: string_copy(addr->message)
: addr->basic_errno > 0
? string_copy(US strerror(addr->basic_errno))
- : NULL);
+ : NULL,
+ NULL);
deliver_localpart = save_local;
deliver_domain = save_domain;
#endif
#ifndef DISABLE_EVENT
(void) event_raise(sx->conn_args.tblock->event_action,
- US"smtp:ehlo", sx->buffer);
+ US"smtp:ehlo", sx->buffer, NULL);
#endif
return TRUE;
}
host_item * host = sx->conn_args.host; /* host to deliver to */
int rc;
+/* Set up globals for error messages */
+
+authenticator_name = au->name;
+driver_srcfile = au->srcfile;
+driver_srcline = au->srcline;
+
sx->outblock.authenticating = TRUE;
rc = (au->info->clientcode)(au, sx, ob->command_timeout,
sx->buffer, sizeof(sx->buffer));
sx->outblock.authenticating = FALSE;
+driver_srcfile = authenticator_name = NULL; driver_srcline = 0;
DEBUG(D_transport) debug_printf("%s authenticator yielded %d\n", au->name, rc);
/* A temporary authentication failure must hold up delivery to
uschar * tls_errstr;
#endif
+/* Many lines of clearing individual elements of *sx that used to
+be here have been replaced by a full memset to zero (de41aff051).
+There are two callers, this file and verify.c . Now we only set
+up nonzero elements. */
+
sx->conn_args.ob = ob;
sx->lmtp = strcmpic(ob->protocol, US"lmtp") == 0;
sx->smtps = strcmpic(ob->protocol, US"smtps") == 0;
-/* sx->ok = FALSE; */
sx->send_rset = TRUE;
sx->send_quit = TRUE;
sx->setting_up = TRUE;
sx->esmtp = TRUE;
-/* sx->esmtp_sent = FALSE; */
-#ifdef SUPPORT_I18N
-/* sx->utf8_needed = FALSE; */
-#endif
sx->dsn_all_lasthop = TRUE;
#ifdef SUPPORT_DANE
-/* sx->conn_args.dane = FALSE; */
sx->dane_required =
verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK;
#endif
-#ifndef DISABLE_PIPE_CONNECT
-/* sx->early_pipe_active = sx->early_pipe_ok = FALSE; */
-/* sx->ehlo_resp.cleartext_features = sx->ehlo_resp.crypted_features = 0; */
-/* sx->pending_BANNER = sx->pending_EHLO = sx->pending_MAIL = FALSE; */
-#endif
if ((sx->max_mail = sx->conn_args.tblock->connection_max_messages) == 0) sx->max_mail = 999999;
if ((sx->max_rcpt = sx->conn_args.tblock->max_addresses) == 0) sx->max_rcpt = 999999;
-/* sx->peer_offered = 0; */
-/* sx->avoid_option = 0; */
sx->igquotstr = US"";
if (!sx->helo_data) sx->helo_data = ob->helo_data;
-#ifdef EXPERIMENTAL_DSN_INFO
-/* sx->smtp_greeting = NULL; */
-/* sx->helo_response = NULL; */
-#endif
smtp_command = US"initial connection";
-/* sx->buffer[0] = '\0'; */
/* Set up the buffer for reading SMTP response packets. */
sx->outblock.buffer = sx->outbuffer;
sx->outblock.buffersize = sizeof(sx->outbuffer);
sx->outblock.ptr = sx->outbuffer;
-/* sx->outblock.cmd_count = 0; */
-/* sx->outblock.authenticating = FALSE; */
-/* sx->outblock.conn_args = NULL; */
/* Reset the parameters of a TLS session. */
# ifndef DISABLE_EVENT
(void) event_raise(sx->conn_args.tblock->event_action,
US"dane:fail", sx->dane_required
- ? US"dane-required" : US"dnssec-invalid");
+ ? US"dane-required" : US"dnssec-invalid",
+ NULL);
# endif
return rc;
}
DEBUG(D_transport)
debug_printf("Closing proxied-TLS connection due to SNI mismatch\n");
- HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP>> QUIT\n");
+ smtp_debug_cmd(US"QUIT", 0);
write(0, "QUIT\r\n", 6);
close(0);
continue_hostname = continue_proxy_cipher = NULL;
# ifndef DISABLE_EVENT
(void) event_raise(sx->conn_args.tblock->event_action,
US"dane:fail", sx->dane_required
- ? US"dane-required" : US"dnssec-invalid");
+ ? US"dane-required" : US"dnssec-invalid",
+ NULL);
# endif
return rc;
}
FAIL, FALSE, &sx->delivery_start);
# ifndef DISABLE_EVENT
(void) event_raise(sx->conn_args.tblock->event_action,
- US"dane:fail", US"dane-required");
+ US"dane:fail", US"dane-required", NULL);
# endif
return FAIL;
}
sx->peer_limit_mail = sx->peer_limit_rcpt = sx->peer_limit_rcptdom =
#endif
sx->avoid_option = sx->peer_offered = smtp_peer_options = 0;
+#ifndef DISABLE_CLIENT_CMD_LOG
+ client_cmd_log = NULL;
+#endif
#ifndef DISABLE_PIPE_CONNECT
if ( verify_check_given_host(CUSS &ob->hosts_pipe_connect,
the helo string might use it avoid doing early-pipelining. */
if ( !sx->helo_data
+ || sx->conn_args.interface
|| !Ustrstr(sx->helo_data, "$sending_ip_address")
|| Ustrstr(sx->helo_data, "def:sending_ip_address")
)
}
}
else DEBUG(D_transport)
- debug_printf("helo needs $sending_ip_address\n");
+ debug_printf("helo needs $sending_ip_address; avoid early-pipelining\n");
PIPE_CONNECT_RETRY:
if (sx->early_pipe_active)
+ {
sx->outblock.conn_args = &sx->conn_args;
+ (void) smtp_boundsock(&sx->conn_args);
+ }
else
#endif
{
}
/* Expand the greeting message while waiting for the initial response. (Makes
sense if helo_data contains ${lookup dnsdb ...} stuff). The expansion is
- delayed till here so that $sending_interface and $sending_port are set. */
-/*XXX early-pipe: they still will not be. Is there any way to find out what they
-will be? Somehow I doubt it. */
+ delayed till here so that $sending_ip_address and $sending_port are set.
+ Those will be known even for a TFO lazy-connect, having been set by the bind().
+ For early-pipe, we are ok if binding to a local interface; otherwise (if
+ $sending_ip_address is seen in helo_data) we disabled early-pipe above. */
if (sx->helo_data)
if (!(sx->helo_data = expand_string(sx->helo_data)))
uschar * s;
lookup_dnssec_authenticated = sx->conn_args.host->dnssec==DS_YES ? US"yes"
: sx->conn_args.host->dnssec==DS_NO ? US"no" : NULL;
- s = event_raise(sx->conn_args.tblock->event_action, US"smtp:connect", sx->buffer);
+ s = event_raise(sx->conn_args.tblock->event_action, US"smtp:connect", sx->buffer, NULL);
if (s)
{
set_errno_nohost(sx->addrlist, ERRNO_EXPANDFAIL,
sx->conn_args.host->name, sx->conn_args.host->address, tls_errstr);
# ifndef DISABLE_EVENT
(void) event_raise(sx->conn_args.tblock->event_action,
- US"dane:fail", US"validation-failure"); /* could do with better detail */
+ US"dane:fail", US"validation-failure", NULL); /* could do with better detail */
# endif
}
# endif
(void) event_raise(sx->conn_args.tblock->event_action, US"dane:fail",
smtp_peer_options & OPTION_TLS
? US"validation-failure" /* could do with better detail */
- : US"starttls-not-supported");
+ : US"starttls-not-supported",
+ NULL);
# endif
goto TLS_FAILED;
}
smtp_peer_options & OPTION_PIPE ? "" : "not ");
if ( sx->peer_offered & OPTION_CHUNKING
- && verify_check_given_host(CUSS &ob->hosts_try_chunking, sx->conn_args.host) != OK)
- sx->peer_offered &= ~OPTION_CHUNKING;
+ && verify_check_given_host(CUSS &ob->hosts_try_chunking, sx->conn_args.host) == OK)
+ smtp_peer_options |= OPTION_CHUNKING;
- if (sx->peer_offered & OPTION_CHUNKING)
+ if (smtp_peer_options & OPTION_CHUNKING)
DEBUG(D_transport) debug_printf("CHUNKING usable\n");
#ifndef DISABLE_PRDR
if ( sx->peer_offered & OPTION_PRDR
- && verify_check_given_host(CUSS &ob->hosts_try_prdr, sx->conn_args.host) != OK)
- sx->peer_offered &= ~OPTION_PRDR;
+ && verify_check_given_host(CUSS &ob->hosts_try_prdr, sx->conn_args.host) == OK)
+ smtp_peer_options |= OPTION_PRDR;
- if (sx->peer_offered & OPTION_PRDR)
+ if (smtp_peer_options & OPTION_PRDR)
DEBUG(D_transport) debug_printf("PRDR usable\n");
#endif
sx->cctx.sock = -1;
#ifndef DISABLE_EVENT
-(void) event_raise(sx->conn_args.tblock->event_action, US"tcp:close", NULL);
+(void) event_raise(sx->conn_args.tblock->event_action, US"tcp:close", NULL, NULL);
#endif
+smtp_debug_cmd_report();
continue_transport = NULL;
continue_hostname = NULL;
return yield;
request that */
sx->prdr_active = FALSE;
-if (sx->peer_offered & OPTION_PRDR)
+if (smtp_peer_options & OPTION_PRDR)
for (address_item * addr = addrlist; addr; addr = addr->next)
if (addr->transport_return == PENDING_DEFER)
{
bufsiz size of buffer
pfd pipe filedescriptor array; [0] is comms to proxied process
timeout per-read timeout, seconds
+ host hostname of remote
Does not return.
*/
void
smtp_proxy_tls(void * ct_ctx, uschar * buf, size_t bsize, int * pfd,
- int timeout)
+ int timeout, const uschar * host)
{
struct pollfd p[2] = {{.fd = tls_out.active.sock, .events = POLLIN},
{.fd = pfd[0], .events = POLLIN}};
int rc, i;
BOOL send_tls_shutdown = TRUE;
+uschar * s =
+ string_sprintf("proxying TLS connection for continued transport to %s\n", host);
close(pfd[1]);
if ((rc = exim_fork(US"tls-proxy")))
_exit(rc < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
-set_process_info("proxying TLS connection for continued transport");
+set_process_info(CCS s);
do
{
uschar *message = NULL;
uschar new_message_id[MESSAGE_ID_LENGTH + 1];
-smtp_context * sx = store_get(sizeof(*sx), TRUE); /* tainted, for the data buffers */
+smtp_context * sx = store_get(sizeof(*sx), GET_TAINTED); /* tainted, for the data buffers */
BOOL pass_message = FALSE;
#ifdef EXPERIMENTAL_ESMTP_LIMITS
BOOL mail_limit = FALSE;
memset(sx, 0, sizeof(*sx));
sx->addrlist = addrlist;
sx->conn_args.host = host;
-sx->conn_args.host_af = host_af,
+sx->conn_args.host_af = host_af;
sx->port = defport;
sx->conn_args.interface = interface;
sx->helo_data = NULL;
sx->conn_args.tblock = tblock;
-/* sx->verify = FALSE; */
+sx->conn_args.sock = -1;
gettimeofday(&sx->delivery_start, NULL);
sx->sync_addr = sx->first_addr = addrlist;
yield ERROR. */
if (!transport_set_up_command(&transport_filter_argv,
- tblock->filter_command, TRUE, DEFER, addrlist,
- string_sprintf("%.50s transport", tblock->name), NULL))
+ tblock->filter_command, TRUE, DEFER, addrlist, FALSE,
+ string_sprintf("%.50s transport filter", tblock->name), NULL))
{
set_errno_nohost(addrlist->next, addrlist->basic_errno, addrlist->message, DEFER,
FALSE, &sx->delivery_start);
if ( transport_filter_argv
&& *transport_filter_argv
&& **transport_filter_argv
- && sx->peer_offered & OPTION_CHUNKING
+ && smtp_peer_options & OPTION_CHUNKING
#ifndef DISABLE_DKIM
/* When dkim signing, chunking is handled even with a transport-filter */
&& !(ob->dkim.dkim_private_key && ob->dkim.dkim_domain && ob->dkim.dkim_selector)
#endif
)
{
- sx->peer_offered &= ~OPTION_CHUNKING;
+ smtp_peer_options &= ~OPTION_CHUNKING;
DEBUG(D_transport) debug_printf("CHUNKING not usable due to transport filter\n");
}
}
If using CHUNKING, do not send a BDAT until we know how big a chunk we want
to send is. */
-if ( !(sx->peer_offered & OPTION_CHUNKING)
+if ( !(smtp_peer_options & OPTION_CHUNKING)
&& (sx->ok || (pipelining_active && !mua_wrapper)))
{
int count = smtp_write_command(sx, SCMD_FLUSH, "DATA\r\n");
(Haven't been able to make it work using select() for writing yet.) */
if ( !sx->ok
- && (!(sx->peer_offered & OPTION_CHUNKING) || !pipelining_active))
+ && (!(smtp_peer_options & OPTION_CHUNKING) || !pipelining_active))
{
/* Save the first address of the next batch. */
sx->first_addr = sx->next_addr;
of responses. The callback needs a whole bunch of state so set up
a transport-context structure to be passed around. */
- if (sx->peer_offered & OPTION_CHUNKING)
+ if (smtp_peer_options & OPTION_CHUNKING)
{
tctx.check_string = tctx.escape_string = NULL;
tctx.options |= topt_use_bdat;
transport_write_timeout = ob->data_timeout;
smtp_command = US"sending data block"; /* For error messages */
DEBUG(D_transport|D_v)
- if (sx->peer_offered & OPTION_CHUNKING)
+ if (smtp_peer_options & OPTION_CHUNKING)
debug_printf(" will write message using CHUNKING\n");
else
debug_printf(" SMTP>> writing message and terminating \".\"\n");
If we can, we want the message-write to not flush (the tail end of) its data out. */
if ( sx->pipelining_used
- && (sx->ok && sx->completed_addr || sx->peer_offered & OPTION_CHUNKING)
+ && (sx->ok && sx->completed_addr || smtp_peer_options & OPTION_CHUNKING)
&& sx->send_quit
&& !(sx->first_addr || f.continue_more)
&& f.deliver_firsttime
sx->send_quit = FALSE; /* avoid sending it later */
#ifndef DISABLE_TLS
- if (sx->cctx.tls_ctx) /* need to send TLS Close Notify */
+ if (sx->cctx.tls_ctx && sx->send_tlsclose) /* need to send TLS Close Notify */
{
# ifdef EXIM_TCP_CORK /* Use _CORK to get Close Notify in FIN segment */
(void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
}
}
- if (sx->peer_offered & OPTION_CHUNKING && sx->cmd_count > 1)
+ if (smtp_peer_options & OPTION_CHUNKING && sx->cmd_count > 1)
{
/* Reap any outstanding MAIL & RCPT commands, but not a DATA-go-ahead */
switch(sync_responses(sx, sx->cmd_count-1, 0))
#ifndef DISABLE_PRDR
if (sx->prdr_active) setflag(addr, af_prdr_used);
#endif
- if (sx->peer_offered & OPTION_CHUNKING) setflag(addr, af_chunking_used);
+ if (smtp_peer_options & OPTION_CHUNKING) setflag(addr, af_chunking_used);
flag = '-';
#ifndef DISABLE_PRDR
# ifndef DISABLE_TLS
if (sx->cctx.tls_ctx)
{
- tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT);
+ tls_close(sx->cctx.tls_ctx,
+ sx->send_tlsclose ? TLS_SHUTDOWN_WAIT : TLS_SHUTDOWN_WONLY);
sx->cctx.tls_ctx = NULL;
}
# endif
a new EHLO. If we don't get a good response, we don't attempt to pass
the socket on. */
- tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT);
+ tls_close(sx->cctx.tls_ctx,
+ sx->send_tlsclose ? TLS_SHUTDOWN_WAIT : TLS_SHUTDOWN_WONLY);
sx->send_tlsclose = FALSE;
sx->cctx.tls_ctx = NULL;
tls_out.active.sock = -1;
{
/* does not return */
smtp_proxy_tls(sx->cctx.tls_ctx, sx->buffer, sizeof(sx->buffer), pfd,
- ob->command_timeout);
+ ob->command_timeout, host->name);
}
if (pid > 0) /* parent */
{ /* Use _MORE to get QUIT in FIN segment */
(void)smtp_write_command(sx, SCMD_MORE, "QUIT\r\n");
#ifndef DISABLE_TLS
- if (sx->cctx.tls_ctx)
+ if (sx->cctx.tls_ctx && sx->send_tlsclose)
{
# ifdef EXIM_TCP_CORK /* Use _CORK to get TLS Close Notify in FIN segment */
(void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
while (!sigalrm_seen && n > 0);
ALARM_CLR(0);
+ if (sx->send_tlsclose)
+ {
# ifdef EXIM_TCP_CORK
- (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
+ (void) setsockopt(sx->cctx.sock, IPPROTO_TCP, EXIM_TCP_CORK, US &on, sizeof(on));
# endif
- tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT);
+ tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT);
+ }
+ else
+ tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WONLY);
sx->cctx.tls_ctx = NULL;
}
#endif
sx->cctx.sock = -1;
continue_transport = NULL;
continue_hostname = NULL;
+smtp_debug_cmd_report();
#ifndef DISABLE_EVENT
-(void) event_raise(tblock->event_action, US"tcp:close", NULL);
+(void) event_raise(tblock->event_action, US"tcp:close", NULL, NULL);
#endif
#ifdef SUPPORT_DANE
else
if (ob->hosts_randomize) s = expanded_hosts = string_copy(s);
- if (is_tainted2(s, LOG_MAIN|LOG_PANIC, "Tainted host list '%s' from '%s' in transport %s", s, ob->hosts, tblock->name))
+ if (is_tainted(s))
{
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "attempt to use tainted host list '%s' from '%s' in transport %s",
+ s, ob->hosts, tblock->name);
/* Avoid leaking info to an attacker */
addrlist->message = US"internal configuration error";
addrlist->transport_return = PANIC;
if (expanded_hosts)
{
- thost = store_get(sizeof(host_item), FALSE);
+ thost = store_get(sizeof(host_item), GET_UNTAINTED);
*thost = *host;
thost->name = string_copy(host->name);
thost->address = string_copy(host->address);