1 /*++
2 /* NAME
3 /* smtp_proto 3
4 /* SUMMARY
5 /* client SMTP/LMTP protocol
6 /* SYNOPSIS
7 /* #include "smtp.h"
8 /*
9 /* int smtp_helo(state)
10 /* SMTP_STATE *state;
11 /*
12 /* int smtp_xfer(state)
13 /* SMTP_STATE *state;
14 /*
15 /* int smtp_rset(state)
16 /* SMTP_STATE *state;
17 /*
18 /* int smtp_quit(state)
19 /* SMTP_STATE *state;
20 /* DESCRIPTION
21 /* In the subsequent text, SMTP implies LMTP.
22 /* This module implements the client side of the SMTP protocol.
23 /*
24 /* smtp_helo() performs the initial handshake with the SMTP server.
25 /* When TLS is enabled, this includes STARTTLS negotiations.
26 /*
27 /* smtp_xfer() sends message envelope information followed by the
28 /* message data, and finishes the SMTP conversation. These operations
29 /* are combined in one function, in order to implement SMTP pipelining.
30 /* Recipients are marked as "done" in the mail queue file when
31 /* bounced or delivered. The message delivery status is updated
32 /* accordingly.
33 /*
34 /* smtp_rset() sends a single RSET command and waits for the
35 /* response. In case of a negative reply it sets the
36 /* CANT_RSET_THIS_SESSION flag.
37 /*
38 /* smtp_quit() sends a single QUIT command and waits for the
39 /* response if configured to do so. It always turns off connection
40 /* caching.
41 /* DIAGNOSTICS
42 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return
43 /* 0 in case of success, -1 in case of failure. For smtp_xfer(),
44 /* smtp_rset() and smtp_quit(), success means the ability to
45 /* perform an SMTP conversation, not necessarily the ability
46 /* to deliver mail, or the achievement of server happiness.
47 /*
48 /* In case of a rejected or failed connection, a connection
49 /* is marked as "bad, do not cache". Otherwise, connection
50 /* caching may be turned off (without being marked "bad") at
51 /* the discretion of the code that implements the individual
52 /* protocol steps.
53 /*
54 /* Warnings: corrupt message file. A corrupt message is marked
55 /* as "corrupt" by changing its queue file permissions.
56 /* BUGS
57 /* Some SMTP servers will abort when the number of recipients
58 /* for one message exceeds their capacity. This behavior violates
59 /* the SMTP protocol.
60 /* The only way around this is to limit the number of recipients
61 /* per transaction to an artificially-low value.
62 /* SEE ALSO
63 /* smtp(3h) internal data structures
64 /* smtp_chat(3) query/reply SMTP support
65 /* smtp_trouble(3) error handlers
66 /* LICENSE
67 /* .ad
68 /* .fi
69 /* The Secure Mailer license must be distributed with this software.
70 /* AUTHOR(S)
71 /* Wietse Venema
72 /* IBM T.J. Watson Research
73 /* P.O. Box 704
74 /* Yorktown Heights, NY 10598, USA
75 /*
76 /* Wietse Venema
77 /* Google, Inc.
78 /* 111 8th Avenue
79 /* New York, NY 10011, USA
80 /*
81 /* Pipelining code in cooperation with:
82 /* Jon Ribbens
83 /* Oaktree Internet Solutions Ltd.,
84 /* Internet House,
85 /* Canal Basin,
86 /* Coventry,
87 /* CV1 4LY, United Kingdom.
88 /*
89 /* Connection caching in cooperation with:
90 /* Victor Duchovni
91 /* Morgan Stanley
92 /*
93 /* TLS support originally by:
94 /* Lutz Jaenicke
95 /* BTU Cottbus
96 /* Allgemeine Elektrotechnik
97 /* Universitaetsplatz 3-4
98 /* D-03044 Cottbus, Germany
99 /*--*/
100
101 /* System library. */
102
103 #include <sys_defs.h>
104 #include <sys/stat.h>
105 #include <sys/socket.h> /* shutdown(2) */
106 #include <netinet/in.h> /* ntohs() */
107 #include <string.h>
108 #include <unistd.h>
109 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */
110 #include <stdarg.h>
111 #include <time.h>
112
113 #ifdef STRCASECMP_IN_STRINGS_H
114 #include <strings.h>
115 #endif
116
117 /* Utility library. */
118
119 #include <msg.h>
120 #include <vstring.h>
121 #include <vstream.h>
122 #include <vstring_vstream.h>
123 #include <stringops.h>
124 #include <mymalloc.h>
125 #include <iostuff.h>
126 #include <split_at.h>
127 #include <name_code.h>
128 #include <name_mask.h>
129
130 /* Global library. */
131
132 #include <mail_params.h>
133 #include <smtp_stream.h>
134 #include <mail_queue.h>
135 #include <recipient_list.h>
136 #include <deliver_request.h>
137 #include <defer.h>
138 #include <bounce.h>
139 #include <record.h>
140 #include <rec_type.h>
141 #include <off_cvt.h>
142 #include <mark_corrupt.h>
143 #include <quote_822_local.h>
144 #include <mail_proto.h>
145 #include <mime_state.h>
146 #include <ehlo_mask.h>
147 #include <maps.h>
148 #include <tok822.h>
149 #include <mail_addr_map.h>
150 #include <ext_prop.h>
151 #include <namadr_list.h>
152 #include <match_parent_style.h>
153 #include <lex_822.h>
154 #include <dsn_mask.h>
155 #include <xtext.h>
156 #include <uxtext.h>
157 #include <smtputf8.h>
158
159 /* Application-specific. */
160
161 #include "smtp.h"
162 #include "smtp_sasl.h"
163
164 /*
165 * Sender and receiver state. A session does not necessarily go through a
166 * linear progression, but states are guaranteed to not jump backwards.
167 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states
168 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST.
169 *
170 * When connection caching is enabled, the QUIT state is suppressed. Normal
171 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions
172 * end with ABORT->LAST. The connection is left open for a limited time. An
173 * RSET probe should be sent before attempting to reuse an open connection
174 * for a new transaction.
175 *
176 * The code to send an RSET probe is a special case with its own initial state
177 * and with its own dedicated state transitions. The session proceeds as
178 * RSET->LAST. This code is kept inside the main protocol engine for
179 * consistent error handling and error reporting. It is not to be confused
180 * with the code that sends RSET to abort a mail transaction in progress.
181 *
182 * The code to send QUIT without message delivery transaction jumps into the
183 * main state machine. If this introduces complications, then we should
184 * introduce a second QUIT state with its own dedicated state transitions,
185 * just like we did for RSET probes.
186 *
187 * By default, the receiver skips the QUIT response. Some SMTP servers
188 * disconnect after responding to ".", and some SMTP servers wait before
189 * responding to QUIT.
190 *
191 * Client states that are associated with sending mail (up to and including
192 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending
193 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST).
194 */
195 #define SMTP_STATE_XFORWARD_NAME_ADDR 0
196 #define SMTP_STATE_XFORWARD_PROTO_HELO 1
197 #define SMTP_STATE_MAIL 2
198 #define SMTP_STATE_RCPT 3
199 #define SMTP_STATE_DATA 4
200 #define SMTP_STATE_DOT 5
201 #define SMTP_STATE_ABORT 6
202 #define SMTP_STATE_RSET 7
203 #define SMTP_STATE_QUIT 8
204 #define SMTP_STATE_LAST 9
205
206 int *xfer_timeouts[SMTP_STATE_LAST] = {
207 &var_smtp_xfwd_tmout, /* name/addr */
208 &var_smtp_xfwd_tmout, /* helo/proto */
209 &var_smtp_mail_tmout,
210 &var_smtp_rcpt_tmout,
211 &var_smtp_data0_tmout,
212 &var_smtp_data2_tmout,
213 &var_smtp_rset_tmout,
214 &var_smtp_rset_tmout,
215 &var_smtp_quit_tmout,
216 };
217
218 char *xfer_states[SMTP_STATE_LAST] = {
219 "sending XFORWARD name/address",
220 "sending XFORWARD protocol/helo_name",
221 "sending MAIL FROM",
222 "sending RCPT TO",
223 "sending DATA command",
224 "sending end of data -- message may be sent more than once",
225 "sending final RSET",
226 "sending RSET probe",
227 "sending QUIT",
228 };
229
230 char *xfer_request[SMTP_STATE_LAST] = {
231 "XFORWARD name/address command",
232 "XFORWARD helo/protocol command",
233 "MAIL FROM command",
234 "RCPT TO command",
235 "DATA command",
236 "end of DATA command",
237 "final RSET command",
238 "RSET probe",
239 "QUIT command",
240 };
241
242 /*
243 * Note: MIME downgrade never happens for mail that must be delivered with
244 * SMTPUTF8 (the sender requested SMTPUTF8, AND the delivery request
245 * involves at least one UTF-8 envelope address or header value.
246 */
247 #define SMTP_MIME_DOWNGRADE(session, request) \
248 (var_disable_mime_oconv == 0 \
249 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \
250 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0)
251
252 #ifdef USE_TLS
253
254 static int smtp_start_tls(SMTP_STATE *);
255
256 #endif
257
258 /*
259 * Call-back information for header/body checks. We don't provide call-backs
260 * for actions that change the message delivery time or destination.
261 */
262 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *);
263 static void smtp_text_out(void *, int, const char *, ssize_t, off_t);
264
265 HBC_CALL_BACKS smtp_hbc_callbacks[1] = {
266 smtp_hbc_logger,
267 smtp_text_out,
268 };
269
270 static int smtp_vrfy_tgt;
271
272 /* smtp_vrfy_init - initialize */
273
smtp_vrfy_init(void)274 void smtp_vrfy_init(void)
275 {
276 static const NAME_CODE vrfy_init_table[] = {
277 SMTP_VRFY_TGT_RCPT, SMTP_STATE_RCPT,
278 SMTP_VRFY_TGT_DATA, SMTP_STATE_DATA,
279 0,
280 };
281
282 if ((smtp_vrfy_tgt = name_code(vrfy_init_table, NAME_CODE_FLAG_NONE,
283 var_smtp_vrfy_tgt)) == 0)
284 msg_fatal("bad protocol stage: \"%s = %s\"",
285 VAR_SMTP_VRFY_TGT, var_smtp_vrfy_tgt);
286 }
287
288 /* smtp_helo - perform initial handshake with SMTP server */
289
smtp_helo(SMTP_STATE * state)290 int smtp_helo(SMTP_STATE *state)
291 {
292 const char *myname = "smtp_helo";
293 SMTP_SESSION *session = state->session;
294 DELIVER_REQUEST *request = state->request;
295 SMTP_ITERATOR *iter = state->iterator;
296 SMTP_RESP *resp;
297 SMTP_RESP fake;
298 int except;
299 char *lines;
300 char *words;
301 char *word;
302 int n;
303 static const NAME_CODE xforward_features[] = {
304 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME,
305 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR,
306 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT,
307 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO,
308 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
309 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT,
310 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN,
311 0, 0,
312 };
313 const char *ehlo_words;
314 int discard_mask;
315 static const NAME_MASK pix_bug_table[] = {
316 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP,
317 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF,
318 0,
319 };
320 const char *pix_bug_words;
321 const char *pix_bug_source;
322 int pix_bug_mask;
323
324 #ifdef USE_TLS
325 int saved_features = session->features;
326 int tls_helo_status;
327
328 #endif
329 const char *NOCLOBBER where;
330
331 /*
332 * Skip the plaintext SMTP handshake when connecting in SMTPS mode.
333 */
334 #ifdef USE_TLS
335 if (var_smtp_tls_wrappermode
336 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
337 /* XXX Mix-up of per-session and per-request flags. */
338 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
339 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
340 var_smtp_req_deadline, 0);
341 tls_helo_status = smtp_start_tls(state);
342 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
343 return (tls_helo_status);
344 }
345 #endif
346
347 /*
348 * Prepare for disaster.
349 */
350 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout,
351 var_smtp_req_deadline, 0);
352 if ((except = vstream_setjmp(state->session->stream)) != 0)
353 return (smtp_stream_except(state, except, where));
354
355 /*
356 * If not recursing after STARTTLS, examine the server greeting banner
357 * and decide if we are going to send EHLO as the next command.
358 */
359 if (var_smtp_tls_wrappermode
360 || (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
361
362 /*
363 * Read and parse the server's SMTP greeting banner.
364 */
365 where = "receiving the initial server greeting";
366 switch ((resp = smtp_chat_resp(session))->code / 100) {
367 case 2:
368 break;
369 case 5:
370 if (var_smtp_skip_5xx_greeting)
371 STR(resp->dsn_buf)[0] = '4';
372 /* FALLTHROUGH */
373 default:
374 return (smtp_site_fail(state, STR(iter->host), resp,
375 "host %s refused to talk to me: %s",
376 session->namaddr,
377 translit(resp->str, "\n", " ")));
378 }
379
380 /*
381 * If the policy table specifies a bogus TLS security level, fail
382 * now.
383 */
384 #ifdef USE_TLS
385 if (state->tls->level == TLS_LEV_INVALID)
386 /* Warning is already logged. */
387 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
388 SMTP_RESP_FAKE(&fake, "4.7.0"),
389 "client TLS configuration problem"));
390 #endif
391
392 /*
393 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so
394 * it does not span a packet boundary. This hurts performance so it
395 * is not on by default.
396 */
397 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) {
398 /* Best effort only. Ignore errors. */
399 if (smtp_pix_bug_maps != 0
400 && (pix_bug_words =
401 maps_find(smtp_pix_bug_maps,
402 STR(iter->addr), 0)) != 0) {
403 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_MAPS);
404 } else {
405 pix_bug_words = var_smtp_pix_bug_words;
406 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_WORDS);
407 }
408 if (*pix_bug_words) {
409 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table,
410 pix_bug_words,
411 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE);
412 if ((pix_bug_mask & SMTP_FEATURE_PIX_DELAY_DOTCRLF)
413 && request->msg_stats.incoming_arrival.tv_sec
414 > vstream_ftime(state->session->stream) - var_smtp_pix_thresh)
415 pix_bug_mask &= ~SMTP_FEATURE_PIX_DELAY_DOTCRLF;
416 msg_info("%s: enabling PIX workarounds: %s for %s",
417 request->queue_id,
418 str_name_mask("pix workaround bitmask",
419 pix_bug_table, pix_bug_mask),
420 session->namaddrport);
421 session->features |= pix_bug_mask;
422 }
423 }
424
425 /*
426 * See if we are talking to ourself. This should not be possible with
427 * the way we implement DNS lookups. However, people are known to
428 * sometimes screw up the naming service. And, mailer loops are still
429 * possible when our own mailer routing tables are mis-configured.
430 */
431 words = resp->str;
432 (void) mystrtok(&words, "- \t\n");
433 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) {
434 if (n == 0 && strcasecmp(word, var_myhostname) == 0) {
435 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT)
436 msg_warn("host %s greeted me with my own hostname %s",
437 session->namaddrport, var_myhostname);
438 } else if (strcasecmp(word, "ESMTP") == 0)
439 session->features |= SMTP_FEATURE_ESMTP;
440 }
441 if (smtp_mode) {
442 if (var_smtp_always_ehlo
443 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0)
444 session->features |= SMTP_FEATURE_ESMTP;
445 if (var_smtp_never_ehlo
446 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0)
447 session->features &= ~SMTP_FEATURE_ESMTP;
448 } else {
449 session->features |= SMTP_FEATURE_ESMTP;
450 }
451 }
452
453 /*
454 * If recursing after STARTTLS, there is no server greeting banner.
455 * Always send EHLO as the next command.
456 */
457 else {
458 session->features |= SMTP_FEATURE_ESMTP;
459 }
460
461 /*
462 * Return the compliment. Fall back to SMTP if our ESMTP recognition
463 * heuristic failed.
464 */
465 if (smtp_mode) {
466 where = "performing the EHLO handshake";
467 if (session->features & SMTP_FEATURE_ESMTP) {
468 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name);
469 if ((resp = smtp_chat_resp(session))->code / 100 != 2) {
470 if (resp->code == 421)
471 return (smtp_site_fail(state, STR(iter->host), resp,
472 "host %s refused to talk to me: %s",
473 session->namaddr,
474 translit(resp->str, "\n", " ")));
475 else
476 session->features &= ~SMTP_FEATURE_ESMTP;
477 }
478 }
479 if ((session->features & SMTP_FEATURE_ESMTP) == 0) {
480 where = "performing the HELO handshake";
481 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name);
482 if ((resp = smtp_chat_resp(session))->code / 100 != 2)
483 return (smtp_site_fail(state, STR(iter->host), resp,
484 "host %s refused to talk to me: %s",
485 session->namaddr,
486 translit(resp->str, "\n", " ")));
487 }
488 } else {
489 where = "performing the LHLO handshake";
490 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name);
491 if ((resp = smtp_chat_resp(session))->code / 100 != 2)
492 return (smtp_site_fail(state, STR(iter->host), resp,
493 "host %s refused to talk to me: %s",
494 session->namaddr,
495 translit(resp->str, "\n", " ")));
496 }
497
498 /*
499 * No early returns allowed, to ensure consistent handling of TLS and
500 * SASL policies.
501 */
502 if (session->features & SMTP_FEATURE_ESMTP) {
503
504 /*
505 * Determine what server EHLO keywords to ignore, typically to avoid
506 * inter-operability problems.
507 */
508 if (smtp_ehlo_dis_maps == 0
509 || (ehlo_words = maps_find(smtp_ehlo_dis_maps,
510 STR(iter->addr), 0)) == 0)
511 ehlo_words = var_smtp_ehlo_dis_words;
512 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) {
513 msg_warn("%s: %s map lookup error for %s",
514 session->state->request->queue_id,
515 smtp_ehlo_dis_maps->title, STR(iter->addr));
516 vstream_longjmp(session->stream, SMTP_ERR_DATA);
517 }
518 discard_mask = ehlo_mask(ehlo_words);
519 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
520 msg_info("discarding EHLO keywords: %s",
521 str_ehlo_mask(discard_mask));
522
523 /*
524 * Pick up some useful features offered by the SMTP server. XXX Until
525 * we have a portable routine to convert from string to off_t with
526 * proper overflow detection, ignore the message size limit
527 * advertised by the SMTP server. Otherwise, we might do the wrong
528 * thing when the server advertises a really huge message size limit.
529 *
530 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...",
531 * because MicroSoft implemented AUTH based on an old draft.
532 */
533 lines = resp->str;
534 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) {
535 if (mystrtok(&words, "- ")
536 && (word = mystrtok(&words, " \t=")) != 0) {
537 if (n == 0) {
538 if (session->helo != 0)
539 myfree(session->helo);
540
541 /*
542 * XXX: Keep the original case: we don't expect a single
543 * SMTP server to randomly change the case of its helo
544 * response. If different capitalization is detected, we
545 * should assume disjoint TLS caches.
546 */
547 session->helo = mystrdup(word);
548 if (strcasecmp(word, var_myhostname) == 0
549 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) {
550 msg_warn("host %s replied to HELO/EHLO"
551 " with my own hostname %s",
552 session->namaddrport, var_myhostname);
553 if (session->features & SMTP_FEATURE_BEST_MX)
554 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
555 SMTP_RESP_FAKE(&fake, "5.4.6"),
556 "mail for %s loops back to myself",
557 request->nexthop));
558 else
559 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
560 SMTP_RESP_FAKE(&fake, "4.4.6"),
561 "mail for %s loops back to myself",
562 request->nexthop));
563 }
564 } else if (strcasecmp(word, "8BITMIME") == 0) {
565 if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
566 session->features |= SMTP_FEATURE_8BITMIME;
567 } else if (strcasecmp(word, "PIPELINING") == 0) {
568 if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
569 session->features |= SMTP_FEATURE_PIPELINING;
570 } else if (strcasecmp(word, "XFORWARD") == 0) {
571 if ((discard_mask & EHLO_MASK_XFORWARD) == 0)
572 while ((word = mystrtok(&words, " \t")) != 0)
573 session->features |=
574 name_code(xforward_features,
575 NAME_CODE_FLAG_NONE, word);
576 } else if (strcasecmp(word, "SIZE") == 0) {
577 if ((discard_mask & EHLO_MASK_SIZE) == 0) {
578 session->features |= SMTP_FEATURE_SIZE;
579 if ((word = mystrtok(&words, " \t")) != 0) {
580 if (!alldig(word))
581 msg_warn("bad EHLO SIZE limit \"%s\" from %s",
582 word, session->namaddrport);
583 else
584 session->size_limit = off_cvt_string(word);
585 }
586 }
587 #ifdef USE_TLS
588 } else if (strcasecmp(word, "STARTTLS") == 0) {
589 /* Ignored later if we already sent STARTTLS. */
590 if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
591 session->features |= SMTP_FEATURE_STARTTLS;
592 #endif
593 #ifdef USE_SASL_AUTH
594 } else if (var_smtp_sasl_enable
595 && strcasecmp(word, "AUTH") == 0) {
596 if ((discard_mask & EHLO_MASK_AUTH) == 0)
597 smtp_sasl_helo_auth(session, words);
598 #endif
599 } else if (strcasecmp(word, "DSN") == 0) {
600 if ((discard_mask & EHLO_MASK_DSN) == 0)
601 session->features |= SMTP_FEATURE_DSN;
602 } else if (strcasecmp(word, "SMTPUTF8") == 0) {
603 if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0)
604 session->features |= SMTP_FEATURE_SMTPUTF8;
605 }
606 n++;
607 }
608 }
609 }
610 if (msg_verbose)
611 msg_info("server features: 0x%x size %.0f",
612 session->features, (double) session->size_limit);
613
614 /*
615 * Decide if this delivery requires SMTPUTF8 server support.
616 *
617 * For now, we require that the remote SMTP server supports SMTPUTF8 when
618 * the sender requested SMTPUTF8 support.
619 *
620 * XXX EAI Refine this to: the sender requested SMTPUTF8 support AND the
621 * delivery request involves at least one UTF-8 envelope address or
622 * header value.
623 *
624 * If the sender requested SMTPUTF8 support but the delivery request
625 * involves no UTF-8 envelope address or header value, then we could
626 * still deliver such mail to a non-SMTPUTF8 server, except that we must
627 * either uxtext-encode ORCPT parameters or not send them. We cannot
628 * encode the ORCPT in xtext, because legacy SMTP requires that the
629 * unencoded address consist entirely of printable (graphic and white
630 * space) characters from the US-ASCII repertoire (RFC 3461 section 4). A
631 * correct uxtext encoder will produce a result that an xtext decoder
632 * will pass through unchanged.
633 *
634 * XXX Should we try to encode headers with RFC 2047 when delivering to a
635 * non-SMTPUTF8 server? That could make life easier for mailing lists.
636 */
637 #define DELIVERY_REQUIRES_SMTPUTF8 \
638 ((request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) \
639 && (request->smtputf8 & ~SMTPUTF8_FLAG_REQUESTED))
640
641 /*
642 * Require that the server supports SMTPUTF8 when delivery requires
643 * SMTPUTF8.
644 *
645 * Fix 20140706: moved this before negotiating TLS, AUTH, and so on.
646 */
647 if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0
648 && DELIVERY_REQUIRES_SMTPUTF8)
649 return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
650 SMTP_RESP_FAKE(&fake, "5.6.7"),
651 "SMTPUTF8 is required, "
652 "but was not offered by host %s",
653 session->namaddr));
654
655 /*
656 * Fix 20140706: don't do silly things when the remote server announces
657 * SMTPUTF8 but not 8BITMIME support. Our primary mission is to deliver
658 * mail, not to force people into compliance.
659 */
660 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
661 && (session->features & SMTP_FEATURE_8BITMIME) == 0) {
662 msg_info("host %s offers SMTPUTF8 support, but not 8BITMIME",
663 session->namaddr);
664 session->features |= SMTP_FEATURE_8BITMIME;
665 }
666
667 /*
668 * We use SMTP command pipelining if the server said it supported it.
669 * Since we use blocking I/O, RFC 2197 says that we should inspect the
670 * TCP window size and not send more than this amount of information.
671 * Unfortunately this information is unavailable using the sockets
672 * interface. However, we *can* get the TCP send buffer size on the local
673 * TCP/IP stack. We should be able to fill this buffer without being
674 * blocked, and then the kernel will effectively do non-blocking I/O for
675 * us by automatically writing out the contents of its send buffer while
676 * we are reading in the responses. In addition to TCP buffering we have
677 * to be aware of application-level buffering by the vstream module,
678 * which is limited to a couple kbytes.
679 *
680 * XXX No need to do this before and after STARTTLS, but it's not a big deal
681 * if we do.
682 *
683 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as
684 * TLS messages. Thus, the TCP-level payload will be larger than the
685 * SMTP-level payload. This has implications for the PIPELINING engine.
686 *
687 * To avoid deadlock, the PIPELINING engine needs to request a TCP send
688 * buffer size that can hold the unacknowledged commands plus the TLS
689 * encapsulation overhead.
690 *
691 * The PIPELINING engine keeps the unacknowledged command size <= the
692 * default VSTREAM buffer size (to avoid small-write performance issues
693 * when the VSTREAM buffer size is at its default size). With a default
694 * VSTREAM buffer size of 4096 there is no reason to increase the
695 * unacknowledged command size as the TCP MSS increases. It's safer to
696 * spread the remote SMTP server's recipient processing load over time,
697 * than dumping a very large recipient list all at once.
698 *
699 * For TLS encapsulation overhead we make a conservative guess: take the
700 * current protocol overhead of ~40 bytes, double the number for future
701 * proofing (~80 bytes), then round up the result to the nearest power of
702 * 2 (128 bytes). Plus, be prepared for worst-case compression that
703 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS
704 * message becomes 15 kbytes.
705 */
706 #define PIPELINING_BUFSIZE VSTREAM_BUFSIZE
707 #ifdef USE_TLS
708 #define TLS_WORST_PAYLOAD 16384
709 #define TLS_WORST_COMP_OVERHD 1024
710 #define TLS_WORST_PROTO_OVERHD 128
711 #define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD)
712 #define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD)
713 #endif
714
715 if (session->features & SMTP_FEATURE_PIPELINING) {
716 SOCKOPT_SIZE optlen;
717 int tcp_bufsize;
718 int enc_overhead = 0;
719
720 optlen = sizeof(tcp_bufsize);
721 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET,
722 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0)
723 msg_fatal("%s: getsockopt: %m", myname);
724 #ifdef USE_TLS
725 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS)
726 enc_overhead +=
727 (1 + (PIPELINING_BUFSIZE - 1)
728 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD;
729 #endif
730 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) {
731 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead;
732 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET,
733 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0)
734 msg_fatal("%s: setsockopt: %m", myname);
735 }
736 if (msg_verbose)
737 msg_info("Using %s PIPELINING, TCP send buffer size is %d, "
738 "PIPELINING buffer size is %d",
739 smtp_mode ? "ESMTP" : "LMTP",
740 tcp_bufsize, PIPELINING_BUFSIZE);
741 }
742 #ifdef USE_TLS
743
744 /*
745 * Skip this part if we already sent STARTTLS.
746 */
747 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
748
749 /*
750 * Optionally log unused STARTTLS opportunities.
751 */
752 if ((session->features & SMTP_FEATURE_STARTTLS) &&
753 var_smtp_tls_note_starttls_offer &&
754 state->tls->level <= TLS_LEV_NONE)
755 msg_info("Host offered STARTTLS: [%s]", STR(iter->host));
756
757 /*
758 * Decide whether or not to send STARTTLS.
759 */
760 if ((session->features & SMTP_FEATURE_STARTTLS) != 0
761 && smtp_tls_ctx != 0 && state->tls->level >= TLS_LEV_MAY) {
762
763 /*
764 * Prepare for disaster.
765 */
766 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
767 var_smtp_req_deadline, 0);
768 if ((except = vstream_setjmp(state->session->stream)) != 0)
769 return (smtp_stream_except(state, except,
770 "receiving the STARTTLS response"));
771
772 /*
773 * Send STARTTLS. Recurse when the server accepts STARTTLS, after
774 * resetting the SASL and EHLO features lists.
775 *
776 * Reset the SASL mechanism list to avoid spurious warnings.
777 *
778 * Use the smtp_sasl_tls_security_options feature to allow SASL
779 * mechanisms that may not be allowed with plain-text
780 * connections.
781 */
782 smtp_chat_cmd(session, "STARTTLS");
783 if ((resp = smtp_chat_resp(session))->code / 100 == 2) {
784 #ifdef USE_SASL_AUTH
785 if (session->features & SMTP_FEATURE_AUTH)
786 smtp_sasl_cleanup(session);
787 #endif
788 session->features = saved_features;
789 /* XXX Mix-up of per-session and per-request flags. */
790 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
791 tls_helo_status = smtp_start_tls(state);
792 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
793 return (tls_helo_status);
794 }
795
796 /*
797 * Give up if we must use TLS but the server rejects STARTTLS
798 * although support for it was announced in the EHLO response.
799 */
800 session->features &= ~SMTP_FEATURE_STARTTLS;
801 if (TLS_REQUIRED(state->tls->level))
802 return (smtp_site_fail(state, STR(iter->host), resp,
803 "TLS is required, but host %s refused to start TLS: %s",
804 session->namaddr,
805 translit(resp->str, "\n", " ")));
806 /* Else try to continue in plain-text mode. */
807 }
808
809 /*
810 * Give up if we must use TLS but can't for various reasons.
811 *
812 * 200412 Be sure to provide the default clause at the bottom of this
813 * block. When TLS is required we must never, ever, end up in
814 * plain-text mode.
815 */
816 if (TLS_REQUIRED(state->tls->level)) {
817 if (!(session->features & SMTP_FEATURE_STARTTLS)) {
818 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
819 SMTP_RESP_FAKE(&fake, "4.7.4"),
820 "TLS is required, but was not offered by host %s",
821 session->namaddr));
822 } else if (smtp_tls_ctx == 0) {
823 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
824 SMTP_RESP_FAKE(&fake, "4.7.5"),
825 "TLS is required, but our TLS engine is unavailable"));
826 } else {
827 msg_warn("%s: TLS is required but unavailable, don't know why",
828 myname);
829 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
830 SMTP_RESP_FAKE(&fake, "4.7.0"),
831 "TLS is required, but unavailable"));
832 }
833 }
834 }
835 #endif
836 #ifdef USE_SASL_AUTH
837 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH))
838 return (smtp_sasl_helo_login(state));
839 #endif
840
841 return (0);
842 }
843
844 #ifdef USE_TLS
845
846 /* smtp_start_tls - turn on TLS and recurse into the HELO dialog */
847
smtp_start_tls(SMTP_STATE * state)848 static int smtp_start_tls(SMTP_STATE *state)
849 {
850 SMTP_SESSION *session = state->session;
851 SMTP_ITERATOR *iter = state->iterator;
852 TLS_CLIENT_START_PROPS start_props;
853 VSTRING *serverid;
854 SMTP_RESP fake;
855 TLS_CLIENT_INIT_PROPS init_props;
856 VSTREAM *tlsproxy;
857 VSTRING *port_buf;
858
859 /*
860 * When the TLS handshake succeeds, we can reuse a connection only if TLS
861 * remains turned on for the lifetime of that connection. This requires
862 * that the TLS library state is maintained in some proxy process, for
863 * example, in tlsproxy(8). We then store the proxy file handle in the
864 * connection cache, and reuse that file handle.
865 *
866 * Otherwise, we must turn off connection caching. We can't turn off TLS in
867 * one SMTP client process, save the open connection to a cache which is
868 * shared with all SMTP clients, migrate the connection to another SMTP
869 * client, and resume TLS there. When the TLS handshake fails, we can't
870 * reuse the SMTP connection either, because the conversation is in an
871 * unknown state.
872 */
873 if (state->tls->conn_reuse == 0)
874 DONT_CACHE_THIS_SESSION;
875
876 /*
877 * The following assumes sites that use TLS in a perverse configuration:
878 * multiple hosts per hostname, or even multiple hosts per IP address.
879 * All this without a shared TLS session cache, and they still want to
880 * use TLS session caching???
881 *
882 * The TLS session cache records the trust chain verification status of
883 * cached sessions. Different transports may have different CAfile or
884 * CApath settings, perhaps to allow authenticated connections to sites
885 * with private CA certs without trusting said private certs for other
886 * sites. So we cannot assume that a trust chain valid for one transport
887 * is valid for another. Therefore the client session id must include
888 * either the transport name or the values of CAfile and CApath. We use
889 * the transport name.
890 *
891 * XXX: We store only one session per lookup key. Ideally the the key maps
892 * 1-to-1 to a server TLS session cache. We use the IP address, port and
893 * ehlo response name to build a lookup key that works for split caches
894 * (that announce distinct names) behind a load balancer.
895 *
896 * XXX: The TLS library will salt the serverid with further details of the
897 * protocol and cipher requirements including the server ehlo response.
898 * Deferring the helo to the digested suffix results in more predictable
899 * SSL session lookup key lengths.
900 */
901 serverid = vstring_alloc(10);
902 smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE
903 | SMTP_KEY_FLAG_CUR_NEXTHOP /* With port */
904 | SMTP_KEY_FLAG_HOSTNAME
905 | SMTP_KEY_FLAG_ADDR);
906
907 if (state->tls->conn_reuse) {
908 TLS_CLIENT_PARAMS tls_params;
909
910 /*
911 * Send all our wishes in one big request.
912 */
913 TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
914 log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
915 log_level = var_smtp_tls_loglevel,
916 verifydepth = var_smtp_tls_scert_vd,
917 cache_type
918 = LMTP_SMTP_SUFFIX(TLS_MGR_SCACHE),
919 chain_files = var_smtp_tls_chain_files,
920 cert_file = var_smtp_tls_cert_file,
921 key_file = var_smtp_tls_key_file,
922 dcert_file = var_smtp_tls_dcert_file,
923 dkey_file = var_smtp_tls_dkey_file,
924 eccert_file = var_smtp_tls_eccert_file,
925 eckey_file = var_smtp_tls_eckey_file,
926 CAfile = var_smtp_tls_CAfile,
927 CApath = var_smtp_tls_CApath,
928 mdalg = var_smtp_tls_fpt_dgst);
929 TLS_PROXY_CLIENT_START_PROPS(&start_props,
930 timeout = var_smtp_starttls_tmout,
931 tls_level = state->tls->level,
932 nexthop = session->tls_nexthop,
933 host = STR(iter->host),
934 namaddr = session->namaddrport,
935 sni = state->tls->sni,
936 serverid = vstring_str(serverid),
937 helo = session->helo,
938 protocols = state->tls->protocols,
939 cipher_grade = state->tls->grade,
940 cipher_exclusions
941 = vstring_str(state->tls->exclusions),
942 matchargv = state->tls->matchargv,
943 mdalg = var_smtp_tls_fpt_dgst,
944 dane = state->tls->dane);
945
946 /*
947 * The tlsproxy(8) server enforces timeouts that are larger than
948 * those specified by the tlsproxy(8) client. These timeouts are a
949 * safety net for the case that the tlsproxy(8) client fails to
950 * enforce time limits. Normally, the tlsproxy(8) client would time
951 * out and trigger a plaintext event in the tlsproxy(8) server, and
952 * cause it to tear down the session.
953 *
954 * However, the tlsproxy(8) server has no insight into the SMTP
955 * protocol, and therefore it cannot by itself support different
956 * timeouts at different SMTP protocol stages. Instead, we specify
957 * the largest timeout (end-of-data) and rely on the SMTP client to
958 * time out first, which normally results in a plaintext event in the
959 * tlsproxy(8) server. Unfortunately, we cannot permit plaintext
960 * events during the TLS handshake, so we specify a separate timeout
961 * for that stage (the end-of-data timeout would be unreasonably
962 * large anyway).
963 */
964 #define PROXY_OPEN_FLAGS \
965 (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)
966
967 port_buf = vstring_alloc(100); /* minimize fragmentation */
968 vstring_sprintf(port_buf, "%d", ntohs(iter->port));
969 tlsproxy =
970 tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS,
971 session->stream, STR(iter->addr),
972 STR(port_buf), var_smtp_starttls_tmout,
973 var_smtp_data2_tmout, state->service,
974 tls_proxy_client_param_from_config(&tls_params),
975 &init_props, &start_props);
976 vstring_free(port_buf);
977
978 /*
979 * To insert tlsproxy(8) between this process and the remote SMTP
980 * server, we swap the file descriptors between the tlsproxy and
981 * session->stream VSTREAMS, so that we don't lose all the
982 * user-configurable session->stream attributes (such as longjump
983 * buffers or timeouts).
984 *
985 * TODO: the tlsproxy RPCs should return more error detail than a "NO"
986 * result. OTOH, the in-process TLS engine does not return such info
987 * either.
988 *
989 * If the tlsproxy request fails we do not fall back to the in-process
990 * TLS stack. Reason: the admin enabled connection reuse to respect
991 * receiver policy; silently violating such policy would not be
992 * useful.
993 *
994 * We also don't fall back to the in-process TLS stack under low-traffic
995 * conditions, to avoid frustrating attempts to debug a problem with
996 * using the tlsproxy(8) service.
997 */
998 if (tlsproxy == 0) {
999 session->tls_context = 0;
1000 } else {
1001 vstream_control(tlsproxy,
1002 CA_VSTREAM_CTL_DOUBLE,
1003 CA_VSTREAM_CTL_END);
1004 vstream_control(session->stream,
1005 CA_VSTREAM_CTL_SWAP_FD(tlsproxy),
1006 CA_VSTREAM_CTL_END);
1007 (void) vstream_fclose(tlsproxy); /* direct-to-server stream! */
1008
1009 /*
1010 * There must not be any pending data in the stream buffers
1011 * before we read the TLS context attributes.
1012 */
1013 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
1014
1015 /*
1016 * After plumbing the plaintext stream, receive the TLS context
1017 * object. For this we use the same VSTREAM buffer that we also
1018 * use to receive subsequent SMTP commands, therefore we must be
1019 * prepared for the possibility that the remote SMTP server
1020 * starts talking immediately. The tlsproxy implementation sends
1021 * the TLS context before remote content. The attribute protocol
1022 * is robust enough that an adversary cannot insert their own TLS
1023 * context attributes.
1024 */
1025 session->tls_context = tls_proxy_context_receive(session->stream);
1026 if (session->tls_context) {
1027 session->features |= SMTP_FEATURE_FROM_PROXY;
1028 tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW,
1029 session->tls_context);
1030 }
1031 }
1032 } else { /* state->tls->conn_reuse */
1033
1034 /*
1035 * As of Postfix 2.5, tls_client_start() tries hard to always
1036 * complete the TLS handshake. It records the verification and match
1037 * status in the resulting TLScontext. It is now up to the
1038 * application to abort the TLS connection if it chooses.
1039 *
1040 * XXX When tls_client_start() fails then we don't know what state the
1041 * SMTP connection is in, so we give up on this connection even if we
1042 * are not required to use TLS.
1043 *
1044 * Large parameter lists are error-prone, so we emulate a language
1045 * feature that C does not have natively: named parameter lists.
1046 */
1047 session->tls_context =
1048 TLS_CLIENT_START(&start_props,
1049 ctx = smtp_tls_ctx,
1050 stream = session->stream,
1051 fd = -1,
1052 timeout = var_smtp_starttls_tmout,
1053 tls_level = state->tls->level,
1054 nexthop = session->tls_nexthop,
1055 host = STR(iter->host),
1056 namaddr = session->namaddrport,
1057 sni = state->tls->sni,
1058 serverid = vstring_str(serverid),
1059 helo = session->helo,
1060 protocols = state->tls->protocols,
1061 cipher_grade = state->tls->grade,
1062 cipher_exclusions
1063 = vstring_str(state->tls->exclusions),
1064 matchargv = state->tls->matchargv,
1065 mdalg = var_smtp_tls_fpt_dgst,
1066 dane = state->tls->dane);
1067
1068 /*
1069 * At this point there must not be any pending data in the stream
1070 * buffers.
1071 */
1072 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
1073 } /* state->tls->conn_reuse */
1074
1075 vstring_free(serverid);
1076
1077 if (session->tls_context == 0) {
1078
1079 /*
1080 * We must avoid further I/O, the peer is in an undefined state.
1081 */
1082 DONT_USE_FORBIDDEN_SESSION;
1083
1084 /*
1085 * If TLS is optional, try delivery to the same server over a
1086 * plaintext connection. Otherwise we would defer mail forever with
1087 * destinations that have no alternate MX host.
1088 *
1089 * Don't fall back to plaintext if we were willing to use SASL-over-TLS
1090 * authentication. If the server doesn't announce SASL support over
1091 * plaintext connections, then we don't want delivery to fail with
1092 * "relay access denied".
1093 *
1094 * If TLS is opportunistic, don't throttle the destination, otherwise if
1095 * the mail is volume is high enough we may have difficulty ever
1096 * draining even the deferred mail, as new mail provides a constant
1097 * stream of negative feedback.
1098 */
1099 if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE)
1100 RETRY_AS_PLAINTEXT;
1101 return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ?
1102 SMTP_NOTHROTTLE : SMTP_THROTTLE,
1103 DSN_BY_LOCAL_MTA,
1104 SMTP_RESP_FAKE(&fake, "4.7.5"),
1105 "Cannot start TLS: handshake failure"));
1106 }
1107
1108 /*
1109 * If we are verifying the server certificate and are not happy with the
1110 * result, abort the delivery here. We have a usable TLS session with the
1111 * server, so no need to disable I/O, ... we can even be polite and send
1112 * "QUIT".
1113 *
1114 * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require
1115 * matching.
1116 *
1117 * NOTE: We use "IS_MATCHED" to satisfy policy, but "IS_SECURED" to log
1118 * effective security. Thus "half-dane" is never "Verified" only
1119 * "Trusted", but matching is enforced here.
1120 *
1121 * NOTE: When none of the TLSA records were usable, "dane" and "half-dane"
1122 * fall back to "encrypt", updating the tls_context level accordingly, so
1123 * we must check that here, and not state->tls->level.
1124 */
1125 if (TLS_MUST_MATCH(session->tls_context->level))
1126 if (!TLS_CERT_IS_MATCHED(session->tls_context))
1127 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
1128 SMTP_RESP_FAKE(&fake, "4.7.5"),
1129 "Server certificate not verified"));
1130
1131 /*
1132 * At this point we have to re-negotiate the "EHLO" to reget the
1133 * feature-list.
1134 */
1135 return (smtp_helo(state));
1136 }
1137
1138 #endif
1139
1140 /* smtp_hbc_logger - logging call-back for header/body checks */
1141
smtp_hbc_logger(void * context,const char * action,const char * where,const char * content,const char * text)1142 static void smtp_hbc_logger(void *context, const char *action,
1143 const char *where, const char *content,
1144 const char *text)
1145 {
1146 const SMTP_STATE *state = (SMTP_STATE *) context;
1147
1148 if (*text) {
1149 msg_info("%s: %s: %s %.60s: %s",
1150 state->request->queue_id, action, where, content, text);
1151 } else {
1152 msg_info("%s: %s: %s %.60s",
1153 state->request->queue_id, action, where, content);
1154 }
1155 }
1156
1157 /* smtp_text_out - output one header/body record */
1158
smtp_text_out(void * context,int rec_type,const char * text,ssize_t len,off_t unused_offset)1159 static void smtp_text_out(void *context, int rec_type,
1160 const char *text, ssize_t len,
1161 off_t unused_offset)
1162 {
1163 SMTP_STATE *state = (SMTP_STATE *) context;
1164 SMTP_SESSION *session = state->session;
1165 ssize_t data_left;
1166 const char *data_start;
1167
1168 /*
1169 * Deal with an impedance mismatch between Postfix queue files (record
1170 * length <= $message_line_length_limit) and SMTP (DATA record length <=
1171 * $smtp_line_length_limit). The code below does a little too much work
1172 * when the SMTP line length limit is disabled, but it avoids code
1173 * duplication, and thus, it avoids testing and maintenance problems.
1174 */
1175 data_left = len;
1176 data_start = text;
1177 do {
1178 if (state->space_left == var_smtp_line_limit
1179 && data_left > 0 && *data_start == '.')
1180 smtp_fputc('.', session->stream);
1181 if (ENFORCING_SIZE_LIMIT(var_smtp_line_limit)
1182 && data_left >= state->space_left) {
1183 smtp_fputs(data_start, state->space_left, session->stream);
1184 data_start += state->space_left;
1185 data_left -= state->space_left;
1186 state->space_left = var_smtp_line_limit;
1187 if (data_left > 0 || rec_type == REC_TYPE_CONT) {
1188 smtp_fputc(' ', session->stream);
1189 state->space_left -= 1;
1190 }
1191 } else {
1192 if (rec_type == REC_TYPE_CONT) {
1193 smtp_fwrite(data_start, data_left, session->stream);
1194 state->space_left -= data_left;
1195 } else {
1196 smtp_fputs(data_start, data_left, session->stream);
1197 state->space_left = var_smtp_line_limit;
1198 }
1199 break;
1200 }
1201 } while (data_left > 0);
1202 }
1203
1204 /* smtp_format_out - output one header/body record */
1205
1206 static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...);
1207
smtp_format_out(void * context,int rec_type,const char * fmt,...)1208 static void smtp_format_out(void *context, int rec_type, const char *fmt,...)
1209 {
1210 static VSTRING *vp;
1211 va_list ap;
1212
1213 if (vp == 0)
1214 vp = vstring_alloc(100);
1215 va_start(ap, fmt);
1216 vstring_vsprintf(vp, fmt, ap);
1217 va_end(ap);
1218 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0);
1219 }
1220
1221 /* smtp_header_out - output one message header */
1222
smtp_header_out(void * context,int unused_header_class,const HEADER_OPTS * unused_info,VSTRING * buf,off_t offset)1223 static void smtp_header_out(void *context, int unused_header_class,
1224 const HEADER_OPTS *unused_info,
1225 VSTRING *buf, off_t offset)
1226 {
1227 char *start = vstring_str(buf);
1228 char *line;
1229 char *next_line;
1230
1231 /*
1232 * This code destroys the header. We could try to avoid clobbering it,
1233 * but we're not going to use the data any further.
1234 */
1235 for (line = start; line; line = next_line) {
1236 next_line = split_at(line, '\n');
1237 smtp_text_out(context, REC_TYPE_NORM, line, next_line ?
1238 next_line - line - 1 : strlen(line), offset);
1239 }
1240 }
1241
1242 /* smtp_header_rewrite - rewrite message header before output */
1243
smtp_header_rewrite(void * context,int header_class,const HEADER_OPTS * header_info,VSTRING * buf,off_t offset)1244 static void smtp_header_rewrite(void *context, int header_class,
1245 const HEADER_OPTS *header_info,
1246 VSTRING *buf, off_t offset)
1247 {
1248 SMTP_STATE *state = (SMTP_STATE *) context;
1249 int did_rewrite = 0;
1250 char *line;
1251 char *start;
1252 char *next_line;
1253 char *end_line;
1254 char *result;
1255
1256 /*
1257 * Apply optional header filtering.
1258 */
1259 if (smtp_header_checks) {
1260 result = hbc_header_checks(context, smtp_header_checks, header_class,
1261 header_info, buf, offset);
1262 if (result == 0)
1263 return;
1264 if (result == HBC_CHECKS_STAT_ERROR) {
1265 msg_warn("%s: smtp header checks lookup error",
1266 state->request->queue_id);
1267 vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
1268 }
1269 if (result != STR(buf)) {
1270 vstring_strcpy(buf, result);
1271 myfree(result);
1272 }
1273 }
1274
1275 /*
1276 * Rewrite primary header addresses that match the smtp_generic_maps. The
1277 * cleanup server already enforces that all headers have proper lengths
1278 * and that all addresses are in proper form, so we don't have to repeat
1279 * that.
1280 */
1281 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY
1282 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) {
1283 TOK822 *tree;
1284 TOK822 **addr_list;
1285 TOK822 **tpp;
1286
1287 tree = tok822_parse(vstring_str(buf)
1288 + strlen(header_info->name) + 1);
1289 addr_list = tok822_grep(tree, TOK822_ADDR);
1290 for (tpp = addr_list; *tpp; tpp++)
1291 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps,
1292 smtp_ext_prop_mask & EXT_PROP_GENERIC);
1293 if (did_rewrite) {
1294 vstring_truncate(buf, strlen(header_info->name));
1295 vstring_strcat(buf, ": ");
1296 tok822_externalize(buf, tree, TOK822_STR_HEAD);
1297 }
1298 myfree((void *) addr_list);
1299 tok822_free_tree(tree);
1300 }
1301
1302 /*
1303 * Pass through unmodified headers without reconstruction.
1304 */
1305 if (did_rewrite == 0) {
1306 smtp_header_out(context, header_class, header_info, buf, offset);
1307 return;
1308 }
1309
1310 /*
1311 * A rewritten address list contains one address per line. The code below
1312 * replaces newlines by spaces, to fit as many addresses on a line as
1313 * possible (without rearranging the order of addresses). Prepending
1314 * white space to the beginning of lines is delegated to the output
1315 * routine.
1316 *
1317 * Code derived from cleanup_fold_header().
1318 */
1319 for (line = start = vstring_str(buf); line != 0; line = next_line) {
1320 end_line = line + strcspn(line, "\n");
1321 if (line > start) {
1322 if (end_line - start < 70) { /* TAB counts as one */
1323 line[-1] = ' ';
1324 } else {
1325 start = line;
1326 }
1327 }
1328 next_line = *end_line ? end_line + 1 : 0;
1329 }
1330
1331 /*
1332 * Prepend a tab to continued header lines that went through the address
1333 * rewriting machinery. Just like smtp_header_out(), this code destroys
1334 * the header. We could try to avoid clobbering it, but we're not going
1335 * to use the data any further.
1336 *
1337 * Code derived from cleanup_out_header().
1338 */
1339 for (line = start = vstring_str(buf); line != 0; line = next_line) {
1340 next_line = split_at(line, '\n');
1341 if (line == start || IS_SPACE_TAB(*line)) {
1342 smtp_text_out(state, REC_TYPE_NORM, line, next_line ?
1343 next_line - line - 1 : strlen(line), offset);
1344 } else {
1345 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line);
1346 }
1347 }
1348 }
1349
1350 /* smtp_body_rewrite - rewrite message body before output */
1351
smtp_body_rewrite(void * context,int type,const char * buf,ssize_t len,off_t offset)1352 static void smtp_body_rewrite(void *context, int type,
1353 const char *buf, ssize_t len,
1354 off_t offset)
1355 {
1356 SMTP_STATE *state = (SMTP_STATE *) context;
1357 char *result;
1358
1359 /*
1360 * Apply optional body filtering.
1361 */
1362 if (smtp_body_checks) {
1363 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset);
1364 if (result == buf) {
1365 smtp_text_out(state, type, buf, len, offset);
1366 } else if (result == HBC_CHECKS_STAT_ERROR) {
1367 msg_warn("%s: smtp body checks lookup error",
1368 state->request->queue_id);
1369 vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
1370 } else if (result != 0) {
1371 smtp_text_out(state, type, result, strlen(result), offset);
1372 myfree(result);
1373 }
1374 }
1375 }
1376
1377 /* smtp_mime_fail - MIME problem */
1378
smtp_mime_fail(SMTP_STATE * state,int mime_errs)1379 static void smtp_mime_fail(SMTP_STATE *state, int mime_errs)
1380 {
1381 const MIME_STATE_DETAIL *detail;
1382 SMTP_RESP fake;
1383
1384 detail = mime_state_detail(mime_errs);
1385 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
1386 SMTP_RESP_FAKE(&fake, detail->dsn),
1387 "%s", detail->text);
1388 }
1389
1390 /* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */
1391
smtp_out_raw_or_mime(SMTP_STATE * state,int rec_type,VSTRING * buf)1392 static int smtp_out_raw_or_mime(SMTP_STATE *state, int rec_type, VSTRING *buf)
1393 {
1394 SMTP_SESSION *session = state->session;
1395 int mime_errs;
1396
1397 if (session->mime_state == 0) {
1398 smtp_text_out((void *) state, rec_type, vstring_str(buf),
1399 VSTRING_LEN(buf), (off_t) 0);
1400 } else {
1401 mime_errs =
1402 mime_state_update(session->mime_state, rec_type,
1403 vstring_str(buf), VSTRING_LEN(buf));
1404 if (mime_errs) {
1405 smtp_mime_fail(state, mime_errs);
1406 return (-1);
1407 }
1408 }
1409 return (0);
1410 }
1411
1412 /* smtp_out_add_header - format address header, uses session->scratch* */
1413
smtp_out_add_header(SMTP_STATE * state,const char * label,const char * lt,const char * addr,const char * gt)1414 static int smtp_out_add_header(SMTP_STATE *state, const char *label,
1415 const char *lt, const char *addr,
1416 const char *gt)
1417 {
1418 SMTP_SESSION *session = state->session;
1419
1420 smtp_rewrite_generic_internal(session->scratch2, addr);
1421 vstring_sprintf(session->scratch, "%s: %s", label, lt);
1422 smtp_quote_822_address_flags(session->scratch,
1423 vstring_str(session->scratch2),
1424 QUOTE_FLAG_DEFAULT | QUOTE_FLAG_APPEND);
1425 vstring_strcat(session->scratch, gt);
1426 return (smtp_out_raw_or_mime(state, REC_TYPE_NORM, session->scratch));
1427 }
1428
1429 /* smtp_out_add_headers - output additional headers, uses session->scratch* */
1430
smtp_out_add_headers(SMTP_STATE * state)1431 static int smtp_out_add_headers(SMTP_STATE *state)
1432 {
1433 /* Prepend headers in the same order as mail_copy.c. */
1434 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_RETURN_PATH)
1435 if (smtp_out_add_header(state, "Return-Path", "<",
1436 state->request->sender, ">") < 0)
1437 return (-1);
1438 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_ORIG_RCPT)
1439 if (smtp_out_add_header(state, "X-Original-To", "",
1440 state->request->rcpt_list.info->orig_addr, "") < 0)
1441 return (-1);
1442 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_DELIVERED_TO)
1443 if (smtp_out_add_header(state, "Delivered-To", "",
1444 state->request->rcpt_list.info->address, "") < 0)
1445 return (-1);
1446 return (0);
1447 }
1448
1449 /* smtp_loop - exercise the SMTP protocol engine */
1450
smtp_loop(SMTP_STATE * state,NOCLOBBER int send_state,NOCLOBBER int recv_state)1451 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
1452 NOCLOBBER int recv_state)
1453 {
1454 const char *myname = "smtp_loop";
1455 DELIVER_REQUEST *request = state->request;
1456 SMTP_SESSION *session = state->session;
1457 SMTP_ITERATOR *iter = state->iterator;
1458 SMTP_RESP *resp;
1459 RECIPIENT *rcpt;
1460 VSTRING *next_command = vstring_alloc(100);
1461 int *NOCLOBBER survivors = 0;
1462 NOCLOBBER int next_state;
1463 NOCLOBBER int next_rcpt;
1464 NOCLOBBER int send_rcpt;
1465 NOCLOBBER int recv_rcpt;
1466 NOCLOBBER int nrcpt;
1467 NOCLOBBER int recv_done;
1468 int except;
1469 int rec_type;
1470 NOCLOBBER int prev_type = 0;
1471 NOCLOBBER int mail_from_rejected;
1472 NOCLOBBER int downgrading;
1473 int mime_errs;
1474 SMTP_RESP fake;
1475 int fail_status;
1476
1477 /* Caution: changes to RETURN() also affect code outside the main loop. */
1478
1479 #define RETURN(x) do { \
1480 if (recv_state != SMTP_STATE_LAST) \
1481 DONT_CACHE_THIS_SESSION; \
1482 vstring_free(next_command); \
1483 if (survivors) \
1484 myfree((void *) survivors); \
1485 if (session->mime_state) \
1486 session->mime_state = mime_state_free(session->mime_state); \
1487 return (x); \
1488 } while (0)
1489
1490 #define SENDER_IS_AHEAD \
1491 (recv_state < send_state || recv_rcpt != send_rcpt)
1492
1493 #define SENDER_IN_WAIT_STATE \
1494 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST)
1495
1496 #define SENDING_MAIL \
1497 (recv_state <= SMTP_STATE_DOT)
1498
1499 #define CANT_RSET_THIS_SESSION \
1500 (session->features |= SMTP_FEATURE_RSET_REJECTED)
1501
1502 /*
1503 * Pipelining support requires two loops: one loop for sending and one
1504 * for receiving. Each loop has its own independent state. Most of the
1505 * time the sender can run ahead of the receiver by as much as the TCP
1506 * send buffer permits. There are only two places where the sender must
1507 * wait for status information from the receiver: once after sending DATA
1508 * and once after sending QUIT.
1509 *
1510 * The sender state advances until the TCP send buffer would overflow, or
1511 * until the sender needs status information from the receiver. At that
1512 * point the receiver starts processing responses. Once the receiver has
1513 * caught up with the sender, the sender resumes sending commands. If the
1514 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO
1515 * commands rejected, DATA rejected) it forces the sender to abort the
1516 * SMTP dialog with RSET and QUIT.
1517 */
1518 nrcpt = 0;
1519 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0;
1520 mail_from_rejected = 0;
1521
1522 /*
1523 * Prepare for disaster. This should not be needed because the design
1524 * guarantees that no output is flushed before smtp_chat_resp() is
1525 * called.
1526 *
1527 * 1) Every SMTP command fits entirely in a VSTREAM output buffer.
1528 *
1529 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that
1530 * there is sufficient space for the command in the output buffer.
1531 *
1532 * 3) smtp_loop() flushes the output buffer to avoid server timeouts.
1533 *
1534 * Changing any of these would violate the design, and would likely break
1535 * SMTP pipelining.
1536 *
1537 * We set up the error handler anyway (only upon entry to avoid wasting
1538 * resources) because 1) there is code below that expects that VSTREAM
1539 * timeouts are enabled, and 2) this allows us to detect if someone broke
1540 * Postfix by introducing spurious flush before read operations.
1541 */
1542 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR
1543 || send_state > SMTP_STATE_QUIT)
1544 msg_panic("%s: bad sender state %d (receiver state %d)",
1545 myname, send_state, recv_state);
1546 smtp_stream_setup(session->stream, *xfer_timeouts[send_state],
1547 var_smtp_req_deadline, 0);
1548 if ((except = vstream_setjmp(session->stream)) != 0) {
1549 msg_warn("smtp_proto: spurious flush before read in send state %d",
1550 send_state);
1551 RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
1552 xfer_states[send_state]) : -1);
1553 }
1554
1555 /*
1556 * The main protocol loop.
1557 */
1558 do {
1559
1560 /*
1561 * Build the next command.
1562 */
1563 switch (send_state) {
1564
1565 /*
1566 * Sanity check.
1567 */
1568 default:
1569 msg_panic("%s: bad sender state %d", myname, send_state);
1570
1571 /*
1572 * Build the XFORWARD command. With properly sanitized
1573 * information, the command length stays within the 512 byte
1574 * command line length limit.
1575 *
1576 * XXX smtpd_xforward_preset() initializes some fields as "unknown"
1577 * and some as null; historically, pickup(8) does not send any of
1578 * these, and the queue manager presets absent fields to "not
1579 * available" except for the rewrite context which is preset to
1580 * local by way of migration aid. These definitions need to be
1581 * centralized for maintainability.
1582 */
1583 #ifndef CAN_FORWARD_CLIENT_NAME
1584 #define _ATTR_AVAIL_AND_KNOWN_(val) \
1585 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown"))
1586 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_
1587 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_
1588 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_
1589 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_
1590 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL
1591 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL
1592 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL
1593 #endif
1594
1595 case SMTP_STATE_XFORWARD_NAME_ADDR:
1596 vstring_strcpy(next_command, XFORWARD_CMD);
1597 if ((session->features & SMTP_FEATURE_XFORWARD_NAME)
1598 && CAN_FORWARD_CLIENT_NAME(request->client_name)) {
1599 vstring_strcat(next_command, " " XFORWARD_NAME "=");
1600 xtext_quote_append(next_command, request->client_name, "");
1601 }
1602 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
1603 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) {
1604 vstring_strcat(next_command, " " XFORWARD_ADDR "=");
1605 xtext_quote_append(next_command, request->client_addr, "");
1606 }
1607 if ((session->features & SMTP_FEATURE_XFORWARD_PORT)
1608 && CAN_FORWARD_CLIENT_PORT(request->client_port)) {
1609 vstring_strcat(next_command, " " XFORWARD_PORT "=");
1610 xtext_quote_append(next_command, request->client_port, "");
1611 }
1612 if (session->send_proto_helo)
1613 next_state = SMTP_STATE_XFORWARD_PROTO_HELO;
1614 else
1615 next_state = SMTP_STATE_MAIL;
1616 break;
1617
1618 case SMTP_STATE_XFORWARD_PROTO_HELO:
1619 vstring_strcpy(next_command, XFORWARD_CMD);
1620 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
1621 && CAN_FORWARD_PROTO_NAME(request->client_proto)) {
1622 vstring_strcat(next_command, " " XFORWARD_PROTO "=");
1623 xtext_quote_append(next_command, request->client_proto, "");
1624 }
1625 if ((session->features & SMTP_FEATURE_XFORWARD_HELO)
1626 && CAN_FORWARD_HELO_NAME(request->client_helo)) {
1627 vstring_strcat(next_command, " " XFORWARD_HELO "=");
1628 xtext_quote_append(next_command, request->client_helo, "");
1629 }
1630 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
1631 && CAN_FORWARD_IDENT_NAME(request->log_ident)) {
1632 vstring_strcat(next_command, " " XFORWARD_IDENT "=");
1633 xtext_quote_append(next_command, request->log_ident, "");
1634 }
1635 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
1636 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) {
1637 vstring_strcat(next_command, " " XFORWARD_DOMAIN "=");
1638 xtext_quote_append(next_command,
1639 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ?
1640 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, "");
1641 }
1642 next_state = SMTP_STATE_MAIL;
1643 break;
1644
1645 /*
1646 * Build the MAIL FROM command.
1647 */
1648 case SMTP_STATE_MAIL:
1649 request->msg_stats.reuse_count = session->reuse_count;
1650 GETTIMEOFDAY(&request->msg_stats.conn_setup_done);
1651 smtp_rewrite_generic_internal(session->scratch2, request->sender);
1652 smtp_quote_821_address(session->scratch,
1653 vstring_str(session->scratch2));
1654 vstring_sprintf(next_command, "MAIL FROM:<%s>",
1655 vstring_str(session->scratch));
1656 /* XXX Don't announce SIZE if we're going to MIME downgrade. */
1657 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */
1658 && !SMTP_MIME_DOWNGRADE(session, request))
1659 vstring_sprintf_append(next_command, " SIZE=%lu",
1660 request->data_size);
1661 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */
1662 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0)
1663 vstring_strcat(next_command, " BODY=8BITMIME");
1664 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0)
1665 vstring_strcat(next_command, " BODY=7BIT");
1666 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0)
1667 msg_warn("%s: unknown content encoding: %s",
1668 request->queue_id, request->encoding);
1669 }
1670 if (session->features & SMTP_FEATURE_DSN) {
1671 if (request->dsn_envid[0]) {
1672 vstring_sprintf_append(next_command, " ENVID=");
1673 xtext_quote_append(next_command, request->dsn_envid, "+=");
1674 }
1675 if (request->dsn_ret)
1676 vstring_sprintf_append(next_command, " RET=%s",
1677 dsn_ret_str(request->dsn_ret));
1678 }
1679
1680 /*
1681 * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8
1682 * and the sender requested SMTPUTF8 support.
1683 *
1684 * If the sender requested SMTPUTF8 but the remote SMTP server does
1685 * not support SMTPUTF8, then we have already determined earlier
1686 * that delivering this message without SMTPUTF8 will not break
1687 * the SMTPUTF8 promise that was made to the sender.
1688 */
1689 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
1690 && (request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) != 0)
1691 vstring_strcat(next_command, " SMTPUTF8");
1692
1693 /*
1694 * We authenticate the local MTA only, but not the sender.
1695 */
1696 #ifdef USE_SASL_AUTH
1697 if (var_smtp_sasl_enable
1698 && var_smtp_dummy_mail_auth
1699 && (session->features & SMTP_FEATURE_AUTH))
1700 vstring_strcat(next_command, " AUTH=<>");
1701 #endif
1702
1703 /*
1704 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail
1705 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA
1706 * commands to our TLS session.
1707 *
1708 * For the attack to succeed, the remote SMTP server must reply to
1709 * the malicious EHLO/MAIL/RCPT/DATA commands after completing
1710 * TLS (re)negotiation, so that the replies arrive in our TLS
1711 * session (otherwise the Postfix SMTP client would time out
1712 * waiting for an answer). With some luck we can detect this
1713 * specific attack as a server MAIL reply that arrives before we
1714 * send our own MAIL command.
1715 *
1716 * We don't apply this test to the HELO command because the result
1717 * would be very timing sensitive, and we don't apply this test
1718 * to RCPT and DATA replies because these may be pipelined for
1719 * legitimate reasons.
1720 */
1721 #ifdef USE_TLS
1722 if (var_smtp_tls_blk_early_mail_reply
1723 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
1724 && (vstream_peek(session->stream) > 0
1725 || peekfd(vstream_fileno(session->stream)) > 0))
1726 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY;
1727 #endif
1728
1729 /*
1730 * We now return to our regular broadcast.
1731 */
1732 next_state = SMTP_STATE_RCPT;
1733 break;
1734
1735 /*
1736 * Build one RCPT TO command before we have seen the MAIL FROM
1737 * response.
1738 */
1739 case SMTP_STATE_RCPT:
1740 rcpt = request->rcpt_list.info + send_rcpt;
1741 smtp_rewrite_generic_internal(session->scratch2, rcpt->address);
1742 smtp_quote_821_address(session->scratch,
1743 vstring_str(session->scratch2));
1744 vstring_sprintf(next_command, "RCPT TO:<%s>",
1745 vstring_str(session->scratch));
1746 if (session->features & SMTP_FEATURE_DSN) {
1747 /* XXX DSN xtext encode address value not type. */
1748 const char *orcpt_type_addr = rcpt->dsn_orcpt;
1749
1750 /* Fix 20140706: don't use empty rcpt->orig_addr. */
1751 if (orcpt_type_addr[0] == 0 && rcpt->orig_addr[0] != 0) {
1752 quote_822_local(session->scratch, rcpt->orig_addr);
1753 vstring_sprintf(session->scratch2, "%s;%s",
1754 /* Fix 20140707: sender must request SMTPUTF8. */
1755 (request->smtputf8 != 0
1756 && !allascii(vstring_str(session->scratch))) ?
1757 "utf-8" : "rfc822",
1758 vstring_str(session->scratch));
1759 orcpt_type_addr = vstring_str(session->scratch2);
1760 }
1761 if (orcpt_type_addr[0] != 0) {
1762 /* Fix 20140706: don't send unquoted ORCPT. */
1763 /* Fix 20140707: quoting method must match orcpt type. */
1764 /* Fix 20140707: handle uxtext encoder errors. */
1765 if (strncasecmp(orcpt_type_addr, "utf-8;", 6) == 0) {
1766 if (uxtext_quote(session->scratch,
1767 orcpt_type_addr, "+=") != 0)
1768 vstring_sprintf_append(next_command, " ORCPT=%s",
1769 vstring_str(session->scratch));
1770 } else {
1771 xtext_quote(session->scratch, orcpt_type_addr, "=");
1772 vstring_sprintf_append(next_command, " ORCPT=%s",
1773 vstring_str(session->scratch));
1774 }
1775 }
1776 if (rcpt->dsn_notify)
1777 vstring_sprintf_append(next_command, " NOTIFY=%s",
1778 dsn_notify_str(rcpt->dsn_notify));
1779 }
1780 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state))
1781 next_state = (DEL_REQ_TRACE_ONLY(request->flags)
1782 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ?
1783 SMTP_STATE_ABORT : SMTP_STATE_DATA;
1784 break;
1785
1786 /*
1787 * Build the DATA command before we have seen all the RCPT TO
1788 * responses.
1789 */
1790 case SMTP_STATE_DATA:
1791 vstring_strcpy(next_command, "DATA");
1792 next_state = SMTP_STATE_DOT;
1793 break;
1794
1795 /*
1796 * Build the "." command after we have seen the DATA response
1797 * (DATA is a protocol synchronization point).
1798 *
1799 * Changing the connection caching state here is safe because it
1800 * affects none of the not-yet processed replies to
1801 * already-generated commands.
1802 */
1803 case SMTP_STATE_DOT:
1804 vstring_strcpy(next_command, ".");
1805 if (THIS_SESSION_IS_EXPIRED)
1806 DONT_CACHE_THIS_SESSION;
1807 next_state = THIS_SESSION_IS_CACHED ?
1808 SMTP_STATE_LAST : SMTP_STATE_QUIT;
1809 break;
1810
1811 /*
1812 * The SMTP_STATE_ABORT sender state is entered by the sender
1813 * when it has verified all recipients; or it is entered by the
1814 * receiver when all recipients are verified or rejected, and is
1815 * then left before the bottom of the main loop.
1816 *
1817 * Changing the connection caching state here is safe because there
1818 * are no not-yet processed replies to already-generated
1819 * commands.
1820 */
1821 case SMTP_STATE_ABORT:
1822 vstring_strcpy(next_command, "RSET");
1823 if (THIS_SESSION_IS_EXPIRED)
1824 DONT_CACHE_THIS_SESSION;
1825 next_state = THIS_SESSION_IS_CACHED ?
1826 SMTP_STATE_LAST : SMTP_STATE_QUIT;
1827 break;
1828
1829 /*
1830 * Build the RSET command. This is entered as initial state from
1831 * smtp_rset() and has its own dedicated state transitions. It is
1832 * used to find out the status of a cached session before
1833 * attempting mail delivery.
1834 */
1835 case SMTP_STATE_RSET:
1836 vstring_strcpy(next_command, "RSET");
1837 next_state = SMTP_STATE_LAST;
1838 break;
1839
1840 /*
1841 * Build the QUIT command before we have seen the "." or RSET
1842 * response. This is entered as initial state from smtp_quit(),
1843 * or is reached near the end of any non-cached session.
1844 *
1845 * Changing the connection caching state here is safe. If this
1846 * command is pipelined together with a preceding command, then
1847 * connection caching was already turned off. Do not clobber the
1848 * "bad connection" flag.
1849 */
1850 case SMTP_STATE_QUIT:
1851 vstring_strcpy(next_command, "QUIT");
1852 next_state = SMTP_STATE_LAST;
1853 if (THIS_SESSION_IS_CACHED)
1854 DONT_CACHE_THIS_SESSION;
1855 break;
1856
1857 /*
1858 * The final sender state has no action associated with it.
1859 */
1860 case SMTP_STATE_LAST:
1861 VSTRING_RESET(next_command);
1862 break;
1863 }
1864 VSTRING_TERMINATE(next_command);
1865
1866 /*
1867 * Process responses until the receiver has caught up. Vstreams
1868 * automatically flush buffered output when reading new data.
1869 *
1870 * Flush unsent output if command pipelining is off or if no I/O
1871 * happened for a while. This limits the accumulation of client-side
1872 * delays in pipelined sessions.
1873 *
1874 * The PIPELINING engine will flush the VSTREAM buffer if the sender
1875 * could otherwise produce more output than fits the PIPELINING
1876 * buffer. This generally works because we know exactly how much
1877 * output we produced since the last time that the sender and
1878 * receiver synchronized the SMTP state. However this logic is not
1879 * applicable after the sender enters the DATA phase, where it does
1880 * not synchronize with the receiver until the <CR><LF>.<CR><LF>.
1881 * Thus, the PIPELINING engine no longer knows how much data is
1882 * pending in the TCP send buffer. For this reason, if PIPELINING is
1883 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is
1884 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP
1885 * stack either has already received the QUIT<CR><LF>, or else it
1886 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>,
1887 * making room in the sender's TCP stack for QUIT<CR><LF>.
1888 */
1889 #define CHECK_PIPELINING_BUFSIZE \
1890 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT)
1891
1892 if (SENDER_IN_WAIT_STATE
1893 || (SENDER_IS_AHEAD
1894 && ((session->features & SMTP_FEATURE_PIPELINING) == 0
1895 || (CHECK_PIPELINING_BUFSIZE
1896 && (VSTRING_LEN(next_command) + 2
1897 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND)
1898 > PIPELINING_BUFSIZE))
1899 || time((time_t *) 0)
1900 - vstream_ftime(session->stream) > 10))) {
1901 while (SENDER_IS_AHEAD) {
1902
1903 /*
1904 * Sanity check.
1905 */
1906 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR
1907 || recv_state > SMTP_STATE_QUIT)
1908 msg_panic("%s: bad receiver state %d (sender state %d)",
1909 myname, recv_state, send_state);
1910
1911 /*
1912 * Receive the next server response. Use the proper timeout,
1913 * and log the proper client state in case of trouble.
1914 *
1915 * XXX If we lose the connection before sending end-of-data,
1916 * find out if the server sent a premature end-of-data reply.
1917 * If this read attempt fails, report "lost connection while
1918 * sending message body", not "lost connection while sending
1919 * end-of-data".
1920 *
1921 * "except" becomes zero just above the protocol loop, and stays
1922 * zero or triggers an early return from the loop. In just
1923 * one case: loss of the connection when sending the message
1924 * body, we record the exception, and keep processing in the
1925 * hope of detecting a premature 5XX. We must be careful to
1926 * not clobber this non-zero value once it is set. The
1927 * variable need not survive longjmp() calls, since the only
1928 * setjmp() which does not return early is the one sets this
1929 * condition, subquent failures always return early.
1930 */
1931 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF)
1932
1933 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state],
1934 var_smtp_req_deadline, 0);
1935 if (LOST_CONNECTION_INSIDE_DATA) {
1936 if (vstream_setjmp(session->stream) != 0)
1937 RETURN(smtp_stream_except(state, SMTP_ERR_EOF,
1938 "sending message body"));
1939 } else {
1940 if ((except = vstream_setjmp(session->stream)) != 0)
1941 RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
1942 xfer_states[recv_state]) : -1);
1943 }
1944 resp = smtp_chat_resp(session);
1945
1946 /*
1947 * Process the response.
1948 */
1949 switch (recv_state) {
1950
1951 /*
1952 * Process the XFORWARD response.
1953 */
1954 case SMTP_STATE_XFORWARD_NAME_ADDR:
1955 if (resp->code / 100 != 2)
1956 msg_warn("host %s said: %s (in reply to %s)",
1957 session->namaddrport,
1958 translit(resp->str, "\n", " "),
1959 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]);
1960 if (session->send_proto_helo)
1961 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO;
1962 else
1963 recv_state = SMTP_STATE_MAIL;
1964 break;
1965
1966 case SMTP_STATE_XFORWARD_PROTO_HELO:
1967 if (resp->code / 100 != 2)
1968 msg_warn("host %s said: %s (in reply to %s)",
1969 session->namaddrport,
1970 translit(resp->str, "\n", " "),
1971 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]);
1972 recv_state = SMTP_STATE_MAIL;
1973 break;
1974
1975 /*
1976 * Process the MAIL FROM response. When the server
1977 * rejects the sender, set the mail_from_rejected flag so
1978 * that the receiver may apply a course correction.
1979 */
1980 case SMTP_STATE_MAIL:
1981 if (resp->code / 100 != 2) {
1982 smtp_mesg_fail(state, STR(iter->host), resp,
1983 "host %s said: %s (in reply to %s)",
1984 session->namaddr,
1985 translit(resp->str, "\n", " "),
1986 xfer_request[SMTP_STATE_MAIL]);
1987 mail_from_rejected = 1;
1988 }
1989
1990 /*
1991 * CVE-2009-3555 (TLS renegotiation). Whatever it was
1992 * that arrived before we sent our MAIL FROM command, it
1993 * was not a fatal-level TLS alert message. It could be a
1994 * warning-level TLS alert message, or a ChangeCipherSpec
1995 * message, but such messages are not normally sent in
1996 * the middle of a TLS session. We disconnect and try
1997 * again later.
1998 */
1999 #ifdef USE_TLS
2000 if (var_smtp_tls_blk_early_mail_reply
2001 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) {
2002 smtp_site_fail(state, DSN_BY_LOCAL_MTA,
2003 SMTP_RESP_FAKE(&fake, "4.7.0"),
2004 "unexpected server message");
2005 msg_warn("server %s violates %s policy",
2006 session->namaddr,
2007 VAR_LMTP_SMTP(TLS_BLK_EARLY_MAIL_REPLY));
2008 mail_from_rejected = 1;
2009 }
2010 #endif
2011
2012 /*
2013 * We now return to our regular broadcast.
2014 */
2015 recv_state = SMTP_STATE_RCPT;
2016 break;
2017
2018 /*
2019 * Process one RCPT TO response. If MAIL FROM was
2020 * rejected, ignore RCPT TO responses: all recipients are
2021 * dead already. When all recipients are rejected the
2022 * receiver may apply a course correction.
2023 *
2024 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply
2025 * must be treated as if the server replied with 452.
2026 * However, this causes "too much mail data" to be
2027 * treated as a recoverable error, which is wrong. I'll
2028 * stick with RFC 821.
2029 */
2030 case SMTP_STATE_RCPT:
2031 if (!mail_from_rejected) {
2032 #ifdef notdef
2033 if (resp->code == 552) {
2034 resp->code = 452;
2035 resp->dsn[0] = '4';
2036 }
2037 #endif
2038 rcpt = request->rcpt_list.info + recv_rcpt;
2039 if (resp->code / 100 == 2) {
2040 if (!smtp_mode) {
2041 if (survivors == 0)
2042 survivors = (int *)
2043 mymalloc(request->rcpt_list.len
2044 * sizeof(int));
2045 survivors[nrcpt] = recv_rcpt;
2046 }
2047 ++nrcpt;
2048 /* If trace-only, mark the recipient done. */
2049 if (DEL_REQ_TRACE_ONLY(request->flags)
2050 && smtp_vrfy_tgt == SMTP_STATE_RCPT) {
2051 translit(resp->str, "\n", " ");
2052 smtp_rcpt_done(state, resp, rcpt);
2053 }
2054 } else {
2055 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp,
2056 "host %s said: %s (in reply to %s)",
2057 session->namaddr,
2058 translit(resp->str, "\n", " "),
2059 xfer_request[SMTP_STATE_RCPT]);
2060 }
2061 }
2062 /* If trace-only, send RSET instead of DATA. */
2063 if (++recv_rcpt == SMTP_RCPT_LEFT(state))
2064 recv_state = (DEL_REQ_TRACE_ONLY(request->flags)
2065 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ?
2066 SMTP_STATE_ABORT : SMTP_STATE_DATA;
2067 /* XXX Also: record if non-delivering session. */
2068 break;
2069
2070 /*
2071 * Process the DATA response. When the server rejects
2072 * DATA, set nrcpt to a negative value so that the
2073 * receiver can apply a course correction.
2074 */
2075 case SMTP_STATE_DATA:
2076 recv_state = SMTP_STATE_DOT;
2077 if (resp->code / 100 != 3) {
2078 if (nrcpt > 0)
2079 smtp_mesg_fail(state, STR(iter->host), resp,
2080 "host %s said: %s (in reply to %s)",
2081 session->namaddr,
2082 translit(resp->str, "\n", " "),
2083 xfer_request[SMTP_STATE_DATA]);
2084 nrcpt = -1;
2085 }
2086
2087 /*
2088 * In the case of a successful address probe with target
2089 * equal to DATA, the remote server is now in the DATA
2090 * state, and therefore we must not make any further
2091 * attempt to send or receive on this connection. This
2092 * means that we cannot not reuse the general-purpose
2093 * course-correction logic below which sends RSET (and
2094 * perhaps QUIT). Instead we "jump" straight to the exit
2095 * and force an unceremonious disconnect.
2096 */
2097 else if (DEL_REQ_TRACE_ONLY(request->flags)
2098 && smtp_vrfy_tgt == SMTP_STATE_DATA) {
2099 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) {
2100 rcpt = request->rcpt_list.info + nrcpt;
2101 if (!SMTP_RCPT_ISMARKED(rcpt)) {
2102 translit(resp->str, "\n", " ");
2103 SMTP_RESP_SET_DSN(resp, "2.0.0");
2104 smtp_rcpt_done(state, resp, rcpt);
2105 }
2106 }
2107 DONT_CACHE_THIS_SESSION;
2108 send_state = recv_state = SMTP_STATE_LAST;
2109 }
2110 break;
2111
2112 /*
2113 * Process the end of message response. Ignore the
2114 * response when no recipient was accepted: all
2115 * recipients are dead already, and the next receiver
2116 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise,
2117 * if the message transfer fails, bounce all remaining
2118 * recipients, else cross off the recipients that were
2119 * delivered.
2120 */
2121 case SMTP_STATE_DOT:
2122 GETTIMEOFDAY(&request->msg_stats.deliver_done);
2123 if (smtp_mode) {
2124 if (nrcpt > 0) {
2125 if (resp->code / 100 != 2) {
2126 smtp_mesg_fail(state, STR(iter->host), resp,
2127 "host %s said: %s (in reply to %s)",
2128 session->namaddr,
2129 translit(resp->str, "\n", " "),
2130 xfer_request[SMTP_STATE_DOT]);
2131 } else {
2132 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) {
2133 rcpt = request->rcpt_list.info + nrcpt;
2134 if (!SMTP_RCPT_ISMARKED(rcpt)) {
2135 translit(resp->str, "\n", " ");
2136 smtp_rcpt_done(state, resp, rcpt);
2137 }
2138 }
2139 }
2140 }
2141 }
2142
2143 /*
2144 * With LMTP we have one response per accepted RCPT TO
2145 * command. Stay in the SMTP_STATE_DOT state until we
2146 * have collected all responses.
2147 */
2148 else {
2149 if (nrcpt > 0) {
2150 rcpt = request->rcpt_list.info
2151 + survivors[recv_done++];
2152 if (resp->code / 100 != 2) {
2153 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp,
2154 "host %s said: %s (in reply to %s)",
2155 session->namaddr,
2156 translit(resp->str, "\n", " "),
2157 xfer_request[SMTP_STATE_DOT]);
2158 } else {
2159 translit(resp->str, "\n", " ");
2160 smtp_rcpt_done(state, resp, rcpt);
2161 }
2162 }
2163 if (msg_verbose)
2164 msg_info("%s: got %d of %d end-of-data replies",
2165 myname, recv_done, nrcpt);
2166 if (recv_done < nrcpt)
2167 break;
2168 }
2169
2170 /*
2171 * XXX Do not change the connection caching state here,
2172 * even if the connection caching timer expired between
2173 * generating the command and processing the reply,
2174 * otherwise the sender and receiver loops get out of
2175 * sync. The caller will call smtp_quit() if appropriate.
2176 */
2177 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED
2178 || LOST_CONNECTION_INSIDE_DATA)
2179 recv_state = SMTP_STATE_LAST;
2180 else
2181 recv_state = SMTP_STATE_QUIT;
2182 break;
2183
2184 /*
2185 * Receive the RSET response.
2186 *
2187 * The SMTP_STATE_ABORT sender state is entered by the
2188 * sender when it has verified all recipients; or it is
2189 * entered by the receiver when all recipients are
2190 * verified or rejected, and is then left before the
2191 * bottom of the main loop.
2192 *
2193 * XXX Do not change the connection caching state here, even
2194 * if the server rejected RSET or if the connection
2195 * caching timer expired between generating the command
2196 * and processing the reply, otherwise the sender and
2197 * receiver loops get out of sync. The caller will call
2198 * smtp_quit() if appropriate.
2199 */
2200 case SMTP_STATE_ABORT:
2201 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ?
2202 SMTP_STATE_LAST : SMTP_STATE_QUIT);
2203 break;
2204
2205 /*
2206 * This is the initial receiver state from smtp_rset().
2207 * It is used to find out the status of a cached session
2208 * before attempting mail delivery.
2209 */
2210 case SMTP_STATE_RSET:
2211 if (resp->code / 100 != 2)
2212 CANT_RSET_THIS_SESSION;
2213 recv_state = SMTP_STATE_LAST;
2214 break;
2215
2216 /*
2217 * Receive, but otherwise ignore, the QUIT response.
2218 */
2219 case SMTP_STATE_QUIT:
2220 recv_state = SMTP_STATE_LAST;
2221 break;
2222 }
2223 }
2224
2225 /*
2226 * At this point, the sender and receiver are fully synchronized.
2227 */
2228
2229 /*
2230 * We know the server response to every command that was sent.
2231 * Apply a course correction if necessary: the sender wants to
2232 * send RCPT TO but MAIL FROM was rejected; the sender wants to
2233 * send DATA but all recipients were rejected; the sender wants
2234 * to deliver the message but DATA was rejected.
2235 */
2236 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected)
2237 || (send_state == SMTP_STATE_DATA && nrcpt == 0)
2238 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) {
2239 send_state = recv_state = SMTP_STATE_ABORT;
2240 send_rcpt = recv_rcpt = 0;
2241 vstring_strcpy(next_command, "RSET");
2242 if (THIS_SESSION_IS_EXPIRED)
2243 DONT_CACHE_THIS_SESSION;
2244 next_state = THIS_SESSION_IS_CACHED ?
2245 SMTP_STATE_LAST : SMTP_STATE_QUIT;
2246 /* XXX Also: record if non-delivering session. */
2247 next_rcpt = 0;
2248 }
2249 }
2250
2251 /*
2252 * Make the next sender state the current sender state.
2253 */
2254 if (send_state == SMTP_STATE_LAST)
2255 continue;
2256
2257 /*
2258 * Special case if the server accepted the DATA command. If the
2259 * server accepted at least one recipient send the entire message.
2260 * Otherwise, just send "." as per RFC 2197.
2261 *
2262 * XXX If there is a hard MIME error while downgrading to 7-bit mail,
2263 * disconnect ungracefully, because there is no other way to cancel a
2264 * transaction in progress.
2265 */
2266 if (send_state == SMTP_STATE_DOT && nrcpt > 0) {
2267
2268 smtp_stream_setup(session->stream, var_smtp_data1_tmout,
2269 var_smtp_req_deadline, var_smtp_min_data_rate);
2270
2271 if ((except = vstream_setjmp(session->stream)) == 0) {
2272
2273 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0)
2274 msg_fatal("seek queue file: %m");
2275
2276 downgrading = SMTP_MIME_DOWNGRADE(session, request);
2277
2278 /*
2279 * XXX Don't downgrade just because generic_maps is turned
2280 * on.
2281 */
2282 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks)
2283
2284 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS)
2285 session->mime_state = mime_state_alloc(downgrading ?
2286 MIME_OPT_DOWNGRADE
2287 | MIME_OPT_REPORT_NESTING :
2288 SMTP_ANY_CHECKS == 0 ?
2289 MIME_OPT_DISABLE_MIME :
2290 0,
2291 smtp_generic_maps
2292 || smtp_header_checks ?
2293 smtp_header_rewrite :
2294 smtp_header_out,
2295 (MIME_STATE_ANY_END) 0,
2296 smtp_body_checks ?
2297 smtp_body_rewrite :
2298 smtp_text_out,
2299 (MIME_STATE_ANY_END) 0,
2300 (MIME_STATE_ERR_PRINT) 0,
2301 (void *) state);
2302 state->space_left = var_smtp_line_limit;
2303
2304 if ((smtp_cli_attr.flags & SMTP_CLI_MASK_ADD_HEADERS) != 0
2305 && smtp_out_add_headers(state) < 0)
2306 RETURN(0);
2307
2308 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) {
2309 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT)
2310 break;
2311 if (smtp_out_raw_or_mime(state, rec_type,
2312 session->scratch) < 0)
2313 RETURN(0);
2314 prev_type = rec_type;
2315 }
2316
2317 if (session->mime_state) {
2318
2319 /*
2320 * The cleanup server normally ends MIME content with a
2321 * normal text record. The following code is needed to
2322 * flush an internal buffer when someone submits 8-bit
2323 * mail not ending in newline via /usr/sbin/sendmail
2324 * while MIME input processing is turned off, and MIME
2325 * 8bit->7bit conversion is requested upon delivery.
2326 *
2327 * Or some error while doing generic address mapping.
2328 */
2329 mime_errs =
2330 mime_state_update(session->mime_state, rec_type, "", 0);
2331 if (mime_errs) {
2332 smtp_mime_fail(state, mime_errs);
2333 RETURN(0);
2334 }
2335 } else if (prev_type == REC_TYPE_CONT) /* missing newline */
2336 smtp_fputs("", 0, session->stream);
2337 if (session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) {
2338 smtp_flush(session->stream);/* hurts performance */
2339 sleep(var_smtp_pix_delay); /* not to mention this */
2340 }
2341 if (vstream_ferror(state->src))
2342 msg_fatal("queue file read error");
2343 if (rec_type != REC_TYPE_XTRA) {
2344 msg_warn("%s: bad record type: %d in message content",
2345 request->queue_id, rec_type);
2346 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
2347 SMTP_RESP_FAKE(&fake, "5.3.0"),
2348 "unreadable mail queue entry");
2349 /* Bailing out, abort stream with prejudice */
2350 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
2351 DONT_USE_FORBIDDEN_SESSION;
2352 /* If bounce_append() succeeded, status is still 0 */
2353 if (state->status == 0)
2354 (void) mark_corrupt(state->src);
2355 /* Don't override smtp_mesg_fail() here. */
2356 RETURN(fail_status);
2357 }
2358 } else {
2359 if (!LOST_CONNECTION_INSIDE_DATA)
2360 RETURN(smtp_stream_except(state, except,
2361 "sending message body"));
2362
2363 /*
2364 * We will clear the stream error flag to try and read a
2365 * premature 5XX response, so it is important to flush any
2366 * unwritten data. Otherwise, we will try to flush it again
2367 * before reading, which may incur an unnecessary delay and
2368 * will prevent the reading of any response that is not
2369 * already buffered (bundled with the DATA 354 response).
2370 *
2371 * Not much point in sending QUIT at this point, skip right to
2372 * SMTP_STATE_LAST. The read engine above will likewise avoid
2373 * looking for a QUIT response.
2374 */
2375 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE);
2376 next_state = SMTP_STATE_LAST;
2377 }
2378 }
2379
2380 /*
2381 * Copy the next command to the buffer and update the sender state.
2382 */
2383 if (except == 0) {
2384 smtp_chat_cmd(session, "%s", vstring_str(next_command));
2385 } else {
2386 DONT_CACHE_THIS_SESSION;
2387 }
2388 send_state = next_state;
2389 send_rcpt = next_rcpt;
2390 } while (recv_state != SMTP_STATE_LAST);
2391 RETURN(0);
2392 }
2393
2394 /* smtp_xfer - send a batch of envelope information and the message data */
2395
smtp_xfer(SMTP_STATE * state)2396 int smtp_xfer(SMTP_STATE *state)
2397 {
2398 DELIVER_REQUEST *request = state->request;
2399 SMTP_SESSION *session = state->session;
2400 SMTP_RESP fake;
2401 int send_state;
2402 int recv_state;
2403 int send_name_addr;
2404 int result;
2405
2406 /*
2407 * Sanity check. Recipients should be unmarked at this point.
2408 */
2409 if (SMTP_RCPT_LEFT(state) <= 0)
2410 msg_panic("smtp_xfer: bad recipient count: %d",
2411 SMTP_RCPT_LEFT(state));
2412 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info))
2413 msg_panic("smtp_xfer: bad recipient status: %d",
2414 request->rcpt_list.info->u.status);
2415
2416 /*
2417 * See if we should even try to send this message at all. This code sits
2418 * here rather than in the EHLO processing code, because of SMTP
2419 * connection caching.
2420 */
2421 if (session->size_limit > 0 && session->size_limit < request->data_size) {
2422 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
2423 SMTP_RESP_FAKE(&fake, "5.3.4"),
2424 "message size %lu exceeds size limit %.0f of server %s",
2425 request->data_size, (double) session->size_limit,
2426 session->namaddr);
2427 /* Redundant. We abort this delivery attempt. */
2428 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;
2429 return (0);
2430 }
2431
2432 /*
2433 * Use XFORWARD to forward the origin of this email message across an
2434 * SMTP-based content filter. Send client attribute information only if
2435 * it exists (i.e. remote submission). Local submissions have no client
2436 * attributes; the mail will appear to originate from the content filter
2437 * which is acceptable.
2438 */
2439 send_name_addr =
2440 var_smtp_send_xforward
2441 && (((session->features & SMTP_FEATURE_XFORWARD_NAME)
2442 && CAN_FORWARD_CLIENT_NAME(request->client_name))
2443 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
2444 && CAN_FORWARD_CLIENT_ADDR(request->client_addr))
2445 || ((session->features & SMTP_FEATURE_XFORWARD_PORT)
2446 && CAN_FORWARD_CLIENT_PORT(request->client_port)));
2447 session->send_proto_helo =
2448 var_smtp_send_xforward
2449 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO)
2450 && CAN_FORWARD_PROTO_NAME(request->client_proto))
2451 || ((session->features & SMTP_FEATURE_XFORWARD_HELO)
2452 && CAN_FORWARD_HELO_NAME(request->client_helo))
2453 || ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
2454 && CAN_FORWARD_IDENT_NAME(request->log_ident))
2455 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
2456 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)));
2457 if (send_name_addr)
2458 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR;
2459 else if (session->send_proto_helo)
2460 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO;
2461 else
2462 recv_state = send_state = SMTP_STATE_MAIL;
2463
2464 /*
2465 * Remember this session's "normal completion", even if the server 4xx-ed
2466 * some or all recipients. Connection or handshake errors with a later MX
2467 * host should not cause this destination be marked as unreachable.
2468 */
2469 result = smtp_loop(state, send_state, recv_state);
2470
2471 if (result == 0
2472 /* Just in case */
2473 && vstream_ferror(session->stream) == 0
2474 && vstream_feof(session->stream) == 0)
2475 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;
2476
2477 return (result);
2478 }
2479
2480 /* smtp_rset - send a lone RSET command */
2481
smtp_rset(SMTP_STATE * state)2482 int smtp_rset(SMTP_STATE *state)
2483 {
2484
2485 /*
2486 * This works because SMTP_STATE_RSET is a dedicated sender/recipient
2487 * entry state, with SMTP_STATE_LAST as next sender/recipient state.
2488 */
2489 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET));
2490 }
2491
2492 /* smtp_quit - send a lone QUIT command */
2493
smtp_quit(SMTP_STATE * state)2494 int smtp_quit(SMTP_STATE *state)
2495 {
2496
2497 /*
2498 * This works because SMTP_STATE_QUIT is the last state with a sender
2499 * action, with SMTP_STATE_LAST as the next sender/recipient state.
2500 */
2501 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ?
2502 SMTP_STATE_LAST : SMTP_STATE_QUIT));
2503 }
2504