1 /* $NetBSD: smtp_proto.c,v 1.4 2022/10/08 16:12:49 christos Exp $ */
2
3 /*++
4 /* NAME
5 /* smtp_proto 3
6 /* SUMMARY
7 /* client SMTP/LMTP protocol
8 /* SYNOPSIS
9 /* #include "smtp.h"
10 /*
11 /* int smtp_helo(state)
12 /* SMTP_STATE *state;
13 /*
14 /* int smtp_xfer(state)
15 /* SMTP_STATE *state;
16 /*
17 /* int smtp_rset(state)
18 /* SMTP_STATE *state;
19 /*
20 /* int smtp_quit(state)
21 /* SMTP_STATE *state;
22 /* DESCRIPTION
23 /* In the subsequent text, SMTP implies LMTP.
24 /* This module implements the client side of the SMTP protocol.
25 /*
26 /* smtp_helo() performs the initial handshake with the SMTP server.
27 /* When TLS is enabled, this includes STARTTLS negotiations.
28 /*
29 /* smtp_xfer() sends message envelope information followed by the
30 /* message data, and finishes the SMTP conversation. These operations
31 /* are combined in one function, in order to implement SMTP pipelining.
32 /* Recipients are marked as "done" in the mail queue file when
33 /* bounced or delivered. The message delivery status is updated
34 /* accordingly.
35 /*
36 /* smtp_rset() sends a single RSET command and waits for the
37 /* response. In case of a negative reply it sets the
38 /* CANT_RSET_THIS_SESSION flag.
39 /*
40 /* smtp_quit() sends a single QUIT command and waits for the
41 /* response if configured to do so. It always turns off connection
42 /* caching.
43 /* DIAGNOSTICS
44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return
45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(),
46 /* smtp_rset() and smtp_quit(), success means the ability to
47 /* perform an SMTP conversation, not necessarily the ability
48 /* to deliver mail, or the achievement of server happiness.
49 /*
50 /* In case of a rejected or failed connection, a connection
51 /* is marked as "bad, do not cache". Otherwise, connection
52 /* caching may be turned off (without being marked "bad") at
53 /* the discretion of the code that implements the individual
54 /* protocol steps.
55 /*
56 /* Warnings: corrupt message file. A corrupt message is marked
57 /* as "corrupt" by changing its queue file permissions.
58 /* BUGS
59 /* Some SMTP servers will abort when the number of recipients
60 /* for one message exceeds their capacity. This behavior violates
61 /* the SMTP protocol.
62 /* The only way around this is to limit the number of recipients
63 /* per transaction to an artificially-low value.
64 /* SEE ALSO
65 /* smtp(3h) internal data structures
66 /* smtp_chat(3) query/reply SMTP support
67 /* smtp_trouble(3) error handlers
68 /* LICENSE
69 /* .ad
70 /* .fi
71 /* The Secure Mailer license must be distributed with this software.
72 /* AUTHOR(S)
73 /* Wietse Venema
74 /* IBM T.J. Watson Research
75 /* P.O. Box 704
76 /* Yorktown Heights, NY 10598, USA
77 /*
78 /* Wietse Venema
79 /* Google, Inc.
80 /* 111 8th Avenue
81 /* New York, NY 10011, USA
82 /*
83 /* Pipelining code in cooperation with:
84 /* Jon Ribbens
85 /* Oaktree Internet Solutions Ltd.,
86 /* Internet House,
87 /* Canal Basin,
88 /* Coventry,
89 /* CV1 4LY, United Kingdom.
90 /*
91 /* Connection caching in cooperation with:
92 /* Victor Duchovni
93 /* Morgan Stanley
94 /*
95 /* TLS support originally by:
96 /* Lutz Jaenicke
97 /* BTU Cottbus
98 /* Allgemeine Elektrotechnik
99 /* Universitaetsplatz 3-4
100 /* D-03044 Cottbus, Germany
101 /*--*/
102
103 /* System library. */
104
105 #include <sys_defs.h>
106 #include <sys/stat.h>
107 #include <sys/socket.h> /* shutdown(2) */
108 #include <netinet/in.h> /* ntohs() */
109 #include <string.h>
110 #include <unistd.h>
111 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */
112 #include <stdarg.h>
113 #include <time.h>
114
115 #ifdef STRCASECMP_IN_STRINGS_H
116 #include <strings.h>
117 #endif
118
119 /* Utility library. */
120
121 #include <msg.h>
122 #include <vstring.h>
123 #include <vstream.h>
124 #include <vstring_vstream.h>
125 #include <stringops.h>
126 #include <mymalloc.h>
127 #include <iostuff.h>
128 #include <split_at.h>
129 #include <name_code.h>
130 #include <name_mask.h>
131
132 /* Global library. */
133
134 #include <mail_params.h>
135 #include <smtp_stream.h>
136 #include <mail_queue.h>
137 #include <recipient_list.h>
138 #include <deliver_request.h>
139 #include <defer.h>
140 #include <bounce.h>
141 #include <record.h>
142 #include <rec_type.h>
143 #include <off_cvt.h>
144 #include <mark_corrupt.h>
145 #include <quote_822_local.h>
146 #include <mail_proto.h>
147 #include <mime_state.h>
148 #include <ehlo_mask.h>
149 #include <maps.h>
150 #include <tok822.h>
151 #include <mail_addr_map.h>
152 #include <ext_prop.h>
153 #include <namadr_list.h>
154 #include <match_parent_style.h>
155 #include <lex_822.h>
156 #include <dsn_mask.h>
157 #include <xtext.h>
158 #include <uxtext.h>
159 #include <smtputf8.h>
160
161 /* Application-specific. */
162
163 #include "smtp.h"
164 #include "smtp_sasl.h"
165
166 /*
167 * Sender and receiver state. A session does not necessarily go through a
168 * linear progression, but states are guaranteed to not jump backwards.
169 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states
170 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST.
171 *
172 * When connection caching is enabled, the QUIT state is suppressed. Normal
173 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions
174 * end with ABORT->LAST. The connection is left open for a limited time. An
175 * RSET probe should be sent before attempting to reuse an open connection
176 * for a new transaction.
177 *
178 * The code to send an RSET probe is a special case with its own initial state
179 * and with its own dedicated state transitions. The session proceeds as
180 * RSET->LAST. This code is kept inside the main protocol engine for
181 * consistent error handling and error reporting. It is not to be confused
182 * with the code that sends RSET to abort a mail transaction in progress.
183 *
184 * The code to send QUIT without message delivery transaction jumps into the
185 * main state machine. If this introduces complications, then we should
186 * introduce a second QUIT state with its own dedicated state transitions,
187 * just like we did for RSET probes.
188 *
189 * By default, the receiver skips the QUIT response. Some SMTP servers
190 * disconnect after responding to ".", and some SMTP servers wait before
191 * responding to QUIT.
192 *
193 * Client states that are associated with sending mail (up to and including
194 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending
195 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST).
196 */
197 #define SMTP_STATE_XFORWARD_NAME_ADDR 0
198 #define SMTP_STATE_XFORWARD_PROTO_HELO 1
199 #define SMTP_STATE_MAIL 2
200 #define SMTP_STATE_RCPT 3
201 #define SMTP_STATE_DATA 4
202 #define SMTP_STATE_DOT 5
203 #define SMTP_STATE_ABORT 6
204 #define SMTP_STATE_RSET 7
205 #define SMTP_STATE_QUIT 8
206 #define SMTP_STATE_LAST 9
207
208 int *xfer_timeouts[SMTP_STATE_LAST] = {
209 &var_smtp_xfwd_tmout, /* name/addr */
210 &var_smtp_xfwd_tmout, /* helo/proto */
211 &var_smtp_mail_tmout,
212 &var_smtp_rcpt_tmout,
213 &var_smtp_data0_tmout,
214 &var_smtp_data2_tmout,
215 &var_smtp_rset_tmout,
216 &var_smtp_rset_tmout,
217 &var_smtp_quit_tmout,
218 };
219
220 char *xfer_states[SMTP_STATE_LAST] = {
221 "sending XFORWARD name/address",
222 "sending XFORWARD protocol/helo_name",
223 "sending MAIL FROM",
224 "sending RCPT TO",
225 "sending DATA command",
226 "sending end of data -- message may be sent more than once",
227 "sending final RSET",
228 "sending RSET probe",
229 "sending QUIT",
230 };
231
232 char *xfer_request[SMTP_STATE_LAST] = {
233 "XFORWARD name/address command",
234 "XFORWARD helo/protocol command",
235 "MAIL FROM command",
236 "RCPT TO command",
237 "DATA command",
238 "end of DATA command",
239 "final RSET command",
240 "RSET probe",
241 "QUIT command",
242 };
243
244 /*
245 * Note: MIME downgrade never happens for mail that must be delivered with
246 * SMTPUTF8 (the sender requested SMTPUTF8, AND the delivery request
247 * involves at least one UTF-8 envelope address or header value.
248 */
249 #define SMTP_MIME_DOWNGRADE(session, request) \
250 (var_disable_mime_oconv == 0 \
251 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \
252 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0)
253
254 #ifdef USE_TLS
255
256 static int smtp_start_tls(SMTP_STATE *);
257
258 #endif
259
260 /*
261 * Call-back information for header/body checks. We don't provide call-backs
262 * for actions that change the message delivery time or destination.
263 */
264 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *);
265 static void smtp_text_out(void *, int, const char *, ssize_t, off_t);
266
267 HBC_CALL_BACKS smtp_hbc_callbacks[1] = {
268 smtp_hbc_logger,
269 smtp_text_out,
270 };
271
272 static int smtp_vrfy_tgt;
273
274 /* smtp_vrfy_init - initialize */
275
smtp_vrfy_init(void)276 void smtp_vrfy_init(void)
277 {
278 static const NAME_CODE vrfy_init_table[] = {
279 SMTP_VRFY_TGT_RCPT, SMTP_STATE_RCPT,
280 SMTP_VRFY_TGT_DATA, SMTP_STATE_DATA,
281 0,
282 };
283
284 if ((smtp_vrfy_tgt = name_code(vrfy_init_table, NAME_CODE_FLAG_NONE,
285 var_smtp_vrfy_tgt)) == 0)
286 msg_fatal("bad protocol stage: \"%s = %s\"",
287 VAR_SMTP_VRFY_TGT, var_smtp_vrfy_tgt);
288 }
289
290 /* smtp_helo - perform initial handshake with SMTP server */
291
smtp_helo(SMTP_STATE * state)292 int smtp_helo(SMTP_STATE *state)
293 {
294 const char *myname = "smtp_helo";
295 SMTP_SESSION *session = state->session;
296 DELIVER_REQUEST *request = state->request;
297 SMTP_ITERATOR *iter = state->iterator;
298 SMTP_RESP *resp;
299 SMTP_RESP fake;
300 int except;
301 char *lines;
302 char *words;
303 char *word;
304 int n;
305 static const NAME_CODE xforward_features[] = {
306 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME,
307 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR,
308 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT,
309 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO,
310 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
311 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT,
312 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN,
313 0, 0,
314 };
315 const char *ehlo_words;
316 int discard_mask;
317 static const NAME_MASK pix_bug_table[] = {
318 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP,
319 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF,
320 0,
321 };
322 const char *pix_bug_words;
323 const char *pix_bug_source;
324 int pix_bug_mask;
325
326 #ifdef USE_TLS
327 int saved_features = session->features;
328 int tls_helo_status;
329
330 #endif
331 const char *NOCLOBBER where;
332
333 /*
334 * Skip the plaintext SMTP handshake when connecting in SMTPS mode.
335 */
336 #ifdef USE_TLS
337 if (var_smtp_tls_wrappermode
338 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
339 /* XXX Mix-up of per-session and per-request flags. */
340 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
341 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
342 var_smtp_req_deadline, 0);
343 tls_helo_status = smtp_start_tls(state);
344 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
345 return (tls_helo_status);
346 }
347 #endif
348
349 /*
350 * Prepare for disaster.
351 */
352 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout,
353 var_smtp_req_deadline, 0);
354 if ((except = vstream_setjmp(state->session->stream)) != 0)
355 return (smtp_stream_except(state, except, where));
356
357 /*
358 * If not recursing after STARTTLS, examine the server greeting banner
359 * and decide if we are going to send EHLO as the next command.
360 */
361 if (var_smtp_tls_wrappermode
362 || (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
363
364 /*
365 * Read and parse the server's SMTP greeting banner.
366 */
367 where = "receiving the initial server greeting";
368 switch ((resp = smtp_chat_resp(session))->code / 100) {
369 case 2:
370 break;
371 case 5:
372 if (var_smtp_skip_5xx_greeting)
373 STR(resp->dsn_buf)[0] = '4';
374 /* FALLTHROUGH */
375 default:
376 return (smtp_site_fail(state, STR(iter->host), resp,
377 "host %s refused to talk to me: %s",
378 session->namaddr,
379 translit(resp->str, "\n", " ")));
380 }
381
382 /*
383 * If the policy table specifies a bogus TLS security level, fail
384 * now.
385 */
386 #ifdef USE_TLS
387 if (state->tls->level == TLS_LEV_INVALID)
388 /* Warning is already logged. */
389 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
390 SMTP_RESP_FAKE(&fake, "4.7.0"),
391 "client TLS configuration problem"));
392 #endif
393
394 /*
395 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so
396 * it does not span a packet boundary. This hurts performance so it
397 * is not on by default.
398 */
399 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) {
400 /* Best effort only. Ignore errors. */
401 if (smtp_pix_bug_maps != 0
402 && (pix_bug_words =
403 maps_find(smtp_pix_bug_maps,
404 STR(iter->addr), 0)) != 0) {
405 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_MAPS);
406 } else {
407 pix_bug_words = var_smtp_pix_bug_words;
408 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_WORDS);
409 }
410 if (*pix_bug_words) {
411 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table,
412 pix_bug_words,
413 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE);
414 if ((pix_bug_mask & SMTP_FEATURE_PIX_DELAY_DOTCRLF)
415 && request->msg_stats.incoming_arrival.tv_sec
416 > vstream_ftime(state->session->stream) - var_smtp_pix_thresh)
417 pix_bug_mask &= ~SMTP_FEATURE_PIX_DELAY_DOTCRLF;
418 msg_info("%s: enabling PIX workarounds: %s for %s",
419 request->queue_id,
420 str_name_mask("pix workaround bitmask",
421 pix_bug_table, pix_bug_mask),
422 session->namaddrport);
423 session->features |= pix_bug_mask;
424 }
425 }
426
427 /*
428 * See if we are talking to ourself. This should not be possible with
429 * the way we implement DNS lookups. However, people are known to
430 * sometimes screw up the naming service. And, mailer loops are still
431 * possible when our own mailer routing tables are mis-configured.
432 */
433 words = resp->str;
434 (void) mystrtok(&words, "- \t\n");
435 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) {
436 if (n == 0 && strcasecmp(word, var_myhostname) == 0) {
437 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT)
438 msg_warn("host %s greeted me with my own hostname %s",
439 session->namaddrport, var_myhostname);
440 } else if (strcasecmp(word, "ESMTP") == 0)
441 session->features |= SMTP_FEATURE_ESMTP;
442 }
443 if (smtp_mode) {
444 if (var_smtp_always_ehlo
445 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0)
446 session->features |= SMTP_FEATURE_ESMTP;
447 if (var_smtp_never_ehlo
448 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0)
449 session->features &= ~SMTP_FEATURE_ESMTP;
450 } else {
451 session->features |= SMTP_FEATURE_ESMTP;
452 }
453 }
454
455 /*
456 * If recursing after STARTTLS, there is no server greeting banner.
457 * Always send EHLO as the next command.
458 */
459 else {
460 session->features |= SMTP_FEATURE_ESMTP;
461 }
462
463 /*
464 * Return the compliment. Fall back to SMTP if our ESMTP recognition
465 * heuristic failed.
466 */
467 if (smtp_mode) {
468 where = "performing the EHLO handshake";
469 if (session->features & SMTP_FEATURE_ESMTP) {
470 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name);
471 if ((resp = smtp_chat_resp(session))->code / 100 != 2) {
472 if (resp->code == 421)
473 return (smtp_site_fail(state, STR(iter->host), resp,
474 "host %s refused to talk to me: %s",
475 session->namaddr,
476 translit(resp->str, "\n", " ")));
477 else
478 session->features &= ~SMTP_FEATURE_ESMTP;
479 }
480 }
481 if ((session->features & SMTP_FEATURE_ESMTP) == 0) {
482 where = "performing the HELO handshake";
483 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name);
484 if ((resp = smtp_chat_resp(session))->code / 100 != 2)
485 return (smtp_site_fail(state, STR(iter->host), resp,
486 "host %s refused to talk to me: %s",
487 session->namaddr,
488 translit(resp->str, "\n", " ")));
489 }
490 } else {
491 where = "performing the LHLO handshake";
492 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name);
493 if ((resp = smtp_chat_resp(session))->code / 100 != 2)
494 return (smtp_site_fail(state, STR(iter->host), resp,
495 "host %s refused to talk to me: %s",
496 session->namaddr,
497 translit(resp->str, "\n", " ")));
498 }
499
500 /*
501 * No early returns allowed, to ensure consistent handling of TLS and
502 * SASL policies.
503 */
504 if (session->features & SMTP_FEATURE_ESMTP) {
505
506 /*
507 * Determine what server EHLO keywords to ignore, typically to avoid
508 * inter-operability problems.
509 */
510 if (smtp_ehlo_dis_maps == 0
511 || (ehlo_words = maps_find(smtp_ehlo_dis_maps,
512 STR(iter->addr), 0)) == 0)
513 ehlo_words = var_smtp_ehlo_dis_words;
514 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) {
515 msg_warn("%s: %s map lookup error for %s",
516 session->state->request->queue_id,
517 smtp_ehlo_dis_maps->title, STR(iter->addr));
518 vstream_longjmp(session->stream, SMTP_ERR_DATA);
519 }
520 discard_mask = ehlo_mask(ehlo_words);
521 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
522 msg_info("discarding EHLO keywords: %s",
523 str_ehlo_mask(discard_mask));
524
525 /*
526 * Pick up some useful features offered by the SMTP server. XXX Until
527 * we have a portable routine to convert from string to off_t with
528 * proper overflow detection, ignore the message size limit
529 * advertised by the SMTP server. Otherwise, we might do the wrong
530 * thing when the server advertises a really huge message size limit.
531 *
532 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...",
533 * because MicroSoft implemented AUTH based on an old draft.
534 */
535 lines = resp->str;
536 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) {
537 if (mystrtok(&words, "- ")
538 && (word = mystrtok(&words, " \t=")) != 0) {
539 if (n == 0) {
540 if (session->helo != 0)
541 myfree(session->helo);
542
543 /*
544 * XXX: Keep the original case: we don't expect a single
545 * SMTP server to randomly change the case of its helo
546 * response. If different capitalization is detected, we
547 * should assume disjoint TLS caches.
548 */
549 session->helo = mystrdup(word);
550 if (strcasecmp(word, var_myhostname) == 0
551 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) {
552 msg_warn("host %s replied to HELO/EHLO"
553 " with my own hostname %s",
554 session->namaddrport, var_myhostname);
555 if (session->features & SMTP_FEATURE_BEST_MX)
556 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
557 SMTP_RESP_FAKE(&fake, "5.4.6"),
558 "mail for %s loops back to myself",
559 request->nexthop));
560 else
561 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
562 SMTP_RESP_FAKE(&fake, "4.4.6"),
563 "mail for %s loops back to myself",
564 request->nexthop));
565 }
566 } else if (strcasecmp(word, "8BITMIME") == 0) {
567 if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
568 session->features |= SMTP_FEATURE_8BITMIME;
569 } else if (strcasecmp(word, "PIPELINING") == 0) {
570 if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
571 session->features |= SMTP_FEATURE_PIPELINING;
572 } else if (strcasecmp(word, "XFORWARD") == 0) {
573 if ((discard_mask & EHLO_MASK_XFORWARD) == 0)
574 while ((word = mystrtok(&words, " \t")) != 0)
575 session->features |=
576 name_code(xforward_features,
577 NAME_CODE_FLAG_NONE, word);
578 } else if (strcasecmp(word, "SIZE") == 0) {
579 if ((discard_mask & EHLO_MASK_SIZE) == 0) {
580 session->features |= SMTP_FEATURE_SIZE;
581 if ((word = mystrtok(&words, " \t")) != 0) {
582 if (!alldig(word))
583 msg_warn("bad EHLO SIZE limit \"%s\" from %s",
584 word, session->namaddrport);
585 else
586 session->size_limit = off_cvt_string(word);
587 }
588 }
589 #ifdef USE_TLS
590 } else if (strcasecmp(word, "STARTTLS") == 0) {
591 /* Ignored later if we already sent STARTTLS. */
592 if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
593 session->features |= SMTP_FEATURE_STARTTLS;
594 #endif
595 #ifdef USE_SASL_AUTH
596 } else if (var_smtp_sasl_enable
597 && strcasecmp(word, "AUTH") == 0) {
598 if ((discard_mask & EHLO_MASK_AUTH) == 0)
599 smtp_sasl_helo_auth(session, words);
600 #endif
601 } else if (strcasecmp(word, "DSN") == 0) {
602 if ((discard_mask & EHLO_MASK_DSN) == 0)
603 session->features |= SMTP_FEATURE_DSN;
604 } else if (strcasecmp(word, "SMTPUTF8") == 0) {
605 if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0)
606 session->features |= SMTP_FEATURE_SMTPUTF8;
607 }
608 n++;
609 }
610 }
611 }
612 if (msg_verbose)
613 msg_info("server features: 0x%x size %.0f",
614 session->features, (double) session->size_limit);
615
616 /*
617 * Decide if this delivery requires SMTPUTF8 server support.
618 *
619 * For now, we require that the remote SMTP server supports SMTPUTF8 when
620 * the sender requested SMTPUTF8 support.
621 *
622 * XXX EAI Refine this to: the sender requested SMTPUTF8 support AND the
623 * delivery request involves at least one UTF-8 envelope address or
624 * header value.
625 *
626 * If the sender requested SMTPUTF8 support but the delivery request
627 * involves no UTF-8 envelope address or header value, then we could
628 * still deliver such mail to a non-SMTPUTF8 server, except that we must
629 * either uxtext-encode ORCPT parameters or not send them. We cannot
630 * encode the ORCPT in xtext, because legacy SMTP requires that the
631 * unencoded address consist entirely of printable (graphic and white
632 * space) characters from the US-ASCII repertoire (RFC 3461 section 4). A
633 * correct uxtext encoder will produce a result that an xtext decoder
634 * will pass through unchanged.
635 *
636 * XXX Should we try to encode headers with RFC 2047 when delivering to a
637 * non-SMTPUTF8 server? That could make life easier for mailing lists.
638 */
639 #define DELIVERY_REQUIRES_SMTPUTF8 \
640 ((request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) \
641 && (request->smtputf8 & ~SMTPUTF8_FLAG_REQUESTED))
642
643 /*
644 * Require that the server supports SMTPUTF8 when delivery requires
645 * SMTPUTF8.
646 *
647 * Fix 20140706: moved this before negotiating TLS, AUTH, and so on.
648 */
649 if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0
650 && DELIVERY_REQUIRES_SMTPUTF8)
651 return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
652 SMTP_RESP_FAKE(&fake, "5.6.7"),
653 "SMTPUTF8 is required, "
654 "but was not offered by host %s",
655 session->namaddr));
656
657 /*
658 * Fix 20140706: don't do silly things when the remote server announces
659 * SMTPUTF8 but not 8BITMIME support. Our primary mission is to deliver
660 * mail, not to force people into compliance.
661 */
662 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
663 && (session->features & SMTP_FEATURE_8BITMIME) == 0) {
664 msg_info("host %s offers SMTPUTF8 support, but not 8BITMIME",
665 session->namaddr);
666 session->features |= SMTP_FEATURE_8BITMIME;
667 }
668
669 /*
670 * We use SMTP command pipelining if the server said it supported it.
671 * Since we use blocking I/O, RFC 2197 says that we should inspect the
672 * TCP window size and not send more than this amount of information.
673 * Unfortunately this information is unavailable using the sockets
674 * interface. However, we *can* get the TCP send buffer size on the local
675 * TCP/IP stack. We should be able to fill this buffer without being
676 * blocked, and then the kernel will effectively do non-blocking I/O for
677 * us by automatically writing out the contents of its send buffer while
678 * we are reading in the responses. In addition to TCP buffering we have
679 * to be aware of application-level buffering by the vstream module,
680 * which is limited to a couple kbytes.
681 *
682 * XXX No need to do this before and after STARTTLS, but it's not a big deal
683 * if we do.
684 *
685 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as
686 * TLS messages. Thus, the TCP-level payload will be larger than the
687 * SMTP-level payload. This has implications for the PIPELINING engine.
688 *
689 * To avoid deadlock, the PIPELINING engine needs to request a TCP send
690 * buffer size that can hold the unacknowledged commands plus the TLS
691 * encapsulation overhead.
692 *
693 * The PIPELINING engine keeps the unacknowledged command size <= the
694 * default VSTREAM buffer size (to avoid small-write performance issues
695 * when the VSTREAM buffer size is at its default size). With a default
696 * VSTREAM buffer size of 4096 there is no reason to increase the
697 * unacknowledged command size as the TCP MSS increases. It's safer to
698 * spread the remote SMTP server's recipient processing load over time,
699 * than dumping a very large recipient list all at once.
700 *
701 * For TLS encapsulation overhead we make a conservative guess: take the
702 * current protocol overhead of ~40 bytes, double the number for future
703 * proofing (~80 bytes), then round up the result to the nearest power of
704 * 2 (128 bytes). Plus, be prepared for worst-case compression that
705 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS
706 * message becomes 15 kbytes.
707 */
708 #define PIPELINING_BUFSIZE VSTREAM_BUFSIZE
709 #ifdef USE_TLS
710 #define TLS_WORST_PAYLOAD 16384
711 #define TLS_WORST_COMP_OVERHD 1024
712 #define TLS_WORST_PROTO_OVERHD 128
713 #define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD)
714 #define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD)
715 #endif
716
717 if (session->features & SMTP_FEATURE_PIPELINING) {
718 SOCKOPT_SIZE optlen;
719 int tcp_bufsize;
720 int enc_overhead = 0;
721
722 optlen = sizeof(tcp_bufsize);
723 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET,
724 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0)
725 msg_fatal("%s: getsockopt: %m", myname);
726 #ifdef USE_TLS
727 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS)
728 enc_overhead +=
729 (1 + (PIPELINING_BUFSIZE - 1)
730 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD;
731 #endif
732 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) {
733 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead;
734 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET,
735 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0)
736 msg_fatal("%s: setsockopt: %m", myname);
737 }
738 if (msg_verbose)
739 msg_info("Using %s PIPELINING, TCP send buffer size is %d, "
740 "PIPELINING buffer size is %d",
741 smtp_mode ? "ESMTP" : "LMTP",
742 tcp_bufsize, PIPELINING_BUFSIZE);
743 }
744 #ifdef USE_TLS
745
746 /*
747 * Skip this part if we already sent STARTTLS.
748 */
749 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
750
751 /*
752 * Optionally log unused STARTTLS opportunities.
753 */
754 if ((session->features & SMTP_FEATURE_STARTTLS) &&
755 var_smtp_tls_note_starttls_offer &&
756 state->tls->level <= TLS_LEV_NONE)
757 msg_info("Host offered STARTTLS: [%s]", STR(iter->host));
758
759 /*
760 * Decide whether or not to send STARTTLS.
761 */
762 if ((session->features & SMTP_FEATURE_STARTTLS) != 0
763 && smtp_tls_ctx != 0 && state->tls->level >= TLS_LEV_MAY) {
764
765 /*
766 * Prepare for disaster.
767 */
768 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
769 var_smtp_req_deadline, 0);
770 if ((except = vstream_setjmp(state->session->stream)) != 0)
771 return (smtp_stream_except(state, except,
772 "receiving the STARTTLS response"));
773
774 /*
775 * Send STARTTLS. Recurse when the server accepts STARTTLS, after
776 * resetting the SASL and EHLO features lists.
777 *
778 * Reset the SASL mechanism list to avoid spurious warnings.
779 *
780 * Use the smtp_sasl_tls_security_options feature to allow SASL
781 * mechanisms that may not be allowed with plain-text
782 * connections.
783 */
784 smtp_chat_cmd(session, "STARTTLS");
785 if ((resp = smtp_chat_resp(session))->code / 100 == 2) {
786 #ifdef USE_SASL_AUTH
787 if (session->features & SMTP_FEATURE_AUTH)
788 smtp_sasl_cleanup(session);
789 #endif
790 session->features = saved_features;
791 /* XXX Mix-up of per-session and per-request flags. */
792 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
793 tls_helo_status = smtp_start_tls(state);
794 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
795 return (tls_helo_status);
796 }
797
798 /*
799 * Give up if we must use TLS but the server rejects STARTTLS
800 * although support for it was announced in the EHLO response.
801 */
802 session->features &= ~SMTP_FEATURE_STARTTLS;
803 if (TLS_REQUIRED(state->tls->level))
804 return (smtp_site_fail(state, STR(iter->host), resp,
805 "TLS is required, but host %s refused to start TLS: %s",
806 session->namaddr,
807 translit(resp->str, "\n", " ")));
808 /* Else try to continue in plain-text mode. */
809 }
810
811 /*
812 * Give up if we must use TLS but can't for various reasons.
813 *
814 * 200412 Be sure to provide the default clause at the bottom of this
815 * block. When TLS is required we must never, ever, end up in
816 * plain-text mode.
817 */
818 if (TLS_REQUIRED(state->tls->level)) {
819 if (!(session->features & SMTP_FEATURE_STARTTLS)) {
820 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
821 SMTP_RESP_FAKE(&fake, "4.7.4"),
822 "TLS is required, but was not offered by host %s",
823 session->namaddr));
824 } else if (smtp_tls_ctx == 0) {
825 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
826 SMTP_RESP_FAKE(&fake, "4.7.5"),
827 "TLS is required, but our TLS engine is unavailable"));
828 } else {
829 msg_warn("%s: TLS is required but unavailable, don't know why",
830 myname);
831 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
832 SMTP_RESP_FAKE(&fake, "4.7.0"),
833 "TLS is required, but unavailable"));
834 }
835 }
836 }
837 #endif
838 #ifdef USE_SASL_AUTH
839 if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH))
840 return (smtp_sasl_helo_login(state));
841 #endif
842
843 return (0);
844 }
845
846 #ifdef USE_TLS
847
848 /* smtp_start_tls - turn on TLS and recurse into the HELO dialog */
849
smtp_start_tls(SMTP_STATE * state)850 static int smtp_start_tls(SMTP_STATE *state)
851 {
852 SMTP_SESSION *session = state->session;
853 SMTP_ITERATOR *iter = state->iterator;
854 TLS_CLIENT_START_PROPS start_props;
855 VSTRING *serverid;
856 SMTP_RESP fake;
857 TLS_CLIENT_INIT_PROPS init_props;
858 VSTREAM *tlsproxy;
859 VSTRING *port_buf;
860
861 /*
862 * When the TLS handshake succeeds, we can reuse a connection only if TLS
863 * remains turned on for the lifetime of that connection. This requires
864 * that the TLS library state is maintained in some proxy process, for
865 * example, in tlsproxy(8). We then store the proxy file handle in the
866 * connection cache, and reuse that file handle.
867 *
868 * Otherwise, we must turn off connection caching. We can't turn off TLS in
869 * one SMTP client process, save the open connection to a cache which is
870 * shared with all SMTP clients, migrate the connection to another SMTP
871 * client, and resume TLS there. When the TLS handshake fails, we can't
872 * reuse the SMTP connection either, because the conversation is in an
873 * unknown state.
874 */
875 if (state->tls->conn_reuse == 0)
876 DONT_CACHE_THIS_SESSION;
877
878 /*
879 * The following assumes sites that use TLS in a perverse configuration:
880 * multiple hosts per hostname, or even multiple hosts per IP address.
881 * All this without a shared TLS session cache, and they still want to
882 * use TLS session caching???
883 *
884 * The TLS session cache records the trust chain verification status of
885 * cached sessions. Different transports may have different CAfile or
886 * CApath settings, perhaps to allow authenticated connections to sites
887 * with private CA certs without trusting said private certs for other
888 * sites. So we cannot assume that a trust chain valid for one transport
889 * is valid for another. Therefore the client session id must include
890 * either the transport name or the values of CAfile and CApath. We use
891 * the transport name.
892 *
893 * XXX: We store only one session per lookup key. Ideally the key maps
894 * 1-to-1 to a server TLS session cache. We use the IP address, port and
895 * ehlo response name to build a lookup key that works for split caches
896 * (that announce distinct names) behind a load balancer.
897 *
898 * XXX: The TLS library will salt the serverid with further details of the
899 * protocol and cipher requirements including the server ehlo response.
900 * Deferring the helo to the digested suffix results in more predictable
901 * SSL session lookup key lengths.
902 */
903 serverid = vstring_alloc(10);
904 smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE
905 | SMTP_KEY_FLAG_CUR_NEXTHOP /* With port */
906 | SMTP_KEY_FLAG_HOSTNAME
907 | SMTP_KEY_FLAG_ADDR);
908
909 if (state->tls->conn_reuse) {
910 TLS_CLIENT_PARAMS tls_params;
911
912 /*
913 * Send all our wishes in one big request.
914 */
915 TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
916 log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
917 log_level = var_smtp_tls_loglevel,
918 verifydepth = var_smtp_tls_scert_vd,
919 cache_type
920 = LMTP_SMTP_SUFFIX(TLS_MGR_SCACHE),
921 chain_files = var_smtp_tls_chain_files,
922 cert_file = var_smtp_tls_cert_file,
923 key_file = var_smtp_tls_key_file,
924 dcert_file = var_smtp_tls_dcert_file,
925 dkey_file = var_smtp_tls_dkey_file,
926 eccert_file = var_smtp_tls_eccert_file,
927 eckey_file = var_smtp_tls_eckey_file,
928 CAfile = var_smtp_tls_CAfile,
929 CApath = var_smtp_tls_CApath,
930 mdalg = var_smtp_tls_fpt_dgst);
931 TLS_PROXY_CLIENT_START_PROPS(&start_props,
932 timeout = var_smtp_starttls_tmout,
933 tls_level = state->tls->level,
934 nexthop = session->tls_nexthop,
935 host = STR(iter->host),
936 namaddr = session->namaddrport,
937 sni = state->tls->sni,
938 serverid = vstring_str(serverid),
939 helo = session->helo,
940 protocols = state->tls->protocols,
941 cipher_grade = state->tls->grade,
942 cipher_exclusions
943 = vstring_str(state->tls->exclusions),
944 matchargv = state->tls->matchargv,
945 mdalg = var_smtp_tls_fpt_dgst,
946 dane = state->tls->dane);
947
948 /*
949 * The tlsproxy(8) server enforces timeouts that are larger than
950 * those specified by the tlsproxy(8) client. These timeouts are a
951 * safety net for the case that the tlsproxy(8) client fails to
952 * enforce time limits. Normally, the tlsproxy(8) client would time
953 * out and trigger a plaintext event in the tlsproxy(8) server, and
954 * cause it to tear down the session.
955 *
956 * However, the tlsproxy(8) server has no insight into the SMTP
957 * protocol, and therefore it cannot by itself support different
958 * timeouts at different SMTP protocol stages. Instead, we specify
959 * the largest timeout (end-of-data) and rely on the SMTP client to
960 * time out first, which normally results in a plaintext event in the
961 * tlsproxy(8) server. Unfortunately, we cannot permit plaintext
962 * events during the TLS handshake, so we specify a separate timeout
963 * for that stage (the end-of-data timeout would be unreasonably
964 * large anyway).
965 */
966 #define PROXY_OPEN_FLAGS \
967 (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)
968
969 port_buf = vstring_alloc(100); /* minimize fragmentation */
970 vstring_sprintf(port_buf, "%d", ntohs(iter->port));
971 tlsproxy =
972 tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS,
973 session->stream, STR(iter->addr),
974 STR(port_buf), var_smtp_starttls_tmout,
975 var_smtp_data2_tmout, state->service,
976 tls_proxy_client_param_from_config(&tls_params),
977 &init_props, &start_props);
978 vstring_free(port_buf);
979
980 /*
981 * To insert tlsproxy(8) between this process and the remote SMTP
982 * server, we swap the file descriptors between the tlsproxy and
983 * session->stream VSTREAMS, so that we don't lose all the
984 * user-configurable session->stream attributes (such as longjump
985 * buffers or timeouts).
986 *
987 * TODO: the tlsproxy RPCs should return more error detail than a "NO"
988 * result. OTOH, the in-process TLS engine does not return such info
989 * either.
990 *
991 * If the tlsproxy request fails we do not fall back to the in-process
992 * TLS stack. Reason: the admin enabled connection reuse to respect
993 * receiver policy; silently violating such policy would not be
994 * useful.
995 *
996 * We also don't fall back to the in-process TLS stack under low-traffic
997 * conditions, to avoid frustrating attempts to debug a problem with
998 * using the tlsproxy(8) service.
999 */
1000 if (tlsproxy == 0) {
1001 session->tls_context = 0;
1002 } else {
1003 vstream_control(tlsproxy,
1004 CA_VSTREAM_CTL_DOUBLE,
1005 CA_VSTREAM_CTL_END);
1006 vstream_control(session->stream,
1007 CA_VSTREAM_CTL_SWAP_FD(tlsproxy),
1008 CA_VSTREAM_CTL_END);
1009 (void) vstream_fclose(tlsproxy); /* direct-to-server stream! */
1010
1011 /*
1012 * There must not be any pending data in the stream buffers
1013 * before we read the TLS context attributes.
1014 */
1015 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
1016
1017 /*
1018 * After plumbing the plaintext stream, receive the TLS context
1019 * object. For this we use the same VSTREAM buffer that we also
1020 * use to receive subsequent SMTP commands, therefore we must be
1021 * prepared for the possibility that the remote SMTP server
1022 * starts talking immediately. The tlsproxy implementation sends
1023 * the TLS context before remote content. The attribute protocol
1024 * is robust enough that an adversary cannot insert their own TLS
1025 * context attributes.
1026 */
1027 session->tls_context = tls_proxy_context_receive(session->stream);
1028 if (session->tls_context) {
1029 session->features |= SMTP_FEATURE_FROM_PROXY;
1030 tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW,
1031 session->tls_context);
1032 }
1033 }
1034 } else { /* state->tls->conn_reuse */
1035
1036 /*
1037 * As of Postfix 2.5, tls_client_start() tries hard to always
1038 * complete the TLS handshake. It records the verification and match
1039 * status in the resulting TLScontext. It is now up to the
1040 * application to abort the TLS connection if it chooses.
1041 *
1042 * XXX When tls_client_start() fails then we don't know what state the
1043 * SMTP connection is in, so we give up on this connection even if we
1044 * are not required to use TLS.
1045 *
1046 * Large parameter lists are error-prone, so we emulate a language
1047 * feature that C does not have natively: named parameter lists.
1048 */
1049 session->tls_context =
1050 TLS_CLIENT_START(&start_props,
1051 ctx = smtp_tls_ctx,
1052 stream = session->stream,
1053 fd = -1,
1054 timeout = var_smtp_starttls_tmout,
1055 tls_level = state->tls->level,
1056 nexthop = session->tls_nexthop,
1057 host = STR(iter->host),
1058 namaddr = session->namaddrport,
1059 sni = state->tls->sni,
1060 serverid = vstring_str(serverid),
1061 helo = session->helo,
1062 protocols = state->tls->protocols,
1063 cipher_grade = state->tls->grade,
1064 cipher_exclusions
1065 = vstring_str(state->tls->exclusions),
1066 matchargv = state->tls->matchargv,
1067 mdalg = var_smtp_tls_fpt_dgst,
1068 dane = state->tls->dane);
1069
1070 /*
1071 * At this point there must not be any pending data in the stream
1072 * buffers.
1073 */
1074 vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
1075 } /* state->tls->conn_reuse */
1076
1077 vstring_free(serverid);
1078
1079 if (session->tls_context == 0) {
1080
1081 /*
1082 * We must avoid further I/O, the peer is in an undefined state.
1083 */
1084 DONT_USE_FORBIDDEN_SESSION;
1085
1086 /*
1087 * If TLS is optional, try delivery to the same server over a
1088 * plaintext connection. Otherwise we would defer mail forever with
1089 * destinations that have no alternate MX host.
1090 *
1091 * Don't fall back to plaintext if we were willing to use SASL-over-TLS
1092 * authentication. If the server doesn't announce SASL support over
1093 * plaintext connections, then we don't want delivery to fail with
1094 * "relay access denied".
1095 *
1096 * If TLS is opportunistic, don't throttle the destination, otherwise if
1097 * the mail is volume is high enough we may have difficulty ever
1098 * draining even the deferred mail, as new mail provides a constant
1099 * stream of negative feedback.
1100 */
1101 if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE)
1102 RETRY_AS_PLAINTEXT;
1103 return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ?
1104 SMTP_NOTHROTTLE : SMTP_THROTTLE,
1105 DSN_BY_LOCAL_MTA,
1106 SMTP_RESP_FAKE(&fake, "4.7.5"),
1107 "Cannot start TLS: handshake failure"));
1108 }
1109
1110 /*
1111 * If we are verifying the server certificate and are not happy with the
1112 * result, abort the delivery here. We have a usable TLS session with the
1113 * server, so no need to disable I/O, ... we can even be polite and send
1114 * "QUIT".
1115 *
1116 * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require
1117 * matching.
1118 *
1119 * NOTE: We use "IS_MATCHED" to satisfy policy, but "IS_SECURED" to log
1120 * effective security. Thus "half-dane" is never "Verified" only
1121 * "Trusted", but matching is enforced here.
1122 *
1123 * NOTE: When none of the TLSA records were usable, "dane" and "half-dane"
1124 * fall back to "encrypt", updating the tls_context level accordingly, so
1125 * we must check that here, and not state->tls->level.
1126 */
1127 if (TLS_MUST_MATCH(session->tls_context->level))
1128 if (!TLS_CERT_IS_MATCHED(session->tls_context))
1129 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
1130 SMTP_RESP_FAKE(&fake, "4.7.5"),
1131 "Server certificate not verified"));
1132
1133 /*
1134 * At this point we have to re-negotiate the "EHLO" to reget the
1135 * feature-list.
1136 */
1137 return (smtp_helo(state));
1138 }
1139
1140 #endif
1141
1142 /* smtp_hbc_logger - logging call-back for header/body checks */
1143
smtp_hbc_logger(void * context,const char * action,const char * where,const char * content,const char * text)1144 static void smtp_hbc_logger(void *context, const char *action,
1145 const char *where, const char *content,
1146 const char *text)
1147 {
1148 const SMTP_STATE *state = (SMTP_STATE *) context;
1149
1150 if (*text) {
1151 msg_info("%s: %s: %s %.60s: %s",
1152 state->request->queue_id, action, where, content, text);
1153 } else {
1154 msg_info("%s: %s: %s %.60s",
1155 state->request->queue_id, action, where, content);
1156 }
1157 }
1158
1159 /* smtp_text_out - output one header/body record */
1160
smtp_text_out(void * context,int rec_type,const char * text,ssize_t len,off_t unused_offset)1161 static void smtp_text_out(void *context, int rec_type,
1162 const char *text, ssize_t len,
1163 off_t unused_offset)
1164 {
1165 SMTP_STATE *state = (SMTP_STATE *) context;
1166 SMTP_SESSION *session = state->session;
1167 ssize_t data_left;
1168 const char *data_start;
1169
1170 /*
1171 * Deal with an impedance mismatch between Postfix queue files (record
1172 * length <= $message_line_length_limit) and SMTP (DATA record length <=
1173 * $smtp_line_length_limit). The code below does a little too much work
1174 * when the SMTP line length limit is disabled, but it avoids code
1175 * duplication, and thus, it avoids testing and maintenance problems.
1176 */
1177 data_left = len;
1178 data_start = text;
1179 do {
1180 if (state->space_left == var_smtp_line_limit
1181 && data_left > 0 && *data_start == '.')
1182 smtp_fputc('.', session->stream);
1183 if (ENFORCING_SIZE_LIMIT(var_smtp_line_limit)
1184 && data_left >= state->space_left) {
1185 smtp_fputs(data_start, state->space_left, session->stream);
1186 data_start += state->space_left;
1187 data_left -= state->space_left;
1188 state->space_left = var_smtp_line_limit;
1189 if (data_left > 0 || rec_type == REC_TYPE_CONT) {
1190 smtp_fputc(' ', session->stream);
1191 state->space_left -= 1;
1192
1193 /*
1194 * XXX This can insert a line break into the middle of a
1195 * multi-byte character (not necessarily UTF-8). Note that
1196 * multibyte characters can span queue file records, for
1197 * example if line_length_limit == smtp_line_length_limit.
1198 */
1199 if (state->logged_line_length_limit == 0) {
1200 msg_info("%s: breaking line > %d bytes with <CR><LF>SPACE",
1201 state->request->queue_id, var_smtp_line_limit);
1202 state->logged_line_length_limit = 1;
1203 }
1204 }
1205 } else {
1206 if (rec_type == REC_TYPE_CONT) {
1207 smtp_fwrite(data_start, data_left, session->stream);
1208 state->space_left -= data_left;
1209 } else {
1210 smtp_fputs(data_start, data_left, session->stream);
1211 state->space_left = var_smtp_line_limit;
1212 }
1213 break;
1214 }
1215 } while (data_left > 0);
1216 }
1217
1218 /* smtp_format_out - output one header/body record */
1219
1220 static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...);
1221
smtp_format_out(void * context,int rec_type,const char * fmt,...)1222 static void smtp_format_out(void *context, int rec_type, const char *fmt,...)
1223 {
1224 static VSTRING *vp;
1225 va_list ap;
1226
1227 if (vp == 0)
1228 vp = vstring_alloc(100);
1229 va_start(ap, fmt);
1230 vstring_vsprintf(vp, fmt, ap);
1231 va_end(ap);
1232 smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0);
1233 }
1234
1235 /* smtp_header_out - output one message header */
1236
smtp_header_out(void * context,int unused_header_class,const HEADER_OPTS * unused_info,VSTRING * buf,off_t offset)1237 static void smtp_header_out(void *context, int unused_header_class,
1238 const HEADER_OPTS *unused_info,
1239 VSTRING *buf, off_t offset)
1240 {
1241 char *start = vstring_str(buf);
1242 char *line;
1243 char *next_line;
1244
1245 /*
1246 * This code destroys the header. We could try to avoid clobbering it,
1247 * but we're not going to use the data any further.
1248 */
1249 for (line = start; line; line = next_line) {
1250 next_line = split_at(line, '\n');
1251 smtp_text_out(context, REC_TYPE_NORM, line, next_line ?
1252 next_line - line - 1 : strlen(line), offset);
1253 }
1254 }
1255
1256 /* smtp_header_rewrite - rewrite message header before output */
1257
smtp_header_rewrite(void * context,int header_class,const HEADER_OPTS * header_info,VSTRING * buf,off_t offset)1258 static void smtp_header_rewrite(void *context, int header_class,
1259 const HEADER_OPTS *header_info,
1260 VSTRING *buf, off_t offset)
1261 {
1262 SMTP_STATE *state = (SMTP_STATE *) context;
1263 int did_rewrite = 0;
1264 char *line;
1265 char *start;
1266 char *next_line;
1267 char *end_line;
1268 char *result;
1269
1270 /*
1271 * Apply optional header filtering.
1272 */
1273 if (smtp_header_checks) {
1274 result = hbc_header_checks(context, smtp_header_checks, header_class,
1275 header_info, buf, offset);
1276 if (result == 0)
1277 return;
1278 if (result == HBC_CHECKS_STAT_ERROR) {
1279 msg_warn("%s: smtp header checks lookup error",
1280 state->request->queue_id);
1281 vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
1282 }
1283 if (result != STR(buf)) {
1284 vstring_strcpy(buf, result);
1285 myfree(result);
1286 }
1287 }
1288
1289 /*
1290 * Rewrite primary header addresses that match the smtp_generic_maps. The
1291 * cleanup server already enforces that all headers have proper lengths
1292 * and that all addresses are in proper form, so we don't have to repeat
1293 * that.
1294 */
1295 if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY
1296 && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) {
1297 TOK822 *tree;
1298 TOK822 **addr_list;
1299 TOK822 **tpp;
1300
1301 tree = tok822_parse(vstring_str(buf)
1302 + strlen(header_info->name) + 1);
1303 addr_list = tok822_grep(tree, TOK822_ADDR);
1304 for (tpp = addr_list; *tpp; tpp++)
1305 did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps,
1306 smtp_ext_prop_mask & EXT_PROP_GENERIC);
1307 if (did_rewrite) {
1308 vstring_truncate(buf, strlen(header_info->name));
1309 vstring_strcat(buf, ": ");
1310 tok822_externalize(buf, tree, TOK822_STR_HEAD);
1311 }
1312 myfree((void *) addr_list);
1313 tok822_free_tree(tree);
1314 }
1315
1316 /*
1317 * Pass through unmodified headers without reconstruction.
1318 */
1319 if (did_rewrite == 0) {
1320 smtp_header_out(context, header_class, header_info, buf, offset);
1321 return;
1322 }
1323
1324 /*
1325 * A rewritten address list contains one address per line. The code below
1326 * replaces newlines by spaces, to fit as many addresses on a line as
1327 * possible (without rearranging the order of addresses). Prepending
1328 * white space to the beginning of lines is delegated to the output
1329 * routine.
1330 *
1331 * Code derived from cleanup_fold_header().
1332 */
1333 for (line = start = vstring_str(buf); line != 0; line = next_line) {
1334 end_line = line + strcspn(line, "\n");
1335 if (line > start) {
1336 if (end_line - start < 70) { /* TAB counts as one */
1337 line[-1] = ' ';
1338 } else {
1339 start = line;
1340 }
1341 }
1342 next_line = *end_line ? end_line + 1 : 0;
1343 }
1344
1345 /*
1346 * Prepend a tab to continued header lines that went through the address
1347 * rewriting machinery. Just like smtp_header_out(), this code destroys
1348 * the header. We could try to avoid clobbering it, but we're not going
1349 * to use the data any further.
1350 *
1351 * Code derived from cleanup_out_header().
1352 */
1353 for (line = start = vstring_str(buf); line != 0; line = next_line) {
1354 next_line = split_at(line, '\n');
1355 if (line == start || IS_SPACE_TAB(*line)) {
1356 smtp_text_out(state, REC_TYPE_NORM, line, next_line ?
1357 next_line - line - 1 : strlen(line), offset);
1358 } else {
1359 smtp_format_out(state, REC_TYPE_NORM, "\t%s", line);
1360 }
1361 }
1362 }
1363
1364 /* smtp_body_rewrite - rewrite message body before output */
1365
smtp_body_rewrite(void * context,int type,const char * buf,ssize_t len,off_t offset)1366 static void smtp_body_rewrite(void *context, int type,
1367 const char *buf, ssize_t len,
1368 off_t offset)
1369 {
1370 SMTP_STATE *state = (SMTP_STATE *) context;
1371 char *result;
1372
1373 /*
1374 * Apply optional body filtering.
1375 */
1376 if (smtp_body_checks) {
1377 result = hbc_body_checks(context, smtp_body_checks, buf, len, offset);
1378 if (result == buf) {
1379 smtp_text_out(state, type, buf, len, offset);
1380 } else if (result == HBC_CHECKS_STAT_ERROR) {
1381 msg_warn("%s: smtp body checks lookup error",
1382 state->request->queue_id);
1383 vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
1384 } else if (result != 0) {
1385 smtp_text_out(state, type, result, strlen(result), offset);
1386 myfree(result);
1387 }
1388 }
1389 }
1390
1391 /* smtp_mime_fail - MIME problem */
1392
smtp_mime_fail(SMTP_STATE * state,int mime_errs)1393 static void smtp_mime_fail(SMTP_STATE *state, int mime_errs)
1394 {
1395 const MIME_STATE_DETAIL *detail;
1396 SMTP_RESP fake;
1397
1398 detail = mime_state_detail(mime_errs);
1399 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
1400 SMTP_RESP_FAKE(&fake, detail->dsn),
1401 "%s", detail->text);
1402 }
1403
1404 /* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */
1405
smtp_out_raw_or_mime(SMTP_STATE * state,int rec_type,VSTRING * buf)1406 static int smtp_out_raw_or_mime(SMTP_STATE *state, int rec_type, VSTRING *buf)
1407 {
1408 SMTP_SESSION *session = state->session;
1409 int mime_errs;
1410
1411 if (session->mime_state == 0) {
1412 smtp_text_out((void *) state, rec_type, vstring_str(buf),
1413 VSTRING_LEN(buf), (off_t) 0);
1414 } else {
1415 mime_errs =
1416 mime_state_update(session->mime_state, rec_type,
1417 vstring_str(buf), VSTRING_LEN(buf));
1418 if (mime_errs) {
1419 smtp_mime_fail(state, mime_errs);
1420 return (-1);
1421 }
1422 }
1423 return (0);
1424 }
1425
1426 /* smtp_out_add_header - format address header, uses session->scratch* */
1427
smtp_out_add_header(SMTP_STATE * state,const char * label,const char * lt,const char * addr,const char * gt)1428 static int smtp_out_add_header(SMTP_STATE *state, const char *label,
1429 const char *lt, const char *addr,
1430 const char *gt)
1431 {
1432 SMTP_SESSION *session = state->session;
1433
1434 smtp_rewrite_generic_internal(session->scratch2, addr);
1435 vstring_sprintf(session->scratch, "%s: %s", label, lt);
1436 smtp_quote_822_address_flags(session->scratch,
1437 vstring_str(session->scratch2),
1438 QUOTE_FLAG_DEFAULT | QUOTE_FLAG_APPEND);
1439 vstring_strcat(session->scratch, gt);
1440 return (smtp_out_raw_or_mime(state, REC_TYPE_NORM, session->scratch));
1441 }
1442
1443 /* smtp_out_add_headers - output additional headers, uses session->scratch* */
1444
smtp_out_add_headers(SMTP_STATE * state)1445 static int smtp_out_add_headers(SMTP_STATE *state)
1446 {
1447 /* Prepend headers in the same order as mail_copy.c. */
1448 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_RETURN_PATH)
1449 if (smtp_out_add_header(state, "Return-Path", "<",
1450 state->request->sender, ">") < 0)
1451 return (-1);
1452 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_ORIG_RCPT)
1453 if (smtp_out_add_header(state, "X-Original-To", "",
1454 state->request->rcpt_list.info->orig_addr, "") < 0)
1455 return (-1);
1456 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_DELIVERED_TO)
1457 if (smtp_out_add_header(state, "Delivered-To", "",
1458 state->request->rcpt_list.info->address, "") < 0)
1459 return (-1);
1460 return (0);
1461 }
1462
1463 /* smtp_loop - exercise the SMTP protocol engine */
1464
smtp_loop(SMTP_STATE * state,NOCLOBBER int send_state,NOCLOBBER int recv_state)1465 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
1466 NOCLOBBER int recv_state)
1467 {
1468 const char *myname = "smtp_loop";
1469 DELIVER_REQUEST *request = state->request;
1470 SMTP_SESSION *session = state->session;
1471 SMTP_ITERATOR *iter = state->iterator;
1472 SMTP_RESP *resp;
1473 RECIPIENT *rcpt;
1474 VSTRING *next_command = vstring_alloc(100);
1475 int *NOCLOBBER survivors = 0;
1476 NOCLOBBER int next_state;
1477 NOCLOBBER int next_rcpt;
1478 NOCLOBBER int send_rcpt;
1479 NOCLOBBER int recv_rcpt;
1480 NOCLOBBER int nrcpt;
1481 NOCLOBBER int recv_done;
1482 int except;
1483 int rec_type;
1484 NOCLOBBER int prev_type = 0;
1485 NOCLOBBER int mail_from_rejected;
1486 NOCLOBBER int downgrading;
1487 int mime_errs;
1488 SMTP_RESP fake;
1489 int fail_status;
1490
1491 /* Caution: changes to RETURN() also affect code outside the main loop. */
1492
1493 #define RETURN(x) do { \
1494 if (recv_state != SMTP_STATE_LAST) \
1495 DONT_CACHE_THIS_SESSION; \
1496 vstring_free(next_command); \
1497 if (survivors) \
1498 myfree((void *) survivors); \
1499 if (session->mime_state) \
1500 session->mime_state = mime_state_free(session->mime_state); \
1501 return (x); \
1502 } while (0)
1503
1504 #define SENDER_IS_AHEAD \
1505 (recv_state < send_state || recv_rcpt != send_rcpt)
1506
1507 #define SENDER_IN_WAIT_STATE \
1508 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST)
1509
1510 #define SENDING_MAIL \
1511 (recv_state <= SMTP_STATE_DOT)
1512
1513 #define CANT_RSET_THIS_SESSION \
1514 (session->features |= SMTP_FEATURE_RSET_REJECTED)
1515
1516 /*
1517 * Pipelining support requires two loops: one loop for sending and one
1518 * for receiving. Each loop has its own independent state. Most of the
1519 * time the sender can run ahead of the receiver by as much as the TCP
1520 * send buffer permits. There are only two places where the sender must
1521 * wait for status information from the receiver: once after sending DATA
1522 * and once after sending QUIT.
1523 *
1524 * The sender state advances until the TCP send buffer would overflow, or
1525 * until the sender needs status information from the receiver. At that
1526 * point the receiver starts processing responses. Once the receiver has
1527 * caught up with the sender, the sender resumes sending commands. If the
1528 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO
1529 * commands rejected, DATA rejected) it forces the sender to abort the
1530 * SMTP dialog with RSET and QUIT.
1531 */
1532 nrcpt = 0;
1533 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0;
1534 mail_from_rejected = 0;
1535
1536 /*
1537 * Prepare for disaster. This should not be needed because the design
1538 * guarantees that no output is flushed before smtp_chat_resp() is
1539 * called.
1540 *
1541 * 1) Every SMTP command fits entirely in a VSTREAM output buffer.
1542 *
1543 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that
1544 * there is sufficient space for the command in the output buffer.
1545 *
1546 * 3) smtp_loop() flushes the output buffer to avoid server timeouts.
1547 *
1548 * Changing any of these would violate the design, and would likely break
1549 * SMTP pipelining.
1550 *
1551 * We set up the error handler anyway (only upon entry to avoid wasting
1552 * resources) because 1) there is code below that expects that VSTREAM
1553 * timeouts are enabled, and 2) this allows us to detect if someone broke
1554 * Postfix by introducing spurious flush before read operations.
1555 */
1556 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR
1557 || send_state > SMTP_STATE_QUIT)
1558 msg_panic("%s: bad sender state %d (receiver state %d)",
1559 myname, send_state, recv_state);
1560 smtp_stream_setup(session->stream, *xfer_timeouts[send_state],
1561 var_smtp_req_deadline, 0);
1562 if ((except = vstream_setjmp(session->stream)) != 0) {
1563 msg_warn("smtp_proto: spurious flush before read in send state %d",
1564 send_state);
1565 RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
1566 xfer_states[send_state]) : -1);
1567 }
1568
1569 /*
1570 * The main protocol loop.
1571 */
1572 do {
1573
1574 /*
1575 * Build the next command.
1576 */
1577 switch (send_state) {
1578
1579 /*
1580 * Sanity check.
1581 */
1582 default:
1583 msg_panic("%s: bad sender state %d", myname, send_state);
1584
1585 /*
1586 * Build the XFORWARD command. With properly sanitized
1587 * information, the command length stays within the 512 byte
1588 * command line length limit.
1589 *
1590 * XXX smtpd_xforward_preset() initializes some fields as "unknown"
1591 * and some as null; historically, pickup(8) does not send any of
1592 * these, and the queue manager presets absent fields to "not
1593 * available" except for the rewrite context which is preset to
1594 * local by way of migration aid. These definitions need to be
1595 * centralized for maintainability.
1596 */
1597 #ifndef CAN_FORWARD_CLIENT_NAME
1598 #define _ATTR_AVAIL_AND_KNOWN_(val) \
1599 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown"))
1600 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_
1601 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_
1602 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_
1603 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_
1604 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL
1605 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL
1606 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL
1607 #endif
1608
1609 case SMTP_STATE_XFORWARD_NAME_ADDR:
1610 vstring_strcpy(next_command, XFORWARD_CMD);
1611 if ((session->features & SMTP_FEATURE_XFORWARD_NAME)
1612 && CAN_FORWARD_CLIENT_NAME(request->client_name)) {
1613 vstring_strcat(next_command, " " XFORWARD_NAME "=");
1614 xtext_quote_append(next_command, request->client_name, "");
1615 }
1616 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
1617 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) {
1618 vstring_strcat(next_command, " " XFORWARD_ADDR "=");
1619 xtext_quote_append(next_command, request->client_addr, "");
1620 }
1621 if ((session->features & SMTP_FEATURE_XFORWARD_PORT)
1622 && CAN_FORWARD_CLIENT_PORT(request->client_port)) {
1623 vstring_strcat(next_command, " " XFORWARD_PORT "=");
1624 xtext_quote_append(next_command, request->client_port, "");
1625 }
1626 if (session->send_proto_helo)
1627 next_state = SMTP_STATE_XFORWARD_PROTO_HELO;
1628 else
1629 next_state = SMTP_STATE_MAIL;
1630 break;
1631
1632 case SMTP_STATE_XFORWARD_PROTO_HELO:
1633 vstring_strcpy(next_command, XFORWARD_CMD);
1634 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
1635 && CAN_FORWARD_PROTO_NAME(request->client_proto)) {
1636 vstring_strcat(next_command, " " XFORWARD_PROTO "=");
1637 xtext_quote_append(next_command, request->client_proto, "");
1638 }
1639 if ((session->features & SMTP_FEATURE_XFORWARD_HELO)
1640 && CAN_FORWARD_HELO_NAME(request->client_helo)) {
1641 vstring_strcat(next_command, " " XFORWARD_HELO "=");
1642 xtext_quote_append(next_command, request->client_helo, "");
1643 }
1644 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
1645 && CAN_FORWARD_IDENT_NAME(request->log_ident)) {
1646 vstring_strcat(next_command, " " XFORWARD_IDENT "=");
1647 xtext_quote_append(next_command, request->log_ident, "");
1648 }
1649 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
1650 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) {
1651 vstring_strcat(next_command, " " XFORWARD_DOMAIN "=");
1652 xtext_quote_append(next_command,
1653 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ?
1654 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, "");
1655 }
1656 next_state = SMTP_STATE_MAIL;
1657 break;
1658
1659 /*
1660 * Build the MAIL FROM command.
1661 */
1662 case SMTP_STATE_MAIL:
1663 request->msg_stats.reuse_count = session->reuse_count;
1664 GETTIMEOFDAY(&request->msg_stats.conn_setup_done);
1665 smtp_rewrite_generic_internal(session->scratch2, request->sender);
1666 smtp_quote_821_address(session->scratch,
1667 vstring_str(session->scratch2));
1668 vstring_sprintf(next_command, "MAIL FROM:<%s>",
1669 vstring_str(session->scratch));
1670 /* XXX Don't announce SIZE if we're going to MIME downgrade. */
1671 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */
1672 && !SMTP_MIME_DOWNGRADE(session, request))
1673 vstring_sprintf_append(next_command, " SIZE=%lu",
1674 request->data_size);
1675 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */
1676 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0)
1677 vstring_strcat(next_command, " BODY=8BITMIME");
1678 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0)
1679 vstring_strcat(next_command, " BODY=7BIT");
1680 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0)
1681 msg_warn("%s: unknown content encoding: %s",
1682 request->queue_id, request->encoding);
1683 }
1684 if (session->features & SMTP_FEATURE_DSN) {
1685 if (request->dsn_envid[0]) {
1686 vstring_sprintf_append(next_command, " ENVID=");
1687 xtext_quote_append(next_command, request->dsn_envid, "+=");
1688 }
1689 if (request->dsn_ret)
1690 vstring_sprintf_append(next_command, " RET=%s",
1691 dsn_ret_str(request->dsn_ret));
1692 }
1693
1694 /*
1695 * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8
1696 * and the sender requested SMTPUTF8 support.
1697 *
1698 * If the sender requested SMTPUTF8 but the remote SMTP server does
1699 * not support SMTPUTF8, then we have already determined earlier
1700 * that delivering this message without SMTPUTF8 will not break
1701 * the SMTPUTF8 promise that was made to the sender.
1702 */
1703 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
1704 && (request->smtputf8 & SMTPUTF8_FLAG_REQUESTED) != 0)
1705 vstring_strcat(next_command, " SMTPUTF8");
1706
1707 /*
1708 * We authenticate the local MTA only, but not the sender.
1709 */
1710 #ifdef USE_SASL_AUTH
1711 if (var_smtp_sasl_enable
1712 && var_smtp_dummy_mail_auth
1713 && (session->features & SMTP_FEATURE_AUTH))
1714 vstring_strcat(next_command, " AUTH=<>");
1715 #endif
1716
1717 /*
1718 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail
1719 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA
1720 * commands to our TLS session.
1721 *
1722 * For the attack to succeed, the remote SMTP server must reply to
1723 * the malicious EHLO/MAIL/RCPT/DATA commands after completing
1724 * TLS (re)negotiation, so that the replies arrive in our TLS
1725 * session (otherwise the Postfix SMTP client would time out
1726 * waiting for an answer). With some luck we can detect this
1727 * specific attack as a server MAIL reply that arrives before we
1728 * send our own MAIL command.
1729 *
1730 * We don't apply this test to the HELO command because the result
1731 * would be very timing sensitive, and we don't apply this test
1732 * to RCPT and DATA replies because these may be pipelined for
1733 * legitimate reasons.
1734 */
1735 #ifdef USE_TLS
1736 if (var_smtp_tls_blk_early_mail_reply
1737 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
1738 && (vstream_peek(session->stream) > 0
1739 || peekfd(vstream_fileno(session->stream)) > 0))
1740 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY;
1741 #endif
1742
1743 /*
1744 * We now return to our regular broadcast.
1745 */
1746 next_state = SMTP_STATE_RCPT;
1747 break;
1748
1749 /*
1750 * Build one RCPT TO command before we have seen the MAIL FROM
1751 * response.
1752 */
1753 case SMTP_STATE_RCPT:
1754 rcpt = request->rcpt_list.info + send_rcpt;
1755 smtp_rewrite_generic_internal(session->scratch2, rcpt->address);
1756 smtp_quote_821_address(session->scratch,
1757 vstring_str(session->scratch2));
1758 vstring_sprintf(next_command, "RCPT TO:<%s>",
1759 vstring_str(session->scratch));
1760 if (session->features & SMTP_FEATURE_DSN) {
1761 /* XXX DSN xtext encode address value not type. */
1762 const char *orcpt_type_addr = rcpt->dsn_orcpt;
1763
1764 /* Fix 20140706: don't use empty rcpt->orig_addr. */
1765 if (orcpt_type_addr[0] == 0 && rcpt->orig_addr[0] != 0) {
1766 quote_822_local(session->scratch, rcpt->orig_addr);
1767 vstring_sprintf(session->scratch2, "%s;%s",
1768 /* Fix 20140707: sender must request SMTPUTF8. */
1769 (request->smtputf8 != 0
1770 && !allascii(vstring_str(session->scratch))) ?
1771 "utf-8" : "rfc822",
1772 vstring_str(session->scratch));
1773 orcpt_type_addr = vstring_str(session->scratch2);
1774 }
1775 if (orcpt_type_addr[0] != 0) {
1776 /* Fix 20140706: don't send unquoted ORCPT. */
1777 /* Fix 20140707: quoting method must match orcpt type. */
1778 /* Fix 20140707: handle uxtext encoder errors. */
1779 if (strncasecmp(orcpt_type_addr, "utf-8;", 6) == 0) {
1780 if (uxtext_quote(session->scratch,
1781 orcpt_type_addr, "+=") != 0)
1782 vstring_sprintf_append(next_command, " ORCPT=%s",
1783 vstring_str(session->scratch));
1784 } else {
1785 xtext_quote(session->scratch, orcpt_type_addr, "=");
1786 vstring_sprintf_append(next_command, " ORCPT=%s",
1787 vstring_str(session->scratch));
1788 }
1789 }
1790 if (rcpt->dsn_notify)
1791 vstring_sprintf_append(next_command, " NOTIFY=%s",
1792 dsn_notify_str(rcpt->dsn_notify));
1793 }
1794 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state))
1795 next_state = (DEL_REQ_TRACE_ONLY(request->flags)
1796 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ?
1797 SMTP_STATE_ABORT : SMTP_STATE_DATA;
1798 break;
1799
1800 /*
1801 * Build the DATA command before we have seen all the RCPT TO
1802 * responses.
1803 */
1804 case SMTP_STATE_DATA:
1805 vstring_strcpy(next_command, "DATA");
1806 next_state = SMTP_STATE_DOT;
1807 break;
1808
1809 /*
1810 * Build the "." command after we have seen the DATA response
1811 * (DATA is a protocol synchronization point).
1812 *
1813 * Changing the connection caching state here is safe because it
1814 * affects none of the not-yet processed replies to
1815 * already-generated commands.
1816 */
1817 case SMTP_STATE_DOT:
1818 vstring_strcpy(next_command, ".");
1819 if (THIS_SESSION_IS_EXPIRED)
1820 DONT_CACHE_THIS_SESSION;
1821 next_state = THIS_SESSION_IS_CACHED ?
1822 SMTP_STATE_LAST : SMTP_STATE_QUIT;
1823 break;
1824
1825 /*
1826 * The SMTP_STATE_ABORT sender state is entered by the sender
1827 * when it has verified all recipients; or it is entered by the
1828 * receiver when all recipients are verified or rejected, and is
1829 * then left before the bottom of the main loop.
1830 *
1831 * Changing the connection caching state here is safe because there
1832 * are no not-yet processed replies to already-generated
1833 * commands.
1834 */
1835 case SMTP_STATE_ABORT:
1836 vstring_strcpy(next_command, "RSET");
1837 if (THIS_SESSION_IS_EXPIRED)
1838 DONT_CACHE_THIS_SESSION;
1839 next_state = THIS_SESSION_IS_CACHED ?
1840 SMTP_STATE_LAST : SMTP_STATE_QUIT;
1841 break;
1842
1843 /*
1844 * Build the RSET command. This is entered as initial state from
1845 * smtp_rset() and has its own dedicated state transitions. It is
1846 * used to find out the status of a cached session before
1847 * attempting mail delivery.
1848 */
1849 case SMTP_STATE_RSET:
1850 vstring_strcpy(next_command, "RSET");
1851 next_state = SMTP_STATE_LAST;
1852 break;
1853
1854 /*
1855 * Build the QUIT command before we have seen the "." or RSET
1856 * response. This is entered as initial state from smtp_quit(),
1857 * or is reached near the end of any non-cached session.
1858 *
1859 * Changing the connection caching state here is safe. If this
1860 * command is pipelined together with a preceding command, then
1861 * connection caching was already turned off. Do not clobber the
1862 * "bad connection" flag.
1863 */
1864 case SMTP_STATE_QUIT:
1865 vstring_strcpy(next_command, "QUIT");
1866 next_state = SMTP_STATE_LAST;
1867 if (THIS_SESSION_IS_CACHED)
1868 DONT_CACHE_THIS_SESSION;
1869 break;
1870
1871 /*
1872 * The final sender state has no action associated with it.
1873 */
1874 case SMTP_STATE_LAST:
1875 VSTRING_RESET(next_command);
1876 break;
1877 }
1878 VSTRING_TERMINATE(next_command);
1879
1880 /*
1881 * Process responses until the receiver has caught up. Vstreams
1882 * automatically flush buffered output when reading new data.
1883 *
1884 * Flush unsent output if command pipelining is off or if no I/O
1885 * happened for a while. This limits the accumulation of client-side
1886 * delays in pipelined sessions.
1887 *
1888 * The PIPELINING engine will flush the VSTREAM buffer if the sender
1889 * could otherwise produce more output than fits the PIPELINING
1890 * buffer. This generally works because we know exactly how much
1891 * output we produced since the last time that the sender and
1892 * receiver synchronized the SMTP state. However this logic is not
1893 * applicable after the sender enters the DATA phase, where it does
1894 * not synchronize with the receiver until the <CR><LF>.<CR><LF>.
1895 * Thus, the PIPELINING engine no longer knows how much data is
1896 * pending in the TCP send buffer. For this reason, if PIPELINING is
1897 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is
1898 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP
1899 * stack either has already received the QUIT<CR><LF>, or else it
1900 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>,
1901 * making room in the sender's TCP stack for QUIT<CR><LF>.
1902 */
1903 #define CHECK_PIPELINING_BUFSIZE \
1904 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT)
1905
1906 if (SENDER_IN_WAIT_STATE
1907 || (SENDER_IS_AHEAD
1908 && ((session->features & SMTP_FEATURE_PIPELINING) == 0
1909 || (CHECK_PIPELINING_BUFSIZE
1910 && (VSTRING_LEN(next_command) + 2
1911 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND)
1912 > PIPELINING_BUFSIZE))
1913 || time((time_t *) 0)
1914 - vstream_ftime(session->stream) > 10))) {
1915 while (SENDER_IS_AHEAD) {
1916
1917 /*
1918 * Sanity check.
1919 */
1920 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR
1921 || recv_state > SMTP_STATE_QUIT)
1922 msg_panic("%s: bad receiver state %d (sender state %d)",
1923 myname, recv_state, send_state);
1924
1925 /*
1926 * Receive the next server response. Use the proper timeout,
1927 * and log the proper client state in case of trouble.
1928 *
1929 * XXX If we lose the connection before sending end-of-data,
1930 * find out if the server sent a premature end-of-data reply.
1931 * If this read attempt fails, report "lost connection while
1932 * sending message body", not "lost connection while sending
1933 * end-of-data".
1934 *
1935 * "except" becomes zero just above the protocol loop, and stays
1936 * zero or triggers an early return from the loop. In just
1937 * one case: loss of the connection when sending the message
1938 * body, we record the exception, and keep processing in the
1939 * hope of detecting a premature 5XX. We must be careful to
1940 * not clobber this non-zero value once it is set. The
1941 * variable need not survive longjmp() calls, since the only
1942 * setjmp() which does not return early is the one sets this
1943 * condition, subsequent failures always return early.
1944 */
1945 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF)
1946
1947 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state],
1948 var_smtp_req_deadline, 0);
1949 if (LOST_CONNECTION_INSIDE_DATA) {
1950 if (vstream_setjmp(session->stream) != 0)
1951 RETURN(smtp_stream_except(state, SMTP_ERR_EOF,
1952 "sending message body"));
1953 } else {
1954 if ((except = vstream_setjmp(session->stream)) != 0)
1955 RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
1956 xfer_states[recv_state]) : -1);
1957 }
1958 resp = smtp_chat_resp(session);
1959
1960 /*
1961 * Process the response.
1962 */
1963 switch (recv_state) {
1964
1965 /*
1966 * Process the XFORWARD response.
1967 */
1968 case SMTP_STATE_XFORWARD_NAME_ADDR:
1969 if (resp->code / 100 != 2)
1970 msg_warn("host %s said: %s (in reply to %s)",
1971 session->namaddrport,
1972 translit(resp->str, "\n", " "),
1973 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]);
1974 if (session->send_proto_helo)
1975 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO;
1976 else
1977 recv_state = SMTP_STATE_MAIL;
1978 break;
1979
1980 case SMTP_STATE_XFORWARD_PROTO_HELO:
1981 if (resp->code / 100 != 2)
1982 msg_warn("host %s said: %s (in reply to %s)",
1983 session->namaddrport,
1984 translit(resp->str, "\n", " "),
1985 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]);
1986 recv_state = SMTP_STATE_MAIL;
1987 break;
1988
1989 /*
1990 * Process the MAIL FROM response. When the server
1991 * rejects the sender, set the mail_from_rejected flag so
1992 * that the receiver may apply a course correction.
1993 */
1994 case SMTP_STATE_MAIL:
1995 if (resp->code / 100 != 2) {
1996 smtp_mesg_fail(state, STR(iter->host), resp,
1997 "host %s said: %s (in reply to %s)",
1998 session->namaddr,
1999 translit(resp->str, "\n", " "),
2000 xfer_request[SMTP_STATE_MAIL]);
2001 mail_from_rejected = 1;
2002 }
2003
2004 /*
2005 * CVE-2009-3555 (TLS renegotiation). Whatever it was
2006 * that arrived before we sent our MAIL FROM command, it
2007 * was not a fatal-level TLS alert message. It could be a
2008 * warning-level TLS alert message, or a ChangeCipherSpec
2009 * message, but such messages are not normally sent in
2010 * the middle of a TLS session. We disconnect and try
2011 * again later.
2012 */
2013 #ifdef USE_TLS
2014 if (var_smtp_tls_blk_early_mail_reply
2015 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) {
2016 smtp_site_fail(state, DSN_BY_LOCAL_MTA,
2017 SMTP_RESP_FAKE(&fake, "4.7.0"),
2018 "unexpected server message");
2019 msg_warn("server %s violates %s policy",
2020 session->namaddr,
2021 VAR_LMTP_SMTP(TLS_BLK_EARLY_MAIL_REPLY));
2022 mail_from_rejected = 1;
2023 }
2024 #endif
2025
2026 /*
2027 * We now return to our regular broadcast.
2028 */
2029 recv_state = SMTP_STATE_RCPT;
2030 break;
2031
2032 /*
2033 * Process one RCPT TO response. If MAIL FROM was
2034 * rejected, ignore RCPT TO responses: all recipients are
2035 * dead already. When all recipients are rejected the
2036 * receiver may apply a course correction.
2037 *
2038 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply
2039 * must be treated as if the server replied with 452.
2040 * However, this causes "too much mail data" to be
2041 * treated as a recoverable error, which is wrong. I'll
2042 * stick with RFC 821.
2043 */
2044 case SMTP_STATE_RCPT:
2045 if (!mail_from_rejected) {
2046 #ifdef notdef
2047 if (resp->code == 552) {
2048 resp->code = 452;
2049 resp->dsn[0] = '4';
2050 }
2051 #endif
2052 rcpt = request->rcpt_list.info + recv_rcpt;
2053 if (resp->code / 100 == 2) {
2054 if (!smtp_mode) {
2055 if (survivors == 0)
2056 survivors = (int *)
2057 mymalloc(request->rcpt_list.len
2058 * sizeof(int));
2059 survivors[nrcpt] = recv_rcpt;
2060 }
2061 ++nrcpt;
2062 /* If trace-only, mark the recipient done. */
2063 if (DEL_REQ_TRACE_ONLY(request->flags)
2064 && smtp_vrfy_tgt == SMTP_STATE_RCPT) {
2065 translit(resp->str, "\n", " ");
2066 smtp_rcpt_done(state, resp, rcpt);
2067 }
2068 } else {
2069 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp,
2070 "host %s said: %s (in reply to %s)",
2071 session->namaddr,
2072 translit(resp->str, "\n", " "),
2073 xfer_request[SMTP_STATE_RCPT]);
2074 }
2075 }
2076 /* If trace-only, send RSET instead of DATA. */
2077 if (++recv_rcpt == SMTP_RCPT_LEFT(state))
2078 recv_state = (DEL_REQ_TRACE_ONLY(request->flags)
2079 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ?
2080 SMTP_STATE_ABORT : SMTP_STATE_DATA;
2081 /* XXX Also: record if non-delivering session. */
2082 break;
2083
2084 /*
2085 * Process the DATA response. When the server rejects
2086 * DATA, set nrcpt to a negative value so that the
2087 * receiver can apply a course correction.
2088 */
2089 case SMTP_STATE_DATA:
2090 recv_state = SMTP_STATE_DOT;
2091 if (resp->code / 100 != 3) {
2092 if (nrcpt > 0)
2093 smtp_mesg_fail(state, STR(iter->host), resp,
2094 "host %s said: %s (in reply to %s)",
2095 session->namaddr,
2096 translit(resp->str, "\n", " "),
2097 xfer_request[SMTP_STATE_DATA]);
2098 nrcpt = -1;
2099 }
2100
2101 /*
2102 * In the case of a successful address probe with target
2103 * equal to DATA, the remote server is now in the DATA
2104 * state, and therefore we must not make any further
2105 * attempt to send or receive on this connection. This
2106 * means that we cannot not reuse the general-purpose
2107 * course-correction logic below which sends RSET (and
2108 * perhaps QUIT). Instead we "jump" straight to the exit
2109 * and force an unceremonious disconnect.
2110 */
2111 else if (DEL_REQ_TRACE_ONLY(request->flags)
2112 && smtp_vrfy_tgt == SMTP_STATE_DATA) {
2113 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) {
2114 rcpt = request->rcpt_list.info + nrcpt;
2115 if (!SMTP_RCPT_ISMARKED(rcpt)) {
2116 translit(resp->str, "\n", " ");
2117 SMTP_RESP_SET_DSN(resp, "2.0.0");
2118 smtp_rcpt_done(state, resp, rcpt);
2119 }
2120 }
2121 DONT_CACHE_THIS_SESSION;
2122 send_state = recv_state = SMTP_STATE_LAST;
2123 }
2124 break;
2125
2126 /*
2127 * Process the end of message response. Ignore the
2128 * response when no recipient was accepted: all
2129 * recipients are dead already, and the next receiver
2130 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise,
2131 * if the message transfer fails, bounce all remaining
2132 * recipients, else cross off the recipients that were
2133 * delivered.
2134 */
2135 case SMTP_STATE_DOT:
2136 GETTIMEOFDAY(&request->msg_stats.deliver_done);
2137 if (smtp_mode) {
2138 if (nrcpt > 0) {
2139 if (resp->code / 100 != 2) {
2140 smtp_mesg_fail(state, STR(iter->host), resp,
2141 "host %s said: %s (in reply to %s)",
2142 session->namaddr,
2143 translit(resp->str, "\n", " "),
2144 xfer_request[SMTP_STATE_DOT]);
2145 } else {
2146 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) {
2147 rcpt = request->rcpt_list.info + nrcpt;
2148 if (!SMTP_RCPT_ISMARKED(rcpt)) {
2149 translit(resp->str, "\n", " ");
2150 smtp_rcpt_done(state, resp, rcpt);
2151 }
2152 }
2153 }
2154 }
2155 }
2156
2157 /*
2158 * With LMTP we have one response per accepted RCPT TO
2159 * command. Stay in the SMTP_STATE_DOT state until we
2160 * have collected all responses.
2161 */
2162 else {
2163 if (nrcpt > 0) {
2164 rcpt = request->rcpt_list.info
2165 + survivors[recv_done++];
2166 if (resp->code / 100 != 2) {
2167 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp,
2168 "host %s said: %s (in reply to %s)",
2169 session->namaddr,
2170 translit(resp->str, "\n", " "),
2171 xfer_request[SMTP_STATE_DOT]);
2172 } else {
2173 translit(resp->str, "\n", " ");
2174 smtp_rcpt_done(state, resp, rcpt);
2175 }
2176 }
2177 if (msg_verbose)
2178 msg_info("%s: got %d of %d end-of-data replies",
2179 myname, recv_done, nrcpt);
2180 if (recv_done < nrcpt)
2181 break;
2182 }
2183
2184 /*
2185 * XXX Do not change the connection caching state here,
2186 * even if the connection caching timer expired between
2187 * generating the command and processing the reply,
2188 * otherwise the sender and receiver loops get out of
2189 * sync. The caller will call smtp_quit() if appropriate.
2190 */
2191 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED
2192 || LOST_CONNECTION_INSIDE_DATA)
2193 recv_state = SMTP_STATE_LAST;
2194 else
2195 recv_state = SMTP_STATE_QUIT;
2196 break;
2197
2198 /*
2199 * Receive the RSET response.
2200 *
2201 * The SMTP_STATE_ABORT sender state is entered by the
2202 * sender when it has verified all recipients; or it is
2203 * entered by the receiver when all recipients are
2204 * verified or rejected, and is then left before the
2205 * bottom of the main loop.
2206 *
2207 * XXX Do not change the connection caching state here, even
2208 * if the server rejected RSET or if the connection
2209 * caching timer expired between generating the command
2210 * and processing the reply, otherwise the sender and
2211 * receiver loops get out of sync. The caller will call
2212 * smtp_quit() if appropriate.
2213 */
2214 case SMTP_STATE_ABORT:
2215 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ?
2216 SMTP_STATE_LAST : SMTP_STATE_QUIT);
2217 break;
2218
2219 /*
2220 * This is the initial receiver state from smtp_rset().
2221 * It is used to find out the status of a cached session
2222 * before attempting mail delivery.
2223 */
2224 case SMTP_STATE_RSET:
2225 if (resp->code / 100 != 2)
2226 CANT_RSET_THIS_SESSION;
2227 recv_state = SMTP_STATE_LAST;
2228 break;
2229
2230 /*
2231 * Receive, but otherwise ignore, the QUIT response.
2232 */
2233 case SMTP_STATE_QUIT:
2234 recv_state = SMTP_STATE_LAST;
2235 break;
2236 }
2237 }
2238
2239 /*
2240 * At this point, the sender and receiver are fully synchronized.
2241 */
2242
2243 /*
2244 * We know the server response to every command that was sent.
2245 * Apply a course correction if necessary: the sender wants to
2246 * send RCPT TO but MAIL FROM was rejected; the sender wants to
2247 * send DATA but all recipients were rejected; the sender wants
2248 * to deliver the message but DATA was rejected.
2249 */
2250 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected)
2251 || (send_state == SMTP_STATE_DATA && nrcpt == 0)
2252 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) {
2253 send_state = recv_state = SMTP_STATE_ABORT;
2254 send_rcpt = recv_rcpt = 0;
2255 vstring_strcpy(next_command, "RSET");
2256 if (THIS_SESSION_IS_EXPIRED)
2257 DONT_CACHE_THIS_SESSION;
2258 next_state = THIS_SESSION_IS_CACHED ?
2259 SMTP_STATE_LAST : SMTP_STATE_QUIT;
2260 /* XXX Also: record if non-delivering session. */
2261 next_rcpt = 0;
2262 }
2263 }
2264
2265 /*
2266 * Make the next sender state the current sender state.
2267 */
2268 if (send_state == SMTP_STATE_LAST)
2269 continue;
2270
2271 /*
2272 * Special case if the server accepted the DATA command. If the
2273 * server accepted at least one recipient send the entire message.
2274 * Otherwise, just send "." as per RFC 2197.
2275 *
2276 * XXX If there is a hard MIME error while downgrading to 7-bit mail,
2277 * disconnect ungracefully, because there is no other way to cancel a
2278 * transaction in progress.
2279 */
2280 if (send_state == SMTP_STATE_DOT && nrcpt > 0) {
2281
2282 smtp_stream_setup(session->stream, var_smtp_data1_tmout,
2283 var_smtp_req_deadline, var_smtp_min_data_rate);
2284
2285 if ((except = vstream_setjmp(session->stream)) == 0) {
2286
2287 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0)
2288 msg_fatal("seek queue file: %m");
2289
2290 downgrading = SMTP_MIME_DOWNGRADE(session, request);
2291
2292 /*
2293 * XXX Don't downgrade just because generic_maps is turned
2294 * on.
2295 */
2296 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks)
2297
2298 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS)
2299 session->mime_state = mime_state_alloc(downgrading ?
2300 MIME_OPT_DOWNGRADE
2301 | MIME_OPT_REPORT_NESTING :
2302 SMTP_ANY_CHECKS == 0 ?
2303 MIME_OPT_DISABLE_MIME :
2304 0,
2305 smtp_generic_maps
2306 || smtp_header_checks ?
2307 smtp_header_rewrite :
2308 smtp_header_out,
2309 (MIME_STATE_ANY_END) 0,
2310 smtp_body_checks ?
2311 smtp_body_rewrite :
2312 smtp_text_out,
2313 (MIME_STATE_ANY_END) 0,
2314 (MIME_STATE_ERR_PRINT) 0,
2315 (void *) state);
2316 state->space_left = var_smtp_line_limit;
2317
2318 if ((smtp_cli_attr.flags & SMTP_CLI_MASK_ADD_HEADERS) != 0
2319 && smtp_out_add_headers(state) < 0)
2320 RETURN(0);
2321
2322 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) {
2323 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT)
2324 break;
2325 if (smtp_out_raw_or_mime(state, rec_type,
2326 session->scratch) < 0)
2327 RETURN(0);
2328 prev_type = rec_type;
2329 }
2330
2331 if (session->mime_state) {
2332
2333 /*
2334 * The cleanup server normally ends MIME content with a
2335 * normal text record. The following code is needed to
2336 * flush an internal buffer when someone submits 8-bit
2337 * mail not ending in newline via /usr/sbin/sendmail
2338 * while MIME input processing is turned off, and MIME
2339 * 8bit->7bit conversion is requested upon delivery.
2340 *
2341 * Or some error while doing generic address mapping.
2342 */
2343 mime_errs =
2344 mime_state_update(session->mime_state, rec_type, "", 0);
2345 if (mime_errs) {
2346 smtp_mime_fail(state, mime_errs);
2347 RETURN(0);
2348 }
2349 } else if (prev_type == REC_TYPE_CONT) /* missing newline */
2350 smtp_fputs("", 0, session->stream);
2351 if (session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) {
2352 smtp_flush(session->stream);/* hurts performance */
2353 sleep(var_smtp_pix_delay); /* not to mention this */
2354 }
2355 if (vstream_ferror(state->src))
2356 msg_fatal("queue file read error");
2357 if (rec_type != REC_TYPE_XTRA) {
2358 msg_warn("%s: bad record type: %d in message content",
2359 request->queue_id, rec_type);
2360 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
2361 SMTP_RESP_FAKE(&fake, "5.3.0"),
2362 "unreadable mail queue entry");
2363 /* Bailing out, abort stream with prejudice */
2364 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
2365 DONT_USE_FORBIDDEN_SESSION;
2366 /* If bounce_append() succeeded, status is still 0 */
2367 if (state->status == 0)
2368 (void) mark_corrupt(state->src);
2369 /* Don't override smtp_mesg_fail() here. */
2370 RETURN(fail_status);
2371 }
2372 } else {
2373 if (!LOST_CONNECTION_INSIDE_DATA)
2374 RETURN(smtp_stream_except(state, except,
2375 "sending message body"));
2376
2377 /*
2378 * We will clear the stream error flag to try and read a
2379 * premature 5XX response, so it is important to flush any
2380 * unwritten data. Otherwise, we will try to flush it again
2381 * before reading, which may incur an unnecessary delay and
2382 * will prevent the reading of any response that is not
2383 * already buffered (bundled with the DATA 354 response).
2384 *
2385 * Not much point in sending QUIT at this point, skip right to
2386 * SMTP_STATE_LAST. The read engine above will likewise avoid
2387 * looking for a QUIT response.
2388 */
2389 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE);
2390 next_state = SMTP_STATE_LAST;
2391 }
2392 }
2393
2394 /*
2395 * Copy the next command to the buffer and update the sender state.
2396 */
2397 if (except == 0) {
2398 smtp_chat_cmd(session, "%s", vstring_str(next_command));
2399 } else {
2400 DONT_CACHE_THIS_SESSION;
2401 }
2402 send_state = next_state;
2403 send_rcpt = next_rcpt;
2404 } while (recv_state != SMTP_STATE_LAST);
2405 RETURN(0);
2406 }
2407
2408 /* smtp_xfer - send a batch of envelope information and the message data */
2409
smtp_xfer(SMTP_STATE * state)2410 int smtp_xfer(SMTP_STATE *state)
2411 {
2412 DELIVER_REQUEST *request = state->request;
2413 SMTP_SESSION *session = state->session;
2414 SMTP_RESP fake;
2415 int send_state;
2416 int recv_state;
2417 int send_name_addr;
2418 int result;
2419
2420 /*
2421 * Sanity check. Recipients should be unmarked at this point.
2422 */
2423 if (SMTP_RCPT_LEFT(state) <= 0)
2424 msg_panic("smtp_xfer: bad recipient count: %d",
2425 SMTP_RCPT_LEFT(state));
2426 if (SMTP_RCPT_ISMARKED(request->rcpt_list.info))
2427 msg_panic("smtp_xfer: bad recipient status: %d",
2428 request->rcpt_list.info->u.status);
2429
2430 /*
2431 * See if we should even try to send this message at all. This code sits
2432 * here rather than in the EHLO processing code, because of SMTP
2433 * connection caching.
2434 */
2435 if (session->size_limit > 0 && session->size_limit < request->data_size) {
2436 smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
2437 SMTP_RESP_FAKE(&fake, "5.3.4"),
2438 "message size %lu exceeds size limit %.0f of server %s",
2439 request->data_size, (double) session->size_limit,
2440 session->namaddr);
2441 /* Redundant. We abort this delivery attempt. */
2442 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;
2443 return (0);
2444 }
2445
2446 /*
2447 * Use XFORWARD to forward the origin of this email message across an
2448 * SMTP-based content filter. Send client attribute information only if
2449 * it exists (i.e. remote submission). Local submissions have no client
2450 * attributes; the mail will appear to originate from the content filter
2451 * which is acceptable.
2452 */
2453 send_name_addr =
2454 var_smtp_send_xforward
2455 && (((session->features & SMTP_FEATURE_XFORWARD_NAME)
2456 && CAN_FORWARD_CLIENT_NAME(request->client_name))
2457 || ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
2458 && CAN_FORWARD_CLIENT_ADDR(request->client_addr))
2459 || ((session->features & SMTP_FEATURE_XFORWARD_PORT)
2460 && CAN_FORWARD_CLIENT_PORT(request->client_port)));
2461 session->send_proto_helo =
2462 var_smtp_send_xforward
2463 && (((session->features & SMTP_FEATURE_XFORWARD_PROTO)
2464 && CAN_FORWARD_PROTO_NAME(request->client_proto))
2465 || ((session->features & SMTP_FEATURE_XFORWARD_HELO)
2466 && CAN_FORWARD_HELO_NAME(request->client_helo))
2467 || ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
2468 && CAN_FORWARD_IDENT_NAME(request->log_ident))
2469 || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
2470 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)));
2471 if (send_name_addr)
2472 recv_state = send_state = SMTP_STATE_XFORWARD_NAME_ADDR;
2473 else if (session->send_proto_helo)
2474 recv_state = send_state = SMTP_STATE_XFORWARD_PROTO_HELO;
2475 else
2476 recv_state = send_state = SMTP_STATE_MAIL;
2477
2478 /*
2479 * Remember this session's "normal completion", even if the server 4xx-ed
2480 * some or all recipients. Connection or handshake errors with a later MX
2481 * host should not cause this destination be marked as unreachable.
2482 */
2483 result = smtp_loop(state, send_state, recv_state);
2484
2485 if (result == 0
2486 /* Just in case */
2487 && vstream_ferror(session->stream) == 0
2488 && vstream_feof(session->stream) == 0)
2489 state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;
2490
2491 return (result);
2492 }
2493
2494 /* smtp_rset - send a lone RSET command */
2495
smtp_rset(SMTP_STATE * state)2496 int smtp_rset(SMTP_STATE *state)
2497 {
2498
2499 /*
2500 * This works because SMTP_STATE_RSET is a dedicated sender/recipient
2501 * entry state, with SMTP_STATE_LAST as next sender/recipient state.
2502 */
2503 return (smtp_loop(state, SMTP_STATE_RSET, SMTP_STATE_RSET));
2504 }
2505
2506 /* smtp_quit - send a lone QUIT command */
2507
smtp_quit(SMTP_STATE * state)2508 int smtp_quit(SMTP_STATE *state)
2509 {
2510
2511 /*
2512 * This works because SMTP_STATE_QUIT is the last state with a sender
2513 * action, with SMTP_STATE_LAST as the next sender/recipient state.
2514 */
2515 return (smtp_loop(state, SMTP_STATE_QUIT, var_skip_quit_resp ?
2516 SMTP_STATE_LAST : SMTP_STATE_QUIT));
2517 }
2518