1 /* $NetBSD: smtp_proto.c,v 1.7 2026/05/09 18:49:20 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* smtp_proto 3 6 /* SUMMARY 7 /* client SMTP/LMTP protocol 8 /* SYNOPSIS 9 /* #include "smtp.h" 10 /* 11 /* int smtp_helo(state) 12 /* SMTP_STATE *state; 13 /* 14 /* int smtp_xfer(state) 15 /* SMTP_STATE *state; 16 /* 17 /* int smtp_rset(state) 18 /* SMTP_STATE *state; 19 /* 20 /* int smtp_quit(state) 21 /* SMTP_STATE *state; 22 /* DESCRIPTION 23 /* In the subsequent text, SMTP implies LMTP. 24 /* This module implements the client side of the SMTP protocol. 25 /* 26 /* smtp_helo() performs the initial handshake with the SMTP server. 27 /* When TLS is enabled, this includes STARTTLS negotiations. 28 /* 29 /* smtp_xfer() sends message envelope information followed by the 30 /* message data, and finishes the SMTP conversation. These operations 31 /* are combined in one function, in order to implement SMTP pipelining. 32 /* Recipients are marked as "done" in the mail queue file when 33 /* bounced or delivered. The message delivery status is updated 34 /* accordingly. 35 /* 36 /* smtp_rset() sends a single RSET command and waits for the 37 /* response. In case of a negative reply it sets the 38 /* CANT_RSET_THIS_SESSION flag. 39 /* 40 /* smtp_quit() sends a single QUIT command and waits for the 41 /* response if configured to do so. It always turns off connection 42 /* caching. 43 /* DIAGNOSTICS 44 /* smtp_helo(), smtp_xfer(), smtp_rset() and smtp_quit() return 45 /* 0 in case of success, -1 in case of failure. For smtp_xfer(), 46 /* smtp_rset() and smtp_quit(), success means the ability to 47 /* perform an SMTP conversation, not necessarily the ability 48 /* to deliver mail, or the achievement of server happiness. 49 /* 50 /* In case of a rejected or failed connection, a connection 51 /* is marked as "bad, do not cache". 
Otherwise, connection 52 /* caching may be turned off (without being marked "bad") at 53 /* the discretion of the code that implements the individual 54 /* protocol steps. 55 /* 56 /* Warnings: corrupt message file. A corrupt message is marked 57 /* as "corrupt" by changing its queue file permissions. 58 /* BUGS 59 /* Some SMTP servers will abort when the number of recipients 60 /* for one message exceeds their capacity. This behavior violates 61 /* the SMTP protocol. 62 /* The only way around this is to limit the number of recipients 63 /* per transaction to an artificially-low value. 64 /* SEE ALSO 65 /* smtp(3h) internal data structures 66 /* smtp_chat(3) query/reply SMTP support 67 /* smtp_trouble(3) error handlers 68 /* LICENSE 69 /* .ad 70 /* .fi 71 /* The Secure Mailer license must be distributed with this software. 72 /* AUTHOR(S) 73 /* Wietse Venema 74 /* IBM T.J. Watson Research 75 /* P.O. Box 704 76 /* Yorktown Heights, NY 10598, USA 77 /* 78 /* Wietse Venema 79 /* Google, Inc. 80 /* 111 8th Avenue 81 /* New York, NY 10011, USA 82 /* 83 /* Wietse Venema 84 /* porcupine.org 85 /* 86 /* Pipelining code in cooperation with: 87 /* Jon Ribbens 88 /* Oaktree Internet Solutions Ltd., 89 /* Internet House, 90 /* Canal Basin, 91 /* Coventry, 92 /* CV1 4LY, United Kingdom. 93 /* 94 /* Connection caching in cooperation with: 95 /* Victor Duchovni 96 /* Morgan Stanley 97 /* 98 /* TLS support originally by: 99 /* Lutz Jaenicke 100 /* BTU Cottbus 101 /* Allgemeine Elektrotechnik 102 /* Universitaetsplatz 3-4 103 /* D-03044 Cottbus, Germany 104 /*--*/ 105 106 /* System library. 
*/ 107 108 #include <sys_defs.h> 109 #include <sys/stat.h> 110 #include <sys/socket.h> /* shutdown(2) */ 111 #include <netinet/in.h> /* ntohs() */ 112 #include <string.h> 113 #include <unistd.h> 114 #include <stdlib.h> /* 44BSD stdarg.h uses abort() */ 115 #include <stdarg.h> 116 #include <time.h> 117 118 #ifdef STRCASECMP_IN_STRINGS_H 119 #include <strings.h> 120 #endif 121 122 /* Utility library. */ 123 124 #include <msg.h> 125 #include <vstring.h> 126 #include <vstream.h> 127 #include <vstring_vstream.h> 128 #include <stringops.h> 129 #include <mymalloc.h> 130 #include <iostuff.h> 131 #include <split_at.h> 132 #include <name_code.h> 133 #include <name_mask.h> 134 135 /* Global library. */ 136 137 #include <mail_params.h> 138 #include <smtp_stream.h> 139 #include <mail_queue.h> 140 #include <recipient_list.h> 141 #include <deliver_request.h> 142 #include <defer.h> 143 #include <bounce.h> 144 #include <record.h> 145 #include <rec_type.h> 146 #include <off_cvt.h> 147 #include <mark_corrupt.h> 148 #include <quote_822_local.h> 149 #include <mail_proto.h> 150 #include <mime_state.h> 151 #include <ehlo_mask.h> 152 #include <maps.h> 153 #include <tok822.h> 154 #include <mail_addr_map.h> 155 #include <ext_prop.h> 156 #include <namadr_list.h> 157 #include <lex_822.h> 158 #include <dsn_mask.h> 159 #include <xtext.h> 160 #include <uxtext.h> 161 #include <smtputf8.h> 162 #if defined(USE_TLS) && defined(USE_TLSRPT) 163 #include <tlsrpt_wrapper.h> 164 #endif 165 166 /* Application-specific. */ 167 168 #include "smtp.h" 169 #include "smtp_sasl.h" 170 171 /* 172 * Sender and receiver state. A session does not necessarily go through a 173 * linear progression, but states are guaranteed to not jump backwards. 174 * Normal sessions go from MAIL->RCPT->DATA->DOT->QUIT->LAST. The states 175 * MAIL, RCPT, and DATA may also be followed by ABORT->QUIT->LAST. 176 * 177 * When connection caching is enabled, the QUIT state is suppressed. 
Normal 178 * sessions proceed as MAIL->RCPT->DATA->DOT->LAST, while aborted sessions 179 * end with ABORT->LAST. The connection is left open for a limited time. An 180 * RSET probe should be sent before attempting to reuse an open connection 181 * for a new transaction. 182 * 183 * The code to send an RSET probe is a special case with its own initial state 184 * and with its own dedicated state transitions. The session proceeds as 185 * RSET->LAST. This code is kept inside the main protocol engine for 186 * consistent error handling and error reporting. It is not to be confused 187 * with the code that sends RSET to abort a mail transaction in progress. 188 * 189 * The code to send QUIT without message delivery transaction jumps into the 190 * main state machine. If this introduces complications, then we should 191 * introduce a second QUIT state with its own dedicated state transitions, 192 * just like we did for RSET probes. 193 * 194 * By default, the receiver skips the QUIT response. Some SMTP servers 195 * disconnect after responding to ".", and some SMTP servers wait before 196 * responding to QUIT. 197 * 198 * Client states that are associated with sending mail (up to and including 199 * SMTP_STATE_DOT) must have smaller numerical values than the non-sending 200 * states (SMTP_STATE_ABORT .. SMTP_STATE_LAST). 
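 */
#define SMTP_STATE_XFORWARD_NAME_ADDR	0	/* XFORWARD name/address */
#define SMTP_STATE_XFORWARD_PROTO_HELO	1	/* XFORWARD protocol/helo_name */
#define SMTP_STATE_MAIL			2	/* MAIL FROM */
#define SMTP_STATE_RCPT			3	/* RCPT TO */
#define SMTP_STATE_DATA			4	/* DATA */
#define SMTP_STATE_DOT			5	/* end-of-data "." */
#define SMTP_STATE_ABORT		6	/* final RSET, abort a transaction */
#define SMTP_STATE_RSET			7	/* RSET probe on a cached connection */
#define SMTP_STATE_QUIT			8	/* QUIT */
#define SMTP_STATE_LAST			9	/* terminal state, no command sent */

/*
 * Per-state tables, indexed by SMTP_STATE_*. Each table has exactly one
 * entry for every state below SMTP_STATE_LAST, so the entry order must
 * match the numbering above (SMTP_STATE_LAST itself has no entry).
 *
 * xfer_timeouts holds pointers to the configurable timeout variables rather
 * than their values, so that a lookup always sees the current setting. The
 * ABORT state and the RSET probe share the RSET timeout; DOT (end of data)
 * uses the data2 timeout.
 */
int    *xfer_timeouts[SMTP_STATE_LAST] = {
    &var_smtp_xfwd_tmout,		/* name/addr */
    &var_smtp_xfwd_tmout,		/* helo/proto */
    &var_smtp_mail_tmout,
    &var_smtp_rcpt_tmout,
    &var_smtp_data0_tmout,
    &var_smtp_data2_tmout,
    &var_smtp_rset_tmout,
    &var_smtp_rset_tmout,
    &var_smtp_quit_tmout,
};

/*
 * Human-readable description of what the client is doing in each state.
 * The DOT entry warns that a failure at this point may cause duplicate
 * delivery, because the server may have accepted the message before the
 * client saw the response.
 */
char   *xfer_states[SMTP_STATE_LAST] = {
    "sending XFORWARD name/address",
    "sending XFORWARD protocol/helo_name",
    "sending MAIL FROM",
    "sending RCPT TO",
    "sending DATA command",
    "sending end of data -- message may be sent more than once",
    "sending final RSET",
    "sending RSET probe",
    "sending QUIT",
};

/*
 * Short name of the request that is sent in each state (consumed elsewhere
 * in the protocol engine; not visible in this module section).
 */
char   *xfer_request[SMTP_STATE_LAST] = {
    "XFORWARD name/address command",
    "XFORWARD helo/protocol command",
    "MAIL FROM command",
    "RCPT TO command",
    "DATA command",
    "end of DATA command",
    "final RSET command",
    "RSET probe",
    "QUIT command",
};

/*
 * Note: MIME downgrade never happens for mail that must be delivered with
 * SMTPUTF8 (the sender requested SMTPUTF8, AND the delivery request
 * involves at least one UTF-8 envelope address or header value). This holds
 * because smtp_helo() refuses a server that does not announce SMTPUTF8 for
 * such deliveries, and forces SMTP_FEATURE_8BITMIME on whenever SMTPUTF8 is
 * announced, so the 8BITMIME test below is then always false.
 *
 * The macro arguments are parenthesized so that any pointer expression can
 * be passed, not only a plain identifier.
 */
#define SMTP_MIME_DOWNGRADE(session, request) \
	(var_disable_mime_oconv == 0 \
	 && ((session)->features & SMTP_FEATURE_8BITMIME) == 0 \
	 && strcmp((request)->encoding, MAIL_ATTR_ENC_7BIT) != 0)

#ifdef USE_TLS

static int smtp_start_tls(SMTP_STATE *);

#endif

/*
 * Call-back information for header/body checks. We don't provide call-backs
 * for actions that change the message delivery time or destination.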
268 */ 269 static void smtp_hbc_logger(void *, const char *, const char *, const char *, const char *); 270 static void smtp_text_out(void *, int, const char *, ssize_t, off_t); 271 272 HBC_CALL_BACKS smtp_hbc_callbacks[1] = { 273 smtp_hbc_logger, 274 smtp_text_out, 275 }; 276 277 static int smtp_vrfy_tgt; 278 279 /* smtp_vrfy_init - initialize */ 280 281 void smtp_vrfy_init(void) 282 { 283 static const NAME_CODE vrfy_init_table[] = { 284 SMTP_VRFY_TGT_RCPT, SMTP_STATE_RCPT, 285 SMTP_VRFY_TGT_DATA, SMTP_STATE_DATA, 286 0, 287 }; 288 289 if ((smtp_vrfy_tgt = name_code(vrfy_init_table, NAME_CODE_FLAG_NONE, 290 var_smtp_vrfy_tgt)) == 0) 291 msg_fatal("bad protocol stage: \"%s = %s\"", 292 VAR_SMTP_VRFY_TGT, var_smtp_vrfy_tgt); 293 } 294 295 /* smtp_helo - perform initial handshake with SMTP server */ 296 297 int smtp_helo(SMTP_STATE *state) 298 { 299 const char *myname = "smtp_helo"; 300 SMTP_SESSION *session = state->session; 301 DELIVER_REQUEST *request = state->request; 302 SMTP_ITERATOR *iter = state->iterator; 303 SMTP_RESP *resp; 304 SMTP_RESP fake; 305 int except; 306 char *lines; 307 char *words; 308 char *word; 309 int n; 310 static const NAME_CODE xforward_features[] = { 311 XFORWARD_NAME, SMTP_FEATURE_XFORWARD_NAME, 312 XFORWARD_ADDR, SMTP_FEATURE_XFORWARD_ADDR, 313 XFORWARD_PORT, SMTP_FEATURE_XFORWARD_PORT, 314 XFORWARD_PROTO, SMTP_FEATURE_XFORWARD_PROTO, 315 XFORWARD_HELO, SMTP_FEATURE_XFORWARD_HELO, 316 XFORWARD_IDENT, SMTP_FEATURE_XFORWARD_IDENT, 317 XFORWARD_DOMAIN, SMTP_FEATURE_XFORWARD_DOMAIN, 318 0, 0, 319 }; 320 const char *ehlo_words; 321 int discard_mask; 322 static const NAME_MASK pix_bug_table[] = { 323 PIX_BUG_DISABLE_ESMTP, SMTP_FEATURE_PIX_NO_ESMTP, 324 PIX_BUG_DELAY_DOTCRLF, SMTP_FEATURE_PIX_DELAY_DOTCRLF, 325 0, 326 }; 327 const char *pix_bug_words; 328 const char *pix_bug_source; 329 int pix_bug_mask; 330 331 #ifdef USE_TLS 332 int saved_features = session->features; 333 int tls_helo_status; 334 335 #endif 336 const char *NOCLOBBER where; 
337 338 /* 339 * Skip the plaintext SMTP handshake when connecting in SMTPS mode. 340 */ 341 #ifdef USE_TLS 342 if (var_smtp_tls_wrappermode 343 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 344 /* XXX Mix-up of per-session and per-request flags. */ 345 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 346 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 347 var_smtp_req_deadline, 0); 348 tls_helo_status = smtp_start_tls(state); 349 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 350 return (tls_helo_status); 351 } 352 #endif 353 354 /* 355 * Prepare for disaster. 356 */ 357 smtp_stream_setup(state->session->stream, var_smtp_helo_tmout, 358 var_smtp_req_deadline, 0); 359 if ((except = vstream_setjmp(state->session->stream)) != 0) 360 return (smtp_stream_except(state, except, where)); 361 362 /* 363 * If not recursing after STARTTLS, examine the server greeting banner 364 * and decide if we are going to send EHLO as the next command. 365 */ 366 if (var_smtp_tls_wrappermode 367 || (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 368 369 /* 370 * Read and parse the server's SMTP greeting banner. 371 */ 372 where = "receiving the initial server greeting"; 373 switch ((resp = smtp_chat_resp(session))->code / 100) { 374 case 2: 375 break; 376 case 5: 377 if (var_smtp_skip_5xx_greeting) 378 STR(resp->dsn_buf)[0] = '4'; 379 /* FALLTHROUGH */ 380 default: 381 return (smtp_site_fail(state, STR(iter->host), resp, 382 "host %s refused to talk to me: %s", 383 session->namaddr, 384 translit(resp->str, "\n", " "))); 385 } 386 387 /* 388 * If the policy table specifies a bogus TLS security level, fail 389 * now. 390 */ 391 #ifdef USE_TLS 392 if (state->tls->level == TLS_LEV_INVALID) 393 /* Warning is already logged. 
*/ 394 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 395 SMTP_RESP_FAKE(&fake, "4.7.0"), 396 "client TLS configuration problem")); 397 #endif 398 399 /* 400 * XXX Some PIX firewall versions require flush before ".<CR><LF>" so 401 * it does not span a packet boundary. This hurts performance so it 402 * is not on by default. 403 */ 404 if (resp->str[strspn(resp->str, "20 *\t\n")] == 0) { 405 /* Best effort only. Ignore errors. */ 406 if (smtp_pix_bug_maps != 0 407 && (pix_bug_words = 408 maps_find(smtp_pix_bug_maps, 409 STR(iter->addr), 0)) != 0) { 410 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_MAPS); 411 } else { 412 pix_bug_words = var_smtp_pix_bug_words; 413 pix_bug_source = VAR_LMTP_SMTP(PIX_BUG_WORDS); 414 } 415 if (*pix_bug_words) { 416 pix_bug_mask = name_mask_opt(pix_bug_source, pix_bug_table, 417 pix_bug_words, 418 NAME_MASK_ANY_CASE | NAME_MASK_IGNORE); 419 if ((pix_bug_mask & SMTP_FEATURE_PIX_DELAY_DOTCRLF) 420 && request->msg_stats.incoming_arrival.tv_sec 421 > vstream_ftime(state->session->stream) - var_smtp_pix_thresh) 422 pix_bug_mask &= ~SMTP_FEATURE_PIX_DELAY_DOTCRLF; 423 msg_info("%s: enabling PIX workarounds: %s for %s", 424 request->queue_id, 425 str_name_mask("pix workaround bitmask", 426 pix_bug_table, pix_bug_mask), 427 session->namaddrport); 428 session->features |= pix_bug_mask; 429 } 430 } 431 432 /* 433 * See if we are talking to ourself. This should not be possible with 434 * the way we implement DNS lookups. However, people are known to 435 * sometimes screw up the naming service. And, mailer loops are still 436 * possible when our own mailer routing tables are mis-configured. 
437 */ 438 words = resp->str; 439 (void) mystrtok(&words, "- \t\n"); 440 for (n = 0; (word = mystrtok(&words, " \t\n")) != 0; n++) { 441 if (n == 0 && strcasecmp(word, var_myhostname) == 0) { 442 if (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) 443 msg_warn("host %s greeted me with my own hostname %s", 444 session->namaddrport, var_myhostname); 445 } else if (strcasecmp(word, "ESMTP") == 0) 446 session->features |= SMTP_FEATURE_ESMTP; 447 } 448 if (smtp_mode) { 449 if (var_smtp_always_ehlo 450 && (session->features & SMTP_FEATURE_PIX_NO_ESMTP) == 0) 451 session->features |= SMTP_FEATURE_ESMTP; 452 if (var_smtp_never_ehlo 453 || (session->features & SMTP_FEATURE_PIX_NO_ESMTP) != 0) 454 session->features &= ~SMTP_FEATURE_ESMTP; 455 } else { 456 session->features |= SMTP_FEATURE_ESMTP; 457 } 458 } 459 460 /* 461 * If recursing after STARTTLS, there is no server greeting banner. 462 * Always send EHLO as the next command. 463 */ 464 else { 465 session->features |= SMTP_FEATURE_ESMTP; 466 } 467 468 /* 469 * Return the compliment. Fall back to SMTP if our ESMTP recognition 470 * heuristic failed. 
471 */ 472 if (smtp_mode) { 473 where = "performing the EHLO handshake"; 474 if (session->features & SMTP_FEATURE_ESMTP) { 475 smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name); 476 if ((resp = smtp_chat_resp(session))->code / 100 != 2) { 477 if (resp->code == 421) 478 return (smtp_site_fail(state, STR(iter->host), resp, 479 "host %s refused to talk to me: %s", 480 session->namaddr, 481 translit(resp->str, "\n", " "))); 482 else 483 session->features &= ~SMTP_FEATURE_ESMTP; 484 } 485 #ifdef USE_TLSRPT 486 if (state->tlsrpt 487 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) 488 smtp_tlsrpt_set_ehlo_resp(state, resp->str); 489 #endif 490 } 491 if ((session->features & SMTP_FEATURE_ESMTP) == 0) { 492 where = "performing the HELO handshake"; 493 smtp_chat_cmd(session, "HELO %s", var_smtp_helo_name); 494 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 495 return (smtp_site_fail(state, STR(iter->host), resp, 496 "host %s refused to talk to me: %s", 497 session->namaddr, 498 translit(resp->str, "\n", " "))); 499 #ifdef USE_TLSRPT 500 if (state->tlsrpt) 501 trw_set_ehlo_resp(state->tlsrpt, resp->str); 502 #endif 503 } 504 } else { 505 where = "performing the LHLO handshake"; 506 smtp_chat_cmd(session, "LHLO %s", var_smtp_helo_name); 507 if ((resp = smtp_chat_resp(session))->code / 100 != 2) 508 return (smtp_site_fail(state, STR(iter->host), resp, 509 "host %s refused to talk to me: %s", 510 session->namaddr, 511 translit(resp->str, "\n", " "))); 512 } 513 514 /* 515 * No early returns allowed, to ensure consistent handling of TLS and 516 * SASL policies. 517 */ 518 if (session->features & SMTP_FEATURE_ESMTP) { 519 520 /* 521 * Determine what server EHLO keywords to ignore, typically to avoid 522 * inter-operability problems. 
523 */ 524 if (smtp_ehlo_dis_maps == 0 525 || (ehlo_words = maps_find(smtp_ehlo_dis_maps, 526 STR(iter->addr), 0)) == 0) 527 ehlo_words = var_smtp_ehlo_dis_words; 528 if (smtp_ehlo_dis_maps && smtp_ehlo_dis_maps->error) { 529 msg_warn("%s: %s map lookup error for %s", 530 session->state->request->queue_id, 531 smtp_ehlo_dis_maps->title, STR(iter->addr)); 532 vstream_longjmp(session->stream, SMTP_ERR_DATA); 533 } 534 discard_mask = ehlo_mask(ehlo_words); 535 if (discard_mask && !(discard_mask & EHLO_MASK_SILENT)) 536 msg_info("discarding EHLO keywords: %s", 537 str_ehlo_mask(discard_mask)); 538 539 /* 540 * Pick up some useful features offered by the SMTP server. XXX Until 541 * we have a portable routine to convert from string to off_t with 542 * proper overflow detection, ignore the message size limit 543 * advertised by the SMTP server. Otherwise, we might do the wrong 544 * thing when the server advertises a really huge message size limit. 545 * 546 * XXX Allow for "code (SP|-) ehlo-keyword (SP|=) ehlo-param...", 547 * because MicroSoft implemented AUTH based on an old draft. 548 */ 549 lines = resp->str; 550 for (n = 0; (words = mystrtok(&lines, "\n")) != 0; /* see below */ ) { 551 if (mystrtok(&words, "- ") 552 && (word = mystrtok(&words, " \t=")) != 0) { 553 if (n == 0) { 554 if (session->helo != 0) 555 myfree(session->helo); 556 557 /* 558 * XXX: Keep the original case: we don't expect a single 559 * SMTP server to randomly change the case of its helo 560 * response. If different capitalization is detected, we 561 * should assume disjoint TLS caches. 
562 */ 563 session->helo = mystrdup(word); 564 if (strcasecmp(word, var_myhostname) == 0 565 && (state->misc_flags & SMTP_MISC_FLAG_LOOP_DETECT) != 0) { 566 msg_warn("host %s replied to HELO/EHLO" 567 " with my own hostname %s", 568 session->namaddrport, var_myhostname); 569 if (session->features & SMTP_FEATURE_BEST_MX) 570 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 571 SMTP_RESP_FAKE(&fake, "5.4.6"), 572 "mail for %s loops back to myself", 573 request->nexthop)); 574 else 575 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 576 SMTP_RESP_FAKE(&fake, "4.4.6"), 577 "mail for %s loops back to myself", 578 request->nexthop)); 579 } 580 } else if (strcasecmp(word, "8BITMIME") == 0) { 581 if ((discard_mask & EHLO_MASK_8BITMIME) == 0) 582 session->features |= SMTP_FEATURE_8BITMIME; 583 } else if (strcasecmp(word, "PIPELINING") == 0) { 584 if ((discard_mask & EHLO_MASK_PIPELINING) == 0) 585 session->features |= SMTP_FEATURE_PIPELINING; 586 } else if (strcasecmp(word, "XFORWARD") == 0) { 587 if ((discard_mask & EHLO_MASK_XFORWARD) == 0) 588 while ((word = mystrtok(&words, " \t")) != 0) 589 session->features |= 590 name_code(xforward_features, 591 NAME_CODE_FLAG_NONE, word); 592 } else if (strcasecmp(word, "SIZE") == 0) { 593 if ((discard_mask & EHLO_MASK_SIZE) == 0) { 594 session->features |= SMTP_FEATURE_SIZE; 595 if ((word = mystrtok(&words, " \t")) != 0) { 596 if (!alldig(word)) 597 msg_warn("bad EHLO SIZE limit \"%s\" from %s", 598 word, session->namaddrport); 599 else 600 session->size_limit = off_cvt_string(word); 601 } 602 } 603 #ifdef USE_TLS 604 } else if (strcasecmp(word, "STARTTLS") == 0) { 605 /* Ignored later if we already sent STARTTLS. 
*/ 606 if ((discard_mask & EHLO_MASK_STARTTLS) == 0) 607 session->features |= SMTP_FEATURE_STARTTLS; 608 } else if (strcasecmp(word, "REQUIRETLS") == 0) { 609 if ((discard_mask & EHLO_MASK_REQTLS) == 0 610 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS)) 611 session->features |= SMTP_FEATURE_REQTLS; 612 #endif 613 #ifdef USE_SASL_AUTH 614 } else if (var_smtp_sasl_enable 615 && strcasecmp(word, "AUTH") == 0) { 616 if ((discard_mask & EHLO_MASK_AUTH) == 0) 617 smtp_sasl_helo_auth(session, words); 618 #endif 619 } else if (strcasecmp(word, "DSN") == 0) { 620 if ((discard_mask & EHLO_MASK_DSN) == 0) 621 session->features |= SMTP_FEATURE_DSN; 622 } else if (strcasecmp(word, "SMTPUTF8") == 0) { 623 if ((discard_mask & EHLO_MASK_SMTPUTF8) == 0) 624 session->features |= SMTP_FEATURE_SMTPUTF8; 625 } 626 n++; 627 } 628 } 629 } 630 if (msg_verbose) 631 msg_info("server features: 0x%x size %.0f", 632 session->features, (double) session->size_limit); 633 634 /* 635 * Require that the server supports SMTPUTF8 when delivery requires 636 * SMTPUTF8. 637 * 638 * Fix 20140706: moved this before negotiating TLS, AUTH, and so on. 639 * 640 * Fix 20250824: try multiple servers before giving up. 641 * 642 * Fix 20250911: do not cache this session because it does not satisfy the 643 * requirement expressed in the cache storage key. 644 */ 645 if ((session->features & SMTP_FEATURE_SMTPUTF8) == 0 646 && DELIVERY_REQUIRES_SMTPUTF8(request)) 647 return (smtp_misc_fail(state, SMTP_MISC_FAIL_DONT_CACHE 648 | SMTP_MISC_FAIL_SOFT_NON_FINAL, 649 DSN_BY_LOCAL_MTA, 650 SMTP_RESP_FAKE(&fake, "5.6.7"), 651 "message requires SMTPUTF8, but no " 652 "server was found that supports " 653 "SMTPUTF8. The last attempted server " 654 "was %s", session->namaddr)); 655 656 /* 657 * Fix 20140706: don't do silly things when the remote server announces 658 * SMTPUTF8 but not 8BITMIME support. Our primary mission is to deliver 659 * mail, not to force people into compliance. 
660 */ 661 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0 662 && (session->features & SMTP_FEATURE_8BITMIME) == 0) { 663 msg_info("host %s offers SMTPUTF8 support, but not 8BITMIME", 664 session->namaddr); 665 session->features |= SMTP_FEATURE_8BITMIME; 666 } 667 668 /* 669 * Require that the server announces REQUIRETLS when the sender requested 670 * REQUIRETLS. Return the message as undeliverable only when there are no 671 * more alternative MX hosts. With opportunistic REQUIRETLS, only log 672 * that the server does not offer REQUIRETLS. 673 */ 674 #ifdef USE_TLS 675 if (state->reqtls_level > SMTP_REQTLS_POLICY_ACT_DISABLE 676 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0) { 677 if ((session->features & SMTP_FEATURE_REQTLS) != 0) { 678 if (state->tls_stats) 679 smtp_tls_stat_decide_reqtls(state->tls_stats, 680 TLS_CERT_IS_MATCHED(session->tls_context) ? 681 SMTP_TLS_STAT_NAME_REQTLS : 682 SMTP_TLS_STAT_NAME_NOCMATCH, 683 POL_STAT_COMPLIANT); 684 } else if (state->reqtls_level == SMTP_REQTLS_POLICY_ACT_ENFORCE) { 685 if (state->tls_stats) 686 smtp_tls_stat_decide_reqtls(state->tls_stats, 687 SMTP_TLS_STAT_NAME_NONE, 688 POL_STAT_VIOLATION); 689 return (smtp_misc_fail(state, SMTP_MISC_FAIL_DONT_CACHE 690 | SMTP_MISC_FAIL_SOFT_NON_FINAL, 691 DSN_BY_LOCAL_MTA, 692 SMTP_RESP_FAKE(&fake, "5.7.30"), 693 "Sender requested REQUIRETLS, " 694 "but no server was found that " 695 "supports REQUIRETLS. The last " 696 "attempted server was %s", 697 session->namaddr)); 698 } else { 699 if (state->tls_stats) 700 smtp_tls_stat_decide_reqtls(state->tls_stats, 701 SMTP_TLS_STAT_NAME_NONE, 702 POL_STAT_COMPLIANT); 703 msg_info("%s: Sender requested REQUIRETLS, but REQUIRETLS " 704 "support was not offered by host %s", 705 request->queue_id, session->namaddr); 706 } 707 } 708 709 /* 710 * TODO(wietse) Maybe log servers that announce REQUIRETLS and whether 711 * the connection is authenticated? 
712 */ 713 #endif 714 715 /* 716 * We use SMTP command pipelining if the server said it supported it. 717 * Since we use blocking I/O, RFC 2197 says that we should inspect the 718 * TCP window size and not send more than this amount of information. 719 * Unfortunately this information is unavailable using the sockets 720 * interface. However, we *can* get the TCP send buffer size on the local 721 * TCP/IP stack. We should be able to fill this buffer without being 722 * blocked, and then the kernel will effectively do non-blocking I/O for 723 * us by automatically writing out the contents of its send buffer while 724 * we are reading in the responses. In addition to TCP buffering we have 725 * to be aware of application-level buffering by the vstream module, 726 * which is limited to a couple kbytes. 727 * 728 * XXX No need to do this before and after STARTTLS, but it's not a big deal 729 * if we do. 730 * 731 * XXX When TLS is turned on, the SMTP-level writes will be encapsulated as 732 * TLS messages. Thus, the TCP-level payload will be larger than the 733 * SMTP-level payload. This has implications for the PIPELINING engine. 734 * 735 * To avoid deadlock, the PIPELINING engine needs to request a TCP send 736 * buffer size that can hold the unacknowledged commands plus the TLS 737 * encapsulation overhead. 738 * 739 * The PIPELINING engine keeps the unacknowledged command size <= the 740 * default VSTREAM buffer size (to avoid small-write performance issues 741 * when the VSTREAM buffer size is at its default size). With a default 742 * VSTREAM buffer size of 4096 there is no reason to increase the 743 * unacknowledged command size as the TCP MSS increases. It's safer to 744 * spread the remote SMTP server's recipient processing load over time, 745 * than dumping a very large recipient list all at once. 
746 * 747 * For TLS encapsulation overhead we make a conservative guess: take the 748 * current protocol overhead of ~40 bytes, double the number for future 749 * proofing (~80 bytes), then round up the result to the nearest power of 750 * 2 (128 bytes). Plus, be prepared for worst-case compression that 751 * expands data by 1 kbyte, so that the worst-case SMTP payload per TLS 752 * message becomes 15 kbytes. 753 */ 754 #define PIPELINING_BUFSIZE VSTREAM_BUFSIZE 755 #ifdef USE_TLS 756 #define TLS_WORST_PAYLOAD 16384 757 #define TLS_WORST_COMP_OVERHD 1024 758 #define TLS_WORST_PROTO_OVERHD 128 759 #define TLS_WORST_SMTP_PAYLOAD (TLS_WORST_PAYLOAD - TLS_WORST_COMP_OVERHD) 760 #define TLS_WORST_TOTAL_OVERHD (TLS_WORST_COMP_OVERHD + TLS_WORST_PROTO_OVERHD) 761 #endif 762 763 if (session->features & SMTP_FEATURE_PIPELINING) { 764 SOCKOPT_SIZE optlen; 765 int tcp_bufsize; 766 int enc_overhead = 0; 767 768 optlen = sizeof(tcp_bufsize); 769 if (getsockopt(vstream_fileno(session->stream), SOL_SOCKET, 770 SO_SNDBUF, (char *) &tcp_bufsize, &optlen) < 0) 771 msg_fatal("%s: getsockopt: %m", myname); 772 #ifdef USE_TLS 773 if (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) 774 enc_overhead += 775 (1 + (PIPELINING_BUFSIZE - 1) 776 / TLS_WORST_SMTP_PAYLOAD) * TLS_WORST_TOTAL_OVERHD; 777 #endif 778 if (tcp_bufsize < PIPELINING_BUFSIZE + enc_overhead) { 779 tcp_bufsize = PIPELINING_BUFSIZE + enc_overhead; 780 if (setsockopt(vstream_fileno(session->stream), SOL_SOCKET, 781 SO_SNDBUF, (char *) &tcp_bufsize, optlen) < 0) 782 msg_fatal("%s: setsockopt: %m", myname); 783 } 784 if (msg_verbose) 785 msg_info("Using %s PIPELINING, TCP send buffer size is %d, " 786 "PIPELINING buffer size is %d", 787 smtp_mode ? "ESMTP" : "LMTP", 788 tcp_bufsize, PIPELINING_BUFSIZE); 789 } 790 #ifdef USE_TLS 791 792 /* 793 * Skip this part if we already sent STARTTLS. 794 */ 795 if ((state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) { 796 797 /* 798 * Optionally log unused STARTTLS opportunities. 
799 */ 800 if ((session->features & SMTP_FEATURE_STARTTLS) && 801 var_smtp_tls_note_starttls_offer && 802 state->tls->level <= TLS_LEV_NONE) 803 msg_info("Host offered STARTTLS: [%s]", STR(iter->host)); 804 805 /* 806 * Decide whether or not to send STARTTLS. 807 */ 808 if ((session->features & SMTP_FEATURE_STARTTLS) != 0 809 && smtp_tls_ctx != 0 && state->tls->level >= TLS_LEV_MAY) { 810 811 /* 812 * Prepare for disaster. 813 */ 814 smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout, 815 var_smtp_req_deadline, 0); 816 if ((except = vstream_setjmp(state->session->stream)) != 0) 817 return (smtp_stream_except(state, except, 818 "receiving the STARTTLS response")); 819 820 /* 821 * Send STARTTLS. Recurse when the server accepts STARTTLS, after 822 * resetting the SASL and EHLO features lists. 823 * 824 * Reset the SASL mechanism list to avoid spurious warnings. 825 * 826 * Use the smtp_sasl_tls_security_options feature to allow SASL 827 * mechanisms that may not be allowed with plain-text 828 * connections. 829 */ 830 smtp_chat_cmd(session, "STARTTLS"); 831 if ((resp = smtp_chat_resp(session))->code / 100 == 2) { 832 #ifdef USE_SASL_AUTH 833 if (session->features & SMTP_FEATURE_AUTH) 834 smtp_sasl_cleanup(session); 835 #endif 836 session->features = saved_features; 837 /* XXX Mix-up of per-session and per-request flags. */ 838 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS; 839 tls_helo_status = smtp_start_tls(state); 840 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS; 841 return (tls_helo_status); 842 } 843 #ifdef USE_TLSRPT 844 if (state->tlsrpt) 845 trw_report_failure(state->tlsrpt, 846 TLSRPT_STARTTLS_NOT_SUPPORTED, 847 /* additional_info= */ (char *) 0, 848 /* failure_reason= */ (char *) 0); 849 #endif 850 851 /* 852 * Give up if we must use TLS but the server rejects STARTTLS 853 * although support for it was announced in the EHLO response. 
854 * 855 * When the sender requested REQUIRETLS, and the REQUIRETLS policy 856 * requires TLS, return the message as undeliverable only when 857 * there are no more alternative MX hosts. 858 */ 859 session->features &= ~SMTP_FEATURE_STARTTLS; 860 if (TLS_REQUIRED_BY_SECURITY_LEVEL(state->tls->level) 861 || TLS_REQUIRED_BY_REQTLS_POLICY(state->reqtls_level)) { 862 /* Before returning, decide all relevant policy status info. */ 863 if (TLS_REQUIRED_BY_REQTLS_POLICY(state->reqtls_level)) { 864 if (state->tls_stats) 865 smtp_tls_stat_decide_reqtls(state->tls_stats, 866 SMTP_TLS_STAT_NAME_NOSTTLS, 867 POL_STAT_VIOLATION); 868 } 869 if (TLS_REQUIRED_BY_SECURITY_LEVEL(state->tls->level)) { 870 if (state->tls_stats) 871 smtp_tls_stat_decide_sec_level(state->tls_stats, 872 state->tls->level, 873 POL_STAT_VIOLATION); 874 } 875 /* Then, REQUIRETLS failure must take precedence over other. */ 876 if (TLS_REQUIRED_BY_REQTLS_POLICY(state->reqtls_level)) { 877 return (smtp_misc_fail(state, SMTP_MISC_FAIL_DONT_CACHE 878 | SMTP_MISC_FAIL_SOFT_NON_FINAL, 879 DSN_BY_LOCAL_MTA, 880 SMTP_RESP_FAKE(&fake, "5.7.10"), 881 "Sender requested REQUIRETLS, " 882 "but host %s refused to " 883 "start TLS: %s", session->namaddr, 884 translit(resp->str, "\n", " "))); 885 } 886 /* TLS_REQUIRED_BY_SECURITY_LEVEL */ 887 return (smtp_site_fail(state, STR(iter->host), resp, 888 "TLS is required, but host %s refused to start TLS: %s", 889 session->namaddr, 890 translit(resp->str, "\n", " "))); 891 } 892 /* Else try to continue in plain-text mode. */ 893 } 894 895 /* 896 * Give up if we must use TLS but can't for various reasons. 897 * 898 * 200412 Be sure to provide the default clause at the bottom of this 899 * block. When TLS is required we must never, ever, end up in 900 * plain-text mode. 901 * 902 * When the sender requested REQUIRETLS, and the REQUIRETLS policy 903 * requires TLS, return the message as undeliverable only when there 904 * are no more alternative MX hosts. 
905 */ 906 if (TLS_REQUIRED_BY_SECURITY_LEVEL(state->tls->level) 907 || TLS_REQUIRED_BY_REQTLS_POLICY(state->reqtls_level)) { 908 if (!(session->features & SMTP_FEATURE_STARTTLS)) { 909 #ifdef USE_TLSRPT 910 if (state->tlsrpt) 911 trw_report_failure(state->tlsrpt, 912 TLSRPT_STARTTLS_NOT_SUPPORTED, 913 /* additional_info= */ (char *) 0, 914 /* failure_reason= */ (char *) 0); 915 #endif 916 /* Before returning, decide all relevant policy status info. */ 917 if (TLS_REQUIRED_BY_REQTLS_POLICY(state->reqtls_level)) { 918 if (state->tls_stats) 919 smtp_tls_stat_decide_reqtls(state->tls_stats, 920 SMTP_TLS_STAT_NAME_NOSTTLS, 921 POL_STAT_VIOLATION); 922 } 923 if (TLS_REQUIRED_BY_SECURITY_LEVEL(state->tls->level)) 924 if (state->tls_stats) 925 smtp_tls_stat_decide_sec_level(state->tls_stats, 926 state->tls->level, 927 POL_STAT_VIOLATION); 928 /* Then, REQUIRETLS failure must take precedence over other. */ 929 if (TLS_REQUIRED_BY_REQTLS_POLICY(state->reqtls_level)) 930 return (smtp_misc_fail(state, SMTP_MISC_FAIL_DONT_CACHE 931 | SMTP_MISC_FAIL_SOFT_NON_FINAL, 932 DSN_BY_LOCAL_MTA, 933 SMTP_RESP_FAKE(&fake, "5.7.30"), 934 "Sender requested REQUIRETLS, " 935 "but TLS service was not " 936 "offered by host %s", 937 session->namaddr)); 938 /* TLS_REQUIRED_BY_SECURITY_LEVEL */ 939 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 940 SMTP_RESP_FAKE(&fake, "4.7.4"), 941 "TLS is required, but was not offered by host %s", 942 session->namaddr)); 943 } else if (smtp_tls_ctx == 0) { 944 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 945 SMTP_RESP_FAKE(&fake, "4.7.5"), 946 "TLS is required, but our TLS engine is unavailable")); 947 } else { 948 msg_warn("%s: TLS is required but unavailable, don't know why", 949 myname); 950 return (smtp_site_fail(state, DSN_BY_LOCAL_MTA, 951 SMTP_RESP_FAKE(&fake, "4.7.0"), 952 "TLS is required, but unavailable")); 953 } 954 } 955 /* Continue in plain-text mode. 
*/
    if (state->tls_stats) {
        smtp_tls_stat_decide_sec_level(state->tls_stats, TLS_LEV_NONE,
                                       POL_STAT_COMPLIANT);
        /*
         * Plain-text was acceptable under the security level; record the
         * (non-disabled) REQUIRETLS outcome as compliant as well. The cases
         * where REQUIRETLS demands TLS have already returned above.
         */
        if (state->reqtls_level > SMTP_REQTLS_POLICY_ACT_DISABLE)
            smtp_tls_stat_decide_reqtls(state->tls_stats,
                                        SMTP_TLS_STAT_NAME_NONE,
                                        POL_STAT_COMPLIANT);
    }
    }
#endif
#ifdef USE_SASL_AUTH
    if (var_smtp_sasl_enable && (session->features & SMTP_FEATURE_AUTH))
        return (smtp_sasl_helo_login(state));
#endif

    return (0);
}

#ifdef USE_TLS

/* smtp_start_tls - turn on TLS and recurse into the HELO dialog */

/*
 * Negotiate TLS on the already-open session->stream, either through the
 * tlsproxy(8) service (when state->tls->conn_reuse is set) or with the
 * in-process TLS engine, then enforce the certificate matching policy that
 * belongs to the negotiated security level, and finally re-issue EHLO by
 * calling smtp_helo() so that the post-STARTTLS feature list is used.
 *
 * Returns the value of smtp_helo() after a successful handshake and policy
 * check, or the value of the smtp_misc_fail()/smtp_site_fail() handler that
 * recorded the failure. Side effects on the session: connection caching is
 * disabled unless tlsproxy(8) holds the TLS state; a failed handshake marks
 * the session as forbidden for further I/O; session->tls_context is set to
 * the negotiated context or to 0.
 *
 * Security-relevant invariants kept by this function:
 *
 * - Both stream buffers are purged immediately after the handshake, in both
 * code paths, before any post-STARTTLS data is read.
 *
 * - Plain-text retry after a failed STARTTLS is only attempted through
 * PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE, which (per the comment at
 * that site) is limited to optional TLS; a required TLS level never
 * continues in plain text from here.
 *
 * - Certificate matching is decided on session->tls_context->level rather
 * than on state->tls->level, because the TLS engine may have degraded
 * "dane"/"half-dane" to "encrypt" when no TLSA record was usable.
 */

static int smtp_start_tls(SMTP_STATE *state)
{
    SMTP_SESSION *session = state->session;
    SMTP_ITERATOR *iter = state->iterator;
    TLS_CLIENT_START_PROPS start_props;
    VSTRING *serverid;
    SMTP_RESP fake;
    TLS_CLIENT_INIT_PROPS init_props;
    VSTREAM *tlsproxy;
    VSTRING *port_buf;

    /*
     * When the TLS handshake succeeds, we can reuse a connection only if TLS
     * remains turned on for the lifetime of that connection. This requires
     * that the TLS library state is maintained in some proxy process, for
     * example, in tlsproxy(8). We then store the proxy file handle in the
     * connection cache, and reuse that file handle.
     *
     * Otherwise, we must turn off connection caching. We can't turn off TLS in
     * one SMTP client process, save the open connection to a cache which is
     * shared with all SMTP clients, migrate the connection to another SMTP
     * client, and resume TLS there. When the TLS handshake fails, we can't
     * reuse the SMTP connection either, because the conversation is in an
     * unknown state.
     */
    if (state->tls->conn_reuse == 0)
        DONT_CACHE_THIS_SESSION;

    /*
     * The following assumes sites that use TLS in a perverse configuration:
     * multiple hosts per hostname, or even multiple hosts per IP address.
     * All this without a shared TLS session cache, and they still want to
     * use TLS session caching???
     *
     * The TLS session cache records the trust chain verification status of
     * cached sessions. Different transports may have different CAfile or
     * CApath settings, perhaps to allow authenticated connections to sites
     * with private CA certs without trusting said private certs for other
     * sites. So we cannot assume that a trust chain valid for one transport
     * is valid for another. Therefore the client session id must include
     * either the transport name or the values of CAfile and CApath. We use
     * the transport name.
     *
     * XXX: We store only one session per lookup key. Ideally the key maps
     * 1-to-1 to a server TLS session cache. We use the IP address, port and
     * ehlo response name to build a lookup key that works for split caches
     * (that announce distinct names) behind a load balancer.
     *
     * XXX: The TLS library will salt the serverid with further details of the
     * protocol and cipher requirements including the server ehlo response.
     * Deferring the helo to the digested suffix results in more predictable
     * SSL session lookup key lengths. Add the current TLS security level to
     * account for TLS level overrides based on message content or envelope
     * metadata: a session resumed from the cache must have been negotiated
     * under the same (not a weaker) security level.
     */
    serverid = vstring_alloc(10);
    smtp_key_prefix(serverid, "&", state->iterator, SMTP_KEY_FLAG_SERVICE
                    | SMTP_KEY_FLAG_CUR_NEXTHOP /* With port */
                    | SMTP_KEY_FLAG_HOSTNAME
                    | SMTP_KEY_FLAG_ADDR
                    | SMTP_KEY_FLAG_TLS_LEVEL);

    if (state->tls->conn_reuse) {
        TLS_CLIENT_PARAMS tls_params;

        /*
         * Send all our wishes in one big request.
         *
         * NOTE(review): ffail_type is passed as 0 here, whereas the in-process
         * path below passes state->tls->ext_policy_failure. If the difference
         * is intentional (e.g. the proxy cannot carry the external-policy
         * failure type), a comment saying so would prevent it from being
         * "fixed" later; confirm against tls_proxy(3) before changing either.
         */
        TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
                                    log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
                                    log_level = var_smtp_tls_loglevel,
                                    verifydepth = var_smtp_tls_scert_vd,
                                    cache_type
                                    = LMTP_SMTP_SUFFIX(TLS_MGR_SCACHE),
                                    chain_files = var_smtp_tls_chain_files,
                                    cert_file = var_smtp_tls_cert_file,
                                    key_file = var_smtp_tls_key_file,
                                    dcert_file = var_smtp_tls_dcert_file,
                                    dkey_file = var_smtp_tls_dkey_file,
                                    eccert_file = var_smtp_tls_eccert_file,
                                    eckey_file = var_smtp_tls_eckey_file,
                                    CAfile = var_smtp_tls_CAfile,
                                    CApath = var_smtp_tls_CApath,
                                    mdalg = var_smtp_tls_fpt_dgst);
        TLS_PROXY_CLIENT_START_PROPS(&start_props,
                                     timeout = var_smtp_starttls_tmout,
                                     tls_level = state->tls->level,
                                     enable_rpk = state->tls->enable_rpk,
                                     nexthop = session->tls_nexthop,
                                     host = STR(iter->host),
                                     namaddr = session->namaddrport,
                                     sni = state->tls->sni,
                                     serverid = vstring_str(serverid),
                                     helo = session->helo,
                                     protocols = state->tls->protocols,
                                     cipher_grade = state->tls->grade,
                                     cipher_exclusions
                                     = vstring_str(state->tls->exclusions),
                                     matchargv = state->tls->matchargv,
                                     mdalg = var_smtp_tls_fpt_dgst,
#ifdef USE_TLSRPT
                                     tlsrpt = state->tlsrpt,
#else
                                     tlsrpt = 0,
#endif
                                     ffail_type = 0,
                                     dane = state->tls->dane);

        /*
         * The tlsproxy(8) server enforces timeouts that are larger than
         * those specified by the tlsproxy(8) client. These timeouts are a
         * safety net for the case that the tlsproxy(8) client fails to
         * enforce time limits. Normally, the tlsproxy(8) client would time
         * out and trigger a plaintext event in the tlsproxy(8) server, and
         * cause it to tear down the session.
         *
         * However, the tlsproxy(8) server has no insight into the SMTP
         * protocol, and therefore it cannot by itself support different
         * timeouts at different SMTP protocol stages. Instead, we specify
         * the largest timeout (end-of-data) and rely on the SMTP client to
         * time out first, which normally results in a plaintext event in the
         * tlsproxy(8) server. Unfortunately, we cannot permit plaintext
         * events during the TLS handshake, so we specify a separate timeout
         * for that stage (the end-of-data timeout would be unreasonably
         * large anyway).
         */
#define PROXY_OPEN_FLAGS \
        (TLS_PROXY_FLAG_ROLE_CLIENT | TLS_PROXY_FLAG_SEND_CONTEXT)

        port_buf = vstring_alloc(100);          /* minimize fragmentation */
        vstring_sprintf(port_buf, "%d", ntohs(iter->port));
        tlsproxy =
            tls_proxy_open(var_tlsproxy_service, PROXY_OPEN_FLAGS,
                           session->stream, STR(iter->addr),
                           STR(port_buf), var_smtp_starttls_tmout,
                           var_smtp_data2_tmout, state->service,
                           tls_proxy_client_param_from_config(&tls_params),
                           &init_props, &start_props);
        vstring_free(port_buf);

        /*
         * To insert tlsproxy(8) between this process and the remote SMTP
         * server, we swap the file descriptors between the tlsproxy and
         * session->stream VSTREAMS, so that we don't lose all the
         * user-configurable session->stream attributes (such as longjump
         * buffers or timeouts).
         *
         * TODO: the tlsproxy RPCs should return more error detail than a "NO"
         * result. OTOH, the in-process TLS engine does not return such info
         * either.
         *
         * If the tlsproxy request fails we do not fall back to the in-process
         * TLS stack. Reason: the admin enabled connection reuse to respect
         * receiver policy; silently violating such policy would not be
         * useful.
         *
         * We also don't fall back to the in-process TLS stack under low-traffic
         * conditions, to avoid frustrating attempts to debug a problem with
         * using the tlsproxy(8) service.
         */
        if (tlsproxy == 0) {
            session->tls_context = 0;
        } else {
            vstream_control(tlsproxy,
                            CA_VSTREAM_CTL_DOUBLE,
                            CA_VSTREAM_CTL_END);
            vstream_control(session->stream,
                            CA_VSTREAM_CTL_SWAP_FD(tlsproxy),
                            CA_VSTREAM_CTL_END);
            /* After the swap this VSTREAM owns the direct-to-server fd. */
            (void) vstream_fclose(tlsproxy);    /* direct-to-server stream! */

            /*
             * There must not be any pending data in the stream buffers
             * before we read the TLS context attributes. Discarding both
             * directions also guarantees that nothing buffered from the
             * plain-text phase can later be consumed as if it had arrived
             * over TLS.
             */
            vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);

            /*
             * After plumbing the plaintext stream, receive the TLS context
             * object. For this we use the same VSTREAM buffer that we also
             * use to receive subsequent SMTP commands, therefore we must be
             * prepared for the possibility that the remote SMTP server
             * starts talking immediately. The tlsproxy implementation sends
             * the TLS context before remote content. The attribute protocol
             * is robust enough that an adversary cannot insert their own TLS
             * context attributes.
             *
             * NOTE(review): the trust and match verdicts inside this context
             * are taken at face value below, exactly as for an in-process
             * handshake; that is sound only because tlsproxy(8) is a local
             * Postfix service, not the remote peer.
             */
            session->tls_context = tls_proxy_context_receive(session->stream);
            if (session->tls_context) {
                session->features |= SMTP_FEATURE_FROM_PROXY;
                tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW,
                                session->tls_context);
            }
        }
    } else {                                    /* state->tls->conn_reuse */

        /*
         * As of Postfix 2.5, tls_client_start() tries hard to always
         * complete the TLS handshake. It records the verification and match
         * status in the resulting TLScontext. It is now up to the
         * application to abort the TLS connection if it chooses.
         *
         * XXX When tls_client_start() fails then we don't know what state the
         * SMTP connection is in, so we give up on this connection even if we
         * are not required to use TLS.
         *
         * Large parameter lists are error-prone, so we emulate a language
         * feature that C does not have natively: named parameter lists.
         */
        session->tls_context =
            TLS_CLIENT_START(&start_props,
                             ctx = smtp_tls_ctx,
                             stream = session->stream,
                             fd = -1,
                             timeout = var_smtp_starttls_tmout,
                             tls_level = state->tls->level,
                             enable_rpk = state->tls->enable_rpk,
                             nexthop = session->tls_nexthop,
                             host = STR(iter->host),
                             namaddr = session->namaddrport,
                             sni = state->tls->sni,
                             serverid = vstring_str(serverid),
                             helo = session->helo,
                             protocols = state->tls->protocols,
                             cipher_grade = state->tls->grade,
                             cipher_exclusions
                             = vstring_str(state->tls->exclusions),
                             matchargv = state->tls->matchargv,
                             mdalg = var_smtp_tls_fpt_dgst,
#ifdef USE_TLSRPT
                             tlsrpt = state->tlsrpt,
#else
                             tlsrpt = 0,
#endif
                             ffail_type = state->tls->ext_policy_failure,
                             dane = state->tls->dane);

        /*
         * At this point there must not be any pending data in the stream
         * buffers. Keep this purge directly after the handshake: it is what
         * stops plain-text data that was buffered before STARTTLS from being
         * read back as post-STARTTLS input.
         */
        vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH);
    }                                           /* state->tls->conn_reuse */

    vstring_free(serverid);

    if (session->tls_context == 0) {

        /*
         * We must avoid further I/O, the peer is in an undefined state.
         */
        DONT_USE_FORBIDDEN_SESSION;

        /*
         * If TLS is optional, try delivery to the same server over a
         * plaintext connection. Otherwise we would defer mail forever with
         * destinations that have no alternate MX host.
         *
         * Don't fall back to plaintext if we were willing to use SASL-over-TLS
         * authentication. If the server doesn't announce SASL support over
         * plaintext connections, then we don't want delivery to fail with
         * "relay access denied".
         *
         * If TLS is opportunistic, don't throttle the destination, otherwise if
         * the mail is volume is high enough we may have difficulty ever
         * draining even the deferred mail, as new mail provides a constant
         * stream of negative feedback.
         *
         * NOTE(review): this is the only downgrade-to-plaintext point in this
         * function. Both macros are defined elsewhere; the gating on an
         * optional TLS level (and on not relying on SASL-over-TLS) described
         * above lives in PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE and
         * should be re-checked whenever that macro changes.
         */
        if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE)
            RETRY_AS_PLAINTEXT;
        /* Leave all TLS feature policy status info as 'undecided'. */
        return (smtp_misc_fail(state, state->tls->level == TLS_LEV_MAY ?
                               SMTP_MISC_FAIL_NONE : SMTP_MISC_FAIL_THROTTLE,
                               DSN_BY_LOCAL_MTA,
                               SMTP_RESP_FAKE(&fake, "4.7.5"),
                               "Cannot start TLS: handshake failure"));
    }

    /*
     * If we are verifying the server certificate and are not happy with the
     * result, abort the delivery here. We have a usable TLS session with the
     * server, so no need to disable I/O, ... we can even be polite and send
     * "QUIT".
     *
     * See src/tls/tls_level.c and src/tls/tls.h. Levels above "encrypt" require
     * matching.
     *
     * NOTE: We use "IS_MATCHED" to satisfy policy, but "IS_SECURED" to log
     * effective security. Thus "half-dane" is never "Verified" only
     * "Trusted", but matching is enforced here.
     *
     * NOTE: When none of the TLSA records were usable, "dane" and "half-dane"
     * fall back to "encrypt", updating the tls_context level accordingly, so
     * we must check that here, and not state->tls->level.
     */
    if (TLS_MUST_MATCH(session->tls_context->level)) {
        if (!TLS_CERT_IS_MATCHED(session->tls_context)) {
            /*
             * "trusted" distinguishes a chain that verified but did not
             * match the expected name(s) from one that did not verify at
             * all; it only selects the report type and the message text,
             * the delivery is refused either way.
             */
            int     trusted = TLS_CERT_IS_TRUSTED(session->tls_context);

#ifdef USE_TLSRPT

            /*
             * Don't create a TLSRPT 'failure' event here, if the TLS engine
             * already reported a more specific reason.
             */
            if (state->tlsrpt && session->tls_context->rpt_reported == 0) {
                (void) trw_report_failure(state->tlsrpt, trusted ?
                                          TLSRPT_CERTIFICATE_HOST_MISMATCH :
                                          TLSRPT_CERTIFICATE_NOT_TRUSTED,
                                          /* additional_info= */ (char *) 0,
                                          /* failure_reason= */ (char *) 0);
            }
#endif
            /* Finalize TLS feature policy status info before giving up. */
            if (state->tls_stats)
                smtp_tls_stat_decide_sec_level(state->tls_stats,
                                               session->tls_context->level,
                                               POL_STAT_VIOLATION);

            /*
             * When the sender requested REQUIRETLS, and REQUIRETLS is
             * enforced, return the message as undeliverable only when there
             * are no more alternative MX hosts: the status is permanent
             * (5.7.10) but the failure is flagged SOFT_NON_FINAL so that the
             * remaining MX hosts are still tried, and the session is not
             * cached. Without enforced REQUIRETLS the same condition is a
             * transient 4.7.5 site failure.
             */
            if (state->reqtls_level == SMTP_REQTLS_POLICY_ACT_ENFORCE) {
                if (state->tls_stats)
                    smtp_tls_stat_decide_reqtls(state->tls_stats,
                                                SMTP_TLS_STAT_NAME_NOCMATCH,
                                                POL_STAT_VIOLATION);
                return (smtp_misc_fail(state, SMTP_MISC_FAIL_DONT_CACHE
                                       | SMTP_MISC_FAIL_SOFT_NON_FINAL,
                                       DSN_BY_LOCAL_MTA,
                                       SMTP_RESP_FAKE(&fake, "5.7.10"),
                                       "Sender requested REQUIRETLS, "
                                       "but no %s server certificate "
                                       "was found. The last attempted "
                                       "server was %s", trusted ?
                                       "matching" : "trusted",
                                       session->namaddr));
            } else if (state->reqtls_level > SMTP_REQTLS_POLICY_ACT_DISABLE) {
                if (state->tls_stats)
                    smtp_tls_stat_decide_reqtls(state->tls_stats,
                                                SMTP_TLS_STAT_NAME_NOCMATCH,
                                                POL_STAT_COMPLIANT);
            }
            return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
                                   SMTP_RESP_FAKE(&fake, "4.7.5"),
                                   "Server certificate not verified"));
        }
    }

    /*
     * Create a TLSRPT 'success' event only if the TLS engine has not created
     * a TLSRPT event. For example, The TLS engine will create a TLSRPT
     * 'failure' event when the TLS handshake was be successful, but the
     * security level was downgraded from opportunistic "dane" to
     * unauthenticated "encrypt".
     */
#ifdef USE_TLSRPT
    if (state->tlsrpt && session->tls_context->rpt_reported == 0)
        (void) trw_report_success(state->tlsrpt);
#endif

    /*
     * Report relaxed enforcement if the initial TLS level was degraded.
     */
    if (state->tls_stats)
        smtp_tls_stat_decide_sec_level(state->tls_stats,
                                       session->tls_context->level,
                                       POL_STAT_COMPLIANT);

    /*
     * At this point we have to re-negotiate the "EHLO" to reget the
     * feature-list. Anything announced before STARTTLS was unauthenticated
     * and must not be relied on.
     */
    return (smtp_helo(state));
}

#endif

/* smtp_hbc_logger - logging call-back for header/body checks */

/*
 * Log one header/body check action for the current queue file. The matched
 * content is truncated to 200 bytes in the log record (%.200s), so a long or
 * hostile header cannot flood the log; "text" is optional and omitted when
 * empty.
 */

static void smtp_hbc_logger(void *context, const char *action,
                                    const char *where, const char *content,
                                    const char *text)
{
    const SMTP_STATE *state = (SMTP_STATE *) context;

    if (*text) {
        msg_info("%s: %s: %s %.200s: %s",
                 state->request->queue_id, action, where, content, text);
    } else {
        msg_info("%s: %s: %s %.200s",
                 state->request->queue_id, action, where, content);
    }
}

/* smtp_text_out - output one header/body record */

/*
 * Write one queue-file record to the SMTP DATA stream, applying two
 * protocol rules on the way out: a record that starts a new output line and
 * begins with '.' is dot-stuffed (an extra '.' is prepended), and output
 * lines longer than $smtp_line_length_limit are broken with <CR><LF>SPACE.
 * Because a forced continuation always starts with SPACE, it can never begin
 * with '.', so message content cannot forge the end-of-data sequence.
 *
 * state->space_left carries the remaining room on the current output line
 * across calls; REC_TYPE_CONT records leave the line open, any other record
 * type ends it.
 */

static void smtp_text_out(void *context, int rec_type,
                                  const char *text, ssize_t len,
                                  off_t unused_offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    SMTP_SESSION *session = state->session;
    ssize_t data_left;
    const char *data_start;

    /*
     * Deal with an impedance mismatch between Postfix queue files (record
     * length <= $message_line_length_limit) and SMTP (DATA record length <=
     * $smtp_line_length_limit). The code below does a little too much work
     * when the SMTP line length limit is disabled, but it avoids code
     * duplication, and thus, it avoids testing and maintenance problems.
*/
    data_left = len;
    data_start = text;
    do {
        /*
         * Dot-stuffing: only at the very start of an output line
         * (space_left == the configured limit), never in the middle of a
         * continued line.
         */
        if (state->space_left == var_smtp_line_limit
            && data_left > 0 && *data_start == '.')
            smtp_fputc('.', session->stream);
        if (ENFORCING_SIZE_LIMIT(var_smtp_line_limit)
            && data_left >= state->space_left) {
            smtp_fputs(data_start, state->space_left, session->stream);
            data_start += state->space_left;
            data_left -= state->space_left;
            state->space_left = var_smtp_line_limit;
            if (data_left > 0 || rec_type == REC_TYPE_CONT) {
                /* The SPACE is part of the continuation line's budget. */
                smtp_fputc(' ', session->stream);
                state->space_left -= 1;

                /*
                 * XXX This can insert a line break into the middle of a
                 * multi-byte character (not necessarily UTF-8). Note that
                 * multibyte characters can span queue file records, for
                 * example if line_length_limit == smtp_line_length_limit.
                 */
                if (state->logged_line_length_limit == 0) {
                    msg_info("%s: breaking line > %d bytes with <CR><LF>SPACE",
                             state->request->queue_id, var_smtp_line_limit);
                    state->logged_line_length_limit = 1;
                }
            }
        } else {
            if (rec_type == REC_TYPE_CONT) {
                smtp_fwrite(data_start, data_left, session->stream);
                state->space_left -= data_left;
            } else {
                smtp_fputs(data_start, data_left, session->stream);
                state->space_left = var_smtp_line_limit;
            }
            break;
        }
    } while (data_left > 0);
}

/* smtp_format_out - output one header/body record */

/*
 * printf-style front end for smtp_text_out(). The formatted text lives in a
 * file-scope VSTRING that is allocated once and kept for the life of the
 * process (it grows to the longest line ever formatted). Presumably fine for
 * a single-threaded delivery agent; it is not reentrant.
 */

static void PRINTFLIKE(3, 4) smtp_format_out(void *, int, const char *,...);

static void smtp_format_out(void *context, int rec_type, const char *fmt,...)
{
    static VSTRING *vp;
    va_list ap;

    if (vp == 0)
        vp = vstring_alloc(100);
    va_start(ap, fmt);
    vstring_vsprintf(vp, fmt, ap);
    va_end(ap);
    smtp_text_out(context, rec_type, vstring_str(vp), VSTRING_LEN(vp), 0);
}

/* smtp_header_out - output one message header */

/*
 * Emit a (possibly multi-line) header as one REC_TYPE_NORM record per
 * physical line. The header class and options are not used here.
 */

static void smtp_header_out(void *context, int unused_header_class,
                                    const HEADER_OPTS *unused_info,
                                    VSTRING *buf, off_t offset)
{
    char   *start = vstring_str(buf);
    char   *line;
    char   *next_line;

    /*
     * This code destroys the header. We could try to avoid clobbering it,
     * but we're not going to use the data any further.
     */
    for (line = start; line; line = next_line) {
        next_line = split_at(line, '\n');
        smtp_text_out(context, REC_TYPE_NORM, line, next_line ?
                      next_line - line - 1 : strlen(line), offset);
    }
}

/* smtp_header_rewrite - rewrite message header before output */

/*
 * Header output callback used when smtp_header_checks and/or
 * smtp_generic_maps are configured. Order of operations:
 *
 * 1) smtp_header_checks: a 0 result means the header is dropped (nothing is
 * emitted); a lookup error does not pass the header through unfiltered but
 * longjmp()s out with SMTP_ERR_DATA, i.e. control never returns here.
 *
 * 2) smtp_generic_maps: sender/recipient addresses in primary headers are
 * rewritten one-to-one; the header name prefix is skipped by length, which
 * relies on cleanup(8) having already normalized the header.
 *
 * 3) Rewritten headers are re-folded and emitted; untouched headers go
 * straight to smtp_header_out().
 */

static void smtp_header_rewrite(void *context, int header_class,
                                        const HEADER_OPTS *header_info,
                                        VSTRING *buf, off_t offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    int     did_rewrite = 0;
    char   *line;
    char   *start;
    char   *next_line;
    char   *end_line;
    char   *result;

    /*
     * Apply optional header filtering.
     */
    if (smtp_header_checks) {
        result = hbc_header_checks(context, smtp_header_checks, header_class,
                                   header_info, buf, offset);
        if (result == 0)
            return;
        if (result == HBC_CHECKS_STAT_ERROR) {
            msg_warn("%s: smtp header checks lookup error",
                     state->request->queue_id);
            vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
        }
        if (result != STR(buf)) {
            vstring_strcpy(buf, result);
            myfree(result);
        }
    }

    /*
     * Rewrite primary header addresses that match the smtp_generic_maps. The
     * cleanup server already enforces that all headers have proper lengths
     * and that all addresses are in proper form, so we don't have to repeat
     * that.
     */
    if (smtp_generic_maps && header_info && header_class == MIME_HDR_PRIMARY
        && (header_info->flags & (HDR_OPT_SENDER | HDR_OPT_RECIP)) != 0) {
        TOK822 *tree;
        TOK822 **addr_list;
        TOK822 **tpp;

        tree = tok822_parse(vstring_str(buf)
                            + strlen(header_info->name) + 1);
        addr_list = tok822_grep(tree, TOK822_ADDR);
        for (tpp = addr_list; *tpp; tpp++)
            did_rewrite |= smtp_map11_tree(tpp[0], smtp_generic_maps,
                                     smtp_ext_prop_mask & EXT_PROP_GENERIC);
        if (did_rewrite) {
            vstring_truncate(buf, strlen(header_info->name));
            vstring_strcat(buf, ": ");
            tok822_externalize(buf, tree, TOK822_STR_HEAD);
        }
        myfree((void *) addr_list);
        tok822_free_tree(tree);
    }

    /*
     * Pass through unmodified headers without reconstruction.
     */
    if (did_rewrite == 0) {
        smtp_header_out(context, header_class, header_info, buf, offset);
        return;
    }

    /*
     * A rewritten address list contains one address per line. The code below
     * replaces newlines by spaces, to fit as many addresses on a line as
     * possible (without rearranging the order of addresses). Prepending
     * white space to the beginning of lines is delegated to the output
     * routine.
     *
     * Code derived from cleanup_fold_header().
     */
    for (line = start = vstring_str(buf); line != 0; line = next_line) {
        end_line = line + strcspn(line, "\n");
        if (line > start) {
            if (end_line - start < 70) {        /* TAB counts as one */
                line[-1] = ' ';
            } else {
                start = line;
            }
        }
        next_line = *end_line ? end_line + 1 : 0;
    }

    /*
     * Prepend a tab to continued header lines that went through the address
     * rewriting machinery. Just like smtp_header_out(), this code destroys
     * the header. We could try to avoid clobbering it, but we're not going
     * to use the data any further.
     *
     * Code derived from cleanup_out_header().
     */
    for (line = start = vstring_str(buf); line != 0; line = next_line) {
        next_line = split_at(line, '\n');
        if (line == start || IS_SPACE_TAB(*line)) {
            smtp_text_out(state, REC_TYPE_NORM, line, next_line ?
                          next_line - line - 1 : strlen(line), offset);
        } else {
            smtp_format_out(state, REC_TYPE_NORM, "\t%s", line);
        }
    }
}

/* smtp_body_rewrite - rewrite message body before output */

/*
 * Body output callback used when smtp_body_checks is configured. As with
 * headers, a lookup error aborts the DATA phase via longjmp() instead of
 * letting unfiltered content through, and a 0 result drops the record.
 *
 * NOTE(review): when smtp_body_checks is unset this function emits nothing
 * at all; presumably the caller installs smtp_text_out() directly in that
 * case - confirm at the mime_state_alloc() call site before reusing this
 * callback elsewhere.
 */

static void smtp_body_rewrite(void *context, int type,
                                      const char *buf, ssize_t len,
                                      off_t offset)
{
    SMTP_STATE *state = (SMTP_STATE *) context;
    char   *result;

    /*
     * Apply optional body filtering.
     */
    if (smtp_body_checks) {
        result = hbc_body_checks(context, smtp_body_checks, buf, len, offset);
        if (result == buf) {
            smtp_text_out(state, type, buf, len, offset);
        } else if (result == HBC_CHECKS_STAT_ERROR) {
            msg_warn("%s: smtp body checks lookup error",
                     state->request->queue_id);
            vstream_longjmp(state->session->stream, SMTP_ERR_DATA);
        } else if (result != 0) {
            smtp_text_out(state, type, result, strlen(result), offset);
            myfree(result);
        }
    }
}

/* smtp_mime_fail - MIME problem */

/*
 * Translate a MIME state error mask into a message-level delivery failure,
 * using the DSN code and text that mime_state_detail() supplies for it.
 */

static void smtp_mime_fail(SMTP_STATE *state, int mime_errs)
{
    const MIME_STATE_DETAIL *detail;
    SMTP_RESP fake;

    detail = mime_state_detail(mime_errs);
    smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
                   SMTP_RESP_FAKE(&fake, detail->dsn),
                   "%s", detail->text);
}

/* smtp_out_raw_or_mime - output buffer, raw output or MIME-aware */

/*
 * Send one record either straight to smtp_text_out() (no MIME processing
 * for this session) or through the MIME state machine, which in turn calls
 * the header/body callbacks registered with it. Returns 0 on success and -1
 * after a MIME error has been turned into a message failure.
 */

static int smtp_out_raw_or_mime(SMTP_STATE *state, int rec_type, VSTRING *buf)
{
    SMTP_SESSION *session = state->session;
    int     mime_errs;

    if (session->mime_state == 0) {
        smtp_text_out((void *) state, rec_type, vstring_str(buf),
                      VSTRING_LEN(buf), (off_t) 0);
    } else {
        mime_errs =
            mime_state_update(session->mime_state, rec_type,
                              vstring_str(buf), VSTRING_LEN(buf));
        if (mime_errs) {
            smtp_mime_fail(state, mime_errs);
            return (-1);
        }
    }
    return (0);
}

/* smtp_out_add_header - format address header, uses session->scratch* */

/*
 * Build "<label>: <lt><address><gt>" in session->scratch and emit it. The
 * address is first passed through the generic rewriting map and then
 * RFC 822-quoted by smtp_quote_822_address_flags() rather than copied raw,
 * so special characters in an envelope address cannot alter the header
 * structure. Both scratch buffers are clobbered. Returns the result of
 * smtp_out_raw_or_mime().
 */

static int smtp_out_add_header(SMTP_STATE *state, const char *label,
                                       const char *lt, const char *addr,
                                       const char *gt)
{
    SMTP_SESSION *session = state->session;

    smtp_rewrite_generic_internal(session->scratch2, addr);
    vstring_sprintf(session->scratch, "%s: %s", label, lt);
    smtp_quote_822_address_flags(session->scratch,
                                 vstring_str(session->scratch2),
                                 QUOTE_FLAG_DEFAULT | QUOTE_FLAG_APPEND);
    vstring_strcat(session->scratch, gt);
    return (smtp_out_raw_or_mime(state, REC_TYPE_NORM, session->scratch));
}

/* smtp_out_add_headers - output additional headers, uses session->scratch* */

/*
 * Emit the optional Return-Path, X-Original-To and Delivered-To headers
 * selected by smtp_cli_attr.flags. The recipient-specific headers are taken
 * from the first entry of request->rcpt_list (assumes a single-recipient
 * delivery request whenever those flags are set - TODO confirm against the
 * caller's recipient limit). Returns 0, or -1 as soon as one header fails.
 */

static int smtp_out_add_headers(SMTP_STATE *state)
{
    /* Prepend headers in the same order as mail_copy.c.
*/ 1664 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_RETURN_PATH) 1665 if (smtp_out_add_header(state, "Return-Path", "<", 1666 state->request->sender, ">") < 0) 1667 return (-1); 1668 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_ORIG_RCPT) 1669 if (smtp_out_add_header(state, "X-Original-To", "", 1670 state->request->rcpt_list.info->orig_addr, "") < 0) 1671 return (-1); 1672 if (smtp_cli_attr.flags & SMTP_CLI_FLAG_DELIVERED_TO) 1673 if (smtp_out_add_header(state, "Delivered-To", "", 1674 state->request->rcpt_list.info->address, "") < 0) 1675 return (-1); 1676 return (0); 1677 } 1678 1679 /* smtp_loop - exercise the SMTP protocol engine */ 1680 1681 static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state, 1682 NOCLOBBER int recv_state) 1683 { 1684 const char *myname = "smtp_loop"; 1685 DELIVER_REQUEST *request = state->request; 1686 SMTP_SESSION *session = state->session; 1687 SMTP_ITERATOR *iter = state->iterator; 1688 SMTP_RESP *resp; 1689 RECIPIENT *rcpt; 1690 VSTRING *next_command = vstring_alloc(100); 1691 int *NOCLOBBER survivors = 0; 1692 NOCLOBBER int next_state; 1693 NOCLOBBER int next_rcpt; 1694 NOCLOBBER int send_rcpt; 1695 NOCLOBBER int recv_rcpt; 1696 NOCLOBBER int nrcpt; 1697 NOCLOBBER int recv_done; 1698 int except; 1699 int rec_type; 1700 NOCLOBBER int prev_type = 0; 1701 NOCLOBBER int mail_from_rejected; 1702 NOCLOBBER int downgrading; 1703 int mime_errs; 1704 SMTP_RESP fake; 1705 int fail_status; 1706 1707 /* Caution: changes to RETURN() also affect code outside the main loop. 
*/ 1708 1709 #define RETURN(x) do { \ 1710 if (recv_state != SMTP_STATE_LAST) \ 1711 DONT_CACHE_THIS_SESSION; \ 1712 vstring_free(next_command); \ 1713 if (survivors) \ 1714 myfree((void *) survivors); \ 1715 if (session->mime_state) \ 1716 session->mime_state = mime_state_free(session->mime_state); \ 1717 return (x); \ 1718 } while (0) 1719 1720 #define SENDER_IS_AHEAD \ 1721 (recv_state < send_state || recv_rcpt != send_rcpt) 1722 1723 #define SENDER_IN_WAIT_STATE \ 1724 (send_state == SMTP_STATE_DOT || send_state == SMTP_STATE_LAST) 1725 1726 #define SENDING_MAIL \ 1727 (recv_state <= SMTP_STATE_DOT) 1728 1729 #define CANT_RSET_THIS_SESSION \ 1730 (session->features |= SMTP_FEATURE_RSET_REJECTED) 1731 1732 /* 1733 * Pipelining support requires two loops: one loop for sending and one 1734 * for receiving. Each loop has its own independent state. Most of the 1735 * time the sender can run ahead of the receiver by as much as the TCP 1736 * send buffer permits. There are only two places where the sender must 1737 * wait for status information from the receiver: once after sending DATA 1738 * and once after sending QUIT. 1739 * 1740 * The sender state advances until the TCP send buffer would overflow, or 1741 * until the sender needs status information from the receiver. At that 1742 * point the receiver starts processing responses. Once the receiver has 1743 * caught up with the sender, the sender resumes sending commands. If the 1744 * receiver detects a serious problem (MAIL FROM rejected, all RCPT TO 1745 * commands rejected, DATA rejected) it forces the sender to abort the 1746 * SMTP dialog with RSET and QUIT. 1747 */ 1748 nrcpt = 0; 1749 next_rcpt = send_rcpt = recv_rcpt = recv_done = 0; 1750 mail_from_rejected = 0; 1751 1752 /* 1753 * Prepare for disaster. This should not be needed because the design 1754 * guarantees that no output is flushed before smtp_chat_resp() is 1755 * called. 
1756 * 1757 * 1) Every SMTP command fits entirely in a VSTREAM output buffer. 1758 * 1759 * 2) smtp_loop() never invokes smtp_chat_cmd() without making sure that 1760 * there is sufficient space for the command in the output buffer. 1761 * 1762 * 3) smtp_loop() flushes the output buffer to avoid server timeouts. 1763 * 1764 * Changing any of these would violate the design, and would likely break 1765 * SMTP pipelining. 1766 * 1767 * We set up the error handler anyway (only upon entry to avoid wasting 1768 * resources) because 1) there is code below that expects that VSTREAM 1769 * timeouts are enabled, and 2) this allows us to detect if someone broke 1770 * Postfix by introducing spurious flush before read operations. 1771 */ 1772 if (send_state < SMTP_STATE_XFORWARD_NAME_ADDR 1773 || send_state > SMTP_STATE_QUIT) 1774 msg_panic("%s: bad sender state %d (receiver state %d)", 1775 myname, send_state, recv_state); 1776 smtp_stream_setup(session->stream, *xfer_timeouts[send_state], 1777 var_smtp_req_deadline, 0); 1778 if ((except = vstream_setjmp(session->stream)) != 0) { 1779 msg_warn("smtp_proto: spurious flush before read in send state %d", 1780 send_state); 1781 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 1782 xfer_states[send_state]) : -1); 1783 } 1784 1785 /* 1786 * The main protocol loop. 1787 */ 1788 do { 1789 1790 /* 1791 * Build the next command. 1792 */ 1793 switch (send_state) { 1794 1795 /* 1796 * Sanity check. 1797 */ 1798 default: 1799 msg_panic("%s: bad sender state %d", myname, send_state); 1800 1801 /* 1802 * Build the XFORWARD command. With properly sanitized 1803 * information, the command length stays within the 512 byte 1804 * command line length limit. 
1805 * 1806 * XXX smtpd_xforward_preset() initializes some fields as "unknown" 1807 * and some as null; historically, pickup(8) does not send any of 1808 * these, and the queue manager presets absent fields to "not 1809 * available" except for the rewrite context which is preset to 1810 * local by way of migration aid. These definitions need to be 1811 * centralized for maintainability. 1812 */ 1813 #ifndef CAN_FORWARD_CLIENT_NAME 1814 #define _ATTR_AVAIL_AND_KNOWN_(val) \ 1815 (DEL_REQ_ATTR_AVAIL(val) && strcasecmp((val), "unknown")) 1816 #define CAN_FORWARD_CLIENT_NAME _ATTR_AVAIL_AND_KNOWN_ 1817 #define CAN_FORWARD_CLIENT_ADDR _ATTR_AVAIL_AND_KNOWN_ 1818 #define CAN_FORWARD_CLIENT_PORT _ATTR_AVAIL_AND_KNOWN_ 1819 #define CAN_FORWARD_PROTO_NAME _ATTR_AVAIL_AND_KNOWN_ 1820 #define CAN_FORWARD_HELO_NAME DEL_REQ_ATTR_AVAIL 1821 #define CAN_FORWARD_IDENT_NAME DEL_REQ_ATTR_AVAIL 1822 #define CAN_FORWARD_RWR_CONTEXT DEL_REQ_ATTR_AVAIL 1823 #endif 1824 1825 case SMTP_STATE_XFORWARD_NAME_ADDR: 1826 vstring_strcpy(next_command, XFORWARD_CMD); 1827 if ((session->features & SMTP_FEATURE_XFORWARD_NAME) 1828 && CAN_FORWARD_CLIENT_NAME(request->client_name)) { 1829 vstring_strcat(next_command, " " XFORWARD_NAME "="); 1830 xtext_quote_append(next_command, request->client_name, ""); 1831 } 1832 if ((session->features & SMTP_FEATURE_XFORWARD_ADDR) 1833 && CAN_FORWARD_CLIENT_ADDR(request->client_addr)) { 1834 vstring_strcat(next_command, " " XFORWARD_ADDR "="); 1835 xtext_quote_append(next_command, request->client_addr, ""); 1836 } 1837 if ((session->features & SMTP_FEATURE_XFORWARD_PORT) 1838 && CAN_FORWARD_CLIENT_PORT(request->client_port)) { 1839 vstring_strcat(next_command, " " XFORWARD_PORT "="); 1840 xtext_quote_append(next_command, request->client_port, ""); 1841 } 1842 if (session->send_proto_helo) 1843 next_state = SMTP_STATE_XFORWARD_PROTO_HELO; 1844 else 1845 next_state = SMTP_STATE_MAIL; 1846 break; 1847 1848 case SMTP_STATE_XFORWARD_PROTO_HELO: 1849 
vstring_strcpy(next_command, XFORWARD_CMD); 1850 if ((session->features & SMTP_FEATURE_XFORWARD_PROTO) 1851 && CAN_FORWARD_PROTO_NAME(request->client_proto)) { 1852 vstring_strcat(next_command, " " XFORWARD_PROTO "="); 1853 xtext_quote_append(next_command, request->client_proto, ""); 1854 } 1855 if ((session->features & SMTP_FEATURE_XFORWARD_HELO) 1856 && CAN_FORWARD_HELO_NAME(request->client_helo)) { 1857 vstring_strcat(next_command, " " XFORWARD_HELO "="); 1858 xtext_quote_append(next_command, request->client_helo, ""); 1859 } 1860 if ((session->features & SMTP_FEATURE_XFORWARD_IDENT) 1861 && CAN_FORWARD_IDENT_NAME(request->log_ident)) { 1862 vstring_strcat(next_command, " " XFORWARD_IDENT "="); 1863 xtext_quote_append(next_command, request->log_ident, ""); 1864 } 1865 if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN) 1866 && CAN_FORWARD_RWR_CONTEXT(request->rewrite_context)) { 1867 vstring_strcat(next_command, " " XFORWARD_DOMAIN "="); 1868 xtext_quote_append(next_command, 1869 strcmp(request->rewrite_context, MAIL_ATTR_RWR_LOCAL) ? 1870 XFORWARD_DOM_REMOTE : XFORWARD_DOM_LOCAL, ""); 1871 } 1872 next_state = SMTP_STATE_MAIL; 1873 break; 1874 1875 /* 1876 * Build the MAIL FROM command. 1877 */ 1878 case SMTP_STATE_MAIL: 1879 request->msg_stats.reuse_count = session->reuse_count; 1880 GETTIMEOFDAY(&request->msg_stats.conn_setup_done); 1881 smtp_rewrite_generic_internal(session->scratch2, request->sender); 1882 smtp_quote_821_address(session->scratch, 1883 vstring_str(session->scratch2)); 1884 vstring_sprintf(next_command, "MAIL FROM:<%s>", 1885 vstring_str(session->scratch)); 1886 /* XXX Don't announce SIZE if we're going to MIME downgrade. 
*/ 1887 if (session->features & SMTP_FEATURE_SIZE /* RFC 1870 */ 1888 && !SMTP_MIME_DOWNGRADE(session, request)) 1889 vstring_sprintf_append(next_command, " SIZE=%lu", 1890 request->data_size); 1891 if (session->features & SMTP_FEATURE_8BITMIME) { /* RFC 1652 */ 1892 if (strcmp(request->encoding, MAIL_ATTR_ENC_8BIT) == 0) 1893 vstring_strcat(next_command, " BODY=8BITMIME"); 1894 else if (strcmp(request->encoding, MAIL_ATTR_ENC_7BIT) == 0) 1895 vstring_strcat(next_command, " BODY=7BIT"); 1896 else if (strcmp(request->encoding, MAIL_ATTR_ENC_NONE) != 0) 1897 msg_warn("%s: unknown content encoding: %s", 1898 request->queue_id, request->encoding); 1899 } 1900 if (session->features & SMTP_FEATURE_DSN) { 1901 if (request->dsn_envid[0]) { 1902 vstring_sprintf_append(next_command, " ENVID="); 1903 xtext_quote_append(next_command, request->dsn_envid, "+="); 1904 } 1905 /* Fix 20250825: limit content exposure in bounce. */ 1906 #ifdef USE_TLS 1907 if (state->reqtls_level > SMTP_REQTLS_POLICY_ACT_DISABLE 1908 && (session->features & SMTP_FEATURE_REQTLS) == 0) 1909 vstring_sprintf_append(next_command, " RET=%s", 1910 dsn_ret_str(DSN_RET_HDRS)); 1911 else 1912 #endif 1913 if (request->dsn_ret) 1914 vstring_sprintf_append(next_command, " RET=%s", 1915 dsn_ret_str(request->dsn_ret)); 1916 } 1917 1918 /* 1919 * Request SMTPUTF8 when the remote SMTP server supports SMTPUTF8 1920 * and the sender requested SMTPUTF8 support. 1921 * 1922 * If the sender requested SMTPUTF8 but the remote SMTP server does 1923 * not support SMTPUTF8, then we have already determined earlier 1924 * that delivering this message without SMTPUTF8 will not break 1925 * the SMTPUTF8 promise that was made to the sender. 
1926 */ 1927 if ((session->features & SMTP_FEATURE_SMTPUTF8) != 0 1928 && (request->sendopts & SMTPUTF8_FLAG_REQUESTED) != 0) 1929 vstring_strcat(next_command, " SMTPUTF8"); 1930 1931 /* 1932 * Request REQUIRETLS when the remote SMTP server supports 1933 * REQUIRETLS and the sender requested REQUIRETLS. 1934 */ 1935 #ifdef USE_TLS 1936 if (state->reqtls_level > SMTP_REQTLS_POLICY_ACT_DISABLE) { 1937 if ((session->features & SMTP_FEATURE_REQTLS) != 0) { 1938 vstring_strcat(next_command, " REQUIRETLS"); 1939 } else if (state->reqtls_level 1940 == SMTP_REQTLS_POLICY_ACT_ENFORCE) { 1941 msg_panic("Can't happen: must enforce REQUIRETLS, but " 1942 "host %s did not announce REQUIRETLS support", 1943 session->namaddr); 1944 } 1945 } 1946 #endif 1947 1948 /* 1949 * We authenticate the local MTA only, but not the sender. 1950 */ 1951 #ifdef USE_SASL_AUTH 1952 if (var_smtp_sasl_enable 1953 && var_smtp_dummy_mail_auth 1954 && (session->features & SMTP_FEATURE_AUTH)) 1955 vstring_strcat(next_command, " AUTH=<>"); 1956 #endif 1957 1958 /* 1959 * CVE-2009-3555 (TLS renegotiation). Try to detect a mail 1960 * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA 1961 * commands to our TLS session. 1962 * 1963 * For the attack to succeed, the remote SMTP server must reply to 1964 * the malicious EHLO/MAIL/RCPT/DATA commands after completing 1965 * TLS (re)negotiation, so that the replies arrive in our TLS 1966 * session (otherwise the Postfix SMTP client would time out 1967 * waiting for an answer). With some luck we can detect this 1968 * specific attack as a server MAIL reply that arrives before we 1969 * send our own MAIL command. 1970 * 1971 * We don't apply this test to the HELO command because the result 1972 * would be very timing sensitive, and we don't apply this test 1973 * to RCPT and DATA replies because these may be pipelined for 1974 * legitimate reasons. 
1975 */ 1976 #ifdef USE_TLS 1977 if (var_smtp_tls_blk_early_mail_reply 1978 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0 1979 && (vstream_peek(session->stream) > 0 1980 || peekfd(vstream_fileno(session->stream)) > 0)) 1981 session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY; 1982 #endif 1983 1984 /* 1985 * We now return to our regular broadcast. 1986 */ 1987 next_state = SMTP_STATE_RCPT; 1988 break; 1989 1990 /* 1991 * Build one RCPT TO command before we have seen the MAIL FROM 1992 * response. 1993 */ 1994 case SMTP_STATE_RCPT: 1995 rcpt = request->rcpt_list.info + send_rcpt; 1996 smtp_rewrite_generic_internal(session->scratch2, rcpt->address); 1997 smtp_quote_821_address(session->scratch, 1998 vstring_str(session->scratch2)); 1999 vstring_sprintf(next_command, "RCPT TO:<%s>", 2000 vstring_str(session->scratch)); 2001 if (session->features & SMTP_FEATURE_DSN) { 2002 /* XXX DSN xtext encode address value not type. */ 2003 const char *orcpt_type_addr = rcpt->dsn_orcpt; 2004 2005 /* Fix 20140706: don't use empty rcpt->orig_addr. */ 2006 if (orcpt_type_addr[0] == 0 && rcpt->orig_addr[0] != 0) { 2007 quote_822_local(session->scratch, rcpt->orig_addr); 2008 vstring_sprintf(session->scratch2, "%s;%s", 2009 /* Fix 20140707: sender must request SMTPUTF8. */ 2010 ((request->sendopts & SMTPUTF8_FLAG_ALL) 2011 && !allascii(vstring_str(session->scratch)) 2012 && valid_utf8_stringz(vstring_str(session->scratch))) ? 2013 "utf-8" : "rfc822", 2014 vstring_str(session->scratch)); 2015 orcpt_type_addr = vstring_str(session->scratch2); 2016 } 2017 if (orcpt_type_addr[0] != 0) { 2018 /* Fix 20140706: don't send unquoted ORCPT. */ 2019 /* Fix 20140707: quoting method must match orcpt type. */ 2020 /* Fix 20140707: handle uxtext encoder errors. 
*/ 2021 if (strncasecmp(orcpt_type_addr, "utf-8;", 6) == 0) { 2022 if (uxtext_quote(session->scratch, 2023 orcpt_type_addr, "+=") != 0) 2024 vstring_sprintf_append(next_command, " ORCPT=%s", 2025 vstring_str(session->scratch)); 2026 } else { 2027 xtext_quote(session->scratch, orcpt_type_addr, "="); 2028 vstring_sprintf_append(next_command, " ORCPT=%s", 2029 vstring_str(session->scratch)); 2030 } 2031 } 2032 if (rcpt->dsn_notify) 2033 vstring_sprintf_append(next_command, " NOTIFY=%s", 2034 dsn_notify_str(rcpt->dsn_notify)); 2035 } 2036 if ((next_rcpt = send_rcpt + 1) == SMTP_RCPT_LEFT(state)) 2037 next_state = (DEL_REQ_TRACE_ONLY(request->flags) 2038 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ? 2039 SMTP_STATE_ABORT : SMTP_STATE_DATA; 2040 break; 2041 2042 /* 2043 * Build the DATA command before we have seen all the RCPT TO 2044 * responses. 2045 */ 2046 case SMTP_STATE_DATA: 2047 vstring_strcpy(next_command, "DATA"); 2048 next_state = SMTP_STATE_DOT; 2049 break; 2050 2051 /* 2052 * Build the "." command after we have seen the DATA response 2053 * (DATA is a protocol synchronization point). 2054 * 2055 * Changing the connection caching state here is safe because it 2056 * affects none of the not-yet processed replies to 2057 * already-generated commands. 2058 */ 2059 case SMTP_STATE_DOT: 2060 vstring_strcpy(next_command, "."); 2061 if (THIS_SESSION_IS_EXPIRED) 2062 DONT_CACHE_THIS_SESSION; 2063 next_state = THIS_SESSION_IS_CACHED ? 2064 SMTP_STATE_LAST : SMTP_STATE_QUIT; 2065 break; 2066 2067 /* 2068 * The SMTP_STATE_ABORT sender state is entered by the sender 2069 * when it has verified all recipients; or it is entered by the 2070 * receiver when all recipients are verified or rejected, and is 2071 * then left before the bottom of the main loop. 2072 * 2073 * Changing the connection caching state here is safe because there 2074 * are no not-yet processed replies to already-generated 2075 * commands. 
2076 */ 2077 case SMTP_STATE_ABORT: 2078 vstring_strcpy(next_command, "RSET"); 2079 if (THIS_SESSION_IS_EXPIRED) 2080 DONT_CACHE_THIS_SESSION; 2081 next_state = THIS_SESSION_IS_CACHED ? 2082 SMTP_STATE_LAST : SMTP_STATE_QUIT; 2083 break; 2084 2085 /* 2086 * Build the RSET command. This is entered as initial state from 2087 * smtp_rset() and has its own dedicated state transitions. It is 2088 * used to find out the status of a cached session before 2089 * attempting mail delivery. 2090 */ 2091 case SMTP_STATE_RSET: 2092 vstring_strcpy(next_command, "RSET"); 2093 next_state = SMTP_STATE_LAST; 2094 break; 2095 2096 /* 2097 * Build the QUIT command before we have seen the "." or RSET 2098 * response. This is entered as initial state from smtp_quit(), 2099 * or is reached near the end of any non-cached session. 2100 * 2101 * Changing the connection caching state here is safe. If this 2102 * command is pipelined together with a preceding command, then 2103 * connection caching was already turned off. Do not clobber the 2104 * "bad connection" flag. 2105 */ 2106 case SMTP_STATE_QUIT: 2107 vstring_strcpy(next_command, "QUIT"); 2108 next_state = SMTP_STATE_LAST; 2109 if (THIS_SESSION_IS_CACHED) 2110 DONT_CACHE_THIS_SESSION; 2111 break; 2112 2113 /* 2114 * The final sender state has no action associated with it. 2115 */ 2116 case SMTP_STATE_LAST: 2117 VSTRING_RESET(next_command); 2118 break; 2119 } 2120 VSTRING_TERMINATE(next_command); 2121 2122 /* 2123 * Process responses until the receiver has caught up. Vstreams 2124 * automatically flush buffered output when reading new data. 2125 * 2126 * Flush unsent output if command pipelining is off or if no I/O 2127 * happened for a while. This limits the accumulation of client-side 2128 * delays in pipelined sessions. 2129 * 2130 * The PIPELINING engine will flush the VSTREAM buffer if the sender 2131 * could otherwise produce more output than fits the PIPELINING 2132 * buffer. 
This generally works because we know exactly how much 2133 * output we produced since the last time that the sender and 2134 * receiver synchronized the SMTP state. However this logic is not 2135 * applicable after the sender enters the DATA phase, where it does 2136 * not synchronize with the receiver until the <CR><LF>.<CR><LF>. 2137 * Thus, the PIPELINING engine no longer knows how much data is 2138 * pending in the TCP send buffer. For this reason, if PIPELINING is 2139 * enabled, we always pipeline QUIT after <CR><LF>.<CR><LF>. This is 2140 * safe because once the receiver reads <CR><LF>.<CR><LF>, its TCP 2141 * stack either has already received the QUIT<CR><LF>, or else it 2142 * acknowledges all bytes up to and including <CR><LF>.<CR><LF>, 2143 * making room in the sender's TCP stack for QUIT<CR><LF>. 2144 */ 2145 #define CHECK_PIPELINING_BUFSIZE \ 2146 (recv_state != SMTP_STATE_DOT || send_state != SMTP_STATE_QUIT) 2147 2148 if (SENDER_IN_WAIT_STATE 2149 || (SENDER_IS_AHEAD 2150 && ((session->features & SMTP_FEATURE_PIPELINING) == 0 2151 || (CHECK_PIPELINING_BUFSIZE 2152 && (VSTRING_LEN(next_command) + 2 2153 + vstream_bufstat(session->stream, VSTREAM_BST_OUT_PEND) 2154 > PIPELINING_BUFSIZE)) 2155 || time((time_t *) 0) 2156 - vstream_ftime(session->stream) > 10))) { 2157 while (SENDER_IS_AHEAD) { 2158 2159 /* 2160 * Sanity check. 2161 */ 2162 if (recv_state < SMTP_STATE_XFORWARD_NAME_ADDR 2163 || recv_state > SMTP_STATE_QUIT) 2164 msg_panic("%s: bad receiver state %d (sender state %d)", 2165 myname, recv_state, send_state); 2166 2167 /* 2168 * Receive the next server response. Use the proper timeout, 2169 * and log the proper client state in case of trouble. 2170 * 2171 * XXX If we lose the connection before sending end-of-data, 2172 * find out if the server sent a premature end-of-data reply. 2173 * If this read attempt fails, report "lost connection while 2174 * sending message body", not "lost connection while sending 2175 * end-of-data". 
2176 * 2177 * "except" becomes zero just above the protocol loop, and stays 2178 * zero or triggers an early return from the loop. In just 2179 * one case: loss of the connection when sending the message 2180 * body, we record the exception, and keep processing in the 2181 * hope of detecting a premature 5XX. We must be careful to 2182 * not clobber this non-zero value once it is set. The 2183 * variable need not survive longjmp() calls, since the only 2184 * setjmp() which does not return early is the one sets this 2185 * condition, subsequent failures always return early. 2186 */ 2187 #define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF) 2188 2189 smtp_stream_setup(session->stream, *xfer_timeouts[recv_state], 2190 var_smtp_req_deadline, 0); 2191 if (LOST_CONNECTION_INSIDE_DATA) { 2192 if (vstream_setjmp(session->stream) != 0) 2193 RETURN(smtp_stream_except(state, SMTP_ERR_EOF, 2194 "sending message body")); 2195 } else { 2196 if ((except = vstream_setjmp(session->stream)) != 0) 2197 RETURN(SENDING_MAIL ? smtp_stream_except(state, except, 2198 xfer_states[recv_state]) : -1); 2199 } 2200 resp = smtp_chat_resp(session); 2201 2202 /* 2203 * Process the response. 2204 */ 2205 switch (recv_state) { 2206 2207 /* 2208 * Process the XFORWARD response. 
2209 */ 2210 case SMTP_STATE_XFORWARD_NAME_ADDR: 2211 if (resp->code / 100 != 2) 2212 msg_warn("host %s said: %s (in reply to %s)", 2213 session->namaddrport, 2214 translit(resp->str, "\n", " "), 2215 xfer_request[SMTP_STATE_XFORWARD_NAME_ADDR]); 2216 if (session->send_proto_helo) 2217 recv_state = SMTP_STATE_XFORWARD_PROTO_HELO; 2218 else 2219 recv_state = SMTP_STATE_MAIL; 2220 break; 2221 2222 case SMTP_STATE_XFORWARD_PROTO_HELO: 2223 if (resp->code / 100 != 2) 2224 msg_warn("host %s said: %s (in reply to %s)", 2225 session->namaddrport, 2226 translit(resp->str, "\n", " "), 2227 xfer_request[SMTP_STATE_XFORWARD_PROTO_HELO]); 2228 recv_state = SMTP_STATE_MAIL; 2229 break; 2230 2231 /* 2232 * Process the MAIL FROM response. When the server 2233 * rejects the sender, set the mail_from_rejected flag so 2234 * that the receiver may apply a course correction. 2235 */ 2236 case SMTP_STATE_MAIL: 2237 if (resp->code / 100 != 2) { 2238 smtp_mesg_fail(state, STR(iter->host), resp, 2239 "host %s said: %s (in reply to %s)", 2240 session->namaddr, 2241 translit(resp->str, "\n", " "), 2242 xfer_request[SMTP_STATE_MAIL]); 2243 mail_from_rejected = 1; 2244 } 2245 2246 /* 2247 * CVE-2009-3555 (TLS renegotiation). Whatever it was 2248 * that arrived before we sent our MAIL FROM command, it 2249 * was not a fatal-level TLS alert message. It could be a 2250 * warning-level TLS alert message, or a ChangeCipherSpec 2251 * message, but such messages are not normally sent in 2252 * the middle of a TLS session. We disconnect and try 2253 * again later. 
2254 */ 2255 #ifdef USE_TLS 2256 if (var_smtp_tls_blk_early_mail_reply 2257 && (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) { 2258 smtp_site_fail(state, DSN_BY_LOCAL_MTA, 2259 SMTP_RESP_FAKE(&fake, "4.7.0"), 2260 "unexpected server message"); 2261 msg_warn("server %s violates %s policy", 2262 session->namaddr, 2263 VAR_LMTP_SMTP(TLS_BLK_EARLY_MAIL_REPLY)); 2264 mail_from_rejected = 1; 2265 } 2266 #endif 2267 2268 /* 2269 * We now return to our regular broadcast. 2270 */ 2271 recv_state = SMTP_STATE_RCPT; 2272 break; 2273 2274 /* 2275 * Process one RCPT TO response. If MAIL FROM was 2276 * rejected, ignore RCPT TO responses: all recipients are 2277 * dead already. When all recipients are rejected the 2278 * receiver may apply a course correction. 2279 * 2280 * XXX 2821: Section 4.5.3.1 says that a 552 RCPT TO reply 2281 * must be treated as if the server replied with 452. 2282 * However, this causes "too much mail data" to be 2283 * treated as a recoverable error, which is wrong. I'll 2284 * stick with RFC 821. 2285 */ 2286 case SMTP_STATE_RCPT: 2287 if (!mail_from_rejected) { 2288 #ifdef notdef 2289 if (resp->code == 552) { 2290 resp->code = 452; 2291 resp->dsn[0] = '4'; 2292 } 2293 #endif 2294 rcpt = request->rcpt_list.info + recv_rcpt; 2295 if (resp->code / 100 == 2) { 2296 if (!smtp_mode) { 2297 if (survivors == 0) 2298 survivors = (int *) 2299 mymalloc(request->rcpt_list.len 2300 * sizeof(int)); 2301 survivors[nrcpt] = recv_rcpt; 2302 } 2303 ++nrcpt; 2304 /* If trace-only, mark the recipient done. */ 2305 if (DEL_REQ_TRACE_ONLY(request->flags) 2306 && smtp_vrfy_tgt == SMTP_STATE_RCPT) { 2307 translit(resp->str, "\n", " "); 2308 smtp_rcpt_done(state, resp, rcpt); 2309 } 2310 } else { 2311 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 2312 "host %s said: %s (in reply to %s)", 2313 session->namaddr, 2314 translit(resp->str, "\n", " "), 2315 xfer_request[SMTP_STATE_RCPT]); 2316 } 2317 } 2318 /* If trace-only, send RSET instead of DATA. 
*/ 2319 if (++recv_rcpt == SMTP_RCPT_LEFT(state)) 2320 recv_state = (DEL_REQ_TRACE_ONLY(request->flags) 2321 && smtp_vrfy_tgt == SMTP_STATE_RCPT) ? 2322 SMTP_STATE_ABORT : SMTP_STATE_DATA; 2323 /* XXX Also: record if non-delivering session. */ 2324 break; 2325 2326 /* 2327 * Process the DATA response. When the server rejects 2328 * DATA, set nrcpt to a negative value so that the 2329 * receiver can apply a course correction. 2330 */ 2331 case SMTP_STATE_DATA: 2332 recv_state = SMTP_STATE_DOT; 2333 if (resp->code / 100 != 3) { 2334 if (nrcpt > 0) 2335 smtp_mesg_fail(state, STR(iter->host), resp, 2336 "host %s said: %s (in reply to %s)", 2337 session->namaddr, 2338 translit(resp->str, "\n", " "), 2339 xfer_request[SMTP_STATE_DATA]); 2340 nrcpt = -1; 2341 } 2342 2343 /* 2344 * In the case of a successful address probe with target 2345 * equal to DATA, the remote server is now in the DATA 2346 * state, and therefore we must not make any further 2347 * attempt to send or receive on this connection. This 2348 * means that we cannot not reuse the general-purpose 2349 * course-correction logic below which sends RSET (and 2350 * perhaps QUIT). Instead we "jump" straight to the exit 2351 * and force an unceremonious disconnect. 2352 */ 2353 else if (DEL_REQ_TRACE_ONLY(request->flags) 2354 && smtp_vrfy_tgt == SMTP_STATE_DATA) { 2355 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 2356 rcpt = request->rcpt_list.info + nrcpt; 2357 if (!SMTP_RCPT_ISMARKED(rcpt)) { 2358 translit(resp->str, "\n", " "); 2359 SMTP_RESP_SET_DSN(resp, "2.0.0"); 2360 smtp_rcpt_done(state, resp, rcpt); 2361 } 2362 } 2363 DONT_CACHE_THIS_SESSION; 2364 send_state = recv_state = SMTP_STATE_LAST; 2365 } 2366 break; 2367 2368 /* 2369 * Process the end of message response. Ignore the 2370 * response when no recipient was accepted: all 2371 * recipients are dead already, and the next receiver 2372 * state is SMTP_STATE_LAST/QUIT regardless. 
Otherwise, 2373 * if the message transfer fails, bounce all remaining 2374 * recipients, else cross off the recipients that were 2375 * delivered. 2376 */ 2377 case SMTP_STATE_DOT: 2378 GETTIMEOFDAY(&request->msg_stats.deliver_done); 2379 if (smtp_mode) { 2380 if (nrcpt > 0) { 2381 if (resp->code / 100 != 2) { 2382 smtp_mesg_fail(state, STR(iter->host), resp, 2383 "host %s said: %s (in reply to %s)", 2384 session->namaddr, 2385 translit(resp->str, "\n", " "), 2386 xfer_request[SMTP_STATE_DOT]); 2387 } else { 2388 for (nrcpt = 0; nrcpt < recv_rcpt; nrcpt++) { 2389 rcpt = request->rcpt_list.info + nrcpt; 2390 if (!SMTP_RCPT_ISMARKED(rcpt)) { 2391 translit(resp->str, "\n", " "); 2392 smtp_rcpt_done(state, resp, rcpt); 2393 } 2394 } 2395 } 2396 } 2397 } 2398 2399 /* 2400 * With LMTP we have one response per accepted RCPT TO 2401 * command. Stay in the SMTP_STATE_DOT state until we 2402 * have collected all responses. 2403 */ 2404 else { 2405 if (nrcpt > 0) { 2406 rcpt = request->rcpt_list.info 2407 + survivors[recv_done++]; 2408 if (resp->code / 100 != 2) { 2409 smtp_rcpt_fail(state, rcpt, STR(iter->host), resp, 2410 "host %s said: %s (in reply to %s)", 2411 session->namaddr, 2412 translit(resp->str, "\n", " "), 2413 xfer_request[SMTP_STATE_DOT]); 2414 } else { 2415 translit(resp->str, "\n", " "); 2416 smtp_rcpt_done(state, resp, rcpt); 2417 } 2418 } 2419 if (msg_verbose) 2420 msg_info("%s: got %d of %d end-of-data replies", 2421 myname, recv_done, nrcpt); 2422 if (recv_done < nrcpt) 2423 break; 2424 } 2425 2426 /* 2427 * XXX Do not change the connection caching state here, 2428 * even if the connection caching timer expired between 2429 * generating the command and processing the reply, 2430 * otherwise the sender and receiver loops get out of 2431 * sync. The caller will call smtp_quit() if appropriate. 
2432 */ 2433 if (var_skip_quit_resp || THIS_SESSION_IS_CACHED 2434 || LOST_CONNECTION_INSIDE_DATA) 2435 recv_state = SMTP_STATE_LAST; 2436 else 2437 recv_state = SMTP_STATE_QUIT; 2438 break; 2439 2440 /* 2441 * Receive the RSET response. 2442 * 2443 * The SMTP_STATE_ABORT sender state is entered by the 2444 * sender when it has verified all recipients; or it is 2445 * entered by the receiver when all recipients are 2446 * verified or rejected, and is then left before the 2447 * bottom of the main loop. 2448 * 2449 * XXX Do not change the connection caching state here, even 2450 * if the server rejected RSET or if the connection 2451 * caching timer expired between generating the command 2452 * and processing the reply, otherwise the sender and 2453 * receiver loops get out of sync. The caller will call 2454 * smtp_quit() if appropriate. 2455 */ 2456 case SMTP_STATE_ABORT: 2457 recv_state = (var_skip_quit_resp || THIS_SESSION_IS_CACHED ? 2458 SMTP_STATE_LAST : SMTP_STATE_QUIT); 2459 break; 2460 2461 /* 2462 * This is the initial receiver state from smtp_rset(). 2463 * It is used to find out the status of a cached session 2464 * before attempting mail delivery. 2465 */ 2466 case SMTP_STATE_RSET: 2467 if (resp->code / 100 != 2) 2468 CANT_RSET_THIS_SESSION; 2469 recv_state = SMTP_STATE_LAST; 2470 break; 2471 2472 /* 2473 * Receive, but otherwise ignore, the QUIT response. 2474 */ 2475 case SMTP_STATE_QUIT: 2476 recv_state = SMTP_STATE_LAST; 2477 break; 2478 } 2479 } 2480 2481 /* 2482 * At this point, the sender and receiver are fully synchronized. 2483 */ 2484 2485 /* 2486 * We know the server response to every command that was sent. 2487 * Apply a course correction if necessary: the sender wants to 2488 * send RCPT TO but MAIL FROM was rejected; the sender wants to 2489 * send DATA but all recipients were rejected; the sender wants 2490 * to deliver the message but DATA was rejected. 
2491 */ 2492 if ((send_state == SMTP_STATE_RCPT && mail_from_rejected) 2493 || (send_state == SMTP_STATE_DATA && nrcpt == 0) 2494 || (send_state == SMTP_STATE_DOT && nrcpt < 0)) { 2495 send_state = recv_state = SMTP_STATE_ABORT; 2496 send_rcpt = recv_rcpt = 0; 2497 vstring_strcpy(next_command, "RSET"); 2498 if (THIS_SESSION_IS_EXPIRED) 2499 DONT_CACHE_THIS_SESSION; 2500 next_state = THIS_SESSION_IS_CACHED ? 2501 SMTP_STATE_LAST : SMTP_STATE_QUIT; 2502 /* XXX Also: record if non-delivering session. */ 2503 next_rcpt = 0; 2504 } 2505 } 2506 2507 /* 2508 * Make the next sender state the current sender state. 2509 */ 2510 if (send_state == SMTP_STATE_LAST) 2511 continue; 2512 2513 /* 2514 * Special case if the server accepted the DATA command. If the 2515 * server accepted at least one recipient send the entire message. 2516 * Otherwise, just send "." as per RFC 2197. 2517 * 2518 * XXX If there is a hard MIME error while downgrading to 7-bit mail, 2519 * disconnect ungracefully, because there is no other way to cancel a 2520 * transaction in progress. 2521 */ 2522 if (send_state == SMTP_STATE_DOT && nrcpt > 0) { 2523 2524 smtp_stream_setup(session->stream, var_smtp_data1_tmout, 2525 var_smtp_req_deadline, var_smtp_min_data_rate); 2526 2527 if ((except = vstream_setjmp(session->stream)) == 0) { 2528 2529 if (vstream_fseek(state->src, request->data_offset, SEEK_SET) < 0) 2530 msg_fatal("seek queue file: %m"); 2531 2532 downgrading = SMTP_MIME_DOWNGRADE(session, request); 2533 2534 /* 2535 * XXX Don't downgrade just because generic_maps is turned 2536 * on. 2537 */ 2538 #define SMTP_ANY_CHECKS (smtp_header_checks || smtp_body_checks) 2539 2540 if (downgrading || smtp_generic_maps || SMTP_ANY_CHECKS) 2541 session->mime_state = mime_state_alloc(downgrading ? 2542 MIME_OPT_DOWNGRADE 2543 | MIME_OPT_REPORT_NESTING : 2544 SMTP_ANY_CHECKS == 0 ? 2545 MIME_OPT_DISABLE_MIME : 2546 0, 2547 smtp_generic_maps 2548 || smtp_header_checks ? 
2549 smtp_header_rewrite : 2550 smtp_header_out, 2551 (MIME_STATE_ANY_END) 0, 2552 smtp_body_checks ? 2553 smtp_body_rewrite : 2554 smtp_text_out, 2555 (MIME_STATE_ANY_END) 0, 2556 (MIME_STATE_ERR_PRINT) 0, 2557 (void *) state); 2558 state->space_left = var_smtp_line_limit; 2559 2560 if ((smtp_cli_attr.flags & SMTP_CLI_MASK_ADD_HEADERS) != 0 2561 && smtp_out_add_headers(state) < 0) 2562 RETURN(0); 2563 2564 while ((rec_type = rec_get(state->src, session->scratch, 0)) > 0) { 2565 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT) 2566 break; 2567 if (smtp_out_raw_or_mime(state, rec_type, 2568 session->scratch) < 0) 2569 RETURN(0); 2570 prev_type = rec_type; 2571 } 2572 2573 if (session->mime_state) { 2574 2575 /* 2576 * The cleanup server normally ends MIME content with a 2577 * normal text record. The following code is needed to 2578 * flush an internal buffer when someone submits 8-bit 2579 * mail not ending in newline via /usr/sbin/sendmail 2580 * while MIME input processing is turned off, and MIME 2581 * 8bit->7bit conversion is requested upon delivery. 2582 * 2583 * Or some error while doing generic address mapping. 
2584 */ 2585 mime_errs = 2586 mime_state_update(session->mime_state, rec_type, "", 0); 2587 if (mime_errs) { 2588 smtp_mime_fail(state, mime_errs); 2589 RETURN(0); 2590 } 2591 } else if (prev_type == REC_TYPE_CONT) /* missing newline */ 2592 smtp_fputs("", 0, session->stream); 2593 if (session->features & SMTP_FEATURE_PIX_DELAY_DOTCRLF) { 2594 smtp_flush(session->stream);/* hurts performance */ 2595 sleep(var_smtp_pix_delay); /* not to mention this */ 2596 } 2597 if (vstream_ferror(state->src)) 2598 msg_fatal("queue file read error"); 2599 if (rec_type != REC_TYPE_XTRA) { 2600 msg_warn("%s: bad record type: %d in message content", 2601 request->queue_id, rec_type); 2602 fail_status = smtp_mesg_fail(state, DSN_BY_LOCAL_MTA, 2603 SMTP_RESP_FAKE(&fake, "5.3.0"), 2604 "unreadable mail queue entry"); 2605 /* Bailing out, abort stream with prejudice */ 2606 (void) vstream_fpurge(session->stream, VSTREAM_PURGE_BOTH); 2607 DONT_USE_FORBIDDEN_SESSION; 2608 /* If bounce_append() succeeded, status is still 0 */ 2609 if (state->status == 0) 2610 (void) mark_corrupt(state->src); 2611 /* Don't override smtp_mesg_fail() here. */ 2612 RETURN(fail_status); 2613 } 2614 } else { 2615 if (!LOST_CONNECTION_INSIDE_DATA) 2616 RETURN(smtp_stream_except(state, except, 2617 "sending message body")); 2618 2619 /* 2620 * We will clear the stream error flag to try and read a 2621 * premature 5XX response, so it is important to flush any 2622 * unwritten data. Otherwise, we will try to flush it again 2623 * before reading, which may incur an unnecessary delay and 2624 * will prevent the reading of any response that is not 2625 * already buffered (bundled with the DATA 354 response). 2626 * 2627 * Not much point in sending QUIT at this point, skip right to 2628 * SMTP_STATE_LAST. The read engine above will likewise avoid 2629 * looking for a QUIT response. 
*/
		(void) vstream_fpurge(session->stream, VSTREAM_PURGE_WRITE);
		next_state = SMTP_STATE_LAST;
	    }
	}

	/*
	 * Copy the next command to the buffer and update the sender state.
	 */
	if (except == 0) {
	    smtp_chat_cmd(session, "%s", vstring_str(next_command));
	} else {
	    DONT_CACHE_THIS_SESSION;
	}
	send_state = next_state;
	send_rcpt = next_rcpt;
    } while (recv_state != SMTP_STATE_LAST);
    RETURN(0);
}

/* smtp_xfer_want_name_addr - will the XFORWARD NAME/ADDR/PORT step carry anything? */

static int smtp_xfer_want_name_addr(SMTP_SESSION *session,
				            DELIVER_REQUEST *request)
{

    /*
     * An attribute is forwarded only when the server announced the matching
     * XFORWARD sub-feature AND the attribute is present in the delivery
     * request. For these three the literal value "unknown" also counts as
     * absent (see the CAN_FORWARD_* macros near the XFORWARD sender states
     * in smtp_loop()). Returns 1 when at least one attribute qualifies,
     * else 0; the XFORWARD sender state applies the same tests per
     * attribute when it builds the command.
     */
    if ((session->features & SMTP_FEATURE_XFORWARD_NAME)
	&& CAN_FORWARD_CLIENT_NAME(request->client_name))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_ADDR)
	&& CAN_FORWARD_CLIENT_ADDR(request->client_addr))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_PORT)
	&& CAN_FORWARD_CLIENT_PORT(request->client_port))
	return (1);
    return (0);
}

/* smtp_xfer_want_proto_helo - will the XFORWARD PROTO/HELO/IDENT/DOMAIN step carry anything? */

static int smtp_xfer_want_proto_helo(SMTP_SESSION *session,
				             DELIVER_REQUEST *request)
{

    /*
     * Same gating as smtp_xfer_want_name_addr(): server-announced
     * sub-feature plus an available attribute. PROTO additionally rejects
     * "unknown"; HELO, IDENT and the rewrite context only need to be
     * present. Returns 1 or 0.
     */
    if ((session->features & SMTP_FEATURE_XFORWARD_PROTO)
	&& CAN_FORWARD_PROTO_NAME(request->client_proto))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_HELO)
	&& CAN_FORWARD_HELO_NAME(request->client_helo))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_IDENT)
	&& CAN_FORWARD_IDENT_NAME(request->log_ident))
	return (1);
    if ((session->features & SMTP_FEATURE_XFORWARD_DOMAIN)
	&& CAN_FORWARD_RWR_CONTEXT(request->rewrite_context))
	return (1);
    return (0);
}

/* smtp_xfer - send a batch of envelope information and the message data */

int     smtp_xfer(SMTP_STATE *state)
{
    DELIVER_REQUEST *request = state->request;
    SMTP_SESSION *session = state->session;
    SMTP_RESP fake;
    int     start_state;
    int     result;

    /*
     * Drive one complete SMTP/LMTP transaction (optional XFORWARD, MAIL
     * FROM, RCPT TO, DATA, ".") for the recipients that are still pending
     * in state->request, by entering smtp_loop() at the appropriate
     * sender/receiver state. Returns smtp_loop()'s result: 0 when the
     * conversation itself succeeded (individual recipients may still have
     * been deferred or bounced), -1 on failure. As a side effect the
     * SMTP_MISC_FLAG_COMPLETE_SESSION bit in state->misc_flags is set when
     * the session ran to normal completion, and session->send_proto_helo
     * is (re)computed for this delivery.
     */

    /*
     * Programming-error checks: a transfer with zero pending recipients,
     * or with a first recipient that is already marked done, cannot be
     * meaningfully recovered from, so panic rather than send garbage.
     */
    if (SMTP_RCPT_LEFT(state) <= 0)
	msg_panic("smtp_xfer: bad recipient count: %d",
		  SMTP_RCPT_LEFT(state));
    if (SMTP_RCPT_ISMARKED(request->rcpt_list.info))
	msg_panic("smtp_xfer: bad recipient status: %d",
		  request->rcpt_list.info->u.status);

    /*
     * Fail fast when the message is larger than the limit recorded for
     * this server (session->size_limit; 0 means "no limit"). Bouncing here
     * with DSN 5.3.4 avoids pushing a message body that the server has
     * said it will not accept. The test lives here instead of in the EHLO
     * code because a cached connection may be reused for a different
     * message. The completion flag is set because this is a clean,
     * deliberate end of the delivery attempt, not a connection problem.
     */
    if (session->size_limit > 0 && session->size_limit < request->data_size) {
	smtp_mesg_fail(state, DSN_BY_LOCAL_MTA,
		       SMTP_RESP_FAKE(&fake, "5.3.4"),
		       "message size %lu exceeds size limit %.0f of server %s",
		       request->data_size, (double) session->size_limit,
		       session->namaddr);
	/* Redundant. We abort this delivery attempt. */
	state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;
	return (0);
    }

    /*
     * XFORWARD propagates the original client's identity across an
     * SMTP-based content filter. It is only attempted when the
     * smtp_send_xforward_command setting (var_smtp_send_xforward) is on,
     * and each XFORWARD step is skipped entirely when none of its
     * attributes qualifies; locally submitted mail then simply appears to
     * originate from the filter, which is acceptable. session->send_proto_helo
     * is consumed by smtp_loop() to decide whether a second XFORWARD
     * command follows the first.
     */
    if (var_smtp_send_xforward) {
	session->send_proto_helo = smtp_xfer_want_proto_helo(session, request);
	if (smtp_xfer_want_name_addr(session, request))
	    start_state = SMTP_STATE_XFORWARD_NAME_ADDR;
	else if (session->send_proto_helo)
	    start_state = SMTP_STATE_XFORWARD_PROTO_HELO;
	else
	    start_state = SMTP_STATE_MAIL;
    } else {
	session->send_proto_helo = 0;
	start_state = SMTP_STATE_MAIL;
    }

    /*
     * Sender and receiver enter smtp_loop() at the same state.
     */
    result = smtp_loop(state, start_state, start_state);

    /*
     * Record "normal completion" of this session, even if the server
     * 4xx-ed some or all recipients, so that a later connection or
     * handshake failure with another MX host does not get this destination
     * marked as unreachable. The stream checks are a belt-and-braces guard
     * against a loop that returned 0 on a stream that nevertheless ended
     * in error or EOF.
     */
    if (result == 0
	&& vstream_ferror(session->stream) == 0
	&& vstream_feof(session->stream) == 0)
	state->misc_flags |= SMTP_MISC_FLAG_COMPLETE_SESSION;

    return (result);
}

/* smtp_rset - send a lone RSET command */

int     smtp_rset(SMTP_STATE *state)
{
    const int entry_state = SMTP_STATE_RSET;

    /*
     * Probe a (typically cached) session before attempting delivery.
     * SMTP_STATE_RSET is a dedicated entry state on both the sender and
     * the receiver side: smtp_loop() sends exactly one RSET, reads one
     * reply, sets CANT_RSET_THIS_SESSION when that reply is not 2xx, and
     * then moves both sides to SMTP_STATE_LAST. Returns 0 when the
     * exchange itself completed, -1 on an I/O failure.
     */
    return (smtp_loop(state, entry_state, entry_state));
}

/* smtp_quit - send a lone QUIT command */

int     smtp_quit(SMTP_STATE *state)
{
    int     recv_entry;

    /*
     * End the session. SMTP_STATE_QUIT is the last sender state with an
     * action, and it also turns off connection caching for this session.
     * The receiver either waits for the (otherwise ignored) QUIT reply, or
     * starts at SMTP_STATE_LAST when var_skip_quit_resp is set, in which
     * case no reply is read at all. Returns 0 or -1 like smtp_loop().
     */
    if (var_skip_quit_resp)
	recv_entry = SMTP_STATE_LAST;
    else
	recv_entry = SMTP_STATE_QUIT;
    return (smtp_loop(state, SMTP_STATE_QUIT, recv_entry));
}