projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Added a "connect=<time>" option to callouts, for a separate timeout
[exim.git] / src / src / smtp_in.c
CommitLineData
4deaf07d 1/* $Cambridge: exim/src/src/smtp_in.c,v 1.4 2004/11/04 12:19:48 ph10 Exp $ */
059ec3d9
PH		 2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
7/* Copyright (c) University of Cambridge 1995 - 2004 */
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* Functions for handling an incoming SMTP call. */
11
12
13#include "exim.h"
14
15
16/* Initialize for TCP wrappers if so configured. It appears that the macro
17HAVE_IPV6 is used in some versions of the tcpd.h header, so we unset it before
18including that header, and restore its value afterwards. */
19
20#ifdef USE_TCP_WRAPPERS
21
22 #if HAVE_IPV6
23 #define EXIM_HAVE_IPV6
24 #endif
25 #undef HAVE_IPV6
26 #include <tcpd.h>
27 #undef HAVE_IPV6
28 #ifdef EXIM_HAVE_IPV6
29 #define HAVE_IPV6 TRUE
30 #endif
31
32int allow_severity = LOG_INFO;
33int deny_severity = LOG_NOTICE;
34#endif
35
36
37/* Size of buffer for reading SMTP commands */
38
39#define cmd_buffer_size 512 /* Ref. RFC 821 */
40
41/* Size of buffer for reading SMTP incoming packets */
42
43#define in_buffer_size 8192
44
45/* Structure for SMTP command list */
46
47typedef struct {
48 char *name;
49 int len;
50 short int cmd;
51 short int has_arg;
52 short int is_mail_cmd;
53} smtp_cmd_list;
54
55/* Codes for identifying commands. We order them so that those that come first
56are those for which synchronization is always required. Checking this can help
57block some spam. */
58
59enum {
60 /* These commands are required to be synchronized, i.e. to be the last in a
61 block of commands when pipelining. */
62
63 HELO_CMD, EHLO_CMD, DATA_CMD, /* These are listed in the pipelining */
64 VRFY_CMD, EXPN_CMD, NOOP_CMD, /* RFC as requiring synchronization */
65 ETRN_CMD, /* This by analogy with TURN from the RFC */
66 STARTTLS_CMD, /* Required by the STARTTLS RFC */
67
68 /* This is a dummy to identify the non-sync commands when pipelining */
69
70 NON_SYNC_CMD_PIPELINING,
71
72 /* These commands need not be synchronized when pipelining */
73
74 MAIL_CMD, RCPT_CMD, RSET_CMD,
75
76 /* This is a dummy to identify the non-sync commands when not pipelining */
77
78 NON_SYNC_CMD_NON_PIPELINING,
79
80 /* I have been unable to find a statement about the use of pipelining
81 with AUTH, so to be on the safe side it is here, though I kind of feel
82 it should be up there with the synchronized commands. */
83
84 AUTH_CMD,
85
86 /* I'm not sure about these, but I don't think they matter. */
87
88 QUIT_CMD, HELP_CMD,
89
90 /* These are specials that don't correspond to actual commands */
91
92 EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
93 TOO_MANY_NONMAIL_CMD };
94
95
96
97/*************************************************
98* Local static variables *
99*************************************************/
100
101static auth_instance *authenticated_by;
102static BOOL auth_advertised;
103#ifdef SUPPORT_TLS
104static BOOL tls_advertised;
105#endif
106static BOOL esmtp;
107static BOOL helo_required = FALSE;
108static BOOL helo_verify = FALSE;
109static BOOL helo_seen;
110static BOOL helo_accept_junk;
111static BOOL count_nonmail;
112static BOOL pipelining_advertised;
113static int nonmail_command_count;
114static int synprot_error_count;
115static int unknown_command_count;
116static int sync_cmd_limit;
117static int smtp_write_error = 0;
118
119static uschar *smtp_data;
120
121static uschar *cmd_buffer;
122
123/* We need to know the position of RSET, HELO, EHLO, AUTH, and STARTTLS. Their
124final fields of all except AUTH are forced TRUE at the start of a new message
125setup, to allow one of each between messages that is not counted as a nonmail
126command. (In fact, only one of HELO/EHLO is not counted.) Also, we have to
127allow a new EHLO after starting up TLS.
128
129AUTH is "falsely" labelled as a mail command initially, so that it doesn't get
130counted. However, the flag is changed when AUTH is received, so that multiple
131failing AUTHs will eventually hit the limit. After a successful AUTH, another
132AUTH is already forbidden. After a TLS session is started, AUTH's flag is again
133forced TRUE, to allow for the re-authentication that can happen at that point.
134
135QUIT is also "falsely" labelled as a mail command so that it doesn't up the
136count of non-mail commands and possibly provoke an error. */
137
138static smtp_cmd_list cmd_list[] = {
139 { "rset", sizeof("rset")-1, RSET_CMD, FALSE, FALSE }, /* First */
140 { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
141 { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
142 { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
143 #ifdef SUPPORT_TLS
144 { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
145 #endif
146
147/* If you change anything above here, also fix the definitions below. */
148
149 { "mail from:", sizeof("mail from:")-1, MAIL_CMD, TRUE, TRUE },
150 { "rcpt to:", sizeof("rcpt to:")-1, RCPT_CMD, TRUE, TRUE },
151 { "data", sizeof("data")-1, DATA_CMD, FALSE, TRUE },
152 { "quit", sizeof("quit")-1, QUIT_CMD, FALSE, TRUE },
153 { "noop", sizeof("noop")-1, NOOP_CMD, TRUE, FALSE },
154 { "etrn", sizeof("etrn")-1, ETRN_CMD, TRUE, FALSE },
155 { "vrfy", sizeof("vrfy")-1, VRFY_CMD, TRUE, FALSE },
156 { "expn", sizeof("expn")-1, EXPN_CMD, TRUE, FALSE },
157 { "help", sizeof("help")-1, HELP_CMD, TRUE, FALSE }
158};
159
160static smtp_cmd_list *cmd_list_end =
161 cmd_list + sizeof(cmd_list)/sizeof(smtp_cmd_list);
162
163#define CMD_LIST_RSET 0
164#define CMD_LIST_HELO 1
165#define CMD_LIST_EHLO 2
166#define CMD_LIST_AUTH 3
167#define CMD_LIST_STARTTLS 4
168
169static uschar *protocols[] = {
170 US"local-smtp",
171 US"local-esmtp",
172 US"local-esmtpa",
173 US"local-esmtps",
174 US"local-esmtpsa"
175 };
176
177#define pnormal 0
178#define pextend 1
179#define pauthed 1 /* added to pextend */
180#define pcrpted 2 /* added to pextend */
181#define pnlocal 6 /* offset to remove "local" */
182
183/* When reading SMTP from a remote host, we have to use our own versions of the
184C input-reading functions, in order to be able to flush the SMTP output only
185when about to read more data from the socket. This is the only way to get
186optimal performance when the client is using pipelining. Flushing for every
187command causes a separate packet and reply packet each time; saving all the
188responses up (when pipelining) combines them into one packet and one response.
189
190For simplicity, these functions are used for *all* SMTP input, not only when
191receiving over a socket. However, after setting up a secure socket (SSL), input
192is read via the OpenSSL library, and another set of functions is used instead
193(see tls.c).
194
195These functions are set in the receive_getc etc. variables and called with the
196same interface as the C functions. However, since there can only ever be
197one incoming SMTP call, we just use a single buffer and flags. There is no need
198to implement a complicated private FILE-like structure.*/
199
200static uschar *smtp_inbuffer;
201static uschar *smtp_inptr;
202static uschar *smtp_inend;
203static int smtp_had_eof;
204static int smtp_had_error;
205
206
207/*************************************************
208* SMTP version of getc() *
209*************************************************/
210
211/* This gets the next byte from the SMTP input buffer. If the buffer is empty,
212it flushes the output, and refills the buffer, with a timeout. The signal
213handler is set appropriately by the calling function. This function is not used
214after a connection has negotated itself into an TLS/SSL state.
215
216Arguments: none
217Returns: the next character or EOF
218*/
219
220int
221smtp_getc(void)
222{
223if (smtp_inptr >= smtp_inend)
224 {
225 int rc, save_errno;
226 fflush(smtp_out);
227 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
228 rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
229 save_errno = errno;
230 alarm(0);
231 if (rc <= 0)
232 {
233 /* Must put the error text in fixed store, because this might be during
234 header reading, where it releases unused store above the header. */
235 if (rc < 0)
236 {
237 smtp_had_error = save_errno;
238 smtp_read_error = string_copy_malloc(
239 string_sprintf(" (error: %s)", strerror(save_errno)));
240 }
241 else smtp_had_eof = 1;
242 return EOF;
243 }
244 smtp_inend = smtp_inbuffer + rc;
245 smtp_inptr = smtp_inbuffer;
246 }
247return *smtp_inptr++;
248}
249
250
251
252/*************************************************
253* SMTP version of ungetc() *
254*************************************************/
255
256/* Puts a character back in the input buffer. Only ever
257called once.
258
259Arguments:
260 ch the character
261
262Returns: the character
263*/
264
265int
266smtp_ungetc(int ch)
267{
268*(--smtp_inptr) = ch;
269return ch;
270}
271
272
273
274
275/*************************************************
276* SMTP version of feof() *
277*************************************************/
278
279/* Tests for a previous EOF
280
281Arguments: none
282Returns: non-zero if the eof flag is set
283*/
284
285int
286smtp_feof(void)
287{
288return smtp_had_eof;
289}
290
291
292
293
294/*************************************************
295* SMTP version of ferror() *
296*************************************************/
297
298/* Tests for a previous read error, and returns with errno
299restored to what it was when the error was detected.
300
301Arguments: none
302Returns: non-zero if the error flag is set
303*/
304
305int
306smtp_ferror(void)
307{
308errno = smtp_had_error;
309return smtp_had_error;
310}
311
312
313
314
315/*************************************************
316* Write formatted string to SMTP channel *
317*************************************************/
318
319/* This is a separate function so that we don't have to repeat everything for
320TLS support or debugging. It is global so that the daemon and the
321authentication functions can use it. It does not return any error indication,
322because major problems such as dropped connections won't show up till an output
323flush for non-TLS connections. The smtp_fflush() function is available for
324checking that: for convenience, TLS output errors are remembered here so that
325they are also picked up later by smtp_fflush().
326
327Arguments:
328 format format string
329 ... optional arguments
330
331Returns: nothing
332*/
333
334void
335smtp_printf(char *format, ...)
336{
337va_list ap;
338
339DEBUG(D_receive)
340 {
341 va_start(ap, format);
342 (void) string_vformat(big_buffer, big_buffer_size, format, ap);
343 debug_printf("SMTP>> %s", big_buffer);
344 }
345
346va_start(ap, format);
347
348/* If in a TLS session we have to format the string, and then write it using a
349TLS function. */
350
351#ifdef SUPPORT_TLS
352if (tls_active >= 0)
353 {
354 if (!string_vformat(big_buffer, big_buffer_size, format, ap))
355 {
356 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf");
357 smtp_closedown(US"Unexpected error");
358 exim_exit(EXIT_FAILURE);
359 }
360 if (tls_write(big_buffer, Ustrlen(big_buffer)) < 0) smtp_write_error = -1;
361 }
362else
363#endif
364
365/* Otherwise, just use the standard library function. */
366
367if (vfprintf(smtp_out, format, ap) < 0) smtp_write_error = -1;
368va_end(ap);
369}
370
371
372
373/*************************************************
374* Flush SMTP out and check for error *
375*************************************************/
376
377/* This function isn't currently used within Exim (it detects errors when it
378tries to read the next SMTP input), but is available for use in local_scan().
379For non-TLS connections, it flushes the output and checks for errors. For
380TLS-connections, it checks for a previously-detected TLS write error.
381
382Arguments: none
383Returns: 0 for no error; -1 after an error
384*/
385
386int
387smtp_fflush(void)
388{
389if (tls_active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
390return smtp_write_error;
391}
392
393
394
395/*************************************************
396* SMTP command read timeout *
397*************************************************/
398
399/* Signal handler for timing out incoming SMTP commands. This attempts to
400finish off tidily.
401
402Argument: signal number (SIGALRM)
403Returns: nothing
404*/
405
406static void
407command_timeout_handler(int sig)
408{
409sig = sig; /* Keep picky compilers happy */
410log_write(L_lost_incoming_connection,
411 LOG_MAIN, "SMTP command timeout on%s connection from %s",
412 (tls_active >= 0)? " TLS" : "",
413 host_and_ident(FALSE));
414if (smtp_batched_input)
415 moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
416smtp_printf("421 %s: SMTP command timeout - closing connection\r\n",
417 smtp_active_hostname);
418mac_smtp_fflush();
419exim_exit(EXIT_FAILURE);
420}
421
422
423
424/*************************************************
425* SIGTERM received *
426*************************************************/
427
428/* Signal handler for handling SIGTERM. Again, try to finish tidily.
429
430Argument: signal number (SIGTERM)
431Returns: nothing
432*/
433
434static void
435command_sigterm_handler(int sig)
436{
437sig = sig; /* Keep picky compilers happy */
438log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
439if (smtp_batched_input)
440 moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */
441smtp_printf("421 %s: Service not available - closing connection\r\n",
442 smtp_active_hostname);
443exim_exit(EXIT_FAILURE);
444}
445
446
447
448/*************************************************
449* Read one command line *
450*************************************************/
451
452/* Strictly, SMTP commands coming over the net are supposed to end with CRLF.
453There are sites that don't do this, and in any case internal SMTP probably
454should check only for LF. Consequently, we check here for LF only. The line
455ends up with [CR]LF removed from its end. If we get an overlong line, treat as
456an unknown command. The command is read into the static cmd_buffer.
457
458The character reading routine sets up a timeout for each block actually read
459from the input (which may contain more than one command). We set up a special
460signal handler that closes down the session on a timeout. Control does not
461return when it runs.
462
463Arguments:
464 check_sync if TRUE, check synchronization rules if global option is TRUE
465
466Returns: a code identifying the command (enumerated above)
467*/
468
469static int
470smtp_read_command(BOOL check_sync)
471{
472int c;
473int ptr = 0;
474smtp_cmd_list *p;
475BOOL hadnull = FALSE;
476
477os_non_restarting_signal(SIGALRM, command_timeout_handler);
478
479while ((c = (receive_getc)()) != '\n' && c != EOF)
480 {
481 if (ptr >= cmd_buffer_size)
482 {
483 os_non_restarting_signal(SIGALRM, sigalrm_handler);
484 return OTHER_CMD;
485 }
486 if (c == 0)
487 {
488 hadnull = TRUE;
489 c = '?';
490 }
491 cmd_buffer[ptr++] = c;
492 }
493
494receive_linecount++; /* For BSMTP errors */
495os_non_restarting_signal(SIGALRM, sigalrm_handler);
496
497/* If hit end of file, return pseudo EOF command. Whether we have a
498part-line already read doesn't matter, since this is an error state. */
499
500if (c == EOF) return EOF_CMD;
501
502/* Remove any CR and white space at the end of the line, and terminate the
503string. */
504
505while (ptr > 0 && isspace(cmd_buffer[ptr-1])) ptr--;
506cmd_buffer[ptr] = 0;
507
508DEBUG(D_receive) debug_printf("SMTP<< %s\n", cmd_buffer);
509
510/* NULLs are not allowed in SMTP commands */
511
512if (hadnull) return BADCHAR_CMD;
513
514/* Scan command list and return identity, having set the data pointer
515to the start of the actual data characters. Check for SMTP synchronization
516if required. */
517
518for (p = cmd_list; p < cmd_list_end; p++)
519 {
520 if (strncmpic(cmd_buffer, US p->name, p->len) == 0)
521 {
522 if (smtp_inptr < smtp_inend && /* Outstanding input */
523 p->cmd < sync_cmd_limit && /* Command should sync */
524 check_sync && /* Local flag set */
525 smtp_enforce_sync && /* Global flag set */
526 sender_host_address != NULL && /* Not local input */
527 !sender_host_notsocket) /* Really is a socket */
528 return BADSYN_CMD;
529
530 /* Point after the command, but don't skip over leading spaces till after
531 the following test, so that if it fails, the command name can easily be
532 logged. */
533
534 smtp_data = cmd_buffer + p->len;
535
536 /* Count non-mail commands from those hosts that are controlled in this
537 way. The default is all hosts. We don't waste effort checking the list
538 until we get a non-mail command, but then cache the result to save checking
539 again. If there's a DEFER while checking the host, assume it's in the list.
540
541 Note that one instance of RSET, EHLO/HELO, and STARTTLS is allowed at the
542 start of each incoming message by fiddling with the value in the table. */
543
544 if (!p->is_mail_cmd)
545 {
546 if (count_nonmail == TRUE_UNSET) count_nonmail =
547 verify_check_host(&smtp_accept_max_nonmail_hosts) != FAIL;
548 if (count_nonmail && ++nonmail_command_count > smtp_accept_max_nonmail)
549 return TOO_MANY_NONMAIL_CMD;
550 }
551
552 /* Get the data pointer over leading spaces and return; if there is no data
553 for a command that expects it, we give the error centrally here. */
554
555 while (isspace(*smtp_data)) smtp_data++;
556 return (p->has_arg || *smtp_data == 0)? p->cmd : BADARG_CMD;
557 }
558 }
559
560/* Enforce synchronization for unknown commands */
561
562if (smtp_inptr < smtp_inend && /* Outstanding input */
563 check_sync && /* Local flag set */
564 smtp_enforce_sync && /* Global flag set */
565 sender_host_address != NULL && /* Not local input */
566 !sender_host_notsocket) /* Really is a socket */
567 return BADSYN_CMD;
568
569return OTHER_CMD;
570}
571
572
573
574/*************************************************
575* Forced closedown of call *
576*************************************************/
577
578/* This function is called from log.c when Exim is dying because of a serious
579disaster, and also from some other places. If an incoming non-batched SMTP
580channel is open, it swallows the rest of the incoming message if in the DATA
581phase, sends the reply string, and gives an error to all subsequent commands
582except QUIT. The existence of an SMTP call is detected by the non-NULLness of
583smtp_in.
584
585Argument: SMTP reply string to send, excluding the code
586Returns: nothing
587*/
588
589void
590smtp_closedown(uschar *message)
591{
592if (smtp_in == NULL || smtp_batched_input) return;
593receive_swallow_smtp();
594smtp_printf("421 %s\r\n", message);
595
596for (;;)
597 {
598 switch(smtp_read_command(FALSE))
599 {
600 case EOF_CMD:
601 return;
602
603 case QUIT_CMD:
604 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
605 mac_smtp_fflush();
606 return;
607
608 case RSET_CMD:
609 smtp_printf("250 Reset OK\r\n");
610 break;
611
612 default:
613 smtp_printf("421 %s\r\n", message);
614 break;
615 }
616 }
617}
618
619
620
621
622/*************************************************
623* Set up connection info for logging *
624*************************************************/
625
626/* This function is called when logging information about an SMTP connection.
627It sets up appropriate source information, depending on the type of connection.
628
629Argument: none
630Returns: a string describing the connection
631*/
632
633uschar *
634smtp_get_connection_info(void)
635{
636if (host_checking)
637 return string_sprintf("SMTP connection from %s", sender_fullhost);
638
639if (sender_host_unknown || sender_host_notsocket)
640 return string_sprintf("SMTP connection from %s", sender_ident);
641
642if (is_inetd)
643 return string_sprintf("SMTP connection from %s (via inetd)", sender_fullhost);
644
645if ((log_extra_selector & LX_incoming_interface) != 0 &&
646 interface_address != NULL)
647 return string_sprintf("SMTP connection from %s I=[%s]:%d", sender_fullhost,
648 interface_address, interface_port);
649
650return string_sprintf("SMTP connection from %s", sender_fullhost);
651}
652
653
654
655/*************************************************
656* Check HELO line and set sender_helo_name *
657*************************************************/
658
659/* Check the format of a HELO line. The data for HELO/EHLO is supposed to be
660the domain name of the sending host, or an ip literal in square brackets. The
661arrgument is placed in sender_helo_name, which is in malloc store, because it
662must persist over multiple incoming messages. If helo_accept_junk is set, this
663host is permitted to send any old junk (needed for some broken hosts).
664Otherwise, helo_allow_chars can be used for rogue characters in general
665(typically people want to let in underscores).
666
667Argument:
668 s the data portion of the line (already past any white space)
669
670Returns: TRUE or FALSE
671*/
672
673static BOOL
674check_helo(uschar *s)
675{
676uschar *start = s;
677uschar *end = s + Ustrlen(s);
678BOOL yield = helo_accept_junk;
679
680/* Discard any previous helo name */
681
682if (sender_helo_name != NULL)
683 {
684 store_free(sender_helo_name);
685 sender_helo_name = NULL;
686 }
687
688/* Skip tests if junk is permitted. */
689
690if (!yield)
691 {
692 /* Allow the new standard form for IPv6 address literals, namely,
693 [IPv6:....], and because someone is bound to use it, allow an equivalent
694 IPv4 form. Allow plain addresses as well. */
695
696 if (*s == '[')
697 {
698 if (end[-1] == ']')
699 {
700 end[-1] = 0;
701 if (strncmpic(s, US"[IPv6:", 6) == 0)
702 yield = (string_is_ip_address(s+6, NULL) == 6);
703 else if (strncmpic(s, US"[IPv4:", 6) == 0)
704 yield = (string_is_ip_address(s+6, NULL) == 4);
705 else
706 yield = (string_is_ip_address(s+1, NULL) != 0);
707 end[-1] = ']';
708 }
709 }
710
711 /* Non-literals must be alpha, dot, hyphen, plus any non-valid chars
712 that have been configured (usually underscore - sigh). */
713
714 else if (*s != 0)
715 {
716 yield = TRUE;
717 while (*s != 0)
718 {
719 if (!isalnum(*s) && *s != '.' && *s != '-' &&
720 Ustrchr(helo_allow_chars, *s) == NULL)
721 {
722 yield = FALSE;
723 break;
724 }
725 s++;
726 }
727 }
728 }
729
730/* Save argument if OK */
731
732if (yield) sender_helo_name = string_copy_malloc(start);
733return yield;
734}
735
736
737
738
739
740/*************************************************
741* Extract SMTP command option *
742*************************************************/
743
744/* This function picks the next option setting off the end of smtp_data. It
745is called for MAIL FROM and RCPT TO commands, to pick off the optional ESMTP
746things that can appear there.
747
748Arguments:
749 name point this at the name
750 value point this at the data string
751
752Returns: TRUE if found an option
753*/
754
755static BOOL
756extract_option(uschar **name, uschar **value)
757{
758uschar *n;
759uschar *v = smtp_data + Ustrlen(smtp_data) -1;
760while (isspace(*v)) v--;
761v[1] = 0;
762
763while (v > smtp_data && *v != '=' && !isspace(*v)) v--;
764if (*v != '=') return FALSE;
765
766n = v;
767while(isalpha(n[-1])) n--;
768
769if (n[-1] != ' ') return FALSE;
770
771n[-1] = 0;
772*name = n;
773*v++ = 0;
774*value = v;
775return TRUE;
776}
777
778
779
780
781
782
783
784/*************************************************
785* Reset for new message *
786*************************************************/
787
788/* This function is called whenever the SMTP session is reset from
789within either of the setup functions.
790
791Argument: the stacking pool storage reset point
792Returns: nothing
793*/
794
795static void
796smtp_reset(void *reset_point)
797{
798int i;
799store_reset(reset_point);
800recipients_list = NULL;
801rcpt_count = rcpt_defer_count = rcpt_fail_count =
802 raw_recipients_count = recipients_count = recipients_list_max = 0;
803message_size = -1;
804acl_warn_headers = NULL;
805queue_only_policy = FALSE;
69358f02
PH		 806deliver_freeze = FALSE; /* Can be set by ACL */
807submission_mode = FALSE; /* Can be set by ACL */
808active_local_from_check = local_from_check; /* Can be set by ACL */
809active_local_sender_retain = local_sender_retain; /* Can be set by ACL */
059ec3d9
PH		 810sender_address = NULL;
811raw_sender = NULL; /* After SMTP rewrite, before qualifying */
812sender_address_unrewritten = NULL; /* Set only after verify rewrite */
813sender_verified_list = NULL; /* No senders verified */
814memset(sender_address_cache, 0, sizeof(sender_address_cache));
815memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
816authenticated_sender = NULL;
817body_linecount = body_zerocount = 0;
818
819for (i = 0; i < ACL_M_MAX; i++) acl_var[ACL_C_MAX + i] = NULL;
820
821/* The message body variables use malloc store. They may be set if this is
822not the first message in an SMTP session and the previous message caused them
823to be referenced in an ACL. */
824
825if (message_body != NULL)
826 {
827 store_free(message_body);
828 message_body = NULL;
829 }
830
831if (message_body_end != NULL)
832 {
833 store_free(message_body_end);
834 message_body_end = NULL;
835 }
836
837/* Warning log messages are also saved in malloc store. They are saved to avoid
838repetition in the same message, but it seems right to repeat them for different
839messagess. */
840
841while (acl_warn_logged != NULL)
842 {
843 string_item *this = acl_warn_logged;
844 acl_warn_logged = acl_warn_logged->next;
845 store_free(this);
846 }
847}
848
849
850
851
852
853/*************************************************
854* Initialize for incoming batched SMTP message *
855*************************************************/
856
857/* This function is called from smtp_setup_msg() in the case when
858smtp_batched_input is true. This happens when -bS is used to pass a whole batch
859of messages in one file with SMTP commands between them. All errors must be
860reported by sending a message, and only MAIL FROM, RCPT TO, and DATA are
861relevant. After an error on a sender, or an invalid recipient, the remainder
862of the message is skipped. The value of received_protocol is already set.
863
864Argument: none
865Returns: > 0 message successfully started (reached DATA)
866 = 0 QUIT read or end of file reached
867 < 0 should not occur
868*/
869
870static int
871smtp_setup_batch_msg(void)
872{
873int done = 0;
874void *reset_point = store_get(0);
875
876/* Save the line count at the start of each transaction - single commands
877like HELO and RSET count as whole transactions. */
878
879bsmtp_transaction_linecount = receive_linecount;
880
881if ((receive_feof)()) return 0; /* Treat EOF as QUIT */
882
883smtp_reset(reset_point); /* Reset for start of message */
884
885/* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
886value. The values are 2 larger than the required yield of the function. */
887
888while (done <= 0)
889 {
890 uschar *errmess;
891 uschar *recipient = NULL;
892 int start, end, sender_domain, recipient_domain;
893
894 switch(smtp_read_command(FALSE))
895 {
896 /* The HELO/EHLO commands set sender_address_helo if they have
897 valid data; otherwise they are ignored, except that they do
898 a reset of the state. */
899
900 case HELO_CMD:
901 case EHLO_CMD:
902
903 check_helo(smtp_data);
904 /* Fall through */
905
906 case RSET_CMD:
907 smtp_reset(reset_point);
908 bsmtp_transaction_linecount = receive_linecount;
909 break;
910
911
912 /* The MAIL FROM command requires an address as an operand. All we
913 do here is to parse it for syntactic correctness. The form "<>" is
914 a special case which converts into an empty string. The start/end
915 pointers in the original are not used further for this address, as
916 it is the canonical extracted address which is all that is kept. */
917
918 case MAIL_CMD:
919 if (sender_address != NULL)
920 /* The function moan_smtp_batch() does not return. */
921 moan_smtp_batch(cmd_buffer, "503 Sender already given");
922
923 if (smtp_data[0] == 0)
924 /* The function moan_smtp_batch() does not return. */
925 moan_smtp_batch(cmd_buffer, "501 MAIL FROM must have an address operand");
926
927 /* Reset to start of message */
928
929 smtp_reset(reset_point);
930
931 /* Apply SMTP rewrite */
932
933 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
934 rewrite_one(smtp_data, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
935 US"", global_rewrite_rules) : smtp_data;
936
937 /* Extract the address; the TRUE flag allows <> as valid */
938
939 raw_sender =
940 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
941 TRUE);
942
943 if (raw_sender == NULL)
944 /* The function moan_smtp_batch() does not return. */
945 moan_smtp_batch(cmd_buffer, "501 %s", errmess);
946
947 sender_address = string_copy(raw_sender);
948
949 /* Qualify unqualified sender addresses if permitted to do so. */
950
951 if (sender_domain == 0 && sender_address[0] != 0 && sender_address[0] != '@')
952 {
953 if (allow_unqualified_sender)
954 {
955 sender_address = rewrite_address_qualify(sender_address, FALSE);
956 DEBUG(D_receive) debug_printf("unqualified address %s accepted "
957 "and rewritten\n", raw_sender);
958 }
959 /* The function moan_smtp_batch() does not return. */
960 else moan_smtp_batch(cmd_buffer, "501 sender address must contain "
961 "a domain");
962 }
963 break;
964
965
966 /* The RCPT TO command requires an address as an operand. All we do
967 here is to parse it for syntactic correctness. There may be any number
968 of RCPT TO commands, specifying multiple senders. We build them all into
969 a data structure that is in argc/argv format. The start/end values
970 given by parse_extract_address are not used, as we keep only the
971 extracted address. */
972
973 case RCPT_CMD:
974 if (sender_address == NULL)
975 /* The function moan_smtp_batch() does not return. */
976 moan_smtp_batch(cmd_buffer, "503 No sender yet given");
977
978 if (smtp_data[0] == 0)
979 /* The function moan_smtp_batch() does not return. */
980 moan_smtp_batch(cmd_buffer, "501 RCPT TO must have an address operand");
981
982 /* Check maximum number allowed */
983
984 if (recipients_max > 0 && recipients_count + 1 > recipients_max)
985 /* The function moan_smtp_batch() does not return. */
986 moan_smtp_batch(cmd_buffer, "%s too many recipients",
987 recipients_max_reject? "552": "452");
988
989 /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a
990 recipient address */
991
992 recipient = ((rewrite_existflags & rewrite_smtp) != 0)?
993 rewrite_one(smtp_data, rewrite_smtp, NULL, FALSE, US"",
994 global_rewrite_rules) : smtp_data;
995
996 /* rfc821_domains = TRUE; << no longer needed */
997 recipient = parse_extract_address(recipient, &errmess, &start, &end,
998 &recipient_domain, FALSE);
999 /* rfc821_domains = FALSE; << no longer needed */
1000
1001 if (recipient == NULL)
1002 /* The function moan_smtp_batch() does not return. */
1003 moan_smtp_batch(cmd_buffer, "501 %s", errmess);
1004
1005 /* If the recipient address is unqualified, qualify it if permitted. Then
1006 add it to the list of recipients. */
1007
1008 if (recipient_domain == 0)
1009 {
1010 if (allow_unqualified_recipient)
1011 {
1012 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
1013 recipient);
1014 recipient = rewrite_address_qualify(recipient, TRUE);
1015 }
1016 /* The function moan_smtp_batch() does not return. */
1017 else moan_smtp_batch(cmd_buffer, "501 recipient address must contain "
1018 "a domain");
1019 }
1020 receive_add_recipient(recipient, -1);
1021 break;
1022
1023
1024 /* The DATA command is legal only if it follows successful MAIL FROM
1025 and RCPT TO commands. This function is complete when a valid DATA
1026 command is encountered. */
1027
1028 case DATA_CMD:
1029 if (sender_address == NULL || recipients_count <= 0)
1030 {
1031 /* The function moan_smtp_batch() does not return. */
1032 if (sender_address == NULL)
1033 moan_smtp_batch(cmd_buffer,
1034 "503 MAIL FROM:<sender> command must precede DATA");
1035 else
1036 moan_smtp_batch(cmd_buffer,
1037 "503 RCPT TO:<recipient> must precede DATA");
1038 }
1039 else
1040 {
1041 done = 3; /* DATA successfully achieved */
1042 message_ended = END_NOTENDED; /* Indicate in middle of message */
1043 }
1044 break;
1045
1046
1047 /* The VRFY, EXPN, HELP, ETRN, and NOOP commands are ignored. */
1048
1049 case VRFY_CMD:
1050 case EXPN_CMD:
1051 case HELP_CMD:
1052 case NOOP_CMD:
1053 case ETRN_CMD:
1054 bsmtp_transaction_linecount = receive_linecount;
1055 break;
1056
1057
1058 case EOF_CMD:
1059 case QUIT_CMD:
1060 done = 2;
1061 break;
1062
1063
1064 case BADARG_CMD:
1065 /* The function moan_smtp_batch() does not return. */
1066 moan_smtp_batch(cmd_buffer, "501 Unexpected argument data");
1067 break;
1068
1069
1070 case BADCHAR_CMD:
1071 /* The function moan_smtp_batch() does not return. */
1072 moan_smtp_batch(cmd_buffer, "501 Unexpected NULL in SMTP command");
1073 break;
1074
1075
1076 default:
1077 /* The function moan_smtp_batch() does not return. */
1078 moan_smtp_batch(cmd_buffer, "500 Command unrecognized");
1079 break;
1080 }
1081 }
1082
1083return done - 2; /* Convert yield values */
1084}
1085
1086
1087
1088
1089/*************************************************
1090* Start an SMTP session *
1091*************************************************/
1092
1093/* This function is called at the start of an SMTP session. Thereafter,
1094smtp_setup_msg() is called to initiate each separate message. This
1095function does host-specific testing, and outputs the banner line.
1096
1097Arguments: none
1098Returns: FALSE if the session can not continue; something has
1099 gone wrong, or the connection to the host is blocked
1100*/
1101
1102BOOL
1103smtp_start_session(void)
1104{
1105int size = 256;
1106int i, ptr;
1107uschar *p, *s, *ss;
1108
1109helo_seen = esmtp = helo_accept_junk = FALSE;
1110count_nonmail = TRUE_UNSET;
1111synprot_error_count = unknown_command_count = nonmail_command_count = 0;
1112smtp_delay_mail = smtp_rlm_base;
1113auth_advertised = FALSE;
1114pipelining_advertised = FALSE;
1115sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
1116
1117memset(sender_host_cache, 0, sizeof(sender_host_cache));
1118
1119sender_host_authenticated = NULL;
1120authenticated_by = NULL;
1121
1122#ifdef SUPPORT_TLS
1123tls_cipher = tls_peerdn = NULL;
1124tls_advertised = FALSE;
1125#endif
1126
1127/* Reset ACL connection variables */
1128
1129for (i = 0; i < ACL_C_MAX; i++) acl_var[i] = NULL;
1130
1131cmd_buffer = (uschar *)malloc(cmd_buffer_size + 1); /* allow for trailing 0 */
1132if (cmd_buffer == NULL)
1133 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1134 "malloc() failed for SMTP command buffer");
1135
1136/* For batched input, the protocol setting can be overridden from the
1137command line by a trusted caller. */
1138
1139if (smtp_batched_input)
1140 {
1141 if (received_protocol == NULL) received_protocol = US"local-bsmtp";
1142 }
1143
1144/* For non-batched SMTP input, the protocol setting is forced here. It will be
1145reset later if any of EHLO/AUTH/STARTTLS are received. */
1146
1147else
1148 received_protocol =
1149 protocols[pnormal] + ((sender_host_address != NULL)? pnlocal : 0);
1150
1151/* Set up the buffer for inputting using direct read() calls, and arrange to
1152call the local functions instead of the standard C ones. */
1153
1154smtp_inbuffer = (uschar *)malloc(in_buffer_size);
1155if (smtp_inbuffer == NULL)
1156 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
1157receive_getc = smtp_getc;
1158receive_ungetc = smtp_ungetc;
1159receive_feof = smtp_feof;
1160receive_ferror = smtp_ferror;
1161smtp_inptr = smtp_inend = smtp_inbuffer;
1162smtp_had_eof = smtp_had_error = 0;
1163
1164/* Set up the message size limit; this may be host-specific */
1165
1166thismessage_size_limit = expand_string_integer(message_size_limit);
1167if (thismessage_size_limit < 0)
1168 {
1169 if (thismessage_size_limit == -1)
1170 log_write(0, LOG_MAIN|LOG_PANIC, "unable to expand message_size_limit: "
1171 "%s", expand_string_message);
1172 else
1173 log_write(0, LOG_MAIN|LOG_PANIC, "invalid message_size_limit: "
1174 "%s", expand_string_message);
1175 smtp_closedown(US"Temporary local problem - please try later");
1176 return FALSE;
1177 }
1178
1179/* When a message is input locally via the -bs or -bS options, sender_host_
1180unknown is set unless -oMa was used to force an IP address, in which case it
1181is checked like a real remote connection. When -bs is used from inetd, this
1182flag is not set, causing the sending host to be checked. The code that deals
1183with IP source routing (if configured) is never required for -bs or -bS and
1184the flag sender_host_notsocket is used to suppress it.
1185
1186If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
1187reserve for certain hosts and/or networks. */
1188
1189if (!sender_host_unknown)
1190 {
1191 int rc;
1192 BOOL reserved_host = FALSE;
1193
1194 /* Look up IP options (source routing info) on the socket if this is not an
1195 -oMa "host", and if any are found, log them and drop the connection.
1196
1197 Linux (and others now, see below) is different to everyone else, so there
1198 has to be some conditional compilation here. Versions of Linux before 2.1.15
1199 used a structure whose name was "options". Somebody finally realized that
1200 this name was silly, and it got changed to "ip_options". I use the
1201 newer name here, but there is a fudge in the script that sets up os.h
1202 to define a macro in older Linux systems.
1203
1204 Sigh. Linux is a fast-moving target. Another generation of Linux uses
1205 glibc 2, which has chosen ip_opts for the structure name. This is now
1206 really a glibc thing rather than a Linux thing, so the condition name
1207 has been changed to reflect this. It is relevant also to GNU/Hurd.
1208
1209 Mac OS 10.x (Darwin) is like the later glibc versions, but without the
1210 setting of the __GLIBC__ macro, so we can't detect it automatically. There's
1211 a special macro defined in the os.h file.
1212
1213 Some DGUX versions on older hardware appear not to support IP options at
1214 all, so there is now a general macro which can be set to cut out this
1215 support altogether.
1216
1217 How to do this properly in IPv6 is not yet known. */
1218
1219 #if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
1220
1221 #ifdef GLIBC_IP_OPTIONS
1222 #if (!defined __GLIBC__) || (__GLIBC__ < 2)
1223 #define OPTSTYLE 1
1224 #else
1225 #define OPTSTYLE 2
1226 #endif
1227 #elif defined DARWIN_IP_OPTIONS
1228 #define OPTSTYLE 2
1229 #else
1230 #define OPTSTYLE 3
1231 #endif
1232
1233 if (!host_checking && !sender_host_notsocket)
1234 {
1235 #if OPTSTYLE == 1
1236 SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
1237 struct ip_options *ipopt = store_get(optlen);
1238 #elif OPTSTYLE == 2
1239 struct ip_opts ipoptblock;
1240 struct ip_opts *ipopt = &ipoptblock;
1241 SOCKLEN_T optlen = sizeof(ipoptblock);
1242 #else
1243 struct ipoption ipoptblock;
1244 struct ipoption *ipopt = &ipoptblock;
1245 SOCKLEN_T optlen = sizeof(ipoptblock);
1246 #endif
1247
1248 /* Occasional genuine failures of getsockopt() have been seen - for
1249 example, "reset by peer". Therefore, just log and give up on this
1250 call, unless the error is ENOPROTOOPT. This error is given by systems
1251 that have the interfaces but not the mechanism - e.g. GNU/Hurd at the time
1252 of writing. So for that error, carry on - we just can't do an IP options
1253 check. */
1254
1255 DEBUG(D_receive) debug_printf("checking for IP options\n");
1256
1257 if (getsockopt(fileno(smtp_out), IPPROTO_IP, IP_OPTIONS, (uschar *)(ipopt),
1258 &optlen) < 0)
1259 {
1260 if (errno != ENOPROTOOPT)
1261 {
1262 log_write(0, LOG_MAIN, "getsockopt() failed from %s: %s",
1263 host_and_ident(FALSE), strerror(errno));
1264 smtp_printf("451 SMTP service not available\r\n");
1265 return FALSE;
1266 }
1267 }
1268
1269 /* Deal with any IP options that are set. On the systems I have looked at,
1270 the value of MAX_IPOPTLEN has been 40, meaning that there should never be
1271 more logging data than will fit in big_buffer. Nevertheless, after somebody
1272 questioned this code, I've added in some paranoid checking. */
1273
1274 else if (optlen > 0)
1275 {
1276 uschar *p = big_buffer;
1277 uschar *pend = big_buffer + big_buffer_size;
1278 uschar *opt, *adptr;
1279 int optcount;
1280 struct in_addr addr;
1281
1282 #if OPTSTYLE == 1
1283 uschar *optstart = (uschar *)(ipopt->__data);
1284 #elif OPTSTYLE == 2
1285 uschar *optstart = (uschar *)(ipopt->ip_opts);
1286 #else
1287 uschar *optstart = (uschar *)(ipopt->ipopt_list);
1288 #endif
1289
1290 DEBUG(D_receive) debug_printf("IP options exist\n");
1291
1292 Ustrcpy(p, "IP options on incoming call:");
1293 p += Ustrlen(p);
1294
1295 for (opt = optstart; opt != NULL &&
1296 opt < (uschar *)(ipopt) + optlen;)
1297 {
1298 switch (*opt)
1299 {
1300 case IPOPT_EOL:
1301 opt = NULL;
1302 break;
1303
1304 case IPOPT_NOP:
1305 opt++;
1306 break;
1307
1308 case IPOPT_SSRR:
1309 case IPOPT_LSRR:
1310 if (!string_format(p, pend-p, " %s [@%s",
1311 (*opt == IPOPT_SSRR)? "SSRR" : "LSRR",
1312 #if OPTSTYLE == 1
1313 inet_ntoa(*((struct in_addr *)(&(ipopt->faddr))))))
1314 #elif OPTSTYLE == 2
1315 inet_ntoa(ipopt->ip_dst)))
1316 #else
1317 inet_ntoa(ipopt->ipopt_dst)))
1318 #endif
1319 {
1320 opt = NULL;
1321 break;
1322 }
1323
1324 p += Ustrlen(p);
1325 optcount = (opt[1] - 3) / sizeof(struct in_addr);
1326 adptr = opt + 3;
1327 while (optcount-- > 0)
1328 {
1329 memcpy(&addr, adptr, sizeof(addr));
1330 if (!string_format(p, pend - p - 1, "%s%s",
1331 (optcount == 0)? ":" : "@", inet_ntoa(addr)))
1332 {
1333 opt = NULL;
1334 break;
1335 }
1336 p += Ustrlen(p);
1337 adptr += sizeof(struct in_addr);
1338 }
1339 *p++ = ']';
1340 opt += opt[1];
1341 break;
1342
1343 default:
1344 {
1345 int i;
1346 if (pend - p < 4 + 3*opt[1]) { opt = NULL; break; }
1347 Ustrcat(p, "[ ");
1348 p += 2;
1349 for (i = 0; i < opt[1]; i++)
1350 {
1351 sprintf(CS p, "%2.2x ", opt[i]);
1352 p += 3;
1353 }
1354 *p++ = ']';
1355 }
1356 opt += opt[1];
1357 break;
1358 }
1359 }
1360
1361 *p = 0;
1362 log_write(0, LOG_MAIN, "%s", big_buffer);
1363
1364 /* Refuse any call with IP options. This is what tcpwrappers 7.5 does. */
1365
1366 log_write(0, LOG_MAIN|LOG_REJECT,
1367 "connection from %s refused (IP options)", host_and_ident(FALSE));
1368
1369 smtp_printf("554 SMTP service not available\r\n");
1370 return FALSE;
1371 }
1372
1373 /* Length of options = 0 => there are no options */
1374
1375 else DEBUG(D_receive) debug_printf("no IP options found\n");
1376 }
1377 #endif /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
1378
1379 /* Set keep-alive in socket options. The option is on by default. This
1380 setting is an attempt to get rid of some hanging connections that stick in
1381 read() when the remote end (usually a dialup) goes away. */
1382
1383 if (smtp_accept_keepalive && !sender_host_notsocket)
1384 ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
1385
1386 /* If the current host matches host_lookup, set the name by doing a
1387 reverse lookup. On failure, sender_host_name will be NULL and
1388 host_lookup_failed will be TRUE. This may or may not be serious - optional
1389 checks later. */
1390
1391 if (verify_check_host(&host_lookup) == OK)
1392 {
1393 (void)host_name_lookup();
1394 host_build_sender_fullhost();
1395 }
1396
1397 /* Delay this until we have the full name, if it is looked up. */
1398
1399 set_process_info("handling incoming connection from %s",
1400 host_and_ident(FALSE));
1401
1402 /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
1403 smtps port for use with older style SSL MTAs. */
1404
1405 #ifdef SUPPORT_TLS
1406 if (tls_on_connect && tls_server_start(tls_require_ciphers) != OK)
1407 return FALSE;
1408 #endif
1409
1410 /* Test for explicit connection rejection */
1411
1412 if (verify_check_host(&host_reject_connection) == OK)
1413 {
1414 log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
1415 "from %s (host_reject_connection)", host_and_ident(FALSE));
1416 smtp_printf("554 SMTP service not available\r\n");
1417 return FALSE;
1418 }
1419
1420 /* Test with TCP Wrappers if so configured */
1421
1422 #ifdef USE_TCP_WRAPPERS
1423 if (!hosts_ctl("exim",
1424 (sender_host_name == NULL)? STRING_UNKNOWN : CS sender_host_name,
1425 (sender_host_address == NULL)? STRING_UNKNOWN : CS sender_host_address,
1426 (sender_ident == NULL)? STRING_UNKNOWN : CS sender_ident))
1427 {
1428 HDEBUG(D_receive) debug_printf("tcp wrappers rejection\n");
1429 log_write(L_connection_reject,
1430 LOG_MAIN|LOG_REJECT, "refused connection from %s "
1431 "(tcp wrappers)", host_and_ident(FALSE));
1432 smtp_printf("554 SMTP service not available\r\n");
1433 return FALSE;
1434 }
1435 #endif
1436
1437 /* Check for reserved slots. Note that the count value doesn't include
1438 this process, as it gets upped in the parent process. */
1439
1440 if (smtp_accept_max > 0 &&
1441 smtp_accept_count + 1 > smtp_accept_max - smtp_accept_reserve)
1442 {
1443 if ((rc = verify_check_host(&smtp_reserve_hosts)) != OK)
1444 {
1445 log_write(L_connection_reject,
1446 LOG_MAIN, "temporarily refused connection from %s: not in "
1447 "reserve list: connected=%d max=%d reserve=%d%s",
1448 host_and_ident(FALSE), smtp_accept_count, smtp_accept_max,
1449 smtp_accept_reserve, (rc == DEFER)? " (lookup deferred)" : "");
1450 smtp_printf("421 %s: Too many concurrent SMTP connections; "
1451 "please try again later\r\n", smtp_active_hostname);
1452 return FALSE;
1453 }
1454 reserved_host = TRUE;
1455 }
1456
1457 /* If a load level above which only messages from reserved hosts are
1458 accepted is set, check the load. For incoming calls via the daemon, the
1459 check is done in the superior process if there are no reserved hosts, to
1460 save a fork. In all cases, the load average will already be available
1461 in a global variable at this point. */
1462
1463 if (smtp_load_reserve >= 0 &&
1464 load_average > smtp_load_reserve &&
1465 !reserved_host &&
1466 verify_check_host(&smtp_reserve_hosts) != OK)
1467 {
1468 log_write(L_connection_reject,
1469 LOG_MAIN, "temporarily refused connection from %s: not in "
1470 "reserve list and load average = %.2f", host_and_ident(FALSE),
1471 (double)load_average/1000.0);
1472 smtp_printf("421 %s: Too much load; please try again later\r\n",
1473 smtp_active_hostname);
1474 return FALSE;
1475 }
1476
1477 /* Determine whether unqualified senders or recipients are permitted
1478 for this host. Unfortunately, we have to do this every time, in order to
1479 set the flags so that they can be inspected when considering qualifying
1480 addresses in the headers. For a site that permits no qualification, this
1481 won't take long, however. */
1482
1483 allow_unqualified_sender =
1484 verify_check_host(&sender_unqualified_hosts) == OK;
1485
1486 allow_unqualified_recipient =
1487 verify_check_host(&recipient_unqualified_hosts) == OK;
1488
1489 /* Determine whether HELO/EHLO is required for this host. The requirement
1490 can be hard or soft. */
1491
1492 helo_required = verify_check_host(&helo_verify_hosts) == OK;
1493 if (!helo_required)
1494 helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
1495
1496 /* Determine whether this hosts is permitted to send syntactic junk
1497 after a HELO or EHLO command. */
1498
1499 helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
1500 }
1501
1502/* For batch SMTP input we are now done. */
1503
1504if (smtp_batched_input) return TRUE;
1505
1506/* Run the ACL if it exists */
1507
1508if (acl_smtp_connect != NULL)
1509 {
1510 int rc;
1511 uschar *user_msg, *log_msg;
1512 smtp_data = US"in \"connect\" ACL"; /* For logged failure message */
1513 rc = acl_check(ACL_WHERE_CONNECT, US"", acl_smtp_connect, &user_msg,
1514 &log_msg);
1515 if (rc != OK)
1516 {
1517 (void)smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
1518 return FALSE;
1519 }
1520 }
1521
1522/* Output the initial message for a two-way SMTP connection. It may contain
1523newlines, which then cause a multi-line response to be given. */
1524
1525s = expand_string(smtp_banner);
1526if (s == NULL)
1527 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) "
1528 "failed: %s", smtp_banner, expand_string_message);
1529
1530/* Remove any terminating newlines; might as well remove trailing space too */
1531
1532p = s + Ustrlen(s);
1533while (p > s && isspace(p[-1])) p--;
1534*p = 0;
1535
1536/* It seems that CC:Mail is braindead, and assumes that the greeting message
1537is all contained in a single IP packet. The original code wrote out the
1538greeting using several calls to fprint/fputc, and on busy servers this could
1539cause it to be split over more than one packet - which caused CC:Mail to fall
1540over when it got the second part of the greeting after sending its first
1541command. Sigh. To try to avoid this, build the complete greeting message
1542first, and output it in one fell swoop. This gives a better chance of it
1543ending up as a single packet. */
1544
1545ss = store_get(size);
1546ptr = 0;
1547
1548p = s;
1549do /* At least once, in case we have an empty string */
1550 {
1551 int len;
1552 uschar *linebreak = Ustrchr(p, '\n');
1553 if (linebreak == NULL)
1554 {
1555 len = Ustrlen(p);
1556 ss = string_cat(ss, &size, &ptr, US"220 ", 4);
1557 }
1558 else
1559 {
1560 len = linebreak - p;
1561 ss = string_cat(ss, &size, &ptr, US"220-", 4);
1562 }
1563 ss = string_cat(ss, &size, &ptr, p, len);
1564 ss = string_cat(ss, &size, &ptr, US"\r\n", 2);
1565 p += len;
1566 if (linebreak != NULL) p++;
1567 }
1568while (*p != 0);
1569
1570ss[ptr] = 0; /* string_cat leaves room for this */
1571
1572/* Before we write the banner, check that there is no input pending, unless
1573this synchronisation check is disabled. */
1574
1575if (smtp_enforce_sync && sender_host_address != NULL && !sender_host_notsocket)
1576 {
1577 fd_set fds;
1578 struct timeval tzero;
1579 tzero.tv_sec = 0;
1580 tzero.tv_usec = 0;
1581 FD_ZERO(&fds);
1582 FD_SET(fileno(smtp_in), &fds);
1583 if (select(fileno(smtp_in) + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL,
1584 &tzero) > 0)
1585 {
1586 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
1587 "synchronization error (input sent without waiting for greeting): "
1588 "rejected connection from %s", host_and_ident(TRUE));
1589 smtp_printf("554 SMTP synchronization error\r\n");
1590 return FALSE;
1591 }
1592 }
1593
1594/* Now output the banner */
1595
1596smtp_printf("%s", ss);
1597return TRUE;
1598}
1599
1600
1601
1602
1603
1604/*************************************************
1605* Handle SMTP syntax and protocol errors *
1606*************************************************/
1607
1608/* Write to the log for SMTP syntax errors in incoming commands, if configured
1609to do so. Then transmit the error response. The return value depends on the
1610number of syntax and protocol errors in this SMTP session.
1611
1612Arguments:
1613 type error type, given as a log flag bit
1614 code response code; <= 0 means don't send a response
1615 data data to reflect in the response (can be NULL)
1616 errmess the error message
1617
1618Returns: -1 limit of syntax/protocol errors NOT exceeded
1619 +1 limit of syntax/protocol errors IS exceeded
1620
1621These values fit in with the values of the "done" variable in the main
1622processing loop in smtp_setup_msg(). */
1623
1624static int
1625synprot_error(int type, int code, uschar *data, uschar *errmess)
1626{
1627int yield = -1;
1628
1629log_write(type, LOG_MAIN, "SMTP %s error in \"%s\" %s %s",
1630 (type == L_smtp_syntax_error)? "syntax" : "protocol",
1631 string_printing(cmd_buffer), host_and_ident(TRUE), errmess);
1632
1633if (++synprot_error_count > smtp_max_synprot_errors)
1634 {
1635 yield = 1;
1636 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
1637 "syntax or protocol errors (last command was \"%s\")",
1638 host_and_ident(FALSE), cmd_buffer);
1639 }
1640
1641if (code > 0)
1642 {
1643 smtp_printf("%d%c%s%s%s\r\n", code, (yield == 1)? '-' : ' ',
1644 (data == NULL)? US"" : data, (data == NULL)? US"" : US": ", errmess);
1645 if (yield == 1)
1646 smtp_printf("%d Too many syntax or protocol errors\r\n", code);
1647 }
1648
1649return yield;
1650}
1651
1652
1653
1654
1655/*************************************************
1656* Log incomplete transactions *
1657*************************************************/
1658
1659/* This function is called after a transaction has been aborted by RSET, QUIT,
1660connection drops or other errors. It logs the envelope information received
1661so far in order to preserve address verification attempts.
1662
1663Argument: string to indicate what aborted the transaction
1664Returns: nothing
1665*/
1666
1667static void
1668incomplete_transaction_log(uschar *what)
1669{
1670if (sender_address == NULL || /* No transaction in progress */
1671 (log_write_selector & L_smtp_incomplete_transaction) == 0 /* Not logging */
1672 ) return;
1673
1674/* Build list of recipients for logging */
1675
1676if (recipients_count > 0)
1677 {
1678 int i;
1679 raw_recipients = store_get(recipients_count * sizeof(uschar *));
1680 for (i = 0; i < recipients_count; i++)
1681 raw_recipients[i] = recipients_list[i].address;
1682 raw_recipients_count = recipients_count;
1683 }
1684
1685log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
1686 "%s incomplete transaction (%s)", host_and_ident(TRUE), what);
1687}
1688
1689
1690
1691
1692/*************************************************
1693* Send SMTP response, possibly multiline *
1694*************************************************/
1695
1696/* There are, it seems, broken clients out there that cannot handle multiline
1697responses. If no_multiline_responses is TRUE (it can be set from an ACL), we
1698output nothing for non-final calls, and only the first line for anything else.
1699
1700Arguments:
1701 code SMTP code
1702 final FALSE if the last line isn't the final line
1703 msg message text, possibly containing newlines
1704
1705Returns: nothing
1706*/
1707
1708void
1709smtp_respond(int code, BOOL final, uschar *msg)
1710{
1711if (!final && no_multiline_responses) return;
1712
1713for (;;)
1714 {
1715 uschar *nl = Ustrchr(msg, '\n');
1716 if (nl == NULL)
1717 {
1718 smtp_printf("%d%c%s\r\n", code, final? ' ':'-', msg);
1719 return;
1720 }
1721 else if (nl[1] == 0 || no_multiline_responses)
1722 {
1723 smtp_printf("%d%c%.*s\r\n", code, final? ' ':'-', (int)(nl - msg), msg);
1724 return;
1725 }
1726 else
1727 {
1728 smtp_printf("%d-%.*s\r\n", code, (int)(nl - msg), msg);
1729 msg = nl + 1;
1730 while (isspace(*msg)) msg++;
1731 }
1732 }
1733}
1734
1735
1736
1737
1738/*************************************************
1739* Handle an ACL failure *
1740*************************************************/
1741
1742/* This function is called when acl_check() fails. As well as calls from within
1743this module, it is called from receive.c for an ACL after DATA. It sorts out
1744logging the incident, and sets up the error response. A message containing
1745newlines is turned into a multiline SMTP response, but for logging, only the
1746first line is used.
1747
1748There's a table of the response codes to use in globals.c, along with the table
1749of names. VFRY is special. Despite RFC1123 it defaults disabled in Exim.
1750However, discussion in connection with RFC 821bis (aka RFC 2821) has concluded
1751that the response should be 252 in the disabled state, because there are broken
1752clients that try VRFY before RCPT. A 5xx response should be given only when the
1753address is positively known to be undeliverable. Sigh. Also, for ETRN, 458 is
1754given on refusal, and for AUTH, 503.
1755
1756Arguments:
1757 where where the ACL was called from
1758 rc the failure code
1759 user_msg a message that can be included in an SMTP response
1760 log_msg a message for logging
1761
1762Returns: 0 in most cases
1763 2 if the failure code was FAIL_DROP, in which case the
1764 SMTP connection should be dropped (this value fits with the
1765 "done" variable in smtp_setup_msg() below)
1766*/
1767
1768int
1769smtp_handle_acl_fail(int where, int rc, uschar *user_msg, uschar *log_msg)
1770{
1771int code = acl_wherecodes[where];
1772BOOL drop = rc == FAIL_DROP;
1773uschar *lognl;
1774uschar *sender_info = US"";
1775uschar *what = (where == ACL_WHERE_PREDATA)? US"DATA" :
1776 (where == ACL_WHERE_DATA)? US"after DATA" :
1777 string_sprintf("%s %s", acl_wherenames[where], smtp_data);
1778
1779if (drop) rc = FAIL;
1780
1781/* We used to have sender_address here; however, there was a bug that was not
1782updating sender_address after a rewrite during a verify. When this bug was
1783fixed, sender_address at this point became the rewritten address. I'm not sure
1784this is what should be logged, so I've changed to logging the unrewritten
1785address to retain backward compatibility. */
1786
1787if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
1788 {
1789 sender_info = string_sprintf("F=<%s> ", (sender_address_unrewritten != NULL)?
1790 sender_address_unrewritten : sender_address);
1791 }
1792
1793/* If there's been a sender verification failure with a specific message, and
1794we have not sent a response about it yet, do so now, as a preliminary line for
1795failures, but not defers. However, log it in both cases. */
1796
1797if (sender_verified_failed != NULL &&
1798 !testflag(sender_verified_failed, af_sverify_told))
1799 {
1800 setflag(sender_verified_failed, af_sverify_told);
1801
1802 log_write(0, LOG_MAIN|LOG_REJECT, "%s sender verify %s for <%s>%s",
1803 host_and_ident(TRUE),
1804 ((sender_verified_failed->special_action & 255) == DEFER)? "defer" : "fail",
1805 sender_verified_failed->address,
1806 (sender_verified_failed->message == NULL)? US"" :
1807 string_sprintf(": %s", sender_verified_failed->message));
1808
1809 if (rc == FAIL && sender_verified_failed->user_message != NULL)
1810 smtp_respond(code, FALSE, string_sprintf(
1811 testflag(sender_verified_failed, af_verify_pmfail)?
1812 "Postmaster verification failed while checking <%s>\n%s\n"
1813 "Several RFCs state that you are required to have a postmaster\n"
1814 "mailbox for each mail domain. This host does not accept mail\n"
1815 "from domains whose servers reject the postmaster address."
1816 :
1817 testflag(sender_verified_failed, af_verify_nsfail)?
1818 "Callback setup failed while verifying <%s>\n%s\n"
1819 "The initial connection, or a HELO or MAIL FROM:<> command was\n"
1820 "rejected. Refusing MAIL FROM:<> does not help fight spam, disregards\n"
1821 "RFC requirements, and stops you from receiving standard bounce\n"
1822 "messages. This host does not accept mail from domains whose servers\n"
1823 "refuse bounces."
1824 :
1825 "Verification failed for <%s>\n%s",
1826 sender_verified_failed->address,
1827 sender_verified_failed->user_message));
1828 }
1829
1830/* Sort out text for logging */
1831
1832log_msg = (log_msg == NULL)? US"" : string_sprintf(": %s", log_msg);
1833lognl = Ustrchr(log_msg, '\n');
1834if (lognl != NULL) *lognl = 0;
1835
1836/* Send permanent failure response to the command, but the code used isn't
1837always a 5xx one - see comments at the start of this function. If the original
1838rc was FAIL_DROP we drop the connection and yield 2. */
1839
1840if (rc == FAIL) smtp_respond(code, TRUE, (user_msg == NULL)?
1841 US"Administrative prohibition" : user_msg);
1842
1843/* Send temporary failure response to the command. Don't give any details,
1844unless acl_temp_details is set. This is TRUE for a callout defer, a "defer"
1845verb, and for a header verify when smtp_return_error_details is set.
1846
1847This conditional logic is all somewhat of a mess because of the odd
1848interactions between temp_details and return_error_details. One day it should
1849be re-implemented in a tidier fashion. */
1850
1851else
1852 {
1853 if (acl_temp_details && user_msg != NULL)
1854 {
1855 if (smtp_return_error_details &&
1856 sender_verified_failed != NULL &&
1857 sender_verified_failed->message != NULL)
1858 {
1859 smtp_respond(451, FALSE, sender_verified_failed->message);
1860 }
1861 smtp_respond(451, TRUE, user_msg);
1862 }
1863 else
1864 smtp_printf("451 Temporary local problem - please try later\r\n");
1865 }
1866
1867/* Log the incident. If the connection is not forcibly to be dropped, return 0.
1868Otherwise, log why it is closing if required and return 2. */
1869
1870log_write(0, LOG_MAIN|LOG_REJECT, "%s %s%srejected %s%s",
1871 host_and_ident(TRUE),
1872 sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg);
1873
1874if (!drop) return 0;
1875
1876log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
1877 smtp_get_connection_info());
1878return 2;
1879}
1880
1881
1882
1883
1884/*************************************************
1885* Initialize for SMTP incoming message *
1886*************************************************/
1887
1888/* This function conducts the initial dialogue at the start of an incoming SMTP
1889message, and builds a list of recipients. However, if the incoming message
1890is part of a batch (-bS option) a separate function is called since it would
1891be messy having tests splattered about all over this function. This function
1892therefore handles the case where interaction is occurring. The input and output
1893files are set up in smtp_in and smtp_out.
1894
1895The global recipients_list is set to point to a vector of recipient_item
1896blocks, whose number is given by recipients_count. This is extended by the
1897receive_add_recipient() function. The global variable sender_address is set to
1898the sender's address. The yield is +1 if a message has been successfully
1899started, 0 if a QUIT command was encountered or the connection was refused from
1900the particular host, or -1 if the connection was lost.
1901
1902Argument: none
1903
1904Returns: > 0 message successfully started (reached DATA)
1905 = 0 QUIT read or end of file reached or call refused
1906 < 0 lost connection
1907*/
1908
1909int
1910smtp_setup_msg(void)
1911{
1912int done = 0;
1913BOOL toomany = FALSE;
1914BOOL discarded = FALSE;
1915BOOL last_was_rej_mail = FALSE;
1916BOOL last_was_rcpt = FALSE;
1917void *reset_point = store_get(0);
1918
1919DEBUG(D_receive) debug_printf("smtp_setup_msg entered\n");
1920
1921/* Reset for start of new message. We allow one RSET not to be counted as a
1922nonmail command, for those MTAs that insist on sending it between every
1923message. Ditto for EHLO/HELO and for STARTTLS, to allow for going in and out of
1924TLS between messages (an Exim client may do this if it has messages queued up
1925for the host). Note: we do NOT reset AUTH at this point. */
1926
1927smtp_reset(reset_point);
1928message_ended = END_NOTSTARTED;
1929
1930cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
1931cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
1932cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
1933#ifdef SUPPORT_TLS
1934cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
1935#endif
1936
1937/* Set the local signal handler for SIGTERM - it tries to end off tidily */
1938
1939os_non_restarting_signal(SIGTERM, command_sigterm_handler);
1940
1941/* Batched SMTP is handled in a different function. */
1942
1943if (smtp_batched_input) return smtp_setup_batch_msg();
1944
1945/* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
1946value. The values are 2 larger than the required yield of the function. */
1947
1948while (done <= 0)
1949 {
1950 uschar **argv;
1951 uschar *etrn_command;
1952 uschar *etrn_serialize_key;
1953 uschar *errmess;
1954 uschar *user_msg, *log_msg;
1955 uschar *recipient = NULL;
1956 uschar *hello = NULL;
1957 uschar *set_id = NULL;
1958 uschar *s, *ss;
1959 BOOL was_rej_mail = FALSE;
1960 BOOL was_rcpt = FALSE;
1961 void (*oldsignal)(int);
1962 pid_t pid;
1963 int start, end, sender_domain, recipient_domain;
1964 int ptr, size, rc;
1965 int c;
1966 auth_instance *au;
1967
1968 switch(smtp_read_command(TRUE))
1969 {
1970 /* The AUTH command is not permitted to occur inside a transaction, and may
1971 occur successfully only once per connection, and then only when we've
1972 advertised it. Actually, that isn't quite true. When TLS is started, all
1973 previous information about a connection must be discarded, so a new AUTH is
1974 permitted at that time.
1975
1976 AUTH is initially labelled as a "nonmail command" so that one occurrence
1977 doesn't get counted. We change the label here so that multiple failing
1978 AUTHS will eventually hit the nonmail threshold. */
1979
1980 case AUTH_CMD:
1981 authentication_failed = TRUE;
1982 cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
1983
1984 if (!auth_advertised)
1985 {
1986 done = synprot_error(L_smtp_protocol_error, 503, NULL,
1987 US"AUTH command used when not advertised");
1988 break;
1989 }
1990 if (sender_host_authenticated != NULL)
1991 {
1992 done = synprot_error(L_smtp_protocol_error, 503, NULL,
1993 US"already authenticated");
1994 break;
1995 }
1996 if (sender_address != NULL)
1997 {
1998 done = synprot_error(L_smtp_protocol_error, 503, NULL,
1999 US"not permitted in mail transaction");
2000 break;
2001 }
2002
2003 /* Check the ACL */
2004
2005 if (acl_smtp_auth != NULL)
2006 {
2007 rc = acl_check(ACL_WHERE_AUTH, smtp_data, acl_smtp_auth, &user_msg,
2008 &log_msg);
2009 if (rc != OK)
2010 {
2011 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
2012 break;
2013 }
2014 }
2015
2016 /* Find the name of the requested authentication mechanism. */
2017
2018 s = smtp_data;
2019 while ((c = *smtp_data) != 0 && !isspace(c))
2020 {
2021 if (!isalnum(c) && c != '-' && c != '_')
2022 {
2023 done = synprot_error(L_smtp_syntax_error, 501, NULL,
2024 US"invalid character in authentication mechanism name");
2025 goto COMMAND_LOOP;
2026 }
2027 smtp_data++;
2028 }
2029
2030 /* If not at the end of the line, we must be at white space. Terminate the
2031 name and move the pointer on to any data that may be present. */
2032
2033 if (*smtp_data != 0)
2034 {
2035 *smtp_data++ = 0;
2036 while (isspace(*smtp_data)) smtp_data++;
2037 }
2038
2039 /* Search for an authentication mechanism which is configured for use
2040 as a server and which has been advertised. */
2041
2042 for (au = auths; au != NULL; au = au->next)
2043 {
2044 if (strcmpic(s, au->public_name) == 0 && au->server &&
2045 au->advertised) break;
2046 }
2047
2048 if (au == NULL)
2049 {
2050 done = synprot_error(L_smtp_protocol_error, 504, NULL,
2051 string_sprintf("%s authentication mechanism not supported", s));
2052 break;
2053 }
2054
2055 /* Run the checking code, passing the remainder of the command
2056 line as data. Initialize $0 empty. The authenticator may set up
2057 other numeric variables. Afterwards, have a go at expanding the set_id
2058 string, even if authentication failed - for bad passwords it can be useful
2059 to log the userid. On success, require set_id to expand and exist, and
2060 put it in authenticated_id. Save this in permanent store, as the working
2061 store gets reset at HELO, RSET, etc. */
2062
2063 expand_nmax = 0;
2064 expand_nlength[0] = 0; /* $0 contains nothing */
2065
2066 c = (au->info->servercode)(au, smtp_data);
2067 if (au->set_id != NULL) set_id = expand_string(au->set_id);
2068 expand_nmax = -1; /* Reset numeric variables */
2069
2070 /* For the non-OK cases, set up additional logging data if set_id
2071 is not empty. */
2072
2073 if (c != OK)
2074 {
2075 if (set_id != NULL && *set_id != 0)
2076 set_id = string_sprintf(" (set_id=%s)", set_id);
2077 else set_id = US"";
2078 }
2079
2080 /* Switch on the result */
2081
2082 switch(c)
2083 {
2084 case OK:
2085 if (au->set_id == NULL || set_id != NULL) /* Complete success */
2086 {
2087 if (set_id != NULL) authenticated_id = string_copy_malloc(set_id);
2088 sender_host_authenticated = au->name;
2089 authentication_failed = FALSE;
2090 received_protocol =
2091 protocols[pextend + pauthed + ((tls_active >= 0)? pcrpted:0)] +
2092 ((sender_host_address != NULL)? pnlocal : 0);
2093 s = ss = US"235 Authentication succeeded";
2094 authenticated_by = au;
2095 break;
2096 }
2097
2098 /* Authentication succeeded, but we failed to expand the set_id string.
2099 Treat this as a temporary error. */
2100
2101 auth_defer_msg = expand_string_message;
2102 /* Fall through */
2103
2104 case DEFER:
2105 s = string_sprintf("435 Unable to authenticate at present%s",
2106 auth_defer_user_msg);
2107 ss = string_sprintf("435 Unable to authenticate at present%s: %s",
2108 set_id, auth_defer_msg);
2109 break;
2110
2111 case BAD64:
2112 s = ss = US"501 Invalid base64 data";
2113 break;
2114
2115 case CANCELLED:
2116 s = ss = US"501 Authentication cancelled";
2117 break;
2118
2119 case UNEXPECTED:
2120 s = ss = US"553 Initial data not expected";
2121 break;
2122
2123 case FAIL:
2124 s = US"535 Incorrect authentication data";
2125 ss = string_sprintf("535 Incorrect authentication data%s", set_id);
2126 break;
2127
2128 default:
2129 s = US"435 Internal error";
2130 ss = string_sprintf("435 Internal error%s: return %d from authentication "
2131 "check", set_id, c);
2132 break;
2133 }
2134
2135 smtp_printf("%s\r\n", s);
2136 if (c != OK)
2137 log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
2138 au->name, host_and_ident(FALSE), ss);
2139
2140 break; /* AUTH_CMD */
2141
2142 /* The HELO/EHLO commands are permitted to appear in the middle of a
2143 session as well as at the beginning. They have the effect of a reset in
2144 addition to their other functions. Their absence at the start cannot be
2145 taken to be an error.
2146
2147 RFC 2821 says:
2148
2149 If the EHLO command is not acceptable to the SMTP server, 501, 500,
2150 or 502 failure replies MUST be returned as appropriate. The SMTP
2151 server MUST stay in the same state after transmitting these replies
2152 that it was in before the EHLO was received.
2153
2154 Therefore, we do not do the reset until after checking the command for
2155 acceptability. This change was made for Exim release 4.11. Previously
2156 it did the reset first. */
2157
2158 case HELO_CMD:
2159 hello = US"HELO";
2160 esmtp = FALSE;
2161 goto HELO_EHLO;
2162
2163 case EHLO_CMD:
2164 hello = US"EHLO";
2165 esmtp = TRUE;
2166
2167 HELO_EHLO: /* Common code for HELO and EHLO */
2168 cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
2169 cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
2170
2171 /* Reject the HELO if its argument was invalid or non-existent. A
2172 successful check causes the argument to be saved in malloc store. */
2173
2174 if (!check_helo(smtp_data))
2175 {
2176 smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
2177
2178 log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
2179 "invalid argument(s): %s", hello, host_and_ident(FALSE),
2180 (*smtp_data == 0)? US"(no argument given)" :
2181 string_printing(smtp_data));
2182
2183 if (++synprot_error_count > smtp_max_synprot_errors)
2184 {
2185 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
2186 "syntax or protocol errors (last command was \"%s\")",
2187 host_and_ident(FALSE), cmd_buffer);
2188 done = 1;
2189 }
2190
2191 break;
2192 }
2193
2194 /* If sender_host_unknown is true, we have got here via the -bs interface,
2195 not called from inetd. Otherwise, we are running an IP connection and the
2196 host address will be set. If the helo name is the primary name of this
2197 host and we haven't done a reverse lookup, force one now. If helo_required
2198 is set, ensure that the HELO name matches the actual host. If helo_verify
2199 is set, do the same check, but softly. */
2200
2201 if (!sender_host_unknown)
2202 {
2203 BOOL old_helo_verified = helo_verified;
2204 uschar *p = smtp_data;
2205
2206 while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
2207 *p = 0;
2208
2209 /* Force a reverse lookup if HELO quoted something in helo_lookup_domains
2210 because otherwise the log can be confusing. */
2211
2212 if (sender_host_name == NULL &&
2213 (deliver_domain = sender_helo_name, /* set $domain */
2214 match_isinlist(sender_helo_name, &helo_lookup_domains, 0,
2215 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) == OK)
2216 (void)host_name_lookup();
2217
2218 /* Rebuild the fullhost info to include the HELO name (and the real name
2219 if it was looked up.) */
2220
2221 host_build_sender_fullhost(); /* Rebuild */
2222 set_process_info("handling%s incoming connection from %s",
2223 (tls_active >= 0)? " TLS" : "", host_and_ident(FALSE));
2224
2225 /* Verify if configured. This doesn't give much security, but it does
2226 make some people happy to be able to do it. Note that HELO is legitimately
2227 allowed to quote an address literal. Allow for IPv6 ::ffff: literals. */
2228
2229 helo_verified = FALSE;
2230 if (helo_required || helo_verify)
2231 {
2232 BOOL tempfail = FALSE;
2233
2234 HDEBUG(D_receive) debug_printf("verifying %s %s\n", hello,
2235 sender_helo_name);
2236 if (sender_helo_name[0] == '[')
2237 {
2238 helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
2239 Ustrlen(sender_host_address)) == 0;
2240
2241 #if HAVE_IPV6
2242 if (!helo_verified)
2243 {
2244 if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
2245 helo_verified = Ustrncmp(sender_helo_name + 1,
2246 sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
2247 }
2248 #endif
2249
2250 HDEBUG(D_receive)
2251 { if (helo_verified) debug_printf("matched host address\n"); }
2252 }
2253
2254 /* Do a reverse lookup if one hasn't already given a positive or
2255 negative response. If that fails, or the name doesn't match, try
2256 checking with a forward lookup. */
2257
2258 else
2259 {
2260 if (sender_host_name == NULL && !host_lookup_failed)
2261 tempfail = host_name_lookup() == DEFER;
2262
2263 /* If a host name is known, check it and all its aliases. */
2264
2265 if (sender_host_name != NULL)
2266 {
2267 helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0;
2268
2269 if (helo_verified)
2270 {
2271 HDEBUG(D_receive) debug_printf("matched host name\n");
2272 }
2273 else
2274 {
2275 uschar **aliases = sender_host_aliases;
2276 while (*aliases != NULL)
2277 {
2278 helo_verified = strcmpic(*aliases++, sender_helo_name) == 0;
2279 if (helo_verified) break;
2280 }
2281 HDEBUG(D_receive)
2282 {
2283 if (helo_verified)
2284 debug_printf("matched alias %s\n", *(--aliases));
2285 }
2286 }
2287 }
2288
2289 /* Final attempt: try a forward lookup of the helo name */
2290
2291 if (!helo_verified)
2292 {
2293 int rc;
2294 host_item h;
2295 h.name = sender_helo_name;
2296 h.address = NULL;
2297 h.mx = MX_NONE;
2298 h.next = NULL;
2299 HDEBUG(D_receive) debug_printf("getting IP address for %s\n",
2300 sender_helo_name);
2301 rc = host_find_byname(&h, NULL, NULL, TRUE);
2302 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
2303 {
2304 host_item *hh = &h;
2305 while (hh != NULL)
2306 {
2307 if (Ustrcmp(hh->address, sender_host_address) == 0)
2308 {
2309 helo_verified = TRUE;
2310 HDEBUG(D_receive)
2311 debug_printf("IP address for %s matches calling address\n",
2312 sender_helo_name);
2313 break;
2314 }
2315 hh = hh->next;
2316 }
2317 }
2318 }
2319 }
2320
2321 /* Verification failed. A temporary lookup failure gives a temporary
2322 error. */
2323
2324 if (!helo_verified)
2325 {
2326 if (helo_required)
2327 {
2328 smtp_printf("%d %s argument does not match calling host\r\n",
2329 tempfail? 451 : 550, hello);
2330 log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
2331 tempfail? "temporarily " : "",
2332 hello, sender_helo_name, host_and_ident(FALSE));
2333 helo_verified = old_helo_verified;
2334 break; /* End of HELO/EHLO processing */
2335 }
2336 HDEBUG(D_all) debug_printf("%s verification failed but host is in "
2337 "helo_try_verify_hosts\n", hello);
2338 }
2339 }
2340 }
2341
2342 /* Apply an ACL check if one is defined */
2343
2344 if (acl_smtp_helo != NULL)
2345 {
2346 rc = acl_check(ACL_WHERE_HELO, smtp_data, acl_smtp_helo, &user_msg,
2347 &log_msg);
2348 if (rc != OK)
2349 {
2350 done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
2351 sender_helo_name = NULL;
2352 host_build_sender_fullhost(); /* Rebuild */
2353 break;
2354 }
2355 }
2356
2357 /* The EHLO/HELO command is acceptable. Reset the protocol and the state,
2358 abandoning any previous message. */
2359
2360 received_protocol = (esmtp?
2361 protocols[pextend +
2362 ((sender_host_authenticated != NULL)? pauthed : 0) +
2363 ((tls_active >= 0)? pcrpted : 0)]
2364 :
2365 protocols[pnormal])
2366 +
2367 ((sender_host_address != NULL)? pnlocal : 0);
2368
2369 smtp_reset(reset_point);
2370 toomany = FALSE;
2371
2372 /* Generate an OK reply, including the ident if present, and also
2373 the IP address if present. Reflecting back the ident is intended
2374 as a deterrent to mail forgers. For maximum efficiency, and also
2375 because some broken systems expect each response to be in a single
2376 packet, arrange that it is sent in one write(). */
2377
2378 auth_advertised = FALSE;
2379 pipelining_advertised = FALSE;
2380 #ifdef SUPPORT_TLS
2381 tls_advertised = FALSE;
2382 #endif
2383
2384 s = string_sprintf("250 %s Hello %s%s%s",
2385 smtp_active_hostname,
2386 (sender_ident == NULL)? US"" : sender_ident,
2387 (sender_ident == NULL)? US"" : US" at ",
2388 (sender_host_name == NULL)? sender_helo_name : sender_host_name);
2389
2390 ptr = Ustrlen(s);
2391 size = ptr + 1;
2392
2393 if (sender_host_address != NULL)
2394 {
2395 s = string_cat(s, &size, &ptr, US" [", 2);
2396 s = string_cat(s, &size, &ptr, sender_host_address,
2397 Ustrlen(sender_host_address));
2398 s = string_cat(s, &size, &ptr, US"]", 1);
2399 }
2400
2401 s = string_cat(s, &size, &ptr, US"\r\n", 2);
2402
2403 /* If we received EHLO, we must create a multiline response which includes
2404 the functions supported. */
2405
2406 if (esmtp)
2407 {
2408 s[3] = '-';
2409
2410 /* I'm not entirely happy with this, as an MTA is supposed to check
2411 that it has enough room to accept a message of maximum size before
2412 it sends this. However, there seems little point in not sending it.
2413 The actual size check happens later at MAIL FROM time. By postponing it
2414 till then, VRFY and EXPN can be used after EHLO when space is short. */
2415
2416 if (thismessage_size_limit > 0)
2417 {
2418 sprintf(CS big_buffer, "250-SIZE %d\r\n", thismessage_size_limit);
2419 s = string_cat(s, &size, &ptr, big_buffer, Ustrlen(big_buffer));
2420 }
2421 else
2422 {
2423 s = string_cat(s, &size, &ptr, US"250-SIZE\r\n", 10);
2424 }
2425
2426 /* Exim does not do protocol conversion or data conversion. It is 8-bit
2427 clean; if it has an 8-bit character in its hand, it just sends it. It
2428 cannot therefore specify 8BITMIME and remain consistent with the RFCs.
2429 However, some users want this option simply in order to stop MUAs
2430 mangling messages that contain top-bit-set characters. It is therefore
2431 provided as an option. */
2432
2433 if (accept_8bitmime)
2434 s = string_cat(s, &size, &ptr, US"250-8BITMIME\r\n", 14);
2435
2436 /* Advertise ETRN if there's an ACL checking whether a host is
2437 permitted to issue it; a check is made when any host actually tries. */
2438
2439 if (acl_smtp_etrn != NULL)
2440 {
2441 s = string_cat(s, &size, &ptr, US"250-ETRN\r\n", 10);
2442 }
2443
2444 /* Advertise EXPN if there's an ACL checking whether a host is
2445 permitted to issue it; a check is made when any host actually tries. */
2446
2447 if (acl_smtp_expn != NULL)
2448 {
2449 s = string_cat(s, &size, &ptr, US"250-EXPN\r\n", 10);
2450 }
2451
2452 /* Exim is quite happy with pipelining, so let the other end know that
2453 it is safe to use it, unless advertising is disabled. */
2454
2455 if (verify_check_host(&pipelining_advertise_hosts) == OK)
2456 {
2457 s = string_cat(s, &size, &ptr, US"250-PIPELINING\r\n", 16);
2458 sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
2459 pipelining_advertised = TRUE;
2460 }
2461
2462 /* If any server authentication mechanisms are configured, advertise
2463 them if the current host is in auth_advertise_hosts. The problem with
2464 advertising always is that some clients then require users to
2465 authenticate (and aren't configurable otherwise) even though it may not
2466 be necessary (e.g. if the host is in host_accept_relay).
2467
2468 RFC 2222 states that SASL mechanism names contain only upper case
2469 letters, so output the names in upper case, though we actually recognize
2470 them in either case in the AUTH command. */
2471
2472 if (auths != NULL)
2473 {
2474 if (verify_check_host(&auth_advertise_hosts) == OK)
2475 {
2476 auth_instance *au;
2477 BOOL first = TRUE;
2478 for (au = auths; au != NULL; au = au->next)
2479 {
2480 if (au->server && (au->advertise_condition == NULL ||
2481 expand_check_condition(au->advertise_condition, au->name,
2482 US"authenticator")))
2483 {
2484 int saveptr;
2485 if (first)
2486 {
2487 s = string_cat(s, &size, &ptr, US"250-AUTH", 8);
2488 first = FALSE;
2489 auth_advertised = TRUE;
2490 }
2491 saveptr = ptr;
2492 s = string_cat(s, &size, &ptr, US" ", 1);
2493 s = string_cat(s, &size, &ptr, au->public_name,
2494 Ustrlen(au->public_name));
2495 while (++saveptr < ptr) s[saveptr] = toupper(s[saveptr]);
2496 au->advertised = TRUE;
2497 }
2498 else au->advertised = FALSE;
2499 }
2500 if (!first) s = string_cat(s, &size, &ptr, US"\r\n", 2);
2501 }
2502 }
2503
2504 /* Advertise TLS (Transport Level Security) aka SSL (Secure Socket Layer)
2505 if it has been included in the binary, and the host matches
2506 tls_advertise_hosts. We must *not* advertise if we are already in a
2507 secure connection. */
2508
2509 #ifdef SUPPORT_TLS
2510 if (tls_active < 0 &&
2511 verify_check_host(&tls_advertise_hosts) != FAIL)
2512 {
2513 s = string_cat(s, &size, &ptr, US"250-STARTTLS\r\n", 14);
2514 tls_advertised = TRUE;
2515 }
2516 #endif
2517
2518 /* Finish off the multiline reply with one that is always available. */
2519
2520 s = string_cat(s, &size, &ptr, US"250 HELP\r\n", 10);
2521 }
2522
2523 /* Terminate the string (for debug), write it, and note that HELO/EHLO
2524 has been seen. */
2525
2526 s[ptr] = 0;
2527
2528 #ifdef SUPPORT_TLS
2529 if (tls_active >= 0) (void)tls_write(s, ptr); else
2530 #endif
2531
2532 fwrite(s, 1, ptr, smtp_out);
2533 DEBUG(D_receive) debug_printf("SMTP>> %s", s);
2534 helo_seen = TRUE;
2535 break; /* HELO/EHLO */
2536
2537
2538 /* The MAIL command requires an address as an operand. All we do
2539 here is to parse it for syntactic correctness. The form "<>" is
2540 a special case which converts into an empty string. The start/end
2541 pointers in the original are not used further for this address, as
2542 it is the canonical extracted address which is all that is kept. */
2543
2544 case MAIL_CMD:
2545 smtp_mailcmd_count++; /* Count for limit and ratelimit */
2546 was_rej_mail = TRUE; /* Reset if accepted */
2547
2548 if (helo_required && !helo_seen)
2549 {
2550 smtp_printf("503 HELO or EHLO required\r\n");
2551 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL from %s: no "
2552 "HELO/EHLO given", host_and_ident(FALSE));
2553 break;
2554 }
2555
2556 if (sender_address != NULL)
2557 {
2558 done = synprot_error(L_smtp_protocol_error, 503, NULL,
2559 US"sender already given");
2560 break;
2561 }
2562
2563 if (smtp_data[0] == 0)
2564 {
2565 done = synprot_error(L_smtp_protocol_error, 501, NULL,
2566 US"MAIL must have an address operand");
2567 break;
2568 }
2569
2570 /* Check to see if the limit for messages per connection would be
2571 exceeded by accepting further messages. */
2572
2573 if (smtp_accept_max_per_connection > 0 &&
2574 smtp_mailcmd_count > smtp_accept_max_per_connection)
2575 {
2576 smtp_printf("421 too many messages in this connection\r\n");
2577 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL command %s: too many "
2578 "messages in one connection", host_and_ident(TRUE));
2579 break;
2580 }
2581
2582 /* Reset for start of message - even if this is going to fail, we
2583 obviously need to throw away any previous data. */
2584
2585 smtp_reset(reset_point);
2586 toomany = FALSE;
2587 sender_data = recipient_data = NULL;
2588
2589 /* Loop, checking for ESMTP additions to the MAIL FROM command. */
2590
2591 if (esmtp) for(;;)
2592 {
2593 uschar *name, *value, *end;
2594 unsigned long int size;
2595
2596 if (!extract_option(&name, &value)) break;
2597
2598 /* Handle SIZE= by reading the value. We don't do the check till later,
2599 in order to be able to log the sender address on failure. */
2600
2601 if (strcmpic(name, US"SIZE") == 0 &&
2602 ((size = (int)Ustrtoul(value, &end, 10)), *end == 0))
2603 {
2604 if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
2605 size = INT_MAX;
2606 message_size = (int)size;
2607 }
2608
2609 /* If this session was initiated with EHLO and accept_8bitmime is set,
2610 Exim will have indicated that it supports the BODY=8BITMIME option. In
2611 fact, it does not support this according to the RFCs, in that it does not
2612 take any special action for forwarding messages containing 8-bit
2613 characters. That is why accept_8bitmime is not the default setting, but
2614 some sites want the action that is provided. We recognize both "8BITMIME"
2615 and "7BIT" as body types, but take no action. */
2616
2617 else if (accept_8bitmime && strcmpic(name, US"BODY") == 0 &&
2618 (strcmpic(value, US"8BITMIME") == 0 ||
2619 strcmpic(value, US"7BIT") == 0)) {}
2620
2621 /* Handle the AUTH extension. If the value given is not "<>" and either
2622 the ACL says "yes" or there is no ACL but the sending host is
2623 authenticated, we set it up as the authenticated sender. However, if the
2624 authenticator set a condition to be tested, we ignore AUTH on MAIL unless
2625 the condition is met. The value of AUTH is an xtext, which means that +,
2626 = and cntrl chars are coded in hex; however "<>" is unaffected by this
2627 coding. */
2628
2629 else if (strcmpic(name, US"AUTH") == 0)
2630 {
2631 if (Ustrcmp(value, "<>") != 0)
2632 {
2633 int rc;
2634 uschar *ignore_msg;
2635
2636 if (auth_xtextdecode(value, &authenticated_sender) < 0)
2637 {
2638 /* Put back terminator overrides for error message */
2639 name[-1] = ' ';
2640 value[-1] = '=';
2641 done = synprot_error(L_smtp_syntax_error, 501, NULL,
2642 US"invalid data for AUTH");
2643 goto COMMAND_LOOP;
2644 }
2645
2646 if (acl_smtp_mailauth == NULL)
2647 {
2648 ignore_msg = US"client not authenticated";
2649 rc = (sender_host_authenticated != NULL)? OK : FAIL;
2650 }
2651 else
2652 {
2653 ignore_msg = US"rejected by ACL";
2654 rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
2655 &user_msg, &log_msg);
2656 }
2657
2658 switch (rc)
2659 {
2660 case OK:
2661 if (authenticated_by == NULL ||
2662 authenticated_by->mail_auth_condition == NULL ||
2663 expand_check_condition(authenticated_by->mail_auth_condition,
2664 authenticated_by->name, US"authenticator"))
2665 break; /* Accept the AUTH */
2666
2667 ignore_msg = US"server_mail_auth_condition failed";
2668 if (authenticated_id != NULL)
2669 ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
2670 ignore_msg, authenticated_id);
2671
2672 /* Fall through */
2673
2674 case FAIL:
2675 authenticated_sender = NULL;
2676 log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
2677 value, host_and_ident(TRUE), ignore_msg);
2678 break;
2679
2680 /* Should only get DEFER or ERROR here. Put back terminator
2681 overrides for error message */
2682
2683 default:
2684 name[-1] = ' ';
2685 value[-1] = '=';
2686 (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
2687 log_msg);
2688 goto COMMAND_LOOP;
2689 }
2690 }
2691 }
2692
2693 /* Unknown option. Stick back the terminator characters and break
2694 the loop. An error for a malformed address will occur. */
2695
2696 else
2697 {
2698 name[-1] = ' ';
2699 value[-1] = '=';
2700 break;
2701 }
2702 }
2703
2704 /* If we have passed the threshold for rate limiting, apply the current
2705 delay, and update it for next time, provided this is a limited host. */
2706
2707 if (smtp_mailcmd_count > smtp_rlm_threshold &&
2708 verify_check_host(&smtp_ratelimit_hosts) == OK)
2709 {
2710 DEBUG(D_receive) debug_printf("rate limit MAIL: delay %.3g sec\n",
2711 smtp_delay_mail/1000.0);
2712 millisleep((int)smtp_delay_mail);
2713 smtp_delay_mail *= smtp_rlm_factor;
2714 if (smtp_delay_mail > (double)smtp_rlm_limit)
2715 smtp_delay_mail = (double)smtp_rlm_limit;
2716 }
2717
2718 /* Now extract the address, first applying any SMTP-time rewriting. The
2719 TRUE flag allows "<>" as a sender address. */
2720
2721 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
2722 rewrite_one(smtp_data, rewrite_smtp, NULL, FALSE, US"",
2723 global_rewrite_rules) : smtp_data;
2724
2725 /* rfc821_domains = TRUE; << no longer needed */
2726 raw_sender =
2727 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
2728 TRUE);
2729 /* rfc821_domains = FALSE; << no longer needed */
2730
2731 if (raw_sender == NULL)
2732 {
2733 done = synprot_error(L_smtp_syntax_error, 501, smtp_data, errmess);
2734 break;
2735 }
2736
2737 sender_address = raw_sender;
2738
2739 /* If there is a configured size limit for mail, check that this message
2740 doesn't exceed it. The check is postponed to this point so that the sender
2741 can be logged. */
2742
2743 if (thismessage_size_limit > 0 && message_size > thismessage_size_limit)
2744 {
2745 smtp_printf("552 Message size exceeds maximum permitted\r\n");
2746 log_write(L_size_reject,
2747 LOG_MAIN|LOG_REJECT, "rejected MAIL FROM:<%s> %s: "
2748 "message too big: size%s=%d max=%d",
2749 sender_address,
2750 host_and_ident(TRUE),
2751 (message_size == INT_MAX)? ">" : "",
2752 message_size,
2753 thismessage_size_limit);
2754 sender_address = NULL;
2755 break;
2756 }
2757
2758 /* Check there is enough space on the disk unless configured not to.
2759 When smtp_check_spool_space is set, the check is for thismessage_size_limit
2760 plus the current message - i.e. we accept the message only if it won't
2761 reduce the space below the threshold. Add 5000 to the size to allow for
2762 overheads such as the Received: line and storing of recipients, etc.
2763 By putting the check here, even when SIZE is not given, it allow VRFY
2764 and EXPN etc. to be used when space is short. */
2765
2766 if (!receive_check_fs(
2767 (smtp_check_spool_space && message_size >= 0)?
2768 message_size + 5000 : 0))
2769 {
2770 smtp_printf("452 Space shortage, please try later\r\n");
2771 sender_address = NULL;
2772 break;
2773 }
2774
2775 /* If sender_address is unqualified, reject it, unless this is a locally
2776 generated message, or the sending host or net is permitted to send
2777 unqualified addresses - typically local machines behaving as MUAs -
2778 in which case just qualify the address. The flag is set above at the start
2779 of the SMTP connection. */
2780
2781 if (sender_domain == 0 && sender_address[0] != 0)
2782 {
2783 if (allow_unqualified_sender)
2784 {
2785 sender_domain = Ustrlen(sender_address) + 1;
2786 sender_address = rewrite_address_qualify(sender_address, FALSE);
2787 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
2788 raw_sender);
2789 }
2790 else
2791 {
2792 smtp_printf("501 %s: sender address must contain a domain\r\n",
2793 smtp_data);
2794 log_write(L_smtp_syntax_error,
2795 LOG_MAIN|LOG_REJECT,
2796 "unqualified sender rejected: <%s> %s%s",
2797 raw_sender,
2798 host_and_ident(TRUE),
2799 host_lookup_msg);
2800 sender_address = NULL;
2801 break;
2802 }
2803 }
2804
2805 /* Apply an ACL check if one is defined, before responding */
2806
2807 rc = (acl_smtp_mail == NULL)? OK :
2808 acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
2809
2810 if (rc == OK || rc == DISCARD)
2811 {
2812 smtp_printf("250 OK\r\n");
2813 smtp_delay_rcpt = smtp_rlr_base;
2814 recipients_discarded = (rc == DISCARD);
2815 was_rej_mail = FALSE;
2816 }
2817
2818 else
2819 {
2820 done = smtp_handle_acl_fail(ACL_WHERE_MAIL, rc, user_msg, log_msg);
2821 sender_address = NULL;
2822 }
2823 break;
2824
2825
2826 /* The RCPT command requires an address as an operand. All we do
2827 here is to parse it for syntactic correctness. There may be any number
2828 of RCPT commands, specifying multiple senders. We build them all into
2829 a data structure that is in argc/argv format. The start/end values
2830 given by parse_extract_address are not used, as we keep only the
2831 extracted address. */
2832
2833 case RCPT_CMD:
2834 rcpt_count++;
2835 was_rcpt = TRUE;
2836
2837 /* There must be a sender address; if the sender was rejected and
2838 pipelining was advertised, we assume the client was pipelining, and do not
2839 count this as a protocol error. Reset was_rej_mail so that further RCPTs
2840 get the same treatment. */
2841
2842 if (sender_address == NULL)
2843 {
2844 if (pipelining_advertised && last_was_rej_mail)
2845 {
2846 smtp_printf("503 sender not yet given\r\n");
2847 was_rej_mail = TRUE;
2848 }
2849 else
2850 {
2851 done = synprot_error(L_smtp_protocol_error, 503, NULL,
2852 US"sender not yet given");
2853 was_rcpt = FALSE; /* Not a valid RCPT */
2854 }
2855 rcpt_fail_count++;
2856 break;
2857 }
2858
2859 /* Check for an operand */
2860
2861 if (smtp_data[0] == 0)
2862 {
2863 done = synprot_error(L_smtp_syntax_error, 501, NULL,
2864 US"RCPT must have an address operand");
2865 rcpt_fail_count++;
2866 break;
2867 }
2868
2869 /* Apply SMTP rewriting then extract the working address. Don't allow "<>"
2870 as a recipient address */
2871
2872 recipient = ((rewrite_existflags & rewrite_smtp) != 0)?
2873 rewrite_one(smtp_data, rewrite_smtp, NULL, FALSE, US"",
2874 global_rewrite_rules) : smtp_data;
2875
2876 /* rfc821_domains = TRUE; << no longer needed */
2877 recipient = parse_extract_address(recipient, &errmess, &start, &end,
2878 &recipient_domain, FALSE);
2879 /* rfc821_domains = FALSE; << no longer needed */
2880
2881 if (recipient == NULL)
2882 {
2883 done = synprot_error(L_smtp_syntax_error, 501, smtp_data, errmess);
2884 rcpt_fail_count++;
2885 break;
2886 }
2887
2888 /* If the recipient address is unqualified, reject it, unless this is a
2889 locally generated message. However, unqualified addresses are permitted
2890 from a configured list of hosts and nets - typically when behaving as
2891 MUAs rather than MTAs. Sad that SMTP is used for both types of traffic,
2892 really. The flag is set at the start of the SMTP connection.
2893
2894 RFC 1123 talks about supporting "the reserved mailbox postmaster"; I always
2895 assumed this meant "reserved local part", but the revision of RFC 821 and
2896 friends now makes it absolutely clear that it means *mailbox*. Consequently
2897 we must always qualify this address, regardless. */
2898
2899 if (recipient_domain == 0)
2900 {
2901 if (allow_unqualified_recipient ||
2902 strcmpic(recipient, US"postmaster") == 0)
2903 {
2904 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
2905 recipient);
2906 recipient_domain = Ustrlen(recipient) + 1;
2907 recipient = rewrite_address_qualify(recipient, TRUE);
2908 }
2909 else
2910 {
2911 rcpt_fail_count++;
2912 smtp_printf("501 %s: recipient address must contain a domain\r\n",
2913 smtp_data);
2914 log_write(L_smtp_syntax_error,
2915 LOG_MAIN|LOG_REJECT, "unqualified recipient rejected: "
2916 "<%s> %s%s", recipient, host_and_ident(TRUE),
2917 host_lookup_msg);
2918 break;
2919 }
2920 }
2921
2922 /* Check maximum allowed */
2923
2924 if (rcpt_count > recipients_max && recipients_max > 0)
2925 {
2926 if (recipients_max_reject)
2927 {
2928 rcpt_fail_count++;
2929 smtp_printf("552 too many recipients\r\n");
2930 if (!toomany)
2931 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: message "
2932 "rejected: sender=<%s> %s", sender_address, host_and_ident(TRUE));
2933 }
2934 else
2935 {
2936 rcpt_defer_count++;
2937 smtp_printf("452 too many recipients\r\n");
2938 if (!toomany)
2939 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: excess "
2940 "temporarily rejected: sender=<%s> %s", sender_address,
2941 host_and_ident(TRUE));
2942 }
2943
2944 toomany = TRUE;
2945 break;
2946 }
2947
2948 /* If we have passed the threshold for rate limiting, apply the current
2949 delay, and update it for next time, provided this is a limited host. */
2950
2951 if (rcpt_count > smtp_rlr_threshold &&
2952 verify_check_host(&smtp_ratelimit_hosts) == OK)
2953 {
2954 DEBUG(D_receive) debug_printf("rate limit RCPT: delay %.3g sec\n",
2955 smtp_delay_rcpt/1000.0);
2956 millisleep((int)smtp_delay_rcpt);
2957 smtp_delay_rcpt *= smtp_rlr_factor;
2958 if (smtp_delay_rcpt > (double)smtp_rlr_limit)
2959 smtp_delay_rcpt = (double)smtp_rlr_limit;
2960 }
2961
2962 /* If the MAIL ACL discarded all the recipients, we bypass ACL checking
2963 for them. Otherwise, check the access control list for this recipient. */
2964
2965 rc = recipients_discarded? DISCARD :
2966 acl_check(ACL_WHERE_RCPT, recipient, acl_smtp_rcpt, &user_msg, &log_msg);
2967
2968 /* The ACL was happy */
2969
2970 if (rc == OK)
2971 {
2972 smtp_printf("250 Accepted\r\n");
2973 receive_add_recipient(recipient, -1);
2974 }
2975
2976 /* The recipient was discarded */
2977
2978 else if (rc == DISCARD)
2979 {
2980 smtp_printf("250 Accepted\r\n");
2981 rcpt_fail_count++;
2982 discarded = TRUE;
2983 log_write(0, LOG_MAIN|LOG_REJECT, "%s F=<%s> rejected RCPT %s: "
2984 "discarded by %s ACL%s%s", host_and_ident(TRUE),
2985 (sender_address_unrewritten != NULL)?
2986 sender_address_unrewritten : sender_address,
2987 smtp_data, recipients_discarded? "MAIL" : "RCPT",
2988 (log_msg == NULL)? US"" : US": ",
2989 (log_msg == NULL)? US"" : log_msg);
2990 }
2991
2992 /* Either the ACL failed the address, or it was deferred. */
2993
2994 else
2995 {
2996 if (rc == FAIL) rcpt_fail_count++; else rcpt_defer_count++;
2997 done = smtp_handle_acl_fail(ACL_WHERE_RCPT, rc, user_msg, log_msg);
2998 }
2999 break;
3000
3001
3002 /* The DATA command is legal only if it follows successful MAIL FROM
3003 and RCPT TO commands. However, if pipelining is advertised, a bad DATA is
3004 not counted as a protocol error if it follows RCPT (which must have been
3005 rejected if there are no recipients.) This function is complete when a
3006 valid DATA command is encountered.
3007
3008 Note concerning the code used: RFC 2821 says this:
3009
3010 - If there was no MAIL, or no RCPT, command, or all such commands
3011 were rejected, the server MAY return a "command out of sequence"
3012 (503) or "no valid recipients" (554) reply in response to the
3013 DATA command.
3014
3015 The example in the pipelining RFC 2920 uses 554, but I use 503 here
3016 because it is the same whether pipelining is in use or not. */
3017
3018 case DATA_CMD:
3019 if (!discarded && recipients_count <= 0)
3020 {
3021 if (pipelining_advertised && last_was_rcpt)
3022 smtp_printf("503 valid RCPT command must precede DATA\r\n");
3023 else
3024 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3025 US"valid RCPT command must precede DATA");
3026 break;
3027 }
3028
3029 if (toomany && recipients_max_reject)
3030 {
3031 sender_address = NULL; /* This will allow a new MAIL without RSET */
3032 sender_address_unrewritten = NULL;
3033 smtp_printf("554 Too many recipients\r\n");
3034 break;
3035 }
5be20824
PH		 3036
3037 if (acl_smtp_predata == NULL) rc = OK; else
3038 {
3039 enable_dollar_recipients = TRUE;
3040 rc = acl_check(ACL_WHERE_PREDATA, NULL, acl_smtp_predata, &user_msg,
3041 &log_msg);
3042 enable_dollar_recipients = FALSE;
3043 }
059ec3d9
PH		 3044
3045 if (rc == OK)
3046 {
3047 smtp_printf("354 Enter message, ending with \".\" on a line by itself\r\n");
3048 done = 3;
3049 message_ended = END_NOTENDED; /* Indicate in middle of data */
3050 }
3051
3052 /* Either the ACL failed the address, or it was deferred. */
3053
3054 else
3055 done = smtp_handle_acl_fail(ACL_WHERE_PREDATA, rc, user_msg, log_msg);
3056
3057 break;
3058
3059
3060 case VRFY_CMD:
3061 rc = acl_check(ACL_WHERE_VRFY, smtp_data, acl_smtp_vrfy, &user_msg,
3062 &log_msg);
3063 if (rc != OK)
3064 done = smtp_handle_acl_fail(ACL_WHERE_VRFY, rc, user_msg, log_msg);
3065 else
3066 {
3067 uschar *address;
3068 uschar *s = NULL;
3069
3070 /* rfc821_domains = TRUE; << no longer needed */
3071 address = parse_extract_address(smtp_data, &errmess, &start, &end,
3072 &recipient_domain, FALSE);
3073 /* rfc821_domains = FALSE; << no longer needed */
3074
3075 if (address == NULL)
3076 s = string_sprintf("501 %s", errmess);
3077 else
3078 {
3079 address_item *addr = deliver_make_addr(address, FALSE);
3080 switch(verify_address(addr, NULL, vopt_is_recipient | vopt_qualify, -1,
4deaf07d 3081 -1, -1, NULL, NULL, NULL))
059ec3d9
PH		 3082 {
3083 case OK:
3084 s = string_sprintf("250 <%s> is deliverable", address);
3085 break;
3086
3087 case DEFER:
3088 s = (addr->message != NULL)?
3089 string_sprintf("451 <%s> %s", address, addr->message) :
3090 string_sprintf("451 Cannot resolve <%s> at this time", address);
3091 break;
3092
3093 case FAIL:
3094 s = (addr->message != NULL)?
3095 string_sprintf("550 <%s> %s", address, addr->message) :
3096 string_sprintf("550 <%s> is not deliverable", address);
3097 log_write(0, LOG_MAIN, "VRFY failed for %s %s",
3098 smtp_data, host_and_ident(TRUE));
3099 break;
3100 }
3101 }
3102
3103 smtp_printf("%s\r\n", s);
3104 }
3105 break;
3106
3107
3108 case EXPN_CMD:
3109 rc = acl_check(ACL_WHERE_EXPN, smtp_data, acl_smtp_expn, &user_msg,
3110 &log_msg);
3111 if (rc != OK)
3112 done = smtp_handle_acl_fail(ACL_WHERE_EXPN, rc, user_msg, log_msg);
3113 else
3114 {
3115 BOOL save_log_testing_mode = log_testing_mode;
3116 address_test_mode = log_testing_mode = TRUE;
3117 (void) verify_address(deliver_make_addr(smtp_data, FALSE), smtp_out,
4deaf07d
PH		 3118 vopt_is_recipient | vopt_qualify | vopt_expn, -1, -1, -1, NULL, NULL,
3119 NULL);
059ec3d9
PH		 3120 address_test_mode = FALSE;
3121 log_testing_mode = save_log_testing_mode; /* true for -bh */
3122 }
3123 break;
3124
3125
3126 #ifdef SUPPORT_TLS
3127
3128 case STARTTLS_CMD:
3129 if (!tls_advertised)
3130 {
3131 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3132 US"STARTTLS command used when not advertised");
3133 break;
3134 }
3135
3136 /* Apply an ACL check if one is defined */
3137
3138 if (acl_smtp_starttls != NULL)
3139 {
3140 rc = acl_check(ACL_WHERE_STARTTLS, NULL, acl_smtp_starttls, &user_msg,
3141 &log_msg);
3142 if (rc != OK)
3143 {
3144 done = smtp_handle_acl_fail(ACL_WHERE_STARTTLS, rc, user_msg, log_msg);
3145 break;
3146 }
3147 }
3148
3149 /* RFC 2487 is not clear on when this command may be sent, though it
3150 does state that all information previously obtained from the client
3151 must be discarded if a TLS session is started. It seems reasonble to
3152 do an implied RSET when STARTTLS is received. */
3153
3154 incomplete_transaction_log(US"STARTTLS");
3155 smtp_reset(reset_point);
3156 toomany = FALSE;
3157 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
3158
3159 /* Attempt to start up a TLS session, and if successful, discard all
3160 knowledge that was obtained previously. At least, that's what the RFC says,
3161 and that's what happens by default. However, in order to work round YAEB,
3162 there is an option to remember the esmtp state. Sigh.
3163
3164 We must allow for an extra EHLO command and an extra AUTH command after
3165 STARTTLS that don't add to the nonmail command count. */
3166
3167 if ((rc = tls_server_start(tls_require_ciphers)) == OK)
3168 {
3169 if (!tls_remember_esmtp)
3170 helo_seen = esmtp = auth_advertised = pipelining_advertised = FALSE;
3171 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
3172 cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
3173 if (sender_helo_name != NULL)
3174 {
3175 store_free(sender_helo_name);
3176 sender_helo_name = NULL;
3177 host_build_sender_fullhost(); /* Rebuild */
3178 set_process_info("handling incoming TLS connection from %s",
3179 host_and_ident(FALSE));
3180 }
3181 received_protocol = (esmtp?
3182 protocols[pextend + pcrpted +
3183 ((sender_host_authenticated != NULL)? pauthed : 0)]
3184 :
3185 protocols[pnormal])
3186 +
3187 ((sender_host_address != NULL)? pnlocal : 0);
3188
3189 sender_host_authenticated = NULL;
3190 authenticated_id = NULL;
3191 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
3192 DEBUG(D_tls) debug_printf("TLS active\n");
3193 break; /* Successful STARTTLS */
3194 }
3195
3196 /* Some local configuration problem was discovered before actually trying
3197 to do a TLS handshake; give a temporary error. */
3198
3199 else if (rc == DEFER)
3200 {
3201 smtp_printf("454 TLS currently unavailable\r\n");
3202 break;
3203 }
3204
3205 /* Hard failure. Reject everything except QUIT or closed connection. One
3206 cause for failure is a nested STARTTLS, in which case tls_active remains
3207 set, but we must still reject all incoming commands. */
3208
3209 DEBUG(D_tls) debug_printf("TLS failed to start\n");
3210 while (done <= 0)
3211 {
3212 switch(smtp_read_command(FALSE))
3213 {
3214 case EOF_CMD:
3215 log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
3216 smtp_get_connection_info());
3217 done = 2;
3218 break;
3219
3220 case QUIT_CMD:
3221 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
3222 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
3223 smtp_get_connection_info());
3224 done = 2;
3225 break;
3226
3227 default:
3228 smtp_printf("554 Security failure\r\n");
3229 break;
3230 }
3231 }
3232 tls_close(TRUE);
3233 break;
3234 #endif
3235
3236
3237 /* The ACL for QUIT is provided for gathering statistical information or
3238 similar; it does not affect the response code, but it can supply a custom
3239 message. */
3240
3241 case QUIT_CMD:
3242 incomplete_transaction_log(US"QUIT");
3243
3244 if (acl_smtp_quit != NULL)
3245 {
3246 rc = acl_check(ACL_WHERE_QUIT, US"", acl_smtp_quit,&user_msg,&log_msg);
3247 if (rc == ERROR)
3248 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
3249 log_msg);
3250 }
3251 else user_msg = NULL;
3252
3253 if (user_msg == NULL)
3254 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
3255 else
3256 smtp_printf("221 %s\r\n", user_msg);
3257
3258 #ifdef SUPPORT_TLS
3259 tls_close(TRUE);
3260 #endif
3261
3262 done = 2;
3263 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
3264 smtp_get_connection_info());
3265 break;
3266
3267
3268 case RSET_CMD:
3269 incomplete_transaction_log(US"RSET");
3270 smtp_reset(reset_point);
3271 toomany = FALSE;
3272 smtp_printf("250 Reset OK\r\n");
3273 cmd_list[CMD_LIST_RSET].is_mail_cmd = FALSE;
3274 break;
3275
3276
3277 case NOOP_CMD:
3278 smtp_printf("250 OK\r\n");
3279 break;
3280
3281
3282 /* Show ETRN/EXPN/VRFY if there's
3283 an ACL for checking hosts; if actually used, a check will be done for
3284 permitted hosts. */
3285
3286 case HELP_CMD:
3287 smtp_printf("214-Commands supported:\r\n");
3288 {
3289 uschar buffer[256];
3290 buffer[0] = 0;
3291 Ustrcat(buffer, " AUTH");
3292 #ifdef SUPPORT_TLS
3293 Ustrcat(buffer, " STARTTLS");
3294 #endif
3295 Ustrcat(buffer, " HELO EHLO MAIL RCPT DATA");
3296 Ustrcat(buffer, " NOOP QUIT RSET HELP");
3297 if (acl_smtp_etrn != NULL) Ustrcat(buffer, " ETRN");
3298 if (acl_smtp_expn != NULL) Ustrcat(buffer, " EXPN");
3299 if (acl_smtp_vrfy != NULL) Ustrcat(buffer, " VRFY");
3300 smtp_printf("214%s\r\n", buffer);
3301 }
3302 break;
3303
3304
3305 case EOF_CMD:
3306 incomplete_transaction_log(US"connection lost");
3307 smtp_printf("421 %s lost input connection\r\n", smtp_active_hostname);
3308
3309 /* Don't log by default unless in the middle of a message, as some mailers
3310 just drop the call rather than sending QUIT, and it clutters up the logs.
3311 */
3312
3313 if (sender_address != NULL || recipients_count > 0)
3314 log_write(L_lost_incoming_connection,
3315 LOG_MAIN,
3316 "unexpected %s while reading SMTP command from %s%s",
3317 sender_host_unknown? "EOF" : "disconnection",
3318 host_and_ident(FALSE), smtp_read_error);
3319
3320 else log_write(L_smtp_connection, LOG_MAIN, "%s lost%s",
3321 smtp_get_connection_info(), smtp_read_error);
3322
3323 done = 1;
3324 break;
3325
3326
3327 case ETRN_CMD:
3328 if (sender_address != NULL)
3329 {
3330 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3331 US"ETRN is not permitted inside a transaction");
3332 break;
3333 }
3334
3335 log_write(L_etrn, LOG_MAIN, "ETRN %s received from %s", smtp_data,
3336 host_and_ident(FALSE));
3337
3338 rc = acl_check(ACL_WHERE_ETRN, smtp_data, acl_smtp_etrn, &user_msg,
3339 &log_msg);
3340 if (rc != OK)
3341 {
3342 done = smtp_handle_acl_fail(ACL_WHERE_ETRN, rc, user_msg, log_msg);
3343 break;
3344 }
3345
3346 /* Compute the serialization key for this command. */
3347
3348 etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_data);
3349
3350 /* If a command has been specified for running as a result of ETRN, we
3351 permit any argument to ETRN. If not, only the # standard form is permitted,
3352 since that is strictly the only kind of ETRN that can be implemented
3353 according to the RFC. */
3354
3355 if (smtp_etrn_command != NULL)
3356 {
3357 uschar *error;
3358 BOOL rc;
3359 etrn_command = smtp_etrn_command;
3360 deliver_domain = smtp_data;
3361 rc = transport_set_up_command(&argv, smtp_etrn_command, TRUE, 0, NULL,
3362 US"ETRN processing", &error);
3363 deliver_domain = NULL;
3364 if (!rc)
3365 {
3366 log_write(0, LOG_MAIN|LOG_PANIC, "failed to set up ETRN command: %s",
3367 error);
3368 smtp_printf("458 Internal failure\r\n");
3369 break;
3370 }
3371 }
3372
3373 /* Else set up to call Exim with the -R option. */
3374
3375 else
3376 {
3377 if (*smtp_data++ != '#')
3378 {
3379 done = synprot_error(L_smtp_syntax_error, 501, NULL,
3380 US"argument must begin with #");
3381 break;
3382 }
3383 etrn_command = US"exim -R";
3384 argv = child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE, 2, US"-R",
3385 smtp_data);
3386 }
3387
3388 /* If we are host-testing, don't actually do anything. */
3389
3390 if (host_checking)
3391 {
3392 HDEBUG(D_any)
3393 {
3394 debug_printf("ETRN command is: %s\n", etrn_command);
3395 debug_printf("ETRN command execution skipped\n");
3396 }
3397 smtp_printf("250 OK\r\n");
3398 break;
3399 }
3400
3401
3402 /* If ETRN queue runs are to be serialized, check the database to
3403 ensure one isn't already running. */
3404
3405 if (smtp_etrn_serialize && !enq_start(etrn_serialize_key))
3406 {
3407 smtp_printf("458 Already processing %s\r\n", smtp_data);
3408 break;
3409 }
3410
3411 /* Fork a child process and run the command. We don't want to have to
3412 wait for the process at any point, so set SIGCHLD to SIG_IGN before
3413 forking. It should be set that way anyway for external incoming SMTP,
3414 but we save and restore to be tidy. If serialization is required, we
3415 actually run the command in yet another process, so we can wait for it
3416 to complete and then remove the serialization lock. */
3417
3418 oldsignal = signal(SIGCHLD, SIG_IGN);
3419
3420 if ((pid = fork()) == 0)
3421 {
3422 smtp_input = FALSE; /* This process is not associated with the */
3423 fclose(smtp_in); /* SMTP call any more. */
3424 fclose(smtp_out);
3425
3426 signal(SIGCHLD, SIG_DFL); /* Want to catch child */
3427
3428 /* If not serializing, do the exec right away. Otherwise, fork down
3429 into another process. */
3430
3431 if (!smtp_etrn_serialize || (pid = fork()) == 0)
3432 {
3433 DEBUG(D_exec) debug_print_argv(argv);
3434 exim_nullstd(); /* Ensure std{in,out,err} exist */
3435 execv(CS argv[0], (char *const *)argv);
3436 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "exec of \"%s\" (ETRN) failed: %s",
3437 etrn_command, strerror(errno));
3438 _exit(EXIT_FAILURE); /* paranoia */
3439 }
3440
3441 /* Obey this if smtp_serialize and the 2nd fork yielded non-zero. That
3442 is, we are in the first subprocess, after forking again. All we can do
3443 for a failing fork is to log it. Otherwise, wait for the 2nd process to
3444 complete, before removing the serialization. */
3445
3446 if (pid < 0)
3447 log_write(0, LOG_MAIN|LOG_PANIC, "2nd fork for serialized ETRN "
3448 "failed: %s", strerror(errno));
3449 else
3450 {
3451 int status;
3452 DEBUG(D_any) debug_printf("waiting for serialized ETRN process %d\n",
3453 (int)pid);
3454 (void)wait(&status);
3455 DEBUG(D_any) debug_printf("serialized ETRN process %d ended\n",
3456 (int)pid);
3457 }
3458
3459 enq_end(etrn_serialize_key);
3460 _exit(EXIT_SUCCESS);
3461 }
3462
3463 /* Back in the top level SMTP process. Check that we started a subprocess
3464 and restore the signal state. */
3465
3466 if (pid < 0)
3467 {
3468 log_write(0, LOG_MAIN|LOG_PANIC, "fork of process for ETRN failed: %s",
3469 strerror(errno));
3470 smtp_printf("458 Unable to fork process\r\n");
3471 if (smtp_etrn_serialize) enq_end(etrn_serialize_key);
3472 }
3473 else smtp_printf("250 OK\r\n");
3474
3475 signal(SIGCHLD, oldsignal);
3476 break;
3477
3478
3479 case BADARG_CMD:
3480 done = synprot_error(L_smtp_syntax_error, 501, NULL,
3481 US"unexpected argument data");
3482 break;
3483
3484
3485 /* This currently happens only for NULLs, but could be extended. */
3486
3487 case BADCHAR_CMD:
3488 done = synprot_error(L_smtp_syntax_error, 0, NULL, /* Just logs */
3489 US"NULL character(s) present (shown as '?')");
3490 smtp_printf("501 NULL characters are not allowed in SMTP commands\r\n");
3491 break;
3492
3493
3494 case BADSYN_CMD:
3495 if (smtp_inend >= smtp_inbuffer + in_buffer_size)
3496 smtp_inend = smtp_inbuffer + in_buffer_size - 1;
3497 c = smtp_inend - smtp_inptr;
3498 if (c > 150) c = 150;
3499 smtp_inptr[c] = 0;
3500 incomplete_transaction_log(US"sync failure");
3501 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
3502 "synchronization error "
3503 "(next input sent too soon: pipelining was%s advertised): "
3504 "rejected \"%s\" %s next input=\"%s\"",
3505 pipelining_advertised? "" : " not",
3506 cmd_buffer, host_and_ident(TRUE),
3507 string_printing(smtp_inptr));
3508 smtp_printf("554 SMTP synchronization error\r\n");
3509 done = 1; /* Pretend eof - drops connection */
3510 break;
3511
3512
3513 case TOO_MANY_NONMAIL_CMD:
3514 incomplete_transaction_log(US"too many non-mail commands");
3515 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3516 "nonmail commands (last was \"%.*s\")", host_and_ident(FALSE),
3517 smtp_data - cmd_buffer, cmd_buffer);
3518 smtp_printf("554 Too many nonmail commands\r\n");
3519 done = 1; /* Pretend eof - drops connection */
3520 break;
3521
3522
3523 default:
3524 if (unknown_command_count++ >= smtp_max_unknown_commands)
3525 {
3526 log_write(L_smtp_syntax_error, LOG_MAIN,
3527 "SMTP syntax error in \"%s\" %s %s",
3528 string_printing(cmd_buffer), host_and_ident(TRUE),
3529 US"unrecognized command");
3530 incomplete_transaction_log(US"unrecognized command");
3531 smtp_printf("500 Too many unrecognized commands\r\n");
3532 done = 2;
3533 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3534 "unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
3535 cmd_buffer);
3536 }
3537 else
3538 done = synprot_error(L_smtp_syntax_error, 500, NULL,
3539 US"unrecognized command");
3540 break;
3541 }
3542
3543 /* This label is used by goto's inside loops that want to break out to
3544 the end of the command-processing loop. */
3545
3546 COMMAND_LOOP:
3547 last_was_rej_mail = was_rej_mail; /* Remember some last commands for */
3548 last_was_rcpt = was_rcpt; /* protocol error handling */
3549 continue;
3550 }
3551
3552return done - 2; /* Convert yield values */
3553}
3554
3555/* End of smtp_in.c */
Unnamed repository; edit this file 'description' to name the repository.