* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2009 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions concerned with verifying things. The original code for callout
tls_retry_connection:
inblock.sock = outblock.sock =
- smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
+ smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
/* reconsider DSCP here */
if (inblock.sock < 0)
{
#endif
if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout)))
goto RESPONSE_FAILED;
-
+
/* Not worth checking greeting line for ESMTP support */
if (!(esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL,
host->name, host->address, NULL) != OK))
#ifdef SUPPORT_TLS
if (tls_offered &&
verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name,
- host->address, NULL) != OK)
+ host->address, NULL) != OK &&
+ verify_check_this_host(&(ob->hosts_verify_avoid_tls), NULL, host->name,
+ host->address, NULL) != OK
+ )
{
uschar buffer2[4096];
if ( !smtps
else
{
int rc = tls_client_start(inblock.sock, host, addr,
- NULL, /* No DH param */
ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni,
ob->tls_verify_certificates, ob->tls_crl,
ob->tls_require_ciphers,
- ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto,
- callout);
+#ifdef EXPERIMENTAL_OCSP
+ ob->hosts_require_ocsp,
+#endif
+ ob->tls_dh_min_bits, callout);
/* TLS negotiation failed; give an error. Try in clear on a new connection,
if the options permit it for this host. */
done = TRUE; /* so far so good; have response to HELO */
- /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING, AUTH */
- /* If we haven't authenticated, but are required to, give up. */
+ /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING */
- /*XXX "filter command specified for this transport" ??? */
- /* for now, transport_filter by cutthrough-delivery is not supported */
+ /* For now, transport_filter by cutthrough-delivery is not supported */
/* Need proper integration with the proper transport mechanism. */
-
+ if (cutthrough_delivery)
+ {
+ if (addr->transport->filter_command)
+ {
+ cutthrough_delivery= FALSE;
+ HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n");
+ }
+ #ifndef DISABLE_DKIM
+ if (ob->dkim_domain)
+ {
+ cutthrough_delivery= FALSE;
+ HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n");
+ }
+ #endif
+ }
SEND_FAILED:
RESPONSE_FAILED:
}
}
+ /* If we haven't authenticated, but are required to, give up. */
+ /* Try to AUTH */
+
+ else done = smtp_auth(responsebuffer, sizeof(responsebuffer),
+ addr, host, ob, esmtp, &inblock, &outblock) == OK &&
+
+ /* Copy AUTH info for logging */
+ ( (addr->authenticator = client_authenticator),
+ (addr->auth_id = client_authenticated_id),
+
+ /* Build a mail-AUTH string (re-using responsebuffer for convenience */
+ !smtp_mail_auth_str(responsebuffer, sizeof(responsebuffer), addr, ob)
+ ) &&
+
+ ( (addr->auth_sndr = client_authenticated_sender),
+
/* Send the MAIL command */
+ (smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>%s\r\n",
+ from_address, responsebuffer) >= 0)
+ ) &&
- else done =
- smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
- from_address) >= 0 &&
smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
'2', callout);
if (address[0] == 0) return OK;
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of a transport used by verification. Reset them
+at exit from this routine. */
+
+modify_variable(US"tls_bits", &tls_out.bits);
+modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
+modify_variable(US"tls_cipher", &tls_out.cipher);
+modify_variable(US"tls_peerdn", &tls_out.peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &tls_out.sni);
+#endif
+
/* Save a copy of the sender address for re-instating if we change it to <>
while verifying a sender address (a nice bit of self-reference there). */
}
cancel_cutthrough_connection("routing hard fail");
- if (!full_info) return copy_error(vaddr, addr, FAIL);
- else yield = FAIL;
+ if (!full_info)
+ {
+ yield = copy_error(vaddr, addr, FAIL);
+ goto out;
+ }
+ else yield = FAIL;
}
/* Soft failure */
}
cancel_cutthrough_connection("routing soft fail");
- if (!full_info) return copy_error(vaddr, addr, DEFER);
- else if (yield == OK) yield = DEFER;
+ if (!full_info)
+ {
+ yield = copy_error(vaddr, addr, DEFER);
+ goto out;
+ }
+ else if (yield == OK) yield = DEFER;
}
/* If we are handling EXPN, we do not want to continue to route beyond
if (addr_new == NULL) ok_prefix = US"250 ";
respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
}
- return OK;
+ yield = OK;
+ goto out;
}
/* Successful routing other than EXPN. */
of $address_data to be that of the child */
vaddr->p.address_data = addr->p.address_data;
- return OK;
+ yield = OK;
+ goto out;
}
}
} /* Loop for generated addresses */
if (allok && addr_local == NULL && addr_remote == NULL)
{
fprintf(f, "mail to %s is discarded\n", address);
- return yield;
+ goto out;
}
for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
}
}
-/* Will be DEFER or FAIL if any one address has, only for full_info (which is
+/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
the -bv or -bt case). */
+out:
+
+modify_variable(US"tls_bits", &tls_in.bits);
+modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
+modify_variable(US"tls_cipher", &tls_in.cipher);
+modify_variable(US"tls_peerdn", &tls_in.peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &tls_in.sni);
+#endif
+
return yield;
}
}
+/*************************************************
+* Check header names for 8-bit characters *
+*************************************************/
+
+/* This function checks for invalid charcters in header names. See
+RFC 5322, 2.2. and RFC 6532, 3.
+
+Arguments:
+ msgptr where to put an error message
+
+Returns: OK
+ FAIL
+*/
+
+int
+verify_check_header_names_ascii(uschar **msgptr)
+{
+header_line *h;
+uschar *colon, *s;
+
+for (h = header_list; h != NULL; h = h->next)
+ {
+ colon = Ustrchr(h->text, ':');
+ for(s = h->text; s < colon; s++)
+ {
+ if ((*s < 33) || (*s > 126))
+ {
+ *msgptr = string_sprintf("Invalid character in header \"%.*s\" found",
+ colon - h->text, h->text);
+ return FAIL;
+ }
+ }
+ }
+return OK;
+}
/*************************************************
* Check for blind recipients *