X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/193e3acd2723abeaaad8575fec3c058df674fc5d..770747fd28008931d72a9f87be83286eaf626a95:/src/src/verify.c diff --git a/src/src/verify.c b/src/src/verify.c index 39ef33787..3d3bfdaf0 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2009 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Functions concerned with verifying things. The original code for callout @@ -407,13 +407,6 @@ else if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush(); - /* Precompile some regex that are used to recognize parameters in response - to an EHLO command, if they aren't already compiled. */ - #ifdef SUPPORT_TLS - if (regex_STARTTLS == NULL) regex_STARTTLS = - regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE); - #endif - /* Now make connections to the hosts and do real callouts. The list of hosts is passed in as an argument. */ @@ -505,7 +498,7 @@ else tls_retry_connection: inblock.sock = outblock.sock = - smtp_connect(host, host_af, port, interface, callout_connect, TRUE); + smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL); /* reconsider DSCP here */ if (inblock.sock < 0) { @@ -545,7 +538,7 @@ else #endif if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))) goto RESPONSE_FAILED; - + /* Not worth checking greeting line for ESMTP support */ if (!(esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL, host->name, host->address, NULL) != OK)) @@ -570,11 +563,11 @@ else goto SEND_FAILED; if (!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout)) { - if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0) - { - done= FALSE; - goto RESPONSE_FAILED; - } + if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0) + { + done= FALSE; + goto RESPONSE_FAILED; + } #ifdef SUPPORT_TLS tls_offered = FALSE; #endif @@ -584,9 +577,16 @@ else /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */ #ifdef SUPPORT_TLS - tls_offered = esmtp && !suppress_tls && tls_out.active < 0 && - pcre_exec(regex_STARTTLS, NULL, CS responsebuffer, Ustrlen(responsebuffer), 0, - PCRE_EOPT, NULL, 0) >= 0; + if (esmtp && !suppress_tls && tls_out.active < 0) + { + if (regex_STARTTLS == NULL) regex_STARTTLS = + regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE); + + tls_offered = pcre_exec(regex_STARTTLS, NULL, CS responsebuffer, + Ustrlen(responsebuffer), 0, PCRE_EOPT, NULL, 0) >= 0; + } + else + tls_offered = FALSE; #endif } @@ -601,7 +601,10 @@ else #ifdef SUPPORT_TLS if (tls_offered && verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name, - host->address, NULL) != OK) + host->address, NULL) != OK && + verify_check_this_host(&(ob->hosts_verify_avoid_tls), NULL, host->name, + host->address, NULL) != OK + ) { uschar buffer2[4096]; if ( !smtps @@ -631,13 +634,14 @@ else else { int rc = tls_client_start(inblock.sock, host, addr, - NULL, /* No DH param */ ob->tls_certificate, ob->tls_privatekey, ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl, ob->tls_require_ciphers, - ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto, - callout); +#ifdef EXPERIMENTAL_OCSP + ob->hosts_require_ocsp, +#endif + ob->tls_dh_min_bits, callout); /* TLS negotiation failed; give an error. Try in clear on a new connection, if the options permit it for this host. */ @@ -690,13 +694,23 @@ else done = TRUE; /* so far so good; have response to HELO */ - /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING, AUTH */ - /* If we haven't authenticated, but are required to, give up. */ + /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING */ - /*XXX "filter command specified for this transport" ??? */ - /* for now, transport_filter by cutthrough-delivery is not supported */ + /* For now, transport_filter by cutthrough-delivery is not supported */ /* Need proper integration with the proper transport mechanism. */ - + if (cutthrough_delivery) + { + if (addr->transport->filter_command) + { + cutthrough_delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of transport filter\n"); + } + if (ob->dkim_domain) + { + cutthrough_delivery= FALSE; + HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of DKIM signing\n"); + } + } SEND_FAILED: RESPONSE_FAILED: @@ -718,11 +732,27 @@ else } } + /* If we haven't authenticated, but are required to, give up. */ + /* Try to AUTH */ + + else done = smtp_auth(responsebuffer, sizeof(responsebuffer), + addr, host, ob, esmtp, &inblock, &outblock) == OK && + + /* Copy AUTH info for logging */ + ( (addr->authenticator = client_authenticator), + (addr->auth_id = client_authenticated_id), + + /* Build a mail-AUTH string (re-using responsebuffer for convenience */ + !smtp_mail_auth_str(responsebuffer, sizeof(responsebuffer), addr, ob) + ) && + + ( (addr->auth_sndr = client_authenticated_sender), + /* Send the MAIL command */ + (smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>%s\r\n", + from_address, responsebuffer) >= 0) + ) && - else done = - smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n", - from_address) >= 0 && smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout); @@ -957,8 +987,9 @@ else } else { + /* Ensure no cutthrough on multiple address verifies */ if (options & vopt_callout_recipsender) - cancel_cutthrough_connection(); /* Ensure no cutthrough on multiple address verifies */ + cancel_cutthrough_connection("multiple verify calls"); if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n"); #ifdef SUPPORT_TLS @@ -1129,7 +1160,7 @@ cutthrough_puts(uschar * cp, int n) { if (cutthrough_fd < 0) return TRUE; if (_cutthrough_puts(cp, n)) return TRUE; -cancel_cutthrough_connection(); +cancel_cutthrough_connection("transmit failed"); return FALSE; } @@ -1151,7 +1182,7 @@ BOOL cutthrough_flush_send( void ) { if (_cutthrough_flush_send()) return TRUE; -cancel_cutthrough_connection(); +cancel_cutthrough_connection("transmit failed"); return FALSE; } @@ -1178,7 +1209,7 @@ inblock.ptrend = inbuffer; inblock.sock = cutthrough_fd; /* this relies on (inblock.sock == tls_out.active) */ if(!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), expect, CUTTHROUGH_DATA_TIMEOUT)) - cancel_cutthrough_connection(); + cancel_cutthrough_connection("target timeout on read"); if(copy != NULL) { @@ -1235,7 +1266,7 @@ return cutthrough_put_nl(); static void -close_cutthrough_connection( void ) +close_cutthrough_connection( const char * why ) { if(cutthrough_fd >= 0) { @@ -1254,15 +1285,15 @@ if(cutthrough_fd >= 0) #endif (void)close(cutthrough_fd); cutthrough_fd= -1; - HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown ------------\n"); + HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown (%s) ------------\n", why); } ctblock.ptr = ctbuffer; } void -cancel_cutthrough_connection( void ) +cancel_cutthrough_connection( const char * why ) { -close_cutthrough_connection(); +close_cutthrough_connection(why); cutthrough_delivery= FALSE; } @@ -1287,7 +1318,7 @@ switch(cutthrough_response('2', &cutthrough_addr.message)) { case '2': delivery_log(LOG_MAIN, &cutthrough_addr, (int)'>', NULL); - close_cutthrough_connection(); + close_cutthrough_connection("delivered"); break; case '4': @@ -1518,6 +1549,18 @@ addresses, such rewriting fails. */ if (address[0] == 0) return OK; +/* Flip the legacy TLS-related variables over to the outbound set in case +they're used in the context of a transport used by verification. Reset them +at exit from this routine. */ + +modify_variable(US"tls_bits", &tls_out.bits); +modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified); +modify_variable(US"tls_cipher", &tls_out.cipher); +modify_variable(US"tls_peerdn", &tls_out.peerdn); +#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) +modify_variable(US"tls_sni", &tls_out.sni); +#endif + /* Save a copy of the sender address for re-instating if we change it to <> while verifying a sender address (a nice bit of self-reference there). */ @@ -1710,6 +1753,9 @@ while (addr_new != NULL) } else { +#ifdef SUPPORT_TLS + deliver_set_expansions(addr); +#endif rc = do_callout(addr, host_list, &tf, callout, callout_overall, callout_connect, options, se_mailfrom, pm_mailfrom); } @@ -1761,10 +1807,14 @@ while (addr_new != NULL) } respond_printf(f, "%s\n", cr); } - cancel_cutthrough_connection(); + cancel_cutthrough_connection("routing hard fail"); - if (!full_info) return copy_error(vaddr, addr, FAIL); - else yield = FAIL; + if (!full_info) + { + yield = copy_error(vaddr, addr, FAIL); + goto out; + } + else yield = FAIL; } /* Soft failure */ @@ -1796,10 +1846,14 @@ while (addr_new != NULL) } respond_printf(f, "%s\n", cr); } - cancel_cutthrough_connection(); + cancel_cutthrough_connection("routing soft fail"); - if (!full_info) return copy_error(vaddr, addr, DEFER); - else if (yield == OK) yield = DEFER; + if (!full_info) + { + yield = copy_error(vaddr, addr, DEFER); + goto out; + } + else if (yield == OK) yield = DEFER; } /* If we are handling EXPN, we do not want to continue to route beyond @@ -1822,7 +1876,8 @@ while (addr_new != NULL) if (addr_new == NULL) ok_prefix = US"250 "; respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address); } - return OK; + yield = OK; + goto out; } /* Successful routing other than EXPN. */ @@ -1857,7 +1912,8 @@ while (addr_new != NULL) of $address_data to be that of the child */ vaddr->p.address_data = addr->p.address_data; - return OK; + yield = OK; + goto out; } } } /* Loop for generated addresses */ @@ -1874,7 +1930,7 @@ discarded, usually because of the use of :blackhole: in an alias file. */ if (allok && addr_local == NULL && addr_remote == NULL) { fprintf(f, "mail to %s is discarded\n", address); - return yield; + goto out; } for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++) @@ -1958,9 +2014,19 @@ for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++) } } -/* Will be DEFER or FAIL if any one address has, only for full_info (which is +/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is the -bv or -bt case). */ +out: + +modify_variable(US"tls_bits", &tls_in.bits); +modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified); +modify_variable(US"tls_cipher", &tls_in.cipher); +modify_variable(US"tls_peerdn", &tls_in.peerdn); +#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) +modify_variable(US"tls_sni", &tls_in.sni); +#endif + return yield; } @@ -2089,6 +2155,41 @@ return yield; } +/************************************************* +* Check header names for 8-bit characters * +*************************************************/ + +/* This function checks for invalid charcters in header names. See +RFC 5322, 2.2. and RFC 6532, 3. + +Arguments: + msgptr where to put an error message + +Returns: OK + FAIL +*/ + +int +verify_check_header_names_ascii(uschar **msgptr) +{ +header_line *h; +uschar *colon, *s; + +for (h = header_list; h != NULL; h = h->next) + { + colon = Ustrchr(h->text, ':'); + for(s = h->text; s < colon; s++) + { + if ((*s < 33) || (*s > 126)) + { + *msgptr = string_sprintf("Invalid character in header \"%.*s\" found", + colon - h->text, h->text); + return FAIL; + } + } + } +return OK; +} /************************************************* * Check for blind recipients *