diff options
Diffstat (limited to 'sendmail/src/srvrsmtp.c')
| -rw-r--r-- | sendmail/src/srvrsmtp.c | 4974 |
1 files changed, 4974 insertions, 0 deletions
diff --git a/sendmail/src/srvrsmtp.c b/sendmail/src/srvrsmtp.c new file mode 100644 index 000000000000..514a5e6310b8 --- /dev/null +++ b/sendmail/src/srvrsmtp.c @@ -0,0 +1,4974 @@ +/* + * Copyright (c) 1998-2007 Sendmail, Inc. and its suppliers. + * All rights reserved. + * Copyright (c) 1983, 1995-1997 Eric P. Allman. All rights reserved. + * Copyright (c) 1988, 1993 + * The Regents of the University of California. All rights reserved. + * + * By using this file, you agree to the terms and conditions set + * forth in the LICENSE file which can be found at the top level of + * the sendmail distribution. + * + */ + +#include <sendmail.h> +#if MILTER +# include <libmilter/mfapi.h> +# include <libmilter/mfdef.h> +#endif /* MILTER */ + +SM_RCSID("@(#)$Id: srvrsmtp.c,v 8.967 2007/10/01 16:22:14 ca Exp $") + +#include <sm/time.h> +#include <sm/fdset.h> + +#if SASL || STARTTLS +# include "sfsasl.h" +#endif /* SASL || STARTTLS */ +#if SASL +# define ENC64LEN(l) (((l) + 2) * 4 / 3 + 1) +static int saslmechs __P((sasl_conn_t *, char **)); +#endif /* SASL */ +#if STARTTLS +# include <sysexits.h> + +static SSL_CTX *srv_ctx = NULL; /* TLS server context */ +static SSL *srv_ssl = NULL; /* per connection context */ + +static bool tls_ok_srv = false; + +# define TLS_VERIFY_CLIENT() tls_set_verify(srv_ctx, srv_ssl, \ + bitset(SRV_VRFY_CLT, features)) +#endif /* STARTTLS */ + +#if _FFR_DM_ONE +static bool NotFirstDelivery = false; +#endif /* _FFR_DM_ONE */ + +/* server features */ +#define SRV_NONE 0x0000 /* none... */ +#define SRV_OFFER_TLS 0x0001 /* offer STARTTLS */ +#define SRV_VRFY_CLT 0x0002 /* request a cert */ +#define SRV_OFFER_AUTH 0x0004 /* offer AUTH */ +#define SRV_OFFER_ETRN 0x0008 /* offer ETRN */ +#define SRV_OFFER_VRFY 0x0010 /* offer VRFY (not yet used) */ +#define SRV_OFFER_EXPN 0x0020 /* offer EXPN */ +#define SRV_OFFER_VERB 0x0040 /* offer VERB */ +#define SRV_OFFER_DSN 0x0080 /* offer DSN */ +#if PIPELINING +# define SRV_OFFER_PIPE 0x0100 /* offer PIPELINING */ +# if _FFR_NO_PIPE +# define SRV_NO_PIPE 0x0200 /* disable PIPELINING, sleep if used */ +# endif /* _FFR_NO_PIPE */ +#endif /* PIPELINING */ +#define SRV_REQ_AUTH 0x0400 /* require AUTH */ +#define SRV_REQ_SEC 0x0800 /* require security - equiv to AuthOptions=p */ +#define SRV_TMP_FAIL 0x1000 /* ruleset caused a temporary failure */ + +static unsigned int srvfeatures __P((ENVELOPE *, char *, unsigned int)); + +#define STOP_ATTACK ((time_t) -1) +static time_t checksmtpattack __P((volatile unsigned int *, unsigned int, + bool, char *, ENVELOPE *)); +static void printvrfyaddr __P((ADDRESS *, bool, bool)); +static char *skipword __P((char *volatile, char *)); +static void setup_smtpd_io __P((void)); + +#if SASL +# if SASL >= 20000 +static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname, + char *_remoteip, char *_localip, + char *_auth_id, sasl_ssf_t *_ext_ssf)); + +# define RESET_SASLCONN \ + do \ + { \ + result = reset_saslconn(&conn, AuthRealm, remoteip, \ + localip, auth_id, &ext_ssf); \ + if (result != SASL_OK) \ + sasl_ok = false; \ + } while (0) + +# else /* SASL >= 20000 */ +static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname, + struct sockaddr_in *_saddr_r, + struct sockaddr_in *_saddr_l, + sasl_external_properties_t *_ext_ssf)); +# define RESET_SASLCONN \ + do \ + { \ + result = reset_saslconn(&conn, AuthRealm, &saddr_r, \ + &saddr_l, &ext_ssf); \ + if (result != SASL_OK) \ + sasl_ok = false; \ + } while (0) + +# endif /* SASL >= 20000 */ +#endif /* SASL */ + +extern ENVELOPE BlankEnvelope; + +#define NBADRCPTS \ + do \ + { \ + char buf[16]; \ + (void) sm_snprintf(buf, sizeof(buf), "%d", \ + BadRcptThrottle > 0 && n_badrcpts > BadRcptThrottle \ + ? n_badrcpts - 1 : n_badrcpts); \ + macdefine(&e->e_macro, A_TEMP, macid("{nbadrcpts}"), buf); \ + } while (0) + +#define SKIP_SPACE(s) while (isascii(*s) && isspace(*s)) \ + (s)++ + +/* +** PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT) +** +** Parameters: +** e -- the envelope +** addr_st -- address (RCPT only) +** p -- read buffer +** delimptr -- current position in read buffer +** which -- MAIL/RCPT +** args -- arguments (output) +** esmtp_args -- function to process a single ESMTP argument +** +** Returns: +** none +*/ + +void +parse_esmtp_args(e, addr_st, p, delimptr, which, args, esmtp_args) + ENVELOPE *e; + ADDRESS *addr_st; + char *p; + char *delimptr; + char *which; + char *args[]; + esmtp_args_F esmtp_args; +{ + int argno; + + argno = 0; + if (args != NULL) + args[argno++] = p; + p = delimptr; + while (p != NULL && *p != '\0') + { + char *kp; + char *vp = NULL; + char *equal = NULL; + + /* locate the beginning of the keyword */ + SKIP_SPACE(p); + if (*p == '\0') + break; + kp = p; + + /* skip to the value portion */ + while ((isascii(*p) && isalnum(*p)) || *p == '-') + p++; + if (*p == '=') + { + equal = p; + *p++ = '\0'; + vp = p; + + /* skip to the end of the value */ + while (*p != '\0' && *p != ' ' && + !(isascii(*p) && iscntrl(*p)) && + *p != '=') + p++; + } + + if (*p != '\0') + *p++ = '\0'; + + if (tTd(19, 1)) + sm_dprintf("%s: got arg %s=\"%s\"\n", which, kp, + vp == NULL ? "<null>" : vp); + + esmtp_args(addr_st, kp, vp, e); + if (equal != NULL) + *equal = '='; + if (args != NULL) + args[argno] = kp; + argno++; + if (argno >= MAXSMTPARGS - 1) + usrerr("501 5.5.4 Too many parameters"); + if (Errors > 0) + break; + } + if (args != NULL) + args[argno] = NULL; +} + +/* +** SMTP -- run the SMTP protocol. +** +** Parameters: +** nullserver -- if non-NULL, rejection message for +** (almost) all SMTP commands. +** d_flags -- daemon flags +** e -- the envelope. +** +** Returns: +** never. +** +** Side Effects: +** Reads commands from the input channel and processes them. +*/ + +/* +** Notice: The smtp server doesn't have a session context like the client +** side has (mci). Therefore some data (session oriented) is allocated +** or assigned to the "wrong" structure (esp. STARTTLS, AUTH). +** This should be fixed in a successor version. +*/ + +struct cmd +{ + char *cmd_name; /* command name */ + int cmd_code; /* internal code, see below */ +}; + +/* values for cmd_code */ +#define CMDERROR 0 /* bad command */ +#define CMDMAIL 1 /* mail -- designate sender */ +#define CMDRCPT 2 /* rcpt -- designate recipient */ +#define CMDDATA 3 /* data -- send message text */ +#define CMDRSET 4 /* rset -- reset state */ +#define CMDVRFY 5 /* vrfy -- verify address */ +#define CMDEXPN 6 /* expn -- expand address */ +#define CMDNOOP 7 /* noop -- do nothing */ +#define CMDQUIT 8 /* quit -- close connection and die */ +#define CMDHELO 9 /* helo -- be polite */ +#define CMDHELP 10 /* help -- give usage info */ +#define CMDEHLO 11 /* ehlo -- extended helo (RFC 1425) */ +#define CMDETRN 12 /* etrn -- flush queue */ +#if SASL +# define CMDAUTH 13 /* auth -- SASL authenticate */ +#endif /* SASL */ +#if STARTTLS +# define CMDSTLS 14 /* STARTTLS -- start TLS session */ +#endif /* STARTTLS */ +/* non-standard commands */ +#define CMDVERB 17 /* verb -- go into verbose mode */ +/* unimplemented commands from RFC 821 */ +#define CMDUNIMPL 19 /* unimplemented rfc821 commands */ +/* use this to catch and log "door handle" attempts on your system */ +#define CMDLOGBOGUS 23 /* bogus command that should be logged */ +/* debugging-only commands, only enabled if SMTPDEBUG is defined */ +#define CMDDBGQSHOW 24 /* showq -- show send queue */ +#define CMDDBGDEBUG 25 /* debug -- set debug mode */ + +/* +** Note: If you change this list, remember to update 'helpfile' +*/ + +static struct cmd CmdTab[] = +{ + { "mail", CMDMAIL }, + { "rcpt", CMDRCPT }, + { "data", CMDDATA }, + { "rset", CMDRSET }, + { "vrfy", CMDVRFY }, + { "expn", CMDEXPN }, + { "help", CMDHELP }, + { "noop", CMDNOOP }, + { "quit", CMDQUIT }, + { "helo", CMDHELO }, + { "ehlo", CMDEHLO }, + { "etrn", CMDETRN }, + { "verb", CMDVERB }, + { "send", CMDUNIMPL }, + { "saml", CMDUNIMPL }, + { "soml", CMDUNIMPL }, + { "turn", CMDUNIMPL }, +#if SASL + { "auth", CMDAUTH, }, +#endif /* SASL */ +#if STARTTLS + { "starttls", CMDSTLS, }, +#endif /* STARTTLS */ + /* remaining commands are here only to trap and log attempts to use them */ + { "showq", CMDDBGQSHOW }, + { "debug", CMDDBGDEBUG }, + { "wiz", CMDLOGBOGUS }, + + { NULL, CMDERROR } +}; + +static char *CurSmtpClient; /* who's at the other end of channel */ + +#ifndef MAXBADCOMMANDS +# define MAXBADCOMMANDS 25 /* maximum number of bad commands */ +#endif /* ! MAXBADCOMMANDS */ +#ifndef MAXHELOCOMMANDS +# define MAXHELOCOMMANDS 3 /* max HELO/EHLO commands before slowdown */ +#endif /* ! MAXHELOCOMMANDS */ +#ifndef MAXVRFYCOMMANDS +# define MAXVRFYCOMMANDS 6 /* max VRFY/EXPN commands before slowdown */ +#endif /* ! MAXVRFYCOMMANDS */ +#ifndef MAXETRNCOMMANDS +# define MAXETRNCOMMANDS 8 /* max ETRN commands before slowdown */ +#endif /* ! MAXETRNCOMMANDS */ +#ifndef MAXTIMEOUT +# define MAXTIMEOUT (4 * 60) /* max timeout for bad commands */ +#endif /* ! MAXTIMEOUT */ + +/* +** Maximum shift value to compute timeout for bad commands. +** This introduces an upper limit of 2^MAXSHIFT for the timeout. +*/ + +#ifndef MAXSHIFT +# define MAXSHIFT 8 +#endif /* ! MAXSHIFT */ +#if MAXSHIFT > 31 + ERROR _MAXSHIFT > 31 is invalid +#endif /* MAXSHIFT */ + + +#if MAXBADCOMMANDS > 0 +# define STOP_IF_ATTACK(r) do \ + { \ + if ((r) == STOP_ATTACK) \ + goto stopattack; \ + } while (0) + +#else /* MAXBADCOMMANDS > 0 */ +# define STOP_IF_ATTACK(r) r +#endif /* MAXBADCOMMANDS > 0 */ + + +#if SM_HEAP_CHECK +static SM_DEBUG_T DebugLeakSmtp = SM_DEBUG_INITIALIZER("leak_smtp", + "@(#)$Debug: leak_smtp - trace memory leaks during SMTP processing $"); +#endif /* SM_HEAP_CHECK */ + +typedef struct +{ + bool sm_gotmail; /* mail command received */ + unsigned int sm_nrcpts; /* number of successful RCPT commands */ + bool sm_discard; +#if MILTER + bool sm_milterize; + bool sm_milterlist; /* any filters in the list? */ + milters_T sm_milters; + + /* e_nrcpts from envelope before recipient() call */ + unsigned int sm_e_nrcpts_orig; +#endif /* MILTER */ + char *sm_quarmsg; /* carry quarantining across messages */ +} SMTP_T; + +static bool smtp_data __P((SMTP_T *, ENVELOPE *)); + +#define MSG_TEMPFAIL "451 4.3.2 Please try again later" + +#if MILTER +# define MILTER_ABORT(e) milter_abort((e)) + +# define MILTER_REPLY(str) \ + { \ + int savelogusrerrs = LogUsrErrs; \ + \ + milter_cmd_fail = true; \ + switch (state) \ + { \ + case SMFIR_SHUTDOWN: \ + if (MilterLogLevel > 3) \ + { \ + sm_syslog(LOG_INFO, e->e_id, \ + "Milter: %s=%s, reject=421, errormode=4", \ + str, addr); \ + LogUsrErrs = false; \ + } \ + { \ + bool tsave = QuickAbort; \ + \ + QuickAbort = false; \ + usrerr("421 4.3.0 closing connection"); \ + QuickAbort = tsave; \ + e->e_sendqueue = NULL; \ + goto doquit; \ + } \ + break; \ + case SMFIR_REPLYCODE: \ + if (MilterLogLevel > 3) \ + { \ + sm_syslog(LOG_INFO, e->e_id, \ + "Milter: %s=%s, reject=%s", \ + str, addr, response); \ + LogUsrErrs = false; \ + } \ + if (strncmp(response, "421 ", 4) == 0 \ + || strncmp(response, "421-", 4) == 0) \ + { \ + bool tsave = QuickAbort; \ + \ + QuickAbort = false; \ + usrerr(response); \ + QuickAbort = tsave; \ + e->e_sendqueue = NULL; \ + goto doquit; \ + } \ + else \ + usrerr(response); \ + break; \ + \ + case SMFIR_REJECT: \ + if (MilterLogLevel > 3) \ + { \ + sm_syslog(LOG_INFO, e->e_id, \ + "Milter: %s=%s, reject=550 5.7.1 Command rejected", \ + str, addr); \ + LogUsrErrs = false; \ + } \ + usrerr("550 5.7.1 Command rejected"); \ + break; \ + \ + case SMFIR_DISCARD: \ + if (MilterLogLevel > 3) \ + sm_syslog(LOG_INFO, e->e_id, \ + "Milter: %s=%s, discard", \ + str, addr); \ + e->e_flags |= EF_DISCARD; \ + milter_cmd_fail = false; \ + break; \ + \ + case SMFIR_TEMPFAIL: \ + if (MilterLogLevel > 3) \ + { \ + sm_syslog(LOG_INFO, e->e_id, \ + "Milter: %s=%s, reject=%s", \ + str, addr, MSG_TEMPFAIL); \ + LogUsrErrs = false; \ + } \ + usrerr(MSG_TEMPFAIL); \ + break; \ + default: \ + milter_cmd_fail = false; \ + break; \ + } \ + LogUsrErrs = savelogusrerrs; \ + if (response != NULL) \ + sm_free(response); /* XXX */ \ + } + +#else /* MILTER */ +# define MILTER_ABORT(e) +#endif /* MILTER */ + +/* clear all SMTP state (for HELO/EHLO/RSET) */ +#define CLEAR_STATE(cmd) \ +do \ +{ \ + /* abort milter filters */ \ + MILTER_ABORT(e); \ + \ + if (smtp.sm_nrcpts > 0) \ + { \ + logundelrcpts(e, cmd, 10, false); \ + smtp.sm_nrcpts = 0; \ + macdefine(&e->e_macro, A_PERM, \ + macid("{nrcpts}"), "0"); \ + } \ + \ + e->e_sendqueue = NULL; \ + e->e_flags |= EF_CLRQUEUE; \ + \ + if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags)) \ + logsender(e, NULL); \ + e->e_flags &= ~EF_LOGSENDER; \ + \ + /* clean up a bit */ \ + smtp.sm_gotmail = false; \ + SuprErrs = true; \ + dropenvelope(e, true, false); \ + sm_rpool_free(e->e_rpool); \ + e = newenvelope(e, CurEnv, sm_rpool_new_x(NULL)); \ + CurEnv = e; \ + e->e_features = features; \ + \ + /* put back discard bit */ \ + if (smtp.sm_discard) \ + e->e_flags |= EF_DISCARD; \ + \ + /* restore connection quarantining */ \ + if (smtp.sm_quarmsg == NULL) \ + { \ + e->e_quarmsg = NULL; \ + macdefine(&e->e_macro, A_PERM, \ + macid("{quarantine}"), ""); \ + } \ + else \ + { \ + e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool, \ + smtp.sm_quarmsg); \ + macdefine(&e->e_macro, A_PERM, macid("{quarantine}"), \ + e->e_quarmsg); \ + } \ +} while (0) + +/* sleep to flatten out connection load */ +#define MIN_DELAY_LOG 15 /* wait before logging this again */ + +/* is it worth setting the process title for 1s? */ +#define DELAY_CONN(cmd) \ + if (DelayLA > 0 && (CurrentLA = getla()) >= DelayLA) \ + { \ + time_t dnow; \ + \ + sm_setproctitle(true, e, \ + "%s: %s: delaying %s: load average: %d", \ + qid_printname(e), CurSmtpClient, \ + cmd, DelayLA); \ + if (LogLevel > 8 && (dnow = curtime()) > log_delay) \ + { \ + sm_syslog(LOG_INFO, e->e_id, \ + "delaying=%s, load average=%d >= %d", \ + cmd, CurrentLA, DelayLA); \ + log_delay = dnow + MIN_DELAY_LOG; \ + } \ + (void) sleep(1); \ + sm_setproctitle(true, e, "%s %s: %.80s", \ + qid_printname(e), CurSmtpClient, inp); \ + } + +static bool SevenBitInput_Saved; /* saved version of SevenBitInput */ + +void +smtp(nullserver, d_flags, e) + char *volatile nullserver; + BITMAP256 d_flags; + register ENVELOPE *volatile e; +{ + register char *volatile p; + register struct cmd *volatile c = NULL; + char *cmd; + auto ADDRESS *vrfyqueue; + ADDRESS *a; + volatile bool gothello; /* helo command received */ + bool vrfy; /* set if this is a vrfy command */ + char *volatile protocol; /* sending protocol */ + char *volatile sendinghost; /* sending hostname */ + char *volatile peerhostname; /* name of SMTP peer or "localhost" */ + auto char *delimptr; + char *id; + volatile unsigned int n_badcmds = 0; /* count of bad commands */ + volatile unsigned int n_badrcpts = 0; /* number of rejected RCPT */ + volatile unsigned int n_verifies = 0; /* count of VRFY/EXPN */ + volatile unsigned int n_etrn = 0; /* count of ETRN */ + volatile unsigned int n_noop = 0; /* count of NOOP/VERB/etc */ + volatile unsigned int n_helo = 0; /* count of HELO/EHLO */ + bool ok; + volatile bool first; + volatile bool tempfail = false; + volatile time_t wt; /* timeout after too many commands */ + volatile time_t previous; /* time after checksmtpattack() */ + volatile bool lognullconnection = true; + register char *q; + SMTP_T smtp; + char *addr; + char *greetcode = "220"; + char *hostname; /* my hostname ($j) */ + QUEUE_CHAR *new; + char *args[MAXSMTPARGS]; + char inp[MAXINPLINE]; +#if MAXINPLINE < MAXLINE + ERROR _MAXINPLINE must NOT be less than _MAXLINE: MAXINPLINE < MAXLINE +#endif /* MAXINPLINE < MAXLINE */ + char cmdbuf[MAXLINE]; +#if SASL + sasl_conn_t *conn; + volatile bool sasl_ok; + volatile unsigned int n_auth = 0; /* count of AUTH commands */ + bool ismore; + int result; + volatile int authenticating; + char *user; + char *in, *out2; +# if SASL >= 20000 + char *auth_id = NULL; + const char *out; + sasl_ssf_t ext_ssf; + char localip[60], remoteip[60]; +# else /* SASL >= 20000 */ + char *out; + const char *errstr; + sasl_external_properties_t ext_ssf; + struct sockaddr_in saddr_l; + struct sockaddr_in saddr_r; +# endif /* SASL >= 20000 */ + sasl_security_properties_t ssp; + sasl_ssf_t *ssf; + unsigned int inlen, out2len; + unsigned int outlen; + char *volatile auth_type; + char *mechlist; + volatile unsigned int n_mechs; + unsigned int len; +#else /* SASL */ +#endif /* SASL */ + int r; +#if STARTTLS + int rfd, wfd; + volatile bool tls_active = false; + volatile bool smtps = bitnset(D_SMTPS, d_flags); + bool saveQuickAbort; + bool saveSuprErrs; + time_t tlsstart; +#endif /* STARTTLS */ + volatile unsigned int features; +#if PIPELINING +# if _FFR_NO_PIPE + int np_log = 0; +# endif /* _FFR_NO_PIPE */ +#endif /* PIPELINING */ + volatile time_t log_delay = (time_t) 0; +#if MILTER + volatile bool milter_cmd_done, milter_cmd_safe; + volatile bool milter_rcpt_added, milter_cmd_fail; + ADDRESS addr_st; +# define p_addr_st &addr_st +#else /* MILTER */ +# define p_addr_st NULL +#endif /* MILTER */ + size_t inplen; + + SevenBitInput_Saved = SevenBitInput; + smtp.sm_nrcpts = 0; +#if MILTER + smtp.sm_milterize = (nullserver == NULL); + smtp.sm_milterlist = false; + addr = NULL; +#endif /* MILTER */ + + /* setup I/O fd correctly for the SMTP server */ + setup_smtpd_io(); + +#if SM_HEAP_CHECK + if (sm_debug_active(&DebugLeakSmtp, 1)) + { + sm_heap_newgroup(); + sm_dprintf("smtp() heap group #%d\n", sm_heap_group()); + } +#endif /* SM_HEAP_CHECK */ + + /* XXX the rpool should be set when e is initialized in main() */ + e->e_rpool = sm_rpool_new_x(NULL); + e->e_macro.mac_rpool = e->e_rpool; + + settime(e); + sm_getla(); + peerhostname = RealHostName; + if (peerhostname == NULL) + peerhostname = "localhost"; + CurHostName = peerhostname; + CurSmtpClient = macvalue('_', e); + if (CurSmtpClient == NULL) + CurSmtpClient = CurHostName; + + /* check_relay may have set discard bit, save for later */ + smtp.sm_discard = bitset(EF_DISCARD, e->e_flags); + +#if PIPELINING + /* auto-flush output when reading input */ + (void) sm_io_autoflush(InChannel, OutChannel); +#endif /* PIPELINING */ + + sm_setproctitle(true, e, "server %s startup", CurSmtpClient); + + /* Set default features for server. */ + features = ((bitset(PRIV_NOETRN, PrivacyFlags) || + bitnset(D_NOETRN, d_flags)) ? SRV_NONE : SRV_OFFER_ETRN) + | (bitnset(D_AUTHREQ, d_flags) ? SRV_REQ_AUTH : SRV_NONE) + | (bitset(PRIV_NOEXPN, PrivacyFlags) ? SRV_NONE + : (SRV_OFFER_EXPN + | (bitset(PRIV_NOVERB, PrivacyFlags) + ? SRV_NONE : SRV_OFFER_VERB))) + | ((bitset(PRIV_NORECEIPTS, PrivacyFlags) || !SendMIMEErrors) + ? SRV_NONE : SRV_OFFER_DSN) +#if SASL + | (bitnset(D_NOAUTH, d_flags) ? SRV_NONE : SRV_OFFER_AUTH) + | (bitset(SASL_SEC_NOPLAINTEXT, SASLOpts) ? SRV_REQ_SEC + : SRV_NONE) +#endif /* SASL */ +#if PIPELINING + | SRV_OFFER_PIPE +#endif /* PIPELINING */ +#if STARTTLS + | (bitnset(D_NOTLS, d_flags) ? SRV_NONE : SRV_OFFER_TLS) + | (bitset(TLS_I_NO_VRFY, TLS_Srv_Opts) ? SRV_NONE + : SRV_VRFY_CLT) +#endif /* STARTTLS */ + ; + if (nullserver == NULL) + { + features = srvfeatures(e, CurSmtpClient, features); + if (bitset(SRV_TMP_FAIL, features)) + { + if (LogLevel > 4) + sm_syslog(LOG_ERR, NOQID, + "ERROR: srv_features=tempfail, relay=%.100s, access temporarily disabled", + CurSmtpClient); + nullserver = "450 4.3.0 Please try again later."; + } + else + { +#if PIPELINING +# if _FFR_NO_PIPE + if (bitset(SRV_NO_PIPE, features)) + { + /* for consistency */ + features &= ~SRV_OFFER_PIPE; + } +# endif /* _FFR_NO_PIPE */ +#endif /* PIPELINING */ +#if SASL + if (bitset(SRV_REQ_SEC, features)) + SASLOpts |= SASL_SEC_NOPLAINTEXT; + else + SASLOpts &= ~SASL_SEC_NOPLAINTEXT; +#endif /* SASL */ + } + } + else if (strncmp(nullserver, "421 ", 4) == 0) + { + message(nullserver); + goto doquit; + } + + e->e_features = features; + hostname = macvalue('j', e); +#if SASL + if (AuthRealm == NULL) + AuthRealm = hostname; + sasl_ok = bitset(SRV_OFFER_AUTH, features); + n_mechs = 0; + authenticating = SASL_NOT_AUTH; + + /* SASL server new connection */ + if (sasl_ok) + { +# if SASL >= 20000 + result = sasl_server_new("smtp", AuthRealm, NULL, NULL, NULL, + NULL, 0, &conn); +# elif SASL > 10505 + /* use empty realm: only works in SASL > 1.5.5 */ + result = sasl_server_new("smtp", AuthRealm, "", NULL, 0, &conn); +# else /* SASL >= 20000 */ + /* use no realm -> realm is set to hostname by SASL lib */ + result = sasl_server_new("smtp", AuthRealm, NULL, NULL, 0, + &conn); +# endif /* SASL >= 20000 */ + sasl_ok = result == SASL_OK; + if (!sasl_ok) + { + if (LogLevel > 9) + sm_syslog(LOG_WARNING, NOQID, + "AUTH error: sasl_server_new failed=%d", + result); + } + } + if (sasl_ok) + { + /* + ** SASL set properties for sasl + ** set local/remote IP + ** XXX Cyrus SASL v1 only supports IPv4 + ** + ** XXX where exactly are these used/required? + ** Kerberos_v4 + */ + +# if SASL >= 20000 + localip[0] = remoteip[0] = '\0'; +# if NETINET || NETINET6 + in = macvalue(macid("{daemon_family}"), e); + if (in != NULL && ( +# if NETINET6 + strcmp(in, "inet6") == 0 || +# endif /* NETINET6 */ + strcmp(in, "inet") == 0)) + { + SOCKADDR_LEN_T addrsize; + SOCKADDR saddr_l; + SOCKADDR saddr_r; + + addrsize = sizeof(saddr_r); + if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD, + NULL), + (struct sockaddr *) &saddr_r, + &addrsize) == 0) + { + if (iptostring(&saddr_r, addrsize, + remoteip, sizeof(remoteip))) + { + sasl_setprop(conn, SASL_IPREMOTEPORT, + remoteip); + } + addrsize = sizeof(saddr_l); + if (getsockname(sm_io_getinfo(InChannel, + SM_IO_WHAT_FD, + NULL), + (struct sockaddr *) &saddr_l, + &addrsize) == 0) + { + if (iptostring(&saddr_l, addrsize, + localip, + sizeof(localip))) + { + sasl_setprop(conn, + SASL_IPLOCALPORT, + localip); + } + } + } + } +# endif /* NETINET || NETINET6 */ +# else /* SASL >= 20000 */ +# if NETINET + in = macvalue(macid("{daemon_family}"), e); + if (in != NULL && strcmp(in, "inet") == 0) + { + SOCKADDR_LEN_T addrsize; + + addrsize = sizeof(struct sockaddr_in); + if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD, + NULL), + (struct sockaddr *)&saddr_r, + &addrsize) == 0) + { + sasl_setprop(conn, SASL_IP_REMOTE, &saddr_r); + addrsize = sizeof(struct sockaddr_in); + if (getsockname(sm_io_getinfo(InChannel, + SM_IO_WHAT_FD, + NULL), + (struct sockaddr *)&saddr_l, + &addrsize) == 0) + sasl_setprop(conn, SASL_IP_LOCAL, + &saddr_l); + } + } +# endif /* NETINET */ +# endif /* SASL >= 20000 */ + + auth_type = NULL; + mechlist = NULL; + user = NULL; +# if 0 + macdefine(&BlankEnvelope.e_macro, A_PERM, + macid("{auth_author}"), NULL); +# endif /* 0 */ + + /* set properties */ + (void) memset(&ssp, '\0', sizeof(ssp)); + + /* XXX should these be options settable via .cf ? */ + /* ssp.min_ssf = 0; is default due to memset() */ + { + ssp.max_ssf = MaxSLBits; + ssp.maxbufsize = MAXOUTLEN; + } + ssp.security_flags = SASLOpts & SASL_SEC_MASK; + sasl_ok = sasl_setprop(conn, SASL_SEC_PROPS, &ssp) == SASL_OK; + + if (sasl_ok) + { + /* + ** external security strength factor; + ** currently we have none so zero + */ + +# if SASL >= 20000 + ext_ssf = 0; + auth_id = NULL; + sasl_ok = ((sasl_setprop(conn, SASL_SSF_EXTERNAL, + &ext_ssf) == SASL_OK) && + (sasl_setprop(conn, SASL_AUTH_EXTERNAL, + auth_id) == SASL_OK)); +# else /* SASL >= 20000 */ + ext_ssf.ssf = 0; + ext_ssf.auth_id = NULL; + sasl_ok = sasl_setprop(conn, SASL_SSF_EXTERNAL, + &ext_ssf) == SASL_OK; +# endif /* SASL >= 20000 */ + } + if (sasl_ok) + n_mechs = saslmechs(conn, &mechlist); + } +#endif /* SASL */ + +#if STARTTLS +#endif /* STARTTLS */ + +#if MILTER + if (smtp.sm_milterize) + { + char state; + + /* initialize mail filter connection */ + smtp.sm_milterlist = milter_init(e, &state, &smtp.sm_milters); + switch (state) + { + case SMFIR_REJECT: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: initialization failed, rejecting commands"); + greetcode = "554"; + nullserver = "Command rejected"; + smtp.sm_milterize = false; + break; + + case SMFIR_TEMPFAIL: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: initialization failed, temp failing commands"); + tempfail = true; + smtp.sm_milterize = false; + break; + + case SMFIR_SHUTDOWN: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: initialization failed, closing connection"); + tempfail = true; + smtp.sm_milterize = false; + message("421 4.7.0 %s closing connection", + MyHostName); + + /* arrange to ignore send list */ + e->e_sendqueue = NULL; + goto doquit; + } + } + + if (smtp.sm_milterlist && smtp.sm_milterize && + !bitset(EF_DISCARD, e->e_flags)) + { + char state; + char *response; + + q = macvalue(macid("{client_name}"), e); + SM_ASSERT(q != NULL || OpMode == MD_SMTP); + if (q == NULL) + q = "localhost"; + response = milter_connect(q, RealHostAddr, e, &state); + switch (state) + { + case SMFIR_REPLYCODE: /* REPLYCODE shouldn't happen */ + case SMFIR_REJECT: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: connect: host=%s, addr=%s, rejecting commands", + peerhostname, + anynet_ntoa(&RealHostAddr)); + greetcode = "554"; + nullserver = "Command rejected"; + smtp.sm_milterize = false; + break; + + case SMFIR_TEMPFAIL: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: connect: host=%s, addr=%s, temp failing commands", + peerhostname, + anynet_ntoa(&RealHostAddr)); + tempfail = true; + smtp.sm_milterize = false; + break; + + case SMFIR_SHUTDOWN: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: connect: host=%s, addr=%s, shutdown", + peerhostname, + anynet_ntoa(&RealHostAddr)); + tempfail = true; + smtp.sm_milterize = false; + message("421 4.7.0 %s closing connection", + MyHostName); + + /* arrange to ignore send list */ + e->e_sendqueue = NULL; + goto doquit; + } + if (response != NULL) + sm_free(response); /* XXX */ + } +#endif /* MILTER */ + + /* + ** Broken proxies and SMTP slammers + ** push data without waiting, catch them + */ + + if ( +#if STARTTLS + !smtps && +#endif /* STARTTLS */ + *greetcode == '2' && nullserver == NULL) + { + time_t msecs = 0; + char **pvp; + char pvpbuf[PSBUFSIZE]; + + /* Ask the rulesets how long to pause */ + pvp = NULL; + r = rscap("greet_pause", peerhostname, + anynet_ntoa(&RealHostAddr), e, + &pvp, pvpbuf, sizeof(pvpbuf)); + if (r == EX_OK && pvp != NULL && pvp[0] != NULL && + (pvp[0][0] & 0377) == CANONNET && pvp[1] != NULL) + { + msecs = strtol(pvp[1], NULL, 10); + } + + if (msecs > 0) + { + int fd; + fd_set readfds; + struct timeval timeout; + struct timeval bp, ep, tp; /* {begin,end,total}pause */ + int eoftest; + + /* pause for a moment */ + timeout.tv_sec = msecs / 1000; + timeout.tv_usec = (msecs % 1000) * 1000; + + /* Obey RFC 2821: 4.3.5.2: 220 timeout of 5 minutes */ + if (timeout.tv_sec >= 300) + { + timeout.tv_sec = 300; + timeout.tv_usec = 0; + } + + /* check if data is on the socket during the pause */ + fd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL); + FD_ZERO(&readfds); + SM_FD_SET(fd, &readfds); + gettimeofday(&bp, NULL); + if (select(fd + 1, FDSET_CAST &readfds, + NULL, NULL, &timeout) > 0 && + FD_ISSET(fd, &readfds) && + (eoftest = sm_io_getc(InChannel, SM_TIME_DEFAULT)) + != SM_IO_EOF) + { + sm_io_ungetc(InChannel, SM_TIME_DEFAULT, + eoftest); + gettimeofday(&ep, NULL); + timersub(&ep, &bp, &tp); + greetcode = "554"; + nullserver = "Command rejected"; + sm_syslog(LOG_INFO, e->e_id, + "rejecting commands from %s [%s] due to pre-greeting traffic after %d seconds", + peerhostname, + anynet_ntoa(&RealHostAddr), + (int) tp.tv_sec + + (tp.tv_usec >= 500000 ? 1 : 0) + ); + } + } + } + +#if STARTTLS + /* If this an smtps connection, start TLS now */ + if (smtps) + { + Errors = 0; + goto starttls; + } + + greeting: + +#endif /* STARTTLS */ + + /* output the first line, inserting "ESMTP" as second word */ + if (*greetcode == '5') + (void) sm_snprintf(inp, sizeof(inp), + "%s not accepting messages", hostname); + else + expand(SmtpGreeting, inp, sizeof(inp), e); + + p = strchr(inp, '\n'); + if (p != NULL) + *p++ = '\0'; + id = strchr(inp, ' '); + if (id == NULL) + id = &inp[strlen(inp)]; + if (p == NULL) + (void) sm_snprintf(cmdbuf, sizeof(cmdbuf), + "%s %%.*s ESMTP%%s", greetcode); + else + (void) sm_snprintf(cmdbuf, sizeof(cmdbuf), + "%s-%%.*s ESMTP%%s", greetcode); + message(cmdbuf, (int) (id - inp), inp, id); + + /* output remaining lines */ + while ((id = p) != NULL && (p = strchr(id, '\n')) != NULL) + { + *p++ = '\0'; + if (isascii(*id) && isspace(*id)) + id++; + (void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, "-%s"); + message(cmdbuf, id); + } + if (id != NULL) + { + if (isascii(*id) && isspace(*id)) + id++; + (void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, " %s"); + message(cmdbuf, id); + } + + protocol = NULL; + sendinghost = macvalue('s', e); + + /* If quarantining by a connect/ehlo action, save between messages */ + if (e->e_quarmsg == NULL) + smtp.sm_quarmsg = NULL; + else + smtp.sm_quarmsg = newstr(e->e_quarmsg); + + /* sendinghost's storage must outlive the current envelope */ + if (sendinghost != NULL) + sendinghost = sm_strdup_x(sendinghost); + first = true; + gothello = false; + smtp.sm_gotmail = false; + for (;;) + { + SM_TRY + { + QuickAbort = false; + HoldErrs = false; + SuprErrs = false; + LogUsrErrs = false; + OnlyOneError = true; + e->e_flags &= ~(EF_VRFYONLY|EF_GLOBALERRS); +#if MILTER + milter_cmd_fail = false; +#endif /* MILTER */ + + /* setup for the read */ + e->e_to = NULL; + Errors = 0; + FileName = NULL; + (void) sm_io_flush(smioout, SM_TIME_DEFAULT); + + /* read the input line */ + SmtpPhase = "server cmd read"; + sm_setproctitle(true, e, "server %s cmd read", CurSmtpClient); + + /* handle errors */ + if (sm_io_error(OutChannel) || + (p = sfgets(inp, sizeof(inp), InChannel, + TimeOuts.to_nextcommand, SmtpPhase)) == NULL) + { + char *d; + + d = macvalue(macid("{daemon_name}"), e); + if (d == NULL) + d = "stdin"; + /* end of file, just die */ + disconnect(1, e); + +#if MILTER + /* close out milter filters */ + milter_quit(e); +#endif /* MILTER */ + + message("421 4.4.1 %s Lost input channel from %s", + MyHostName, CurSmtpClient); + if (LogLevel > (smtp.sm_gotmail ? 1 : 19)) + sm_syslog(LOG_NOTICE, e->e_id, + "lost input channel from %s to %s after %s", + CurSmtpClient, d, + (c == NULL || c->cmd_name == NULL) ? "startup" : c->cmd_name); + /* + ** If have not accepted mail (DATA), do not bounce + ** bad addresses back to sender. + */ + + if (bitset(EF_CLRQUEUE, e->e_flags)) + e->e_sendqueue = NULL; + goto doquit; + } + + /* also used by "proxy" check below */ + inplen = strlen(inp); +#if SASL + /* + ** SMTP AUTH requires accepting any length, + ** at least for challenge/response. However, not imposing + ** a limit is a bad idea (denial of service). + */ + + if (authenticating != SASL_PROC_AUTH + && sm_strncasecmp(inp, "AUTH ", 5) != 0 + && inplen > MAXLINE) + { + message("421 4.7.0 %s Command too long, possible attack %s", + MyHostName, CurSmtpClient); + sm_syslog(LOG_INFO, e->e_id, + "%s: SMTP violation, input too long: %lu", + CurSmtpClient, (unsigned long) inplen); + goto doquit; + } +#endif /* SASL */ + + if (first) + { + size_t cmdlen; + int idx; + char *http_cmd; + static char *http_cmds[] = { "GET", "POST", + "CONNECT", "USER", NULL }; + + for (idx = 0; (http_cmd = http_cmds[idx]) != NULL; + idx++) + { + cmdlen = strlen(http_cmd); + if (cmdlen < inplen && + sm_strncasecmp(inp, http_cmd, cmdlen) == 0 && + isascii(inp[cmdlen]) && isspace(inp[cmdlen])) + { + /* Open proxy, drop it */ + message("421 4.7.0 %s Rejecting open proxy %s", + MyHostName, CurSmtpClient); + sm_syslog(LOG_INFO, e->e_id, + "%s: probable open proxy: command=%.40s", + CurSmtpClient, inp); + goto doquit; + } + } + first = false; + } + + /* clean up end of line */ + fixcrlf(inp, true); + +#if PIPELINING +# if _FFR_NO_PIPE + /* + ** if there is more input and pipelining is disabled: + ** delay ... (and maybe discard the input?) + ** XXX this doesn't really work, at least in tests using + ** telnet SM_IO_IS_READABLE only returns 1 if there were + ** more than 2 input lines available. + */ + + if (bitset(SRV_NO_PIPE, features) && + sm_io_getinfo(InChannel, SM_IO_IS_READABLE, NULL) > 0) + { + if (++np_log < 3) + sm_syslog(LOG_INFO, NOQID, + "unauthorized PIPELINING, sleeping"); + sleep(1); + } + +# endif /* _FFR_NO_PIPE */ +#endif /* PIPELINING */ + +#if SASL + if (authenticating == SASL_PROC_AUTH) + { +# if 0 + if (*inp == '\0') + { + authenticating = SASL_NOT_AUTH; + message("501 5.5.2 missing input"); + RESET_SASLCONN; + continue; + } +# endif /* 0 */ + if (*inp == '*' && *(inp + 1) == '\0') + { + authenticating = SASL_NOT_AUTH; + + /* RFC 2554 4. */ + message("501 5.0.0 AUTH aborted"); + RESET_SASLCONN; + continue; + } + + /* could this be shorter? XXX */ +# if SASL >= 20000 + in = xalloc(strlen(inp) + 1); + result = sasl_decode64(inp, strlen(inp), in, + strlen(inp), &inlen); +# else /* SASL >= 20000 */ + out = xalloc(strlen(inp)); + result = sasl_decode64(inp, strlen(inp), out, &outlen); +# endif /* SASL >= 20000 */ + if (result != SASL_OK) + { + authenticating = SASL_NOT_AUTH; + + /* RFC 2554 4. */ + message("501 5.5.4 cannot decode AUTH parameter %s", + inp); +# if SASL >= 20000 + sm_free(in); +# endif /* SASL >= 20000 */ + RESET_SASLCONN; + continue; + } + +# if SASL >= 20000 + result = sasl_server_step(conn, in, inlen, + &out, &outlen); + sm_free(in); +# else /* SASL >= 20000 */ + result = sasl_server_step(conn, out, outlen, + &out, &outlen, &errstr); +# endif /* SASL >= 20000 */ + + /* get an OK if we're done */ + if (result == SASL_OK) + { + authenticated: + message("235 2.0.0 OK Authenticated"); + authenticating = SASL_IS_AUTH; + macdefine(&BlankEnvelope.e_macro, A_TEMP, + macid("{auth_type}"), auth_type); + +# if SASL >= 20000 + user = macvalue(macid("{auth_authen}"), e); + + /* get security strength (features) */ + result = sasl_getprop(conn, SASL_SSF, + (const void **) &ssf); +# else /* SASL >= 20000 */ + result = sasl_getprop(conn, SASL_USERNAME, + (void **)&user); + if (result != SASL_OK) + { + user = ""; + macdefine(&BlankEnvelope.e_macro, + A_PERM, + macid("{auth_authen}"), NULL); + } + else + { + macdefine(&BlankEnvelope.e_macro, + A_TEMP, + macid("{auth_authen}"), + xtextify(user, "<>\")")); + } + +# if 0 + /* get realm? */ + sasl_getprop(conn, SASL_REALM, (void **) &data); +# endif /* 0 */ + + /* get security strength (features) */ + result = sasl_getprop(conn, SASL_SSF, + (void **) &ssf); +# endif /* SASL >= 20000 */ + if (result != SASL_OK) + { + macdefine(&BlankEnvelope.e_macro, + A_PERM, + macid("{auth_ssf}"), "0"); + ssf = NULL; + } + else + { + char pbuf[8]; + + (void) sm_snprintf(pbuf, sizeof(pbuf), + "%u", *ssf); + macdefine(&BlankEnvelope.e_macro, + A_TEMP, + macid("{auth_ssf}"), pbuf); + if (tTd(95, 8)) + sm_dprintf("AUTH auth_ssf: %u\n", + *ssf); + } + + /* + ** Only switch to encrypted connection + ** if a security layer has been negotiated + */ + + if (ssf != NULL && *ssf > 0) + { + int tmo; + + /* + ** Convert I/O layer to use SASL. + ** If the call fails, the connection + ** is aborted. + */ + + tmo = TimeOuts.to_datablock * 1000; + if (sfdcsasl(&InChannel, &OutChannel, + conn, tmo) == 0) + { + /* restart dialogue */ + n_helo = 0; +# if PIPELINING + (void) sm_io_autoflush(InChannel, + OutChannel); +# endif /* PIPELINING */ + } + else + syserr("503 5.3.3 SASL TLS failed"); + } + + /* NULL pointer ok since it's our function */ + if (LogLevel > 8) + sm_syslog(LOG_INFO, NOQID, + "AUTH=server, relay=%s, authid=%.128s, mech=%.16s, bits=%d", + CurSmtpClient, + shortenstring(user, 128), + auth_type, *ssf); + } + else if (result == SASL_CONTINUE) + { + len = ENC64LEN(outlen); + out2 = xalloc(len); + result = sasl_encode64(out, outlen, out2, len, + &out2len); + if (result != SASL_OK) + { + /* correct code? XXX */ + /* 454 Temp. authentication failure */ + message("454 4.5.4 Internal error: unable to encode64"); + if (LogLevel > 5) + sm_syslog(LOG_WARNING, e->e_id, + "AUTH encode64 error [%d for \"%s\"]", + result, out); + /* start over? */ + authenticating = SASL_NOT_AUTH; + } + else + { + message("334 %s", out2); + if (tTd(95, 2)) + sm_dprintf("AUTH continue: msg='%s' len=%u\n", + out2, out2len); + } +# if SASL >= 20000 + sm_free(out2); +# endif /* SASL >= 20000 */ + } + else + { + /* not SASL_OK or SASL_CONT */ + message("535 5.7.0 authentication failed"); + if (LogLevel > 9) + sm_syslog(LOG_WARNING, e->e_id, + "AUTH failure (%s): %s (%d) %s", + auth_type, + sasl_errstring(result, NULL, + NULL), + result, +# if SASL >= 20000 + sasl_errdetail(conn)); +# else /* SASL >= 20000 */ + errstr == NULL ? "" : errstr); +# endif /* SASL >= 20000 */ + RESET_SASLCONN; + authenticating = SASL_NOT_AUTH; + } + } + else + { + /* don't want to do any of this if authenticating */ +#endif /* SASL */ + + /* echo command to transcript */ + if (e->e_xfp != NULL) + (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT, + "<<< %s\n", inp); + + if (LogLevel > 14) + sm_syslog(LOG_INFO, e->e_id, "<-- %s", inp); + + /* break off command */ + for (p = inp; isascii(*p) && isspace(*p); p++) + continue; + cmd = cmdbuf; + while (*p != '\0' && + !(isascii(*p) && isspace(*p)) && + cmd < &cmdbuf[sizeof(cmdbuf) - 2]) + *cmd++ = *p++; + *cmd = '\0'; + + /* throw away leading whitespace */ + SKIP_SPACE(p); + + /* decode command */ + for (c = CmdTab; c->cmd_name != NULL; c++) + { + if (sm_strcasecmp(c->cmd_name, cmdbuf) == 0) + break; + } + + /* reset errors */ + errno = 0; + + /* check whether a "non-null" command has been used */ + switch (c->cmd_code) + { +#if SASL + case CMDAUTH: + /* avoid information leak; take first two words? */ + q = "AUTH"; + break; +#endif /* SASL */ + + case CMDMAIL: + case CMDEXPN: + case CMDVRFY: + case CMDETRN: + lognullconnection = false; + /* FALLTHROUGH */ + default: + q = inp; + break; + } + + if (e->e_id == NULL) + sm_setproctitle(true, e, "%s: %.80s", + CurSmtpClient, q); + else + sm_setproctitle(true, e, "%s %s: %.80s", + qid_printname(e), + CurSmtpClient, q); + + /* + ** Process command. + ** + ** If we are running as a null server, return 550 + ** to almost everything. + */ + + if (nullserver != NULL || bitnset(D_ETRNONLY, d_flags)) + { + switch (c->cmd_code) + { + case CMDQUIT: + case CMDHELO: + case CMDEHLO: + case CMDNOOP: + case CMDRSET: + case CMDERROR: + /* process normally */ + break; + + case CMDETRN: + if (bitnset(D_ETRNONLY, d_flags) && + nullserver == NULL) + break; + DELAY_CONN("ETRN"); + /* FALLTHROUGH */ + + default: +#if MAXBADCOMMANDS > 0 + /* theoretically this could overflow */ + if (nullserver != NULL && + ++n_badcmds > MAXBADCOMMANDS) + { + message("421 4.7.0 %s Too many bad commands; closing connection", + MyHostName); + + /* arrange to ignore send list */ + e->e_sendqueue = NULL; + goto doquit; + } +#endif /* MAXBADCOMMANDS > 0 */ + if (nullserver != NULL) + { + if (ISSMTPREPLY(nullserver)) + usrerr(nullserver); + else + usrerr("550 5.0.0 %s", + nullserver); + } + else + usrerr("452 4.4.5 Insufficient disk space; try again later"); + continue; + } + } + + switch (c->cmd_code) + { +#if SASL + case CMDAUTH: /* sasl */ + DELAY_CONN("AUTH"); + if (!sasl_ok || n_mechs <= 0) + { + message("503 5.3.3 AUTH not available"); + break; + } + if (authenticating == SASL_IS_AUTH) + { + message("503 5.5.0 Already Authenticated"); + break; + } + if (smtp.sm_gotmail) + { + message("503 5.5.0 AUTH not permitted during a mail transaction"); + break; + } + if (tempfail) + { + if (LogLevel > 9) + sm_syslog(LOG_INFO, e->e_id, + "SMTP AUTH command (%.100s) from %s tempfailed (due to previous checks)", + p, CurSmtpClient); + usrerr("454 4.3.0 Please try again later"); + break; + } + + ismore = false; + + /* crude way to avoid crack attempts */ + STOP_IF_ATTACK(checksmtpattack(&n_auth, n_mechs + 1, + true, "AUTH", e)); + + /* make sure mechanism (p) is a valid string */ + for (q = p; *q != '\0' && isascii(*q); q++) + { + if (isspace(*q)) + { + *q = '\0'; + while (*++q != '\0' && + isascii(*q) && isspace(*q)) + continue; + *(q - 1) = '\0'; + ismore = (*q != '\0'); + break; + } + } + + if (*p == '\0') + { + message("501 5.5.2 AUTH mechanism must be specified"); + break; + } + + /* check whether mechanism is available */ + if (iteminlist(p, mechlist, " ") == NULL) + { + message("504 5.3.3 AUTH mechanism %.32s not available", + p); + break; + } + + /* + ** RFC 2554 4. + ** Unlike a zero-length client answer to a + ** 334 reply, a zero- length initial response + ** is sent as a single equals sign ("="). + */ + + if (ismore && *q == '=' && *(q + 1) == '\0') + { + /* will be free()d, don't use in=""; */ + in = xalloc(1); + *in = '\0'; + inlen = 0; + } + else if (ismore) + { + /* could this be shorter? XXX */ +# if SASL >= 20000 + in = xalloc(strlen(q) + 1); + result = sasl_decode64(q, strlen(q), in, + strlen(q), &inlen); +# else /* SASL >= 20000 */ + in = sm_rpool_malloc(e->e_rpool, strlen(q)); + result = sasl_decode64(q, strlen(q), in, + &inlen); +# endif /* SASL >= 20000 */ + if (result != SASL_OK) + { + message("501 5.5.4 cannot BASE64 decode '%s'", + q); + if (LogLevel > 5) + sm_syslog(LOG_WARNING, e->e_id, + "AUTH decode64 error [%d for \"%s\"]", + result, q); + /* start over? */ + authenticating = SASL_NOT_AUTH; +# if SASL >= 20000 + sm_free(in); +# endif /* SASL >= 20000 */ + in = NULL; + inlen = 0; + break; + } + } + else + { + in = NULL; + inlen = 0; + } + + /* see if that auth type exists */ +# if SASL >= 20000 + result = sasl_server_start(conn, p, in, inlen, + &out, &outlen); + if (in != NULL) + sm_free(in); +# else /* SASL >= 20000 */ + result = sasl_server_start(conn, p, in, inlen, + &out, &outlen, &errstr); +# endif /* SASL >= 20000 */ + + if (result != SASL_OK && result != SASL_CONTINUE) + { + message("535 5.7.0 authentication failed"); + if (LogLevel > 9) + sm_syslog(LOG_ERR, e->e_id, + "AUTH failure (%s): %s (%d) %s", + p, + sasl_errstring(result, NULL, + NULL), + result, +# if SASL >= 20000 + sasl_errdetail(conn)); +# else /* SASL >= 20000 */ + errstr); +# endif /* SASL >= 20000 */ + RESET_SASLCONN; + break; + } + auth_type = newstr(p); + + if (result == SASL_OK) + { + /* ugly, but same code */ + goto authenticated; + /* authenticated by the initial response */ + } + + /* len is at least 2 */ + len = ENC64LEN(outlen); + out2 = xalloc(len); + result = sasl_encode64(out, outlen, out2, len, + &out2len); + + if (result != SASL_OK) + { + message("454 4.5.4 Temporary authentication failure"); + if (LogLevel > 5) + sm_syslog(LOG_WARNING, e->e_id, + "AUTH encode64 error [%d for \"%s\"]", + result, out); + + /* start over? */ + authenticating = SASL_NOT_AUTH; + RESET_SASLCONN; + } + else + { + message("334 %s", out2); + authenticating = SASL_PROC_AUTH; + } +# if SASL >= 20000 + sm_free(out2); +# endif /* SASL >= 20000 */ + break; +#endif /* SASL */ + +#if STARTTLS + case CMDSTLS: /* starttls */ + DELAY_CONN("STARTTLS"); + if (*p != '\0') + { + message("501 5.5.2 Syntax error (no parameters allowed)"); + break; + } + if (!bitset(SRV_OFFER_TLS, features)) + { + message("503 5.5.0 TLS not available"); + break; + } + if (!tls_ok_srv) + { + message("454 4.3.3 TLS not available after start"); + break; + } + if (smtp.sm_gotmail) + { + message("503 5.5.0 TLS not permitted during a mail transaction"); + break; + } + if (tempfail) + { + if (LogLevel > 9) + sm_syslog(LOG_INFO, e->e_id, + "SMTP STARTTLS command (%.100s) from %s tempfailed (due to previous checks)", + p, CurSmtpClient); + usrerr("454 4.7.0 Please try again later"); + break; + } + starttls: +# if TLS_NO_RSA + /* + ** XXX do we need a temp key ? + */ +# else /* TLS_NO_RSA */ +# endif /* TLS_NO_RSA */ + +# if TLS_VRFY_PER_CTX + /* + ** Note: this sets the verification globally + ** (per SSL_CTX) + ** it's ok since it applies only to one transaction + */ + + TLS_VERIFY_CLIENT(); +# endif /* TLS_VRFY_PER_CTX */ + + if (srv_ssl != NULL) + SSL_clear(srv_ssl); + else if ((srv_ssl = SSL_new(srv_ctx)) == NULL) + { + message("454 4.3.3 TLS not available: error generating SSL handle"); + if (LogLevel > 8) + tlslogerr("server"); + goto tls_done; + } + +# if !TLS_VRFY_PER_CTX + /* + ** this could be used if it were possible to set + ** verification per SSL (connection) + ** not just per SSL_CTX (global) + */ + + TLS_VERIFY_CLIENT(); +# endif /* !TLS_VRFY_PER_CTX */ + + rfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL); + wfd = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL); + + if (rfd < 0 || wfd < 0 || + SSL_set_rfd(srv_ssl, rfd) <= 0 || + SSL_set_wfd(srv_ssl, wfd) <= 0) + { + message("454 4.3.3 TLS not available: error set fd"); + SSL_free(srv_ssl); + srv_ssl = NULL; + goto tls_done; + } + if (!smtps) + message("220 2.0.0 Ready to start TLS"); +# if PIPELINING + (void) sm_io_flush(OutChannel, SM_TIME_DEFAULT); +# endif /* PIPELINING */ + + SSL_set_accept_state(srv_ssl); + +# define SSL_ACC(s) SSL_accept(s) + + tlsstart = curtime(); + ssl_retry: + if ((r = SSL_ACC(srv_ssl)) <= 0) + { + int i, ssl_err; + + ssl_err = SSL_get_error(srv_ssl, r); + i = tls_retry(srv_ssl, rfd, wfd, tlsstart, + TimeOuts.to_starttls, ssl_err, + "server"); + if (i > 0) + goto ssl_retry; + + if (LogLevel > 5) + { + sm_syslog(LOG_WARNING, NOQID, + "STARTTLS=server, error: accept failed=%d, SSL_error=%d, errno=%d, retry=%d", + r, ssl_err, errno, i); + if (LogLevel > 8) + tlslogerr("server"); + } + tls_ok_srv = false; + SSL_free(srv_ssl); + srv_ssl = NULL; + + /* + ** according to the next draft of + ** RFC 2487 the connection should be dropped + */ + + /* arrange to ignore any current send list */ + e->e_sendqueue = NULL; + goto doquit; + } + + /* ignore return code for now, it's in {verify} */ + (void) tls_get_info(srv_ssl, true, + CurSmtpClient, + &BlankEnvelope.e_macro, + bitset(SRV_VRFY_CLT, features)); + + /* + ** call Stls_client to find out whether + ** to accept the connection from the client + */ + + saveQuickAbort = QuickAbort; + saveSuprErrs = SuprErrs; + SuprErrs = true; + QuickAbort = false; + if (rscheck("tls_client", + macvalue(macid("{verify}"), e), + "STARTTLS", e, + RSF_RMCOMM|RSF_COUNT, + 5, NULL, NOQID, NULL) != EX_OK || + Errors > 0) + { + extern char MsgBuf[]; + + if (MsgBuf[0] != '\0' && ISSMTPREPLY(MsgBuf)) + nullserver = newstr(MsgBuf); + else + nullserver = "503 5.7.0 Authentication required."; + } + QuickAbort = saveQuickAbort; + SuprErrs = saveSuprErrs; + + tls_ok_srv = false; /* don't offer STARTTLS again */ + n_helo = 0; +# if SASL + if (sasl_ok) + { + int cipher_bits; + bool verified; + char *s, *v, *c; + + s = macvalue(macid("{cipher_bits}"), e); + v = macvalue(macid("{verify}"), e); + c = macvalue(macid("{cert_subject}"), e); + verified = (v != NULL && strcmp(v, "OK") == 0); + if (s != NULL && (cipher_bits = atoi(s)) > 0) + { +# if SASL >= 20000 + ext_ssf = cipher_bits; + auth_id = verified ? c : NULL; + sasl_ok = ((sasl_setprop(conn, + SASL_SSF_EXTERNAL, + &ext_ssf) == SASL_OK) && + (sasl_setprop(conn, + SASL_AUTH_EXTERNAL, + auth_id) == SASL_OK)); +# else /* SASL >= 20000 */ + ext_ssf.ssf = cipher_bits; + ext_ssf.auth_id = verified ? c : NULL; + sasl_ok = sasl_setprop(conn, + SASL_SSF_EXTERNAL, + &ext_ssf) == SASL_OK; +# endif /* SASL >= 20000 */ + mechlist = NULL; + if (sasl_ok) + n_mechs = saslmechs(conn, + &mechlist); + } + } +# endif /* SASL */ + + /* switch to secure connection */ + if (sfdctls(&InChannel, &OutChannel, srv_ssl) == 0) + { + tls_active = true; +# if PIPELINING + (void) sm_io_autoflush(InChannel, OutChannel); +# endif /* PIPELINING */ + } + else + { + /* + ** XXX this is an internal error + ** how to deal with it? + ** we can't generate an error message + ** since the other side switched to an + ** encrypted layer, but we could not... + ** just "hang up"? + */ + + nullserver = "454 4.3.3 TLS not available: can't switch to encrypted layer"; + syserr("STARTTLS: can't switch to encrypted layer"); + } + tls_done: + if (smtps) + { + if (tls_active) + goto greeting; + else + goto doquit; + } + break; +#endif /* STARTTLS */ + + case CMDHELO: /* hello -- introduce yourself */ + case CMDEHLO: /* extended hello */ + DELAY_CONN("EHLO"); + if (c->cmd_code == CMDEHLO) + { + protocol = "ESMTP"; + SmtpPhase = "server EHLO"; + } + else + { + protocol = "SMTP"; + SmtpPhase = "server HELO"; + } + + /* avoid denial-of-service */ + STOP_IF_ATTACK(checksmtpattack(&n_helo, MAXHELOCOMMANDS, + true, "HELO/EHLO", e)); + +#if 0 + /* RFC2821 4.1.4 allows duplicate HELO/EHLO */ + /* check for duplicate HELO/EHLO per RFC 1651 4.2 */ + if (gothello) + { + usrerr("503 %s Duplicate HELO/EHLO", + MyHostName); + break; + } +#endif /* 0 */ + + /* check for valid domain name (re 1123 5.2.5) */ + if (*p == '\0' && !AllowBogusHELO) + { + usrerr("501 %s requires domain address", + cmdbuf); + break; + } + + /* check for long domain name (hides Received: info) */ + if (strlen(p) > MAXNAME) + { + usrerr("501 Invalid domain name"); + if (LogLevel > 9) + sm_syslog(LOG_INFO, CurEnv->e_id, + "invalid domain name (too long) from %s", + CurSmtpClient); + break; + } + + ok = true; + for (q = p; *q != '\0'; q++) + { + if (!isascii(*q)) + break; + if (isalnum(*q)) + continue; + if (isspace(*q)) + { + *q = '\0'; + + /* only complain if strict check */ + ok = AllowBogusHELO; + + /* allow trailing whitespace */ + while (!ok && *++q != '\0' && + isspace(*q)) + ; + if (*q == '\0') + ok = true; + break; + } + if (strchr("[].-_#:", *q) == NULL) + break; + } + + if (*q == '\0' && ok) + { + q = "pleased to meet you"; + sendinghost = sm_strdup_x(p); + } + else if (!AllowBogusHELO) + { + usrerr("501 Invalid domain name"); + if (LogLevel > 9) + sm_syslog(LOG_INFO, CurEnv->e_id, + "invalid domain name (%s) from %.100s", + p, CurSmtpClient); + break; + } + else + { + q = "accepting invalid domain name"; + } + + if (gothello || smtp.sm_gotmail) + CLEAR_STATE(cmdbuf); + +#if MILTER + if (smtp.sm_milterlist && smtp.sm_milterize && + !bitset(EF_DISCARD, e->e_flags)) + { + char state; + char *response; + + response = milter_helo(p, e, &state); + switch (state) + { + case SMFIR_REJECT: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: helo=%s, reject=Command rejected", + p); + nullserver = "Command rejected"; + smtp.sm_milterize = false; + break; + + case SMFIR_TEMPFAIL: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: helo=%s, reject=%s", + p, MSG_TEMPFAIL); + tempfail = true; + smtp.sm_milterize = false; + break; + + case SMFIR_REPLYCODE: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: helo=%s, reject=%s", + p, response); + if (strncmp(response, "421 ", 4) != 0 + && strncmp(response, "421-", 4) != 0) + { + nullserver = newstr(response); + smtp.sm_milterize = false; + break; + } + /* FALLTHROUGH */ + + case SMFIR_SHUTDOWN: + if (MilterLogLevel > 3 && + response == NULL) + sm_syslog(LOG_INFO, e->e_id, + "Milter: helo=%s, reject=421 4.7.0 %s closing connection", + p, MyHostName); + tempfail = true; + smtp.sm_milterize = false; + if (response != NULL) + usrerr(response); + else + message("421 4.7.0 %s closing connection", + MyHostName); + /* arrange to ignore send list */ + e->e_sendqueue = NULL; + lognullconnection = false; + goto doquit; + } + if (response != NULL) + sm_free(response); + + /* + ** If quarantining by a connect/ehlo action, + ** save between messages + */ + + if (smtp.sm_quarmsg == NULL && + e->e_quarmsg != NULL) + smtp.sm_quarmsg = newstr(e->e_quarmsg); + } +#endif /* MILTER */ + gothello = true; + + /* print HELO response message */ + if (c->cmd_code != CMDEHLO) + { + message("250 %s Hello %s, %s", + MyHostName, CurSmtpClient, q); + break; + } + + message("250-%s Hello %s, %s", + MyHostName, CurSmtpClient, q); + + /* offer ENHSC even for nullserver */ + if (nullserver != NULL) + { + message("250 ENHANCEDSTATUSCODES"); + break; + } + + /* + ** print EHLO features list + ** + ** Note: If you change this list, + ** remember to update 'helpfile' + */ + + message("250-ENHANCEDSTATUSCODES"); +#if PIPELINING + if (bitset(SRV_OFFER_PIPE, features)) + message("250-PIPELINING"); +#endif /* PIPELINING */ + if (bitset(SRV_OFFER_EXPN, features)) + { + message("250-EXPN"); + if (bitset(SRV_OFFER_VERB, features)) + message("250-VERB"); + } +#if MIME8TO7 + message("250-8BITMIME"); +#endif /* MIME8TO7 */ + if (MaxMessageSize > 0) + message("250-SIZE %ld", MaxMessageSize); + else + message("250-SIZE"); +#if DSN + if (SendMIMEErrors && bitset(SRV_OFFER_DSN, features)) + message("250-DSN"); +#endif /* DSN */ + if (bitset(SRV_OFFER_ETRN, features)) + message("250-ETRN"); +#if SASL + if (sasl_ok && mechlist != NULL && *mechlist != '\0') + message("250-AUTH %s", mechlist); +#endif /* SASL */ +#if STARTTLS + if (tls_ok_srv && + bitset(SRV_OFFER_TLS, features)) + message("250-STARTTLS"); +#endif /* STARTTLS */ + if (DeliverByMin > 0) + message("250-DELIVERBY %ld", + (long) DeliverByMin); + else if (DeliverByMin == 0) + message("250-DELIVERBY"); + + /* < 0: no deliver-by */ + + message("250 HELP"); + break; + + case CMDMAIL: /* mail -- designate sender */ + SmtpPhase = "server MAIL"; + DELAY_CONN("MAIL"); + + /* check for validity of this command */ + if (!gothello && bitset(PRIV_NEEDMAILHELO, PrivacyFlags)) + { + usrerr("503 5.0.0 Polite people say HELO first"); + break; + } + if (smtp.sm_gotmail) + { + usrerr("503 5.5.0 Sender already specified"); + break; + } +#if SASL + if (bitset(SRV_REQ_AUTH, features) && + authenticating != SASL_IS_AUTH) + { + usrerr("530 5.7.0 Authentication required"); + break; + } +#endif /* SASL */ + + p = skipword(p, "from"); + if (p == NULL) + break; + if (tempfail) + { + if (LogLevel > 9) + sm_syslog(LOG_INFO, e->e_id, + "SMTP MAIL command (%.100s) from %s tempfailed (due to previous checks)", + p, CurSmtpClient); + usrerr(MSG_TEMPFAIL); + break; + } + + /* make sure we know who the sending host is */ + if (sendinghost == NULL) + sendinghost = peerhostname; + + +#if SM_HEAP_CHECK + if (sm_debug_active(&DebugLeakSmtp, 1)) + { + sm_heap_newgroup(); + sm_dprintf("smtp() heap group #%d\n", + sm_heap_group()); + } +#endif /* SM_HEAP_CHECK */ + + if (Errors > 0) + goto undo_no_pm; + if (!gothello) + { + auth_warning(e, "%s didn't use HELO protocol", + CurSmtpClient); + } +#ifdef PICKY_HELO_CHECK + if (sm_strcasecmp(sendinghost, peerhostname) != 0 && + (sm_strcasecmp(peerhostname, "localhost") != 0 || + sm_strcasecmp(sendinghost, MyHostName) != 0)) + { + auth_warning(e, "Host %s claimed to be %s", + CurSmtpClient, sendinghost); + } +#endif /* PICKY_HELO_CHECK */ + + if (protocol == NULL) + protocol = "SMTP"; + macdefine(&e->e_macro, A_PERM, 'r', protocol); + macdefine(&e->e_macro, A_PERM, 's', sendinghost); + + if (Errors > 0) + goto undo_no_pm; + smtp.sm_nrcpts = 0; + n_badrcpts = 0; + macdefine(&e->e_macro, A_PERM, macid("{ntries}"), "0"); + macdefine(&e->e_macro, A_PERM, macid("{nrcpts}"), "0"); + macdefine(&e->e_macro, A_PERM, macid("{nbadrcpts}"), + "0"); + e->e_flags |= EF_CLRQUEUE; + sm_setproctitle(true, e, "%s %s: %.80s", + qid_printname(e), + CurSmtpClient, inp); + + /* do the processing */ + SM_TRY + { + extern char *FullName; + + QuickAbort = true; + SM_FREE_CLR(FullName); + + /* must parse sender first */ + delimptr = NULL; + setsender(p, e, &delimptr, ' ', false); + if (delimptr != NULL && *delimptr != '\0') + *delimptr++ = '\0'; + if (Errors > 0) + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + + /* Successfully set e_from, allow logging */ + e->e_flags |= EF_LOGSENDER; + + /* put resulting triple from parseaddr() into macros */ + if (e->e_from.q_mailer != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{mail_mailer}"), + e->e_from.q_mailer->m_name); + else + macdefine(&e->e_macro, A_PERM, + macid("{mail_mailer}"), NULL); + if (e->e_from.q_host != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{mail_host}"), + e->e_from.q_host); + else + macdefine(&e->e_macro, A_PERM, + macid("{mail_host}"), "localhost"); + if (e->e_from.q_user != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{mail_addr}"), + e->e_from.q_user); + else + macdefine(&e->e_macro, A_PERM, + macid("{mail_addr}"), NULL); + if (Errors > 0) + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + + /* check for possible spoofing */ + if (RealUid != 0 && OpMode == MD_SMTP && + !wordinclass(RealUserName, 't') && + (!bitnset(M_LOCALMAILER, + e->e_from.q_mailer->m_flags) || + strcmp(e->e_from.q_user, RealUserName) != 0)) + { + auth_warning(e, "%s owned process doing -bs", + RealUserName); + } + + /* reset to default value */ + SevenBitInput = SevenBitInput_Saved; + + /* now parse ESMTP arguments */ + e->e_msgsize = 0; + addr = p; + parse_esmtp_args(e, NULL, p, delimptr, "MAIL", args, + mail_esmtp_args); + if (Errors > 0) + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + +#if SASL +# if _FFR_AUTH_PASSING + /* set the default AUTH= if the sender didn't */ + if (e->e_auth_param == NULL) + { + /* XXX only do this for an MSA? */ + e->e_auth_param = macvalue(macid("{auth_authen}"), + e); + if (e->e_auth_param == NULL) + e->e_auth_param = "<>"; + + /* + ** XXX should we invoke Strust_auth now? + ** authorizing as the client that just + ** authenticated, so we'll trust implicitly + */ + } +# endif /* _FFR_AUTH_PASSING */ +#endif /* SASL */ + + /* do config file checking of the sender */ + macdefine(&e->e_macro, A_PERM, + macid("{addr_type}"), "e s"); +#if _FFR_MAIL_MACRO + /* make the "real" sender address available */ + macdefine(&e->e_macro, A_TEMP, macid("{mail_from}"), + e->e_from.q_paddr); +#endif /* _FFR_MAIL_MACRO */ + if (rscheck("check_mail", addr, + NULL, e, RSF_RMCOMM|RSF_COUNT, 3, + NULL, e->e_id, NULL) != EX_OK || + Errors > 0) + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + macdefine(&e->e_macro, A_PERM, + macid("{addr_type}"), NULL); + + if (MaxMessageSize > 0 && + (e->e_msgsize > MaxMessageSize || + e->e_msgsize < 0)) + { + usrerr("552 5.2.3 Message size exceeds fixed maximum message size (%ld)", + MaxMessageSize); + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + } + + /* + ** XXX always check whether there is at least one fs + ** with enough space? + ** However, this may not help much: the queue group + ** selection may later on select a FS that hasn't + ** enough space. + */ + + if ((NumFileSys == 1 || NumQueue == 1) && + !enoughdiskspace(e->e_msgsize, e) +#if _FFR_ANY_FREE_FS + && !filesys_free(e->e_msgsize) +#endif /* _FFR_ANY_FREE_FS */ + ) + { + /* + ** We perform this test again when the + ** queue directory is selected, in collect. + */ + + usrerr("452 4.4.5 Insufficient disk space; try again later"); + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + } + if (Errors > 0) + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + + LogUsrErrs = true; +#if MILTER + if (smtp.sm_milterlist && smtp.sm_milterize && + !bitset(EF_DISCARD, e->e_flags)) + { + char state; + char *response; + + response = milter_envfrom(args, e, &state); + MILTER_REPLY("from"); + } +#endif /* MILTER */ + if (Errors > 0) + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + + message("250 2.1.0 Sender ok"); + smtp.sm_gotmail = true; + } + SM_EXCEPT(exc, "[!F]*") + { + /* + ** An error occurred while processing a MAIL command. + ** Jump to the common error handling code. + */ + + sm_exc_free(exc); + goto undo_no_pm; + } + SM_END_TRY + break; + + undo_no_pm: + e->e_flags &= ~EF_PM_NOTIFY; + undo: + break; + + case CMDRCPT: /* rcpt -- designate recipient */ + DELAY_CONN("RCPT"); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_mailer}"), NULL); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_host}"), NULL); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_addr}"), NULL); +#if MILTER + (void) memset(&addr_st, '\0', sizeof(addr_st)); + a = NULL; + milter_rcpt_added = false; + smtp.sm_e_nrcpts_orig = e->e_nrcpts; +#endif + if (BadRcptThrottle > 0 && + n_badrcpts >= BadRcptThrottle) + { + if (LogLevel > 5 && + n_badrcpts == BadRcptThrottle) + { + sm_syslog(LOG_INFO, e->e_id, + "%s: Possible SMTP RCPT flood, throttling.", + CurSmtpClient); + + /* To avoid duplicated message */ + n_badrcpts++; + } + NBADRCPTS; + + /* + ** Don't use exponential backoff for now. + ** Some servers will open more connections + ** and actually overload the receiver even + ** more. + */ + + (void) sleep(1); + } + if (!smtp.sm_gotmail) + { + usrerr("503 5.0.0 Need MAIL before RCPT"); + break; + } + SmtpPhase = "server RCPT"; + SM_TRY + { + QuickAbort = true; + LogUsrErrs = true; + + /* limit flooding of our machine */ + if (MaxRcptPerMsg > 0 && + smtp.sm_nrcpts >= MaxRcptPerMsg) + { + /* sleep(1); / * slow down? */ + usrerr("452 4.5.3 Too many recipients"); + goto rcpt_done; + } + + if (e->e_sendmode != SM_DELIVER +#if _FFR_DM_ONE + && (NotFirstDelivery || SM_DM_ONE != e->e_sendmode) +#endif /* _FFR_DM_ONE */ + ) + e->e_flags |= EF_VRFYONLY; + +#if MILTER + /* + ** Do not expand recipients at RCPT time (in the call + ** to recipient()) if a milter can delete or reject + ** a RCPT. If they are expanded, it is impossible + ** for removefromlist() to figure out the expanded + ** members of the original recipient and mark them + ** as QS_DONTSEND. + */ + + if (!(smtp.sm_milterlist && smtp.sm_milterize && + !bitset(EF_DISCARD, e->e_flags)) && + (smtp.sm_milters.mis_flags & + (MIS_FL_DEL_RCPT|MIS_FL_REJ_RCPT)) != 0) + e->e_flags |= EF_VRFYONLY; + milter_cmd_done = false; + milter_cmd_safe = false; +#endif /* MILTER */ + + p = skipword(p, "to"); + if (p == NULL) + goto rcpt_done; + macdefine(&e->e_macro, A_PERM, + macid("{addr_type}"), "e r"); + a = parseaddr(p, NULLADDR, RF_COPYALL, ' ', &delimptr, + e, true); + macdefine(&e->e_macro, A_PERM, + macid("{addr_type}"), NULL); + if (Errors > 0) + goto rcpt_done; + if (a == NULL) + { + usrerr("501 5.0.0 Missing recipient"); + goto rcpt_done; + } + + if (delimptr != NULL && *delimptr != '\0') + *delimptr++ = '\0'; + + /* put resulting triple from parseaddr() into macros */ + if (a->q_mailer != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_mailer}"), + a->q_mailer->m_name); + else + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_mailer}"), NULL); + if (a->q_host != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_host}"), a->q_host); + else + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_host}"), "localhost"); + if (a->q_user != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_addr}"), a->q_user); + else + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_addr}"), NULL); + if (Errors > 0) + goto rcpt_done; + + /* now parse ESMTP arguments */ + addr = p; + parse_esmtp_args(e, a, p, delimptr, "RCPT", args, + rcpt_esmtp_args); + if (Errors > 0) + goto rcpt_done; + +#if MILTER + /* + ** rscheck() can trigger an "exception" + ** in which case the execution continues at + ** SM_EXCEPT(exc, "[!F]*") + ** This means milter_cmd_safe is not set + ** and hence milter is not invoked. + ** Would it be "safe" to change that, i.e., use + ** milter_cmd_safe = true; + ** here so a milter is informed (if requested) + ** about RCPTs that are rejected by check_rcpt? + */ +# if _FFR_MILTER_CHECK_REJECTIONS_TOO + milter_cmd_safe = true; +# endif +#endif + + /* do config file checking of the recipient */ + macdefine(&e->e_macro, A_PERM, + macid("{addr_type}"), "e r"); + if (rscheck("check_rcpt", addr, + NULL, e, RSF_RMCOMM|RSF_COUNT, 3, + NULL, e->e_id, p_addr_st) != EX_OK || + Errors > 0) + goto rcpt_done; + macdefine(&e->e_macro, A_PERM, + macid("{addr_type}"), NULL); + + /* If discarding, don't bother to verify user */ + if (bitset(EF_DISCARD, e->e_flags)) + a->q_state = QS_VERIFIED; +#if MILTER + milter_cmd_safe = true; +#endif + + /* save in recipient list after ESMTP mods */ + a = recipient(a, &e->e_sendqueue, 0, e); + /* may trigger exception... */ + +#if MILTER + milter_rcpt_added = true; +#endif + + if(!(Errors > 0) && QS_IS_BADADDR(a->q_state)) + { + /* punt -- should keep message in ADDRESS.... */ + usrerr("550 5.1.1 Addressee unknown"); + } + +#if MILTER + rcpt_done: + if (smtp.sm_milterlist && smtp.sm_milterize && + !bitset(EF_DISCARD, e->e_flags)) + { + char state; + char *response; + + /* how to get the error codes? */ + if (Errors > 0) + { + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_mailer}"), + "error"); + if (a != NULL && + a->q_status != NULL && + a->q_rstatus != NULL) + { + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_host}"), + a->q_status); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_addr}"), + a->q_rstatus); + } + else + { + if (addr_st.q_host != NULL) + macdefine(&e->e_macro, + A_PERM, + macid("{rcpt_host}"), + addr_st.q_host); + if (addr_st.q_user != NULL) + macdefine(&e->e_macro, + A_PERM, + macid("{rcpt_addr}"), + addr_st.q_user); + } + } + + response = milter_envrcpt(args, e, &state, + Errors > 0); + milter_cmd_done = true; + MILTER_REPLY("to"); + } +#endif /* MILTER */ + + /* no errors during parsing, but might be a duplicate */ + e->e_to = a->q_paddr; + if (!(Errors > 0) && !QS_IS_BADADDR(a->q_state)) + { + if (smtp.sm_nrcpts == 0) + initsys(e); + message("250 2.1.5 Recipient ok%s", + QS_IS_QUEUEUP(a->q_state) ? + " (will queue)" : ""); + smtp.sm_nrcpts++; + } + + /* Is this needed? */ +#if !MILTER + rcpt_done: +#endif /* !MILTER */ + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_mailer}"), NULL); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_host}"), NULL); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_addr}"), NULL); + macdefine(&e->e_macro, A_PERM, + macid("{dsn_notify}"), NULL); + + if (Errors > 0) + { + ++n_badrcpts; + NBADRCPTS; + } + } + SM_EXCEPT(exc, "[!F]*") + { + /* An exception occurred while processing RCPT */ + e->e_flags &= ~(EF_FATALERRS|EF_PM_NOTIFY); + ++n_badrcpts; + NBADRCPTS; +#if MILTER + if (smtp.sm_milterlist && smtp.sm_milterize && + !bitset(EF_DISCARD, e->e_flags) && + !milter_cmd_done && milter_cmd_safe) + { + char state; + char *response; + + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_mailer}"), "error"); + + /* how to get the error codes? */ + if (addr_st.q_host != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_host}"), + addr_st.q_host); + else if (a != NULL && a->q_status != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_host}"), + a->q_status); + + if (addr_st.q_user != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_addr}"), + addr_st.q_user); + else if (a != NULL && a->q_rstatus != NULL) + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_addr}"), + a->q_rstatus); + + response = milter_envrcpt(args, e, &state, + true); + milter_cmd_done = true; + MILTER_REPLY("to"); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_mailer}"), NULL); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_host}"), NULL); + macdefine(&e->e_macro, A_PERM, + macid("{rcpt_addr}"), NULL); + } + if (smtp.sm_milterlist && smtp.sm_milterize && + milter_rcpt_added && milter_cmd_done && + milter_cmd_fail) + { + (void) removefromlist(addr, &e->e_sendqueue, e); + milter_cmd_fail = false; + if (smtp.sm_e_nrcpts_orig < e->e_nrcpts) + e->e_nrcpts = smtp.sm_e_nrcpts_orig; + } +#endif /* MILTER */ + } + SM_END_TRY + break; + + case CMDDATA: /* data -- text of mail */ + DELAY_CONN("DATA"); + if (!smtp_data(&smtp, e)) + goto doquit; + break; + + case CMDRSET: /* rset -- reset state */ + if (tTd(94, 100)) + message("451 4.0.0 Test failure"); + else + message("250 2.0.0 Reset state"); + CLEAR_STATE(cmdbuf); + break; + + case CMDVRFY: /* vrfy -- verify address */ + case CMDEXPN: /* expn -- expand address */ + vrfy = c->cmd_code == CMDVRFY; + DELAY_CONN(vrfy ? "VRFY" : "EXPN"); + if (tempfail) + { + if (LogLevel > 9) + sm_syslog(LOG_INFO, e->e_id, + "SMTP %s command (%.100s) from %s tempfailed (due to previous checks)", + vrfy ? "VRFY" : "EXPN", + p, CurSmtpClient); + + /* RFC 821 doesn't allow 4xy reply code */ + usrerr("550 5.7.1 Please try again later"); + break; + } + wt = checksmtpattack(&n_verifies, MAXVRFYCOMMANDS, + false, vrfy ? "VRFY" : "EXPN", e); + STOP_IF_ATTACK(wt); + previous = curtime(); + if ((vrfy && bitset(PRIV_NOVRFY, PrivacyFlags)) || + (!vrfy && !bitset(SRV_OFFER_EXPN, features))) + { + if (vrfy) + message("252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)"); + else + message("502 5.7.0 Sorry, we do not allow this operation"); + if (LogLevel > 5) + sm_syslog(LOG_INFO, e->e_id, + "%s: %s [rejected]", + CurSmtpClient, + shortenstring(inp, MAXSHORTSTR)); + break; + } + else if (!gothello && + bitset(vrfy ? PRIV_NEEDVRFYHELO : PRIV_NEEDEXPNHELO, + PrivacyFlags)) + { + usrerr("503 5.0.0 I demand that you introduce yourself first"); + break; + } + if (Errors > 0) + break; + if (LogLevel > 5) + sm_syslog(LOG_INFO, e->e_id, "%s: %s", + CurSmtpClient, + shortenstring(inp, MAXSHORTSTR)); + SM_TRY + { + QuickAbort = true; + vrfyqueue = NULL; + if (vrfy) + e->e_flags |= EF_VRFYONLY; + while (*p != '\0' && isascii(*p) && isspace(*p)) + p++; + if (*p == '\0') + { + usrerr("501 5.5.2 Argument required"); + } + else + { + /* do config file checking of the address */ + if (rscheck(vrfy ? "check_vrfy" : "check_expn", + p, NULL, e, RSF_RMCOMM, + 3, NULL, NOQID, NULL) != EX_OK || + Errors > 0) + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + (void) sendtolist(p, NULLADDR, &vrfyqueue, 0, e); + } + if (wt > 0) + { + time_t t; + + t = wt - (curtime() - previous); + if (t > 0) + (void) sleep(t); + } + if (Errors > 0) + sm_exc_raisenew_x(&EtypeQuickAbort, 1); + if (vrfyqueue == NULL) + { + usrerr("554 5.5.2 Nothing to %s", vrfy ? "VRFY" : "EXPN"); + } + while (vrfyqueue != NULL) + { + if (!QS_IS_UNDELIVERED(vrfyqueue->q_state)) + { + vrfyqueue = vrfyqueue->q_next; + continue; + } + + /* see if there is more in the vrfy list */ + a = vrfyqueue; + while ((a = a->q_next) != NULL && + (!QS_IS_UNDELIVERED(a->q_state))) + continue; + printvrfyaddr(vrfyqueue, a == NULL, vrfy); + vrfyqueue = a; + } + } + SM_EXCEPT(exc, "[!F]*") + { + /* + ** An exception occurred while processing VRFY/EXPN + */ + + sm_exc_free(exc); + goto undo; + } + SM_END_TRY + break; + + case CMDETRN: /* etrn -- force queue flush */ + DELAY_CONN("ETRN"); + + /* Don't leak queue information via debug flags */ + if (!bitset(SRV_OFFER_ETRN, features) || UseMSP || + (RealUid != 0 && RealUid != TrustedUid && + OpMode == MD_SMTP)) + { + /* different message for MSA ? */ + message("502 5.7.0 Sorry, we do not allow this operation"); + if (LogLevel > 5) + sm_syslog(LOG_INFO, e->e_id, + "%s: %s [rejected]", + CurSmtpClient, + shortenstring(inp, MAXSHORTSTR)); + break; + } + if (tempfail) + { + if (LogLevel > 9) + sm_syslog(LOG_INFO, e->e_id, + "SMTP ETRN command (%.100s) from %s tempfailed (due to previous checks)", + p, CurSmtpClient); + usrerr(MSG_TEMPFAIL); + break; + } + + if (strlen(p) <= 0) + { + usrerr("500 5.5.2 Parameter required"); + break; + } + + /* crude way to avoid denial-of-service attacks */ + STOP_IF_ATTACK(checksmtpattack(&n_etrn, MAXETRNCOMMANDS, + true, "ETRN", e)); + + /* + ** Do config file checking of the parameter. + ** Even though we have srv_features now, we still + ** need this ruleset because the former is called + ** when the connection has been established, while + ** this ruleset is called when the command is + ** actually issued and therefore has all information + ** available to make a decision. + */ + + if (rscheck("check_etrn", p, NULL, e, + RSF_RMCOMM, 3, NULL, NOQID, NULL) + != EX_OK || + Errors > 0) + break; + + if (LogLevel > 5) + sm_syslog(LOG_INFO, e->e_id, + "%s: ETRN %s", CurSmtpClient, + shortenstring(p, MAXSHORTSTR)); + + id = p; + if (*id == '#') + { + int i, qgrp; + + id++; + qgrp = name2qid(id); + if (!ISVALIDQGRP(qgrp)) + { + usrerr("459 4.5.4 Queue %s unknown", + id); + break; + } + for (i = 0; i < NumQueue && Queue[i] != NULL; + i++) + Queue[i]->qg_nextrun = (time_t) -1; + Queue[qgrp]->qg_nextrun = 0; + ok = run_work_group(Queue[qgrp]->qg_wgrp, + RWG_FORK|RWG_FORCE); + if (ok && Errors == 0) + message("250 2.0.0 Queuing for queue group %s started", id); + break; + } + + if (*id == '@') + id++; + else + *--id = '@'; + + new = (QUEUE_CHAR *) sm_malloc(sizeof(QUEUE_CHAR)); + if (new == NULL) + { + syserr("500 5.5.0 ETRN out of memory"); + break; + } + new->queue_match = id; + new->queue_negate = false; + new->queue_next = NULL; + QueueLimitRecipient = new; + ok = runqueue(true, false, false, true); + sm_free(QueueLimitRecipient); /* XXX */ + QueueLimitRecipient = NULL; + if (ok && Errors == 0) + message("250 2.0.0 Queuing for node %s started", p); + break; + + case CMDHELP: /* help -- give user info */ + DELAY_CONN("HELP"); + help(p, e); + break; + + case CMDNOOP: /* noop -- do nothing */ + DELAY_CONN("NOOP"); + STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands, + true, "NOOP", e)); + message("250 2.0.0 OK"); + break; + + case CMDQUIT: /* quit -- leave mail */ + message("221 2.0.0 %s closing connection", MyHostName); +#if PIPELINING + (void) sm_io_flush(OutChannel, SM_TIME_DEFAULT); +#endif /* PIPELINING */ + + if (smtp.sm_nrcpts > 0) + logundelrcpts(e, "aborted by sender", 9, false); + + /* arrange to ignore any current send list */ + e->e_sendqueue = NULL; + +#if STARTTLS + /* shutdown TLS connection */ + if (tls_active) + { + (void) endtls(srv_ssl, "server"); + tls_active = false; + } +#endif /* STARTTLS */ +#if SASL + if (authenticating == SASL_IS_AUTH) + { + sasl_dispose(&conn); + authenticating = SASL_NOT_AUTH; + /* XXX sasl_done(); this is a child */ + } +#endif /* SASL */ + +doquit: + /* avoid future 050 messages */ + disconnect(1, e); + +#if MILTER + /* close out milter filters */ + milter_quit(e); +#endif /* MILTER */ + + if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags)) + logsender(e, NULL); + e->e_flags &= ~EF_LOGSENDER; + + if (lognullconnection && LogLevel > 5 && + nullserver == NULL) + { + char *d; + + d = macvalue(macid("{daemon_name}"), e); + if (d == NULL) + d = "stdin"; + + /* + ** even though this id is "bogus", it makes + ** it simpler to "grep" related events, e.g., + ** timeouts for the same connection. + */ + + sm_syslog(LOG_INFO, e->e_id, + "%s did not issue MAIL/EXPN/VRFY/ETRN during connection to %s", + CurSmtpClient, d); + } + if (tTd(93, 100)) + { + /* return to handle next connection */ + return; + } + finis(true, true, ExitStat); + /* NOTREACHED */ + + /* just to avoid bogus warning from some compilers */ + exit(EX_OSERR); + + case CMDVERB: /* set verbose mode */ + DELAY_CONN("VERB"); + if (!bitset(SRV_OFFER_EXPN, features) || + !bitset(SRV_OFFER_VERB, features)) + { + /* this would give out the same info */ + message("502 5.7.0 Verbose unavailable"); + break; + } + STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands, + true, "VERB", e)); + Verbose = 1; + set_delivery_mode(SM_DELIVER, e); + message("250 2.0.0 Verbose mode"); + break; + +#if SMTPDEBUG + case CMDDBGQSHOW: /* show queues */ + (void) sm_io_fprintf(smioout, SM_TIME_DEFAULT, + "Send Queue="); + printaddr(smioout, e->e_sendqueue, true); + break; + + case CMDDBGDEBUG: /* set debug mode */ + tTsetup(tTdvect, sizeof(tTdvect), "0-99.1"); + tTflag(p); + message("200 2.0.0 Debug set"); + break; + +#else /* SMTPDEBUG */ + case CMDDBGQSHOW: /* show queues */ + case CMDDBGDEBUG: /* set debug mode */ +#endif /* SMTPDEBUG */ + case CMDLOGBOGUS: /* bogus command */ + DELAY_CONN("Bogus"); + if (LogLevel > 0) + sm_syslog(LOG_CRIT, e->e_id, + "\"%s\" command from %s (%.100s)", + c->cmd_name, CurSmtpClient, + anynet_ntoa(&RealHostAddr)); + /* FALLTHROUGH */ + + case CMDERROR: /* unknown command */ +#if MAXBADCOMMANDS > 0 + if (++n_badcmds > MAXBADCOMMANDS) + { + stopattack: + message("421 4.7.0 %s Too many bad commands; closing connection", + MyHostName); + + /* arrange to ignore any current send list */ + e->e_sendqueue = NULL; + goto doquit; + } +#endif /* MAXBADCOMMANDS > 0 */ + +#if MILTER && SMFI_VERSION > 2 + if (smtp.sm_milterlist && smtp.sm_milterize && + !bitset(EF_DISCARD, e->e_flags)) + { + char state; + char *response; + + if (MilterLogLevel > 9) + sm_syslog(LOG_INFO, e->e_id, + "Sending \"%s\" to Milter", inp); + response = milter_unknown(inp, e, &state); + MILTER_REPLY("unknown"); + if (state == SMFIR_REPLYCODE || + state == SMFIR_REJECT || + state == SMFIR_TEMPFAIL || + state == SMFIR_SHUTDOWN) + { + /* MILTER_REPLY already gave an error */ + break; + } + } +#endif /* MILTER && SMFI_VERSION > 2 */ + + usrerr("500 5.5.1 Command unrecognized: \"%s\"", + shortenstring(inp, MAXSHORTSTR)); + break; + + case CMDUNIMPL: + DELAY_CONN("Unimpl"); + usrerr("502 5.5.1 Command not implemented: \"%s\"", + shortenstring(inp, MAXSHORTSTR)); + break; + + default: + DELAY_CONN("default"); + errno = 0; + syserr("500 5.5.0 smtp: unknown code %d", c->cmd_code); + break; + } +#if SASL + } +#endif /* SASL */ + } + SM_EXCEPT(exc, "[!F]*") + { + /* + ** The only possible exception is "E:mta.quickabort". + ** There is nothing to do except fall through and loop. + */ + } + SM_END_TRY + } +} +/* +** SMTP_DATA -- implement the SMTP DATA command. +** +** Parameters: +** smtp -- status of SMTP connection. +** e -- envelope. +** +** Returns: +** true iff SMTP session can continue. +** +** Side Effects: +** possibly sends message. +*/ + +static bool +smtp_data(smtp, e) + SMTP_T *smtp; + ENVELOPE *e; +{ +#if MILTER + bool milteraccept; +#endif /* MILTER */ + bool aborting; + bool doublequeue; + bool rv = true; + ADDRESS *a; + ENVELOPE *ee; + char *id; + char *oldid; + unsigned int features; + char buf[32]; + + SmtpPhase = "server DATA"; + if (!smtp->sm_gotmail) + { + usrerr("503 5.0.0 Need MAIL command"); + return true; + } + else if (smtp->sm_nrcpts <= 0) + { + usrerr("503 5.0.0 Need RCPT (recipient)"); + return true; + } + (void) sm_snprintf(buf, sizeof(buf), "%u", smtp->sm_nrcpts); + if (rscheck("check_data", buf, NULL, e, + RSF_RMCOMM|RSF_UNSTRUCTURED|RSF_COUNT, 3, NULL, + e->e_id, NULL) != EX_OK) + return true; + +#if MILTER && SMFI_VERSION > 3 + if (smtp->sm_milterlist && smtp->sm_milterize && + !bitset(EF_DISCARD, e->e_flags)) + { + char state; + char *response; + int savelogusrerrs = LogUsrErrs; + + response = milter_data_cmd(e, &state); + switch (state) + { + case SMFIR_REPLYCODE: + if (MilterLogLevel > 3) + { + sm_syslog(LOG_INFO, e->e_id, + "Milter: cmd=data, reject=%s", + response); + LogUsrErrs = false; + } + usrerr(response); + if (strncmp(response, "421 ", 4) == 0 + || strncmp(response, "421-", 4) == 0) + { + e->e_sendqueue = NULL; + return false; + } + return true; + + case SMFIR_REJECT: + if (MilterLogLevel > 3) + { + sm_syslog(LOG_INFO, e->e_id, + "Milter: cmd=data, reject=550 5.7.1 Command rejected"); + LogUsrErrs = false; + } + usrerr("550 5.7.1 Command rejected"); + return true; + + case SMFIR_DISCARD: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: cmd=data, discard"); + e->e_flags |= EF_DISCARD; + break; + + case SMFIR_TEMPFAIL: + if (MilterLogLevel > 3) + { + sm_syslog(LOG_INFO, e->e_id, + "Milter: cmd=data, reject=%s", + MSG_TEMPFAIL); + LogUsrErrs = false; + } + usrerr(MSG_TEMPFAIL); + return true; + + case SMFIR_SHUTDOWN: + if (MilterLogLevel > 3) + { + sm_syslog(LOG_INFO, e->e_id, + "Milter: cmd=data, reject=421 4.7.0 %s closing connection", + MyHostName); + LogUsrErrs = false; + } + usrerr("421 4.7.0 %s closing connection", MyHostName); + e->e_sendqueue = NULL; + return false; + } + LogUsrErrs = savelogusrerrs; + if (response != NULL) + sm_free(response); /* XXX */ + } +#endif /* MILTER && SMFI_VERSION > 3 */ + + /* put back discard bit */ + if (smtp->sm_discard) + e->e_flags |= EF_DISCARD; + + /* check to see if we need to re-expand aliases */ + /* also reset QS_BADADDR on already-diagnosted addrs */ + doublequeue = false; + for (a = e->e_sendqueue; a != NULL; a = a->q_next) + { + if (QS_IS_VERIFIED(a->q_state) && + !bitset(EF_DISCARD, e->e_flags)) + { + /* need to re-expand aliases */ + doublequeue = true; + } + if (QS_IS_BADADDR(a->q_state)) + { + /* make this "go away" */ + a->q_state = QS_DONTSEND; + } + } + + /* collect the text of the message */ + SmtpPhase = "collect"; + buffer_errors(); + + collect(InChannel, true, NULL, e, true); + + /* redefine message size */ + (void) sm_snprintf(buf, sizeof(buf), "%ld", e->e_msgsize); + macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf); + + /* rscheck() will set Errors or EF_DISCARD if it trips */ + (void) rscheck("check_eom", buf, NULL, e, RSF_UNSTRUCTURED|RSF_COUNT, + 3, NULL, e->e_id, NULL); + +#if MILTER + milteraccept = true; + if (smtp->sm_milterlist && smtp->sm_milterize && + Errors <= 0 && + !bitset(EF_DISCARD, e->e_flags)) + { + char state; + char *response; + + response = milter_data(e, &state); + switch (state) + { + case SMFIR_REPLYCODE: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: data, reject=%s", + response); + milteraccept = false; + usrerr(response); + break; + + case SMFIR_REJECT: + milteraccept = false; + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: data, reject=554 5.7.1 Command rejected"); + usrerr("554 5.7.1 Command rejected"); + break; + + case SMFIR_DISCARD: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: data, discard"); + milteraccept = false; + e->e_flags |= EF_DISCARD; + break; + + case SMFIR_TEMPFAIL: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: data, reject=%s", + MSG_TEMPFAIL); + milteraccept = false; + usrerr(MSG_TEMPFAIL); + break; + + case SMFIR_SHUTDOWN: + if (MilterLogLevel > 3) + sm_syslog(LOG_INFO, e->e_id, + "Milter: data, reject=421 4.7.0 %s closing connection", + MyHostName); + milteraccept = false; + usrerr("421 4.7.0 %s closing connection", MyHostName); + rv = false; + break; + } + if (response != NULL) + sm_free(response); + } + + /* Milter may have changed message size */ + (void) sm_snprintf(buf, sizeof(buf), "%ld", e->e_msgsize); + macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf); + + /* abort message filters that didn't get the body & log msg is OK */ + if (smtp->sm_milterlist && smtp->sm_milterize) + { + milter_abort(e); + if (milteraccept && MilterLogLevel > 9) + sm_syslog(LOG_INFO, e->e_id, "Milter accept: message"); + } + + /* + ** If SuperSafe is SAFE_REALLY_POSTMILTER, and we don't have milter or + ** milter accepted message, sync it now + ** + ** XXX This is almost a copy of the code in collect(): put it into + ** a function that is called from both places? + */ + + if (milteraccept && SuperSafe == SAFE_REALLY_POSTMILTER) + { + int afd; + SM_FILE_T *volatile df; + char *dfname; + + df = e->e_dfp; + dfname = queuename(e, DATAFL_LETTER); + if (sm_io_setinfo(df, SM_BF_COMMIT, NULL) < 0 + && errno != EINVAL) + { + int save_errno; + + save_errno = errno; + if (save_errno == EEXIST) + { + struct stat st; + int dfd; + + if (stat(dfname, &st) < 0) + st.st_size = -1; + errno = EEXIST; + syserr("@collect: bfcommit(%s): already on disk, size=%ld", + dfname, (long) st.st_size); + dfd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL); + if (dfd >= 0) + dumpfd(dfd, true, true); + } + errno = save_errno; + dferror(df, "bfcommit", e); + flush_errors(true); + finis(save_errno != EEXIST, true, ExitStat); + } + else if ((afd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL)) < 0) + { + dferror(df, "sm_io_getinfo", e); + flush_errors(true); + finis(true, true, ExitStat); + /* NOTREACHED */ + } + else if (fsync(afd) < 0) + { + dferror(df, "fsync", e); + flush_errors(true); + finis(true, true, ExitStat); + /* NOTREACHED */ + } + else if (sm_io_close(df, SM_TIME_DEFAULT) < 0) + { + dferror(df, "sm_io_close", e); + flush_errors(true); + finis(true, true, ExitStat); + /* NOTREACHED */ + } + + /* Now reopen the df file */ + e->e_dfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, dfname, + SM_IO_RDONLY, NULL); + if (e->e_dfp == NULL) + { + /* we haven't acked receipt yet, so just chuck this */ + syserr("@Cannot reopen %s", dfname); + finis(true, true, ExitStat); + /* NOTREACHED */ + } + } +#endif /* MILTER */ + + /* Check if quarantining stats should be updated */ + if (e->e_quarmsg != NULL) + markstats(e, NULL, STATS_QUARANTINE); + + /* + ** If a header/body check (header checks or milter) + ** set EF_DISCARD, don't queueup the message -- + ** that would lose the EF_DISCARD bit and deliver + ** the message. + */ + + if (bitset(EF_DISCARD, e->e_flags)) + doublequeue = false; + + aborting = Errors > 0; + if (!(aborting || bitset(EF_DISCARD, e->e_flags)) && + (QueueMode == QM_QUARANTINE || e->e_quarmsg == NULL) && + !split_by_recipient(e)) + aborting = bitset(EF_FATALERRS, e->e_flags); + + if (aborting) + { + ADDRESS *q; + + /* Log who the mail would have gone to */ + logundelrcpts(e, e->e_message, 8, false); + + /* + ** If something above refused the message, we still haven't + ** accepted responsibility for it. Don't send DSNs. + */ + + for (q = e->e_sendqueue; q != NULL; q = q->q_next) + q->q_flags &= ~Q_PINGFLAGS; + + flush_errors(true); + buffer_errors(); + goto abortmessage; + } + + /* from now on, we have to operate silently */ + buffer_errors(); + +#if 0 + /* + ** Clear message, it may contain an error from the SMTP dialogue. + ** This error must not show up in the queue. + ** Some error message should show up, e.g., alias database + ** not available, but others shouldn't, e.g., from check_rcpt. + */ + + e->e_message = NULL; +#endif /* 0 */ + + /* + ** Arrange to send to everyone. + ** If sending to multiple people, mail back + ** errors rather than reporting directly. + ** In any case, don't mail back errors for + ** anything that has happened up to + ** now (the other end will do this). + ** Truncate our transcript -- the mail has gotten + ** to us successfully, and if we have + ** to mail this back, it will be easier + ** on the reader. + ** Then send to everyone. + ** Finally give a reply code. If an error has + ** already been given, don't mail a + ** message back. + ** We goose error returns by clearing error bit. + */ + + SmtpPhase = "delivery"; + (void) sm_io_setinfo(e->e_xfp, SM_BF_TRUNCATE, NULL); + id = e->e_id; + +#if NAMED_BIND + _res.retry = TimeOuts.res_retry[RES_TO_FIRST]; + _res.retrans = TimeOuts.res_retrans[RES_TO_FIRST]; +#endif /* NAMED_BIND */ + + for (ee = e; ee != NULL; ee = ee->e_sibling) + { + /* make sure we actually do delivery */ + ee->e_flags &= ~EF_CLRQUEUE; + + /* from now on, operate silently */ + ee->e_errormode = EM_MAIL; + + if (doublequeue) + { + /* make sure it is in the queue */ + queueup(ee, false, true); + } + else + { + int mode; + + /* send to all recipients */ + mode = SM_DEFAULT; +#if _FFR_DM_ONE + if (SM_DM_ONE == e->e_sendmode) + { + if (NotFirstDelivery) + { + mode = SM_QUEUE; + e->e_sendmode = SM_QUEUE; + } + else + { + mode = SM_FORK; + NotFirstDelivery = true; + } + } +#endif /* _FFR_DM_ONE */ + sendall(ee, mode); + } + ee->e_to = NULL; + } + + /* put back id for SMTP logging in putoutmsg() */ + oldid = CurEnv->e_id; + CurEnv->e_id = id; + + /* issue success message */ +#if _FFR_MSG_ACCEPT + if (MessageAccept != NULL && *MessageAccept != '\0') + { + char msg[MAXLINE]; + + expand(MessageAccept, msg, sizeof(msg), e); + message("250 2.0.0 %s", msg); + } + else +#endif /* _FFR_MSG_ACCEPT */ + message("250 2.0.0 %s Message accepted for delivery", id); + CurEnv->e_id = oldid; + + /* if we just queued, poke it */ + if (doublequeue) + { + bool anything_to_send = false; + + sm_getla(); + for (ee = e; ee != NULL; ee = ee->e_sibling) + { + if (WILL_BE_QUEUED(ee->e_sendmode)) + continue; + if (shouldqueue(ee->e_msgpriority, ee->e_ctime)) + { + ee->e_sendmode = SM_QUEUE; + continue; + } + else if (QueueMode != QM_QUARANTINE && + ee->e_quarmsg != NULL) + { + ee->e_sendmode = SM_QUEUE; + continue; + } + anything_to_send = true; + + /* close all the queue files */ + closexscript(ee); + if (ee->e_dfp != NULL) + { + (void) sm_io_close(ee->e_dfp, SM_TIME_DEFAULT); + ee->e_dfp = NULL; + } + unlockqueue(ee); + } + if (anything_to_send) + { +#if PIPELINING + /* + ** XXX if we don't do this, we get 250 twice + ** because it is also flushed in the child. + */ + + (void) sm_io_flush(OutChannel, SM_TIME_DEFAULT); +#endif /* PIPELINING */ + (void) doworklist(e, true, true); + } + } + + abortmessage: + if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags)) + logsender(e, NULL); + e->e_flags &= ~EF_LOGSENDER; + + /* clean up a bit */ + smtp->sm_gotmail = false; + + /* + ** Call dropenvelope if and only if the envelope is *not* + ** being processed by the child process forked by doworklist(). + */ + + if (aborting || bitset(EF_DISCARD, e->e_flags)) + dropenvelope(e, true, false); + else + { + for (ee = e; ee != NULL; ee = ee->e_sibling) + { + if (!doublequeue && + QueueMode != QM_QUARANTINE && + ee->e_quarmsg != NULL) + { + dropenvelope(ee, true, false); + continue; + } + if (WILL_BE_QUEUED(ee->e_sendmode)) + dropenvelope(ee, true, false); + } + } + sm_rpool_free(e->e_rpool); + + /* + ** At this point, e == &MainEnvelope, but if we did splitting, + ** then CurEnv may point to an envelope structure that was just + ** freed with the rpool. So reset CurEnv *before* calling + ** newenvelope. + */ + + CurEnv = e; + features = e->e_features; + newenvelope(e, e, sm_rpool_new_x(NULL)); + e->e_flags = BlankEnvelope.e_flags; + e->e_features = features; + + /* restore connection quarantining */ + if (smtp->sm_quarmsg == NULL) + { + e->e_quarmsg = NULL; + macdefine(&e->e_macro, A_PERM, macid("{quarantine}"), ""); + } + else + { + e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool, smtp->sm_quarmsg); + macdefine(&e->e_macro, A_PERM, + macid("{quarantine}"), e->e_quarmsg); + } + return rv; +} +/* +** LOGUNDELRCPTS -- log undelivered (or all) recipients. +** +** Parameters: +** e -- envelope. +** msg -- message for Stat= +** level -- log level. +** all -- log all recipients. +** +** Returns: +** none. +** +** Side Effects: +** logs undelivered (or all) recipients +*/ + +void +logundelrcpts(e, msg, level, all) + ENVELOPE *e; + char *msg; + int level; + bool all; +{ + ADDRESS *a; + + if (LogLevel <= level || msg == NULL || *msg == '\0') + return; + + /* Clear $h so relay= doesn't get mislogged by logdelivery() */ + macdefine(&e->e_macro, A_PERM, 'h', NULL); + + /* Log who the mail would have gone to */ + for (a = e->e_sendqueue; a != NULL; a = a->q_next) + { + if (!QS_IS_UNDELIVERED(a->q_state) && !all) + continue; + e->e_to = a->q_paddr; + logdelivery(NULL, NULL, a->q_status, msg, NULL, + (time_t) 0, e); + } + e->e_to = NULL; +} +/* +** CHECKSMTPATTACK -- check for denial-of-service attack by repetition +** +** Parameters: +** pcounter -- pointer to a counter for this command. +** maxcount -- maximum value for this counter before we +** slow down. +** waitnow -- sleep now (in this routine)? +** cname -- command name for logging. +** e -- the current envelope. +** +** Returns: +** time to wait, +** STOP_ATTACK if twice as many commands as allowed and +** MaxChildren > 0. +** +** Side Effects: +** Slows down if we seem to be under attack. +*/ + +static time_t +checksmtpattack(pcounter, maxcount, waitnow, cname, e) + volatile unsigned int *pcounter; + unsigned int maxcount; + bool waitnow; + char *cname; + ENVELOPE *e; +{ + if (maxcount <= 0) /* no limit */ + return (time_t) 0; + + if (++(*pcounter) >= maxcount) + { + unsigned int shift; + time_t s; + + if (*pcounter == maxcount && LogLevel > 5) + { + sm_syslog(LOG_INFO, e->e_id, + "%s: possible SMTP attack: command=%.40s, count=%u", + CurSmtpClient, cname, *pcounter); + } + shift = *pcounter - maxcount; + s = 1 << shift; + if (shift > MAXSHIFT || s >= MAXTIMEOUT || s <= 0) + s = MAXTIMEOUT; + +#define IS_ATTACK(s) ((MaxChildren > 0 && *pcounter >= maxcount * 2) \ + ? STOP_ATTACK : (time_t) s) + + /* sleep at least 1 second before returning */ + (void) sleep(*pcounter / maxcount); + s -= *pcounter / maxcount; + if (s >= MAXTIMEOUT || s < 0) + s = MAXTIMEOUT; + if (waitnow && s > 0) + { + (void) sleep(s); + return IS_ATTACK(0); + } + return IS_ATTACK(s); + } + return (time_t) 0; +} +/* +** SETUP_SMTPD_IO -- setup I/O fd correctly for the SMTP server +** +** Parameters: +** none. +** +** Returns: +** nothing. +** +** Side Effects: +** may change I/O fd. +*/ + +static void +setup_smtpd_io() +{ + int inchfd, outchfd, outfd; + + inchfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL); + outchfd = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL); + outfd = sm_io_getinfo(smioout, SM_IO_WHAT_FD, NULL); + if (outchfd != outfd) + { + /* arrange for debugging output to go to remote host */ + (void) dup2(outchfd, outfd); + } + + /* + ** if InChannel and OutChannel are stdin/stdout + ** and connected to ttys + ** and fcntl(STDIN, F_SETFL, O_NONBLOCKING) also changes STDOUT, + ** then "chain" them together. + */ + + if (inchfd == STDIN_FILENO && outchfd == STDOUT_FILENO && + isatty(inchfd) && isatty(outchfd)) + { + int inmode, outmode; + + inmode = fcntl(inchfd, F_GETFL, 0); + if (inmode == -1) + { + if (LogLevel > 11) + sm_syslog(LOG_INFO, NOQID, + "fcntl(inchfd, F_GETFL) failed: %s", + sm_errstring(errno)); + return; + } + outmode = fcntl(outchfd, F_GETFL, 0); + if (outmode == -1) + { + if (LogLevel > 11) + sm_syslog(LOG_INFO, NOQID, + "fcntl(outchfd, F_GETFL) failed: %s", + sm_errstring(errno)); + return; + } + if (bitset(O_NONBLOCK, inmode) || + bitset(O_NONBLOCK, outmode) || + fcntl(inchfd, F_SETFL, inmode | O_NONBLOCK) == -1) + return; + outmode = fcntl(outchfd, F_GETFL, 0); + if (outmode != -1 && bitset(O_NONBLOCK, outmode)) + { + /* changing InChannel also changes OutChannel */ + sm_io_automode(OutChannel, InChannel); + if (tTd(97, 4) && LogLevel > 9) + sm_syslog(LOG_INFO, NOQID, + "set automode for I (%d)/O (%d) in SMTP server", + inchfd, outchfd); + } + + /* undo change of inchfd */ + (void) fcntl(inchfd, F_SETFL, inmode); + } +} +/* +** SKIPWORD -- skip a fixed word. +** +** Parameters: +** p -- place to start looking. +** w -- word to skip. +** +** Returns: +** p following w. +** NULL on error. +** +** Side Effects: +** clobbers the p data area. +*/ + +static char * +skipword(p, w) + register char *volatile p; + char *w; +{ + register char *q; + char *firstp = p; + + /* find beginning of word */ + SKIP_SPACE(p); + q = p; + + /* find end of word */ + while (*p != '\0' && *p != ':' && !(isascii(*p) && isspace(*p))) + p++; + while (isascii(*p) && isspace(*p)) + *p++ = '\0'; + if (*p != ':') + { + syntax: + usrerr("501 5.5.2 Syntax error in parameters scanning \"%s\"", + shortenstring(firstp, MAXSHORTSTR)); + return NULL; + } + *p++ = '\0'; + SKIP_SPACE(p); + + if (*p == '\0') + goto syntax; + + /* see if the input word matches desired word */ + if (sm_strcasecmp(q, w)) + goto syntax; + + return p; +} + +/* +** RESET_MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line +** +** Parameters: +** e -- the envelope. +** +** Returns: +** none. +*/ + +void +reset_mail_esmtp_args(e) + ENVELOPE *e; +{ + /* "size": no reset */ + + /* "body" */ + SevenBitInput = SevenBitInput_Saved; + e->e_bodytype = NULL; + + /* "envid" */ + e->e_envid = NULL; + macdefine(&e->e_macro, A_PERM, macid("{dsn_envid}"), NULL); + + /* "ret" */ + e->e_flags &= ~(EF_RET_PARAM|EF_NO_BODY_RETN); + macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), NULL); + +#if SASL + /* "auth" */ + macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"), NULL); + e->e_auth_param = ""; +# if _FFR_AUTH_PASSING + macdefine(&BlankEnvelope.e_macro, A_PERM, + macid("{auth_author}"), NULL); +# endif /* _FFR_AUTH_PASSING */ +#endif /* SASL */ + + /* "by" */ + e->e_deliver_by = 0; + e->e_dlvr_flag = 0; +} + +/* +** MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line +** +** Parameters: +** a -- address (unused, for compatibility with rcpt_esmtp_args) +** kp -- the parameter key. +** vp -- the value of that parameter. +** e -- the envelope. +** +** Returns: +** none. +*/ + +void +mail_esmtp_args(a, kp, vp, e) + ADDRESS *a; + char *kp; + char *vp; + ENVELOPE *e; +{ + if (sm_strcasecmp(kp, "size") == 0) + { + if (vp == NULL) + { + usrerr("501 5.5.2 SIZE requires a value"); + /* NOTREACHED */ + } + macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), vp); + errno = 0; + e->e_msgsize = strtol(vp, (char **) NULL, 10); + if (e->e_msgsize == LONG_MAX && errno == ERANGE) + { + usrerr("552 5.2.3 Message size exceeds maximum value"); + /* NOTREACHED */ + } + if (e->e_msgsize < 0) + { + usrerr("552 5.2.3 Message size invalid"); + /* NOTREACHED */ + } + } + else if (sm_strcasecmp(kp, "body") == 0) + { + if (vp == NULL) + { + usrerr("501 5.5.2 BODY requires a value"); + /* NOTREACHED */ + } + else if (sm_strcasecmp(vp, "8bitmime") == 0) + { + SevenBitInput = false; + } + else if (sm_strcasecmp(vp, "7bit") == 0) + { + SevenBitInput = true; + } + else + { + usrerr("501 5.5.4 Unknown BODY type %s", vp); + /* NOTREACHED */ + } + e->e_bodytype = sm_rpool_strdup_x(e->e_rpool, vp); + } + else if (sm_strcasecmp(kp, "envid") == 0) + { + if (!bitset(SRV_OFFER_DSN, e->e_features)) + { + usrerr("504 5.7.0 Sorry, ENVID not supported, we do not allow DSN"); + /* NOTREACHED */ + } + if (vp == NULL) + { + usrerr("501 5.5.2 ENVID requires a value"); + /* NOTREACHED */ + } + if (!xtextok(vp)) + { + usrerr("501 5.5.4 Syntax error in ENVID parameter value"); + /* NOTREACHED */ + } + if (e->e_envid != NULL) + { + usrerr("501 5.5.0 Duplicate ENVID parameter"); + /* NOTREACHED */ + } + e->e_envid = sm_rpool_strdup_x(e->e_rpool, vp); + macdefine(&e->e_macro, A_PERM, + macid("{dsn_envid}"), e->e_envid); + } + else if (sm_strcasecmp(kp, "ret") == 0) + { + if (!bitset(SRV_OFFER_DSN, e->e_features)) + { + usrerr("504 5.7.0 Sorry, RET not supported, we do not allow DSN"); + /* NOTREACHED */ + } + if (vp == NULL) + { + usrerr("501 5.5.2 RET requires a value"); + /* NOTREACHED */ + } + if (bitset(EF_RET_PARAM, e->e_flags)) + { + usrerr("501 5.5.0 Duplicate RET parameter"); + /* NOTREACHED */ + } + e->e_flags |= EF_RET_PARAM; + if (sm_strcasecmp(vp, "hdrs") == 0) + e->e_flags |= EF_NO_BODY_RETN; + else if (sm_strcasecmp(vp, "full") != 0) + { + usrerr("501 5.5.2 Bad argument \"%s\" to RET", vp); + /* NOTREACHED */ + } + macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), vp); + } +#if SASL + else if (sm_strcasecmp(kp, "auth") == 0) + { + int len; + char *q; + char *auth_param; /* the value of the AUTH=x */ + bool saveQuickAbort = QuickAbort; + bool saveSuprErrs = SuprErrs; + bool saveExitStat = ExitStat; + + if (vp == NULL) + { + usrerr("501 5.5.2 AUTH= requires a value"); + /* NOTREACHED */ + } + if (e->e_auth_param != NULL) + { + usrerr("501 5.5.0 Duplicate AUTH parameter"); + /* NOTREACHED */ + } + if ((q = strchr(vp, ' ')) != NULL) + len = q - vp + 1; + else + len = strlen(vp) + 1; + auth_param = xalloc(len); + (void) sm_strlcpy(auth_param, vp, len); + if (!xtextok(auth_param)) + { + usrerr("501 5.5.4 Syntax error in AUTH parameter value"); + /* just a warning? */ + /* NOTREACHED */ + } + + /* XXX define this always or only if trusted? */ + macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"), + auth_param); + + /* + ** call Strust_auth to find out whether + ** auth_param is acceptable (trusted) + ** we shouldn't trust it if not authenticated + ** (required by RFC, leave it to ruleset?) + */ + + SuprErrs = true; + QuickAbort = false; + if (strcmp(auth_param, "<>") != 0 && + (rscheck("trust_auth", auth_param, NULL, e, RSF_RMCOMM, + 9, NULL, NOQID, NULL) != EX_OK || Errors > 0)) + { + if (tTd(95, 8)) + { + q = e->e_auth_param; + sm_dprintf("auth=\"%.100s\" not trusted user=\"%.100s\"\n", + auth_param, (q == NULL) ? "" : q); + } + + /* not trusted */ + e->e_auth_param = "<>"; +# if _FFR_AUTH_PASSING + macdefine(&BlankEnvelope.e_macro, A_PERM, + macid("{auth_author}"), NULL); +# endif /* _FFR_AUTH_PASSING */ + } + else + { + if (tTd(95, 8)) + sm_dprintf("auth=\"%.100s\" trusted\n", auth_param); + e->e_auth_param = sm_rpool_strdup_x(e->e_rpool, + auth_param); + } + sm_free(auth_param); /* XXX */ + + /* reset values */ + Errors = 0; + QuickAbort = saveQuickAbort; + SuprErrs = saveSuprErrs; + ExitStat = saveExitStat; + } +#endif /* SASL */ +#define PRTCHAR(c) ((isascii(c) && isprint(c)) ? (c) : '?') + + /* + ** "by" is only accepted if DeliverByMin >= 0. + ** We maybe could add this to the list of server_features. + */ + + else if (sm_strcasecmp(kp, "by") == 0 && DeliverByMin >= 0) + { + char *s; + + if (vp == NULL) + { + usrerr("501 5.5.2 BY= requires a value"); + /* NOTREACHED */ + } + errno = 0; + e->e_deliver_by = strtol(vp, &s, 10); + if (e->e_deliver_by == LONG_MIN || + e->e_deliver_by == LONG_MAX || + e->e_deliver_by > 999999999l || + e->e_deliver_by < -999999999l) + { + usrerr("501 5.5.2 BY=%s out of range", vp); + /* NOTREACHED */ + } + if (s == NULL || *s != ';') + { + usrerr("501 5.5.2 BY= missing ';'"); + /* NOTREACHED */ + } + e->e_dlvr_flag = 0; + ++s; /* XXX: spaces allowed? */ + SKIP_SPACE(s); + switch (tolower(*s)) + { + case 'n': + e->e_dlvr_flag = DLVR_NOTIFY; + break; + case 'r': + e->e_dlvr_flag = DLVR_RETURN; + if (e->e_deliver_by <= 0) + { + usrerr("501 5.5.4 mode R requires BY time > 0"); + /* NOTREACHED */ + } + if (DeliverByMin > 0 && e->e_deliver_by > 0 && + e->e_deliver_by < DeliverByMin) + { + usrerr("555 5.5.2 time %ld less than %ld", + e->e_deliver_by, (long) DeliverByMin); + /* NOTREACHED */ + } + break; + default: + usrerr("501 5.5.2 illegal by-mode '%c'", PRTCHAR(*s)); + /* NOTREACHED */ + } + ++s; /* XXX: spaces allowed? */ + SKIP_SPACE(s); + switch (tolower(*s)) + { + case 't': + e->e_dlvr_flag |= DLVR_TRACE; + break; + case '\0': + break; + default: + usrerr("501 5.5.2 illegal by-trace '%c'", PRTCHAR(*s)); + /* NOTREACHED */ + } + + /* XXX: check whether more characters follow? */ + } + else + { + usrerr("555 5.5.4 %s parameter unrecognized", kp); + /* NOTREACHED */ + } +} + +/* +** RCPT_ESMTP_ARGS -- process ESMTP arguments from RCPT line +** +** Parameters: +** a -- the address corresponding to the To: parameter. +** kp -- the parameter key. +** vp -- the value of that parameter. +** e -- the envelope. +** +** Returns: +** none. +*/ + +void +rcpt_esmtp_args(a, kp, vp, e) + ADDRESS *a; + char *kp; + char *vp; + ENVELOPE *e; +{ + if (sm_strcasecmp(kp, "notify") == 0) + { + char *p; + + if (!bitset(SRV_OFFER_DSN, e->e_features)) + { + usrerr("504 5.7.0 Sorry, NOTIFY not supported, we do not allow DSN"); + /* NOTREACHED */ + } + if (vp == NULL) + { + usrerr("501 5.5.2 NOTIFY requires a value"); + /* NOTREACHED */ + } + a->q_flags &= ~(QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY); + a->q_flags |= QHASNOTIFY; + macdefine(&e->e_macro, A_TEMP, macid("{dsn_notify}"), vp); + + if (sm_strcasecmp(vp, "never") == 0) + return; + for (p = vp; p != NULL; vp = p) + { + char *s; + + s = p = strchr(p, ','); + if (p != NULL) + *p++ = '\0'; + if (sm_strcasecmp(vp, "success") == 0) + a->q_flags |= QPINGONSUCCESS; + else if (sm_strcasecmp(vp, "failure") == 0) + a->q_flags |= QPINGONFAILURE; + else if (sm_strcasecmp(vp, "delay") == 0) + a->q_flags |= QPINGONDELAY; + else + { + usrerr("501 5.5.4 Bad argument \"%s\" to NOTIFY", + vp); + /* NOTREACHED */ + } + if (s != NULL) + *s = ','; + } + } + else if (sm_strcasecmp(kp, "orcpt") == 0) + { + if (!bitset(SRV_OFFER_DSN, e->e_features)) + { + usrerr("504 5.7.0 Sorry, ORCPT not supported, we do not allow DSN"); + /* NOTREACHED */ + } + if (vp == NULL) + { + usrerr("501 5.5.2 ORCPT requires a value"); + /* NOTREACHED */ + } + if (strchr(vp, ';') == NULL || !xtextok(vp)) + { + usrerr("501 5.5.4 Syntax error in ORCPT parameter value"); + /* NOTREACHED */ + } + if (a->q_orcpt != NULL) + { + usrerr("501 5.5.0 Duplicate ORCPT parameter"); + /* NOTREACHED */ + } + a->q_orcpt = sm_rpool_strdup_x(e->e_rpool, vp); + } + else + { + usrerr("555 5.5.4 %s parameter unrecognized", kp); + /* NOTREACHED */ + } +} +/* +** PRINTVRFYADDR -- print an entry in the verify queue +** +** Parameters: +** a -- the address to print. +** last -- set if this is the last one. +** vrfy -- set if this is a VRFY command. +** +** Returns: +** none. +** +** Side Effects: +** Prints the appropriate 250 codes. +*/ +#define OFFF (3 + 1 + 5 + 1) /* offset in fmt: SMTP reply + enh. code */ + +static void +printvrfyaddr(a, last, vrfy) + register ADDRESS *a; + bool last; + bool vrfy; +{ + char fmtbuf[30]; + + if (vrfy && a->q_mailer != NULL && + !bitnset(M_VRFY250, a->q_mailer->m_flags)) + (void) sm_strlcpy(fmtbuf, "252", sizeof(fmtbuf)); + else + (void) sm_strlcpy(fmtbuf, "250", sizeof(fmtbuf)); + fmtbuf[3] = last ? ' ' : '-'; + (void) sm_strlcpy(&fmtbuf[4], "2.1.5 ", sizeof(fmtbuf) - 4); + if (a->q_fullname == NULL) + { + if ((a->q_mailer == NULL || + a->q_mailer->m_addrtype == NULL || + sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) && + strchr(a->q_user, '@') == NULL) + (void) sm_strlcpy(&fmtbuf[OFFF], "<%s@%s>", + sizeof(fmtbuf) - OFFF); + else + (void) sm_strlcpy(&fmtbuf[OFFF], "<%s>", + sizeof(fmtbuf) - OFFF); + message(fmtbuf, a->q_user, MyHostName); + } + else + { + if ((a->q_mailer == NULL || + a->q_mailer->m_addrtype == NULL || + sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) && + strchr(a->q_user, '@') == NULL) + (void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s@%s>", + sizeof(fmtbuf) - OFFF); + else + (void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s>", + sizeof(fmtbuf) - OFFF); + message(fmtbuf, a->q_fullname, a->q_user, MyHostName); + } +} + +#if SASL +/* +** SASLMECHS -- get list of possible AUTH mechanisms +** +** Parameters: +** conn -- SASL connection info. +** mechlist -- output parameter for list of mechanisms. +** +** Returns: +** number of mechs. +*/ + +static int +saslmechs(conn, mechlist) + sasl_conn_t *conn; + char **mechlist; +{ + int len, num, result; + + /* "user" is currently unused */ +# if SASL >= 20000 + result = sasl_listmech(conn, NULL, + "", " ", "", (const char **) mechlist, + (unsigned int *)&len, &num); +# else /* SASL >= 20000 */ + result = sasl_listmech(conn, "user", /* XXX */ + "", " ", "", mechlist, + (unsigned int *)&len, (unsigned int *)&num); +# endif /* SASL >= 20000 */ + if (result != SASL_OK) + { + if (LogLevel > 9) + sm_syslog(LOG_WARNING, NOQID, + "AUTH error: listmech=%d, num=%d", + result, num); + num = 0; + } + if (num > 0) + { + if (LogLevel > 11) + sm_syslog(LOG_INFO, NOQID, + "AUTH: available mech=%s, allowed mech=%s", + *mechlist, AuthMechanisms); + *mechlist = intersect(AuthMechanisms, *mechlist, NULL); + } + else + { + *mechlist = NULL; /* be paranoid... */ + if (result == SASL_OK && LogLevel > 9) + sm_syslog(LOG_WARNING, NOQID, + "AUTH warning: no mechanisms"); + } + return num; +} + +# if SASL >= 20000 +/* +** PROXY_POLICY -- define proxy policy for AUTH +** +** Parameters: +** conn -- unused. +** context -- unused. +** requested_user -- authorization identity. +** rlen -- authorization identity length. +** auth_identity -- authentication identity. +** alen -- authentication identity length. +** def_realm -- default user realm. +** urlen -- user realm length. +** propctx -- unused. +** +** Returns: +** ok? +** +** Side Effects: +** sets {auth_authen} macro. +*/ + +int +proxy_policy(conn, context, requested_user, rlen, auth_identity, alen, + def_realm, urlen, propctx) + sasl_conn_t *conn; + void *context; + const char *requested_user; + unsigned rlen; + const char *auth_identity; + unsigned alen; + const char *def_realm; + unsigned urlen; + struct propctx *propctx; +{ + if (auth_identity == NULL) + return SASL_FAIL; + + macdefine(&BlankEnvelope.e_macro, A_TEMP, + macid("{auth_authen}"), (char *) auth_identity); + + return SASL_OK; +} +# else /* SASL >= 20000 */ + +/* +** PROXY_POLICY -- define proxy policy for AUTH +** +** Parameters: +** context -- unused. +** auth_identity -- authentication identity. +** requested_user -- authorization identity. +** user -- allowed user (output). +** errstr -- possible error string (output). +** +** Returns: +** ok? +*/ + +int +proxy_policy(context, auth_identity, requested_user, user, errstr) + void *context; + const char *auth_identity; + const char *requested_user; + const char **user; + const char **errstr; +{ + if (user == NULL || auth_identity == NULL) + return SASL_FAIL; + *user = newstr(auth_identity); + return SASL_OK; +} +# endif /* SASL >= 20000 */ +#endif /* SASL */ + +#if STARTTLS +/* +** INITSRVTLS -- initialize server side TLS +** +** Parameters: +** tls_ok -- should tls initialization be done? +** +** Returns: +** succeeded? +** +** Side Effects: +** sets tls_ok_srv which is a static variable in this module. +** Do NOT remove assignments to it! +*/ + +bool +initsrvtls(tls_ok) + bool tls_ok; +{ + if (!tls_ok) + return false; + + /* do NOT remove assignment */ + tls_ok_srv = inittls(&srv_ctx, TLS_Srv_Opts, true, SrvCertFile, + SrvKeyFile, CACertPath, CACertFile, DHParams); + return tls_ok_srv; +} +#endif /* STARTTLS */ +/* +** SRVFEATURES -- get features for SMTP server +** +** Parameters: +** e -- envelope (should be session context). +** clientname -- name of client. +** features -- default features for this invocation. +** +** Returns: +** server features. +*/ + +/* table with options: it uses just one character, how about strings? */ +static struct +{ + char srvf_opt; + unsigned int srvf_flag; +} srv_feat_table[] = +{ + { 'A', SRV_OFFER_AUTH }, + { 'B', SRV_OFFER_VERB }, + { 'C', SRV_REQ_SEC }, + { 'D', SRV_OFFER_DSN }, + { 'E', SRV_OFFER_ETRN }, + { 'L', SRV_REQ_AUTH }, +#if PIPELINING +# if _FFR_NO_PIPE + { 'N', SRV_NO_PIPE }, +# endif /* _FFR_NO_PIPE */ + { 'P', SRV_OFFER_PIPE }, +#endif /* PIPELINING */ + { 'R', SRV_VRFY_CLT }, /* same as V; not documented */ + { 'S', SRV_OFFER_TLS }, +/* { 'T', SRV_TMP_FAIL }, */ + { 'V', SRV_VRFY_CLT }, + { 'X', SRV_OFFER_EXPN }, +/* { 'Y', SRV_OFFER_VRFY }, */ + { '\0', SRV_NONE } +}; + +static unsigned int +srvfeatures(e, clientname, features) + ENVELOPE *e; + char *clientname; + unsigned int features; +{ + int r, i, j; + char **pvp, c, opt; + char pvpbuf[PSBUFSIZE]; + + pvp = NULL; + r = rscap("srv_features", clientname, "", e, &pvp, pvpbuf, + sizeof(pvpbuf)); + if (r != EX_OK) + return features; + if (pvp == NULL || pvp[0] == NULL || (pvp[0][0] & 0377) != CANONNET) + return features; + if (pvp[1] != NULL && sm_strncasecmp(pvp[1], "temp", 4) == 0) + return SRV_TMP_FAIL; + + /* + ** General rule (see sendmail.h, d_flags): + ** lower case: required/offered, upper case: Not required/available + ** + ** Since we can change some features per daemon, we have both + ** cases here: turn on/off a feature. + */ + + for (i = 1; pvp[i] != NULL; i++) + { + c = pvp[i][0]; + j = 0; + for (;;) + { + if ((opt = srv_feat_table[j].srvf_opt) == '\0') + { + if (LogLevel > 9) + sm_syslog(LOG_WARNING, e->e_id, + "srvfeatures: unknown feature %s", + pvp[i]); + break; + } + if (c == opt) + { + features &= ~(srv_feat_table[j].srvf_flag); + break; + } + if (c == tolower(opt)) + { + features |= srv_feat_table[j].srvf_flag; + break; + } + ++j; + } + } + return features; +} + +/* +** HELP -- implement the HELP command. +** +** Parameters: +** topic -- the topic we want help for. +** e -- envelope. +** +** Returns: +** none. +** +** Side Effects: +** outputs the help file to message output. +*/ +#define HELPVSTR "#vers " +#define HELPVERSION 2 + +void +help(topic, e) + char *topic; + ENVELOPE *e; +{ + register SM_FILE_T *hf; + register char *p; + int len; + bool noinfo; + bool first = true; + long sff = SFF_OPENASROOT|SFF_REGONLY; + char buf[MAXLINE]; + char inp[MAXLINE]; + static int foundvers = -1; + extern char Version[]; + + if (DontLockReadFiles) + sff |= SFF_NOLOCK; + if (!bitnset(DBS_HELPFILEINUNSAFEDIRPATH, DontBlameSendmail)) + sff |= SFF_SAFEDIRPATH; + + if (HelpFile == NULL || + (hf = safefopen(HelpFile, O_RDONLY, 0444, sff)) == NULL) + { + /* no help */ + errno = 0; + message("502 5.3.0 Sendmail %s -- HELP not implemented", + Version); + return; + } + + if (topic == NULL || *topic == '\0') + { + topic = "smtp"; + noinfo = false; + } + else + { + makelower(topic); + noinfo = true; + } + + len = strlen(topic); + + while (sm_io_fgets(hf, SM_TIME_DEFAULT, buf, sizeof(buf)) != NULL) + { + if (buf[0] == '#') + { + if (foundvers < 0 && + strncmp(buf, HELPVSTR, strlen(HELPVSTR)) == 0) + { + int h; + + if (sm_io_sscanf(buf + strlen(HELPVSTR), "%d", + &h) == 1) + foundvers = h; + } + continue; + } + if (strncmp(buf, topic, len) == 0) + { + if (first) + { + first = false; + + /* print version if no/old vers# in file */ + if (foundvers < 2 && !noinfo) + message("214-2.0.0 This is Sendmail version %s", Version); + } + p = strpbrk(buf, " \t"); + if (p == NULL) + p = buf + strlen(buf) - 1; + else + p++; + fixcrlf(p, true); + if (foundvers >= 2) + { + char *lbp; + int lbs = sizeof(buf) - (p - buf); + + lbp = translate_dollars(p, p, &lbs); + expand(lbp, inp, sizeof(inp), e); + if (p != lbp) + sm_free(lbp); + p = inp; + } + message("214-2.0.0 %s", p); + noinfo = false; + } + } + + if (noinfo) + message("504 5.3.0 HELP topic \"%.10s\" unknown", topic); + else + message("214 2.0.0 End of HELP info"); + + if (foundvers != 0 && foundvers < HELPVERSION) + { + if (LogLevel > 1) + sm_syslog(LOG_WARNING, e->e_id, + "%s too old (require version %d)", + HelpFile, HELPVERSION); + + /* avoid log next time */ + foundvers = 0; + } + + (void) sm_io_close(hf, SM_TIME_DEFAULT); +} + +#if SASL +/* +** RESET_SASLCONN -- reset SASL connection data +** +** Parameters: +** conn -- SASL connection context +** hostname -- host name +** various connection data +** +** Returns: +** SASL result +*/ + +static int +reset_saslconn(sasl_conn_t **conn, char *hostname, +# if SASL >= 20000 + char *remoteip, char *localip, + char *auth_id, sasl_ssf_t * ext_ssf) +# else /* SASL >= 20000 */ + struct sockaddr_in *saddr_r, struct sockaddr_in *saddr_l, + sasl_external_properties_t * ext_ssf) +# endif /* SASL >= 20000 */ +{ + int result; + + sasl_dispose(conn); +# if SASL >= 20000 + result = sasl_server_new("smtp", hostname, NULL, NULL, NULL, + NULL, 0, conn); +# elif SASL > 10505 + /* use empty realm: only works in SASL > 1.5.5 */ + result = sasl_server_new("smtp", hostname, "", NULL, 0, conn); +# else /* SASL >= 20000 */ + /* use no realm -> realm is set to hostname by SASL lib */ + result = sasl_server_new("smtp", hostname, NULL, NULL, 0, + conn); +# endif /* SASL >= 20000 */ + if (result != SASL_OK) + return result; + +# if SASL >= 20000 +# if NETINET || NETINET6 + if (remoteip != NULL && *remoteip != '\0') + result = sasl_setprop(*conn, SASL_IPREMOTEPORT, remoteip); + if (result != SASL_OK) + return result; + + if (localip != NULL && *localip != '\0') + result = sasl_setprop(*conn, SASL_IPLOCALPORT, localip); + if (result != SASL_OK) + return result; +# endif /* NETINET || NETINET6 */ + + result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf); + if (result != SASL_OK) + return result; + + result = sasl_setprop(*conn, SASL_AUTH_EXTERNAL, auth_id); + if (result != SASL_OK) + return result; +# else /* SASL >= 20000 */ +# if NETINET + if (saddr_r != NULL) + result = sasl_setprop(*conn, SASL_IP_REMOTE, saddr_r); + if (result != SASL_OK) + return result; + + if (saddr_l != NULL) + result = sasl_setprop(*conn, SASL_IP_LOCAL, saddr_l); + if (result != SASL_OK) + return result; +# endif /* NETINET */ + + result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf); + if (result != SASL_OK) + return result; +# endif /* SASL >= 20000 */ + return SASL_OK; +} +#endif /* SASL */ |