-/* $Cambridge: exim/src/src/smtp_in.c,v 1.57 2007/04/13 15:13:47 ph10 Exp $ */
+/* $Cambridge: exim/src/src/smtp_in.c,v 1.67 2010/06/12 15:21:26 jetmore Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2007 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for handling an incoming SMTP call. */
int allow_severity = LOG_INFO;
int deny_severity = LOG_NOTICE;
+uschar *tcp_wrappers_name;
#endif
/* Structure for SMTP command list */
typedef struct {
- char *name;
+ const char *name;
int len;
short int cmd;
short int has_arg;
static BOOL rcpt_smtp_response_same;
static BOOL rcpt_in_progress;
static int nonmail_command_count;
+static BOOL smtp_exit_function_called = 0;
static int synprot_error_count;
static int unknown_command_count;
static int sync_cmd_limit;
else smtp_had_eof = 1;
return EOF;
}
+#ifndef DISABLE_DKIM
+ dkim_exim_verify_feed(smtp_inbuffer, rc);
+#endif
smtp_inend = smtp_inbuffer + rc;
smtp_inptr = smtp_inbuffer;
}
*/
void
-smtp_printf(char *format, ...)
+smtp_printf(const char *format, ...)
{
va_list ap;
+va_start(ap, format);
+smtp_vprintf(format, ap);
+va_end(ap);
+}
+
+/* This is split off so that verify.c:respond_printf() can, in effect, call
+smtp_printf(), bearing in mind that in C a vararg function can't directly
+call another vararg function, only a function which accepts a va_list. */
+
+void
+smtp_vprintf(const char *format, va_list ap)
+{
+BOOL yield;
+
+yield = string_vformat(big_buffer, big_buffer_size, format, ap);
+
DEBUG(D_receive)
{
- uschar *cr, *end;
- va_start(ap, format);
- (void) string_vformat(big_buffer, big_buffer_size, format, ap);
- va_end(ap);
- end = big_buffer + Ustrlen(big_buffer);
- while ((cr = Ustrchr(big_buffer, '\r')) != NULL) /* lose CRs */
- memmove(cr, cr + 1, (end--) - cr);
- debug_printf("SMTP>> %s", big_buffer);
+ void *reset_point = store_get(0);
+ uschar *msg_copy, *cr, *end;
+ msg_copy = string_copy(big_buffer);
+ end = msg_copy + Ustrlen(msg_copy);
+ while ((cr = Ustrchr(msg_copy, '\r')) != NULL) /* lose CRs */
+ memmove(cr, cr + 1, (end--) - cr);
+ debug_printf("SMTP>> %s", msg_copy);
+ store_reset(reset_point);
}
-va_start(ap, format);
-if (!string_vformat(big_buffer, big_buffer_size, format, ap))
+if (!yield)
{
log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
smtp_closedown(US"Unexpected error");
exim_exit(EXIT_FAILURE);
}
-va_end(ap);
/* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
have had the same. Note: this code is also present in smtp_respond(). It would
host_and_ident(FALSE));
if (smtp_batched_input)
moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
-smtp_printf("421 %s: SMTP command timeout - closing connection\r\n",
- smtp_active_hostname);
-mac_smtp_fflush();
+smtp_notquit_exit(US"command-timeout", US"421",
+ US"%s: SMTP command timeout - closing connection", smtp_active_hostname);
exim_exit(EXIT_FAILURE);
}
log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
if (smtp_batched_input)
moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */
-smtp_printf("421 %s: Service not available - closing connection\r\n",
- smtp_active_hostname);
+smtp_notquit_exit(US"signal-exit", US"421",
+ US"%s: Service not available - closing connection", smtp_active_hostname);
exim_exit(EXIT_FAILURE);
}
except QUIT. The existence of an SMTP call is detected by the non-NULLness of
smtp_in.
-Argument: SMTP reply string to send, excluding the code
+Arguments:
+ message SMTP reply string to send, excluding the code
+
Returns: nothing
*/
s = string_append(s, &size, &ptr, 2, US" CV=",
tls_certificate_verified? "yes":"no");
if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_peerdn != NULL)
- s = string_append(s, &size, &ptr, 3, US" DN=\"", tls_peerdn, US"\"");
+ s = string_append(s, &size, &ptr, 3, US" DN=\"",
+ string_printing(tls_peerdn), US"\"");
#endif
sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
bmi_run = 0;
bmi_verdicts = NULL;
#endif
-#ifdef EXPERIMENTAL_DOMAINKEYS
-dk_do_verify = 0;
+#ifndef DISABLE_DKIM
+dkim_signers = NULL;
+dkim_disable_verify = FALSE;
+dkim_collect_input = FALSE;
#endif
#ifdef EXPERIMENTAL_SPF
spf_header_comment = NULL;
pipelining_advertised = FALSE;
pipelining_enable = TRUE;
sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
+smtp_exit_function_called = FALSE; /* For avoiding loop in not-quit exit */
memset(sender_host_cache, 0, sizeof(sender_host_cache));
#ifdef USE_TCP_WRAPPERS
errno = 0;
- if (!hosts_ctl("exim",
+ tcp_wrappers_name = expand_string(tcp_wrappers_daemon_name);
+ if (tcp_wrappers_name == NULL)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
+ "(tcp_wrappers_name) failed: %s", string_printing(tcp_wrappers_name),
+ expand_string_message);
+ }
+ if (!hosts_ctl(tcp_wrappers_name,
(sender_host_name == NULL)? STRING_UNKNOWN : CS sender_host_name,
(sender_host_address == NULL)? STRING_UNKNOWN : CS sender_host_address,
(sender_ident == NULL)? STRING_UNKNOWN : CS sender_ident))
log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
smtp_get_connection_info());
+
+/* Run the not-quit ACL, but without any custom messages. This should not be a
+problem, because we get here only if some other ACL has issued "drop", and
+in that case, *its* custom messages will have been used above. */
+
+smtp_notquit_exit(US"acl-drop", NULL, NULL);
return 2;
}
+/*************************************************
+* Handle SMTP exit when QUIT is not given *
+*************************************************/
+
+/* This function provides a logging/statistics hook for when an SMTP connection
+is dropped on the floor or the other end goes away. It's a global function
+because it's called from receive.c as well as this module. As well as running
+the NOTQUIT ACL, if there is one, this function also outputs a final SMTP
+response, either with a custom message from the ACL, or using a default. There
+is one case, however, when no message is output - after "drop". In that case,
+the ACL that obeyed "drop" has already supplied the custom message, and NULL is
+passed to this function.
+
+In case things go wrong while processing this function, causing an error that
+may re-enter this funtion, there is a recursion check.
+
+Arguments:
+ reason What $smtp_notquit_reason will be set to in the ACL;
+ if NULL, the ACL is not run
+ code The error code to return as part of the response
+ defaultrespond The default message if there's no user_msg
+
+Returns: Nothing
+*/
+
+void
+smtp_notquit_exit(uschar *reason, uschar *code, uschar *defaultrespond, ...)
+{
+int rc;
+uschar *user_msg = NULL;
+uschar *log_msg = NULL;
+
+/* Check for recursive acll */
+
+if (smtp_exit_function_called)
+ {
+ log_write(0, LOG_PANIC, "smtp_notquit_exit() called more than once (%s)",
+ reason);
+ return;
+ }
+smtp_exit_function_called = TRUE;
+
+/* Call the not-QUIT ACL, if there is one, unless no reason is given. */
+
+if (acl_smtp_notquit != NULL && reason != NULL)
+ {
+ smtp_notquit_reason = reason;
+ rc = acl_check(ACL_WHERE_NOTQUIT, NULL, acl_smtp_notquit, &user_msg,
+ &log_msg);
+ if (rc == ERROR)
+ log_write(0, LOG_MAIN|LOG_PANIC, "ACL for not-QUIT returned ERROR: %s",
+ log_msg);
+ }
+
+/* Write an SMTP response if we are expected to give one. As the default
+responses are all internal, they should always fit in the buffer, but code a
+warning, just in case. Note that string_vformat() still leaves a complete
+string, even if it is incomplete. */
+
+if (code != NULL && defaultrespond != NULL)
+ {
+ if (user_msg == NULL)
+ {
+ uschar buffer[128];
+ va_list ap;
+ va_start(ap, defaultrespond);
+ if (!string_vformat(buffer, sizeof(buffer), CS defaultrespond, ap))
+ log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_notquit_exit()");
+ smtp_printf("%s %s\r\n", code, buffer);
+ va_end(ap);
+ }
+ else
+ smtp_respond(code, 3, TRUE, user_msg);
+ mac_smtp_fflush();
+ }
+}
+
+
+
+
/*************************************************
* Verify HELO argument *
*************************************************/
in order to be able to log the sender address on failure. */
if (strcmpic(name, US"SIZE") == 0 &&
- ((size = (int)Ustrtoul(value, &end, 10)), *end == 0))
+ ((size = Ustrtoul(value, &end, 10)), *end == 0))
{
if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
size = INT_MAX;
toomany = FALSE;
cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
+ /* There's an attack where more data is read in past the STARTTLS command
+ before TLS is negotiated, then assumed to be part of the secure session
+ when used afterwards; we use segregated input buffers, so are not
+ vulnerable, but we want to note when it happens and, for sheer paranoia,
+ ensure that the buffer is "wiped".
+ Pipelining sync checks will normally have protected us too, unless disabled
+ by configuration. */
+
+ if (receive_smtp_buffered())
+ {
+ DEBUG(D_any)
+ debug_printf("Non-empty input buffer after STARTTLS; naive attack?");
+ if (tls_active < 0)
+ smtp_inend = smtp_inptr = smtp_inbuffer;
+ /* and if TLS is already active, tls_server_start() should fail */
+ }
+
+ /* There is nothing we value in the input buffer and if TLS is succesfully
+ negotiated, we won't use this buffer again; if TLS fails, we'll just read
+ fresh content into it. The buffer contains arbitrary content from an
+ untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
+ It seems safest to just wipe away the content rather than leave it as a
+ target to jump to. */
+
+ memset(smtp_inbuffer, 0, in_buffer_size);
+
/* Attempt to start up a TLS session, and if successful, discard all
knowledge that was obtained previously. At least, that's what the RFC says,
and that's what happens by default. However, in order to work round YAEB,
case EOF_CMD:
log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
smtp_get_connection_info());
+ smtp_notquit_exit(US"tls-failed", NULL, NULL);
done = 2;
break;
+ /* It is perhaps arguable as to which exit ACL should be called here,
+ but as it is probably a situtation that almost never arises, it
+ probably doesn't matter. We choose to call the real QUIT ACL, which in
+ some sense is perhaps "right". */
+
case QUIT_CMD:
- smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
+ user_msg = NULL;
+ if (acl_smtp_quit != NULL)
+ {
+ rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, &user_msg,
+ &log_msg);
+ if (rc == ERROR)
+ log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
+ log_msg);
+ }
+ if (user_msg == NULL)
+ smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
+ else
+ smtp_respond(US"221", 3, TRUE, user_msg);
log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
smtp_get_connection_info());
done = 2;
case QUIT_CMD:
HAD(SCH_QUIT);
incomplete_transaction_log(US"QUIT");
-
if (acl_smtp_quit != NULL)
{
- rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit,&user_msg,&log_msg);
+ rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, &user_msg, &log_msg);
if (rc == ERROR)
log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
log_msg);
}
-
if (user_msg == NULL)
smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
else
break;
- /* Show ETRN/EXPN/VRFY if there's
- an ACL for checking hosts; if actually used, a check will be done for
- permitted hosts. */
+ /* Show ETRN/EXPN/VRFY if there's an ACL for checking hosts; if actually
+ used, a check will be done for permitted hosts. Show STARTTLS only if not
+ already in a TLS session and if it would be advertised in the EHLO
+ response. */
case HELP_CMD:
HAD(SCH_HELP);
buffer[0] = 0;
Ustrcat(buffer, " AUTH");
#ifdef SUPPORT_TLS
- Ustrcat(buffer, " STARTTLS");
+ if (tls_active < 0 &&
+ verify_check_host(&tls_advertise_hosts) != FAIL)
+ Ustrcat(buffer, " STARTTLS");
#endif
Ustrcat(buffer, " HELO EHLO MAIL RCPT DATA");
Ustrcat(buffer, " NOOP QUIT RSET HELP");
case EOF_CMD:
incomplete_transaction_log(US"connection lost");
- smtp_printf("421 %s lost input connection\r\n", smtp_active_hostname);
+ smtp_notquit_exit(US"connection-lost", US"421",
+ US"%s lost input connection", smtp_active_hostname);
/* Don't log by default unless in the middle of a message, as some mailers
just drop the call rather than sending QUIT, and it clutters up the logs.
pipelining_advertised? "" : " not",
smtp_cmd_buffer, host_and_ident(TRUE),
string_printing(smtp_inptr));
- smtp_printf("554 SMTP synchronization error\r\n");
+ smtp_notquit_exit(US"synchronization-error", US"554",
+ US"SMTP synchronization error");
done = 1; /* Pretend eof - drops connection */
break;
log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
"nonmail commands (last was \"%.*s\")", host_and_ident(FALSE),
s - smtp_cmd_buffer, smtp_cmd_buffer);
- smtp_printf("554 Too many nonmail commands\r\n");
+ smtp_notquit_exit(US"bad-commands", US"554", US"Too many nonmail commands");
done = 1; /* Pretend eof - drops connection */
break;
string_printing(smtp_cmd_buffer), host_and_ident(TRUE),
US"unrecognized command");
incomplete_transaction_log(US"unrecognized command");
- smtp_printf("500 Too many unrecognized commands\r\n");
+ smtp_notquit_exit(US"bad-commands", US"500",
+ US"Too many unrecognized commands");
done = 2;
log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
"unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
projects / exim.git / blobdiff