{ "dane_require_tls_ciphers", opt_stringptr, LOFF(dane_require_tls_ciphers) },
# endif
{ "data_timeout", opt_time, LOFF(data_timeout) },
- { "delay_after_cutoff", opt_bool, LOFF(delay_after_cutoff) },
+ { "delay_after_cutoff", opt_bool, LOFF(delay_after_cutoff) },
#ifndef DISABLE_DKIM
{ "dkim_canon", opt_stringptr, LOFF(dkim.dkim_canon) },
{ "dkim_domain", opt_stringptr, LOFF(dkim.dkim_domain) },
/* Default private options block for the smtp transport. */
smtp_transport_options_block smtp_transport_option_defaults = {
- .hosts = NULL,
- .fallback_hosts = NULL,
- .hostlist = NULL,
- .fallback_hostlist = NULL,
+ /* All non-mentioned elements 0/NULL/FALSE */
.helo_data = US"$primary_hostname",
- .interface = NULL,
- .port = NULL,
.protocol = US"smtp",
- .dscp = NULL,
- .serialize_hosts = NULL,
- .hosts_try_auth = NULL,
- .hosts_require_auth = NULL,
.hosts_try_chunking = US"*",
#ifdef SUPPORT_DANE
.hosts_try_dane = US"*",
- .hosts_require_dane = NULL,
- .dane_require_tls_ciphers = NULL,
#endif
.hosts_try_fastopen = US"*",
#ifndef DISABLE_PRDR
#endif
#ifndef DISABLE_OCSP
.hosts_request_ocsp = US"*", /* hosts_request_ocsp (except under DANE; tls_client_start()) */
- .hosts_require_ocsp = NULL,
-#endif
- .hosts_require_tls = NULL,
- .hosts_avoid_tls = NULL,
- .hosts_verify_avoid_tls = NULL,
- .hosts_avoid_pipelining = NULL,
-#ifndef DISABLE_PIPE_CONNECT
- .hosts_pipe_connect = NULL,
-#endif
- .hosts_avoid_esmtp = NULL,
-#ifndef DISABLE_TLS
- .hosts_nopass_tls = NULL,
- .hosts_noproxy_tls = NULL,
#endif
.command_timeout = 5*60,
.connect_timeout = 5*60,
.hosts_max_try_hardlimit = 50,
.message_linelength_limit = 998,
.address_retry_include_sender = TRUE,
- .allow_localhost = FALSE,
- .authenticated_sender_force = FALSE,
- .gethostbyname = FALSE,
.dns_qualify_single = TRUE,
- .dns_search_parents = FALSE,
.dnssec = { .request= US"*", .require=NULL },
.delay_after_cutoff = TRUE,
- .hosts_override = FALSE,
- .hosts_randomize = FALSE,
.keepalive = TRUE,
- .lmtp_ignore_quota = FALSE,
- .expand_retry_include_ip_address = NULL,
.retry_include_ip_address = TRUE,
-#ifdef SUPPORT_SOCKS
- .socks_proxy = NULL,
-#endif
#ifndef DISABLE_TLS
- .tls_certificate = NULL,
- .tls_crl = NULL,
- .tls_privatekey = NULL,
- .tls_require_ciphers = NULL,
- .tls_sni = NULL,
+# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
.tls_verify_certificates = US"system",
+# endif
.tls_dh_min_bits = EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
.tls_tempfail_tryclear = TRUE,
-# ifndef DISABLE_TLS_RESUME
- .tls_resumption_hosts = NULL,
-# endif
- .tls_verify_hosts = NULL,
.tls_try_verify_hosts = US"*",
.tls_verify_cert_hostnames = US"*",
#endif
#endif
#ifndef DISABLE_DKIM
.dkim =
- {.dkim_domain = NULL,
- .dkim_identity = NULL,
- .dkim_private_key = NULL,
- .dkim_selector = NULL,
- .dkim_canon = NULL,
- .dkim_sign_headers = NULL,
- .dkim_strict = NULL,
- .dkim_hash = US"sha256",
- .dkim_timestamps = NULL,
- .dot_stuffed = FALSE,
- .force_bodyhash = FALSE,
-# ifdef EXPERIMENTAL_ARC
- .arc_signspec = NULL,
-# endif
- },
-# ifdef EXPERIMENTAL_ARC
- .arc_sign = NULL,
-# endif
+ { .dkim_hash = US"sha256", },
#endif
};
uschar * ehlo_resp_key = ehlo_cache_key(sx);
dbdata_ehlo_resp * er;
- if (!(er = dbfn_read(dbm_file, ehlo_resp_key)))
+ if (!(er = dbfn_read_enforce_length(dbm_file, ehlo_resp_key, sizeof(dbdata_ehlo_resp))))
{ DEBUG(D_transport) debug_printf("no ehlo-resp record\n"); }
else if (time(NULL) - er->time_stamp > retry_data_expire)
{
typedef struct smtp_compare_s
{
- uschar *current_sender_address;
- struct transport_instance *tblock;
+ uschar * current_sender_address;
+ struct transport_instance * tblock;
} smtp_compare_t;
DEFER, FALSE, &sx->delivery_start);
return ERROR;
}
-#endif
+#else
+
+/* If we have a proxied TLS connection, check usability for this message */
+
+if (continue_hostname && continue_proxy_cipher)
+ {
+ int rc;
+ const uschar * sni = US"";
+
+# ifdef SUPPORT_DANE
+ /* Check if the message will be DANE-verified; if so force its SNI */
+
+ tls_out.dane_verified = FALSE;
+ smtp_port_for_connect(sx->conn_args.host, sx->port);
+ if ( sx->conn_args.host->dnssec == DS_YES
+ && ( sx->dane_required
+ || verify_check_given_host(CUSS &ob->hosts_try_dane, sx->conn_args.host) == OK
+ ) )
+ switch (rc = tlsa_lookup(sx->conn_args.host, &sx->conn_args.tlsa_dnsa, sx->dane_required))
+ {
+ case OK: sx->conn_args.dane = TRUE;
+ ob->tls_tempfail_tryclear = FALSE; /* force TLS */
+ ob->tls_sni = sx->first_addr->domain; /* force SNI */
+ break;
+ case FAIL_FORCED: break;
+ default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
+ string_sprintf("DANE error: tlsa lookup %s",
+ rc_to_string(rc)),
+ rc, FALSE, &sx->delivery_start);
+# ifndef DISABLE_EVENT
+ (void) event_raise(sx->conn_args.tblock->event_action,
+ US"dane:fail", sx->dane_required
+ ? US"dane-required" : US"dnssec-invalid");
+# endif
+ return rc;
+ }
+# endif
+
+ /* If the SNI or the DANE status required for the new message differs from the
+ existing conn drop the connection to force a new one. */
+
+ if (ob->tls_sni && !(sni = expand_cstring(ob->tls_sni)))
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "<%s>: failed to expand transport's tls_sni value: %s",
+ sx->addrlist->address, expand_string_message);
+
+# ifdef SUPPORT_DANE
+ if ( (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni)
+ && continue_proxy_dane == sx->conn_args.dane)
+ {
+ tls_out.sni = US sni;
+ if ((tls_out.dane_verified = continue_proxy_dane))
+ sx->conn_args.host->dnssec = DS_YES;
+ }
+# else
+ if ((continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni))
+ tls_out.sni = US sni;
+# endif
+ else
+ {
+ DEBUG(D_transport)
+ debug_printf("Closing proxied-TLS connection due to SNI mismatch\n");
+
+ HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP>> QUIT\n");
+ write(0, "QUIT\r\n", 6);
+ close(0);
+ continue_hostname = continue_proxy_cipher = NULL;
+ f.continue_more = FALSE;
+ continue_sequence = 1; /* Unfortunately, this process cannot affect success log
+ which is done by delivery proc. Would have to pass this
+ back through reporting pipe. */
+ }
+ }
+#endif /*!DISABLE_TLS*/
/* Make a connection to the host if this isn't a continued delivery, and handle
the initial interaction and HELO/EHLO/LHLO. Connect timeout errors are handled
uschar *message = NULL;
uschar new_message_id[MESSAGE_ID_LENGTH + 1];
smtp_context * sx = store_get(sizeof(*sx), TRUE); /* tainted, for the data buffers */
-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
+#ifdef SUPPORT_DANE
BOOL dane_held;
#endif
gettimeofday(&sx->delivery_start, NULL);
sx->sync_addr = sx->first_addr = addrlist;
-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
+#ifdef SUPPORT_DANE
DANE_DOMAINS:
dane_held = FALSE;
#endif
goto TIDYUP;
}
-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
+#ifdef SUPPORT_DANE
/* If the connection used DANE, ignore for now any addresses with incompatible
domains. The SNI has to be the domain. Arrange a whole new TCP conn later,
just in case only TLS isn't enough. */
*message_defer = TRUE;
}
+#ifdef TIOCOUTQ
+ DEBUG(D_transport) if (sx->cctx.sock >= 0)
+ {
+ int n;
+ if (ioctl(sx->cctx.sock, TIOCOUTQ, &n) == 0)
+ debug_printf("%d bytes remain in socket output buffer\n", n);
+ }
+#endif
}
-
/* Otherwise, we have an I/O error or a timeout other than after MAIL or
".", or some other transportation error. We defer all addresses and yield
DEFER, except for the case of failed add_headers expansion, or a transport
t_compare.tblock = tblock;
t_compare.current_sender_address = sender_address;
- if ( sx->first_addr != NULL
- || f.continue_more
+ if ( sx->first_addr != NULL /* more addrs for this message */
+ || f.continue_more /* more addrs for coninued-host */
|| (
#ifndef DISABLE_TLS
( tls_out.active.sock < 0 && !continue_proxy_cipher
if (sx->first_addr != NULL) /* More addresses still to be sent */
- { /* on this connection */
+ { /* for this message */
continue_sequence++; /* Causes * in logging */
pipelining_active = sx->pipelining_used; /* was cleared at DATA */
goto SEND_MESSAGE;
tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT);
sx->cctx.tls_ctx = NULL;
+ tls_out.active.sock = -1;
smtp_peer_options = smtp_peer_options_wrap;
sx->ok = !sx->smtps
&& smtp_write_command(sx, SCMD_FLUSH, "EHLO %s\r\n", sx->helo_data)
operation, the old commented-out code was removed on 17-Sep-99. */
SEND_QUIT:
-#ifdef TCP_CORK
-(void) setsockopt(sx->cctx.sock, IPPROTO_TCP, TCP_CORK, US &on, sizeof(on));
+if (sx->send_quit)
+ {
+#ifdef EXIM_TCP_CORK
+ (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
#endif
-if (sx->send_quit) (void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
+ (void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
+ }
END_OFF:
(void) event_raise(tblock->event_action, US"tcp:close", NULL);
#endif
-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
+#ifdef SUPPORT_DANE
if (dane_held)
{
sx->first_addr = NULL;
return yield;
TIDYUP:
-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
+#ifdef SUPPORT_DANE
if (dane_held) for (address_item * a = sx->addrlist->next; a; a = a->next)
if (a->transport_return == DANE)
a->transport_return = PENDING_DEFER;
git://git.exim.org / exim.git / blobdiff