X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=blobdiff_plain;f=src%2Fsrc%2Ftransports%2Fsmtp.c;h=23083f5d879c829a4ed5d7d0ff2a851fa696fb5d;hp=ac61a405b3d2ccaac24e175da642c0272a14eea8;hb=587d831d9428c40f108ac91c1e061096b17a7a3e;hpb=66387a737208e277990b0cbfe58db3db419f34b2

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index ac61a405b..23083f5d8 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2,7 +2,7 @@
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2017 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 #include "../exim.h"
@@ -24,6 +24,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, address_retry_include_sender) },
   { "allow_localhost",      opt_bool,
       (void *)offsetof(smtp_transport_options_block, allow_localhost) },
+#ifdef EXPERIMENTAL_ARC
+  { "arc_sign", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, arc_sign) },
+#endif
   { "authenticated_sender", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, authenticated_sender) },
   { "authenticated_sender_force", opt_bool,
@@ -105,7 +109,7 @@ optionlist smtp_transport_options[] = {
   { "hosts_require_auth",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
 #ifdef SUPPORT_TLS
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
   { "hosts_require_dane",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_require_dane) },
 # endif
@@ -120,7 +124,7 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
   { "hosts_try_chunking",   opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_chunking) },
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
   { "hosts_try_dane",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, hosts_try_dane) },
 #endif
@@ -209,7 +213,6 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .fallback_hosts =		NULL,
   .hostlist =			NULL,
   .fallback_hostlist =		NULL,
-  .authenticated_sender =	NULL,
   .helo_data =			US"$primary_hostname",
   .interface =			NULL,
   .port =			NULL,
@@ -219,7 +222,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .hosts_try_auth =		NULL,
   .hosts_require_auth =		NULL,
   .hosts_try_chunking =		US"*",
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
   .hosts_try_dane =		NULL,
   .hosts_require_dane =		NULL,
 #endif
@@ -287,7 +290,15 @@ smtp_transport_options_block smtp_transport_option_defaults = {
     .dkim_sign_headers =	NULL,
     .dkim_strict =		NULL,
     .dkim_hash =		US"sha256",
-    .dot_stuffed =		FALSE},
+    .dot_stuffed =		FALSE,
+    .force_bodyhash =		FALSE,
+# ifdef EXPERIMENTAL_ARC
+    .arc_signspec =		NULL,
+# endif
+    },
+# ifdef EXPERIMENTAL_ARC
+  .arc_sign =			NULL,
+# endif
 #endif
 };
 
@@ -1190,7 +1201,7 @@ return FALSE;
 
 
 
-#ifdef EXPERIMENTAL_DANE
+#ifdef SUPPORT_DANE
 /* Lookup TLSA record for host/port.
 Return:  OK		success with dnssec; DANE mode
          DEFER		Do not use this host now, may retry later
@@ -1490,7 +1501,7 @@ Returns:          OK    - the connection was made and the delivery attempted;
 int
 smtp_setup_conn(smtp_context * sx, BOOL suppress_tls)
 {
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
 dns_answer tlsa_dnsa;
 #endif
 BOOL pass_message = FALSE;
@@ -1512,7 +1523,7 @@ sx->esmtp_sent = FALSE;
 sx->utf8_needed = FALSE;
 #endif
 sx->dsn_all_lasthop = TRUE;
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
 sx->dane = FALSE;
 sx->dane_required = verify_check_given_host(&sx->ob->hosts_require_dane, sx->host) == OK;
 #endif
@@ -1586,7 +1597,7 @@ if (!continue_hostname)
 
   smtp_port_for_connect(sx->host, sx->port);
 
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_DANE)
+#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
     /* Do TLSA lookup for DANE */
     {
     tls_out.dane_verified = FALSE;
@@ -1607,6 +1618,9 @@ if (!continue_hostname)
 				  string_sprintf("DANE error: tlsa lookup %s",
 				    rc == DEFER ? "DEFER" : "FAIL"),
 				  rc, FALSE);
+				(void) event_raise(sx->tblock->event_action,
+				  US"dane:fail", sx->dane_required
+				    ?  US"dane-required" : US"dnssec-invalid");
 				return rc;
 	  }
       }
@@ -1615,6 +1629,8 @@ if (!continue_hostname)
       set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
 	string_sprintf("DANE error: %s lookup not DNSSEC", sx->host->name),
 	FAIL, FALSE);
+      (void) event_raise(sx->tblock->event_action,
+	US"dane:fail", US"dane-required");
       return FAIL;
       }
     }
@@ -1936,7 +1952,7 @@ if (  smtp_peer_options & OPTION_TLS
     address_item * addr;
     uschar * errstr;
     int rc = tls_client_start(sx->inblock.sock, sx->host, sx->addrlist, sx->tblock,
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
 			     sx->dane ? &tlsa_dnsa : NULL,
 # endif
 			     &errstr);
@@ -1947,10 +1963,15 @@ if (  smtp_peer_options & OPTION_TLS
 
     if (rc != OK)
       {
-# ifdef EXPERIMENTAL_DANE
-      if (sx->dane) log_write(0, LOG_MAIN,
+# ifdef SUPPORT_DANE
+      if (sx->dane)
+        {
+	log_write(0, LOG_MAIN,
 	  "DANE attempt failed; TLS connection to %s [%s]: %s",
 	  sx->host->name, sx->host->address, errstr);
+	(void) event_raise(sx->tblock->event_action,
+	  US"dane:fail", US"validation-failure");	/* could do with better detail */
+	}
 # endif
 
       errno = ERRNO_TLSFAILURE;
@@ -2034,7 +2055,7 @@ if (tls_out.active >= 0)
 have one. */
 
 else if (  sx->smtps
-# ifdef EXPERIMENTAL_DANE
+# ifdef SUPPORT_DANE
 	|| sx->dane
 # endif
 	|| verify_check_given_host(&sx->ob->hosts_require_tls, sx->host) == OK
@@ -2044,6 +2065,13 @@ else if (  sx->smtps
   message = string_sprintf("a TLS session is required, but %s",
     smtp_peer_options & OPTION_TLS
     ? "an attempt to start TLS failed" : "the server did not offer TLS support");
+# ifdef SUPPORT_DANE
+  if (sx->dane)
+    (void) event_raise(sx->tblock->event_action, US"dane:fail",
+      smtp_peer_options & OPTION_TLS
+      ? US"validation-failure"		/* could do with better detail */
+      : US"starttls-not-supported");
+# endif
   goto TLS_FAILED;
   }
 #endif	/*SUPPORT_TLS*/
@@ -2234,7 +2262,7 @@ if (sx->send_quit)
   (void)smtp_write_command(&sx->outblock, SCMD_FLUSH, "QUIT\r\n");
 
 #ifdef SUPPORT_TLS
-tls_close(FALSE, TRUE);
+tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
 #endif
 
 /* Close the socket, and return the appropriate value, first setting
@@ -2668,7 +2696,7 @@ for (fd_bits = 3; fd_bits; )
     if ((rc = read(pfd[0], buf, bsize)) <= 0)
       {
       fd_bits = 0;
-      tls_close(FALSE, TRUE);
+      tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
       }
     else
       {
@@ -2965,6 +2993,30 @@ else
   transport_count = 0;
 
 #ifndef DISABLE_DKIM
+  dkim_exim_sign_init();
+# ifdef EXPERIMENTAL_ARC
+    {
+    uschar * s = sx.ob->arc_sign;
+    if (s)
+      {
+      if (!(sx.ob->dkim.arc_signspec = s = expand_string(s)))
+	{
+	if (!expand_string_forcedfail)
+	  {
+	  message = US"failed to expand arc_sign";
+	  sx.ok = FALSE;
+	  goto SEND_FAILED;
+	  }
+	}
+      else if (*s)
+	{
+	/* Ask dkim code to hash the body for ARC */
+	(void) arc_ams_setup_sign_bodyhash();
+	sx.ob->dkim.force_bodyhash = TRUE;
+	}
+      }
+    }
+# endif
   sx.ok = dkim_transport_write_message(&tctx, &sx.ob->dkim, CUSS &message);
 #else
   sx.ok = transport_write_message(&tctx, 0);
@@ -3178,8 +3230,11 @@ else
 #ifndef DISABLE_PRDR
       if (sx.prdr_active)
         {
+	const uschar * overall_message;
+
 	/* PRDR - get the final, overall response.  For any non-success
 	upgrade all the address statuses. */
+
         sx.ok = smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer), '2',
           sx.ob->final_timeout);
         if (!sx.ok)
@@ -3195,7 +3250,14 @@ else
 	  goto RESPONSE_FAILED;
 	  }
 
-	/* Update the journal, or setup retry. */
+	/* Append the overall response to the individual PRDR response for logging
+	and update the journal, or setup retry. */
+
+	overall_message = string_printing(sx.buffer);
+        for (addr = addrlist; addr != sx.first_addr; addr = addr->next)
+	  if (addr->transport_return == OK)
+	    addr->message = string_sprintf("%s\\n%s", addr->message, overall_message);
+
         for (addr = addrlist; addr != sx.first_addr; addr = addr->next)
 	  if (addr->transport_return == OK)
 	    {
@@ -3458,7 +3520,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
 	  a new EHLO. If we don't get a good response, we don't attempt to pass
 	  the socket on. */
 
-	  tls_close(FALSE, TRUE);
+	  tls_close(FALSE, TLS_SHUTDOWN_WAIT);
 	  smtp_peer_options = smtp_peer_options_wrap;
 	  sx.ok = !sx.smtps
 	    && smtp_write_command(&sx.outblock, SCMD_FLUSH,
@@ -3523,7 +3585,7 @@ propagate it from the initial
 	    close(pfd[0]);
 	    /* tidy the inter-proc to disconn the proxy proc */
 	    waitpid(pid, NULL, 0);
-	    tls_close(FALSE, FALSE);
+	    tls_close(FALSE, TLS_NO_SHUTDOWN);
 	    (void)close(sx.inblock.sock);
 	    continue_transport = NULL;
 	    continue_hostname = NULL;
@@ -3569,7 +3631,7 @@ if (sx.send_quit) (void)smtp_write_command(&sx.outblock, SCMD_FLUSH, "QUIT\r\n")
 END_OFF:
 
 #ifdef SUPPORT_TLS
-tls_close(FALSE, TRUE);
+tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
 #endif
 
 /* Close the socket, and return the appropriate value, first setting
@@ -4541,7 +4603,7 @@ retry_non_continued:
     if (tls_out.active == fd)
       {
       (void) tls_write(FALSE, US"QUIT\r\n", 6, FALSE);
-      tls_close(FALSE, TRUE);
+      tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
       }
     else
 #else