projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Make BOOL unsigned; fix resulting latent bugs
[exim.git] / src / src / smtp_in.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions for handling an incoming SMTP call. */
9
10
11#include "exim.h"
2ef7ed08 12#include <assert.h>
059ec3d9
PH		 13
14
15/* Initialize for TCP wrappers if so configured. It appears that the macro
16HAVE_IPV6 is used in some versions of the tcpd.h header, so we unset it before
17including that header, and restore its value afterwards. */
18
19#ifdef USE_TCP_WRAPPERS
20
21 #if HAVE_IPV6
22 #define EXIM_HAVE_IPV6
23 #endif
24 #undef HAVE_IPV6
25 #include <tcpd.h>
26 #undef HAVE_IPV6
27 #ifdef EXIM_HAVE_IPV6
28 #define HAVE_IPV6 TRUE
29 #endif
30
31int allow_severity = LOG_INFO;
32int deny_severity = LOG_NOTICE;
5dc43717 33uschar *tcp_wrappers_name;
059ec3d9
PH		 34#endif
35
36
8d67ada3
PH		 37/* Size of buffer for reading SMTP commands. We used to use 512, as defined
38by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
39commands that accept arguments, and this in particular applies to AUTH, where
94431adb 40the data can be quite long. More recently this value was 2048 in Exim;
e2ca7082 41however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH. Clients
94431adb
HSHR		 42such as Thunderbird will send an AUTH with an initial-response for GSSAPI.
43The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
e2ca7082
PP		 44we need room to handle large base64-encoded AUTHs for GSSAPI.
45*/
46
47#define smtp_cmd_buffer_size 16384
059ec3d9
PH		 48
49/* Size of buffer for reading SMTP incoming packets */
50
51#define in_buffer_size 8192
52
53/* Structure for SMTP command list */
54
55typedef struct {
1ba28e2b 56 const char *name;
059ec3d9
PH		 57 int len;
58 short int cmd;
59 short int has_arg;
60 short int is_mail_cmd;
61} smtp_cmd_list;
62
63/* Codes for identifying commands. We order them so that those that come first
64are those for which synchronization is always required. Checking this can help
65block some spam. */
66
67enum {
68 /* These commands are required to be synchronized, i.e. to be the last in a
69 block of commands when pipelining. */
70
71 HELO_CMD, EHLO_CMD, DATA_CMD, /* These are listed in the pipelining */
72 VRFY_CMD, EXPN_CMD, NOOP_CMD, /* RFC as requiring synchronization */
73 ETRN_CMD, /* This by analogy with TURN from the RFC */
74 STARTTLS_CMD, /* Required by the STARTTLS RFC */
b3ef41c9 75 TLS_AUTH_CMD, /* auto-command at start of SSL */
059ec3d9
PH		 76
77 /* This is a dummy to identify the non-sync commands when pipelining */
78
79 NON_SYNC_CMD_PIPELINING,
80
81 /* These commands need not be synchronized when pipelining */
82
83 MAIL_CMD, RCPT_CMD, RSET_CMD,
84
6d5c916c
JH		 85 /* RFC3030 section 2: "After all MAIL and RCPT responses are collected and
86 processed the message is sent using a series of BDAT commands"
87 implies that BDAT should be synchronized. However, we see Google, at least,
88 sending MAIL,RCPT,BDAT-LAST in a single packet, clearly not waiting for
89 processing of the RPCT response(s). We shall do the same, and not require
90 synch for BDAT. */
91
92 BDAT_CMD,
93
059ec3d9
PH		 94 /* This is a dummy to identify the non-sync commands when not pipelining */
95
96 NON_SYNC_CMD_NON_PIPELINING,
97
98 /* I have been unable to find a statement about the use of pipelining
99 with AUTH, so to be on the safe side it is here, though I kind of feel
100 it should be up there with the synchronized commands. */
101
102 AUTH_CMD,
103
104 /* I'm not sure about these, but I don't think they matter. */
105
106 QUIT_CMD, HELP_CMD,
107
cee5f132 108#ifdef SUPPORT_PROXY
a3c86431
TL		 109 PROXY_FAIL_IGNORE_CMD,
110#endif
111
059ec3d9
PH		 112 /* These are specials that don't correspond to actual commands */
113
114 EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
115 TOO_MANY_NONMAIL_CMD };
116
117
b4ed4da0
PH		 118/* This is a convenience macro for adding the identity of an SMTP command
119to the circular buffer that holds a list of the last n received. */
120
121#define HAD(n) \
122 smtp_connection_had[smtp_ch_index++] = n; \
123 if (smtp_ch_index >= SMTP_HBUFF_SIZE) smtp_ch_index = 0
124
059ec3d9
PH		 125
126/*************************************************
127* Local static variables *
128*************************************************/
129
130static auth_instance *authenticated_by;
131static BOOL auth_advertised;
132#ifdef SUPPORT_TLS
133static BOOL tls_advertised;
134#endif
6c1c3d1d 135static BOOL dsn_advertised;
059ec3d9
PH		 136static BOOL esmtp;
137static BOOL helo_required = FALSE;
138static BOOL helo_verify = FALSE;
139static BOOL helo_seen;
140static BOOL helo_accept_junk;
141static BOOL count_nonmail;
142static BOOL pipelining_advertised;
2679d413
PH		 143static BOOL rcpt_smtp_response_same;
144static BOOL rcpt_in_progress;
059ec3d9 145static int nonmail_command_count;
8f128379 146static BOOL smtp_exit_function_called = 0;
8c5d388a 147#ifdef SUPPORT_I18N
d1a13eea
JH		 148static BOOL smtputf8_advertised;
149#endif
059ec3d9
PH		 150static int synprot_error_count;
151static int unknown_command_count;
152static int sync_cmd_limit;
153static int smtp_write_error = 0;
154
2679d413 155static uschar *rcpt_smtp_response;
ca86f471
PH		 156static uschar *smtp_data_buffer;
157static uschar *smtp_cmd_data;
158
059ec3d9
PH		 159/* We need to know the position of RSET, HELO, EHLO, AUTH, and STARTTLS. Their
160final fields of all except AUTH are forced TRUE at the start of a new message
161setup, to allow one of each between messages that is not counted as a nonmail
162command. (In fact, only one of HELO/EHLO is not counted.) Also, we have to
163allow a new EHLO after starting up TLS.
164
165AUTH is "falsely" labelled as a mail command initially, so that it doesn't get
166counted. However, the flag is changed when AUTH is received, so that multiple
167failing AUTHs will eventually hit the limit. After a successful AUTH, another
168AUTH is already forbidden. After a TLS session is started, AUTH's flag is again
169forced TRUE, to allow for the re-authentication that can happen at that point.
170
171QUIT is also "falsely" labelled as a mail command so that it doesn't up the
2f460950
JH		 172count of non-mail commands and possibly provoke an error.
173
174tls_auth is a pseudo-command, never expected in input. It is activated
175on TLS startup and looks for a tls authenticator. */
059ec3d9
PH		 176
177static smtp_cmd_list cmd_list[] = {
d1a13eea
JH		 178 /* name len cmd has_arg is_mail_cmd */
179
059ec3d9
PH		 180 { "rset", sizeof("rset")-1, RSET_CMD, FALSE, FALSE }, /* First */
181 { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
182 { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
183 { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
184 #ifdef SUPPORT_TLS
185 { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
b3ef41c9 186 { "tls_auth", 0, TLS_AUTH_CMD, FALSE, TRUE },
059ec3d9
PH		 187 #endif
188
189/* If you change anything above here, also fix the definitions below. */
190
191 { "mail from:", sizeof("mail from:")-1, MAIL_CMD, TRUE, TRUE },
192 { "rcpt to:", sizeof("rcpt to:")-1, RCPT_CMD, TRUE, TRUE },
193 { "data", sizeof("data")-1, DATA_CMD, FALSE, TRUE },
18481de3 194 { "bdat", sizeof("bdat")-1, BDAT_CMD, TRUE, TRUE },
059ec3d9
PH		 195 { "quit", sizeof("quit")-1, QUIT_CMD, FALSE, TRUE },
196 { "noop", sizeof("noop")-1, NOOP_CMD, TRUE, FALSE },
197 { "etrn", sizeof("etrn")-1, ETRN_CMD, TRUE, FALSE },
198 { "vrfy", sizeof("vrfy")-1, VRFY_CMD, TRUE, FALSE },
199 { "expn", sizeof("expn")-1, EXPN_CMD, TRUE, FALSE },
200 { "help", sizeof("help")-1, HELP_CMD, TRUE, FALSE }
201};
202
203static smtp_cmd_list *cmd_list_end =
204 cmd_list + sizeof(cmd_list)/sizeof(smtp_cmd_list);
205
206#define CMD_LIST_RSET 0
207#define CMD_LIST_HELO 1
208#define CMD_LIST_EHLO 2
209#define CMD_LIST_AUTH 3
210#define CMD_LIST_STARTTLS 4
b3ef41c9 211#define CMD_LIST_TLS_AUTH 5
059ec3d9 212
b4ed4da0
PH		 213/* This list of names is used for performing the smtp_no_mail logging action.
214It must be kept in step with the SCH_xxx enumerations. */
215
216static uschar *smtp_names[] =
217 {
18481de3
JH		 218 US"NONE", US"AUTH", US"DATA", US"BDAT", US"EHLO", US"ETRN", US"EXPN",
219 US"HELO", US"HELP", US"MAIL", US"NOOP", US"QUIT", US"RCPT", US"RSET",
220 US"STARTTLS", US"VRFY" };
b4ed4da0 221
e524074d 222static uschar *protocols_local[] = {
981756db
PH		 223 US"local-smtp", /* HELO */
224 US"local-smtps", /* The rare case EHLO->STARTTLS->HELO */
225 US"local-esmtp", /* EHLO */
226 US"local-esmtps", /* EHLO->STARTTLS->EHLO */
227 US"local-esmtpa", /* EHLO->AUTH */
228 US"local-esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
059ec3d9 229 };
e524074d
JH		 230static uschar *protocols[] = {
231 US"smtp", /* HELO */
232 US"smtps", /* The rare case EHLO->STARTTLS->HELO */
233 US"esmtp", /* EHLO */
234 US"esmtps", /* EHLO->STARTTLS->EHLO */
235 US"esmtpa", /* EHLO->AUTH */
236 US"esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
237 };
059ec3d9
PH		 238
239#define pnormal 0
981756db
PH		 240#define pextend 2
241#define pcrpted 1 /* added to pextend or pnormal */
242#define pauthed 2 /* added to pextend */
059ec3d9 243
d27f98fe
TL		 244/* Sanity check and validate optional args to MAIL FROM: envelope */
245enum {
2ef7ed08 246 ENV_MAIL_OPT_NULL,
d27f98fe 247 ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH,
8ccd00b1 248#ifndef DISABLE_PRDR
fd98a5c6 249 ENV_MAIL_OPT_PRDR,
6c1c3d1d 250#endif
6c1c3d1d 251 ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
8c5d388a 252#ifdef SUPPORT_I18N
d1a13eea
JH		 253 ENV_MAIL_OPT_UTF8,
254#endif
d27f98fe
TL		 255 };
256typedef struct {
257 uschar * name; /* option requested during MAIL cmd */
258 int value; /* enum type */
259 BOOL need_value; /* TRUE requires value (name=value pair format)
260 FALSE is a singleton */
261 } env_mail_type_t;
262static env_mail_type_t env_mail_type_list[] = {
263 { US"SIZE", ENV_MAIL_OPT_SIZE, TRUE },
264 { US"BODY", ENV_MAIL_OPT_BODY, TRUE },
265 { US"AUTH", ENV_MAIL_OPT_AUTH, TRUE },
8ccd00b1 266#ifndef DISABLE_PRDR
fd98a5c6 267 { US"PRDR", ENV_MAIL_OPT_PRDR, FALSE },
6c1c3d1d 268#endif
6c1c3d1d
WB		 269 { US"RET", ENV_MAIL_OPT_RET, TRUE },
270 { US"ENVID", ENV_MAIL_OPT_ENVID, TRUE },
8c5d388a 271#ifdef SUPPORT_I18N
d1a13eea
JH		 272 { US"SMTPUTF8",ENV_MAIL_OPT_UTF8, FALSE }, /* rfc6531 */
273#endif
2ef7ed08
HSHR		 274 /* keep this the last entry */
275 { US"NULL", ENV_MAIL_OPT_NULL, FALSE },
d27f98fe
TL		 276 };
277
059ec3d9
PH		 278/* When reading SMTP from a remote host, we have to use our own versions of the
279C input-reading functions, in order to be able to flush the SMTP output only
280when about to read more data from the socket. This is the only way to get
281optimal performance when the client is using pipelining. Flushing for every
282command causes a separate packet and reply packet each time; saving all the
283responses up (when pipelining) combines them into one packet and one response.
284
285For simplicity, these functions are used for *all* SMTP input, not only when
286receiving over a socket. However, after setting up a secure socket (SSL), input
287is read via the OpenSSL library, and another set of functions is used instead
288(see tls.c).
289
290These functions are set in the receive_getc etc. variables and called with the
291same interface as the C functions. However, since there can only ever be
292one incoming SMTP call, we just use a single buffer and flags. There is no need
293to implement a complicated private FILE-like structure.*/
294
295static uschar *smtp_inbuffer;
296static uschar *smtp_inptr;
297static uschar *smtp_inend;
298static int smtp_had_eof;
299static int smtp_had_error;
300
301
7e3ce68e
JH		 302/* forward declarations */
303int bdat_ungetc(int ch);
304static int smtp_read_command(BOOL check_sync);
305static int synprot_error(int type, int code, uschar *data, uschar *errmess);
306static void smtp_quit_handler(uschar **, uschar **);
307static void smtp_rset_handler(void);
308
059ec3d9
PH		 309/*************************************************
310* SMTP version of getc() *
311*************************************************/
312
313/* This gets the next byte from the SMTP input buffer. If the buffer is empty,
314it flushes the output, and refills the buffer, with a timeout. The signal
315handler is set appropriately by the calling function. This function is not used
316after a connection has negotated itself into an TLS/SSL state.
317
318Arguments: none
319Returns: the next character or EOF
320*/
321
322int
323smtp_getc(void)
324{
325if (smtp_inptr >= smtp_inend)
326 {
327 int rc, save_errno;
328 fflush(smtp_out);
329 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
330 rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
331 save_errno = errno;
332 alarm(0);
333 if (rc <= 0)
334 {
335 /* Must put the error text in fixed store, because this might be during
336 header reading, where it releases unused store above the header. */
337 if (rc < 0)
338 {
339 smtp_had_error = save_errno;
340 smtp_read_error = string_copy_malloc(
341 string_sprintf(" (error: %s)", strerror(save_errno)));
342 }
343 else smtp_had_eof = 1;
344 return EOF;
345 }
80a47a2c
TK		 346#ifndef DISABLE_DKIM
347 dkim_exim_verify_feed(smtp_inbuffer, rc);
348#endif
059ec3d9
PH		 349 smtp_inend = smtp_inbuffer + rc;
350 smtp_inptr = smtp_inbuffer;
351 }
352return *smtp_inptr++;
353}
354
584e96c6
JH		 355void
356smtp_get_cache(void)
357{
9960d1e5 358#ifndef DISABLE_DKIM
584e96c6
JH		 359int n = smtp_inend - smtp_inptr;
360if (n > 0)
361 dkim_exim_verify_feed(smtp_inptr, n);
584e96c6 362#endif
9960d1e5 363}
059ec3d9
PH		 364
365
7e3ce68e
JH		 366/* Get a byte from the smtp input, in CHUNKING mode. Handle ack of the
367previous BDAT chunk and getting new ones when we run out. Uses the
368underlying smtp_getc or tls_getc both for that and for getting the
369(buffered) data byte. EOD signals (an expected) no further data.
370ERR signals a protocol error, and EOF a closed input stream.
371
372Called from read_bdat_smtp() in receive.c for the message body, but also
373by the headers read loop in receive_msg(); manipulates chunking_state
374to handle the BDAT command/response.
375Placed here due to the correlation with the above smtp_getc(), which it wraps,
376and also by the need to do smtp command/response handling.
377
378Arguments: none
379Returns: the next character or ERR, EOD or EOF
380*/
381
382int
383bdat_getc(void)
384{
385uschar * user_msg = NULL;
386uschar * log_msg;
387
388for(;;)
389 {
390 if (chunking_data_left-- > 0)
391 return lwr_receive_getc();
392
393 receive_getc = lwr_receive_getc;
394 receive_ungetc = lwr_receive_ungetc;
395
396 /* If not the last, ack the received chunk. The last response is delayed
397 until after the data ACL decides on it */
7e3ce68e
JH		 398
399 if (chunking_state == CHUNKING_LAST)
584e96c6
JH		 400 {
401#ifndef DISABLE_DKIM
e983e85a 402 dkim_exim_verify_feed(NULL, 0); /* notify EOD */
584e96c6 403#endif
7e3ce68e 404 return EOD;
584e96c6 405 }
7e3ce68e
JH		 406
407 chunking_state = CHUNKING_OFFERED;
408 smtp_printf("250 %u byte chunk received\r\n", chunking_datasize);
409
410 /* Expect another BDAT cmd from input. RFC 3030 says nothing about
411 QUIT, RSET or NOOP but handling them seems obvious */
412
413next_cmd:
414 switch(smtp_read_command(TRUE))
415 {
416 default:
417 (void) synprot_error(L_smtp_protocol_error, 503, NULL,
418 US"only BDAT permissible after non-LAST BDAT");
419
420 repeat_until_rset:
421 switch(smtp_read_command(TRUE))
422 {
423 case QUIT_CMD: smtp_quit_handler(&user_msg, &log_msg); /*FALLTHROUGH */
424 case EOF_CMD: return EOF;
425 case RSET_CMD: smtp_rset_handler(); return ERR;
426 default: if (synprot_error(L_smtp_protocol_error, 503, NULL,
427 US"only RSET accepted now") > 0)
428 return EOF;
429 goto repeat_until_rset;
430 }
431
432 case QUIT_CMD:
433 smtp_quit_handler(&user_msg, &log_msg);
434 /*FALLTHROUGH*/
435 case EOF_CMD:
436 return EOF;
437
438 case RSET_CMD:
439 smtp_rset_handler();
440 return ERR;
441
442 case NOOP_CMD:
443 HAD(SCH_NOOP);
444 smtp_printf("250 OK\r\n");
445 goto next_cmd;
446
447 case BDAT_CMD:
448 {
449 int n;
450
451 if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
452 {
453 (void) synprot_error(L_smtp_protocol_error, 501, NULL,
454 US"missing size for BDAT command");
455 return ERR;
456 }
457 chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
458 ? CHUNKING_LAST : CHUNKING_ACTIVE;
459 chunking_data_left = chunking_datasize;
460
461 if (chunking_datasize == 0)
462 if (chunking_state == CHUNKING_LAST)
463 return EOD;
464 else
465 {
466 (void) synprot_error(L_smtp_protocol_error, 504, NULL,
467 US"zero size for BDAT command");
468 goto repeat_until_rset;
469 }
470
471 receive_getc = bdat_getc;
472 receive_ungetc = bdat_ungetc;
473 break; /* to top of main loop */
474 }
475 }
476 }
477}
478
45bd315d
JH		 479static void
480bdat_flush_data(void)
481{
482while (chunking_data_left-- > 0)
483 if (lwr_receive_getc() < 0)
484 break;
485
486receive_getc = lwr_receive_getc;
487receive_ungetc = lwr_receive_ungetc;
488
489if (chunking_state != CHUNKING_LAST)
490 chunking_state = CHUNKING_OFFERED;
491}
492
7e3ce68e
JH		 493
494
495
059ec3d9
PH		 496/*************************************************
497* SMTP version of ungetc() *
498*************************************************/
499
500/* Puts a character back in the input buffer. Only ever
501called once.
502
503Arguments:
504 ch the character
505
506Returns: the character
507*/
508
509int
510smtp_ungetc(int ch)
511{
7e3ce68e 512*--smtp_inptr = ch;
059ec3d9
PH		 513return ch;
514}
515
516
7e3ce68e
JH		 517int
518bdat_ungetc(int ch)
519{
520chunking_data_left++;
521return lwr_receive_ungetc(ch);
522}
523
059ec3d9
PH		 524
525
526/*************************************************
527* SMTP version of feof() *
528*************************************************/
529
530/* Tests for a previous EOF
531
532Arguments: none
533Returns: non-zero if the eof flag is set
534*/
535
536int
537smtp_feof(void)
538{
539return smtp_had_eof;
540}
541
542
543
544
545/*************************************************
546* SMTP version of ferror() *
547*************************************************/
548
549/* Tests for a previous read error, and returns with errno
550restored to what it was when the error was detected.
551
552Arguments: none
553Returns: non-zero if the error flag is set
554*/
555
556int
557smtp_ferror(void)
558{
559errno = smtp_had_error;
560return smtp_had_error;
561}
562
563
564
58eb016e
PH		 565/*************************************************
566* Test for characters in the SMTP buffer *
567*************************************************/
568
569/* Used at the end of a message
570
571Arguments: none
572Returns: TRUE/FALSE
573*/
574
575BOOL
576smtp_buffered(void)
577{
578return smtp_inptr < smtp_inend;
579}
580
581
059ec3d9
PH		 582
583/*************************************************
584* Write formatted string to SMTP channel *
585*************************************************/
586
587/* This is a separate function so that we don't have to repeat everything for
588TLS support or debugging. It is global so that the daemon and the
589authentication functions can use it. It does not return any error indication,
590because major problems such as dropped connections won't show up till an output
591flush for non-TLS connections. The smtp_fflush() function is available for
592checking that: for convenience, TLS output errors are remembered here so that
593they are also picked up later by smtp_fflush().
594
595Arguments:
596 format format string
597 ... optional arguments
598
599Returns: nothing
600*/
601
602void
1ba28e2b 603smtp_printf(const char *format, ...)
059ec3d9
PH		 604{
605va_list ap;
606
ce552449
NM		 607va_start(ap, format);
608smtp_vprintf(format, ap);
609va_end(ap);
610}
611
612/* This is split off so that verify.c:respond_printf() can, in effect, call
613smtp_printf(), bearing in mind that in C a vararg function can't directly
fb08281f 614call another vararg function, only a function which accepts a va_list. */
ce552449
NM		 615
616void
1ba28e2b 617smtp_vprintf(const char *format, va_list ap)
ce552449 618{
fb08281f
DW		 619BOOL yield;
620
621yield = string_vformat(big_buffer, big_buffer_size, format, ap);
ce552449 622
059ec3d9
PH		 623DEBUG(D_receive)
624 {
fb08281f
DW		 625 void *reset_point = store_get(0);
626 uschar *msg_copy, *cr, *end;
627 msg_copy = string_copy(big_buffer);
628 end = msg_copy + Ustrlen(msg_copy);
629 while ((cr = Ustrchr(msg_copy, '\r')) != NULL) /* lose CRs */
630 memmove(cr, cr + 1, (end--) - cr);
631 debug_printf("SMTP>> %s", msg_copy);
632 store_reset(reset_point);
059ec3d9
PH		 633 }
634
fb08281f 635if (!yield)
2679d413
PH		 636 {
637 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
638 smtp_closedown(US"Unexpected error");
639 exim_exit(EXIT_FAILURE);
640 }
2679d413
PH		 641
642/* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
643have had the same. Note: this code is also present in smtp_respond(). It would
644be tidier to have it only in one place, but when it was added, it was easier to
645do it that way, so as not to have to mess with the code for the RCPT command,
646which sometimes uses smtp_printf() and sometimes smtp_respond(). */
647
648if (rcpt_in_progress)
649 {
650 if (rcpt_smtp_response == NULL)
651 rcpt_smtp_response = string_copy(big_buffer);
652 else if (rcpt_smtp_response_same &&
653 Ustrcmp(rcpt_smtp_response, big_buffer) != 0)
654 rcpt_smtp_response_same = FALSE;
655 rcpt_in_progress = FALSE;
656 }
059ec3d9 657
2679d413 658/* Now write the string */
059ec3d9
PH		 659
660#ifdef SUPPORT_TLS
817d9f57 661if (tls_in.active >= 0)
059ec3d9 662 {
817d9f57
JH		 663 if (tls_write(TRUE, big_buffer, Ustrlen(big_buffer)) < 0)
664 smtp_write_error = -1;
059ec3d9
PH		 665 }
666else
667#endif
668
2679d413 669if (fprintf(smtp_out, "%s", big_buffer) < 0) smtp_write_error = -1;
059ec3d9
PH		 670}
671
672
673
674/*************************************************
675* Flush SMTP out and check for error *
676*************************************************/
677
678/* This function isn't currently used within Exim (it detects errors when it
679tries to read the next SMTP input), but is available for use in local_scan().
680For non-TLS connections, it flushes the output and checks for errors. For
681TLS-connections, it checks for a previously-detected TLS write error.
682
683Arguments: none
684Returns: 0 for no error; -1 after an error
685*/
686
687int
688smtp_fflush(void)
689{
817d9f57 690if (tls_in.active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
059ec3d9
PH		 691return smtp_write_error;
692}
693
694
695
696/*************************************************
697* SMTP command read timeout *
698*************************************************/
699
700/* Signal handler for timing out incoming SMTP commands. This attempts to
701finish off tidily.
702
703Argument: signal number (SIGALRM)
704Returns: nothing
705*/
706
707static void
708command_timeout_handler(int sig)
709{
710sig = sig; /* Keep picky compilers happy */
711log_write(L_lost_incoming_connection,
712 LOG_MAIN, "SMTP command timeout on%s connection from %s",
817d9f57 713 (tls_in.active >= 0)? " TLS" : "",
059ec3d9
PH		 714 host_and_ident(FALSE));
715if (smtp_batched_input)
716 moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
8f128379
PH		 717smtp_notquit_exit(US"command-timeout", US"421",
718 US"%s: SMTP command timeout - closing connection", smtp_active_hostname);
059ec3d9
PH		 719exim_exit(EXIT_FAILURE);
720}
721
722
723
724/*************************************************
725* SIGTERM received *
726*************************************************/
727
728/* Signal handler for handling SIGTERM. Again, try to finish tidily.
729
730Argument: signal number (SIGTERM)
731Returns: nothing
732*/
733
734static void
735command_sigterm_handler(int sig)
736{
737sig = sig; /* Keep picky compilers happy */
738log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
739if (smtp_batched_input)
740 moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */
8f128379
PH		 741smtp_notquit_exit(US"signal-exit", US"421",
742 US"%s: Service not available - closing connection", smtp_active_hostname);
059ec3d9
PH		 743exim_exit(EXIT_FAILURE);
744}
745
746
747
a14e5636 748
cee5f132 749#ifdef SUPPORT_PROXY
a3bddaa8
TL		 750/*************************************************
751* Restore socket timeout to previous value *
752*************************************************/
753/* If the previous value was successfully retrieved, restore
754it before returning control to the non-proxy routines
755
756Arguments: fd - File descriptor for input
757 get_ok - Successfully retrieved previous values
758 tvtmp - Time struct with previous values
759 vslen - Length of time struct
760Returns: none
761*/
762static void
763restore_socket_timeout(int fd, int get_ok, struct timeval tvtmp, socklen_t vslen)
764{
765if (get_ok == 0)
766 setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp, vslen);
767}
768
a3c86431
TL		 769/*************************************************
770* Check if host is required proxy host *
771*************************************************/
772/* The function determines if inbound host will be a regular smtp host
773or if it is configured that it must use Proxy Protocol.
774
775Arguments: none
776Returns: bool
777*/
778
779static BOOL
780check_proxy_protocol_host()
781{
782int rc;
783/* Cannot configure local connection as a proxy inbound */
784if (sender_host_address == NULL) return proxy_session;
785
7a2fa0bc 786rc = verify_check_this_host(CUSS &hosts_proxy, NULL, NULL,
a3c86431
TL		 787 sender_host_address, NULL);
788if (rc == OK)
789 {
790 DEBUG(D_receive)
791 debug_printf("Detected proxy protocol configured host\n");
792 proxy_session = TRUE;
793 }
794return proxy_session;
795}
796
797
a3c86431
TL		 798/*************************************************
799* Setup host for proxy protocol *
800*************************************************/
801/* The function configures the connection based on a header from the
802inbound host to use Proxy Protocol. The specification is very exact
803so exit with an error if do not find the exact required pieces. This
804includes an incorrect number of spaces separating args.
805
806Arguments: none
807Returns: int
808*/
809
810static BOOL
811setup_proxy_protocol_host()
812{
813union {
814 struct {
815 uschar line[108];
816 } v1;
817 struct {
818 uschar sig[12];
36719342
TL		 819 uint8_t ver_cmd;
820 uint8_t fam;
821 uint16_t len;
a3c86431
TL		 822 union {
823 struct { /* TCP/UDP over IPv4, len = 12 */
824 uint32_t src_addr;
825 uint32_t dst_addr;
826 uint16_t src_port;
827 uint16_t dst_port;
828 } ip4;
829 struct { /* TCP/UDP over IPv6, len = 36 */
830 uint8_t src_addr[16];
831 uint8_t dst_addr[16];
832 uint16_t src_port;
833 uint16_t dst_port;
834 } ip6;
835 struct { /* AF_UNIX sockets, len = 216 */
836 uschar src_addr[108];
837 uschar dst_addr[108];
838 } unx;
839 } addr;
840 } v2;
841} hdr;
842
eb57651e
TL		 843/* Temp variables used in PPv2 address:port parsing */
844uint16_t tmpport;
845char tmpip[INET_ADDRSTRLEN];
846struct sockaddr_in tmpaddr;
847char tmpip6[INET6_ADDRSTRLEN];
848struct sockaddr_in6 tmpaddr6;
849
850int get_ok = 0;
a3c86431 851int size, ret, fd;
36719342 852const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
a3c86431
TL		 853uschar *iptype; /* To display debug info */
854struct timeval tv;
a3bddaa8
TL		 855socklen_t vslen = 0;
856struct timeval tvtmp;
857
858vslen = sizeof(struct timeval);
a3c86431
TL		 859
860fd = fileno(smtp_in);
861
a3bddaa8
TL		 862/* Save current socket timeout values */
863get_ok = getsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp,
864 &vslen);
865
a3c86431
TL		 866/* Proxy Protocol host must send header within a short time
867(default 3 seconds) or it's considered invalid */
868tv.tv_sec = PROXY_NEGOTIATION_TIMEOUT_SEC;
869tv.tv_usec = PROXY_NEGOTIATION_TIMEOUT_USEC;
870setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv,
871 sizeof(struct timeval));
a3bddaa8 872
a3c86431
TL		 873do
874 {
eb57651e
TL		 875 /* The inbound host was declared to be a Proxy Protocol host, so
876 don't do a PEEK into the data, actually slurp it up. */
877 ret = recv(fd, &hdr, sizeof(hdr), 0);
a3c86431
TL		 878 }
879 while (ret == -1 && errno == EINTR);
880
881if (ret == -1)
a3bddaa8
TL		 882 {
883 restore_socket_timeout(fd, get_ok, tvtmp, vslen);
a3c86431 884 return (errno == EAGAIN) ? 0 : ERRNO_PROXYFAIL;
a3bddaa8 885 }
a3c86431
TL		 886
887if (ret >= 16 &&
36719342 888 memcmp(&hdr.v2, v2sig, 12) == 0)
a3c86431 889 {
36719342
TL		 890 uint8_t ver, cmd;
891
892 /* May 2014: haproxy combined the version and command into one byte to
893 allow two full bytes for the length field in order to proxy SSL
894 connections. SSL Proxy is not supported in this version of Exim, but
895 must still seperate values here. */
896 ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
897 cmd = (hdr.v2.ver_cmd & 0x0f);
898
899 if (ver != 0x02)
900 {
901 DEBUG(D_receive) debug_printf("Invalid Proxy Protocol version: %d\n", ver);
902 goto proxyfail;
903 }
a3c86431 904 DEBUG(D_receive) debug_printf("Detected PROXYv2 header\n");
36719342 905 /* The v2 header will always be 16 bytes per the spec. */
a3c86431
TL		 906 size = 16 + hdr.v2.len;
907 if (ret < size)
908 {
36719342
TL		 909 DEBUG(D_receive) debug_printf("Truncated or too large PROXYv2 header (%d/%d)\n",
910 ret, size);
a3c86431
TL		 911 goto proxyfail;
912 }
36719342 913 switch (cmd)
a3c86431
TL		 914 {
915 case 0x01: /* PROXY command */
916 switch (hdr.v2.fam)
917 {
eb57651e
TL		 918 case 0x11: /* TCPv4 address type */
919 iptype = US"IPv4";
920 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
921 inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
922 if (!string_is_ip_address(US tmpip,NULL))
923 {
924 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
a3c86431 925 return ERRNO_PROXYFAIL;
eb57651e 926 }
e6d2a989 927 proxy_local_address = sender_host_address;
eb57651e
TL		 928 sender_host_address = string_copy(US tmpip);
929 tmpport = ntohs(hdr.v2.addr.ip4.src_port);
e6d2a989 930 proxy_local_port = sender_host_port;
eb57651e
TL		 931 sender_host_port = tmpport;
932 /* Save dest ip/port */
933 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
934 inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
935 if (!string_is_ip_address(US tmpip,NULL))
936 {
937 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
938 return ERRNO_PROXYFAIL;
939 }
7a2fa0bc 940 proxy_external_address = string_copy(US tmpip);
eb57651e 941 tmpport = ntohs(hdr.v2.addr.ip4.dst_port);
7a2fa0bc 942 proxy_external_port = tmpport;
a3c86431 943 goto done;
eb57651e
TL		 944 case 0x21: /* TCPv6 address type */
945 iptype = US"IPv6";
946 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
947 inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
948 if (!string_is_ip_address(US tmpip6,NULL))
949 {
950 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
951 return ERRNO_PROXYFAIL;
952 }
e6d2a989 953 proxy_local_address = sender_host_address;
eb57651e
TL		 954 sender_host_address = string_copy(US tmpip6);
955 tmpport = ntohs(hdr.v2.addr.ip6.src_port);
e6d2a989 956 proxy_local_port = sender_host_port;
eb57651e
TL		 957 sender_host_port = tmpport;
958 /* Save dest ip/port */
959 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
960 inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
961 if (!string_is_ip_address(US tmpip6,NULL))
962 {
963 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
a3c86431 964 return ERRNO_PROXYFAIL;
eb57651e 965 }
7a2fa0bc 966 proxy_external_address = string_copy(US tmpip6);
eb57651e 967 tmpport = ntohs(hdr.v2.addr.ip6.dst_port);
7a2fa0bc 968 proxy_external_port = tmpport;
a3c86431 969 goto done;
eb57651e
TL		 970 default:
971 DEBUG(D_receive)
972 debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n",
973 hdr.v2.fam);
974 goto proxyfail;
a3c86431
TL		 975 }
976 /* Unsupported protocol, keep local connection address */
977 break;
978 case 0x00: /* LOCAL command */
979 /* Keep local connection address for LOCAL */
980 break;
981 default:
eb57651e 982 DEBUG(D_receive)
36719342 983 debug_printf("Unsupported PROXYv2 command: 0x%x\n", cmd);
a3c86431
TL		 984 goto proxyfail;
985 }
986 }
987else if (ret >= 8 &&
988 memcmp(hdr.v1.line, "PROXY", 5) == 0)
989 {
990 uschar *p = string_copy(hdr.v1.line);
991 uschar *end = memchr(p, '\r', ret - 1);
992 uschar *sp; /* Utility variables follow */
993 int tmp_port;
994 char *endc;
995
996 if (!end || end[1] != '\n')
997 {
998 DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
999 goto proxyfail;
1000 }
1001 *end = '\0'; /* Terminate the string */
1002 size = end + 2 - hdr.v1.line; /* Skip header + CRLF */
1003 DEBUG(D_receive) debug_printf("Detected PROXYv1 header\n");
1004 /* Step through the string looking for the required fields. Ensure
1005 strict adherance to required formatting, exit for any error. */
1006 p += 5;
1007 if (!isspace(*(p++)))
1008 {
1009 DEBUG(D_receive) debug_printf("Missing space after PROXY command\n");
1010 goto proxyfail;
1011 }
1012 if (!Ustrncmp(p, CCS"TCP4", 4))
1013 iptype = US"IPv4";
1014 else if (!Ustrncmp(p,CCS"TCP6", 4))
1015 iptype = US"IPv6";
1016 else if (!Ustrncmp(p,CCS"UNKNOWN", 7))
1017 {
1018 iptype = US"Unknown";
1019 goto done;
1020 }
1021 else
1022 {
1023 DEBUG(D_receive) debug_printf("Invalid TCP type\n");
1024 goto proxyfail;
1025 }
1026
1027 p += Ustrlen(iptype);
1028 if (!isspace(*(p++)))
1029 {
1030 DEBUG(D_receive) debug_printf("Missing space after TCP4/6 command\n");
1031 goto proxyfail;
1032 }
1033 /* Find the end of the arg */
1034 if ((sp = Ustrchr(p, ' ')) == NULL)
1035 {
1036 DEBUG(D_receive)
1037 debug_printf("Did not find proxied src %s\n", iptype);
1038 goto proxyfail;
1039 }
1040 *sp = '\0';
1041 if(!string_is_ip_address(p,NULL))
1042 {
1043 DEBUG(D_receive)
1044 debug_printf("Proxied src arg is not an %s address\n", iptype);
1045 goto proxyfail;
1046 }
e6d2a989 1047 proxy_local_address = sender_host_address;
a3c86431
TL		 1048 sender_host_address = p;
1049 p = sp + 1;
1050 if ((sp = Ustrchr(p, ' ')) == NULL)
1051 {
1052 DEBUG(D_receive)
1053 debug_printf("Did not find proxy dest %s\n", iptype);
1054 goto proxyfail;
1055 }
1056 *sp = '\0';
1057 if(!string_is_ip_address(p,NULL))
1058 {
1059 DEBUG(D_receive)
1060 debug_printf("Proxy dest arg is not an %s address\n", iptype);
1061 goto proxyfail;
1062 }
7a2fa0bc 1063 proxy_external_address = p;
a3c86431
TL		 1064 p = sp + 1;
1065 if ((sp = Ustrchr(p, ' ')) == NULL)
1066 {
1067 DEBUG(D_receive) debug_printf("Did not find proxied src port\n");
1068 goto proxyfail;
1069 }
1070 *sp = '\0';
1071 tmp_port = strtol(CCS p,&endc,10);
1072 if (*endc || tmp_port == 0)
1073 {
1074 DEBUG(D_receive)
1075 debug_printf("Proxied src port '%s' not an integer\n", p);
1076 goto proxyfail;
1077 }
e6d2a989 1078 proxy_local_port = sender_host_port;
a3c86431
TL		 1079 sender_host_port = tmp_port;
1080 p = sp + 1;
1081 if ((sp = Ustrchr(p, '\0')) == NULL)
1082 {
1083 DEBUG(D_receive) debug_printf("Did not find proxy dest port\n");
1084 goto proxyfail;
1085 }
1086 tmp_port = strtol(CCS p,&endc,10);
1087 if (*endc || tmp_port == 0)
1088 {
1089 DEBUG(D_receive)
1090 debug_printf("Proxy dest port '%s' not an integer\n", p);
1091 goto proxyfail;
1092 }
7a2fa0bc 1093 proxy_external_port = tmp_port;
a3c86431
TL		 1094 /* Already checked for /r /n above. Good V1 header received. */
1095 goto done;
1096 }
1097else
1098 {
1099 /* Wrong protocol */
eb57651e 1100 DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n");
a3c86431
TL		 1101 goto proxyfail;
1102 }
1103
1104proxyfail:
a3bddaa8 1105restore_socket_timeout(fd, get_ok, tvtmp, vslen);
a3c86431 1106/* Don't flush any potential buffer contents. Any input should cause a
eb57651e 1107 synchronization failure */
a3c86431
TL		 1108return FALSE;
1109
1110done:
a3bddaa8 1111restore_socket_timeout(fd, get_ok, tvtmp, vslen);
a3c86431 1112DEBUG(D_receive)
eb57651e 1113 debug_printf("Valid %s sender from Proxy Protocol header\n", iptype);
a3c86431
TL		 1114return proxy_session;
1115}
1116#endif
1117
059ec3d9
PH		 1118/*************************************************
1119* Read one command line *
1120*************************************************/
1121
1122/* Strictly, SMTP commands coming over the net are supposed to end with CRLF.
1123There are sites that don't do this, and in any case internal SMTP probably
1124should check only for LF. Consequently, we check here for LF only. The line
1125ends up with [CR]LF removed from its end. If we get an overlong line, treat as
3ee512ff
PH		 1126an unknown command. The command is read into the global smtp_cmd_buffer so that
1127it is available via $smtp_command.
059ec3d9
PH		 1128
1129The character reading routine sets up a timeout for each block actually read
1130from the input (which may contain more than one command). We set up a special
1131signal handler that closes down the session on a timeout. Control does not
1132return when it runs.
1133
1134Arguments:
1135 check_sync if TRUE, check synchronization rules if global option is TRUE
1136
1137Returns: a code identifying the command (enumerated above)
1138*/
1139
1140static int
1141smtp_read_command(BOOL check_sync)
1142{
1143int c;
1144int ptr = 0;
1145smtp_cmd_list *p;
1146BOOL hadnull = FALSE;
1147
1148os_non_restarting_signal(SIGALRM, command_timeout_handler);
1149
1150while ((c = (receive_getc)()) != '\n' && c != EOF)
1151 {
3ee512ff 1152 if (ptr >= smtp_cmd_buffer_size)
059ec3d9
PH		 1153 {
1154 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1155 return OTHER_CMD;
1156 }
1157 if (c == 0)
1158 {
1159 hadnull = TRUE;
1160 c = '?';
1161 }
3ee512ff 1162 smtp_cmd_buffer[ptr++] = c;
059ec3d9
PH		 1163 }
1164
1165receive_linecount++; /* For BSMTP errors */
1166os_non_restarting_signal(SIGALRM, sigalrm_handler);
1167
1168/* If hit end of file, return pseudo EOF command. Whether we have a
1169part-line already read doesn't matter, since this is an error state. */
1170
1171if (c == EOF) return EOF_CMD;
1172
1173/* Remove any CR and white space at the end of the line, and terminate the
1174string. */
1175
3ee512ff
PH		 1176while (ptr > 0 && isspace(smtp_cmd_buffer[ptr-1])) ptr--;
1177smtp_cmd_buffer[ptr] = 0;
059ec3d9 1178
3ee512ff 1179DEBUG(D_receive) debug_printf("SMTP<< %s\n", smtp_cmd_buffer);
059ec3d9
PH		 1180
1181/* NULLs are not allowed in SMTP commands */
1182
1183if (hadnull) return BADCHAR_CMD;
1184
1185/* Scan command list and return identity, having set the data pointer
1186to the start of the actual data characters. Check for SMTP synchronization
1187if required. */
1188
1189for (p = cmd_list; p < cmd_list_end; p++)
1190 {
cee5f132 1191 #ifdef SUPPORT_PROXY
a3c86431
TL		 1192 /* Only allow QUIT command if Proxy Protocol parsing failed */
1193 if (proxy_session && proxy_session_failed)
1194 {
1195 if (p->cmd != QUIT_CMD)
1196 continue;
1197 }
1198 #endif
2f460950
JH		 1199 if ( p->len
1200 && strncmpic(smtp_cmd_buffer, US p->name, p->len) == 0
1201 && ( smtp_cmd_buffer[p->len-1] == ':' /* "mail from:" or "rcpt to:" */
1202 || smtp_cmd_buffer[p->len] == 0
1203 || smtp_cmd_buffer[p->len] == ' '
1204 ) )
059ec3d9
PH		 1205 {
1206 if (smtp_inptr < smtp_inend && /* Outstanding input */
1207 p->cmd < sync_cmd_limit && /* Command should sync */
1208 check_sync && /* Local flag set */
1209 smtp_enforce_sync && /* Global flag set */
1210 sender_host_address != NULL && /* Not local input */
1211 !sender_host_notsocket) /* Really is a socket */
1212 return BADSYN_CMD;
1213
ca86f471
PH		 1214 /* The variables $smtp_command and $smtp_command_argument point into the
1215 unmodified input buffer. A copy of the latter is taken for actual
1216 processing, so that it can be chopped up into separate parts if necessary,
1217 for example, when processing a MAIL command options such as SIZE that can
1218 follow the sender address. */
059ec3d9 1219
3ee512ff 1220 smtp_cmd_argument = smtp_cmd_buffer + p->len;
ca86f471
PH		 1221 while (isspace(*smtp_cmd_argument)) smtp_cmd_argument++;
1222 Ustrcpy(smtp_data_buffer, smtp_cmd_argument);
1223 smtp_cmd_data = smtp_data_buffer;
059ec3d9
PH		 1224
1225 /* Count non-mail commands from those hosts that are controlled in this
1226 way. The default is all hosts. We don't waste effort checking the list
1227 until we get a non-mail command, but then cache the result to save checking
1228 again. If there's a DEFER while checking the host, assume it's in the list.
1229
1230 Note that one instance of RSET, EHLO/HELO, and STARTTLS is allowed at the
1231 start of each incoming message by fiddling with the value in the table. */
1232
1233 if (!p->is_mail_cmd)
1234 {
1235 if (count_nonmail == TRUE_UNSET) count_nonmail =
1236 verify_check_host(&smtp_accept_max_nonmail_hosts) != FAIL;
1237 if (count_nonmail && ++nonmail_command_count > smtp_accept_max_nonmail)
1238 return TOO_MANY_NONMAIL_CMD;
1239 }
1240
ca86f471
PH		 1241 /* If there is data for a command that does not expect it, generate the
1242 error here. */
059ec3d9 1243
ca86f471 1244 return (p->has_arg || *smtp_cmd_data == 0)? p->cmd : BADARG_CMD;
059ec3d9
PH		 1245 }
1246 }
1247
cee5f132 1248#ifdef SUPPORT_PROXY
a3c86431
TL		 1249/* Only allow QUIT command if Proxy Protocol parsing failed */
1250if (proxy_session && proxy_session_failed)
1251 return PROXY_FAIL_IGNORE_CMD;
1252#endif
1253
059ec3d9
PH		 1254/* Enforce synchronization for unknown commands */
1255
1256if (smtp_inptr < smtp_inend && /* Outstanding input */
1257 check_sync && /* Local flag set */
1258 smtp_enforce_sync && /* Global flag set */
1259 sender_host_address != NULL && /* Not local input */
1260 !sender_host_notsocket) /* Really is a socket */
1261 return BADSYN_CMD;
1262
1263return OTHER_CMD;
1264}
1265
1266
1267
a14e5636
PH		 1268/*************************************************
1269* Recheck synchronization *
1270*************************************************/
1271
1272/* Synchronization checks can never be perfect because a packet may be on its
1273way but not arrived when the check is done. Such checks can in any case only be
1274done when TLS is not in use. Normally, the checks happen when commands are
1275read: Exim ensures that there is no more input in the input buffer. In normal
1276cases, the response to the command will be fast, and there is no further check.
1277
1278However, for some commands an ACL is run, and that can include delays. In those
1279cases, it is useful to do another check on the input just before sending the
1280response. This also applies at the start of a connection. This function does
1281that check by means of the select() function, as long as the facility is not
1282disabled or inappropriate. A failure of select() is ignored.
1283
1284When there is unwanted input, we read it so that it appears in the log of the
1285error.
1286
1287Arguments: none
1288Returns: TRUE if all is well; FALSE if there is input pending
1289*/
1290
1291static BOOL
1292check_sync(void)
1293{
1294int fd, rc;
1295fd_set fds;
1296struct timeval tzero;
1297
1298if (!smtp_enforce_sync || sender_host_address == NULL ||
817d9f57 1299 sender_host_notsocket || tls_in.active >= 0)
a14e5636
PH		 1300 return TRUE;
1301
1302fd = fileno(smtp_in);
1303FD_ZERO(&fds);
1304FD_SET(fd, &fds);
1305tzero.tv_sec = 0;
1306tzero.tv_usec = 0;
1307rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
1308
1309if (rc <= 0) return TRUE; /* Not ready to read */
1310rc = smtp_getc();
1311if (rc < 0) return TRUE; /* End of file or error */
1312
1313smtp_ungetc(rc);
1314rc = smtp_inend - smtp_inptr;
1315if (rc > 150) rc = 150;
1316smtp_inptr[rc] = 0;
1317return FALSE;
1318}
1319
1320
1321
059ec3d9
PH		 1322/*************************************************
1323* Forced closedown of call *
1324*************************************************/
1325
1326/* This function is called from log.c when Exim is dying because of a serious
1327disaster, and also from some other places. If an incoming non-batched SMTP
1328channel is open, it swallows the rest of the incoming message if in the DATA
1329phase, sends the reply string, and gives an error to all subsequent commands
1330except QUIT. The existence of an SMTP call is detected by the non-NULLness of
1331smtp_in.
1332
8f128379
PH		 1333Arguments:
1334 message SMTP reply string to send, excluding the code
1335
059ec3d9
PH		 1336Returns: nothing
1337*/
1338
1339void
1340smtp_closedown(uschar *message)
1341{
1342if (smtp_in == NULL || smtp_batched_input) return;
1343receive_swallow_smtp();
1344smtp_printf("421 %s\r\n", message);
1345
1346for (;;)
1347 {
1348 switch(smtp_read_command(FALSE))
1349 {
1350 case EOF_CMD:
1351 return;
1352
1353 case QUIT_CMD:
1354 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
1355 mac_smtp_fflush();
1356 return;
1357
1358 case RSET_CMD:
1359 smtp_printf("250 Reset OK\r\n");
1360 break;
1361
1362 default:
1363 smtp_printf("421 %s\r\n", message);
1364 break;
1365 }
1366 }
1367}
1368
1369
1370
1371
1372/*************************************************
1373* Set up connection info for logging *
1374*************************************************/
1375
1376/* This function is called when logging information about an SMTP connection.
1377It sets up appropriate source information, depending on the type of connection.
dac79d3e
PH		 1378If sender_fullhost is NULL, we are at a very early stage of the connection;
1379just use the IP address.
059ec3d9
PH		 1380
1381Argument: none
1382Returns: a string describing the connection
1383*/
1384
1385uschar *
1386smtp_get_connection_info(void)
1387{
dac79d3e
PH		 1388uschar *hostname = (sender_fullhost == NULL)?
1389 sender_host_address : sender_fullhost;
1390
059ec3d9 1391if (host_checking)
dac79d3e 1392 return string_sprintf("SMTP connection from %s", hostname);
059ec3d9
PH		 1393
1394if (sender_host_unknown || sender_host_notsocket)
1395 return string_sprintf("SMTP connection from %s", sender_ident);
1396
1397if (is_inetd)
dac79d3e 1398 return string_sprintf("SMTP connection from %s (via inetd)", hostname);
059ec3d9 1399
6c6d6e48 1400if (LOGGING(incoming_interface) && interface_address != NULL)
dac79d3e 1401 return string_sprintf("SMTP connection from %s I=[%s]:%d", hostname,
059ec3d9
PH		 1402 interface_address, interface_port);
1403
dac79d3e 1404return string_sprintf("SMTP connection from %s", hostname);
059ec3d9
PH		 1405}
1406
1407
1408
e45a1c37 1409#ifdef SUPPORT_TLS
887291d2
JH		 1410/* Append TLS-related information to a log line
1411
1412Arguments:
1413 s String under construction: allocated string to extend, or NULL
1414 sizep Pointer to current allocation size (update on return), or NULL
1415 ptrp Pointer to index for new entries in string (update on return), or NULL
1416
1417Returns: Allocated string or NULL
1418*/
e45a1c37
JH		 1419static uschar *
1420s_tlslog(uschar * s, int * sizep, int * ptrp)
1421{
1422 int size = sizep ? *sizep : 0;
1423 int ptr = ptrp ? *ptrp : 0;
1424
6c6d6e48 1425 if (LOGGING(tls_cipher) && tls_in.cipher != NULL)
e45a1c37 1426 s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher);
6c6d6e48 1427 if (LOGGING(tls_certificate_verified) && tls_in.cipher != NULL)
e45a1c37
JH		 1428 s = string_append(s, &size, &ptr, 2, US" CV=",
1429 tls_in.certificate_verified? "yes":"no");
6c6d6e48 1430 if (LOGGING(tls_peerdn) && tls_in.peerdn != NULL)
e45a1c37
JH		 1431 s = string_append(s, &size, &ptr, 3, US" DN=\"",
1432 string_printing(tls_in.peerdn), US"\"");
6c6d6e48 1433 if (LOGGING(tls_sni) && tls_in.sni != NULL)
e45a1c37
JH		 1434 s = string_append(s, &size, &ptr, 3, US" SNI=\"",
1435 string_printing(tls_in.sni), US"\"");
1436
67d81c10
JH		 1437 if (s)
1438 {
1439 s[ptr] = '\0';
1440 if (sizep) *sizep = size;
1441 if (ptrp) *ptrp = ptr;
1442 }
e45a1c37
JH		 1443 return s;
1444}
1445#endif
1446
b4ed4da0
PH		 1447/*************************************************
1448* Log lack of MAIL if so configured *
1449*************************************************/
1450
1451/* This function is called when an SMTP session ends. If the log selector
1452smtp_no_mail is set, write a log line giving some details of what has happened
1453in the SMTP session.
1454
1455Arguments: none
1456Returns: nothing
1457*/
1458
1459void
1460smtp_log_no_mail(void)
1461{
1462int size, ptr, i;
1463uschar *s, *sep;
1464
6c6d6e48 1465if (smtp_mailcmd_count > 0 || !LOGGING(smtp_no_mail))
b4ed4da0
PH		 1466 return;
1467
1468s = NULL;
1469size = ptr = 0;
1470
1471if (sender_host_authenticated != NULL)
1472 {
1473 s = string_append(s, &size, &ptr, 2, US" A=", sender_host_authenticated);
1474 if (authenticated_id != NULL)
1475 s = string_append(s, &size, &ptr, 2, US":", authenticated_id);
1476 }
1477
1478#ifdef SUPPORT_TLS
e45a1c37 1479s = s_tlslog(s, &size, &ptr);
3f0945ff 1480#endif
b4ed4da0
PH		 1481
1482sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
1483 US" C=..." : US" C=";
1484for (i = smtp_ch_index; i < SMTP_HBUFF_SIZE; i++)
1485 {
1486 if (smtp_connection_had[i] != SCH_NONE)
1487 {
1488 s = string_append(s, &size, &ptr, 2, sep,
1489 smtp_names[smtp_connection_had[i]]);
1490 sep = US",";
1491 }
1492 }
1493
1494for (i = 0; i < smtp_ch_index; i++)
1495 {
1496 s = string_append(s, &size, &ptr, 2, sep, smtp_names[smtp_connection_had[i]]);
1497 sep = US",";
1498 }
1499
1500if (s != NULL) s[ptr] = 0; else s = US"";
1501log_write(0, LOG_MAIN, "no MAIL in SMTP connection from %s D=%s%s",
1502 host_and_ident(FALSE),
19050083
JH		 1503 readconf_printtime( (int) ((long)time(NULL) - (long)smtp_connection_start)),
1504 s);
b4ed4da0
PH		 1505}
1506
1507
1508
059ec3d9
PH		 1509/*************************************************
1510* Check HELO line and set sender_helo_name *
1511*************************************************/
1512
1513/* Check the format of a HELO line. The data for HELO/EHLO is supposed to be
1514the domain name of the sending host, or an ip literal in square brackets. The
1515arrgument is placed in sender_helo_name, which is in malloc store, because it
1516must persist over multiple incoming messages. If helo_accept_junk is set, this
1517host is permitted to send any old junk (needed for some broken hosts).
1518Otherwise, helo_allow_chars can be used for rogue characters in general
1519(typically people want to let in underscores).
1520
1521Argument:
1522 s the data portion of the line (already past any white space)
1523
1524Returns: TRUE or FALSE
1525*/
1526
1527static BOOL
1528check_helo(uschar *s)
1529{
1530uschar *start = s;
1531uschar *end = s + Ustrlen(s);
1532BOOL yield = helo_accept_junk;
1533
1534/* Discard any previous helo name */
1535
1536if (sender_helo_name != NULL)
1537 {
1538 store_free(sender_helo_name);
1539 sender_helo_name = NULL;
1540 }
1541
1542/* Skip tests if junk is permitted. */
1543
1544if (!yield)
1545 {
1546 /* Allow the new standard form for IPv6 address literals, namely,
1547 [IPv6:....], and because someone is bound to use it, allow an equivalent
1548 IPv4 form. Allow plain addresses as well. */
1549
1550 if (*s == '[')
1551 {
1552 if (end[-1] == ']')
1553 {
1554 end[-1] = 0;
1555 if (strncmpic(s, US"[IPv6:", 6) == 0)
1556 yield = (string_is_ip_address(s+6, NULL) == 6);
1557 else if (strncmpic(s, US"[IPv4:", 6) == 0)
1558 yield = (string_is_ip_address(s+6, NULL) == 4);
1559 else
1560 yield = (string_is_ip_address(s+1, NULL) != 0);
1561 end[-1] = ']';
1562 }
1563 }
1564
1565 /* Non-literals must be alpha, dot, hyphen, plus any non-valid chars
1566 that have been configured (usually underscore - sigh). */
1567
1568 else if (*s != 0)
1569 {
1570 yield = TRUE;
1571 while (*s != 0)
1572 {
1573 if (!isalnum(*s) && *s != '.' && *s != '-' &&
1574 Ustrchr(helo_allow_chars, *s) == NULL)
1575 {
1576 yield = FALSE;
1577 break;
1578 }
1579 s++;
1580 }
1581 }
1582 }
1583
1584/* Save argument if OK */
1585
1586if (yield) sender_helo_name = string_copy_malloc(start);
1587return yield;
1588}
1589
1590
1591
1592
1593
1594/*************************************************
1595* Extract SMTP command option *
1596*************************************************/
1597
ca86f471 1598/* This function picks the next option setting off the end of smtp_cmd_data. It
059ec3d9
PH		 1599is called for MAIL FROM and RCPT TO commands, to pick off the optional ESMTP
1600things that can appear there.
1601
1602Arguments:
1603 name point this at the name
1604 value point this at the data string
1605
1606Returns: TRUE if found an option
1607*/
1608
1609static BOOL
1610extract_option(uschar **name, uschar **value)
1611{
1612uschar *n;
ca86f471 1613uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
059ec3d9
PH		 1614while (isspace(*v)) v--;
1615v[1] = 0;
ca86f471 1616while (v > smtp_cmd_data && *v != '=' && !isspace(*v)) v--;
059ec3d9
PH		 1617
1618n = v;
fd98a5c6
JH		 1619if (*v == '=')
1620{
1621 while(isalpha(n[-1])) n--;
1622 /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
1623 if (!isspace(n[-1])) return FALSE;
1624 n[-1] = 0;
1625}
1626else
1627{
1628 n++;
1629 if (v == smtp_cmd_data) return FALSE;
1630}
059ec3d9 1631*v++ = 0;
fd98a5c6 1632*name = n;
059ec3d9
PH		 1633*value = v;
1634return TRUE;
1635}
1636
1637
1638
1639
1640
059ec3d9
PH		 1641/*************************************************
1642* Reset for new message *
1643*************************************************/
1644
1645/* This function is called whenever the SMTP session is reset from
1646within either of the setup functions.
1647
1648Argument: the stacking pool storage reset point
1649Returns: nothing
1650*/
1651
1652static void
1653smtp_reset(void *reset_point)
1654{
059ec3d9
PH		 1655store_reset(reset_point);
1656recipients_list = NULL;
1657rcpt_count = rcpt_defer_count = rcpt_fail_count =
1658 raw_recipients_count = recipients_count = recipients_list_max = 0;
2e5b33cd 1659cancel_cutthrough_connection("smtp reset");
2e0c1448 1660message_linecount = 0;
059ec3d9 1661message_size = -1;
71fafd95 1662acl_added_headers = NULL;
e7568d51 1663acl_removed_headers = NULL;
059ec3d9 1664queue_only_policy = FALSE;
2679d413
PH		 1665rcpt_smtp_response = NULL;
1666rcpt_smtp_response_same = TRUE;
1667rcpt_in_progress = FALSE;
69358f02 1668deliver_freeze = FALSE; /* Can be set by ACL */
6a3f1455 1669freeze_tell = freeze_tell_config; /* Can be set by ACL */
29aba418 1670fake_response = OK; /* Can be set by ACL */
6951ac6c 1671#ifdef WITH_CONTENT_SCAN
8523533c
TK		 1672no_mbox_unspool = FALSE; /* Can be set by ACL */
1673#endif
69358f02 1674submission_mode = FALSE; /* Can be set by ACL */
f4ee74ac 1675suppress_local_fixups = suppress_local_fixups_default; /* Can be set by ACL */
69358f02
PH		 1676active_local_from_check = local_from_check; /* Can be set by ACL */
1677active_local_sender_retain = local_sender_retain; /* Can be set by ACL */
059ec3d9 1678sender_address = NULL;
2fe1a124 1679submission_name = NULL; /* Can be set by ACL */
059ec3d9
PH		 1680raw_sender = NULL; /* After SMTP rewrite, before qualifying */
1681sender_address_unrewritten = NULL; /* Set only after verify rewrite */
1682sender_verified_list = NULL; /* No senders verified */
1683memset(sender_address_cache, 0, sizeof(sender_address_cache));
1684memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
6c1c3d1d 1685
059ec3d9 1686authenticated_sender = NULL;
8523533c
TK		 1687#ifdef EXPERIMENTAL_BRIGHTMAIL
1688bmi_run = 0;
1689bmi_verdicts = NULL;
1690#endif
80a47a2c 1691#ifndef DISABLE_DKIM
9e5d6b55 1692dkim_signers = NULL;
80a47a2c
TK		 1693dkim_disable_verify = FALSE;
1694dkim_collect_input = FALSE;
f7572e5a 1695#endif
aa368db3
JH		 1696dsn_ret = 0;
1697dsn_envid = NULL;
1698#ifndef DISABLE_PRDR
1699prdr_requested = FALSE;
1700#endif
8523533c
TK		 1701#ifdef EXPERIMENTAL_SPF
1702spf_header_comment = NULL;
1703spf_received = NULL;
8e669ac1 1704spf_result = NULL;
8523533c
TK		 1705spf_smtp_comment = NULL;
1706#endif
8c5d388a 1707#ifdef SUPPORT_I18N
d1a13eea
JH		 1708message_smtputf8 = FALSE;
1709#endif
059ec3d9
PH		 1710body_linecount = body_zerocount = 0;
1711
870f6ba8
TF		 1712sender_rate = sender_rate_limit = sender_rate_period = NULL;
1713ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */
1714 /* Note that ratelimiters_conn persists across resets. */
1715
38a0a95f 1716/* Reset message ACL variables */
47ca6d6c 1717
38a0a95f 1718acl_var_m = NULL;
059ec3d9
PH		 1719
1720/* The message body variables use malloc store. They may be set if this is
1721not the first message in an SMTP session and the previous message caused them
1722to be referenced in an ACL. */
1723
1724if (message_body != NULL)
1725 {
1726 store_free(message_body);
1727 message_body = NULL;
1728 }
1729
1730if (message_body_end != NULL)
1731 {
1732 store_free(message_body_end);
1733 message_body_end = NULL;
1734 }
1735
1736/* Warning log messages are also saved in malloc store. They are saved to avoid
1737repetition in the same message, but it seems right to repeat them for different
4e88a19f 1738messages. */
059ec3d9
PH		 1739
1740while (acl_warn_logged != NULL)
1741 {
1742 string_item *this = acl_warn_logged;
1743 acl_warn_logged = acl_warn_logged->next;
1744 store_free(this);
1745 }
1746}
1747
1748
1749
1750
1751
1752/*************************************************
1753* Initialize for incoming batched SMTP message *
1754*************************************************/
1755
1756/* This function is called from smtp_setup_msg() in the case when
1757smtp_batched_input is true. This happens when -bS is used to pass a whole batch
1758of messages in one file with SMTP commands between them. All errors must be
1759reported by sending a message, and only MAIL FROM, RCPT TO, and DATA are
1760relevant. After an error on a sender, or an invalid recipient, the remainder
1761of the message is skipped. The value of received_protocol is already set.
1762
1763Argument: none
1764Returns: > 0 message successfully started (reached DATA)
1765 = 0 QUIT read or end of file reached
1766 < 0 should not occur
1767*/
1768
1769static int
1770smtp_setup_batch_msg(void)
1771{
1772int done = 0;
1773void *reset_point = store_get(0);
1774
1775/* Save the line count at the start of each transaction - single commands
1776like HELO and RSET count as whole transactions. */
1777
1778bsmtp_transaction_linecount = receive_linecount;
1779
1780if ((receive_feof)()) return 0; /* Treat EOF as QUIT */
1781
1782smtp_reset(reset_point); /* Reset for start of message */
1783
1784/* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
1785value. The values are 2 larger than the required yield of the function. */
1786
1787while (done <= 0)
1788 {
1789 uschar *errmess;
1790 uschar *recipient = NULL;
1791 int start, end, sender_domain, recipient_domain;
1792
1793 switch(smtp_read_command(FALSE))
1794 {
1795 /* The HELO/EHLO commands set sender_address_helo if they have
1796 valid data; otherwise they are ignored, except that they do
1797 a reset of the state. */
1798
1799 case HELO_CMD:
1800 case EHLO_CMD:
1801
ca86f471 1802 check_helo(smtp_cmd_data);
059ec3d9
PH		 1803 /* Fall through */
1804
1805 case RSET_CMD:
1806 smtp_reset(reset_point);
1807 bsmtp_transaction_linecount = receive_linecount;
1808 break;
1809
1810
1811 /* The MAIL FROM command requires an address as an operand. All we
1812 do here is to parse it for syntactic correctness. The form "<>" is
1813 a special case which converts into an empty string. The start/end
1814 pointers in the original are not used further for this address, as
1815 it is the canonical extracted address which is all that is kept. */
1816
1817 case MAIL_CMD:
474f71bf 1818 smtp_mailcmd_count++; /* Count for no-mail log */
059ec3d9
PH		 1819 if (sender_address != NULL)
1820 /* The function moan_smtp_batch() does not return. */
3ee512ff 1821 moan_smtp_batch(smtp_cmd_buffer, "503 Sender already given");
059ec3d9 1822
ca86f471 1823 if (smtp_cmd_data[0] == 0)
059ec3d9 1824 /* The function moan_smtp_batch() does not return. */
3ee512ff 1825 moan_smtp_batch(smtp_cmd_buffer, "501 MAIL FROM must have an address operand");
059ec3d9
PH		 1826
1827 /* Reset to start of message */
1828
1829 smtp_reset(reset_point);
1830
1831 /* Apply SMTP rewrite */
1832
1833 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
ca86f471
PH		 1834 rewrite_one(smtp_cmd_data, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
1835 US"", global_rewrite_rules) : smtp_cmd_data;
059ec3d9
PH		 1836
1837 /* Extract the address; the TRUE flag allows <> as valid */
1838
1839 raw_sender =
1840 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
1841 TRUE);
1842
1843 if (raw_sender == NULL)
1844 /* The function moan_smtp_batch() does not return. */
3ee512ff 1845 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
059ec3d9
PH		 1846
1847 sender_address = string_copy(raw_sender);
1848
1849 /* Qualify unqualified sender addresses if permitted to do so. */
1850
1851 if (sender_domain == 0 && sender_address[0] != 0 && sender_address[0] != '@')
1852 {
1853 if (allow_unqualified_sender)
1854 {
1855 sender_address = rewrite_address_qualify(sender_address, FALSE);
1856 DEBUG(D_receive) debug_printf("unqualified address %s accepted "
1857 "and rewritten\n", raw_sender);
1858 }
1859 /* The function moan_smtp_batch() does not return. */
3ee512ff 1860 else moan_smtp_batch(smtp_cmd_buffer, "501 sender address must contain "
059ec3d9
PH		 1861 "a domain");
1862 }
1863 break;
1864
1865
1866 /* The RCPT TO command requires an address as an operand. All we do
1867 here is to parse it for syntactic correctness. There may be any number
1868 of RCPT TO commands, specifying multiple senders. We build them all into
1869 a data structure that is in argc/argv format. The start/end values
1870 given by parse_extract_address are not used, as we keep only the
1871 extracted address. */
1872
1873 case RCPT_CMD:
1874 if (sender_address == NULL)
1875 /* The function moan_smtp_batch() does not return. */
3ee512ff 1876 moan_smtp_batch(smtp_cmd_buffer, "503 No sender yet given");
059ec3d9 1877
ca86f471 1878 if (smtp_cmd_data[0] == 0)
059ec3d9 1879 /* The function moan_smtp_batch() does not return. */
3ee512ff 1880 moan_smtp_batch(smtp_cmd_buffer, "501 RCPT TO must have an address operand");
059ec3d9
PH		 1881
1882 /* Check maximum number allowed */
1883
1884 if (recipients_max > 0 && recipients_count + 1 > recipients_max)
1885 /* The function moan_smtp_batch() does not return. */
3ee512ff 1886 moan_smtp_batch(smtp_cmd_buffer, "%s too many recipients",
059ec3d9
PH		 1887 recipients_max_reject? "552": "452");
1888
1889 /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a
1890 recipient address */
1891
2685d6e0
JH		 1892 recipient = rewrite_existflags & rewrite_smtp
1893 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
1894 global_rewrite_rules)
1895 : smtp_cmd_data;
059ec3d9 1896
059ec3d9
PH		 1897 recipient = parse_extract_address(recipient, &errmess, &start, &end,
1898 &recipient_domain, FALSE);
059ec3d9 1899
2685d6e0 1900 if (!recipient)
059ec3d9 1901 /* The function moan_smtp_batch() does not return. */
3ee512ff 1902 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
059ec3d9
PH		 1903
1904 /* If the recipient address is unqualified, qualify it if permitted. Then
1905 add it to the list of recipients. */
1906
1907 if (recipient_domain == 0)
1908 {
1909 if (allow_unqualified_recipient)
1910 {
1911 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
1912 recipient);
1913 recipient = rewrite_address_qualify(recipient, TRUE);
1914 }
1915 /* The function moan_smtp_batch() does not return. */
3ee512ff 1916 else moan_smtp_batch(smtp_cmd_buffer, "501 recipient address must contain "
059ec3d9
PH		 1917 "a domain");
1918 }
1919 receive_add_recipient(recipient, -1);
1920 break;
1921
1922
1923 /* The DATA command is legal only if it follows successful MAIL FROM
1924 and RCPT TO commands. This function is complete when a valid DATA
1925 command is encountered. */
1926
1927 case DATA_CMD:
1928 if (sender_address == NULL || recipients_count <= 0)
1929 {
1930 /* The function moan_smtp_batch() does not return. */
1931 if (sender_address == NULL)
3ee512ff 1932 moan_smtp_batch(smtp_cmd_buffer,
059ec3d9
PH		 1933 "503 MAIL FROM:<sender> command must precede DATA");
1934 else
3ee512ff 1935 moan_smtp_batch(smtp_cmd_buffer,
059ec3d9
PH		 1936 "503 RCPT TO:<recipient> must precede DATA");
1937 }
1938 else
1939 {
1940 done = 3; /* DATA successfully achieved */
1941 message_ended = END_NOTENDED; /* Indicate in middle of message */
1942 }
1943 break;
1944
1945
1946 /* The VRFY, EXPN, HELP, ETRN, and NOOP commands are ignored. */
1947
1948 case VRFY_CMD:
1949 case EXPN_CMD:
1950 case HELP_CMD:
1951 case NOOP_CMD:
1952 case ETRN_CMD:
1953 bsmtp_transaction_linecount = receive_linecount;
1954 break;
1955
1956
1957 case EOF_CMD:
1958 case QUIT_CMD:
1959 done = 2;
1960 break;
1961
1962
1963 case BADARG_CMD:
1964 /* The function moan_smtp_batch() does not return. */
3ee512ff 1965 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected argument data");
059ec3d9
PH		 1966 break;
1967
1968
1969 case BADCHAR_CMD:
1970 /* The function moan_smtp_batch() does not return. */
3ee512ff 1971 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected NULL in SMTP command");
059ec3d9
PH		 1972 break;
1973
1974
1975 default:
1976 /* The function moan_smtp_batch() does not return. */
3ee512ff 1977 moan_smtp_batch(smtp_cmd_buffer, "500 Command unrecognized");
059ec3d9
PH		 1978 break;
1979 }
1980 }
1981
1982return done - 2; /* Convert yield values */
1983}
1984
1985
1986
1987
1988/*************************************************
1989* Start an SMTP session *
1990*************************************************/
1991
1992/* This function is called at the start of an SMTP session. Thereafter,
1993smtp_setup_msg() is called to initiate each separate message. This
1994function does host-specific testing, and outputs the banner line.
1995
1996Arguments: none
1997Returns: FALSE if the session can not continue; something has
1998 gone wrong, or the connection to the host is blocked
1999*/
2000
2001BOOL
2002smtp_start_session(void)
2003{
2004int size = 256;
4e88a19f
PH		 2005int ptr, esclen;
2006uschar *user_msg, *log_msg;
2007uschar *code, *esc;
059ec3d9
PH		 2008uschar *p, *s, *ss;
2009
b4ed4da0
PH		 2010smtp_connection_start = time(NULL);
2011for (smtp_ch_index = 0; smtp_ch_index < SMTP_HBUFF_SIZE; smtp_ch_index++)
2012 smtp_connection_had[smtp_ch_index] = SCH_NONE;
2013smtp_ch_index = 0;
2014
00f00ca5
PH		 2015/* Default values for certain variables */
2016
059ec3d9 2017helo_seen = esmtp = helo_accept_junk = FALSE;
b4ed4da0 2018smtp_mailcmd_count = 0;
059ec3d9
PH		 2019count_nonmail = TRUE_UNSET;
2020synprot_error_count = unknown_command_count = nonmail_command_count = 0;
2021smtp_delay_mail = smtp_rlm_base;
2022auth_advertised = FALSE;
2023pipelining_advertised = FALSE;
cf8b11a5 2024pipelining_enable = TRUE;
059ec3d9 2025sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
8f128379 2026smtp_exit_function_called = FALSE; /* For avoiding loop in not-quit exit */
059ec3d9 2027
33d73e3b
PH		 2028/* If receiving by -bs from a trusted user, or testing with -bh, we allow
2029authentication settings from -oMaa to remain in force. */
2030
2031if (!host_checking && !sender_host_notsocket) sender_host_authenticated = NULL;
059ec3d9
PH		 2032authenticated_by = NULL;
2033
2034#ifdef SUPPORT_TLS
817d9f57 2035tls_in.cipher = tls_in.peerdn = NULL;
9d1c15ef
JH		 2036tls_in.ourcert = tls_in.peercert = NULL;
2037tls_in.sni = NULL;
44662487 2038tls_in.ocsp = OCSP_NOT_REQ;
059ec3d9
PH		 2039tls_advertised = FALSE;
2040#endif
6c1c3d1d 2041dsn_advertised = FALSE;
8c5d388a 2042#ifdef SUPPORT_I18N
d1a13eea
JH		 2043smtputf8_advertised = FALSE;
2044#endif
059ec3d9
PH		 2045
2046/* Reset ACL connection variables */
2047
38a0a95f 2048acl_var_c = NULL;
059ec3d9 2049
ca86f471 2050/* Allow for trailing 0 in the command and data buffers. */
3ee512ff 2051
ca86f471 2052smtp_cmd_buffer = (uschar *)malloc(2*smtp_cmd_buffer_size + 2);
3ee512ff 2053if (smtp_cmd_buffer == NULL)
059ec3d9
PH		 2054 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2055 "malloc() failed for SMTP command buffer");
2416c261 2056smtp_cmd_buffer[0] = 0;
ca86f471 2057smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;
059ec3d9
PH		 2058
2059/* For batched input, the protocol setting can be overridden from the
2060command line by a trusted caller. */
2061
2062if (smtp_batched_input)
2063 {
2064 if (received_protocol == NULL) received_protocol = US"local-bsmtp";
2065 }
2066
2067/* For non-batched SMTP input, the protocol setting is forced here. It will be
2068reset later if any of EHLO/AUTH/STARTTLS are received. */
2069
2070else
2071 received_protocol =
e524074d 2072 (sender_host_address ? protocols : protocols_local) [pnormal];
059ec3d9
PH		 2073
2074/* Set up the buffer for inputting using direct read() calls, and arrange to
2075call the local functions instead of the standard C ones. */
2076
2077smtp_inbuffer = (uschar *)malloc(in_buffer_size);
2078if (smtp_inbuffer == NULL)
2079 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
2080receive_getc = smtp_getc;
584e96c6 2081receive_get_cache = smtp_get_cache;
059ec3d9
PH		 2082receive_ungetc = smtp_ungetc;
2083receive_feof = smtp_feof;
2084receive_ferror = smtp_ferror;
58eb016e 2085receive_smtp_buffered = smtp_buffered;
059ec3d9
PH		 2086smtp_inptr = smtp_inend = smtp_inbuffer;
2087smtp_had_eof = smtp_had_error = 0;
2088
2089/* Set up the message size limit; this may be host-specific */
2090
d45b1de8
PH		 2091thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
2092if (expand_string_message != NULL)
059ec3d9
PH		 2093 {
2094 if (thismessage_size_limit == -1)
2095 log_write(0, LOG_MAIN|LOG_PANIC, "unable to expand message_size_limit: "
2096 "%s", expand_string_message);
2097 else
2098 log_write(0, LOG_MAIN|LOG_PANIC, "invalid message_size_limit: "
2099 "%s", expand_string_message);
2100 smtp_closedown(US"Temporary local problem - please try later");
2101 return FALSE;
2102 }
2103
2104/* When a message is input locally via the -bs or -bS options, sender_host_
2105unknown is set unless -oMa was used to force an IP address, in which case it
2106is checked like a real remote connection. When -bs is used from inetd, this
2107flag is not set, causing the sending host to be checked. The code that deals
2108with IP source routing (if configured) is never required for -bs or -bS and
2109the flag sender_host_notsocket is used to suppress it.
2110
2111If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
2112reserve for certain hosts and/or networks. */
2113
2114if (!sender_host_unknown)
2115 {
2116 int rc;
2117 BOOL reserved_host = FALSE;
2118
2119 /* Look up IP options (source routing info) on the socket if this is not an
2120 -oMa "host", and if any are found, log them and drop the connection.
2121
2122 Linux (and others now, see below) is different to everyone else, so there
2123 has to be some conditional compilation here. Versions of Linux before 2.1.15
2124 used a structure whose name was "options". Somebody finally realized that
2125 this name was silly, and it got changed to "ip_options". I use the
2126 newer name here, but there is a fudge in the script that sets up os.h
2127 to define a macro in older Linux systems.
2128
2129 Sigh. Linux is a fast-moving target. Another generation of Linux uses
2130 glibc 2, which has chosen ip_opts for the structure name. This is now
2131 really a glibc thing rather than a Linux thing, so the condition name
2132 has been changed to reflect this. It is relevant also to GNU/Hurd.
2133
2134 Mac OS 10.x (Darwin) is like the later glibc versions, but without the
2135 setting of the __GLIBC__ macro, so we can't detect it automatically. There's
2136 a special macro defined in the os.h file.
2137
2138 Some DGUX versions on older hardware appear not to support IP options at
2139 all, so there is now a general macro which can be set to cut out this
2140 support altogether.
2141
2142 How to do this properly in IPv6 is not yet known. */
2143
2144 #if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
2145
2146 #ifdef GLIBC_IP_OPTIONS
2147 #if (!defined __GLIBC__) || (__GLIBC__ < 2)
2148 #define OPTSTYLE 1
2149 #else
2150 #define OPTSTYLE 2
2151 #endif
2152 #elif defined DARWIN_IP_OPTIONS
2153 #define OPTSTYLE 2
2154 #else
2155 #define OPTSTYLE 3
2156 #endif
2157
2158 if (!host_checking && !sender_host_notsocket)
2159 {
2160 #if OPTSTYLE == 1
36a3b041 2161 EXIM_SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
059ec3d9
PH		 2162 struct ip_options *ipopt = store_get(optlen);
2163 #elif OPTSTYLE == 2
2164 struct ip_opts ipoptblock;
2165 struct ip_opts *ipopt = &ipoptblock;
36a3b041 2166 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
059ec3d9
PH		 2167 #else
2168 struct ipoption ipoptblock;
2169 struct ipoption *ipopt = &ipoptblock;
36a3b041 2170 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
059ec3d9
PH		 2171 #endif
2172
2173 /* Occasional genuine failures of getsockopt() have been seen - for
2174 example, "reset by peer". Therefore, just log and give up on this
2175 call, unless the error is ENOPROTOOPT. This error is given by systems
2176 that have the interfaces but not the mechanism - e.g. GNU/Hurd at the time
2177 of writing. So for that error, carry on - we just can't do an IP options
2178 check. */
2179
2180 DEBUG(D_receive) debug_printf("checking for IP options\n");
2181
2182 if (getsockopt(fileno(smtp_out), IPPROTO_IP, IP_OPTIONS, (uschar *)(ipopt),
2183 &optlen) < 0)
2184 {
2185 if (errno != ENOPROTOOPT)
2186 {
2187 log_write(0, LOG_MAIN, "getsockopt() failed from %s: %s",
2188 host_and_ident(FALSE), strerror(errno));
2189 smtp_printf("451 SMTP service not available\r\n");
2190 return FALSE;
2191 }
2192 }
2193
2194 /* Deal with any IP options that are set. On the systems I have looked at,
2195 the value of MAX_IPOPTLEN has been 40, meaning that there should never be
2196 more logging data than will fit in big_buffer. Nevertheless, after somebody
2197 questioned this code, I've added in some paranoid checking. */
2198
2199 else if (optlen > 0)
2200 {
2201 uschar *p = big_buffer;
2202 uschar *pend = big_buffer + big_buffer_size;
2203 uschar *opt, *adptr;
2204 int optcount;
2205 struct in_addr addr;
2206
2207 #if OPTSTYLE == 1
2208 uschar *optstart = (uschar *)(ipopt->__data);
2209 #elif OPTSTYLE == 2
2210 uschar *optstart = (uschar *)(ipopt->ip_opts);
2211 #else
2212 uschar *optstart = (uschar *)(ipopt->ipopt_list);
2213 #endif
2214
2215 DEBUG(D_receive) debug_printf("IP options exist\n");
2216
2217 Ustrcpy(p, "IP options on incoming call:");
2218 p += Ustrlen(p);
2219
2220 for (opt = optstart; opt != NULL &&
2221 opt < (uschar *)(ipopt) + optlen;)
2222 {
2223 switch (*opt)
2224 {
2225 case IPOPT_EOL:
2226 opt = NULL;
2227 break;
2228
2229 case IPOPT_NOP:
2230 opt++;
2231 break;
2232
2233 case IPOPT_SSRR:
2234 case IPOPT_LSRR:
2235 if (!string_format(p, pend-p, " %s [@%s",
2236 (*opt == IPOPT_SSRR)? "SSRR" : "LSRR",
2237 #if OPTSTYLE == 1
2238 inet_ntoa(*((struct in_addr *)(&(ipopt->faddr))))))
2239 #elif OPTSTYLE == 2
2240 inet_ntoa(ipopt->ip_dst)))
2241 #else
2242 inet_ntoa(ipopt->ipopt_dst)))
2243 #endif
2244 {
2245 opt = NULL;
2246 break;
2247 }
2248
2249 p += Ustrlen(p);
2250 optcount = (opt[1] - 3) / sizeof(struct in_addr);
2251 adptr = opt + 3;
2252 while (optcount-- > 0)
2253 {
2254 memcpy(&addr, adptr, sizeof(addr));
2255 if (!string_format(p, pend - p - 1, "%s%s",
2256 (optcount == 0)? ":" : "@", inet_ntoa(addr)))
2257 {
2258 opt = NULL;
2259 break;
2260 }
2261 p += Ustrlen(p);
2262 adptr += sizeof(struct in_addr);
2263 }
2264 *p++ = ']';
2265 opt += opt[1];
2266 break;
2267
2268 default:
2269 {
2270 int i;
2271 if (pend - p < 4 + 3*opt[1]) { opt = NULL; break; }
2272 Ustrcat(p, "[ ");
2273 p += 2;
2274 for (i = 0; i < opt[1]; i++)
2275 {
2276 sprintf(CS p, "%2.2x ", opt[i]);
2277 p += 3;
2278 }
2279 *p++ = ']';
2280 }
2281 opt += opt[1];
2282 break;
2283 }
2284 }
2285
2286 *p = 0;
2287 log_write(0, LOG_MAIN, "%s", big_buffer);
2288
2289 /* Refuse any call with IP options. This is what tcpwrappers 7.5 does. */
2290
2291 log_write(0, LOG_MAIN|LOG_REJECT,
2292 "connection from %s refused (IP options)", host_and_ident(FALSE));
2293
2294 smtp_printf("554 SMTP service not available\r\n");
2295 return FALSE;
2296 }
2297
2298 /* Length of options = 0 => there are no options */
2299
2300 else DEBUG(D_receive) debug_printf("no IP options found\n");
2301 }
2302 #endif /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
2303
2304 /* Set keep-alive in socket options. The option is on by default. This
2305 setting is an attempt to get rid of some hanging connections that stick in
2306 read() when the remote end (usually a dialup) goes away. */
2307
2308 if (smtp_accept_keepalive && !sender_host_notsocket)
2309 ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
2310
2311 /* If the current host matches host_lookup, set the name by doing a
2312 reverse lookup. On failure, sender_host_name will be NULL and
2313 host_lookup_failed will be TRUE. This may or may not be serious - optional
2314 checks later. */
2315
2316 if (verify_check_host(&host_lookup) == OK)
2317 {
2318 (void)host_name_lookup();
2319 host_build_sender_fullhost();
2320 }
2321
2322 /* Delay this until we have the full name, if it is looked up. */
2323
2324 set_process_info("handling incoming connection from %s",
2325 host_and_ident(FALSE));
2326
1ad6489e
JH		 2327 /* Expand smtp_receive_timeout, if needed */
2328
2329 if (smtp_receive_timeout_s)
2330 {
2331 uschar * exp;
2332 if ( !(exp = expand_string(smtp_receive_timeout_s))
2333 || !(*exp)
2334 || (smtp_receive_timeout = readconf_readtime(exp, 0, FALSE)) < 0
2335 )
2336 log_write(0, LOG_MAIN|LOG_PANIC,
2337 "bad value for smtp_receive_timeout: '%s'", exp ? exp : US"");
2338 }
2339
059ec3d9
PH		 2340 /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
2341 smtps port for use with older style SSL MTAs. */
2342
2343 #ifdef SUPPORT_TLS
817d9f57 2344 if (tls_in.on_connect && tls_server_start(tls_require_ciphers) != OK)
059ec3d9
PH		 2345 return FALSE;
2346 #endif
2347
2348 /* Test for explicit connection rejection */
2349
2350 if (verify_check_host(&host_reject_connection) == OK)
2351 {
2352 log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
2353 "from %s (host_reject_connection)", host_and_ident(FALSE));
2354 smtp_printf("554 SMTP service not available\r\n");
2355 return FALSE;
2356 }
2357
afb3eaaf
PH		 2358 /* Test with TCP Wrappers if so configured. There is a problem in that
2359 hosts_ctl() returns 0 (deny) under a number of system failure circumstances,
2360 such as disks dying. In these cases, it is desirable to reject with a 4xx
2361 error instead of a 5xx error. There isn't a "right" way to detect such
2362 problems. The following kludge is used: errno is zeroed before calling
2363 hosts_ctl(). If the result is "reject", a 5xx error is given only if the
2364 value of errno is 0 or ENOENT (which happens if /etc/hosts.{allow,deny} does
2365 not exist). */
059ec3d9
PH		 2366
2367 #ifdef USE_TCP_WRAPPERS
afb3eaaf 2368 errno = 0;
5dc43717
JJ		 2369 tcp_wrappers_name = expand_string(tcp_wrappers_daemon_name);
2370 if (tcp_wrappers_name == NULL)
2371 {
2372 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
2373 "(tcp_wrappers_name) failed: %s", string_printing(tcp_wrappers_name),
2374 expand_string_message);
2375 }
2376 if (!hosts_ctl(tcp_wrappers_name,
059ec3d9
PH		 2377 (sender_host_name == NULL)? STRING_UNKNOWN : CS sender_host_name,
2378 (sender_host_address == NULL)? STRING_UNKNOWN : CS sender_host_address,
2379 (sender_ident == NULL)? STRING_UNKNOWN : CS sender_ident))
2380 {
afb3eaaf
PH		 2381 if (errno == 0 || errno == ENOENT)
2382 {
2383 HDEBUG(D_receive) debug_printf("tcp wrappers rejection\n");
2384 log_write(L_connection_reject,
2385 LOG_MAIN|LOG_REJECT, "refused connection from %s "
2386 "(tcp wrappers)", host_and_ident(FALSE));
2387 smtp_printf("554 SMTP service not available\r\n");
2388 }
2389 else
2390 {
2391 int save_errno = errno;
2392 HDEBUG(D_receive) debug_printf("tcp wrappers rejected with unexpected "
2393 "errno value %d\n", save_errno);
2394 log_write(L_connection_reject,
2395 LOG_MAIN|LOG_REJECT, "temporarily refused connection from %s "
2396 "(tcp wrappers errno=%d)", host_and_ident(FALSE), save_errno);
2397 smtp_printf("451 Temporary local problem - please try later\r\n");
2398 }
059ec3d9
PH		 2399 return FALSE;
2400 }
2401 #endif
2402
b01dd148
PH		 2403 /* Check for reserved slots. The value of smtp_accept_count has already been
2404 incremented to include this process. */
059ec3d9
PH		 2405
2406 if (smtp_accept_max > 0 &&
b01dd148 2407 smtp_accept_count > smtp_accept_max - smtp_accept_reserve)
059ec3d9
PH		 2408 {
2409 if ((rc = verify_check_host(&smtp_reserve_hosts)) != OK)
2410 {
2411 log_write(L_connection_reject,
2412 LOG_MAIN, "temporarily refused connection from %s: not in "
2413 "reserve list: connected=%d max=%d reserve=%d%s",
b01dd148 2414 host_and_ident(FALSE), smtp_accept_count - 1, smtp_accept_max,
059ec3d9
PH		 2415 smtp_accept_reserve, (rc == DEFER)? " (lookup deferred)" : "");
2416 smtp_printf("421 %s: Too many concurrent SMTP connections; "
2417 "please try again later\r\n", smtp_active_hostname);
2418 return FALSE;
2419 }
2420 reserved_host = TRUE;
2421 }
2422
2423 /* If a load level above which only messages from reserved hosts are
2424 accepted is set, check the load. For incoming calls via the daemon, the
2425 check is done in the superior process if there are no reserved hosts, to
2426 save a fork. In all cases, the load average will already be available
2427 in a global variable at this point. */
2428
2429 if (smtp_load_reserve >= 0 &&
2430 load_average > smtp_load_reserve &&
2431 !reserved_host &&
2432 verify_check_host(&smtp_reserve_hosts) != OK)
2433 {
2434 log_write(L_connection_reject,
2435 LOG_MAIN, "temporarily refused connection from %s: not in "
2436 "reserve list and load average = %.2f", host_and_ident(FALSE),
2437 (double)load_average/1000.0);
2438 smtp_printf("421 %s: Too much load; please try again later\r\n",
2439 smtp_active_hostname);
2440 return FALSE;
2441 }
2442
2443 /* Determine whether unqualified senders or recipients are permitted
2444 for this host. Unfortunately, we have to do this every time, in order to
2445 set the flags so that they can be inspected when considering qualifying
2446 addresses in the headers. For a site that permits no qualification, this
2447 won't take long, however. */
2448
2449 allow_unqualified_sender =
2450 verify_check_host(&sender_unqualified_hosts) == OK;
2451
2452 allow_unqualified_recipient =
2453 verify_check_host(&recipient_unqualified_hosts) == OK;
2454
2455 /* Determine whether HELO/EHLO is required for this host. The requirement
2456 can be hard or soft. */
2457
2458 helo_required = verify_check_host(&helo_verify_hosts) == OK;
2459 if (!helo_required)
2460 helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
2461
2462 /* Determine whether this hosts is permitted to send syntactic junk
2463 after a HELO or EHLO command. */
2464
2465 helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
2466 }
2467
2468/* For batch SMTP input we are now done. */
2469
2470if (smtp_batched_input) return TRUE;
2471
cee5f132 2472#ifdef SUPPORT_PROXY
a3c86431
TL		 2473/* If valid Proxy Protocol source is connecting, set up session.
2474 * Failure will not allow any SMTP function other than QUIT. */
2475proxy_session = FALSE;
2476proxy_session_failed = FALSE;
2477if (check_proxy_protocol_host())
2478 {
2479 if (setup_proxy_protocol_host() == FALSE)
2480 {
2481 proxy_session_failed = TRUE;
2482 DEBUG(D_receive)
2483 debug_printf("Failure to extract proxied host, only QUIT allowed\n");
2484 }
2485 else
2486 {
2487 sender_host_name = NULL;
2488 (void)host_name_lookup();
2489 host_build_sender_fullhost();
2490 }
2491 }
2492#endif
2493
059ec3d9
PH		 2494/* Run the ACL if it exists */
2495
4e88a19f 2496user_msg = NULL;
059ec3d9
PH		 2497if (acl_smtp_connect != NULL)
2498 {
2499 int rc;
64ffc24f 2500 rc = acl_check(ACL_WHERE_CONNECT, NULL, acl_smtp_connect, &user_msg,
059ec3d9
PH		 2501 &log_msg);
2502 if (rc != OK)
2503 {
2504 (void)smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
2505 return FALSE;
2506 }
2507 }
2508
2509/* Output the initial message for a two-way SMTP connection. It may contain
2510newlines, which then cause a multi-line response to be given. */
2511
4e88a19f
PH		 2512code = US"220"; /* Default status code */
2513esc = US""; /* Default extended status code */
2514esclen = 0; /* Length of esc */
2515
d4ff61d1 2516if (!user_msg)
4e88a19f 2517 {
d4ff61d1 2518 if (!(s = expand_string(smtp_banner)))
4e88a19f
PH		 2519 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) "
2520 "failed: %s", smtp_banner, expand_string_message);
2521 }
2522else
2523 {
2524 int codelen = 3;
2525 s = user_msg;
4f6ae5c3 2526 smtp_message_code(&code, &codelen, &s, NULL, TRUE);
d6a96edc 2527 if (codelen > 4)
4e88a19f
PH		 2528 {
2529 esc = code + 4;
2530 esclen = codelen - 4;
2531 }
2532 }
059ec3d9
PH		 2533
2534/* Remove any terminating newlines; might as well remove trailing space too */
2535
2536p = s + Ustrlen(s);
2537while (p > s && isspace(p[-1])) p--;
2538*p = 0;
2539
2540/* It seems that CC:Mail is braindead, and assumes that the greeting message
2541is all contained in a single IP packet. The original code wrote out the
2542greeting using several calls to fprint/fputc, and on busy servers this could
2543cause it to be split over more than one packet - which caused CC:Mail to fall
2544over when it got the second part of the greeting after sending its first
2545command. Sigh. To try to avoid this, build the complete greeting message
2546first, and output it in one fell swoop. This gives a better chance of it
2547ending up as a single packet. */
2548
2549ss = store_get(size);
2550ptr = 0;
2551
2552p = s;
2553do /* At least once, in case we have an empty string */
2554 {
2555 int len;
2556 uschar *linebreak = Ustrchr(p, '\n');
c2f669a4 2557 ss = string_catn(ss, &size, &ptr, code, 3);
059ec3d9
PH		 2558 if (linebreak == NULL)
2559 {
2560 len = Ustrlen(p);
c2f669a4 2561 ss = string_catn(ss, &size, &ptr, US" ", 1);
059ec3d9
PH		 2562 }
2563 else
2564 {
2565 len = linebreak - p;
c2f669a4 2566 ss = string_catn(ss, &size, &ptr, US"-", 1);
059ec3d9 2567 }
c2f669a4
JH		 2568 ss = string_catn(ss, &size, &ptr, esc, esclen);
2569 ss = string_catn(ss, &size, &ptr, p, len);
2570 ss = string_catn(ss, &size, &ptr, US"\r\n", 2);
059ec3d9
PH		 2571 p += len;
2572 if (linebreak != NULL) p++;
2573 }
2574while (*p != 0);
2575
2576ss[ptr] = 0; /* string_cat leaves room for this */
2577
2578/* Before we write the banner, check that there is no input pending, unless
2579this synchronisation check is disabled. */
2580
a14e5636 2581if (!check_sync())
059ec3d9 2582 {
a14e5636
PH		 2583 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol "
2584 "synchronization error (input sent without waiting for greeting): "
2585 "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
2586 string_printing(smtp_inptr));
2587 smtp_printf("554 SMTP synchronization error\r\n");
2588 return FALSE;
059ec3d9
PH		 2589 }
2590
2591/* Now output the banner */
2592
2593smtp_printf("%s", ss);
2594return TRUE;
2595}
2596
2597
2598
2599
2600
2601/*************************************************
2602* Handle SMTP syntax and protocol errors *
2603*************************************************/
2604
2605/* Write to the log for SMTP syntax errors in incoming commands, if configured
2606to do so. Then transmit the error response. The return value depends on the
2607number of syntax and protocol errors in this SMTP session.
2608
2609Arguments:
2610 type error type, given as a log flag bit
2611 code response code; <= 0 means don't send a response
2612 data data to reflect in the response (can be NULL)
2613 errmess the error message
2614
2615Returns: -1 limit of syntax/protocol errors NOT exceeded
2616 +1 limit of syntax/protocol errors IS exceeded
2617
2618These values fit in with the values of the "done" variable in the main
2619processing loop in smtp_setup_msg(). */
2620
2621static int
2622synprot_error(int type, int code, uschar *data, uschar *errmess)
2623{
2624int yield = -1;
2625
2626log_write(type, LOG_MAIN, "SMTP %s error in \"%s\" %s %s",
2627 (type == L_smtp_syntax_error)? "syntax" : "protocol",
3ee512ff 2628 string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);
059ec3d9
PH		 2629
2630if (++synprot_error_count > smtp_max_synprot_errors)
2631 {
2632 yield = 1;
2633 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
2634 "syntax or protocol errors (last command was \"%s\")",
0ebc4d69 2635 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
059ec3d9
PH		 2636 }
2637
2638if (code > 0)
2639 {
2640 smtp_printf("%d%c%s%s%s\r\n", code, (yield == 1)? '-' : ' ',
2641 (data == NULL)? US"" : data, (data == NULL)? US"" : US": ", errmess);
2642 if (yield == 1)
2643 smtp_printf("%d Too many syntax or protocol errors\r\n", code);
2644 }
2645
2646return yield;
2647}
2648
2649
2650
2651
2652/*************************************************
2653* Log incomplete transactions *
2654*************************************************/
2655
2656/* This function is called after a transaction has been aborted by RSET, QUIT,
2657connection drops or other errors. It logs the envelope information received
2658so far in order to preserve address verification attempts.
2659
2660Argument: string to indicate what aborted the transaction
2661Returns: nothing
2662*/
2663
2664static void
2665incomplete_transaction_log(uschar *what)
2666{
2667if (sender_address == NULL || /* No transaction in progress */
6c6d6e48
TF		 2668 !LOGGING(smtp_incomplete_transaction))
2669 return;
059ec3d9
PH		 2670
2671/* Build list of recipients for logging */
2672
2673if (recipients_count > 0)
2674 {
2675 int i;
2676 raw_recipients = store_get(recipients_count * sizeof(uschar *));
2677 for (i = 0; i < recipients_count; i++)
2678 raw_recipients[i] = recipients_list[i].address;
2679 raw_recipients_count = recipients_count;
2680 }
2681
2682log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
2683 "%s incomplete transaction (%s)", host_and_ident(TRUE), what);
2684}
2685
2686
2687
2688
2689/*************************************************
2690* Send SMTP response, possibly multiline *
2691*************************************************/
2692
2693/* There are, it seems, broken clients out there that cannot handle multiline
2694responses. If no_multiline_responses is TRUE (it can be set from an ACL), we
2695output nothing for non-final calls, and only the first line for anything else.
2696
2697Arguments:
a5bd321b 2698 code SMTP code, may involve extended status codes
d6a96edc 2699 codelen length of smtp code; if > 4 there's an ESC
059ec3d9
PH		 2700 final FALSE if the last line isn't the final line
2701 msg message text, possibly containing newlines
2702
2703Returns: nothing
2704*/
2705
2706void
a5bd321b 2707smtp_respond(uschar* code, int codelen, BOOL final, uschar *msg)
059ec3d9 2708{
a5bd321b
PH		 2709int esclen = 0;
2710uschar *esc = US"";
2711
059ec3d9
PH		 2712if (!final && no_multiline_responses) return;
2713
d6a96edc 2714if (codelen > 4)
a5bd321b
PH		 2715 {
2716 esc = code + 4;
2717 esclen = codelen - 4;
2718 }
2719
2679d413
PH		 2720/* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
2721have had the same. Note: this code is also present in smtp_printf(). It would
2722be tidier to have it only in one place, but when it was added, it was easier to
2723do it that way, so as not to have to mess with the code for the RCPT command,
2724which sometimes uses smtp_printf() and sometimes smtp_respond(). */
2725
2726if (rcpt_in_progress)
2727 {
2728 if (rcpt_smtp_response == NULL)
2729 rcpt_smtp_response = string_copy(msg);
2730 else if (rcpt_smtp_response_same &&
2731 Ustrcmp(rcpt_smtp_response, msg) != 0)
2732 rcpt_smtp_response_same = FALSE;
2733 rcpt_in_progress = FALSE;
2734 }
2735
2736/* Not output the message, splitting it up into multiple lines if necessary. */
2737
059ec3d9
PH		 2738for (;;)
2739 {
2740 uschar *nl = Ustrchr(msg, '\n');
2741 if (nl == NULL)
2742 {
a5bd321b 2743 smtp_printf("%.3s%c%.*s%s\r\n", code, final? ' ':'-', esclen, esc, msg);
059ec3d9
PH		 2744 return;
2745 }
2746 else if (nl[1] == 0 || no_multiline_responses)
2747 {
a5bd321b
PH		 2748 smtp_printf("%.3s%c%.*s%.*s\r\n", code, final? ' ':'-', esclen, esc,
2749 (int)(nl - msg), msg);
059ec3d9
PH		 2750 return;
2751 }
2752 else
2753 {
a5bd321b 2754 smtp_printf("%.3s-%.*s%.*s\r\n", code, esclen, esc, (int)(nl - msg), msg);
059ec3d9
PH		 2755 msg = nl + 1;
2756 while (isspace(*msg)) msg++;
2757 }
2758 }
2759}
2760
2761
2762
2763
4e88a19f
PH		 2764/*************************************************
2765* Parse user SMTP message *
2766*************************************************/
2767
2768/* This function allows for user messages overriding the response code details
2769by providing a suitable response code string at the start of the message
2770user_msg. Check the message for starting with a response code and optionally an
2771extended status code. If found, check that the first digit is valid, and if so,
2772change the code pointer and length to use the replacement. An invalid code
2773causes a panic log; in this case, if the log messages is the same as the user
2774message, we must also adjust the value of the log message to show the code that
2775is actually going to be used (the original one).
2776
2777This function is global because it is called from receive.c as well as within
2778this module.
2779
d6a96edc
PH		 2780Note that the code length returned includes the terminating whitespace
2781character, which is always included in the regex match.
2782
4e88a19f
PH		 2783Arguments:
2784 code SMTP code, may involve extended status codes
d6a96edc 2785 codelen length of smtp code; if > 4 there's an ESC
4e88a19f
PH		 2786 msg message text
2787 log_msg optional log message, to be adjusted with the new SMTP code
4f6ae5c3 2788 check_valid if true, verify the response code
4e88a19f
PH		 2789
2790Returns: nothing
2791*/
2792
2793void
4f6ae5c3
JH		 2794smtp_message_code(uschar **code, int *codelen, uschar **msg, uschar **log_msg,
2795 BOOL check_valid)
4e88a19f
PH		 2796{
2797int n;
2798int ovector[3];
2799
4f6ae5c3 2800if (!msg || !*msg) return;
4e88a19f 2801
4f6ae5c3
JH		 2802if ((n = pcre_exec(regex_smtp_code, NULL, CS *msg, Ustrlen(*msg), 0,
2803 PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int))) < 0) return;
4e88a19f 2804
4f6ae5c3 2805if (check_valid && (*msg)[0] != (*code)[0])
4e88a19f
PH		 2806 {
2807 log_write(0, LOG_MAIN|LOG_PANIC, "configured error code starts with "
2808 "incorrect digit (expected %c) in \"%s\"", (*code)[0], *msg);
2809 if (log_msg != NULL && *log_msg == *msg)
2810 *log_msg = string_sprintf("%s %s", *code, *log_msg + ovector[1]);
2811 }
2812else
2813 {
2814 *code = *msg;
2815 *codelen = ovector[1]; /* Includes final space */
2816 }
2817*msg += ovector[1]; /* Chop the code off the message */
2818return;
2819}
2820
2821
2822
2823
059ec3d9
PH		 2824/*************************************************
2825* Handle an ACL failure *
2826*************************************************/
2827
2828/* This function is called when acl_check() fails. As well as calls from within
2829this module, it is called from receive.c for an ACL after DATA. It sorts out
2830logging the incident, and sets up the error response. A message containing
2831newlines is turned into a multiline SMTP response, but for logging, only the
2832first line is used.
2833
a5bd321b
PH		 2834There's a table of default permanent failure response codes to use in
2835globals.c, along with the table of names. VFRY is special. Despite RFC1123 it
2836defaults disabled in Exim. However, discussion in connection with RFC 821bis
2837(aka RFC 2821) has concluded that the response should be 252 in the disabled
2838state, because there are broken clients that try VRFY before RCPT. A 5xx
2839response should be given only when the address is positively known to be
4f6ae5c3
JH		 2840undeliverable. Sigh. We return 252 if there is no VRFY ACL or it provides
2841no explicit code, but if there is one we let it know best.
2842Also, for ETRN, 458 is given on refusal, and for AUTH, 503.
a5bd321b
PH		 2843
2844From Exim 4.63, it is possible to override the response code details by
2845providing a suitable response code string at the start of the message provided
2846in user_msg. The code's first digit is checked for validity.
059ec3d9
PH		 2847
2848Arguments:
4f6ae5c3
JH		 2849 where where the ACL was called from
2850 rc the failure code
2851 user_msg a message that can be included in an SMTP response
2852 log_msg a message for logging
059ec3d9
PH		 2853
2854Returns: 0 in most cases
2855 2 if the failure code was FAIL_DROP, in which case the
2856 SMTP connection should be dropped (this value fits with the
2857 "done" variable in smtp_setup_msg() below)
2858*/
2859
2860int
2861smtp_handle_acl_fail(int where, int rc, uschar *user_msg, uschar *log_msg)
2862{
059ec3d9 2863BOOL drop = rc == FAIL_DROP;
a5bd321b 2864int codelen = 3;
a5bd321b 2865uschar *smtp_code;
059ec3d9
PH		 2866uschar *lognl;
2867uschar *sender_info = US"";
64ffc24f 2868uschar *what =
8523533c 2869#ifdef WITH_CONTENT_SCAN
64ffc24f 2870 (where == ACL_WHERE_MIME)? US"during MIME ACL checks" :
8e669ac1 2871#endif
64ffc24f
PH		 2872 (where == ACL_WHERE_PREDATA)? US"DATA" :
2873 (where == ACL_WHERE_DATA)? US"after DATA" :
8ccd00b1 2874#ifndef DISABLE_PRDR
fd98a5c6
JH		 2875 (where == ACL_WHERE_PRDR)? US"after DATA PRDR" :
2876#endif
ca86f471 2877 (smtp_cmd_data == NULL)?
64ffc24f 2878 string_sprintf("%s in \"connect\" ACL", acl_wherenames[where]) :
ca86f471 2879 string_sprintf("%s %s", acl_wherenames[where], smtp_cmd_data);
059ec3d9
PH		 2880
2881if (drop) rc = FAIL;
2882
4e88a19f 2883/* Set the default SMTP code, and allow a user message to change it. */
a5bd321b 2884
4f6ae5c3
JH		 2885smtp_code = rc == FAIL ? acl_wherecodes[where] : US"451";
2886smtp_message_code(&smtp_code, &codelen, &user_msg, &log_msg,
2887 where != ACL_WHERE_VRFY);
a5bd321b 2888
059ec3d9
PH		 2889/* We used to have sender_address here; however, there was a bug that was not
2890updating sender_address after a rewrite during a verify. When this bug was
2891fixed, sender_address at this point became the rewritten address. I'm not sure
2892this is what should be logged, so I've changed to logging the unrewritten
2893address to retain backward compatibility. */
2894
8523533c 2895#ifndef WITH_CONTENT_SCAN
059ec3d9 2896if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
8523533c
TK		 2897#else
2898if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
2899#endif
059ec3d9 2900 {
b98bb9ac
PP		 2901 sender_info = string_sprintf("F=<%s>%s%s%s%s ",
2902 sender_address_unrewritten ? sender_address_unrewritten : sender_address,
2903 sender_host_authenticated ? US" A=" : US"",
2904 sender_host_authenticated ? sender_host_authenticated : US"",
2905 sender_host_authenticated && authenticated_id ? US":" : US"",
2906 sender_host_authenticated && authenticated_id ? authenticated_id : US""
2907 );
059ec3d9
PH		 2908 }
2909
2910/* If there's been a sender verification failure with a specific message, and
2911we have not sent a response about it yet, do so now, as a preliminary line for
278c6e6c
PH		 2912failures, but not defers. However, always log it for defer, and log it for fail
2913unless the sender_verify_fail log selector has been turned off. */
059ec3d9
PH		 2914
2915if (sender_verified_failed != NULL &&
2916 !testflag(sender_verified_failed, af_sverify_told))
2917 {
2679d413
PH		 2918 BOOL save_rcpt_in_progress = rcpt_in_progress;
2919 rcpt_in_progress = FALSE; /* So as not to treat these as the error */
2920
059ec3d9
PH		 2921 setflag(sender_verified_failed, af_sverify_told);
2922
6c6d6e48 2923 if (rc != FAIL || LOGGING(sender_verify_fail))
278c6e6c
PH		 2924 log_write(0, LOG_MAIN|LOG_REJECT, "%s sender verify %s for <%s>%s",
2925 host_and_ident(TRUE),
2926 ((sender_verified_failed->special_action & 255) == DEFER)? "defer":"fail",
2927 sender_verified_failed->address,
2928 (sender_verified_failed->message == NULL)? US"" :
2929 string_sprintf(": %s", sender_verified_failed->message));
059ec3d9
PH		 2930
2931 if (rc == FAIL && sender_verified_failed->user_message != NULL)
a5bd321b 2932 smtp_respond(smtp_code, codelen, FALSE, string_sprintf(
059ec3d9
PH		 2933 testflag(sender_verified_failed, af_verify_pmfail)?
2934 "Postmaster verification failed while checking <%s>\n%s\n"
2935 "Several RFCs state that you are required to have a postmaster\n"
2936 "mailbox for each mail domain. This host does not accept mail\n"
2937 "from domains whose servers reject the postmaster address."
2938 :
2939 testflag(sender_verified_failed, af_verify_nsfail)?
2940 "Callback setup failed while verifying <%s>\n%s\n"
2941 "The initial connection, or a HELO or MAIL FROM:<> command was\n"
2942 "rejected. Refusing MAIL FROM:<> does not help fight spam, disregards\n"
2943 "RFC requirements, and stops you from receiving standard bounce\n"
2944 "messages. This host does not accept mail from domains whose servers\n"
2945 "refuse bounces."
2946 :
2947 "Verification failed for <%s>\n%s",
2948 sender_verified_failed->address,
2949 sender_verified_failed->user_message));
2679d413
PH		 2950
2951 rcpt_in_progress = save_rcpt_in_progress;
059ec3d9
PH		 2952 }
2953
2954/* Sort out text for logging */
2955
2956log_msg = (log_msg == NULL)? US"" : string_sprintf(": %s", log_msg);
2957lognl = Ustrchr(log_msg, '\n');
2958if (lognl != NULL) *lognl = 0;
2959
2960/* Send permanent failure response to the command, but the code used isn't
2961always a 5xx one - see comments at the start of this function. If the original
2962rc was FAIL_DROP we drop the connection and yield 2. */
2963
ff5929e3
JH		 2964if (rc == FAIL)
2965 smtp_respond(smtp_code, codelen, TRUE,
2966 user_msg ? user_msg : US"Administrative prohibition");
059ec3d9
PH		 2967
2968/* Send temporary failure response to the command. Don't give any details,
2969unless acl_temp_details is set. This is TRUE for a callout defer, a "defer"
2970verb, and for a header verify when smtp_return_error_details is set.
2971
2972This conditional logic is all somewhat of a mess because of the odd
2973interactions between temp_details and return_error_details. One day it should
2974be re-implemented in a tidier fashion. */
2975
2976else
ff5929e3 2977 if (acl_temp_details && user_msg)
059ec3d9 2978 {
ff5929e3
JH		 2979 if ( smtp_return_error_details
2980 && sender_verified_failed
2981 && sender_verified_failed->message
2982 )
a5bd321b 2983 smtp_respond(smtp_code, codelen, FALSE, sender_verified_failed->message);
ff5929e3 2984
a5bd321b 2985 smtp_respond(smtp_code, codelen, TRUE, user_msg);
059ec3d9
PH		 2986 }
2987 else
a5bd321b
PH		 2988 smtp_respond(smtp_code, codelen, TRUE,
2989 US"Temporary local problem - please try later");
059ec3d9 2990
6ea85e9a
PH		 2991/* Log the incident to the logs that are specified by log_reject_target
2992(default main, reject). This can be empty to suppress logging of rejections. If
2993the connection is not forcibly to be dropped, return 0. Otherwise, log why it
2994is closing if required and return 2. */
059ec3d9 2995
6ea85e9a 2996if (log_reject_target != 0)
887291d2 2997 {
e45a1c37 2998#ifdef SUPPORT_TLS
fc16abb4
JH		 2999 uschar * tls = s_tlslog(NULL, NULL, NULL);
3000 if (!tls) tls = US"";
e45a1c37 3001#else
fc16abb4 3002 uschar * tls = US"";
e45a1c37 3003#endif
fc16abb4
JH		 3004 log_write(0, log_reject_target, "%s%s%s %s%srejected %s%s",
3005 LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
3006 host_and_ident(TRUE),
3007 tls,
3008 sender_info,
3009 rc == FAIL ? US"" : US"temporarily ",
3010 what, log_msg);
887291d2 3011 }
059ec3d9
PH		 3012
3013if (!drop) return 0;
3014
3015log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
3016 smtp_get_connection_info());
8f128379
PH		 3017
3018/* Run the not-quit ACL, but without any custom messages. This should not be a
3019problem, because we get here only if some other ACL has issued "drop", and
3020in that case, *its* custom messages will have been used above. */
3021
3022smtp_notquit_exit(US"acl-drop", NULL, NULL);
059ec3d9
PH		 3023return 2;
3024}
3025
3026
3027
3028
8f128379
PH		 3029/*************************************************
3030* Handle SMTP exit when QUIT is not given *
3031*************************************************/
3032
3033/* This function provides a logging/statistics hook for when an SMTP connection
3034is dropped on the floor or the other end goes away. It's a global function
3035because it's called from receive.c as well as this module. As well as running
3036the NOTQUIT ACL, if there is one, this function also outputs a final SMTP
3037response, either with a custom message from the ACL, or using a default. There
3038is one case, however, when no message is output - after "drop". In that case,
3039the ACL that obeyed "drop" has already supplied the custom message, and NULL is
3040passed to this function.
3041
3042In case things go wrong while processing this function, causing an error that
3043may re-enter this funtion, there is a recursion check.
3044
3045Arguments:
3046 reason What $smtp_notquit_reason will be set to in the ACL;
3047 if NULL, the ACL is not run
3048 code The error code to return as part of the response
3049 defaultrespond The default message if there's no user_msg
3050
3051Returns: Nothing
3052*/
3053
3054void
3055smtp_notquit_exit(uschar *reason, uschar *code, uschar *defaultrespond, ...)
3056{
3057int rc;
3058uschar *user_msg = NULL;
3059uschar *log_msg = NULL;
3060
3061/* Check for recursive acll */
3062
3063if (smtp_exit_function_called)
3064 {
3065 log_write(0, LOG_PANIC, "smtp_notquit_exit() called more than once (%s)",
3066 reason);
3067 return;
3068 }
3069smtp_exit_function_called = TRUE;
3070
3071/* Call the not-QUIT ACL, if there is one, unless no reason is given. */
3072
eea0defe 3073if (acl_smtp_notquit && reason)
8f128379
PH		 3074 {
3075 smtp_notquit_reason = reason;
eea0defe
JB		 3076 if ((rc = acl_check(ACL_WHERE_NOTQUIT, NULL, acl_smtp_notquit, &user_msg,
3077 &log_msg)) == ERROR)
8f128379
PH		 3078 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for not-QUIT returned ERROR: %s",
3079 log_msg);
3080 }
3081
3082/* Write an SMTP response if we are expected to give one. As the default
3083responses are all internal, they should always fit in the buffer, but code a
3084warning, just in case. Note that string_vformat() still leaves a complete
3085string, even if it is incomplete. */
3086
eea0defe 3087if (code && defaultrespond)
8f128379 3088 {
eea0defe
JB		 3089 if (user_msg)
3090 smtp_respond(code, 3, TRUE, user_msg);
3091 else
8f128379
PH		 3092 {
3093 uschar buffer[128];
3094 va_list ap;
3095 va_start(ap, defaultrespond);
3096 if (!string_vformat(buffer, sizeof(buffer), CS defaultrespond, ap))
3097 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_notquit_exit()");
3098 smtp_printf("%s %s\r\n", code, buffer);
3099 va_end(ap);
3100 }
8f128379
PH		 3101 mac_smtp_fflush();
3102 }
3103}
3104
3105
3106
3107
d7b47fd0
PH		 3108/*************************************************
3109* Verify HELO argument *
3110*************************************************/
3111
3112/* This function is called if helo_verify_hosts or helo_try_verify_hosts is
3113matched. It is also called from ACL processing if verify = helo is used and
3114verification was not previously tried (i.e. helo_try_verify_hosts was not
3115matched). The result of its processing is to set helo_verified and
3116helo_verify_failed. These variables should both be FALSE for this function to
3117be called.
3118
3119Note that EHLO/HELO is legitimately allowed to quote an address literal. Allow
3120for IPv6 ::ffff: literals.
3121
3122Argument: none
3123Returns: TRUE if testing was completed;
3124 FALSE on a temporary failure
3125*/
3126
3127BOOL
3128smtp_verify_helo(void)
3129{
3130BOOL yield = TRUE;
3131
3132HDEBUG(D_receive) debug_printf("verifying EHLO/HELO argument \"%s\"\n",
3133 sender_helo_name);
3134
3135if (sender_helo_name == NULL)
3136 {
3137 HDEBUG(D_receive) debug_printf("no EHLO/HELO command was issued\n");
3138 }
3139
d1d5595c
PH		 3140/* Deal with the case of -bs without an IP address */
3141
3142else if (sender_host_address == NULL)
3143 {
3144 HDEBUG(D_receive) debug_printf("no client IP address: assume success\n");
3145 helo_verified = TRUE;
3146 }
3147
3148/* Deal with the more common case when there is a sending IP address */
3149
d7b47fd0
PH		 3150else if (sender_helo_name[0] == '[')
3151 {
3152 helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
3153 Ustrlen(sender_host_address)) == 0;
3154
3155 #if HAVE_IPV6
3156 if (!helo_verified)
3157 {
3158 if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
3159 helo_verified = Ustrncmp(sender_helo_name + 1,
3160 sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
3161 }
3162 #endif
3163
3164 HDEBUG(D_receive)
3165 { if (helo_verified) debug_printf("matched host address\n"); }
3166 }
3167
3168/* Do a reverse lookup if one hasn't already given a positive or negative
3169response. If that fails, or the name doesn't match, try checking with a forward
3170lookup. */
3171
3172else
3173 {
3174 if (sender_host_name == NULL && !host_lookup_failed)
3175 yield = host_name_lookup() != DEFER;
3176
3177 /* If a host name is known, check it and all its aliases. */
3178
1705dd20
JH		 3179 if (sender_host_name)
3180 if ((helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0))
d7b47fd0 3181 {
1705dd20 3182 sender_helo_dnssec = sender_host_dnssec;
d7b47fd0
PH		 3183 HDEBUG(D_receive) debug_printf("matched host name\n");
3184 }
3185 else
3186 {
3187 uschar **aliases = sender_host_aliases;
1705dd20
JH		 3188 while (*aliases)
3189 if ((helo_verified = strcmpic(*aliases++, sender_helo_name) == 0))
3190 {
3191 sender_helo_dnssec = sender_host_dnssec;
3192 break;
3193 }
3194
3195 HDEBUG(D_receive) if (helo_verified)
d7b47fd0 3196 debug_printf("matched alias %s\n", *(--aliases));
d7b47fd0 3197 }
d7b47fd0
PH		 3198
3199 /* Final attempt: try a forward lookup of the helo name */
3200
3201 if (!helo_verified)
3202 {
3203 int rc;
3204 host_item h;
1705dd20
JH		 3205 dnssec_domains d;
3206 host_item *hh;
3207
d7b47fd0
PH		 3208 h.name = sender_helo_name;
3209 h.address = NULL;
3210 h.mx = MX_NONE;
3211 h.next = NULL;
1705dd20
JH		 3212 d.request = US"*";
3213 d.require = US"";
3214
d7b47fd0
PH		 3215 HDEBUG(D_receive) debug_printf("getting IP address for %s\n",
3216 sender_helo_name);
1705dd20
JH		 3217 rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A,
3218 NULL, NULL, NULL, &d, NULL, NULL);
d7b47fd0 3219 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
1705dd20 3220 for (hh = &h; hh; hh = hh->next)
d7b47fd0
PH		 3221 if (Ustrcmp(hh->address, sender_host_address) == 0)
3222 {
3223 helo_verified = TRUE;
1705dd20 3224 if (h.dnssec == DS_YES) sender_helo_dnssec = TRUE;
d7b47fd0 3225 HDEBUG(D_receive)
1705dd20
JH		 3226 {
3227 debug_printf("IP address for %s matches calling address\n"
3228 "Forward DNS security status: %sverified\n",
3229 sender_helo_name, sender_helo_dnssec ? "" : "un");
3230 }
d7b47fd0
PH		 3231 break;
3232 }
d7b47fd0
PH		 3233 }
3234 }
3235
d1d5595c 3236if (!helo_verified) helo_verify_failed = TRUE; /* We've tried ... */
d7b47fd0
PH		 3237return yield;
3238}
3239
3240
3241
3242
4e88a19f
PH		 3243/*************************************************
3244* Send user response message *
3245*************************************************/
3246
3247/* This function is passed a default response code and a user message. It calls
3248smtp_message_code() to check and possibly modify the response code, and then
3249calls smtp_respond() to transmit the response. I put this into a function
3250just to avoid a lot of repetition.
3251
3252Arguments:
3253 code the response code
3254 user_msg the user message
3255
3256Returns: nothing
3257*/
3258
3259static void
3260smtp_user_msg(uschar *code, uschar *user_msg)
3261{
3262int len = 3;
4f6ae5c3 3263smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
4e88a19f
PH		 3264smtp_respond(code, len, TRUE, user_msg);
3265}
3266
3267
3268
b3ef41c9
JH		 3269static int
3270smtp_in_auth(auth_instance *au, uschar ** s, uschar ** ss)
3271{
3272const uschar *set_id = NULL;
3273int rc, i;
3274
3275/* Run the checking code, passing the remainder of the command line as
3276data. Initials the $auth<n> variables as empty. Initialize $0 empty and set
3277it as the only set numerical variable. The authenticator may set $auth<n>
3278and also set other numeric variables. The $auth<n> variables are preferred
3279nowadays; the numerical variables remain for backwards compatibility.
3280
3281Afterwards, have a go at expanding the set_id string, even if
3282authentication failed - for bad passwords it can be useful to log the
3283userid. On success, require set_id to expand and exist, and put it in
3284authenticated_id. Save this in permanent store, as the working store gets
3285reset at HELO, RSET, etc. */
3286
3287for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
3288expand_nmax = 0;
3289expand_nlength[0] = 0; /* $0 contains nothing */
3290
3291rc = (au->info->servercode)(au, smtp_cmd_data);
3292if (au->set_id) set_id = expand_string(au->set_id);
3293expand_nmax = -1; /* Reset numeric variables */
3294for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL; /* Reset $auth<n> */
3295
3296/* The value of authenticated_id is stored in the spool file and printed in
3297log lines. It must not contain binary zeros or newline characters. In
3298normal use, it never will, but when playing around or testing, this error
3299can (did) happen. To guard against this, ensure that the id contains only
3300printing characters. */
3301
3302if (set_id) set_id = string_printing(set_id);
3303
3304/* For the non-OK cases, set up additional logging data if set_id
3305is not empty. */
3306
3307if (rc != OK)
3308 set_id = set_id && *set_id
3309 ? string_sprintf(" (set_id=%s)", set_id) : US"";
3310
3311/* Switch on the result */
3312
3313switch(rc)
3314 {
3315 case OK:
3316 if (!au->set_id || set_id) /* Complete success */
3317 {
3318 if (set_id) authenticated_id = string_copy_malloc(set_id);
3319 sender_host_authenticated = au->name;
3320 authentication_failed = FALSE;
3321 authenticated_fail_id = NULL; /* Impossible to already be set? */
3322
3323 received_protocol =
3324 (sender_host_address ? protocols : protocols_local)
3325 [pextend + pauthed + (tls_in.active >= 0 ? pcrpted:0)];
3326 *s = *ss = US"235 Authentication succeeded";
3327 authenticated_by = au;
3328 break;
3329 }
3330
3331 /* Authentication succeeded, but we failed to expand the set_id string.
3332 Treat this as a temporary error. */
3333
3334 auth_defer_msg = expand_string_message;
3335 /* Fall through */
3336
3337 case DEFER:
3338 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3339 *s = string_sprintf("435 Unable to authenticate at present%s",
3340 auth_defer_user_msg);
3341 *ss = string_sprintf("435 Unable to authenticate at present%s: %s",
3342 set_id, auth_defer_msg);
3343 break;
3344
3345 case BAD64:
3346 *s = *ss = US"501 Invalid base64 data";
3347 break;
3348
3349 case CANCELLED:
3350 *s = *ss = US"501 Authentication cancelled";
3351 break;
3352
3353 case UNEXPECTED:
3354 *s = *ss = US"553 Initial data not expected";
3355 break;
3356
3357 case FAIL:
3358 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3359 *s = US"535 Incorrect authentication data";
3360 *ss = string_sprintf("535 Incorrect authentication data%s", set_id);
3361 break;
3362
3363 default:
3364 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3365 *s = US"435 Internal error";
3366 *ss = string_sprintf("435 Internal error%s: return %d from authentication "
3367 "check", set_id, rc);
3368 break;
3369 }
3370
3371return rc;
3372}
3373
3374
3375
2685d6e0
JH		 3376
3377
3378static int
3379qualify_recipient(uschar ** recipient, uschar * smtp_cmd_data, uschar * tag)
3380{
3381int rd;
3382if (allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0)
3383 {
3384 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
3385 *recipient);
3386 rd = Ustrlen(recipient) + 1;
3387 *recipient = rewrite_address_qualify(*recipient, TRUE);
3388 return rd;
3389 }
3390smtp_printf("501 %s: recipient address must contain a domain\r\n",
3391 smtp_cmd_data);
3392log_write(L_smtp_syntax_error,
3393 LOG_MAIN|LOG_REJECT, "unqualified %s rejected: <%s> %s%s",
3394 tag, *recipient, host_and_ident(TRUE), host_lookup_msg);
3395return 0;
3396}
3397
3398
3399
3400
7e3ce68e
JH		 3401static void
3402smtp_quit_handler(uschar ** user_msgp, uschar ** log_msgp)
3403{
3404HAD(SCH_QUIT);
3405incomplete_transaction_log(US"QUIT");
3406if (acl_smtp_quit != NULL)
3407 {
3408 int rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, user_msgp, log_msgp);
3409 if (rc == ERROR)
3410 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
3411 *log_msgp);
3412 }
3413if (*user_msgp)
3414 smtp_respond(US"221", 3, TRUE, *user_msgp);
3415else
3416 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
3417
3418#ifdef SUPPORT_TLS
3419tls_close(TRUE, TRUE);
3420#endif
3421
3422log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
3423 smtp_get_connection_info());
3424}
3425
3426
3427static void
3428smtp_rset_handler(void)
3429{
3430HAD(SCH_RSET);
3431incomplete_transaction_log(US"RSET");
3432smtp_printf("250 Reset OK\r\n");
3433cmd_list[CMD_LIST_RSET].is_mail_cmd = FALSE;
3434}
3435
3436
3437
059ec3d9
PH		 3438/*************************************************
3439* Initialize for SMTP incoming message *
3440*************************************************/
3441
3442/* This function conducts the initial dialogue at the start of an incoming SMTP
3443message, and builds a list of recipients. However, if the incoming message
3444is part of a batch (-bS option) a separate function is called since it would
3445be messy having tests splattered about all over this function. This function
3446therefore handles the case where interaction is occurring. The input and output
3447files are set up in smtp_in and smtp_out.
3448
3449The global recipients_list is set to point to a vector of recipient_item
3450blocks, whose number is given by recipients_count. This is extended by the
3451receive_add_recipient() function. The global variable sender_address is set to
3452the sender's address. The yield is +1 if a message has been successfully
3453started, 0 if a QUIT command was encountered or the connection was refused from
3454the particular host, or -1 if the connection was lost.
3455
3456Argument: none
3457
3458Returns: > 0 message successfully started (reached DATA)
3459 = 0 QUIT read or end of file reached or call refused
3460 < 0 lost connection
3461*/
3462
3463int
3464smtp_setup_msg(void)
3465{
3466int done = 0;
3467BOOL toomany = FALSE;
3468BOOL discarded = FALSE;
3469BOOL last_was_rej_mail = FALSE;
3470BOOL last_was_rcpt = FALSE;
3471void *reset_point = store_get(0);
3472
3473DEBUG(D_receive) debug_printf("smtp_setup_msg entered\n");
3474
3475/* Reset for start of new message. We allow one RSET not to be counted as a
3476nonmail command, for those MTAs that insist on sending it between every
3477message. Ditto for EHLO/HELO and for STARTTLS, to allow for going in and out of
3478TLS between messages (an Exim client may do this if it has messages queued up
3479for the host). Note: we do NOT reset AUTH at this point. */
3480
3481smtp_reset(reset_point);
3482message_ended = END_NOTSTARTED;
3483
7e3ce68e
JH		 3484chunking_state = chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
3485
059ec3d9
PH		 3486cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
3487cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
3488cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
3489#ifdef SUPPORT_TLS
3490cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
b3ef41c9 3491cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
059ec3d9
PH		 3492#endif
3493
3494/* Set the local signal handler for SIGTERM - it tries to end off tidily */
3495
3496os_non_restarting_signal(SIGTERM, command_sigterm_handler);
3497
3498/* Batched SMTP is handled in a different function. */
3499
3500if (smtp_batched_input) return smtp_setup_batch_msg();
3501
3502/* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
3503value. The values are 2 larger than the required yield of the function. */
3504
3505while (done <= 0)
3506 {
55414b25 3507 const uschar **argv;
059ec3d9
PH		 3508 uschar *etrn_command;
3509 uschar *etrn_serialize_key;
3510 uschar *errmess;
4e88a19f
PH		 3511 uschar *log_msg, *smtp_code;
3512 uschar *user_msg = NULL;
059ec3d9
PH		 3513 uschar *recipient = NULL;
3514 uschar *hello = NULL;
059ec3d9
PH		 3515 uschar *s, *ss;
3516 BOOL was_rej_mail = FALSE;
3517 BOOL was_rcpt = FALSE;
3518 void (*oldsignal)(int);
3519 pid_t pid;
3520 int start, end, sender_domain, recipient_domain;
3521 int ptr, size, rc;
aa7751be 3522 int c;
059ec3d9 3523 auth_instance *au;
6c1c3d1d
WB		 3524 uschar *orcpt = NULL;
3525 int flags;
059ec3d9 3526
b3ef41c9
JH		 3527#if defined(SUPPORT_TLS) && defined(AUTH_TLS)
3528 /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */
3529 if ( tls_in.active >= 0
3530 && tls_in.peercert
3531 && tls_in.certificate_verified
3532 && cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd
3533 )
3534 {
3535 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = FALSE;
4f6ae5c3
JH		 3536 if ( acl_smtp_auth
3537 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3538 &user_msg, &log_msg)) != OK
3539 )
b3ef41c9 3540 {
4f6ae5c3
JH		 3541 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3542 continue;
b3ef41c9
JH		 3543 }
3544
3545 for (au = auths; au; au = au->next)
3546 if (strcmpic(US"tls", au->driver_name) == 0)
3547 {
3548 smtp_cmd_data = NULL;
3549
805bb5c3 3550 if (smtp_in_auth(au, &s, &ss) == OK)
cb570b5e 3551 { DEBUG(D_auth) debug_printf("tls auth succeeded\n"); }
805bb5c3 3552 else
cb570b5e 3553 { DEBUG(D_auth) debug_printf("tls auth not succeeded\n"); }
b3ef41c9
JH		 3554 break;
3555 }
3556 }
3557#endif
3558
059ec3d9
PH		 3559 switch(smtp_read_command(TRUE))
3560 {
3561 /* The AUTH command is not permitted to occur inside a transaction, and may
c46782ef
PH		 3562 occur successfully only once per connection. Actually, that isn't quite
3563 true. When TLS is started, all previous information about a connection must
3564 be discarded, so a new AUTH is permitted at that time.
3565
3566 AUTH may only be used when it has been advertised. However, it seems that
3567 there are clients that send AUTH when it hasn't been advertised, some of
3568 them even doing this after HELO. And there are MTAs that accept this. Sigh.
3569 So there's a get-out that allows this to happen.
059ec3d9
PH		 3570
3571 AUTH is initially labelled as a "nonmail command" so that one occurrence
3572 doesn't get counted. We change the label here so that multiple failing
3573 AUTHS will eventually hit the nonmail threshold. */
3574
3575 case AUTH_CMD:
b4ed4da0 3576 HAD(SCH_AUTH);
059ec3d9
PH		 3577 authentication_failed = TRUE;
3578 cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
3579
c46782ef 3580 if (!auth_advertised && !allow_auth_unadvertised)
059ec3d9
PH		 3581 {
3582 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3583 US"AUTH command used when not advertised");
3584 break;
3585 }
b3ef41c9 3586 if (sender_host_authenticated)
059ec3d9
PH		 3587 {
3588 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3589 US"already authenticated");
3590 break;
3591 }
b3ef41c9 3592 if (sender_address)
059ec3d9
PH		 3593 {
3594 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3595 US"not permitted in mail transaction");
3596 break;
3597 }
3598
3599 /* Check the ACL */
3600
4f6ae5c3
JH		 3601 if ( acl_smtp_auth
3602 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3603 &user_msg, &log_msg)) != OK
3604 )
059ec3d9 3605 {
4f6ae5c3
JH		 3606 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3607 break;
059ec3d9
PH		 3608 }
3609
3610 /* Find the name of the requested authentication mechanism. */
3611
ca86f471
PH		 3612 s = smtp_cmd_data;
3613 while ((c = *smtp_cmd_data) != 0 && !isspace(c))
059ec3d9
PH		 3614 {
3615 if (!isalnum(c) && c != '-' && c != '_')
3616 {
3617 done = synprot_error(L_smtp_syntax_error, 501, NULL,
3618 US"invalid character in authentication mechanism name");
3619 goto COMMAND_LOOP;
3620 }
ca86f471 3621 smtp_cmd_data++;
059ec3d9
PH		 3622 }
3623
3624 /* If not at the end of the line, we must be at white space. Terminate the
3625 name and move the pointer on to any data that may be present. */
3626
ca86f471 3627 if (*smtp_cmd_data != 0)
059ec3d9 3628 {
ca86f471
PH		 3629 *smtp_cmd_data++ = 0;
3630 while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
059ec3d9
PH		 3631 }
3632
3633 /* Search for an authentication mechanism which is configured for use
c46782ef
PH		 3634 as a server and which has been advertised (unless, sigh, allow_auth_
3635 unadvertised is set). */
059ec3d9 3636
b3ef41c9 3637 for (au = auths; au; au = au->next)
059ec3d9 3638 if (strcmpic(s, au->public_name) == 0 && au->server &&
b3ef41c9
JH		 3639 (au->advertised || allow_auth_unadvertised))
3640 break;
059ec3d9 3641
b3ef41c9 3642 if (au)
059ec3d9 3643 {
b3ef41c9 3644 c = smtp_in_auth(au, &s, &ss);
059ec3d9 3645
b3ef41c9
JH		 3646 smtp_printf("%s\r\n", s);
3647 if (c != OK)
3648 log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
3649 au->name, host_and_ident(FALSE), ss);
059ec3d9 3650 }
b3ef41c9
JH		 3651 else
3652 done = synprot_error(L_smtp_protocol_error, 504, NULL,
3653 string_sprintf("%s authentication mechanism not supported", s));
059ec3d9
PH		 3654
3655 break; /* AUTH_CMD */
3656
3657 /* The HELO/EHLO commands are permitted to appear in the middle of a
3658 session as well as at the beginning. They have the effect of a reset in
3659 addition to their other functions. Their absence at the start cannot be
3660 taken to be an error.
3661
3662 RFC 2821 says:
3663
3664 If the EHLO command is not acceptable to the SMTP server, 501, 500,
3665 or 502 failure replies MUST be returned as appropriate. The SMTP
3666 server MUST stay in the same state after transmitting these replies
3667 that it was in before the EHLO was received.
3668
3669 Therefore, we do not do the reset until after checking the command for
3670 acceptability. This change was made for Exim release 4.11. Previously
3671 it did the reset first. */
3672
3673 case HELO_CMD:
b4ed4da0 3674 HAD(SCH_HELO);
059ec3d9
PH		 3675 hello = US"HELO";
3676 esmtp = FALSE;
3677 goto HELO_EHLO;
3678
3679 case EHLO_CMD:
b4ed4da0 3680 HAD(SCH_EHLO);
059ec3d9
PH		 3681 hello = US"EHLO";
3682 esmtp = TRUE;
3683
3684 HELO_EHLO: /* Common code for HELO and EHLO */
3685 cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
3686 cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
3687
3688 /* Reject the HELO if its argument was invalid or non-existent. A
3689 successful check causes the argument to be saved in malloc store. */
3690
ca86f471 3691 if (!check_helo(smtp_cmd_data))
059ec3d9
PH		 3692 {
3693 smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
3694
3695 log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
3696 "invalid argument(s): %s", hello, host_and_ident(FALSE),
3ee512ff
PH		 3697 (*smtp_cmd_argument == 0)? US"(no argument given)" :
3698 string_printing(smtp_cmd_argument));
059ec3d9
PH		 3699
3700 if (++synprot_error_count > smtp_max_synprot_errors)
3701 {
3702 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3703 "syntax or protocol errors (last command was \"%s\")",
0ebc4d69 3704 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
059ec3d9
PH		 3705 done = 1;
3706 }
3707
3708 break;
3709 }
3710
3711 /* If sender_host_unknown is true, we have got here via the -bs interface,
3712 not called from inetd. Otherwise, we are running an IP connection and the
3713 host address will be set. If the helo name is the primary name of this
3714 host and we haven't done a reverse lookup, force one now. If helo_required
3715 is set, ensure that the HELO name matches the actual host. If helo_verify
3716 is set, do the same check, but softly. */
3717
3718 if (!sender_host_unknown)
3719 {
3720 BOOL old_helo_verified = helo_verified;
ca86f471 3721 uschar *p = smtp_cmd_data;
059ec3d9
PH		 3722
3723 while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
3724 *p = 0;
3725
3726 /* Force a reverse lookup if HELO quoted something in helo_lookup_domains
3727 because otherwise the log can be confusing. */
3728
3729 if (sender_host_name == NULL &&
3730 (deliver_domain = sender_helo_name, /* set $domain */
55414b25 3731 match_isinlist(sender_helo_name, CUSS &helo_lookup_domains, 0,
059ec3d9
PH		 3732 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) == OK)
3733 (void)host_name_lookup();
3734
3735 /* Rebuild the fullhost info to include the HELO name (and the real name
3736 if it was looked up.) */
3737
3738 host_build_sender_fullhost(); /* Rebuild */
3739 set_process_info("handling%s incoming connection from %s",
817d9f57 3740 (tls_in.active >= 0)? " TLS" : "", host_and_ident(FALSE));
059ec3d9
PH		 3741
3742 /* Verify if configured. This doesn't give much security, but it does
d7b47fd0
PH		 3743 make some people happy to be able to do it. If helo_required is set,
3744 (host matches helo_verify_hosts) failure forces rejection. If helo_verify
3745 is set (host matches helo_try_verify_hosts), it does not. This is perhaps
3746 now obsolescent, since the verification can now be requested selectively
3747 at ACL time. */
059ec3d9 3748
1705dd20 3749 helo_verified = helo_verify_failed = sender_helo_dnssec = FALSE;
059ec3d9
PH		 3750 if (helo_required || helo_verify)
3751 {
d7b47fd0 3752 BOOL tempfail = !smtp_verify_helo();
059ec3d9
PH		 3753 if (!helo_verified)
3754 {
3755 if (helo_required)
3756 {
3757 smtp_printf("%d %s argument does not match calling host\r\n",
3758 tempfail? 451 : 550, hello);
3759 log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
3760 tempfail? "temporarily " : "",
3761 hello, sender_helo_name, host_and_ident(FALSE));
3762 helo_verified = old_helo_verified;
3763 break; /* End of HELO/EHLO processing */
3764 }
3765 HDEBUG(D_all) debug_printf("%s verification failed but host is in "
3766 "helo_try_verify_hosts\n", hello);
3767 }
3768 }
3769 }
3770
8523533c
TK		 3771#ifdef EXPERIMENTAL_SPF
3772 /* set up SPF context */
3773 spf_init(sender_helo_name, sender_host_address);
3774#endif
3775
a14e5636
PH		 3776 /* Apply an ACL check if one is defined; afterwards, recheck
3777 synchronization in case the client started sending in a delay. */
059ec3d9 3778
4f6ae5c3
JH		 3779 if (acl_smtp_helo)
3780 if ((rc = acl_check(ACL_WHERE_HELO, NULL, acl_smtp_helo,
3781 &user_msg, &log_msg)) != OK)
059ec3d9
PH		 3782 {
3783 done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
3784 sender_helo_name = NULL;
3785 host_build_sender_fullhost(); /* Rebuild */
3786 break;
3787 }
a14e5636 3788 else if (!check_sync()) goto SYNC_FAILURE;
059ec3d9 3789
4e88a19f
PH		 3790 /* Generate an OK reply. The default string includes the ident if present,
3791 and also the IP address if present. Reflecting back the ident is intended
3792 as a deterrent to mail forgers. For maximum efficiency, and also because
3793 some broken systems expect each response to be in a single packet, arrange
3794 that the entire reply is sent in one write(). */
059ec3d9
PH		 3795
3796 auth_advertised = FALSE;
3797 pipelining_advertised = FALSE;
d1a13eea 3798#ifdef SUPPORT_TLS
059ec3d9 3799 tls_advertised = FALSE;
d1a13eea 3800#endif
6c1c3d1d 3801 dsn_advertised = FALSE;
8c5d388a 3802#ifdef SUPPORT_I18N
d1a13eea
JH		 3803 smtputf8_advertised = FALSE;
3804#endif
059ec3d9 3805
d6a96edc 3806 smtp_code = US"250 "; /* Default response code plus space*/
4e88a19f
PH		 3807 if (user_msg == NULL)
3808 {
3809 s = string_sprintf("%.3s %s Hello %s%s%s",
3810 smtp_code,
3811 smtp_active_hostname,
3812 (sender_ident == NULL)? US"" : sender_ident,
3813 (sender_ident == NULL)? US"" : US" at ",
3814 (sender_host_name == NULL)? sender_helo_name : sender_host_name);
3815
3816 ptr = Ustrlen(s);
3817 size = ptr + 1;
059ec3d9 3818
4e88a19f
PH		 3819 if (sender_host_address != NULL)
3820 {
c2f669a4
JH		 3821 s = string_catn(s, &size, &ptr, US" [", 2);
3822 s = string_cat (s, &size, &ptr, sender_host_address);
3823 s = string_catn(s, &size, &ptr, US"]", 1);
4e88a19f
PH		 3824 }
3825 }
3826
d6a96edc
PH		 3827 /* A user-supplied EHLO greeting may not contain more than one line. Note
3828 that the code returned by smtp_message_code() includes the terminating
3829 whitespace character. */
059ec3d9 3830
4e88a19f 3831 else
059ec3d9 3832 {
4e88a19f 3833 char *ss;
d6a96edc 3834 int codelen = 4;
4f6ae5c3 3835 smtp_message_code(&smtp_code, &codelen, &user_msg, NULL, TRUE);
d6a96edc 3836 s = string_sprintf("%.*s%s", codelen, smtp_code, user_msg);
4e88a19f
PH		 3837 if ((ss = strpbrk(CS s, "\r\n")) != NULL)
3838 {
3839 log_write(0, LOG_MAIN|LOG_PANIC, "EHLO/HELO response must not contain "
3840 "newlines: message truncated: %s", string_printing(s));
3841 *ss = 0;
3842 }
3843 ptr = Ustrlen(s);
3844 size = ptr + 1;
059ec3d9
PH		 3845 }
3846
c2f669a4 3847 s = string_catn(s, &size, &ptr, US"\r\n", 2);
059ec3d9
PH		 3848
3849 /* If we received EHLO, we must create a multiline response which includes
3850 the functions supported. */
3851
3852 if (esmtp)
3853 {
3854 s[3] = '-';
3855
3856 /* I'm not entirely happy with this, as an MTA is supposed to check
3857 that it has enough room to accept a message of maximum size before
3858 it sends this. However, there seems little point in not sending it.
3859 The actual size check happens later at MAIL FROM time. By postponing it
3860 till then, VRFY and EXPN can be used after EHLO when space is short. */
3861
3862 if (thismessage_size_limit > 0)
3863 {
4e88a19f
PH		 3864 sprintf(CS big_buffer, "%.3s-SIZE %d\r\n", smtp_code,
3865 thismessage_size_limit);
c2f669a4 3866 s = string_cat(s, &size, &ptr, big_buffer);
059ec3d9
PH		 3867 }
3868 else
3869 {
c2f669a4
JH		 3870 s = string_catn(s, &size, &ptr, smtp_code, 3);
3871 s = string_catn(s, &size, &ptr, US"-SIZE\r\n", 7);
059ec3d9
PH		 3872 }
3873
3874 /* Exim does not do protocol conversion or data conversion. It is 8-bit
3875 clean; if it has an 8-bit character in its hand, it just sends it. It
3876 cannot therefore specify 8BITMIME and remain consistent with the RFCs.
3877 However, some users want this option simply in order to stop MUAs
3878 mangling messages that contain top-bit-set characters. It is therefore
3879 provided as an option. */
3880
3881 if (accept_8bitmime)
4e88a19f 3882 {
c2f669a4
JH		 3883 s = string_catn(s, &size, &ptr, smtp_code, 3);
3884 s = string_catn(s, &size, &ptr, US"-8BITMIME\r\n", 11);
4e88a19f 3885 }
059ec3d9 3886
6c1c3d1d 3887 /* Advertise DSN support if configured to do so. */
94431adb 3888 if (verify_check_host(&dsn_advertise_hosts) != FAIL)
6c1c3d1d 3889 {
c2f669a4
JH		 3890 s = string_catn(s, &size, &ptr, smtp_code, 3);
3891 s = string_catn(s, &size, &ptr, US"-DSN\r\n", 6);
6c1c3d1d
WB		 3892 dsn_advertised = TRUE;
3893 }
6c1c3d1d 3894
059ec3d9
PH		 3895 /* Advertise ETRN if there's an ACL checking whether a host is
3896 permitted to issue it; a check is made when any host actually tries. */
3897
3898 if (acl_smtp_etrn != NULL)
3899 {
c2f669a4
JH		 3900 s = string_catn(s, &size, &ptr, smtp_code, 3);
3901 s = string_catn(s, &size, &ptr, US"-ETRN\r\n", 7);
059ec3d9
PH		 3902 }
3903
3904 /* Advertise EXPN if there's an ACL checking whether a host is
3905 permitted to issue it; a check is made when any host actually tries. */
3906
3907 if (acl_smtp_expn != NULL)
3908 {
c2f669a4
JH		 3909 s = string_catn(s, &size, &ptr, smtp_code, 3);
3910 s = string_catn(s, &size, &ptr, US"-EXPN\r\n", 7);
059ec3d9
PH		 3911 }
3912
3913 /* Exim is quite happy with pipelining, so let the other end know that
3914 it is safe to use it, unless advertising is disabled. */
3915
cf8b11a5
PH		 3916 if (pipelining_enable &&
3917 verify_check_host(&pipelining_advertise_hosts) == OK)
059ec3d9 3918 {
c2f669a4
JH		 3919 s = string_catn(s, &size, &ptr, smtp_code, 3);
3920 s = string_catn(s, &size, &ptr, US"-PIPELINING\r\n", 13);
059ec3d9
PH		 3921 sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
3922 pipelining_advertised = TRUE;
3923 }
3924
fd98a5c6 3925
059ec3d9
PH		 3926 /* If any server authentication mechanisms are configured, advertise
3927 them if the current host is in auth_advertise_hosts. The problem with
3928 advertising always is that some clients then require users to
3929 authenticate (and aren't configurable otherwise) even though it may not
3930 be necessary (e.g. if the host is in host_accept_relay).
3931
3932 RFC 2222 states that SASL mechanism names contain only upper case
3933 letters, so output the names in upper case, though we actually recognize
3934 them in either case in the AUTH command. */
3935
b3ef41c9
JH		 3936 if ( auths
3937#if defined(SUPPORT_TLS) && defined(AUTH_TLS)
3938 && !sender_host_authenticated
3939#endif
3940 && verify_check_host(&auth_advertise_hosts) == OK
3941 )
3942 {
3943 auth_instance *au;
3944 BOOL first = TRUE;
3945 for (au = auths; au; au = au->next)
3946 if (au->server && (au->advertise_condition == NULL ||
3947 expand_check_condition(au->advertise_condition, au->name,
3948 US"authenticator")))
3949 {
3950 int saveptr;
3951 if (first)
3952 {
c2f669a4
JH		 3953 s = string_catn(s, &size, &ptr, smtp_code, 3);
3954 s = string_catn(s, &size, &ptr, US"-AUTH", 5);
b3ef41c9
JH		 3955 first = FALSE;
3956 auth_advertised = TRUE;
3957 }
3958 saveptr = ptr;
c2f669a4
JH		 3959 s = string_catn(s, &size, &ptr, US" ", 1);
3960 s = string_cat (s, &size, &ptr, au->public_name);
b3ef41c9
JH		 3961 while (++saveptr < ptr) s[saveptr] = toupper(s[saveptr]);
3962 au->advertised = TRUE;
3963 }
3964 else
3965 au->advertised = FALSE;
3966
c2f669a4 3967 if (!first) s = string_catn(s, &size, &ptr, US"\r\n", 2);
b3ef41c9 3968 }
059ec3d9 3969
18481de3 3970 /* RFC 3030 CHUNKING */
059ec3d9 3971
aa368db3
JH		 3972 if (verify_check_host(&chunking_advertise_hosts) != FAIL)
3973 {
3974 s = string_catn(s, &size, &ptr, smtp_code, 3);
3975 s = string_catn(s, &size, &ptr, US"-CHUNKING\r\n", 11);
7e3ce68e 3976 chunking_offered = TRUE;
18481de3 3977 chunking_state = CHUNKING_OFFERED;
aa368db3
JH		 3978 }
3979
18481de3
JH		 3980 /* Advertise TLS (Transport Level Security) aka SSL (Secure Socket Layer)
3981 if it has been included in the binary, and the host matches
3982 tls_advertise_hosts. We must *not* advertise if we are already in a
3983 secure connection. */
3984
d1a13eea 3985#ifdef SUPPORT_TLS
817d9f57 3986 if (tls_in.active < 0 &&
059ec3d9
PH		 3987 verify_check_host(&tls_advertise_hosts) != FAIL)
3988 {
c2f669a4
JH		 3989 s = string_catn(s, &size, &ptr, smtp_code, 3);
3990 s = string_catn(s, &size, &ptr, US"-STARTTLS\r\n", 11);
059ec3d9
PH		 3991 tls_advertised = TRUE;
3992 }
d1a13eea 3993#endif
059ec3d9 3994
d1a13eea 3995#ifndef DISABLE_PRDR
fd98a5c6 3996 /* Per Recipient Data Response, draft by Eric A. Hall extending RFC */
8ccd00b1
JH		 3997 if (prdr_enable)
3998 {
c2f669a4
JH		 3999 s = string_catn(s, &size, &ptr, smtp_code, 3);
4000 s = string_catn(s, &size, &ptr, US"-PRDR\r\n", 7);
8ccd00b1 4001 }
d1a13eea
JH		 4002#endif
4003
8c5d388a 4004#ifdef SUPPORT_I18N
d1a13eea
JH		 4005 if ( accept_8bitmime
4006 && verify_check_host(&smtputf8_advertise_hosts) != FAIL)
4007 {
c2f669a4
JH		 4008 s = string_catn(s, &size, &ptr, smtp_code, 3);
4009 s = string_catn(s, &size, &ptr, US"-SMTPUTF8\r\n", 11);
d1a13eea
JH		 4010 smtputf8_advertised = TRUE;
4011 }
4012#endif
fd98a5c6 4013
059ec3d9
PH		 4014 /* Finish off the multiline reply with one that is always available. */
4015
c2f669a4
JH		 4016 s = string_catn(s, &size, &ptr, smtp_code, 3);
4017 s = string_catn(s, &size, &ptr, US" HELP\r\n", 7);
059ec3d9
PH		 4018 }
4019
4020 /* Terminate the string (for debug), write it, and note that HELO/EHLO
4021 has been seen. */
4022
4023 s[ptr] = 0;
4024
d1a13eea 4025#ifdef SUPPORT_TLS
817d9f57 4026 if (tls_in.active >= 0) (void)tls_write(TRUE, s, ptr); else
d1a13eea 4027#endif
059ec3d9 4028
1ac6b2e7
JH		 4029 {
4030 int i = fwrite(s, 1, ptr, smtp_out); i = i; /* compiler quietening */
4031 }
898d150f
PH		 4032 DEBUG(D_receive)
4033 {
4034 uschar *cr;
4035 while ((cr = Ustrchr(s, '\r')) != NULL) /* lose CRs */
4036 memmove(cr, cr + 1, (ptr--) - (cr - s));
4037 debug_printf("SMTP>> %s", s);
4038 }
059ec3d9 4039 helo_seen = TRUE;
4e88a19f
PH		 4040
4041 /* Reset the protocol and the state, abandoning any previous message. */
e524074d
JH		 4042 received_protocol =
4043 (sender_host_address ? protocols : protocols_local)
4044 [ (esmtp
4045 ? pextend + (sender_host_authenticated ? pauthed : 0)
4046 : pnormal)
4047 + (tls_in.active >= 0 ? pcrpted : 0)
4048 ];
4e88a19f
PH		 4049 smtp_reset(reset_point);
4050 toomany = FALSE;
059ec3d9
PH		 4051 break; /* HELO/EHLO */
4052
4053
4054 /* The MAIL command requires an address as an operand. All we do
4055 here is to parse it for syntactic correctness. The form "<>" is
4056 a special case which converts into an empty string. The start/end
4057 pointers in the original are not used further for this address, as
4058 it is the canonical extracted address which is all that is kept. */
4059
4060 case MAIL_CMD:
b4ed4da0 4061 HAD(SCH_MAIL);
059ec3d9
PH		 4062 smtp_mailcmd_count++; /* Count for limit and ratelimit */
4063 was_rej_mail = TRUE; /* Reset if accepted */
d27f98fe 4064 env_mail_type_t * mail_args; /* Sanity check & validate args */
059ec3d9
PH		 4065
4066 if (helo_required && !helo_seen)
4067 {
4068 smtp_printf("503 HELO or EHLO required\r\n");
4069 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL from %s: no "
4070 "HELO/EHLO given", host_and_ident(FALSE));
4071 break;
4072 }
4073
4074 if (sender_address != NULL)
4075 {
4076 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4077 US"sender already given");
4078 break;
4079 }
4080
ca86f471 4081 if (smtp_cmd_data[0] == 0)
059ec3d9
PH		 4082 {
4083 done = synprot_error(L_smtp_protocol_error, 501, NULL,
4084 US"MAIL must have an address operand");
4085 break;
4086 }
4087
4088 /* Check to see if the limit for messages per connection would be
4089 exceeded by accepting further messages. */
4090
4091 if (smtp_accept_max_per_connection > 0 &&
4092 smtp_mailcmd_count > smtp_accept_max_per_connection)
4093 {
4094 smtp_printf("421 too many messages in this connection\r\n");
4095 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL command %s: too many "
4096 "messages in one connection", host_and_ident(TRUE));
4097 break;
4098 }
4099
4100 /* Reset for start of message - even if this is going to fail, we
4101 obviously need to throw away any previous data. */
4102
4103 smtp_reset(reset_point);
4104 toomany = FALSE;
4105 sender_data = recipient_data = NULL;
4106
4107 /* Loop, checking for ESMTP additions to the MAIL FROM command. */
4108
4109 if (esmtp) for(;;)
4110 {
4111 uschar *name, *value, *end;
4112 unsigned long int size;
d27f98fe 4113 BOOL arg_error = FALSE;
059ec3d9
PH		 4114
4115 if (!extract_option(&name, &value)) break;
4116
d27f98fe 4117 for (mail_args = env_mail_type_list;
2ef7ed08 4118 mail_args->value != ENV_MAIL_OPT_NULL;
d27f98fe
TL		 4119 mail_args++
4120 )
d27f98fe
TL		 4121 if (strcmpic(name, mail_args->name) == 0)
4122 break;
d27f98fe
TL		 4123 if (mail_args->need_value && strcmpic(value, US"") == 0)
4124 break;
059ec3d9 4125
d27f98fe 4126 switch(mail_args->value)
059ec3d9 4127 {
d27f98fe
TL		 4128 /* Handle SIZE= by reading the value. We don't do the check till later,
4129 in order to be able to log the sender address on failure. */
4130 case ENV_MAIL_OPT_SIZE:
d27f98fe 4131 if (((size = Ustrtoul(value, &end, 10)), *end == 0))
059ec3d9 4132 {
d27f98fe
TL		 4133 if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
4134 size = INT_MAX;
4135 message_size = (int)size;
059ec3d9
PH		 4136 }
4137 else
d27f98fe
TL		 4138 arg_error = TRUE;
4139 break;
059ec3d9 4140
d27f98fe
TL		 4141 /* If this session was initiated with EHLO and accept_8bitmime is set,
4142 Exim will have indicated that it supports the BODY=8BITMIME option. In
4143 fact, it does not support this according to the RFCs, in that it does not
4144 take any special action for forwarding messages containing 8-bit
4145 characters. That is why accept_8bitmime is not the default setting, but
4146 some sites want the action that is provided. We recognize both "8BITMIME"
4147 and "7BIT" as body types, but take no action. */
4148 case ENV_MAIL_OPT_BODY:
3c0a92dc 4149 if (accept_8bitmime) {
9d4319df 4150 if (strcmpic(value, US"8BITMIME") == 0)
3c0a92dc 4151 body_8bitmime = 8;
9d4319df 4152 else if (strcmpic(value, US"7BIT") == 0)
3c0a92dc 4153 body_8bitmime = 7;
9d4319df
JH		 4154 else
4155 {
3c0a92dc
JH		 4156 body_8bitmime = 0;
4157 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4158 US"invalid data for BODY");
4159 goto COMMAND_LOOP;
9d4319df 4160 }
3c0a92dc
JH		 4161 DEBUG(D_receive) debug_printf("8BITMIME: %d\n", body_8bitmime);
4162 break;
4163 }
d27f98fe
TL		 4164 arg_error = TRUE;
4165 break;
059ec3d9 4166
6c1c3d1d
WB		 4167 /* Handle the two DSN options, but only if configured to do so (which
4168 will have caused "DSN" to be given in the EHLO response). The code itself
4169 is included only if configured in at build time. */
4170
4171 case ENV_MAIL_OPT_RET:
9d4319df
JH		 4172 if (dsn_advertised)
4173 {
6c1c3d1d 4174 /* Check if RET has already been set */
9d4319df
JH		 4175 if (dsn_ret > 0)
4176 {
6c1c3d1d
WB		 4177 synprot_error(L_smtp_syntax_error, 501, NULL,
4178 US"RET can be specified once only");
4179 goto COMMAND_LOOP;
9d4319df
JH		 4180 }
4181 dsn_ret = strcmpic(value, US"HDRS") == 0
4182 ? dsn_ret_hdrs
4183 : strcmpic(value, US"FULL") == 0
4184 ? dsn_ret_full
4185 : 0;
6c1c3d1d
WB		 4186 DEBUG(D_receive) debug_printf("DSN_RET: %d\n", dsn_ret);
4187 /* Check for invalid invalid value, and exit with error */
9d4319df
JH		 4188 if (dsn_ret == 0)
4189 {
6c1c3d1d
WB		 4190 synprot_error(L_smtp_syntax_error, 501, NULL,
4191 US"Value for RET is invalid");
4192 goto COMMAND_LOOP;
9d4319df
JH		 4193 }
4194 }
6c1c3d1d
WB		 4195 break;
4196 case ENV_MAIL_OPT_ENVID:
9d4319df
JH		 4197 if (dsn_advertised)
4198 {
6c1c3d1d 4199 /* Check if the dsn envid has been already set */
9d4319df
JH		 4200 if (dsn_envid != NULL)
4201 {
6c1c3d1d
WB		 4202 synprot_error(L_smtp_syntax_error, 501, NULL,
4203 US"ENVID can be specified once only");
4204 goto COMMAND_LOOP;
9d4319df 4205 }
6c1c3d1d
WB		 4206 dsn_envid = string_copy(value);
4207 DEBUG(D_receive) debug_printf("DSN_ENVID: %s\n", dsn_envid);
9d4319df 4208 }
6c1c3d1d 4209 break;
6c1c3d1d 4210
d27f98fe
TL		 4211 /* Handle the AUTH extension. If the value given is not "<>" and either
4212 the ACL says "yes" or there is no ACL but the sending host is
4213 authenticated, we set it up as the authenticated sender. However, if the
4214 authenticator set a condition to be tested, we ignore AUTH on MAIL unless
4215 the condition is met. The value of AUTH is an xtext, which means that +,
4216 = and cntrl chars are coded in hex; however "<>" is unaffected by this
4217 coding. */
4218 case ENV_MAIL_OPT_AUTH:
4219 if (Ustrcmp(value, "<>") != 0)
4220 {
4221 int rc;
4222 uschar *ignore_msg;
059ec3d9 4223
d27f98fe
TL		 4224 if (auth_xtextdecode(value, &authenticated_sender) < 0)
4225 {
4226 /* Put back terminator overrides for error message */
d27f98fe 4227 value[-1] = '=';
fd98a5c6 4228 name[-1] = ' ';
d27f98fe
TL		 4229 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4230 US"invalid data for AUTH");
4231 goto COMMAND_LOOP;
4232 }
4233 if (acl_smtp_mailauth == NULL)
4234 {
4235 ignore_msg = US"client not authenticated";
4236 rc = (sender_host_authenticated != NULL)? OK : FAIL;
4237 }
4238 else
4239 {
4240 ignore_msg = US"rejected by ACL";
4241 rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
4242 &user_msg, &log_msg);
4243 }
94431adb 4244
d27f98fe
TL		 4245 switch (rc)
4246 {
4247 case OK:
9d4319df
JH		 4248 if (authenticated_by == NULL ||
4249 authenticated_by->mail_auth_condition == NULL ||
4250 expand_check_condition(authenticated_by->mail_auth_condition,
4251 authenticated_by->name, US"authenticator"))
4252 break; /* Accept the AUTH */
94431adb 4253
9d4319df
JH		 4254 ignore_msg = US"server_mail_auth_condition failed";
4255 if (authenticated_id != NULL)
4256 ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
4257 ignore_msg, authenticated_id);
94431adb 4258
d27f98fe 4259 /* Fall through */
94431adb 4260
d27f98fe 4261 case FAIL:
9d4319df
JH		 4262 authenticated_sender = NULL;
4263 log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
4264 value, host_and_ident(TRUE), ignore_msg);
4265 break;
94431adb 4266
d27f98fe
TL		 4267 /* Should only get DEFER or ERROR here. Put back terminator
4268 overrides for error message */
94431adb 4269
d27f98fe 4270 default:
9d4319df
JH		 4271 value[-1] = '=';
4272 name[-1] = ' ';
4273 (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
4274 log_msg);
4275 goto COMMAND_LOOP;
d27f98fe 4276 }
059ec3d9 4277 }
d27f98fe 4278 break;
fd98a5c6 4279
8ccd00b1 4280#ifndef DISABLE_PRDR
fd98a5c6 4281 case ENV_MAIL_OPT_PRDR:
8ccd00b1 4282 if (prdr_enable)
fd98a5c6
JH		 4283 prdr_requested = TRUE;
4284 break;
4285#endif
4286
8c5d388a 4287#ifdef SUPPORT_I18N
d1a13eea
JH		 4288 case ENV_MAIL_OPT_UTF8:
4289 if (smtputf8_advertised)
e524074d
JH		 4290 {
4291 DEBUG(D_receive) debug_printf("smtputf8 requested\n");
9d4319df 4292 message_smtputf8 = allow_utf8_domains = TRUE;
5a886ce7 4293 received_protocol = string_sprintf("utf8%s", received_protocol);
e524074d 4294 }
d1a13eea
JH		 4295 break;
4296#endif
2ef7ed08 4297 /* No valid option. Stick back the terminator characters and break
fd98a5c6 4298 the loop. Do the name-terminator second as extract_option sets
2ef7ed08
HSHR		 4299 value==name when it found no equal-sign.
4300 An error for a malformed address will occur. */
4301 case ENV_MAIL_OPT_NULL:
d27f98fe 4302 value[-1] = '=';
fd98a5c6
JH		 4303 name[-1] = ' ';
4304 arg_error = TRUE;
d27f98fe 4305 break;
2ef7ed08
HSHR		 4306
4307 default: assert(0);
059ec3d9 4308 }
d27f98fe
TL		 4309 /* Break out of for loop if switch() had bad argument or
4310 when start of the email address is reached */
4311 if (arg_error) break;
059ec3d9
PH		 4312 }
4313
4314 /* If we have passed the threshold for rate limiting, apply the current
4315 delay, and update it for next time, provided this is a limited host. */
4316
4317 if (smtp_mailcmd_count > smtp_rlm_threshold &&
4318 verify_check_host(&smtp_ratelimit_hosts) == OK)
4319 {
4320 DEBUG(D_receive) debug_printf("rate limit MAIL: delay %.3g sec\n",
4321 smtp_delay_mail/1000.0);
4322 millisleep((int)smtp_delay_mail);
4323 smtp_delay_mail *= smtp_rlm_factor;
4324 if (smtp_delay_mail > (double)smtp_rlm_limit)
4325 smtp_delay_mail = (double)smtp_rlm_limit;
4326 }
4327
4328 /* Now extract the address, first applying any SMTP-time rewriting. The
4329 TRUE flag allows "<>" as a sender address. */
4330
9d4319df
JH		 4331 raw_sender = rewrite_existflags & rewrite_smtp
4332 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
4333 global_rewrite_rules)
4334 : smtp_cmd_data;
059ec3d9 4335
059ec3d9
PH		 4336 raw_sender =
4337 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
4338 TRUE);
059ec3d9 4339
2685d6e0 4340 if (!raw_sender)
059ec3d9 4341 {
ca86f471 4342 done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
059ec3d9
PH		 4343 break;
4344 }
4345
4346 sender_address = raw_sender;
4347
4348 /* If there is a configured size limit for mail, check that this message
4349 doesn't exceed it. The check is postponed to this point so that the sender
4350 can be logged. */
4351
4352 if (thismessage_size_limit > 0 && message_size > thismessage_size_limit)
4353 {
4354 smtp_printf("552 Message size exceeds maximum permitted\r\n");
4355 log_write(L_size_reject,
4356 LOG_MAIN|LOG_REJECT, "rejected MAIL FROM:<%s> %s: "
4357 "message too big: size%s=%d max=%d",
4358 sender_address,
4359 host_and_ident(TRUE),
4360 (message_size == INT_MAX)? ">" : "",
4361 message_size,
4362 thismessage_size_limit);
4363 sender_address = NULL;
4364 break;
4365 }
4366
4367 /* Check there is enough space on the disk unless configured not to.
4368 When smtp_check_spool_space is set, the check is for thismessage_size_limit
4369 plus the current message - i.e. we accept the message only if it won't
4370 reduce the space below the threshold. Add 5000 to the size to allow for
4371 overheads such as the Received: line and storing of recipients, etc.
4372 By putting the check here, even when SIZE is not given, it allow VRFY
4373 and EXPN etc. to be used when space is short. */
4374
4375 if (!receive_check_fs(
4376 (smtp_check_spool_space && message_size >= 0)?
4377 message_size + 5000 : 0))
4378 {
4379 smtp_printf("452 Space shortage, please try later\r\n");
4380 sender_address = NULL;
4381 break;
4382 }
4383
4384 /* If sender_address is unqualified, reject it, unless this is a locally
4385 generated message, or the sending host or net is permitted to send
4386 unqualified addresses - typically local machines behaving as MUAs -
4387 in which case just qualify the address. The flag is set above at the start
4388 of the SMTP connection. */
4389
4390 if (sender_domain == 0 && sender_address[0] != 0)
4391 {
4392 if (allow_unqualified_sender)
4393 {
4394 sender_domain = Ustrlen(sender_address) + 1;
4395 sender_address = rewrite_address_qualify(sender_address, FALSE);
4396 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
4397 raw_sender);
4398 }
4399 else
4400 {
4401 smtp_printf("501 %s: sender address must contain a domain\r\n",
ca86f471 4402 smtp_cmd_data);
059ec3d9
PH		 4403 log_write(L_smtp_syntax_error,
4404 LOG_MAIN|LOG_REJECT,
4405 "unqualified sender rejected: <%s> %s%s",
4406 raw_sender,
4407 host_and_ident(TRUE),
4408 host_lookup_msg);
4409 sender_address = NULL;
4410 break;
4411 }
4412 }
4413
a14e5636
PH		 4414 /* Apply an ACL check if one is defined, before responding. Afterwards,
4415 when pipelining is not advertised, do another sync check in case the ACL
4416 delayed and the client started sending in the meantime. */
059ec3d9 4417
8ccd00b1 4418 if (acl_smtp_mail)
a14e5636
PH		 4419 {
4420 rc = acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
4421 if (rc == OK && !pipelining_advertised && !check_sync())
4422 goto SYNC_FAILURE;
4423 }
8ccd00b1
JH		 4424 else
4425 rc = OK;
059ec3d9
PH		 4426
4427 if (rc == OK || rc == DISCARD)
4428 {
8ccd00b1 4429 if (!user_msg)
fd98a5c6 4430 smtp_printf("%s%s%s", US"250 OK",
8ccd00b1
JH		 4431 #ifndef DISABLE_PRDR
4432 prdr_requested ? US", PRDR Requested" : US"",
4433 #else
fd98a5c6 4434 US"",
8ccd00b1 4435 #endif
fd98a5c6 4436 US"\r\n");
94431adb 4437 else
fd98a5c6 4438 {
8ccd00b1
JH		 4439 #ifndef DISABLE_PRDR
4440 if (prdr_requested)
fd98a5c6
JH		 4441 user_msg = string_sprintf("%s%s", user_msg, US", PRDR Requested");
4442 #endif
8ccd00b1 4443 smtp_user_msg(US"250", user_msg);
fd98a5c6 4444 }
059ec3d9
PH		 4445 smtp_delay_rcpt = smtp_rlr_base;
4446 recipients_discarded = (rc == DISCARD);
4447 was_rej_mail = FALSE;
4448 }
059ec3d9
PH		 4449 else
4450 {
4451 done = smtp_handle_acl_fail(ACL_WHERE_MAIL, rc, user_msg, log_msg);
4452 sender_address = NULL;
4453 }
4454 break;
4455
4456
2679d413
PH		 4457 /* The RCPT command requires an address as an operand. There may be any
4458 number of RCPT commands, specifying multiple recipients. We build them all
4459 into a data structure. The start/end values given by parse_extract_address
4460 are not used, as we keep only the extracted address. */
059ec3d9
PH		 4461
4462 case RCPT_CMD:
b4ed4da0 4463 HAD(SCH_RCPT);
059ec3d9 4464 rcpt_count++;
2679d413 4465 was_rcpt = rcpt_in_progress = TRUE;
059ec3d9
PH		 4466
4467 /* There must be a sender address; if the sender was rejected and
4468 pipelining was advertised, we assume the client was pipelining, and do not
4469 count this as a protocol error. Reset was_rej_mail so that further RCPTs
4470 get the same treatment. */
4471
4472 if (sender_address == NULL)
4473 {
4474 if (pipelining_advertised && last_was_rej_mail)
4475 {
4476 smtp_printf("503 sender not yet given\r\n");
4477 was_rej_mail = TRUE;
4478 }
4479 else
4480 {
4481 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4482 US"sender not yet given");
4483 was_rcpt = FALSE; /* Not a valid RCPT */
4484 }
4485 rcpt_fail_count++;
4486 break;
4487 }
4488
4489 /* Check for an operand */
4490
ca86f471 4491 if (smtp_cmd_data[0] == 0)
059ec3d9
PH		 4492 {
4493 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4494 US"RCPT must have an address operand");
4495 rcpt_fail_count++;
4496 break;
4497 }
50dc7409 4498
6c1c3d1d
WB		 4499 /* Set the DSN flags orcpt and dsn_flags from the session*/
4500 orcpt = NULL;
4501 flags = 0;
4502
4503 if (esmtp) for(;;)
4504 {
45500060 4505 uschar *name, *value;
6c1c3d1d
WB		 4506
4507 if (!extract_option(&name, &value))
6c1c3d1d 4508 break;
6c1c3d1d
WB		 4509
4510 if (dsn_advertised && strcmpic(name, US"ORCPT") == 0)
4511 {
4512 /* Check whether orcpt has been already set */
45500060
JH		 4513 if (orcpt)
4514 {
6c1c3d1d
WB		 4515 synprot_error(L_smtp_syntax_error, 501, NULL,
4516 US"ORCPT can be specified once only");
4517 goto COMMAND_LOOP;
4518 }
4519 orcpt = string_copy(value);
4520 DEBUG(D_receive) debug_printf("DSN orcpt: %s\n", orcpt);
4521 }
4522
4523 else if (dsn_advertised && strcmpic(name, US"NOTIFY") == 0)
4524 {
4525 /* Check if the notify flags have been already set */
45500060
JH		 4526 if (flags > 0)
4527 {
6c1c3d1d
WB		 4528 synprot_error(L_smtp_syntax_error, 501, NULL,
4529 US"NOTIFY can be specified once only");
4530 goto COMMAND_LOOP;
4531 }
45500060
JH		 4532 if (strcmpic(value, US"NEVER") == 0)
4533 flags |= rf_notify_never;
4534 else
6c1c3d1d
WB		 4535 {
4536 uschar *p = value;
4537 while (*p != 0)
4538 {
4539 uschar *pp = p;
4540 while (*pp != 0 && *pp != ',') pp++;
45500060
JH		 4541 if (*pp == ',') *pp++ = 0;
4542 if (strcmpic(p, US"SUCCESS") == 0)
4543 {
4544 DEBUG(D_receive) debug_printf("DSN: Setting notify success\n");
4545 flags |= rf_notify_success;
6c1c3d1d 4546 }
45500060
JH		 4547 else if (strcmpic(p, US"FAILURE") == 0)
4548 {
4549 DEBUG(D_receive) debug_printf("DSN: Setting notify failure\n");
4550 flags |= rf_notify_failure;
6c1c3d1d 4551 }
45500060
JH		 4552 else if (strcmpic(p, US"DELAY") == 0)
4553 {
4554 DEBUG(D_receive) debug_printf("DSN: Setting notify delay\n");
4555 flags |= rf_notify_delay;
6c1c3d1d 4556 }
45500060
JH		 4557 else
4558 {
6c1c3d1d
WB		 4559 /* Catch any strange values */
4560 synprot_error(L_smtp_syntax_error, 501, NULL,
4561 US"Invalid value for NOTIFY parameter");
4562 goto COMMAND_LOOP;
4563 }
4564 p = pp;
4565 }
4566 DEBUG(D_receive) debug_printf("DSN Flags: %x\n", flags);
4567 }
4568 }
4569
4570 /* Unknown option. Stick back the terminator characters and break
4571 the loop. An error for a malformed address will occur. */
4572
4573 else
4574 {
4575 DEBUG(D_receive) debug_printf("Invalid RCPT option: %s : %s\n", name, value);
4576 name[-1] = ' ';
4577 value[-1] = '=';
4578 break;
4579 }
4580 }
059ec3d9
PH		 4581
4582 /* Apply SMTP rewriting then extract the working address. Don't allow "<>"
4583 as a recipient address */
4584
05392bbc
JH		 4585 recipient = rewrite_existflags & rewrite_smtp
4586 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
4587 global_rewrite_rules)
4588 : smtp_cmd_data;
059ec3d9 4589
2685d6e0
JH		 4590 if (!(recipient = parse_extract_address(recipient, &errmess, &start, &end,
4591 &recipient_domain, FALSE)))
059ec3d9 4592 {
ca86f471 4593 done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
059ec3d9
PH		 4594 rcpt_fail_count++;
4595 break;
4596 }
4597
4598 /* If the recipient address is unqualified, reject it, unless this is a
4599 locally generated message. However, unqualified addresses are permitted
4600 from a configured list of hosts and nets - typically when behaving as
4601 MUAs rather than MTAs. Sad that SMTP is used for both types of traffic,
4602 really. The flag is set at the start of the SMTP connection.
4603
4604 RFC 1123 talks about supporting "the reserved mailbox postmaster"; I always
4605 assumed this meant "reserved local part", but the revision of RFC 821 and
4606 friends now makes it absolutely clear that it means *mailbox*. Consequently
4607 we must always qualify this address, regardless. */
4608
4609 if (recipient_domain == 0)
2685d6e0
JH		 4610 if (!(recipient_domain = qualify_recipient(&recipient, smtp_cmd_data,
4611 US"recipient")))
059ec3d9
PH		 4612 {
4613 rcpt_fail_count++;
059ec3d9
PH		 4614 break;
4615 }
059ec3d9
PH		 4616
4617 /* Check maximum allowed */
4618
4619 if (rcpt_count > recipients_max && recipients_max > 0)
4620 {
4621 if (recipients_max_reject)
4622 {
4623 rcpt_fail_count++;
4624 smtp_printf("552 too many recipients\r\n");
4625 if (!toomany)
4626 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: message "
4627 "rejected: sender=<%s> %s", sender_address, host_and_ident(TRUE));
4628 }
4629 else
4630 {
4631 rcpt_defer_count++;
4632 smtp_printf("452 too many recipients\r\n");
4633 if (!toomany)
4634 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: excess "
4635 "temporarily rejected: sender=<%s> %s", sender_address,
4636 host_and_ident(TRUE));
4637 }
4638
4639 toomany = TRUE;
4640 break;
4641 }
4642
4643 /* If we have passed the threshold for rate limiting, apply the current
4644 delay, and update it for next time, provided this is a limited host. */
4645
4646 if (rcpt_count > smtp_rlr_threshold &&
4647 verify_check_host(&smtp_ratelimit_hosts) == OK)
4648 {
4649 DEBUG(D_receive) debug_printf("rate limit RCPT: delay %.3g sec\n",
4650 smtp_delay_rcpt/1000.0);
4651 millisleep((int)smtp_delay_rcpt);
4652 smtp_delay_rcpt *= smtp_rlr_factor;
4653 if (smtp_delay_rcpt > (double)smtp_rlr_limit)
4654 smtp_delay_rcpt = (double)smtp_rlr_limit;
4655 }
4656
4657 /* If the MAIL ACL discarded all the recipients, we bypass ACL checking
a14e5636
PH		 4658 for them. Otherwise, check the access control list for this recipient. As
4659 there may be a delay in this, re-check for a synchronization error
4660 afterwards, unless pipelining was advertised. */
059ec3d9 4661
a14e5636
PH		 4662 if (recipients_discarded) rc = DISCARD; else
4663 {
4664 rc = acl_check(ACL_WHERE_RCPT, recipient, acl_smtp_rcpt, &user_msg,
4665 &log_msg);
4666 if (rc == OK && !pipelining_advertised && !check_sync())
4667 goto SYNC_FAILURE;
4668 }
059ec3d9
PH		 4669
4670 /* The ACL was happy */
4671
4672 if (rc == OK)
4673 {
4e88a19f
PH		 4674 if (user_msg == NULL) smtp_printf("250 Accepted\r\n");
4675 else smtp_user_msg(US"250", user_msg);
059ec3d9 4676 receive_add_recipient(recipient, -1);
94431adb 4677
6c1c3d1d 4678 /* Set the dsn flags in the recipients_list */
7ade712c
JH		 4679 recipients_list[recipients_count-1].orcpt = orcpt;
4680 recipients_list[recipients_count-1].dsn_flags = flags;
6c1c3d1d 4681
7ade712c
JH		 4682 DEBUG(D_receive) debug_printf("DSN: orcpt: %s flags: %d\n",
4683 recipients_list[recipients_count-1].orcpt,
4684 recipients_list[recipients_count-1].dsn_flags);
059ec3d9
PH		 4685 }
4686
4687 /* The recipient was discarded */
4688
4689 else if (rc == DISCARD)
4690 {
4e88a19f
PH		 4691 if (user_msg == NULL) smtp_printf("250 Accepted\r\n");
4692 else smtp_user_msg(US"250", user_msg);
059ec3d9
PH		 4693 rcpt_fail_count++;
4694 discarded = TRUE;
1f12df4d 4695 log_write(0, LOG_MAIN|LOG_REJECT, "%s F=<%s> RCPT %s: "
059ec3d9 4696 "discarded by %s ACL%s%s", host_and_ident(TRUE),
1f12df4d 4697 sender_address_unrewritten? sender_address_unrewritten : sender_address,
3ee512ff 4698 smtp_cmd_argument, recipients_discarded? "MAIL" : "RCPT",
1f12df4d 4699 log_msg ? US": " : US"", log_msg ? log_msg : US"");
059ec3d9
PH		 4700 }
4701
4702 /* Either the ACL failed the address, or it was deferred. */
4703
4704 else
4705 {
4706 if (rc == FAIL) rcpt_fail_count++; else rcpt_defer_count++;
4707 done = smtp_handle_acl_fail(ACL_WHERE_RCPT, rc, user_msg, log_msg);
4708 }
4709 break;
4710
4711
4712 /* The DATA command is legal only if it follows successful MAIL FROM
4713 and RCPT TO commands. However, if pipelining is advertised, a bad DATA is
4714 not counted as a protocol error if it follows RCPT (which must have been
4715 rejected if there are no recipients.) This function is complete when a
4716 valid DATA command is encountered.
4717
4718 Note concerning the code used: RFC 2821 says this:
4719
4720 - If there was no MAIL, or no RCPT, command, or all such commands
4721 were rejected, the server MAY return a "command out of sequence"
4722 (503) or "no valid recipients" (554) reply in response to the
4723 DATA command.
4724
4725 The example in the pipelining RFC 2920 uses 554, but I use 503 here
2679d413
PH		 4726 because it is the same whether pipelining is in use or not.
4727
4728 If all the RCPT commands that precede DATA provoked the same error message
4729 (often indicating some kind of system error), it is helpful to include it
4730 with the DATA rejection (an idea suggested by Tony Finch). */
059ec3d9 4731
18481de3
JH		 4732 case BDAT_CMD:
4733 HAD(SCH_BDAT);
4734 {
4735 int n;
4736
4737 if (chunking_state != CHUNKING_OFFERED)
4738 {
4739 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4740 US"BDAT command used when CHUNKING not advertised");
4741 break;
4742 }
4743
4744 /* grab size, endmarker */
4745
4746 if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
4747 {
7e3ce68e 4748 done = synprot_error(L_smtp_protocol_error, 501, NULL,
18481de3
JH		 4749 US"missing size for BDAT command");
4750 break;
4751 }
4752 chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
4753 ? CHUNKING_LAST : CHUNKING_ACTIVE;
7e3ce68e
JH		 4754 chunking_data_left = chunking_datasize;
4755
4756 lwr_receive_getc = receive_getc;
4757 lwr_receive_ungetc = receive_ungetc;
4758 receive_getc = bdat_getc;
4759 receive_ungetc = bdat_ungetc;
18481de3
JH		 4760
4761 DEBUG(D_any)
4762 debug_printf("chunking state %d\n", (int)chunking_state);
4763 goto DATA_BDAT;
4764 }
4765
059ec3d9 4766 case DATA_CMD:
b4ed4da0 4767 HAD(SCH_DATA);
18481de3
JH		 4768
4769 DATA_BDAT: /* Common code for DATA and BDAT */
059ec3d9
PH		 4770 if (!discarded && recipients_count <= 0)
4771 {
2679d413
PH		 4772 if (rcpt_smtp_response_same && rcpt_smtp_response != NULL)
4773 {
4774 uschar *code = US"503";
4775 int len = Ustrlen(rcpt_smtp_response);
4776 smtp_respond(code, 3, FALSE, US"All RCPT commands were rejected with "
4777 "this error:");
4778 /* Responses from smtp_printf() will have \r\n on the end */
4779 if (len > 2 && rcpt_smtp_response[len-2] == '\r')
4780 rcpt_smtp_response[len-2] = 0;
4781 smtp_respond(code, 3, FALSE, rcpt_smtp_response);
4782 }
059ec3d9 4783 if (pipelining_advertised && last_was_rcpt)
18481de3
JH		 4784 smtp_printf("503 Valid RCPT command must precede %s\r\n",
4785 smtp_names[smtp_connection_had[smtp_ch_index-1]]);
059ec3d9
PH		 4786 else
4787 done = synprot_error(L_smtp_protocol_error, 503, NULL,
18481de3
JH		 4788 smtp_connection_had[smtp_ch_index-1] == SCH_DATA
4789 ? US"valid RCPT command must precede DATA"
4790 : US"valid RCPT command must precede BDAT");
45bd315d
JH		 4791
4792 if (chunking_state > CHUNKING_OFFERED)
4793 bdat_flush_data();
059ec3d9
PH		 4794 break;
4795 }
4796
4797 if (toomany && recipients_max_reject)
4798 {
4799 sender_address = NULL; /* This will allow a new MAIL without RSET */
4800 sender_address_unrewritten = NULL;
4801 smtp_printf("554 Too many recipients\r\n");
4802 break;
4803 }
8e669ac1 4804
7e3ce68e
JH		 4805 if (chunking_state > CHUNKING_OFFERED)
4806 { /* No predata ACL or go-ahead output for BDAT */
18481de3 4807 rc = OK;
18481de3 4808 }
18481de3 4809 else
8e669ac1 4810 {
7e3ce68e
JH		 4811 /* If there is an ACL, re-check the synchronization afterwards, since the
4812 ACL may have delayed. To handle cutthrough delivery enforce a dummy call
4813 to get the DATA command sent. */
059ec3d9 4814
7e3ce68e
JH		 4815 if (acl_smtp_predata == NULL && cutthrough.fd < 0)
4816 rc = OK;
4817 else
4818 {
4819 uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
4820 enable_dollar_recipients = TRUE;
4821 rc = acl_check(ACL_WHERE_PREDATA, NULL, acl, &user_msg,
4822 &log_msg);
4823 enable_dollar_recipients = FALSE;
4824 if (rc == OK && !check_sync())
4825 goto SYNC_FAILURE;
4826
4827 if (rc != OK)
4828 { /* Either the ACL failed the address, or it was deferred. */
4829 done = smtp_handle_acl_fail(ACL_WHERE_PREDATA, rc, user_msg, log_msg);
4830 break;
4831 }
4832 }
4833
4834 if (user_msg)
4835 smtp_user_msg(US"354", user_msg);
4836 else
4837 smtp_printf(
4838 "354 Enter message, ending with \".\" on a line by itself\r\n");
059ec3d9
PH		 4839 }
4840
7e3ce68e
JH		 4841 done = 3;
4842 message_ended = END_NOTENDED; /* Indicate in middle of data */
059ec3d9 4843
059ec3d9
PH		 4844 break;
4845
4846
4847 case VRFY_CMD:
059ec3d9 4848 {
4f6ae5c3 4849 uschar * address;
059ec3d9 4850
4f6ae5c3 4851 HAD(SCH_VRFY);
059ec3d9 4852
05392bbc
JH		 4853 if (!(address = parse_extract_address(smtp_cmd_data, &errmess,
4854 &start, &end, &recipient_domain, FALSE)))
4855 {
4f6ae5c3 4856 smtp_printf("501 %s\r\n", errmess);
05392bbc
JH		 4857 break;
4858 }
4859
4860 if (recipient_domain == 0)
2685d6e0
JH		 4861 if (!(recipient_domain = qualify_recipient(&address, smtp_cmd_data,
4862 US"verify")))
05392bbc 4863 break;
4f6ae5c3 4864
05392bbc 4865 if ((rc = acl_check(ACL_WHERE_VRFY, address, acl_smtp_vrfy,
4f6ae5c3
JH		 4866 &user_msg, &log_msg)) != OK)
4867 done = smtp_handle_acl_fail(ACL_WHERE_VRFY, rc, user_msg, log_msg);
059ec3d9 4868 else
4f6ae5c3 4869 {
05392bbc
JH		 4870 uschar * s = NULL;
4871 address_item * addr = deliver_make_addr(address, FALSE);
059ec3d9 4872
4f6ae5c3
JH		 4873 switch(verify_address(addr, NULL, vopt_is_recipient | vopt_qualify, -1,
4874 -1, -1, NULL, NULL, NULL))
4875 {
4876 case OK:
4877 s = string_sprintf("250 <%s> is deliverable", address);
4878 break;
059ec3d9 4879
4f6ae5c3
JH		 4880 case DEFER:
4881 s = (addr->user_message != NULL)?
4882 string_sprintf("451 <%s> %s", address, addr->user_message) :
4883 string_sprintf("451 Cannot resolve <%s> at this time", address);
4884 break;
059ec3d9 4885
4f6ae5c3
JH		 4886 case FAIL:
4887 s = (addr->user_message != NULL)?
4888 string_sprintf("550 <%s> %s", address, addr->user_message) :
4889 string_sprintf("550 <%s> is not deliverable", address);
4890 log_write(0, LOG_MAIN, "VRFY failed for %s %s",
4891 smtp_cmd_argument, host_and_ident(TRUE));
4892 break;
4893 }
4894
4895 smtp_printf("%s\r\n", s);
4896 }
4897 break;
059ec3d9 4898 }
059ec3d9
PH		 4899
4900
4901 case EXPN_CMD:
b4ed4da0 4902 HAD(SCH_EXPN);
64ffc24f 4903 rc = acl_check(ACL_WHERE_EXPN, NULL, acl_smtp_expn, &user_msg, &log_msg);
059ec3d9
PH		 4904 if (rc != OK)
4905 done = smtp_handle_acl_fail(ACL_WHERE_EXPN, rc, user_msg, log_msg);
4906 else
4907 {
4908 BOOL save_log_testing_mode = log_testing_mode;
4909 address_test_mode = log_testing_mode = TRUE;
ca86f471 4910 (void) verify_address(deliver_make_addr(smtp_cmd_data, FALSE),
64ffc24f
PH		 4911 smtp_out, vopt_is_recipient | vopt_qualify | vopt_expn, -1, -1, -1,
4912 NULL, NULL, NULL);
059ec3d9
PH		 4913 address_test_mode = FALSE;
4914 log_testing_mode = save_log_testing_mode; /* true for -bh */
4915 }
4916 break;
4917
4918
4919 #ifdef SUPPORT_TLS
4920
4921 case STARTTLS_CMD:
b4ed4da0 4922 HAD(SCH_STARTTLS);
059ec3d9
PH		 4923 if (!tls_advertised)
4924 {
4925 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4926 US"STARTTLS command used when not advertised");
4927 break;
4928 }
4929
4930 /* Apply an ACL check if one is defined */
4931
4f6ae5c3
JH		 4932 if ( acl_smtp_starttls
4933 && (rc = acl_check(ACL_WHERE_STARTTLS, NULL, acl_smtp_starttls,
4934 &user_msg, &log_msg)) != OK
4935 )
059ec3d9 4936 {
4f6ae5c3
JH		 4937 done = smtp_handle_acl_fail(ACL_WHERE_STARTTLS, rc, user_msg, log_msg);
4938 break;
059ec3d9
PH		 4939 }
4940
4941 /* RFC 2487 is not clear on when this command may be sent, though it
4942 does state that all information previously obtained from the client
4943 must be discarded if a TLS session is started. It seems reasonble to
4944 do an implied RSET when STARTTLS is received. */
4945
4946 incomplete_transaction_log(US"STARTTLS");
4947 smtp_reset(reset_point);
4948 toomany = FALSE;
4949 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
4950
da80c2a8
PP		 4951 /* There's an attack where more data is read in past the STARTTLS command
4952 before TLS is negotiated, then assumed to be part of the secure session
4953 when used afterwards; we use segregated input buffers, so are not
4954 vulnerable, but we want to note when it happens and, for sheer paranoia,
4955 ensure that the buffer is "wiped".
4956 Pipelining sync checks will normally have protected us too, unless disabled
4957 by configuration. */
4958
4959 if (receive_smtp_buffered())
4960 {
4961 DEBUG(D_any)
18481de3 4962 debug_printf("Non-empty input buffer after STARTTLS; naive attack?\n");
817d9f57 4963 if (tls_in.active < 0)
da80c2a8
PP		 4964 smtp_inend = smtp_inptr = smtp_inbuffer;
4965 /* and if TLS is already active, tls_server_start() should fail */
4966 }
4967
4e7ee012
PP		 4968 /* There is nothing we value in the input buffer and if TLS is succesfully
4969 negotiated, we won't use this buffer again; if TLS fails, we'll just read
4970 fresh content into it. The buffer contains arbitrary content from an
4971 untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
4972 It seems safest to just wipe away the content rather than leave it as a
4973 target to jump to. */
4974
4975 memset(smtp_inbuffer, 0, in_buffer_size);
4976
059ec3d9
PH		 4977 /* Attempt to start up a TLS session, and if successful, discard all
4978 knowledge that was obtained previously. At least, that's what the RFC says,
4979 and that's what happens by default. However, in order to work round YAEB,
4980 there is an option to remember the esmtp state. Sigh.
4981
4982 We must allow for an extra EHLO command and an extra AUTH command after
4983 STARTTLS that don't add to the nonmail command count. */
4984
17c76198 4985 if ((rc = tls_server_start(tls_require_ciphers)) == OK)
059ec3d9
PH		 4986 {
4987 if (!tls_remember_esmtp)
4988 helo_seen = esmtp = auth_advertised = pipelining_advertised = FALSE;
4989 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
4990 cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
b3ef41c9 4991 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
059ec3d9
PH		 4992 if (sender_helo_name != NULL)
4993 {
4994 store_free(sender_helo_name);
4995 sender_helo_name = NULL;
4996 host_build_sender_fullhost(); /* Rebuild */
4997 set_process_info("handling incoming TLS connection from %s",
4998 host_and_ident(FALSE));
4999 }
e524074d
JH		 5000 received_protocol =
5001 (sender_host_address ? protocols : protocols_local)
5002 [ (esmtp
5003 ? pextend + (sender_host_authenticated ? pauthed : 0)
5004 : pnormal)
5005 + (tls_in.active >= 0 ? pcrpted : 0)
5006 ];
059ec3d9
PH		 5007
5008 sender_host_authenticated = NULL;
5009 authenticated_id = NULL;
5010 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
5011 DEBUG(D_tls) debug_printf("TLS active\n");
5012 break; /* Successful STARTTLS */
5013 }
5014
5015 /* Some local configuration problem was discovered before actually trying
5016 to do a TLS handshake; give a temporary error. */
5017
5018 else if (rc == DEFER)
5019 {
5020 smtp_printf("454 TLS currently unavailable\r\n");
5021 break;
5022 }
5023
5024 /* Hard failure. Reject everything except QUIT or closed connection. One
817d9f57 5025 cause for failure is a nested STARTTLS, in which case tls_in.active remains
059ec3d9
PH		 5026 set, but we must still reject all incoming commands. */
5027
5028 DEBUG(D_tls) debug_printf("TLS failed to start\n");
5029 while (done <= 0)
5030 {
5031 switch(smtp_read_command(FALSE))
5032 {
5033 case EOF_CMD:
5034 log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
5035 smtp_get_connection_info());
8f128379 5036 smtp_notquit_exit(US"tls-failed", NULL, NULL);
059ec3d9
PH		 5037 done = 2;
5038 break;
5039
8f128379 5040 /* It is perhaps arguable as to which exit ACL should be called here,
24f66b4d 5041 but as it is probably a situation that almost never arises, it
8f128379
PH		 5042 probably doesn't matter. We choose to call the real QUIT ACL, which in
5043 some sense is perhaps "right". */
5044
059ec3d9 5045 case QUIT_CMD:
8f128379
PH		 5046 user_msg = NULL;
5047 if (acl_smtp_quit != NULL)
5048 {
5049 rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, &user_msg,
5050 &log_msg);
5051 if (rc == ERROR)
5052 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
5053 log_msg);
5054 }
5055 if (user_msg == NULL)
5056 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
5057 else
5058 smtp_respond(US"221", 3, TRUE, user_msg);
059ec3d9
PH		 5059 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
5060 smtp_get_connection_info());
5061 done = 2;
5062 break;
5063
5064 default:
5065 smtp_printf("554 Security failure\r\n");
5066 break;
5067 }
5068 }
817d9f57 5069 tls_close(TRUE, TRUE);
059ec3d9
PH		 5070 break;
5071 #endif
5072
5073
5074 /* The ACL for QUIT is provided for gathering statistical information or
5075 similar; it does not affect the response code, but it can supply a custom
5076 message. */
5077
5078 case QUIT_CMD:
7e3ce68e 5079 smtp_quit_handler(&user_msg, &log_msg);
059ec3d9 5080 done = 2;
059ec3d9
PH		 5081 break;
5082
5083
5084 case RSET_CMD:
7e3ce68e 5085 smtp_rset_handler();
059ec3d9
PH		 5086 smtp_reset(reset_point);
5087 toomany = FALSE;
059ec3d9
PH		 5088 break;
5089
5090
5091 case NOOP_CMD:
b4ed4da0 5092 HAD(SCH_NOOP);
059ec3d9
PH		 5093 smtp_printf("250 OK\r\n");
5094 break;
5095
5096
b43a74ea
PH		 5097 /* Show ETRN/EXPN/VRFY if there's an ACL for checking hosts; if actually
5098 used, a check will be done for permitted hosts. Show STARTTLS only if not
5099 already in a TLS session and if it would be advertised in the EHLO
5100 response. */
059ec3d9
PH		 5101
5102 case HELP_CMD:
b4ed4da0 5103 HAD(SCH_HELP);
059ec3d9
PH		 5104 smtp_printf("214-Commands supported:\r\n");
5105 {
5106 uschar buffer[256];
5107 buffer[0] = 0;
5108 Ustrcat(buffer, " AUTH");
5109 #ifdef SUPPORT_TLS
817d9f57 5110 if (tls_in.active < 0 &&
b43a74ea
PH		 5111 verify_check_host(&tls_advertise_hosts) != FAIL)
5112 Ustrcat(buffer, " STARTTLS");
059ec3d9 5113 #endif
7e3ce68e 5114 Ustrcat(buffer, " HELO EHLO MAIL RCPT DATA BDAT");
059ec3d9
PH		 5115 Ustrcat(buffer, " NOOP QUIT RSET HELP");
5116 if (acl_smtp_etrn != NULL) Ustrcat(buffer, " ETRN");
5117 if (acl_smtp_expn != NULL) Ustrcat(buffer, " EXPN");
5118 if (acl_smtp_vrfy != NULL) Ustrcat(buffer, " VRFY");
5119 smtp_printf("214%s\r\n", buffer);
5120 }
5121 break;
5122
5123
5124 case EOF_CMD:
5125 incomplete_transaction_log(US"connection lost");
8f128379
PH		 5126 smtp_notquit_exit(US"connection-lost", US"421",
5127 US"%s lost input connection", smtp_active_hostname);
059ec3d9
PH		 5128
5129 /* Don't log by default unless in the middle of a message, as some mailers
5130 just drop the call rather than sending QUIT, and it clutters up the logs.
5131 */
5132
5133 if (sender_address != NULL || recipients_count > 0)
5134 log_write(L_lost_incoming_connection,
5135 LOG_MAIN,
5136 "unexpected %s while reading SMTP command from %s%s",
5137 sender_host_unknown? "EOF" : "disconnection",
5138 host_and_ident(FALSE), smtp_read_error);
5139
5140 else log_write(L_smtp_connection, LOG_MAIN, "%s lost%s",
5141 smtp_get_connection_info(), smtp_read_error);
5142
5143 done = 1;
5144 break;
5145
5146
5147 case ETRN_CMD:
b4ed4da0 5148 HAD(SCH_ETRN);
059ec3d9
PH		 5149 if (sender_address != NULL)
5150 {
5151 done = synprot_error(L_smtp_protocol_error, 503, NULL,
5152 US"ETRN is not permitted inside a transaction");
5153 break;
5154 }
5155
3ee512ff 5156 log_write(L_etrn, LOG_MAIN, "ETRN %s received from %s", smtp_cmd_argument,
059ec3d9
PH		 5157 host_and_ident(FALSE));
5158
4f6ae5c3
JH		 5159 if ((rc = acl_check(ACL_WHERE_ETRN, NULL, acl_smtp_etrn,
5160 &user_msg, &log_msg)) != OK)
059ec3d9
PH		 5161 {
5162 done = smtp_handle_acl_fail(ACL_WHERE_ETRN, rc, user_msg, log_msg);
5163 break;
5164 }
5165
5166 /* Compute the serialization key for this command. */
5167
ca86f471 5168 etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_cmd_data);
059ec3d9
PH		 5169
5170 /* If a command has been specified for running as a result of ETRN, we
5171 permit any argument to ETRN. If not, only the # standard form is permitted,
5172 since that is strictly the only kind of ETRN that can be implemented
5173 according to the RFC. */
5174
5175 if (smtp_etrn_command != NULL)
5176 {
5177 uschar *error;
5178 BOOL rc;
5179 etrn_command = smtp_etrn_command;
ca86f471 5180 deliver_domain = smtp_cmd_data;
059ec3d9
PH		 5181 rc = transport_set_up_command(&argv, smtp_etrn_command, TRUE, 0, NULL,
5182 US"ETRN processing", &error);
5183 deliver_domain = NULL;
5184 if (!rc)
5185 {
5186 log_write(0, LOG_MAIN|LOG_PANIC, "failed to set up ETRN command: %s",
5187 error);
5188 smtp_printf("458 Internal failure\r\n");
5189 break;
5190 }
5191 }
5192
5193 /* Else set up to call Exim with the -R option. */
5194
5195 else
5196 {
ca86f471 5197 if (*smtp_cmd_data++ != '#')
059ec3d9
PH		 5198 {
5199 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5200 US"argument must begin with #");
5201 break;
5202 }
5203 etrn_command = US"exim -R";
e37f8a84
JH		 5204 argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE,
5205 *queue_name ? 4 : 2,
5206 US"-R", smtp_cmd_data,
5207 US"-MCG", queue_name);
059ec3d9
PH		 5208 }
5209
5210 /* If we are host-testing, don't actually do anything. */
5211
5212 if (host_checking)
5213 {
5214 HDEBUG(D_any)
5215 {
5216 debug_printf("ETRN command is: %s\n", etrn_command);
5217 debug_printf("ETRN command execution skipped\n");
5218 }
4e88a19f
PH		 5219 if (user_msg == NULL) smtp_printf("250 OK\r\n");
5220 else smtp_user_msg(US"250", user_msg);
059ec3d9
PH		 5221 break;
5222 }
5223
5224
5225 /* If ETRN queue runs are to be serialized, check the database to
5226 ensure one isn't already running. */
5227
e8ae7214 5228 if (smtp_etrn_serialize && !enq_start(etrn_serialize_key, 1))
059ec3d9 5229 {
ca86f471 5230 smtp_printf("458 Already processing %s\r\n", smtp_cmd_data);
059ec3d9
PH		 5231 break;
5232 }
5233
5234 /* Fork a child process and run the command. We don't want to have to
5235 wait for the process at any point, so set SIGCHLD to SIG_IGN before
5236 forking. It should be set that way anyway for external incoming SMTP,
5237 but we save and restore to be tidy. If serialization is required, we
5238 actually run the command in yet another process, so we can wait for it
5239 to complete and then remove the serialization lock. */
5240
5241 oldsignal = signal(SIGCHLD, SIG_IGN);
5242
5243 if ((pid = fork()) == 0)
5244 {
f1e894f3
PH		 5245 smtp_input = FALSE; /* This process is not associated with the */
5246 (void)fclose(smtp_in); /* SMTP call any more. */
5247 (void)fclose(smtp_out);
059ec3d9
PH		 5248
5249 signal(SIGCHLD, SIG_DFL); /* Want to catch child */
5250
5251 /* If not serializing, do the exec right away. Otherwise, fork down
5252 into another process. */
5253
5254 if (!smtp_etrn_serialize || (pid = fork()) == 0)
5255 {
5256 DEBUG(D_exec) debug_print_argv(argv);
5257 exim_nullstd(); /* Ensure std{in,out,err} exist */
5258 execv(CS argv[0], (char *const *)argv);
5259 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "exec of \"%s\" (ETRN) failed: %s",
5260 etrn_command, strerror(errno));
5261 _exit(EXIT_FAILURE); /* paranoia */
5262 }
5263
5264 /* Obey this if smtp_serialize and the 2nd fork yielded non-zero. That
5265 is, we are in the first subprocess, after forking again. All we can do
5266 for a failing fork is to log it. Otherwise, wait for the 2nd process to
5267 complete, before removing the serialization. */
5268
5269 if (pid < 0)
5270 log_write(0, LOG_MAIN|LOG_PANIC, "2nd fork for serialized ETRN "
5271 "failed: %s", strerror(errno));
5272 else
5273 {
5274 int status;
5275 DEBUG(D_any) debug_printf("waiting for serialized ETRN process %d\n",
5276 (int)pid);
5277 (void)wait(&status);
5278 DEBUG(D_any) debug_printf("serialized ETRN process %d ended\n",
5279 (int)pid);
5280 }
5281
5282 enq_end(etrn_serialize_key);
5283 _exit(EXIT_SUCCESS);
5284 }
5285
5286 /* Back in the top level SMTP process. Check that we started a subprocess
5287 and restore the signal state. */
5288
5289 if (pid < 0)
5290 {
5291 log_write(0, LOG_MAIN|LOG_PANIC, "fork of process for ETRN failed: %s",
5292 strerror(errno));
5293 smtp_printf("458 Unable to fork process\r\n");
5294 if (smtp_etrn_serialize) enq_end(etrn_serialize_key);
5295 }
4e88a19f
PH		 5296 else
5297 {
5298 if (user_msg == NULL) smtp_printf("250 OK\r\n");
5299 else smtp_user_msg(US"250", user_msg);
5300 }
059ec3d9
PH		 5301
5302 signal(SIGCHLD, oldsignal);
5303 break;
5304
5305
5306 case BADARG_CMD:
5307 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5308 US"unexpected argument data");
5309 break;
5310
5311
5312 /* This currently happens only for NULLs, but could be extended. */
5313
5314 case BADCHAR_CMD:
5315 done = synprot_error(L_smtp_syntax_error, 0, NULL, /* Just logs */
5316 US"NULL character(s) present (shown as '?')");
5317 smtp_printf("501 NULL characters are not allowed in SMTP commands\r\n");
5318 break;
5319
5320
5321 case BADSYN_CMD:
a14e5636 5322 SYNC_FAILURE:
059ec3d9
PH		 5323 if (smtp_inend >= smtp_inbuffer + in_buffer_size)
5324 smtp_inend = smtp_inbuffer + in_buffer_size - 1;
5325 c = smtp_inend - smtp_inptr;
5326 if (c > 150) c = 150;
5327 smtp_inptr[c] = 0;
5328 incomplete_transaction_log(US"sync failure");
3af76a81 5329 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
059ec3d9
PH		 5330 "(next input sent too soon: pipelining was%s advertised): "
5331 "rejected \"%s\" %s next input=\"%s\"",
5332 pipelining_advertised? "" : " not",
3ee512ff 5333 smtp_cmd_buffer, host_and_ident(TRUE),
059ec3d9 5334 string_printing(smtp_inptr));
8f128379
PH		 5335 smtp_notquit_exit(US"synchronization-error", US"554",
5336 US"SMTP synchronization error");
059ec3d9
PH		 5337 done = 1; /* Pretend eof - drops connection */
5338 break;
5339
5340
5341 case TOO_MANY_NONMAIL_CMD:
ca86f471
PH		 5342 s = smtp_cmd_buffer;
5343 while (*s != 0 && !isspace(*s)) s++;
059ec3d9
PH		 5344 incomplete_transaction_log(US"too many non-mail commands");
5345 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
5346 "nonmail commands (last was \"%.*s\")", host_and_ident(FALSE),
6d9cfc47 5347 (int)(s - smtp_cmd_buffer), smtp_cmd_buffer);
8f128379 5348 smtp_notquit_exit(US"bad-commands", US"554", US"Too many nonmail commands");
059ec3d9
PH		 5349 done = 1; /* Pretend eof - drops connection */
5350 break;
5351
cee5f132 5352#ifdef SUPPORT_PROXY
a3c86431
TL		 5353 case PROXY_FAIL_IGNORE_CMD:
5354 smtp_printf("503 Command refused, required Proxy negotiation failed\r\n");
5355 break;
cee5f132 5356#endif
059ec3d9
PH		 5357
5358 default:
5359 if (unknown_command_count++ >= smtp_max_unknown_commands)
5360 {
5361 log_write(L_smtp_syntax_error, LOG_MAIN,
5362 "SMTP syntax error in \"%s\" %s %s",
3ee512ff 5363 string_printing(smtp_cmd_buffer), host_and_ident(TRUE),
059ec3d9
PH		 5364 US"unrecognized command");
5365 incomplete_transaction_log(US"unrecognized command");
8f128379
PH		 5366 smtp_notquit_exit(US"bad-commands", US"500",
5367 US"Too many unrecognized commands");
059ec3d9
PH		 5368 done = 2;
5369 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
5370 "unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
0ebc4d69 5371 string_printing(smtp_cmd_buffer));
059ec3d9
PH		 5372 }
5373 else
5374 done = synprot_error(L_smtp_syntax_error, 500, NULL,
5375 US"unrecognized command");
5376 break;
5377 }
5378
5379 /* This label is used by goto's inside loops that want to break out to
5380 the end of the command-processing loop. */
5381
5382 COMMAND_LOOP:
5383 last_was_rej_mail = was_rej_mail; /* Remember some last commands for */
5384 last_was_rcpt = was_rcpt; /* protocol error handling */
5385 continue;
5386 }
5387
5388return done - 2; /* Convert yield values */
5389}
5390
e45a1c37
JH		 5391/* vi: aw ai sw=2
5392*/
059ec3d9 5393/* End of smtp_in.c */
Unnamed repository; edit this file 'description' to name the repository.