Overhaul of GnuTLS code.

[exim.git] / src / src / smtp_in.c

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index f1c7aec3451f825de2db8d32d2fd37310e4fbc40..5d241d960b3d7c35e3ef989e2573e9fa55c8e343 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -36,9 +36,14 @@ uschar *tcp_wrappers_name;
 /* Size of buffer for reading SMTP commands. We used to use 512, as defined
 by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
 commands that accept arguments, and this in particular applies to AUTH, where
-the data can be quite long. */
+the data can be quite long.  More recently this value was 2048 in Exim; 
+however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH.  Clients
+such as Thunderbird will send an AUTH with an initial-response for GSSAPI. 
+The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and 
+we need room to handle large base64-encoded AUTHs for GSSAPI.
+*/
 
-#define smtp_cmd_buffer_size  2048
+#define smtp_cmd_buffer_size  16384
 
 /* Size of buffer for reading SMTP incoming packets */
 
@@ -836,6 +841,9 @@ if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
 if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_peerdn != NULL)
   s = string_append(s, &size, &ptr, 3, US" DN=\"",
     string_printing(tls_peerdn), US"\"");
+if ((log_extra_selector & LX_tls_sni) != 0 && tls_sni != NULL)
+  s = string_append(s, &size, &ptr, 3, US" SNI=\"",
+    string_printing(tls_sni), US"\"");
 #endif
 
 sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
@@ -978,7 +986,8 @@ if (*v != '=') return FALSE;
 n = v;
 while(isalpha(n[-1])) n--;
 
-if (n[-1] != ' ') return FALSE;
+/* RFC says SP, but TAB seen in wild and other major MTAs accept it */
+if (!isspace(n[-1])) return FALSE;
 
 n[-1] = 0;
 *name = n;
@@ -1390,6 +1399,7 @@ smtp_cmd_buffer = (uschar *)malloc(2*smtp_cmd_buffer_size + 2);
 if (smtp_cmd_buffer == NULL)
   log_write(0, LOG_MAIN|LOG_PANIC_DIE,
     "malloc() failed for SMTP command buffer");
+smtp_cmd_buffer[0] = 0;
 smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;
 
 /* For batched input, the protocol setting can be overridden from the
@@ -1664,8 +1674,7 @@ if (!sender_host_unknown)
 
   #ifdef SUPPORT_TLS
   if (tls_on_connect &&
-      tls_server_start(tls_require_ciphers,
-        gnutls_require_mac, gnutls_require_kx, gnutls_require_proto) != OK)
+      tls_server_start(tls_require_ciphers) != OK)
     return FALSE;
   #endif
 
@@ -2195,8 +2204,13 @@ if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
 #endif
   {
-  sender_info = string_sprintf("F=<%s> ", (sender_address_unrewritten != NULL)?
-    sender_address_unrewritten : sender_address);
+  sender_info = string_sprintf("F=<%s>%s%s%s%s ",
+    sender_address_unrewritten ? sender_address_unrewritten : sender_address,
+    sender_host_authenticated ? US" A="                                    : US"",
+    sender_host_authenticated ? sender_host_authenticated                  : US"",
+    sender_host_authenticated && authenticated_id ? US":"                  : US"",
+    sender_host_authenticated && authenticated_id ? authenticated_id       : US""
+    );
   }
 
 /* If there's been a sender verification failure with a specific message, and
@@ -3876,8 +3890,7 @@ while (done <= 0)
     We must allow for an extra EHLO command and an extra AUTH command after
     STARTTLS that don't add to the nonmail command count. */
 
-    if ((rc = tls_server_start(tls_require_ciphers, gnutls_require_mac,
-           gnutls_require_kx, gnutls_require_proto)) == OK)
+    if ((rc = tls_server_start(tls_require_ciphers)) == OK)
       {
       if (!tls_remember_esmtp)
         helo_seen = esmtp = auth_advertised = pipelining_advertised = FALSE;