-/* $Cambridge: exim/src/src/transports/smtp.c,v 1.43 2009/10/20 13:10:15 nm4 Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2007 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */
/* See the file NOTICE for conditions of use and distribution. */
#include "../exim.h"
{ "gethostbyname", opt_bool,
(void *)offsetof(smtp_transport_options_block, gethostbyname) },
#ifdef SUPPORT_TLS
+ /* These are no longer honoured, as of Exim 4.78; for now, we silently
+ ignore; a later release will warn, and a later-still release will remove
+ these options, so that using them becomes an error. */
{ "gnutls_require_kx", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, gnutls_require_kx) },
{ "gnutls_require_mac", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_crl) },
{ "tls_privatekey", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_privatekey) },
- { "tls_require_ciphers", opt_stringptr,
+ { "tls_require_ciphers", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_require_ciphers) },
+ { "tls_sni", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, tls_sni) },
{ "tls_tempfail_tryclear", opt_bool,
(void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) },
{ "tls_verify_certificates", opt_stringptr,
NULL, /* gnutls_require_mac */
NULL, /* gnutls_require_proto */
NULL, /* tls_verify_certificates */
- TRUE /* tls_tempfail_tryclear */
+ TRUE, /* tls_tempfail_tryclear */
+ NULL /* tls_sni */
#endif
#ifndef DISABLE_DKIM
,NULL, /* dkim_canon */
/* Set the default port according to the protocol */
if (ob->port == NULL)
- ob->port = (strcmpic(ob->protocol, US"lmtp") == 0)? US"lmtp" : US"smtp";
+ ob->port = (strcmpic(ob->protocol, US"lmtp") == 0)? US"lmtp" :
+ (strcmpic(ob->protocol, US"smtps") == 0)? US"smtps" : US"smtp";
/* Set up the setup entry point, to be called before subprocesses for this
transport. */
smtp_transport_options_block *ob =
(smtp_transport_options_block *)(tblock->options_block);
BOOL lmtp = strcmpic(ob->protocol, US"lmtp") == 0;
+BOOL smtps = strcmpic(ob->protocol, US"smtps") == 0;
BOOL ok = FALSE;
BOOL send_rset = TRUE;
BOOL send_quit = TRUE;
/* Reset the parameters of a TLS session. */
+tls_bits = 0;
tls_cipher = NULL;
tls_peerdn = NULL;
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+tls_sni = NULL;
+#endif
/* If an authenticated_sender override has been specified for this transport
instance, expand it. If the expansion is forced to fail, and there was already
else if (new[0] != 0) local_authenticated_sender = new;
}
+#ifndef SUPPORT_TLS
+if (smtps)
+ {
+ set_errno(addrlist, 0, US"TLS support not available", DEFER, FALSE);
+ return ERROR;
+ }
+#endif
+
/* Make a connection to the host if this isn't a continued delivery, and handle
the initial interaction and HELO/EHLO/LHLO. Connect timeout errors are handled
specially so they can be identified for retries. */
is nevertheless a reasonably clean way of programming this kind of logic,
where you want to escape on any error. */
- if (!smtp_read_response(&inblock, buffer, sizeof(buffer), '2',
- ob->command_timeout)) goto RESPONSE_FAILED;
+ if (!smtps)
+ {
+ if (!smtp_read_response(&inblock, buffer, sizeof(buffer), '2',
+ ob->command_timeout)) goto RESPONSE_FAILED;
- /* Now check if the helo_data expansion went well, and sign off cleanly if it
- didn't. */
+ /* Now check if the helo_data expansion went well, and sign off cleanly if
+ it didn't. */
- if (helo_data == NULL)
- {
- uschar *message = string_sprintf("failed to expand helo_data: %s",
- expand_string_message);
- set_errno(addrlist, 0, message, DEFER, FALSE);
- yield = DEFER;
- goto SEND_QUIT;
+ if (helo_data == NULL)
+ {
+ uschar *message = string_sprintf("failed to expand helo_data: %s",
+ expand_string_message);
+ set_errno(addrlist, 0, message, DEFER, FALSE);
+ yield = DEFER;
+ goto SEND_QUIT;
+ }
}
/** Debugging without sending a message
esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL,
host->name, host->address, NULL) != OK;
+ /* Alas; be careful, since this goto is not an error-out, so conceivably
+ we might set data between here and the target which we assume to exist
+ and be usable. I can see this coming back to bite us. */
+ #ifdef SUPPORT_TLS
+ if (smtps)
+ {
+ tls_offered = TRUE;
+ suppress_tls = FALSE;
+ ob->tls_tempfail_tryclear = FALSE;
+ smtp_command = US"SSL-on-connect";
+ goto TLS_NEGOTIATE;
+ }
+ #endif
+
if (esmtp)
{
if (smtp_write_command(&outblock, FALSE, "%s %s\r\n",
if (!smtp_read_response(&inblock, buffer2, sizeof(buffer2), '2',
ob->command_timeout))
{
- Ustrncpy(buffer, buffer2, sizeof(buffer));
if (errno != 0 || buffer2[0] == 0 ||
(buffer2[0] == '4' && !ob->tls_tempfail_tryclear))
+ {
+ Ustrncpy(buffer, buffer2, sizeof(buffer));
goto RESPONSE_FAILED;
+ }
}
/* STARTTLS accepted: try to negotiate a TLS session. */
else
+ TLS_NEGOTIATE:
{
int rc = tls_client_start(inblock.sock,
host,
NULL, /* No DH param */
ob->tls_certificate,
ob->tls_privatekey,
+ ob->tls_sni,
ob->tls_verify_certificates,
ob->tls_crl,
ob->tls_require_ciphers,
- ob->gnutls_require_mac,
- ob->gnutls_require_kx,
- ob->gnutls_require_proto,
ob->command_timeout);
/* TLS negotiation failed; give an error. From outside, this function may
}
}
+/* if smtps, we'll have smtp_command set to something else; always safe to
+reset it here. */
+smtp_command = big_buffer;
+
/* If we started TLS, redo the EHLO/LHLO exchange over the secure channel. If
helo_data is null, we are dealing with a connection that was passed from
another process, and so we won't have expanded helo_data above. We have to
if (tls_active >= 0)
{
+ char *greeting_cmd;
if (helo_data == NULL)
{
helo_data = expand_string(ob->helo_data);
}
}
- if (smtp_write_command(&outblock, FALSE, "%s %s\r\n", lmtp? "LHLO" : "EHLO",
- helo_data) < 0)
+ /* For SMTPS we need to wait for the initial OK response. */
+ if (smtps)
+ {
+ if (!smtp_read_response(&inblock, buffer, sizeof(buffer), '2',
+ ob->command_timeout)) goto RESPONSE_FAILED;
+ }
+
+ if (esmtp)
+ greeting_cmd = "EHLO";
+ else
+ {
+ greeting_cmd = "HELO";
+ DEBUG(D_transport)
+ debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
+ }
+
+ if (smtp_write_command(&outblock, FALSE, "%s %s\r\n",
+ lmtp? "LHLO" : greeting_cmd, helo_data) < 0)
goto SEND_FAILED;
if (!smtp_read_response(&inblock, buffer, sizeof(buffer), '2',
ob->command_timeout))
continue;
}
completed_address = TRUE; /* NOW we can set this flag */
- conf = string_sprintf("LMTP Successful delivery:%s", string_printing(buffer));
+ if ((log_extra_selector & LX_smtp_confirmation) != 0)
+ {
+ uschar *s = string_printing(buffer);
+ conf = (s == buffer)? (uschar *)string_copy(s) : s;
+ }
}
/* SMTP, or success return from LMTP for this address. Pass back the
if (tls_active >= 0)
{
tls_close(TRUE);
- ok = smtp_write_command(&outblock,FALSE,"EHLO %s\r\n",helo_data) >= 0 &&
- smtp_read_response(&inblock, buffer, sizeof(buffer), '2',
- ob->command_timeout);
+ if (smtps)
+ ok = FALSE;
+ else
+ ok = smtp_write_command(&outblock,FALSE,"EHLO %s\r\n",helo_data) >= 0 &&
+ smtp_read_response(&inblock, buffer, sizeof(buffer), '2',
+ ob->command_timeout);
}
#endif
git://git.exim.org / exim.git / blobdiff