that was already burnt on PKI ops. The real safety 4246 * mechanism applies with future STARTTLS commands (or wrappermode 4247 * connections), prior to the SSL handshake. 4248 * 4249 * XXX The client event count/rate control must be consistent in its use of 4250 * client address information in connect and disconnect events. For now 4251 * we exclude xclient authorized hosts from event count/rate control. 4252 */ 4253 if (var_smtpd_cntls_limit > 0 4254 && (state->tls_context == 0 || state->tls_context->session_reused == 0) 4255 && SMTPD_STAND_ALONE(state) == 0 4256 && !xclient_allowed 4257 && anvil_clnt 4258 && !namadr_list_match(hogger_list, state->name, state->addr) 4259 && anvil_clnt_newtls(anvil_clnt, state->service, state->addr, 4260 &rate) == ANVIL_STAT_OK 4261 && rate > var_smtpd_cntls_limit) { 4262 state->error_mask |= MAIL_ERROR_POLICY; 4263 msg_warn("New TLS session rate limit exceeded: %d from %s for service %s", 4264 rate, state->namaddr, state->service); 4265 if (state->tls_context) 4266 smtpd_chat_reply(state, 4267 "421 4.7.0 %s Error: too many new TLS sessions from %s", 4268 var_myhostname, state->namaddr); 4269 /* XXX Use regular return to signal end of session. */ 4270 vstream_longjmp(state->client, SMTP_ERR_QUIET); 4271 } 4272 4273 /* 4274 * When the TLS handshake fails, the conversation is in an unknown state. 4275 * There is nothing we can do except to disconnect from the client. 4276 */ 4277 if (state->tls_context == 0) 4278 vstream_longjmp(state->client, SMTP_ERR_EOF); 4279 4280 /* 4281 * If we are requiring verified client certs, enforce the constraint 4282 * here. We have a usable TLS session with the client, so no need to 4283 * disable I/O, ... we can even be polite and send "421 ...". 4284 */ 4285 if (requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) { 4286 4287 /* 4288 * Fetch and reject the next command (should be EHLO), then 4289 * disconnect (side-effect of returning "421 ...". 4290 */ 4291 cert_present = TLS_CERT_IS_PRESENT(state->tls_context); 4292 msg_info("NOQUEUE: abort: TLS from %s: %s", 4293 state->namaddr, cert_present ? 4294 "Client certificate not trusted" : 4295 "No client certificate presented"); 4296 smtpd_chat_query(state); 4297 smtpd_chat_reply(state, "421 4.7.1 %s Error: %s", 4298 var_myhostname, cert_present ? 4299 "Client certificate not trusted" : 4300 "No client certificate presented"); 4301 state->error_mask |= MAIL_ERROR_POLICY; 4302 return; 4303 } 4304 4305 /* 4306 * When TLS is turned on, we may offer AUTH methods that would not be 4307 * offered within a plain-text session. 4308 * 4309 * XXX Always refresh SASL the mechanism list after STARTTLS. Dovecot 4310 * responses may depend on whether the SMTP connection is encrypted. 4311 */ 4312 #ifdef USE_SASL_AUTH 4313 if (var_smtpd_sasl_enable) { 4314 /* Non-wrappermode, presumably. */ 4315 if (smtpd_sasl_is_active(state)) { 4316 smtpd_sasl_auth_reset(state); 4317 smtpd_sasl_deactivate(state); 4318 } 4319 /* Wrappermode and non-wrappermode. */ 4320 if (smtpd_sasl_is_active(state) == 0) 4321 smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS, 4322 var_smtpd_sasl_tls_opts); 4323 } 4324 #endif 4325 } 4326 4327 /* starttls_cmd - respond to STARTTLS */ 4328 4329 static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv) 4330 { 4331 const char *err; 4332 int rate; 4333 4334 if (argc != 1) { 4335 state->error_mask |= MAIL_ERROR_PROTOCOL; 4336 smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS"); 4337 return (-1); 4338 } 4339 if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0) { 4340 if (err[0] == '5') { 4341 state->error_mask |= MAIL_ERROR_POLICY; 4342 smtpd_chat_reply(state, "%s", err); 4343 return (-1); 4344 } 4345 /* Sendmail compatibility: map 4xx into 454. */ 4346 else if (err[0] == '4') { 4347 state->error_mask |= MAIL_ERROR_POLICY; 4348 smtpd_chat_reply(state, "454 4.3.0 Try again later"); 4349 return (-1); 4350 } 4351 } 4352 if (state->tls_context != 0) { 4353 state->error_mask |= MAIL_ERROR_PROTOCOL; 4354 smtpd_chat_reply(state, "554 5.5.1 Error: TLS already active"); 4355 return (-1); 4356 } 4357 if (var_smtpd_use_tls == 0 4358 || (state->ehlo_discard_mask & EHLO_MASK_STARTTLS)) { 4359 state->error_mask |= MAIL_ERROR_PROTOCOL; 4360 smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented"); 4361 return (-1); 4362 } 4363 #ifdef USE_TLSPROXY 4364 4365 /* 4366 * Note: state->tlsproxy is left open when smtp_flush() calls longjmp(), 4367 * so we garbage-collect the VSTREAM in smtpd_state_reset(). 4368 */ 4369 #define PROXY_OPEN_FLAGS \ 4370 (TLS_PROXY_FLAG_ROLE_SERVER | TLS_PROXY_FLAG_SEND_CONTEXT) 4371 4372 state->tlsproxy = tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS, 4373 state->client, state->addr, 4374 state->port, var_smtpd_tmout); 4375 if (state->tlsproxy == 0) { 4376 state->error_mask |= MAIL_ERROR_SOFTWARE; 4377 /* RFC 3207 Section 4. */ 4378 smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem"); 4379 return (-1); 4380 } 4381 #else /* USE_TLSPROXY */ 4382 if (smtpd_tls_ctx == 0) { 4383 state->error_mask |= MAIL_ERROR_SOFTWARE; 4384 /* RFC 3207 Section 4. */ 4385 smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem"); 4386 return (-1); 4387 } 4388 #endif /* USE_TLSPROXY */ 4389 4390 /* 4391 * Enforce TLS handshake rate limit when this client negotiated too many 4392 * new TLS sessions in the recent past. 4393 * 4394 * XXX The client event count/rate control must be consistent in its use of 4395 * client address information in connect and disconnect events. For now 4396 * we exclude xclient authorized hosts from event count/rate control. 4397 */ 4398 if (var_smtpd_cntls_limit > 0 4399 && SMTPD_STAND_ALONE(state) == 0 4400 && !xclient_allowed 4401 && anvil_clnt 4402 && !namadr_list_match(hogger_list, state->name, state->addr) 4403 && anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr, 4404 &rate) == ANVIL_STAT_OK 4405 && rate > var_smtpd_cntls_limit) { 4406 state->error_mask |= MAIL_ERROR_POLICY; 4407 msg_warn("Refusing STARTTLS request from %s for service %s", 4408 state->namaddr, state->service); 4409 smtpd_chat_reply(state, 4410 "454 4.7.0 Error: too many new TLS sessions from %s", 4411 state->namaddr); 4412 #ifdef USE_TLSPROXY 4413 (void) vstream_fclose(state->tlsproxy); 4414 state->tlsproxy = 0; 4415 #endif 4416 return (-1); 4417 } 4418 smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS"); 4419 /* Flush before we switch read/write routines or file descriptors. */ 4420 smtp_flush(state->client); 4421 /* At this point there must not be any pending plaintext. */ 4422 vstream_fpurge(state->client, VSTREAM_PURGE_BOTH); 4423 4424 /* 4425 * Reset all inputs to the initial state. 4426 * 4427 * XXX RFC 2487 does not forbid the use of STARTTLS while mail transfer is 4428 * in progress, so we have to allow it even when it makes no sense. 4429 */ 4430 helo_reset(state); 4431 mail_reset(state); 4432 rcpt_reset(state); 4433 4434 /* 4435 * Turn on TLS, using code that is shared with TLS wrapper mode. This 4436 * code does not return when the handshake fails. 4437 */ 4438 smtpd_start_tls(state); 4439 return (0); 4440 } 4441 4442 /* tls_reset - undo STARTTLS */ 4443 4444 static void tls_reset(SMTPD_STATE *state) 4445 { 4446 int failure = 0; 4447 4448 /* 4449 * Don't waste time when we lost contact. 4450 */ 4451 if (state->tls_context) { 4452 if (vstream_feof(state->client) || vstream_ferror(state->client)) 4453 failure = 1; 4454 vstream_fflush(state->client); /* NOT: smtp_flush() */ 4455 #ifdef USE_TLSPROXY 4456 tls_proxy_context_free(state->tls_context); 4457 #else 4458 tls_server_stop(smtpd_tls_ctx, state->client, var_smtpd_starttls_tmout, 4459 failure, state->tls_context); 4460 #endif 4461 state->tls_context = 0; 4462 } 4463 } 4464 4465 #endif 4466 4467 /* 4468 * The table of all SMTP commands that we know. Set the junk limit flag on 4469 * any command that can be repeated an arbitrary number of times without 4470 * triggering a tarpit delay of some sort. 4471 */ 4472 typedef struct SMTPD_CMD { 4473 char *name; 4474 int (*action) (SMTPD_STATE *, int, SMTPD_TOKEN *); 4475 int flags; 4476 } SMTPD_CMD; 4477 4478 #define SMTPD_CMD_FLAG_LIMIT (1<<0) /* limit usage */ 4479 #define SMTPD_CMD_FLAG_PRE_TLS (1<<1) /* allow before STARTTLS */ 4480 #define SMTPD_CMD_FLAG_LAST (1<<2) /* last in PIPELINING command group */ 4481 4482 static SMTPD_CMD smtpd_cmd_table[] = { 4483 SMTPD_CMD_HELO, helo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST, 4484 SMTPD_CMD_EHLO, ehlo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST, 4485 #ifdef USE_TLS 4486 SMTPD_CMD_STARTTLS, starttls_cmd, SMTPD_CMD_FLAG_PRE_TLS, 4487 #endif 4488 #ifdef USE_SASL_AUTH 4489 SMTPD_CMD_AUTH, smtpd_sasl_auth_cmd, 0, 4490 #endif 4491 SMTPD_CMD_MAIL, mail_cmd, 0, 4492 SMTPD_CMD_RCPT, rcpt_cmd, 0, 4493 SMTPD_CMD_DATA, data_cmd, SMTPD_CMD_FLAG_LAST, 4494 SMTPD_CMD_RSET, rset_cmd, SMTPD_CMD_FLAG_LIMIT, 4495 SMTPD_CMD_NOOP, noop_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS | SMTPD_CMD_FLAG_LAST, 4496 SMTPD_CMD_VRFY, vrfy_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_LAST, 4497 SMTPD_CMD_ETRN, etrn_cmd, SMTPD_CMD_FLAG_LIMIT, 4498 SMTPD_CMD_QUIT, quit_cmd, SMTPD_CMD_FLAG_PRE_TLS, 4499 SMTPD_CMD_XCLIENT, xclient_cmd, 0, 4500 SMTPD_CMD_XFORWARD, xforward_cmd, 0, 4501 0, 4502 }; 4503 4504 static STRING_LIST *smtpd_noop_cmds; 4505 static STRING_LIST *smtpd_forbid_cmds; 4506 4507 /* smtpd_proto - talk the SMTP protocol */ 4508 4509 static void smtpd_proto(SMTPD_STATE *state) 4510 { 4511 int argc; 4512 SMTPD_TOKEN *argv; 4513 SMTPD_CMD *cmdp; 4514 int tls_rate; 4515 const char *ehlo_words; 4516 const char *err; 4517 int status; 4518 const char *cp; 4519 4520 /* 4521 * Print a greeting banner and run the state machine. Read SMTP commands 4522 * one line at a time. According to the standard, a sender or recipient 4523 * address could contain an escaped newline. I think this is perverse, 4524 * and anyone depending on this is really asking for trouble. 4525 * 4526 * In case of mail protocol trouble, the program jumps back to this place, 4527 * so that it can perform the necessary cleanup before talking to the 4528 * next client. The setjmp/longjmp primitives are like a sharp tool: use 4529 * with care. I would certainly recommend against the use of 4530 * setjmp/longjmp in programs that change privilege levels. 4531 * 4532 * In case of file system trouble the program terminates after logging the 4533 * error and after informing the client. In all other cases (out of 4534 * memory, panic) the error is logged, and the msg_cleanup() exit handler 4535 * cleans up, but no attempt is made to inform the client of the nature 4536 * of the problem. 4537 */ 4538 smtp_stream_setup(state->client, var_smtpd_tmout, var_smtpd_rec_deadline); 4539 4540 while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE) 4541 /* void */ ; 4542 switch (status) { 4543 4544 default: 4545 msg_panic("smtpd_proto: unknown error reading from %s", 4546 state->namaddr); 4547 break; 4548 4549 case SMTP_ERR_TIME: 4550 state->reason = REASON_TIMEOUT; 4551 if (vstream_setjmp(state->client) == 0) 4552 smtpd_chat_reply(state, "421 4.4.2 %s Error: timeout exceeded", 4553 var_myhostname); 4554 break; 4555 4556 case SMTP_ERR_EOF: 4557 state->reason = REASON_LOST_CONNECTION; 4558 break; 4559 4560 case SMTP_ERR_QUIET: 4561 break; 4562 4563 case SMTP_ERR_DATA: 4564 msg_info("%s: reject: %s from %s: " 4565 "421 4.3.0 %s Server local data error", 4566 (state->queue_id ? state->queue_id : "NOQUEUE"), 4567 state->where, state->namaddr, var_myhostname); 4568 state->error_mask |= MAIL_ERROR_DATA; 4569 if (vstream_setjmp(state->client) == 0) 4570 smtpd_chat_reply(state, "421 4.3.0 %s Server local data error", 4571 var_myhostname); 4572 break; 4573 4574 case 0: 4575 4576 /* 4577 * In TLS wrapper mode, turn on TLS using code that is shared with 4578 * the STARTTLS command. This code does not return when the handshake 4579 * fails. 4580 * 4581 * Enforce TLS handshake rate limit when this client negotiated too many 4582 * new TLS sessions in the recent past. 4583 * 4584 * XXX This means we don't complete a TLS handshake just to tell the 4585 * client that we don't provide service. TLS wrapper mode is 4586 * obsolete, so we don't have to provide perfect support. 4587 */ 4588 #ifdef USE_TLS 4589 if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) { 4590 #ifdef USE_TLSPROXY 4591 /* We garbage-collect the VSTREAM in smtpd_state_reset() */ 4592 state->tlsproxy = tls_proxy_open(var_tlsproxy_service, 4593 PROXY_OPEN_FLAGS, 4594 state->client, state->addr, 4595 state->port, var_smtpd_tmout); 4596 if (state->tlsproxy == 0) { 4597 msg_warn("Wrapper-mode request dropped from %s for service %s." 4598 " TLS context initialization failed. For details see" 4599 " earlier warnings in your logs.", 4600 state->namaddr, state->service); 4601 break; 4602 } 4603 #else /* USE_TLSPROXY */ 4604 if (smtpd_tls_ctx == 0) { 4605 msg_warn("Wrapper-mode request dropped from %s for service %s." 4606 " TLS context initialization failed. For details see" 4607 " earlier warnings in your logs.", 4608 state->namaddr, state->service); 4609 break; 4610 } 4611 #endif /* USE_TLSPROXY */ 4612 if (var_smtpd_cntls_limit > 0 4613 && !xclient_allowed 4614 && anvil_clnt 4615 && !namadr_list_match(hogger_list, state->name, state->addr) 4616 && anvil_clnt_newtls_stat(anvil_clnt, state->service, 4617 state->addr, &tls_rate) == ANVIL_STAT_OK 4618 && tls_rate > var_smtpd_cntls_limit) { 4619 state->error_mask |= MAIL_ERROR_POLICY; 4620 msg_warn("Refusing TLS service request from %s for service %s", 4621 state->namaddr, state->service); 4622 break; 4623 } 4624 smtpd_start_tls(state); 4625 } 4626 #endif 4627 4628 /* 4629 * XXX The client connection count/rate control must be consistent in 4630 * its use of client address information in connect and disconnect 4631 * events. For now we exclude xclient authorized hosts from 4632 * connection count/rate control. 4633 * 4634 * XXX Must send connect/disconnect events to the anvil server even when 4635 * this service is not connection count or rate limited, otherwise it 4636 * will discard client message or recipient rate information too 4637 * early or too late. 4638 */ 4639 if (SMTPD_STAND_ALONE(state) == 0 4640 && !xclient_allowed 4641 && anvil_clnt 4642 && !namadr_list_match(hogger_list, state->name, state->addr) 4643 && anvil_clnt_connect(anvil_clnt, state->service, state->addr, 4644 &state->conn_count, &state->conn_rate) 4645 == ANVIL_STAT_OK) { 4646 if (var_smtpd_cconn_limit > 0 4647 && state->conn_count > var_smtpd_cconn_limit) { 4648 state->error_mask |= MAIL_ERROR_POLICY; 4649 msg_warn("Connection concurrency limit exceeded: %d from %s for service %s", 4650 state->conn_count, state->namaddr, state->service); 4651 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s", 4652 var_myhostname, state->addr); 4653 break; 4654 } 4655 if (var_smtpd_crate_limit > 0 4656 && state->conn_rate > var_smtpd_crate_limit) { 4657 msg_warn("Connection rate limit exceeded: %d from %s for service %s", 4658 state->conn_rate, state->namaddr, state->service); 4659 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s", 4660 var_myhostname, state->addr); 4661 break; 4662 } 4663 } 4664 4665 /* 4666 * Determine what server ESMTP features to suppress, typically to 4667 * avoid inter-operability problems. Moved up so we don't send 421 4668 * immediately after sending the initial server response. 4669 */ 4670 if (ehlo_discard_maps == 0 4671 || (ehlo_words = maps_find(ehlo_discard_maps, state->addr, 0)) == 0) 4672 ehlo_words = var_smtpd_ehlo_dis_words; 4673 state->ehlo_discard_mask = ehlo_mask(ehlo_words); 4674 4675 /* XXX We use the real client for connect access control. */ 4676 if (SMTPD_STAND_ALONE(state) == 0 4677 && var_smtpd_delay_reject == 0 4678 && (err = smtpd_check_client(state)) != 0) { 4679 state->error_mask |= MAIL_ERROR_POLICY; 4680 state->access_denied = mystrdup(err); 4681 smtpd_chat_reply(state, "%s", state->access_denied); 4682 state->error_count++; 4683 } 4684 4685 /* 4686 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses 4687 * other than the initial greeting and any response to HELO or EHLO 4688 * are prefaced with a status code as defined in RFC 3463. 4689 */ 4690 4691 /* 4692 * XXX If a Milter rejects CONNECT, reply with 220 except in case of 4693 * hard reject or 421 (disconnect). The reply persists so it will 4694 * apply to MAIL FROM and to other commands such as AUTH, STARTTLS, 4695 * and VRFY. Note: after a Milter CONNECT reject, we must not reject 4696 * HELO or EHLO, but we do change the feature list that is announced 4697 * in the EHLO response. 4698 */ 4699 else { 4700 err = 0; 4701 if (smtpd_milters != 0 && SMTPD_STAND_ALONE(state) == 0) { 4702 milter_macro_callback(smtpd_milters, smtpd_milter_eval, 4703 (void *) state); 4704 if ((err = milter_conn_event(smtpd_milters, state->name, 4705 state->addr, 4706 strcmp(state->port, CLIENT_PORT_UNKNOWN) ? 4707 state->port : "0", 4708 state->addr_family)) != 0) 4709 err = check_milter_reply(state, err); 4710 } 4711 if (err && err[0] == '5') { 4712 state->error_mask |= MAIL_ERROR_POLICY; 4713 smtpd_chat_reply(state, "554 %s ESMTP not accepting connections", 4714 var_myhostname); 4715 state->error_count++; 4716 } else if (err && strncmp(err, "421", 3) == 0) { 4717 state->error_mask |= MAIL_ERROR_POLICY; 4718 smtpd_chat_reply(state, "421 %s Service unavailable - try again later", 4719 var_myhostname); 4720 /* Not: state->error_count++; */ 4721 } else { 4722 smtpd_chat_reply(state, "220 %s", var_smtpd_banner); 4723 } 4724 } 4725 4726 /* 4727 * SASL initialization for plaintext mode. 4728 * 4729 * XXX Backwards compatibility: allow AUTH commands when the AUTH 4730 * announcement is suppressed via smtpd_sasl_exceptions_networks. 4731 * 4732 * XXX Safety: don't enable SASL with "smtpd_tls_auth_only = yes" and 4733 * non-TLS build. 4734 */ 4735 #ifdef USE_SASL_AUTH 4736 if (var_smtpd_sasl_enable && smtpd_sasl_is_active(state) == 0 4737 #ifdef USE_TLS 4738 && state->tls_context == 0 && !var_smtpd_tls_auth_only 4739 #else 4740 && var_smtpd_tls_auth_only == 0 4741 #endif 4742 ) 4743 smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS, 4744 var_smtpd_sasl_opts); 4745 #endif 4746 4747 for (;;) { 4748 if (state->flags & SMTPD_FLAG_HANGUP) 4749 break; 4750 if (state->error_count >= var_smtpd_hard_erlim) { 4751 state->reason = REASON_ERROR_LIMIT; 4752 state->error_mask |= MAIL_ERROR_PROTOCOL; 4753 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors", 4754 var_myhostname); 4755 break; 4756 } 4757 watchdog_pat(); 4758 smtpd_chat_query(state); 4759 /* Move into smtpd_chat_query() and update session transcript. */ 4760 if (smtpd_cmd_filter != 0) { 4761 for (cp = STR(state->buffer); *cp && IS_SPACE_TAB(*cp); cp++) 4762 /* void */ ; 4763 if ((cp = dict_get(smtpd_cmd_filter, cp)) != 0) { 4764 msg_info("%s: replacing command \"%.100s\" with \"%.100s\"", 4765 state->namaddr, STR(state->buffer), cp); 4766 vstring_strcpy(state->buffer, cp); 4767 } else if (smtpd_cmd_filter->error != 0) { 4768 msg_warn("%s:%s lookup error for \"%.100s\"", 4769 smtpd_cmd_filter->type, smtpd_cmd_filter->name, 4770 printable(STR(state->buffer), '?')); 4771 vstream_longjmp(state->client, SMTP_ERR_DATA); 4772 } 4773 } 4774 if ((argc = smtpd_token(vstring_str(state->buffer), &argv)) == 0) { 4775 state->error_mask |= MAIL_ERROR_PROTOCOL; 4776 smtpd_chat_reply(state, "500 5.5.2 Error: bad syntax"); 4777 state->error_count++; 4778 continue; 4779 } 4780 /* Ignore smtpd_noop_cmds lookup errors. Non-critical feature. */ 4781 if (*var_smtpd_noop_cmds 4782 && string_list_match(smtpd_noop_cmds, argv[0].strval)) { 4783 smtpd_chat_reply(state, "250 2.0.0 Ok"); 4784 if (state->junk_cmds++ > var_smtpd_junk_cmd_limit) 4785 state->error_count++; 4786 continue; 4787 } 4788 for (cmdp = smtpd_cmd_table; cmdp->name != 0; cmdp++) 4789 if (strcasecmp(argv[0].strval, cmdp->name) == 0) 4790 break; 4791 /* Ignore smtpd_forbid_cmds lookup errors. Non-critical feature. */ 4792 if (cmdp->name == 0) { 4793 state->where = SMTPD_CMD_UNKNOWN; 4794 if (is_header(argv[0].strval) 4795 || (*var_smtpd_forbid_cmds 4796 && string_list_match(smtpd_forbid_cmds, argv[0].strval))) { 4797 msg_warn("non-SMTP command from %s: %.100s", 4798 state->namaddr, vstring_str(state->buffer)); 4799 smtpd_chat_reply(state, "221 2.7.0 Error: I can break rules, too. Goodbye."); 4800 break; 4801 } 4802 } 4803 /* XXX We use the real client for connect access control. */ 4804 if (state->access_denied && cmdp->action != quit_cmd) { 4805 /* XXX Exception for Milter override. */ 4806 if (strncmp(state->access_denied + 1, "21", 2) == 0) { 4807 smtpd_chat_reply(state, "%s", state->access_denied); 4808 continue; 4809 } 4810 smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s", 4811 state->namaddr); /* RFC 2821 Sec 3.1 */ 4812 state->error_count++; 4813 continue; 4814 } 4815 /* state->access_denied == 0 || cmdp->action == quit_cmd */ 4816 if (cmdp->name == 0) { 4817 if (smtpd_milters != 0 4818 && SMTPD_STAND_ALONE(state) == 0 4819 && (err = milter_unknown_event(smtpd_milters, 4820 argv[0].strval)) != 0 4821 && (err = check_milter_reply(state, err)) != 0) { 4822 smtpd_chat_reply(state, "%s", err); 4823 } else 4824 smtpd_chat_reply(state, "502 5.5.2 Error: command not recognized"); 4825 state->error_mask |= MAIL_ERROR_PROTOCOL; 4826 state->error_count++; 4827 continue; 4828 } 4829 #ifdef USE_TLS 4830 if (var_smtpd_enforce_tls && 4831 !state->tls_context && 4832 (cmdp->flags & SMTPD_CMD_FLAG_PRE_TLS) == 0) { 4833 smtpd_chat_reply(state, 4834 "530 5.7.0 Must issue a STARTTLS command first"); 4835 state->error_count++; 4836 continue; 4837 } 4838 #endif 4839 state->where = cmdp->name; 4840 if (SMTPD_STAND_ALONE(state) == 0 4841 && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0 4842 || (cmdp->flags & SMTPD_CMD_FLAG_LAST)) 4843 && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0 4844 && (vstream_peek(state->client) > 0 4845 || peekfd(vstream_fileno(state->client)) > 0)) { 4846 if (state->expand_buf == 0) 4847 state->expand_buf = vstring_alloc(100); 4848 escape(state->expand_buf, vstream_peek_data(state->client), 4849 vstream_peek(state->client) < 100 ? 4850 vstream_peek(state->client) : 100); 4851 msg_info("improper command pipelining after %s from %s: %s", 4852 cmdp->name, state->namaddr, STR(state->expand_buf)); 4853 state->flags |= SMTPD_FLAG_ILL_PIPELINING; 4854 } 4855 if (cmdp->action(state, argc, argv) != 0) 4856 state->error_count++; 4857 if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT) 4858 && state->junk_cmds++ > var_smtpd_junk_cmd_limit) 4859 state->error_count++; 4860 if (cmdp->action == quit_cmd) 4861 break; 4862 } 4863 break; 4864 } 4865 4866 /* 4867 * XXX The client connection count/rate control must be consistent in its 4868 * use of client address information in connect and disconnect events. 4869 * For now we exclude xclient authorized hosts from connection count/rate 4870 * control. 4871 * 4872 * XXX Must send connect/disconnect events to the anvil server even when 4873 * this service is not connection count or rate limited, otherwise it 4874 * will discard client message or recipient rate information too early or 4875 * too late. 4876 */ 4877 if (SMTPD_STAND_ALONE(state) == 0 4878 && !xclient_allowed 4879 && anvil_clnt 4880 && !namadr_list_match(hogger_list, state->name, state->addr)) 4881 anvil_clnt_disconnect(anvil_clnt, state->service, state->addr); 4882 4883 /* 4884 * Log abnormal session termination, in case postmaster notification has 4885 * been turned off. In the log, indicate the last recognized state before 4886 * things went wrong. Don't complain about clients that go away without 4887 * sending QUIT. Log the byte count after DATA to help diagnose MTU 4888 * troubles. 4889 */ 4890 if (state->reason && state->where) { 4891 if (strcmp(state->where, SMTPD_AFTER_DATA) == 0) { 4892 msg_info("%s after %s (%lu bytes) from %s", /* 2.5 compat */ 4893 state->reason, SMTPD_CMD_DATA, /* 2.5 compat */ 4894 (long) (state->act_size + vstream_peek(state->client)), 4895 state->namaddr); 4896 } else if (strcmp(state->where, SMTPD_AFTER_DOT) 4897 || strcmp(state->reason, REASON_LOST_CONNECTION)) { 4898 msg_info("%s after %s from %s", 4899 state->reason, state->where, state->namaddr); 4900 } 4901 } 4902 4903 /* 4904 * Cleanup whatever information the client gave us during the SMTP 4905 * dialog. 4906 * 4907 * XXX Duplicated in xclient_cmd(). 4908 */ 4909 #ifdef USE_TLS 4910 tls_reset(state); 4911 #endif 4912 helo_reset(state); 4913 #ifdef USE_SASL_AUTH 4914 smtpd_sasl_auth_reset(state); 4915 if (smtpd_sasl_is_active(state)) { 4916 smtpd_sasl_deactivate(state); 4917 } 4918 #endif 4919 chat_reset(state, 0); 4920 mail_reset(state); 4921 rcpt_reset(state); 4922 if (smtpd_milters) 4923 milter_disc_event(smtpd_milters); 4924 } 4925 4926 /* smtpd_service - service one client */ 4927 4928 static void smtpd_service(VSTREAM *stream, char *service, char **argv) 4929 { 4930 SMTPD_STATE state; 4931 4932 /* 4933 * Sanity check. This service takes no command-line arguments. 4934 */ 4935 if (argv[0]) 4936 msg_fatal("unexpected command-line argument: %s", argv[0]); 4937 4938 /* 4939 * For sanity, require that at least one of INET or INET6 is enabled. 4940 * Otherwise, we can't look up interface information, and we can't 4941 * convert names or addresses. 4942 */ 4943 if (SMTPD_STAND_ALONE_STREAM(stream) == 0 4944 && inet_proto_info()->ai_family_list[0] == 0) 4945 msg_fatal("all network protocols are disabled (%s = %s)", 4946 VAR_INET_PROTOCOLS, var_inet_protocols); 4947 4948 /* 4949 * This routine runs when a client has connected to our network port, or 4950 * when the smtp server is run in stand-alone mode (input from pipe). 4951 * 4952 * Look up and sanitize the peer name, then initialize some connection- 4953 * specific state. When the name service is hosed, hostname lookup will 4954 * take a while. This is why I always run a local name server on critical 4955 * machines. 4956 */ 4957 smtpd_state_init(&state, stream, service); 4958 msg_info("connect from %s", state.namaddr); 4959 4960 /* 4961 * Disable TLS when running in stand-alone mode via "sendmail -bs". 4962 */ 4963 if (SMTPD_STAND_ALONE((&state))) { 4964 var_smtpd_use_tls = 0; 4965 var_smtpd_enforce_tls = 0; 4966 var_smtpd_tls_auth_only = 0; 4967 } 4968 4969 /* 4970 * XCLIENT must not override its own access control. 4971 */ 4972 xclient_allowed = SMTPD_STAND_ALONE((&state)) == 0 && 4973 namadr_list_match(xclient_hosts, state.name, state.addr); 4974 4975 /* 4976 * Overriding XFORWARD access control makes no sense, either. 4977 */ 4978 xforward_allowed = SMTPD_STAND_ALONE((&state)) == 0 && 4979 namadr_list_match(xforward_hosts, state.name, state.addr); 4980 4981 /* 4982 * See if we need to turn on verbose logging for this client. 4983 */ 4984 debug_peer_check(state.name, state.addr); 4985 4986 /* 4987 * Provide the SMTP service. 4988 */ 4989 if ((state.flags & SMTPD_FLAG_HANGUP) == 0) 4990 smtpd_proto(&state); 4991 4992 /* 4993 * After the client has gone away, clean up whatever we have set up at 4994 * connection time. 4995 */ 4996 msg_info("disconnect from %s", state.namaddr); 4997 smtpd_state_reset(&state); 4998 debug_peer_restore(); 4999 } 5000 5001 /* pre_accept - see if tables have changed */ 5002 5003 static void pre_accept(char *unused_name, char **unused_argv) 5004 { 5005 const char *table; 5006 5007 if ((table = dict_changed_name()) != 0) { 5008 msg_info("table %s has changed -- restarting", table); 5009 exit(0); 5010 } 5011 } 5012 5013 /* pre_jail_init - pre-jail initialization */ 5014 5015 static void pre_jail_init(char *unused_name, char **unused_argv) 5016 { 5017 5018 /* 5019 * Initialize blacklist/etc. patterns before entering the chroot jail, in 5020 * case they specify a filename pattern. 5021 */ 5022 smtpd_noop_cmds = string_list_init(MATCH_FLAG_RETURN, var_smtpd_noop_cmds); 5023 smtpd_forbid_cmds = string_list_init(MATCH_FLAG_RETURN, var_smtpd_forbid_cmds); 5024 verp_clients = namadr_list_init(MATCH_FLAG_RETURN, var_verp_clients); 5025 xclient_hosts = namadr_list_init(MATCH_FLAG_RETURN, var_xclient_hosts); 5026 xforward_hosts = namadr_list_init(MATCH_FLAG_RETURN, var_xforward_hosts); 5027 hogger_list = namadr_list_init(MATCH_FLAG_RETURN, var_smtpd_hoggers); 5028 5029 /* 5030 * Open maps before dropping privileges so we can read passwords etc. 5031 * 5032 * XXX We should not do this in stand-alone (sendmail -bs) mode, but we 5033 * can't use SMTPD_STAND_ALONE(state) here. This means "sendmail -bs" 5034 * will try to connect to proxymap when invoked by root for mail 5035 * submission. To fix, we would have to pass stand-alone mode information 5036 * via different means. For now we have to tell people not to run mail 5037 * clients as root. 5038 */ 5039 if (getuid() == 0 || getuid() == var_owner_uid) 5040 smtpd_check_init(); 5041 smtpd_expand_init(); 5042 debug_peer_init(); 5043 5044 if (var_smtpd_sasl_enable) 5045 #ifdef USE_SASL_AUTH 5046 smtpd_sasl_initialize(); 5047 5048 if (*var_smtpd_sasl_exceptions_networks) 5049 sasl_exceptions_networks = 5050 namadr_list_init(MATCH_FLAG_RETURN, 5051 var_smtpd_sasl_exceptions_networks); 5052 #else 5053 msg_warn("%s is true, but SASL support is not compiled in", 5054 VAR_SMTPD_SASL_ENABLE); 5055 #endif 5056 5057 if (*var_smtpd_cmd_filter) 5058 smtpd_cmd_filter = dict_open(var_smtpd_cmd_filter, O_RDONLY, 5059 DICT_FLAG_LOCK | DICT_FLAG_FOLD_FIX); 5060 5061 /* 5062 * XXX Temporary fix to pretend that we consistently implement TLS 5063 * security levels. We implement only a subset for now. If we implement 5064 * more levels, wrappermode should override only weaker TLS security 5065 * levels. 5066 * 5067 * Note: tls_level_lookup() logs no warning. 5068 */ 5069 if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) { 5070 switch (tls_level_lookup(var_smtpd_tls_level)) { 5071 default: 5072 msg_fatal("Invalid TLS level \"%s\"", var_smtpd_tls_level); 5073 /* NOTREACHED */ 5074 break; 5075 case TLS_LEV_SECURE: 5076 case TLS_LEV_VERIFY: 5077 case TLS_LEV_FPRINT: 5078 msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"", 5079 VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level); 5080 /* FALLTHROUGH */ 5081 case TLS_LEV_ENCRYPT: 5082 var_smtpd_enforce_tls = var_smtpd_use_tls = 1; 5083 break; 5084 case TLS_LEV_MAY: 5085 var_smtpd_enforce_tls = 0; 5086 var_smtpd_use_tls = 1; 5087 break; 5088 case TLS_LEV_NONE: 5089 var_smtpd_enforce_tls = var_smtpd_use_tls = 0; 5090 break; 5091 } 5092 } 5093 5094 /* 5095 * With TLS wrapper mode, we run on a dedicated port and turn on TLS 5096 * before actually speaking the SMTP protocol. This implies TLS enforce 5097 * mode. 5098 * 5099 * With non-wrapper mode, TLS enforce mode implies that we don't advertise 5100 * AUTH before the client issues STARTTLS. 5101 */ 5102 var_smtpd_enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls; 5103 var_smtpd_tls_auth_only = var_smtpd_tls_auth_only || var_smtpd_enforce_tls; 5104 var_smtpd_use_tls = var_smtpd_use_tls || var_smtpd_enforce_tls; 5105 5106 /* 5107 * Keys can only be loaded when running with suitable permissions. When 5108 * called from "sendmail -bs" this is not the case, so we must not 5109 * announce STARTTLS support. 5110 */ 5111 if (getuid() == 0 || getuid() == var_owner_uid) { 5112 if (var_smtpd_use_tls) { 5113 #ifdef USE_TLS 5114 #ifndef USE_TLSPROXY 5115 TLS_SERVER_INIT_PROPS props; 5116 const char *cert_file; 5117 int have_server_cert; 5118 int no_server_cert_ok; 5119 int require_server_cert; 5120 5121 /* 5122 * Can't use anonymous ciphers if we want client certificates. 5123 * Must use anonymous ciphers if we have no certificates. 5124 * 5125 * XXX: Ugh! Too many booleans! 5126 */ 5127 ask_client_cert = require_server_cert = 5128 (var_smtpd_tls_ask_ccert 5129 || (var_smtpd_enforce_tls && var_smtpd_tls_req_ccert)); 5130 if (strcasecmp(var_smtpd_tls_cert_file, "none") == 0) { 5131 no_server_cert_ok = 1; 5132 cert_file = ""; 5133 } else { 5134 no_server_cert_ok = 0; 5135 cert_file = var_smtpd_tls_cert_file; 5136 } 5137 have_server_cert = 5138 (*cert_file || *var_smtpd_tls_dcert_file || *var_smtpd_tls_eccert_file); 5139 5140 /* Some TLS configuration errors are not show stoppers. */ 5141 if (!have_server_cert && require_server_cert) 5142 msg_warn("Need a server cert to request client certs"); 5143 if (!var_smtpd_enforce_tls && var_smtpd_tls_req_ccert) 5144 msg_warn("Can't require client certs unless TLS is required"); 5145 /* After a show-stopper error, reply with 454 to STARTTLS. */ 5146 if (have_server_cert || (no_server_cert_ok && !require_server_cert)) 5147 5148 /* 5149 * Large parameter lists are error-prone, so we emulate a 5150 * language feature that C does not have natively: named 5151 * parameter lists. 5152 */ 5153 smtpd_tls_ctx = 5154 TLS_SERVER_INIT(&props, 5155 log_param = VAR_SMTPD_TLS_LOGLEVEL, 5156 log_level = var_smtpd_tls_loglevel, 5157 verifydepth = var_smtpd_tls_ccert_vd, 5158 cache_type = TLS_MGR_SCACHE_SMTPD, 5159 set_sessid = var_smtpd_tls_set_sessid, 5160 cert_file = cert_file, 5161 key_file = var_smtpd_tls_key_file, 5162 dcert_file = var_smtpd_tls_dcert_file, 5163 dkey_file = var_smtpd_tls_dkey_file, 5164 eccert_file = var_smtpd_tls_eccert_file, 5165 eckey_file = var_smtpd_tls_eckey_file, 5166 CAfile = var_smtpd_tls_CAfile, 5167 CApath = var_smtpd_tls_CApath, 5168 dh1024_param_file 5169 = var_smtpd_tls_dh1024_param_file, 5170 dh512_param_file 5171 = var_smtpd_tls_dh512_param_file, 5172 eecdh_grade = var_smtpd_tls_eecdh, 5173 protocols = var_smtpd_enforce_tls ? 5174 var_smtpd_tls_mand_proto : 5175 var_smtpd_tls_proto, 5176 ask_ccert = ask_client_cert, 5177 mdalg = var_smtpd_tls_fpt_dgst); 5178 else 5179 msg_warn("No server certs available. TLS won't be enabled"); 5180 #endif /* USE_TLSPROXY */ 5181 #else 5182 msg_warn("TLS has been selected, but TLS support is not compiled in"); 5183 #endif 5184 } 5185 } 5186 5187 /* 5188 * flush client. 5189 */ 5190 flush_init(); 5191 5192 /* 5193 * EHLO keyword filter. 5194 */ 5195 if (*var_smtpd_ehlo_dis_maps) 5196 ehlo_discard_maps = maps_create(VAR_SMTPD_EHLO_DIS_MAPS, 5197 var_smtpd_ehlo_dis_maps, 5198 DICT_FLAG_LOCK); 5199 } 5200 5201 /* post_jail_init - post-jail initialization */ 5202 5203 static void post_jail_init(char *unused_name, char **unused_argv) 5204 { 5205 5206 /* 5207 * Initialize the receive transparency options: do we want unknown 5208 * recipient checks, address mapping, header_body_checks?. 5209 */ 5210 smtpd_input_transp_mask = 5211 input_transp_mask(VAR_INPUT_TRANSP, var_input_transp); 5212 5213 /* 5214 * Initialize before-queue filter options: do we want speed-matching 5215 * support so that the entire message is received before we contact a 5216 * before-queue content filter? 5217 */ 5218 if (*var_smtpd_proxy_filt) 5219 smtpd_proxy_opts = 5220 smtpd_proxy_parse_opts(VAR_SMTPD_PROXY_OPTS, var_smtpd_proxy_opts); 5221 5222 /* 5223 * Sendmail mail filters. 5224 * 5225 * XXX Should not do this when running in stand-alone mode. But that test 5226 * looks at VSTREAM_IN which is not available at this point. 5227 * 5228 * XXX Disable non_smtpd_milters when not sending our own mail filter list. 5229 */ 5230 if ((smtpd_input_transp_mask & INPUT_TRANSP_MILTER) == 0) { 5231 if (*var_smtpd_milters) 5232 smtpd_milters = milter_create(var_smtpd_milters, 5233 var_milt_conn_time, 5234 var_milt_cmd_time, 5235 var_milt_msg_time, 5236 var_milt_protocol, 5237 var_milt_def_action, 5238 var_milt_conn_macros, 5239 var_milt_helo_macros, 5240 var_milt_mail_macros, 5241 var_milt_rcpt_macros, 5242 var_milt_data_macros, 5243 var_milt_eoh_macros, 5244 var_milt_eod_macros, 5245 var_milt_unk_macros); 5246 else 5247 smtpd_input_transp_mask |= INPUT_TRANSP_MILTER; 5248 } 5249 5250 /* 5251 * Sanity checks. The queue_minfree value should be at least as large as 5252 * (process_limit * message_size_limit) but that is unpractical, so we 5253 * arbitrarily pick a small multiple of the per-message size limit. This 5254 * helps to avoid many unneeded (re)transmissions. 5255 */ 5256 if (var_queue_minfree > 0 5257 && var_message_limit > 0 5258 && var_queue_minfree / 1.5 < var_message_limit) 5259 msg_warn("%s(%lu) should be at least 1.5*%s(%lu)", 5260 VAR_QUEUE_MINFREE, (unsigned long) var_queue_minfree, 5261 VAR_MESSAGE_LIMIT, (unsigned long) var_message_limit); 5262 5263 /* 5264 * Connection rate management. 5265 */ 5266 if (var_smtpd_crate_limit || var_smtpd_cconn_limit 5267 || var_smtpd_cmail_limit || var_smtpd_crcpt_limit 5268 || var_smtpd_cntls_limit) 5269 anvil_clnt = anvil_clnt_create(); 5270 } 5271 5272 MAIL_VERSION_STAMP_DECLARE; 5273 5274 /* main - the main program */ 5275 5276 int main(int argc, char **argv) 5277 { 5278 static const CONFIG_NINT_TABLE nint_table[] = { 5279 VAR_SMTPD_SOFT_ERLIM, DEF_SMTPD_SOFT_ERLIM, &var_smtpd_soft_erlim, 1, 0, 5280 VAR_SMTPD_HARD_ERLIM, DEF_SMTPD_HARD_ERLIM, &var_smtpd_hard_erlim, 1, 0, 5281 VAR_SMTPD_JUNK_CMD, DEF_SMTPD_JUNK_CMD, &var_smtpd_junk_cmd_limit, 1, 0, 5282 VAR_VERIFY_POLL_COUNT, DEF_VERIFY_POLL_COUNT, &var_verify_poll_count, 1, 0, 5283 0, 5284 }; 5285 static const CONFIG_INT_TABLE int_table[] = { 5286 VAR_SMTPD_RCPT_LIMIT, DEF_SMTPD_RCPT_LIMIT, &var_smtpd_rcpt_limit, 1, 0, 5287 VAR_QUEUE_MINFREE, DEF_QUEUE_MINFREE, &var_queue_minfree, 0, 0, 5288 VAR_UNK_CLIENT_CODE, DEF_UNK_CLIENT_CODE, &var_unk_client_code, 0, 0, 5289 VAR_BAD_NAME_CODE, DEF_BAD_NAME_CODE, &var_bad_name_code, 0, 0, 5290 VAR_UNK_NAME_CODE, DEF_UNK_NAME_CODE, &var_unk_name_code, 0, 0, 5291 VAR_UNK_ADDR_CODE, DEF_UNK_ADDR_CODE, &var_unk_addr_code, 0, 0, 5292 VAR_RELAY_CODE, DEF_RELAY_CODE, &var_relay_code, 0, 0, 5293 VAR_MAPS_RBL_CODE, DEF_MAPS_RBL_CODE, &var_maps_rbl_code, 0, 0, 5294 VAR_MAP_REJECT_CODE, DEF_MAP_REJECT_CODE, &var_map_reject_code, 0, 0, 5295 VAR_MAP_DEFER_CODE, DEF_MAP_DEFER_CODE, &var_map_defer_code, 0, 0, 5296 VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code, 0, 0, 5297 VAR_DEFER_CODE, DEF_DEFER_CODE, &var_defer_code, 0, 0, 5298 VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, 0, 0, 5299 VAR_SMTPD_RCPT_OVERLIM, DEF_SMTPD_RCPT_OVERLIM, &var_smtpd_rcpt_overlim, 1, 0, 5300 VAR_SMTPD_HIST_THRSH, DEF_SMTPD_HIST_THRSH, &var_smtpd_hist_thrsh, 1, 0, 5301 VAR_UNV_FROM_RCODE, DEF_UNV_FROM_RCODE, &var_unv_from_rcode, 200, 599, 5302 VAR_UNV_RCPT_RCODE, DEF_UNV_RCPT_RCODE, &var_unv_rcpt_rcode, 200, 599, 5303 VAR_UNV_FROM_DCODE, DEF_UNV_FROM_DCODE, &var_unv_from_dcode, 200, 499, 5304 VAR_UNV_RCPT_DCODE, DEF_UNV_RCPT_DCODE, &var_unv_rcpt_dcode, 200, 499, 5305 VAR_MUL_RCPT_CODE, DEF_MUL_RCPT_CODE, &var_mul_rcpt_code, 0, 0, 5306 VAR_LOCAL_RCPT_CODE, DEF_LOCAL_RCPT_CODE, &var_local_rcpt_code, 0, 0, 5307 VAR_VIRT_ALIAS_CODE, DEF_VIRT_ALIAS_CODE, &var_virt_alias_code, 0, 0, 5308 VAR_VIRT_MAILBOX_CODE, DEF_VIRT_MAILBOX_CODE, &var_virt_mailbox_code, 0, 0, 5309 VAR_RELAY_RCPT_CODE, DEF_RELAY_RCPT_CODE, &var_relay_rcpt_code, 0, 0, 5310 VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, 0, 0, 5311 VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0, 5312 VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0, 5313 VAR_SMTPD_CMAIL_LIMIT, DEF_SMTPD_CMAIL_LIMIT, &var_smtpd_cmail_limit, 0, 0, 5314 VAR_SMTPD_CRCPT_LIMIT, DEF_SMTPD_CRCPT_LIMIT, &var_smtpd_crcpt_limit, 0, 0, 5315 VAR_SMTPD_CNTLS_LIMIT, DEF_SMTPD_CNTLS_LIMIT, &var_smtpd_cntls_limit, 0, 0, 5316 #ifdef USE_TLS 5317 VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0, 5318 #endif 5319 0, 5320 }; 5321 static const CONFIG_TIME_TABLE time_table[] = { 5322 VAR_SMTPD_TMOUT, DEF_SMTPD_TMOUT, &var_smtpd_tmout, 1, 0, 5323 VAR_SMTPD_ERR_SLEEP, DEF_SMTPD_ERR_SLEEP, &var_smtpd_err_sleep, 0, 0, 5324 VAR_SMTPD_PROXY_TMOUT, DEF_SMTPD_PROXY_TMOUT, &var_smtpd_proxy_tmout, 1, 0, 5325 VAR_VERIFY_POLL_DELAY, DEF_VERIFY_POLL_DELAY, &var_verify_poll_delay, 1, 0, 5326 VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0, 5327 VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0, 5328 VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0, 5329 #ifdef USE_TLS 5330 VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0, 5331 #endif 5332 VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, &var_milt_conn_time, 1, 0, 5333 VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, &var_milt_cmd_time, 1, 0, 5334 VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, &var_milt_msg_time, 1, 0, 5335 VAR_VERIFY_SENDER_TTL, DEF_VERIFY_SENDER_TTL, &var_verify_sender_ttl, 0, 0, 5336 VAR_SMTPD_UPROXY_TMOUT, DEF_SMTPD_UPROXY_TMOUT, &var_smtpd_uproxy_tmout, 1, 0, 5337 0, 5338 }; 5339 static const CONFIG_BOOL_TABLE bool_table[] = { 5340 VAR_HELO_REQUIRED, DEF_HELO_REQUIRED, &var_helo_required, 5341 VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject, 5342 VAR_STRICT_RFC821_ENV, DEF_STRICT_RFC821_ENV, &var_strict_rfc821_env, 5343 VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd, 5344 VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route, 5345 VAR_SMTPD_SASL_ENABLE, DEF_SMTPD_SASL_ENABLE, &var_smtpd_sasl_enable, 5346 VAR_SMTPD_SASL_AUTH_HDR, DEF_SMTPD_SASL_AUTH_HDR, &var_smtpd_sasl_auth_hdr, 5347 VAR_BROKEN_AUTH_CLNTS, DEF_BROKEN_AUTH_CLNTS, &var_broken_auth_clients, 5348 VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table, 5349 VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from, 5350 VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt, 5351 VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls, 5352 VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls, 5353 VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode, 5354 VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only, 5355 #ifdef USE_TLS 5356 VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert, 5357 VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert, 5358 VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header, 5359 VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid, 5360 #endif 5361 VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, 5362 VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, 5363 VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log, 5364 0, 5365 }; 5366 static const CONFIG_NBOOL_TABLE nbool_table[] = { 5367 VAR_SMTPD_REC_DEADLINE, DEF_SMTPD_REC_DEADLINE, &var_smtpd_rec_deadline, 5368 0, 5369 }; 5370 static const CONFIG_STR_TABLE str_table[] = { 5371 VAR_SMTPD_BANNER, DEF_SMTPD_BANNER, &var_smtpd_banner, 1, 0, 5372 VAR_NOTIFY_CLASSES, DEF_NOTIFY_CLASSES, &var_notify_classes, 0, 0, 5373 VAR_CLIENT_CHECKS, DEF_CLIENT_CHECKS, &var_client_checks, 0, 0, 5374 VAR_HELO_CHECKS, DEF_HELO_CHECKS, &var_helo_checks, 0, 0, 5375 VAR_MAIL_CHECKS, DEF_MAIL_CHECKS, &var_mail_checks, 0, 0, 5376 VAR_RELAY_CHECKS, DEF_RELAY_CHECKS, &var_relay_checks, 0, 0, 5377 VAR_RCPT_CHECKS, DEF_RCPT_CHECKS, &var_rcpt_checks, 0, 0, 5378 VAR_ETRN_CHECKS, DEF_ETRN_CHECKS, &var_etrn_checks, 0, 0, 5379 VAR_DATA_CHECKS, DEF_DATA_CHECKS, &var_data_checks, 0, 0, 5380 VAR_EOD_CHECKS, DEF_EOD_CHECKS, &var_eod_checks, 0, 0, 5381 VAR_MAPS_RBL_DOMAINS, DEF_MAPS_RBL_DOMAINS, &var_maps_rbl_domains, 0, 0, 5382 VAR_RBL_REPLY_MAPS, DEF_RBL_REPLY_MAPS, &var_rbl_reply_maps, 0, 0, 5383 VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0, 5384 VAR_REST_CLASSES, DEF_REST_CLASSES, &var_rest_classes, 0, 0, 5385 VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0, 5386 VAR_RCPT_CANON_MAPS, DEF_RCPT_CANON_MAPS, &var_rcpt_canon_maps, 0, 0, 5387 VAR_VIRT_ALIAS_MAPS, DEF_VIRT_ALIAS_MAPS, &var_virt_alias_maps, 0, 0, 5388 VAR_VIRT_MAILBOX_MAPS, DEF_VIRT_MAILBOX_MAPS, &var_virt_mailbox_maps, 0, 0, 5389 VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0, 5390 VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0, 5391 VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0, 5392 VAR_SMTPD_SASL_PATH, DEF_SMTPD_SASL_PATH, &var_smtpd_sasl_path, 1, 0, 5393 VAR_SMTPD_SASL_SERVICE, DEF_SMTPD_SASL_SERVICE, &var_smtpd_sasl_service, 1, 0, 5394 VAR_CYRUS_CONF_PATH, DEF_CYRUS_CONF_PATH, &var_cyrus_conf_path, 0, 0, 5395 VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 0, 0, 5396 VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS, DEF_SMTPD_SASL_EXCEPTIONS_NETWORKS, &var_smtpd_sasl_exceptions_networks, 0, 0, 5397 VAR_FILTER_XPORT, DEF_FILTER_XPORT, &var_filter_xport, 0, 0, 5398 VAR_PERM_MX_NETWORKS, DEF_PERM_MX_NETWORKS, &var_perm_mx_networks, 0, 0, 5399 VAR_SMTPD_SND_AUTH_MAPS, DEF_SMTPD_SND_AUTH_MAPS, &var_smtpd_snd_auth_maps, 0, 0, 5400 VAR_SMTPD_NOOP_CMDS, DEF_SMTPD_NOOP_CMDS, &var_smtpd_noop_cmds, 0, 0, 5401 VAR_SMTPD_FORBID_CMDS, DEF_SMTPD_FORBID_CMDS, &var_smtpd_forbid_cmds, 0, 0, 5402 VAR_SMTPD_NULL_KEY, DEF_SMTPD_NULL_KEY, &var_smtpd_null_key, 0, 0, 5403 VAR_RELAY_RCPT_MAPS, DEF_RELAY_RCPT_MAPS, &var_relay_rcpt_maps, 0, 0, 5404 VAR_VERIFY_SENDER, DEF_VERIFY_SENDER, &var_verify_sender, 0, 0, 5405 VAR_VERP_CLIENTS, DEF_VERP_CLIENTS, &var_verp_clients, 0, 0, 5406 VAR_SMTPD_PROXY_FILT, DEF_SMTPD_PROXY_FILT, &var_smtpd_proxy_filt, 0, 0, 5407 VAR_SMTPD_PROXY_EHLO, DEF_SMTPD_PROXY_EHLO, &var_smtpd_proxy_ehlo, 0, 0, 5408 VAR_SMTPD_PROXY_OPTS, DEF_SMTPD_PROXY_OPTS, &var_smtpd_proxy_opts, 0, 0, 5409 VAR_INPUT_TRANSP, DEF_INPUT_TRANSP, &var_input_transp, 0, 0, 5410 VAR_XCLIENT_HOSTS, DEF_XCLIENT_HOSTS, &var_xclient_hosts, 0, 0, 5411 VAR_XFORWARD_HOSTS, DEF_XFORWARD_HOSTS, &var_xforward_hosts, 0, 0, 5412 VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0, 5413 VAR_LOC_RWR_CLIENTS, DEF_LOC_RWR_CLIENTS, &var_local_rwr_clients, 0, 0, 5414 VAR_SMTPD_EHLO_DIS_WORDS, DEF_SMTPD_EHLO_DIS_WORDS, &var_smtpd_ehlo_dis_words, 0, 0, 5415 VAR_SMTPD_EHLO_DIS_MAPS, DEF_SMTPD_EHLO_DIS_MAPS, &var_smtpd_ehlo_dis_maps, 0, 0, 5416 #ifdef USE_TLS 5417 VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_smtpd_relay_ccerts, 0, 0, 5418 VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0, 5419 VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0, 5420 VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0, 5421 VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0, 5422 VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0, 5423 VAR_SMTPD_TLS_ECCERT_FILE, DEF_SMTPD_TLS_ECCERT_FILE, &var_smtpd_tls_eccert_file, 0, 0, 5424 VAR_SMTPD_TLS_ECKEY_FILE, DEF_SMTPD_TLS_ECKEY_FILE, &var_smtpd_tls_eckey_file, 0, 0, 5425 VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0, 5426 VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0, 5427 VAR_SMTPD_TLS_CIPH, DEF_SMTPD_TLS_CIPH, &var_smtpd_tls_ciph, 1, 0, 5428 VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0, 5429 VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0, 5430 VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0, 5431 VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_proto, 0, 0, 5432 VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0, 5433 VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0, 5434 VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0, 5435 VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0, 5436 VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0, 5437 VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0, 5438 #endif 5439 VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0, 5440 VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0, 5441 VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0, 5442 VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0, 5443 VAR_MILT_HELO_MACROS, DEF_MILT_HELO_MACROS, &var_milt_helo_macros, 0, 0, 5444 VAR_MILT_MAIL_MACROS, DEF_MILT_MAIL_MACROS, &var_milt_mail_macros, 0, 0, 5445 VAR_MILT_RCPT_MACROS, DEF_MILT_RCPT_MACROS, &var_milt_rcpt_macros, 0, 0, 5446 VAR_MILT_DATA_MACROS, DEF_MILT_DATA_MACROS, &var_milt_data_macros, 0, 0, 5447 VAR_MILT_EOH_MACROS, DEF_MILT_EOH_MACROS, &var_milt_eoh_macros, 0, 0, 5448 VAR_MILT_EOD_MACROS, DEF_MILT_EOD_MACROS, &var_milt_eod_macros, 0, 0, 5449 VAR_MILT_UNK_MACROS, DEF_MILT_UNK_MACROS, &var_milt_unk_macros, 0, 0, 5450 VAR_MILT_PROTOCOL, DEF_MILT_PROTOCOL, &var_milt_protocol, 1, 0, 5451 VAR_MILT_DEF_ACTION, DEF_MILT_DEF_ACTION, &var_milt_def_action, 1, 0, 5452 VAR_MILT_DAEMON_NAME, DEF_MILT_DAEMON_NAME, &var_milt_daemon_name, 1, 0, 5453 VAR_MILT_V, DEF_MILT_V, &var_milt_v, 1, 0, 5454 VAR_STRESS, DEF_STRESS, &var_stress, 0, 0, 5455 VAR_UNV_FROM_WHY, DEF_UNV_FROM_WHY, &var_unv_from_why, 0, 0, 5456 VAR_UNV_RCPT_WHY, DEF_UNV_RCPT_WHY, &var_unv_rcpt_why, 0, 0, 5457 VAR_REJECT_TMPF_ACT, DEF_REJECT_TMPF_ACT, &var_reject_tmpf_act, 1, 0, 5458 VAR_UNK_NAME_TF_ACT, DEF_UNK_NAME_TF_ACT, &var_unk_name_tf_act, 1, 0, 5459 VAR_UNK_ADDR_TF_ACT, DEF_UNK_ADDR_TF_ACT, &var_unk_addr_tf_act, 1, 0, 5460 VAR_UNV_RCPT_TF_ACT, DEF_UNV_RCPT_TF_ACT, &var_unv_rcpt_tf_act, 1, 0, 5461 VAR_UNV_FROM_TF_ACT, DEF_UNV_FROM_TF_ACT, &var_unv_from_tf_act, 1, 0, 5462 VAR_SMTPD_CMD_FILTER, DEF_SMTPD_CMD_FILTER, &var_smtpd_cmd_filter, 0, 0, 5463 #ifdef USE_TLSPROXY 5464 VAR_TLSPROXY_SERVICE, DEF_TLSPROXY_SERVICE, &var_tlsproxy_service, 1, 0, 5465 #endif 5466 VAR_SMTPD_ACL_PERM_LOG, DEF_SMTPD_ACL_PERM_LOG, &var_smtpd_acl_perm_log, 0, 0, 5467 VAR_SMTPD_UPROXY_PROTO, DEF_SMTPD_UPROXY_PROTO, &var_smtpd_uproxy_proto, 0, 0, 5468 0, 5469 }; 5470 static const CONFIG_RAW_TABLE raw_table[] = { 5471 VAR_SMTPD_EXP_FILTER, DEF_SMTPD_EXP_FILTER, &var_smtpd_exp_filter, 1, 0, 5472 VAR_DEF_RBL_REPLY, DEF_DEF_RBL_REPLY, &var_def_rbl_reply, 1, 0, 5473 VAR_SMTPD_REJ_FOOTER, DEF_SMTPD_REJ_FOOTER, &var_smtpd_rej_footer, 0, 0, 5474 0, 5475 }; 5476 5477 /* 5478 * Fingerprint executables and core dumps. 5479 */ 5480 MAIL_VERSION_STAMP_ALLOCATE; 5481 5482 /* 5483 * Pass control to the single-threaded service skeleton. 5484 */ 5485 single_server_main(argc, argv, smtpd_service, 5486 MAIL_SERVER_NINT_TABLE, nint_table, 5487 MAIL_SERVER_INT_TABLE, int_table, 5488 MAIL_SERVER_STR_TABLE, str_table, 5489 MAIL_SERVER_RAW_TABLE, raw_table, 5490 MAIL_SERVER_BOOL_TABLE, bool_table, 5491 MAIL_SERVER_NBOOL_TABLE, nbool_table, 5492 MAIL_SERVER_TIME_TABLE, time_table, 5493 MAIL_SERVER_PRE_INIT, pre_jail_init, 5494 MAIL_SERVER_PRE_ACCEPT, pre_accept, 5495 MAIL_SERVER_POST_INIT, post_jail_init, 5496 0); 5497 } 5498