1/*++ 2/* NAME 3/* smtp_connect 3 4/* SUMMARY 5/* connect to SMTP/LMTP server and deliver 6/* SYNOPSIS 7/* #include "smtp.h" 8/* 9/* int smtp_connect(state) 10/* SMTP_STATE *state; 11/* DESCRIPTION 12/* This module implements SMTP/LMTP connection management and controls 13/* mail delivery. 14/* 15/* smtp_connect() attempts to establish an SMTP/LMTP session with a host 16/* that represents the destination domain, or with an optional fallback 17/* relay when {the destination cannot be found, or when all the 18/* destination servers are unavailable}. It skips over IP addresses 19/* that fail to complete the SMTP/LMTP handshake and tries to find 20/* an alternate server when an SMTP/LMTP session fails to deliver. 21/* 22/* This layer also controls what connections are retrieved from 23/* the connection cache, and what connections are saved to the cache. 24/* 25/* The destination is either a host (or domain) name or a numeric 26/* address. Symbolic or numeric service port information may be 27/* appended, separated by a colon (":"). In the case of LMTP, 28/* destinations may be specified as "unix:pathname", "inet:host" 29/* or "inet:host:port". 30/* 31/* With SMTP, the Internet domain name service is queried for mail 32/* exchanger hosts. Quote the domain name with `[' and `]' to 33/* suppress mail exchanger lookups. 34/* 35/* Numerical address information should always be quoted with `[]'. 36/* DIAGNOSTICS 37/* The delivery status is the result value. 38/* SEE ALSO 39/* smtp_proto(3) SMTP client protocol 40/* LICENSE 41/* .ad 42/* .fi 43/* The Secure Mailer license must be distributed with this software. 44/* AUTHOR(S) 45/* Wietse Venema 46/* IBM T.J. Watson Research 47/* P.O. Box 704 48/* Yorktown Heights, NY 10598, USA 49/* 50/* Connection caching in cooperation with: 51/* Victor Duchovni 52/* Morgan Stanley 53/*--*/ 54 55/* System library. */ 56 57#include <sys_defs.h> 58#include <stdlib.h> 59#include <sys/socket.h> 60#include <sys/un.h> 61#include <netinet/in.h> 62#include <arpa/inet.h> 63#include <errno.h> 64#include <netdb.h> 65#include <stdlib.h> 66#include <string.h> 67#include <unistd.h> 68#include <fcntl.h> 69#include <ctype.h> 70 71#ifndef IPPORT_SMTP 72#define IPPORT_SMTP 25 73#endif 74 75/* Utility library. */ 76 77#include <msg.h> 78#include <vstream.h> 79#include <vstring.h> 80#include <split_at.h> 81#include <mymalloc.h> 82#include <inet_addr_list.h> 83#include <iostuff.h> 84#include <timed_connect.h> 85#include <stringops.h> 86#include <host_port.h> 87#include <sane_connect.h> 88#include <myaddrinfo.h> 89#include <sock_addr.h> 90#include <inet_proto.h> 91 92/* Global library. */ 93 94#include <mail_params.h> 95#include <own_inet_addr.h> 96#include <deliver_pass.h> 97#include <mail_error.h> 98#include <dsn_buf.h> 99#include <mail_addr.h> 100 101/* DNS library. */ 102 103#include <dns.h> 104 105/* Application-specific. */ 106 107#include <smtp.h> 108#include <smtp_addr.h> 109#include <smtp_reuse.h> 110 111 /* 112 * Forward declaration. 113 */ 114static SMTP_SESSION *smtp_connect_sock(int, struct sockaddr *, int, 115 SMTP_ITERATOR *, DSN_BUF *, 116 int); 117 118/* smtp_connect_unix - connect to UNIX-domain address */ 119 120static SMTP_SESSION *smtp_connect_unix(SMTP_ITERATOR *iter, DSN_BUF *why, 121 int sess_flags) 122{ 123 const char *myname = "smtp_connect_unix"; 124 struct sockaddr_un sock_un; 125 const char *addr = STR(iter->addr); 126 int len = strlen(addr); 127 int sock; 128 129 dsb_reset(why); /* Paranoia */ 130 131 /* 132 * Sanity checks. 133 */ 134 if (len >= (int) sizeof(sock_un.sun_path)) { 135 msg_warn("unix-domain name too long: %s", addr); 136 dsb_simple(why, "4.3.5", "Server configuration error"); 137 return (0); 138 } 139 140 /* 141 * Initialize. 142 */ 143 memset((char *) &sock_un, 0, sizeof(sock_un)); 144 sock_un.sun_family = AF_UNIX; 145#ifdef HAS_SUN_LEN 146 sock_un.sun_len = len + 1; 147#endif 148 memcpy(sock_un.sun_path, addr, len + 1); 149 150 /* 151 * Create a client socket. 152 */ 153 if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) 154 msg_fatal("%s: socket: %m", myname); 155 156 /* 157 * Connect to the server. 158 */ 159 if (msg_verbose) 160 msg_info("%s: trying: %s...", myname, addr); 161 162 return (smtp_connect_sock(sock, (struct sockaddr *) &sock_un, 163 sizeof(sock_un), iter, why, sess_flags)); 164} 165 166/* smtp_connect_addr - connect to explicit address */ 167 168static SMTP_SESSION *smtp_connect_addr(SMTP_ITERATOR *iter, DSN_BUF *why, 169 int sess_flags) 170{ 171 const char *myname = "smtp_connect_addr"; 172 struct sockaddr_storage ss; /* remote */ 173 struct sockaddr *sa = (struct sockaddr *) &ss; 174 SOCKADDR_SIZE salen = sizeof(ss); 175 MAI_HOSTADDR_STR hostaddr; 176 DNS_RR *addr = iter->rr; 177 unsigned port = iter->port; 178 int sock; 179 char *bind_addr; 180 char *bind_var; 181 182 dsb_reset(why); /* Paranoia */ 183 184 /* 185 * Sanity checks. 186 */ 187 if (dns_rr_to_sa(addr, port, sa, &salen) != 0) { 188 msg_warn("%s: skip address type %s: %m", 189 myname, dns_strtype(addr->type)); 190 dsb_simple(why, "4.4.0", "network address conversion failed: %m"); 191 return (0); 192 } 193 194 /* 195 * Initialize. 196 */ 197 if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) 198 msg_fatal("%s: socket: %m", myname); 199 200 if (inet_windowsize > 0) 201 set_inet_windowsize(sock, inet_windowsize); 202 203 /* 204 * Allow the sysadmin to specify the source address, for example, as "-o 205 * smtp_bind_address=x.x.x.x" in the master.cf file. 206 */ 207#ifdef HAS_IPV6 208 if (sa->sa_family == AF_INET6) { 209 bind_addr = var_smtp_bind_addr6; 210 bind_var = SMTP_X(BIND_ADDR6); 211 } else 212#endif 213 if (sa->sa_family == AF_INET) { 214 bind_addr = var_smtp_bind_addr; 215 bind_var = SMTP_X(BIND_ADDR); 216 } else 217 bind_var = bind_addr = ""; 218 if (*bind_addr) { 219 int aierr; 220 struct addrinfo *res0; 221 222 if ((aierr = hostaddr_to_sockaddr(bind_addr, (char *) 0, 0, &res0)) != 0) 223 msg_fatal("%s: bad %s parameter: %s: %s", 224 myname, bind_var, bind_addr, MAI_STRERROR(aierr)); 225 if (bind(sock, res0->ai_addr, res0->ai_addrlen) < 0) 226 msg_warn("%s: bind %s: %m", myname, bind_addr); 227 else if (msg_verbose) 228 msg_info("%s: bind %s", myname, bind_addr); 229 freeaddrinfo(res0); 230 } 231 232 /* 233 * When running as a virtual host, bind to the virtual interface so that 234 * the mail appears to come from the "right" machine address. 235 * 236 * XXX The IPv6 patch expands the null host (as client endpoint) and uses 237 * the result as the loopback address list. 238 */ 239 else { 240 int count = 0; 241 struct sockaddr *own_addr = 0; 242 INET_ADDR_LIST *addr_list = own_inet_addr_list(); 243 struct sockaddr_storage *s; 244 245 for (s = addr_list->addrs; s < addr_list->addrs + addr_list->used; s++) { 246 if (SOCK_ADDR_FAMILY(s) == sa->sa_family) { 247 if (count++ > 0) 248 break; 249 own_addr = SOCK_ADDR_PTR(s); 250 } 251 } 252 if (count == 1 && !sock_addr_in_loopback(own_addr)) { 253 if (bind(sock, own_addr, SOCK_ADDR_LEN(own_addr)) < 0) { 254 SOCKADDR_TO_HOSTADDR(own_addr, SOCK_ADDR_LEN(own_addr), 255 &hostaddr, (MAI_SERVPORT_STR *) 0, 0); 256 msg_warn("%s: bind %s: %m", myname, hostaddr.buf); 257 } else if (msg_verbose) { 258 SOCKADDR_TO_HOSTADDR(own_addr, SOCK_ADDR_LEN(own_addr), 259 &hostaddr, (MAI_SERVPORT_STR *) 0, 0); 260 msg_info("%s: bind %s", myname, hostaddr.buf); 261 } 262 } 263 } 264 265 /* 266 * Connect to the server. 267 */ 268 if (msg_verbose) 269 msg_info("%s: trying: %s[%s] port %d...", 270 myname, STR(iter->host), STR(iter->addr), ntohs(port)); 271 272 return (smtp_connect_sock(sock, sa, salen, iter, why, sess_flags)); 273} 274 275/* smtp_connect_sock - connect a socket over some transport */ 276 277static SMTP_SESSION *smtp_connect_sock(int sock, struct sockaddr *sa, 278 int salen, 279 SMTP_ITERATOR *iter, 280 DSN_BUF *why, 281 int sess_flags) 282{ 283 int conn_stat; 284 int saved_errno; 285 VSTREAM *stream; 286 time_t start_time; 287 const char *name = STR(iter->host); 288 const char *addr = STR(iter->addr); 289 unsigned port = iter->port; 290 291 start_time = time((time_t *) 0); 292 if (var_smtp_conn_tmout > 0) { 293 non_blocking(sock, NON_BLOCKING); 294 conn_stat = timed_connect(sock, sa, salen, var_smtp_conn_tmout); 295 saved_errno = errno; 296 non_blocking(sock, BLOCKING); 297 errno = saved_errno; 298 } else { 299 conn_stat = sane_connect(sock, sa, salen); 300 } 301 if (conn_stat < 0) { 302 if (port) 303 dsb_simple(why, "4.4.1", "connect to %s[%s]:%d: %m", 304 name, addr, ntohs(port)); 305 else 306 dsb_simple(why, "4.4.1", "connect to %s[%s]: %m", name, addr); 307 close(sock); 308 return (0); 309 } 310 stream = vstream_fdopen(sock, O_RDWR); 311 312 /* 313 * Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. 314 */ 315 if (sa->sa_family == AF_INET 316#ifdef AF_INET6 317 || sa->sa_family == AF_INET6 318#endif 319 ) 320 vstream_tweak_tcp(stream); 321 322 /* 323 * Bundle up what we have into a nice SMTP_SESSION object. 324 */ 325 return (smtp_session_alloc(stream, iter, start_time, sess_flags)); 326} 327 328/* smtp_parse_destination - parse host/port destination */ 329 330static char *smtp_parse_destination(char *destination, char *def_service, 331 char **hostp, unsigned *portp) 332{ 333 char *buf = mystrdup(destination); 334 char *service; 335 struct servent *sp; 336 char *protocol = "tcp"; /* XXX configurable? */ 337 unsigned port; 338 const char *err; 339 340 if (msg_verbose) 341 msg_info("smtp_parse_destination: %s %s", destination, def_service); 342 343 /* 344 * Parse the host/port information. We're working with a copy of the 345 * destination argument so the parsing can be destructive. 346 */ 347 if ((err = host_port(buf, hostp, (char *) 0, &service, def_service)) != 0) 348 msg_fatal("%s in server description: %s", err, destination); 349 350 /* 351 * Convert service to port number, network byte order. 352 */ 353 if (alldig(service)) { 354 if ((port = atoi(service)) >= 65536 || port == 0) 355 msg_fatal("bad network port in destination: %s", destination); 356 *portp = htons(port); 357 } else { 358 if ((sp = getservbyname(service, protocol)) == 0) 359 msg_fatal("unknown service: %s/%s", service, protocol); 360 *portp = sp->s_port; 361 } 362 return (buf); 363} 364 365/* smtp_cleanup_session - clean up after using a session */ 366 367static void smtp_cleanup_session(SMTP_STATE *state) 368{ 369 DELIVER_REQUEST *request = state->request; 370 SMTP_SESSION *session = state->session; 371 int bad_session; 372 373 /* 374 * Inform the postmaster of trouble. 375 * 376 * XXX Don't send notifications about errors while sending notifications. 377 */ 378#define POSSIBLE_NOTIFICATION(sender) \ 379 (*sender == 0 || strcmp(sender, mail_addr_double_bounce()) == 0) 380 381 if (session->history != 0 382 && (session->error_mask & name_mask(VAR_NOTIFY_CLASSES, 383 mail_error_masks, 384 var_notify_classes)) != 0 385 && POSSIBLE_NOTIFICATION(request->sender) == 0) 386 smtp_chat_notify(session); 387 388 /* 389 * When session caching is enabled, cache the first good session for this 390 * delivery request under the next-hop destination, and cache all good 391 * sessions under their server network address (destroying the session in 392 * the process). 393 * 394 * Caching under the next-hop destination name (rather than the fall-back 395 * destination) allows us to skip over non-responding primary or backup 396 * hosts. In fact, this is the only benefit of caching logical to 397 * physical bindings; caching a session under its own hostname provides 398 * no performance benefit, given the way smtp_connect() works. 399 */ 400 bad_session = THIS_SESSION_IS_BAD; /* smtp_quit() may fail */ 401 if (THIS_SESSION_IS_EXPIRED) 402 smtp_quit(state); /* also disables caching */ 403 if (THIS_SESSION_IS_CACHED 404 /* Redundant tests for safety... */ 405 && vstream_ferror(session->stream) == 0 406 && vstream_feof(session->stream) == 0) { 407 smtp_save_session(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL, 408 SMTP_KEY_MASK_SCACHE_ENDP_LABEL); 409 } else { 410 smtp_session_free(session); 411 } 412 state->session = 0; 413 414 /* 415 * If this session was good, reset the logical next-hop state, so that we 416 * won't cache connections to alternate servers under the logical 417 * next-hop destination. Otherwise we could end up skipping over the 418 * available and more preferred servers. 419 */ 420 if (HAVE_NEXTHOP_STATE(state) && !bad_session) 421 FREE_NEXTHOP_STATE(state); 422 423 /* 424 * Clean up the lists with todo and dropped recipients. 425 */ 426 smtp_rcpt_cleanup(state); 427 428 /* 429 * Reset profiling info. 430 * 431 * XXX When one delivery request results in multiple sessions, the set-up 432 * and transmission latencies of the earlier sessions will count as 433 * connection set-up time for the later sessions. 434 * 435 * XXX On the other hand, when we first try to connect to one or more dead 436 * hosts before we reach a good host, then all that time must be counted 437 * as connection set-up time for the session with the good host. 438 * 439 * XXX So this set-up attribution problem exists only when we actually 440 * engage in a session, spend a lot of time delivering a message, find 441 * that it fails, and then connect to an alternate host. 442 */ 443 memset((char *) &request->msg_stats.conn_setup_done, 0, 444 sizeof(request->msg_stats.conn_setup_done)); 445 memset((char *) &request->msg_stats.deliver_done, 0, 446 sizeof(request->msg_stats.deliver_done)); 447 request->msg_stats.reuse_count = 0; 448} 449 450static void smtp_cache_policy(SMTP_STATE *state, const char *dest) 451{ 452 DELIVER_REQUEST *request = state->request; 453 454 state->misc_flags &= ~SMTP_MISC_FLAG_CONN_CACHE_MASK; 455 456 if (smtp_cache_dest && string_list_match(smtp_cache_dest, dest)) { 457 state->misc_flags |= SMTP_MISC_FLAG_CONN_CACHE_MASK; 458 } else if (var_smtp_cache_demand) { 459 if (request->flags & DEL_REQ_FLAG_CONN_LOAD) 460 state->misc_flags |= SMTP_MISC_FLAG_CONN_LOAD; 461 if (request->flags & DEL_REQ_FLAG_CONN_STORE) 462 state->misc_flags |= SMTP_MISC_FLAG_CONN_STORE; 463 } 464} 465 466/* smtp_connect_local - connect to local server */ 467 468static void smtp_connect_local(SMTP_STATE *state, const char *path) 469{ 470 const char *myname = "smtp_connect_local"; 471 SMTP_ITERATOR *iter = state->iterator; 472 SMTP_SESSION *session; 473 DSN_BUF *why = state->why; 474 475 /* 476 * It's too painful to weave this code into the SMTP connection 477 * management routine. 478 * 479 * Connection cache management is based on the UNIX-domain pathname, without 480 * the "unix:" prefix. 481 */ 482 smtp_cache_policy(state, path); 483 484 /* 485 * Here we ensure that the iter->addr member refers to a copy of the 486 * UNIX-domain pathname, so that smtp_save_session() will cache the 487 * connection using the pathname as the physical endpoint name. 488 * 489 * We set dest=path for backwards compatibility. 490 */ 491#define NO_PORT 0 492 493 SMTP_ITER_INIT(iter, path, var_myhostname, path, NO_PORT, state); 494 495 /* 496 * Opportunistic TLS for unix domain sockets does not make much sense, 497 * since the channel is private, mere encryption without authentication 498 * is just wasted cycles and opportunity for breakage. Since we are not 499 * willing to retry after TLS handshake failures here, we downgrade "may" 500 * no "none". Nothing is lost, and much waste is avoided. 501 * 502 * We don't know who is authenticating whom, so if a client cert is 503 * available, "encrypt" may be a sensible policy. Otherwise, we also 504 * downgrade "encrypt" to "none", this time just to avoid waste. 505 * 506 * We use smtp_reuse_nexthop() instead of smtp_reuse_addr(), so that we can 507 * reuse a SASL-authenticated connection (however unlikely this scenario 508 * may be). The smtp_reuse_addr() interface currently supports only reuse 509 * of SASL-unauthenticated connections. 510 */ 511#ifdef USE_TLS 512 if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { 513 msg_info("TLS policy lookup error for %s/%s: %s", 514 STR(iter->host), STR(iter->addr), STR(why->reason)); 515 return; 516 } 517#endif 518 if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0 519 || (session = smtp_reuse_nexthop(state, 520 SMTP_KEY_MASK_SCACHE_DEST_LABEL)) == 0) 521 session = smtp_connect_unix(iter, why, state->misc_flags); 522 if ((state->session = session) != 0) { 523 session->state = state; 524#ifdef USE_TLS 525 session->tls = state->tls; /* TEMPORARY */ 526 session->tls_nexthop = var_myhostname; /* for TLS_LEV_SECURE */ 527 if (session->tls->level == TLS_LEV_MAY) { 528 msg_warn("%s: opportunistic TLS encryption is not appropriate " 529 "for unix-domain destinations.", myname); 530 session->tls->level = TLS_LEV_NONE; 531 } 532#endif 533 /* All delivery errors bounce or defer. */ 534 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 535 536 /* 537 * When a TLS handshake fails, the stream is marked "dead" to avoid 538 * further I/O over a broken channel. 539 */ 540 if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0 541 && smtp_helo(state) != 0) { 542 if (!THIS_SESSION_IS_DEAD 543 && vstream_ferror(session->stream) == 0 544 && vstream_feof(session->stream) == 0) 545 smtp_quit(state); 546 } else { 547 smtp_xfer(state); 548 } 549 550 /* 551 * With opportunistic TLS disabled we don't expect to be asked to 552 * retry connections without TLS, and so we expect the final server 553 * flag to stay on. 554 */ 555 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_SERVER) == 0) 556 msg_panic("%s: unix-domain destination not final!", myname); 557 smtp_cleanup_session(state); 558 } 559} 560 561/* smtp_scrub_address_list - delete all cached addresses from list */ 562 563static void smtp_scrub_addr_list(HTABLE *cached_addr, DNS_RR **addr_list) 564{ 565 MAI_HOSTADDR_STR hostaddr; 566 DNS_RR *addr; 567 DNS_RR *next; 568 569 /* 570 * XXX Extend the DNS_RR structure with fields for the printable address 571 * and/or binary sockaddr representations, so that we can avoid repeated 572 * binary->string transformations for the same address. 573 */ 574 for (addr = *addr_list; addr; addr = next) { 575 next = addr->next; 576 if (dns_rr_to_pa(addr, &hostaddr) == 0) { 577 msg_warn("cannot convert type %s record to printable address", 578 dns_strtype(addr->type)); 579 continue; 580 } 581 if (htable_locate(cached_addr, hostaddr.buf)) 582 *addr_list = dns_rr_remove(*addr_list, addr); 583 } 584} 585 586/* smtp_update_addr_list - common address list update */ 587 588static void smtp_update_addr_list(DNS_RR **addr_list, const char *server_addr, 589 int session_count) 590{ 591 DNS_RR *addr; 592 DNS_RR *next; 593 int aierr; 594 struct addrinfo *res0; 595 596 if (*addr_list == 0) 597 return; 598 599 /* 600 * Truncate the address list if we are not going to use it anyway. 601 */ 602 if (session_count == var_smtp_mxsess_limit 603 || session_count == var_smtp_mxaddr_limit) { 604 dns_rr_free(*addr_list); 605 *addr_list = 0; 606 return; 607 } 608 609 /* 610 * Convert server address to internal form, and look it up in the address 611 * list. 612 * 613 * XXX smtp_reuse_session() breaks if we remove two or more adjacent list 614 * elements but do not truncate the list to zero length. 615 * 616 * XXX Extend the SMTP_SESSION structure with sockaddr information so that 617 * we can avoid repeated string->binary transformations for the same 618 * address. 619 */ 620 if ((aierr = hostaddr_to_sockaddr(server_addr, (char *) 0, 0, &res0)) != 0) { 621 msg_warn("hostaddr_to_sockaddr %s: %s", 622 server_addr, MAI_STRERROR(aierr)); 623 } else { 624 for (addr = *addr_list; addr; addr = next) { 625 next = addr->next; 626 if (DNS_RR_EQ_SA(addr, (struct sockaddr *) res0->ai_addr)) { 627 *addr_list = dns_rr_remove(*addr_list, addr); 628 break; 629 } 630 } 631 freeaddrinfo(res0); 632 } 633} 634 635/* smtp_reuse_session - try to use existing connection, return session count */ 636 637static int smtp_reuse_session(SMTP_STATE *state, DNS_RR **addr_list, 638 int domain_best_pref) 639{ 640 int session_count = 0; 641 DNS_RR *addr; 642 DNS_RR *next; 643 MAI_HOSTADDR_STR hostaddr; 644 SMTP_SESSION *session; 645 SMTP_ITERATOR *iter = state->iterator; 646 DSN_BUF *why = state->why; 647 648 /* 649 * First, search the cache by request nexthop. We truncate the server 650 * address list when all the sessions for this destination are used up, 651 * to reduce the number of variables that need to be checked later. 652 * 653 * Note: lookup by logical destination restores the "best MX" bit. 654 * 655 * smtp_reuse_nexthop() clobbers the iterators's "dest" attribute. We save 656 * and restore it here, so that subsequent connections will use the 657 * proper nexthop information. 658 * 659 * We request a dummy "TLS disabled" policy for connection-cache lookup by 660 * request nexthop only. If we find a saved connection, then we know that 661 * plaintext was permitted, because we never save a connection after 662 * turning on TLS. 663 */ 664#ifdef USE_TLS 665 smtp_tls_policy_dummy(state->tls); 666#endif 667 SMTP_ITER_SAVE_DEST(state->iterator); 668 if (*addr_list && SMTP_RCPT_LEFT(state) > 0 669 && (session = smtp_reuse_nexthop(state, SMTP_KEY_MASK_SCACHE_DEST_LABEL)) != 0) { 670 session_count = 1; 671 smtp_update_addr_list(addr_list, STR(iter->addr), session_count); 672 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 673 && *addr_list == 0) 674 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 675#ifdef USE_TLS 676 session->tls = state->tls; /* TEMPORARY */ 677#endif 678 smtp_xfer(state); 679 smtp_cleanup_session(state); 680 } 681 SMTP_ITER_RESTORE_DEST(state->iterator); 682 683 /* 684 * Second, search the cache by primary MX address. Again, we use address 685 * list truncation so that we have to check fewer variables later. 686 * 687 * XXX This loop is safe because smtp_update_addr_list() either truncates 688 * the list to zero length, or removes at most one list element. 689 * 690 * Currently, we use smtp_reuse_addr() only for SASL-unauthenticated 691 * connections. Furthermore, we rely on smtp_reuse_addr() to look up an 692 * existing SASL-unauthenticated connection only when a new connection 693 * would be guaranteed not to require SASL authentication. 694 * 695 * In addition, we rely on smtp_reuse_addr() to look up an existing 696 * plaintext connection only when a new connection would be guaranteed 697 * not to use TLS. 698 * 699 * For more precise control over reuse, the iterator should look up SASL and 700 * TLS policy as it evaluates mail exchangers in order, instead of 701 * relying on duplicate lookup request code in smtp_reuse(3) and 702 * smtp_session(3). 703 */ 704 for (addr = *addr_list; SMTP_RCPT_LEFT(state) > 0 && addr; addr = next) { 705 if (addr->pref != domain_best_pref) 706 break; 707 next = addr->next; 708 if (dns_rr_to_pa(addr, &hostaddr) == 0) { 709 msg_warn("cannot convert type %s record to printable address", 710 dns_strtype(addr->type)); 711 /* XXX Assume there is no code at the end of this loop. */ 712 continue; 713 } 714 vstring_strcpy(iter->addr, hostaddr.buf); 715 vstring_strcpy(iter->host, SMTP_HNAME(addr)); 716 iter->rr = addr; 717#ifdef USE_TLS 718 if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { 719 msg_info("TLS policy lookup error for %s/%s: %s", 720 STR(iter->dest), STR(iter->host), STR(why->reason)); 721 continue; 722 /* XXX Assume there is no code at the end of this loop. */ 723 } 724#endif 725 if ((session = smtp_reuse_addr(state, 726 SMTP_KEY_MASK_SCACHE_ENDP_LABEL)) != 0) { 727 session->features |= SMTP_FEATURE_BEST_MX; 728 session_count += 1; 729 smtp_update_addr_list(addr_list, STR(iter->addr), session_count); 730 if (*addr_list == 0) 731 next = 0; 732 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 733 && next == 0) 734 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 735#ifdef USE_TLS 736 session->tls = state->tls; /* TEMPORARY */ 737#endif 738 smtp_xfer(state); 739 smtp_cleanup_session(state); 740 } 741 } 742 return (session_count); 743} 744 745/* smtp_connect_inet - establish network connection */ 746 747static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop, 748 char *def_service) 749{ 750 DELIVER_REQUEST *request = state->request; 751 SMTP_ITERATOR *iter = state->iterator; 752 ARGV *sites; 753 char *dest; 754 char **cpp; 755 int non_fallback_sites; 756 int retry_plain = 0; 757 DSN_BUF *why = state->why; 758 759 /* 760 * For sanity, require that at least one of INET or INET6 is enabled. 761 * Otherwise, we can't look up interface information, and we can't 762 * convert names or addresses. 763 */ 764 if (inet_proto_info()->ai_family_list[0] == 0) { 765 dsb_simple(why, "4.4.4", "all network protocols are disabled"); 766 return; 767 } 768 769 /* 770 * First try to deliver to the indicated destination, then try to deliver 771 * to the optional fall-back relays. 772 * 773 * Future proofing: do a null destination sanity check in case we allow the 774 * primary destination to be a list (it could be just separators). 775 */ 776 sites = argv_alloc(1); 777 argv_add(sites, nexthop, (char *) 0); 778 if (sites->argc == 0) 779 msg_panic("null destination: \"%s\"", nexthop); 780 non_fallback_sites = sites->argc; 781 /* When we are lmtp(8) var_fallback_relay is null */ 782 if (smtp_mode) 783 argv_split_append(sites, var_fallback_relay, ", \t\r\n"); 784 785 /* 786 * Don't give up after a hard host lookup error until we have tried the 787 * fallback relay servers. 788 * 789 * Don't bounce mail after a host lookup problem with a relayhost or with a 790 * fallback relay. 791 * 792 * Don't give up after a qualifying soft error until we have tried all 793 * qualifying backup mail servers. 794 * 795 * All this means that error handling and error reporting depends on whether 796 * the error qualifies for trying to deliver to a backup mail server, or 797 * whether we're looking up a relayhost or fallback relay. The challenge 798 * then is to build this into the pre-existing SMTP client without 799 * getting lost in the complexity. 800 */ 801#define IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites) \ 802 (*(cpp) && (cpp) >= (sites)->argv + (non_fallback_sites)) 803 804 for (cpp = sites->argv, (state->misc_flags |= SMTP_MISC_FLAG_FIRST_NEXTHOP); 805 SMTP_RCPT_LEFT(state) > 0 && (dest = *cpp) != 0; 806 cpp++, (state->misc_flags &= ~SMTP_MISC_FLAG_FIRST_NEXTHOP)) { 807 char *dest_buf; 808 char *domain; 809 unsigned port; 810 DNS_RR *addr_list; 811 DNS_RR *addr; 812 DNS_RR *next; 813 int addr_count; 814 int sess_count; 815 SMTP_SESSION *session; 816 int lookup_mx; 817 unsigned domain_best_pref; 818 MAI_HOSTADDR_STR hostaddr; 819 820 if (cpp[1] == 0) 821 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 822 823 /* 824 * Parse the destination. Default is to use the SMTP port. Look up 825 * the address instead of the mail exchanger when a quoted host is 826 * specified, or when DNS lookups are disabled. 827 */ 828 dest_buf = smtp_parse_destination(dest, def_service, &domain, &port); 829 if (var_helpful_warnings && ntohs(port) == 465) { 830 msg_info("CLIENT wrappermode (port smtps/465) is unimplemented"); 831 msg_info("instead, send to (port submission/587) with STARTTLS"); 832 } 833#define NO_HOST "" /* safety */ 834#define NO_ADDR "" /* safety */ 835 836 SMTP_ITER_INIT(iter, dest, NO_HOST, NO_ADDR, port, state); 837 838 /* 839 * Resolve an SMTP server. Skip mail exchanger lookups when a quoted 840 * host is specified, or when DNS lookups are disabled. 841 */ 842 if (msg_verbose) 843 msg_info("connecting to %s port %d", domain, ntohs(port)); 844 if (smtp_mode) { 845 if (ntohs(port) == IPPORT_SMTP) 846 state->misc_flags |= SMTP_MISC_FLAG_LOOP_DETECT; 847 else 848 state->misc_flags &= ~SMTP_MISC_FLAG_LOOP_DETECT; 849 lookup_mx = (smtp_dns_support != SMTP_DNS_DISABLED && *dest != '['); 850 } else 851 lookup_mx = 0; 852 if (!lookup_mx) { 853 addr_list = smtp_host_addr(domain, state->misc_flags, why); 854 /* XXX We could be an MX host for this destination... */ 855 } else { 856 int i_am_mx = 0; 857 858 addr_list = smtp_domain_addr(domain, &iter->mx, state->misc_flags, 859 why, &i_am_mx); 860 /* If we're MX host, don't connect to non-MX backups. */ 861 if (i_am_mx) 862 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 863 } 864 865 /* 866 * Don't try fall-back hosts if mail loops to myself. That would just 867 * make the problem worse. 868 */ 869 if (addr_list == 0 && SMTP_HAS_LOOP_DSN(why)) 870 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 871 872 /* 873 * No early loop exit or we have a memory leak with dest_buf. 874 */ 875 if (addr_list) 876 domain_best_pref = addr_list->pref; 877 878 /* 879 * When session caching is enabled, store the first good session for 880 * this delivery request under the next-hop destination name. All 881 * good sessions will be stored under their specific server IP 882 * address. 883 * 884 * XXX smtp_session_cache_destinations specifies domain names without 885 * :port, because : is already used for maptype:mapname. Because of 886 * this limitation we use the bare domain without the optional [] or 887 * non-default TCP port. 888 * 889 * Opportunistic (a.k.a. on-demand) session caching on request by the 890 * queue manager. This is turned temporarily when a destination has a 891 * high volume of mail in the active queue. 892 */ 893 if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_FIRST_NEXTHOP)) { 894 smtp_cache_policy(state, domain); 895 if (state->misc_flags & SMTP_MISC_FLAG_CONN_STORE) 896 SET_NEXTHOP_STATE(state, dest); 897 } 898 899 /* 900 * Delete visited cached hosts from the address list. 901 * 902 * Optionally search the connection cache by domain name or by primary 903 * MX address before we try to create new connections. 904 * 905 * Enforce the MX session and MX address counts per next-hop or 906 * fall-back destination. smtp_reuse_session() will truncate the 907 * address list when either limit is reached. 908 */ 909 if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD)) { 910 if (state->cache_used->used > 0) 911 smtp_scrub_addr_list(state->cache_used, &addr_list); 912 sess_count = addr_count = 913 smtp_reuse_session(state, &addr_list, domain_best_pref); 914 } else 915 sess_count = addr_count = 0; 916 917 /* 918 * Connect to an SMTP server: create primary MX connections, and 919 * reuse or create backup MX connections. 920 * 921 * At the start of an SMTP session, all recipients are unmarked. In the 922 * course of an SMTP session, recipients are marked as KEEP (deliver 923 * to alternate mail server) or DROP (remove from recipient list). At 924 * the end of an SMTP session, weed out the recipient list. Unmark 925 * any left-over recipients and try to deliver them to a backup mail 926 * server. 927 * 928 * Cache the first good session under the next-hop destination name. 929 * Cache all good sessions under their physical endpoint. 930 * 931 * Don't query the session cache for primary MX hosts. We already did 932 * that in smtp_reuse_session(), and if any were found in the cache, 933 * they were already deleted from the address list. 934 * 935 * Currently, we use smtp_reuse_addr() only for SASL-unauthenticated 936 * connections. Furthermore, we rely on smtp_reuse_addr() to look up 937 * an existing SASL-unauthenticated connection only when a new 938 * connection would be guaranteed not to require SASL authentication. 939 * 940 * In addition, we rely on smtp_reuse_addr() to look up an existing 941 * plaintext connection only when a new connection would be 942 * guaranteed not to use TLS. 943 */ 944 for (addr = addr_list; SMTP_RCPT_LEFT(state) > 0 && addr; addr = next) { 945 next = addr->next; 946 if (++addr_count == var_smtp_mxaddr_limit) 947 next = 0; 948 if (dns_rr_to_pa(addr, &hostaddr) == 0) { 949 msg_warn("cannot convert type %s record to printable address", 950 dns_strtype(addr->type)); 951 /* XXX Assume there is no code at the end of this loop. */ 952 continue; 953 } 954 vstring_strcpy(iter->addr, hostaddr.buf); 955 vstring_strcpy(iter->host, SMTP_HNAME(addr)); 956 iter->rr = addr; 957#ifdef USE_TLS 958 if (!smtp_tls_policy_cache_query(why, state->tls, iter)) { 959 msg_info("TLS policy lookup for %s/%s: %s", 960 STR(iter->dest), STR(iter->host), STR(why->reason)); 961 continue; 962 /* XXX Assume there is no code at the end of this loop. */ 963 } 964 /* Disable TLS when retrying after a handshake failure */ 965 if (retry_plain) { 966 state->tls->level = TLS_LEV_NONE; 967 retry_plain = 0; 968 } 969#endif 970 if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0 971 || addr->pref == domain_best_pref 972 || !(session = smtp_reuse_addr(state, 973 SMTP_KEY_MASK_SCACHE_ENDP_LABEL))) 974 session = smtp_connect_addr(iter, why, state->misc_flags); 975 if ((state->session = session) != 0) { 976 session->state = state; 977#ifdef USE_TLS 978 session->tls = state->tls; /* TEMPORARY */ 979 session->tls_nexthop = domain; /* for TLS_LEV_SECURE */ 980#endif 981 if (addr->pref == domain_best_pref) 982 session->features |= SMTP_FEATURE_BEST_MX; 983 /* Don't count handshake errors towards the session limit. */ 984 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 985 && next == 0) 986 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 987 if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0 988 && smtp_helo(state) != 0) { 989#ifdef USE_TLS 990 991 /* 992 * When an opportunistic TLS handshake fails, try the 993 * same address again, with TLS disabled. See also the 994 * RETRY_AS_PLAINTEXT macro. 995 */ 996 if ((retry_plain = session->tls_retry_plain) != 0) { 997 --addr_count; 998 next = addr; 999 } 1000#endif 1001 1002 /* 1003 * When a TLS handshake fails, the stream is marked 1004 * "dead" to avoid further I/O over a broken channel. 1005 */ 1006 if (!THIS_SESSION_IS_DEAD 1007 && vstream_ferror(session->stream) == 0 1008 && vstream_feof(session->stream) == 0) 1009 smtp_quit(state); 1010 } else { 1011 /* Do count delivery errors towards the session limit. */ 1012 if (++sess_count == var_smtp_mxsess_limit) 1013 next = 0; 1014 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 1015 && next == 0) 1016 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 1017 smtp_xfer(state); 1018 } 1019 smtp_cleanup_session(state); 1020 } else { 1021 /* The reason already includes the IP address and TCP port. */ 1022 msg_info("%s", STR(why->reason)); 1023 } 1024 /* XXX Code above assumes there is no code at this loop ending. */ 1025 } 1026 dns_rr_free(addr_list); 1027 if (iter->mx) { 1028 dns_rr_free(iter->mx); 1029 iter->mx = 0; /* Just in case */ 1030 } 1031 myfree(dest_buf); 1032 if (state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 1033 break; 1034 } 1035 1036 /* 1037 * We still need to deliver, bounce or defer some left-over recipients: 1038 * either mail loops or some backup mail server was unavailable. 1039 */ 1040 if (SMTP_RCPT_LEFT(state) > 0) { 1041 1042 /* 1043 * In case of a "no error" indication we make up an excuse: we did 1044 * find the host address, but we did not attempt to connect to it. 1045 * This can happen when the fall-back relay was already tried via a 1046 * cached connection, so that the address list scrubber left behind 1047 * an empty list. 1048 */ 1049 if (!SMTP_HAS_DSN(why)) { 1050 dsb_simple(why, "4.3.0", 1051 "server unavailable or unable to receive mail"); 1052 } 1053 1054 /* 1055 * Pay attention to what could be configuration problems, and pretend 1056 * that these are recoverable rather than bouncing the mail. 1057 */ 1058 else if (!SMTP_HAS_SOFT_DSN(why) && smtp_mode) { 1059 1060 /* 1061 * The fall-back destination did not resolve as expected, or it 1062 * is refusing to talk to us, or mail for it loops back to us. 1063 */ 1064 if (IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites)) { 1065 msg_warn("%s configuration problem", VAR_SMTP_FALLBACK); 1066 vstring_strcpy(why->status, "4.3.5"); 1067 /* XXX Keep the diagnostic code and MTA. */ 1068 } 1069 1070 /* 1071 * The next-hop relayhost did not resolve as expected, or it is 1072 * refusing to talk to us, or mail for it loops back to us. 1073 */ 1074 else if (strcmp(sites->argv[0], var_relayhost) == 0) { 1075 msg_warn("%s configuration problem", VAR_RELAYHOST); 1076 vstring_strcpy(why->status, "4.3.5"); 1077 /* XXX Keep the diagnostic code and MTA. */ 1078 } 1079 1080 /* 1081 * Mail for the next-hop destination loops back to myself. Pass 1082 * the mail to the best_mx_transport or bounce it. 1083 */ 1084 else if (SMTP_HAS_LOOP_DSN(why) && *var_bestmx_transp) { 1085 dsb_reset(why); /* XXX */ 1086 state->status = deliver_pass_all(MAIL_CLASS_PRIVATE, 1087 var_bestmx_transp, 1088 request); 1089 SMTP_RCPT_LEFT(state) = 0; /* XXX */ 1090 } 1091 } 1092 } 1093 1094 /* 1095 * Cleanup. 1096 */ 1097 if (HAVE_NEXTHOP_STATE(state)) 1098 FREE_NEXTHOP_STATE(state); 1099 argv_free(sites); 1100} 1101 1102/* smtp_connect - establish SMTP connection */ 1103 1104int smtp_connect(SMTP_STATE *state) 1105{ 1106 DELIVER_REQUEST *request = state->request; 1107 char *destination = request->nexthop; 1108 1109 /* 1110 * All deliveries proceed along the same lines, whether they are over TCP 1111 * or UNIX-domain sockets, and whether they use SMTP or LMTP: get a 1112 * connection from the cache or create a new connection; deliver mail; 1113 * update the connection cache or disconnect. 1114 * 1115 * The major differences appear at a higher level: the expansion from 1116 * destination to address list, and whether to stop before we reach the 1117 * end of that list. 1118 */ 1119#define DEF_LMTP_SERVICE var_lmtp_tcp_port 1120#define DEF_SMTP_SERVICE "smtp" 1121 1122 /* 1123 * With LMTP we have direct-to-host delivery only. The destination may 1124 * have multiple IP addresses. 1125 */ 1126 if (!smtp_mode) { 1127 if (strncmp(destination, "unix:", 5) == 0) { 1128 smtp_connect_local(state, destination + 5); 1129 } else { 1130 if (strncmp(destination, "inet:", 5) == 0) 1131 destination += 5; 1132 smtp_connect_inet(state, destination, DEF_LMTP_SERVICE); 1133 } 1134 } 1135 1136 /* 1137 * With SMTP we can have indirection via MX host lookup, as well as an 1138 * optional fall-back relayhost that we must avoid when we are MX host. 1139 * 1140 * XXX We don't add support for "unix:" or "inet:" prefixes in SMTP 1141 * destinations, because that would break compatibility with existing 1142 * Postfix configurations that have a host with such a name. 1143 */ 1144 else { 1145 smtp_connect_inet(state, destination, DEF_SMTP_SERVICE); 1146 } 1147 1148 /* 1149 * We still need to bounce or defer some left-over recipients: either 1150 * (SMTP) mail loops or some server was unavailable. 1151 * 1152 * We could avoid this (and the "final server" complexity) by keeping one 1153 * DSN structure per recipient in memory, by updating those in-memory 1154 * structures with each delivery attempt, and by always flushing all 1155 * deferred recipients at the end. We'd probably still want to bounce 1156 * recipients immediately, so we'd end up with another chunk of code for 1157 * defer logging only. 1158 */ 1159 if (SMTP_RCPT_LEFT(state) > 0) { 1160 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; /* XXX */ 1161 smtp_sess_fail(state); 1162 1163 /* 1164 * Sanity check. Don't silently lose recipients. 1165 */ 1166 smtp_rcpt_cleanup(state); 1167 if (SMTP_RCPT_LEFT(state) > 0) 1168 msg_panic("smtp_connect: left-over recipients"); 1169 } 1170 return (state->status); 1171} 1172