recive smtp command
[exim.git] / src / src / smtp_in.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Functions for handling an incoming SMTP call. */
9
10
11#include "exim.h"
2ef7ed08 12#include <assert.h>
059ec3d9
PH
13
14
15/* Initialize for TCP wrappers if so configured. It appears that the macro
16HAVE_IPV6 is used in some versions of the tcpd.h header, so we unset it before
17including that header, and restore its value afterwards. */
18
19#ifdef USE_TCP_WRAPPERS
20
21 #if HAVE_IPV6
22 #define EXIM_HAVE_IPV6
23 #endif
24 #undef HAVE_IPV6
25 #include <tcpd.h>
26 #undef HAVE_IPV6
27 #ifdef EXIM_HAVE_IPV6
28 #define HAVE_IPV6 TRUE
29 #endif
30
31int allow_severity = LOG_INFO;
32int deny_severity = LOG_NOTICE;
5dc43717 33uschar *tcp_wrappers_name;
059ec3d9
PH
34#endif
35
36
8d67ada3
PH
37/* Size of buffer for reading SMTP commands. We used to use 512, as defined
38by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
39commands that accept arguments, and this in particular applies to AUTH, where
94431adb 40the data can be quite long. More recently this value was 2048 in Exim;
e2ca7082 41however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH. Clients
94431adb
HSHR
42such as Thunderbird will send an AUTH with an initial-response for GSSAPI.
43The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
e2ca7082
PP
44we need room to handle large base64-encoded AUTHs for GSSAPI.
45*/
46
47#define smtp_cmd_buffer_size 16384
059ec3d9
PH
48
49/* Size of buffer for reading SMTP incoming packets */
50
51#define in_buffer_size 8192
52
53/* Structure for SMTP command list */
54
55typedef struct {
1ba28e2b 56 const char *name;
059ec3d9
PH
57 int len;
58 short int cmd;
59 short int has_arg;
60 short int is_mail_cmd;
61} smtp_cmd_list;
62
63/* Codes for identifying commands. We order them so that those that come first
64are those for which synchronization is always required. Checking this can help
65block some spam. */
66
67enum {
68 /* These commands are required to be synchronized, i.e. to be the last in a
69 block of commands when pipelining. */
70
71 HELO_CMD, EHLO_CMD, DATA_CMD, /* These are listed in the pipelining */
72 VRFY_CMD, EXPN_CMD, NOOP_CMD, /* RFC as requiring synchronization */
73 ETRN_CMD, /* This by analogy with TURN from the RFC */
74 STARTTLS_CMD, /* Required by the STARTTLS RFC */
b3ef41c9 75 TLS_AUTH_CMD, /* auto-command at start of SSL */
18481de3 76 BDAT_CMD, /* Implied by RFC3030 "After all MAIL and..." */
059ec3d9
PH
77
78 /* This is a dummy to identify the non-sync commands when pipelining */
79
80 NON_SYNC_CMD_PIPELINING,
81
82 /* These commands need not be synchronized when pipelining */
83
84 MAIL_CMD, RCPT_CMD, RSET_CMD,
85
86 /* This is a dummy to identify the non-sync commands when not pipelining */
87
88 NON_SYNC_CMD_NON_PIPELINING,
89
90 /* I have been unable to find a statement about the use of pipelining
91 with AUTH, so to be on the safe side it is here, though I kind of feel
92 it should be up there with the synchronized commands. */
93
94 AUTH_CMD,
95
96 /* I'm not sure about these, but I don't think they matter. */
97
98 QUIT_CMD, HELP_CMD,
99
cee5f132 100#ifdef SUPPORT_PROXY
a3c86431
TL
101 PROXY_FAIL_IGNORE_CMD,
102#endif
103
059ec3d9
PH
104 /* These are specials that don't correspond to actual commands */
105
106 EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
107 TOO_MANY_NONMAIL_CMD };
108
109
b4ed4da0
PH
110/* This is a convenience macro for adding the identity of an SMTP command
111to the circular buffer that holds a list of the last n received. */
112
113#define HAD(n) \
114 smtp_connection_had[smtp_ch_index++] = n; \
115 if (smtp_ch_index >= SMTP_HBUFF_SIZE) smtp_ch_index = 0
116
059ec3d9
PH
117
118/*************************************************
119* Local static variables *
120*************************************************/
121
122static auth_instance *authenticated_by;
123static BOOL auth_advertised;
124#ifdef SUPPORT_TLS
125static BOOL tls_advertised;
126#endif
6c1c3d1d 127static BOOL dsn_advertised;
059ec3d9
PH
128static BOOL esmtp;
129static BOOL helo_required = FALSE;
130static BOOL helo_verify = FALSE;
131static BOOL helo_seen;
132static BOOL helo_accept_junk;
133static BOOL count_nonmail;
134static BOOL pipelining_advertised;
2679d413
PH
135static BOOL rcpt_smtp_response_same;
136static BOOL rcpt_in_progress;
059ec3d9 137static int nonmail_command_count;
8f128379 138static BOOL smtp_exit_function_called = 0;
8c5d388a 139#ifdef SUPPORT_I18N
d1a13eea
JH
140static BOOL smtputf8_advertised;
141#endif
059ec3d9
PH
142static int synprot_error_count;
143static int unknown_command_count;
144static int sync_cmd_limit;
145static int smtp_write_error = 0;
146
2679d413 147static uschar *rcpt_smtp_response;
ca86f471
PH
148static uschar *smtp_data_buffer;
149static uschar *smtp_cmd_data;
150
059ec3d9
PH
151/* We need to know the position of RSET, HELO, EHLO, AUTH, and STARTTLS. Their
152final fields of all except AUTH are forced TRUE at the start of a new message
153setup, to allow one of each between messages that is not counted as a nonmail
154command. (In fact, only one of HELO/EHLO is not counted.) Also, we have to
155allow a new EHLO after starting up TLS.
156
157AUTH is "falsely" labelled as a mail command initially, so that it doesn't get
158counted. However, the flag is changed when AUTH is received, so that multiple
159failing AUTHs will eventually hit the limit. After a successful AUTH, another
160AUTH is already forbidden. After a TLS session is started, AUTH's flag is again
161forced TRUE, to allow for the re-authentication that can happen at that point.
162
163QUIT is also "falsely" labelled as a mail command so that it doesn't up the
2f460950
JH
164count of non-mail commands and possibly provoke an error.
165
166tls_auth is a pseudo-command, never expected in input. It is activated
167on TLS startup and looks for a tls authenticator. */
059ec3d9
PH
168
169static smtp_cmd_list cmd_list[] = {
d1a13eea
JH
170 /* name len cmd has_arg is_mail_cmd */
171
059ec3d9
PH
172 { "rset", sizeof("rset")-1, RSET_CMD, FALSE, FALSE }, /* First */
173 { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
174 { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
175 { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
176 #ifdef SUPPORT_TLS
177 { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
b3ef41c9 178 { "tls_auth", 0, TLS_AUTH_CMD, FALSE, TRUE },
059ec3d9
PH
179 #endif
180
181/* If you change anything above here, also fix the definitions below. */
182
183 { "mail from:", sizeof("mail from:")-1, MAIL_CMD, TRUE, TRUE },
184 { "rcpt to:", sizeof("rcpt to:")-1, RCPT_CMD, TRUE, TRUE },
185 { "data", sizeof("data")-1, DATA_CMD, FALSE, TRUE },
18481de3 186 { "bdat", sizeof("bdat")-1, BDAT_CMD, TRUE, TRUE },
059ec3d9
PH
187 { "quit", sizeof("quit")-1, QUIT_CMD, FALSE, TRUE },
188 { "noop", sizeof("noop")-1, NOOP_CMD, TRUE, FALSE },
189 { "etrn", sizeof("etrn")-1, ETRN_CMD, TRUE, FALSE },
190 { "vrfy", sizeof("vrfy")-1, VRFY_CMD, TRUE, FALSE },
191 { "expn", sizeof("expn")-1, EXPN_CMD, TRUE, FALSE },
192 { "help", sizeof("help")-1, HELP_CMD, TRUE, FALSE }
193};
194
195static smtp_cmd_list *cmd_list_end =
196 cmd_list + sizeof(cmd_list)/sizeof(smtp_cmd_list);
197
198#define CMD_LIST_RSET 0
199#define CMD_LIST_HELO 1
200#define CMD_LIST_EHLO 2
201#define CMD_LIST_AUTH 3
202#define CMD_LIST_STARTTLS 4
b3ef41c9 203#define CMD_LIST_TLS_AUTH 5
059ec3d9 204
b4ed4da0
PH
205/* This list of names is used for performing the smtp_no_mail logging action.
206It must be kept in step with the SCH_xxx enumerations. */
207
208static uschar *smtp_names[] =
209 {
18481de3
JH
210 US"NONE", US"AUTH", US"DATA", US"BDAT", US"EHLO", US"ETRN", US"EXPN",
211 US"HELO", US"HELP", US"MAIL", US"NOOP", US"QUIT", US"RCPT", US"RSET",
212 US"STARTTLS", US"VRFY" };
b4ed4da0 213
e524074d 214static uschar *protocols_local[] = {
981756db
PH
215 US"local-smtp", /* HELO */
216 US"local-smtps", /* The rare case EHLO->STARTTLS->HELO */
217 US"local-esmtp", /* EHLO */
218 US"local-esmtps", /* EHLO->STARTTLS->EHLO */
219 US"local-esmtpa", /* EHLO->AUTH */
220 US"local-esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
059ec3d9 221 };
e524074d
JH
222static uschar *protocols[] = {
223 US"smtp", /* HELO */
224 US"smtps", /* The rare case EHLO->STARTTLS->HELO */
225 US"esmtp", /* EHLO */
226 US"esmtps", /* EHLO->STARTTLS->EHLO */
227 US"esmtpa", /* EHLO->AUTH */
228 US"esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
229 };
059ec3d9
PH
230
231#define pnormal 0
981756db
PH
232#define pextend 2
233#define pcrpted 1 /* added to pextend or pnormal */
234#define pauthed 2 /* added to pextend */
059ec3d9 235
d27f98fe
TL
236/* Sanity check and validate optional args to MAIL FROM: envelope */
237enum {
2ef7ed08 238 ENV_MAIL_OPT_NULL,
d27f98fe 239 ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH,
8ccd00b1 240#ifndef DISABLE_PRDR
fd98a5c6
JH
241 ENV_MAIL_OPT_PRDR,
242#endif
6c1c3d1d 243 ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
8c5d388a 244#ifdef SUPPORT_I18N
d1a13eea
JH
245 ENV_MAIL_OPT_UTF8,
246#endif
d27f98fe
TL
247 };
248typedef struct {
249 uschar * name; /* option requested during MAIL cmd */
250 int value; /* enum type */
251 BOOL need_value; /* TRUE requires value (name=value pair format)
252 FALSE is a singleton */
253 } env_mail_type_t;
254static env_mail_type_t env_mail_type_list[] = {
255 { US"SIZE", ENV_MAIL_OPT_SIZE, TRUE },
256 { US"BODY", ENV_MAIL_OPT_BODY, TRUE },
257 { US"AUTH", ENV_MAIL_OPT_AUTH, TRUE },
8ccd00b1 258#ifndef DISABLE_PRDR
fd98a5c6
JH
259 { US"PRDR", ENV_MAIL_OPT_PRDR, FALSE },
260#endif
6c1c3d1d
WB
261 { US"RET", ENV_MAIL_OPT_RET, TRUE },
262 { US"ENVID", ENV_MAIL_OPT_ENVID, TRUE },
8c5d388a 263#ifdef SUPPORT_I18N
d1a13eea
JH
264 { US"SMTPUTF8",ENV_MAIL_OPT_UTF8, FALSE }, /* rfc6531 */
265#endif
2ef7ed08
HSHR
266 /* keep this the last entry */
267 { US"NULL", ENV_MAIL_OPT_NULL, FALSE },
d27f98fe
TL
268 };
269
059ec3d9
PH
270/* When reading SMTP from a remote host, we have to use our own versions of the
271C input-reading functions, in order to be able to flush the SMTP output only
272when about to read more data from the socket. This is the only way to get
273optimal performance when the client is using pipelining. Flushing for every
274command causes a separate packet and reply packet each time; saving all the
275responses up (when pipelining) combines them into one packet and one response.
276
277For simplicity, these functions are used for *all* SMTP input, not only when
278receiving over a socket. However, after setting up a secure socket (SSL), input
279is read via the OpenSSL library, and another set of functions is used instead
280(see tls.c).
281
282These functions are set in the receive_getc etc. variables and called with the
283same interface as the C functions. However, since there can only ever be
284one incoming SMTP call, we just use a single buffer and flags. There is no need
285to implement a complicated private FILE-like structure.*/
286
287static uschar *smtp_inbuffer;
288static uschar *smtp_inptr;
289static uschar *smtp_inend;
290static int smtp_had_eof;
291static int smtp_had_error;
292
293
294/*************************************************
295* SMTP version of getc() *
296*************************************************/
297
298/* This gets the next byte from the SMTP input buffer. If the buffer is empty,
299it flushes the output, and refills the buffer, with a timeout. The signal
300handler is set appropriately by the calling function. This function is not used
301after a connection has negotated itself into an TLS/SSL state.
302
303Arguments: none
304Returns: the next character or EOF
305*/
306
307int
308smtp_getc(void)
309{
310if (smtp_inptr >= smtp_inend)
311 {
312 int rc, save_errno;
313 fflush(smtp_out);
314 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
315 rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
316 save_errno = errno;
317 alarm(0);
318 if (rc <= 0)
319 {
320 /* Must put the error text in fixed store, because this might be during
321 header reading, where it releases unused store above the header. */
322 if (rc < 0)
323 {
324 smtp_had_error = save_errno;
325 smtp_read_error = string_copy_malloc(
326 string_sprintf(" (error: %s)", strerror(save_errno)));
327 }
328 else smtp_had_eof = 1;
329 return EOF;
330 }
80a47a2c
TK
331#ifndef DISABLE_DKIM
332 dkim_exim_verify_feed(smtp_inbuffer, rc);
333#endif
059ec3d9
PH
334 smtp_inend = smtp_inbuffer + rc;
335 smtp_inptr = smtp_inbuffer;
336 }
337return *smtp_inptr++;
338}
339
340
341
342/*************************************************
343* SMTP version of ungetc() *
344*************************************************/
345
346/* Puts a character back in the input buffer. Only ever
347called once.
348
349Arguments:
350 ch the character
351
352Returns: the character
353*/
354
355int
356smtp_ungetc(int ch)
357{
358*(--smtp_inptr) = ch;
359return ch;
360}
361
362
363
364
365/*************************************************
366* SMTP version of feof() *
367*************************************************/
368
369/* Tests for a previous EOF
370
371Arguments: none
372Returns: non-zero if the eof flag is set
373*/
374
375int
376smtp_feof(void)
377{
378return smtp_had_eof;
379}
380
381
382
383
384/*************************************************
385* SMTP version of ferror() *
386*************************************************/
387
388/* Tests for a previous read error, and returns with errno
389restored to what it was when the error was detected.
390
391Arguments: none
392Returns: non-zero if the error flag is set
393*/
394
395int
396smtp_ferror(void)
397{
398errno = smtp_had_error;
399return smtp_had_error;
400}
401
402
403
58eb016e
PH
404/*************************************************
405* Test for characters in the SMTP buffer *
406*************************************************/
407
408/* Used at the end of a message
409
410Arguments: none
411Returns: TRUE/FALSE
412*/
413
414BOOL
415smtp_buffered(void)
416{
417return smtp_inptr < smtp_inend;
418}
419
420
059ec3d9
PH
421
422/*************************************************
423* Write formatted string to SMTP channel *
424*************************************************/
425
426/* This is a separate function so that we don't have to repeat everything for
427TLS support or debugging. It is global so that the daemon and the
428authentication functions can use it. It does not return any error indication,
429because major problems such as dropped connections won't show up till an output
430flush for non-TLS connections. The smtp_fflush() function is available for
431checking that: for convenience, TLS output errors are remembered here so that
432they are also picked up later by smtp_fflush().
433
434Arguments:
435 format format string
436 ... optional arguments
437
438Returns: nothing
439*/
440
441void
1ba28e2b 442smtp_printf(const char *format, ...)
059ec3d9
PH
443{
444va_list ap;
445
ce552449
NM
446va_start(ap, format);
447smtp_vprintf(format, ap);
448va_end(ap);
449}
450
451/* This is split off so that verify.c:respond_printf() can, in effect, call
452smtp_printf(), bearing in mind that in C a vararg function can't directly
fb08281f 453call another vararg function, only a function which accepts a va_list. */
ce552449
NM
454
455void
1ba28e2b 456smtp_vprintf(const char *format, va_list ap)
ce552449 457{
fb08281f
DW
458BOOL yield;
459
460yield = string_vformat(big_buffer, big_buffer_size, format, ap);
ce552449 461
059ec3d9
PH
462DEBUG(D_receive)
463 {
fb08281f
DW
464 void *reset_point = store_get(0);
465 uschar *msg_copy, *cr, *end;
466 msg_copy = string_copy(big_buffer);
467 end = msg_copy + Ustrlen(msg_copy);
468 while ((cr = Ustrchr(msg_copy, '\r')) != NULL) /* lose CRs */
469 memmove(cr, cr + 1, (end--) - cr);
470 debug_printf("SMTP>> %s", msg_copy);
471 store_reset(reset_point);
059ec3d9
PH
472 }
473
fb08281f 474if (!yield)
2679d413
PH
475 {
476 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
477 smtp_closedown(US"Unexpected error");
478 exim_exit(EXIT_FAILURE);
479 }
2679d413
PH
480
481/* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
482have had the same. Note: this code is also present in smtp_respond(). It would
483be tidier to have it only in one place, but when it was added, it was easier to
484do it that way, so as not to have to mess with the code for the RCPT command,
485which sometimes uses smtp_printf() and sometimes smtp_respond(). */
486
487if (rcpt_in_progress)
488 {
489 if (rcpt_smtp_response == NULL)
490 rcpt_smtp_response = string_copy(big_buffer);
491 else if (rcpt_smtp_response_same &&
492 Ustrcmp(rcpt_smtp_response, big_buffer) != 0)
493 rcpt_smtp_response_same = FALSE;
494 rcpt_in_progress = FALSE;
495 }
059ec3d9 496
2679d413 497/* Now write the string */
059ec3d9
PH
498
499#ifdef SUPPORT_TLS
817d9f57 500if (tls_in.active >= 0)
059ec3d9 501 {
817d9f57
JH
502 if (tls_write(TRUE, big_buffer, Ustrlen(big_buffer)) < 0)
503 smtp_write_error = -1;
059ec3d9
PH
504 }
505else
506#endif
507
2679d413 508if (fprintf(smtp_out, "%s", big_buffer) < 0) smtp_write_error = -1;
059ec3d9
PH
509}
510
511
512
513/*************************************************
514* Flush SMTP out and check for error *
515*************************************************/
516
517/* This function isn't currently used within Exim (it detects errors when it
518tries to read the next SMTP input), but is available for use in local_scan().
519For non-TLS connections, it flushes the output and checks for errors. For
520TLS-connections, it checks for a previously-detected TLS write error.
521
522Arguments: none
523Returns: 0 for no error; -1 after an error
524*/
525
526int
527smtp_fflush(void)
528{
817d9f57 529if (tls_in.active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
059ec3d9
PH
530return smtp_write_error;
531}
532
533
534
535/*************************************************
536* SMTP command read timeout *
537*************************************************/
538
539/* Signal handler for timing out incoming SMTP commands. This attempts to
540finish off tidily.
541
542Argument: signal number (SIGALRM)
543Returns: nothing
544*/
545
546static void
547command_timeout_handler(int sig)
548{
549sig = sig; /* Keep picky compilers happy */
550log_write(L_lost_incoming_connection,
551 LOG_MAIN, "SMTP command timeout on%s connection from %s",
817d9f57 552 (tls_in.active >= 0)? " TLS" : "",
059ec3d9
PH
553 host_and_ident(FALSE));
554if (smtp_batched_input)
555 moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
8f128379
PH
556smtp_notquit_exit(US"command-timeout", US"421",
557 US"%s: SMTP command timeout - closing connection", smtp_active_hostname);
059ec3d9
PH
558exim_exit(EXIT_FAILURE);
559}
560
561
562
563/*************************************************
564* SIGTERM received *
565*************************************************/
566
567/* Signal handler for handling SIGTERM. Again, try to finish tidily.
568
569Argument: signal number (SIGTERM)
570Returns: nothing
571*/
572
573static void
574command_sigterm_handler(int sig)
575{
576sig = sig; /* Keep picky compilers happy */
577log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
578if (smtp_batched_input)
579 moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */
8f128379
PH
580smtp_notquit_exit(US"signal-exit", US"421",
581 US"%s: Service not available - closing connection", smtp_active_hostname);
059ec3d9
PH
582exim_exit(EXIT_FAILURE);
583}
584
585
586
a14e5636 587
cee5f132 588#ifdef SUPPORT_PROXY
a3c86431 589/*************************************************
a3bddaa8
TL
590* Restore socket timeout to previous value *
591*************************************************/
592/* If the previous value was successfully retrieved, restore
593it before returning control to the non-proxy routines
594
595Arguments: fd - File descriptor for input
596 get_ok - Successfully retrieved previous values
597 tvtmp - Time struct with previous values
598 vslen - Length of time struct
599Returns: none
600*/
601static void
602restore_socket_timeout(int fd, int get_ok, struct timeval tvtmp, socklen_t vslen)
603{
604if (get_ok == 0)
605 setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp, vslen);
606}
607
608/*************************************************
a3c86431
TL
609* Check if host is required proxy host *
610*************************************************/
611/* The function determines if inbound host will be a regular smtp host
612or if it is configured that it must use Proxy Protocol.
613
614Arguments: none
615Returns: bool
616*/
617
618static BOOL
619check_proxy_protocol_host()
620{
621int rc;
622/* Cannot configure local connection as a proxy inbound */
623if (sender_host_address == NULL) return proxy_session;
624
7a2fa0bc 625rc = verify_check_this_host(CUSS &hosts_proxy, NULL, NULL,
a3c86431
TL
626 sender_host_address, NULL);
627if (rc == OK)
628 {
629 DEBUG(D_receive)
630 debug_printf("Detected proxy protocol configured host\n");
631 proxy_session = TRUE;
632 }
633return proxy_session;
634}
635
636
637/*************************************************
a3c86431
TL
638* Setup host for proxy protocol *
639*************************************************/
640/* The function configures the connection based on a header from the
641inbound host to use Proxy Protocol. The specification is very exact
642so exit with an error if do not find the exact required pieces. This
643includes an incorrect number of spaces separating args.
644
645Arguments: none
646Returns: int
647*/
648
649static BOOL
650setup_proxy_protocol_host()
651{
652union {
653 struct {
654 uschar line[108];
655 } v1;
656 struct {
657 uschar sig[12];
36719342
TL
658 uint8_t ver_cmd;
659 uint8_t fam;
660 uint16_t len;
a3c86431
TL
661 union {
662 struct { /* TCP/UDP over IPv4, len = 12 */
663 uint32_t src_addr;
664 uint32_t dst_addr;
665 uint16_t src_port;
666 uint16_t dst_port;
667 } ip4;
668 struct { /* TCP/UDP over IPv6, len = 36 */
669 uint8_t src_addr[16];
670 uint8_t dst_addr[16];
671 uint16_t src_port;
672 uint16_t dst_port;
673 } ip6;
674 struct { /* AF_UNIX sockets, len = 216 */
675 uschar src_addr[108];
676 uschar dst_addr[108];
677 } unx;
678 } addr;
679 } v2;
680} hdr;
681
eb57651e
TL
682/* Temp variables used in PPv2 address:port parsing */
683uint16_t tmpport;
684char tmpip[INET_ADDRSTRLEN];
685struct sockaddr_in tmpaddr;
686char tmpip6[INET6_ADDRSTRLEN];
687struct sockaddr_in6 tmpaddr6;
688
689int get_ok = 0;
a3c86431 690int size, ret, fd;
36719342 691const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
a3c86431
TL
692uschar *iptype; /* To display debug info */
693struct timeval tv;
a3bddaa8
TL
694socklen_t vslen = 0;
695struct timeval tvtmp;
696
697vslen = sizeof(struct timeval);
a3c86431
TL
698
699fd = fileno(smtp_in);
700
a3bddaa8
TL
701/* Save current socket timeout values */
702get_ok = getsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp,
703 &vslen);
704
a3c86431
TL
705/* Proxy Protocol host must send header within a short time
706(default 3 seconds) or it's considered invalid */
707tv.tv_sec = PROXY_NEGOTIATION_TIMEOUT_SEC;
708tv.tv_usec = PROXY_NEGOTIATION_TIMEOUT_USEC;
709setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv,
710 sizeof(struct timeval));
a3bddaa8 711
a3c86431
TL
712do
713 {
eb57651e
TL
714 /* The inbound host was declared to be a Proxy Protocol host, so
715 don't do a PEEK into the data, actually slurp it up. */
716 ret = recv(fd, &hdr, sizeof(hdr), 0);
a3c86431
TL
717 }
718 while (ret == -1 && errno == EINTR);
719
720if (ret == -1)
a3bddaa8
TL
721 {
722 restore_socket_timeout(fd, get_ok, tvtmp, vslen);
a3c86431 723 return (errno == EAGAIN) ? 0 : ERRNO_PROXYFAIL;
a3bddaa8 724 }
a3c86431
TL
725
726if (ret >= 16 &&
36719342 727 memcmp(&hdr.v2, v2sig, 12) == 0)
a3c86431 728 {
36719342
TL
729 uint8_t ver, cmd;
730
731 /* May 2014: haproxy combined the version and command into one byte to
732 allow two full bytes for the length field in order to proxy SSL
733 connections. SSL Proxy is not supported in this version of Exim, but
734 must still seperate values here. */
735 ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
736 cmd = (hdr.v2.ver_cmd & 0x0f);
737
738 if (ver != 0x02)
739 {
740 DEBUG(D_receive) debug_printf("Invalid Proxy Protocol version: %d\n", ver);
741 goto proxyfail;
742 }
a3c86431 743 DEBUG(D_receive) debug_printf("Detected PROXYv2 header\n");
36719342 744 /* The v2 header will always be 16 bytes per the spec. */
a3c86431
TL
745 size = 16 + hdr.v2.len;
746 if (ret < size)
747 {
36719342
TL
748 DEBUG(D_receive) debug_printf("Truncated or too large PROXYv2 header (%d/%d)\n",
749 ret, size);
a3c86431
TL
750 goto proxyfail;
751 }
36719342 752 switch (cmd)
a3c86431
TL
753 {
754 case 0x01: /* PROXY command */
755 switch (hdr.v2.fam)
756 {
eb57651e
TL
757 case 0x11: /* TCPv4 address type */
758 iptype = US"IPv4";
759 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
760 inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
761 if (!string_is_ip_address(US tmpip,NULL))
762 {
763 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
a3c86431 764 return ERRNO_PROXYFAIL;
eb57651e 765 }
e6d2a989 766 proxy_local_address = sender_host_address;
eb57651e
TL
767 sender_host_address = string_copy(US tmpip);
768 tmpport = ntohs(hdr.v2.addr.ip4.src_port);
e6d2a989 769 proxy_local_port = sender_host_port;
eb57651e
TL
770 sender_host_port = tmpport;
771 /* Save dest ip/port */
772 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
773 inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
774 if (!string_is_ip_address(US tmpip,NULL))
775 {
776 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
777 return ERRNO_PROXYFAIL;
778 }
7a2fa0bc 779 proxy_external_address = string_copy(US tmpip);
eb57651e 780 tmpport = ntohs(hdr.v2.addr.ip4.dst_port);
7a2fa0bc 781 proxy_external_port = tmpport;
a3c86431 782 goto done;
eb57651e
TL
783 case 0x21: /* TCPv6 address type */
784 iptype = US"IPv6";
785 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
786 inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
787 if (!string_is_ip_address(US tmpip6,NULL))
788 {
789 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
790 return ERRNO_PROXYFAIL;
791 }
e6d2a989 792 proxy_local_address = sender_host_address;
eb57651e
TL
793 sender_host_address = string_copy(US tmpip6);
794 tmpport = ntohs(hdr.v2.addr.ip6.src_port);
e6d2a989 795 proxy_local_port = sender_host_port;
eb57651e
TL
796 sender_host_port = tmpport;
797 /* Save dest ip/port */
798 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
799 inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
800 if (!string_is_ip_address(US tmpip6,NULL))
801 {
802 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
a3c86431 803 return ERRNO_PROXYFAIL;
eb57651e 804 }
7a2fa0bc 805 proxy_external_address = string_copy(US tmpip6);
eb57651e 806 tmpport = ntohs(hdr.v2.addr.ip6.dst_port);
7a2fa0bc 807 proxy_external_port = tmpport;
a3c86431 808 goto done;
eb57651e
TL
809 default:
810 DEBUG(D_receive)
811 debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n",
812 hdr.v2.fam);
813 goto proxyfail;
a3c86431
TL
814 }
815 /* Unsupported protocol, keep local connection address */
816 break;
817 case 0x00: /* LOCAL command */
818 /* Keep local connection address for LOCAL */
819 break;
820 default:
eb57651e 821 DEBUG(D_receive)
36719342 822 debug_printf("Unsupported PROXYv2 command: 0x%x\n", cmd);
a3c86431
TL
823 goto proxyfail;
824 }
825 }
826else if (ret >= 8 &&
827 memcmp(hdr.v1.line, "PROXY", 5) == 0)
828 {
829 uschar *p = string_copy(hdr.v1.line);
830 uschar *end = memchr(p, '\r', ret - 1);
831 uschar *sp; /* Utility variables follow */
832 int tmp_port;
833 char *endc;
834
835 if (!end || end[1] != '\n')
836 {
837 DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
838 goto proxyfail;
839 }
840 *end = '\0'; /* Terminate the string */
841 size = end + 2 - hdr.v1.line; /* Skip header + CRLF */
842 DEBUG(D_receive) debug_printf("Detected PROXYv1 header\n");
843 /* Step through the string looking for the required fields. Ensure
844 strict adherance to required formatting, exit for any error. */
845 p += 5;
846 if (!isspace(*(p++)))
847 {
848 DEBUG(D_receive) debug_printf("Missing space after PROXY command\n");
849 goto proxyfail;
850 }
851 if (!Ustrncmp(p, CCS"TCP4", 4))
852 iptype = US"IPv4";
853 else if (!Ustrncmp(p,CCS"TCP6", 4))
854 iptype = US"IPv6";
855 else if (!Ustrncmp(p,CCS"UNKNOWN", 7))
856 {
857 iptype = US"Unknown";
858 goto done;
859 }
860 else
861 {
862 DEBUG(D_receive) debug_printf("Invalid TCP type\n");
863 goto proxyfail;
864 }
865
866 p += Ustrlen(iptype);
867 if (!isspace(*(p++)))
868 {
869 DEBUG(D_receive) debug_printf("Missing space after TCP4/6 command\n");
870 goto proxyfail;
871 }
872 /* Find the end of the arg */
873 if ((sp = Ustrchr(p, ' ')) == NULL)
874 {
875 DEBUG(D_receive)
876 debug_printf("Did not find proxied src %s\n", iptype);
877 goto proxyfail;
878 }
879 *sp = '\0';
880 if(!string_is_ip_address(p,NULL))
881 {
882 DEBUG(D_receive)
883 debug_printf("Proxied src arg is not an %s address\n", iptype);
884 goto proxyfail;
885 }
e6d2a989 886 proxy_local_address = sender_host_address;
a3c86431
TL
887 sender_host_address = p;
888 p = sp + 1;
889 if ((sp = Ustrchr(p, ' ')) == NULL)
890 {
891 DEBUG(D_receive)
892 debug_printf("Did not find proxy dest %s\n", iptype);
893 goto proxyfail;
894 }
895 *sp = '\0';
896 if(!string_is_ip_address(p,NULL))
897 {
898 DEBUG(D_receive)
899 debug_printf("Proxy dest arg is not an %s address\n", iptype);
900 goto proxyfail;
901 }
7a2fa0bc 902 proxy_external_address = p;
a3c86431
TL
903 p = sp + 1;
904 if ((sp = Ustrchr(p, ' ')) == NULL)
905 {
906 DEBUG(D_receive) debug_printf("Did not find proxied src port\n");
907 goto proxyfail;
908 }
909 *sp = '\0';
910 tmp_port = strtol(CCS p,&endc,10);
911 if (*endc || tmp_port == 0)
912 {
913 DEBUG(D_receive)
914 debug_printf("Proxied src port '%s' not an integer\n", p);
915 goto proxyfail;
916 }
e6d2a989 917 proxy_local_port = sender_host_port;
a3c86431
TL
918 sender_host_port = tmp_port;
919 p = sp + 1;
920 if ((sp = Ustrchr(p, '\0')) == NULL)
921 {
922 DEBUG(D_receive) debug_printf("Did not find proxy dest port\n");
923 goto proxyfail;
924 }
925 tmp_port = strtol(CCS p,&endc,10);
926 if (*endc || tmp_port == 0)
927 {
928 DEBUG(D_receive)
929 debug_printf("Proxy dest port '%s' not an integer\n", p);
930 goto proxyfail;
931 }
7a2fa0bc 932 proxy_external_port = tmp_port;
a3c86431
TL
933 /* Already checked for /r /n above. Good V1 header received. */
934 goto done;
935 }
936else
937 {
938 /* Wrong protocol */
eb57651e 939 DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n");
a3c86431
TL
940 goto proxyfail;
941 }
942
943proxyfail:
a3bddaa8 944restore_socket_timeout(fd, get_ok, tvtmp, vslen);
a3c86431 945/* Don't flush any potential buffer contents. Any input should cause a
eb57651e 946 synchronization failure */
a3c86431
TL
947return FALSE;
948
949done:
a3bddaa8 950restore_socket_timeout(fd, get_ok, tvtmp, vslen);
a3c86431 951DEBUG(D_receive)
eb57651e 952 debug_printf("Valid %s sender from Proxy Protocol header\n", iptype);
a3c86431
TL
953return proxy_session;
954}
955#endif
956
059ec3d9
PH
957/*************************************************
958* Read one command line *
959*************************************************/
960
961/* Strictly, SMTP commands coming over the net are supposed to end with CRLF.
962There are sites that don't do this, and in any case internal SMTP probably
963should check only for LF. Consequently, we check here for LF only. The line
964ends up with [CR]LF removed from its end. If we get an overlong line, treat as
3ee512ff
PH
965an unknown command. The command is read into the global smtp_cmd_buffer so that
966it is available via $smtp_command.
059ec3d9
PH
967
968The character reading routine sets up a timeout for each block actually read
969from the input (which may contain more than one command). We set up a special
970signal handler that closes down the session on a timeout. Control does not
971return when it runs.
972
973Arguments:
974 check_sync if TRUE, check synchronization rules if global option is TRUE
975
976Returns: a code identifying the command (enumerated above)
977*/
978
979static int
980smtp_read_command(BOOL check_sync)
981{
982int c;
983int ptr = 0;
984smtp_cmd_list *p;
985BOOL hadnull = FALSE;
986
987os_non_restarting_signal(SIGALRM, command_timeout_handler);
988
989while ((c = (receive_getc)()) != '\n' && c != EOF)
990 {
3ee512ff 991 if (ptr >= smtp_cmd_buffer_size)
059ec3d9
PH
992 {
993 os_non_restarting_signal(SIGALRM, sigalrm_handler);
994 return OTHER_CMD;
995 }
996 if (c == 0)
997 {
998 hadnull = TRUE;
999 c = '?';
1000 }
3ee512ff 1001 smtp_cmd_buffer[ptr++] = c;
059ec3d9
PH
1002 }
1003
1004receive_linecount++; /* For BSMTP errors */
1005os_non_restarting_signal(SIGALRM, sigalrm_handler);
1006
1007/* If hit end of file, return pseudo EOF command. Whether we have a
1008part-line already read doesn't matter, since this is an error state. */
1009
1010if (c == EOF) return EOF_CMD;
1011
1012/* Remove any CR and white space at the end of the line, and terminate the
1013string. */
1014
3ee512ff
PH
1015while (ptr > 0 && isspace(smtp_cmd_buffer[ptr-1])) ptr--;
1016smtp_cmd_buffer[ptr] = 0;
059ec3d9 1017
3ee512ff 1018DEBUG(D_receive) debug_printf("SMTP<< %s\n", smtp_cmd_buffer);
059ec3d9
PH
1019
1020/* NULLs are not allowed in SMTP commands */
1021
1022if (hadnull) return BADCHAR_CMD;
1023
1024/* Scan command list and return identity, having set the data pointer
1025to the start of the actual data characters. Check for SMTP synchronization
1026if required. */
1027
1028for (p = cmd_list; p < cmd_list_end; p++)
1029 {
cee5f132 1030 #ifdef SUPPORT_PROXY
a3c86431
TL
1031 /* Only allow QUIT command if Proxy Protocol parsing failed */
1032 if (proxy_session && proxy_session_failed)
1033 {
1034 if (p->cmd != QUIT_CMD)
1035 continue;
1036 }
1037 #endif
2f460950
JH
1038 if ( p->len
1039 && strncmpic(smtp_cmd_buffer, US p->name, p->len) == 0
1040 && ( smtp_cmd_buffer[p->len-1] == ':' /* "mail from:" or "rcpt to:" */
1041 || smtp_cmd_buffer[p->len] == 0
1042 || smtp_cmd_buffer[p->len] == ' '
1043 ) )
059ec3d9
PH
1044 {
1045 if (smtp_inptr < smtp_inend && /* Outstanding input */
1046 p->cmd < sync_cmd_limit && /* Command should sync */
1047 check_sync && /* Local flag set */
1048 smtp_enforce_sync && /* Global flag set */
1049 sender_host_address != NULL && /* Not local input */
1050 !sender_host_notsocket) /* Really is a socket */
1051 return BADSYN_CMD;
1052
ca86f471
PH
1053 /* The variables $smtp_command and $smtp_command_argument point into the
1054 unmodified input buffer. A copy of the latter is taken for actual
1055 processing, so that it can be chopped up into separate parts if necessary,
1056 for example, when processing a MAIL command options such as SIZE that can
1057 follow the sender address. */
059ec3d9 1058
3ee512ff 1059 smtp_cmd_argument = smtp_cmd_buffer + p->len;
ca86f471
PH
1060 while (isspace(*smtp_cmd_argument)) smtp_cmd_argument++;
1061 Ustrcpy(smtp_data_buffer, smtp_cmd_argument);
1062 smtp_cmd_data = smtp_data_buffer;
059ec3d9
PH
1063
1064 /* Count non-mail commands from those hosts that are controlled in this
1065 way. The default is all hosts. We don't waste effort checking the list
1066 until we get a non-mail command, but then cache the result to save checking
1067 again. If there's a DEFER while checking the host, assume it's in the list.
1068
1069 Note that one instance of RSET, EHLO/HELO, and STARTTLS is allowed at the
1070 start of each incoming message by fiddling with the value in the table. */
1071
1072 if (!p->is_mail_cmd)
1073 {
1074 if (count_nonmail == TRUE_UNSET) count_nonmail =
1075 verify_check_host(&smtp_accept_max_nonmail_hosts) != FAIL;
1076 if (count_nonmail && ++nonmail_command_count > smtp_accept_max_nonmail)
1077 return TOO_MANY_NONMAIL_CMD;
1078 }
1079
ca86f471
PH
1080 /* If there is data for a command that does not expect it, generate the
1081 error here. */
059ec3d9 1082
ca86f471 1083 return (p->has_arg || *smtp_cmd_data == 0)? p->cmd : BADARG_CMD;
059ec3d9
PH
1084 }
1085 }
1086
cee5f132 1087#ifdef SUPPORT_PROXY
a3c86431
TL
1088/* Only allow QUIT command if Proxy Protocol parsing failed */
1089if (proxy_session && proxy_session_failed)
1090 return PROXY_FAIL_IGNORE_CMD;
1091#endif
1092
059ec3d9
PH
1093/* Enforce synchronization for unknown commands */
1094
1095if (smtp_inptr < smtp_inend && /* Outstanding input */
1096 check_sync && /* Local flag set */
1097 smtp_enforce_sync && /* Global flag set */
1098 sender_host_address != NULL && /* Not local input */
1099 !sender_host_notsocket) /* Really is a socket */
1100 return BADSYN_CMD;
1101
1102return OTHER_CMD;
1103}
1104
1105
1106
1107/*************************************************
a14e5636
PH
1108* Recheck synchronization *
1109*************************************************/
1110
1111/* Synchronization checks can never be perfect because a packet may be on its
1112way but not arrived when the check is done. Such checks can in any case only be
1113done when TLS is not in use. Normally, the checks happen when commands are
1114read: Exim ensures that there is no more input in the input buffer. In normal
1115cases, the response to the command will be fast, and there is no further check.
1116
1117However, for some commands an ACL is run, and that can include delays. In those
1118cases, it is useful to do another check on the input just before sending the
1119response. This also applies at the start of a connection. This function does
1120that check by means of the select() function, as long as the facility is not
1121disabled or inappropriate. A failure of select() is ignored.
1122
1123When there is unwanted input, we read it so that it appears in the log of the
1124error.
1125
1126Arguments: none
1127Returns: TRUE if all is well; FALSE if there is input pending
1128*/
1129
1130static BOOL
1131check_sync(void)
1132{
1133int fd, rc;
1134fd_set fds;
1135struct timeval tzero;
1136
1137if (!smtp_enforce_sync || sender_host_address == NULL ||
817d9f57 1138 sender_host_notsocket || tls_in.active >= 0)
a14e5636
PH
1139 return TRUE;
1140
1141fd = fileno(smtp_in);
1142FD_ZERO(&fds);
1143FD_SET(fd, &fds);
1144tzero.tv_sec = 0;
1145tzero.tv_usec = 0;
1146rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
1147
1148if (rc <= 0) return TRUE; /* Not ready to read */
1149rc = smtp_getc();
1150if (rc < 0) return TRUE; /* End of file or error */
1151
1152smtp_ungetc(rc);
1153rc = smtp_inend - smtp_inptr;
1154if (rc > 150) rc = 150;
1155smtp_inptr[rc] = 0;
1156return FALSE;
1157}
1158
1159
1160
1161/*************************************************
059ec3d9
PH
1162* Forced closedown of call *
1163*************************************************/
1164
1165/* This function is called from log.c when Exim is dying because of a serious
1166disaster, and also from some other places. If an incoming non-batched SMTP
1167channel is open, it swallows the rest of the incoming message if in the DATA
1168phase, sends the reply string, and gives an error to all subsequent commands
1169except QUIT. The existence of an SMTP call is detected by the non-NULLness of
1170smtp_in.
1171
8f128379
PH
1172Arguments:
1173 message SMTP reply string to send, excluding the code
1174
059ec3d9
PH
1175Returns: nothing
1176*/
1177
1178void
1179smtp_closedown(uschar *message)
1180{
1181if (smtp_in == NULL || smtp_batched_input) return;
1182receive_swallow_smtp();
1183smtp_printf("421 %s\r\n", message);
1184
1185for (;;)
1186 {
1187 switch(smtp_read_command(FALSE))
1188 {
1189 case EOF_CMD:
1190 return;
1191
1192 case QUIT_CMD:
1193 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
1194 mac_smtp_fflush();
1195 return;
1196
1197 case RSET_CMD:
1198 smtp_printf("250 Reset OK\r\n");
1199 break;
1200
1201 default:
1202 smtp_printf("421 %s\r\n", message);
1203 break;
1204 }
1205 }
1206}
1207
1208
1209
1210
1211/*************************************************
1212* Set up connection info for logging *
1213*************************************************/
1214
1215/* This function is called when logging information about an SMTP connection.
1216It sets up appropriate source information, depending on the type of connection.
dac79d3e
PH
1217If sender_fullhost is NULL, we are at a very early stage of the connection;
1218just use the IP address.
059ec3d9
PH
1219
1220Argument: none
1221Returns: a string describing the connection
1222*/
1223
1224uschar *
1225smtp_get_connection_info(void)
1226{
dac79d3e
PH
1227uschar *hostname = (sender_fullhost == NULL)?
1228 sender_host_address : sender_fullhost;
1229
059ec3d9 1230if (host_checking)
dac79d3e 1231 return string_sprintf("SMTP connection from %s", hostname);
059ec3d9
PH
1232
1233if (sender_host_unknown || sender_host_notsocket)
1234 return string_sprintf("SMTP connection from %s", sender_ident);
1235
1236if (is_inetd)
dac79d3e 1237 return string_sprintf("SMTP connection from %s (via inetd)", hostname);
059ec3d9 1238
6c6d6e48 1239if (LOGGING(incoming_interface) && interface_address != NULL)
dac79d3e 1240 return string_sprintf("SMTP connection from %s I=[%s]:%d", hostname,
059ec3d9
PH
1241 interface_address, interface_port);
1242
dac79d3e 1243return string_sprintf("SMTP connection from %s", hostname);
059ec3d9
PH
1244}
1245
1246
1247
e45a1c37 1248#ifdef SUPPORT_TLS
887291d2
JH
1249/* Append TLS-related information to a log line
1250
1251Arguments:
1252 s String under construction: allocated string to extend, or NULL
1253 sizep Pointer to current allocation size (update on return), or NULL
1254 ptrp Pointer to index for new entries in string (update on return), or NULL
1255
1256Returns: Allocated string or NULL
1257*/
e45a1c37
JH
1258static uschar *
1259s_tlslog(uschar * s, int * sizep, int * ptrp)
1260{
1261 int size = sizep ? *sizep : 0;
1262 int ptr = ptrp ? *ptrp : 0;
1263
6c6d6e48 1264 if (LOGGING(tls_cipher) && tls_in.cipher != NULL)
e45a1c37 1265 s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher);
6c6d6e48 1266 if (LOGGING(tls_certificate_verified) && tls_in.cipher != NULL)
e45a1c37
JH
1267 s = string_append(s, &size, &ptr, 2, US" CV=",
1268 tls_in.certificate_verified? "yes":"no");
6c6d6e48 1269 if (LOGGING(tls_peerdn) && tls_in.peerdn != NULL)
e45a1c37
JH
1270 s = string_append(s, &size, &ptr, 3, US" DN=\"",
1271 string_printing(tls_in.peerdn), US"\"");
6c6d6e48 1272 if (LOGGING(tls_sni) && tls_in.sni != NULL)
e45a1c37
JH
1273 s = string_append(s, &size, &ptr, 3, US" SNI=\"",
1274 string_printing(tls_in.sni), US"\"");
1275
67d81c10
JH
1276 if (s)
1277 {
1278 s[ptr] = '\0';
1279 if (sizep) *sizep = size;
1280 if (ptrp) *ptrp = ptr;
1281 }
e45a1c37
JH
1282 return s;
1283}
1284#endif
1285
059ec3d9 1286/*************************************************
b4ed4da0
PH
1287* Log lack of MAIL if so configured *
1288*************************************************/
1289
1290/* This function is called when an SMTP session ends. If the log selector
1291smtp_no_mail is set, write a log line giving some details of what has happened
1292in the SMTP session.
1293
1294Arguments: none
1295Returns: nothing
1296*/
1297
1298void
1299smtp_log_no_mail(void)
1300{
1301int size, ptr, i;
1302uschar *s, *sep;
1303
6c6d6e48 1304if (smtp_mailcmd_count > 0 || !LOGGING(smtp_no_mail))
b4ed4da0
PH
1305 return;
1306
1307s = NULL;
1308size = ptr = 0;
1309
1310if (sender_host_authenticated != NULL)
1311 {
1312 s = string_append(s, &size, &ptr, 2, US" A=", sender_host_authenticated);
1313 if (authenticated_id != NULL)
1314 s = string_append(s, &size, &ptr, 2, US":", authenticated_id);
1315 }
1316
1317#ifdef SUPPORT_TLS
e45a1c37 1318s = s_tlslog(s, &size, &ptr);
3f0945ff 1319#endif
b4ed4da0
PH
1320
1321sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
1322 US" C=..." : US" C=";
1323for (i = smtp_ch_index; i < SMTP_HBUFF_SIZE; i++)
1324 {
1325 if (smtp_connection_had[i] != SCH_NONE)
1326 {
1327 s = string_append(s, &size, &ptr, 2, sep,
1328 smtp_names[smtp_connection_had[i]]);
1329 sep = US",";
1330 }
1331 }
1332
1333for (i = 0; i < smtp_ch_index; i++)
1334 {
1335 s = string_append(s, &size, &ptr, 2, sep, smtp_names[smtp_connection_had[i]]);
1336 sep = US",";
1337 }
1338
1339if (s != NULL) s[ptr] = 0; else s = US"";
1340log_write(0, LOG_MAIN, "no MAIL in SMTP connection from %s D=%s%s",
1341 host_and_ident(FALSE),
19050083
JH
1342 readconf_printtime( (int) ((long)time(NULL) - (long)smtp_connection_start)),
1343 s);
b4ed4da0
PH
1344}
1345
1346
1347
1348/*************************************************
059ec3d9
PH
1349* Check HELO line and set sender_helo_name *
1350*************************************************/
1351
1352/* Check the format of a HELO line. The data for HELO/EHLO is supposed to be
1353the domain name of the sending host, or an ip literal in square brackets. The
1354arrgument is placed in sender_helo_name, which is in malloc store, because it
1355must persist over multiple incoming messages. If helo_accept_junk is set, this
1356host is permitted to send any old junk (needed for some broken hosts).
1357Otherwise, helo_allow_chars can be used for rogue characters in general
1358(typically people want to let in underscores).
1359
1360Argument:
1361 s the data portion of the line (already past any white space)
1362
1363Returns: TRUE or FALSE
1364*/
1365
1366static BOOL
1367check_helo(uschar *s)
1368{
1369uschar *start = s;
1370uschar *end = s + Ustrlen(s);
1371BOOL yield = helo_accept_junk;
1372
1373/* Discard any previous helo name */
1374
1375if (sender_helo_name != NULL)
1376 {
1377 store_free(sender_helo_name);
1378 sender_helo_name = NULL;
1379 }
1380
1381/* Skip tests if junk is permitted. */
1382
1383if (!yield)
1384 {
1385 /* Allow the new standard form for IPv6 address literals, namely,
1386 [IPv6:....], and because someone is bound to use it, allow an equivalent
1387 IPv4 form. Allow plain addresses as well. */
1388
1389 if (*s == '[')
1390 {
1391 if (end[-1] == ']')
1392 {
1393 end[-1] = 0;
1394 if (strncmpic(s, US"[IPv6:", 6) == 0)
1395 yield = (string_is_ip_address(s+6, NULL) == 6);
1396 else if (strncmpic(s, US"[IPv4:", 6) == 0)
1397 yield = (string_is_ip_address(s+6, NULL) == 4);
1398 else
1399 yield = (string_is_ip_address(s+1, NULL) != 0);
1400 end[-1] = ']';
1401 }
1402 }
1403
1404 /* Non-literals must be alpha, dot, hyphen, plus any non-valid chars
1405 that have been configured (usually underscore - sigh). */
1406
1407 else if (*s != 0)
1408 {
1409 yield = TRUE;
1410 while (*s != 0)
1411 {
1412 if (!isalnum(*s) && *s != '.' && *s != '-' &&
1413 Ustrchr(helo_allow_chars, *s) == NULL)
1414 {
1415 yield = FALSE;
1416 break;
1417 }
1418 s++;
1419 }
1420 }
1421 }
1422
1423/* Save argument if OK */
1424
1425if (yield) sender_helo_name = string_copy_malloc(start);
1426return yield;
1427}
1428
1429
1430
1431
1432
1433/*************************************************
1434* Extract SMTP command option *
1435*************************************************/
1436
ca86f471 1437/* This function picks the next option setting off the end of smtp_cmd_data. It
059ec3d9
PH
1438is called for MAIL FROM and RCPT TO commands, to pick off the optional ESMTP
1439things that can appear there.
1440
1441Arguments:
1442 name point this at the name
1443 value point this at the data string
1444
1445Returns: TRUE if found an option
1446*/
1447
1448static BOOL
1449extract_option(uschar **name, uschar **value)
1450{
1451uschar *n;
ca86f471 1452uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
059ec3d9
PH
1453while (isspace(*v)) v--;
1454v[1] = 0;
ca86f471 1455while (v > smtp_cmd_data && *v != '=' && !isspace(*v)) v--;
059ec3d9
PH
1456
1457n = v;
fd98a5c6
JH
1458if (*v == '=')
1459{
1460 while(isalpha(n[-1])) n--;
1461 /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
1462 if (!isspace(n[-1])) return FALSE;
1463 n[-1] = 0;
1464}
1465else
1466{
1467 n++;
1468 if (v == smtp_cmd_data) return FALSE;
1469}
059ec3d9 1470*v++ = 0;
fd98a5c6 1471*name = n;
059ec3d9
PH
1472*value = v;
1473return TRUE;
1474}
1475
1476
1477
1478
1479
059ec3d9
PH
1480/*************************************************
1481* Reset for new message *
1482*************************************************/
1483
1484/* This function is called whenever the SMTP session is reset from
1485within either of the setup functions.
1486
1487Argument: the stacking pool storage reset point
1488Returns: nothing
1489*/
1490
1491static void
1492smtp_reset(void *reset_point)
1493{
059ec3d9
PH
1494store_reset(reset_point);
1495recipients_list = NULL;
1496rcpt_count = rcpt_defer_count = rcpt_fail_count =
1497 raw_recipients_count = recipients_count = recipients_list_max = 0;
2e5b33cd 1498cancel_cutthrough_connection("smtp reset");
2e0c1448 1499message_linecount = 0;
059ec3d9 1500message_size = -1;
71fafd95 1501acl_added_headers = NULL;
e7568d51 1502acl_removed_headers = NULL;
059ec3d9 1503queue_only_policy = FALSE;
2679d413
PH
1504rcpt_smtp_response = NULL;
1505rcpt_smtp_response_same = TRUE;
1506rcpt_in_progress = FALSE;
69358f02 1507deliver_freeze = FALSE; /* Can be set by ACL */
6a3f1455 1508freeze_tell = freeze_tell_config; /* Can be set by ACL */
29aba418 1509fake_response = OK; /* Can be set by ACL */
6951ac6c 1510#ifdef WITH_CONTENT_SCAN
8523533c
TK
1511no_mbox_unspool = FALSE; /* Can be set by ACL */
1512#endif
69358f02 1513submission_mode = FALSE; /* Can be set by ACL */
f4ee74ac 1514suppress_local_fixups = suppress_local_fixups_default; /* Can be set by ACL */
69358f02
PH
1515active_local_from_check = local_from_check; /* Can be set by ACL */
1516active_local_sender_retain = local_sender_retain; /* Can be set by ACL */
059ec3d9 1517sender_address = NULL;
2fe1a124 1518submission_name = NULL; /* Can be set by ACL */
059ec3d9
PH
1519raw_sender = NULL; /* After SMTP rewrite, before qualifying */
1520sender_address_unrewritten = NULL; /* Set only after verify rewrite */
1521sender_verified_list = NULL; /* No senders verified */
1522memset(sender_address_cache, 0, sizeof(sender_address_cache));
1523memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
6c1c3d1d 1524
059ec3d9 1525authenticated_sender = NULL;
8523533c
TK
1526#ifdef EXPERIMENTAL_BRIGHTMAIL
1527bmi_run = 0;
1528bmi_verdicts = NULL;
1529#endif
18481de3 1530chunking_state = CHUNKING_NOT_OFFERED;
80a47a2c 1531#ifndef DISABLE_DKIM
9e5d6b55 1532dkim_signers = NULL;
80a47a2c
TK
1533dkim_disable_verify = FALSE;
1534dkim_collect_input = FALSE;
f7572e5a 1535#endif
aa368db3
JH
1536dsn_ret = 0;
1537dsn_envid = NULL;
1538#ifndef DISABLE_PRDR
1539prdr_requested = FALSE;
1540#endif
8523533c
TK
1541#ifdef EXPERIMENTAL_SPF
1542spf_header_comment = NULL;
1543spf_received = NULL;
8e669ac1 1544spf_result = NULL;
8523533c
TK
1545spf_smtp_comment = NULL;
1546#endif
8c5d388a 1547#ifdef SUPPORT_I18N
d1a13eea
JH
1548message_smtputf8 = FALSE;
1549#endif
059ec3d9
PH
1550body_linecount = body_zerocount = 0;
1551
870f6ba8
TF
1552sender_rate = sender_rate_limit = sender_rate_period = NULL;
1553ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */
1554 /* Note that ratelimiters_conn persists across resets. */
1555
38a0a95f 1556/* Reset message ACL variables */
47ca6d6c 1557
38a0a95f 1558acl_var_m = NULL;
059ec3d9
PH
1559
1560/* The message body variables use malloc store. They may be set if this is
1561not the first message in an SMTP session and the previous message caused them
1562to be referenced in an ACL. */
1563
1564if (message_body != NULL)
1565 {
1566 store_free(message_body);
1567 message_body = NULL;
1568 }
1569
1570if (message_body_end != NULL)
1571 {
1572 store_free(message_body_end);
1573 message_body_end = NULL;
1574 }
1575
1576/* Warning log messages are also saved in malloc store. They are saved to avoid
1577repetition in the same message, but it seems right to repeat them for different
4e88a19f 1578messages. */
059ec3d9
PH
1579
1580while (acl_warn_logged != NULL)
1581 {
1582 string_item *this = acl_warn_logged;
1583 acl_warn_logged = acl_warn_logged->next;
1584 store_free(this);
1585 }
1586}
1587
1588
1589
1590
1591
1592/*************************************************
1593* Initialize for incoming batched SMTP message *
1594*************************************************/
1595
1596/* This function is called from smtp_setup_msg() in the case when
1597smtp_batched_input is true. This happens when -bS is used to pass a whole batch
1598of messages in one file with SMTP commands between them. All errors must be
1599reported by sending a message, and only MAIL FROM, RCPT TO, and DATA are
1600relevant. After an error on a sender, or an invalid recipient, the remainder
1601of the message is skipped. The value of received_protocol is already set.
1602
1603Argument: none
1604Returns: > 0 message successfully started (reached DATA)
1605 = 0 QUIT read or end of file reached
1606 < 0 should not occur
1607*/
1608
1609static int
1610smtp_setup_batch_msg(void)
1611{
1612int done = 0;
1613void *reset_point = store_get(0);
1614
1615/* Save the line count at the start of each transaction - single commands
1616like HELO and RSET count as whole transactions. */
1617
1618bsmtp_transaction_linecount = receive_linecount;
1619
1620if ((receive_feof)()) return 0; /* Treat EOF as QUIT */
1621
1622smtp_reset(reset_point); /* Reset for start of message */
1623
1624/* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
1625value. The values are 2 larger than the required yield of the function. */
1626
1627while (done <= 0)
1628 {
1629 uschar *errmess;
1630 uschar *recipient = NULL;
1631 int start, end, sender_domain, recipient_domain;
1632
1633 switch(smtp_read_command(FALSE))
1634 {
1635 /* The HELO/EHLO commands set sender_address_helo if they have
1636 valid data; otherwise they are ignored, except that they do
1637 a reset of the state. */
1638
1639 case HELO_CMD:
1640 case EHLO_CMD:
1641
ca86f471 1642 check_helo(smtp_cmd_data);
059ec3d9
PH
1643 /* Fall through */
1644
1645 case RSET_CMD:
1646 smtp_reset(reset_point);
1647 bsmtp_transaction_linecount = receive_linecount;
1648 break;
1649
1650
1651 /* The MAIL FROM command requires an address as an operand. All we
1652 do here is to parse it for syntactic correctness. The form "<>" is
1653 a special case which converts into an empty string. The start/end
1654 pointers in the original are not used further for this address, as
1655 it is the canonical extracted address which is all that is kept. */
1656
1657 case MAIL_CMD:
474f71bf 1658 smtp_mailcmd_count++; /* Count for no-mail log */
059ec3d9
PH
1659 if (sender_address != NULL)
1660 /* The function moan_smtp_batch() does not return. */
3ee512ff 1661 moan_smtp_batch(smtp_cmd_buffer, "503 Sender already given");
059ec3d9 1662
ca86f471 1663 if (smtp_cmd_data[0] == 0)
059ec3d9 1664 /* The function moan_smtp_batch() does not return. */
3ee512ff 1665 moan_smtp_batch(smtp_cmd_buffer, "501 MAIL FROM must have an address operand");
059ec3d9
PH
1666
1667 /* Reset to start of message */
1668
1669 smtp_reset(reset_point);
1670
1671 /* Apply SMTP rewrite */
1672
1673 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
ca86f471
PH
1674 rewrite_one(smtp_cmd_data, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
1675 US"", global_rewrite_rules) : smtp_cmd_data;
059ec3d9
PH
1676
1677 /* Extract the address; the TRUE flag allows <> as valid */
1678
1679 raw_sender =
1680 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
1681 TRUE);
1682
1683 if (raw_sender == NULL)
1684 /* The function moan_smtp_batch() does not return. */
3ee512ff 1685 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
059ec3d9
PH
1686
1687 sender_address = string_copy(raw_sender);
1688
1689 /* Qualify unqualified sender addresses if permitted to do so. */
1690
1691 if (sender_domain == 0 && sender_address[0] != 0 && sender_address[0] != '@')
1692 {
1693 if (allow_unqualified_sender)
1694 {
1695 sender_address = rewrite_address_qualify(sender_address, FALSE);
1696 DEBUG(D_receive) debug_printf("unqualified address %s accepted "
1697 "and rewritten\n", raw_sender);
1698 }
1699 /* The function moan_smtp_batch() does not return. */
3ee512ff 1700 else moan_smtp_batch(smtp_cmd_buffer, "501 sender address must contain "
059ec3d9
PH
1701 "a domain");
1702 }
1703 break;
1704
1705
1706 /* The RCPT TO command requires an address as an operand. All we do
1707 here is to parse it for syntactic correctness. There may be any number
1708 of RCPT TO commands, specifying multiple senders. We build them all into
1709 a data structure that is in argc/argv format. The start/end values
1710 given by parse_extract_address are not used, as we keep only the
1711 extracted address. */
1712
1713 case RCPT_CMD:
1714 if (sender_address == NULL)
1715 /* The function moan_smtp_batch() does not return. */
3ee512ff 1716 moan_smtp_batch(smtp_cmd_buffer, "503 No sender yet given");
059ec3d9 1717
ca86f471 1718 if (smtp_cmd_data[0] == 0)
059ec3d9 1719 /* The function moan_smtp_batch() does not return. */
3ee512ff 1720 moan_smtp_batch(smtp_cmd_buffer, "501 RCPT TO must have an address operand");
059ec3d9
PH
1721
1722 /* Check maximum number allowed */
1723
1724 if (recipients_max > 0 && recipients_count + 1 > recipients_max)
1725 /* The function moan_smtp_batch() does not return. */
3ee512ff 1726 moan_smtp_batch(smtp_cmd_buffer, "%s too many recipients",
059ec3d9
PH
1727 recipients_max_reject? "552": "452");
1728
1729 /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a
1730 recipient address */
1731
2685d6e0
JH
1732 recipient = rewrite_existflags & rewrite_smtp
1733 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
1734 global_rewrite_rules)
1735 : smtp_cmd_data;
059ec3d9 1736
059ec3d9
PH
1737 recipient = parse_extract_address(recipient, &errmess, &start, &end,
1738 &recipient_domain, FALSE);
059ec3d9 1739
2685d6e0 1740 if (!recipient)
059ec3d9 1741 /* The function moan_smtp_batch() does not return. */
3ee512ff 1742 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
059ec3d9
PH
1743
1744 /* If the recipient address is unqualified, qualify it if permitted. Then
1745 add it to the list of recipients. */
1746
1747 if (recipient_domain == 0)
1748 {
1749 if (allow_unqualified_recipient)
1750 {
1751 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
1752 recipient);
1753 recipient = rewrite_address_qualify(recipient, TRUE);
1754 }
1755 /* The function moan_smtp_batch() does not return. */
3ee512ff 1756 else moan_smtp_batch(smtp_cmd_buffer, "501 recipient address must contain "
059ec3d9
PH
1757 "a domain");
1758 }
1759 receive_add_recipient(recipient, -1);
1760 break;
1761
1762
1763 /* The DATA command is legal only if it follows successful MAIL FROM
1764 and RCPT TO commands. This function is complete when a valid DATA
1765 command is encountered. */
1766
1767 case DATA_CMD:
1768 if (sender_address == NULL || recipients_count <= 0)
1769 {
1770 /* The function moan_smtp_batch() does not return. */
1771 if (sender_address == NULL)
3ee512ff 1772 moan_smtp_batch(smtp_cmd_buffer,
059ec3d9
PH
1773 "503 MAIL FROM:<sender> command must precede DATA");
1774 else
3ee512ff 1775 moan_smtp_batch(smtp_cmd_buffer,
059ec3d9
PH
1776 "503 RCPT TO:<recipient> must precede DATA");
1777 }
1778 else
1779 {
1780 done = 3; /* DATA successfully achieved */
1781 message_ended = END_NOTENDED; /* Indicate in middle of message */
1782 }
1783 break;
1784
1785
1786 /* The VRFY, EXPN, HELP, ETRN, and NOOP commands are ignored. */
1787
1788 case VRFY_CMD:
1789 case EXPN_CMD:
1790 case HELP_CMD:
1791 case NOOP_CMD:
1792 case ETRN_CMD:
1793 bsmtp_transaction_linecount = receive_linecount;
1794 break;
1795
1796
1797 case EOF_CMD:
1798 case QUIT_CMD:
1799 done = 2;
1800 break;
1801
1802
1803 case BADARG_CMD:
1804 /* The function moan_smtp_batch() does not return. */
3ee512ff 1805 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected argument data");
059ec3d9
PH
1806 break;
1807
1808
1809 case BADCHAR_CMD:
1810 /* The function moan_smtp_batch() does not return. */
3ee512ff 1811 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected NULL in SMTP command");
059ec3d9
PH
1812 break;
1813
1814
1815 default:
1816 /* The function moan_smtp_batch() does not return. */
3ee512ff 1817 moan_smtp_batch(smtp_cmd_buffer, "500 Command unrecognized");
059ec3d9
PH
1818 break;
1819 }
1820 }
1821
1822return done - 2; /* Convert yield values */
1823}
1824
1825
1826
1827
1828/*************************************************
1829* Start an SMTP session *
1830*************************************************/
1831
1832/* This function is called at the start of an SMTP session. Thereafter,
1833smtp_setup_msg() is called to initiate each separate message. This
1834function does host-specific testing, and outputs the banner line.
1835
1836Arguments: none
1837Returns: FALSE if the session can not continue; something has
1838 gone wrong, or the connection to the host is blocked
1839*/
1840
1841BOOL
1842smtp_start_session(void)
1843{
1844int size = 256;
4e88a19f
PH
1845int ptr, esclen;
1846uschar *user_msg, *log_msg;
1847uschar *code, *esc;
059ec3d9
PH
1848uschar *p, *s, *ss;
1849
b4ed4da0
PH
1850smtp_connection_start = time(NULL);
1851for (smtp_ch_index = 0; smtp_ch_index < SMTP_HBUFF_SIZE; smtp_ch_index++)
1852 smtp_connection_had[smtp_ch_index] = SCH_NONE;
1853smtp_ch_index = 0;
1854
00f00ca5
PH
1855/* Default values for certain variables */
1856
059ec3d9 1857helo_seen = esmtp = helo_accept_junk = FALSE;
b4ed4da0 1858smtp_mailcmd_count = 0;
059ec3d9
PH
1859count_nonmail = TRUE_UNSET;
1860synprot_error_count = unknown_command_count = nonmail_command_count = 0;
1861smtp_delay_mail = smtp_rlm_base;
1862auth_advertised = FALSE;
1863pipelining_advertised = FALSE;
cf8b11a5 1864pipelining_enable = TRUE;
059ec3d9 1865sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
8f128379 1866smtp_exit_function_called = FALSE; /* For avoiding loop in not-quit exit */
059ec3d9 1867
33d73e3b
PH
1868/* If receiving by -bs from a trusted user, or testing with -bh, we allow
1869authentication settings from -oMaa to remain in force. */
1870
1871if (!host_checking && !sender_host_notsocket) sender_host_authenticated = NULL;
059ec3d9
PH
1872authenticated_by = NULL;
1873
1874#ifdef SUPPORT_TLS
817d9f57 1875tls_in.cipher = tls_in.peerdn = NULL;
9d1c15ef
JH
1876tls_in.ourcert = tls_in.peercert = NULL;
1877tls_in.sni = NULL;
44662487 1878tls_in.ocsp = OCSP_NOT_REQ;
059ec3d9
PH
1879tls_advertised = FALSE;
1880#endif
6c1c3d1d 1881dsn_advertised = FALSE;
8c5d388a 1882#ifdef SUPPORT_I18N
d1a13eea
JH
1883smtputf8_advertised = FALSE;
1884#endif
059ec3d9
PH
1885
1886/* Reset ACL connection variables */
1887
38a0a95f 1888acl_var_c = NULL;
059ec3d9 1889
ca86f471 1890/* Allow for trailing 0 in the command and data buffers. */
3ee512ff 1891
ca86f471 1892smtp_cmd_buffer = (uschar *)malloc(2*smtp_cmd_buffer_size + 2);
3ee512ff 1893if (smtp_cmd_buffer == NULL)
059ec3d9
PH
1894 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1895 "malloc() failed for SMTP command buffer");
2416c261 1896smtp_cmd_buffer[0] = 0;
ca86f471 1897smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;
059ec3d9
PH
1898
1899/* For batched input, the protocol setting can be overridden from the
1900command line by a trusted caller. */
1901
1902if (smtp_batched_input)
1903 {
1904 if (received_protocol == NULL) received_protocol = US"local-bsmtp";
1905 }
1906
1907/* For non-batched SMTP input, the protocol setting is forced here. It will be
1908reset later if any of EHLO/AUTH/STARTTLS are received. */
1909
1910else
1911 received_protocol =
e524074d 1912 (sender_host_address ? protocols : protocols_local) [pnormal];
059ec3d9
PH
1913
1914/* Set up the buffer for inputting using direct read() calls, and arrange to
1915call the local functions instead of the standard C ones. */
1916
1917smtp_inbuffer = (uschar *)malloc(in_buffer_size);
1918if (smtp_inbuffer == NULL)
1919 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
1920receive_getc = smtp_getc;
1921receive_ungetc = smtp_ungetc;
1922receive_feof = smtp_feof;
1923receive_ferror = smtp_ferror;
58eb016e 1924receive_smtp_buffered = smtp_buffered;
059ec3d9
PH
1925smtp_inptr = smtp_inend = smtp_inbuffer;
1926smtp_had_eof = smtp_had_error = 0;
1927
1928/* Set up the message size limit; this may be host-specific */
1929
d45b1de8
PH
1930thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
1931if (expand_string_message != NULL)
059ec3d9
PH
1932 {
1933 if (thismessage_size_limit == -1)
1934 log_write(0, LOG_MAIN|LOG_PANIC, "unable to expand message_size_limit: "
1935 "%s", expand_string_message);
1936 else
1937 log_write(0, LOG_MAIN|LOG_PANIC, "invalid message_size_limit: "
1938 "%s", expand_string_message);
1939 smtp_closedown(US"Temporary local problem - please try later");
1940 return FALSE;
1941 }
1942
1943/* When a message is input locally via the -bs or -bS options, sender_host_
1944unknown is set unless -oMa was used to force an IP address, in which case it
1945is checked like a real remote connection. When -bs is used from inetd, this
1946flag is not set, causing the sending host to be checked. The code that deals
1947with IP source routing (if configured) is never required for -bs or -bS and
1948the flag sender_host_notsocket is used to suppress it.
1949
1950If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
1951reserve for certain hosts and/or networks. */
1952
1953if (!sender_host_unknown)
1954 {
1955 int rc;
1956 BOOL reserved_host = FALSE;
1957
1958 /* Look up IP options (source routing info) on the socket if this is not an
1959 -oMa "host", and if any are found, log them and drop the connection.
1960
1961 Linux (and others now, see below) is different to everyone else, so there
1962 has to be some conditional compilation here. Versions of Linux before 2.1.15
1963 used a structure whose name was "options". Somebody finally realized that
1964 this name was silly, and it got changed to "ip_options". I use the
1965 newer name here, but there is a fudge in the script that sets up os.h
1966 to define a macro in older Linux systems.
1967
1968 Sigh. Linux is a fast-moving target. Another generation of Linux uses
1969 glibc 2, which has chosen ip_opts for the structure name. This is now
1970 really a glibc thing rather than a Linux thing, so the condition name
1971 has been changed to reflect this. It is relevant also to GNU/Hurd.
1972
1973 Mac OS 10.x (Darwin) is like the later glibc versions, but without the
1974 setting of the __GLIBC__ macro, so we can't detect it automatically. There's
1975 a special macro defined in the os.h file.
1976
1977 Some DGUX versions on older hardware appear not to support IP options at
1978 all, so there is now a general macro which can be set to cut out this
1979 support altogether.
1980
1981 How to do this properly in IPv6 is not yet known. */
1982
1983 #if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
1984
1985 #ifdef GLIBC_IP_OPTIONS
1986 #if (!defined __GLIBC__) || (__GLIBC__ < 2)
1987 #define OPTSTYLE 1
1988 #else
1989 #define OPTSTYLE 2
1990 #endif
1991 #elif defined DARWIN_IP_OPTIONS
1992 #define OPTSTYLE 2
1993 #else
1994 #define OPTSTYLE 3
1995 #endif
1996
1997 if (!host_checking && !sender_host_notsocket)
1998 {
1999 #if OPTSTYLE == 1
36a3b041 2000 EXIM_SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
059ec3d9
PH
2001 struct ip_options *ipopt = store_get(optlen);
2002 #elif OPTSTYLE == 2
2003 struct ip_opts ipoptblock;
2004 struct ip_opts *ipopt = &ipoptblock;
36a3b041 2005 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
059ec3d9
PH
2006 #else
2007 struct ipoption ipoptblock;
2008 struct ipoption *ipopt = &ipoptblock;
36a3b041 2009 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
059ec3d9
PH
2010 #endif
2011
2012 /* Occasional genuine failures of getsockopt() have been seen - for
2013 example, "reset by peer". Therefore, just log and give up on this
2014 call, unless the error is ENOPROTOOPT. This error is given by systems
2015 that have the interfaces but not the mechanism - e.g. GNU/Hurd at the time
2016 of writing. So for that error, carry on - we just can't do an IP options
2017 check. */
2018
2019 DEBUG(D_receive) debug_printf("checking for IP options\n");
2020
2021 if (getsockopt(fileno(smtp_out), IPPROTO_IP, IP_OPTIONS, (uschar *)(ipopt),
2022 &optlen) < 0)
2023 {
2024 if (errno != ENOPROTOOPT)
2025 {
2026 log_write(0, LOG_MAIN, "getsockopt() failed from %s: %s",
2027 host_and_ident(FALSE), strerror(errno));
2028 smtp_printf("451 SMTP service not available\r\n");
2029 return FALSE;
2030 }
2031 }
2032
2033 /* Deal with any IP options that are set. On the systems I have looked at,
2034 the value of MAX_IPOPTLEN has been 40, meaning that there should never be
2035 more logging data than will fit in big_buffer. Nevertheless, after somebody
2036 questioned this code, I've added in some paranoid checking. */
2037
2038 else if (optlen > 0)
2039 {
2040 uschar *p = big_buffer;
2041 uschar *pend = big_buffer + big_buffer_size;
2042 uschar *opt, *adptr;
2043 int optcount;
2044 struct in_addr addr;
2045
2046 #if OPTSTYLE == 1
2047 uschar *optstart = (uschar *)(ipopt->__data);
2048 #elif OPTSTYLE == 2
2049 uschar *optstart = (uschar *)(ipopt->ip_opts);
2050 #else
2051 uschar *optstart = (uschar *)(ipopt->ipopt_list);
2052 #endif
2053
2054 DEBUG(D_receive) debug_printf("IP options exist\n");
2055
2056 Ustrcpy(p, "IP options on incoming call:");
2057 p += Ustrlen(p);
2058
2059 for (opt = optstart; opt != NULL &&
2060 opt < (uschar *)(ipopt) + optlen;)
2061 {
2062 switch (*opt)
2063 {
2064 case IPOPT_EOL:
2065 opt = NULL;
2066 break;
2067
2068 case IPOPT_NOP:
2069 opt++;
2070 break;
2071
2072 case IPOPT_SSRR:
2073 case IPOPT_LSRR:
2074 if (!string_format(p, pend-p, " %s [@%s",
2075 (*opt == IPOPT_SSRR)? "SSRR" : "LSRR",
2076 #if OPTSTYLE == 1
2077 inet_ntoa(*((struct in_addr *)(&(ipopt->faddr))))))
2078 #elif OPTSTYLE == 2
2079 inet_ntoa(ipopt->ip_dst)))
2080 #else
2081 inet_ntoa(ipopt->ipopt_dst)))
2082 #endif
2083 {
2084 opt = NULL;
2085 break;
2086 }
2087
2088 p += Ustrlen(p);
2089 optcount = (opt[1] - 3) / sizeof(struct in_addr);
2090 adptr = opt + 3;
2091 while (optcount-- > 0)
2092 {
2093 memcpy(&addr, adptr, sizeof(addr));
2094 if (!string_format(p, pend - p - 1, "%s%s",
2095 (optcount == 0)? ":" : "@", inet_ntoa(addr)))
2096 {
2097 opt = NULL;
2098 break;
2099 }
2100 p += Ustrlen(p);
2101 adptr += sizeof(struct in_addr);
2102 }
2103 *p++ = ']';
2104 opt += opt[1];
2105 break;
2106
2107 default:
2108 {
2109 int i;
2110 if (pend - p < 4 + 3*opt[1]) { opt = NULL; break; }
2111 Ustrcat(p, "[ ");
2112 p += 2;
2113 for (i = 0; i < opt[1]; i++)
2114 {
2115 sprintf(CS p, "%2.2x ", opt[i]);
2116 p += 3;
2117 }
2118 *p++ = ']';
2119 }
2120 opt += opt[1];
2121 break;
2122 }
2123 }
2124
2125 *p = 0;
2126 log_write(0, LOG_MAIN, "%s", big_buffer);
2127
2128 /* Refuse any call with IP options. This is what tcpwrappers 7.5 does. */
2129
2130 log_write(0, LOG_MAIN|LOG_REJECT,
2131 "connection from %s refused (IP options)", host_and_ident(FALSE));
2132
2133 smtp_printf("554 SMTP service not available\r\n");
2134 return FALSE;
2135 }
2136
2137 /* Length of options = 0 => there are no options */
2138
2139 else DEBUG(D_receive) debug_printf("no IP options found\n");
2140 }
2141 #endif /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
2142
2143 /* Set keep-alive in socket options. The option is on by default. This
2144 setting is an attempt to get rid of some hanging connections that stick in
2145 read() when the remote end (usually a dialup) goes away. */
2146
2147 if (smtp_accept_keepalive && !sender_host_notsocket)
2148 ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
2149
2150 /* If the current host matches host_lookup, set the name by doing a
2151 reverse lookup. On failure, sender_host_name will be NULL and
2152 host_lookup_failed will be TRUE. This may or may not be serious - optional
2153 checks later. */
2154
2155 if (verify_check_host(&host_lookup) == OK)
2156 {
2157 (void)host_name_lookup();
2158 host_build_sender_fullhost();
2159 }
2160
2161 /* Delay this until we have the full name, if it is looked up. */
2162
2163 set_process_info("handling incoming connection from %s",
2164 host_and_ident(FALSE));
2165
1ad6489e
JH
2166 /* Expand smtp_receive_timeout, if needed */
2167
2168 if (smtp_receive_timeout_s)
2169 {
2170 uschar * exp;
2171 if ( !(exp = expand_string(smtp_receive_timeout_s))
2172 || !(*exp)
2173 || (smtp_receive_timeout = readconf_readtime(exp, 0, FALSE)) < 0
2174 )
2175 log_write(0, LOG_MAIN|LOG_PANIC,
2176 "bad value for smtp_receive_timeout: '%s'", exp ? exp : US"");
2177 }
2178
059ec3d9
PH
2179 /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
2180 smtps port for use with older style SSL MTAs. */
2181
2182 #ifdef SUPPORT_TLS
817d9f57 2183 if (tls_in.on_connect && tls_server_start(tls_require_ciphers) != OK)
059ec3d9
PH
2184 return FALSE;
2185 #endif
2186
2187 /* Test for explicit connection rejection */
2188
2189 if (verify_check_host(&host_reject_connection) == OK)
2190 {
2191 log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
2192 "from %s (host_reject_connection)", host_and_ident(FALSE));
2193 smtp_printf("554 SMTP service not available\r\n");
2194 return FALSE;
2195 }
2196
afb3eaaf
PH
2197 /* Test with TCP Wrappers if so configured. There is a problem in that
2198 hosts_ctl() returns 0 (deny) under a number of system failure circumstances,
2199 such as disks dying. In these cases, it is desirable to reject with a 4xx
2200 error instead of a 5xx error. There isn't a "right" way to detect such
2201 problems. The following kludge is used: errno is zeroed before calling
2202 hosts_ctl(). If the result is "reject", a 5xx error is given only if the
2203 value of errno is 0 or ENOENT (which happens if /etc/hosts.{allow,deny} does
2204 not exist). */
059ec3d9
PH
2205
2206 #ifdef USE_TCP_WRAPPERS
afb3eaaf 2207 errno = 0;
5dc43717
JJ
2208 tcp_wrappers_name = expand_string(tcp_wrappers_daemon_name);
2209 if (tcp_wrappers_name == NULL)
2210 {
2211 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
2212 "(tcp_wrappers_name) failed: %s", string_printing(tcp_wrappers_name),
2213 expand_string_message);
2214 }
2215 if (!hosts_ctl(tcp_wrappers_name,
059ec3d9
PH
2216 (sender_host_name == NULL)? STRING_UNKNOWN : CS sender_host_name,
2217 (sender_host_address == NULL)? STRING_UNKNOWN : CS sender_host_address,
2218 (sender_ident == NULL)? STRING_UNKNOWN : CS sender_ident))
2219 {
afb3eaaf
PH
2220 if (errno == 0 || errno == ENOENT)
2221 {
2222 HDEBUG(D_receive) debug_printf("tcp wrappers rejection\n");
2223 log_write(L_connection_reject,
2224 LOG_MAIN|LOG_REJECT, "refused connection from %s "
2225 "(tcp wrappers)", host_and_ident(FALSE));
2226 smtp_printf("554 SMTP service not available\r\n");
2227 }
2228 else
2229 {
2230 int save_errno = errno;
2231 HDEBUG(D_receive) debug_printf("tcp wrappers rejected with unexpected "
2232 "errno value %d\n", save_errno);
2233 log_write(L_connection_reject,
2234 LOG_MAIN|LOG_REJECT, "temporarily refused connection from %s "
2235 "(tcp wrappers errno=%d)", host_and_ident(FALSE), save_errno);
2236 smtp_printf("451 Temporary local problem - please try later\r\n");
2237 }
059ec3d9
PH
2238 return FALSE;
2239 }
2240 #endif
2241
b01dd148
PH
2242 /* Check for reserved slots. The value of smtp_accept_count has already been
2243 incremented to include this process. */
059ec3d9
PH
2244
2245 if (smtp_accept_max > 0 &&
b01dd148 2246 smtp_accept_count > smtp_accept_max - smtp_accept_reserve)
059ec3d9
PH
2247 {
2248 if ((rc = verify_check_host(&smtp_reserve_hosts)) != OK)
2249 {
2250 log_write(L_connection_reject,
2251 LOG_MAIN, "temporarily refused connection from %s: not in "
2252 "reserve list: connected=%d max=%d reserve=%d%s",
b01dd148 2253 host_and_ident(FALSE), smtp_accept_count - 1, smtp_accept_max,
059ec3d9
PH
2254 smtp_accept_reserve, (rc == DEFER)? " (lookup deferred)" : "");
2255 smtp_printf("421 %s: Too many concurrent SMTP connections; "
2256 "please try again later\r\n", smtp_active_hostname);
2257 return FALSE;
2258 }
2259 reserved_host = TRUE;
2260 }
2261
2262 /* If a load level above which only messages from reserved hosts are
2263 accepted is set, check the load. For incoming calls via the daemon, the
2264 check is done in the superior process if there are no reserved hosts, to
2265 save a fork. In all cases, the load average will already be available
2266 in a global variable at this point. */
2267
2268 if (smtp_load_reserve >= 0 &&
2269 load_average > smtp_load_reserve &&
2270 !reserved_host &&
2271 verify_check_host(&smtp_reserve_hosts) != OK)
2272 {
2273 log_write(L_connection_reject,
2274 LOG_MAIN, "temporarily refused connection from %s: not in "
2275 "reserve list and load average = %.2f", host_and_ident(FALSE),
2276 (double)load_average/1000.0);
2277 smtp_printf("421 %s: Too much load; please try again later\r\n",
2278 smtp_active_hostname);
2279 return FALSE;
2280 }
2281
2282 /* Determine whether unqualified senders or recipients are permitted
2283 for this host. Unfortunately, we have to do this every time, in order to
2284 set the flags so that they can be inspected when considering qualifying
2285 addresses in the headers. For a site that permits no qualification, this
2286 won't take long, however. */
2287
2288 allow_unqualified_sender =
2289 verify_check_host(&sender_unqualified_hosts) == OK;
2290
2291 allow_unqualified_recipient =
2292 verify_check_host(&recipient_unqualified_hosts) == OK;
2293
2294 /* Determine whether HELO/EHLO is required for this host. The requirement
2295 can be hard or soft. */
2296
2297 helo_required = verify_check_host(&helo_verify_hosts) == OK;
2298 if (!helo_required)
2299 helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
2300
2301 /* Determine whether this hosts is permitted to send syntactic junk
2302 after a HELO or EHLO command. */
2303
2304 helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
2305 }
2306
2307/* For batch SMTP input we are now done. */
2308
2309if (smtp_batched_input) return TRUE;
2310
cee5f132 2311#ifdef SUPPORT_PROXY
a3c86431
TL
2312/* If valid Proxy Protocol source is connecting, set up session.
2313 * Failure will not allow any SMTP function other than QUIT. */
2314proxy_session = FALSE;
2315proxy_session_failed = FALSE;
2316if (check_proxy_protocol_host())
2317 {
2318 if (setup_proxy_protocol_host() == FALSE)
2319 {
2320 proxy_session_failed = TRUE;
2321 DEBUG(D_receive)
2322 debug_printf("Failure to extract proxied host, only QUIT allowed\n");
2323 }
2324 else
2325 {
2326 sender_host_name = NULL;
2327 (void)host_name_lookup();
2328 host_build_sender_fullhost();
2329 }
2330 }
2331#endif
2332
059ec3d9
PH
2333/* Run the ACL if it exists */
2334
4e88a19f 2335user_msg = NULL;
059ec3d9
PH
2336if (acl_smtp_connect != NULL)
2337 {
2338 int rc;
64ffc24f 2339 rc = acl_check(ACL_WHERE_CONNECT, NULL, acl_smtp_connect, &user_msg,
059ec3d9
PH
2340 &log_msg);
2341 if (rc != OK)
2342 {
2343 (void)smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
2344 return FALSE;
2345 }
2346 }
2347
2348/* Output the initial message for a two-way SMTP connection. It may contain
2349newlines, which then cause a multi-line response to be given. */
2350
4e88a19f
PH
2351code = US"220"; /* Default status code */
2352esc = US""; /* Default extended status code */
2353esclen = 0; /* Length of esc */
2354
d4ff61d1 2355if (!user_msg)
4e88a19f 2356 {
d4ff61d1 2357 if (!(s = expand_string(smtp_banner)))
4e88a19f
PH
2358 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) "
2359 "failed: %s", smtp_banner, expand_string_message);
2360 }
2361else
2362 {
2363 int codelen = 3;
2364 s = user_msg;
4f6ae5c3 2365 smtp_message_code(&code, &codelen, &s, NULL, TRUE);
d6a96edc 2366 if (codelen > 4)
4e88a19f
PH
2367 {
2368 esc = code + 4;
2369 esclen = codelen - 4;
2370 }
2371 }
059ec3d9
PH
2372
2373/* Remove any terminating newlines; might as well remove trailing space too */
2374
2375p = s + Ustrlen(s);
2376while (p > s && isspace(p[-1])) p--;
2377*p = 0;
2378
2379/* It seems that CC:Mail is braindead, and assumes that the greeting message
2380is all contained in a single IP packet. The original code wrote out the
2381greeting using several calls to fprint/fputc, and on busy servers this could
2382cause it to be split over more than one packet - which caused CC:Mail to fall
2383over when it got the second part of the greeting after sending its first
2384command. Sigh. To try to avoid this, build the complete greeting message
2385first, and output it in one fell swoop. This gives a better chance of it
2386ending up as a single packet. */
2387
2388ss = store_get(size);
2389ptr = 0;
2390
2391p = s;
2392do /* At least once, in case we have an empty string */
2393 {
2394 int len;
2395 uschar *linebreak = Ustrchr(p, '\n');
c2f669a4 2396 ss = string_catn(ss, &size, &ptr, code, 3);
059ec3d9
PH
2397 if (linebreak == NULL)
2398 {
2399 len = Ustrlen(p);
c2f669a4 2400 ss = string_catn(ss, &size, &ptr, US" ", 1);
059ec3d9
PH
2401 }
2402 else
2403 {
2404 len = linebreak - p;
c2f669a4 2405 ss = string_catn(ss, &size, &ptr, US"-", 1);
059ec3d9 2406 }
c2f669a4
JH
2407 ss = string_catn(ss, &size, &ptr, esc, esclen);
2408 ss = string_catn(ss, &size, &ptr, p, len);
2409 ss = string_catn(ss, &size, &ptr, US"\r\n", 2);
059ec3d9
PH
2410 p += len;
2411 if (linebreak != NULL) p++;
2412 }
2413while (*p != 0);
2414
2415ss[ptr] = 0; /* string_cat leaves room for this */
2416
2417/* Before we write the banner, check that there is no input pending, unless
2418this synchronisation check is disabled. */
2419
a14e5636 2420if (!check_sync())
059ec3d9 2421 {
a14e5636
PH
2422 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol "
2423 "synchronization error (input sent without waiting for greeting): "
2424 "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
2425 string_printing(smtp_inptr));
2426 smtp_printf("554 SMTP synchronization error\r\n");
2427 return FALSE;
059ec3d9
PH
2428 }
2429
2430/* Now output the banner */
2431
2432smtp_printf("%s", ss);
2433return TRUE;
2434}
2435
2436
2437
2438
2439
2440/*************************************************
2441* Handle SMTP syntax and protocol errors *
2442*************************************************/
2443
2444/* Write to the log for SMTP syntax errors in incoming commands, if configured
2445to do so. Then transmit the error response. The return value depends on the
2446number of syntax and protocol errors in this SMTP session.
2447
2448Arguments:
2449 type error type, given as a log flag bit
2450 code response code; <= 0 means don't send a response
2451 data data to reflect in the response (can be NULL)
2452 errmess the error message
2453
2454Returns: -1 limit of syntax/protocol errors NOT exceeded
2455 +1 limit of syntax/protocol errors IS exceeded
2456
2457These values fit in with the values of the "done" variable in the main
2458processing loop in smtp_setup_msg(). */
2459
2460static int
2461synprot_error(int type, int code, uschar *data, uschar *errmess)
2462{
2463int yield = -1;
2464
2465log_write(type, LOG_MAIN, "SMTP %s error in \"%s\" %s %s",
2466 (type == L_smtp_syntax_error)? "syntax" : "protocol",
3ee512ff 2467 string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);
059ec3d9
PH
2468
2469if (++synprot_error_count > smtp_max_synprot_errors)
2470 {
2471 yield = 1;
2472 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
2473 "syntax or protocol errors (last command was \"%s\")",
0ebc4d69 2474 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
059ec3d9
PH
2475 }
2476
2477if (code > 0)
2478 {
2479 smtp_printf("%d%c%s%s%s\r\n", code, (yield == 1)? '-' : ' ',
2480 (data == NULL)? US"" : data, (data == NULL)? US"" : US": ", errmess);
2481 if (yield == 1)
2482 smtp_printf("%d Too many syntax or protocol errors\r\n", code);
2483 }
2484
2485return yield;
2486}
2487
2488
2489
2490
2491/*************************************************
2492* Log incomplete transactions *
2493*************************************************/
2494
2495/* This function is called after a transaction has been aborted by RSET, QUIT,
2496connection drops or other errors. It logs the envelope information received
2497so far in order to preserve address verification attempts.
2498
2499Argument: string to indicate what aborted the transaction
2500Returns: nothing
2501*/
2502
2503static void
2504incomplete_transaction_log(uschar *what)
2505{
2506if (sender_address == NULL || /* No transaction in progress */
6c6d6e48
TF
2507 !LOGGING(smtp_incomplete_transaction))
2508 return;
059ec3d9
PH
2509
2510/* Build list of recipients for logging */
2511
2512if (recipients_count > 0)
2513 {
2514 int i;
2515 raw_recipients = store_get(recipients_count * sizeof(uschar *));
2516 for (i = 0; i < recipients_count; i++)
2517 raw_recipients[i] = recipients_list[i].address;
2518 raw_recipients_count = recipients_count;
2519 }
2520
2521log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
2522 "%s incomplete transaction (%s)", host_and_ident(TRUE), what);
2523}
2524
2525
2526
2527
2528/*************************************************
2529* Send SMTP response, possibly multiline *
2530*************************************************/
2531
2532/* There are, it seems, broken clients out there that cannot handle multiline
2533responses. If no_multiline_responses is TRUE (it can be set from an ACL), we
2534output nothing for non-final calls, and only the first line for anything else.
2535
2536Arguments:
a5bd321b 2537 code SMTP code, may involve extended status codes
d6a96edc 2538 codelen length of smtp code; if > 4 there's an ESC
059ec3d9
PH
2539 final FALSE if the last line isn't the final line
2540 msg message text, possibly containing newlines
2541
2542Returns: nothing
2543*/
2544
2545void
a5bd321b 2546smtp_respond(uschar* code, int codelen, BOOL final, uschar *msg)
059ec3d9 2547{
a5bd321b
PH
2548int esclen = 0;
2549uschar *esc = US"";
2550
059ec3d9
PH
2551if (!final && no_multiline_responses) return;
2552
d6a96edc 2553if (codelen > 4)
a5bd321b
PH
2554 {
2555 esc = code + 4;
2556 esclen = codelen - 4;
2557 }
2558
2679d413
PH
2559/* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
2560have had the same. Note: this code is also present in smtp_printf(). It would
2561be tidier to have it only in one place, but when it was added, it was easier to
2562do it that way, so as not to have to mess with the code for the RCPT command,
2563which sometimes uses smtp_printf() and sometimes smtp_respond(). */
2564
2565if (rcpt_in_progress)
2566 {
2567 if (rcpt_smtp_response == NULL)
2568 rcpt_smtp_response = string_copy(msg);
2569 else if (rcpt_smtp_response_same &&
2570 Ustrcmp(rcpt_smtp_response, msg) != 0)
2571 rcpt_smtp_response_same = FALSE;
2572 rcpt_in_progress = FALSE;
2573 }
2574
2575/* Not output the message, splitting it up into multiple lines if necessary. */
2576
059ec3d9
PH
2577for (;;)
2578 {
2579 uschar *nl = Ustrchr(msg, '\n');
2580 if (nl == NULL)
2581 {
a5bd321b 2582 smtp_printf("%.3s%c%.*s%s\r\n", code, final? ' ':'-', esclen, esc, msg);
059ec3d9
PH
2583 return;
2584 }
2585 else if (nl[1] == 0 || no_multiline_responses)
2586 {
a5bd321b
PH
2587 smtp_printf("%.3s%c%.*s%.*s\r\n", code, final? ' ':'-', esclen, esc,
2588 (int)(nl - msg), msg);
059ec3d9
PH
2589 return;
2590 }
2591 else
2592 {
a5bd321b 2593 smtp_printf("%.3s-%.*s%.*s\r\n", code, esclen, esc, (int)(nl - msg), msg);
059ec3d9
PH
2594 msg = nl + 1;
2595 while (isspace(*msg)) msg++;
2596 }
2597 }
2598}
2599
2600
2601
2602
2603/*************************************************
4e88a19f
PH
2604* Parse user SMTP message *
2605*************************************************/
2606
2607/* This function allows for user messages overriding the response code details
2608by providing a suitable response code string at the start of the message
2609user_msg. Check the message for starting with a response code and optionally an
2610extended status code. If found, check that the first digit is valid, and if so,
2611change the code pointer and length to use the replacement. An invalid code
2612causes a panic log; in this case, if the log messages is the same as the user
2613message, we must also adjust the value of the log message to show the code that
2614is actually going to be used (the original one).
2615
2616This function is global because it is called from receive.c as well as within
2617this module.
2618
d6a96edc
PH
2619Note that the code length returned includes the terminating whitespace
2620character, which is always included in the regex match.
2621
4e88a19f
PH
2622Arguments:
2623 code SMTP code, may involve extended status codes
d6a96edc 2624 codelen length of smtp code; if > 4 there's an ESC
4e88a19f
PH
2625 msg message text
2626 log_msg optional log message, to be adjusted with the new SMTP code
4f6ae5c3 2627 check_valid if true, verify the response code
4e88a19f
PH
2628
2629Returns: nothing
2630*/
2631
2632void
4f6ae5c3
JH
2633smtp_message_code(uschar **code, int *codelen, uschar **msg, uschar **log_msg,
2634 BOOL check_valid)
4e88a19f
PH
2635{
2636int n;
2637int ovector[3];
2638
4f6ae5c3 2639if (!msg || !*msg) return;
4e88a19f 2640
4f6ae5c3
JH
2641if ((n = pcre_exec(regex_smtp_code, NULL, CS *msg, Ustrlen(*msg), 0,
2642 PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int))) < 0) return;
4e88a19f 2643
4f6ae5c3 2644if (check_valid && (*msg)[0] != (*code)[0])
4e88a19f
PH
2645 {
2646 log_write(0, LOG_MAIN|LOG_PANIC, "configured error code starts with "
2647 "incorrect digit (expected %c) in \"%s\"", (*code)[0], *msg);
2648 if (log_msg != NULL && *log_msg == *msg)
2649 *log_msg = string_sprintf("%s %s", *code, *log_msg + ovector[1]);
2650 }
2651else
2652 {
2653 *code = *msg;
2654 *codelen = ovector[1]; /* Includes final space */
2655 }
2656*msg += ovector[1]; /* Chop the code off the message */
2657return;
2658}
2659
2660
2661
2662
2663/*************************************************
059ec3d9
PH
2664* Handle an ACL failure *
2665*************************************************/
2666
2667/* This function is called when acl_check() fails. As well as calls from within
2668this module, it is called from receive.c for an ACL after DATA. It sorts out
2669logging the incident, and sets up the error response. A message containing
2670newlines is turned into a multiline SMTP response, but for logging, only the
2671first line is used.
2672
a5bd321b
PH
2673There's a table of default permanent failure response codes to use in
2674globals.c, along with the table of names. VFRY is special. Despite RFC1123 it
2675defaults disabled in Exim. However, discussion in connection with RFC 821bis
2676(aka RFC 2821) has concluded that the response should be 252 in the disabled
2677state, because there are broken clients that try VRFY before RCPT. A 5xx
2678response should be given only when the address is positively known to be
4f6ae5c3
JH
2679undeliverable. Sigh. We return 252 if there is no VRFY ACL or it provides
2680no explicit code, but if there is one we let it know best.
2681Also, for ETRN, 458 is given on refusal, and for AUTH, 503.
a5bd321b
PH
2682
2683From Exim 4.63, it is possible to override the response code details by
2684providing a suitable response code string at the start of the message provided
2685in user_msg. The code's first digit is checked for validity.
059ec3d9
PH
2686
2687Arguments:
4f6ae5c3
JH
2688 where where the ACL was called from
2689 rc the failure code
2690 user_msg a message that can be included in an SMTP response
2691 log_msg a message for logging
059ec3d9
PH
2692
2693Returns: 0 in most cases
2694 2 if the failure code was FAIL_DROP, in which case the
2695 SMTP connection should be dropped (this value fits with the
2696 "done" variable in smtp_setup_msg() below)
2697*/
2698
2699int
2700smtp_handle_acl_fail(int where, int rc, uschar *user_msg, uschar *log_msg)
2701{
059ec3d9 2702BOOL drop = rc == FAIL_DROP;
a5bd321b 2703int codelen = 3;
a5bd321b 2704uschar *smtp_code;
059ec3d9
PH
2705uschar *lognl;
2706uschar *sender_info = US"";
64ffc24f 2707uschar *what =
8523533c 2708#ifdef WITH_CONTENT_SCAN
64ffc24f 2709 (where == ACL_WHERE_MIME)? US"during MIME ACL checks" :
8e669ac1 2710#endif
64ffc24f
PH
2711 (where == ACL_WHERE_PREDATA)? US"DATA" :
2712 (where == ACL_WHERE_DATA)? US"after DATA" :
8ccd00b1 2713#ifndef DISABLE_PRDR
fd98a5c6
JH
2714 (where == ACL_WHERE_PRDR)? US"after DATA PRDR" :
2715#endif
ca86f471 2716 (smtp_cmd_data == NULL)?
64ffc24f 2717 string_sprintf("%s in \"connect\" ACL", acl_wherenames[where]) :
ca86f471 2718 string_sprintf("%s %s", acl_wherenames[where], smtp_cmd_data);
059ec3d9
PH
2719
2720if (drop) rc = FAIL;
2721
4e88a19f 2722/* Set the default SMTP code, and allow a user message to change it. */
a5bd321b 2723
4f6ae5c3
JH
2724smtp_code = rc == FAIL ? acl_wherecodes[where] : US"451";
2725smtp_message_code(&smtp_code, &codelen, &user_msg, &log_msg,
2726 where != ACL_WHERE_VRFY);
a5bd321b 2727
059ec3d9
PH
2728/* We used to have sender_address here; however, there was a bug that was not
2729updating sender_address after a rewrite during a verify. When this bug was
2730fixed, sender_address at this point became the rewritten address. I'm not sure
2731this is what should be logged, so I've changed to logging the unrewritten
2732address to retain backward compatibility. */
2733
8523533c 2734#ifndef WITH_CONTENT_SCAN
059ec3d9 2735if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
8523533c
TK
2736#else
2737if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
2738#endif
059ec3d9 2739 {
b98bb9ac
PP
2740 sender_info = string_sprintf("F=<%s>%s%s%s%s ",
2741 sender_address_unrewritten ? sender_address_unrewritten : sender_address,
2742 sender_host_authenticated ? US" A=" : US"",
2743 sender_host_authenticated ? sender_host_authenticated : US"",
2744 sender_host_authenticated && authenticated_id ? US":" : US"",
2745 sender_host_authenticated && authenticated_id ? authenticated_id : US""
2746 );
059ec3d9
PH
2747 }
2748
2749/* If there's been a sender verification failure with a specific message, and
2750we have not sent a response about it yet, do so now, as a preliminary line for
278c6e6c
PH
2751failures, but not defers. However, always log it for defer, and log it for fail
2752unless the sender_verify_fail log selector has been turned off. */
059ec3d9
PH
2753
2754if (sender_verified_failed != NULL &&
2755 !testflag(sender_verified_failed, af_sverify_told))
2756 {
2679d413
PH
2757 BOOL save_rcpt_in_progress = rcpt_in_progress;
2758 rcpt_in_progress = FALSE; /* So as not to treat these as the error */
2759
059ec3d9
PH
2760 setflag(sender_verified_failed, af_sverify_told);
2761
6c6d6e48 2762 if (rc != FAIL || LOGGING(sender_verify_fail))
278c6e6c
PH
2763 log_write(0, LOG_MAIN|LOG_REJECT, "%s sender verify %s for <%s>%s",
2764 host_and_ident(TRUE),
2765 ((sender_verified_failed->special_action & 255) == DEFER)? "defer":"fail",
2766 sender_verified_failed->address,
2767 (sender_verified_failed->message == NULL)? US"" :
2768 string_sprintf(": %s", sender_verified_failed->message));
059ec3d9
PH
2769
2770 if (rc == FAIL && sender_verified_failed->user_message != NULL)
a5bd321b 2771 smtp_respond(smtp_code, codelen, FALSE, string_sprintf(
059ec3d9
PH
2772 testflag(sender_verified_failed, af_verify_pmfail)?
2773 "Postmaster verification failed while checking <%s>\n%s\n"
2774 "Several RFCs state that you are required to have a postmaster\n"
2775 "mailbox for each mail domain. This host does not accept mail\n"
2776 "from domains whose servers reject the postmaster address."
2777 :
2778 testflag(sender_verified_failed, af_verify_nsfail)?
2779 "Callback setup failed while verifying <%s>\n%s\n"
2780 "The initial connection, or a HELO or MAIL FROM:<> command was\n"
2781 "rejected. Refusing MAIL FROM:<> does not help fight spam, disregards\n"
2782 "RFC requirements, and stops you from receiving standard bounce\n"
2783 "messages. This host does not accept mail from domains whose servers\n"
2784 "refuse bounces."
2785 :
2786 "Verification failed for <%s>\n%s",
2787 sender_verified_failed->address,
2788 sender_verified_failed->user_message));
2679d413
PH
2789
2790 rcpt_in_progress = save_rcpt_in_progress;
059ec3d9
PH
2791 }
2792
2793/* Sort out text for logging */
2794
2795log_msg = (log_msg == NULL)? US"" : string_sprintf(": %s", log_msg);
2796lognl = Ustrchr(log_msg, '\n');
2797if (lognl != NULL) *lognl = 0;
2798
2799/* Send permanent failure response to the command, but the code used isn't
2800always a 5xx one - see comments at the start of this function. If the original
2801rc was FAIL_DROP we drop the connection and yield 2. */
2802
a5bd321b 2803if (rc == FAIL) smtp_respond(smtp_code, codelen, TRUE, (user_msg == NULL)?
059ec3d9
PH
2804 US"Administrative prohibition" : user_msg);
2805
2806/* Send temporary failure response to the command. Don't give any details,
2807unless acl_temp_details is set. This is TRUE for a callout defer, a "defer"
2808verb, and for a header verify when smtp_return_error_details is set.
2809
2810This conditional logic is all somewhat of a mess because of the odd
2811interactions between temp_details and return_error_details. One day it should
2812be re-implemented in a tidier fashion. */
2813
2814else
2815 {
2816 if (acl_temp_details && user_msg != NULL)
2817 {
2818 if (smtp_return_error_details &&
2819 sender_verified_failed != NULL &&
2820 sender_verified_failed->message != NULL)
2821 {
a5bd321b 2822 smtp_respond(smtp_code, codelen, FALSE, sender_verified_failed->message);
059ec3d9 2823 }
a5bd321b 2824 smtp_respond(smtp_code, codelen, TRUE, user_msg);
059ec3d9
PH
2825 }
2826 else
a5bd321b
PH
2827 smtp_respond(smtp_code, codelen, TRUE,
2828 US"Temporary local problem - please try later");
059ec3d9
PH
2829 }
2830
6ea85e9a
PH
2831/* Log the incident to the logs that are specified by log_reject_target
2832(default main, reject). This can be empty to suppress logging of rejections. If
2833the connection is not forcibly to be dropped, return 0. Otherwise, log why it
2834is closing if required and return 2. */
059ec3d9 2835
6ea85e9a 2836if (log_reject_target != 0)
887291d2 2837 {
e45a1c37 2838#ifdef SUPPORT_TLS
fc16abb4
JH
2839 uschar * tls = s_tlslog(NULL, NULL, NULL);
2840 if (!tls) tls = US"";
e45a1c37 2841#else
fc16abb4 2842 uschar * tls = US"";
e45a1c37 2843#endif
fc16abb4
JH
2844 log_write(0, log_reject_target, "%s%s%s %s%srejected %s%s",
2845 LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
2846 host_and_ident(TRUE),
2847 tls,
2848 sender_info,
2849 rc == FAIL ? US"" : US"temporarily ",
2850 what, log_msg);
887291d2 2851 }
059ec3d9
PH
2852
2853if (!drop) return 0;
2854
2855log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
2856 smtp_get_connection_info());
8f128379
PH
2857
2858/* Run the not-quit ACL, but without any custom messages. This should not be a
2859problem, because we get here only if some other ACL has issued "drop", and
2860in that case, *its* custom messages will have been used above. */
2861
2862smtp_notquit_exit(US"acl-drop", NULL, NULL);
059ec3d9
PH
2863return 2;
2864}
2865
2866
2867
2868
2869/*************************************************
8f128379
PH
2870* Handle SMTP exit when QUIT is not given *
2871*************************************************/
2872
2873/* This function provides a logging/statistics hook for when an SMTP connection
2874is dropped on the floor or the other end goes away. It's a global function
2875because it's called from receive.c as well as this module. As well as running
2876the NOTQUIT ACL, if there is one, this function also outputs a final SMTP
2877response, either with a custom message from the ACL, or using a default. There
2878is one case, however, when no message is output - after "drop". In that case,
2879the ACL that obeyed "drop" has already supplied the custom message, and NULL is
2880passed to this function.
2881
2882In case things go wrong while processing this function, causing an error that
2883may re-enter this funtion, there is a recursion check.
2884
2885Arguments:
2886 reason What $smtp_notquit_reason will be set to in the ACL;
2887 if NULL, the ACL is not run
2888 code The error code to return as part of the response
2889 defaultrespond The default message if there's no user_msg
2890
2891Returns: Nothing
2892*/
2893
2894void
2895smtp_notquit_exit(uschar *reason, uschar *code, uschar *defaultrespond, ...)
2896{
2897int rc;
2898uschar *user_msg = NULL;
2899uschar *log_msg = NULL;
2900
2901/* Check for recursive acll */
2902
2903if (smtp_exit_function_called)
2904 {
2905 log_write(0, LOG_PANIC, "smtp_notquit_exit() called more than once (%s)",
2906 reason);
2907 return;
2908 }
2909smtp_exit_function_called = TRUE;
2910
2911/* Call the not-QUIT ACL, if there is one, unless no reason is given. */
2912
2913if (acl_smtp_notquit != NULL && reason != NULL)
2914 {
2915 smtp_notquit_reason = reason;
2916 rc = acl_check(ACL_WHERE_NOTQUIT, NULL, acl_smtp_notquit, &user_msg,
2917 &log_msg);
2918 if (rc == ERROR)
2919 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for not-QUIT returned ERROR: %s",
2920 log_msg);
2921 }
2922
2923/* Write an SMTP response if we are expected to give one. As the default
2924responses are all internal, they should always fit in the buffer, but code a
2925warning, just in case. Note that string_vformat() still leaves a complete
2926string, even if it is incomplete. */
2927
2928if (code != NULL && defaultrespond != NULL)
2929 {
2930 if (user_msg == NULL)
2931 {
2932 uschar buffer[128];
2933 va_list ap;
2934 va_start(ap, defaultrespond);
2935 if (!string_vformat(buffer, sizeof(buffer), CS defaultrespond, ap))
2936 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_notquit_exit()");
2937 smtp_printf("%s %s\r\n", code, buffer);
2938 va_end(ap);
2939 }
2940 else
2941 smtp_respond(code, 3, TRUE, user_msg);
2942 mac_smtp_fflush();
2943 }
2944}
2945
2946
2947
2948
2949/*************************************************
d7b47fd0
PH
2950* Verify HELO argument *
2951*************************************************/
2952
2953/* This function is called if helo_verify_hosts or helo_try_verify_hosts is
2954matched. It is also called from ACL processing if verify = helo is used and
2955verification was not previously tried (i.e. helo_try_verify_hosts was not
2956matched). The result of its processing is to set helo_verified and
2957helo_verify_failed. These variables should both be FALSE for this function to
2958be called.
2959
2960Note that EHLO/HELO is legitimately allowed to quote an address literal. Allow
2961for IPv6 ::ffff: literals.
2962
2963Argument: none
2964Returns: TRUE if testing was completed;
2965 FALSE on a temporary failure
2966*/
2967
2968BOOL
2969smtp_verify_helo(void)
2970{
2971BOOL yield = TRUE;
2972
2973HDEBUG(D_receive) debug_printf("verifying EHLO/HELO argument \"%s\"\n",
2974 sender_helo_name);
2975
2976if (sender_helo_name == NULL)
2977 {
2978 HDEBUG(D_receive) debug_printf("no EHLO/HELO command was issued\n");
2979 }
2980
d1d5595c
PH
2981/* Deal with the case of -bs without an IP address */
2982
2983else if (sender_host_address == NULL)
2984 {
2985 HDEBUG(D_receive) debug_printf("no client IP address: assume success\n");
2986 helo_verified = TRUE;
2987 }
2988
2989/* Deal with the more common case when there is a sending IP address */
2990
d7b47fd0
PH
2991else if (sender_helo_name[0] == '[')
2992 {
2993 helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
2994 Ustrlen(sender_host_address)) == 0;
2995
2996 #if HAVE_IPV6
2997 if (!helo_verified)
2998 {
2999 if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
3000 helo_verified = Ustrncmp(sender_helo_name + 1,
3001 sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
3002 }
3003 #endif
3004
3005 HDEBUG(D_receive)
3006 { if (helo_verified) debug_printf("matched host address\n"); }
3007 }
3008
3009/* Do a reverse lookup if one hasn't already given a positive or negative
3010response. If that fails, or the name doesn't match, try checking with a forward
3011lookup. */
3012
3013else
3014 {
3015 if (sender_host_name == NULL && !host_lookup_failed)
3016 yield = host_name_lookup() != DEFER;
3017
3018 /* If a host name is known, check it and all its aliases. */
3019
1705dd20
JH
3020 if (sender_host_name)
3021 if ((helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0))
d7b47fd0 3022 {
1705dd20 3023 sender_helo_dnssec = sender_host_dnssec;
d7b47fd0
PH
3024 HDEBUG(D_receive) debug_printf("matched host name\n");
3025 }
3026 else
3027 {
3028 uschar **aliases = sender_host_aliases;
1705dd20
JH
3029 while (*aliases)
3030 if ((helo_verified = strcmpic(*aliases++, sender_helo_name) == 0))
3031 {
3032 sender_helo_dnssec = sender_host_dnssec;
3033 break;
3034 }
3035
3036 HDEBUG(D_receive) if (helo_verified)
d7b47fd0 3037 debug_printf("matched alias %s\n", *(--aliases));
d7b47fd0 3038 }
d7b47fd0
PH
3039
3040 /* Final attempt: try a forward lookup of the helo name */
3041
3042 if (!helo_verified)
3043 {
3044 int rc;
3045 host_item h;
1705dd20
JH
3046 dnssec_domains d;
3047 host_item *hh;
3048
d7b47fd0
PH
3049 h.name = sender_helo_name;
3050 h.address = NULL;
3051 h.mx = MX_NONE;
3052 h.next = NULL;
1705dd20
JH
3053 d.request = US"*";
3054 d.require = US"";
3055
d7b47fd0
PH
3056 HDEBUG(D_receive) debug_printf("getting IP address for %s\n",
3057 sender_helo_name);
1705dd20
JH
3058 rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A,
3059 NULL, NULL, NULL, &d, NULL, NULL);
d7b47fd0 3060 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
1705dd20 3061 for (hh = &h; hh; hh = hh->next)
d7b47fd0
PH
3062 if (Ustrcmp(hh->address, sender_host_address) == 0)
3063 {
3064 helo_verified = TRUE;
1705dd20 3065 if (h.dnssec == DS_YES) sender_helo_dnssec = TRUE;
d7b47fd0 3066 HDEBUG(D_receive)
1705dd20
JH
3067 {
3068 debug_printf("IP address for %s matches calling address\n"
3069 "Forward DNS security status: %sverified\n",
3070 sender_helo_name, sender_helo_dnssec ? "" : "un");
3071 }
d7b47fd0
PH
3072 break;
3073 }
d7b47fd0
PH
3074 }
3075 }
3076
d1d5595c 3077if (!helo_verified) helo_verify_failed = TRUE; /* We've tried ... */
d7b47fd0
PH
3078return yield;
3079}
3080
3081
3082
3083
3084/*************************************************
4e88a19f
PH
3085* Send user response message *
3086*************************************************/
3087
3088/* This function is passed a default response code and a user message. It calls
3089smtp_message_code() to check and possibly modify the response code, and then
3090calls smtp_respond() to transmit the response. I put this into a function
3091just to avoid a lot of repetition.
3092
3093Arguments:
3094 code the response code
3095 user_msg the user message
3096
3097Returns: nothing
3098*/
3099
3100static void
3101smtp_user_msg(uschar *code, uschar *user_msg)
3102{
3103int len = 3;
4f6ae5c3 3104smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
4e88a19f
PH
3105smtp_respond(code, len, TRUE, user_msg);
3106}
3107
3108
3109
b3ef41c9
JH
3110static int
3111smtp_in_auth(auth_instance *au, uschar ** s, uschar ** ss)
3112{
3113const uschar *set_id = NULL;
3114int rc, i;
3115
3116/* Run the checking code, passing the remainder of the command line as
3117data. Initials the $auth<n> variables as empty. Initialize $0 empty and set
3118it as the only set numerical variable. The authenticator may set $auth<n>
3119and also set other numeric variables. The $auth<n> variables are preferred
3120nowadays; the numerical variables remain for backwards compatibility.
3121
3122Afterwards, have a go at expanding the set_id string, even if
3123authentication failed - for bad passwords it can be useful to log the
3124userid. On success, require set_id to expand and exist, and put it in
3125authenticated_id. Save this in permanent store, as the working store gets
3126reset at HELO, RSET, etc. */
3127
3128for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
3129expand_nmax = 0;
3130expand_nlength[0] = 0; /* $0 contains nothing */
3131
3132rc = (au->info->servercode)(au, smtp_cmd_data);
3133if (au->set_id) set_id = expand_string(au->set_id);
3134expand_nmax = -1; /* Reset numeric variables */
3135for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL; /* Reset $auth<n> */
3136
3137/* The value of authenticated_id is stored in the spool file and printed in
3138log lines. It must not contain binary zeros or newline characters. In
3139normal use, it never will, but when playing around or testing, this error
3140can (did) happen. To guard against this, ensure that the id contains only
3141printing characters. */
3142
3143if (set_id) set_id = string_printing(set_id);
3144
3145/* For the non-OK cases, set up additional logging data if set_id
3146is not empty. */
3147
3148if (rc != OK)
3149 set_id = set_id && *set_id
3150 ? string_sprintf(" (set_id=%s)", set_id) : US"";
3151
3152/* Switch on the result */
3153
3154switch(rc)
3155 {
3156 case OK:
3157 if (!au->set_id || set_id) /* Complete success */
3158 {
3159 if (set_id) authenticated_id = string_copy_malloc(set_id);
3160 sender_host_authenticated = au->name;
3161 authentication_failed = FALSE;
3162 authenticated_fail_id = NULL; /* Impossible to already be set? */
3163
3164 received_protocol =
3165 (sender_host_address ? protocols : protocols_local)
3166 [pextend + pauthed + (tls_in.active >= 0 ? pcrpted:0)];
3167 *s = *ss = US"235 Authentication succeeded";
3168 authenticated_by = au;
3169 break;
3170 }
3171
3172 /* Authentication succeeded, but we failed to expand the set_id string.
3173 Treat this as a temporary error. */
3174
3175 auth_defer_msg = expand_string_message;
3176 /* Fall through */
3177
3178 case DEFER:
3179 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3180 *s = string_sprintf("435 Unable to authenticate at present%s",
3181 auth_defer_user_msg);
3182 *ss = string_sprintf("435 Unable to authenticate at present%s: %s",
3183 set_id, auth_defer_msg);
3184 break;
3185
3186 case BAD64:
3187 *s = *ss = US"501 Invalid base64 data";
3188 break;
3189
3190 case CANCELLED:
3191 *s = *ss = US"501 Authentication cancelled";
3192 break;
3193
3194 case UNEXPECTED:
3195 *s = *ss = US"553 Initial data not expected";
3196 break;
3197
3198 case FAIL:
3199 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3200 *s = US"535 Incorrect authentication data";
3201 *ss = string_sprintf("535 Incorrect authentication data%s", set_id);
3202 break;
3203
3204 default:
3205 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3206 *s = US"435 Internal error";
3207 *ss = string_sprintf("435 Internal error%s: return %d from authentication "
3208 "check", set_id, rc);
3209 break;
3210 }
3211
3212return rc;
3213}
3214
3215
3216
2685d6e0
JH
3217
3218
3219static int
3220qualify_recipient(uschar ** recipient, uschar * smtp_cmd_data, uschar * tag)
3221{
3222int rd;
3223if (allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0)
3224 {
3225 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
3226 *recipient);
3227 rd = Ustrlen(recipient) + 1;
3228 *recipient = rewrite_address_qualify(*recipient, TRUE);
3229 return rd;
3230 }
3231smtp_printf("501 %s: recipient address must contain a domain\r\n",
3232 smtp_cmd_data);
3233log_write(L_smtp_syntax_error,
3234 LOG_MAIN|LOG_REJECT, "unqualified %s rejected: <%s> %s%s",
3235 tag, *recipient, host_and_ident(TRUE), host_lookup_msg);
3236return 0;
3237}
3238
3239
3240
3241
4e88a19f 3242/*************************************************
059ec3d9
PH
3243* Initialize for SMTP incoming message *
3244*************************************************/
3245
3246/* This function conducts the initial dialogue at the start of an incoming SMTP
3247message, and builds a list of recipients. However, if the incoming message
3248is part of a batch (-bS option) a separate function is called since it would
3249be messy having tests splattered about all over this function. This function
3250therefore handles the case where interaction is occurring. The input and output
3251files are set up in smtp_in and smtp_out.
3252
3253The global recipients_list is set to point to a vector of recipient_item
3254blocks, whose number is given by recipients_count. This is extended by the
3255receive_add_recipient() function. The global variable sender_address is set to
3256the sender's address. The yield is +1 if a message has been successfully
3257started, 0 if a QUIT command was encountered or the connection was refused from
3258the particular host, or -1 if the connection was lost.
3259
3260Argument: none
3261
3262Returns: > 0 message successfully started (reached DATA)
3263 = 0 QUIT read or end of file reached or call refused
3264 < 0 lost connection
3265*/
3266
3267int
3268smtp_setup_msg(void)
3269{
3270int done = 0;
3271BOOL toomany = FALSE;
3272BOOL discarded = FALSE;
3273BOOL last_was_rej_mail = FALSE;
3274BOOL last_was_rcpt = FALSE;
3275void *reset_point = store_get(0);
3276
3277DEBUG(D_receive) debug_printf("smtp_setup_msg entered\n");
3278
3279/* Reset for start of new message. We allow one RSET not to be counted as a
3280nonmail command, for those MTAs that insist on sending it between every
3281message. Ditto for EHLO/HELO and for STARTTLS, to allow for going in and out of
3282TLS between messages (an Exim client may do this if it has messages queued up
3283for the host). Note: we do NOT reset AUTH at this point. */
3284
3285smtp_reset(reset_point);
3286message_ended = END_NOTSTARTED;
3287
3288cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
3289cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
3290cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
3291#ifdef SUPPORT_TLS
3292cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
b3ef41c9 3293cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
059ec3d9
PH
3294#endif
3295
3296/* Set the local signal handler for SIGTERM - it tries to end off tidily */
3297
3298os_non_restarting_signal(SIGTERM, command_sigterm_handler);
3299
3300/* Batched SMTP is handled in a different function. */
3301
3302if (smtp_batched_input) return smtp_setup_batch_msg();
3303
3304/* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
3305value. The values are 2 larger than the required yield of the function. */
3306
3307while (done <= 0)
3308 {
55414b25 3309 const uschar **argv;
059ec3d9
PH
3310 uschar *etrn_command;
3311 uschar *etrn_serialize_key;
3312 uschar *errmess;
4e88a19f
PH
3313 uschar *log_msg, *smtp_code;
3314 uschar *user_msg = NULL;
059ec3d9
PH
3315 uschar *recipient = NULL;
3316 uschar *hello = NULL;
059ec3d9
PH
3317 uschar *s, *ss;
3318 BOOL was_rej_mail = FALSE;
3319 BOOL was_rcpt = FALSE;
3320 void (*oldsignal)(int);
3321 pid_t pid;
3322 int start, end, sender_domain, recipient_domain;
3323 int ptr, size, rc;
aa7751be 3324 int c;
059ec3d9 3325 auth_instance *au;
6c1c3d1d
WB
3326 uschar *orcpt = NULL;
3327 int flags;
059ec3d9 3328
b3ef41c9
JH
3329#if defined(SUPPORT_TLS) && defined(AUTH_TLS)
3330 /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */
3331 if ( tls_in.active >= 0
3332 && tls_in.peercert
3333 && tls_in.certificate_verified
3334 && cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd
3335 )
3336 {
3337 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = FALSE;
4f6ae5c3
JH
3338 if ( acl_smtp_auth
3339 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3340 &user_msg, &log_msg)) != OK
3341 )
b3ef41c9 3342 {
4f6ae5c3
JH
3343 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3344 continue;
b3ef41c9
JH
3345 }
3346
3347 for (au = auths; au; au = au->next)
3348 if (strcmpic(US"tls", au->driver_name) == 0)
3349 {
3350 smtp_cmd_data = NULL;
3351
805bb5c3 3352 if (smtp_in_auth(au, &s, &ss) == OK)
cb570b5e 3353 { DEBUG(D_auth) debug_printf("tls auth succeeded\n"); }
805bb5c3 3354 else
cb570b5e 3355 { DEBUG(D_auth) debug_printf("tls auth not succeeded\n"); }
b3ef41c9
JH
3356 break;
3357 }
3358 }
3359#endif
3360
059ec3d9
PH
3361 switch(smtp_read_command(TRUE))
3362 {
3363 /* The AUTH command is not permitted to occur inside a transaction, and may
c46782ef
PH
3364 occur successfully only once per connection. Actually, that isn't quite
3365 true. When TLS is started, all previous information about a connection must
3366 be discarded, so a new AUTH is permitted at that time.
3367
3368 AUTH may only be used when it has been advertised. However, it seems that
3369 there are clients that send AUTH when it hasn't been advertised, some of
3370 them even doing this after HELO. And there are MTAs that accept this. Sigh.
3371 So there's a get-out that allows this to happen.
059ec3d9
PH
3372
3373 AUTH is initially labelled as a "nonmail command" so that one occurrence
3374 doesn't get counted. We change the label here so that multiple failing
3375 AUTHS will eventually hit the nonmail threshold. */
3376
3377 case AUTH_CMD:
b4ed4da0 3378 HAD(SCH_AUTH);
059ec3d9
PH
3379 authentication_failed = TRUE;
3380 cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
3381
c46782ef 3382 if (!auth_advertised && !allow_auth_unadvertised)
059ec3d9
PH
3383 {
3384 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3385 US"AUTH command used when not advertised");
3386 break;
3387 }
b3ef41c9 3388 if (sender_host_authenticated)
059ec3d9
PH
3389 {
3390 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3391 US"already authenticated");
3392 break;
3393 }
b3ef41c9 3394 if (sender_address)
059ec3d9
PH
3395 {
3396 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3397 US"not permitted in mail transaction");
3398 break;
3399 }
3400
3401 /* Check the ACL */
3402
4f6ae5c3
JH
3403 if ( acl_smtp_auth
3404 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3405 &user_msg, &log_msg)) != OK
3406 )
059ec3d9 3407 {
4f6ae5c3
JH
3408 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3409 break;
059ec3d9
PH
3410 }
3411
3412 /* Find the name of the requested authentication mechanism. */
3413
ca86f471
PH
3414 s = smtp_cmd_data;
3415 while ((c = *smtp_cmd_data) != 0 && !isspace(c))
059ec3d9
PH
3416 {
3417 if (!isalnum(c) && c != '-' && c != '_')
3418 {
3419 done = synprot_error(L_smtp_syntax_error, 501, NULL,
3420 US"invalid character in authentication mechanism name");
3421 goto COMMAND_LOOP;
3422 }
ca86f471 3423 smtp_cmd_data++;
059ec3d9
PH
3424 }
3425
3426 /* If not at the end of the line, we must be at white space. Terminate the
3427 name and move the pointer on to any data that may be present. */
3428
ca86f471 3429 if (*smtp_cmd_data != 0)
059ec3d9 3430 {
ca86f471
PH
3431 *smtp_cmd_data++ = 0;
3432 while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
059ec3d9
PH
3433 }
3434
3435 /* Search for an authentication mechanism which is configured for use
c46782ef
PH
3436 as a server and which has been advertised (unless, sigh, allow_auth_
3437 unadvertised is set). */
059ec3d9 3438
b3ef41c9 3439 for (au = auths; au; au = au->next)
059ec3d9 3440 if (strcmpic(s, au->public_name) == 0 && au->server &&
b3ef41c9
JH
3441 (au->advertised || allow_auth_unadvertised))
3442 break;
059ec3d9 3443
b3ef41c9 3444 if (au)
059ec3d9 3445 {
b3ef41c9 3446 c = smtp_in_auth(au, &s, &ss);
059ec3d9 3447
b3ef41c9
JH
3448 smtp_printf("%s\r\n", s);
3449 if (c != OK)
3450 log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
3451 au->name, host_and_ident(FALSE), ss);
059ec3d9 3452 }
b3ef41c9
JH
3453 else
3454 done = synprot_error(L_smtp_protocol_error, 504, NULL,
3455 string_sprintf("%s authentication mechanism not supported", s));
059ec3d9
PH
3456
3457 break; /* AUTH_CMD */
3458
3459 /* The HELO/EHLO commands are permitted to appear in the middle of a
3460 session as well as at the beginning. They have the effect of a reset in
3461 addition to their other functions. Their absence at the start cannot be
3462 taken to be an error.
3463
3464 RFC 2821 says:
3465
3466 If the EHLO command is not acceptable to the SMTP server, 501, 500,
3467 or 502 failure replies MUST be returned as appropriate. The SMTP
3468 server MUST stay in the same state after transmitting these replies
3469 that it was in before the EHLO was received.
3470
3471 Therefore, we do not do the reset until after checking the command for
3472 acceptability. This change was made for Exim release 4.11. Previously
3473 it did the reset first. */
3474
3475 case HELO_CMD:
b4ed4da0 3476 HAD(SCH_HELO);
059ec3d9
PH
3477 hello = US"HELO";
3478 esmtp = FALSE;
3479 goto HELO_EHLO;
3480
3481 case EHLO_CMD:
b4ed4da0 3482 HAD(SCH_EHLO);
059ec3d9
PH
3483 hello = US"EHLO";
3484 esmtp = TRUE;
3485
3486 HELO_EHLO: /* Common code for HELO and EHLO */
3487 cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
3488 cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
3489
3490 /* Reject the HELO if its argument was invalid or non-existent. A
3491 successful check causes the argument to be saved in malloc store. */
3492
ca86f471 3493 if (!check_helo(smtp_cmd_data))
059ec3d9
PH
3494 {
3495 smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
3496
3497 log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
3498 "invalid argument(s): %s", hello, host_and_ident(FALSE),
3ee512ff
PH
3499 (*smtp_cmd_argument == 0)? US"(no argument given)" :
3500 string_printing(smtp_cmd_argument));
059ec3d9
PH
3501
3502 if (++synprot_error_count > smtp_max_synprot_errors)
3503 {
3504 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3505 "syntax or protocol errors (last command was \"%s\")",
0ebc4d69 3506 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
059ec3d9
PH
3507 done = 1;
3508 }
3509
3510 break;
3511 }
3512
3513 /* If sender_host_unknown is true, we have got here via the -bs interface,
3514 not called from inetd. Otherwise, we are running an IP connection and the
3515 host address will be set. If the helo name is the primary name of this
3516 host and we haven't done a reverse lookup, force one now. If helo_required
3517 is set, ensure that the HELO name matches the actual host. If helo_verify
3518 is set, do the same check, but softly. */
3519
3520 if (!sender_host_unknown)
3521 {
3522 BOOL old_helo_verified = helo_verified;
ca86f471 3523 uschar *p = smtp_cmd_data;
059ec3d9
PH
3524
3525 while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
3526 *p = 0;
3527
3528 /* Force a reverse lookup if HELO quoted something in helo_lookup_domains
3529 because otherwise the log can be confusing. */
3530
3531 if (sender_host_name == NULL &&
3532 (deliver_domain = sender_helo_name, /* set $domain */
55414b25 3533 match_isinlist(sender_helo_name, CUSS &helo_lookup_domains, 0,
059ec3d9
PH
3534 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) == OK)
3535 (void)host_name_lookup();
3536
3537 /* Rebuild the fullhost info to include the HELO name (and the real name
3538 if it was looked up.) */
3539
3540 host_build_sender_fullhost(); /* Rebuild */
3541 set_process_info("handling%s incoming connection from %s",
817d9f57 3542 (tls_in.active >= 0)? " TLS" : "", host_and_ident(FALSE));
059ec3d9
PH
3543
3544 /* Verify if configured. This doesn't give much security, but it does
d7b47fd0
PH
3545 make some people happy to be able to do it. If helo_required is set,
3546 (host matches helo_verify_hosts) failure forces rejection. If helo_verify
3547 is set (host matches helo_try_verify_hosts), it does not. This is perhaps
3548 now obsolescent, since the verification can now be requested selectively
3549 at ACL time. */
059ec3d9 3550
1705dd20 3551 helo_verified = helo_verify_failed = sender_helo_dnssec = FALSE;
059ec3d9
PH
3552 if (helo_required || helo_verify)
3553 {
d7b47fd0 3554 BOOL tempfail = !smtp_verify_helo();
059ec3d9
PH
3555 if (!helo_verified)
3556 {
3557 if (helo_required)
3558 {
3559 smtp_printf("%d %s argument does not match calling host\r\n",
3560 tempfail? 451 : 550, hello);
3561 log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
3562 tempfail? "temporarily " : "",
3563 hello, sender_helo_name, host_and_ident(FALSE));
3564 helo_verified = old_helo_verified;
3565 break; /* End of HELO/EHLO processing */
3566 }
3567 HDEBUG(D_all) debug_printf("%s verification failed but host is in "
3568 "helo_try_verify_hosts\n", hello);
3569 }
3570 }
3571 }
3572
8523533c
TK
3573#ifdef EXPERIMENTAL_SPF
3574 /* set up SPF context */
3575 spf_init(sender_helo_name, sender_host_address);
3576#endif
3577
a14e5636
PH
3578 /* Apply an ACL check if one is defined; afterwards, recheck
3579 synchronization in case the client started sending in a delay. */
059ec3d9 3580
4f6ae5c3
JH
3581 if (acl_smtp_helo)
3582 if ((rc = acl_check(ACL_WHERE_HELO, NULL, acl_smtp_helo,
3583 &user_msg, &log_msg)) != OK)
059ec3d9
PH
3584 {
3585 done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
3586 sender_helo_name = NULL;
3587 host_build_sender_fullhost(); /* Rebuild */
3588 break;
3589 }
a14e5636 3590 else if (!check_sync()) goto SYNC_FAILURE;
059ec3d9 3591
4e88a19f
PH
3592 /* Generate an OK reply. The default string includes the ident if present,
3593 and also the IP address if present. Reflecting back the ident is intended
3594 as a deterrent to mail forgers. For maximum efficiency, and also because
3595 some broken systems expect each response to be in a single packet, arrange
3596 that the entire reply is sent in one write(). */
059ec3d9
PH
3597
3598 auth_advertised = FALSE;
3599 pipelining_advertised = FALSE;
d1a13eea 3600#ifdef SUPPORT_TLS
059ec3d9 3601 tls_advertised = FALSE;
d1a13eea 3602#endif
6c1c3d1d 3603 dsn_advertised = FALSE;
8c5d388a 3604#ifdef SUPPORT_I18N
d1a13eea
JH
3605 smtputf8_advertised = FALSE;
3606#endif
059ec3d9 3607
d6a96edc 3608 smtp_code = US"250 "; /* Default response code plus space*/
4e88a19f
PH
3609 if (user_msg == NULL)
3610 {
3611 s = string_sprintf("%.3s %s Hello %s%s%s",
3612 smtp_code,
3613 smtp_active_hostname,
3614 (sender_ident == NULL)? US"" : sender_ident,
3615 (sender_ident == NULL)? US"" : US" at ",
3616 (sender_host_name == NULL)? sender_helo_name : sender_host_name);
3617
3618 ptr = Ustrlen(s);
3619 size = ptr + 1;
059ec3d9 3620
4e88a19f
PH
3621 if (sender_host_address != NULL)
3622 {
c2f669a4
JH
3623 s = string_catn(s, &size, &ptr, US" [", 2);
3624 s = string_cat (s, &size, &ptr, sender_host_address);
3625 s = string_catn(s, &size, &ptr, US"]", 1);
4e88a19f
PH
3626 }
3627 }
3628
d6a96edc
PH
3629 /* A user-supplied EHLO greeting may not contain more than one line. Note
3630 that the code returned by smtp_message_code() includes the terminating
3631 whitespace character. */
059ec3d9 3632
4e88a19f 3633 else
059ec3d9 3634 {
4e88a19f 3635 char *ss;
d6a96edc 3636 int codelen = 4;
4f6ae5c3 3637 smtp_message_code(&smtp_code, &codelen, &user_msg, NULL, TRUE);
d6a96edc 3638 s = string_sprintf("%.*s%s", codelen, smtp_code, user_msg);
4e88a19f
PH
3639 if ((ss = strpbrk(CS s, "\r\n")) != NULL)
3640 {
3641 log_write(0, LOG_MAIN|LOG_PANIC, "EHLO/HELO response must not contain "
3642 "newlines: message truncated: %s", string_printing(s));
3643 *ss = 0;
3644 }
3645 ptr = Ustrlen(s);
3646 size = ptr + 1;
059ec3d9
PH
3647 }
3648
c2f669a4 3649 s = string_catn(s, &size, &ptr, US"\r\n", 2);
059ec3d9
PH
3650
3651 /* If we received EHLO, we must create a multiline response which includes
3652 the functions supported. */
3653
3654 if (esmtp)
3655 {
3656 s[3] = '-';
3657
3658 /* I'm not entirely happy with this, as an MTA is supposed to check
3659 that it has enough room to accept a message of maximum size before
3660 it sends this. However, there seems little point in not sending it.
3661 The actual size check happens later at MAIL FROM time. By postponing it
3662 till then, VRFY and EXPN can be used after EHLO when space is short. */
3663
3664 if (thismessage_size_limit > 0)
3665 {
4e88a19f
PH
3666 sprintf(CS big_buffer, "%.3s-SIZE %d\r\n", smtp_code,
3667 thismessage_size_limit);
c2f669a4 3668 s = string_cat(s, &size, &ptr, big_buffer);
059ec3d9
PH
3669 }
3670 else
3671 {
c2f669a4
JH
3672 s = string_catn(s, &size, &ptr, smtp_code, 3);
3673 s = string_catn(s, &size, &ptr, US"-SIZE\r\n", 7);
059ec3d9
PH
3674 }
3675
3676 /* Exim does not do protocol conversion or data conversion. It is 8-bit
3677 clean; if it has an 8-bit character in its hand, it just sends it. It
3678 cannot therefore specify 8BITMIME and remain consistent with the RFCs.
3679 However, some users want this option simply in order to stop MUAs
3680 mangling messages that contain top-bit-set characters. It is therefore
3681 provided as an option. */
3682
3683 if (accept_8bitmime)
4e88a19f 3684 {
c2f669a4
JH
3685 s = string_catn(s, &size, &ptr, smtp_code, 3);
3686 s = string_catn(s, &size, &ptr, US"-8BITMIME\r\n", 11);
4e88a19f 3687 }
059ec3d9 3688
6c1c3d1d 3689 /* Advertise DSN support if configured to do so. */
94431adb 3690 if (verify_check_host(&dsn_advertise_hosts) != FAIL)
6c1c3d1d 3691 {
c2f669a4
JH
3692 s = string_catn(s, &size, &ptr, smtp_code, 3);
3693 s = string_catn(s, &size, &ptr, US"-DSN\r\n", 6);
6c1c3d1d
WB
3694 dsn_advertised = TRUE;
3695 }
6c1c3d1d 3696
059ec3d9
PH
3697 /* Advertise ETRN if there's an ACL checking whether a host is
3698 permitted to issue it; a check is made when any host actually tries. */
3699
3700 if (acl_smtp_etrn != NULL)
3701 {
c2f669a4
JH
3702 s = string_catn(s, &size, &ptr, smtp_code, 3);
3703 s = string_catn(s, &size, &ptr, US"-ETRN\r\n", 7);
059ec3d9
PH
3704 }
3705
3706 /* Advertise EXPN if there's an ACL checking whether a host is
3707 permitted to issue it; a check is made when any host actually tries. */
3708
3709 if (acl_smtp_expn != NULL)
3710 {
c2f669a4
JH
3711 s = string_catn(s, &size, &ptr, smtp_code, 3);
3712 s = string_catn(s, &size, &ptr, US"-EXPN\r\n", 7);
059ec3d9
PH
3713 }
3714
3715 /* Exim is quite happy with pipelining, so let the other end know that
3716 it is safe to use it, unless advertising is disabled. */
3717
cf8b11a5
PH
3718 if (pipelining_enable &&
3719 verify_check_host(&pipelining_advertise_hosts) == OK)
059ec3d9 3720 {
c2f669a4
JH
3721 s = string_catn(s, &size, &ptr, smtp_code, 3);
3722 s = string_catn(s, &size, &ptr, US"-PIPELINING\r\n", 13);
059ec3d9
PH
3723 sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
3724 pipelining_advertised = TRUE;
3725 }
3726
fd98a5c6 3727
059ec3d9
PH
3728 /* If any server authentication mechanisms are configured, advertise
3729 them if the current host is in auth_advertise_hosts. The problem with
3730 advertising always is that some clients then require users to
3731 authenticate (and aren't configurable otherwise) even though it may not
3732 be necessary (e.g. if the host is in host_accept_relay).
3733
3734 RFC 2222 states that SASL mechanism names contain only upper case
3735 letters, so output the names in upper case, though we actually recognize
3736 them in either case in the AUTH command. */