1 /* $NetBSD: smtp_proto.c,v 1.6 2025/02/25 19:15:49 christos Exp $ */
2
3 /*++
4 /* NAME
5 /* smtp_proto 3
6 /* SUMMARY
7 /* client SMTP/LMTP protocol
8 /* SYNOPSIS
9 /* #include "smtp.h"
10 /*
11 /* int smtp_helo(state)
12 /* SMTP_STATE *state;
13 /*
14 /* int smtp_xfer(state)
15 /* SMTP_STATE *state;
16 /*
17 /* int smtp_rset(state)
18 /* SMTP_STATE *state;
19 /*
20 /* int smtp_quit(state)
21 /* SMTP_STATE *state;
22 /* DESCRIPTION
23 /* In the subsequent text, SMTP implies LMTP.
24 /* This module implements the client side of the SMTP protocol.
25 /*
26 /* smtp_helo() performs the initial handshake with the SMTP server.
27 /* When TLS is enabled, this includes STARTTLS negotiations.
28 /*
29 /* smtp_xfer() sends message envelope information followed by the
30 /* message data, and finishes the SMTP conversation. These operations
31 /* are combined in one function, in order to implement SMTP pipelining.
32 /* Recipients are marked as "done" in the mail queue file when
33 /* bounced or delivered. The message delivery status is updated
34 /* accordingly.
35 /*
36 /* smtp_rset() sends a single RSET command and waits for the
37 /* response. In case of a negative reply it sets the
38 /* CANT_RSET_THIS_SESSION flag.
39 /*
40 /* smtp_quit() sends a single QUIT command and waits for the
41 /* response if configured to do so. It always turns off connection
42 /* caching.
43 /* DIAGNOSTICS
44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return
45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(),
46 /* smtp_rset() and smtp_quit(), success means the ability to
47 /* perform an SMTP conversation, not necessarily the ability
48 /* to deliver mail, or the achievement of server happiness.
49 /*
50 /* In case of a rejected or failed connection, a connection
51 /* is marked as "bad, do not cache". Otherwise, connection
52 /* caching may be turned off (without being marked "bad") at
53 /* the discretion of the code that implements the individual
54 /* protocol steps.
55 /*
56 /* Warnings: corrupt message file. A corrupt message is marked
57 /* as "corrupt" by changing its queue file permissions.
58 /* BUGS
59 /* Some SMTP servers will abort when the number of recipients
60 /* for one message exceeds their capacity. This behavior violates
61 /* the SMTP protocol.
62 /* The only way around this is to limit the number of recipients
63 /* per transaction to an artificially-low value.
64 /* SEE ALSO
65 /* smtp(3h) internal data structures
66 /* smtp_chat(3) query/reply SMTP support
67 /* smtp_trouble(3) error handlers
68 /* LICENSE
69 /* .ad
70 /* .fi
71 /* The Secure Mailer license must be distributed with this software.
72 /* AUTHOR(S)
73 /* Wietse Venema
74 /* IBM T.J. Watson Research
75 /* P.O. Box 704
76 /* Yorktown Heights, NY 10598, USA
77 /*
78 /* Wietse Venema
79 /* Google, Inc.
80 /* 111 8th Avenue
81 /* New York, NY 10011, USA
82 /*
83 /* Wietse Venema
84 /* porcupine.org
85 /*
86 /* Pipelining code in cooperation with:
87 /* Jon Ribbens
88 /* Oaktree Internet Solutions Ltd.,
89 /* Internet House,
90 /* Canal Basin,
91 /* Coventry,
92 /* CV1 4LY, United Kingdom.
93 /*
94 /* Connection caching in cooperation with:
95 /* Victor Duchovni
96 /* Morgan Stanley
97 /*
98 /* TLS support originally by:
99 /* Lutz Jaenicke
100 /* BTU Cottbus
101 /* Allgemeine Elektrotechnik
102 /* Universitaetsplatz 3-4
103 /* D-03044 Cottbus, Germany
104 /*--*/
105
106 /* System library. */
107
108 #include <sys_defs.h>
109 #include <sys/stat.h>
110 #include <sys/socket.h> /* shutdown(2) */
111 #include <netinet/in.h> /* ntohs() */
112 #include <string.h>
113 #include <unistd.h>
114 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */
115 #include <stdarg.h>
116 #include <time.h>
117
118 #ifdef STRCASECMP_IN_STRINGS_H
119 #include <strings.h>
120 #endif
121
122 /* Utility library. */
123
124 #include <msg.h>
125 #include <vstring.h>
126 #include <vstream.h>
127 #include <vstring_vstream.h>
128 #include <stringops.h>
129 #include <mymalloc.h>
130 #include <iostuff.h>
131 #include <split_at.h>
132 #include <name_code.h>
133 #include <name_mask.h>
134
135 /* Global library. */
136
137 #include <mail_params.h>
138 #include <smtp_stream.h>
139 #include <mail_queue.h>
140 #include <recipient_list.h>
141 #include <deliver_request.h>
142 #include <defer.h>
143 #include <bounce.h>
144 #include <record.h>
145 #include <rec_type.h>
146 #include <off_cvt.h>
147 #include <mark_corrupt.h>
148 #include <quote_822_local.h>
149 #include <mail_proto.h>
150 #include <mime_state.h>
151 #include <ehlo_mask.h>
152 #include <maps.h>
153 #include <tok822.h>
154 #include <mail_addr_map.h>
155 #include <ext_prop.h>
156 #include <namadr_list.h>
157 #include <match_parent_style.h>
158 #include <lex_822.h>
159 #include <dsn_mask.h>
160 #include <xtext.h>
161 #include <uxtext.h>
162 #include <smtputf8.h>
163 #if defined(USE_TLS) && defined(USE_TLSRPT)
164 #include <tlsrpt_wrapper.h>
165 #endif
166
167 /* Application-specific. */
168
169 #include "smtp.h"
170 #include "smtp_sasl.h"
171
172 /*
173 * Sender and receiver state. A session does not necessarily go through a
174 * linear progression, but states are guaranteed to not jump backwards.
175 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states
176 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST.
177 *
178 * When connection caching is enabled, the QUIT state is suppressed. Normal
179 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions
180 * end with ABORT->LAST. The connection is left open for a limited time. An
181 * RSET probe should be sent before attempting to reuse an open connection
182 * for a new transaction.
183 *
184 * The code to send an RSET probe is a special case with its own initial state
185 * and with its own dedicated state transitions. The session proceeds as
186 * RSET->LAST. This code is kept inside the main protocol engine for
187 * consistent error handling and error reporting. It is not to be confused
188 * with the code that sends RSET to abort a mail transaction in progress.
189 *
190 * The code to send QUIT without message delivery transaction jumps into the
191 * main state machine. If this introduces complications, then we should
192 * introduce a second QUIT state with its own dedicated state transitions,
193 * just like we did for RSET probes.
194 *
195 * By default, the receiver skips the QUIT response. Some SMTP servers
196 * disconnect after responding to ".", and some SMTP servers wait before
197 * responding to QUIT.
198 *
199 * Client states that are associated with sending mail (up to and including
200 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending
201 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST).
202 */
203 #define SMTP_STATE_XFORWARD_NAME_ADDR 0
204 #define SMTP_STATE_XFORWARD_PROTO_HELO 1
205 #define SMTP_STATE_MAIL 2
206 #define SMTP_STATE_RCPT 3
207 #define SMTP_STATE_DATA 4
208 #define SMTP_STATE_DOT 5
209 #define SMTP_STATE_ABORT 6
210 #define SMTP_STATE_RSET 7
211 #define SMTP_STATE_QUIT 8
212 #define SMTP_STATE_LAST 9
213
/*
 * Per-state timeout settings, indexed by SMTP_STATE_*. The tables below
 * (xfer_states, xfer_request) use the same index, so the three must be kept
 * in step with the SMTP_STATE_* definitions above. SMTP_STATE_LAST is the
 * count of command-sending states and has no entry of its own. Entries are
 * pointers to the configurable timeout variables rather than copies.
 */
int    *xfer_timeouts[SMTP_STATE_LAST] = {
    &var_smtp_xfwd_tmout,		/* name/addr */
    &var_smtp_xfwd_tmout,		/* helo/proto */
    &var_smtp_mail_tmout,		/* MAIL FROM */
    &var_smtp_rcpt_tmout,		/* RCPT TO */
    &var_smtp_data0_tmout,		/* DATA command */
    &var_smtp_data2_tmout,		/* end of data */
    &var_smtp_rset_tmout,		/* final RSET (abort) */
    &var_smtp_rset_tmout,		/* RSET probe */
    &var_smtp_quit_tmout,		/* QUIT */
};
225
/*
 * Human-readable description of what the client is doing in each
 * SMTP_STATE_*, for diagnostics. Same index as xfer_timeouts above. The
 * SMTP_STATE_DOT text warns that a failure after end-of-data may mean the
 * message was already accepted, i.e. a retry can deliver it twice.
 */
char   *xfer_states[SMTP_STATE_LAST] = {
    "sending XFORWARD name/address",
    "sending XFORWARD protocol/helo_name",
    "sending MAIL FROM",
    "sending RCPT TO",
    "sending DATA command",
    "sending end of data -- message may be sent more than once",
    "sending final RSET",
    "sending RSET probe",
    "sending QUIT",
};
237
/*
 * Short name of the request sent in each SMTP_STATE_*, for diagnostics.
 * Same index as xfer_timeouts and xfer_states above.
 */
char   *xfer_request[SMTP_STATE_LAST] = {
    "XFORWARD name/address command",
    "XFORWARD helo/protocol command",
    "MAIL FROM command",
    "RCPT TO command",
    "DATA command",
    "end of DATA command",
    "final RSET command",
    "RSET probe",
    "QUIT command",
};
249
250 /*
251 * Note: MIME downgrade never happens for mail that must be delivered with
252 * SMTPUTF8 (the sender requested SMTPUTF8, AND the delivery request
253 * involves at least one UTF-8 envelope address or header value.
254 */
255 #define SMTP_MIME_DOWNGRADE(session, request) \
256 (var_disable_mime_oconv == 0 \
257 && (session->features & SMTP_FEATURE_8BITMIME) == 0 \
258 && strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) != 0)
259
260 #ifdef USE_TLS
261
262 static int smtp_start_tls(SMTP_STATE *);
263
264 #endif
265
266 /*
267 * Call-back information for header/body checks. We don't provide call-backs
268 * for actions that change the message delivery time or destination.
269 */
static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *);
static void smtp_text_out(void *, int, const char *, ssize_t, off_t);

/*
 * Header/body check call-backs: a logger and a text output routine only.
 * No call-backs are provided for actions that would change delivery time
 * or destination (see the note above), so such actions cannot be triggered
 * from the SMTP client side.
 */
HBC_CALL_BACKS smtp_hbc_callbacks[1] = {
    smtp_hbc_logger,
    smtp_text_out,
};

/*
 * Protocol stage at which address verification probes stop: either
 * SMTP_STATE_RCPT or SMTP_STATE_DATA, set once by smtp_vrfy_init() from the
 * var_smtp_vrfy_tgt configuration value.
 */
static int smtp_vrfy_tgt;
279
280 /* smtp_vrfy_init - initialize */
281
/*
 * Map the configured verification target (var_smtp_vrfy_tgt) onto one of
 * the SMTP_STATE_* values and store it in smtp_vrfy_tgt. Any value that is
 * not in the table is a configuration error and terminates the process via
 * msg_fatal(), so callers never see an unmapped (zero) target.
 */
void    smtp_vrfy_init(void)
{
    static const NAME_CODE stage_table[] = {
	SMTP_VRFY_TGT_RCPT, SMTP_STATE_RCPT,
	SMTP_VRFY_TGT_DATA, SMTP_STATE_DATA,
	0,
    };

    /* Exact-match lookup; 0 (the table terminator) means "no such stage". */
    smtp_vrfy_tgt = name_code(stage_table, NAME_CODE_FLAG_NONE,
			      var_smtp_vrfy_tgt);
    if (smtp_vrfy_tgt == 0)
	msg_fatal("bad protocol stage: \"%s = %s\"",
		  VAR_SMTP_VRFY_TGT, var_smtp_vrfy_tgt);
}
295
296 /* smtp_helo - perform initial handshake with SMTP server */
297
/*
 * Perform the initial SMTP/LMTP handshake on the session in state: read the
 * greeting banner, send EHLO/HELO (SMTP mode) or LHLO (LMTP mode), parse the
 * advertised features, and then apply the TLS and SASL policies (when built
 * with USE_TLS / USE_SASL_AUTH). Returns 0 on success, otherwise the result
 * of smtp_site_fail(), smtp_mesg_fail(), smtp_stream_except() or
 * smtp_sasl_helo_login() (-1 on failure, per the module description above).
 *
 * Re-entrancy: when the server accepts STARTTLS this function is entered a
 * second time via smtp_start_tls() with SMTP_MISC_FLAG_IN_STARTTLS set; that
 * inner call skips the banner, repeats EHLO over the TLS channel, and skips
 * the STARTTLS block. The outer call returns the inner call's status.
 */
int     smtp_helo(SMTP_STATE *state)
{
    const char *myname = "smtp_helo";
    SMTP_SESSION *session = state->session;
    DELIVER_REQUEST *request = state->request;
    SMTP_ITERATOR *iter = state->iterator;
    SMTP_RESP *resp;
    SMTP_RESP fake;				/* for locally-generated DSNs */
    int     except;
    char   *lines;
    char   *words;
    char   *word;
    int     n;
    static const NAME_CODE xforward_features[] = {
	XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME,
	XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR,
	XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT,
	XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO,
	XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO,
	XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT,
	XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN,
	0, 0,
    };
    const char *ehlo_words;
    int     discard_mask;
    static const NAME_MASK pix_bug_table[] = {
	PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP,
	PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF,
	0,
    };
    const char *pix_bug_words;
    const char *pix_bug_source;
    int     pix_bug_mask;

#ifdef USE_TLS
    /*
     * Feature bits as they were before the plaintext EHLO. Restored when
     * STARTTLS is accepted (below), so that nothing learned from the
     * unprotected EHLO response survives into the TLS-protected dialog.
     */
    int     saved_features = session->features;
    int     tls_helo_status;

#endif
    /*
     * Context string for the stream exception handler. Assigned after
     * vstream_setjmp() and read after the longjmp, hence NOCLOBBER.
     */
    const char *NOCLOBBER where;

    /*
     * Skip the plaintext SMTP handshake when connecting in SMTPS mode.
     */
#ifdef USE_TLS
    if (var_smtp_tls_wrappermode
	&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
	/* XXX Mix-up of per-session and per-request flags. */
	state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
	smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
			  var_smtp_req_deadline, 0);
	tls_helo_status = smtp_start_tls(state);
	state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
	return (tls_helo_status);
    }
#endif

    /*
     * Prepare for disaster. Any stream timeout or I/O error during the
     * handshake longjmps back here; `where' tells the handler what we were
     * doing at the time.
     */
    smtp_stream_setup(state->session->stream, var_smtp_helo_tmout,
		      var_smtp_req_deadline, 0);
    if ((except = vstream_setjmp(state->session->stream)) != 0)
	return (smtp_stream_except(state, except, where));

    /*
     * If not recursing after STARTTLS, examine the server greeting banner
     * and decide if we are going to send EHLO as the next command.
     */
    if (var_smtp_tls_wrappermode
	|| (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {

	/*
	 * Read and parse the server's SMTP greeting banner. Only a 2xx
	 * greeting continues. With smtp_skip_5xx_greeting, a 5xx greeting
	 * has its DSN class downgraded to 4.x.x before the failure is
	 * reported, presumably so that delivery is deferred rather than
	 * bounced; the server text is folded onto one line for the log.
	 */
	where = "receiving the initial server greeting";
	switch ((resp = smtp_chat_resp(session))->code / 100) {
	case 2:
	    break;
	case 5:
	    if (var_smtp_skip_5xx_greeting)
		STR(resp->dsn_buf)[0] = '4';
	    /* FALLTHROUGH */
	default:
	    return (smtp_site_fail(state, STR(iter->host), resp,
				   "host %s refused to talk to me: %s",
				   session->namaddr,
				   translit(resp->str, "\n", " ")));
	}

	/*
	 * If the policy table specifies a bogus TLS security level, fail
	 * now.
	 */
#ifdef USE_TLS
	if (state->tls->level == TLS_LEV_INVALID)
	    /* Warning is already logged. */
	    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
				   SMTP_RESP_FAKE(&fake, "4.7.0"),
				   "client TLS configuration problem"));
#endif

	/*
	 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so
	 * it does not span a packet boundary. This hurts performance so it
	 * is not on by default.
	 *
	 * The workaround is considered only when the greeting consists of
	 * nothing but "2", "0", "*" and white space, i.e. the banner text has
	 * been masked out (presumably the PIX "fixup" signature). Which
	 * workarounds apply comes from the per-address map when it has an
	 * entry, else from the global word list; the source name is kept
	 * only for the name_mask_opt() diagnostics.
	 */
	if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) {
	    /* Best effort only. Ignore errors. */
	    if (smtp_pix_bug_maps != 0
		&& (pix_bug_words =
		    maps_find(smtp_pix_bug_maps,
			      STR(iter->addr), 0)) != 0) {
		pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_MAPS);
	    } else {
		pix_bug_words = var_smtp_pix_bug_words;
		pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_WORDS);
	    }
	    if (*pix_bug_words) {
		pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table,
					     pix_bug_words,
					     NAME_MASK_ANY_CASE | NAME_MASK_IGNORE);
		/*
		 * The ".<CR><LF>" delay is applied only to mail that has
		 * been in the queue for at least smtp_pix_thresh seconds.
		 */
		if ((pix_bug_mask & SMTP_FEATURE_PIX_DELAY_DOTCRLF)
		    && request->msg_stats.incoming_arrival.tv_sec
		    > vstream_ftime(state->session->stream) - var_smtp_pix_thresh)
		    pix_bug_mask &= ~SMTP_FEATURE_PIX_DELAY_DOTCRLF;
		msg_info("%s: enabling PIX workarounds: %s for %s",
			 request->queue_id,
			 str_name_mask("pix workaround bitmask",
				       pix_bug_table, pix_bug_mask),
			 session->namaddrport);
		session->features |= pix_bug_mask;
	    }
	}

	/*
	 * See if we are talking to ourself. This should not be possible with
	 * the way we implement DNS lookups. However, people are known to
	 * sometimes screw up the naming service. And, mailer loops are still
	 * possible when our own mailer routing tables are mis-configured.
	 *
	 * Skip the reply code (and a "-" continuation marker), then look at
	 * the first word (the server's name) and at any "ESMTP" keyword on
	 * the banner line. The loop warning here is log-only; the hard
	 * loop-back failure is decided on the EHLO/HELO reply further down.
	 */
	words = resp->str;
	(void) mystrtok(&words, "- \t\n");
	for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) {
	    if (n == 0 && strcasecmp(word, var_myhostname) == 0) {
		if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT)
		    msg_warn("host %s greeted me with my own hostname %s",
			     session->namaddrport, var_myhostname);
	    } else if (strcasecmp(word, "ESMTP") == 0)
		session->features |= SMTP_FEATURE_ESMTP;
	}
	/*
	 * In SMTP mode the always/never-EHLO settings and the PIX "no ESMTP"
	 * workaround override the banner heuristic; "never" wins over
	 * "always" because it is applied last. LMTP always uses LHLO.
	 */
	if (smtp_mode) {
	    if (var_smtp_always_ehlo
		&& (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0)
		session->features |= SMTP_FEATURE_ESMTP;
	    if (var_smtp_never_ehlo
		|| (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0)
		session->features &= ~SMTP_FEATURE_ESMTP;
	} else {
	    session->features |= SMTP_FEATURE_ESMTP;
	}
    }

    /*
     * If recursing after STARTTLS, there is no server greeting banner.
     * Always send EHLO as the next command.
     */
    else {
	session->features |= SMTP_FEATURE_ESMTP;
    }

    /*
     * Return the compliment. Fall back to SMTP if our ESMTP recognition
     * heuristic failed. A 421 reply to EHLO is a hard session failure; any
     * other non-2xx reply to EHLO makes us retry with plain HELO, and a
     * non-2xx reply to HELO/LHLO fails the session.
     */
    if (smtp_mode) {
	where = "performing the EHLO handshake";
	if (session->features & SMTP_FEATURE_ESMTP) {
	    smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name);
	    if ((resp = smtp_chat_resp(session))->code / 100 != 2) {
		if (resp->code == 421)
		    return (smtp_site_fail(state, STR(iter->host), resp,
					   "host %s refused to talk to me: %s",
					   session->namaddr,
					   translit(resp->str, "\n", " ")));
		else
		    session->features &= ~SMTP_FEATURE_ESMTP;
	    }
#ifdef USE_TLSRPT
	    /* Record the plaintext EHLO reply only, not the post-STARTTLS one. */
	    if (state->tlsrpt
		&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0)
		smtp_tlsrpt_set_ehlo_resp(state, resp->str);
#endif
	}
	if ((session->features & SMTP_FEATURE_ESMTP) == 0) {
	    where = "performing the HELO handshake";
	    smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name);
	    if ((resp = smtp_chat_resp(session))->code / 100 != 2)
		return (smtp_site_fail(state, STR(iter->host), resp,
				       "host %s refused to talk to me: %s",
				       session->namaddr,
				       translit(resp->str, "\n", " ")));
#ifdef USE_TLSRPT
	    if (state->tlsrpt)
		trw_set_ehlo_resp(state->tlsrpt, resp->str);
#endif
	}
    } else {
	where = "performing the LHLO handshake";
	smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name);
	if ((resp = smtp_chat_resp(session))->code / 100 != 2)
	    return (smtp_site_fail(state, STR(iter->host), resp,
				   "host %s refused to talk to me: %s",
				   session->namaddr,
				   translit(resp->str, "\n", " ")));
    }

    /*
     * No early returns allowed, to ensure consistent handling of TLS and
     * SASL policies.
     */
    if (session->features & SMTP_FEATURE_ESMTP) {

	/*
	 * Determine what server EHLO keywords to ignore, typically to avoid
	 * inter-operability problems. A map lookup error is not silently
	 * replaced by the default word list: it is raised as a stream error
	 * (SMTP_ERR_DATA) via the setjmp handler above, so the session fails
	 * instead of proceeding with an unintended feature set.
	 */
	if (smtp_ehlo_dis_maps == 0
	    || (ehlo_words = maps_find(smtp_ehlo_dis_maps,
				       STR(iter->addr), 0)) == 0)
	    ehlo_words = var_smtp_ehlo_dis_words;
	if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) {
	    msg_warn("%s: %s map lookup error for %s",
		     session->state->request->queue_id,
		     smtp_ehlo_dis_maps->title, STR(iter->addr));
	    vstream_longjmp(session->stream, SMTP_ERR_DATA);
	}
	discard_mask = ehlo_mask(ehlo_words);
	if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
	    msg_info("discarding EHLO keywords: %s",
		     str_ehlo_mask(discard_mask));

	/*
	 * Pick up some useful features offered by the SMTP server. XXX Until
	 * we have a portable routine to convert from string to off_t with
	 * proper overflow detection, ignore the message size limit
	 * advertised by the SMTP server. Otherwise, we might do the wrong
	 * thing when the server advertises a really huge message size limit.
	 *
	 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...",
	 * because MicroSoft implemented AUTH based on an old draft.
	 *
	 * Every keyword is server-controlled input: each one is only honored
	 * when its EHLO_MASK_* bit is absent from discard_mask. `n' counts
	 * only lines that yielded a keyword (it is incremented inside the
	 * inner block), so n == 0 identifies the first parsable line, which
	 * carries the server's name rather than a keyword.
	 */
	lines = resp->str;
	for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) {
	    if (mystrtok(&words, "- ")
		&& (word = mystrtok(&words, " \t=")) != 0) {
		if (n == 0) {
		    if (session->helo != 0)
			myfree(session->helo);

		    /*
		     * XXX: Keep the original case: we don't expect a single
		     * SMTP server to randomly change the case of its helo
		     * response. If different capitalization is detected, we
		     * should assume disjoint TLS caches.
		     */
		    session->helo = mystrdup(word);
		    /*
		     * Mailer-loop check: the server identifies itself with
		     * our own name. Permanent failure (5.4.6) when this is the
		     * best MX, otherwise temporary (4.4.6).
		     */
		    if (strcasecmp(word, var_myhostname) == 0
			&& (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) {
			msg_warn("host %s replied to HELO/EHLO"
				 " with my own hostname %s",
				 session->namaddrport, var_myhostname);
			if (session->features & SMTP_FEATURE_BEST_MX)
			    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
					      SMTP_RESP_FAKE(&fake, "5.4.6"),
					 "mail for %s loops back to myself",
						   request->nexthop));
			else
			    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
					      SMTP_RESP_FAKE(&fake, "4.4.6"),
					 "mail for %s loops back to myself",
						   request->nexthop));
		    }
		} else if (strcasecmp(word, "8BITMIME") == 0) {
		    if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
			session->features |= SMTP_FEATURE_8BITMIME;
		} else if (strcasecmp(word, "PIPELINING") == 0) {
		    if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
			session->features |= SMTP_FEATURE_PIPELINING;
		} else if (strcasecmp(word, "XFORWARD") == 0) {
		    /* Unknown XFORWARD sub-keywords map to 0 and add nothing. */
		    if ((discard_mask & EHLO_MASK_XFORWARD) == 0)
			while ((word = mystrtok(&words, " \t")) != 0)
			    session->features |=
				name_code(xforward_features,
					  NAME_CODE_FLAG_NONE, word);
		} else if (strcasecmp(word, "SIZE") == 0) {
		    /*
		     * The advertised limit is accepted only if it is all
		     * digits; see the XXX above about the lack of overflow
		     * detection in the conversion.
		     */
		    if ((discard_mask & EHLO_MASK_SIZE) == 0) {
			session->features |= SMTP_FEATURE_SIZE;
			if ((word = mystrtok(&words, " \t")) != 0) {
			    if (!alldig(word))
				msg_warn("bad EHLO SIZE limit \"%s\" from %s",
					 word, session->namaddrport);
			    else
				session->size_limit = off_cvt_string(word);
			}
		    }
#ifdef USE_TLS
		} else if (strcasecmp(word, "STARTTLS") == 0) {
		    /* Ignored later if we already sent STARTTLS. */
		    if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
			session->features |= SMTP_FEATURE_STARTTLS;
#endif
#ifdef USE_SASL_AUTH
		} else if (var_smtp_sasl_enable
			   && strcasecmp(word, "AUTH") == 0) {
		    /* The rest of the line is the mechanism list. */
		    if ((discard_mask & EHLO_MASK_AUTH) == 0)
			smtp_sasl_helo_auth(session, words);
#endif
		} else if (strcasecmp(word, "DSN") == 0) {
		    if ((discard_mask & EHLO_MASK_DSN) == 0)
			session->features |= SMTP_FEATURE_DSN;
		} else if (strcasecmp(word, "SMTPUTF8") == 0) {
		    if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0)
			session->features |= SMTP_FEATURE_SMTPUTF8;
		}
		n++;
	    }
	}
    }
    if (msg_verbose)
	msg_info("server features: 0x%x size %.0f",
		 session->features, (double) session->size_limit);

    /*
     * Decide if this delivery requires SMTPUTF8 server support.
     *
     * For now, we require that the remote SMTP server supports SMTPUTF8 when
     * the sender requested SMTPUTF8 support.
     *
     * XXX EAI Refine this to: the sender requested SMTPUTF8 support AND the
     * delivery request involves at least one UTF-8 envelope address or
     * header value.
     *
     * If the sender requested SMTPUTF8 support but the delivery request
     * involves no UTF-8 envelope address or header value, then we could
     * still deliver such mail to a non-SMTPUTF8 server, except that we must
     * either uxtext-encode ORCPT parameters or not send them. We cannot
     * encode the ORCPT in xtext, because legacy SMTP requires that the
     * unencoded address consist entirely of printable (graphic and white
     * space) characters from the US-ASCII repertoire (RFC 3461 section 4). A
     * correct uxtext encoder will produce a result that an xtext decoder
     * will pass through unchanged.
     *
     * XXX Should we try to encode headers with RFC 2047 when delivering to a
     * non-SMTPUTF8 server? That could make life easier for mailing lists.
     */
#define DELIVERY_REQUIRES_SMTPUTF8 \
	((request->sendopts & SMTPUTF8_FLAG_REQUESTED) \
	    && (request->sendopts & SMTPUTF8_FLAG_DERIVED))

    /*
     * Require that the server supports SMTPUTF8 when delivery requires
     * SMTPUTF8. This is a message-level failure (smtp_mesg_fail), not a
     * site-level one: the session itself is fine.
     *
     * Fix 20140706: moved this before negotiating TLS, AUTH, and so on.
     */
    if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0
	&& DELIVERY_REQUIRES_SMTPUTF8)
	return (smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
			       SMTP_RESP_FAKE(&fake, "5.6.7"),
			       "SMTPUTF8 is required, "
			       "but was not offered by host %s",
			       session->namaddr));

    /*
     * Fix 20140706: don't do silly things when the remote server announces
     * SMTPUTF8 but not 8BITMIME support. Our primary mission is to deliver
     * mail, not to force people into compliance.
     */
    if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
	&& (session->features & SMTP_FEATURE_8BITMIME) == 0) {
	msg_info("host %s offers SMTPUTF8 support, but not 8BITMIME",
		 session->namaddr);
	session->features |= SMTP_FEATURE_8BITMIME;
    }

    /*
     * We use SMTP command pipelining if the server said it supported it.
     * Since we use blocking I/O, RFC 2197 says that we should inspect the
     * TCP window size and not send more than this amount of information.
     * Unfortunately this information is unavailable using the sockets
     * interface. However, we *can* get the TCP send buffer size on the local
     * TCP/IP stack. We should be able to fill this buffer without being
     * blocked, and then the kernel will effectively do non-blocking I/O for
     * us by automatically writing out the contents of its send buffer while
     * we are reading in the responses. In addition to TCP buffering we have
     * to be aware of application-level buffering by the vstream module,
     * which is limited to a couple kbytes.
     *
     * XXX No need to do this before and after STARTTLS, but it's not a big deal
     * if we do.
     *
     * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as
     * TLS messages. Thus, the TCP-level payload will be larger than the
     * SMTP-level payload. This has implications for the PIPELINING engine.
     *
     * To avoid deadlock, the PIPELINING engine needs to request a TCP send
     * buffer size that can hold the unacknowledged commands plus the TLS
     * encapsulation overhead.
     *
     * The PIPELINING engine keeps the unacknowledged command size <= the
     * default VSTREAM buffer size (to avoid small-write performance issues
     * when the VSTREAM buffer size is at its default size). With a default
     * VSTREAM buffer size of 4096 there is no reason to increase the
     * unacknowledged command size as the TCP MSS increases. It's safer to
     * spread the remote SMTP server's recipient processing load over time,
     * than dumping a very large recipient list all at once.
     *
     * For TLS encapsulation overhead we make a conservative guess: take the
     * current protocol overhead of ~40 bytes, double the number for future
     * proofing (~80 bytes), then round up the result to the nearest power of
     * 2 (128 bytes). Plus, be prepared for worst-case compression that
     * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS
     * message becomes 15 kbytes.
     */
#define PIPELINING_BUFSIZE	VSTREAM_BUFSIZE
#ifdef USE_TLS
#define TLS_WORST_PAYLOAD	16384
#define TLS_WORST_COMP_OVERHD	1024
#define TLS_WORST_PROTO_OVERHD	128
#define TLS_WORST_SMTP_PAYLOAD	(TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD)
#define TLS_WORST_TOTAL_OVERHD	(TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD)
#endif

    if (session->features & SMTP_FEATURE_PIPELINING) {
	SOCKOPT_SIZE optlen;
	int     tcp_bufsize;
	int     enc_overhead = 0;

	/* A socket-option failure here is treated as fatal, not as a deferral. */
	optlen = sizeof(tcp_bufsize);
	if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET,
		       SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0)
	    msg_fatal("%s: getsockopt: %m", myname);
#ifdef USE_TLS
	/* Only the post-STARTTLS (recursive) call accounts for TLS overhead. */
	if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS)
	    enc_overhead +=
		(1 + (PIPELINING_BUFSIZE - 1)
		 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD;
#endif
	/* Grow the send buffer only; never shrink one that is already larger. */
	if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) {
	    tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead;
	    if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET,
			   SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0)
		msg_fatal("%s: setsockopt: %m", myname);
	}
	if (msg_verbose)
	    msg_info("Using %s PIPELINING, TCP send buffer size is %d, "
		     "PIPELINING buffer size is %d",
		     smtp_mode ? "ESMTP" : "LMTP",
		     tcp_bufsize, PIPELINING_BUFSIZE);
    }
#ifdef USE_TLS

    /*
     * Skip this part if we already sent STARTTLS.
     */
    if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {

	/*
	 * Optionally log unused STARTTLS opportunities.
	 */
	if ((session->features & SMTP_FEATURE_STARTTLS) &&
	    var_smtp_tls_note_starttls_offer &&
	    state->tls->level <= TLS_LEV_NONE)
	    msg_info("Host offered STARTTLS: [%s]", STR(iter->host));

	/*
	 * Decide whether or not to send STARTTLS. All three must hold: the
	 * server offered it (and it was not discarded), our TLS engine is
	 * initialized, and the policy level is at least "may".
	 */
	if ((session->features & SMTP_FEATURE_STARTTLS) != 0
	    && smtp_tls_ctx != 0 && state->tls->level >= TLS_LEV_MAY) {

	    /*
	     * Prepare for disaster. This re-arms the stream handler with the
	     * STARTTLS timeout and a fixed context string, replacing the
	     * handshake handler (and `where') armed at the top.
	     */
	    smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
			      var_smtp_req_deadline, 0);
	    if ((except = vstream_setjmp(state->session->stream)) != 0)
		return (smtp_stream_except(state, except,
					"receiving the STARTTLS response"));

	    /*
	     * Send STARTTLS. Recurse when the server accepts STARTTLS, after
	     * resetting the SASL and EHLO features lists.
	     *
	     * Reset the SASL mechanism list to avoid spurious warnings.
	     *
	     * Use the smtp_sasl_tls_security_options feature to allow SASL
	     * mechanisms that may not be allowed with plain-text
	     * connections.
	     *
	     * Restoring saved_features discards everything learned from the
	     * plaintext EHLO reply (including any AUTH mechanism list); the
	     * recursive smtp_helo() call re-learns the feature set over TLS.
	     */
	    smtp_chat_cmd(session, "STARTTLS");
	    if ((resp = smtp_chat_resp(session))->code / 100 == 2) {
#ifdef USE_SASL_AUTH
		if (session->features & SMTP_FEATURE_AUTH)
		    smtp_sasl_cleanup(session);
#endif
		session->features = saved_features;
		/* XXX Mix-up of per-session and per-request flags. */
		state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
		tls_helo_status = smtp_start_tls(state);
		state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
		return (tls_helo_status);
	    }

	    /*
	     * Give up if we must use TLS but the server rejects STARTTLS
	     * although support for it was announced in the EHLO response.
	     */
	    session->features &= ~SMTP_FEATURE_STARTTLS;
	    if (TLS_REQUIRED(state->tls->level)) {
#ifdef USE_TLSRPT
		if (state->tlsrpt)
		    trw_report_failure(state->tlsrpt,
				       TLSRPT_STARTTLS_NOT_SUPPORTED,
				        /* additional_info= */ (char *) 0,
				        /* failure_reason= */ (char *) 0);
#endif
		return (smtp_site_fail(state, STR(iter->host), resp,
		    "TLS is required, but host %s refused to start TLS: %s",
				       session->namaddr,
				       translit(resp->str, "\n", " ")));
	    }
	    /* Else try to continue in plain-text mode. */
	}

	/*
	 * Give up if we must use TLS but can't for various reasons.
	 *
	 * 200412 Be sure to provide the default clause at the bottom of this
	 * block. When TLS is required we must never, ever, end up in
	 * plain-text mode.
	 *
	 * Fail-closed: at this point either STARTTLS was never attempted or
	 * it was refused and SMTP_FEATURE_STARTTLS has been cleared above,
	 * so a required TLS level always ends in a (temporary) failure here.
	 */
	if (TLS_REQUIRED(state->tls->level)) {
	    if (!(session->features & SMTP_FEATURE_STARTTLS)) {
#ifdef USE_TLSRPT
		if (state->tlsrpt)
		    trw_report_failure(state->tlsrpt,
				       TLSRPT_STARTTLS_NOT_SUPPORTED,
				        /* additional_info= */ (char *) 0,
				        /* failure_reason= */ (char *) 0);
#endif
		return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
				       SMTP_RESP_FAKE(&fake, "4.7.4"),
			   "TLS is required, but was not offered by host %s",
				       session->namaddr));
	    } else if (smtp_tls_ctx == 0) {
		return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
				       SMTP_RESP_FAKE(&fake, "4.7.5"),
		     "TLS is required, but our TLS engine is unavailable"));
	    } else {
		msg_warn("%s: TLS is required but unavailable, don't know why",
			 myname);
		return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
				       SMTP_RESP_FAKE(&fake, "4.7.0"),
				       "TLS is required, but unavailable"));
	    }
	}
    }
#endif
#ifdef USE_SASL_AUTH
    /*
     * SASL comes last. When STARTTLS was accepted, the outer call has
     * already returned above, so this point is reached only by the
     * recursive (TLS-protected) call, or by a plaintext session in which
     * no STARTTLS took place.
     */
    if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH))
	return (smtp_sasl_helo_login(state));
#endif

    return (0);
}
875
876 #ifdef USE_TLS
877
/* smtp_start_tls - turn on TLS and recurse into the HELO dialog */

/*
 * Switch the established plaintext session to TLS, either through the
 * tlsproxy(8) service (state->tls->conn_reuse != 0) or through the
 * in-process TLS engine, and then re-run the EHLO dialog via smtp_helo()
 * so that the feature list reflects what the server offers inside TLS.
 *
 * Returns the result of smtp_helo() when a TLS context was obtained and
 * the certificate satisfies the matching policy for the context's effective
 * level. Otherwise returns the result of smtp_misc_fail() (no TLS context:
 * handshake failure; the session is flagged with DONT_USE_FORBIDDEN_SESSION
 * and, where policy allows, RETRY_AS_PLAINTEXT) or of smtp_site_fail()
 * (TLS context present, but the certificate is not matched).
 */
static int smtp_start_tls(SMTP_STATE *state)
{
    SMTP_SESSION *session = state->session;
    SMTP_ITERATOR *iter = state->iterator;
    TLS_CLIENT_START_PROPS start_props;
    VSTRING *serverid;			/* TLS session cache lookup key */
    SMTP_RESP fake;			/* synthesized reply for local failures */
    TLS_CLIENT_INIT_PROPS init_props;	/* tlsproxy(8) path only */
    VSTREAM *tlsproxy;			/* tlsproxy(8) path only */
    VSTRING *port_buf;			/* tlsproxy(8) path only */

    /*
     * When the TLS handshake succeeds, we can reuse a connection only if TLS
     * remains turned on for the lifetime of that connection. This requires
     * that the TLS library state is maintained in some proxy process, for
     * example, in tlsproxy(8). We then store the proxy file handle in the
     * connection cache, and reuse that file handle.
     *
     * Otherwise, we must turn off connection caching. We can't turn off TLS in
     * one SMTP client process, save the open connection to a cache which is
     * shared with all SMTP clients, migrate the connection to another SMTP
     * client, and resume TLS there. When the TLS handshake fails, we can't
     * reuse the SMTP connection either, because the conversation is in an
     * unknown state.
     */
    if (state->tls->conn_reuse == 0)
	DONT_CACHE_THIS_SESSION;

    /*
     * The following assumes sites that use TLS in a perverse configuration:
     * multiple hosts per hostname, or even multiple hosts per IP address.
     * All this without a shared TLS session cache, and they still want to
     * use TLS session caching???
     *
     * The TLS session cache records the trust chain verification status of
     * cached sessions. Different transports may have different CAfile or
     * CApath settings, perhaps to allow authenticated connections to sites
     * with private CA certs without trusting said private certs for other
     * sites. So we cannot assume that a trust chain valid for one transport
     * is valid for another. Therefore the client session id must include
     * either the transport name or the values of CAfile and CApath. We use
     * the transport name.
     *
     * XXX: We store only one session per lookup key. Ideally the key maps
     * 1-to-1 to a server TLS session cache. We use the IP address, port and
     * ehlo response name to build a lookup key that works for split caches
     * (that announce distinct names) behind a load balancer.
     *
     * XXX: The TLS library will salt the serverid with further details of the
     * protocol and cipher requirements including the server ehlo response.
     * Deferring the helo to the digested suffix results in more predictable
     * SSL session lookup key lengths.
     */
    serverid = vstring_alloc(10);
    smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE
		    | SMTP_KEY_FLAG_CUR_NEXTHOP	/* With port */
		    | SMTP_KEY_FLAG_HOSTNAME
		    | SMTP_KEY_FLAG_ADDR);

    if (state->tls->conn_reuse) {
	TLS_CLIENT_PARAMS tls_params;

	/*
	 * Send all our wishes in one big request.
	 */
	TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
				    log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
				    log_level = var_smtp_tls_loglevel,
				    verifydepth = var_smtp_tls_scert_vd,
				    cache_type
				    = LMTP_SMTP_SUFFIX(TLS_MGR_SCACHE),
				    chain_files = var_smtp_tls_chain_files,
				    cert_file = var_smtp_tls_cert_file,
				    key_file = var_smtp_tls_key_file,
				    dcert_file = var_smtp_tls_dcert_file,
				    dkey_file = var_smtp_tls_dkey_file,
				    eccert_file = var_smtp_tls_eccert_file,
				    eckey_file = var_smtp_tls_eckey_file,
				    CAfile = var_smtp_tls_CAfile,
				    CApath = var_smtp_tls_CApath,
				    mdalg = var_smtp_tls_fpt_dgst);
	/*
	 * Note: ffail_type is 0 on the tlsproxy(8) path, whereas the
	 * in-process path below passes state->tls->ext_policy_failure.
	 */
	TLS_PROXY_CLIENT_START_PROPS(&start_props,
				     timeout = var_smtp_starttls_tmout,
				     tls_level = state->tls->level,
				     enable_rpk = state->tls->enable_rpk,
				     nexthop = session->tls_nexthop,
				     host = STR(iter->host),
				     namaddr = session->namaddrport,
				     sni = state->tls->sni,
				     serverid = vstring_str(serverid),
				     helo = session->helo,
				     protocols = state->tls->protocols,
				     cipher_grade = state->tls->grade,
				     cipher_exclusions
				     = vstring_str(state->tls->exclusions),
				     matchargv = state->tls->matchargv,
				     mdalg = var_smtp_tls_fpt_dgst,
#ifdef USE_TLSRPT
				     tlsrpt = state->tlsrpt,
#else
				     tlsrpt = 0,
#endif
				     ffail_type = 0,
				     dane = state->tls->dane);

	/*
	 * The tlsproxy(8) server enforces timeouts that are larger than
	 * those specified by the tlsproxy(8) client. These timeouts are a
	 * safety net for the case that the tlsproxy(8) client fails to
	 * enforce time limits. Normally, the tlsproxy(8) client would time
	 * out and trigger a plaintext event in the tlsproxy(8) server, and
	 * cause it to tear down the session.
	 *
	 * However, the tlsproxy(8) server has no insight into the SMTP
	 * protocol, and therefore it cannot by itself support different
	 * timeouts at different SMTP protocol stages. Instead, we specify
	 * the largest timeout (end-of-data) and rely on the SMTP client to
	 * time out first, which normally results in a plaintext event in the
	 * tlsproxy(8) server. Unfortunately, we cannot permit plaintext
	 * events during the TLS handshake, so we specify a separate timeout
	 * for that stage (the end-of-data timeout would be unreasonably
	 * large anyway).
	 */
#define PROXY_OPEN_FLAGS \
	(TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)

	port_buf = vstring_alloc(100);		/* minimize fragmentation */
	vstring_sprintf(port_buf, "%d", ntohs(iter->port));
	tlsproxy =
	    tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS,
			   session->stream, STR(iter->addr),
			   STR(port_buf), var_smtp_starttls_tmout,
			   var_smtp_data2_tmout, state->service,
			   tls_proxy_client_param_from_config(&tls_params),
			   &init_props, &start_props);
	vstring_free(port_buf);

	/*
	 * To insert tlsproxy(8) between this process and the remote SMTP
	 * server, we swap the file descriptors between the tlsproxy and
	 * session->stream VSTREAMS, so that we don't lose all the
	 * user-configurable session->stream attributes (such as longjump
	 * buffers or timeouts).
	 *
	 * TODO: the tlsproxy RPCs should return more error detail than a "NO"
	 * result. OTOH, the in-process TLS engine does not return such info
	 * either.
	 *
	 * If the tlsproxy request fails we do not fall back to the in-process
	 * TLS stack. Reason: the admin enabled connection reuse to respect
	 * receiver policy; silently violating such policy would not be
	 * useful.
	 *
	 * We also don't fall back to the in-process TLS stack under low-traffic
	 * conditions, to avoid frustrating attempts to debug a problem with
	 * using the tlsproxy(8) service.
	 */
	if (tlsproxy == 0) {
	    /* No context: handled as a handshake failure further below. */
	    session->tls_context = 0;
	} else {
	    vstream_control(tlsproxy,
			    CA_VSTREAM_CTL_DOUBLE,
			    CA_VSTREAM_CTL_END);
	    vstream_control(session->stream,
			    CA_VSTREAM_CTL_SWAP_FD(tlsproxy),
			    CA_VSTREAM_CTL_END);
	    (void) vstream_fclose(tlsproxy);	/* direct-to-server stream! */

	    /*
	     * There must not be any pending data in the stream buffers
	     * before we read the TLS context attributes.
	     */
	    vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);

	    /*
	     * After plumbing the plaintext stream, receive the TLS context
	     * object. For this we use the same VSTREAM buffer that we also
	     * use to receive subsequent SMTP commands, therefore we must be
	     * prepared for the possibility that the remote SMTP server
	     * starts talking immediately. The tlsproxy implementation sends
	     * the TLS context before remote content. The attribute protocol
	     * is robust enough that an adversary cannot insert their own TLS
	     * context attributes.
	     */
	    session->tls_context = tls_proxy_context_receive(session->stream);
	    if (session->tls_context) {
		session->features |= SMTP_FEATURE_FROM_PROXY;
		tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW,
				session->tls_context);
	    }
	}
    } else {					/* state->tls->conn_reuse */

	/*
	 * As of Postfix 2.5, tls_client_start() tries hard to always
	 * complete the TLS handshake. It records the verification and match
	 * status in the resulting TLScontext. It is now up to the
	 * application to abort the TLS connection if it chooses.
	 *
	 * XXX When tls_client_start() fails then we don't know what state the
	 * SMTP connection is in, so we give up on this connection even if we
	 * are not required to use TLS.
	 *
	 * Large parameter lists are error-prone, so we emulate a language
	 * feature that C does not have natively: named parameter lists.
	 */
	session->tls_context =
	    TLS_CLIENT_START(&start_props,
			     ctx = smtp_tls_ctx,
			     stream = session->stream,
			     fd = -1,
			     timeout = var_smtp_starttls_tmout,
			     tls_level = state->tls->level,
			     enable_rpk = state->tls->enable_rpk,
			     nexthop = session->tls_nexthop,
			     host = STR(iter->host),
			     namaddr = session->namaddrport,
			     sni = state->tls->sni,
			     serverid = vstring_str(serverid),
			     helo = session->helo,
			     protocols = state->tls->protocols,
			     cipher_grade = state->tls->grade,
			     cipher_exclusions
			     = vstring_str(state->tls->exclusions),
			     matchargv = state->tls->matchargv,
			     mdalg = var_smtp_tls_fpt_dgst,
#ifdef USE_TLSRPT
			     tlsrpt = state->tlsrpt,
#else
			     tlsrpt = 0,
#endif
			     ffail_type = state->tls->ext_policy_failure,
			     dane = state->tls->dane);

	/*
	 * At this point there must not be any pending data in the stream
	 * buffers.
	 */
	vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
    }						/* state->tls->conn_reuse */

    /* The lookup key is only needed while starting the handshake. */
    vstring_free(serverid);

    if (session->tls_context == 0) {

	/*
	 * We must avoid further I/O, the peer is in an undefined state.
	 */
	DONT_USE_FORBIDDEN_SESSION;

	/*
	 * If TLS is optional, try delivery to the same server over a
	 * plaintext connection. Otherwise we would defer mail forever with
	 * destinations that have no alternate MX host.
	 *
	 * Don't fall back to plaintext if we were willing to use SASL-over-TLS
	 * authentication. If the server doesn't announce SASL support over
	 * plaintext connections, then we don't want delivery to fail with
	 * "relay access denied".
	 *
	 * If TLS is opportunistic, don't throttle the destination, otherwise if
	 * the mail is volume is high enough we may have difficulty ever
	 * draining even the deferred mail, as new mail provides a constant
	 * stream of negative feedback.
	 */
	if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE)
	    RETRY_AS_PLAINTEXT;
	return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ?
			       SMTP_NOTHROTTLE : SMTP_THROTTLE,
			       DSN_BY_LOCAL_MTA,
			       SMTP_RESP_FAKE(&fake, "4.7.5"),
			       "Cannot start TLS: handshake failure"));
    }

    /*
     * If we are verifying the server certificate and are not happy with the
     * result, abort the delivery here. We have a usable TLS session with the
     * server, so no need to disable I/O, ... we can even be polite and send
     * "QUIT".
     *
     * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require
     * matching.
     *
     * NOTE: We use "IS_MATCHED" to satisfy policy, but "IS_SECURED" to log
     * effective security. Thus "half-dane" is never "Verified" only
     * "Trusted", but matching is enforced here.
     *
     * NOTE: When none of the TLSA records were usable, "dane" and "half-dane"
     * fall back to "encrypt", updating the tls_context level accordingly, so
     * we must check that here, and not state->tls->level.
     */
    if (TLS_MUST_MATCH(session->tls_context->level))
	if (!TLS_CERT_IS_MATCHED(session->tls_context)) {
#ifdef USE_TLSRPT

	    /*
	     * Don't create a TLSRPT 'failure' event here, if the TLS engine
	     * already reported a more specific reason.
	     */
	    if (state->tlsrpt && session->tls_context->rpt_reported == 0) {
		/* Distinguish an untrusted chain from a trusted-but-wrong name. */
		if (!TLS_CERT_IS_TRUSTED(session->tls_context)) {
		    (void) trw_report_failure(state->tlsrpt,
					      TLSRPT_CERTIFICATE_NOT_TRUSTED,
					       /* additional_info= */ (char *) 0,
					       /* failure_reason= */ (char *) 0);
		} else {
		    (void) trw_report_failure(state->tlsrpt,
					      TLSRPT_CERTIFICATE_HOST_MISMATCH,
					       /* additional_info= */ (char *) 0,
					       /* failure_reason= */ (char *) 0);
		}
	    }
#endif
	    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
				   SMTP_RESP_FAKE(&fake, "4.7.5"),
				   "Server certificate not verified"));
	}

    /*
     * Create a TLSRPT 'success' event only if the TLS engine has not created
     * TLSRPT event. For example, The TLS engine will create a TLSRPT
     * 'failure' event when the TLS handshake was be successful, but the
     * security level was downgraded from opportunistic "dane" to
     * unauthenticated "encrypt".
     */
#ifdef USE_TLSRPT
    if (state->tlsrpt && session->tls_context->rpt_reported == 0)
	(void) trw_report_success(state->tlsrpt);
#endif

    /*
     * At this point we have to re-negotiate the "EHLO" to reget the
     * feature-list.
     */
    return (smtp_helo(state));
}
1216
1217 #endif
1218
/* smtp_hbc_logger - logging call-back for header/body checks */

/*
 * Log one header/body check action for the delivery whose SMTP_STATE is
 * passed as the opaque context. Every log line is prefixed with the queue
 * ID; the content is truncated to 200 bytes by the "%.200s" conversion,
 * and the optional text is appended only when it is non-empty.
 */
static void smtp_hbc_logger(void *context, const char *action,
			            const char *where, const char *content,
			            const char *text)
{
    const SMTP_STATE *state = (SMTP_STATE *) context;
    const char *queue_id = state->request->queue_id;

    /* No trailing text: emit the shorter form and stop. */
    if (*text == 0) {
	msg_info("%s: %s: %s %.200s", queue_id, action, where, content);
	return;
    }
    msg_info("%s: %s: %s %.200s: %s", queue_id, action, where, content, text);
}
1235
/* smtp_text_out - output one header/body record */

/*
 * Write one queue-file record (header or body text) to the SMTP session,
 * splitting it into pieces that respect $smtp_line_length_limit and applying
 * SMTP dot transparency at the start of every output line.
 *
 * context       - the SMTP_STATE of the current delivery
 * rec_type      - queue file record type. REC_TYPE_CONT records are written
 *                 with smtp_fwrite() and leave the output line open (the
 *                 remaining space is decremented, not reset); any other
 *                 record is written with smtp_fputs() and resets the
 *                 remaining space to a full line.
 * text, len     - the record content
 * unused_offset - queue file offset; not used here
 *
 * Per-delivery state: state->space_left is the number of bytes that may
 * still be written on the current output line and equals
 * var_smtp_line_limit at the start of a line; state->logged_line_length_limit
 * ensures the "breaking line" log message is emitted at most once per
 * SMTP_STATE.
 */
static void smtp_text_out(void *context, int rec_type,
			          const char *text, ssize_t len,
			          off_t unused_offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    SMTP_SESSION *session = state->session;
    ssize_t data_left;				/* bytes of text still to write */
    const char *data_start;			/* next byte of text to write */

    /*
     * Deal with an impedance mismatch between Postfix queue files (record
     * length <= $message_line_length_limit) and SMTP (DATA record length <=
     * $smtp_line_length_limit). The code below does a little too much work
     * when the SMTP line length limit is disabled, but it avoids code
     * duplication, and thus, it avoids testing and maintenance problems.
     */
    data_left = len;
    data_start = text;
    do {
	/*
	 * SMTP dot transparency (RFC 5321 section 4.5.2): a '.' at the start
	 * of an output line is doubled, so that the server cannot mistake
	 * message content for the end-of-data indicator. space_left ==
	 * var_smtp_line_limit means that we are at the start of a line.
	 */
	if (state->space_left == var_smtp_line_limit
	    && data_left > 0 && *data_start == '.')
	    smtp_fputc('.', session->stream);
	if (ENFORCING_SIZE_LIMIT(var_smtp_line_limit)
	    && data_left >= state->space_left) {
	    /* The remainder does not fit: emit what fits, then start over. */
	    smtp_fputs(data_start, state->space_left, session->stream);
	    data_start += state->space_left;
	    data_left -= state->space_left;
	    state->space_left = var_smtp_line_limit;
	    if (data_left > 0 || rec_type == REC_TYPE_CONT) {
		/*
		 * More of this logical line follows: continue it with a
		 * leading SPACE, which costs one byte of the new line.
		 */
		smtp_fputc(' ', session->stream);
		state->space_left -= 1;

		/*
		 * XXX This can insert a line break into the middle of a
		 * multi-byte character (not necessarily UTF-8). Note that
		 * multibyte characters can span queue file records, for
		 * example if line_length_limit == smtp_line_length_limit.
		 */
		if (state->logged_line_length_limit == 0) {
		    msg_info("%s: breaking line > %d bytes with <CR><LF>SPACE",
			     state->request->queue_id, var_smtp_line_limit);
		    state->logged_line_length_limit = 1;
		}
	    }
	} else {
	    /* Everything that is left fits on the current output line. */
	    if (rec_type == REC_TYPE_CONT) {
		/* Record is continued by the next one: keep the line open. */
		smtp_fwrite(data_start, data_left, session->stream);
		state->space_left -= data_left;
	    } else {
		/* Last piece of this record: the next write starts a new line. */
		smtp_fputs(data_start, data_left, session->stream);
		state->space_left = var_smtp_line_limit;
	    }
	    break;
	}
    } while (data_left > 0);
}
1294
/* smtp_format_out - output one header/body record */

static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...);

/*
 * printf-style front end to smtp_text_out(): format the arguments into a
 * VSTRING that is allocated on first use and shared by all calls (it is
 * never freed), then hand the result to smtp_text_out() with offset 0.
 */
static void smtp_format_out(void *context, int rec_type, const char *fmt,...)
{
    static VSTRING *scratch = 0;
    va_list args;

    if (scratch == 0)
	scratch = vstring_alloc(100);

    va_start(args, fmt);
    vstring_vsprintf(scratch, fmt, args);
    va_end(args);

    smtp_text_out(context, rec_type, vstring_str(scratch),
		  VSTRING_LEN(scratch), 0);
}
1311
/* smtp_header_out - output one message header */

/*
 * Emit one (possibly multi-line) message header through smtp_text_out(),
 * one physical line per call, each as a REC_TYPE_NORM record. The header
 * class and header options are not used. The buffer is consumed
 * destructively; that is acceptable because the header is not used again
 * after this point.
 */
static void smtp_header_out(void *context, int unused_header_class,
			            const HEADER_OPTS *unused_info,
			            VSTRING *buf, off_t offset)
{
    char   *line = vstring_str(buf);

    while (line != 0) {
	char   *rest = split_at(line, '\n');
	/* With a following line, exclude the newline that ended this one. */
	ssize_t line_len = (rest != 0) ? rest - line - 1 : (ssize_t) strlen(line);

	smtp_text_out(context, REC_TYPE_NORM, line, line_len, offset);
	line = rest;
    }
}
1332
/* smtp_header_rewrite - rewrite message header before output */

/*
 * Header output call-back that applies smtp_header_checks and
 * smtp_generic_maps before handing the header to the output routines.
 *
 * context      - the SMTP_STATE of the current delivery
 * header_class - MIME header class; generic-map address rewriting is done
 *                for MIME_HDR_PRIMARY headers only
 * header_info  - header attributes (name, HDR_OPT_SENDER/HDR_OPT_RECIP
 *                flags); may be null, in which case no address rewriting
 *                takes place
 * buf          - the header text; modified in place
 * offset       - queue file offset, passed through to the output routines
 *
 * Returns without producing output when header_checks discards the header.
 * On a header_checks lookup error, the DATA phase is aborted with
 * vstream_longjmp(SMTP_ERR_DATA) rather than sending an unchecked header.
 */
static void smtp_header_rewrite(void *context, int header_class,
			                const HEADER_OPTS *header_info,
			                VSTRING *buf, off_t offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    int     did_rewrite = 0;		/* non-zero: generic maps changed an address */
    char   *line;
    char   *start;
    char   *next_line;
    char   *end_line;
    char   *result;

    /*
     * Apply optional header filtering.
     */
    if (smtp_header_checks) {
	result = hbc_header_checks(context, smtp_header_checks, header_class,
				   header_info, buf, offset);
	if (result == 0)			/* header was discarded */
	    return;
	if (result == HBC_CHECKS_STAT_ERROR) {
	    /* Fail the DATA phase instead of passing the header unchecked. */
	    msg_warn("%s: smtp header checks lookup error",
		     state->request->queue_id);
	    vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
	}
	if (result != STR(buf)) {		/* header was replaced */
	    vstring_strcpy(buf, result);
	    myfree(result);
	}
    }

    /*
     * Rewrite primary header addresses that match the smtp_generic_maps. The
     * cleanup server already enforces that all headers have proper lengths
     * and that all addresses are in proper form, so we don't have to repeat
     * that.
     */
    if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY
	&& (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) {
	TOK822 *tree;
	TOK822 **addr_list;
	TOK822 **tpp;

	/* Parse only the header body: skip the name and the ':' after it. */
	tree = tok822_parse(vstring_str(buf)
			    + strlen(header_info->name) + 1);
	addr_list = tok822_grep(tree, TOK822_ADDR);
	for (tpp = addr_list; *tpp; tpp++)
	    did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps,
					   smtp_ext_prop_mask & EXT_PROP_GENERIC);
	if (did_rewrite) {
	    /* Rebuild the header as "<name>: " plus the externalized tree. */
	    vstring_truncate(buf, strlen(header_info->name));
	    vstring_strcat(buf, ": ");
	    tok822_externalize(buf, tree, TOK822_STR_HEAD);
	}
	myfree((void *) addr_list);
	tok822_free_tree(tree);
    }

    /*
     * Pass through unmodified headers without reconstruction.
     */
    if (did_rewrite == 0) {
	smtp_header_out(context, header_class, header_info, buf, offset);
	return;
    }

    /*
     * A rewritten address list contains one address per line. The code below
     * replaces newlines by spaces, to fit as many addresses on a line as
     * possible (without rearranging the order of addresses). Prepending
     * white space to the beginning of lines is delegated to the output
     * routine.
     *
     * Code derived from cleanup_fold_header().
     */
    for (line = start = vstring_str(buf); line != 0; line = next_line) {
	end_line = line + strcspn(line, "\n");
	if (line > start) {
	    /* line[-1] is the '\n' that terminated the previous line. */
	    if (end_line - start < 70) {	/* TAB counts as one */
		line[-1] = ' ';			/* join with the current line */
	    } else {
		start = line;			/* keep the '\n': new line */
	    }
	}
	next_line = *end_line ? end_line + 1 : 0;
    }

    /*
     * Prepend a tab to continued header lines that went through the address
     * rewriting machinery. Just like smtp_header_out(), this code destroys
     * the header. We could try to avoid clobbering it, but we're not going
     * to use the data any further.
     *
     * Code derived from cleanup_out_header().
     */
    for (line = start = vstring_str(buf); line != 0; line = next_line) {
	next_line = split_at(line, '\n');
	if (line == start || IS_SPACE_TAB(*line)) {
	    /* First line, or already indented: emit as-is. */
	    smtp_text_out(state, REC_TYPE_NORM, line, next_line ?
			  next_line - line - 1 : strlen(line), offset);
	} else {
	    /* Continuation line without leading white space: fold with a TAB. */
	    smtp_format_out(state, REC_TYPE_NORM, "\t%s", line);
	}
    }
}
1440
/* smtp_body_rewrite - rewrite message body before output */

/*
 * Body output call-back that runs smtp_body_checks over one body record.
 * The record is passed through unchanged, replaced by the text that the
 * checks returned, or dropped (a null result); a lookup error aborts the
 * DATA phase via vstream_longjmp(). With no body checks configured this
 * routine produces no output at all.
 */
static void smtp_body_rewrite(void *context, int type,
			              const char *buf, ssize_t len,
			              off_t offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    char   *result;

    if (smtp_body_checks == 0)
	return;

    result = hbc_body_checks(context, smtp_body_checks, buf, len, offset);
    if (result == buf) {
	/* Unchanged: pass the original record through. */
	smtp_text_out(state, type, buf, len, offset);
    } else if (result == HBC_CHECKS_STAT_ERROR) {
	/* Do not deliver content that could not be checked. */
	msg_warn("%s: smtp body checks lookup error",
		 state->request->queue_id);
	vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
    } else if (result != 0) {
	/* Replaced: emit the substitute text, then release it. */
	smtp_text_out(state, type, result, strlen(result), offset);
	myfree(result);
    }
    /* result == 0: the record was discarded by the body checks. */
}
1467
/* smtp_mime_fail - MIME problem */

/*
 * Report a MIME processing error as a locally generated message-level
 * failure, using the DSN code and text that mime_state_detail() provides
 * for the given error bits.
 */
static void smtp_mime_fail(SMTP_STATE *state, int mime_errs)
{
    SMTP_RESP fake;
    const MIME_STATE_DETAIL *detail = mime_state_detail(mime_errs);

    smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
		   SMTP_RESP_FAKE(&fake, detail->dsn), "%s", detail->text);
}
1480
/* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */

/*
 * Write one record either directly with smtp_text_out() (no MIME state on
 * the session) or through the session's MIME state machine. Returns 0 on
 * success, -1 after reporting a MIME error with smtp_mime_fail().
 */
static int smtp_out_raw_or_mime(SMTP_STATE *state, int rec_type, VSTRING *buf)
{
    SMTP_SESSION *session = state->session;
    int     errs;

    /* Raw mode: no MIME processing on this session. */
    if (session->mime_state == 0) {
	smtp_text_out((void *) state, rec_type, vstring_str(buf),
		      VSTRING_LEN(buf), (off_t) 0);
	return (0);
    }
    /* MIME mode: feed the record to the MIME state machine. */
    errs = mime_state_update(session->mime_state, rec_type,
			     vstring_str(buf), VSTRING_LEN(buf));
    if (errs == 0)
	return (0);
    smtp_mime_fail(state, errs);
    return (-1);
}
1502
/* smtp_out_add_header - format address header, uses session->scratch* */

/*
 * Build "<label>: <lt><address><gt>" in session->scratch, with the address
 * first passed through the generic maps (into session->scratch2) and then
 * RFC 822 quoted, and emit it as a REC_TYPE_NORM record via
 * smtp_out_raw_or_mime(), whose result is returned. Both scratch buffers
 * are overwritten.
 */
static int smtp_out_add_header(SMTP_STATE *state, const char *label,
			               const char *lt, const char *addr,
			               const char *gt)
{
    SMTP_SESSION *session = state->session;
    VSTRING *header = session->scratch;
    VSTRING *mapped_addr = session->scratch2;

    smtp_rewrite_generic_internal(mapped_addr, addr);
    vstring_sprintf(header, "%s: %s", label, lt);
    smtp_quote_822_address_flags(header, vstring_str(mapped_addr),
				 QUOTE_FLAG_DEFAULT | QUOTE_FLAG_APPEND);
    vstring_strcat(header, gt);
    return (smtp_out_raw_or_mime(state, REC_TYPE_NORM, header));
}
1519
/* smtp_out_add_headers - output additional headers, uses session->scratch* */

/*
 * Emit the optional Return-Path, X-Original-To and Delivered-To headers,
 * each only when the corresponding SMTP_CLI_FLAG_* bit is set in
 * smtp_cli_attr.flags. Returns 0 on success, or -1 as soon as one header
 * could not be written; any headers after that one are not attempted.
 */
static int smtp_out_add_headers(SMTP_STATE *state)
{
    DELIVER_REQUEST *request = state->request;

    /* Prepend headers in the same order as mail_copy.c. */
    if ((smtp_cli_attr.flags & SMTP_CLI_FLAG_RETURN_PATH) != 0
	&& smtp_out_add_header(state, "Return-Path", "<",
			       request->sender, ">") < 0)
	return (-1);
    if ((smtp_cli_attr.flags & SMTP_CLI_FLAG_ORIG_RCPT) != 0
	&& smtp_out_add_header(state, "X-Original-To", "",
			       request->rcpt_list.info->orig_addr, "") < 0)
	return (-1);
    if ((smtp_cli_attr.flags & SMTP_CLI_FLAG_DELIVERED_TO) != 0
	&& smtp_out_add_header(state, "Delivered-To", "",
			       request->rcpt_list.info->address, "") < 0)
	return (-1);
    return (0);
}
1539
1540 /* smtp_loop - exercise the SMTP protocol engine */
1541
smtp_loop(SMTP_STATE * state,NOCLOBBER int send_state,NOCLOBBER int recv_state)1542 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
1543 NOCLOBBER int recv_state)
1544 {
1545 const char *myname = "smtp_loop";
1546 DELIVER_REQUEST *request = state->request;
1547 SMTP_SESSION *session = state->session;
1548 SMTP_ITERATOR *iter = state->iterator;
1549 SMTP_RESP *resp;
1550 RECIPIENT *rcpt;
1551 VSTRING *next_command = vstring_alloc(100);
1552 int *NOCLOBBER survivors = 0;
1553 NOCLOBBER int next_state;
1554 NOCLOBBER int next_rcpt;
1555 NOCLOBBER int send_rcpt;
1556 NOCLOBBER int recv_rcpt;
1557 NOCLOBBER int nrcpt;
1558 NOCLOBBER int recv_done;
1559 int except;
1560 int rec_type;
1561 NOCLOBBER int prev_type = 0;
1562 NOCLOBBER int mail_from_rejected;
1563 NOCLOBBER int downgrading;
1564 int mime_errs;
1565 SMTP_RESP fake;
1566 int fail_status;
1567
1568 /* Caution: changes to RETURN() also affect code outside the main loop. */
1569
1570 #define RETURN(x) do { \
1571 if (recv_state != SMTP_STATE_LAST) \
1572 DONT_CACHE_THIS_SESSION; \
1573 vstring_free(next_command); \
1574 if (survivors) \
1575 myfree((void *) survivors); \
1576 if (session->mime_state) \
1577 session->mime_state = mime_state_free(session->mime_state); \
1578 return (x); \
1579 } while (0)
1580
1581 #define SENDER_IS_AHEAD \
1582 (recv_state < send_state || recv_rcpt != send_rcpt)
1583
1584 #define SENDER_IN_WAIT_STATE \
1585 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST)
1586
1587 #define SENDING_MAIL \
1588 (recv_state <= SMTP_STATE_DOT)
1589
1590 #define CANT_RSET_THIS_SESSION \
1591 (session->features |= SMTP_FEATURE_RSET_REJECTED)
1592
1593 /*
1594 * Pipelining support requires two loops: one loop for sending and one
1595 * for receiving. Each loop has its own independent state. Most of the
1596 * time the sender can run ahead of the receiver by as much as the TCP
1597 * send buffer permits. There are only two places where the sender must
1598 * wait for status information from the receiver: once after sending DATA
1599 * and once after sending QUIT.
1600 *
1601 * The sender state advances until the TCP send buffer would overflow, or
1602 * until the sender needs status information from the receiver. At that
1603 * point the receiver starts processing responses. Once the receiver has
1604 * caught up with the sender, the sender resumes sending commands. If the
1605 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO
1606 * commands rejected, DATA rejected) it forces the sender to abort the
1607 * SMTP dialog with RSET and QUIT.
1608 */
1609 nrcpt = 0;
1610 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0;
1611 mail_from_rejected = 0;
1612
1613 /*
1614 * Prepare for disaster. This should not be needed because the design
1615 * guarantees that no output is flushed before smtp_chat_resp() is
1616 * called.
1617 *
1618 * 1) Every SMTP command fits entirely in a VSTREAM output buffer.
1619 *
1620 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that
1621 * there is sufficient space for the command in the output buffer.
1622 *
1623 * 3) smtp_loop() flushes the output buffer to avoid server timeouts.
1624 *
1625 * Changing any of these would violate the design, and would likely break
1626 * SMTP pipelining.
1627 *
1628 * We set up the error handler anyway (only upon entry to avoid wasting
1629 * resources) because 1) there is code below that expects that VSTREAM
1630 * timeouts are enabled, and 2) this allows us to detect if someone broke
1631 * Postfix by introducing spurious flush before read operations.
1632 */
1633 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR
1634 || send_state > SMTP_STATE_QUIT)
1635 msg_panic("%s: bad sender state %d (receiver state %d)",
1636 myname, send_state, recv_state);
1637 smtp_stream_setup(session->stream, *xfer_timeouts[send_state],
1638 var_smtp_req_deadline, 0);
1639 if ((except = vstream_setjmp(session->stream)) != 0) {
1640 msg_warn("smtp_proto: spurious flush before read in send state %d",
1641 send_state);
1642 RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
1643 xfer_states[send_state]) : -1);
1644 }
1645
1646 /*
1647 * The main protocol loop.
1648 */
1649 do {
1650
1651 /*
1652 * Build the next command.
1653 */
1654 switch (send_state) {
1655
1656 /*
1657 * Sanity check.
1658 */
1659 default:
1660 msg_panic("%s: bad sender state %d", myname, send_state);
1661
1662 /*
1663 * Build the XFORWARD command. With properly sanitized
1664 * information, the command length stays within the 512 byte
1665 * command line length limit.
1666 *
1667 * XXX smtpd_xforward_preset() initializes some fields as "unknown"
1668 * and some as null; historically, pickup(8) does not send any of
1669 * these, and the queue manager presets absent fields to "not
1670 * available" except for the rewrite context which is preset to
1671 * local by way of migration aid. These definitions need to be
1672 * centralized for maintainability.
1673 */
1674 #ifndef CAN_FORWARD_CLIENT_NAME
1675 #define _ATTR_AVAIL_AND_KNOWN_(val) \
1676 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown"))
1677 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_
1678 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_
1679 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_
1680 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_
1681 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL
1682 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL
1683 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL
1684 #endif
1685
1686 case SMTP_STATE_XFORWARD_NAME_ADDR:
1687 vstring_strcpy(next_command, XFORWARD_CMD);
1688 if ((session->features & SMTP_FEATURE_XFORWARD_NAME)
1689 && CAN_FORWARD_CLIENT_NAME(request->client_name)) {
1690 vstring_strcat(next_command, " " XFORWARD_NAME "=");
1691 xtext_quote_append(next_command, request->client_name, "");
1692 }
1693 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
1694 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) {
1695 vstring_strcat(next_command, " " XFORWARD_ADDR "=");
1696 xtext_quote_append(next_command, request->client_addr, "");
1697 }
1698 if ((session->features & SMTP_FEATURE_XFORWARD_PORT)
1699 && CAN_FORWARD_CLIENT_PORT(request->client_port)) {
1700 vstring_strcat(next_command, " " XFORWARD_PORT "=");
1701 xtext_quote_append(next_command, request->client_port, "");
1702 }
1703 if (session->send_proto_helo)
1704 next_state = SMTP_STATE_XFORWARD_PROTO_HELO;
1705 else
1706 next_state = SMTP_STATE_MAIL;
1707 break;
1708
1709 case SMTP_STATE_XFORWARD_PROTO_HELO:
1710 vstring_strcpy(next_command, XFORWARD_CMD);
1711 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
1712 && CAN_FORWARD_PROTO_NAME(request->client_proto)) {
1713 vstring_strcat(next_command, " " XFORWARD_PROTO "=");
1714 xtext_quote_append(next_command, request->client_proto, "");
1715 }
1716 if ((session->features & SMTP_FEATURE_XFORWARD_HELO)
1717 && CAN_FORWARD_HELO_NAME(request->client_helo)) {
1718 vstring_strcat(next_command, " " XFORWARD_HELO "=");
1719 xtext_quote_append(next_command, request->client_helo, "");
1720 }
1721 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
1722 && CAN_FORWARD_IDENT_NAME(request->log_ident)) {
1723 vstring_strcat(next_command, " " XFORWARD_IDENT "=");
1724 xtext_quote_append(next_command, request->log_ident, "");
1725 }
1726 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
1727 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) {
1728 vstring_strcat(next_command, " " XFORWARD_DOMAIN "=");
1729 xtext_quote_append(next_command,
1730 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ?
1731 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, "");
1732 }
1733 next_state = SMTP_STATE_MAIL;
1734 break;
1735
1736 /*
1737 * Build the MAIL FROM command.
1738 */
1739 case SMTP_STATE_MAIL:
1740 request->msg_stats.reuse_count = session->reuse_count;
1741 GETTIMEOFDAY(&request->msg_stats.conn_setup_done);
1742 smtp_rewrite_generic_internal(session->scratch2, request->sender);
1743 smtp_quote_821_address(session->scratch,
1744 vstring_str(session->scratch2));
1745 vstring_sprintf(next_command, "MAIL FROM:<%s>",
1746 vstring_str(session->scratch));
1747 /* XXX Don't announce SIZE if we're going to MIME downgrade. */
1748 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */
1749 && !SMTP_MIME_DOWNGRADE(session, request))
1750 vstring_sprintf_append(next_command, " SIZE=%lu",
1751 request->data_size);
1752 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */
1753 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0)
1754 vstring_strcat(next_command, " BODY=8BITMIME");
1755 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0)
1756 vstring_strcat(next_command, " BODY=7BIT");
1757 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0)
1758 msg_warn("%s: unknown content encoding: %s",
1759 request->queue_id, request->encoding);
1760 }
1761 if (session->features & SMTP_FEATURE_DSN) {
1762 if (request->dsn_envid[0]) {
1763 vstring_sprintf_append(next_command, " ENVID=");
1764 xtext_quote_append(next_command, request->dsn_envid, "+=");
1765 }
1766 if (request->dsn_ret)
1767 vstring_sprintf_append(next_command, " RET=%s",
1768 dsn_ret_str(request->dsn_ret));
1769 }
1770
1771 /*
1772 * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8
1773 * and the sender requested SMTPUTF8 support.
1774 *
1775 * If the sender requested SMTPUTF8 but the remote SMTP server does
1776 * not support SMTPUTF8, then we have already determined earlier
1777 * that delivering this message without SMTPUTF8 will not break
1778 * the SMTPUTF8 promise that was made to the sender.
1779 */
1780 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0
1781 && (request->sendopts & SMTPUTF8_FLAG_REQUESTED) != 0)
1782 vstring_strcat(next_command, " SMTPUTF8");
1783 /* TODO(wietse) REQUIRETLS. */
1784
1785 /*
1786 * We authenticate the local MTA only, but not the sender.
1787 */
1788 #ifdef USE_SASL_AUTH
1789 if (var_smtp_sasl_enable
1790 && var_smtp_dummy_mail_auth
1791 && (session->features & SMTP_FEATURE_AUTH))
1792 vstring_strcat(next_command, " AUTH=<>");
1793 #endif
1794
1795 /*
1796 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail
1797 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA
1798 * commands to our TLS session.
1799 *
1800 * For the attack to succeed, the remote SMTP server must reply to
1801 * the malicious EHLO/MAIL/RCPT/DATA commands after completing
1802 * TLS (re)negotiation, so that the replies arrive in our TLS
1803 * session (otherwise the Postfix SMTP client would time out
1804 * waiting for an answer). With some luck we can detect this
1805 * specific attack as a server MAIL reply that arrives before we
1806 * send our own MAIL command.
1807 *
1808 * We don't apply this test to the HELO command because the result
1809 * would be very timing sensitive, and we don't apply this test
1810 * to RCPT and DATA replies because these may be pipelined for
1811 * legitimate reasons.
1812 */
1813 #ifdef USE_TLS
1814 if (var_smtp_tls_blk_early_mail_reply
1815 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
1816 && (vstream_peek(session->stream) > 0
1817 || peekfd(vstream_fileno(session->stream)) > 0))
1818 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY;
1819 #endif
1820
1821 /*
1822 * We now return to our regular broadcast.
1823 */
1824 next_state = SMTP_STATE_RCPT;
1825 break;
1826
1827 /*
1828 * Build one RCPT TO command before we have seen the MAIL FROM
1829 * response.
1830 */
1831 case SMTP_STATE_RCPT:
1832 rcpt = request->rcpt_list.info + send_rcpt;
1833 smtp_rewrite_generic_internal(session->scratch2, rcpt->address);
1834 smtp_quote_821_address(session->scratch,
1835 vstring_str(session->scratch2));
1836 vstring_sprintf(next_command, "RCPT TO:<%s>",
1837 vstring_str(session->scratch));
1838 if (session->features & SMTP_FEATURE_DSN) {
1839 /* XXX DSN xtext encode address value not type. */
1840 const char *orcpt_type_addr = rcpt->dsn_orcpt;
1841
1842 /* Fix 20140706: don't use empty rcpt->orig_addr. */
1843 if (orcpt_type_addr[0] == 0 && rcpt->orig_addr[0] != 0) {
1844 quote_822_local(session->scratch, rcpt->orig_addr);
1845 vstring_sprintf(session->scratch2, "%s;%s",
1846 /* Fix 20140707: sender must request SMTPUTF8. */
1847 ((request->sendopts & SMTPUTF8_FLAG_ALL)
1848 && !allascii(vstring_str(session->scratch))
1849 && valid_utf8_stringz(vstring_str(session->scratch))) ?
1850 "utf-8" : "rfc822",
1851 vstring_str(session->scratch));
1852 orcpt_type_addr = vstring_str(session->scratch2);
1853 }
1854 if (orcpt_type_addr[0] != 0) {
1855 /* Fix 20140706: don't send unquoted ORCPT. */
1856 /* Fix 20140707: quoting method must match orcpt type. */
1857 /* Fix 20140707: handle uxtext encoder errors. */
1858 if (strncasecmp(orcpt_type_addr, "utf-8;", 6) == 0) {
1859 if (uxtext_quote(session->scratch,
1860 orcpt_type_addr, "+=") != 0)
1861 vstring_sprintf_append(next_command, " ORCPT=%s",
1862 vstring_str(session->scratch));
1863 } else {
1864 xtext_quote(session->scratch, orcpt_type_addr, "=");
1865 vstring_sprintf_append(next_command, " ORCPT=%s",
1866 vstring_str(session->scratch));
1867 }
1868 }
1869 if (rcpt->dsn_notify)
1870 vstring_sprintf_append(next_command, " NOTIFY=%s",
1871 dsn_notify_str(rcpt->dsn_notify));
1872 }
1873 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state))
1874 next_state = (DEL_REQ_TRACE_ONLY(request->flags)
1875 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ?
1876 SMTP_STATE_ABORT : SMTP_STATE_DATA;
1877 break;
1878
1879 /*
1880 * Build the DATA command before we have seen all the RCPT TO
1881 * responses.
1882 */
1883 case SMTP_STATE_DATA:
1884 vstring_strcpy(next_command, "DATA");
1885 next_state = SMTP_STATE_DOT;
1886 break;
1887
1888 /*
1889 * Build the "." command after we have seen the DATA response
1890 * (DATA is a protocol synchronization point).
1891 *
1892 * Changing the connection caching state here is safe because it
1893 * affects none of the not-yet processed replies to
1894 * already-generated commands.
1895 */
1896 case SMTP_STATE_DOT:
1897 vstring_strcpy(next_command, ".");
1898 if (THIS_SESSION_IS_EXPIRED)
1899 DONT_CACHE_THIS_SESSION;
1900 next_state = THIS_SESSION_IS_CACHED ?
1901 SMTP_STATE_LAST : SMTP_STATE_QUIT;
1902 break;
1903
1904 /*
1905 * The SMTP_STATE_ABORT sender state is entered by the sender
1906 * when it has verified all recipients; or it is entered by the
1907 * receiver when all recipients are verified or rejected, and is
1908 * then left before the bottom of the main loop.
1909 *
1910 * Changing the connection caching state here is safe because there
1911 * are no not-yet processed replies to already-generated
1912 * commands.
1913 */
1914 case SMTP_STATE_ABORT:
1915 vstring_strcpy(next_command, "RSET");
1916 if (THIS_SESSION_IS_EXPIRED)
1917 DONT_CACHE_THIS_SESSION;
1918 next_state = THIS_SESSION_IS_CACHED ?
1919 SMTP_STATE_LAST : SMTP_STATE_QUIT;
1920 break;
1921
1922 /*
1923 * Build the RSET command. This is entered as initial state from
1924 * smtp_rset() and has its own dedicated state transitions. It is
1925 * used to find out the status of a cached session before
1926 * attempting mail delivery.
1927 */
1928 case SMTP_STATE_RSET:
1929 vstring_strcpy(next_command, "RSET");
1930 next_state = SMTP_STATE_LAST;
1931 break;
1932
1933 /*
1934 * Build the QUIT command before we have seen the "." or RSET
1935 * response. This is entered as initial state from smtp_quit(),
1936 * or is reached near the end of any non-cached session.
1937 *
1938 * Changing the connection caching state here is safe. If this
1939 * command is pipelined together with a preceding command, then
1940 * connection caching was already turned off. Do not clobber the
1941 * "bad connection" flag.
1942 */
1943 case SMTP_STATE_QUIT:
1944 vstring_strcpy(next_command, "QUIT");
1945 next_state = SMTP_STATE_LAST;
1946 if (THIS_SESSION_IS_CACHED)
1947 DONT_CACHE_THIS_SESSION;
1948 break;
1949
1950 /*
1951 * The final sender state has no action associated with it.
1952 */
1953 case SMTP_STATE_LAST:
1954 VSTRING_RESET(next_command);
1955 break;
1956 }
1957 VSTRING_TERMINATE(next_command);
1958
1959 /*
1960 * Process responses until the receiver has caught up. Vstreams
1961 * automatically flush buffered output when reading new data.
1962 *
1963 * Flush unsent output if command pipelining is off or if no I/O
1964 * happened for a while. This limits the accumulation of client-side
1965 * delays in pipelined sessions.
1966 *
1967 * The PIPELINING engine will flush the VSTREAM buffer if the sender
1968 * could otherwise produce more output than fits the PIPELINING
1969 * buffer. This generally works because we know exactly how much
1970 * output we produced since the last time that the sender and
1971 * receiver synchronized the SMTP state. However this logic is not
1972 * applicable after the sender enters the DATA phase, where it does
1973 * not synchronize with the receiver until the <CR><LF>.<CR><LF>.
1974 * Thus, the PIPELINING engine no longer knows how much data is
1975 * pending in the TCP send buffer. For this reason, if PIPELINING is
1976 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is
1977 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP
1978 * stack either has already received the QUIT<CR><LF>, or else it
1979 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>,
1980 * making room in the sender's TCP stack for QUIT<CR><LF>.
1981 */
1982 #define CHECK_PIPELINING_BUFSIZE \
1983 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT)
1984
1985 if (SENDER_IN_WAIT_STATE
1986 || (SENDER_IS_AHEAD
1987 && ((session->features & SMTP_FEATURE_PIPELINING) == 0
1988 || (CHECK_PIPELINING_BUFSIZE
1989 && (VSTRING_LEN(next_command) + 2
1990 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND)
1991 > PIPELINING_BUFSIZE))
1992 || time((time_t *) 0)
1993 - vstream_ftime(session->stream) > 10))) {
1994 while (SENDER_IS_AHEAD) {
1995
1996 /*
1997 * Sanity check.
1998 */
1999 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR
2000 || recv_state > SMTP_STATE_QUIT)
2001 msg_panic("%s: bad receiver state %d (sender state %d)",
2002 myname, recv_state, send_state);
2003
2004 /*
2005 * Receive the next server response. Use the proper timeout,
2006 * and log the proper client state in case of trouble.
2007 *
2008 * XXX If we lose the connection before sending end-of-data,
2009 * find out if the server sent a premature end-of-data reply.
2010 * If this read attempt fails, report "lost connection while
2011 * sending message body", not "lost connection while sending
2012 * end-of-data".
2013 *
2014 * "except" becomes zero just above the protocol loop, and stays
2015 * zero or triggers an early return from the loop. In just
2016 * one case: loss of the connection when sending the message
2017 * body, we record the exception, and keep processing in the
2018 * hope of detecting a premature 5XX. We must be careful to
2019 * not clobber this non-zero value once it is set. The
2020 * variable need not survive longjmp() calls, since the only
2021 * setjmp() which does not return early is the one that sets this
2022 * condition, subsequent failures always return early.
2023 */
2024 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF)
2025
2026 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state],
2027 var_smtp_req_deadline, 0);
2028 if (LOST_CONNECTION_INSIDE_DATA) {
2029 if (vstream_setjmp(session->stream) != 0)
2030 RETURN(smtp_stream_except(state, SMTP_ERR_EOF,
2031 "sending message body"));
2032 } else {
2033 if ((except = vstream_setjmp(session->stream)) != 0)
2034 RETURN(SENDING_MAIL ? smtp_stream_except(state, except,
2035 xfer_states[recv_state]) : -1);
2036 }
2037 resp = smtp_chat_resp(session);
2038
2039 /*
2040 * Process the response.
2041 */
2042 switch (recv_state) {
2043
2044 /*
2045 * Process the XFORWARD response.
2046 */
2047 case SMTP_STATE_XFORWARD_NAME_ADDR:
2048 if (resp->code / 100 != 2)
2049 msg_warn("host %s said: %s (in reply to %s)",
2050 session->namaddrport,
2051 translit(resp->str, "\n", " "),
2052 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]);
2053 if (session->send_proto_helo)
2054 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO;
2055 else
2056 recv_state = SMTP_STATE_MAIL;
2057 break;
2058
2059 case SMTP_STATE_XFORWARD_PROTO_HELO:
2060 if (resp->code / 100 != 2)
2061 msg_warn("host %s said: %s (in reply to %s)",
2062 session->namaddrport,
2063 translit(resp->str, "\n", " "),
2064 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]);
2065 recv_state = SMTP_STATE_MAIL;
2066 break;
2067
2068 /*
2069 * Process the MAIL FROM response. When the server
2070 * rejects the sender, set the mail_from_rejected flag so
2071 * that the receiver may apply a course correction.
2072 */
2073 case SMTP_STATE_MAIL:
2074 if (resp->code / 100 != 2) {
2075 smtp_mesg_fail(state, STR(iter->host), resp,
2076 "host %s said: %s (in reply to %s)",
2077 session->namaddr,
2078 translit(resp->str, "\n", " "),
2079 xfer_request[SMTP_STATE_MAIL]);
2080 mail_from_rejected = 1;
2081 }
2082
2083 /*
2084 * CVE-2009-3555 (TLS renegotiation). Whatever it was
2085 * that arrived before we sent our MAIL FROM command, it
2086 * was not a fatal-level TLS alert message. It could be a
2087 * warning-level TLS alert message, or a ChangeCipherSpec
2088 * message, but such messages are not normally sent in
2089 * the middle of a TLS session. We disconnect and try
2090 * again later.
2091 */
2092 #ifdef USE_TLS
2093 if (var_smtp_tls_blk_early_mail_reply
2094 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) {
2095 smtp_site_fail(state, DSN_BY_LOCAL_MTA,
2096 SMTP_RESP_FAKE(&fake, "4.7.0"),
2097 "unexpected server message");
2098 msg_warn("server %s violates %s policy",
2099 session->namaddr,
2100 VAR_LMTP_SMTP(TLS_BLK_EARLY_MAIL_REPLY));
2101 mail_from_rejected = 1;
2102 }
2103 #endif
2104
2105 /*
2106 * We now return to our regular broadcast.
2107 */
2108 recv_state = SMTP_STATE_RCPT;
2109 break;
2110
2111 /*
2112 * Process one RCPT TO response. If MAIL FROM was
2113 * rejected, ignore RCPT TO responses: all recipients are
2114 * dead already. When all recipients are rejected the
2115 * receiver may apply a course correction.
2116 *
2117 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply
2118 * must be treated as if the server replied with 452.
2119 * However, this causes "too much mail data" to be
2120 * treated as a recoverable error, which is wrong. I'll
2121 * stick with RFC 821.
2122 */
2123 case SMTP_STATE_RCPT:
2124 if (!mail_from_rejected) {
2125 #ifdef notdef
2126 if (resp->code == 552) {
2127 resp->code = 452;
2128 resp->dsn[0] = '4';
2129 }
2130 #endif
2131 rcpt = request->rcpt_list.info + recv_rcpt;
2132 if (resp->code / 100 == 2) {
2133 if (!smtp_mode) {
2134 if (survivors == 0)
2135 survivors = (int *)
2136 mymalloc(request->rcpt_list.len
2137 * sizeof(int));
2138 survivors[nrcpt] = recv_rcpt;
2139 }
2140 ++nrcpt;
2141 /* If trace-only, mark the recipient done. */
2142 if (DEL_REQ_TRACE_ONLY(request->flags)
2143 && smtp_vrfy_tgt == SMTP_STATE_RCPT) {
2144 translit(resp->str, "\n", " ");
2145 smtp_rcpt_done(state, resp, rcpt);
2146 }
2147 } else {
2148 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp,
2149 "host %s said: %s (in reply to %s)",
2150 session->namaddr,
2151 translit(resp->str, "\n", " "),
2152 xfer_request[SMTP_STATE_RCPT]);
2153 }
2154 }
2155 /* If trace-only, send RSET instead of DATA. */
2156 if (++recv_rcpt == SMTP_RCPT_LEFT(state))
2157 recv_state = (DEL_REQ_TRACE_ONLY(request->flags)
2158 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ?
2159 SMTP_STATE_ABORT : SMTP_STATE_DATA;
2160 /* XXX Also: record if non-delivering session. */
2161 break;
2162
2163 /*
2164 * Process the DATA response. When the server rejects
2165 * DATA, set nrcpt to a negative value so that the
2166 * receiver can apply a course correction.
2167 */
2168 case SMTP_STATE_DATA:
2169 recv_state = SMTP_STATE_DOT;
2170 if (resp->code / 100 != 3) {
2171 if (nrcpt > 0)
2172 smtp_mesg_fail(state, STR(iter->host), resp,
2173 "host %s said: %s (in reply to %s)",
2174 session->namaddr,
2175 translit(resp->str, "\n", " "),
2176 xfer_request[SMTP_STATE_DATA]);
2177 nrcpt = -1;
2178 }
2179
2180 /*
2181 * In the case of a successful address probe with target
2182 * equal to DATA, the remote server is now in the DATA
2183 * state, and therefore we must not make any further
2184 * attempt to send or receive on this connection. This
2185 * means that we cannot reuse the general-purpose
2186 * course-correction logic below which sends RSET (and
2187 * perhaps QUIT). Instead we "jump" straight to the exit
2188 * and force an unceremonious disconnect.
2189 */
2190 else if (DEL_REQ_TRACE_ONLY(request->flags)
2191 && smtp_vrfy_tgt == SMTP_STATE_DATA) {
2192 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) {
2193 rcpt = request->rcpt_list.info + nrcpt;
2194 if (!SMTP_RCPT_ISMARKED(rcpt)) {
2195 translit(resp->str, "\n", " ");
2196 SMTP_RESP_SET_DSN(resp, "2.0.0");
2197 smtp_rcpt_done(state, resp, rcpt);
2198 }
2199 }
2200 DONT_CACHE_THIS_SESSION;
2201 send_state = recv_state = SMTP_STATE_LAST;
2202 }
2203 break;
2204
2205 /*
2206 * Process the end of message response. Ignore the
2207 * response when no recipient was accepted: all
2208 * recipients are dead already, and the next receiver
2209 * state is SMTP_STATE_LAST/QUIT regardless. Otherwise,
2210 * if the message transfer fails, bounce all remaining
2211 * recipients, else cross off the recipients that were
2212 * delivered.
2213 */
2214 case SMTP_STATE_DOT:
2215 GETTIMEOFDAY(&request->msg_stats.deliver_done);
2216 if (smtp_mode) {
2217 if (nrcpt > 0) {
2218 if (resp->code / 100 != 2) {
2219 smtp_mesg_fail(state, STR(iter->host), resp,
2220 "host %s said: %s (in reply to %s)",
2221 session->namaddr,
2222 translit(resp->str, "\n", " "),
2223 xfer_request[SMTP_STATE_DOT]);
2224 } else {
2225 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) {
2226 rcpt = request->rcpt_list.info + nrcpt;
2227 if (!SMTP_RCPT_ISMARKED(rcpt)) {
2228 translit(resp->str, "\n", " ");
2229 smtp_rcpt_done(state, resp, rcpt);
2230 }
2231 }
2232 }
2233 }
2234 }
2235
2236 /*
2237 * With LMTP we have one response per accepted RCPT TO
2238 * command. Stay in the SMTP_STATE_DOT state until we
2239 * have collected all responses.
2240 */
2241 else {
2242 if (nrcpt > 0) {
2243 rcpt = request->rcpt_list.info
2244 + survivors[recv_done++];
2245 if (resp->code / 100 != 2) {
2246 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp,
2247 "host %s said: %s (in reply to %s)",
2248 session->namaddr,
2249 translit(resp->str, "\n", " "),
2250 xfer_request[SMTP_STATE_DOT]);
2251 } else {
2252 translit(resp->str, "\n", " ");
2253 smtp_rcpt_done(state, resp, rcpt);
2254 }
2255 }
2256 if (msg_verbose)
2257 msg_info("%s: got %d of %d end-of-data replies",
2258 myname, recv_done, nrcpt);
2259 if (recv_done < nrcpt)
2260 break;
2261 }
2262
2263 /*
2264 * XXX Do not change the connection caching state here,
2265 * even if the connection caching timer expired between
2266 * generating the command and processing the reply,
2267 * otherwise the sender and receiver loops get out of
2268 * sync. The caller will call smtp_quit() if appropriate.
2269 */
2270 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED
2271 || LOST_CONNECTION_INSIDE_DATA)
2272 recv_state = SMTP_STATE_LAST;
2273 else
2274 recv_state = SMTP_STATE_QUIT;
2275 break;
2276
2277 /*
2278 * Receive the RSET response.
2279 *
2280 * The SMTP_STATE_ABORT sender state is entered by the
2281 * sender when it has verified all recipients; or it is
2282 * entered by the receiver when all recipients are
2283 * verified or rejected, and is then left before the
2284 * bottom of the main loop.
2285 *
2286 * XXX Do not change the connection caching state here, even
2287 * if the server rejected RSET or if the connection
2288 * caching timer expired between generating the command
2289 * and processing the reply, otherwise the sender and
2290 * receiver loops get out of sync. The caller will call
2291 * smtp_quit() if appropriate.
2292 */
2293 case SMTP_STATE_ABORT:
2294 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ?
2295 SMTP_STATE_LAST : SMTP_STATE_QUIT);
2296 break;
2297
2298 /*
2299 * This is the initial receiver state from smtp_rset().
2300 * It is used to find out the status of a cached session
2301 * before attempting mail delivery.
2302 */
2303 case SMTP_STATE_RSET:
2304 if (resp->code / 100 != 2)
2305 CANT_RSET_THIS_SESSION;
2306 recv_state = SMTP_STATE_LAST;
2307 break;
2308
2309 /*
2310 * Receive, but otherwise ignore, the QUIT response.
2311 */
2312 case SMTP_STATE_QUIT:
2313 recv_state = SMTP_STATE_LAST;
2314 break;
2315 }
2316 }
2317
2318 /*
2319 * At this point, the sender and receiver are fully synchronized.
2320 */
2321
2322 /*
2323 * We know the server response to every command that was sent.
2324 * Apply a course correction if necessary: the sender wants to
2325 * send RCPT TO but MAIL FROM was rejected; the sender wants to
2326 * send DATA but all recipients were rejected; the sender wants
2327 * to deliver the message but DATA was rejected.
2328 */
2329 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected)
2330 || (send_state == SMTP_STATE_DATA && nrcpt == 0)
2331 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) {
2332 send_state = recv_state = SMTP_STATE_ABORT;
2333 send_rcpt = recv_rcpt = 0;
2334 vstring_strcpy(next_command, "RSET");
2335 if (THIS_SESSION_IS_EXPIRED)
2336 DONT_CACHE_THIS_SESSION;
2337 next_state = THIS_SESSION_IS_CACHED ?
2338 SMTP_STATE_LAST : SMTP_STATE_QUIT;
2339 /* XXX Also: record if non-delivering session. */
2340 next_rcpt = 0;
2341 }
2342 }
2343
2344 /*
2345 * Make the next sender state the current sender state.
2346 */
2347 if (send_state == SMTP_STATE_LAST)
2348 continue;
2349
2350 /*
2351 * Special case if the server accepted the DATA command. If the
2352 * server accepted at least one recipient send the entire message.
2353 * Otherwise, just send "." as per RFC 2197.
2354 *
2355 * XXX If there is a hard MIME error while downgrading to 7-bit mail,
2356 * disconnect ungracefully, because there is no other way to cancel a
2357 * transaction in progress.
2358 */
2359 if (send_state == SMTP_STATE_DOT && nrcpt > 0) {
2360
2361 smtp_stream_setup(session->stream, var_smtp_data1_tmout,
2362 var_smtp_req_deadline, var_smtp_min_data_rate);
2363
2364 if ((except = vstream_setjmp(session->stream)) == 0) {
2365
2366 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0)
2367 msg_fatal("seek queue file: %m");
2368
2369 downgrading = SMTP_MIME_DOWNGRADE(session, request);
2370
2371 /*
2372 * XXX Don't downgrade just because generic_maps is turned
2373 * on.
2374 */
2375 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks)
2376
2377 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS)
2378 session->mime_state = mime_state_alloc(downgrading ?
2379 MIME_OPT_DOWNGRADE
2380 | MIME_OPT_REPORT_NESTING :
2381 SMTP_ANY_CHECKS == 0 ?
2382 MIME_OPT_DISABLE_MIME :
2383 0,
2384 smtp_generic_maps
2385 || smtp_header_checks ?
2386 smtp_header_rewrite :
2387 smtp_header_out,
2388 (MIME_STATE_ANY_END) 0,
2389 smtp_body_checks ?
2390 smtp_body_rewrite :
2391 smtp_text_out,
2392 (MIME_STATE_ANY_END) 0,
2393 (MIME_STATE_ERR_PRINT) 0,
2394 (void *) state);
2395 state->space_left = var_smtp_line_limit;
2396
2397 if ((smtp_cli_attr.flags & SMTP_CLI_MASK_ADD_HEADERS) != 0
2398 && smtp_out_add_headers(state) < 0)
2399 RETURN(0);
2400
2401 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) {
2402 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT)
2403 break;
2404 if (smtp_out_raw_or_mime(state, rec_type,
2405 session->scratch) < 0)
2406 RETURN(0);
2407 prev_type = rec_type;
2408 }
2409
2410 if (session->mime_state) {
2411
2412 /*
2413 * The cleanup server normally ends MIME content with a
2414 * normal text record. The following code is needed to
2415 * flush an internal buffer when someone submits 8-bit
2416 * mail not ending in newline via /usr/sbin/sendmail
2417 * while MIME input processing is turned off, and MIME
2418 * 8bit->7bit conversion is requested upon delivery.
2419 *
2420 * Or some error while doing generic address mapping.
2421 */
2422 mime_errs =
2423 mime_state_update(session->mime_state, rec_type, "", 0);
2424 if (mime_errs) {
2425 smtp_mime_fail(state, mime_errs);
2426 RETURN(0);
2427 }
2428 } else if (prev_type == REC_TYPE_CONT) /* missing newline */
2429 smtp_fputs("", 0, session->stream);
2430 if (session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) {
2431 smtp_flush(session->stream);/* hurts performance */
2432 sleep(var_smtp_pix_delay); /* not to mention this */
2433 }
2434 if (vstream_ferror(state->src))
2435 msg_fatal("queue file read error");
2436 if (rec_type != REC_TYPE_XTRA) {
2437 msg_warn("%s: bad record type: %d in message content",
2438 request->queue_id, rec_type);
2439 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
2440 SMTP_RESP_FAKE(&fake, "5.3.0"),
2441 "unreadable mail queue entry");
2442 /* Bailing out, abort stream with prejudice */
2443 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
2444 DONT_USE_FORBIDDEN_SESSION;
2445 /* If bounce_append() succeeded, status is still 0 */
2446 if (state->status == 0)
2447 (void) mark_corrupt(state->src);
2448 /* Don't override smtp_mesg_fail() here. */
2449 RETURN(fail_status);
2450 }
2451 } else {
2452 if (!LOST_CONNECTION_INSIDE_DATA)
2453 RETURN(smtp_stream_except(state, except,
2454 "sending message body"));
2455
2456 /*
2457 * We will clear the stream error flag to try and read a
2458 * premature 5XX response, so it is important to flush any
2459 * unwritten data. Otherwise, we will try to flush it again
2460 * before reading, which may incur an unnecessary delay and
2461 * will prevent the reading of any response that is not
2462 * already buffered (bundled with the DATA 354 response).
2463 *
2464 * Not much point in sending QUIT at this point, skip right to
2465 * SMTP_STATE_LAST. The read engine above will likewise avoid
2466 * looking for a QUIT response.
2467 */
2468 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE);
2469 next_state = SMTP_STATE_LAST;
2470 }
2471 }
2472
2473 /*
2474 * Copy the next command to the buffer and update the sender state.
2475 */
2476 if (except == 0) {
2477 smtp_chat_cmd(session, "%s", vstring_str(next_command));
2478 } else {
2479 DONT_CACHE_THIS_SESSION;
2480 }
2481 send_state = next_state;
2482 send_rcpt = next_rcpt;
2483 } while (recv_state != SMTP_STATE_LAST);
2484 RETURN(0);
2485 }
2486
/* smtp_xfer - send a batch of envelope information and the message data */

/*
 * smtp_xfer_want_name_addr - is there XFORWARD NAME/ADDR/PORT data to send?
 *
 * True only when XFORWARD is enabled locally, the session advertises at
 * least one of the NAME, ADDR or PORT attributes, and the matching client
 * attribute passes its CAN_FORWARD_* test. Local submissions carry no
 * client attributes, so for them this is false.
 */
static int smtp_xfer_want_name_addr(SMTP_SESSION *session,
				            DELIVER_REQUEST *request)
{
    if (!var_smtp_send_xforward)
	return (0);
    if ((session->features & SMTP_FEATURE_XFORWARD_NAME)
	&& CAN_FORWARD_CLIENT_NAME(request->client_name))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
	&& CAN_FORWARD_CLIENT_ADDR(request->client_addr))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_PORT)
	&& CAN_FORWARD_CLIENT_PORT(request->client_port))
	return (1);
    return (0);
}

/*
 * smtp_xfer_want_proto_helo - is there XFORWARD PROTO/HELO/IDENT/DOMAIN data?
 *
 * Same shape as smtp_xfer_want_name_addr(), for the attributes that travel
 * in the second XFORWARD command. The result is stored in
 * session->send_proto_helo, which smtp_loop() consults to pick the state
 * that follows SMTP_STATE_XFORWARD_NAME_ADDR.
 */
static int smtp_xfer_want_proto_helo(SMTP_SESSION *session,
				             DELIVER_REQUEST *request)
{
    if (!var_smtp_send_xforward)
	return (0);
    if ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
	&& CAN_FORWARD_PROTO_NAME(request->client_proto))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_HELO)
	&& CAN_FORWARD_HELO_NAME(request->client_helo))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
	&& CAN_FORWARD_IDENT_NAME(request->log_ident))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
	&& CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))
	return (1);
    return (0);
}

/*
 * smtp_xfer - run one complete mail transaction on an established session.
 *
 * Chooses the first sender/receiver state (XFORWARD, or straight to MAIL
 * FROM) and hands control to smtp_loop(). Returns smtp_loop()'s result:
 * 0 when the SMTP conversation could be carried out (which says nothing
 * about whether recipients were accepted), -1 on failure. A message that
 * exceeds the server's size limit is failed locally and 0 is returned
 * without talking to the server.
 */
int     smtp_xfer(SMTP_STATE *state)
{
    DELIVER_REQUEST *request = state->request;
    SMTP_SESSION *session = state->session;
    SMTP_RESP fake;
    int     want_name_addr;
    int     first_state;
    int     result;

    /*
     * Sanity checks: the caller must hand us at least one recipient, and
     * no recipient may be marked as done yet.
     */
    if (SMTP_RCPT_LEFT(state) <= 0)
	msg_panic("smtp_xfer: bad recipient count: %d",
		  SMTP_RCPT_LEFT(state));
    if (SMTP_RCPT_ISMARKED(request->rcpt_list.info))
	msg_panic("smtp_xfer: bad recipient status: %d",
		  request->rcpt_list.info->u.status);

    /*
     * Refuse up front to send a message that exceeds the server's size
     * limit. This check lives here rather than in the EHLO processing code
     * because of SMTP connection caching: the same session may carry many
     * messages after a single EHLO.
     */
    if (session->size_limit > 0 && session->size_limit < request->data_size) {
	smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
		       SMTP_RESP_FAKE(&fake, "5.3.4"),
		       "message size %lu exceeds size limit %.0f of server %s",
		       request->data_size, (double) session->size_limit,
		       session->namaddr);
	/* Redundant. We abort this delivery attempt. */
	state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;
	return (0);
    }

    /*
     * Use XFORWARD to carry the origin of this message across an SMTP-based
     * content filter. Client attributes are sent only when they exist
     * (remote submission); otherwise the mail appears to originate from the
     * content filter, which is acceptable.
     */
    want_name_addr = smtp_xfer_want_name_addr(session, request);
    session->send_proto_helo = smtp_xfer_want_proto_helo(session, request);
    if (want_name_addr)
	first_state = SMTP_STATE_XFORWARD_NAME_ADDR;
    else if (session->send_proto_helo)
	first_state = SMTP_STATE_XFORWARD_PROTO_HELO;
    else
	first_state = SMTP_STATE_MAIL;

    /*
     * Sender and receiver start in the same state.
     */
    result = smtp_loop(state, first_state, first_state);

    /*
     * Remember this session's "normal completion", even if the server
     * 4xx-ed some or all recipients. Connection or handshake errors with a
     * later MX host should not cause this destination to be marked as
     * unreachable. The stream error/EOF tests are a belt-and-braces guard
     * against a conversation that "succeeded" on a dead stream.
     */
    if (result == 0
	&& vstream_ferror(session->stream) == 0
	&& vstream_feof(session->stream) == 0)
	state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;

    return (result);
}
2572
/* smtp_rset - send a lone RSET command */

/*
 * smtp_rset - send one RSET and wait for its reply.
 *
 * SMTP_STATE_RSET is a dedicated entry state for both the sender and the
 * receiver side of smtp_loop(), and its only successor on either side is
 * SMTP_STATE_LAST, so a single smtp_loop() call sends exactly one RSET and
 * consumes exactly one reply. A non-2xx reply makes the receiver set the
 * CANT_RSET_THIS_SESSION flag. Returns smtp_loop()'s result: 0 if the
 * exchange could be carried out, -1 on failure.
 */
int     smtp_rset(SMTP_STATE *state)
{
    const int entry_state = SMTP_STATE_RSET;

    return (smtp_loop(state, entry_state, entry_state));
}
2584
/* smtp_quit - send a lone QUIT command */

/*
 * smtp_quit - send one QUIT and, unless configured otherwise, read the reply.
 *
 * SMTP_STATE_QUIT is the last sender state with an action; its successor is
 * SMTP_STATE_LAST on both sides, and the sender action also turns off
 * connection caching for this session. When var_skip_quit_resp is set the
 * receiver starts out in SMTP_STATE_LAST, so the QUIT reply is never
 * waited for. Returns smtp_loop()'s result: 0 on success, -1 on failure.
 */
int     smtp_quit(SMTP_STATE *state)
{
    int     recv_state;

    if (var_skip_quit_resp)
	recv_state = SMTP_STATE_LAST;
    else
	recv_state = SMTP_STATE_QUIT;
    return (smtp_loop(state, SMTP_STATE_QUIT, recv_state));
}
2597