1/*++ 2/* NAME 3/* smtp_proto 3 4/* SUMMARY 5/* client SMTP/LMTP protocol 6/* SYNOPSIS 7/* #include "smtp.h" 8/* 9/* int smtp_helo(state) 10/* SMTP_STATE *state; 11/* 12/* int smtp_xfer(state) 13/* SMTP_STATE *state; 14/* 15/* int smtp_rset(state) 16/* SMTP_STATE *state; 17/* 18/* int smtp_quit(state) 19/* SMTP_STATE *state; 20/* DESCRIPTION 21/* In the subsequent text, SMTP implies LMTP. 22/* This module implements the client side of the SMTP protocol. 23/* 24/* smtp_helo() performs the initial handshake with the SMTP server. 25/* When TLS is enabled, this includes STARTTLS negotiations. 26/* 27/* smtp_xfer() sends message envelope information followed by the 28/* message data, and finishes the SMTP conversation. These operations 29/* are combined in one function, in order to implement SMTP pipelining. 30/* Recipients are marked as "done" in the mail queue file when 31/* bounced or delivered. The message delivery status is updated 32/* accordingly. 33/* 34/* smtp_rset() sends a single RSET command and waits for the 35/* response. In case of a negative reply it sets the 36/* CANT_RSET_THIS_SESSION flag. 37/* 38/* smtp_quit() sends a single QUIT command and waits for the 39/* response if configured to do so. It always turns off connection 40/* caching. 41/* DIAGNOSTICS 42/* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return 43/* 0 in case of success, -1 in case of failure. For smtp_xfer(), 44/* smtp_rset() and smtp_quit(), success means the ability to 45/* perform an SMTP conversation, not necessarily the ability 46/* to deliver mail, or the achievement of server happiness. 47/* 48/* In case of a rejected or failed connection, a connection 49/* is marked as "bad, do not cache". Otherwise, connection 50/* caching may be turned off (without being marked "bad") at 51/* the discretion of the code that implements the individual 52/* protocol steps. 53/* 54/* Warnings: corrupt message file. A corrupt message is marked 55/* as "corrupt" by changing its queue file permissions. 56/* BUGS 57/* Some SMTP servers will abort when the number of recipients 58/* for one message exceeds their capacity. This behavior violates 59/* the SMTP protocol. 60/* The only way around this is to limit the number of recipients 61/* per transaction to an artificially-low value. 62/* SEE ALSO 63/* smtp(3h) internal data structures 64/* smtp_chat(3) query/reply SMTP support 65/* smtp_trouble(3) error handlers 66/* LICENSE 67/* .ad 68/* .fi 69/* The Secure Mailer license must be distributed with this software. 70/* AUTHOR(S) 71/* Wietse Venema 72/* IBM T.J. Watson Research 73/* P.O. Box 704 74/* Yorktown Heights, NY 10598, USA 75/* 76/* Pipelining code in cooperation with: 77/* Jon Ribbens 78/* Oaktree Internet Solutions Ltd., 79/* Internet House, 80/* Canal Basin, 81/* Coventry, 82/* CV1 4LY, United Kingdom. 83/* 84/* Connection caching in cooperation with: 85/* Victor Duchovni 86/* Morgan Stanley 87/* 88/* TLS support originally by: 89/* Lutz Jaenicke 90/* BTU Cottbus 91/* Allgemeine Elektrotechnik 92/* Universitaetsplatz 3-4 93/* D-03044 Cottbus, Germany 94/*--*/ 95 96/* System library. */ 97 98#include <sys_defs.h> 99#include <sys/stat.h> 100#include <sys/socket.h> /* shutdown(2) */ 101#include <netinet/in.h> /* ntohs() */ 102#include <string.h> 103#include <unistd.h> 104#include <stdlib.h> /* 44BSD stdarg.h uses abort() */ 105#include <stdarg.h> 106#include <time.h> 107 108#ifdef STRCASECMP_IN_STRINGS_H 109#include <strings.h> 110#endif 111 112/* Utility library. */ 113 114#include <msg.h> 115#include <vstring.h> 116#include <vstream.h> 117#include <vstring_vstream.h> 118#include <stringops.h> 119#include <mymalloc.h> 120#include <iostuff.h> 121#include <split_at.h> 122#include <name_code.h> 123#include <name_mask.h> 124 125/* Global library. */ 126 127#include <mail_params.h> 128#include <smtp_stream.h> 129#include <mail_queue.h> 130#include <recipient_list.h> 131#include <deliver_request.h> 132#include <defer.h> 133#include <bounce.h> 134#include <record.h> 135#include <rec_type.h> 136#include <off_cvt.h> 137#include <mark_corrupt.h> 138#include <quote_821_local.h> 139#include <quote_822_local.h> 140#include <mail_proto.h> 141#include <mime_state.h> 142#include <ehlo_mask.h> 143#include <maps.h> 144#include <tok822.h> 145#include <mail_addr_map.h> 146#include <ext_prop.h> 147#include <lex_822.h> 148#include <dsn_mask.h> 149#include <xtext.h> 150 151/* Application-specific. */ 152 153#include "smtp.h" 154#include "smtp_sasl.h" 155 156 /* 157 * Sender and receiver state. A session does not necessarily go through a 158 * linear progression, but states are guaranteed to not jump backwards. 159 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states 160 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST. 161 * 162 * When connection caching is enabled, the QUIT state is suppressed. Normal 163 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions 164 * end with ABORT->LAST. The connection is left open for a limited time. An 165 * RSET probe should be sent before attempting to reuse an open connection 166 * for a new transaction. 167 * 168 * The code to send an RSET probe is a special case with its own initial state 169 * and with its own dedicated state transitions. The session proceeds as 170 * RSET->LAST. This code is kept inside the main protocol engine for 171 * consistent error handling and error reporting. It is not to be confused 172 * with the code that sends RSET to abort a mail transaction in progress. 173 * 174 * The code to send QUIT without message delivery transaction jumps into the 175 * main state machine. If this introduces complications, then we should 176 * introduce a second QUIT state with its own dedicated state transitions, 177 * just like we did for RSET probes. 178 * 179 * By default, the receiver skips the QUIT response. Some SMTP servers 180 * disconnect after responding to ".", and some SMTP servers wait before 181 * responding to QUIT. 182 * 183 * Client states that are associated with sending mail (up to and including 184 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending 185 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST). 186 */ 187#define SMTP_STATE_XFORWARD_NAME_ADDR 0 188#define SMTP_STATE_XFORWARD_PROTO_HELO 1 189#define SMTP_STATE_MAIL 2 190#define SMTP_STATE_RCPT 3 191#define SMTP_STATE_DATA 4 192#define SMTP_STATE_DOT 5 193#define SMTP_STATE_ABORT 6 194#define SMTP_STATE_RSET 7 195#define SMTP_STATE_QUIT 8 196#define SMTP_STATE_LAST 9 197 198int *xfer_timeouts[SMTP_STATE_LAST] = { 199 &var_smtp_xfwd_tmout, /* name/addr */ 200 &var_smtp_xfwd_tmout, /* helo/proto */ 201 &var_smtp_mail_tmout, 202 &var_smtp_rcpt_tmout, 203 &var_smtp_data0_tmout, 204 &var_smtp_data2_tmout, 205 &var_smtp_rset_tmout, 206 &var_smtp_rset_tmout, 207 &var_smtp_quit_tmout, 208}; 209 210char *xfer_states[SMTP_STATE_LAST] = { 211 "sending XFORWARD name/address", 212 "sending XFORWARD protocol/helo_name", 213 "sending MAIL FROM", 214 "sending RCPT TO", 215 "sending DATA command", 216 "sending end of data -- message may be sent more than once", 217 "sending final RSET", 218 "sending RSET probe", 219 "sending QUIT", 220}; 221 222char *xfer_request[SMTP_STATE_LAST] = { 223 "XFORWARD name/address command", 224 "XFORWARD helo/protocol command", 225 "MAIL FROM command", 226 "RCPT TO command", 227 "DATA command", 228 "end of DATA command", 229 "final RSET command", 230 "RSET probe", 231 "QUIT command", 232}; 233 234#define SMTP_MIME_DOWNGRADE(session, request) \ 235 (var_disable_mime_oconv == 0 \ 236 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \ 237 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0) 238 239#ifdef USE_TLS 240 241static int smtp_start_tls(SMTP_STATE *); 242 243#endif 244 245 /* 246 * Call-back information for header/body checks. We don't provide call-backs 247 * for actions that change the message delivery time or destination. 248 */ 249static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *); 250static void smtp_text_out(void *, int, const char *, ssize_t, off_t); 251 252HBC_CALL_BACKS smtp_hbc_callbacks[1] = { 253 smtp_hbc_logger, 254 smtp_text_out, 255}; 256 257/* smtp_helo - perform initial handshake with SMTP server */ 258 259int smtp_helo(SMTP_STATE *state) 260{ 261 const char *myname = "smtp_helo"; 262 SMTP_SESSION *session = state->session; 263 DELIVER_REQUEST *request = state->request; 264 SMTP_ITERATOR *iter = state->iterator; 265 SMTP_RESP *resp; 266 SMTP_RESP fake; 267 int except; 268 char *lines; 269 char *words; 270 char *word; 271 int n; 272 static const NAME_CODE xforward_features[] = { 273 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME, 274 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR, 275 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT, 276 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO, 277 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO, 278 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT, 279 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN, 280 0, 0, 281 }; 282 const char *ehlo_words; 283 int discard_mask; 284 static const NAME_MASK pix_bug_table[] = { 285 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP, 286 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF, 287 0, 288 }; 289 const char *pix_bug_words; 290 const char *pix_bug_source; 291 int pix_bug_mask; 292 293#ifdef USE_TLS 294 int saved_features = session->features; 295 int tls_helo_status; 296 297#endif 298 const char *NOCLOBBER where; 299 300 /* 301 * Prepare for disaster. 302 */ 303 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout, 304 var_smtp_rec_deadline); 305 if ((except = vstream_setjmp(state->session->stream)) != 0) 306 return (smtp_stream_except(state, except, where)); 307 308 /* 309 * If not recursing after STARTTLS, examine the server greeting banner 310 * and decide if we are going to send EHLO as the next command. 311 */ 312 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 313 314 /* 315 * Read and parse the server's SMTP greeting banner. 316 */ 317 where = "receiving the initial server greeting"; 318 switch ((resp = smtp_chat_resp(session))->code / 100) { 319 case 2: 320 break; 321 case 5: 322 if (var_smtp_skip_5xx_greeting) 323 STR(resp->dsn_buf)[0] = '4'; 324 /* FALLTHROUGH */ 325 default: 326 return (smtp_site_fail(state, STR(iter->host), resp, 327 "host %s refused to talk to me: %s", 328 session->namaddr, 329 translit(resp->str, "\n", " "))); 330 } 331 332 /* 333 * If the policy table specifies a bogus TLS security level, fail 334 * now. 335 */ 336#ifdef USE_TLS 337 if (session->tls->level == TLS_LEV_INVALID) 338 /* Warning is already logged. */ 339 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 340 SMTP_RESP_FAKE(&fake, "4.7.0"), 341 "client TLS configuration problem")); 342#endif 343 344 /* 345 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so 346 * it does not span a packet boundary. This hurts performance so it 347 * is not on by default. 348 */ 349 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) { 350 /* Best effort only. Ignore errors. */ 351 if (smtp_pix_bug_maps != 0 352 && (pix_bug_words = 353 maps_find(smtp_pix_bug_maps, 354 STR(iter->addr), 0)) != 0) { 355 pix_bug_source = SMTP_X(PIX_BUG_MAPS); 356 } else { 357 pix_bug_words = var_smtp_pix_bug_words; 358 pix_bug_source = SMTP_X(PIX_BUG_WORDS); 359 } 360 if (*pix_bug_words) { 361 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table, 362 pix_bug_words, 363 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE); 364 msg_info("%s: enabling PIX workarounds: %s for %s", 365 request->queue_id, 366 str_name_mask("pix workaround bitmask", 367 pix_bug_table, pix_bug_mask), 368 session->namaddrport); 369 session->features |= pix_bug_mask; 370 } 371 } 372 373 /* 374 * See if we are talking to ourself. This should not be possible with 375 * the way we implement DNS lookups. However, people are known to 376 * sometimes screw up the naming service. And, mailer loops are still 377 * possible when our own mailer routing tables are mis-configured. 378 */ 379 words = resp->str; 380 (void) mystrtok(&words, "- \t\n"); 381 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) { 382 if (n == 0 && strcasecmp(word, var_myhostname) == 0) { 383 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) 384 msg_warn("host %s greeted me with my own hostname %s", 385 session->namaddrport, var_myhostname); 386 } else if (strcasecmp(word, "ESMTP") == 0) 387 session->features |= SMTP_FEATURE_ESMTP; 388 } 389 if (smtp_mode) { 390 if (var_smtp_always_ehlo 391 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0) 392 session->features |= SMTP_FEATURE_ESMTP; 393 if (var_smtp_never_ehlo 394 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0) 395 session->features &= ~SMTP_FEATURE_ESMTP; 396 } else { 397 session->features |= SMTP_FEATURE_ESMTP; 398 } 399 } 400 401 /* 402 * If recursing after STARTTLS, there is no server greeting banner. 403 * Always send EHLO as the next command. 404 */ 405 else { 406 session->features |= SMTP_FEATURE_ESMTP; 407 } 408 409 /* 410 * Return the compliment. Fall back to SMTP if our ESMTP recognition 411 * heuristic failed. 412 */ 413 if (smtp_mode) { 414 where = "performing the EHLO handshake"; 415 if (session->features & SMTP_FEATURE_ESMTP) { 416 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name); 417 if ((resp = smtp_chat_resp(session))->code / 100 != 2) { 418 if (resp->code == 421) 419 return (smtp_site_fail(state, STR(iter->host), resp, 420 "host %s refused to talk to me: %s", 421 session->namaddr, 422 translit(resp->str, "\n", " "))); 423 else 424 session->features &= ~SMTP_FEATURE_ESMTP; 425 } 426 } 427 if ((session->features & SMTP_FEATURE_ESMTP) == 0) { 428 where = "performing the HELO handshake"; 429 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name); 430 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 431 return (smtp_site_fail(state, STR(iter->host), resp, 432 "host %s refused to talk to me: %s", 433 session->namaddr, 434 translit(resp->str, "\n", " "))); 435 } 436 } else { 437 where = "performing the LHLO handshake"; 438 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name); 439 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 440 return (smtp_site_fail(state, STR(iter->host), resp, 441 "host %s refused to talk to me: %s", 442 session->namaddr, 443 translit(resp->str, "\n", " "))); 444 } 445 446 /* 447 * No early returns allowed, to ensure consistent handling of TLS and 448 * SASL policies. 449 */ 450 if (session->features & SMTP_FEATURE_ESMTP) { 451 452 /* 453 * Determine what server EHLO keywords to ignore, typically to avoid 454 * inter-operability problems. 455 */ 456 if (smtp_ehlo_dis_maps == 0 457 || (ehlo_words = maps_find(smtp_ehlo_dis_maps, 458 STR(iter->addr), 0)) == 0) 459 ehlo_words = var_smtp_ehlo_dis_words; 460 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) { 461 msg_warn("%s: %s map lookup error for %s", 462 session->state->request->queue_id, 463 smtp_ehlo_dis_maps->title, STR(iter->addr)); 464 vstream_longjmp(session->stream, SMTP_ERR_DATA); 465 } 466 discard_mask = ehlo_mask(ehlo_words); 467 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 468 msg_info("discarding EHLO keywords: %s", 469 str_ehlo_mask(discard_mask)); 470 471 /* 472 * Pick up some useful features offered by the SMTP server. XXX Until 473 * we have a portable routine to convert from string to off_t with 474 * proper overflow detection, ignore the message size limit 475 * advertised by the SMTP server. Otherwise, we might do the wrong 476 * thing when the server advertises a really huge message size limit. 477 * 478 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", 479 * because MicroSoft implemented AUTH based on an old draft. 480 */ 481 lines = resp->str; 482 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) { 483 if (mystrtok(&words, "- ") 484 && (word = mystrtok(&words, " \t=")) != 0) { 485 if (n == 0) { 486 if (session->helo != 0) 487 myfree(session->helo); 488 489 /* 490 * XXX: Keep the original case: we don't expect a single 491 * SMTP server to randomly change the case of its helo 492 * response. If different capitalization is detected, we 493 * should assume disjoint TLS caches. 494 */ 495 session->helo = mystrdup(word); 496 if (strcasecmp(word, var_myhostname) == 0 497 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) { 498 msg_warn("host %s replied to HELO/EHLO" 499 " with my own hostname %s", 500 session->namaddrport, var_myhostname); 501 if (session->features & SMTP_FEATURE_BEST_MX) 502 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 503 SMTP_RESP_FAKE(&fake, "5.4.6"), 504 "mail for %s loops back to myself", 505 request->nexthop)); 506 else 507 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 508 SMTP_RESP_FAKE(&fake, "4.4.6"), 509 "mail for %s loops back to myself", 510 request->nexthop)); 511 } 512 } else if (strcasecmp(word, "8BITMIME") == 0) { 513 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 514 session->features |= SMTP_FEATURE_8BITMIME; 515 } else if (strcasecmp(word, "PIPELINING") == 0) { 516 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 517 session->features |= SMTP_FEATURE_PIPELINING; 518 } else if (strcasecmp(word, "XFORWARD") == 0) { 519 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) 520 while ((word = mystrtok(&words, " \t")) != 0) 521 session->features |= 522 name_code(xforward_features, 523 NAME_CODE_FLAG_NONE, word); 524 } else if (strcasecmp(word, "SIZE") == 0) { 525 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 526 session->features |= SMTP_FEATURE_SIZE; 527 if ((word = mystrtok(&words, " \t")) != 0) { 528 if (!alldig(word)) 529 msg_warn("bad EHLO SIZE limit \"%s\" from %s", 530 word, session->namaddrport); 531 else 532 session->size_limit = off_cvt_string(word); 533 } 534 } 535#ifdef USE_TLS 536 } else if (strcasecmp(word, "STARTTLS") == 0) { 537 /* Ignored later if we already sent STARTTLS. */ 538 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 539 session->features |= SMTP_FEATURE_STARTTLS; 540#endif 541#ifdef USE_SASL_AUTH 542 } else if (var_smtp_sasl_enable 543 && strcasecmp(word, "AUTH") == 0) { 544 if ((discard_mask & EHLO_MASK_AUTH) == 0) 545 smtp_sasl_helo_auth(session, words); 546#endif 547 } else if (strcasecmp(word, "DSN") == 0) { 548 if ((discard_mask & EHLO_MASK_DSN) == 0) 549 session->features |= SMTP_FEATURE_DSN; 550 } 551 n++; 552 } 553 } 554 } 555 if (msg_verbose) 556 msg_info("server features: 0x%x size %.0f", 557 session->features, (double) session->size_limit); 558 559 /* 560 * We use SMTP command pipelining if the server said it supported it. 561 * Since we use blocking I/O, RFC 2197 says that we should inspect the 562 * TCP window size and not send more than this amount of information. 563 * Unfortunately this information is unavailable using the sockets 564 * interface. However, we *can* get the TCP send buffer size on the local 565 * TCP/IP stack. We should be able to fill this buffer without being 566 * blocked, and then the kernel will effectively do non-blocking I/O for 567 * us by automatically writing out the contents of its send buffer while 568 * we are reading in the responses. In addition to TCP buffering we have 569 * to be aware of application-level buffering by the vstream module, 570 * which is limited to a couple kbytes. 571 * 572 * XXX No need to do this before and after STARTTLS, but it's not a big deal 573 * if we do. 574 * 575 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as 576 * TLS messages. Thus, the TCP-level payload will be larger than the 577 * SMTP-level payload. This has implications for the PIPELINING engine. 578 * 579 * To avoid deadlock, the PIPELINING engine needs to request a TCP send 580 * buffer size that can hold the unacknowledged commands plus the TLS 581 * encapsulation overhead. 582 * 583 * The PIPELINING engine keeps the unacknowledged command size <= the 584 * default VSTREAM buffer size (to avoid small-write performance issues 585 * when the VSTREAM buffer size is at its default size). With a default 586 * VSTREAM buffer size of 4096 there is no reason to increase the 587 * unacknowledged command size as the TCP MSS increases. It's safer to 588 * spread the remote SMTP server's recipient processing load over time, 589 * than dumping a very large recipient list all at once. 590 * 591 * For TLS encapsulation overhead we make a conservative guess: take the 592 * current protocol overhead of ~40 bytes, double the number for future 593 * proofing (~80 bytes), then round up the result to the nearest power of 594 * 2 (128 bytes). Plus, be prepared for worst-case compression that 595 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS 596 * message becomes 15 kbytes. 597 */ 598#define PIPELINING_BUFSIZE VSTREAM_BUFSIZE 599#ifdef USE_TLS 600#define TLS_WORST_PAYLOAD 16384 601#define TLS_WORST_COMP_OVERHD 1024 602#define TLS_WORST_PROTO_OVERHD 128 603#define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD) 604#define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD) 605#endif 606 607 if (session->features & SMTP_FEATURE_PIPELINING) { 608 SOCKOPT_SIZE optlen; 609 int tcp_bufsize; 610 int enc_overhead = 0; 611 612 optlen = sizeof(tcp_bufsize); 613 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET, 614 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0) 615 msg_fatal("%s: getsockopt: %m", myname); 616#ifdef USE_TLS 617 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) 618 enc_overhead += 619 (1 + (PIPELINING_BUFSIZE - 1) 620 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD; 621#endif 622 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) { 623 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead; 624 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET, 625 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0) 626 msg_fatal("%s: setsockopt: %m", myname); 627 } 628 if (msg_verbose) 629 msg_info("Using %s PIPELINING, TCP send buffer size is %d, " 630 "PIPELINING buffer size is %d", 631 smtp_mode ? "ESMTP" : "LMTP", 632 tcp_bufsize, PIPELINING_BUFSIZE); 633 } 634#ifdef USE_TLS 635 636 /* 637 * Skip this part if we already sent STARTTLS. 638 */ 639 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 640 641 /* 642 * Optionally log unused STARTTLS opportunities. 643 */ 644 if ((session->features & SMTP_FEATURE_STARTTLS) && 645 var_smtp_tls_note_starttls_offer && 646 session->tls->level <= TLS_LEV_NONE) 647 msg_info("Host offered STARTTLS: [%s]", STR(iter->host)); 648 649 /* 650 * Decide whether or not to send STARTTLS. 651 */ 652 if ((session->features & SMTP_FEATURE_STARTTLS) != 0 653 && smtp_tls_ctx != 0 && session->tls->level >= TLS_LEV_MAY) { 654 655 /* 656 * Prepare for disaster. 657 */ 658 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 659 var_smtp_rec_deadline); 660 if ((except = vstream_setjmp(state->session->stream)) != 0) 661 return (smtp_stream_except(state, except, 662 "receiving the STARTTLS response")); 663 664 /* 665 * Send STARTTLS. Recurse when the server accepts STARTTLS, after 666 * resetting the SASL and EHLO features lists. 667 * 668 * Reset the SASL mechanism list to avoid spurious warnings. 669 * 670 * Use the smtp_sasl_tls_security_options feature to allow SASL 671 * mechanisms that may not be allowed with plain-text 672 * connections. 673 */ 674 smtp_chat_cmd(session, "STARTTLS"); 675 if ((resp = smtp_chat_resp(session))->code / 100 == 2) { 676#ifdef USE_SASL_AUTH 677 if (session->features & SMTP_FEATURE_AUTH) 678 smtp_sasl_cleanup(session); 679#endif 680 session->features = saved_features; 681 /* XXX Mix-up of per-session and per-request flags. */ 682 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 683 tls_helo_status = smtp_start_tls(state); 684 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 685 return (tls_helo_status); 686 } 687 688 /* 689 * Give up if we must use TLS but the server rejects STARTTLS 690 * although support for it was announced in the EHLO response. 691 */ 692 session->features &= ~SMTP_FEATURE_STARTTLS; 693 if (TLS_REQUIRED(session->tls->level)) 694 return (smtp_site_fail(state, STR(iter->host), resp, 695 "TLS is required, but host %s refused to start TLS: %s", 696 session->namaddr, 697 translit(resp->str, "\n", " "))); 698 /* Else try to continue in plain-text mode. */ 699 } 700 701 /* 702 * Give up if we must use TLS but can't for various reasons. 703 * 704 * 200412 Be sure to provide the default clause at the bottom of this 705 * block. When TLS is required we must never, ever, end up in 706 * plain-text mode. 707 */ 708 if (TLS_REQUIRED(session->tls->level)) { 709 if (!(session->features & SMTP_FEATURE_STARTTLS)) { 710 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 711 SMTP_RESP_FAKE(&fake, "4.7.4"), 712 "TLS is required, but was not offered by host %s", 713 session->namaddr)); 714 } else if (smtp_tls_ctx == 0) { 715 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 716 SMTP_RESP_FAKE(&fake, "4.7.5"), 717 "TLS is required, but our TLS engine is unavailable")); 718 } else { 719 msg_warn("%s: TLS is required but unavailable, don't know why", 720 myname); 721 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 722 SMTP_RESP_FAKE(&fake, "4.7.0"), 723 "TLS is required, but unavailable")); 724 } 725 } 726 } 727#endif 728#ifdef USE_SASL_AUTH 729 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH)) 730 return (smtp_sasl_helo_login(state)); 731#endif 732 733 return (0); 734} 735 736#ifdef USE_TLS 737 738/* smtp_start_tls - turn on TLS and recurse into the HELO dialog */ 739 740static int smtp_start_tls(SMTP_STATE *state) 741{ 742 SMTP_SESSION *session = state->session; 743 SMTP_ITERATOR *iter = state->iterator; 744 TLS_CLIENT_START_PROPS tls_props; 745 VSTRING *serverid; 746 SMTP_RESP fake; 747 748 /* 749 * Turn off SMTP connection caching. When the TLS handshake succeeds, we 750 * can't reuse the SMTP connection. Reason: we can't turn off TLS in one 751 * process, save the connection to the cache which is shared with all 752 * SMTP clients, migrate the connection to another SMTP client, and 753 * resume TLS there. When the TLS handshake fails, we can't reuse the 754 * SMTP connection either, because the conversation is in an unknown 755 * state. 756 */ 757 DONT_CACHE_THIS_SESSION; 758 759 /* 760 * The following assumes sites that use TLS in a perverse configuration: 761 * multiple hosts per hostname, or even multiple hosts per IP address. 762 * All this without a shared TLS session cache, and they still want to 763 * use TLS session caching??? 764 * 765 * The TLS session cache records the trust chain verification status of 766 * cached sessions. Different transports may have different CAfile or 767 * CApath settings, perhaps to allow authenticated connections to sites 768 * with private CA certs without trusting said private certs for other 769 * sites. So we cannot assume that a trust chain valid for one transport 770 * is valid for another. Therefore the client session id must include 771 * either the transport name or the values of CAfile and CApath. We use 772 * the transport name. 773 * 774 * XXX: We store only one session per lookup key. Ideally the the key maps 775 * 1-to-1 to a server TLS session cache. We use the IP address, port and 776 * ehlo response name to build a lookup key that works for split caches 777 * (that announce distinct names) behind a load balancer. 778 * 779 * XXX: The TLS library will salt the serverid with further details of the 780 * protocol and cipher requirements including the server ehlo response. 781 * Deferring the helo to the digested suffix results in more predictable 782 * SSL session lookup key lengths. 783 */ 784 serverid = vstring_alloc(10); 785 smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE 786 | SMTP_KEY_FLAG_NEXTHOP /* With port */ 787 | SMTP_KEY_FLAG_HOSTNAME 788 | SMTP_KEY_FLAG_ADDR); 789 790 /* 791 * As of Postfix 2.5, tls_client_start() tries hard to always complete 792 * the TLS handshake. It records the verification and match status in the 793 * resulting TLScontext. It is now up to the application to abort the TLS 794 * connection if it chooses. 795 * 796 * XXX When tls_client_start() fails then we don't know what state the SMTP 797 * connection is in, so we give up on this connection even if we are not 798 * required to use TLS. 799 * 800 * Large parameter lists are error-prone, so we emulate a language feature 801 * that C does not have natively: named parameter lists. 802 */ 803 session->tls_context = 804 TLS_CLIENT_START(&tls_props, 805 ctx = smtp_tls_ctx, 806 stream = session->stream, 807 timeout = var_smtp_starttls_tmout, 808 tls_level = session->tls->level, 809 nexthop = session->tls_nexthop, 810 host = STR(iter->host), 811 namaddr = session->namaddrport, 812 serverid = vstring_str(serverid), 813 helo = session->helo, 814 protocols = session->tls->protocols, 815 cipher_grade = session->tls->grade, 816 cipher_exclusions 817 = vstring_str(session->tls->exclusions), 818 matchargv = session->tls->matchargv, 819 mdalg = var_smtp_tls_fpt_dgst, 820 dane = session->tls->dane); 821 vstring_free(serverid); 822 823 if (session->tls_context == 0) { 824 825 /* 826 * We must avoid further I/O, the peer is in an undefined state. 827 */ 828 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 829 DONT_USE_DEAD_SESSION; 830 831 /* 832 * If TLS is optional, try delivery to the same server over a 833 * plaintext connection. Otherwise we would defer mail forever with 834 * destinations that have no alternate MX host. 835 * 836 * Don't fall back to plaintext if we were willing to use SASL-over-TLS 837 * authentication. If the server doesn't announce SASL support over 838 * plaintext connections, then we don't want delivery to fail with 839 * "relay access denied". 840 */ 841 if (session->tls->level == TLS_LEV_MAY 842#ifdef USE_SASL_AUTH 843 && !(var_smtp_sasl_enable 844 && *var_smtp_sasl_passwd 845 && smtp_sasl_passwd_lookup(session)) 846#endif 847 ) 848 RETRY_AS_PLAINTEXT; 849 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 850 SMTP_RESP_FAKE(&fake, "4.7.5"), 851 "Cannot start TLS: handshake failure")); 852 } 853 854 /* 855 * If we are verifying the server certificate and are not happy with the 856 * result, abort the delivery here. We have a usable TLS session with the 857 * server, so no need to disable I/O, ... we can even be polite and send 858 * "QUIT". 859 * 860 * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require 861 * matching. Levels >= "dane" require CA or DNSSEC trust. 862 * 863 * When DANE TLSA records specify an end-entity certificate, the trust and 864 * match bits always coincide, but it is fine to report the wrong 865 * end-entity certificate as untrusted rather than unmatched. 866 */ 867 if (TLS_MUST_TRUST(session->tls->level)) 868 if (!TLS_CERT_IS_TRUSTED(session->tls_context)) 869 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 870 SMTP_RESP_FAKE(&fake, "4.7.5"), 871 "Server certificate not trusted")); 872 if (TLS_MUST_MATCH(session->tls->level)) 873 if (!TLS_CERT_IS_MATCHED(session->tls_context)) 874 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 875 SMTP_RESP_FAKE(&fake, "4.7.5"), 876 "Server certificate not verified")); 877 878 /* At this point there must not be any pending plaintext. */ 879 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 880 881 /* 882 * At this point we have to re-negotiate the "EHLO" to reget the 883 * feature-list. 884 */ 885 return (smtp_helo(state)); 886} 887 888#endif 889 890/* smtp_hbc_logger - logging call-back for header/body checks */ 891 892static void smtp_hbc_logger(void *context, const char *action, 893 const char *where, const char *content, 894 const char *text) 895{ 896 const SMTP_STATE *state = (SMTP_STATE *) context; 897 898 if (*text) { 899 msg_info("%s: %s: %s %.60s: %s", 900 state->request->queue_id, action, where, content, text); 901 } else { 902 msg_info("%s: %s: %s %.60s", 903 state->request->queue_id, action, where, content); 904 } 905} 906 907/* smtp_text_out - output one header/body record */ 908 909static void smtp_text_out(void *context, int rec_type, 910 const char *text, ssize_t len, 911 off_t unused_offset) 912{ 913 SMTP_STATE *state = (SMTP_STATE *) context; 914 SMTP_SESSION *session = state->session; 915 ssize_t data_left; 916 const char *data_start; 917 918 /* 919 * Deal with an impedance mismatch between Postfix queue files (record 920 * length <= $message_line_length_limit) and SMTP (DATA record length <= 921 * $smtp_line_length_limit). The code below does a little too much work 922 * when the SMTP line length limit is disabled, but it avoids code 923 * duplication, and thus, it avoids testing and maintenance problems. 924 */ 925 data_left = len; 926 data_start = text; 927 do { 928 if (state->space_left == var_smtp_line_limit 929 && data_left > 0 && *data_start == '.') 930 smtp_fputc('.', session->stream); 931 if (var_smtp_line_limit > 0 && data_left >= state->space_left) { 932 smtp_fputs(data_start, state->space_left, session->stream); 933 data_start += state->space_left; 934 data_left -= state->space_left; 935 state->space_left = var_smtp_line_limit; 936 if (data_left > 0 || rec_type == REC_TYPE_CONT) { 937 smtp_fputc(' ', session->stream); 938 state->space_left -= 1; 939 } 940 } else { 941 if (rec_type == REC_TYPE_CONT) { 942 smtp_fwrite(data_start, data_left, session->stream); 943 state->space_left -= data_left; 944 } else { 945 smtp_fputs(data_start, data_left, session->stream); 946 state->space_left = var_smtp_line_limit; 947 } 948 break; 949 } 950 } while (data_left > 0); 951} 952 953/* smtp_format_out - output one header/body record */ 954 955static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...); 956 957static void smtp_format_out(void *context, int rec_type, const char *fmt,...) 958{ 959 static VSTRING *vp; 960 va_list ap; 961 962 if (vp == 0) 963 vp = vstring_alloc(100); 964 va_start(ap, fmt); 965 vstring_vsprintf(vp, fmt, ap); 966 va_end(ap); 967 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0); 968} 969 970/* smtp_header_out - output one message header */ 971 972static void smtp_header_out(void *context, int unused_header_class, 973 const HEADER_OPTS *unused_info, 974 VSTRING *buf, off_t offset) 975{ 976 char *start = vstring_str(buf); 977 char *line; 978 char *next_line; 979 980 /* 981 * This code destroys the header. We could try to avoid clobbering it, 982 * but we're not going to use the data any further. 983 */ 984 for (line = start; line; line = next_line) { 985 next_line = split_at(line, '\n'); 986 smtp_text_out(context, REC_TYPE_NORM, line, next_line ? 987 next_line - line - 1 : strlen(line), offset); 988 } 989} 990 991/* smtp_header_rewrite - rewrite message header before output */ 992 993static void smtp_header_rewrite(void *context, int header_class, 994 const HEADER_OPTS *header_info, 995 VSTRING *buf, off_t offset) 996{ 997 SMTP_STATE *state = (SMTP_STATE *) context; 998 int did_rewrite = 0; 999 char *line; 1000 char *start; 1001 char *next_line; 1002 char *end_line; 1003 char *result; 1004 1005 /* 1006 * Apply optional header filtering. 1007 */ 1008 if (smtp_header_checks) { 1009 result = hbc_header_checks(context, smtp_header_checks, header_class, 1010 header_info, buf, offset); 1011 if (result == 0) 1012 return; 1013 if (result == HBC_CHECKS_STAT_ERROR) { 1014 msg_warn("%s: smtp header checks lookup error", 1015 state->request->queue_id); 1016 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1017 } 1018 if (result != STR(buf)) { 1019 vstring_strcpy(buf, result); 1020 myfree(result); 1021 } 1022 } 1023 1024 /* 1025 * Rewrite primary header addresses that match the smtp_generic_maps. The 1026 * cleanup server already enforces that all headers have proper lengths 1027 * and that all addresses are in proper form, so we don't have to repeat 1028 * that. 1029 */ 1030 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY 1031 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) { 1032 TOK822 *tree; 1033 TOK822 **addr_list; 1034 TOK822 **tpp; 1035 1036 tree = tok822_parse(vstring_str(buf) 1037 + strlen(header_info->name) + 1); 1038 addr_list = tok822_grep(tree, TOK822_ADDR); 1039 for (tpp = addr_list; *tpp; tpp++) 1040 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps, 1041 smtp_ext_prop_mask & EXT_PROP_GENERIC); 1042 if (did_rewrite) { 1043 vstring_truncate(buf, strlen(header_info->name)); 1044 vstring_strcat(buf, ": "); 1045 tok822_externalize(buf, tree, TOK822_STR_HEAD); 1046 } 1047 myfree((char *) addr_list); 1048 tok822_free_tree(tree); 1049 } 1050 1051 /* 1052 * Pass through unmodified headers without reconstruction. 1053 */ 1054 if (did_rewrite == 0) { 1055 smtp_header_out(context, header_class, header_info, buf, offset); 1056 return; 1057 } 1058 1059 /* 1060 * A rewritten address list contains one address per line. The code below 1061 * replaces newlines by spaces, to fit as many addresses on a line as 1062 * possible (without rearranging the order of addresses). Prepending 1063 * white space to the beginning of lines is delegated to the output 1064 * routine. 1065 * 1066 * Code derived from cleanup_fold_header(). 1067 */ 1068 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1069 end_line = line + strcspn(line, "\n"); 1070 if (line > start) { 1071 if (end_line - start < 70) { /* TAB counts as one */ 1072 line[-1] = ' '; 1073 } else { 1074 start = line; 1075 } 1076 } 1077 next_line = *end_line ? end_line + 1 : 0; 1078 } 1079 1080 /* 1081 * Prepend a tab to continued header lines that went through the address 1082 * rewriting machinery. Just like smtp_header_out(), this code destroys 1083 * the header. We could try to avoid clobbering it, but we're not going 1084 * to use the data any further. 1085 * 1086 * Code derived from cleanup_out_header(). 1087 */ 1088 for (line = start = vstring_str(buf); line != 0; line = next_line) { 1089 next_line = split_at(line, '\n'); 1090 if (line == start || IS_SPACE_TAB(*line)) { 1091 smtp_text_out(state, REC_TYPE_NORM, line, next_line ? 1092 next_line - line - 1 : strlen(line), offset); 1093 } else { 1094 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line); 1095 } 1096 } 1097} 1098 1099/* smtp_body_rewrite - rewrite message body before output */ 1100 1101static void smtp_body_rewrite(void *context, int type, 1102 const char *buf, ssize_t len, 1103 off_t offset) 1104{ 1105 SMTP_STATE *state = (SMTP_STATE *) context; 1106 char *result; 1107 1108 /* 1109 * Apply optional body filtering. 1110 */ 1111 if (smtp_body_checks) { 1112 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset); 1113 if (result == buf) { 1114 smtp_text_out(state, type, buf, len, offset); 1115 } else if (result == HBC_CHECKS_STAT_ERROR) { 1116 msg_warn("%s: smtp body checks lookup error", 1117 state->request->queue_id); 1118 vstream_longjmp(state->session->stream, SMTP_ERR_DATA); 1119 } else if (result != 0) { 1120 smtp_text_out(state, type, result, strlen(result), offset); 1121 myfree(result); 1122 } 1123 } 1124} 1125 1126/* smtp_mime_fail - MIME problem */ 1127 1128static void smtp_mime_fail(SMTP_STATE *state, int mime_errs) 1129{ 1130 const MIME_STATE_DETAIL *detail; 1131 SMTP_RESP fake; 1132 1133 detail = mime_state_detail(mime_errs); 1134 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 1135 SMTP_RESP_FAKE(&fake, detail->dsn), 1136 "%s", detail->text); 1137} 1138 1139/* smtp_loop - exercise the SMTP protocol engine */ 1140 1141static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, 1142 NOCLOBBER int recv_state) 1143{ 1144 const char *myname = "smtp_loop"; 1145 DELIVER_REQUEST *request = state->request; 1146 SMTP_SESSION *session = state->session; 1147 SMTP_ITERATOR *iter = state->iterator; 1148 SMTP_RESP *resp; 1149 RECIPIENT *rcpt; 1150 VSTRING *next_command = vstring_alloc(100); 1151 int *NOCLOBBER survivors = 0; 1152 NOCLOBBER int next_state; 1153 NOCLOBBER int next_rcpt; 1154 NOCLOBBER int send_rcpt; 1155 NOCLOBBER int recv_rcpt; 1156 NOCLOBBER int nrcpt; 1157 NOCLOBBER int recv_done; 1158 int except; 1159 int rec_type; 1160 NOCLOBBER int prev_type = 0; 1161 NOCLOBBER int mail_from_rejected; 1162 NOCLOBBER int downgrading; 1163 int mime_errs; 1164 SMTP_RESP fake; 1165 int fail_status; 1166 1167 /* 1168 * Macros for readability. 1169 */ 1170#define REWRITE_ADDRESS(dst, src) do { \ 1171 vstring_strcpy(dst, src); \ 1172 if (*(src) && smtp_generic_maps) \ 1173 smtp_map11_internal(dst, smtp_generic_maps, \ 1174 smtp_ext_prop_mask & EXT_PROP_GENERIC); \ 1175 } while (0) 1176 1177#define QUOTE_ADDRESS(dst, src) do { \ 1178 if (*(src) && var_smtp_quote_821_env) { \ 1179 quote_821_local(dst, src); \ 1180 } else { \ 1181 vstring_strcpy(dst, src); \ 1182 } \ 1183 } while (0) 1184 1185 /* Caution: changes to RETURN() also affect code outside the main loop. */ 1186 1187#define RETURN(x) do { \ 1188 if (recv_state != SMTP_STATE_LAST) \ 1189 DONT_CACHE_THIS_SESSION; \ 1190 vstring_free(next_command); \ 1191 if (survivors) \ 1192 myfree((char *) survivors); \ 1193 if (session->mime_state) \ 1194 session->mime_state = mime_state_free(session->mime_state); \ 1195 return (x); \ 1196 } while (0) 1197 1198#define SENDER_IS_AHEAD \ 1199 (recv_state < send_state || recv_rcpt != send_rcpt) 1200 1201#define SENDER_IN_WAIT_STATE \ 1202 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST) 1203 1204#define SENDING_MAIL \ 1205 (recv_state <= SMTP_STATE_DOT) 1206 1207#define CANT_RSET_THIS_SESSION \ 1208 (session->features |= SMTP_FEATURE_RSET_REJECTED) 1209 1210 /* 1211 * Pipelining support requires two loops: one loop for sending and one 1212 * for receiving. Each loop has its own independent state. Most of the 1213 * time the sender can run ahead of the receiver by as much as the TCP 1214 * send buffer permits. There are only two places where the sender must 1215 * wait for status information from the receiver: once after sending DATA 1216 * and once after sending QUIT. 1217 * 1218 * The sender state advances until the TCP send buffer would overflow, or 1219 * until the sender needs status information from the receiver. At that 1220 * point the receiver starts processing responses. Once the receiver has 1221 * caught up with the sender, the sender resumes sending commands. If the 1222 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO 1223 * commands rejected, DATA rejected) it forces the sender to abort the 1224 * SMTP dialog with RSET and QUIT. 1225 */ 1226 nrcpt = 0; 1227 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0; 1228 mail_from_rejected = 0; 1229 1230 /* 1231 * Prepare for disaster. This should not be needed because the design 1232 * guarantees that no output is flushed before smtp_chat_resp() is 1233 * called. 1234 * 1235 * 1) Every SMTP command fits entirely in a VSTREAM output buffer. 1236 * 1237 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that 1238 * there is sufficient space for the command in the output buffer. 1239 * 1240 * 3) smtp_loop() flushes the output buffer to avoid server timeouts. 1241 * 1242 * Changing any of these would violate the design, and would likely break 1243 * SMTP pipelining. 1244 * 1245 * We set up the error handler anyway (only upon entry to avoid wasting 1246 * resources) because 1) there is code below that expects that VSTREAM 1247 * timeouts are enabled, and 2) this allows us to detect if someone broke 1248 * Postfix by introducing spurious flush before read operations. 1249 */ 1250 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR 1251 || send_state > SMTP_STATE_QUIT) 1252 msg_panic("%s: bad sender state %d (receiver state %d)", 1253 myname, send_state, recv_state); 1254 smtp_stream_setup(session->stream, *xfer_timeouts[send_state], 1255 var_smtp_rec_deadline); 1256 if ((except = vstream_setjmp(session->stream)) != 0) { 1257 msg_warn("smtp_proto: spurious flush before read in send state %d", 1258 send_state); 1259 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1260 xfer_states[send_state]) : -1); 1261 } 1262 1263 /* 1264 * The main protocol loop. 1265 */ 1266 do { 1267 1268 /* 1269 * Build the next command. 1270 */ 1271 switch (send_state) { 1272 1273 /* 1274 * Sanity check. 1275 */ 1276 default: 1277 msg_panic("%s: bad sender state %d", myname, send_state); 1278 1279 /* 1280 * Build the XFORWARD command. With properly sanitized 1281 * information, the command length stays within the 512 byte 1282 * command line length limit. 1283 * 1284 * XXX smtpd_xforward_preset() initializes some fields as "unknown" 1285 * and some as null; historically, pickup(8) does not send any of 1286 * these, and the queue manager presets absent fields to "not 1287 * available" except for the rewrite context which is preset to 1288 * local by way of migration aid. These definitions need to be 1289 * centralized for maintainability. 1290 */ 1291#ifndef CAN_FORWARD_CLIENT_NAME 1292#define _ATTR_AVAIL_AND_KNOWN_(val) \ 1293 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) 1294#define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ 1295#define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ 1296#define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ 1297#define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ 1298#define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL 1299#define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL 1300#define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL 1301#endif 1302 1303 case SMTP_STATE_XFORWARD_NAME_ADDR: 1304 vstring_strcpy(next_command, XFORWARD_CMD); 1305 if ((session->features & SMTP_FEATURE_XFORWARD_NAME) 1306 && CAN_FORWARD_CLIENT_NAME(request->client_name)) { 1307 vstring_strcat(next_command, " " XFORWARD_NAME "="); 1308 xtext_quote_append(next_command, request->client_name, ""); 1309 } 1310 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 1311 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { 1312 vstring_strcat(next_command, " " XFORWARD_ADDR "="); 1313 xtext_quote_append(next_command, request->client_addr, ""); 1314 } 1315 if ((session->features & SMTP_FEATURE_XFORWARD_PORT) 1316 && CAN_FORWARD_CLIENT_PORT(request->client_port)) { 1317 vstring_strcat(next_command, " " XFORWARD_PORT "="); 1318 xtext_quote_append(next_command, request->client_port, ""); 1319 } 1320 if (session->send_proto_helo) 1321 next_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1322 else 1323 next_state = SMTP_STATE_MAIL; 1324 break; 1325 1326 case SMTP_STATE_XFORWARD_PROTO_HELO: 1327 vstring_strcpy(next_command, XFORWARD_CMD); 1328 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) 1329 && CAN_FORWARD_PROTO_NAME(request->client_proto)) { 1330 vstring_strcat(next_command, " " XFORWARD_PROTO "="); 1331 xtext_quote_append(next_command, request->client_proto, ""); 1332 } 1333 if ((session->features & SMTP_FEATURE_XFORWARD_HELO) 1334 && CAN_FORWARD_HELO_NAME(request->client_helo)) { 1335 vstring_strcat(next_command, " " XFORWARD_HELO "="); 1336 xtext_quote_append(next_command, request->client_helo, ""); 1337 } 1338 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 1339 && CAN_FORWARD_IDENT_NAME(request->log_ident)) { 1340 vstring_strcat(next_command, " " XFORWARD_IDENT "="); 1341 xtext_quote_append(next_command, request->log_ident, ""); 1342 } 1343 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 1344 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { 1345 vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); 1346 xtext_quote_append(next_command, 1347 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 1348 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, ""); 1349 } 1350 next_state = SMTP_STATE_MAIL; 1351 break; 1352 1353 /* 1354 * Build the MAIL FROM command. 1355 */ 1356 case SMTP_STATE_MAIL: 1357 request->msg_stats.reuse_count = session->reuse_count; 1358 GETTIMEOFDAY(&request->msg_stats.conn_setup_done); 1359 REWRITE_ADDRESS(session->scratch2, request->sender); 1360 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1361 vstring_sprintf(next_command, "MAIL FROM:<%s>", 1362 vstring_str(session->scratch)); 1363 /* XXX Don't announce SIZE if we're going to MIME downgrade. */ 1364 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */ 1365 && !SMTP_MIME_DOWNGRADE(session, request)) 1366 vstring_sprintf_append(next_command, " SIZE=%lu", 1367 request->data_size); 1368 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */ 1369 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0) 1370 vstring_strcat(next_command, " BODY=8BITMIME"); 1371 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0) 1372 vstring_strcat(next_command, " BODY=7BIT"); 1373 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0) 1374 msg_warn("%s: unknown content encoding: %s", 1375 request->queue_id, request->encoding); 1376 } 1377 if (session->features & SMTP_FEATURE_DSN) { 1378 if (request->dsn_envid[0]) { 1379 vstring_sprintf_append(next_command, " ENVID="); 1380 xtext_quote_append(next_command, request->dsn_envid, "+="); 1381 } 1382 if (request->dsn_ret) 1383 vstring_sprintf_append(next_command, " RET=%s", 1384 dsn_ret_str(request->dsn_ret)); 1385 } 1386 1387 /* 1388 * We authenticate the local MTA only, but not the sender. 1389 */ 1390#ifdef USE_SASL_AUTH 1391 if (var_smtp_sasl_enable 1392 && var_smtp_dummy_mail_auth 1393 && (session->features & SMTP_FEATURE_AUTH)) 1394 vstring_strcat(next_command, " AUTH=<>"); 1395#endif 1396 1397 /* 1398 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail 1399 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA 1400 * commands to our TLS session. 1401 * 1402 * For the attack to succeed, the remote SMTP server must reply to 1403 * the malicious EHLO/MAIL/RCPT/DATA commands after completing 1404 * TLS (re)negotiation, so that the replies arrive in our TLS 1405 * session (otherwise the Postfix SMTP client would time out 1406 * waiting for an answer). With some luck we can detect this 1407 * specific attack as a server MAIL reply that arrives before we 1408 * send our own MAIL command. 1409 * 1410 * We don't apply this test to the HELO command because the result 1411 * would be very timing sensitive, and we don't apply this test 1412 * to RCPT and DATA replies because these may be pipelined for 1413 * legitimate reasons. 1414 */ 1415#ifdef USE_TLS 1416 if (var_smtp_tls_blk_early_mail_reply 1417 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 1418 && (vstream_peek(session->stream) > 0 1419 || peekfd(vstream_fileno(session->stream)) > 0)) 1420 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY; 1421#endif 1422 1423 /* 1424 * We now return to our regular broadcast. 1425 */ 1426 next_state = SMTP_STATE_RCPT; 1427 break; 1428 1429 /* 1430 * Build one RCPT TO command before we have seen the MAIL FROM 1431 * response. 1432 */ 1433 case SMTP_STATE_RCPT: 1434 rcpt = request->rcpt_list.info + send_rcpt; 1435 REWRITE_ADDRESS(session->scratch2, rcpt->address); 1436 QUOTE_ADDRESS(session->scratch, vstring_str(session->scratch2)); 1437 vstring_sprintf(next_command, "RCPT TO:<%s>", 1438 vstring_str(session->scratch)); 1439 if (session->features & SMTP_FEATURE_DSN) { 1440 /* XXX DSN xtext encode address value not type. */ 1441 if (rcpt->dsn_orcpt[0]) { 1442 xtext_quote(session->scratch, rcpt->dsn_orcpt, "+="); 1443 vstring_sprintf_append(next_command, " ORCPT=%s", 1444 vstring_str(session->scratch)); 1445 } else if (rcpt->orig_addr[0]) { 1446 quote_822_local(session->scratch, rcpt->orig_addr); 1447 vstring_sprintf(session->scratch2, "rfc822;%s", 1448 vstring_str(session->scratch)); 1449 xtext_quote(session->scratch, vstring_str(session->scratch2), "+="); 1450 vstring_sprintf_append(next_command, " ORCPT=%s", 1451 vstring_str(session->scratch)); 1452 } 1453 if (rcpt->dsn_notify) 1454 vstring_sprintf_append(next_command, " NOTIFY=%s", 1455 dsn_notify_str(rcpt->dsn_notify)); 1456 } 1457 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state)) 1458 next_state = DEL_REQ_TRACE_ONLY(request->flags) ? 1459 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1460 break; 1461 1462 /* 1463 * Build the DATA command before we have seen all the RCPT TO 1464 * responses. 1465 */ 1466 case SMTP_STATE_DATA: 1467 vstring_strcpy(next_command, "DATA"); 1468 next_state = SMTP_STATE_DOT; 1469 break; 1470 1471 /* 1472 * Build the "." command after we have seen the DATA response 1473 * (DATA is a protocol synchronization point). 1474 * 1475 * Changing the connection caching state here is safe because it 1476 * affects none of the not-yet processed replies to 1477 * already-generated commands. 1478 */ 1479 case SMTP_STATE_DOT: 1480 vstring_strcpy(next_command, "."); 1481 if (THIS_SESSION_IS_EXPIRED) 1482 DONT_CACHE_THIS_SESSION; 1483 next_state = THIS_SESSION_IS_CACHED ? 1484 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1485 break; 1486 1487 /* 1488 * The SMTP_STATE_ABORT sender state is entered by the sender 1489 * when it has verified all recipients; or it is entered by the 1490 * receiver when all recipients are verified or rejected, and is 1491 * then left before the bottom of the main loop. 1492 * 1493 * Changing the connection caching state here is safe because there 1494 * are no not-yet processed replies to already-generated 1495 * commands. 1496 */ 1497 case SMTP_STATE_ABORT: 1498 vstring_strcpy(next_command, "RSET"); 1499 if (THIS_SESSION_IS_EXPIRED) 1500 DONT_CACHE_THIS_SESSION; 1501 next_state = THIS_SESSION_IS_CACHED ? 1502 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1503 break; 1504 1505 /* 1506 * Build the RSET command. This is entered as initial state from 1507 * smtp_rset() and has its own dedicated state transitions. It is 1508 * used to find out the status of a cached session before 1509 * attempting mail delivery. 1510 */ 1511 case SMTP_STATE_RSET: 1512 vstring_strcpy(next_command, "RSET"); 1513 next_state = SMTP_STATE_LAST; 1514 break; 1515 1516 /* 1517 * Build the QUIT command before we have seen the "." or RSET 1518 * response. This is entered as initial state from smtp_quit(), 1519 * or is reached near the end of any non-cached session. 1520 * 1521 * Changing the connection caching state here is safe. If this 1522 * command is pipelined together with a preceding command, then 1523 * connection caching was already turned off. Do not clobber the 1524 * "bad connection" flag. 1525 */ 1526 case SMTP_STATE_QUIT: 1527 vstring_strcpy(next_command, "QUIT"); 1528 next_state = SMTP_STATE_LAST; 1529 if (THIS_SESSION_IS_CACHED) 1530 DONT_CACHE_THIS_SESSION; 1531 break; 1532 1533 /* 1534 * The final sender state has no action associated with it. 1535 */ 1536 case SMTP_STATE_LAST: 1537 VSTRING_RESET(next_command); 1538 break; 1539 } 1540 VSTRING_TERMINATE(next_command); 1541 1542 /* 1543 * Process responses until the receiver has caught up. Vstreams 1544 * automatically flush buffered output when reading new data. 1545 * 1546 * Flush unsent output if command pipelining is off or if no I/O 1547 * happened for a while. This limits the accumulation of client-side 1548 * delays in pipelined sessions. 1549 * 1550 * The PIPELINING engine will flush the VSTREAM buffer if the sender 1551 * could otherwise produce more output than fits the PIPELINING 1552 * buffer. This generally works because we know exactly how much 1553 * output we produced since the last time that the sender and 1554 * receiver synchronized the SMTP state. However this logic is not 1555 * applicable after the sender enters the DATA phase, where it does 1556 * not synchronize with the receiver until the <CR><LF>.<CR><LF>. 1557 * Thus, the PIPELINING engine no longer knows how much data is 1558 * pending in the TCP send buffer. For this reason, if PIPELINING is 1559 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is 1560 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP 1561 * stack either has already received the QUIT<CR><LF>, or else it 1562 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>, 1563 * making room in the sender's TCP stack for QUIT<CR><LF>. 1564 */ 1565#define CHECK_PIPELINING_BUFSIZE \ 1566 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT) 1567 1568 if (SENDER_IN_WAIT_STATE 1569 || (SENDER_IS_AHEAD 1570 && ((session->features & SMTP_FEATURE_PIPELINING) == 0 1571 || (CHECK_PIPELINING_BUFSIZE 1572 && (VSTRING_LEN(next_command) + 2 1573 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND) 1574 > PIPELINING_BUFSIZE)) 1575 || time((time_t *) 0) 1576 - vstream_ftime(session->stream) > 10))) { 1577 while (SENDER_IS_AHEAD) { 1578 1579 /* 1580 * Sanity check. 1581 */ 1582 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR 1583 || recv_state > SMTP_STATE_QUIT) 1584 msg_panic("%s: bad receiver state %d (sender state %d)", 1585 myname, recv_state, send_state); 1586 1587 /* 1588 * Receive the next server response. Use the proper timeout, 1589 * and log the proper client state in case of trouble. 1590 * 1591 * XXX If we lose the connection before sending end-of-data, 1592 * find out if the server sent a premature end-of-data reply. 1593 * If this read attempt fails, report "lost connection while 1594 * sending message body", not "lost connection while sending 1595 * end-of-data". 1596 * 1597 * "except" becomes zero just above the protocol loop, and stays 1598 * zero or triggers an early return from the loop. In just 1599 * one case: loss of the connection when sending the message 1600 * body, we record the exception, and keep processing in the 1601 * hope of detecting a premature 5XX. We must be careful to 1602 * not clobber this non-zero value once it is set. The 1603 * variable need not survive longjmp() calls, since the only 1604 * setjmp() which does not return early is the one sets this 1605 * condition, subquent failures always return early. 1606 */ 1607#define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) 1608 1609 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state], 1610 var_smtp_rec_deadline); 1611 if (LOST_CONNECTION_INSIDE_DATA) { 1612 if (vstream_setjmp(session->stream) != 0) 1613 RETURN(smtp_stream_except(state, SMTP_ERR_EOF, 1614 "sending message body")); 1615 } else { 1616 if ((except = vstream_setjmp(session->stream)) != 0) 1617 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1618 xfer_states[recv_state]) : -1); 1619 } 1620 resp = smtp_chat_resp(session); 1621 1622 /* 1623 * Process the response. 1624 */ 1625 switch (recv_state) { 1626 1627 /* 1628 * Process the XFORWARD response. 1629 */ 1630 case SMTP_STATE_XFORWARD_NAME_ADDR: 1631 if (resp->code / 100 != 2) 1632 msg_warn("host %s said: %s (in reply to %s)", 1633 session->namaddrport, 1634 translit(resp->str, "\n", " "), 1635 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]); 1636 if (session->send_proto_helo) 1637 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1638 else 1639 recv_state = SMTP_STATE_MAIL; 1640 break; 1641 1642 case SMTP_STATE_XFORWARD_PROTO_HELO: 1643 if (resp->code / 100 != 2) 1644 msg_warn("host %s said: %s (in reply to %s)", 1645 session->namaddrport, 1646 translit(resp->str, "\n", " "), 1647 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]); 1648 recv_state = SMTP_STATE_MAIL; 1649 break; 1650 1651 /* 1652 * Process the MAIL FROM response. When the server 1653 * rejects the sender, set the mail_from_rejected flag so 1654 * that the receiver may apply a course correction. 1655 */ 1656 case SMTP_STATE_MAIL: 1657 if (resp->code / 100 != 2) { 1658 smtp_mesg_fail(state, STR(iter->host), resp, 1659 "host %s said: %s (in reply to %s)", 1660 session->namaddr, 1661 translit(resp->str, "\n", " "), 1662 xfer_request[SMTP_STATE_MAIL]); 1663 mail_from_rejected = 1; 1664 } 1665 1666 /* 1667 * CVE-2009-3555 (TLS renegotiation). Whatever it was 1668 * that arrived before we sent our MAIL FROM command, it 1669 * was not a fatal-level TLS alert message. It could be a 1670 * warning-level TLS alert message, or a ChangeCipherSpec 1671 * message, but such messages are not normally sent in 1672 * the middle of a TLS session. We disconnect and try 1673 * again later. 1674 */ 1675#ifdef USE_TLS 1676 if (var_smtp_tls_blk_early_mail_reply 1677 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) { 1678 smtp_site_fail(state, DSN_BY_LOCAL_MTA, 1679 SMTP_RESP_FAKE(&fake, "4.7.0"), 1680 "unexpected server message"); 1681 msg_warn("server %s violates %s policy", 1682 session->namaddr, 1683 SMTP_X(TLS_BLK_EARLY_MAIL_REPLY)); 1684 mail_from_rejected = 1; 1685 } 1686#endif 1687 1688 /* 1689 * We now return to our regular broadcast. 1690 */ 1691 recv_state = SMTP_STATE_RCPT; 1692 break; 1693 1694 /* 1695 * Process one RCPT TO response. If MAIL FROM was 1696 * rejected, ignore RCPT TO responses: all recipients are 1697 * dead already. When all recipients are rejected the 1698 * receiver may apply a course correction. 1699 * 1700 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply 1701 * must be treated as if the server replied with 452. 1702 * However, this causes "too much mail data" to be 1703 * treated as a recoverable error, which is wrong. I'll 1704 * stick with RFC 821. 1705 */ 1706 case SMTP_STATE_RCPT: 1707 if (!mail_from_rejected) { 1708#ifdef notdef 1709 if (resp->code == 552) { 1710 resp->code = 452; 1711 resp->dsn[0] = '4'; 1712 } 1713#endif 1714 rcpt = request->rcpt_list.info + recv_rcpt; 1715 if (resp->code / 100 == 2) { 1716 if (!smtp_mode) { 1717 if (survivors == 0) 1718 survivors = (int *) 1719 mymalloc(request->rcpt_list.len 1720 * sizeof(int)); 1721 survivors[nrcpt] = recv_rcpt; 1722 } 1723 ++nrcpt; 1724 /* If trace-only, mark the recipient done. */ 1725 if (DEL_REQ_TRACE_ONLY(request->flags)) { 1726 translit(resp->str, "\n", " "); 1727 smtp_rcpt_done(state, resp, rcpt); 1728 } 1729 } else { 1730 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 1731 "host %s said: %s (in reply to %s)", 1732 session->namaddr, 1733 translit(resp->str, "\n", " "), 1734 xfer_request[SMTP_STATE_RCPT]); 1735 } 1736 } 1737 /* If trace-only, send RSET instead of DATA. */ 1738 if (++recv_rcpt == SMTP_RCPT_LEFT(state)) 1739 recv_state = DEL_REQ_TRACE_ONLY(request->flags) ? 1740 SMTP_STATE_ABORT : SMTP_STATE_DATA; 1741 /* XXX Also: record if non-delivering session. */ 1742 break; 1743 1744 /* 1745 * Process the DATA response. When the server rejects 1746 * DATA, set nrcpt to a negative value so that the 1747 * receiver can apply a course correction. 1748 */ 1749 case SMTP_STATE_DATA: 1750 if (resp->code / 100 != 3) { 1751 if (nrcpt > 0) 1752 smtp_mesg_fail(state, STR(iter->host), resp, 1753 "host %s said: %s (in reply to %s)", 1754 session->namaddr, 1755 translit(resp->str, "\n", " "), 1756 xfer_request[SMTP_STATE_DATA]); 1757 nrcpt = -1; 1758 } 1759 recv_state = SMTP_STATE_DOT; 1760 break; 1761 1762 /* 1763 * Process the end of message response. Ignore the 1764 * response when no recipient was accepted: all 1765 * recipients are dead already, and the next receiver 1766 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise, 1767 * if the message transfer fails, bounce all remaining 1768 * recipients, else cross off the recipients that were 1769 * delivered. 1770 */ 1771 case SMTP_STATE_DOT: 1772 GETTIMEOFDAY(&request->msg_stats.deliver_done); 1773 if (smtp_mode) { 1774 if (nrcpt > 0) { 1775 if (resp->code / 100 != 2) { 1776 smtp_mesg_fail(state, STR(iter->host), resp, 1777 "host %s said: %s (in reply to %s)", 1778 session->namaddr, 1779 translit(resp->str, "\n", " "), 1780 xfer_request[SMTP_STATE_DOT]); 1781 } else { 1782 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 1783 rcpt = request->rcpt_list.info + nrcpt; 1784 if (!SMTP_RCPT_ISMARKED(rcpt)) { 1785 translit(resp->str, "\n", " "); 1786 smtp_rcpt_done(state, resp, rcpt); 1787 } 1788 } 1789 } 1790 } 1791 } 1792 1793 /* 1794 * With LMTP we have one response per accepted RCPT TO 1795 * command. Stay in the SMTP_STATE_DOT state until we 1796 * have collected all responses. 1797 */ 1798 else { 1799 if (nrcpt > 0) { 1800 rcpt = request->rcpt_list.info 1801 + survivors[recv_done++]; 1802 if (resp->code / 100 != 2) { 1803 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 1804 "host %s said: %s (in reply to %s)", 1805 session->namaddr, 1806 translit(resp->str, "\n", " "), 1807 xfer_request[SMTP_STATE_DOT]); 1808 } else { 1809 translit(resp->str, "\n", " "); 1810 smtp_rcpt_done(state, resp, rcpt); 1811 } 1812 } 1813 if (msg_verbose) 1814 msg_info("%s: got %d of %d end-of-data replies", 1815 myname, recv_done, nrcpt); 1816 if (recv_done < nrcpt) 1817 break; 1818 } 1819 1820 /* 1821 * XXX Do not change the connection caching state here, 1822 * even if the connection caching timer expired between 1823 * generating the command and processing the reply, 1824 * otherwise the sender and receiver loops get out of 1825 * sync. The caller will call smtp_quit() if appropriate. 1826 */ 1827 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED 1828 || LOST_CONNECTION_INSIDE_DATA) 1829 recv_state = SMTP_STATE_LAST; 1830 else 1831 recv_state = SMTP_STATE_QUIT; 1832 break; 1833 1834 /* 1835 * Receive the RSET response. 1836 * 1837 * The SMTP_STATE_ABORT sender state is entered by the 1838 * sender when it has verified all recipients; or it is 1839 * entered by the receiver when all recipients are 1840 * verified or rejected, and is then left before the 1841 * bottom of the main loop. 1842 * 1843 * XXX Do not change the connection caching state here, even 1844 * if the server rejected RSET or if the connection 1845 * caching timer expired between generating the command 1846 * and processing the reply, otherwise the sender and 1847 * receiver loops get out of sync. The caller will call 1848 * smtp_quit() if appropriate. 1849 */ 1850 case SMTP_STATE_ABORT: 1851 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ? 1852 SMTP_STATE_LAST : SMTP_STATE_QUIT); 1853 break; 1854 1855 /* 1856 * This is the initial receiver state from smtp_rset(). 1857 * It is used to find out the status of a cached session 1858 * before attempting mail delivery. 1859 */ 1860 case SMTP_STATE_RSET: 1861 if (resp->code / 100 != 2) 1862 CANT_RSET_THIS_SESSION; 1863 recv_state = SMTP_STATE_LAST; 1864 break; 1865 1866 /* 1867 * Receive, but otherwise ignore, the QUIT response. 1868 */ 1869 case SMTP_STATE_QUIT: 1870 recv_state = SMTP_STATE_LAST; 1871 break; 1872 } 1873 } 1874 1875 /* 1876 * At this point, the sender and receiver are fully synchronized. 1877 */ 1878 1879 /* 1880 * We know the server response to every command that was sent. 1881 * Apply a course correction if necessary: the sender wants to 1882 * send RCPT TO but MAIL FROM was rejected; the sender wants to 1883 * send DATA but all recipients were rejected; the sender wants 1884 * to deliver the message but DATA was rejected. 1885 */ 1886 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected) 1887 || (send_state == SMTP_STATE_DATA && nrcpt == 0) 1888 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) { 1889 send_state = recv_state = SMTP_STATE_ABORT; 1890 send_rcpt = recv_rcpt = 0; 1891 vstring_strcpy(next_command, "RSET"); 1892 if (THIS_SESSION_IS_EXPIRED) 1893 DONT_CACHE_THIS_SESSION; 1894 next_state = THIS_SESSION_IS_CACHED ? 1895 SMTP_STATE_LAST : SMTP_STATE_QUIT; 1896 /* XXX Also: record if non-delivering session. */ 1897 next_rcpt = 0; 1898 } 1899 } 1900 1901 /* 1902 * Make the next sender state the current sender state. 1903 */ 1904 if (send_state == SMTP_STATE_LAST) 1905 continue; 1906 1907 /* 1908 * Special case if the server accepted the DATA command. If the 1909 * server accepted at least one recipient send the entire message. 1910 * Otherwise, just send "." as per RFC 2197. 1911 * 1912 * XXX If there is a hard MIME error while downgrading to 7-bit mail, 1913 * disconnect ungracefully, because there is no other way to cancel a 1914 * transaction in progress. 1915 */ 1916 if (send_state == SMTP_STATE_DOT && nrcpt > 0) { 1917 1918 smtp_stream_setup(session->stream, var_smtp_data1_tmout, 1919 var_smtp_rec_deadline); 1920 1921 if ((except = vstream_setjmp(session->stream)) == 0) { 1922 1923 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0) 1924 msg_fatal("seek queue file: %m"); 1925 1926 downgrading = SMTP_MIME_DOWNGRADE(session, request); 1927 1928 /* 1929 * XXX Don't downgrade just because generic_maps is turned 1930 * on. 1931 */ 1932#define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks) 1933 1934 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS) 1935 session->mime_state = mime_state_alloc(downgrading ? 1936 MIME_OPT_DOWNGRADE 1937 | MIME_OPT_REPORT_NESTING : 1938 SMTP_ANY_CHECKS == 0 ? 1939 MIME_OPT_DISABLE_MIME : 1940 0, 1941 smtp_generic_maps 1942 || smtp_header_checks ? 1943 smtp_header_rewrite : 1944 smtp_header_out, 1945 (MIME_STATE_ANY_END) 0, 1946 smtp_body_checks ? 1947 smtp_body_rewrite : 1948 smtp_text_out, 1949 (MIME_STATE_ANY_END) 0, 1950 (MIME_STATE_ERR_PRINT) 0, 1951 (void *) state); 1952 state->space_left = var_smtp_line_limit; 1953 1954 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) { 1955 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 1956 break; 1957 if (session->mime_state == 0) { 1958 smtp_text_out((void *) state, rec_type, 1959 vstring_str(session->scratch), 1960 VSTRING_LEN(session->scratch), 1961 (off_t) 0); 1962 } else { 1963 mime_errs = 1964 mime_state_update(session->mime_state, rec_type, 1965 vstring_str(session->scratch), 1966 VSTRING_LEN(session->scratch)); 1967 if (mime_errs) { 1968 smtp_mime_fail(state, mime_errs); 1969 RETURN(0); 1970 } 1971 } 1972 prev_type = rec_type; 1973 } 1974 1975 if (session->mime_state) { 1976 1977 /* 1978 * The cleanup server normally ends MIME content with a 1979 * normal text record. The following code is needed to 1980 * flush an internal buffer when someone submits 8-bit 1981 * mail not ending in newline via /usr/sbin/sendmail 1982 * while MIME input processing is turned off, and MIME 1983 * 8bit->7bit conversion is requested upon delivery. 1984 * 1985 * Or some error while doing generic address mapping. 1986 */ 1987 mime_errs = 1988 mime_state_update(session->mime_state, rec_type, "", 0); 1989 if (mime_errs) { 1990 smtp_mime_fail(state, mime_errs); 1991 RETURN(0); 1992 } 1993 } else if (prev_type == REC_TYPE_CONT) /* missing newline */ 1994 smtp_fputs("", 0, session->stream); 1995 if ((session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) != 0 1996 && request->msg_stats.incoming_arrival.tv_sec 1997 <= vstream_ftime(session->stream) - var_smtp_pix_thresh) { 1998 smtp_flush(session->stream);/* hurts performance */ 1999 sleep(var_smtp_pix_delay); /* not to mention this */ 2000 } 2001 if (vstream_ferror(state->src)) 2002 msg_fatal("queue file read error"); 2003 if (rec_type != REC_TYPE_XTRA) { 2004 msg_warn("%s: bad record type: %d in message content", 2005 request->queue_id, rec_type); 2006 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2007 SMTP_RESP_FAKE(&fake, "5.3.0"), 2008 "unreadable mail queue entry"); 2009 /* Bailing out, abort stream with prejudice */ 2010 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 2011 DONT_USE_DEAD_SESSION; 2012 /* If bounce_append() succeeded, status is still 0 */ 2013 if (state->status == 0) 2014 (void) mark_corrupt(state->src); 2015 /* Don't override smtp_mesg_fail() here. */ 2016 RETURN(fail_status); 2017 } 2018 } else { 2019 if (!LOST_CONNECTION_INSIDE_DATA) 2020 RETURN(smtp_stream_except(state, except, 2021 "sending message body")); 2022 2023 /* 2024 * We will clear the stream error flag to try and read a 2025 * premature 5XX response, so it is important to flush any 2026 * unwritten data. Otherwise, we will try to flush it again 2027 * before reading, which may incur an unnecessary delay and 2028 * will prevent the reading of any response that is not 2029 * already buffered (bundled with the DATA 354 response). 2030 * 2031 * Not much point in sending QUIT at this point, skip right to 2032 * SMTP_STATE_LAST. The read engine above will likewise avoid 2033 * looking for a QUIT response. 2034 */ 2035 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE); 2036 next_state = SMTP_STATE_LAST; 2037 } 2038 } 2039 2040 /* 2041 * Copy the next command to the buffer and update the sender state. 2042 */ 2043 if (except == 0) { 2044 smtp_chat_cmd(session, "%s", vstring_str(next_command)); 2045 } else { 2046 DONT_CACHE_THIS_SESSION; 2047 } 2048 send_state = next_state; 2049 send_rcpt = next_rcpt; 2050 } while (recv_state != SMTP_STATE_LAST); 2051 RETURN(0); 2052} 2053 2054/* smtp_xfer - send a batch of envelope information and the message data */ 2055 2056int smtp_xfer(SMTP_STATE *state) 2057{ 2058 DELIVER_REQUEST *request = state->request; 2059 SMTP_SESSION *session = state->session; 2060 SMTP_RESP fake; 2061 int send_state; 2062 int recv_state; 2063 int send_name_addr; 2064 int result; 2065 2066 /* 2067 * Sanity check. Recipients should be unmarked at this point. 2068 */ 2069 if (SMTP_RCPT_LEFT(state) <= 0) 2070 msg_panic("smtp_xfer: bad recipient count: %d", 2071 SMTP_RCPT_LEFT(state)); 2072 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info)) 2073 msg_panic("smtp_xfer: bad recipient status: %d", 2074 request->rcpt_list.info->u.status); 2075 2076 /* 2077 * See if we should even try to send this message at all. This code sits 2078 * here rather than in the EHLO processing code, because of SMTP 2079 * connection caching. 2080 */ 2081 if (session->size_limit > 0 && session->size_limit < request->data_size) { 2082 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2083 SMTP_RESP_FAKE(&fake, "5.3.4"), 2084 "message size %lu exceeds size limit %.0f of server %s", 2085 request->data_size, (double) session->size_limit, 2086 session->namaddr); 2087 /* Redundant. We abort this delivery attempt. */ 2088 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2089 return (0); 2090 } 2091 2092 /* 2093 * Use XFORWARD to forward the origin of this email message across an 2094 * SMTP-based content filter. Send client attribute information only if 2095 * it exists (i.e. remote submission). Local submissions have no client 2096 * attributes; the mail will appear to originate from the content filter 2097 * which is acceptable. 2098 */ 2099 send_name_addr = 2100 var_smtp_send_xforward 2101 && (((session->features & SMTP_FEATURE_XFORWARD_NAME) 2102 && CAN_FORWARD_CLIENT_NAME(request->client_name)) 2103 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 2104 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) 2105 || ((session->features & SMTP_FEATURE_XFORWARD_PORT) 2106 && CAN_FORWARD_CLIENT_PORT(request->client_port))); 2107 session->send_proto_helo = 2108 var_smtp_send_xforward 2109 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO) 2110 && CAN_FORWARD_PROTO_NAME(request->client_proto)) 2111 || ((session->features & SMTP_FEATURE_XFORWARD_HELO) 2112 && CAN_FORWARD_HELO_NAME(request->client_helo)) 2113 || ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 2114 && CAN_FORWARD_IDENT_NAME(request->log_ident)) 2115 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 2116 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))); 2117 if (send_name_addr) 2118 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR; 2119 else if (session->send_proto_helo) 2120 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO; 2121 else 2122 recv_state = send_state = SMTP_STATE_MAIL; 2123 2124 /* 2125 * Remember this session's "normal completion", even if the server 4xx-ed 2126 * some or all recipients. Connection or handshake errors with a later MX 2127 * host should not cause this destination be marked as unreachable. 2128 */ 2129 result = smtp_loop(state, send_state, recv_state); 2130 2131 if (result == 0 2132 /* Just in case */ 2133 && vstream_ferror(session->stream) == 0 2134 && vstream_feof(session->stream) == 0) 2135 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION; 2136 2137 return (result); 2138} 2139 2140/* smtp_rset - send a lone RSET command */ 2141 2142int smtp_rset(SMTP_STATE *state) 2143{ 2144 2145 /* 2146 * This works because SMTP_STATE_RSET is a dedicated sender/recipient 2147 * entry state, with SMTP_STATE_LAST as next sender/recipient state. 2148 */ 2149 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET)); 2150} 2151 2152/* smtp_quit - send a lone QUIT command */ 2153 2154int smtp_quit(SMTP_STATE *state) 2155{ 2156 2157 /* 2158 * This works because SMTP_STATE_QUIT is the last state with a sender 2159 * action, with SMTP_STATE_LAST as the next sender/recipient state. 2160 */ 2161 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ? 2162 SMTP_STATE_LAST : SMTP_STATE_QUIT)); 2163} 2164