1/*++ 2/* NAME 3/* smtp_connect 3 4/* SUMMARY 5/* connect to SMTP/LMTP server and deliver 6/* SYNOPSIS 7/* #include "smtp.h" 8/* 9/* int smtp_connect(state) 10/* SMTP_STATE *state; 11/* DESCRIPTION 12/* This module implements SMTP/LMTP connection management and controls 13/* mail delivery. 14/* 15/* smtp_connect() attempts to establish an SMTP/LMTP session with a host 16/* that represents the destination domain, or with an optional fallback 17/* relay when {the destination cannot be found, or when all the 18/* destination servers are unavailable}. It skips over IP addresses 19/* that fail to complete the SMTP/LMTP handshake and tries to find 20/* an alternate server when an SMTP/LMTP session fails to deliver. 21/* 22/* This layer also controls what connections are retrieved from 23/* the connection cache, and what connections are saved to the cache. 24/* 25/* The destination is either a host (or domain) name or a numeric 26/* address. Symbolic or numeric service port information may be 27/* appended, separated by a colon (":"). In the case of LMTP, 28/* destinations may be specified as "unix:pathname", "inet:host" 29/* or "inet:host:port". 30/* 31/* With SMTP, the Internet domain name service is queried for mail 32/* exchanger hosts. Quote the domain name with `[' and `]' to 33/* suppress mail exchanger lookups. 34/* 35/* Numerical address information should always be quoted with `[]'. 36/* DIAGNOSTICS 37/* The delivery status is the result value. 38/* SEE ALSO 39/* smtp_proto(3) SMTP client protocol 40/* LICENSE 41/* .ad 42/* .fi 43/* The Secure Mailer license must be distributed with this software. 44/* AUTHOR(S) 45/* Wietse Venema 46/* IBM T.J. Watson Research 47/* P.O. Box 704 48/* Yorktown Heights, NY 10598, USA 49/* 50/* Connection caching in cooperation with: 51/* Victor Duchovni 52/* Morgan Stanley 53/*--*/ 54 55/* System library. */ 56 57#include <sys_defs.h> 58#include <stdlib.h> 59#include <sys/socket.h> 60#include <sys/un.h> 61#include <netinet/in.h> 62#include <arpa/inet.h> 63#include <errno.h> 64#include <netdb.h> 65#include <stdlib.h> 66#include <string.h> 67#include <unistd.h> 68#include <fcntl.h> 69#include <ctype.h> 70 71#ifndef IPPORT_SMTP 72#define IPPORT_SMTP 25 73#endif 74 75/* Utility library. */ 76 77#include <msg.h> 78#include <vstream.h> 79#include <vstring.h> 80#include <split_at.h> 81#include <mymalloc.h> 82#include <inet_addr_list.h> 83#include <iostuff.h> 84#include <timed_connect.h> 85#include <stringops.h> 86#include <host_port.h> 87#include <sane_connect.h> 88#include <myaddrinfo.h> 89#include <sock_addr.h> 90#include <inet_proto.h> 91 92/* Global library. */ 93 94#include <mail_params.h> 95#include <own_inet_addr.h> 96#include <deliver_pass.h> 97#include <mail_error.h> 98#include <dsn_buf.h> 99#include <mail_addr.h> 100 101/* DNS library. */ 102 103#include <dns.h> 104 105/* Application-specific. */ 106 107#include <smtp.h> 108#include <smtp_addr.h> 109#include <smtp_reuse.h> 110 111 /* 112 * Forward declaration. 113 */ 114static SMTP_SESSION *smtp_connect_sock(int, struct sockaddr *, int, 115 const char *, const char *, 116 unsigned, 117 const char *, DSN_BUF *, 118 int); 119 120/* smtp_connect_unix - connect to UNIX-domain address */ 121 122static SMTP_SESSION *smtp_connect_unix(const char *addr, 123 DSN_BUF *why, 124 int sess_flags) 125{ 126 const char *myname = "smtp_connect_unix"; 127 struct sockaddr_un sock_un; 128 int len = strlen(addr); 129 int sock; 130 131 dsb_reset(why); /* Paranoia */ 132 133 /* 134 * Sanity checks. 135 */ 136 if (len >= (int) sizeof(sock_un.sun_path)) { 137 msg_warn("unix-domain name too long: %s", addr); 138 dsb_simple(why, "4.3.5", "Server configuration error"); 139 return (0); 140 } 141 142 /* 143 * Initialize. 144 */ 145 memset((char *) &sock_un, 0, sizeof(sock_un)); 146 sock_un.sun_family = AF_UNIX; 147#ifdef HAS_SUN_LEN 148 sock_un.sun_len = len + 1; 149#endif 150 memcpy(sock_un.sun_path, addr, len + 1); 151 152 /* 153 * Create a client socket. 154 */ 155 if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) 156 msg_fatal("%s: socket: %m", myname); 157 158 /* 159 * Connect to the server. 160 */ 161 if (msg_verbose) 162 msg_info("%s: trying: %s...", myname, addr); 163 164 return (smtp_connect_sock(sock, (struct sockaddr *) & sock_un, 165 sizeof(sock_un), var_myhostname, addr, 166 0, addr, why, sess_flags)); 167} 168 169/* smtp_connect_addr - connect to explicit address */ 170 171static SMTP_SESSION *smtp_connect_addr(const char *destination, DNS_RR *addr, 172 unsigned port, DSN_BUF *why, 173 int sess_flags) 174{ 175 const char *myname = "smtp_connect_addr"; 176 struct sockaddr_storage ss; /* remote */ 177 struct sockaddr *sa = (struct sockaddr *) & ss; 178 SOCKADDR_SIZE salen = sizeof(ss); 179 MAI_HOSTADDR_STR hostaddr; 180 int sock; 181 char *bind_addr; 182 char *bind_var; 183 184 dsb_reset(why); /* Paranoia */ 185 186 /* 187 * Sanity checks. 188 */ 189 if (dns_rr_to_sa(addr, port, sa, &salen) != 0) { 190 msg_warn("%s: skip address type %s: %m", 191 myname, dns_strtype(addr->type)); 192 dsb_simple(why, "4.4.0", "network address conversion failed: %m"); 193 return (0); 194 } 195 196 /* 197 * Initialize. 198 */ 199 if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0) 200 msg_fatal("%s: socket: %m", myname); 201 202 if (inet_windowsize > 0) 203 set_inet_windowsize(sock, inet_windowsize); 204 205 /* 206 * Allow the sysadmin to specify the source address, for example, as "-o 207 * smtp_bind_address=x.x.x.x" in the master.cf file. 208 */ 209#ifdef HAS_IPV6 210 if (sa->sa_family == AF_INET6) { 211 bind_addr = var_smtp_bind_addr6; 212 bind_var = VAR_SMTP_BIND_ADDR6; 213 } else 214#endif 215 if (sa->sa_family == AF_INET) { 216 bind_addr = var_smtp_bind_addr; 217 bind_var = VAR_SMTP_BIND_ADDR; 218 } else 219 bind_var = bind_addr = ""; 220 if (*bind_addr) { 221 int aierr; 222 struct addrinfo *res0; 223 224 if ((aierr = hostaddr_to_sockaddr(bind_addr, (char *) 0, 0, &res0)) != 0) 225 msg_fatal("%s: bad %s parameter: %s: %s", 226 myname, bind_var, bind_addr, MAI_STRERROR(aierr)); 227 if (bind(sock, res0->ai_addr, res0->ai_addrlen) < 0) 228 msg_warn("%s: bind %s: %m", myname, bind_addr); 229 else if (msg_verbose) 230 msg_info("%s: bind %s", myname, bind_addr); 231 freeaddrinfo(res0); 232 } 233 234 /* 235 * When running as a virtual host, bind to the virtual interface so that 236 * the mail appears to come from the "right" machine address. 237 * 238 * XXX The IPv6 patch expands the null host (as client endpoint) and uses 239 * the result as the loopback address list. 240 */ 241 else { 242 int count = 0; 243 struct sockaddr *own_addr = 0; 244 INET_ADDR_LIST *addr_list = own_inet_addr_list(); 245 struct sockaddr_storage *s; 246 247 for (s = addr_list->addrs; s < addr_list->addrs + addr_list->used; s++) { 248 if (SOCK_ADDR_FAMILY(s) == sa->sa_family) { 249 if (count++ > 0) 250 break; 251 own_addr = SOCK_ADDR_PTR(s); 252 } 253 } 254 if (count == 1 && !sock_addr_in_loopback(own_addr)) { 255 if (bind(sock, own_addr, SOCK_ADDR_LEN(own_addr)) < 0) { 256 SOCKADDR_TO_HOSTADDR(own_addr, SOCK_ADDR_LEN(own_addr), 257 &hostaddr, (MAI_SERVPORT_STR *) 0, 0); 258 msg_warn("%s: bind %s: %m", myname, hostaddr.buf); 259 } else if (msg_verbose) { 260 SOCKADDR_TO_HOSTADDR(own_addr, SOCK_ADDR_LEN(own_addr), 261 &hostaddr, (MAI_SERVPORT_STR *) 0, 0); 262 msg_info("%s: bind %s", myname, hostaddr.buf); 263 } 264 } 265 } 266 267 /* 268 * Connect to the server. 269 */ 270 SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0); 271 if (msg_verbose) 272 msg_info("%s: trying: %s[%s] port %d...", 273 myname, SMTP_HNAME(addr), hostaddr.buf, ntohs(port)); 274 275 return (smtp_connect_sock(sock, sa, salen, SMTP_HNAME(addr), hostaddr.buf, 276 port, destination, why, sess_flags)); 277} 278 279/* smtp_connect_sock - connect a socket over some transport */ 280 281static SMTP_SESSION *smtp_connect_sock(int sock, struct sockaddr * sa, 282 int salen, const char *name, 283 const char *addr, 284 unsigned port, 285 const char *destination, 286 DSN_BUF *why, 287 int sess_flags) 288{ 289 int conn_stat; 290 int saved_errno; 291 VSTREAM *stream; 292 time_t start_time; 293 294 start_time = time((time_t *) 0); 295 if (var_smtp_conn_tmout > 0) { 296 non_blocking(sock, NON_BLOCKING); 297 conn_stat = timed_connect(sock, sa, salen, var_smtp_conn_tmout); 298 saved_errno = errno; 299 non_blocking(sock, BLOCKING); 300 errno = saved_errno; 301 } else { 302 conn_stat = sane_connect(sock, sa, salen); 303 } 304 if (conn_stat < 0) { 305 if (port) 306 dsb_simple(why, "4.4.1", "connect to %s[%s]:%d: %m", 307 name, addr, ntohs(port)); 308 else 309 dsb_simple(why, "4.4.1", "connect to %s[%s]: %m", name, addr); 310 close(sock); 311 return (0); 312 } 313 stream = vstream_fdopen(sock, O_RDWR); 314 315 /* 316 * Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. 317 */ 318 if (sa->sa_family == AF_INET 319#ifdef AF_INET6 320 || sa->sa_family == AF_INET6 321#endif 322 ) 323 vstream_tweak_tcp(stream); 324 325 /* 326 * Bundle up what we have into a nice SMTP_SESSION object. 327 */ 328 return (smtp_session_alloc(stream, destination, name, addr, 329 port, start_time, sess_flags)); 330} 331 332/* smtp_parse_destination - parse host/port destination */ 333 334static char *smtp_parse_destination(char *destination, char *def_service, 335 char **hostp, unsigned *portp) 336{ 337 char *buf = mystrdup(destination); 338 char *service; 339 struct servent *sp; 340 char *protocol = "tcp"; /* XXX configurable? */ 341 unsigned port; 342 const char *err; 343 344 if (msg_verbose) 345 msg_info("smtp_parse_destination: %s %s", destination, def_service); 346 347 /* 348 * Parse the host/port information. We're working with a copy of the 349 * destination argument so the parsing can be destructive. 350 */ 351 if ((err = host_port(buf, hostp, (char *) 0, &service, def_service)) != 0) 352 msg_fatal("%s in server description: %s", err, destination); 353 354 /* 355 * Convert service to port number, network byte order. 356 */ 357 if (alldig(service)) { 358 if ((port = atoi(service)) >= 65536 || port == 0) 359 msg_fatal("bad network port in destination: %s", destination); 360 *portp = htons(port); 361 } else { 362 if ((sp = getservbyname(service, protocol)) == 0) 363 msg_fatal("unknown service: %s/%s", service, protocol); 364 *portp = sp->s_port; 365 } 366 return (buf); 367} 368 369/* smtp_cleanup_session - clean up after using a session */ 370 371static void smtp_cleanup_session(SMTP_STATE *state) 372{ 373 DELIVER_REQUEST *request = state->request; 374 SMTP_SESSION *session = state->session; 375 int bad_session; 376 377 /* 378 * Inform the postmaster of trouble. 379 * 380 * XXX Don't send notifications about errors while sending notifications. 381 */ 382#define POSSIBLE_NOTIFICATION(sender) \ 383 (*sender == 0 || strcmp(sender, mail_addr_double_bounce()) == 0) 384 385 if (session->history != 0 386 && (session->error_mask & name_mask(VAR_NOTIFY_CLASSES, 387 mail_error_masks, 388 var_notify_classes)) != 0 389 && POSSIBLE_NOTIFICATION(request->sender) == 0) 390 smtp_chat_notify(session); 391 392 /* 393 * When session caching is enabled, cache the first good session for this 394 * delivery request under the next-hop destination, and cache all good 395 * sessions under their server network address (destroying the session in 396 * the process). 397 * 398 * Caching under the next-hop destination name (rather than the fall-back 399 * destination) allows us to skip over non-responding primary or backup 400 * hosts. In fact, this is the only benefit of caching logical to 401 * physical bindings; caching a session under its own hostname provides 402 * no performance benefit, given the way smtp_connect() works. 403 */ 404 bad_session = THIS_SESSION_IS_BAD; /* smtp_quit() may fail */ 405 if (THIS_SESSION_IS_EXPIRED) 406 smtp_quit(state); /* also disables caching */ 407 if (THIS_SESSION_IS_CACHED 408 /* Redundant tests for safety... */ 409 && vstream_ferror(session->stream) == 0 410 && vstream_feof(session->stream) == 0) { 411 smtp_save_session(state); 412 } else { 413 smtp_session_free(session); 414 } 415 state->session = 0; 416 417 /* 418 * If this session was good, reset the logical next-hop state, so that we 419 * won't cache connections to alternate servers under the logical 420 * next-hop destination. Otherwise we could end up skipping over the 421 * available and more preferred servers. 422 */ 423 if (HAVE_NEXTHOP_STATE(state) && !bad_session) 424 FREE_NEXTHOP_STATE(state); 425 426 /* 427 * Clean up the lists with todo and dropped recipients. 428 */ 429 smtp_rcpt_cleanup(state); 430 431 /* 432 * Reset profiling info. 433 * 434 * XXX When one delivery request results in multiple sessions, the set-up 435 * and transmission latencies of the earlier sessions will count as 436 * connection set-up time for the later sessions. 437 * 438 * XXX On the other hand, when we first try to connect to one or more dead 439 * hosts before we reach a good host, then all that time must be counted 440 * as connection set-up time for the session with the good host. 441 * 442 * XXX So this set-up attribution problem exists only when we actually 443 * engage in a session, spend a lot of time delivering a message, find 444 * that it fails, and then connect to an alternate host. 445 */ 446 memset((char *) &request->msg_stats.conn_setup_done, 0, 447 sizeof(request->msg_stats.conn_setup_done)); 448 memset((char *) &request->msg_stats.deliver_done, 0, 449 sizeof(request->msg_stats.deliver_done)); 450 request->msg_stats.reuse_count = 0; 451} 452 453static void smtp_cache_policy(SMTP_STATE *state, const char *dest) 454{ 455 DELIVER_REQUEST *request = state->request; 456 457 state->misc_flags &= ~SMTP_MISC_FLAG_CONN_CACHE_MASK; 458 459 /* 460 * XXX Disable connection caching when sender-dependent authentication is 461 * enabled. We must not send someone elses mail over an authenticated 462 * connection, and we must not send mail that requires authentication 463 * over a connection that wasn't authenticated. 464 */ 465 if (var_smtp_sender_auth) 466 return; 467 468 if (smtp_cache_dest && string_list_match(smtp_cache_dest, dest)) { 469 state->misc_flags |= SMTP_MISC_FLAG_CONN_CACHE_MASK; 470 } else if (var_smtp_cache_demand) { 471 if (request->flags & DEL_REQ_FLAG_CONN_LOAD) 472 state->misc_flags |= SMTP_MISC_FLAG_CONN_LOAD; 473 if (request->flags & DEL_REQ_FLAG_CONN_STORE) 474 state->misc_flags |= SMTP_MISC_FLAG_CONN_STORE; 475 } 476} 477 478/* smtp_connect_local - connect to local server */ 479 480static void smtp_connect_local(SMTP_STATE *state, const char *path) 481{ 482 const char *myname = "smtp_connect_local"; 483 SMTP_SESSION *session; 484 DSN_BUF *why = state->why; 485 486 /* 487 * It's too painful to weave this code into the SMTP connection 488 * management routine. 489 * 490 * Connection cache management is based on the UNIX-domain pathname, without 491 * the "unix:" prefix. 492 */ 493 smtp_cache_policy(state, path); 494 495 /* 496 * XXX We assume that the session->addr member refers to a copy of the 497 * UNIX-domain pathname, so that smtp_save_session() will cache the 498 * connection using the pathname as the physical endpoint name. 499 */ 500#define NO_PORT 0 501 502 /* 503 * Opportunistic TLS for unix domain sockets does not make much sense, 504 * since the channel is private, mere encryption without authentication 505 * is just wasted cycles and opportunity for breakage. Since we are not 506 * willing to retry after TLS handshake failures here, we downgrade "may" 507 * no "none". Nothing is lost, and much waste is avoided. 508 * 509 * We don't know who is authenticating whom, so if a client cert is 510 * available, "encrypt" may be a sensible policy. Otherwise, we also 511 * downgrade "encrypt" to "none", this time just to avoid waste. 512 */ 513 if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0 514 || (session = smtp_reuse_addr(state, path, NO_PORT)) == 0) 515 session = smtp_connect_unix(path, why, state->misc_flags); 516 if ((state->session = session) != 0) { 517 session->state = state; 518#ifdef USE_TLS 519 session->tls_nexthop = var_myhostname; /* for TLS_LEV_SECURE */ 520 if (session->tls_level == TLS_LEV_MAY) { 521 msg_warn("%s: opportunistic TLS encryption is not appropriate " 522 "for unix-domain destinations.", myname); 523 session->tls_level = TLS_LEV_NONE; 524 } 525#endif 526 /* All delivery errors bounce or defer. */ 527 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 528 529 /* 530 * When a TLS handshake fails, the stream is marked "dead" to avoid 531 * further I/O over a broken channel. 532 */ 533 if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0 534 && smtp_helo(state) != 0) { 535 if (!THIS_SESSION_IS_DEAD 536 && vstream_ferror(session->stream) == 0 537 && vstream_feof(session->stream) == 0) 538 smtp_quit(state); 539 } else { 540 smtp_xfer(state); 541 } 542 543 /* 544 * With opportunistic TLS disabled we don't expect to be asked to 545 * retry connections without TLS, and so we expect the final server 546 * flag to stay on. 547 */ 548 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_SERVER) == 0) 549 msg_panic("%s: unix-domain destination not final!", myname); 550 smtp_cleanup_session(state); 551 } 552} 553 554/* smtp_scrub_address_list - delete all cached addresses from list */ 555 556static void smtp_scrub_addr_list(HTABLE *cached_addr, DNS_RR **addr_list) 557{ 558 MAI_HOSTADDR_STR hostaddr; 559 DNS_RR *addr; 560 DNS_RR *next; 561 562 /* 563 * XXX Extend the DNS_RR structure with fields for the printable address 564 * and/or binary sockaddr representations, so that we can avoid repeated 565 * binary->string transformations for the same address. 566 */ 567 for (addr = *addr_list; addr; addr = next) { 568 next = addr->next; 569 if (dns_rr_to_pa(addr, &hostaddr) == 0) { 570 msg_warn("cannot convert type %s resource record to socket address", 571 dns_strtype(addr->type)); 572 continue; 573 } 574 if (htable_locate(cached_addr, hostaddr.buf)) 575 *addr_list = dns_rr_remove(*addr_list, addr); 576 } 577} 578 579/* smtp_update_addr_list - common address list update */ 580 581static void smtp_update_addr_list(DNS_RR **addr_list, const char *server_addr, 582 int session_count) 583{ 584 DNS_RR *addr; 585 DNS_RR *next; 586 int aierr; 587 struct addrinfo *res0; 588 589 if (*addr_list == 0) 590 return; 591 592 /* 593 * Truncate the address list if we are not going to use it anyway. 594 */ 595 if (session_count == var_smtp_mxsess_limit 596 || session_count == var_smtp_mxaddr_limit) { 597 dns_rr_free(*addr_list); 598 *addr_list = 0; 599 return; 600 } 601 602 /* 603 * Convert server address to internal form, and look it up in the address 604 * list. 605 * 606 * XXX smtp_reuse_session() breaks if we remove two or more adjacent list 607 * elements but do not truncate the list to zero length. 608 * 609 * XXX Extend the SMTP_SESSION structure with sockaddr information so that 610 * we can avoid repeated string->binary transformations for the same 611 * address. 612 */ 613 if ((aierr = hostaddr_to_sockaddr(server_addr, (char *) 0, 0, &res0)) != 0) { 614 msg_warn("hostaddr_to_sockaddr %s: %s", 615 server_addr, MAI_STRERROR(aierr)); 616 } else { 617 for (addr = *addr_list; addr; addr = next) { 618 next = addr->next; 619 if (DNS_RR_EQ_SA(addr, (struct sockaddr *) res0->ai_addr)) { 620 *addr_list = dns_rr_remove(*addr_list, addr); 621 break; 622 } 623 } 624 freeaddrinfo(res0); 625 } 626} 627 628/* smtp_reuse_session - try to use existing connection, return session count */ 629 630static int smtp_reuse_session(SMTP_STATE *state, int lookup_mx, 631 const char *domain, unsigned port, 632 DNS_RR **addr_list, int domain_best_pref) 633{ 634 int session_count = 0; 635 DNS_RR *addr; 636 DNS_RR *next; 637 MAI_HOSTADDR_STR hostaddr; 638 SMTP_SESSION *session; 639 640 /* 641 * First, search the cache by logical destination. We truncate the server 642 * address list when all the sessions for this destination are used up, 643 * to reduce the number of variables that need to be checked later. 644 * 645 * Note: lookup by logical destination restores the "best MX" bit. 646 */ 647 if (*addr_list && SMTP_RCPT_LEFT(state) > 0 648 && (session = smtp_reuse_domain(state, lookup_mx, domain, port)) != 0) { 649 session_count = 1; 650 smtp_update_addr_list(addr_list, session->addr, session_count); 651 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 652 && *addr_list == 0) 653 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 654 smtp_xfer(state); 655 smtp_cleanup_session(state); 656 } 657 658 /* 659 * Second, search the cache by primary MX address. Again, we use address 660 * list truncation so that we have to check fewer variables later. 661 * 662 * XXX This loop is safe because smtp_update_addr_list() either truncates 663 * the list to zero length, or removes at most one list element. 664 */ 665 for (addr = *addr_list; SMTP_RCPT_LEFT(state) > 0 && addr; addr = next) { 666 if (addr->pref != domain_best_pref) 667 break; 668 next = addr->next; 669 if (dns_rr_to_pa(addr, &hostaddr) != 0 670 && (session = smtp_reuse_addr(state, hostaddr.buf, port)) != 0) { 671 session->features |= SMTP_FEATURE_BEST_MX; 672 session_count += 1; 673 smtp_update_addr_list(addr_list, session->addr, session_count); 674 if (*addr_list == 0) 675 next = 0; 676 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 677 && next == 0) 678 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 679 smtp_xfer(state); 680 smtp_cleanup_session(state); 681 } 682 } 683 return (session_count); 684} 685 686/* smtp_connect_inet - establish network connection */ 687 688static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop, 689 char *def_service) 690{ 691 DELIVER_REQUEST *request = state->request; 692 ARGV *sites; 693 char *dest; 694 char **cpp; 695 int non_fallback_sites; 696 int retry_plain = 0; 697 DSN_BUF *why = state->why; 698 699 /* 700 * For sanity, require that at least one of INET or INET6 is enabled. 701 * Otherwise, we can't look up interface information, and we can't 702 * convert names or addresses. 703 */ 704 if (inet_proto_info()->ai_family_list[0] == 0) { 705 dsb_simple(why, "4.4.4", "all network protocols are disabled"); 706 return; 707 } 708 709 /* 710 * First try to deliver to the indicated destination, then try to deliver 711 * to the optional fall-back relays. 712 * 713 * Future proofing: do a null destination sanity check in case we allow the 714 * primary destination to be a list (it could be just separators). 715 */ 716 sites = argv_alloc(1); 717 argv_add(sites, nexthop, (char *) 0); 718 if (sites->argc == 0) 719 msg_panic("null destination: \"%s\"", nexthop); 720 non_fallback_sites = sites->argc; 721 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) 722 argv_split_append(sites, var_fallback_relay, ", \t\r\n"); 723 724 /* 725 * Don't give up after a hard host lookup error until we have tried the 726 * fallback relay servers. 727 * 728 * Don't bounce mail after a host lookup problem with a relayhost or with a 729 * fallback relay. 730 * 731 * Don't give up after a qualifying soft error until we have tried all 732 * qualifying backup mail servers. 733 * 734 * All this means that error handling and error reporting depends on whether 735 * the error qualifies for trying to deliver to a backup mail server, or 736 * whether we're looking up a relayhost or fallback relay. The challenge 737 * then is to build this into the pre-existing SMTP client without 738 * getting lost in the complexity. 739 */ 740#define IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites) \ 741 (*(cpp) && (cpp) >= (sites)->argv + (non_fallback_sites)) 742 743 for (cpp = sites->argv, (state->misc_flags |= SMTP_MISC_FLAG_FIRST_NEXTHOP); 744 SMTP_RCPT_LEFT(state) > 0 && (dest = *cpp) != 0; 745 cpp++, (state->misc_flags &= ~SMTP_MISC_FLAG_FIRST_NEXTHOP)) { 746 char *dest_buf; 747 char *domain; 748 unsigned port; 749 DNS_RR *addr_list; 750 DNS_RR *addr; 751 DNS_RR *next; 752 int addr_count; 753 int sess_count; 754 SMTP_SESSION *session; 755 int lookup_mx; 756 unsigned domain_best_pref; 757 MAI_HOSTADDR_STR hostaddr; 758 759 if (cpp[1] == 0) 760 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 761 762 /* 763 * Parse the destination. Default is to use the SMTP port. Look up 764 * the address instead of the mail exchanger when a quoted host is 765 * specified, or when DNS lookups are disabled. 766 */ 767 dest_buf = smtp_parse_destination(dest, def_service, &domain, &port); 768 if (var_helpful_warnings && ntohs(port) == 465) { 769 msg_info("CLIENT wrappermode (port smtps/465) is unimplemented"); 770 msg_info("instead, send to (port submission/587) with STARTTLS"); 771 } 772 773 /* 774 * Resolve an SMTP server. Skip mail exchanger lookups when a quoted 775 * host is specified, or when DNS lookups are disabled. 776 */ 777 if (msg_verbose) 778 msg_info("connecting to %s port %d", domain, ntohs(port)); 779 if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 780 if (ntohs(port) == IPPORT_SMTP) 781 state->misc_flags |= SMTP_MISC_FLAG_LOOP_DETECT; 782 else 783 state->misc_flags &= ~SMTP_MISC_FLAG_LOOP_DETECT; 784 lookup_mx = (var_disable_dns == 0 && *dest != '['); 785 } else 786 lookup_mx = 0; 787 if (!lookup_mx) { 788 addr_list = smtp_host_addr(domain, state->misc_flags, why); 789 /* XXX We could be an MX host for this destination... */ 790 } else { 791 int i_am_mx = 0; 792 793 addr_list = smtp_domain_addr(domain, state->misc_flags, 794 why, &i_am_mx); 795 /* If we're MX host, don't connect to non-MX backups. */ 796 if (i_am_mx) 797 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 798 } 799 800 /* 801 * Don't try fall-back hosts if mail loops to myself. That would just 802 * make the problem worse. 803 */ 804 if (addr_list == 0 && SMTP_HAS_LOOP_DSN(why)) 805 state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP; 806 807 /* 808 * No early loop exit or we have a memory leak with dest_buf. 809 */ 810 if (addr_list) 811 domain_best_pref = addr_list->pref; 812 813 /* 814 * When session caching is enabled, store the first good session for 815 * this delivery request under the next-hop destination name. All 816 * good sessions will be stored under their specific server IP 817 * address. 818 * 819 * XXX Replace sites->argv by (lookup_mx, domain, port) triples so we 820 * don't have to make clumsy ad-hoc copies and keep track of who 821 * free()s the memory. 822 * 823 * XXX smtp_session_cache_destinations specifies domain names without 824 * :port, because : is already used for maptype:mapname. Because of 825 * this limitation we use the bare domain without the optional [] or 826 * non-default TCP port. 827 * 828 * Opportunistic (a.k.a. on-demand) session caching on request by the 829 * queue manager. This is turned temporarily when a destination has a 830 * high volume of mail in the active queue. 831 * 832 * XXX Disable connection caching when sender-dependent authentication 833 * is enabled. We must not send someone elses mail over an 834 * authenticated connection, and we must not send mail that requires 835 * authentication over a connection that wasn't authenticated. 836 */ 837 if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_FIRST_NEXTHOP)) { 838 smtp_cache_policy(state, domain); 839 if (state->misc_flags & SMTP_MISC_FLAG_CONN_STORE) 840 SET_NEXTHOP_STATE(state, lookup_mx, domain, port); 841 } 842 843 /* 844 * Delete visited cached hosts from the address list. 845 * 846 * Optionally search the connection cache by domain name or by primary 847 * MX address before we try to create new connections. 848 * 849 * Enforce the MX session and MX address counts per next-hop or 850 * fall-back destination. smtp_reuse_session() will truncate the 851 * address list when either limit is reached. 852 */ 853 if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD)) { 854 if (state->cache_used->used > 0) 855 smtp_scrub_addr_list(state->cache_used, &addr_list); 856 sess_count = addr_count = 857 smtp_reuse_session(state, lookup_mx, domain, port, 858 &addr_list, domain_best_pref); 859 } else 860 sess_count = addr_count = 0; 861 862 /* 863 * Connect to an SMTP server: create primary MX connections, and 864 * reuse or create backup MX connections. 865 * 866 * At the start of an SMTP session, all recipients are unmarked. In the 867 * course of an SMTP session, recipients are marked as KEEP (deliver 868 * to alternate mail server) or DROP (remove from recipient list). At 869 * the end of an SMTP session, weed out the recipient list. Unmark 870 * any left-over recipients and try to deliver them to a backup mail 871 * server. 872 * 873 * Cache the first good session under the next-hop destination name. 874 * Cache all good sessions under their physical endpoint. 875 * 876 * Don't query the session cache for primary MX hosts. We already did 877 * that in smtp_reuse_session(), and if any were found in the cache, 878 * they were already deleted from the address list. 879 */ 880 for (addr = addr_list; SMTP_RCPT_LEFT(state) > 0 && addr; addr = next) { 881 next = addr->next; 882 if (++addr_count == var_smtp_mxaddr_limit) 883 next = 0; 884 if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0 885 || addr->pref == domain_best_pref 886 || dns_rr_to_pa(addr, &hostaddr) == 0 887 || !(session = smtp_reuse_addr(state, hostaddr.buf, port))) 888 session = smtp_connect_addr(dest, addr, port, why, 889 state->misc_flags); 890 if ((state->session = session) != 0) { 891 session->state = state; 892 if (addr->pref == domain_best_pref) 893 session->features |= SMTP_FEATURE_BEST_MX; 894 /* Don't count handshake errors towards the session limit. */ 895 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 896 && next == 0) 897 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 898#ifdef USE_TLS 899 /* Disable TLS when retrying after a handshake failure */ 900 if (retry_plain) { 901 if (session->tls_level >= TLS_LEV_ENCRYPT) 902 msg_panic("Plain-text retry wrong for mandatory TLS"); 903 session->tls_level = TLS_LEV_NONE; 904 retry_plain = 0; 905 } 906 session->tls_nexthop = domain; /* for TLS_LEV_SECURE */ 907#endif 908 if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0 909 && smtp_helo(state) != 0) { 910#ifdef USE_TLS 911 912 /* 913 * When an opportunistic TLS handshake fails, try the 914 * same address again, with TLS disabled. See also the 915 * RETRY_AS_PLAINTEXT macro. 916 */ 917 if ((retry_plain = session->tls_retry_plain) != 0) { 918 --addr_count; 919 next = addr; 920 } 921#endif 922 923 /* 924 * When a TLS handshake fails, the stream is marked 925 * "dead" to avoid further I/O over a broken channel. 926 */ 927 if (!THIS_SESSION_IS_DEAD 928 && vstream_ferror(session->stream) == 0 929 && vstream_feof(session->stream) == 0) 930 smtp_quit(state); 931 } else { 932 /* Do count delivery errors towards the session limit. */ 933 if (++sess_count == var_smtp_mxsess_limit) 934 next = 0; 935 if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 936 && next == 0) 937 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; 938 smtp_xfer(state); 939 } 940 smtp_cleanup_session(state); 941 } else { 942 /* The reason already includes the IP address and TCP port. */ 943 msg_info("%s", STR(why->reason)); 944 } 945 /* Insert: test if we must skip the remaining MX hosts. */ 946 } 947 dns_rr_free(addr_list); 948 myfree(dest_buf); 949 if (state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP) 950 break; 951 } 952 953 /* 954 * We still need to deliver, bounce or defer some left-over recipients: 955 * either mail loops or some backup mail server was unavailable. 956 */ 957 if (SMTP_RCPT_LEFT(state) > 0) { 958 959 /* 960 * In case of a "no error" indication we make up an excuse: we did 961 * find the host address, but we did not attempt to connect to it. 962 * This can happen when the fall-back relay was already tried via a 963 * cached connection, so that the address list scrubber left behind 964 * an empty list. 965 */ 966 if (!SMTP_HAS_DSN(why)) { 967 dsb_simple(why, "4.3.0", 968 "server unavailable or unable to receive mail"); 969 } 970 971 /* 972 * Pay attention to what could be configuration problems, and pretend 973 * that these are recoverable rather than bouncing the mail. 974 */ 975 else if (!SMTP_HAS_SOFT_DSN(why) 976 && (state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) { 977 978 /* 979 * The fall-back destination did not resolve as expected, or it 980 * is refusing to talk to us, or mail for it loops back to us. 981 */ 982 if (IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites)) { 983 msg_warn("%s configuration problem", VAR_SMTP_FALLBACK); 984 vstring_strcpy(why->status, "4.3.5"); 985 /* XXX Keep the diagnostic code and MTA. */ 986 } 987 988 /* 989 * The next-hop relayhost did not resolve as expected, or it is 990 * refusing to talk to us, or mail for it loops back to us. 991 */ 992 else if (strcmp(sites->argv[0], var_relayhost) == 0) { 993 msg_warn("%s configuration problem", VAR_RELAYHOST); 994 vstring_strcpy(why->status, "4.3.5"); 995 /* XXX Keep the diagnostic code and MTA. */ 996 } 997 998 /* 999 * Mail for the next-hop destination loops back to myself. Pass 1000 * the mail to the best_mx_transport or bounce it. 1001 */ 1002 else if (SMTP_HAS_LOOP_DSN(why) && *var_bestmx_transp) { 1003 dsb_reset(why); /* XXX */ 1004 state->status = deliver_pass_all(MAIL_CLASS_PRIVATE, 1005 var_bestmx_transp, 1006 request); 1007 SMTP_RCPT_LEFT(state) = 0; /* XXX */ 1008 } 1009 } 1010 } 1011 1012 /* 1013 * Cleanup. 1014 */ 1015 if (HAVE_NEXTHOP_STATE(state)) 1016 FREE_NEXTHOP_STATE(state); 1017 argv_free(sites); 1018} 1019 1020/* smtp_connect - establish SMTP connection */ 1021 1022int smtp_connect(SMTP_STATE *state) 1023{ 1024 DELIVER_REQUEST *request = state->request; 1025 char *destination = request->nexthop; 1026 1027 /* 1028 * All deliveries proceed along the same lines, whether they are over TCP 1029 * or UNIX-domain sockets, and whether they use SMTP or LMTP: get a 1030 * connection from the cache or create a new connection; deliver mail; 1031 * update the connection cache or disconnect. 1032 * 1033 * The major differences appear at a higher level: the expansion from 1034 * destination to address list, and whether to stop before we reach the 1035 * end of that list. 1036 */ 1037#define DEF_LMTP_SERVICE var_lmtp_tcp_port 1038#define DEF_SMTP_SERVICE "smtp" 1039 1040 /* 1041 * With LMTP we have direct-to-host delivery only. The destination may 1042 * have multiple IP addresses. 1043 */ 1044 if (state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) { 1045 if (strncmp(destination, "unix:", 5) == 0) { 1046 smtp_connect_local(state, destination + 5); 1047 } else { 1048 if (strncmp(destination, "inet:", 5) == 0) 1049 destination += 5; 1050 smtp_connect_inet(state, destination, DEF_LMTP_SERVICE); 1051 } 1052 } 1053 1054 /* 1055 * With SMTP we can have indirection via MX host lookup, as well as an 1056 * optional fall-back relayhost that we must avoid when we are MX host. 1057 * 1058 * XXX We don't add support for "unix:" or "inet:" prefixes in SMTP 1059 * destinations, because that would break compatibility with existing 1060 * Postfix configurations that have a host with such a name. 1061 */ 1062 else { 1063 smtp_connect_inet(state, destination, DEF_SMTP_SERVICE); 1064 } 1065 1066 /* 1067 * We still need to bounce or defer some left-over recipients: either 1068 * (SMTP) mail loops or some server was unavailable. 1069 * 1070 * We could avoid this (and the "final server" complexity) by keeping one 1071 * DSN structure per recipient in memory, by updating those in-memory 1072 * structures with each delivery attempt, and by always flushing all 1073 * deferred recipients at the end. We'd probably still want to bounce 1074 * recipients immediately, so we'd end up with another chunk of code for 1075 * defer logging only. 1076 */ 1077 if (SMTP_RCPT_LEFT(state) > 0) { 1078 state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER; /* XXX */ 1079 smtp_sess_fail(state); 1080 1081 /* 1082 * Sanity check. Don't silently lose recipients. 1083 */ 1084 smtp_rcpt_cleanup(state); 1085 if (SMTP_RCPT_LEFT(state) > 0) 1086 msg_panic("smtp_connect: left-over recipients"); 1087 } 1088 return (state->status); 1089} 1090