e5885e477165be47c177ad884670cc551d11e19d
[exim.git] / src / src / smtp_in.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2017 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* Functions for handling an incoming SMTP call. */
9
10
11 #include "exim.h"
12 #include <assert.h>
13
14
15 /* Initialize for TCP wrappers if so configured. It appears that the macro
16 HAVE_IPV6 is used in some versions of the tcpd.h header, so we unset it before
17 including that header, and restore its value afterwards. */
18
19 #ifdef USE_TCP_WRAPPERS
20
21 #if HAVE_IPV6
22 #define EXIM_HAVE_IPV6
23 #endif
24 #undef HAVE_IPV6
25 #include <tcpd.h>
26 #undef HAVE_IPV6
27 #ifdef EXIM_HAVE_IPV6
28 #define HAVE_IPV6 TRUE
29 #endif
30
31 int allow_severity = LOG_INFO;
32 int deny_severity = LOG_NOTICE;
33 uschar *tcp_wrappers_name;
34 #endif
35
36
37 /* Size of buffer for reading SMTP commands. We used to use 512, as defined
38 by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
39 commands that accept arguments, and this in particular applies to AUTH, where
40 the data can be quite long. More recently this value was 2048 in Exim;
41 however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH. Clients
42 such as Thunderbird will send an AUTH with an initial-response for GSSAPI.
43 The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
44 we need room to handle large base64-encoded AUTHs for GSSAPI.
45 */
46
47 #define SMTP_CMD_BUFFER_SIZE 16384
48
49 /* Size of buffer for reading SMTP incoming packets */
50
51 #define IN_BUFFER_SIZE 8192
52
53 /* Structure for SMTP command list */
54
55 typedef struct {
56 const char *name;
57 int len;
58 short int cmd;
59 short int has_arg;
60 short int is_mail_cmd;
61 } smtp_cmd_list;
62
63 /* Codes for identifying commands. We order them so that those that come first
64 are those for which synchronization is always required. Checking this can help
65 block some spam. */
66
67 enum {
68 /* These commands are required to be synchronized, i.e. to be the last in a
69 block of commands when pipelining. */
70
71 HELO_CMD, EHLO_CMD, DATA_CMD, /* These are listed in the pipelining */
72 VRFY_CMD, EXPN_CMD, NOOP_CMD, /* RFC as requiring synchronization */
73 ETRN_CMD, /* This by analogy with TURN from the RFC */
74 STARTTLS_CMD, /* Required by the STARTTLS RFC */
75 TLS_AUTH_CMD, /* auto-command at start of SSL */
76
77 /* This is a dummy to identify the non-sync commands when pipelining */
78
79 NON_SYNC_CMD_PIPELINING,
80
81 /* These commands need not be synchronized when pipelining */
82
83 MAIL_CMD, RCPT_CMD, RSET_CMD,
84
85 /* This is a dummy to identify the non-sync commands when not pipelining */
86
87 NON_SYNC_CMD_NON_PIPELINING,
88
89 /* RFC3030 section 2: "After all MAIL and RCPT responses are collected and
90 processed the message is sent using a series of BDAT commands"
91 implies that BDAT should be synchronized. However, we see Google, at least,
92 sending MAIL,RCPT,BDAT-LAST in a single packet, clearly not waiting for
93 processing of the RCPT response(s). We shall do the same, and not require
94 synch for BDAT. Worse, as the chunk may (very likely will) follow the
95 command-header in the same packet we cannot do the usual "is there any
96 follow-on data after the command line" even for non-pipeline mode.
97 So we'll need an explicit check after reading the expected chunk amount
98 when non-pipe, before sending the ACK. */
99
100 BDAT_CMD,
101
102 /* I have been unable to find a statement about the use of pipelining
103 with AUTH, so to be on the safe side it is here, though I kind of feel
104 it should be up there with the synchronized commands. */
105
106 AUTH_CMD,
107
108 /* I'm not sure about these, but I don't think they matter. */
109
110 QUIT_CMD, HELP_CMD,
111
112 #ifdef SUPPORT_PROXY
113 PROXY_FAIL_IGNORE_CMD,
114 #endif
115
116 /* These are specials that don't correspond to actual commands */
117
118 EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
119 TOO_MANY_NONMAIL_CMD };
120
121
122 /* This is a convenience macro for adding the identity of an SMTP command
123 to the circular buffer that holds a list of the last n received. */
124
125 #define HAD(n) \
126 smtp_connection_had[smtp_ch_index++] = n; \
127 if (smtp_ch_index >= SMTP_HBUFF_SIZE) smtp_ch_index = 0
128
129
130 /*************************************************
131 * Local static variables *
132 *************************************************/
133
134 static auth_instance *authenticated_by;
135 static BOOL auth_advertised;
136 #ifdef SUPPORT_TLS
137 static BOOL tls_advertised;
138 #endif
139 static BOOL dsn_advertised;
140 static BOOL esmtp;
141 static BOOL helo_required = FALSE;
142 static BOOL helo_verify = FALSE;
143 static BOOL helo_seen;
144 static BOOL helo_accept_junk;
145 static BOOL count_nonmail;
146 static BOOL pipelining_advertised;
147 static BOOL rcpt_smtp_response_same;
148 static BOOL rcpt_in_progress;
149 static int nonmail_command_count;
150 static BOOL smtp_exit_function_called = 0;
151 #ifdef SUPPORT_I18N
152 static BOOL smtputf8_advertised;
153 #endif
154 static int synprot_error_count;
155 static int unknown_command_count;
156 static int sync_cmd_limit;
157 static int smtp_write_error = 0;
158
159 static uschar *rcpt_smtp_response;
160 static uschar *smtp_data_buffer;
161 static uschar *smtp_cmd_data;
162
163 /* We need to know the position of RSET, HELO, EHLO, AUTH, and STARTTLS. Their
164 final fields of all except AUTH are forced TRUE at the start of a new message
165 setup, to allow one of each between messages that is not counted as a nonmail
166 command. (In fact, only one of HELO/EHLO is not counted.) Also, we have to
167 allow a new EHLO after starting up TLS.
168
169 AUTH is "falsely" labelled as a mail command initially, so that it doesn't get
170 counted. However, the flag is changed when AUTH is received, so that multiple
171 failing AUTHs will eventually hit the limit. After a successful AUTH, another
172 AUTH is already forbidden. After a TLS session is started, AUTH's flag is again
173 forced TRUE, to allow for the re-authentication that can happen at that point.
174
175 QUIT is also "falsely" labelled as a mail command so that it doesn't up the
176 count of non-mail commands and possibly provoke an error.
177
178 tls_auth is a pseudo-command, never expected in input. It is activated
179 on TLS startup and looks for a tls authenticator. */
180
181 static smtp_cmd_list cmd_list[] = {
182 /* name len cmd has_arg is_mail_cmd */
183
184 { "rset", sizeof("rset")-1, RSET_CMD, FALSE, FALSE }, /* First */
185 { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
186 { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
187 { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
188 #ifdef SUPPORT_TLS
189 { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
190 { "tls_auth", 0, TLS_AUTH_CMD, FALSE, TRUE },
191 #endif
192
193 /* If you change anything above here, also fix the definitions below. */
194
195 { "mail from:", sizeof("mail from:")-1, MAIL_CMD, TRUE, TRUE },
196 { "rcpt to:", sizeof("rcpt to:")-1, RCPT_CMD, TRUE, TRUE },
197 { "data", sizeof("data")-1, DATA_CMD, FALSE, TRUE },
198 { "bdat", sizeof("bdat")-1, BDAT_CMD, TRUE, TRUE },
199 { "quit", sizeof("quit")-1, QUIT_CMD, FALSE, TRUE },
200 { "noop", sizeof("noop")-1, NOOP_CMD, TRUE, FALSE },
201 { "etrn", sizeof("etrn")-1, ETRN_CMD, TRUE, FALSE },
202 { "vrfy", sizeof("vrfy")-1, VRFY_CMD, TRUE, FALSE },
203 { "expn", sizeof("expn")-1, EXPN_CMD, TRUE, FALSE },
204 { "help", sizeof("help")-1, HELP_CMD, TRUE, FALSE }
205 };
206
207 static smtp_cmd_list *cmd_list_end =
208 cmd_list + sizeof(cmd_list)/sizeof(smtp_cmd_list);
209
210 #define CMD_LIST_RSET 0
211 #define CMD_LIST_HELO 1
212 #define CMD_LIST_EHLO 2
213 #define CMD_LIST_AUTH 3
214 #define CMD_LIST_STARTTLS 4
215 #define CMD_LIST_TLS_AUTH 5
216
217 /* This list of names is used for performing the smtp_no_mail logging action.
218 It must be kept in step with the SCH_xxx enumerations. */
219
220 static uschar *smtp_names[] =
221 {
222 US"NONE", US"AUTH", US"DATA", US"BDAT", US"EHLO", US"ETRN", US"EXPN",
223 US"HELO", US"HELP", US"MAIL", US"NOOP", US"QUIT", US"RCPT", US"RSET",
224 US"STARTTLS", US"VRFY" };
225
226 static uschar *protocols_local[] = {
227 US"local-smtp", /* HELO */
228 US"local-smtps", /* The rare case EHLO->STARTTLS->HELO */
229 US"local-esmtp", /* EHLO */
230 US"local-esmtps", /* EHLO->STARTTLS->EHLO */
231 US"local-esmtpa", /* EHLO->AUTH */
232 US"local-esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
233 };
234 static uschar *protocols[] = {
235 US"smtp", /* HELO */
236 US"smtps", /* The rare case EHLO->STARTTLS->HELO */
237 US"esmtp", /* EHLO */
238 US"esmtps", /* EHLO->STARTTLS->EHLO */
239 US"esmtpa", /* EHLO->AUTH */
240 US"esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
241 };
242
243 #define pnormal 0
244 #define pextend 2
245 #define pcrpted 1 /* added to pextend or pnormal */
246 #define pauthed 2 /* added to pextend */
247
248 /* Sanity check and validate optional args to MAIL FROM: envelope */
249 enum {
250 ENV_MAIL_OPT_NULL,
251 ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH,
252 #ifndef DISABLE_PRDR
253 ENV_MAIL_OPT_PRDR,
254 #endif
255 ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
256 #ifdef SUPPORT_I18N
257 ENV_MAIL_OPT_UTF8,
258 #endif
259 };
260 typedef struct {
261 uschar * name; /* option requested during MAIL cmd */
262 int value; /* enum type */
263 BOOL need_value; /* TRUE requires value (name=value pair format)
264 FALSE is a singleton */
265 } env_mail_type_t;
266 static env_mail_type_t env_mail_type_list[] = {
267 { US"SIZE", ENV_MAIL_OPT_SIZE, TRUE },
268 { US"BODY", ENV_MAIL_OPT_BODY, TRUE },
269 { US"AUTH", ENV_MAIL_OPT_AUTH, TRUE },
270 #ifndef DISABLE_PRDR
271 { US"PRDR", ENV_MAIL_OPT_PRDR, FALSE },
272 #endif
273 { US"RET", ENV_MAIL_OPT_RET, TRUE },
274 { US"ENVID", ENV_MAIL_OPT_ENVID, TRUE },
275 #ifdef SUPPORT_I18N
276 { US"SMTPUTF8",ENV_MAIL_OPT_UTF8, FALSE }, /* rfc6531 */
277 #endif
278 /* keep this the last entry */
279 { US"NULL", ENV_MAIL_OPT_NULL, FALSE },
280 };
281
282 /* When reading SMTP from a remote host, we have to use our own versions of the
283 C input-reading functions, in order to be able to flush the SMTP output only
284 when about to read more data from the socket. This is the only way to get
285 optimal performance when the client is using pipelining. Flushing for every
286 command causes a separate packet and reply packet each time; saving all the
287 responses up (when pipelining) combines them into one packet and one response.
288
289 For simplicity, these functions are used for *all* SMTP input, not only when
290 receiving over a socket. However, after setting up a secure socket (SSL), input
291 is read via the OpenSSL library, and another set of functions is used instead
292 (see tls.c).
293
294 These functions are set in the receive_getc etc. variables and called with the
295 same interface as the C functions. However, since there can only ever be
296 one incoming SMTP call, we just use a single buffer and flags. There is no need
297 to implement a complicated private FILE-like structure.*/
298
299 static uschar *smtp_inbuffer;
300 static uschar *smtp_inptr;
301 static uschar *smtp_inend;
302 static int smtp_had_eof;
303 static int smtp_had_error;
304
305
306 /* forward declarations */
307 static int smtp_read_command(BOOL check_sync, unsigned buffer_lim);
308 static int synprot_error(int type, int code, uschar *data, uschar *errmess);
309 static void smtp_quit_handler(uschar **, uschar **);
310 static void smtp_rset_handler(void);
311
312 /*************************************************
313 * Recheck synchronization *
314 *************************************************/
315
316 /* Synchronization checks can never be perfect because a packet may be on its
317 way but not arrived when the check is done. Such checks can in any case only be
318 done when TLS is not in use. Normally, the checks happen when commands are
319 read: Exim ensures that there is no more input in the input buffer. In normal
320 cases, the response to the command will be fast, and there is no further check.
321
322 However, for some commands an ACL is run, and that can include delays. In those
323 cases, it is useful to do another check on the input just before sending the
324 response. This also applies at the start of a connection. This function does
325 that check by means of the select() function, as long as the facility is not
326 disabled or inappropriate. A failure of select() is ignored.
327
328 When there is unwanted input, we read it so that it appears in the log of the
329 error.
330
331 Arguments: none
332 Returns: TRUE if all is well; FALSE if there is input pending
333 */
334
335 static BOOL
336 check_sync(void)
337 {
338 int fd, rc;
339 fd_set fds;
340 struct timeval tzero;
341
342 if (!smtp_enforce_sync || sender_host_address == NULL ||
343 sender_host_notsocket || tls_in.active >= 0)
344 return TRUE;
345
346 if (smtp_inptr < smtp_inend)
347 return FALSE;
348
349 fd = fileno(smtp_in);
350 FD_ZERO(&fds);
351 FD_SET(fd, &fds);
352 tzero.tv_sec = 0;
353 tzero.tv_usec = 0;
354 rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
355
356 if (rc <= 0) return TRUE; /* Not ready to read */
357 rc = smtp_getc(GETC_BUFFER_UNLIMITED);
358 if (rc < 0) return TRUE; /* End of file or error */
359
360 smtp_ungetc(rc);
361 rc = smtp_inend - smtp_inptr;
362 if (rc > 150) rc = 150;
363 smtp_inptr[rc] = 0;
364 return FALSE;
365 }
366
367
368
369 /*************************************************
370 * Log incomplete transactions *
371 *************************************************/
372
373 /* This function is called after a transaction has been aborted by RSET, QUIT,
374 connection drops or other errors. It logs the envelope information received
375 so far in order to preserve address verification attempts.
376
377 Argument: string to indicate what aborted the transaction
378 Returns: nothing
379 */
380
381 static void
382 incomplete_transaction_log(uschar *what)
383 {
384 if (sender_address == NULL || /* No transaction in progress */
385 !LOGGING(smtp_incomplete_transaction))
386 return;
387
388 /* Build list of recipients for logging */
389
390 if (recipients_count > 0)
391 {
392 int i;
393 raw_recipients = store_get(recipients_count * sizeof(uschar *));
394 for (i = 0; i < recipients_count; i++)
395 raw_recipients[i] = recipients_list[i].address;
396 raw_recipients_count = recipients_count;
397 }
398
399 log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
400 "%s incomplete transaction (%s)", host_and_ident(TRUE), what);
401 }
402
403
404
405
406 /* Refill the buffer, and notify DKIM verification code.
407 Return false for error or EOF.
408 */
409
410 static BOOL
411 smtp_refill(unsigned lim)
412 {
413 int rc, save_errno;
414 if (!smtp_out) return FALSE;
415 fflush(smtp_out);
416 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
417
418 /* Limit amount read, so non-message data is not fed to DKIM */
419
420 rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE, lim));
421 save_errno = errno;
422 alarm(0);
423 if (rc <= 0)
424 {
425 /* Must put the error text in fixed store, because this might be during
426 header reading, where it releases unused store above the header. */
427 if (rc < 0)
428 {
429 smtp_had_error = save_errno;
430 smtp_read_error = string_copy_malloc(
431 string_sprintf(" (error: %s)", strerror(save_errno)));
432 }
433 else smtp_had_eof = 1;
434 return FALSE;
435 }
436 #ifndef DISABLE_DKIM
437 dkim_exim_verify_feed(smtp_inbuffer, rc);
438 #endif
439 smtp_inend = smtp_inbuffer + rc;
440 smtp_inptr = smtp_inbuffer;
441 return TRUE;
442 }
443
444 /*************************************************
445 * SMTP version of getc() *
446 *************************************************/
447
448 /* This gets the next byte from the SMTP input buffer. If the buffer is empty,
449 it flushes the output, and refills the buffer, with a timeout. The signal
450 handler is set appropriately by the calling function. This function is not used
451 after a connection has negotiated itself into an TLS/SSL state.
452
453 Arguments: lim Maximum amount to read/buffer
454 Returns: the next character or EOF
455 */
456
457 int
458 smtp_getc(unsigned lim)
459 {
460 if (smtp_inptr >= smtp_inend)
461 if (!smtp_refill(lim))
462 return EOF;
463 return *smtp_inptr++;
464 }
465
466 uschar *
467 smtp_getbuf(unsigned * len)
468 {
469 unsigned size;
470 uschar * buf;
471
472 if (smtp_inptr >= smtp_inend)
473 if (!smtp_refill(*len))
474 { *len = 0; return NULL; }
475
476 if ((size = smtp_inend - smtp_inptr) > *len) size = *len;
477 buf = smtp_inptr;
478 smtp_inptr += size;
479 *len = size;
480 return buf;
481 }
482
483 void
484 smtp_get_cache(void)
485 {
486 #ifndef DISABLE_DKIM
487 int n = smtp_inend - smtp_inptr;
488 if (n > 0)
489 dkim_exim_verify_feed(smtp_inptr, n);
490 #endif
491 }
492
493
494 /* Get a byte from the smtp input, in CHUNKING mode. Handle ack of the
495 previous BDAT chunk and getting new ones when we run out. Uses the
496 underlying smtp_getc or tls_getc both for that and for getting the
497 (buffered) data byte. EOD signals (an expected) no further data.
498 ERR signals a protocol error, and EOF a closed input stream.
499
500 Called from read_bdat_smtp() in receive.c for the message body, but also
501 by the headers read loop in receive_msg(); manipulates chunking_state
502 to handle the BDAT command/response.
503 Placed here due to the correlation with the above smtp_getc(), which it wraps,
504 and also by the need to do smtp command/response handling.
505
506 Arguments: lim (ignored)
507 Returns: the next character or ERR, EOD or EOF
508 */
509
510 int
511 bdat_getc(unsigned lim)
512 {
513 uschar * user_msg = NULL;
514 uschar * log_msg;
515
516 for(;;)
517 {
518 #ifndef DISABLE_DKIM
519 BOOL dkim_save;
520 #endif
521
522 if (chunking_data_left > 0)
523 return lwr_receive_getc(chunking_data_left--);
524
525 receive_getc = lwr_receive_getc;
526 receive_getbuf = lwr_receive_getbuf;
527 receive_ungetc = lwr_receive_ungetc;
528 #ifndef DISABLE_DKIM
529 dkim_save = dkim_collect_input;
530 dkim_collect_input = FALSE;
531 #endif
532
533 /* Unless PIPELINING was offered, there should be no next command
534 until after we ack that chunk */
535
536 if (!pipelining_advertised && !check_sync())
537 {
538 unsigned n = smtp_inend - smtp_inptr;
539 if (n > 32) n = 32;
540
541 incomplete_transaction_log(US"sync failure");
542 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
543 "(next input sent too soon: pipelining was not advertised): "
544 "rejected \"%s\" %s next input=\"%s\"",
545 smtp_cmd_buffer, host_and_ident(TRUE),
546 string_printing(string_copyn(smtp_inptr, n)));
547 (void) synprot_error(L_smtp_protocol_error, 554, NULL,
548 US"SMTP synchronization error");
549 goto repeat_until_rset;
550 }
551
552 /* If not the last, ack the received chunk. The last response is delayed
553 until after the data ACL decides on it */
554
555 if (chunking_state == CHUNKING_LAST)
556 {
557 #ifndef DISABLE_DKIM
558 dkim_exim_verify_feed(NULL, 0); /* notify EOD */
559 #endif
560 return EOD;
561 }
562
563 smtp_printf("250 %u byte chunk received\r\n", chunking_datasize);
564 chunking_state = CHUNKING_OFFERED;
565 DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
566
567 /* Expect another BDAT cmd from input. RFC 3030 says nothing about
568 QUIT, RSET or NOOP but handling them seems obvious */
569
570 next_cmd:
571 switch(smtp_read_command(TRUE, 1))
572 {
573 default:
574 (void) synprot_error(L_smtp_protocol_error, 503, NULL,
575 US"only BDAT permissible after non-LAST BDAT");
576
577 repeat_until_rset:
578 switch(smtp_read_command(TRUE, 1))
579 {
580 case QUIT_CMD: smtp_quit_handler(&user_msg, &log_msg); /*FALLTHROUGH */
581 case EOF_CMD: return EOF;
582 case RSET_CMD: smtp_rset_handler(); return ERR;
583 default: if (synprot_error(L_smtp_protocol_error, 503, NULL,
584 US"only RSET accepted now") > 0)
585 return EOF;
586 goto repeat_until_rset;
587 }
588
589 case QUIT_CMD:
590 smtp_quit_handler(&user_msg, &log_msg);
591 /*FALLTHROUGH*/
592 case EOF_CMD:
593 return EOF;
594
595 case RSET_CMD:
596 smtp_rset_handler();
597 return ERR;
598
599 case NOOP_CMD:
600 HAD(SCH_NOOP);
601 smtp_printf("250 OK\r\n");
602 goto next_cmd;
603
604 case BDAT_CMD:
605 {
606 int n;
607
608 if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
609 {
610 (void) synprot_error(L_smtp_protocol_error, 501, NULL,
611 US"missing size for BDAT command");
612 return ERR;
613 }
614 chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
615 ? CHUNKING_LAST : CHUNKING_ACTIVE;
616 chunking_data_left = chunking_datasize;
617 DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
618 (int)chunking_state, chunking_data_left);
619
620 if (chunking_datasize == 0)
621 if (chunking_state == CHUNKING_LAST)
622 return EOD;
623 else
624 {
625 (void) synprot_error(L_smtp_protocol_error, 504, NULL,
626 US"zero size for BDAT command");
627 goto repeat_until_rset;
628 }
629
630 receive_getc = bdat_getc;
631 receive_getbuf = bdat_getbuf;
632 receive_ungetc = bdat_ungetc;
633 #ifndef DISABLE_DKIM
634 dkim_collect_input = dkim_save;
635 #endif
636 break; /* to top of main loop */
637 }
638 }
639 }
640 }
641
642 uschar *
643 bdat_getbuf(unsigned * len)
644 {
645 uschar * buf;
646
647 if (chunking_data_left <= 0)
648 { *len = 0; return NULL; }
649
650 if (*len > chunking_data_left) *len = chunking_data_left;
651 buf = lwr_receive_getbuf(len); /* Either smtp_getbuf or tls_getbuf */
652 chunking_data_left -= *len;
653 return buf;
654 }
655
656 void
657 bdat_flush_data(void)
658 {
659 unsigned n = chunking_data_left;
660 (void) bdat_getbuf(&n);
661
662 receive_getc = lwr_receive_getc;
663 receive_getbuf = lwr_receive_getbuf;
664 receive_ungetc = lwr_receive_ungetc;
665
666 if (chunking_state != CHUNKING_LAST)
667 {
668 chunking_state = CHUNKING_OFFERED;
669 DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
670 }
671 }
672
673
674
675
676 /*************************************************
677 * SMTP version of ungetc() *
678 *************************************************/
679
680 /* Puts a character back in the input buffer. Only ever
681 called once.
682
683 Arguments:
684 ch the character
685
686 Returns: the character
687 */
688
689 int
690 smtp_ungetc(int ch)
691 {
692 *--smtp_inptr = ch;
693 return ch;
694 }
695
696
697 int
698 bdat_ungetc(int ch)
699 {
700 chunking_data_left++;
701 return lwr_receive_ungetc(ch);
702 }
703
704
705
706 /*************************************************
707 * SMTP version of feof() *
708 *************************************************/
709
710 /* Tests for a previous EOF
711
712 Arguments: none
713 Returns: non-zero if the eof flag is set
714 */
715
716 int
717 smtp_feof(void)
718 {
719 return smtp_had_eof;
720 }
721
722
723
724
725 /*************************************************
726 * SMTP version of ferror() *
727 *************************************************/
728
729 /* Tests for a previous read error, and returns with errno
730 restored to what it was when the error was detected.
731
732 Arguments: none
733 Returns: non-zero if the error flag is set
734 */
735
736 int
737 smtp_ferror(void)
738 {
739 errno = smtp_had_error;
740 return smtp_had_error;
741 }
742
743
744
745 /*************************************************
746 * Test for characters in the SMTP buffer *
747 *************************************************/
748
749 /* Used at the end of a message
750
751 Arguments: none
752 Returns: TRUE/FALSE
753 */
754
755 BOOL
756 smtp_buffered(void)
757 {
758 return smtp_inptr < smtp_inend;
759 }
760
761
762
763 /*************************************************
764 * Write formatted string to SMTP channel *
765 *************************************************/
766
767 /* This is a separate function so that we don't have to repeat everything for
768 TLS support or debugging. It is global so that the daemon and the
769 authentication functions can use it. It does not return any error indication,
770 because major problems such as dropped connections won't show up till an output
771 flush for non-TLS connections. The smtp_fflush() function is available for
772 checking that: for convenience, TLS output errors are remembered here so that
773 they are also picked up later by smtp_fflush().
774
775 Arguments:
776 format format string
777 ... optional arguments
778
779 Returns: nothing
780 */
781
782 void
783 smtp_printf(const char *format, ...)
784 {
785 va_list ap;
786
787 va_start(ap, format);
788 smtp_vprintf(format, ap);
789 va_end(ap);
790 }
791
792 /* This is split off so that verify.c:respond_printf() can, in effect, call
793 smtp_printf(), bearing in mind that in C a vararg function can't directly
794 call another vararg function, only a function which accepts a va_list. */
795
796 void
797 smtp_vprintf(const char *format, va_list ap)
798 {
799 BOOL yield;
800
801 yield = string_vformat(big_buffer, big_buffer_size, format, ap);
802
803 DEBUG(D_receive)
804 {
805 void *reset_point = store_get(0);
806 uschar *msg_copy, *cr, *end;
807 msg_copy = string_copy(big_buffer);
808 end = msg_copy + Ustrlen(msg_copy);
809 while ((cr = Ustrchr(msg_copy, '\r')) != NULL) /* lose CRs */
810 memmove(cr, cr + 1, (end--) - cr);
811 debug_printf("SMTP>> %s", msg_copy);
812 store_reset(reset_point);
813 }
814
815 if (!yield)
816 {
817 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
818 smtp_closedown(US"Unexpected error");
819 exim_exit(EXIT_FAILURE);
820 }
821
822 /* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
823 have had the same. Note: this code is also present in smtp_respond(). It would
824 be tidier to have it only in one place, but when it was added, it was easier to
825 do it that way, so as not to have to mess with the code for the RCPT command,
826 which sometimes uses smtp_printf() and sometimes smtp_respond(). */
827
828 if (rcpt_in_progress)
829 {
830 if (rcpt_smtp_response == NULL)
831 rcpt_smtp_response = string_copy(big_buffer);
832 else if (rcpt_smtp_response_same &&
833 Ustrcmp(rcpt_smtp_response, big_buffer) != 0)
834 rcpt_smtp_response_same = FALSE;
835 rcpt_in_progress = FALSE;
836 }
837
838 /* Now write the string */
839
840 #ifdef SUPPORT_TLS
841 if (tls_in.active >= 0)
842 {
843 if (tls_write(TRUE, big_buffer, Ustrlen(big_buffer)) < 0)
844 smtp_write_error = -1;
845 }
846 else
847 #endif
848
849 if (fprintf(smtp_out, "%s", big_buffer) < 0) smtp_write_error = -1;
850 }
851
852
853
854 /*************************************************
855 * Flush SMTP out and check for error *
856 *************************************************/
857
858 /* This function isn't currently used within Exim (it detects errors when it
859 tries to read the next SMTP input), but is available for use in local_scan().
860 For non-TLS connections, it flushes the output and checks for errors. For
861 TLS-connections, it checks for a previously-detected TLS write error.
862
863 Arguments: none
864 Returns: 0 for no error; -1 after an error
865 */
866
867 int
868 smtp_fflush(void)
869 {
870 if (tls_in.active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
871 return smtp_write_error;
872 }
873
874
875
876 /*************************************************
877 * SMTP command read timeout *
878 *************************************************/
879
880 /* Signal handler for timing out incoming SMTP commands. This attempts to
881 finish off tidily.
882
883 Argument: signal number (SIGALRM)
884 Returns: nothing
885 */
886
887 static void
888 command_timeout_handler(int sig)
889 {
890 sig = sig; /* Keep picky compilers happy */
891 log_write(L_lost_incoming_connection,
892 LOG_MAIN, "SMTP command timeout on%s connection from %s",
893 (tls_in.active >= 0)? " TLS" : "",
894 host_and_ident(FALSE));
895 if (smtp_batched_input)
896 moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
897 smtp_notquit_exit(US"command-timeout", US"421",
898 US"%s: SMTP command timeout - closing connection", smtp_active_hostname);
899 exim_exit(EXIT_FAILURE);
900 }
901
902
903
904 /*************************************************
905 * SIGTERM received *
906 *************************************************/
907
908 /* Signal handler for handling SIGTERM. Again, try to finish tidily.
909
910 Argument: signal number (SIGTERM)
911 Returns: nothing
912 */
913
914 static void
915 command_sigterm_handler(int sig)
916 {
917 sig = sig; /* Keep picky compilers happy */
918 log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
919 if (smtp_batched_input)
920 moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */
921 smtp_notquit_exit(US"signal-exit", US"421",
922 US"%s: Service not available - closing connection", smtp_active_hostname);
923 exim_exit(EXIT_FAILURE);
924 }
925
926
927
928
929 #ifdef SUPPORT_PROXY
930 /*************************************************
931 * Restore socket timeout to previous value *
932 *************************************************/
933 /* If the previous value was successfully retrieved, restore
934 it before returning control to the non-proxy routines
935
936 Arguments: fd - File descriptor for input
937 get_ok - Successfully retrieved previous values
938 tvtmp - Time struct with previous values
939 vslen - Length of time struct
940 Returns: none
941 */
942 static void
943 restore_socket_timeout(int fd, int get_ok, struct timeval * tvtmp, socklen_t vslen)
944 {
945 if (get_ok == 0)
946 (void) setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, CS tvtmp, vslen);
947 }
948
949 /*************************************************
950 * Check if host is required proxy host *
951 *************************************************/
952 /* The function determines if inbound host will be a regular smtp host
953 or if it is configured that it must use Proxy Protocol. A local
954 connection cannot.
955
956 Arguments: none
957 Returns: bool
958 */
959
960 static BOOL
961 check_proxy_protocol_host()
962 {
963 int rc;
964
965 if ( sender_host_address
966 && (rc = verify_check_this_host(CUSS &hosts_proxy, NULL, NULL,
967 sender_host_address, NULL)) == OK)
968 {
969 DEBUG(D_receive)
970 debug_printf("Detected proxy protocol configured host\n");
971 proxy_session = TRUE;
972 }
973 return proxy_session;
974 }
975
976
977 /*************************************************
978 * Read data until newline or end of buffer *
979 *************************************************/
980 /* While SMTP is server-speaks-first, TLS is client-speaks-first, so we can't
981 read an entire buffer and assume there will be nothing past a proxy protocol
982 header. Our approach normally is to use stdio, but again that relies upon
983 "STARTTLS\r\n" and a server response before the client starts TLS handshake, or
984 reading _nothing_ before client TLS handshake. So we don't want to use the
985 usual buffering reads which may read enough to block TLS starting.
986
987 So unfortunately we're down to "read one byte at a time, with a syscall each,
988 and expect a little overhead", for all proxy-opened connections which are v1,
989 just to handle the TLS-on-connect case. Since SSL functions wrap the
990 underlying fd, we can't assume that we can feed them any already-read content.
991
992 We need to know where to read to, the max capacity, and we'll read until we
993 get a CR and one more character. Let the caller scream if it's CR+!LF.
994
995 Return the amount read.
996 */
997
998 static int
999 swallow_until_crlf(int fd, uschar *base, int already, int capacity)
1000 {
1001 uschar *to = base + already;
1002 uschar *cr;
1003 int have = 0;
1004 int ret;
1005 int last = 0;
1006
1007 /* For "PROXY UNKNOWN\r\n" we, at time of writing, expect to have read
1008 up through the \r; for the _normal_ case, we haven't yet seen the \r. */
1009
1010 cr = memchr(base, '\r', already);
1011 if (cr != NULL)
1012 {
1013 if ((cr - base) < already - 1)
1014 {
1015 /* \r and presumed \n already within what we have; probably not
1016 actually proxy protocol, but abort cleanly. */
1017 return 0;
1018 }
1019 /* \r is last character read, just need one more. */
1020 last = 1;
1021 }
1022
1023 while (capacity > 0)
1024 {
1025 do { ret = recv(fd, to, 1, 0); } while (ret == -1 && errno == EINTR);
1026 if (ret == -1)
1027 return -1;
1028 have++;
1029 if (last)
1030 return have;
1031 if (*to == '\r')
1032 last = 1;
1033 capacity--;
1034 to++;
1035 }
1036
1037 /* reached end without having room for a final newline, abort */
1038 errno = EOVERFLOW;
1039 return -1;
1040 }
1041
1042 /*************************************************
1043 * Setup host for proxy protocol *
1044 *************************************************/
1045 /* The function configures the connection based on a header from the
1046 inbound host to use Proxy Protocol. The specification is very exact
1047 so exit with an error if do not find the exact required pieces. This
1048 includes an incorrect number of spaces separating args.
1049
1050 Arguments: none
1051 Returns: Boolean success
1052 */
1053
1054 static void
1055 setup_proxy_protocol_host()
1056 {
1057 union {
1058 struct {
1059 uschar line[108];
1060 } v1;
1061 struct {
1062 uschar sig[12];
1063 uint8_t ver_cmd;
1064 uint8_t fam;
1065 uint16_t len;
1066 union {
1067 struct { /* TCP/UDP over IPv4, len = 12 */
1068 uint32_t src_addr;
1069 uint32_t dst_addr;
1070 uint16_t src_port;
1071 uint16_t dst_port;
1072 } ip4;
1073 struct { /* TCP/UDP over IPv6, len = 36 */
1074 uint8_t src_addr[16];
1075 uint8_t dst_addr[16];
1076 uint16_t src_port;
1077 uint16_t dst_port;
1078 } ip6;
1079 struct { /* AF_UNIX sockets, len = 216 */
1080 uschar src_addr[108];
1081 uschar dst_addr[108];
1082 } unx;
1083 } addr;
1084 } v2;
1085 } hdr;
1086
1087 /* Temp variables used in PPv2 address:port parsing */
1088 uint16_t tmpport;
1089 char tmpip[INET_ADDRSTRLEN];
1090 struct sockaddr_in tmpaddr;
1091 char tmpip6[INET6_ADDRSTRLEN];
1092 struct sockaddr_in6 tmpaddr6;
1093
1094 /* We can't read "all data until end" because while SMTP is
1095 server-speaks-first, the TLS handshake is client-speaks-first, so for
1096 TLS-on-connect ports the proxy protocol header will usually be immediately
1097 followed by a TLS handshake, and with N TLS libraries, we can't reliably
1098 reinject data for reading by those. So instead we first read "enough to be
1099 safely read within the header, and figure out how much more to read".
1100 For v1 we will later read to the end-of-line, for v2 we will read based upon
1101 the stated length.
1102
1103 The v2 sig is 12 octets, and another 4 gets us the length, so we know how much
1104 data is needed total. For v1, where the line looks like:
1105 PROXY TCPn L3src L3dest SrcPort DestPort \r\n
1106
1107 However, for v1 there's also `PROXY UNKNOWN\r\n` which is only 15 octets.
1108 We seem to support that. So, if we read 14 octets then we can tell if we're
1109 v2 or v1. If we're v1, we can continue reading as normal.
1110
1111 If we're v2, we can't slurp up the entire header. We need the length in the
1112 15th & 16th octets, then to read everything after that.
1113
1114 So to safely handle v1 and v2, with client-sent-first supported correctly,
1115 we have to do a minimum of 3 read calls, not 1. Eww.
1116 */
1117
1118 #define PROXY_INITIAL_READ 14
1119 #define PROXY_V2_HEADER_SIZE 16
1120 #if PROXY_INITIAL_READ > PROXY_V2_HEADER_SIZE
1121 # error Code bug in sizes of data to read for proxy usage
1122 #endif
1123
1124 int get_ok = 0;
1125 int size, ret;
1126 int fd = fileno(smtp_in);
1127 const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
1128 uschar * iptype; /* To display debug info */
1129 struct timeval tv;
1130 struct timeval tvtmp;
1131 socklen_t vslen = sizeof(struct timeval);
1132 BOOL yield = FALSE;
1133
1134 /* Save current socket timeout values */
1135 get_ok = getsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, CS &tvtmp, &vslen);
1136
1137 /* Proxy Protocol host must send header within a short time
1138 (default 3 seconds) or it's considered invalid */
1139 tv.tv_sec = PROXY_NEGOTIATION_TIMEOUT_SEC;
1140 tv.tv_usec = PROXY_NEGOTIATION_TIMEOUT_USEC;
1141 if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, CS &tv, sizeof(tv)) < 0)
1142 goto bad;
1143
1144 do
1145 {
1146 /* The inbound host was declared to be a Proxy Protocol host, so
1147 don't do a PEEK into the data, actually slurp up enough to be
1148 "safe". Can't take it all because TLS-on-connect clients follow
1149 immediately with TLS handshake. */
1150 ret = recv(fd, &hdr, PROXY_INITIAL_READ, 0);
1151 }
1152 while (ret == -1 && errno == EINTR);
1153
1154 if (ret == -1)
1155 goto proxyfail;
1156
1157 /* For v2, handle reading the length, and then the rest. */
1158 if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))
1159 {
1160 int retmore;
1161 uint8_t ver;
1162
1163 /* First get the length fields. */
1164 do
1165 {
1166 retmore = recv(fd, (uschar*)&hdr + ret, PROXY_V2_HEADER_SIZE - PROXY_INITIAL_READ, 0);
1167 } while (retmore == -1 && errno == EINTR);
1168 if (retmore == -1)
1169 goto proxyfail;
1170 ret += retmore;
1171
1172 ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
1173
1174 /* May 2014: haproxy combined the version and command into one byte to
1175 allow two full bytes for the length field in order to proxy SSL
1176 connections. SSL Proxy is not supported in this version of Exim, but
1177 must still separate values here. */
1178
1179 if (ver != 0x02)
1180 {
1181 DEBUG(D_receive) debug_printf("Invalid Proxy Protocol version: %d\n", ver);
1182 goto proxyfail;
1183 }
1184
1185 /* The v2 header will always be 16 bytes per the spec. */
1186 size = 16 + ntohs(hdr.v2.len);
1187 DEBUG(D_receive) debug_printf("Detected PROXYv2 header, size %d (limit %d)\n",
1188 size, (int)sizeof(hdr));
1189
1190 /* We should now have 16 octets (PROXY_V2_HEADER_SIZE), and we know the total
1191 amount that we need. Double-check that the size is not unreasonable, then
1192 get the rest. */
1193 if (size > sizeof(hdr))
1194 {
1195 DEBUG(D_receive) debug_printf("PROXYv2 header size unreasonably large; security attack?\n");
1196 goto proxyfail;
1197 }
1198
1199 do
1200 {
1201 do
1202 {
1203 retmore = recv(fd, (uschar*)&hdr + ret, size-ret, 0);
1204 } while (retmore == -1 && errno == EINTR);
1205 if (retmore == -1)
1206 goto proxyfail;
1207 ret += retmore;
1208 DEBUG(D_receive) debug_printf("PROXYv2: have %d/%d required octets\n", ret, size);
1209 } while (ret < size);
1210
1211 } /* end scope for getting rest of data for v2 */
1212
1213 /* At this point: if PROXYv2, we've read the exact size required for all data;
1214 if PROXYv1 then we've read "less than required for any valid line" and should
1215 read the rest". */
1216
1217 if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)
1218 {
1219 uint8_t cmd = (hdr.v2.ver_cmd & 0x0f);
1220
1221 switch (cmd)
1222 {
1223 case 0x01: /* PROXY command */
1224 switch (hdr.v2.fam)
1225 {
1226 case 0x11: /* TCPv4 address type */
1227 iptype = US"IPv4";
1228 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
1229 inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
1230 if (!string_is_ip_address(US tmpip, NULL))
1231 {
1232 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
1233 goto proxyfail;
1234 }
1235 proxy_local_address = sender_host_address;
1236 sender_host_address = string_copy(US tmpip);
1237 tmpport = ntohs(hdr.v2.addr.ip4.src_port);
1238 proxy_local_port = sender_host_port;
1239 sender_host_port = tmpport;
1240 /* Save dest ip/port */
1241 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
1242 inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
1243 if (!string_is_ip_address(US tmpip, NULL))
1244 {
1245 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
1246 goto proxyfail;
1247 }
1248 proxy_external_address = string_copy(US tmpip);
1249 tmpport = ntohs(hdr.v2.addr.ip4.dst_port);
1250 proxy_external_port = tmpport;
1251 goto done;
1252 case 0x21: /* TCPv6 address type */
1253 iptype = US"IPv6";
1254 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
1255 inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
1256 if (!string_is_ip_address(US tmpip6, NULL))
1257 {
1258 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
1259 goto proxyfail;
1260 }
1261 proxy_local_address = sender_host_address;
1262 sender_host_address = string_copy(US tmpip6);
1263 tmpport = ntohs(hdr.v2.addr.ip6.src_port);
1264 proxy_local_port = sender_host_port;
1265 sender_host_port = tmpport;
1266 /* Save dest ip/port */
1267 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
1268 inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
1269 if (!string_is_ip_address(US tmpip6, NULL))
1270 {
1271 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
1272 goto proxyfail;
1273 }
1274 proxy_external_address = string_copy(US tmpip6);
1275 tmpport = ntohs(hdr.v2.addr.ip6.dst_port);
1276 proxy_external_port = tmpport;
1277 goto done;
1278 default:
1279 DEBUG(D_receive)
1280 debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n",
1281 hdr.v2.fam);
1282 goto proxyfail;
1283 }
1284 /* Unsupported protocol, keep local connection address */
1285 break;
1286 case 0x00: /* LOCAL command */
1287 /* Keep local connection address for LOCAL */
1288 iptype = US"local";
1289 break;
1290 default:
1291 DEBUG(D_receive)
1292 debug_printf("Unsupported PROXYv2 command: 0x%x\n", cmd);
1293 goto proxyfail;
1294 }
1295 }
1296 else if (ret >= 8 && memcmp(hdr.v1.line, "PROXY", 5) == 0)
1297 {
1298 uschar *p;
1299 uschar *end;
1300 uschar *sp; /* Utility variables follow */
1301 int tmp_port;
1302 int r2;
1303 char *endc;
1304
1305 /* get the rest of the line */
1306 r2 = swallow_until_crlf(fd, (uschar*)&hdr, ret, sizeof(hdr)-ret);
1307 if (r2 == -1)
1308 goto proxyfail;
1309 ret += r2;
1310
1311 p = string_copy(hdr.v1.line);
1312 end = memchr(p, '\r', ret - 1);
1313
1314 if (!end || (end == (uschar*)&hdr + ret) || end[1] != '\n')
1315 {
1316 DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
1317 goto proxyfail;
1318 }
1319 *end = '\0'; /* Terminate the string */
1320 size = end + 2 - p; /* Skip header + CRLF */
1321 DEBUG(D_receive) debug_printf("Detected PROXYv1 header\n");
1322 DEBUG(D_receive) debug_printf("Bytes read not within PROXY header: %d\n", ret - size);
1323 /* Step through the string looking for the required fields. Ensure
1324 strict adherence to required formatting, exit for any error. */
1325 p += 5;
1326 if (!isspace(*(p++)))
1327 {
1328 DEBUG(D_receive) debug_printf("Missing space after PROXY command\n");
1329 goto proxyfail;
1330 }
1331 if (!Ustrncmp(p, CCS"TCP4", 4))
1332 iptype = US"IPv4";
1333 else if (!Ustrncmp(p,CCS"TCP6", 4))
1334 iptype = US"IPv6";
1335 else if (!Ustrncmp(p,CCS"UNKNOWN", 7))
1336 {
1337 iptype = US"Unknown";
1338 goto done;
1339 }
1340 else
1341 {
1342 DEBUG(D_receive) debug_printf("Invalid TCP type\n");
1343 goto proxyfail;
1344 }
1345
1346 p += Ustrlen(iptype);
1347 if (!isspace(*(p++)))
1348 {
1349 DEBUG(D_receive) debug_printf("Missing space after TCP4/6 command\n");
1350 goto proxyfail;
1351 }
1352 /* Find the end of the arg */
1353 if ((sp = Ustrchr(p, ' ')) == NULL)
1354 {
1355 DEBUG(D_receive)
1356 debug_printf("Did not find proxied src %s\n", iptype);
1357 goto proxyfail;
1358 }
1359 *sp = '\0';
1360 if(!string_is_ip_address(p, NULL))
1361 {
1362 DEBUG(D_receive)
1363 debug_printf("Proxied src arg is not an %s address\n", iptype);
1364 goto proxyfail;
1365 }
1366 proxy_local_address = sender_host_address;
1367 sender_host_address = p;
1368 p = sp + 1;
1369 if ((sp = Ustrchr(p, ' ')) == NULL)
1370 {
1371 DEBUG(D_receive)
1372 debug_printf("Did not find proxy dest %s\n", iptype);
1373 goto proxyfail;
1374 }
1375 *sp = '\0';
1376 if(!string_is_ip_address(p, NULL))
1377 {
1378 DEBUG(D_receive)
1379 debug_printf("Proxy dest arg is not an %s address\n", iptype);
1380 goto proxyfail;
1381 }
1382 proxy_external_address = p;
1383 p = sp + 1;
1384 if ((sp = Ustrchr(p, ' ')) == NULL)
1385 {
1386 DEBUG(D_receive) debug_printf("Did not find proxied src port\n");
1387 goto proxyfail;
1388 }
1389 *sp = '\0';
1390 tmp_port = strtol(CCS p, &endc, 10);
1391 if (*endc || tmp_port == 0)
1392 {
1393 DEBUG(D_receive)
1394 debug_printf("Proxied src port '%s' not an integer\n", p);
1395 goto proxyfail;
1396 }
1397 proxy_local_port = sender_host_port;
1398 sender_host_port = tmp_port;
1399 p = sp + 1;
1400 if ((sp = Ustrchr(p, '\0')) == NULL)
1401 {
1402 DEBUG(D_receive) debug_printf("Did not find proxy dest port\n");
1403 goto proxyfail;
1404 }
1405 tmp_port = strtol(CCS p, &endc, 10);
1406 if (*endc || tmp_port == 0)
1407 {
1408 DEBUG(D_receive)
1409 debug_printf("Proxy dest port '%s' not an integer\n", p);
1410 goto proxyfail;
1411 }
1412 proxy_external_port = tmp_port;
1413 /* Already checked for /r /n above. Good V1 header received. */
1414 }
1415 else
1416 {
1417 /* Wrong protocol */
1418 DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n");
1419 (void) swallow_until_crlf(fd, (uschar*)&hdr, ret, sizeof(hdr)-ret);
1420 goto proxyfail;
1421 }
1422
1423 done:
1424 DEBUG(D_receive)
1425 debug_printf("Valid %s sender from Proxy Protocol header\n", iptype);
1426 yield = proxy_session;
1427
1428 /* Don't flush any potential buffer contents. Any input on proxyfail
1429 should cause a synchronization failure */
1430
1431 proxyfail:
1432 restore_socket_timeout(fd, get_ok, &tvtmp, vslen);
1433
1434 bad:
1435 if (yield)
1436 {
1437 sender_host_name = NULL;
1438 (void) host_name_lookup();
1439 host_build_sender_fullhost();
1440 }
1441 else
1442 {
1443 proxy_session_failed = TRUE;
1444 DEBUG(D_receive)
1445 debug_printf("Failure to extract proxied host, only QUIT allowed\n");
1446 }
1447
1448 return;
1449 }
1450 #endif
1451
1452 /*************************************************
1453 * Read one command line *
1454 *************************************************/
1455
1456 /* Strictly, SMTP commands coming over the net are supposed to end with CRLF.
1457 There are sites that don't do this, and in any case internal SMTP probably
1458 should check only for LF. Consequently, we check here for LF only. The line
1459 ends up with [CR]LF removed from its end. If we get an overlong line, treat as
1460 an unknown command. The command is read into the global smtp_cmd_buffer so that
1461 it is available via $smtp_command.
1462
1463 The character reading routine sets up a timeout for each block actually read
1464 from the input (which may contain more than one command). We set up a special
1465 signal handler that closes down the session on a timeout. Control does not
1466 return when it runs.
1467
1468 Arguments:
1469 check_sync if TRUE, check synchronization rules if global option is TRUE
1470 buffer_lim maximum to buffer in lower layer
1471
1472 Returns: a code identifying the command (enumerated above)
1473 */
1474
1475 static int
1476 smtp_read_command(BOOL check_sync, unsigned buffer_lim)
1477 {
1478 int c;
1479 int ptr = 0;
1480 smtp_cmd_list *p;
1481 BOOL hadnull = FALSE;
1482
1483 os_non_restarting_signal(SIGALRM, command_timeout_handler);
1484
1485 while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF)
1486 {
1487 if (ptr >= SMTP_CMD_BUFFER_SIZE)
1488 {
1489 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1490 return OTHER_CMD;
1491 }
1492 if (c == 0)
1493 {
1494 hadnull = TRUE;
1495 c = '?';
1496 }
1497 smtp_cmd_buffer[ptr++] = c;
1498 }
1499
1500 receive_linecount++; /* For BSMTP errors */
1501 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1502
1503 /* If hit end of file, return pseudo EOF command. Whether we have a
1504 part-line already read doesn't matter, since this is an error state. */
1505
1506 if (c == EOF) return EOF_CMD;
1507
1508 /* Remove any CR and white space at the end of the line, and terminate the
1509 string. */
1510
1511 while (ptr > 0 && isspace(smtp_cmd_buffer[ptr-1])) ptr--;
1512 smtp_cmd_buffer[ptr] = 0;
1513
1514 DEBUG(D_receive) debug_printf("SMTP<< %s\n", smtp_cmd_buffer);
1515
1516 /* NULLs are not allowed in SMTP commands */
1517
1518 if (hadnull) return BADCHAR_CMD;
1519
1520 /* Scan command list and return identity, having set the data pointer
1521 to the start of the actual data characters. Check for SMTP synchronization
1522 if required. */
1523
1524 for (p = cmd_list; p < cmd_list_end; p++)
1525 {
1526 #ifdef SUPPORT_PROXY
1527 /* Only allow QUIT command if Proxy Protocol parsing failed */
1528 if (proxy_session && proxy_session_failed && p->cmd != QUIT_CMD)
1529 continue;
1530 #endif
1531 if ( p->len
1532 && strncmpic(smtp_cmd_buffer, US p->name, p->len) == 0
1533 && ( smtp_cmd_buffer[p->len-1] == ':' /* "mail from:" or "rcpt to:" */
1534 || smtp_cmd_buffer[p->len] == 0
1535 || smtp_cmd_buffer[p->len] == ' '
1536 ) )
1537 {
1538 if (smtp_inptr < smtp_inend && /* Outstanding input */
1539 p->cmd < sync_cmd_limit && /* Command should sync */
1540 check_sync && /* Local flag set */
1541 smtp_enforce_sync && /* Global flag set */
1542 sender_host_address != NULL && /* Not local input */
1543 !sender_host_notsocket) /* Really is a socket */
1544 return BADSYN_CMD;
1545
1546 /* The variables $smtp_command and $smtp_command_argument point into the
1547 unmodified input buffer. A copy of the latter is taken for actual
1548 processing, so that it can be chopped up into separate parts if necessary,
1549 for example, when processing a MAIL command options such as SIZE that can
1550 follow the sender address. */
1551
1552 smtp_cmd_argument = smtp_cmd_buffer + p->len;
1553 while (isspace(*smtp_cmd_argument)) smtp_cmd_argument++;
1554 Ustrcpy(smtp_data_buffer, smtp_cmd_argument);
1555 smtp_cmd_data = smtp_data_buffer;
1556
1557 /* Count non-mail commands from those hosts that are controlled in this
1558 way. The default is all hosts. We don't waste effort checking the list
1559 until we get a non-mail command, but then cache the result to save checking
1560 again. If there's a DEFER while checking the host, assume it's in the list.
1561
1562 Note that one instance of RSET, EHLO/HELO, and STARTTLS is allowed at the
1563 start of each incoming message by fiddling with the value in the table. */
1564
1565 if (!p->is_mail_cmd)
1566 {
1567 if (count_nonmail == TRUE_UNSET) count_nonmail =
1568 verify_check_host(&smtp_accept_max_nonmail_hosts) != FAIL;
1569 if (count_nonmail && ++nonmail_command_count > smtp_accept_max_nonmail)
1570 return TOO_MANY_NONMAIL_CMD;
1571 }
1572
1573 /* If there is data for a command that does not expect it, generate the
1574 error here. */
1575
1576 return (p->has_arg || *smtp_cmd_data == 0)? p->cmd : BADARG_CMD;
1577 }
1578 }
1579
1580 #ifdef SUPPORT_PROXY
1581 /* Only allow QUIT command if Proxy Protocol parsing failed */
1582 if (proxy_session && proxy_session_failed)
1583 return PROXY_FAIL_IGNORE_CMD;
1584 #endif
1585
1586 /* Enforce synchronization for unknown commands */
1587
1588 if (smtp_inptr < smtp_inend && /* Outstanding input */
1589 check_sync && /* Local flag set */
1590 smtp_enforce_sync && /* Global flag set */
1591 sender_host_address != NULL && /* Not local input */
1592 !sender_host_notsocket) /* Really is a socket */
1593 return BADSYN_CMD;
1594
1595 return OTHER_CMD;
1596 }
1597
1598
1599
1600 /*************************************************
1601 * Forced closedown of call *
1602 *************************************************/
1603
1604 /* This function is called from log.c when Exim is dying because of a serious
1605 disaster, and also from some other places. If an incoming non-batched SMTP
1606 channel is open, it swallows the rest of the incoming message if in the DATA
1607 phase, sends the reply string, and gives an error to all subsequent commands
1608 except QUIT. The existence of an SMTP call is detected by the non-NULLness of
1609 smtp_in.
1610
1611 Arguments:
1612 message SMTP reply string to send, excluding the code
1613
1614 Returns: nothing
1615 */
1616
1617 void
1618 smtp_closedown(uschar *message)
1619 {
1620 if (smtp_in == NULL || smtp_batched_input) return;
1621 receive_swallow_smtp();
1622 smtp_printf("421 %s\r\n", message);
1623
1624 for (;;) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
1625 {
1626 case EOF_CMD:
1627 return;
1628
1629 case QUIT_CMD:
1630 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
1631 mac_smtp_fflush();
1632 return;
1633
1634 case RSET_CMD:
1635 smtp_printf("250 Reset OK\r\n");
1636 break;
1637
1638 default:
1639 smtp_printf("421 %s\r\n", message);
1640 break;
1641 }
1642 }
1643
1644
1645
1646
1647 /*************************************************
1648 * Set up connection info for logging *
1649 *************************************************/
1650
1651 /* This function is called when logging information about an SMTP connection.
1652 It sets up appropriate source information, depending on the type of connection.
1653 If sender_fullhost is NULL, we are at a very early stage of the connection;
1654 just use the IP address.
1655
1656 Argument: none
1657 Returns: a string describing the connection
1658 */
1659
1660 uschar *
1661 smtp_get_connection_info(void)
1662 {
1663 const uschar * hostname = sender_fullhost
1664 ? sender_fullhost : sender_host_address;
1665
1666 if (host_checking)
1667 return string_sprintf("SMTP connection from %s", hostname);
1668
1669 if (sender_host_unknown || sender_host_notsocket)
1670 return string_sprintf("SMTP connection from %s", sender_ident);
1671
1672 if (is_inetd)
1673 return string_sprintf("SMTP connection from %s (via inetd)", hostname);
1674
1675 if (LOGGING(incoming_interface) && interface_address != NULL)
1676 return string_sprintf("SMTP connection from %s I=[%s]:%d", hostname,
1677 interface_address, interface_port);
1678
1679 return string_sprintf("SMTP connection from %s", hostname);
1680 }
1681
1682
1683
1684 #ifdef SUPPORT_TLS
1685 /* Append TLS-related information to a log line
1686
1687 Arguments:
1688 s String under construction: allocated string to extend, or NULL
1689 sizep Pointer to current allocation size (update on return), or NULL
1690 ptrp Pointer to index for new entries in string (update on return), or NULL
1691
1692 Returns: Allocated string or NULL
1693 */
1694 static uschar *
1695 s_tlslog(uschar * s, int * sizep, int * ptrp)
1696 {
1697 int size = sizep ? *sizep : 0;
1698 int ptr = ptrp ? *ptrp : 0;
1699
1700 if (LOGGING(tls_cipher) && tls_in.cipher != NULL)
1701 s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher);
1702 if (LOGGING(tls_certificate_verified) && tls_in.cipher != NULL)
1703 s = string_append(s, &size, &ptr, 2, US" CV=",
1704 tls_in.certificate_verified? "yes":"no");
1705 if (LOGGING(tls_peerdn) && tls_in.peerdn != NULL)
1706 s = string_append(s, &size, &ptr, 3, US" DN=\"",
1707 string_printing(tls_in.peerdn), US"\"");
1708 if (LOGGING(tls_sni) && tls_in.sni != NULL)
1709 s = string_append(s, &size, &ptr, 3, US" SNI=\"",
1710 string_printing(tls_in.sni), US"\"");
1711
1712 if (s)
1713 {
1714 s[ptr] = '\0';
1715 if (sizep) *sizep = size;
1716 if (ptrp) *ptrp = ptr;
1717 }
1718 return s;
1719 }
1720 #endif
1721
1722 /*************************************************
1723 * Log lack of MAIL if so configured *
1724 *************************************************/
1725
1726 /* This function is called when an SMTP session ends. If the log selector
1727 smtp_no_mail is set, write a log line giving some details of what has happened
1728 in the SMTP session.
1729
1730 Arguments: none
1731 Returns: nothing
1732 */
1733
1734 void
1735 smtp_log_no_mail(void)
1736 {
1737 int size, ptr, i;
1738 uschar *s, *sep;
1739
1740 if (smtp_mailcmd_count > 0 || !LOGGING(smtp_no_mail))
1741 return;
1742
1743 s = NULL;
1744 size = ptr = 0;
1745
1746 if (sender_host_authenticated != NULL)
1747 {
1748 s = string_append(s, &size, &ptr, 2, US" A=", sender_host_authenticated);
1749 if (authenticated_id != NULL)
1750 s = string_append(s, &size, &ptr, 2, US":", authenticated_id);
1751 }
1752
1753 #ifdef SUPPORT_TLS
1754 s = s_tlslog(s, &size, &ptr);
1755 #endif
1756
1757 sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
1758 US" C=..." : US" C=";
1759 for (i = smtp_ch_index; i < SMTP_HBUFF_SIZE; i++)
1760 {
1761 if (smtp_connection_had[i] != SCH_NONE)
1762 {
1763 s = string_append(s, &size, &ptr, 2, sep,
1764 smtp_names[smtp_connection_had[i]]);
1765 sep = US",";
1766 }
1767 }
1768
1769 for (i = 0; i < smtp_ch_index; i++)
1770 {
1771 s = string_append(s, &size, &ptr, 2, sep, smtp_names[smtp_connection_had[i]]);
1772 sep = US",";
1773 }
1774
1775 if (s != NULL) s[ptr] = 0; else s = US"";
1776 log_write(0, LOG_MAIN, "no MAIL in SMTP connection from %s D=%s%s",
1777 host_and_ident(FALSE),
1778 readconf_printtime( (int) ((long)time(NULL) - (long)smtp_connection_start)),
1779 s);
1780 }
1781
1782
1783
1784 /*************************************************
1785 * Check HELO line and set sender_helo_name *
1786 *************************************************/
1787
1788 /* Check the format of a HELO line. The data for HELO/EHLO is supposed to be
1789 the domain name of the sending host, or an ip literal in square brackets. The
1790 argument is placed in sender_helo_name, which is in malloc store, because it
1791 must persist over multiple incoming messages. If helo_accept_junk is set, this
1792 host is permitted to send any old junk (needed for some broken hosts).
1793 Otherwise, helo_allow_chars can be used for rogue characters in general
1794 (typically people want to let in underscores).
1795
1796 Argument:
1797 s the data portion of the line (already past any white space)
1798
1799 Returns: TRUE or FALSE
1800 */
1801
1802 static BOOL
1803 check_helo(uschar *s)
1804 {
1805 uschar *start = s;
1806 uschar *end = s + Ustrlen(s);
1807 BOOL yield = helo_accept_junk;
1808
1809 /* Discard any previous helo name */
1810
1811 if (sender_helo_name != NULL)
1812 {
1813 store_free(sender_helo_name);
1814 sender_helo_name = NULL;
1815 }
1816
1817 /* Skip tests if junk is permitted. */
1818
1819 if (!yield)
1820 {
1821 /* Allow the new standard form for IPv6 address literals, namely,
1822 [IPv6:....], and because someone is bound to use it, allow an equivalent
1823 IPv4 form. Allow plain addresses as well. */
1824
1825 if (*s == '[')
1826 {
1827 if (end[-1] == ']')
1828 {
1829 end[-1] = 0;
1830 if (strncmpic(s, US"[IPv6:", 6) == 0)
1831 yield = (string_is_ip_address(s+6, NULL) == 6);
1832 else if (strncmpic(s, US"[IPv4:", 6) == 0)
1833 yield = (string_is_ip_address(s+6, NULL) == 4);
1834 else
1835 yield = (string_is_ip_address(s+1, NULL) != 0);
1836 end[-1] = ']';
1837 }
1838 }
1839
1840 /* Non-literals must be alpha, dot, hyphen, plus any non-valid chars
1841 that have been configured (usually underscore - sigh). */
1842
1843 else if (*s != 0)
1844 {
1845 yield = TRUE;
1846 while (*s != 0)
1847 {
1848 if (!isalnum(*s) && *s != '.' && *s != '-' &&
1849 Ustrchr(helo_allow_chars, *s) == NULL)
1850 {
1851 yield = FALSE;
1852 break;
1853 }
1854 s++;
1855 }
1856 }
1857 }
1858
1859 /* Save argument if OK */
1860
1861 if (yield) sender_helo_name = string_copy_malloc(start);
1862 return yield;
1863 }
1864
1865
1866
1867
1868
1869 /*************************************************
1870 * Extract SMTP command option *
1871 *************************************************/
1872
1873 /* This function picks the next option setting off the end of smtp_cmd_data. It
1874 is called for MAIL FROM and RCPT TO commands, to pick off the optional ESMTP
1875 things that can appear there.
1876
1877 Arguments:
1878 name point this at the name
1879 value point this at the data string
1880
1881 Returns: TRUE if found an option
1882 */
1883
1884 static BOOL
1885 extract_option(uschar **name, uschar **value)
1886 {
1887 uschar *n;
1888 uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
1889 while (isspace(*v)) v--;
1890 v[1] = 0;
1891 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
1892 {
1893 /* Take care to not stop at a space embedded in a quoted local-part */
1894
1895 if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
1896 v--;
1897 }
1898
1899 n = v;
1900 if (*v == '=')
1901 {
1902 while(isalpha(n[-1])) n--;
1903 /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
1904 if (!isspace(n[-1])) return FALSE;
1905 n[-1] = 0;
1906 }
1907 else
1908 {
1909 n++;
1910 if (v == smtp_cmd_data) return FALSE;
1911 }
1912 *v++ = 0;
1913 *name = n;
1914 *value = v;
1915 return TRUE;
1916 }
1917
1918
1919
1920
1921
1922 /*************************************************
1923 * Reset for new message *
1924 *************************************************/
1925
1926 /* This function is called whenever the SMTP session is reset from
1927 within either of the setup functions.
1928
1929 Argument: the stacking pool storage reset point
1930 Returns: nothing
1931 */
1932
1933 static void
1934 smtp_reset(void *reset_point)
1935 {
1936 recipients_list = NULL;
1937 rcpt_count = rcpt_defer_count = rcpt_fail_count =
1938 raw_recipients_count = recipients_count = recipients_list_max = 0;
1939 message_linecount = 0;
1940 message_size = -1;
1941 acl_added_headers = NULL;
1942 acl_removed_headers = NULL;
1943 queue_only_policy = FALSE;
1944 rcpt_smtp_response = NULL;
1945 rcpt_smtp_response_same = TRUE;
1946 rcpt_in_progress = FALSE;
1947 deliver_freeze = FALSE; /* Can be set by ACL */
1948 freeze_tell = freeze_tell_config; /* Can be set by ACL */
1949 fake_response = OK; /* Can be set by ACL */
1950 #ifdef WITH_CONTENT_SCAN
1951 no_mbox_unspool = FALSE; /* Can be set by ACL */
1952 #endif
1953 submission_mode = FALSE; /* Can be set by ACL */
1954 suppress_local_fixups = suppress_local_fixups_default; /* Can be set by ACL */
1955 active_local_from_check = local_from_check; /* Can be set by ACL */
1956 active_local_sender_retain = local_sender_retain; /* Can be set by ACL */
1957 sending_ip_address = NULL;
1958 return_path = sender_address = NULL;
1959 sender_data = NULL; /* Can be set by ACL */
1960 deliver_localpart_orig = NULL;
1961 deliver_domain_orig = NULL;
1962 callout_address = NULL;
1963 submission_name = NULL; /* Can be set by ACL */
1964 raw_sender = NULL; /* After SMTP rewrite, before qualifying */
1965 sender_address_unrewritten = NULL; /* Set only after verify rewrite */
1966 sender_verified_list = NULL; /* No senders verified */
1967 memset(sender_address_cache, 0, sizeof(sender_address_cache));
1968 memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
1969
1970 authenticated_sender = NULL;
1971 #ifdef EXPERIMENTAL_BRIGHTMAIL
1972 bmi_run = 0;
1973 bmi_verdicts = NULL;
1974 #endif
1975 dnslist_domain = dnslist_matched = NULL;
1976 #ifndef DISABLE_DKIM
1977 dkim_signers = NULL;
1978 dkim_disable_verify = FALSE;
1979 dkim_collect_input = FALSE;
1980 #endif
1981 dsn_ret = 0;
1982 dsn_envid = NULL;
1983 deliver_host = deliver_host_address = NULL; /* Can be set by ACL */
1984 #ifndef DISABLE_PRDR
1985 prdr_requested = FALSE;
1986 #endif
1987 #ifdef EXPERIMENTAL_SPF
1988 spf_header_comment = NULL;
1989 spf_received = NULL;
1990 spf_result = NULL;
1991 spf_smtp_comment = NULL;
1992 #endif
1993 #ifdef SUPPORT_I18N
1994 message_smtputf8 = FALSE;
1995 #endif
1996 body_linecount = body_zerocount = 0;
1997
1998 sender_rate = sender_rate_limit = sender_rate_period = NULL;
1999 ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */
2000 /* Note that ratelimiters_conn persists across resets. */
2001
2002 /* Reset message ACL variables */
2003
2004 acl_var_m = NULL;
2005
2006 /* The message body variables use malloc store. They may be set if this is
2007 not the first message in an SMTP session and the previous message caused them
2008 to be referenced in an ACL. */
2009
2010 if (message_body)
2011 {
2012 store_free(message_body);
2013 message_body = NULL;
2014 }
2015
2016 if (message_body_end)
2017 {
2018 store_free(message_body_end);
2019 message_body_end = NULL;
2020 }
2021
2022 /* Warning log messages are also saved in malloc store. They are saved to avoid
2023 repetition in the same message, but it seems right to repeat them for different
2024 messages. */
2025
2026 while (acl_warn_logged)
2027 {
2028 string_item *this = acl_warn_logged;
2029 acl_warn_logged = acl_warn_logged->next;
2030 store_free(this);
2031 }
2032 store_reset(reset_point);
2033 }
2034
2035
2036
2037
2038
2039 /*************************************************
2040 * Initialize for incoming batched SMTP message *
2041 *************************************************/
2042
2043 /* This function is called from smtp_setup_msg() in the case when
2044 smtp_batched_input is true. This happens when -bS is used to pass a whole batch
2045 of messages in one file with SMTP commands between them. All errors must be
2046 reported by sending a message, and only MAIL FROM, RCPT TO, and DATA are
2047 relevant. After an error on a sender, or an invalid recipient, the remainder
2048 of the message is skipped. The value of received_protocol is already set.
2049
2050 Argument: none
2051 Returns: > 0 message successfully started (reached DATA)
2052 = 0 QUIT read or end of file reached
2053 < 0 should not occur
2054 */
2055
2056 static int
2057 smtp_setup_batch_msg(void)
2058 {
2059 int done = 0;
2060 void *reset_point = store_get(0);
2061
2062 /* Save the line count at the start of each transaction - single commands
2063 like HELO and RSET count as whole transactions. */
2064
2065 bsmtp_transaction_linecount = receive_linecount;
2066
2067 if ((receive_feof)()) return 0; /* Treat EOF as QUIT */
2068
2069 cancel_cutthrough_connection(TRUE, US"smtp_setup_batch_msg");
2070 smtp_reset(reset_point); /* Reset for start of message */
2071
2072 /* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
2073 value. The values are 2 larger than the required yield of the function. */
2074
2075 while (done <= 0)
2076 {
2077 uschar *errmess;
2078 uschar *recipient = NULL;
2079 int start, end, sender_domain, recipient_domain;
2080
2081 switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
2082 {
2083 /* The HELO/EHLO commands set sender_address_helo if they have
2084 valid data; otherwise they are ignored, except that they do
2085 a reset of the state. */
2086
2087 case HELO_CMD:
2088 case EHLO_CMD:
2089
2090 check_helo(smtp_cmd_data);
2091 /* Fall through */
2092
2093 case RSET_CMD:
2094 cancel_cutthrough_connection(TRUE, US"RSET received");
2095 smtp_reset(reset_point);
2096 bsmtp_transaction_linecount = receive_linecount;
2097 break;
2098
2099
2100 /* The MAIL FROM command requires an address as an operand. All we
2101 do here is to parse it for syntactic correctness. The form "<>" is
2102 a special case which converts into an empty string. The start/end
2103 pointers in the original are not used further for this address, as
2104 it is the canonical extracted address which is all that is kept. */
2105
2106 case MAIL_CMD:
2107 smtp_mailcmd_count++; /* Count for no-mail log */
2108 if (sender_address != NULL)
2109 /* The function moan_smtp_batch() does not return. */
2110 moan_smtp_batch(smtp_cmd_buffer, "503 Sender already given");
2111
2112 if (smtp_cmd_data[0] == 0)
2113 /* The function moan_smtp_batch() does not return. */
2114 moan_smtp_batch(smtp_cmd_buffer, "501 MAIL FROM must have an address operand");
2115
2116 /* Reset to start of message */
2117
2118 cancel_cutthrough_connection(TRUE, US"MAIL received");
2119 smtp_reset(reset_point);
2120
2121 /* Apply SMTP rewrite */
2122
2123 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
2124 rewrite_one(smtp_cmd_data, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
2125 US"", global_rewrite_rules) : smtp_cmd_data;
2126
2127 /* Extract the address; the TRUE flag allows <> as valid */
2128
2129 raw_sender =
2130 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
2131 TRUE);
2132
2133 if (raw_sender == NULL)
2134 /* The function moan_smtp_batch() does not return. */
2135 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
2136
2137 sender_address = string_copy(raw_sender);
2138
2139 /* Qualify unqualified sender addresses if permitted to do so. */
2140
2141 if (sender_domain == 0 && sender_address[0] != 0 && sender_address[0] != '@')
2142 {
2143 if (allow_unqualified_sender)
2144 {
2145 sender_address = rewrite_address_qualify(sender_address, FALSE);
2146 DEBUG(D_receive) debug_printf("unqualified address %s accepted "
2147 "and rewritten\n", raw_sender);
2148 }
2149 /* The function moan_smtp_batch() does not return. */
2150 else moan_smtp_batch(smtp_cmd_buffer, "501 sender address must contain "
2151 "a domain");
2152 }
2153 break;
2154
2155
2156 /* The RCPT TO command requires an address as an operand. All we do
2157 here is to parse it for syntactic correctness. There may be any number
2158 of RCPT TO commands, specifying multiple senders. We build them all into
2159 a data structure that is in argc/argv format. The start/end values
2160 given by parse_extract_address are not used, as we keep only the
2161 extracted address. */
2162
2163 case RCPT_CMD:
2164 if (sender_address == NULL)
2165 /* The function moan_smtp_batch() does not return. */
2166 moan_smtp_batch(smtp_cmd_buffer, "503 No sender yet given");
2167
2168 if (smtp_cmd_data[0] == 0)
2169 /* The function moan_smtp_batch() does not return. */
2170 moan_smtp_batch(smtp_cmd_buffer, "501 RCPT TO must have an address operand");
2171
2172 /* Check maximum number allowed */
2173
2174 if (recipients_max > 0 && recipients_count + 1 > recipients_max)
2175 /* The function moan_smtp_batch() does not return. */
2176 moan_smtp_batch(smtp_cmd_buffer, "%s too many recipients",
2177 recipients_max_reject? "552": "452");
2178
2179 /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a
2180 recipient address */
2181
2182 recipient = rewrite_existflags & rewrite_smtp
2183 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
2184 global_rewrite_rules)
2185 : smtp_cmd_data;
2186
2187 recipient = parse_extract_address(recipient, &errmess, &start, &end,
2188 &recipient_domain, FALSE);
2189
2190 if (!recipient)
2191 /* The function moan_smtp_batch() does not return. */
2192 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
2193
2194 /* If the recipient address is unqualified, qualify it if permitted. Then
2195 add it to the list of recipients. */
2196
2197 if (recipient_domain == 0)
2198 {
2199 if (allow_unqualified_recipient)
2200 {
2201 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
2202 recipient);
2203 recipient = rewrite_address_qualify(recipient, TRUE);
2204 }
2205 /* The function moan_smtp_batch() does not return. */
2206 else moan_smtp_batch(smtp_cmd_buffer, "501 recipient address must contain "
2207 "a domain");
2208 }
2209 receive_add_recipient(recipient, -1);
2210 break;
2211
2212
2213 /* The DATA command is legal only if it follows successful MAIL FROM
2214 and RCPT TO commands. This function is complete when a valid DATA
2215 command is encountered. */
2216
2217 case DATA_CMD:
2218 if (sender_address == NULL || recipients_count <= 0)
2219 {
2220 /* The function moan_smtp_batch() does not return. */
2221 if (sender_address == NULL)
2222 moan_smtp_batch(smtp_cmd_buffer,
2223 "503 MAIL FROM:<sender> command must precede DATA");
2224 else
2225 moan_smtp_batch(smtp_cmd_buffer,
2226 "503 RCPT TO:<recipient> must precede DATA");
2227 }
2228 else
2229 {
2230 done = 3; /* DATA successfully achieved */
2231 message_ended = END_NOTENDED; /* Indicate in middle of message */
2232 }
2233 break;
2234
2235
2236 /* The VRFY, EXPN, HELP, ETRN, and NOOP commands are ignored. */
2237
2238 case VRFY_CMD:
2239 case EXPN_CMD:
2240 case HELP_CMD:
2241 case NOOP_CMD:
2242 case ETRN_CMD:
2243 bsmtp_transaction_linecount = receive_linecount;
2244 break;
2245
2246
2247 case EOF_CMD:
2248 case QUIT_CMD:
2249 done = 2;
2250 break;
2251
2252
2253 case BADARG_CMD:
2254 /* The function moan_smtp_batch() does not return. */
2255 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected argument data");
2256 break;
2257
2258
2259 case BADCHAR_CMD:
2260 /* The function moan_smtp_batch() does not return. */
2261 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected NULL in SMTP command");
2262 break;
2263
2264
2265 default:
2266 /* The function moan_smtp_batch() does not return. */
2267 moan_smtp_batch(smtp_cmd_buffer, "500 Command unrecognized");
2268 break;
2269 }
2270 }
2271
2272 return done - 2; /* Convert yield values */
2273 }
2274
2275
2276
2277
2278 static BOOL
2279 smtp_log_tls_fail(uschar * errstr)
2280 {
2281 uschar * conn_info = smtp_get_connection_info();
2282
2283 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
2284 /* I'd like to get separated H= here, but too hard for now */
2285
2286 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
2287 return FALSE;
2288 }
2289
2290
2291 /*************************************************
2292 * Start an SMTP session *
2293 *************************************************/
2294
2295 /* This function is called at the start of an SMTP session. Thereafter,
2296 smtp_setup_msg() is called to initiate each separate message. This
2297 function does host-specific testing, and outputs the banner line.
2298
2299 Arguments: none
2300 Returns: FALSE if the session can not continue; something has
2301 gone wrong, or the connection to the host is blocked
2302 */
2303
2304 BOOL
2305 smtp_start_session(void)
2306 {
2307 int size = 256;
2308 int ptr, esclen;
2309 uschar *user_msg, *log_msg;
2310 uschar *code, *esc;
2311 uschar *p, *s, *ss;
2312
2313 smtp_connection_start = time(NULL);
2314 for (smtp_ch_index = 0; smtp_ch_index < SMTP_HBUFF_SIZE; smtp_ch_index++)
2315 smtp_connection_had[smtp_ch_index] = SCH_NONE;
2316 smtp_ch_index = 0;
2317
2318 /* Default values for certain variables */
2319
2320 helo_seen = esmtp = helo_accept_junk = FALSE;
2321 smtp_mailcmd_count = 0;
2322 count_nonmail = TRUE_UNSET;
2323 synprot_error_count = unknown_command_count = nonmail_command_count = 0;
2324 smtp_delay_mail = smtp_rlm_base;
2325 auth_advertised = FALSE;
2326 pipelining_advertised = FALSE;
2327 pipelining_enable = TRUE;
2328 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
2329 smtp_exit_function_called = FALSE; /* For avoiding loop in not-quit exit */
2330
2331 /* If receiving by -bs from a trusted user, or testing with -bh, we allow
2332 authentication settings from -oMaa to remain in force. */
2333
2334 if (!host_checking && !sender_host_notsocket) sender_host_authenticated = NULL;
2335 authenticated_by = NULL;
2336
2337 #ifdef SUPPORT_TLS
2338 tls_in.cipher = tls_in.peerdn = NULL;
2339 tls_in.ourcert = tls_in.peercert = NULL;
2340 tls_in.sni = NULL;
2341 tls_in.ocsp = OCSP_NOT_REQ;
2342 tls_advertised = FALSE;
2343 #endif
2344 dsn_advertised = FALSE;
2345 #ifdef SUPPORT_I18N
2346 smtputf8_advertised = FALSE;
2347 #endif
2348
2349 /* Reset ACL connection variables */
2350
2351 acl_var_c = NULL;
2352
2353 /* Allow for trailing 0 in the command and data buffers. */
2354
2355 if (!(smtp_cmd_buffer = US malloc(2*SMTP_CMD_BUFFER_SIZE + 2)))
2356 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2357 "malloc() failed for SMTP command buffer");
2358
2359 smtp_cmd_buffer[0] = 0;
2360 smtp_data_buffer = smtp_cmd_buffer + SMTP_CMD_BUFFER_SIZE + 1;
2361
2362 /* For batched input, the protocol setting can be overridden from the
2363 command line by a trusted caller. */
2364
2365 if (smtp_batched_input)
2366 {
2367 if (!received_protocol) received_protocol = US"local-bsmtp";
2368 }
2369
2370 /* For non-batched SMTP input, the protocol setting is forced here. It will be
2371 reset later if any of EHLO/AUTH/STARTTLS are received. */
2372
2373 else
2374 received_protocol =
2375 (sender_host_address ? protocols : protocols_local) [pnormal];
2376
2377 /* Set up the buffer for inputting using direct read() calls, and arrange to
2378 call the local functions instead of the standard C ones. */
2379
2380 if (!(smtp_inbuffer = (uschar *)malloc(IN_BUFFER_SIZE)))
2381 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
2382
2383 receive_getc = smtp_getc;
2384 receive_getbuf = smtp_getbuf;
2385 receive_get_cache = smtp_get_cache;
2386 receive_ungetc = smtp_ungetc;
2387 receive_feof = smtp_feof;
2388 receive_ferror = smtp_ferror;
2389 receive_smtp_buffered = smtp_buffered;
2390 smtp_inptr = smtp_inend = smtp_inbuffer;
2391 smtp_had_eof = smtp_had_error = 0;
2392
2393 /* Set up the message size limit; this may be host-specific */
2394
2395 thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
2396 if (expand_string_message != NULL)
2397 {
2398 if (thismessage_size_limit == -1)
2399 log_write(0, LOG_MAIN|LOG_PANIC, "unable to expand message_size_limit: "
2400 "%s", expand_string_message);
2401 else
2402 log_write(0, LOG_MAIN|LOG_PANIC, "invalid message_size_limit: "
2403 "%s", expand_string_message);
2404 smtp_closedown(US"Temporary local problem - please try later");
2405 return FALSE;
2406 }
2407
2408 /* When a message is input locally via the -bs or -bS options, sender_host_
2409 unknown is set unless -oMa was used to force an IP address, in which case it
2410 is checked like a real remote connection. When -bs is used from inetd, this
2411 flag is not set, causing the sending host to be checked. The code that deals
2412 with IP source routing (if configured) is never required for -bs or -bS and
2413 the flag sender_host_notsocket is used to suppress it.
2414
2415 If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
2416 reserve for certain hosts and/or networks. */
2417
2418 if (!sender_host_unknown)
2419 {
2420 int rc;
2421 BOOL reserved_host = FALSE;
2422
2423 /* Look up IP options (source routing info) on the socket if this is not an
2424 -oMa "host", and if any are found, log them and drop the connection.
2425
2426 Linux (and others now, see below) is different to everyone else, so there
2427 has to be some conditional compilation here. Versions of Linux before 2.1.15
2428 used a structure whose name was "options". Somebody finally realized that
2429 this name was silly, and it got changed to "ip_options". I use the
2430 newer name here, but there is a fudge in the script that sets up os.h
2431 to define a macro in older Linux systems.
2432
2433 Sigh. Linux is a fast-moving target. Another generation of Linux uses
2434 glibc 2, which has chosen ip_opts for the structure name. This is now
2435 really a glibc thing rather than a Linux thing, so the condition name
2436 has been changed to reflect this. It is relevant also to GNU/Hurd.
2437
2438 Mac OS 10.x (Darwin) is like the later glibc versions, but without the
2439 setting of the __GLIBC__ macro, so we can't detect it automatically. There's
2440 a special macro defined in the os.h file.
2441
2442 Some DGUX versions on older hardware appear not to support IP options at
2443 all, so there is now a general macro which can be set to cut out this
2444 support altogether.
2445
2446 How to do this properly in IPv6 is not yet known. */
2447
2448 #if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
2449
2450 #ifdef GLIBC_IP_OPTIONS
2451 #if (!defined __GLIBC__) || (__GLIBC__ < 2)
2452 #define OPTSTYLE 1
2453 #else
2454 #define OPTSTYLE 2
2455 #endif
2456 #elif defined DARWIN_IP_OPTIONS
2457 #define OPTSTYLE 2
2458 #else
2459 #define OPTSTYLE 3
2460 #endif
2461
2462 if (!host_checking && !sender_host_notsocket)
2463 {
2464 #if OPTSTYLE == 1
2465 EXIM_SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
2466 struct ip_options *ipopt = store_get(optlen);
2467 #elif OPTSTYLE == 2
2468 struct ip_opts ipoptblock;
2469 struct ip_opts *ipopt = &ipoptblock;
2470 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
2471 #else
2472 struct ipoption ipoptblock;
2473 struct ipoption *ipopt = &ipoptblock;
2474 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
2475 #endif
2476
2477 /* Occasional genuine failures of getsockopt() have been seen - for
2478 example, "reset by peer". Therefore, just log and give up on this
2479 call, unless the error is ENOPROTOOPT. This error is given by systems
2480 that have the interfaces but not the mechanism - e.g. GNU/Hurd at the time
2481 of writing. So for that error, carry on - we just can't do an IP options
2482 check. */
2483
2484 DEBUG(D_receive) debug_printf("checking for IP options\n");
2485
2486 if (getsockopt(fileno(smtp_out), IPPROTO_IP, IP_OPTIONS, (uschar *)(ipopt),
2487 &optlen) < 0)
2488 {
2489 if (errno != ENOPROTOOPT)
2490 {
2491 log_write(0, LOG_MAIN, "getsockopt() failed from %s: %s",
2492 host_and_ident(FALSE), strerror(errno));
2493 smtp_printf("451 SMTP service not available\r\n");
2494 return FALSE;
2495 }
2496 }
2497
2498 /* Deal with any IP options that are set. On the systems I have looked at,
2499 the value of MAX_IPOPTLEN has been 40, meaning that there should never be
2500 more logging data than will fit in big_buffer. Nevertheless, after somebody
2501 questioned this code, I've added in some paranoid checking. */
2502
2503 else if (optlen > 0)
2504 {
2505 uschar *p = big_buffer;
2506 uschar *pend = big_buffer + big_buffer_size;
2507 uschar *opt, *adptr;
2508 int optcount;
2509 struct in_addr addr;
2510
2511 #if OPTSTYLE == 1
2512 uschar *optstart = (uschar *)(ipopt->__data);
2513 #elif OPTSTYLE == 2
2514 uschar *optstart = (uschar *)(ipopt->ip_opts);
2515 #else
2516 uschar *optstart = (uschar *)(ipopt->ipopt_list);
2517 #endif
2518
2519 DEBUG(D_receive) debug_printf("IP options exist\n");
2520
2521 Ustrcpy(p, "IP options on incoming call:");
2522 p += Ustrlen(p);
2523
2524 for (opt = optstart; opt != NULL &&
2525 opt < (uschar *)(ipopt) + optlen;)
2526 {
2527 switch (*opt)
2528 {
2529 case IPOPT_EOL:
2530 opt = NULL;
2531 break;
2532
2533 case IPOPT_NOP:
2534 opt++;
2535 break;
2536
2537 case IPOPT_SSRR:
2538 case IPOPT_LSRR:
2539 if (!string_format(p, pend-p, " %s [@%s",
2540 (*opt == IPOPT_SSRR)? "SSRR" : "LSRR",
2541 #if OPTSTYLE == 1
2542 inet_ntoa(*((struct in_addr *)(&(ipopt->faddr))))))
2543 #elif OPTSTYLE == 2
2544 inet_ntoa(ipopt->ip_dst)))
2545 #else
2546 inet_ntoa(ipopt->ipopt_dst)))
2547 #endif
2548 {
2549 opt = NULL;
2550 break;
2551 }
2552
2553 p += Ustrlen(p);
2554 optcount = (opt[1] - 3) / sizeof(struct in_addr);
2555 adptr = opt + 3;
2556 while (optcount-- > 0)
2557 {
2558 memcpy(&addr, adptr, sizeof(addr));
2559 if (!string_format(p, pend - p - 1, "%s%s",
2560 (optcount == 0)? ":" : "@", inet_ntoa(addr)))
2561 {
2562 opt = NULL;
2563 break;
2564 }
2565 p += Ustrlen(p);
2566 adptr += sizeof(struct in_addr);
2567 }
2568 *p++ = ']';
2569 opt += opt[1];
2570 break;
2571
2572 default:
2573 {
2574 int i;
2575 if (pend - p < 4 + 3*opt[1]) { opt = NULL; break; }
2576 Ustrcat(p, "[ ");
2577 p += 2;
2578 for (i = 0; i < opt[1]; i++)
2579 {
2580 sprintf(CS p, "%2.2x ", opt[i]);
2581 p += 3;
2582 }
2583 *p++ = ']';
2584 }
2585 opt += opt[1];
2586 break;
2587 }
2588 }
2589
2590 *p = 0;
2591 log_write(0, LOG_MAIN, "%s", big_buffer);
2592
2593 /* Refuse any call with IP options. This is what tcpwrappers 7.5 does. */
2594
2595 log_write(0, LOG_MAIN|LOG_REJECT,
2596 "connection from %s refused (IP options)", host_and_ident(FALSE));
2597
2598 smtp_printf("554 SMTP service not available\r\n");
2599 return FALSE;
2600 }
2601
2602 /* Length of options = 0 => there are no options */
2603
2604 else DEBUG(D_receive) debug_printf("no IP options found\n");
2605 }
2606 #endif /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
2607
2608 /* Set keep-alive in socket options. The option is on by default. This
2609 setting is an attempt to get rid of some hanging connections that stick in
2610 read() when the remote end (usually a dialup) goes away. */
2611
2612 if (smtp_accept_keepalive && !sender_host_notsocket)
2613 ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
2614
2615 /* If the current host matches host_lookup, set the name by doing a
2616 reverse lookup. On failure, sender_host_name will be NULL and
2617 host_lookup_failed will be TRUE. This may or may not be serious - optional
2618 checks later. */
2619
2620 if (verify_check_host(&host_lookup) == OK)
2621 {
2622 (void)host_name_lookup();
2623 host_build_sender_fullhost();
2624 }
2625
2626 /* Delay this until we have the full name, if it is looked up. */
2627
2628 set_process_info("handling incoming connection from %s",
2629 host_and_ident(FALSE));
2630
2631 /* Expand smtp_receive_timeout, if needed */
2632
2633 if (smtp_receive_timeout_s)
2634 {
2635 uschar * exp;
2636 if ( !(exp = expand_string(smtp_receive_timeout_s))
2637 || !(*exp)
2638 || (smtp_receive_timeout = readconf_readtime(exp, 0, FALSE)) < 0
2639 )
2640 log_write(0, LOG_MAIN|LOG_PANIC,
2641 "bad value for smtp_receive_timeout: '%s'", exp ? exp : US"");
2642 }
2643
2644 /* Test for explicit connection rejection */
2645
2646 if (verify_check_host(&host_reject_connection) == OK)
2647 {
2648 log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
2649 "from %s (host_reject_connection)", host_and_ident(FALSE));
2650 smtp_printf("554 SMTP service not available\r\n");
2651 return FALSE;
2652 }
2653
2654 /* Test with TCP Wrappers if so configured. There is a problem in that
2655 hosts_ctl() returns 0 (deny) under a number of system failure circumstances,
2656 such as disks dying. In these cases, it is desirable to reject with a 4xx
2657 error instead of a 5xx error. There isn't a "right" way to detect such
2658 problems. The following kludge is used: errno is zeroed before calling
2659 hosts_ctl(). If the result is "reject", a 5xx error is given only if the
2660 value of errno is 0 or ENOENT (which happens if /etc/hosts.{allow,deny} does
2661 not exist). */
2662
2663 #ifdef USE_TCP_WRAPPERS
2664 errno = 0;
2665 if (!(tcp_wrappers_name = expand_string(tcp_wrappers_daemon_name)))
2666 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
2667 "(tcp_wrappers_name) failed: %s", string_printing(tcp_wrappers_name),
2668 expand_string_message);
2669
2670 if (!hosts_ctl(tcp_wrappers_name,
2671 sender_host_name ? CS sender_host_name : STRING_UNKNOWN,
2672 sender_host_address ? CS sender_host_address : STRING_UNKNOWN,
2673 sender_ident ? CS sender_ident : STRING_UNKNOWN))
2674 {
2675 if (errno == 0 || errno == ENOENT)
2676 {
2677 HDEBUG(D_receive) debug_printf("tcp wrappers rejection\n");
2678 log_write(L_connection_reject,
2679 LOG_MAIN|LOG_REJECT, "refused connection from %s "
2680 "(tcp wrappers)", host_and_ident(FALSE));
2681 smtp_printf("554 SMTP service not available\r\n");
2682 }
2683 else
2684 {
2685 int save_errno = errno;
2686 HDEBUG(D_receive) debug_printf("tcp wrappers rejected with unexpected "
2687 "errno value %d\n", save_errno);
2688 log_write(L_connection_reject,
2689 LOG_MAIN|LOG_REJECT, "temporarily refused connection from %s "
2690 "(tcp wrappers errno=%d)", host_and_ident(FALSE), save_errno);
2691 smtp_printf("451 Temporary local problem - please try later\r\n");
2692 }
2693 return FALSE;
2694 }
2695 #endif
2696
2697 /* Check for reserved slots. The value of smtp_accept_count has already been
2698 incremented to include this process. */
2699
2700 if (smtp_accept_max > 0 &&
2701 smtp_accept_count > smtp_accept_max - smtp_accept_reserve)
2702 {
2703 if ((rc = verify_check_host(&smtp_reserve_hosts)) != OK)
2704 {
2705 log_write(L_connection_reject,
2706 LOG_MAIN, "temporarily refused connection from %s: not in "
2707 "reserve list: connected=%d max=%d reserve=%d%s",
2708 host_and_ident(FALSE), smtp_accept_count - 1, smtp_accept_max,
2709 smtp_accept_reserve, (rc == DEFER)? " (lookup deferred)" : "");
2710 smtp_printf("421 %s: Too many concurrent SMTP connections; "
2711 "please try again later\r\n", smtp_active_hostname);
2712 return FALSE;
2713 }
2714 reserved_host = TRUE;
2715 }
2716
2717 /* If a load level above which only messages from reserved hosts are
2718 accepted is set, check the load. For incoming calls via the daemon, the
2719 check is done in the superior process if there are no reserved hosts, to
2720 save a fork. In all cases, the load average will already be available
2721 in a global variable at this point. */
2722
2723 if (smtp_load_reserve >= 0 &&
2724 load_average > smtp_load_reserve &&
2725 !reserved_host &&
2726 verify_check_host(&smtp_reserve_hosts) != OK)
2727 {
2728 log_write(L_connection_reject,
2729 LOG_MAIN, "temporarily refused connection from %s: not in "
2730 "reserve list and load average = %.2f", host_and_ident(FALSE),
2731 (double)load_average/1000.0);
2732 smtp_printf("421 %s: Too much load; please try again later\r\n",
2733 smtp_active_hostname);
2734 return FALSE;
2735 }
2736
2737 /* Determine whether unqualified senders or recipients are permitted
2738 for this host. Unfortunately, we have to do this every time, in order to
2739 set the flags so that they can be inspected when considering qualifying
2740 addresses in the headers. For a site that permits no qualification, this
2741 won't take long, however. */
2742
2743 allow_unqualified_sender =
2744 verify_check_host(&sender_unqualified_hosts) == OK;
2745
2746 allow_unqualified_recipient =
2747 verify_check_host(&recipient_unqualified_hosts) == OK;
2748
2749 /* Determine whether HELO/EHLO is required for this host. The requirement
2750 can be hard or soft. */
2751
2752 helo_required = verify_check_host(&helo_verify_hosts) == OK;
2753 if (!helo_required)
2754 helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
2755
2756 /* Determine whether this hosts is permitted to send syntactic junk
2757 after a HELO or EHLO command. */
2758
2759 helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
2760 }
2761
2762 /* For batch SMTP input we are now done. */
2763
2764 if (smtp_batched_input) return TRUE;
2765
2766 /* If valid Proxy Protocol source is connecting, set up session.
2767 * Failure will not allow any SMTP function other than QUIT. */
2768
2769 #ifdef SUPPORT_PROXY
2770 proxy_session = FALSE;
2771 proxy_session_failed = FALSE;
2772 if (check_proxy_protocol_host())
2773 setup_proxy_protocol_host();
2774 #endif
2775
2776 /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
2777 smtps port for use with older style SSL MTAs. */
2778
2779 #ifdef SUPPORT_TLS
2780 if (tls_in.on_connect && tls_server_start(tls_require_ciphers, &user_msg) != OK)
2781 return smtp_log_tls_fail(user_msg);
2782 #endif
2783
2784 /* Run the connect ACL if it exists */
2785
2786 user_msg = NULL;
2787 if (acl_smtp_connect)
2788 {
2789 int rc;
2790 if ((rc = acl_check(ACL_WHERE_CONNECT, NULL, acl_smtp_connect, &user_msg,
2791 &log_msg)) != OK)
2792 {
2793 (void) smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
2794 return FALSE;
2795 }
2796 }
2797
2798 /* Output the initial message for a two-way SMTP connection. It may contain
2799 newlines, which then cause a multi-line response to be given. */
2800
2801 code = US"220"; /* Default status code */
2802 esc = US""; /* Default extended status code */
2803 esclen = 0; /* Length of esc */
2804
2805 if (!user_msg)
2806 {
2807 if (!(s = expand_string(smtp_banner)))
2808 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) "
2809 "failed: %s", smtp_banner, expand_string_message);
2810 }
2811 else
2812 {
2813 int codelen = 3;
2814 s = user_msg;
2815 smtp_message_code(&code, &codelen, &s, NULL, TRUE);
2816 if (codelen > 4)
2817 {
2818 esc = code + 4;
2819 esclen = codelen - 4;
2820 }
2821 }
2822
2823 /* Remove any terminating newlines; might as well remove trailing space too */
2824
2825 p = s + Ustrlen(s);
2826 while (p > s && isspace(p[-1])) p--;
2827 *p = 0;
2828
2829 /* It seems that CC:Mail is braindead, and assumes that the greeting message
2830 is all contained in a single IP packet. The original code wrote out the
2831 greeting using several calls to fprint/fputc, and on busy servers this could
2832 cause it to be split over more than one packet - which caused CC:Mail to fall
2833 over when it got the second part of the greeting after sending its first
2834 command. Sigh. To try to avoid this, build the complete greeting message
2835 first, and output it in one fell swoop. This gives a better chance of it
2836 ending up as a single packet. */
2837
2838 ss = store_get(size);
2839 ptr = 0;
2840
2841 p = s;
2842 do /* At least once, in case we have an empty string */
2843 {
2844 int len;
2845 uschar *linebreak = Ustrchr(p, '\n');
2846 ss = string_catn(ss, &size, &ptr, code, 3);
2847 if (linebreak == NULL)
2848 {
2849 len = Ustrlen(p);
2850 ss = string_catn(ss, &size, &ptr, US" ", 1);
2851 }
2852 else
2853 {
2854 len = linebreak - p;
2855 ss = string_catn(ss, &size, &ptr, US"-", 1);
2856 }
2857 ss = string_catn(ss, &size, &ptr, esc, esclen);
2858 ss = string_catn(ss, &size, &ptr, p, len);
2859 ss = string_catn(ss, &size, &ptr, US"\r\n", 2);
2860 p += len;
2861 if (linebreak != NULL) p++;
2862 }
2863 while (*p != 0);
2864
2865 ss[ptr] = 0; /* string_cat leaves room for this */
2866
2867 /* Before we write the banner, check that there is no input pending, unless
2868 this synchronisation check is disabled. */
2869
2870 if (!check_sync())
2871 {
2872 unsigned n = smtp_inend - smtp_inptr;
2873 if (n > 32) n = 32;
2874
2875 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol "
2876 "synchronization error (input sent without waiting for greeting): "
2877 "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
2878 string_printing(string_copyn(smtp_inptr, n)));
2879 smtp_printf("554 SMTP synchronization error\r\n");
2880 return FALSE;
2881 }
2882
2883 /* Now output the banner */
2884
2885 smtp_printf("%s", ss);
2886 return TRUE;
2887 }
2888
2889
2890
2891
2892
2893 /*************************************************
2894 * Handle SMTP syntax and protocol errors *
2895 *************************************************/
2896
2897 /* Write to the log for SMTP syntax errors in incoming commands, if configured
2898 to do so. Then transmit the error response. The return value depends on the
2899 number of syntax and protocol errors in this SMTP session.
2900
2901 Arguments:
2902 type error type, given as a log flag bit
2903 code response code; <= 0 means don't send a response
2904 data data to reflect in the response (can be NULL)
2905 errmess the error message
2906
2907 Returns: -1 limit of syntax/protocol errors NOT exceeded
2908 +1 limit of syntax/protocol errors IS exceeded
2909
2910 These values fit in with the values of the "done" variable in the main
2911 processing loop in smtp_setup_msg(). */
2912
2913 static int
2914 synprot_error(int type, int code, uschar *data, uschar *errmess)
2915 {
2916 int yield = -1;
2917
2918 log_write(type, LOG_MAIN, "SMTP %s error in \"%s\" %s %s",
2919 (type == L_smtp_syntax_error)? "syntax" : "protocol",
2920 string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);
2921
2922 if (++synprot_error_count > smtp_max_synprot_errors)
2923 {
2924 yield = 1;
2925 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
2926 "syntax or protocol errors (last command was \"%s\")",
2927 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
2928 }
2929
2930 if (code > 0)
2931 {
2932 smtp_printf("%d%c%s%s%s\r\n", code, (yield == 1)? '-' : ' ',
2933 (data == NULL)? US"" : data, (data == NULL)? US"" : US": ", errmess);
2934 if (yield == 1)
2935 smtp_printf("%d Too many syntax or protocol errors\r\n", code);
2936 }
2937
2938 return yield;
2939 }
2940
2941
2942
2943
2944 /*************************************************
2945 * Send SMTP response, possibly multiline *
2946 *************************************************/
2947
2948 /* There are, it seems, broken clients out there that cannot handle multiline
2949 responses. If no_multiline_responses is TRUE (it can be set from an ACL), we
2950 output nothing for non-final calls, and only the first line for anything else.
2951
2952 Arguments:
2953 code SMTP code, may involve extended status codes
2954 codelen length of smtp code; if > 4 there's an ESC
2955 final FALSE if the last line isn't the final line
2956 msg message text, possibly containing newlines
2957
2958 Returns: nothing
2959 */
2960
2961 void
2962 smtp_respond(uschar* code, int codelen, BOOL final, uschar *msg)
2963 {
2964 int esclen = 0;
2965 uschar *esc = US"";
2966
2967 if (!final && no_multiline_responses) return;
2968
2969 if (codelen > 4)
2970 {
2971 esc = code + 4;
2972 esclen = codelen - 4;
2973 }
2974
2975 /* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
2976 have had the same. Note: this code is also present in smtp_printf(). It would
2977 be tidier to have it only in one place, but when it was added, it was easier to
2978 do it that way, so as not to have to mess with the code for the RCPT command,
2979 which sometimes uses smtp_printf() and sometimes smtp_respond(). */
2980
2981 if (rcpt_in_progress)
2982 {
2983 if (rcpt_smtp_response == NULL)
2984 rcpt_smtp_response = string_copy(msg);
2985 else if (rcpt_smtp_response_same &&
2986 Ustrcmp(rcpt_smtp_response, msg) != 0)
2987 rcpt_smtp_response_same = FALSE;
2988 rcpt_in_progress = FALSE;
2989 }
2990
2991 /* Not output the message, splitting it up into multiple lines if necessary. */
2992
2993 for (;;)
2994 {
2995 uschar *nl = Ustrchr(msg, '\n');
2996 if (nl == NULL)
2997 {
2998 smtp_printf("%.3s%c%.*s%s\r\n", code, final? ' ':'-', esclen, esc, msg);
2999 return;
3000 }
3001 else if (nl[1] == 0 || no_multiline_responses)
3002 {
3003 smtp_printf("%.3s%c%.*s%.*s\r\n", code, final? ' ':'-', esclen, esc,
3004 (int)(nl - msg), msg);
3005 return;
3006 }
3007 else
3008 {
3009 smtp_printf("%.3s-%.*s%.*s\r\n", code, esclen, esc, (int)(nl - msg), msg);
3010 msg = nl + 1;
3011 while (isspace(*msg)) msg++;
3012 }
3013 }
3014 }
3015
3016
3017
3018
3019 /*************************************************
3020 * Parse user SMTP message *
3021 *************************************************/
3022
3023 /* This function allows for user messages overriding the response code details
3024 by providing a suitable response code string at the start of the message
3025 user_msg. Check the message for starting with a response code and optionally an
3026 extended status code. If found, check that the first digit is valid, and if so,
3027 change the code pointer and length to use the replacement. An invalid code
3028 causes a panic log; in this case, if the log messages is the same as the user
3029 message, we must also adjust the value of the log message to show the code that
3030 is actually going to be used (the original one).
3031
3032 This function is global because it is called from receive.c as well as within
3033 this module.
3034
3035 Note that the code length returned includes the terminating whitespace
3036 character, which is always included in the regex match.
3037
3038 Arguments:
3039 code SMTP code, may involve extended status codes
3040 codelen length of smtp code; if > 4 there's an ESC
3041 msg message text
3042 log_msg optional log message, to be adjusted with the new SMTP code
3043 check_valid if true, verify the response code
3044
3045 Returns: nothing
3046 */
3047
3048 void
3049 smtp_message_code(uschar **code, int *codelen, uschar **msg, uschar **log_msg,
3050 BOOL check_valid)
3051 {
3052 int n;
3053 int ovector[3];
3054
3055 if (!msg || !*msg) return;
3056
3057 if ((n = pcre_exec(regex_smtp_code, NULL, CS *msg, Ustrlen(*msg), 0,
3058 PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int))) < 0) return;
3059
3060 if (check_valid && (*msg)[0] != (*code)[0])
3061 {
3062 log_write(0, LOG_MAIN|LOG_PANIC, "configured error code starts with "
3063 "incorrect digit (expected %c) in \"%s\"", (*code)[0], *msg);
3064 if (log_msg != NULL && *log_msg == *msg)
3065 *log_msg = string_sprintf("%s %s", *code, *log_msg + ovector[1]);
3066 }
3067 else
3068 {
3069 *code = *msg;
3070 *codelen = ovector[1]; /* Includes final space */
3071 }
3072 *msg += ovector[1]; /* Chop the code off the message */
3073 return;
3074 }
3075
3076
3077
3078
3079 /*************************************************
3080 * Handle an ACL failure *
3081 *************************************************/
3082
3083 /* This function is called when acl_check() fails. As well as calls from within
3084 this module, it is called from receive.c for an ACL after DATA. It sorts out
3085 logging the incident, and sets up the error response. A message containing
3086 newlines is turned into a multiline SMTP response, but for logging, only the
3087 first line is used.
3088
3089 There's a table of default permanent failure response codes to use in
3090 globals.c, along with the table of names. VFRY is special. Despite RFC1123 it
3091 defaults disabled in Exim. However, discussion in connection with RFC 821bis
3092 (aka RFC 2821) has concluded that the response should be 252 in the disabled
3093 state, because there are broken clients that try VRFY before RCPT. A 5xx
3094 response should be given only when the address is positively known to be
3095 undeliverable. Sigh. We return 252 if there is no VRFY ACL or it provides
3096 no explicit code, but if there is one we let it know best.
3097 Also, for ETRN, 458 is given on refusal, and for AUTH, 503.
3098
3099 From Exim 4.63, it is possible to override the response code details by
3100 providing a suitable response code string at the start of the message provided
3101 in user_msg. The code's first digit is checked for validity.
3102
3103 Arguments:
3104 where where the ACL was called from
3105 rc the failure code
3106 user_msg a message that can be included in an SMTP response
3107 log_msg a message for logging
3108
3109 Returns: 0 in most cases
3110 2 if the failure code was FAIL_DROP, in which case the
3111 SMTP connection should be dropped (this value fits with the
3112 "done" variable in smtp_setup_msg() below)
3113 */
3114
3115 int
3116 smtp_handle_acl_fail(int where, int rc, uschar *user_msg, uschar *log_msg)
3117 {
3118 BOOL drop = rc == FAIL_DROP;
3119 int codelen = 3;
3120 uschar *smtp_code;
3121 uschar *lognl;
3122 uschar *sender_info = US"";
3123 uschar *what =
3124 #ifdef WITH_CONTENT_SCAN
3125 where == ACL_WHERE_MIME ? US"during MIME ACL checks" :
3126 #endif
3127 where == ACL_WHERE_PREDATA ? US"DATA" :
3128 where == ACL_WHERE_DATA ? US"after DATA" :
3129 #ifndef DISABLE_PRDR
3130 where == ACL_WHERE_PRDR ? US"after DATA PRDR" :
3131 #endif
3132 smtp_cmd_data ?
3133 string_sprintf("%s %s", acl_wherenames[where], smtp_cmd_data) :
3134 string_sprintf("%s in \"connect\" ACL", acl_wherenames[where]);
3135
3136 if (drop) rc = FAIL;
3137
3138 /* Set the default SMTP code, and allow a user message to change it. */
3139
3140 smtp_code = rc == FAIL ? acl_wherecodes[where] : US"451";
3141 smtp_message_code(&smtp_code, &codelen, &user_msg, &log_msg,
3142 where != ACL_WHERE_VRFY);
3143
3144 /* We used to have sender_address here; however, there was a bug that was not
3145 updating sender_address after a rewrite during a verify. When this bug was
3146 fixed, sender_address at this point became the rewritten address. I'm not sure
3147 this is what should be logged, so I've changed to logging the unrewritten
3148 address to retain backward compatibility. */
3149
3150 #ifndef WITH_CONTENT_SCAN
3151 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
3152 #else
3153 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
3154 #endif
3155 {
3156 sender_info = string_sprintf("F=<%s>%s%s%s%s ",
3157 sender_address_unrewritten ? sender_address_unrewritten : sender_address,
3158 sender_host_authenticated ? US" A=" : US"",
3159 sender_host_authenticated ? sender_host_authenticated : US"",
3160 sender_host_authenticated && authenticated_id ? US":" : US"",
3161 sender_host_authenticated && authenticated_id ? authenticated_id : US""
3162 );
3163 }
3164
3165 /* If there's been a sender verification failure with a specific message, and
3166 we have not sent a response about it yet, do so now, as a preliminary line for
3167 failures, but not defers. However, always log it for defer, and log it for fail
3168 unless the sender_verify_fail log selector has been turned off. */
3169
3170 if (sender_verified_failed &&
3171 !testflag(sender_verified_failed, af_sverify_told))
3172 {
3173 BOOL save_rcpt_in_progress = rcpt_in_progress;
3174 rcpt_in_progress = FALSE; /* So as not to treat these as the error */
3175
3176 setflag(sender_verified_failed, af_sverify_told);
3177
3178 if (rc != FAIL || LOGGING(sender_verify_fail))
3179 log_write(0, LOG_MAIN|LOG_REJECT, "%s sender verify %s for <%s>%s",
3180 host_and_ident(TRUE),
3181 ((sender_verified_failed->special_action & 255) == DEFER)? "defer":"fail",
3182 sender_verified_failed->address,
3183 (sender_verified_failed->message == NULL)? US"" :
3184 string_sprintf(": %s", sender_verified_failed->message));
3185
3186 if (rc == FAIL && sender_verified_failed->user_message)
3187 smtp_respond(smtp_code, codelen, FALSE, string_sprintf(
3188 testflag(sender_verified_failed, af_verify_pmfail)?
3189 "Postmaster verification failed while checking <%s>\n%s\n"
3190 "Several RFCs state that you are required to have a postmaster\n"
3191 "mailbox for each mail domain. This host does not accept mail\n"
3192 "from domains whose servers reject the postmaster address."
3193 :
3194 testflag(sender_verified_failed, af_verify_nsfail)?
3195 "Callback setup failed while verifying <%s>\n%s\n"
3196 "The initial connection, or a HELO or MAIL FROM:<> command was\n"
3197 "rejected. Refusing MAIL FROM:<> does not help fight spam, disregards\n"
3198 "RFC requirements, and stops you from receiving standard bounce\n"
3199 "messages. This host does not accept mail from domains whose servers\n"
3200 "refuse bounces."
3201 :
3202 "Verification failed for <%s>\n%s",
3203 sender_verified_failed->address,
3204 sender_verified_failed->user_message));
3205
3206 rcpt_in_progress = save_rcpt_in_progress;
3207 }
3208
3209 /* Sort out text for logging */
3210
3211 log_msg = log_msg ? string_sprintf(": %s", log_msg) : US"";
3212 if ((lognl = Ustrchr(log_msg, '\n'))) *lognl = 0;
3213
3214 /* Send permanent failure response to the command, but the code used isn't
3215 always a 5xx one - see comments at the start of this function. If the original
3216 rc was FAIL_DROP we drop the connection and yield 2. */
3217
3218 if (rc == FAIL)
3219 smtp_respond(smtp_code, codelen, TRUE,
3220 user_msg ? user_msg : US"Administrative prohibition");
3221
3222 /* Send temporary failure response to the command. Don't give any details,
3223 unless acl_temp_details is set. This is TRUE for a callout defer, a "defer"
3224 verb, and for a header verify when smtp_return_error_details is set.
3225
3226 This conditional logic is all somewhat of a mess because of the odd
3227 interactions between temp_details and return_error_details. One day it should
3228 be re-implemented in a tidier fashion. */
3229
3230 else
3231 if (acl_temp_details && user_msg)
3232 {
3233 if ( smtp_return_error_details
3234 && sender_verified_failed
3235 && sender_verified_failed->message
3236 )
3237 smtp_respond(smtp_code, codelen, FALSE, sender_verified_failed->message);
3238
3239 smtp_respond(smtp_code, codelen, TRUE, user_msg);
3240 }
3241 else
3242 smtp_respond(smtp_code, codelen, TRUE,
3243 US"Temporary local problem - please try later");
3244
3245 /* Log the incident to the logs that are specified by log_reject_target
3246 (default main, reject). This can be empty to suppress logging of rejections. If
3247 the connection is not forcibly to be dropped, return 0. Otherwise, log why it
3248 is closing if required and return 2. */
3249
3250 if (log_reject_target != 0)
3251 {
3252 #ifdef SUPPORT_TLS
3253 uschar * tls = s_tlslog(NULL, NULL, NULL);
3254 if (!tls) tls = US"";
3255 #else
3256 uschar * tls = US"";
3257 #endif
3258 log_write(where == ACL_WHERE_CONNECT ? L_connection_reject : 0,
3259 log_reject_target, "%s%s%s %s%srejected %s%s",
3260 LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
3261 host_and_ident(TRUE),
3262 tls,
3263 sender_info,
3264 rc == FAIL ? US"" : US"temporarily ",
3265 what, log_msg);
3266 }
3267
3268 if (!drop) return 0;
3269
3270 log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
3271 smtp_get_connection_info());
3272
3273 /* Run the not-quit ACL, but without any custom messages. This should not be a
3274 problem, because we get here only if some other ACL has issued "drop", and
3275 in that case, *its* custom messages will have been used above. */
3276
3277 smtp_notquit_exit(US"acl-drop", NULL, NULL);
3278 return 2;
3279 }
3280
3281
3282
3283
3284 /*************************************************
3285 * Handle SMTP exit when QUIT is not given *
3286 *************************************************/
3287
3288 /* This function provides a logging/statistics hook for when an SMTP connection
3289 is dropped on the floor or the other end goes away. It's a global function
3290 because it's called from receive.c as well as this module. As well as running
3291 the NOTQUIT ACL, if there is one, this function also outputs a final SMTP
3292 response, either with a custom message from the ACL, or using a default. There
3293 is one case, however, when no message is output - after "drop". In that case,
3294 the ACL that obeyed "drop" has already supplied the custom message, and NULL is
3295 passed to this function.
3296
3297 In case things go wrong while processing this function, causing an error that
3298 may re-enter this function, there is a recursion check.
3299
3300 Arguments:
3301 reason What $smtp_notquit_reason will be set to in the ACL;
3302 if NULL, the ACL is not run
3303 code The error code to return as part of the response
3304 defaultrespond The default message if there's no user_msg
3305
3306 Returns: Nothing
3307 */
3308
3309 void
3310 smtp_notquit_exit(uschar *reason, uschar *code, uschar *defaultrespond, ...)
3311 {
3312 int rc;
3313 uschar *user_msg = NULL;
3314 uschar *log_msg = NULL;
3315
3316 /* Check for recursive acll */
3317
3318 if (smtp_exit_function_called)
3319 {
3320 log_write(0, LOG_PANIC, "smtp_notquit_exit() called more than once (%s)",
3321 reason);
3322 return;
3323 }
3324 smtp_exit_function_called = TRUE;
3325
3326 /* Call the not-QUIT ACL, if there is one, unless no reason is given. */
3327
3328 if (acl_smtp_notquit && reason)
3329 {
3330 smtp_notquit_reason = reason;
3331 if ((rc = acl_check(ACL_WHERE_NOTQUIT, NULL, acl_smtp_notquit, &user_msg,
3332 &log_msg)) == ERROR)
3333 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for not-QUIT returned ERROR: %s",
3334 log_msg);
3335 }
3336
3337 /* Write an SMTP response if we are expected to give one. As the default
3338 responses are all internal, they should always fit in the buffer, but code a
3339 warning, just in case. Note that string_vformat() still leaves a complete
3340 string, even if it is incomplete. */
3341
3342 if (code && defaultrespond)
3343 {
3344 if (user_msg)
3345 smtp_respond(code, 3, TRUE, user_msg);
3346 else
3347 {
3348 uschar buffer[128];
3349 va_list ap;
3350 va_start(ap, defaultrespond);
3351 if (!string_vformat(buffer, sizeof(buffer), CS defaultrespond, ap))
3352 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_notquit_exit()");
3353 smtp_printf("%s %s\r\n", code, buffer);
3354 va_end(ap);
3355 }
3356 mac_smtp_fflush();
3357 }
3358 }
3359
3360
3361
3362
3363 /*************************************************
3364 * Verify HELO argument *
3365 *************************************************/
3366
3367 /* This function is called if helo_verify_hosts or helo_try_verify_hosts is
3368 matched. It is also called from ACL processing if verify = helo is used and
3369 verification was not previously tried (i.e. helo_try_verify_hosts was not
3370 matched). The result of its processing is to set helo_verified and
3371 helo_verify_failed. These variables should both be FALSE for this function to
3372 be called.
3373
3374 Note that EHLO/HELO is legitimately allowed to quote an address literal. Allow
3375 for IPv6 ::ffff: literals.
3376
3377 Argument: none
3378 Returns: TRUE if testing was completed;
3379 FALSE on a temporary failure
3380 */
3381
3382 BOOL
3383 smtp_verify_helo(void)
3384 {
3385 BOOL yield = TRUE;
3386
3387 HDEBUG(D_receive) debug_printf("verifying EHLO/HELO argument \"%s\"\n",
3388 sender_helo_name);
3389
3390 if (sender_helo_name == NULL)
3391 {
3392 HDEBUG(D_receive) debug_printf("no EHLO/HELO command was issued\n");
3393 }
3394
3395 /* Deal with the case of -bs without an IP address */
3396
3397 else if (sender_host_address == NULL)
3398 {
3399 HDEBUG(D_receive) debug_printf("no client IP address: assume success\n");
3400 helo_verified = TRUE;
3401 }
3402
3403 /* Deal with the more common case when there is a sending IP address */
3404
3405 else if (sender_helo_name[0] == '[')
3406 {
3407 helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
3408 Ustrlen(sender_host_address)) == 0;
3409
3410 #if HAVE_IPV6
3411 if (!helo_verified)
3412 {
3413 if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
3414 helo_verified = Ustrncmp(sender_helo_name + 1,
3415 sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
3416 }
3417 #endif
3418
3419 HDEBUG(D_receive)
3420 { if (helo_verified) debug_printf("matched host address\n"); }
3421 }
3422
3423 /* Do a reverse lookup if one hasn't already given a positive or negative
3424 response. If that fails, or the name doesn't match, try checking with a forward
3425 lookup. */
3426
3427 else
3428 {
3429 if (sender_host_name == NULL && !host_lookup_failed)
3430 yield = host_name_lookup() != DEFER;
3431
3432 /* If a host name is known, check it and all its aliases. */
3433
3434 if (sender_host_name)
3435 if ((helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0))
3436 {
3437 sender_helo_dnssec = sender_host_dnssec;
3438 HDEBUG(D_receive) debug_printf("matched host name\n");
3439 }
3440 else
3441 {
3442 uschar **aliases = sender_host_aliases;
3443 while (*aliases)
3444 if ((helo_verified = strcmpic(*aliases++, sender_helo_name) == 0))
3445 {
3446 sender_helo_dnssec = sender_host_dnssec;
3447 break;
3448 }
3449
3450 HDEBUG(D_receive) if (helo_verified)
3451 debug_printf("matched alias %s\n", *(--aliases));
3452 }
3453
3454 /* Final attempt: try a forward lookup of the helo name */
3455
3456 if (!helo_verified)
3457 {
3458 int rc;
3459 host_item h;
3460 dnssec_domains d;
3461 host_item *hh;
3462
3463 h.name = sender_helo_name;
3464 h.address = NULL;
3465 h.mx = MX_NONE;
3466 h.next = NULL;
3467 d.request = US"*";
3468 d.require = US"";
3469
3470 HDEBUG(D_receive) debug_printf("getting IP address for %s\n",
3471 sender_helo_name);
3472 rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A,
3473 NULL, NULL, NULL, &d, NULL, NULL);
3474 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
3475 for (hh = &h; hh; hh = hh->next)
3476 if (Ustrcmp(hh->address, sender_host_address) == 0)
3477 {
3478 helo_verified = TRUE;
3479 if (h.dnssec == DS_YES) sender_helo_dnssec = TRUE;
3480 HDEBUG(D_receive)
3481 {
3482 debug_printf("IP address for %s matches calling address\n"
3483 "Forward DNS security status: %sverified\n",
3484 sender_helo_name, sender_helo_dnssec ? "" : "un");
3485 }
3486 break;
3487 }
3488 }
3489 }
3490
3491 if (!helo_verified) helo_verify_failed = TRUE; /* We've tried ... */
3492 return yield;
3493 }
3494
3495
3496
3497
3498 /*************************************************
3499 * Send user response message *
3500 *************************************************/
3501
3502 /* This function is passed a default response code and a user message. It calls
3503 smtp_message_code() to check and possibly modify the response code, and then
3504 calls smtp_respond() to transmit the response. I put this into a function
3505 just to avoid a lot of repetition.
3506
3507 Arguments:
3508 code the response code
3509 user_msg the user message
3510
3511 Returns: nothing
3512 */
3513
3514 static void
3515 smtp_user_msg(uschar *code, uschar *user_msg)
3516 {
3517 int len = 3;
3518 smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
3519 smtp_respond(code, len, TRUE, user_msg);
3520 }
3521
3522
3523
3524 static int
3525 smtp_in_auth(auth_instance *au, uschar ** s, uschar ** ss)
3526 {
3527 const uschar *set_id = NULL;
3528 int rc, i;
3529
3530 /* Run the checking code, passing the remainder of the command line as
3531 data. Initials the $auth<n> variables as empty. Initialize $0 empty and set
3532 it as the only set numerical variable. The authenticator may set $auth<n>
3533 and also set other numeric variables. The $auth<n> variables are preferred
3534 nowadays; the numerical variables remain for backwards compatibility.
3535
3536 Afterwards, have a go at expanding the set_id string, even if
3537 authentication failed - for bad passwords it can be useful to log the
3538 userid. On success, require set_id to expand and exist, and put it in
3539 authenticated_id. Save this in permanent store, as the working store gets
3540 reset at HELO, RSET, etc. */
3541
3542 for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
3543 expand_nmax = 0;
3544 expand_nlength[0] = 0; /* $0 contains nothing */
3545
3546 rc = (au->info->servercode)(au, smtp_cmd_data);
3547 if (au->set_id) set_id = expand_string(au->set_id);
3548 expand_nmax = -1; /* Reset numeric variables */
3549 for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL; /* Reset $auth<n> */
3550
3551 /* The value of authenticated_id is stored in the spool file and printed in
3552 log lines. It must not contain binary zeros or newline characters. In
3553 normal use, it never will, but when playing around or testing, this error
3554 can (did) happen. To guard against this, ensure that the id contains only
3555 printing characters. */
3556
3557 if (set_id) set_id = string_printing(set_id);
3558
3559 /* For the non-OK cases, set up additional logging data if set_id
3560 is not empty. */
3561
3562 if (rc != OK)
3563 set_id = set_id && *set_id
3564 ? string_sprintf(" (set_id=%s)", set_id) : US"";
3565
3566 /* Switch on the result */
3567
3568 switch(rc)
3569 {
3570 case OK:
3571 if (!au->set_id || set_id) /* Complete success */
3572 {
3573 if (set_id) authenticated_id = string_copy_malloc(set_id);
3574 sender_host_authenticated = au->name;
3575 authentication_failed = FALSE;
3576 authenticated_fail_id = NULL; /* Impossible to already be set? */
3577
3578 received_protocol =
3579 (sender_host_address ? protocols : protocols_local)
3580 [pextend + pauthed + (tls_in.active >= 0 ? pcrpted:0)];
3581 *s = *ss = US"235 Authentication succeeded";
3582 authenticated_by = au;
3583 break;
3584 }
3585
3586 /* Authentication succeeded, but we failed to expand the set_id string.
3587 Treat this as a temporary error. */
3588
3589 auth_defer_msg = expand_string_message;
3590 /* Fall through */
3591
3592 case DEFER:
3593 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3594 *s = string_sprintf("435 Unable to authenticate at present%s",
3595 auth_defer_user_msg);
3596 *ss = string_sprintf("435 Unable to authenticate at present%s: %s",
3597 set_id, auth_defer_msg);
3598 break;
3599
3600 case BAD64:
3601 *s = *ss = US"501 Invalid base64 data";
3602 break;
3603
3604 case CANCELLED:
3605 *s = *ss = US"501 Authentication cancelled";
3606 break;
3607
3608 case UNEXPECTED:
3609 *s = *ss = US"553 Initial data not expected";
3610 break;
3611
3612 case FAIL:
3613 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3614 *s = US"535 Incorrect authentication data";
3615 *ss = string_sprintf("535 Incorrect authentication data%s", set_id);
3616 break;
3617
3618 default:
3619 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3620 *s = US"435 Internal error";
3621 *ss = string_sprintf("435 Internal error%s: return %d from authentication "
3622 "check", set_id, rc);
3623 break;
3624 }
3625
3626 return rc;
3627 }
3628
3629
3630
3631
3632
3633 static int
3634 qualify_recipient(uschar ** recipient, uschar * smtp_cmd_data, uschar * tag)
3635 {
3636 int rd;
3637 if (allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0)
3638 {
3639 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
3640 *recipient);
3641 rd = Ustrlen(recipient) + 1;
3642 *recipient = rewrite_address_qualify(*recipient, TRUE);
3643 return rd;
3644 }
3645 smtp_printf("501 %s: recipient address must contain a domain\r\n",
3646 smtp_cmd_data);
3647 log_write(L_smtp_syntax_error,
3648 LOG_MAIN|LOG_REJECT, "unqualified %s rejected: <%s> %s%s",
3649 tag, *recipient, host_and_ident(TRUE), host_lookup_msg);
3650 return 0;
3651 }
3652
3653
3654
3655
3656 static void
3657 smtp_quit_handler(uschar ** user_msgp, uschar ** log_msgp)
3658 {
3659 HAD(SCH_QUIT);
3660 incomplete_transaction_log(US"QUIT");
3661 if (acl_smtp_quit)
3662 {
3663 int rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, user_msgp, log_msgp);
3664 if (rc == ERROR)
3665 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
3666 *log_msgp);
3667 }
3668 if (*user_msgp)
3669 smtp_respond(US"221", 3, TRUE, *user_msgp);
3670 else
3671 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
3672
3673 #ifdef SUPPORT_TLS
3674 tls_close(TRUE, TRUE);
3675 #endif
3676
3677 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
3678 smtp_get_connection_info());
3679 }
3680
3681
3682 static void
3683 smtp_rset_handler(void)
3684 {
3685 HAD(SCH_RSET);
3686 incomplete_transaction_log(US"RSET");
3687 smtp_printf("250 Reset OK\r\n");
3688 cmd_list[CMD_LIST_RSET].is_mail_cmd = FALSE;
3689 }
3690
3691
3692
3693 /*************************************************
3694 * Initialize for SMTP incoming message *
3695 *************************************************/
3696
3697 /* This function conducts the initial dialogue at the start of an incoming SMTP
3698 message, and builds a list of recipients. However, if the incoming message
3699 is part of a batch (-bS option) a separate function is called since it would
3700 be messy having tests splattered about all over this function. This function
3701 therefore handles the case where interaction is occurring. The input and output
3702 files are set up in smtp_in and smtp_out.
3703
3704 The global recipients_list is set to point to a vector of recipient_item
3705 blocks, whose number is given by recipients_count. This is extended by the
3706 receive_add_recipient() function. The global variable sender_address is set to
3707 the sender's address. The yield is +1 if a message has been successfully
3708 started, 0 if a QUIT command was encountered or the connection was refused from
3709 the particular host, or -1 if the connection was lost.
3710
3711 Argument: none
3712
3713 Returns: > 0 message successfully started (reached DATA)
3714 = 0 QUIT read or end of file reached or call refused
3715 < 0 lost connection
3716 */
3717
3718 int
3719 smtp_setup_msg(void)
3720 {
3721 int done = 0;
3722 BOOL toomany = FALSE;
3723 BOOL discarded = FALSE;
3724 BOOL last_was_rej_mail = FALSE;
3725 BOOL last_was_rcpt = FALSE;
3726 void *reset_point = store_get(0);
3727
3728 DEBUG(D_receive) debug_printf("smtp_setup_msg entered\n");
3729
3730 /* Reset for start of new message. We allow one RSET not to be counted as a
3731 nonmail command, for those MTAs that insist on sending it between every
3732 message. Ditto for EHLO/HELO and for STARTTLS, to allow for going in and out of
3733 TLS between messages (an Exim client may do this if it has messages queued up
3734 for the host). Note: we do NOT reset AUTH at this point. */
3735
3736 smtp_reset(reset_point);
3737 message_ended = END_NOTSTARTED;
3738
3739 chunking_state = chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
3740
3741 cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
3742 cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
3743 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
3744 #ifdef SUPPORT_TLS
3745 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
3746 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
3747 #endif
3748
3749 /* Set the local signal handler for SIGTERM - it tries to end off tidily */
3750
3751 os_non_restarting_signal(SIGTERM, command_sigterm_handler);
3752
3753 /* Batched SMTP is handled in a different function. */
3754
3755 if (smtp_batched_input) return smtp_setup_batch_msg();
3756
3757 /* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
3758 value. The values are 2 larger than the required yield of the function. */
3759
3760 while (done <= 0)
3761 {
3762 const uschar **argv;
3763 uschar *etrn_command;
3764 uschar *etrn_serialize_key;
3765 uschar *errmess;
3766 uschar *log_msg, *smtp_code;
3767 uschar *user_msg = NULL;
3768 uschar *recipient = NULL;
3769 uschar *hello = NULL;
3770 uschar *s, *ss;
3771 BOOL was_rej_mail = FALSE;
3772 BOOL was_rcpt = FALSE;
3773 void (*oldsignal)(int);
3774 pid_t pid;
3775 int start, end, sender_domain, recipient_domain;
3776 int ptr, size, rc;
3777 int c;
3778 auth_instance *au;
3779 uschar *orcpt = NULL;
3780 int flags;
3781
3782 #ifdef AUTH_TLS
3783 /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */
3784 if ( tls_in.active >= 0
3785 && tls_in.peercert
3786 && tls_in.certificate_verified
3787 && cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd
3788 )
3789 {
3790 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = FALSE;
3791 if ( acl_smtp_auth
3792 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3793 &user_msg, &log_msg)) != OK
3794 )
3795 {
3796 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3797 continue;
3798 }
3799
3800 for (au = auths; au; au = au->next)
3801 if (strcmpic(US"tls", au->driver_name) == 0)
3802 {
3803 smtp_cmd_data = NULL;
3804
3805 if (smtp_in_auth(au, &s, &ss) == OK)
3806 { DEBUG(D_auth) debug_printf("tls auth succeeded\n"); }
3807 else
3808 { DEBUG(D_auth) debug_printf("tls auth not succeeded\n"); }
3809 break;
3810 }
3811 }
3812 #endif
3813
3814 #ifdef TCP_QUICKACK
3815 if (smtp_in) /* Avoid pure-ACKs while in cmd pingpong phase */
3816 (void) setsockopt(fileno(smtp_in), IPPROTO_TCP, TCP_QUICKACK,
3817 US &off, sizeof(off));
3818 #endif
3819
3820 switch(smtp_read_command(TRUE, GETC_BUFFER_UNLIMITED))
3821 {
3822 /* The AUTH command is not permitted to occur inside a transaction, and may
3823 occur successfully only once per connection. Actually, that isn't quite
3824 true. When TLS is started, all previous information about a connection must
3825 be discarded, so a new AUTH is permitted at that time.
3826
3827 AUTH may only be used when it has been advertised. However, it seems that
3828 there are clients that send AUTH when it hasn't been advertised, some of
3829 them even doing this after HELO. And there are MTAs that accept this. Sigh.
3830 So there's a get-out that allows this to happen.
3831
3832 AUTH is initially labelled as a "nonmail command" so that one occurrence
3833 doesn't get counted. We change the label here so that multiple failing
3834 AUTHS will eventually hit the nonmail threshold. */
3835
3836 case AUTH_CMD:
3837 HAD(SCH_AUTH);
3838 authentication_failed = TRUE;
3839 cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
3840
3841 if (!auth_advertised && !allow_auth_unadvertised)
3842 {
3843 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3844 US"AUTH command used when not advertised");
3845 break;
3846 }
3847 if (sender_host_authenticated)
3848 {
3849 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3850 US"already authenticated");
3851 break;
3852 }
3853 if (sender_address)
3854 {
3855 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3856 US"not permitted in mail transaction");
3857 break;
3858 }
3859
3860 /* Check the ACL */
3861
3862 if ( acl_smtp_auth
3863 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3864 &user_msg, &log_msg)) != OK
3865 )
3866 {
3867 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3868 break;
3869 }
3870
3871 /* Find the name of the requested authentication mechanism. */
3872
3873 s = smtp_cmd_data;
3874 while ((c = *smtp_cmd_data) != 0 && !isspace(c))
3875 {
3876 if (!isalnum(c) && c != '-' && c != '_')
3877 {
3878 done = synprot_error(L_smtp_syntax_error, 501, NULL,
3879 US"invalid character in authentication mechanism name");
3880 goto COMMAND_LOOP;
3881 }
3882 smtp_cmd_data++;
3883 }
3884
3885 /* If not at the end of the line, we must be at white space. Terminate the
3886 name and move the pointer on to any data that may be present. */
3887
3888 if (*smtp_cmd_data != 0)
3889 {
3890 *smtp_cmd_data++ = 0;
3891 while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
3892 }
3893
3894 /* Search for an authentication mechanism which is configured for use
3895 as a server and which has been advertised (unless, sigh, allow_auth_
3896 unadvertised is set). */
3897
3898 for (au = auths; au; au = au->next)
3899 if (strcmpic(s, au->public_name) == 0 && au->server &&
3900 (au->advertised || allow_auth_unadvertised))
3901 break;
3902
3903 if (au)
3904 {
3905 c = smtp_in_auth(au, &s, &ss);
3906
3907 smtp_printf("%s\r\n", s);
3908 if (c != OK)
3909 log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
3910 au->name, host_and_ident(FALSE), ss);
3911 }
3912 else
3913 done = synprot_error(L_smtp_protocol_error, 504, NULL,
3914 string_sprintf("%s authentication mechanism not supported", s));
3915
3916 break; /* AUTH_CMD */
3917
3918 /* The HELO/EHLO commands are permitted to appear in the middle of a
3919 session as well as at the beginning. They have the effect of a reset in
3920 addition to their other functions. Their absence at the start cannot be
3921 taken to be an error.
3922
3923 RFC 2821 says:
3924
3925 If the EHLO command is not acceptable to the SMTP server, 501, 500,
3926 or 502 failure replies MUST be returned as appropriate. The SMTP
3927 server MUST stay in the same state after transmitting these replies
3928 that it was in before the EHLO was received.
3929
3930 Therefore, we do not do the reset until after checking the command for
3931 acceptability. This change was made for Exim release 4.11. Previously
3932 it did the reset first. */
3933
3934 case HELO_CMD:
3935 HAD(SCH_HELO);
3936 hello = US"HELO";
3937 esmtp = FALSE;
3938 goto HELO_EHLO;
3939
3940 case EHLO_CMD:
3941 HAD(SCH_EHLO);
3942 hello = US"EHLO";
3943 esmtp = TRUE;
3944
3945 HELO_EHLO: /* Common code for HELO and EHLO */
3946 cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
3947 cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
3948
3949 /* Reject the HELO if its argument was invalid or non-existent. A
3950 successful check causes the argument to be saved in malloc store. */
3951
3952 if (!check_helo(smtp_cmd_data))
3953 {
3954 smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
3955
3956 log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
3957 "invalid argument(s): %s", hello, host_and_ident(FALSE),
3958 (*smtp_cmd_argument == 0)? US"(no argument given)" :
3959 string_printing(smtp_cmd_argument));
3960
3961 if (++synprot_error_count > smtp_max_synprot_errors)
3962 {
3963 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3964 "syntax or protocol errors (last command was \"%s\")",
3965 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
3966 done = 1;
3967 }
3968
3969 break;
3970 }
3971
3972 /* If sender_host_unknown is true, we have got here via the -bs interface,
3973 not called from inetd. Otherwise, we are running an IP connection and the
3974 host address will be set. If the helo name is the primary name of this
3975 host and we haven't done a reverse lookup, force one now. If helo_required
3976 is set, ensure that the HELO name matches the actual host. If helo_verify
3977 is set, do the same check, but softly. */
3978
3979 if (!sender_host_unknown)
3980 {
3981 BOOL old_helo_verified = helo_verified;
3982 uschar *p = smtp_cmd_data;
3983
3984 while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
3985 *p = 0;
3986
3987 /* Force a reverse lookup if HELO quoted something in helo_lookup_domains
3988 because otherwise the log can be confusing. */
3989
3990 if (sender_host_name == NULL &&
3991 (deliver_domain = sender_helo_name, /* set $domain */
3992 match_isinlist(sender_helo_name, CUSS &helo_lookup_domains, 0,
3993 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) == OK)
3994 (void)host_name_lookup();
3995
3996 /* Rebuild the fullhost info to include the HELO name (and the real name
3997 if it was looked up.) */
3998
3999 host_build_sender_fullhost(); /* Rebuild */
4000 set_process_info("handling%s incoming connection from %s",
4001 (tls_in.active >= 0)? " TLS" : "", host_and_ident(FALSE));
4002
4003 /* Verify if configured. This doesn't give much security, but it does
4004 make some people happy to be able to do it. If helo_required is set,
4005 (host matches helo_verify_hosts) failure forces rejection. If helo_verify
4006 is set (host matches helo_try_verify_hosts), it does not. This is perhaps
4007 now obsolescent, since the verification can now be requested selectively
4008 at ACL time. */
4009
4010 helo_verified = helo_verify_failed = sender_helo_dnssec = FALSE;
4011 if (helo_required || helo_verify)
4012 {
4013 BOOL tempfail = !smtp_verify_helo();
4014 if (!helo_verified)
4015 {
4016 if (helo_required)
4017 {
4018 smtp_printf("%d %s argument does not match calling host\r\n",
4019 tempfail? 451 : 550, hello);
4020 log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
4021 tempfail? "temporarily " : "",
4022 hello, sender_helo_name, host_and_ident(FALSE));
4023 helo_verified = old_helo_verified;
4024 break; /* End of HELO/EHLO processing */
4025 }
4026 HDEBUG(D_all) debug_printf("%s verification failed but host is in "
4027 "helo_try_verify_hosts\n", hello);
4028 }
4029 }
4030 }
4031
4032 #ifdef EXPERIMENTAL_SPF
4033 /* set up SPF context */
4034 spf_init(sender_helo_name, sender_host_address);
4035 #endif
4036
4037 /* Apply an ACL check if one is defined; afterwards, recheck
4038 synchronization in case the client started sending in a delay. */
4039
4040 if (acl_smtp_helo)
4041 if ((rc = acl_check(ACL_WHERE_HELO, NULL, acl_smtp_helo,
4042 &user_msg, &log_msg)) != OK)
4043 {
4044 done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
4045 sender_helo_name = NULL;
4046 host_build_sender_fullhost(); /* Rebuild */
4047 break;
4048 }
4049 else if (!check_sync()) goto SYNC_FAILURE;
4050
4051 /* Generate an OK reply. The default string includes the ident if present,
4052 and also the IP address if present. Reflecting back the ident is intended
4053 as a deterrent to mail forgers. For maximum efficiency, and also because
4054 some broken systems expect each response to be in a single packet, arrange
4055 that the entire reply is sent in one write(). */
4056
4057 auth_advertised = FALSE;
4058 pipelining_advertised = FALSE;
4059 #ifdef SUPPORT_TLS
4060 tls_advertised = FALSE;
4061 #endif
4062 dsn_advertised = FALSE;
4063 #ifdef SUPPORT_I18N
4064 smtputf8_advertised = FALSE;
4065 #endif
4066
4067 smtp_code = US"250 "; /* Default response code plus space*/
4068 if (!user_msg)
4069 {
4070 s = string_sprintf("%.3s %s Hello %s%s%s",
4071 smtp_code,
4072 smtp_active_hostname,
4073 sender_ident ? sender_ident : US"",
4074 sender_ident ? US" at " : US"",
4075 sender_host_name ? sender_host_name : sender_helo_name);
4076
4077 ptr = Ustrlen(s);
4078 size = ptr + 1;
4079
4080 if (sender_host_address)
4081 {
4082 s = string_catn(s, &size, &ptr, US" [", 2);
4083 s = string_cat (s, &size, &ptr, sender_host_address);
4084 s = string_catn(s, &size, &ptr, US"]", 1);
4085 }
4086 }
4087
4088 /* A user-supplied EHLO greeting may not contain more than one line. Note
4089 that the code returned by smtp_message_code() includes the terminating
4090 whitespace character. */
4091
4092 else
4093 {
4094 char *ss;
4095 int codelen = 4;
4096 smtp_message_code(&smtp_code, &codelen, &user_msg, NULL, TRUE);
4097 s = string_sprintf("%.*s%s", codelen, smtp_code, user_msg);
4098 if ((ss = strpbrk(CS s, "\r\n")) != NULL)
4099 {
4100 log_write(0, LOG_MAIN|LOG_PANIC, "EHLO/HELO response must not contain "
4101 "newlines: message truncated: %s", string_printing(s));
4102 *ss = 0;
4103 }
4104 ptr = Ustrlen(s);
4105 size = ptr + 1;
4106 }
4107
4108 s = string_catn(s, &size, &ptr, US"\r\n", 2);