1 /*        $NetBSD: smtp_proto.c,v 1.6 2025/02/25 19:15:49 christos Exp $        */
2 
3 /*++
4 /* NAME
5 /*        smtp_proto 3
6 /* SUMMARY
7 /*        client SMTP/LMTP protocol
8 /* SYNOPSIS
9 /*        #include "smtp.h"
10 /*
11 /*        int       smtp_helo(state)
12 /*        SMTP_STATE *state;
13 /*
14 /*        int       smtp_xfer(state)
15 /*        SMTP_STATE *state;
16 /*
17 /*        int       smtp_rset(state)
18 /*        SMTP_STATE *state;
19 /*
20 /*        int       smtp_quit(state)
21 /*        SMTP_STATE *state;
22 /* DESCRIPTION
23 /*        In the subsequent text, SMTP implies LMTP.
24 /*        This module implements the client side of the SMTP protocol.
25 /*
26 /*        smtp_helo() performs the initial handshake with the SMTP server.
27 /*        When TLS is enabled, this includes STARTTLS negotiations.
28 /*
29 /*        smtp_xfer() sends message envelope information followed by the
30 /*        message data, and finishes the SMTP conversation. These operations
31 /*        are combined in one function, in order to implement SMTP pipelining.
32 /*        Recipients are marked as "done" in the mail queue file when
33 /*        bounced or delivered. The message delivery status is updated
34 /*        accordingly.
35 /*
36 /*        smtp_rset() sends a single RSET command and waits for the
37 /*        response. In case of a negative reply it sets the
38 /*        CANT_RSET_THIS_SESSION flag.
39 /*
40 /*        smtp_quit() sends a single QUIT command and waits for the
41 /*        response if configured to do so. It always turns off connection
42 /*        caching.
43 /* DIAGNOSTICS
44 /*        smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return
45 /*        0 in case of success, -1 in case of failure. For smtp_xfer(),
46 /*        smtp_rset() and smtp_quit(), success means the ability to
47 /*        perform an SMTP conversation, not necessarily the ability
48 /*        to deliver mail, or the achievement of server happiness.
49 /*
50 /*        In case of a rejected or failed connection, a connection
51 /*        is marked as "bad, do not cache". Otherwise, connection
52 /*        caching may be turned off (without being marked "bad") at
53 /*        the discretion of the code that implements the individual
54 /*        protocol steps.
55 /*
56 /*        Warnings: corrupt message file. A corrupt message is marked
57 /*        as "corrupt" by changing its queue file permissions.
58 /* BUGS
59 /*        Some SMTP servers will abort when the number of recipients
60 /*        for one message exceeds their capacity. This behavior violates
61 /*        the SMTP protocol.
62 /*        The only way around this is to limit the number of recipients
63 /*        per transaction to an artificially-low value.
64 /* SEE ALSO
65 /*        smtp(3h) internal data structures
66 /*        smtp_chat(3) query/reply SMTP support
67 /*        smtp_trouble(3) error handlers
68 /* LICENSE
69 /* .ad
70 /* .fi
71 /*        The Secure Mailer license must be distributed with this software.
72 /* AUTHOR(S)
73 /*        Wietse Venema
74 /*        IBM T.J. Watson Research
75 /*        P.O. Box 704
76 /*        Yorktown Heights, NY 10598, USA
77 /*
78 /*        Wietse Venema
79 /*        Google, Inc.
80 /*        111 8th Avenue
81 /*        New York, NY 10011, USA
82 /*
83 /*        Wietse Venema
84 /*        porcupine.org
85 /*
86 /*        Pipelining code in cooperation with:
87 /*        Jon Ribbens
88 /*        Oaktree Internet Solutions Ltd.,
89 /*        Internet House,
90 /*        Canal Basin,
91 /*        Coventry,
92 /*        CV1 4LY, United Kingdom.
93 /*
94 /*        Connection caching in cooperation with:
95 /*        Victor Duchovni
96 /*        Morgan Stanley
97 /*
98 /*        TLS support originally by:
99 /*        Lutz Jaenicke
100 /*        BTU Cottbus
101 /*        Allgemeine Elektrotechnik
102 /*        Universitaetsplatz 3-4
103 /*        D-03044 Cottbus, Germany
104 /*--*/
105 
106 /* System library. */
107 
108 #include <sys_defs.h>
109 #include <sys/stat.h>
110 #include <sys/socket.h>                           /* shutdown(2) */
111 #include <netinet/in.h>                           /* ntohs() */
112 #include <string.h>
113 #include <unistd.h>
114 #include <stdlib.h>                     /* 44BSD stdarg.h uses abort() */
115 #include <stdarg.h>
116 #include <time.h>
117 
118 #ifdef STRCASECMP_IN_STRINGS_H
119 #include <strings.h>
120 #endif
121 
122 /* Utility library. */
123 
124 #include <msg.h>
125 #include <vstring.h>
126 #include <vstream.h>
127 #include <vstring_vstream.h>
128 #include <stringops.h>
129 #include <mymalloc.h>
130 #include <iostuff.h>
131 #include <split_at.h>
132 #include <name_code.h>
133 #include <name_mask.h>
134 
135 /* Global library. */
136 
137 #include <mail_params.h>
138 #include <smtp_stream.h>
139 #include <mail_queue.h>
140 #include <recipient_list.h>
141 #include <deliver_request.h>
142 #include <defer.h>
143 #include <bounce.h>
144 #include <record.h>
145 #include <rec_type.h>
146 #include <off_cvt.h>
147 #include <mark_corrupt.h>
148 #include <quote_822_local.h>
149 #include <mail_proto.h>
150 #include <mime_state.h>
151 #include <ehlo_mask.h>
152 #include <maps.h>
153 #include <tok822.h>
154 #include <mail_addr_map.h>
155 #include <ext_prop.h>
156 #include <namadr_list.h>
157 #include <match_parent_style.h>
158 #include <lex_822.h>
159 #include <dsn_mask.h>
160 #include <xtext.h>
161 #include <uxtext.h>
162 #include <smtputf8.h>
163 #if defined(USE_TLS) && defined(USE_TLSRPT)
164 #include <tlsrpt_wrapper.h>
165 #endif
166 
167 /* Application-specific. */
168 
169 #include "smtp.h"
170 #include "smtp_sasl.h"
171 
172  /*
173   * Sender and receiver state. A session does not necessarily go through a
174   * linear progression, but states are guaranteed to not jump backwards.
175   * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states
176   * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST.
177   *
178   * When connection caching is enabled, the QUIT state is suppressed. Normal
179   * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions
180   * end with ABORT->LAST. The connection is left open for a limited time. An
181   * RSET probe should be sent before attempting to reuse an open connection
182   * for a new transaction.
183   *
184   * The code to send an RSET probe is a special case with its own initial state
185   * and with its own dedicated state transitions. The session proceeds as
186   * RSET->LAST. This code is kept inside the main protocol engine for
187   * consistent error handling and error reporting. It is not to be confused
188   * with the code that sends RSET to abort a mail transaction in progress.
189   *
190   * The code to send QUIT without message delivery transaction jumps into the
191   * main state machine. If this introduces complications, then we should
192   * introduce a second QUIT state with its own dedicated state transitions,
193   * just like we did for RSET probes.
194   *
195   * By default, the receiver skips the QUIT response. Some SMTP servers
196   * disconnect after responding to ".", and some SMTP servers wait before
197   * responding to QUIT.
198   *
199   * Client states that are associated with sending mail (up to and including
200   * SMTP_STATE_DOT) must have smaller numerical values than the non-sending
201   * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST).
202   */
203 #define SMTP_STATE_XFORWARD_NAME_ADDR 0
204 #define SMTP_STATE_XFORWARD_PROTO_HELO 1
205 #define SMTP_STATE_MAIL                 2
206 #define SMTP_STATE_RCPT                 3
207 #define SMTP_STATE_DATA                 4
208 #define SMTP_STATE_DOT                  5
209 #define SMTP_STATE_ABORT      6
210 #define SMTP_STATE_RSET                 7
211 #define SMTP_STATE_QUIT                 8
212 #define SMTP_STATE_LAST                 9
213 
/*
 * Per-state I/O timeouts, indexed by the SMTP_STATE_* values defined above.
 * The initializer is positional: entry order must match the SMTP_STATE_*
 * numbering, and SMTP_STATE_LAST has no entry (the array holds exactly
 * SMTP_STATE_LAST elements). Each entry is a pointer to the timeout
 * configuration variable, not a copy of its value.
 */
int    *xfer_timeouts[SMTP_STATE_LAST] = {
    &var_smtp_xfwd_tmout,		/* name/addr */
    &var_smtp_xfwd_tmout,		/* helo/proto */
    &var_smtp_mail_tmout,		/* MAIL FROM */
    &var_smtp_rcpt_tmout,		/* RCPT TO */
    &var_smtp_data0_tmout,		/* DATA command */
    &var_smtp_data2_tmout,		/* end of data ("." ) */
    &var_smtp_rset_tmout,		/* final RSET (abort) */
    &var_smtp_rset_tmout,		/* RSET probe */
    &var_smtp_quit_tmout,		/* QUIT */
};
225 
/*
 * Human-readable description of what the client was doing in each state,
 * indexed by SMTP_STATE_* (positional, same ordering rule as xfer_timeouts;
 * no entry for SMTP_STATE_LAST).
 */
char   *xfer_states[SMTP_STATE_LAST] = {
    "sending XFORWARD name/address",
    "sending XFORWARD protocol/helo_name",
    "sending MAIL FROM",
    "sending RCPT TO",
    "sending DATA command",
    "sending end of data -- message may be sent more than once",
    "sending final RSET",
    "sending RSET probe",
    "sending QUIT",
};
237 
/*
 * Short name of the request being sent in each state, indexed by
 * SMTP_STATE_* (positional, same ordering rule as xfer_timeouts; no entry
 * for SMTP_STATE_LAST).
 */
char   *xfer_request[SMTP_STATE_LAST] = {
    "XFORWARD name/address command",
    "XFORWARD helo/protocol command",
    "MAIL FROM command",
    "RCPT TO command",
    "DATA command",
    "end of DATA command",
    "final RSET command",
    "RSET probe",
    "QUIT command",
};
249 
 /*
  * Note: MIME downgrade never happens for mail that must be delivered with
  * SMTPUTF8 (the sender requested SMTPUTF8, AND the delivery request
  * involves at least one UTF-8 envelope address or header value).
  */
255 #define SMTP_MIME_DOWNGRADE(session, request) \
256     (var_disable_mime_oconv == 0 \
257      && (session->features & SMTP_FEATURE_8BITMIME) == 0 \
258      && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0)
259 
260 #ifdef USE_TLS
261 
262 static int smtp_start_tls(SMTP_STATE *);
263 
264 #endif
265 
266  /*
267   * Call-back information for header/body checks. We don't provide call-backs
268   * for actions that change the message delivery time or destination.
269   */
270 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *);
271 static void smtp_text_out(void *, int, const char *, ssize_t, off_t);
272 
/*
 * Header/body check call-back table: first the logger, then the text output
 * routine, both the static functions declared above. Declared as a
 * one-element array of HBC_CALL_BACKS.
 */
HBC_CALL_BACKS smtp_hbc_callbacks[1] = {
    smtp_hbc_logger,
    smtp_text_out,
};
277 
static int smtp_vrfy_tgt;		/* SMTP_STATE_RCPT or SMTP_STATE_DATA, set by smtp_vrfy_init() */
279 
/* smtp_vrfy_init - translate the configured verification stage into a state */

void    smtp_vrfy_init(void)
{
    static const NAME_CODE stage_table[] = {
	SMTP_VRFY_TGT_RCPT, SMTP_STATE_RCPT,
	SMTP_VRFY_TGT_DATA, SMTP_STATE_DATA,
	0,
    };

    /*
     * Map the var_smtp_vrfy_tgt string onto its SMTP_STATE_* value. A 0
     * result is the table terminator, i.e. the setting matched no known
     * stage; that is a fatal configuration error rather than something to
     * default silently, so a typo cannot leave smtp_vrfy_tgt at a stage
     * that has no meaning.
     */
    smtp_vrfy_tgt = name_code(stage_table, NAME_CODE_FLAG_NONE,
			      var_smtp_vrfy_tgt);
    if (smtp_vrfy_tgt == 0)
	msg_fatal("bad protocol stage: \"%s = %s\"",
		  VAR_SMTP_VRFY_TGT, var_smtp_vrfy_tgt);
}
295 
296 /* smtp_helo - perform initial handshake with SMTP server */
297 
smtp_helo(SMTP_STATE * state)298 int     smtp_helo(SMTP_STATE *state)
299 {
300     const char *myname = "smtp_helo";
301     SMTP_SESSION *session = state->session;
302     DELIVER_REQUEST *request = state->request;
303     SMTP_ITERATOR *iter = state->iterator;
304     SMTP_RESP *resp;
305     SMTP_RESP fake;
306     int     except;
307     char   *lines;
308     char   *words;
309     char   *word;
310     int     n;
311     static const NAME_CODE xforward_features[] = {
312           XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME,
313           XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR,
314           XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT,
315           XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO,
316           XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
317           XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT,
318           XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN,
319           0, 0,
320     };
321     const char *ehlo_words;
322     int     discard_mask;
323     static const NAME_MASK pix_bug_table[] = {
324           PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP,
325           PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF,
326           0,
327     };
328     const char *pix_bug_words;
329     const char *pix_bug_source;
330     int     pix_bug_mask;
331 
332 #ifdef USE_TLS
333     int     saved_features = session->features;
334     int     tls_helo_status;
335 
336 #endif
337     const char *NOCLOBBER where;
338 
339     /*
340      * Skip the plaintext SMTP handshake when connecting in SMTPS mode.
341      */
342 #ifdef USE_TLS
343     if (var_smtp_tls_wrappermode
344           && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
345           /* XXX Mix-up of per-session and per-request flags. */
346           state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
347           smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
348                                 var_smtp_req_deadline, 0);
349           tls_helo_status = smtp_start_tls(state);
350           state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
351           return (tls_helo_status);
352     }
353 #endif
354 
355     /*
356      * Prepare for disaster.
357      */
358     smtp_stream_setup(state->session->stream, var_smtp_helo_tmout,
359                           var_smtp_req_deadline, 0);
360     if ((except = vstream_setjmp(state->session->stream)) != 0)
361           return (smtp_stream_except(state, except, where));
362 
363     /*
364      * If not recursing after STARTTLS, examine the server greeting banner
365      * and decide if we are going to send EHLO as the next command.
366      */
367     if (var_smtp_tls_wrappermode
368           || (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
369 
370           /*
371            * Read and parse the server's SMTP greeting banner.
372            */
373           where = "receiving the initial server greeting";
374           switch ((resp = smtp_chat_resp(session))->code / 100) {
375           case 2:
376               break;
377           case 5:
378               if (var_smtp_skip_5xx_greeting)
379                     STR(resp->dsn_buf)[0] = '4';
380               /* FALLTHROUGH */
381           default:
382               return (smtp_site_fail(state, STR(iter->host), resp,
383                                            "host %s refused to talk to me: %s",
384                                            session->namaddr,
385                                            translit(resp->str, "\n", " ")));
386           }
387 
388           /*
389            * If the policy table specifies a bogus TLS security level, fail
390            * now.
391            */
392 #ifdef USE_TLS
393           if (state->tls->level == TLS_LEV_INVALID)
394               /* Warning is already logged. */
395               return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
396                                            SMTP_RESP_FAKE(&fake, "4.7.0"),
397                                            "client TLS configuration problem"));
398 #endif
399 
400           /*
401            * XXX Some PIX firewall versions require flush before ".<CR><LF>" so
402            * it does not span a packet boundary. This hurts performance so it
403            * is not on by default.
404            */
405           if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) {
406               /* Best effort only. Ignore errors. */
407               if (smtp_pix_bug_maps != 0
408                     && (pix_bug_words =
409                         maps_find(smtp_pix_bug_maps,
410                                     STR(iter->addr), 0)) != 0) {
411                     pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_MAPS);
412               } else {
413                     pix_bug_words = var_smtp_pix_bug_words;
414                     pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_WORDS);
415               }
416               if (*pix_bug_words) {
417                     pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table,
418                                                        pix_bug_words,
419                                              NAME_MASK_ANY_CASE | NAME_MASK_IGNORE);
420                     if ((pix_bug_mask & SMTP_FEATURE_PIX_DELAY_DOTCRLF)
421                         && request->msg_stats.incoming_arrival.tv_sec
422                         > vstream_ftime(state->session->stream) - var_smtp_pix_thresh)
423                         pix_bug_mask &= ~SMTP_FEATURE_PIX_DELAY_DOTCRLF;
424                     msg_info("%s: enabling PIX workarounds: %s for %s",
425                                request->queue_id,
426                                str_name_mask("pix workaround bitmask",
427                                                pix_bug_table, pix_bug_mask),
428                                session->namaddrport);
429                     session->features |= pix_bug_mask;
430               }
431           }
432 
433           /*
434            * See if we are talking to ourself. This should not be possible with
435            * the way we implement DNS lookups. However, people are known to
436            * sometimes screw up the naming service. And, mailer loops are still
437            * possible when our own mailer routing tables are mis-configured.
438            */
439           words = resp->str;
440           (void) mystrtok(&words, "- \t\n");
441           for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) {
442               if (n == 0 && strcasecmp(word, var_myhostname) == 0) {
443                     if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT)
444                         msg_warn("host %s greeted me with my own hostname %s",
445                                    session->namaddrport, var_myhostname);
446               } else if (strcasecmp(word, "ESMTP") == 0)
447                     session->features |= SMTP_FEATURE_ESMTP;
448           }
449           if (smtp_mode) {
450               if (var_smtp_always_ehlo
451                     && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0)
452                     session->features |= SMTP_FEATURE_ESMTP;
453               if (var_smtp_never_ehlo
454                     || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0)
455                     session->features &= ~SMTP_FEATURE_ESMTP;
456           } else {
457               session->features |= SMTP_FEATURE_ESMTP;
458           }
459     }
460 
461     /*
462      * If recursing after STARTTLS, there is no server greeting banner.
463      * Always send EHLO as the next command.
464      */
465     else {
466           session->features |= SMTP_FEATURE_ESMTP;
467     }
468 
469     /*
470      * Return the compliment. Fall back to SMTP if our ESMTP recognition
471      * heuristic failed.
472      */
473     if (smtp_mode) {
474           where = "performing the EHLO handshake";
475           if (session->features & SMTP_FEATURE_ESMTP) {
476               smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name);
477               if ((resp = smtp_chat_resp(session))->code / 100 != 2) {
478                     if (resp->code == 421)
479                         return (smtp_site_fail(state, STR(iter->host), resp,
480                                                   "host %s refused to talk to me: %s",
481                                                      session->namaddr,
482                                                      translit(resp->str, "\n", " ")));
483                     else
484                         session->features &= ~SMTP_FEATURE_ESMTP;
485               }
486 #ifdef USE_TLSRPT
487               if (state->tlsrpt
488                     && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0)
489                     smtp_tlsrpt_set_ehlo_resp(state, resp->str);
490 #endif
491           }
492           if ((session->features & SMTP_FEATURE_ESMTP) == 0) {
493               where = "performing the HELO handshake";
494               smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name);
495               if ((resp = smtp_chat_resp(session))->code / 100 != 2)
496                     return (smtp_site_fail(state, STR(iter->host), resp,
497                                                "host %s refused to talk to me: %s",
498                                                session->namaddr,
499                                                translit(resp->str, "\n", " ")));
500 #ifdef USE_TLSRPT
501               if (state->tlsrpt)
502                     trw_set_ehlo_resp(state->tlsrpt, resp->str);
503 #endif
504           }
505     } else {
506           where = "performing the LHLO handshake";
507           smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name);
508           if ((resp = smtp_chat_resp(session))->code / 100 != 2)
509               return (smtp_site_fail(state, STR(iter->host), resp,
510                                            "host %s refused to talk to me: %s",
511                                            session->namaddr,
512                                            translit(resp->str, "\n", " ")));
513     }
514 
515     /*
516      * No early returns allowed, to ensure consistent handling of TLS and
517      * SASL policies.
518      */
519     if (session->features & SMTP_FEATURE_ESMTP) {
520 
521           /*
522            * Determine what server EHLO keywords to ignore, typically to avoid
523            * inter-operability problems.
524            */
525           if (smtp_ehlo_dis_maps == 0
526               || (ehlo_words = maps_find(smtp_ehlo_dis_maps,
527                                                STR(iter->addr), 0)) == 0)
528               ehlo_words = var_smtp_ehlo_dis_words;
529           if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) {
530               msg_warn("%s: %s map lookup error for %s",
531                          session->state->request->queue_id,
532                          smtp_ehlo_dis_maps->title, STR(iter->addr));
533               vstream_longjmp(session->stream, SMTP_ERR_DATA);
534           }
535           discard_mask = ehlo_mask(ehlo_words);
536           if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
537               msg_info("discarding EHLO keywords: %s",
538                          str_ehlo_mask(discard_mask));
539 
540           /*
541            * Pick up some useful features offered by the SMTP server. XXX Until
542            * we have a portable routine to convert from string to off_t with
543            * proper overflow detection, ignore the message size limit
544            * advertised by the SMTP server. Otherwise, we might do the wrong
545            * thing when the server advertises a really huge message size limit.
546            *
547            * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...",
548            * because MicroSoft implemented AUTH based on an old draft.
549            */
550           lines = resp->str;
551           for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) {
552               if (mystrtok(&words, "- ")
553                     && (word = mystrtok(&words, " \t=")) != 0) {
554                     if (n == 0) {
555                         if (session->helo != 0)
556                               myfree(session->helo);
557 
558                         /*
559                          * XXX: Keep the original case: we don't expect a single
560                          * SMTP server to randomly change the case of its helo
561                          * response. If different capitalization is detected, we
562                          * should assume disjoint TLS caches.
563                          */
564                         session->helo = mystrdup(word);
565                         if (strcasecmp(word, var_myhostname) == 0
566                               && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) {
567                               msg_warn("host %s replied to HELO/EHLO"
568                                          " with my own hostname %s",
569                                          session->namaddrport, var_myhostname);
570                               if (session->features & SMTP_FEATURE_BEST_MX)
571                                   return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
572                                                        SMTP_RESP_FAKE(&fake, "5.4.6"),
573                                                    "mail for %s loops back to myself",
574                                                                request->nexthop));
575                               else
576                                   return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
577                                                        SMTP_RESP_FAKE(&fake, "4.4.6"),
578                                                    "mail for %s loops back to myself",
579                                                                request->nexthop));
580                         }
581                     } else if (strcasecmp(word, "8BITMIME") == 0) {
582                         if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
583                               session->features |= SMTP_FEATURE_8BITMIME;
584                     } else if (strcasecmp(word, "PIPELINING") == 0) {
585                         if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
586                               session->features |= SMTP_FEATURE_PIPELINING;
587                     } else if (strcasecmp(word, "XFORWARD") == 0) {
588                         if ((discard_mask & EHLO_MASK_XFORWARD) == 0)
589                               while ((word = mystrtok(&words, " \t")) != 0)
590                                   session->features |=
591                                         name_code(xforward_features,
592                                                     NAME_CODE_FLAG_NONE, word);
593                     } else if (strcasecmp(word, "SIZE") == 0) {
594                         if ((discard_mask & EHLO_MASK_SIZE) == 0) {
595                               session->features |= SMTP_FEATURE_SIZE;
596                               if ((word = mystrtok(&words, " \t")) != 0) {
597                                   if (!alldig(word))
598                                         msg_warn("bad EHLO SIZE limit \"%s\" from %s",
599                                                    word, session->namaddrport);
600                                   else
601                                         session->size_limit = off_cvt_string(word);
602                               }
603                         }
604 #ifdef USE_TLS
605                     } else if (strcasecmp(word, "STARTTLS") == 0) {
606                         /* Ignored later if we already sent STARTTLS. */
607                         if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
608                               session->features |= SMTP_FEATURE_STARTTLS;
609 #endif
610 #ifdef USE_SASL_AUTH
611                     } else if (var_smtp_sasl_enable
612                                  && strcasecmp(word, "AUTH") == 0) {
613                         if ((discard_mask & EHLO_MASK_AUTH) == 0)
614                               smtp_sasl_helo_auth(session, words);
615 #endif
616                     } else if (strcasecmp(word, "DSN") == 0) {
617                         if ((discard_mask & EHLO_MASK_DSN) == 0)
618                               session->features |= SMTP_FEATURE_DSN;
619                     } else if (strcasecmp(word, "SMTPUTF8") == 0) {
620                         if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0)
621                               session->features |= SMTP_FEATURE_SMTPUTF8;
622                     }
623                     n++;
624               }
625           }
626     }
627     if (msg_verbose)
628           msg_info("server features: 0x%x size %.0f",
629                      session->features, (double) session->size_limit);
630 
631     /*
632      * Decide if this delivery requires SMTPUTF8 server support.
633      *
634      * For now, we require that the remote SMTP server supports SMTPUTF8 when
635      * the sender requested SMTPUTF8 support.
636      *
637      * XXX EAI Refine this to: the sender requested SMTPUTF8 support AND the
638      * delivery request involves at least one UTF-8 envelope address or
639      * header value.
640      *
641      * If the sender requested SMTPUTF8 support but the delivery request
642      * involves no UTF-8 envelope address or header value, then we could
643      * still deliver such mail to a non-SMTPUTF8 server, except that we must
644      * either uxtext-encode ORCPT parameters or not send them. We cannot
645      * encode the ORCPT in xtext, because legacy SMTP requires that the
646      * unencoded address consist entirely of printable (graphic and white
647      * space) characters from the US-ASCII repertoire (RFC 3461 section 4). A
648      * correct uxtext encoder will produce a result that an xtext decoder
649      * will pass through unchanged.
650      *
651      * XXX Should we try to encode headers with RFC 2047 when delivering to a
652      * non-SMTPUTF8 server? That could make life easier for mailing lists.
653      */
654 #define DELIVERY_REQUIRES_SMTPUTF8 \
655           ((request->sendopts & SMTPUTF8_FLAG_REQUESTED) \
656           && (request->sendopts & SMTPUTF8_FLAG_DERIVED))
657 
658     /*
659      * Require that the server supports SMTPUTF8 when delivery requires
660      * SMTPUTF8.
661      *
662      * Fix 20140706: moved this before negotiating TLS, AUTH, and so on.
663      */
664     if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0
665           && DELIVERY_REQUIRES_SMTPUTF8)
666           return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
667                                      SMTP_RESP_FAKE(&fake, "5.6.7"),
668                                      "SMTPUTF8 is required, "
669                                      "but was not offered by host %s",
670                                      session->namaddr));
671 
672     /*
673      * Fix 20140706: don't do silly things when the remote server announces
674      * SMTPUTF8 but not 8BITMIME support. Our primary mission is to deliver
675      * mail, not to force people into compliance.
676      */
677     if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
678           && (session->features & SMTP_FEATURE_8BITMIME) == 0) {
679           msg_info("host %s offers SMTPUTF8 support, but not 8BITMIME",
680                      session->namaddr);
681           session->features |= SMTP_FEATURE_8BITMIME;
682     }
683 
684     /*
685      * We use SMTP command pipelining if the server said it supported it.
686      * Since we use blocking I/O, RFC 2197 says that we should inspect the
687      * TCP window size and not send more than this amount of information.
688      * Unfortunately this information is unavailable using the sockets
689      * interface. However, we *can* get the TCP send buffer size on the local
690      * TCP/IP stack. We should be able to fill this buffer without being
691      * blocked, and then the kernel will effectively do non-blocking I/O for
692      * us by automatically writing out the contents of its send buffer while
693      * we are reading in the responses. In addition to TCP buffering we have
694      * to be aware of application-level buffering by the vstream module,
695      * which is limited to a couple kbytes.
696      *
697      * XXX No need to do this before and after STARTTLS, but it's not a big deal
698      * if we do.
699      *
700      * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as
701      * TLS messages. Thus, the TCP-level payload will be larger than the
702      * SMTP-level payload. This has implications for the PIPELINING engine.
703      *
704      * To avoid deadlock, the PIPELINING engine needs to request a TCP send
705      * buffer size that can hold the unacknowledged commands plus the TLS
706      * encapsulation overhead.
707      *
708      * The PIPELINING engine keeps the unacknowledged command size <= the
709      * default VSTREAM buffer size (to avoid small-write performance issues
710      * when the VSTREAM buffer size is at its default size). With a default
711      * VSTREAM buffer size of 4096 there is no reason to increase the
712      * unacknowledged command size as the TCP MSS increases. It's safer to
713      * spread the remote SMTP server's recipient processing load over time,
714      * than dumping a very large recipient list all at once.
715      *
716      * For TLS encapsulation overhead we make a conservative guess: take the
717      * current protocol overhead of ~40 bytes, double the number for future
718      * proofing (~80 bytes), then round up the result to the nearest power of
719      * 2 (128 bytes). Plus, be prepared for worst-case compression that
720      * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS
721      * message becomes 15 kbytes.
722      */
723 #define PIPELINING_BUFSIZE    VSTREAM_BUFSIZE
724 #ifdef USE_TLS
725 #define TLS_WORST_PAYLOAD     16384
726 #define TLS_WORST_COMP_OVERHD 1024
727 #define TLS_WORST_PROTO_OVERHD          128
728 #define TLS_WORST_SMTP_PAYLOAD          (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD)
729 #define TLS_WORST_TOTAL_OVERHD          (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD)
730 #endif
731 
732     if (session->features & SMTP_FEATURE_PIPELINING) {
733           SOCKOPT_SIZE optlen;
734           int     tcp_bufsize;
735           int     enc_overhead = 0;
736 
737           optlen = sizeof(tcp_bufsize);
738           if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET,
739                            SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0)
740               msg_fatal("%s: getsockopt: %m", myname);
741 #ifdef USE_TLS
742           if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS)
743               enc_overhead +=
744                     (1 + (PIPELINING_BUFSIZE - 1)
745                      / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD;
746 #endif
747           if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) {
748               tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead;
749               if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET,
750                                  SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0)
751                     msg_fatal("%s: setsockopt: %m", myname);
752           }
753           if (msg_verbose)
754               msg_info("Using %s PIPELINING, TCP send buffer size is %d, "
755                          "PIPELINING buffer size is %d",
756                          smtp_mode ? "ESMTP" : "LMTP",
757                          tcp_bufsize, PIPELINING_BUFSIZE);
758     }
759 #ifdef USE_TLS
760 
761     /*
762      * Skip this part if we already sent STARTTLS.
763      */
764     if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
765 
766           /*
767            * Optionally log unused STARTTLS opportunities.
768            */
769           if ((session->features & SMTP_FEATURE_STARTTLS) &&
770               var_smtp_tls_note_starttls_offer &&
771               state->tls->level <= TLS_LEV_NONE)
772               msg_info("Host offered STARTTLS: [%s]", STR(iter->host));
773 
774           /*
775            * Decide whether or not to send STARTTLS.
776            */
777           if ((session->features & SMTP_FEATURE_STARTTLS) != 0
778               && smtp_tls_ctx != 0 && state->tls->level >= TLS_LEV_MAY) {
779 
780               /*
781                * Prepare for disaster.
782                */
783               smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
784                                     var_smtp_req_deadline, 0);
785               if ((except = vstream_setjmp(state->session->stream)) != 0)
786                     return (smtp_stream_except(state, except,
787                                                   "receiving the STARTTLS response"));
788 
789               /*
790                * Send STARTTLS. Recurse when the server accepts STARTTLS, after
791                * resetting the SASL and EHLO features lists.
792                *
793                * Reset the SASL mechanism list to avoid spurious warnings.
794                *
795                * Use the smtp_sasl_tls_security_options feature to allow SASL
796                * mechanisms that may not be allowed with plain-text
797                * connections.
798                */
799               smtp_chat_cmd(session, "STARTTLS");
800               if ((resp = smtp_chat_resp(session))->code / 100 == 2) {
801 #ifdef USE_SASL_AUTH
802                     if (session->features & SMTP_FEATURE_AUTH)
803                         smtp_sasl_cleanup(session);
804 #endif
805                     session->features = saved_features;
806                     /* XXX Mix-up of per-session and per-request flags. */
807                     state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
808                     tls_helo_status = smtp_start_tls(state);
809                     state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
810                     return (tls_helo_status);
811               }
812 
813               /*
814                * Give up if we must use TLS but the server rejects STARTTLS
815                * although support for it was announced in the EHLO response.
816                */
817               session->features &= ~SMTP_FEATURE_STARTTLS;
818               if (TLS_REQUIRED(state->tls->level)) {
819 #ifdef USE_TLSRPT
820                     if (state->tlsrpt)
821                         trw_report_failure(state->tlsrpt,
822                                                TLSRPT_STARTTLS_NOT_SUPPORTED,
823                                                 /* additional_info= */ (char *) 0,
824                                                 /* failure_reason= */ (char *) 0);
825 #endif
826                     return (smtp_site_fail(state, STR(iter->host), resp,
827                         "TLS is required, but host %s refused to start TLS: %s",
828                                                session->namaddr,
829                                                translit(resp->str, "\n", " ")));
830               }
831               /* Else try to continue in plain-text mode. */
832           }
833 
834           /*
835            * Give up if we must use TLS but can't for various reasons.
836            *
837            * 200412 Be sure to provide the default clause at the bottom of this
838            * block. When TLS is required we must never, ever, end up in
839            * plain-text mode.
840            */
841           if (TLS_REQUIRED(state->tls->level)) {
842               if (!(session->features & SMTP_FEATURE_STARTTLS)) {
843 #ifdef USE_TLSRPT
844                     if (state->tlsrpt)
845                         trw_report_failure(state->tlsrpt,
846                                                TLSRPT_STARTTLS_NOT_SUPPORTED,
847                                                 /* additional_info= */ (char *) 0,
848                                                 /* failure_reason= */ (char *) 0);
849 #endif
850                     return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
851                                                SMTP_RESP_FAKE(&fake, "4.7.4"),
852                                 "TLS is required, but was not offered by host %s",
853                                                session->namaddr));
854               } else if (smtp_tls_ctx == 0) {
855                     return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
856                                                SMTP_RESP_FAKE(&fake, "4.7.5"),
857                          "TLS is required, but our TLS engine is unavailable"));
858               } else {
859                     msg_warn("%s: TLS is required but unavailable, don't know why",
860                                myname);
861                     return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
862                                                SMTP_RESP_FAKE(&fake, "4.7.0"),
863                                                "TLS is required, but unavailable"));
864               }
865           }
866     }
867 #endif
868 #ifdef USE_SASL_AUTH
869     if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH))
870           return (smtp_sasl_helo_login(state));
871 #endif
872 
873     return (0);
874 }
875 
876 #ifdef USE_TLS
877 
/* smtp_start_tls - turn on TLS and recurse into the HELO dialog */

/*
 * Called from smtp_helo() after the remote server accepted STARTTLS, with
 * SMTP_MISC_FLAG_IN_STARTTLS set in state->misc_flags for the duration of
 * the call. Turns on TLS for session->stream, either through the tlsproxy(8)
 * service (state->tls->conn_reuse set) or with the in-process TLS engine,
 * enforces the certificate matching policy for the security level that was
 * actually negotiated, and finally re-enters smtp_helo() so that the EHLO
 * feature list is re-learned over the encrypted channel. Because the caller
 * keeps SMTP_MISC_FLAG_IN_STARTTLS set, the nested smtp_helo() skips its
 * STARTTLS section instead of recursing again.
 *
 * Returns the result of the nested smtp_helo() on success. When no TLS
 * context could be established, the session is marked with
 * DONT_USE_FORBIDDEN_SESSION (no further I/O with a peer in unknown state),
 * a plaintext retry is requested when
 * PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE allows it, and the result of
 * smtp_misc_fail() is returned. When the handshake succeeded but the server
 * certificate does not satisfy the matching policy, the result of
 * smtp_site_fail() is returned; the TLS session itself stays usable.
 */

static int smtp_start_tls(SMTP_STATE *state)
{
    SMTP_SESSION *session = state->session;
    SMTP_ITERATOR *iter = state->iterator;
    TLS_CLIENT_START_PROPS start_props;
    VSTRING *serverid;			/* TLS session cache lookup key */
    SMTP_RESP fake;			/* synthetic reply for local failures */
    TLS_CLIENT_INIT_PROPS init_props;	/* tlsproxy(8) path only */
    VSTREAM *tlsproxy;			/* tlsproxy(8) path only */
    VSTRING *port_buf;			/* tlsproxy(8) path only */

    /*
     * When the TLS handshake succeeds, we can reuse a connection only if TLS
     * remains turned on for the lifetime of that connection. This requires
     * that the TLS library state is maintained in some proxy process, for
     * example, in tlsproxy(8). We then store the proxy file handle in the
     * connection cache, and reuse that file handle.
     *
     * Otherwise, we must turn off connection caching. We can't turn off TLS in
     * one SMTP client process, save the open connection to a cache which is
     * shared with all SMTP clients, migrate the connection to another SMTP
     * client, and resume TLS there. When the TLS handshake fails, we can't
     * reuse the SMTP connection either, because the conversation is in an
     * unknown state.
     */
    if (state->tls->conn_reuse == 0)
	DONT_CACHE_THIS_SESSION;

    /*
     * The following assumes sites that use TLS in a perverse configuration:
     * multiple hosts per hostname, or even multiple hosts per IP address.
     * All this without a shared TLS session cache, and they still want to
     * use TLS session caching???
     *
     * The TLS session cache records the trust chain verification status of
     * cached sessions. Different transports may have different CAfile or
     * CApath settings, perhaps to allow authenticated connections to sites
     * with private CA certs without trusting said private certs for other
     * sites. So we cannot assume that a trust chain valid for one transport
     * is valid for another. Therefore the client session id must include
     * either the transport name or the values of CAfile and CApath. We use
     * the transport name.
     *
     * XXX: We store only one session per lookup key. Ideally the key maps
     * 1-to-1 to a server TLS session cache. We use the IP address, port and
     * ehlo response name to build a lookup key that works for split caches
     * (that announce distinct names) behind a load balancer.
     *
     * XXX: The TLS library will salt the serverid with further details of the
     * protocol and cipher requirements including the server ehlo response.
     * Deferring the helo to the digested suffix results in more predictable
     * SSL session lookup key lengths.
     *
     * serverid is handed to both handshake paths below as a C string and is
     * released only after either path has completed.
     */
    serverid = vstring_alloc(10);
    smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE
		    | SMTP_KEY_FLAG_CUR_NEXTHOP	/* With port */
		    | SMTP_KEY_FLAG_HOSTNAME
		    | SMTP_KEY_FLAG_ADDR);

    /*
     * Handshake through tlsproxy(8), so that TLS state can outlive this
     * process and the connection can be cached (see above).
     */
    if (state->tls->conn_reuse) {
	TLS_CLIENT_PARAMS tls_params;

	/*
	 * Send all our wishes in one big request.
	 */
	TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
				    log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
				    log_level = var_smtp_tls_loglevel,
				    verifydepth = var_smtp_tls_scert_vd,
				    cache_type
				    = LMTP_SMTP_SUFFIX(TLS_MGR_SCACHE),
				    chain_files = var_smtp_tls_chain_files,
				    cert_file = var_smtp_tls_cert_file,
				    key_file = var_smtp_tls_key_file,
				    dcert_file = var_smtp_tls_dcert_file,
				    dkey_file = var_smtp_tls_dkey_file,
				    eccert_file = var_smtp_tls_eccert_file,
				    eckey_file = var_smtp_tls_eckey_file,
				    CAfile = var_smtp_tls_CAfile,
				    CApath = var_smtp_tls_CApath,
				    mdalg = var_smtp_tls_fpt_dgst);

	/*
	 * NOTE(review): ffail_type is 0 here, while the in-process branch
	 * below passes state->tls->ext_policy_failure - confirm that this
	 * difference is intended.
	 */
	TLS_PROXY_CLIENT_START_PROPS(&start_props,
				     timeout = var_smtp_starttls_tmout,
				     tls_level = state->tls->level,
				     enable_rpk = state->tls->enable_rpk,
				     nexthop = session->tls_nexthop,
				     host = STR(iter->host),
				     namaddr = session->namaddrport,
				     sni = state->tls->sni,
				     serverid = vstring_str(serverid),
				     helo = session->helo,
				     protocols = state->tls->protocols,
				     cipher_grade = state->tls->grade,
				     cipher_exclusions
				     = vstring_str(state->tls->exclusions),
				     matchargv = state->tls->matchargv,
				     mdalg = var_smtp_tls_fpt_dgst,
#ifdef USE_TLSRPT
				     tlsrpt = state->tlsrpt,
#else
				     tlsrpt = 0,
#endif
				     ffail_type = 0,
				     dane = state->tls->dane);

	/*
	 * The tlsproxy(8) server enforces timeouts that are larger than
	 * those specified by the tlsproxy(8) client. These timeouts are a
	 * safety net for the case that the tlsproxy(8) client fails to
	 * enforce time limits. Normally, the tlsproxy(8) client would time
	 * out and trigger a plaintext event in the tlsproxy(8) server, and
	 * cause it to tear down the session.
	 *
	 * However, the tlsproxy(8) server has no insight into the SMTP
	 * protocol, and therefore it cannot by itself support different
	 * timeouts at different SMTP protocol stages. Instead, we specify
	 * the largest timeout (end-of-data) and rely on the SMTP client to
	 * time out first, which normally results in a plaintext event in the
	 * tlsproxy(8) server. Unfortunately, we cannot permit plaintext
	 * events during the TLS handshake, so we specify a separate timeout
	 * for that stage (the end-of-data timeout would be unreasonably
	 * large anyway).
	 */
#define PROXY_OPEN_FLAGS \
	(TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)

	port_buf = vstring_alloc(100);		/* minimize fragmentation */
	vstring_sprintf(port_buf, "%d", ntohs(iter->port));
	tlsproxy =
	    tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS,
			   session->stream, STR(iter->addr),
			   STR(port_buf), var_smtp_starttls_tmout,
			   var_smtp_data2_tmout, state->service,
			   tls_proxy_client_param_from_config(&tls_params),
			   &init_props, &start_props);
	vstring_free(port_buf);

	/*
	 * To insert tlsproxy(8) between this process and the remote SMTP
	 * server, we swap the file descriptors between the tlsproxy and
	 * session->stream VSTREAMS, so that we don't lose all the
	 * user-configurable session->stream attributes (such as longjump
	 * buffers or timeouts).
	 *
	 * TODO: the tlsproxy RPCs should return more error detail than a "NO"
	 * result. OTOH, the in-process TLS engine does not return such info
	 * either.
	 *
	 * If the tlsproxy request fails we do not fall back to the in-process
	 * TLS stack. Reason: the admin enabled connection reuse to respect
	 * receiver policy; silently violating such policy would not be
	 * useful.
	 *
	 * We also don't fall back to the in-process TLS stack under low-traffic
	 * conditions, to avoid frustrating attempts to debug a problem with
	 * using the tlsproxy(8) service.
	 *
	 * A null tls_context is handled as a handshake failure further below,
	 * the same way as an in-process tls_client_start() failure.
	 */
	if (tlsproxy == 0) {
	    session->tls_context = 0;
	} else {
	    /* NOTE(review): CA_VSTREAM_CTL_DOUBLE presumably gives the
	     * tlsproxy stream separate read/write buffers before the fd swap
	     * - confirm against vstream(3). */
	    vstream_control(tlsproxy,
			    CA_VSTREAM_CTL_DOUBLE,
			    CA_VSTREAM_CTL_END);
	    vstream_control(session->stream,
			    CA_VSTREAM_CTL_SWAP_FD(tlsproxy),
			    CA_VSTREAM_CTL_END);
	    (void) vstream_fclose(tlsproxy);	/* direct-to-server stream! */

	    /*
	     * There must not be any pending data in the stream buffers
	     * before we read the TLS context attributes.
	     */
	    vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);

	    /*
	     * After plumbing the plaintext stream, receive the TLS context
	     * object. For this we use the same VSTREAM buffer that we also
	     * use to receive subsequent SMTP commands, therefore we must be
	     * prepared for the possibility that the remote SMTP server
	     * starts talking immediately. The tlsproxy implementation sends
	     * the TLS context before remote content. The attribute protocol
	     * is robust enough that an adversary cannot insert their own TLS
	     * context attributes.
	     */
	    session->tls_context = tls_proxy_context_receive(session->stream);
	    if (session->tls_context) {
		session->features |= SMTP_FEATURE_FROM_PROXY;
		tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW,
				session->tls_context);
	    }
	}
    } else {					/* state->tls->conn_reuse */

	/*
	 * As of Postfix 2.5, tls_client_start() tries hard to always
	 * complete the TLS handshake. It records the verification and match
	 * status in the resulting TLScontext. It is now up to the
	 * application to abort the TLS connection if it chooses.
	 *
	 * XXX When tls_client_start() fails then we don't know what state the
	 * SMTP connection is in, so we give up on this connection even if we
	 * are not required to use TLS.
	 *
	 * Large parameter lists are error-prone, so we emulate a language
	 * feature that C does not have natively: named parameter lists.
	 */
	session->tls_context =
	    TLS_CLIENT_START(&start_props,
			     ctx = smtp_tls_ctx,
			     stream = session->stream,
			     fd = -1,
			     timeout = var_smtp_starttls_tmout,
			     tls_level = state->tls->level,
			     enable_rpk = state->tls->enable_rpk,
			     nexthop = session->tls_nexthop,
			     host = STR(iter->host),
			     namaddr = session->namaddrport,
			     sni = state->tls->sni,
			     serverid = vstring_str(serverid),
			     helo = session->helo,
			     protocols = state->tls->protocols,
			     cipher_grade = state->tls->grade,
			     cipher_exclusions
			     = vstring_str(state->tls->exclusions),
			     matchargv = state->tls->matchargv,
			     mdalg = var_smtp_tls_fpt_dgst,
#ifdef USE_TLSRPT
			     tlsrpt = state->tlsrpt,
#else
			     tlsrpt = 0,
#endif
			     ffail_type = state->tls->ext_policy_failure,
			     dane = state->tls->dane);

	/*
	 * At this point there must not be any pending data in the stream
	 * buffers.
	 */
	vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
    }						/* state->tls->conn_reuse */

    vstring_free(serverid);

    /*
     * Both paths report failure the same way: no TLS context.
     */
    if (session->tls_context == 0) {

	/*
	 * We must avoid further I/O, the peer is in an undefined state.
	 */
	DONT_USE_FORBIDDEN_SESSION;

	/*
	 * If TLS is optional, try delivery to the same server over a
	 * plaintext connection. Otherwise we would defer mail forever with
	 * destinations that have no alternate MX host.
	 *
	 * Don't fall back to plaintext if we were willing to use SASL-over-TLS
	 * authentication. If the server doesn't announce SASL support over
	 * plaintext connections, then we don't want delivery to fail with
	 * "relay access denied".
	 *
	 * If TLS is opportunistic, don't throttle the destination, otherwise if
	 * the mail volume is high enough we may have difficulty ever
	 * draining even the deferred mail, as new mail provides a constant
	 * stream of negative feedback.
	 */
	if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE)
	    RETRY_AS_PLAINTEXT;
	return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ?
			       SMTP_NOTHROTTLE : SMTP_THROTTLE,
			       DSN_BY_LOCAL_MTA,
			       SMTP_RESP_FAKE(&fake, "4.7.5"),
			       "Cannot start TLS: handshake failure"));
    }

    /*
     * If we are verifying the server certificate and are not happy with the
     * result, abort the delivery here. We have a usable TLS session with the
     * server, so no need to disable I/O, ... we can even be polite and send
     * "QUIT".
     *
     * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require
     * matching.
     *
     * NOTE: We use "IS_MATCHED" to satisfy policy, but "IS_SECURED" to log
     * effective security.  Thus "half-dane" is never "Verified" only
     * "Trusted", but matching is enforced here.
     *
     * NOTE: When none of the TLSA records were usable, "dane" and "half-dane"
     * fall back to "encrypt", updating the tls_context level accordingly, so
     * we must check that here, and not state->tls->level.
     *
     * This is the policy gate: nothing is sent over the new TLS session
     * before the negotiated level's matching requirement has been checked.
     */
    if (TLS_MUST_MATCH(session->tls_context->level))
	if (!TLS_CERT_IS_MATCHED(session->tls_context)) {
#ifdef USE_TLSRPT

	    /*
	     * Don't create a TLSRPT 'failure' event here, if the TLS engine
	     * already reported a more specific reason. An untrusted chain is
	     * reported as such; a trusted chain that does not match the
	     * expected name is reported as a host mismatch.
	     */
	    if (state->tlsrpt && session->tls_context->rpt_reported == 0) {
		if (!TLS_CERT_IS_TRUSTED(session->tls_context)) {
		    (void) trw_report_failure(state->tlsrpt,
					      TLSRPT_CERTIFICATE_NOT_TRUSTED,
					   /* additional_info= */ (char *) 0,
					    /* failure_reason= */ (char *) 0);
		} else {
		    (void) trw_report_failure(state->tlsrpt,
					    TLSRPT_CERTIFICATE_HOST_MISMATCH,
					   /* additional_info= */ (char *) 0,
					    /* failure_reason= */ (char *) 0);
		}
	    }
#endif
	    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
				   SMTP_RESP_FAKE(&fake, "4.7.5"),
				   "Server certificate not verified"));
	}

    /*
     * Create a TLSRPT 'success' event only if the TLS engine has not created
     * a TLSRPT event. For example, the TLS engine will create a TLSRPT
     * 'failure' event when the TLS handshake was successful, but the
     * security level was downgraded from opportunistic "dane" to
     * unauthenticated "encrypt".
     */
#ifdef USE_TLSRPT
    if (state->tlsrpt && session->tls_context->rpt_reported == 0)
	(void) trw_report_success(state->tlsrpt);
#endif

    /*
     * At this point we have to re-negotiate the "EHLO" to reget the
     * feature-list. The caller still has SMTP_MISC_FLAG_IN_STARTTLS set, so
     * the nested smtp_helo() does not attempt STARTTLS again.
     */
    return (smtp_helo(state));
}
1216 
1217 #endif
1218 
/* smtp_hbc_logger - logging call-back for header/body checks */

/*
 * Logs one header/body check action for the message being delivered,
 * prefixed with its queue id. content is truncated to 200 bytes in the log
 * line; text is an optional explanation that is appended only when
 * non-empty. context is the SMTP_STATE of the current delivery.
 */

static void smtp_hbc_logger(void *context, const char *action,
			    const char *where, const char *content,
			    const char *text)
{
    const SMTP_STATE *state = (const SMTP_STATE *) context;
    const char *queue_id = state->request->queue_id;

    if (text[0] == 0) {
	msg_info("%s: %s: %s %.200s", queue_id, action, where, content);
	return;
    }
    msg_info("%s: %s: %s %.200s: %s", queue_id, action, where, content, text);
}
1235 
/* smtp_text_out - output one header/body record */

/*
 * Writes one queue file record (the first len bytes of text) to
 * session->stream as SMTP DATA content. state->space_left tracks how many
 * bytes may still go on the current output line; it equals
 * var_smtp_line_limit exactly when a new output line starts. When the SMTP
 * line length limit is enforced and the data does not fit, the record is
 * folded: the line is cut at the limit and continued on a new line that
 * starts with a SPACE (logged once per delivery). A REC_TYPE_CONT record is
 * written without terminating the output line, so that the next record
 * continues it.
 *
 * context is the SMTP_STATE of the current delivery; rec_type is the queue
 * file record type; unused_offset is ignored.
 */

static void smtp_text_out(void *context, int rec_type,
			  const char *text, ssize_t len,
			  off_t unused_offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    SMTP_SESSION *session = state->session;
    ssize_t data_left;				/* bytes of text not yet written */
    const char *data_start;			/* next byte of text to write */

    /*
     * Deal with an impedance mismatch between Postfix queue files (record
     * length <= $message_line_length_limit) and SMTP (DATA record length <=
     * $smtp_line_length_limit). The code below does a little too much work
     * when the SMTP line length limit is disabled, but it avoids code
     * duplication, and thus, it avoids testing and maintenance problems.
     */
    data_left = len;
    data_start = text;
    do {

	/*
	 * SMTP transparency (dot-stuffing, RFC 5321 section 4.5.2): a '.'
	 * at the start of an output line is doubled. space_left equals the
	 * limit only at the start of a line, so a '.' inside a folded or
	 * continued line is left alone.
	 */
	if (state->space_left == var_smtp_line_limit
	    && data_left > 0 && *data_start == '.')
	    smtp_fputc('.', session->stream);

	/*
	 * The limit is enforced and the remaining data fills (or exceeds)
	 * the current line: write exactly space_left bytes and start a new
	 * line. NOTE(review): the space_left bookkeeping assumes that
	 * smtp_fputs() terminates the output line while smtp_fwrite() does
	 * not - confirm against their definitions.
	 */
	if (ENFORCING_SIZE_LIMIT(var_smtp_line_limit)
	    && data_left >= state->space_left) {
	    smtp_fputs(data_start, state->space_left, session->stream);
	    data_start += state->space_left;
	    data_left -= state->space_left;
	    state->space_left = var_smtp_line_limit;

	    /*
	     * Fold: more data follows on the same logical line, either from
	     * this record or (REC_TYPE_CONT) from the next one, so the new
	     * output line starts with a SPACE that counts against the limit.
	     */
	    if (data_left > 0 || rec_type == REC_TYPE_CONT) {
		smtp_fputc(' ', session->stream);
		state->space_left -= 1;

		/*
		 * XXX This can insert a line break into the middle of a
		 * multi-byte character (not necessarily UTF-8). Note that
		 * multibyte characters can span queue file records, for
		 * example if line_length_limit == smtp_line_length_limit.
		 *
		 * Log this once per delivery.
		 */
		if (state->logged_line_length_limit == 0) {
		    msg_info("%s: breaking line > %d bytes with <CR><LF>SPACE",
			     state->request->queue_id, var_smtp_line_limit);
		    state->logged_line_length_limit = 1;
		}
	    }
	} else {

	    /*
	     * The remainder fits on the current line (or no limit is
	     * enforced). A continuation fragment leaves the line open and
	     * charges its length to space_left; any other record ends the
	     * line and resets the per-line budget.
	     */
	    if (rec_type == REC_TYPE_CONT) {
		smtp_fwrite(data_start, data_left, session->stream);
		state->space_left -= data_left;
	    } else {
		smtp_fputs(data_start, data_left, session->stream);
		state->space_left = var_smtp_line_limit;
	    }
	    break;
	}
    } while (data_left > 0);
}
1294 
/* smtp_format_out - format and output one header/body record */

static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...);

/* smtp_format_buf - lazily allocate the formatting buffer shared by all calls */

static VSTRING *smtp_format_buf(void)
{
    static VSTRING *buf;

    if (buf == 0)
	buf = vstring_alloc(100);
    return (buf);
}

/*
 * Formats a record with printf-style fmt and hands the result to
 * smtp_text_out() with the given context and rec_type. The formatting
 * buffer is allocated once and reused; it is never freed.
 */

static void smtp_format_out(void *context, int rec_type, const char *fmt,...)
{
    VSTRING *formatted = smtp_format_buf();
    va_list ap;

    va_start(ap, fmt);
    (void) vstring_vsprintf(formatted, fmt, ap);
    va_end(ap);
    smtp_text_out(context, rec_type, vstring_str(formatted),
		  VSTRING_LEN(formatted), 0);
}
1311 
/* smtp_header_out - output one message header */

/*
 * Emits a (possibly multi-line) message header from buf as one
 * REC_TYPE_NORM record per line via smtp_text_out(). The '\n' separators
 * are not part of any record. split_at() is destructive, so the header in
 * buf is clobbered; that is acceptable because the caller makes no further
 * use of it. unused_header_class and unused_info are ignored.
 */

static void smtp_header_out(void *context, int unused_header_class,
			    const HEADER_OPTS *unused_info,
			    VSTRING *buf, off_t offset)
{
    char   *line = vstring_str(buf);
    char   *next_line;
    ssize_t line_len;

    while (line != 0) {
	next_line = split_at(line, '\n');
	if (next_line != 0)
	    line_len = next_line - line - 1;	/* exclude the separator */
	else
	    line_len = strlen(line);		/* last (or only) line */
	smtp_text_out(context, REC_TYPE_NORM, line, line_len, offset);
	line = next_line;
    }
}
1332 
1333 /* smtp_header_rewrite - rewrite message header before output */
1334 
static void smtp_header_rewrite(void *context, int header_class,
			                const HEADER_OPTS *header_info,
			                VSTRING *buf, off_t offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    int     did_rewrite = 0;
    char   *line;
    char   *start;
    char   *next_line;
    char   *end_line;
    char   *result;

    /*
     * Apply optional header filtering.
     *
     * Three outcomes: a null result means the header is dropped and nothing
     * is emitted; HBC_CHECKS_STAT_ERROR means a table lookup failed, which
     * is logged and then aborts the DATA phase via longjmp() (no header
     * text is emitted for it); any other result that is not the input
     * buffer is replacement text that is copied into buf and freed.
     *
     * NOTE(review): header_class and header_info still describe the header
     * as it was before a replacement. The generic-maps code below uses
     * header_info->name both to locate the address list and to rebuild the
     * header name, so a replacement that changed the header name would be
     * parsed at the wrong offset and re-labeled under the old name. Confirm
     * whether a header_checks REPLACE can reach here with a different name.
     */
    if (smtp_header_checks) {
	result = hbc_header_checks(context, smtp_header_checks, header_class,
				   header_info, buf, offset);
	if (result == 0)
	    return;
	if (result == HBC_CHECKS_STAT_ERROR) {
	    msg_warn("%s: smtp header checks lookup error",
		     state->request->queue_id);
	    vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
	}
	if (result != STR(buf)) {
	    vstring_strcpy(buf, result);
	    myfree(result);
	}
    }

    /*
     * Rewrite primary header addresses that match the smtp_generic_maps. The
     * cleanup server already enforces that all headers have proper lengths
     * and that all addresses are in proper form, so we don't have to repeat
     * that.
     *
     * Only sender/recipient headers of the primary (top-level) header class
     * are touched. The parser starts strlen(name) + 1 bytes into the
     * buffer, i.e. just past the header name and its ':'; this relies on
     * the normalization described above. When at least one address was
     * rewritten the whole header is rebuilt as "name: " followed by the
     * externalized address tree.
     */
    if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY
	&& (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) {
	TOK822 *tree;
	TOK822 **addr_list;
	TOK822 **tpp;

	tree = tok822_parse(vstring_str(buf)
			    + strlen(header_info->name) + 1);
	addr_list = tok822_grep(tree, TOK822_ADDR);
	for (tpp = addr_list; *tpp; tpp++)
	    did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps,
				       smtp_ext_prop_mask & EXT_PROP_GENERIC);
	if (did_rewrite) {
	    vstring_truncate(buf, strlen(header_info->name));
	    vstring_strcat(buf, ": ");
	    tok822_externalize(buf, tree, TOK822_STR_HEAD);
	}
	myfree((void *) addr_list);
	tok822_free_tree(tree);
    }

    /*
     * Pass through unmodified headers without reconstruction.
     */
    if (did_rewrite == 0) {
	smtp_header_out(context, header_class, header_info, buf, offset);
	return;
    }

    /*
     * A rewritten address list contains one address per line. The code below
     * replaces newlines by spaces, to fit as many addresses on a line as
     * possible (without rearranging the order of addresses). Prepending
     * white space to the beginning of lines is delegated to the output
     * routine.
     *
     * Code derived from cleanup_fold_header().
     *
     * A line is joined onto the current output line (its preceding '\n'
     * becomes a space) while the output line stays under 70 characters;
     * otherwise it starts a new output line.
     */
    for (line = start = vstring_str(buf); line != 0; line = next_line) {
	end_line = line + strcspn(line, "\n");
	if (line > start) {
	    if (end_line - start < 70) {	/* TAB counts as one */
		line[-1] = ' ';
	    } else {
		start = line;
	    }
	}
	next_line = *end_line ? end_line + 1 : 0;
    }

    /*
     * Prepend a tab to continued header lines that went through the address
     * rewriting machinery. Just like smtp_header_out(), this code destroys
     * the header. We could try to avoid clobbering it, but we're not going
     * to use the data any further.
     *
     * Code derived from cleanup_out_header().
     *
     * The first line, and any line that already starts with white space,
     * goes out as-is with the queue-file offset. Other lines get the tab
     * via smtp_format_out() with "\t%s", so the line content is a printf
     * argument rather than the format string; those lines are emitted with
     * offset 0.
     */
    for (line = start = vstring_str(buf); line != 0; line = next_line) {
	next_line = split_at(line, '\n');
	if (line == start || IS_SPACE_TAB(*line)) {
	    smtp_text_out(state, REC_TYPE_NORM, line, next_line ?
			  next_line - line - 1 : strlen(line), offset);
	} else {
	    smtp_format_out(state, REC_TYPE_NORM, "\t%s", line);
	}
    }
}
1440 
1441 /* smtp_body_rewrite - rewrite message body before output */
1442 
static void smtp_body_rewrite(void *context, int type,
			              const char *buf, ssize_t len,
			              off_t offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    char   *filtered;

    /*
     * Without a body_checks table this callback emits nothing at all; the
     * caller is presumably expected to install smtp_text_out() directly in
     * that case (not visible here; confirm in the MIME state setup).
     */
    if (smtp_body_checks == 0)
	return;

    filtered = hbc_body_checks(context, smtp_body_checks, buf, len, offset);

    /*
     * Unchanged line: pass it through with its original length.
     */
    if (filtered == buf) {
	smtp_text_out(state, type, buf, len, offset);
	return;
    }

    /*
     * Table lookup failure: log it and abort the DATA phase via longjmp(),
     * so that no unfiltered text is emitted.
     */
    if (filtered == HBC_CHECKS_STAT_ERROR) {
	msg_warn("%s: smtp body checks lookup error",
		 state->request->queue_id);
	vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
	return;
    }

    /*
     * A null result means the line is dropped (nothing emitted); any other
     * result is replacement text that we own and must free.
     */
    if (filtered != 0) {
	smtp_text_out(state, type, filtered, strlen(filtered), offset);
	myfree(filtered);
    }
}
1467 
1468 /* smtp_mime_fail - MIME problem */
1469 
static void smtp_mime_fail(SMTP_STATE *state, int mime_errs)
{
    SMTP_RESP fake;
    const MIME_STATE_DETAIL *detail = mime_state_detail(mime_errs);

    /*
     * Report a MIME problem as a failure generated by the local MTA, using
     * the DSN code and text that mime_state_detail() maps the error bits
     * to. detail->text is passed as a "%s" argument, not as the format
     * string.
     */
    smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
		   SMTP_RESP_FAKE(&fake, detail->dsn), "%s", detail->text);
}
1480 
1481 /* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */
1482 
static int smtp_out_raw_or_mime(SMTP_STATE *state, int rec_type, VSTRING *buf)
{
    SMTP_SESSION *session = state->session;
    int     mime_errs;

    /*
     * No MIME state: the buffer goes straight to smtp_text_out() with
     * offset 0 (callers pass generated headers, see smtp_out_add_header()).
     */
    if (session->mime_state == 0) {
	smtp_text_out((void *) state, rec_type, vstring_str(buf),
		      VSTRING_LEN(buf), (off_t) 0);
	return (0);
    }

    /*
     * Otherwise feed the buffer to the MIME state machine. A MIME error is
     * reported through smtp_mime_fail() and the caller gets -1; success
     * returns 0.
     */
    mime_errs = mime_state_update(session->mime_state, rec_type,
				  vstring_str(buf), VSTRING_LEN(buf));
    if (mime_errs == 0)
	return (0);
    smtp_mime_fail(state, mime_errs);
    return (-1);
}
1502 
1503 /* smtp_out_add_header - format address header, uses session->scratch* */
1504 
static int smtp_out_add_header(SMTP_STATE *state, const char *label,
			               const char *lt, const char *addr,
			               const char *gt)
{
    VSTRING *line = state->session->scratch;
    VSTRING *rewritten = state->session->scratch2;

    /*
     * Build "label: <lt><address><gt>" in session->scratch and emit it. The
     * address is first run through the generic maps (into scratch2) and
     * then quoted by smtp_quote_822_address_flags() while being appended.
     * Both scratch buffers are clobbered. Returns what
     * smtp_out_raw_or_mime() returns: 0 on success, -1 on a MIME error.
     */
    smtp_rewrite_generic_internal(rewritten, addr);
    vstring_sprintf(line, "%s: %s", label, lt);
    smtp_quote_822_address_flags(line, vstring_str(rewritten),
				 QUOTE_FLAG_DEFAULT | QUOTE_FLAG_APPEND);
    vstring_strcat(line, gt);
    return (smtp_out_raw_or_mime(state, REC_TYPE_NORM, line));
}
1519 
1520 /* smtp_out_add_headers - output additional headers, uses session->scratch* */
1521 
static int smtp_out_add_headers(SMTP_STATE *state)
{
    int     flags = smtp_cli_attr.flags;

    /*
     * Prepend headers in the same order as mail_copy.c: Return-Path,
     * X-Original-To, Delivered-To, each only when its flag is set. The last
     * two take the addresses of the first recipient in rcpt_list; presumably
     * these flags are only enabled for single-recipient deliveries, which
     * is not verifiable from this file. Stops at the first output failure
     * and returns -1; returns 0 otherwise.
     */
    if ((flags & SMTP_CLI_FLAG_RETURN_PATH) != 0
	&& smtp_out_add_header(state, "Return-Path", "<",
			       state->request->sender, ">") < 0)
	return (-1);
    if ((flags & SMTP_CLI_FLAG_ORIG_RCPT) != 0
	&& smtp_out_add_header(state, "X-Original-To", "",
			       state->request->rcpt_list.info->orig_addr, "") < 0)
	return (-1);
    if ((flags & SMTP_CLI_FLAG_DELIVERED_TO) != 0
	&& smtp_out_add_header(state, "Delivered-To", "",
			       state->request->rcpt_list.info->address, "") < 0)
	return (-1);
    return (0);
}
1539 
1540 /* smtp_loop - exercise the SMTP protocol engine */
1541 
smtp_loop(SMTP_STATE * state,NOCLOBBER int send_state,NOCLOBBER int recv_state)1542 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
1543                                  NOCLOBBER int recv_state)
1544 {
1545     const char *myname = "smtp_loop";
1546     DELIVER_REQUEST *request = state->request;
1547     SMTP_SESSION *session = state->session;
1548     SMTP_ITERATOR *iter = state->iterator;
1549     SMTP_RESP *resp;
1550     RECIPIENT *rcpt;
1551     VSTRING *next_command = vstring_alloc(100);
1552     int    *NOCLOBBER survivors = 0;
1553     NOCLOBBER int next_state;
1554     NOCLOBBER int next_rcpt;
1555     NOCLOBBER int send_rcpt;
1556     NOCLOBBER int recv_rcpt;
1557     NOCLOBBER int nrcpt;
1558     NOCLOBBER int recv_done;
1559     int     except;
1560     int     rec_type;
1561     NOCLOBBER int prev_type = 0;
1562     NOCLOBBER int mail_from_rejected;
1563     NOCLOBBER int downgrading;
1564     int     mime_errs;
1565     SMTP_RESP fake;
1566     int     fail_status;
1567 
1568     /* Caution: changes to RETURN() also affect code outside the main loop. */
1569 
1570 #define RETURN(x) do { \
1571           if (recv_state != SMTP_STATE_LAST) \
1572               DONT_CACHE_THIS_SESSION; \
1573           vstring_free(next_command); \
1574           if (survivors) \
1575               myfree((void *) survivors); \
1576           if (session->mime_state) \
1577               session->mime_state = mime_state_free(session->mime_state); \
1578           return (x); \
1579     } while (0)
1580 
1581 #define SENDER_IS_AHEAD \
1582           (recv_state < send_state || recv_rcpt != send_rcpt)
1583 
1584 #define SENDER_IN_WAIT_STATE \
1585           (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST)
1586 
1587 #define SENDING_MAIL \
1588           (recv_state <= SMTP_STATE_DOT)
1589 
1590 #define CANT_RSET_THIS_SESSION \
1591           (session->features |= SMTP_FEATURE_RSET_REJECTED)
1592 
1593     /*
1594      * Pipelining support requires two loops: one loop for sending and one
1595      * for receiving. Each loop has its own independent state. Most of the
1596      * time the sender can run ahead of the receiver by as much as the TCP
1597      * send buffer permits. There are only two places where the sender must
1598      * wait for status information from the receiver: once after sending DATA
1599      * and once after sending QUIT.
1600      *
1601      * The sender state advances until the TCP send buffer would overflow, or
1602      * until the sender needs status information from the receiver. At that
1603      * point the receiver starts processing responses. Once the receiver has
1604      * caught up with the sender, the sender resumes sending commands. If the
1605      * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO
1606      * commands rejected, DATA rejected) it forces the sender to abort the
1607      * SMTP dialog with RSET and QUIT.
1608      */
1609     nrcpt = 0;
1610     next_rcpt = send_rcpt = recv_rcpt = recv_done = 0;
1611     mail_from_rejected = 0;
1612 
1613     /*
1614      * Prepare for disaster. This should not be needed because the design
1615      * guarantees that no output is flushed before smtp_chat_resp() is
1616      * called.
1617      *
1618      * 1) Every SMTP command fits entirely in a VSTREAM output buffer.
1619      *
1620      * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that
1621      * there is sufficient space for the command in the output buffer.
1622      *
1623      * 3) smtp_loop() flushes the output buffer to avoid server timeouts.
1624      *
1625      * Changing any of these would violate the design, and would likely break
1626      * SMTP pipelining.
1627      *
1628      * We set up the error handler anyway (only upon entry to avoid wasting
1629      * resources) because 1) there is code below that expects that VSTREAM
1630      * timeouts are enabled, and 2) this allows us to detect if someone broke
1631      * Postfix by introducing spurious flush before read operations.
1632      */
1633     if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR
1634           || send_state > SMTP_STATE_QUIT)
1635           msg_panic("%s: bad sender state %d (receiver state %d)",
1636                       myname, send_state, recv_state);
1637     smtp_stream_setup(session->stream, *xfer_timeouts[send_state],
1638                           var_smtp_req_deadline, 0);
1639     if ((except = vstream_setjmp(session->stream)) != 0) {
1640           msg_warn("smtp_proto: spurious flush before read in send state %d",
1641                      send_state);
1642           RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
1643                                                        xfer_states[send_state]) : -1);
1644     }
1645 
1646     /*
1647      * The main protocol loop.
1648      */
1649     do {
1650 
1651           /*
1652            * Build the next command.
1653            */
1654           switch (send_state) {
1655 
1656               /*
1657                * Sanity check.
1658                */
1659           default:
1660               msg_panic("%s: bad sender state %d", myname, send_state);
1661 
1662               /*
1663                * Build the XFORWARD command. With properly sanitized
1664                * information, the command length stays within the 512 byte
1665                * command line length limit.
1666                *
1667                * XXX smtpd_xforward_preset() initializes some fields as "unknown"
1668                * and some as null; historically, pickup(8) does not send any of
1669                * these, and the queue manager presets absent fields to "not
1670                * available" except for the rewrite context which is preset to
1671                * local by way of migration aid.  These definitions need to be
1672                * centralized for maintainability.
1673                */
1674 #ifndef CAN_FORWARD_CLIENT_NAME
1675 #define _ATTR_AVAIL_AND_KNOWN_(val) \
1676           (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown"))
1677 #define CAN_FORWARD_CLIENT_NAME         _ATTR_AVAIL_AND_KNOWN_
1678 #define CAN_FORWARD_CLIENT_ADDR         _ATTR_AVAIL_AND_KNOWN_
1679 #define CAN_FORWARD_CLIENT_PORT         _ATTR_AVAIL_AND_KNOWN_
1680 #define CAN_FORWARD_PROTO_NAME          _ATTR_AVAIL_AND_KNOWN_
1681 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL
1682 #define CAN_FORWARD_IDENT_NAME          DEL_REQ_ATTR_AVAIL
1683 #define CAN_FORWARD_RWR_CONTEXT         DEL_REQ_ATTR_AVAIL
1684 #endif
1685 
1686           case SMTP_STATE_XFORWARD_NAME_ADDR:
1687               vstring_strcpy(next_command, XFORWARD_CMD);
1688               if ((session->features & SMTP_FEATURE_XFORWARD_NAME)
1689                     && CAN_FORWARD_CLIENT_NAME(request->client_name)) {
1690                     vstring_strcat(next_command, " " XFORWARD_NAME "=");
1691                     xtext_quote_append(next_command, request->client_name, "");
1692               }
1693               if ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
1694                     && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) {
1695                     vstring_strcat(next_command, " " XFORWARD_ADDR "=");
1696                     xtext_quote_append(next_command, request->client_addr, "");
1697               }
1698               if ((session->features & SMTP_FEATURE_XFORWARD_PORT)
1699                     && CAN_FORWARD_CLIENT_PORT(request->client_port)) {
1700                     vstring_strcat(next_command, " " XFORWARD_PORT "=");
1701                     xtext_quote_append(next_command, request->client_port, "");
1702               }
1703               if (session->send_proto_helo)
1704                     next_state = SMTP_STATE_XFORWARD_PROTO_HELO;
1705               else
1706                     next_state = SMTP_STATE_MAIL;
1707               break;
1708 
1709           case SMTP_STATE_XFORWARD_PROTO_HELO:
1710               vstring_strcpy(next_command, XFORWARD_CMD);
1711               if ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
1712                     && CAN_FORWARD_PROTO_NAME(request->client_proto)) {
1713                     vstring_strcat(next_command, " " XFORWARD_PROTO "=");
1714                     xtext_quote_append(next_command, request->client_proto, "");
1715               }
1716               if ((session->features & SMTP_FEATURE_XFORWARD_HELO)
1717                     && CAN_FORWARD_HELO_NAME(request->client_helo)) {
1718                     vstring_strcat(next_command, " " XFORWARD_HELO "=");
1719                     xtext_quote_append(next_command, request->client_helo, "");
1720               }
1721               if ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
1722                     && CAN_FORWARD_IDENT_NAME(request->log_ident)) {
1723                     vstring_strcat(next_command, " " XFORWARD_IDENT "=");
1724                     xtext_quote_append(next_command, request->log_ident, "");
1725               }
1726               if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
1727                     && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) {
1728                     vstring_strcat(next_command, " " XFORWARD_DOMAIN "=");
1729                     xtext_quote_append(next_command,
1730                          strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ?
1731                                     XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, "");
1732               }
1733               next_state = SMTP_STATE_MAIL;
1734               break;
1735 
1736               /*
1737                * Build the MAIL FROM command.
1738                */
1739           case SMTP_STATE_MAIL:
1740               request->msg_stats.reuse_count = session->reuse_count;
1741               GETTIMEOFDAY(&request->msg_stats.conn_setup_done);
1742               smtp_rewrite_generic_internal(session->scratch2, request->sender);
1743               smtp_quote_821_address(session->scratch,
1744                                            vstring_str(session->scratch2));
1745               vstring_sprintf(next_command, "MAIL FROM:<%s>",
1746                                   vstring_str(session->scratch));
1747               /* XXX Don't announce SIZE if we're going to MIME downgrade. */
1748               if (session->features & SMTP_FEATURE_SIZE     /* RFC 1870 */
1749                     && !SMTP_MIME_DOWNGRADE(session, request))
1750                     vstring_sprintf_append(next_command, " SIZE=%lu",
1751                                                request->data_size);
1752               if (session->features & SMTP_FEATURE_8BITMIME) {        /* RFC 1652 */
1753                     if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0)
1754                         vstring_strcat(next_command, " BODY=8BITMIME");
1755                     else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0)
1756                         vstring_strcat(next_command, " BODY=7BIT");
1757                     else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0)
1758                         msg_warn("%s: unknown content encoding: %s",
1759                                    request->queue_id, request->encoding);
1760               }
1761               if (session->features & SMTP_FEATURE_DSN) {
1762                     if (request->dsn_envid[0]) {
1763                         vstring_sprintf_append(next_command, " ENVID=");
1764                         xtext_quote_append(next_command, request->dsn_envid, "+=");
1765                     }
1766                     if (request->dsn_ret)
1767                         vstring_sprintf_append(next_command, " RET=%s",
1768                                                      dsn_ret_str(request->dsn_ret));
1769               }
1770 
1771               /*
1772                * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8
1773                * and the sender requested SMTPUTF8 support.
1774                *
1775                * If the sender requested SMTPUTF8 but the remote SMTP server does
1776                * not support SMTPUTF8, then we have already determined earlier
1777                * that delivering this message without SMTPUTF8 will not break
1778                * the SMTPUTF8 promise that was made to the sender.
1779                */
1780               if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
1781                     && (request->sendopts & SMTPUTF8_FLAG_REQUESTED) != 0)
1782                     vstring_strcat(next_command, " SMTPUTF8");
1783               /* TODO(wietse) REQUIRETLS. */
1784 
1785               /*
1786                * We authenticate the local MTA only, but not the sender.
1787                */
1788 #ifdef USE_SASL_AUTH
1789               if (var_smtp_sasl_enable
1790                     && var_smtp_dummy_mail_auth
1791                     && (session->features & SMTP_FEATURE_AUTH))
1792                     vstring_strcat(next_command, " AUTH=<>");
1793 #endif
1794 
1795               /*
1796                * CVE-2009-3555 (TLS renegotiation). Try to detect a mail
1797                * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA
1798                * commands to our TLS session.
1799                *
1800                * For the attack to succeed, the remote SMTP server must reply to
1801                * the malicious EHLO/MAIL/RCPT/DATA commands after completing
1802                * TLS (re)negotiation, so that the replies arrive in our TLS
1803                * session (otherwise the Postfix SMTP client would time out
1804                * waiting for an answer). With some luck we can detect this
1805                * specific attack as a server MAIL reply that arrives before we
1806                * send our own MAIL command.
1807                *
1808                * We don't apply this test to the HELO command because the result
1809                * would be very timing sensitive, and we don't apply this test
1810                * to RCPT and DATA replies because these may be pipelined for
1811                * legitimate reasons.
1812                */
1813 #ifdef USE_TLS
1814               if (var_smtp_tls_blk_early_mail_reply
1815                     && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
1816                     && (vstream_peek(session->stream) > 0
1817                         || peekfd(vstream_fileno(session->stream)) > 0))
1818                     session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY;
1819 #endif
1820 
1821               /*
1822                * We now return to our regular broadcast.
1823                */
1824               next_state = SMTP_STATE_RCPT;
1825               break;
1826 
1827               /*
1828                * Build one RCPT TO command before we have seen the MAIL FROM
1829                * response.
1830                */
1831           case SMTP_STATE_RCPT:
1832               rcpt = request->rcpt_list.info + send_rcpt;
1833               smtp_rewrite_generic_internal(session->scratch2, rcpt->address);
1834               smtp_quote_821_address(session->scratch,
1835                                            vstring_str(session->scratch2));
1836               vstring_sprintf(next_command, "RCPT TO:<%s>",
1837                                   vstring_str(session->scratch));
1838               if (session->features & SMTP_FEATURE_DSN) {
1839                     /* XXX DSN xtext encode address value not type. */
1840                     const char *orcpt_type_addr = rcpt->dsn_orcpt;
1841 
1842                     /* Fix 20140706: don't use empty rcpt->orig_addr. */
1843                     if (orcpt_type_addr[0] == 0 && rcpt->orig_addr[0] != 0) {
1844                         quote_822_local(session->scratch, rcpt->orig_addr);
1845                         vstring_sprintf(session->scratch2, "%s;%s",
1846                         /* Fix 20140707: sender must request SMTPUTF8. */
1847                                             ((request->sendopts & SMTPUTF8_FLAG_ALL)
1848                                          && !allascii(vstring_str(session->scratch))
1849                          && valid_utf8_stringz(vstring_str(session->scratch))) ?
1850                                             "utf-8" : "rfc822",
1851                                             vstring_str(session->scratch));
1852                         orcpt_type_addr = vstring_str(session->scratch2);
1853                     }
1854                     if (orcpt_type_addr[0] != 0) {
1855                         /* Fix 20140706: don't send unquoted ORCPT. */
1856                         /* Fix 20140707: quoting method must match orcpt type. */
1857                         /* Fix 20140707: handle uxtext encoder errors. */
1858                         if (strncasecmp(orcpt_type_addr, "utf-8;", 6) == 0) {
1859                               if (uxtext_quote(session->scratch,
1860                                                    orcpt_type_addr, "+=") != 0)
1861                                   vstring_sprintf_append(next_command, " ORCPT=%s",
1862                                                        vstring_str(session->scratch));
1863                         } else {
1864                               xtext_quote(session->scratch, orcpt_type_addr, "=");
1865                               vstring_sprintf_append(next_command, " ORCPT=%s",
1866                                                        vstring_str(session->scratch));
1867                         }
1868                     }
1869                     if (rcpt->dsn_notify)
1870                         vstring_sprintf_append(next_command, " NOTIFY=%s",
1871                                                      dsn_notify_str(rcpt->dsn_notify));
1872               }
1873               if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state))
1874                     next_state = (DEL_REQ_TRACE_ONLY(request->flags)
1875                                     && smtp_vrfy_tgt == SMTP_STATE_RCPT) ?
1876                         SMTP_STATE_ABORT : SMTP_STATE_DATA;
1877               break;
1878 
1879               /*
1880                * Build the DATA command before we have seen all the RCPT TO
1881                * responses.
1882                */
1883           case SMTP_STATE_DATA:
1884               vstring_strcpy(next_command, "DATA");
1885               next_state = SMTP_STATE_DOT;
1886               break;
1887 
1888               /*
1889                * Build the "." command after we have seen the DATA response
1890                * (DATA is a protocol synchronization point).
1891                *
1892                * Changing the connection caching state here is safe because it
1893                * affects none of the not-yet processed replies to
1894                * already-generated commands.
1895                */
1896           case SMTP_STATE_DOT:
1897               vstring_strcpy(next_command, ".");
1898               if (THIS_SESSION_IS_EXPIRED)
1899                     DONT_CACHE_THIS_SESSION;
1900               next_state = THIS_SESSION_IS_CACHED ?
1901                     SMTP_STATE_LAST : SMTP_STATE_QUIT;
1902               break;
1903 
1904               /*
1905                * The SMTP_STATE_ABORT sender state is entered by the sender
1906                * when it has verified all recipients; or it is entered by the
1907                * receiver when all recipients are verified or rejected, and is
1908                * then left before the bottom of the main loop.
1909                *
1910                * Changing the connection caching state here is safe because there
1911                * are no not-yet processed replies to already-generated
1912                * commands.
1913                */
1914           case SMTP_STATE_ABORT:
1915               vstring_strcpy(next_command, "RSET");
1916               if (THIS_SESSION_IS_EXPIRED)
1917                     DONT_CACHE_THIS_SESSION;
1918               next_state = THIS_SESSION_IS_CACHED ?
1919                     SMTP_STATE_LAST : SMTP_STATE_QUIT;
1920               break;
1921 
1922               /*
1923                * Build the RSET command. This is entered as initial state from
1924                * smtp_rset() and has its own dedicated state transitions. It is
1925                * used to find out the status of a cached session before
1926                * attempting mail delivery.
1927                */
1928           case SMTP_STATE_RSET:
1929               vstring_strcpy(next_command, "RSET");
1930               next_state = SMTP_STATE_LAST;
1931               break;
1932 
1933               /*
1934                * Build the QUIT command before we have seen the "." or RSET
1935                * response. This is entered as initial state from smtp_quit(),
1936                * or is reached near the end of any non-cached session.
1937                *
1938                * Changing the connection caching state here is safe. If this
1939                * command is pipelined together with a preceding command, then
1940                * connection caching was already turned off. Do not clobber the
1941                * "bad connection" flag.
1942                */
1943           case SMTP_STATE_QUIT:
1944               vstring_strcpy(next_command, "QUIT");
1945               next_state = SMTP_STATE_LAST;
1946               if (THIS_SESSION_IS_CACHED)
1947                     DONT_CACHE_THIS_SESSION;
1948               break;
1949 
1950               /*
1951                * The final sender state has no action associated with it.
1952                */
1953           case SMTP_STATE_LAST:
1954               VSTRING_RESET(next_command);
1955               break;
1956           }
1957           VSTRING_TERMINATE(next_command);
1958 
1959           /*
1960            * Process responses until the receiver has caught up. Vstreams
1961            * automatically flush buffered output when reading new data.
1962            *
1963            * Flush unsent output if command pipelining is off or if no I/O
1964            * happened for a while. This limits the accumulation of client-side
1965            * delays in pipelined sessions.
1966            *
1967            * The PIPELINING engine will flush the VSTREAM buffer if the sender
1968            * could otherwise produce more output than fits the PIPELINING
1969            * buffer. This generally works because we know exactly how much
1970            * output we produced since the last time that the sender and
1971            * receiver synchronized the SMTP state. However this logic is not
1972            * applicable after the sender enters the DATA phase, where it does
1973            * not synchronize with the receiver until the <CR><LF>.<CR><LF>.
1974            * Thus, the PIPELINING engine no longer knows how much data is
1975            * pending in the TCP send buffer. For this reason, if PIPELINING is
1976            * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is
1977            * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP
1978            * stack either has already received the QUIT<CR><LF>, or else it
1979            * acknowledges all bytes up to and including <CR><LF>.<CR><LF>,
1980            * making room in the sender's TCP stack for QUIT<CR><LF>.
1981            */
1982 #define CHECK_PIPELINING_BUFSIZE \
1983           (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT)
1984 
1985           if (SENDER_IN_WAIT_STATE
1986               || (SENDER_IS_AHEAD
1987                     && ((session->features & SMTP_FEATURE_PIPELINING) == 0
1988                         || (CHECK_PIPELINING_BUFSIZE
1989                               && (VSTRING_LEN(next_command) + 2
1990                         + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND)
1991                                   > PIPELINING_BUFSIZE))
1992                         || time((time_t *) 0)
1993                         - vstream_ftime(session->stream) > 10))) {
1994               while (SENDER_IS_AHEAD) {
1995 
1996                     /*
1997                      * Sanity check.
1998                      */
1999                     if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR
2000                         || recv_state > SMTP_STATE_QUIT)
2001                         msg_panic("%s: bad receiver state %d (sender state %d)",
2002                                     myname, recv_state, send_state);
2003 
2004                     /*
2005                      * Receive the next server response. Use the proper timeout,
2006                      * and log the proper client state in case of trouble.
2007                      *
2008                      * XXX If we lose the connection before sending end-of-data,
2009                      * find out if the server sent a premature end-of-data reply.
2010                      * If this read attempt fails, report "lost connection while
2011                      * sending message body", not "lost connection while sending
2012                      * end-of-data".
2013                      *
2014                      * "except" becomes zero just above the protocol loop, and stays
2015                      * zero or triggers an early return from the loop. In just
2016                      * one case: loss of the connection when sending the message
2017                      * body, we record the exception, and keep processing in the
2018                      * hope of detecting a premature 5XX. We must be careful to
2019                      * not clobber this non-zero value once it is set. The
2020                      * variable need not survive longjmp() calls, since the only
2021                      * setjmp() which does not return early is the one that sets this
2022                      * condition, subsequent failures always return early.
2023                      */
2024 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF)
2025 
2026                     smtp_stream_setup(session->stream, *xfer_timeouts[recv_state],
2027                                           var_smtp_req_deadline, 0);
2028                     if (LOST_CONNECTION_INSIDE_DATA) {
2029                         if (vstream_setjmp(session->stream) != 0)
2030                               RETURN(smtp_stream_except(state, SMTP_ERR_EOF,
2031                                                               "sending message body"));
2032                     } else {
2033                         if ((except = vstream_setjmp(session->stream)) != 0)
2034                               RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
2035                                                        xfer_states[recv_state]) : -1);
2036                     }
2037                     resp = smtp_chat_resp(session);
2038 
2039                     /*
2040                      * Process the response.
2041                      */
2042                     switch (recv_state) {
2043 
2044                         /*
2045                          * Process the XFORWARD response.
2046                          */
2047                     case SMTP_STATE_XFORWARD_NAME_ADDR:
2048                         if (resp->code / 100 != 2)
2049                               msg_warn("host %s said: %s (in reply to %s)",
2050                                          session->namaddrport,
2051                                          translit(resp->str, "\n", " "),
2052                                      xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]);
2053                         if (session->send_proto_helo)
2054                               recv_state = SMTP_STATE_XFORWARD_PROTO_HELO;
2055                         else
2056                               recv_state = SMTP_STATE_MAIL;
2057                         break;
2058 
2059                     case SMTP_STATE_XFORWARD_PROTO_HELO:
2060                         if (resp->code / 100 != 2)
2061                               msg_warn("host %s said: %s (in reply to %s)",
2062                                          session->namaddrport,
2063                                          translit(resp->str, "\n", " "),
2064                                     xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]);
2065                         recv_state = SMTP_STATE_MAIL;
2066                         break;
2067 
2068                         /*
2069                          * Process the MAIL FROM response. When the server
2070                          * rejects the sender, set the mail_from_rejected flag so
2071                          * that the receiver may apply a course correction.
2072                          */
2073                     case SMTP_STATE_MAIL:
2074                         if (resp->code / 100 != 2) {
2075                               smtp_mesg_fail(state, STR(iter->host), resp,
2076                                                "host %s said: %s (in reply to %s)",
2077                                                session->namaddr,
2078                                                translit(resp->str, "\n", " "),
2079                                                xfer_request[SMTP_STATE_MAIL]);
2080                               mail_from_rejected = 1;
2081                         }
2082 
2083                         /*
2084                          * CVE-2009-3555 (TLS renegotiation). Whatever it was
2085                          * that arrived before we sent our MAIL FROM command, it
2086                          * was not a fatal-level TLS alert message. It could be a
2087                          * warning-level TLS alert message, or a ChangeCipherSpec
2088                          * message, but such messages are not normally sent in
2089                          * the middle of a TLS session. We disconnect and try
2090                          * again later.
2091                          */
2092 #ifdef USE_TLS
2093                         if (var_smtp_tls_blk_early_mail_reply
2094                               && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) {
2095                               smtp_site_fail(state, DSN_BY_LOCAL_MTA,
2096                                                SMTP_RESP_FAKE(&fake, "4.7.0"),
2097                                                "unexpected server message");
2098                               msg_warn("server %s violates %s policy",
2099                                          session->namaddr,
2100                                          VAR_LMTP_SMTP(TLS_BLK_EARLY_MAIL_REPLY));
2101                               mail_from_rejected = 1;
2102                         }
2103 #endif
2104 
2105                         /*
2106                          * We now return to our regular broadcast.
2107                          */
2108                         recv_state = SMTP_STATE_RCPT;
2109                         break;
2110 
2111                         /*
2112                          * Process one RCPT TO response. If MAIL FROM was
2113                          * rejected, ignore RCPT TO responses: all recipients are
2114                          * dead already. When all recipients are rejected the
2115                          * receiver may apply a course correction.
2116                          *
2117                          * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply
2118                          * must be treated as if the server replied with 452.
2119                          * However, this causes "too much mail data" to be
2120                          * treated as a recoverable error, which is wrong. I'll
2121                          * stick with RFC 821.
2122                          */
2123                     case SMTP_STATE_RCPT:
2124                         if (!mail_from_rejected) {
2125 #ifdef notdef
2126                               if (resp->code == 552) {
2127                                   resp->code = 452;
2128                                   resp->dsn[0] = '4';
2129                               }
2130 #endif
2131                               rcpt = request->rcpt_list.info + recv_rcpt;
2132                               if (resp->code / 100 == 2) {
2133                                   if (!smtp_mode) {
2134                                         if (survivors == 0)
2135                                             survivors = (int *)
2136                                                   mymalloc(request->rcpt_list.len
2137                                                              * sizeof(int));
2138                                         survivors[nrcpt] = recv_rcpt;
2139                                   }
2140                                   ++nrcpt;
2141                                   /* If trace-only, mark the recipient done. */
2142                                   if (DEL_REQ_TRACE_ONLY(request->flags)
2143                                         && smtp_vrfy_tgt == SMTP_STATE_RCPT) {
2144                                         translit(resp->str, "\n", " ");
2145                                         smtp_rcpt_done(state, resp, rcpt);
2146                                   }
2147                               } else {
2148                                   smtp_rcpt_fail(state, rcpt, STR(iter->host), resp,
2149                                                   "host %s said: %s (in reply to %s)",
2150                                                      session->namaddr,
2151                                                      translit(resp->str, "\n", " "),
2152                                                      xfer_request[SMTP_STATE_RCPT]);
2153                               }
2154                         }
2155                         /* If trace-only, send RSET instead of DATA. */
2156                         if (++recv_rcpt == SMTP_RCPT_LEFT(state))
2157                               recv_state = (DEL_REQ_TRACE_ONLY(request->flags)
2158                                               && smtp_vrfy_tgt == SMTP_STATE_RCPT) ?
2159                                   SMTP_STATE_ABORT : SMTP_STATE_DATA;
2160                         /* XXX Also: record if non-delivering session. */
2161                         break;
2162 
2163                         /*
2164                          * Process the DATA response. When the server rejects
2165                          * DATA, set nrcpt to a negative value so that the
2166                          * receiver can apply a course correction.
2167                          */
2168                     case SMTP_STATE_DATA:
2169                         recv_state = SMTP_STATE_DOT;
2170                         if (resp->code / 100 != 3) {
2171                               if (nrcpt > 0)
2172                                   smtp_mesg_fail(state, STR(iter->host), resp,
2173                                                   "host %s said: %s (in reply to %s)",
2174                                                      session->namaddr,
2175                                                      translit(resp->str, "\n", " "),
2176                                                      xfer_request[SMTP_STATE_DATA]);
2177                               nrcpt = -1;
2178                         }
2179 
2180                         /*
2181                          * In the case of a successful address probe with target
2182                          * equal to DATA, the remote server is now in the DATA
2183                          * state, and therefore we must not make any further
2184                          * attempt to send or receive on this connection. This
2185                          * means that we cannot reuse the general-purpose
2186                          * course-correction logic below which sends RSET (and
2187                          * perhaps QUIT). Instead we "jump" straight to the exit
2188                          * and force an unceremonious disconnect.
2189                          */
2190                         else if (DEL_REQ_TRACE_ONLY(request->flags)
2191                                    && smtp_vrfy_tgt == SMTP_STATE_DATA) {
2192                               for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) {
2193                                   rcpt = request->rcpt_list.info + nrcpt;
2194                                   if (!SMTP_RCPT_ISMARKED(rcpt)) {
2195                                         translit(resp->str, "\n", " ");
2196                                         SMTP_RESP_SET_DSN(resp, "2.0.0");
2197                                         smtp_rcpt_done(state, resp, rcpt);
2198                                   }
2199                               }
2200                               DONT_CACHE_THIS_SESSION;
2201                               send_state = recv_state = SMTP_STATE_LAST;
2202                         }
2203                         break;
2204 
2205                         /*
2206                          * Process the end of message response. Ignore the
2207                          * response when no recipient was accepted: all
2208                          * recipients are dead already, and the next receiver
2209                          * state is SMTP_STATE_LAST/QUIT regardless. Otherwise,
2210                          * if the message transfer fails, bounce all remaining
2211                          * recipients, else cross off the recipients that were
2212                          * delivered.
2213                          */
2214                     case SMTP_STATE_DOT:
2215                         GETTIMEOFDAY(&request->msg_stats.deliver_done);
2216                         if (smtp_mode) {
2217                               if (nrcpt > 0) {
2218                                   if (resp->code / 100 != 2) {
2219                                         smtp_mesg_fail(state, STR(iter->host), resp,
2220                                                   "host %s said: %s (in reply to %s)",
2221                                                          session->namaddr,
2222                                                        translit(resp->str, "\n", " "),
2223                                                          xfer_request[SMTP_STATE_DOT]);
2224                                   } else {
2225                                         for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) {
2226                                             rcpt = request->rcpt_list.info + nrcpt;
2227                                             if (!SMTP_RCPT_ISMARKED(rcpt)) {
2228                                                   translit(resp->str, "\n", " ");
2229                                                   smtp_rcpt_done(state, resp, rcpt);
2230                                             }
2231                                         }
2232                                   }
2233                               }
2234                         }
2235 
2236                         /*
2237                          * With LMTP we have one response per accepted RCPT TO
2238                          * command. Stay in the SMTP_STATE_DOT state until we
2239                          * have collected all responses.
2240                          */
2241                         else {
2242                               if (nrcpt > 0) {
2243                                   rcpt = request->rcpt_list.info
2244                                         + survivors[recv_done++];
2245                                   if (resp->code / 100 != 2) {
2246                                         smtp_rcpt_fail(state, rcpt, STR(iter->host), resp,
2247                                                   "host %s said: %s (in reply to %s)",
2248                                                          session->namaddr,
2249                                                        translit(resp->str, "\n", " "),
2250                                                          xfer_request[SMTP_STATE_DOT]);
2251                                   } else {
2252                                         translit(resp->str, "\n", " ");
2253                                         smtp_rcpt_done(state, resp, rcpt);
2254                                   }
2255                               }
2256                               if (msg_verbose)
2257                                   msg_info("%s: got %d of %d end-of-data replies",
2258                                              myname, recv_done, nrcpt);
2259                               if (recv_done < nrcpt)
2260                                   break;
2261                         }
2262 
2263                         /*
2264                          * XXX Do not change the connection caching state here,
2265                          * even if the connection caching timer expired between
2266                          * generating the command and processing the reply,
2267                          * otherwise the sender and receiver loops get out of
2268                          * sync. The caller will call smtp_quit() if appropriate.
2269                          */
2270                         if (var_skip_quit_resp || THIS_SESSION_IS_CACHED
2271                               || LOST_CONNECTION_INSIDE_DATA)
2272                               recv_state = SMTP_STATE_LAST;
2273                         else
2274                               recv_state = SMTP_STATE_QUIT;
2275                         break;
2276 
2277                         /*
2278                          * Receive the RSET response.
2279                          *
2280                          * The SMTP_STATE_ABORT sender state is entered by the
2281                          * sender when it has verified all recipients; or it is
2282                          * entered by the receiver when all recipients are
2283                          * verified or rejected, and is then left before the
2284                          * bottom of the main loop.
2285                          *
2286                          * XXX Do not change the connection caching state here, even
2287                          * if the server rejected RSET or if the connection
2288                          * caching timer expired between generating the command
2289                          * and processing the reply, otherwise the sender and
2290                          * receiver loops get out of sync. The caller will call
2291                          * smtp_quit() if appropriate.
2292                          */
2293                     case SMTP_STATE_ABORT:
2294                         recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ?
2295                                           SMTP_STATE_LAST : SMTP_STATE_QUIT);
2296                         break;
2297 
2298                         /*
2299                          * This is the initial receiver state from smtp_rset().
2300                          * It is used to find out the status of a cached session
2301                          * before attempting mail delivery.
2302                          */
2303                     case SMTP_STATE_RSET:
2304                         if (resp->code / 100 != 2)
2305                               CANT_RSET_THIS_SESSION;
2306                         recv_state = SMTP_STATE_LAST;
2307                         break;
2308 
2309                         /*
2310                          * Receive, but otherwise ignore, the QUIT response.
2311                          */
2312                     case SMTP_STATE_QUIT:
2313                         recv_state = SMTP_STATE_LAST;
2314                         break;
2315                     }
2316               }
2317 
2318               /*
2319                * At this point, the sender and receiver are fully synchronized.
2320                */
2321 
2322               /*
2323                * We know the server response to every command that was sent.
2324                * Apply a course correction if necessary: the sender wants to
2325                * send RCPT TO but MAIL FROM was rejected; the sender wants to
2326                * send DATA but all recipients were rejected; the sender wants
2327                * to deliver the message but DATA was rejected.
2328                */
2329               if ((send_state == SMTP_STATE_RCPT && mail_from_rejected)
2330                     || (send_state == SMTP_STATE_DATA && nrcpt == 0)
2331                     || (send_state == SMTP_STATE_DOT && nrcpt < 0)) {
2332                     send_state = recv_state = SMTP_STATE_ABORT;
2333                     send_rcpt = recv_rcpt = 0;
2334                     vstring_strcpy(next_command, "RSET");
2335                     if (THIS_SESSION_IS_EXPIRED)
2336                         DONT_CACHE_THIS_SESSION;
2337                     next_state = THIS_SESSION_IS_CACHED ?
2338                         SMTP_STATE_LAST : SMTP_STATE_QUIT;
2339                     /* XXX Also: record if non-delivering session. */
2340                     next_rcpt = 0;
2341               }
2342           }
2343 
2344           /*
2345            * Make the next sender state the current sender state.
2346            */
2347           if (send_state == SMTP_STATE_LAST)
2348               continue;
2349 
2350           /*
2351            * Special case if the server accepted the DATA command. If the
2352            * server accepted at least one recipient send the entire message.
2353            * Otherwise, just send "." as per RFC 2197.
2354            *
2355            * XXX If there is a hard MIME error while downgrading to 7-bit mail,
2356            * disconnect ungracefully, because there is no other way to cancel a
2357            * transaction in progress.
2358            */
2359           if (send_state == SMTP_STATE_DOT && nrcpt > 0) {
2360 
2361               smtp_stream_setup(session->stream, var_smtp_data1_tmout,
2362                                     var_smtp_req_deadline, var_smtp_min_data_rate);
2363 
2364               if ((except = vstream_setjmp(session->stream)) == 0) {
2365 
2366                     if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0)
2367                         msg_fatal("seek queue file: %m");
2368 
2369                     downgrading = SMTP_MIME_DOWNGRADE(session, request);
2370 
2371                     /*
2372                      * XXX Don't downgrade just because generic_maps is turned
2373                      * on.
2374                      */
2375 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks)
2376 
2377                     if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS)
2378                         session->mime_state = mime_state_alloc(downgrading ?
2379                                                                          MIME_OPT_DOWNGRADE
2380                                                              | MIME_OPT_REPORT_NESTING :
2381                                                                   SMTP_ANY_CHECKS == 0 ?
2382                                                                  MIME_OPT_DISABLE_MIME :
2383                                                                          0,
2384                                                                          smtp_generic_maps
2385                                                                  || smtp_header_checks ?
2386                                                                    smtp_header_rewrite :
2387                                                                          smtp_header_out,
2388                                                                  (MIME_STATE_ANY_END) 0,
2389                                                                          smtp_body_checks ?
2390                                                                        smtp_body_rewrite :
2391                                                                          smtp_text_out,
2392                                                                  (MIME_STATE_ANY_END) 0,
2393                                                                (MIME_STATE_ERR_PRINT) 0,
2394                                                                          (void *) state);
2395                     state->space_left = var_smtp_line_limit;
2396 
2397                     if ((smtp_cli_attr.flags & SMTP_CLI_MASK_ADD_HEADERS) != 0
2398                         && smtp_out_add_headers(state) < 0)
2399                         RETURN(0);
2400 
2401                     while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) {
2402                         if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT)
2403                               break;
2404                         if (smtp_out_raw_or_mime(state, rec_type,
2405                                                        session->scratch) < 0)
2406                               RETURN(0);
2407                         prev_type = rec_type;
2408                     }
2409 
2410                     if (session->mime_state) {
2411 
2412                         /*
2413                          * The cleanup server normally ends MIME content with a
2414                          * normal text record. The following code is needed to
2415                          * flush an internal buffer when someone submits 8-bit
2416                          * mail not ending in newline via /usr/sbin/sendmail
2417                          * while MIME input processing is turned off, and MIME
2418                          * 8bit->7bit conversion is requested upon delivery.
2419                          *
2420                          * Or some error while doing generic address mapping.
2421                          */
2422                         mime_errs =
2423                               mime_state_update(session->mime_state, rec_type, "", 0);
2424                         if (mime_errs) {
2425                               smtp_mime_fail(state, mime_errs);
2426                               RETURN(0);
2427                         }
2428                     } else if (prev_type == REC_TYPE_CONT)  /* missing newline */
2429                         smtp_fputs("", 0, session->stream);
2430                     if (session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) {
2431                         smtp_flush(session->stream);/* hurts performance */
2432                         sleep(var_smtp_pix_delay);          /* not to mention this */
2433                     }
2434                     if (vstream_ferror(state->src))
2435                         msg_fatal("queue file read error");
2436                     if (rec_type != REC_TYPE_XTRA) {
2437                         msg_warn("%s: bad record type: %d in message content",
2438                                    request->queue_id, rec_type);
2439                         fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
2440                                                        SMTP_RESP_FAKE(&fake, "5.3.0"),
2441                                                        "unreadable mail queue entry");
2442                         /* Bailing out, abort stream with prejudice */
2443                         (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
2444                         DONT_USE_FORBIDDEN_SESSION;
2445                         /* If bounce_append() succeeded, status is still 0 */
2446                         if (state->status == 0)
2447                               (void) mark_corrupt(state->src);
2448                         /* Don't override smtp_mesg_fail() here. */
2449                         RETURN(fail_status);
2450                     }
2451               } else {
2452                     if (!LOST_CONNECTION_INSIDE_DATA)
2453                         RETURN(smtp_stream_except(state, except,
2454                                                         "sending message body"));
2455 
2456                     /*
2457                      * We will clear the stream error flag to try and read a
2458                      * premature 5XX response, so it is important to flush any
2459                      * unwritten data. Otherwise, we will try to flush it again
2460                      * before reading, which may incur an unnecessary delay and
2461                      * will prevent the reading of any response that is not
2462                      * already buffered (bundled with the DATA 354 response).
2463                      *
2464                      * Not much point in sending QUIT at this point, skip right to
2465                      * SMTP_STATE_LAST. The read engine above will likewise avoid
2466                      * looking for a QUIT response.
2467                      */
2468                     (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE);
2469                     next_state = SMTP_STATE_LAST;
2470               }
2471           }
2472 
2473           /*
2474            * Copy the next command to the buffer and update the sender state.
2475            */
2476           if (except == 0) {
2477               smtp_chat_cmd(session, "%s", vstring_str(next_command));
2478           } else {
2479               DONT_CACHE_THIS_SESSION;
2480           }
2481           send_state = next_state;
2482           send_rcpt = next_rcpt;
2483     } while (recv_state != SMTP_STATE_LAST);
2484     RETURN(0);
2485 }
2486 
2487 /* smtp_xfer - send a batch of envelope information and the message data */
2488 
int     smtp_xfer(SMTP_STATE *state)
{
    DELIVER_REQUEST *request = state->request;
    SMTP_SESSION *session = state->session;
    SMTP_RESP local_resp;
    int     want_name_addr;
    int     entry_state;
    int     status;

    /*
     * Sanity checks: the caller must hand us at least one recipient, and
     * the first recipient must not already be marked as done. Either
     * condition is a programming error, hence panic rather than fail.
     */
    if (SMTP_RCPT_LEFT(state) <= 0)
	msg_panic("smtp_xfer: bad recipient count: %d",
		  SMTP_RCPT_LEFT(state));
    if (SMTP_RCPT_ISMARKED(request->rcpt_list.info))
	msg_panic("smtp_xfer: bad recipient status: %d",
		  request->rcpt_list.info->u.status);

    /*
     * Refuse up front when the message is larger than the limit recorded
     * for this session (session->size_limit; a value <= 0 means "no limit
     * known"). This check lives here instead of in the EHLO code because a
     * cached connection may be reused for messages of different sizes. The
     * failure is generated locally (DSN_BY_LOCAL_MTA, status 5.3.4) without
     * sending anything to the server, and the delivery attempt is aborted.
     */
    if (session->size_limit > 0 && session->size_limit < request->data_size) {
	smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
		       SMTP_RESP_FAKE(&local_resp, "5.3.4"),
		       "message size %lu exceeds size limit %.0f of server %s",
		       request->data_size, (double) session->size_limit,
		       session->namaddr);
	/* Redundant: the delivery attempt is aborted regardless. */
	state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;
	return (0);
    }

    /*
     * Decide which XFORWARD attributes to pass on to the server (typically
     * an SMTP-based content filter), so that the origin of the message is
     * preserved across the hop. An attribute is forwarded only when the
     * server advertised support for it AND the corresponding CAN_FORWARD_*
     * macro (defined elsewhere; presumably it rejects missing or unusable
     * values) accepts the request's value. Local submissions carry no client
     * attributes, so the mail then appears to originate from the filter.
     * Evaluation order and short-circuiting match the feature checks below.
     */
    if (var_smtp_send_xforward) {
	want_name_addr =
	    ((session->features & SMTP_FEATURE_XFORWARD_NAME)
	     && CAN_FORWARD_CLIENT_NAME(request->client_name))
	    || ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
		&& CAN_FORWARD_CLIENT_ADDR(request->client_addr))
	    || ((session->features & SMTP_FEATURE_XFORWARD_PORT)
		&& CAN_FORWARD_CLIENT_PORT(request->client_port));
	session->send_proto_helo =
	    ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
	     && CAN_FORWARD_PROTO_NAME(request->client_proto))
	    || ((session->features & SMTP_FEATURE_XFORWARD_HELO)
		&& CAN_FORWARD_HELO_NAME(request->client_helo))
	    || ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
		&& CAN_FORWARD_IDENT_NAME(request->log_ident))
	    || ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
		&& CAN_FORWARD_RWR_CONTEXT(request->rewrite_context));
    } else {
	want_name_addr = 0;
	session->send_proto_helo = 0;
    }

    /*
     * The sender and receiver engines start in the same state: the first
     * XFORWARD command that has something to carry, otherwise MAIL FROM.
     */
    entry_state = want_name_addr ? SMTP_STATE_XFORWARD_NAME_ADDR :
	session->send_proto_helo ? SMTP_STATE_XFORWARD_PROTO_HELO :
	SMTP_STATE_MAIL;

    status = smtp_loop(state, entry_state, entry_state);

    /*
     * Record "normal completion" of this session even when the server
     * 4xx-ed some or all recipients, so that a later connection or
     * handshake failure with another MX host does not get this destination
     * marked as unreachable. The stream error/EOF checks are a belt-and-
     * braces guard: a session whose stream is already broken must not be
     * reported as completed, even if smtp_loop() returned 0.
     */
    if (status == 0
	&& vstream_ferror(session->stream) == 0
	&& vstream_feof(session->stream) == 0)
	state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;

    return (status);
}
2572 
2573 /* smtp_rset - send a lone RSET command */
2574 
int     smtp_rset(SMTP_STATE *state)
{
    const int entry_state = SMTP_STATE_RSET;

    /*
     * Run a one-command conversation. SMTP_STATE_RSET is a dedicated entry
     * state for both the sender and the receiver engine; its successor
     * state is SMTP_STATE_LAST, so smtp_loop() sends RSET, reads the reply,
     * and returns. A negative reply is handled inside smtp_loop().
     */
    return (smtp_loop(state, entry_state, entry_state));
}
2584 
2585 /* smtp_quit - send a lone QUIT command */
2586 
int     smtp_quit(SMTP_STATE *state)
{
    int     recv_entry_state;

    /*
     * The sender engine starts at SMTP_STATE_QUIT, the last state with a
     * sender action; its successor is SMTP_STATE_LAST. The receiver engine
     * either starts at the same state (read the QUIT reply) or, when
     * var_skip_quit_resp is set, directly at SMTP_STATE_LAST so that no
     * reply is awaited at all. NOTE(review): in the latter case the
     * server's final response is never read, so any error it reports on
     * QUIT goes unnoticed by this client; that is the configured trade-off.
     */
    if (var_skip_quit_resp)
	recv_entry_state = SMTP_STATE_LAST;
    else
	recv_entry_state = SMTP_STATE_QUIT;

    return (smtp_loop(state, SMTP_STATE_QUIT, recv_entry_state));
}
2597