X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/c0635b6dfe65ee24c2fb8d165beabc608d2fd1a5..2bc0f45ec0637be57e5d87b576a72cac71ccaf81:/src/src/transports/smtp.c

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 38660f797..6d7085881 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -24,6 +24,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, address_retry_include_sender) },
   { "allow_localhost",      opt_bool,
       (void *)offsetof(smtp_transport_options_block, allow_localhost) },
+#ifdef EXPERIMENTAL_ARC
+  { "arc_sign", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, arc_sign) },
+#endif
   { "authenticated_sender", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, authenticated_sender) },
   { "authenticated_sender_force", opt_bool,
@@ -34,6 +38,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, connect_timeout) },
   { "connection_max_messages", opt_int | opt_public,
       (void *)offsetof(transport_instance, connection_max_messages) },
+# ifdef SUPPORT_DANE
+  { "dane_require_tls_ciphers", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, dane_require_tls_ciphers) },
+# endif
   { "data_timeout",         opt_time,
       (void *)offsetof(smtp_transport_options_block, data_timeout) },
   { "delay_after_cutoff", opt_bool,
@@ -55,6 +63,8 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, dkim.dkim_sign_headers) },
   { "dkim_strict", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, dkim.dkim_strict) },
+  { "dkim_timestamps", opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, dkim.dkim_timestamps) },
 #endif
   { "dns_qualify_single",   opt_bool,
       (void *)offsetof(smtp_transport_options_block, dns_qualify_single) },
@@ -209,7 +219,6 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .fallback_hosts =		NULL,
   .hostlist =			NULL,
   .fallback_hostlist =		NULL,
-  .authenticated_sender =	NULL,
   .helo_data =			US"$primary_hostname",
   .interface =			NULL,
   .port =			NULL,
@@ -222,6 +231,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 #ifdef SUPPORT_DANE
   .hosts_try_dane =		NULL,
   .hosts_require_dane =		NULL,
+  .dane_require_tls_ciphers =	NULL,
 #endif
   .hosts_try_fastopen =		NULL,
 #ifndef DISABLE_PRDR
@@ -287,7 +297,16 @@ smtp_transport_options_block smtp_transport_option_defaults = {
     .dkim_sign_headers =	NULL,
     .dkim_strict =		NULL,
     .dkim_hash =		US"sha256",
-    .dot_stuffed =		FALSE},
+    .dkim_timestamps =		NULL,
+    .dot_stuffed =		FALSE,
+    .force_bodyhash =		FALSE,
+# ifdef EXPERIMENTAL_ARC
+    .arc_signspec =		NULL,
+# endif
+    },
+# ifdef EXPERIMENTAL_ARC
+  .arc_sign =			NULL,
+# endif
 #endif
 };
 
@@ -1607,6 +1626,9 @@ if (!continue_hostname)
 				  string_sprintf("DANE error: tlsa lookup %s",
 				    rc == DEFER ? "DEFER" : "FAIL"),
 				  rc, FALSE);
+				(void) event_raise(sx->tblock->event_action,
+				  US"dane:fail", sx->dane_required
+				    ?  US"dane-required" : US"dnssec-invalid");
 				return rc;
 	  }
       }
@@ -1615,6 +1637,8 @@ if (!continue_hostname)
       set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
 	string_sprintf("DANE error: %s lookup not DNSSEC", sx->host->name),
 	FAIL, FALSE);
+      (void) event_raise(sx->tblock->event_action,
+	US"dane:fail", US"dane-required");
       return FAIL;
       }
     }
@@ -1948,9 +1972,14 @@ if (  smtp_peer_options & OPTION_TLS
     if (rc != OK)
       {
 # ifdef SUPPORT_DANE
-      if (sx->dane) log_write(0, LOG_MAIN,
+      if (sx->dane)
+        {
+	log_write(0, LOG_MAIN,
 	  "DANE attempt failed; TLS connection to %s [%s]: %s",
 	  sx->host->name, sx->host->address, errstr);
+	(void) event_raise(sx->tblock->event_action,
+	  US"dane:fail", US"validation-failure");	/* could do with better detail */
+	}
 # endif
 
       errno = ERRNO_TLSFAILURE;
@@ -2044,6 +2073,13 @@ else if (  sx->smtps
   message = string_sprintf("a TLS session is required, but %s",
     smtp_peer_options & OPTION_TLS
     ? "an attempt to start TLS failed" : "the server did not offer TLS support");
+# ifdef SUPPORT_DANE
+  if (sx->dane)
+    (void) event_raise(sx->tblock->event_action, US"dane:fail",
+      smtp_peer_options & OPTION_TLS
+      ? US"validation-failure"		/* could do with better detail */
+      : US"starttls-not-supported");
+# endif
   goto TLS_FAILED;
   }
 #endif	/*SUPPORT_TLS*/
@@ -2234,7 +2270,7 @@ if (sx->send_quit)
   (void)smtp_write_command(&sx->outblock, SCMD_FLUSH, "QUIT\r\n");
 
 #ifdef SUPPORT_TLS
-tls_close(FALSE, TRUE);
+tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
 #endif
 
 /* Close the socket, and return the appropriate value, first setting
@@ -2668,7 +2704,7 @@ for (fd_bits = 3; fd_bits; )
     if ((rc = read(pfd[0], buf, bsize)) <= 0)
       {
       fd_bits = 0;
-      tls_close(FALSE, TRUE);
+      tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
       }
     else
       {
@@ -2965,6 +3001,30 @@ else
   transport_count = 0;
 
 #ifndef DISABLE_DKIM
+  dkim_exim_sign_init();
+# ifdef EXPERIMENTAL_ARC
+    {
+    uschar * s = sx.ob->arc_sign;
+    if (s)
+      {
+      if (!(sx.ob->dkim.arc_signspec = s = expand_string(s)))
+	{
+	if (!expand_string_forcedfail)
+	  {
+	  message = US"failed to expand arc_sign";
+	  sx.ok = FALSE;
+	  goto SEND_FAILED;
+	  }
+	}
+      else if (*s)
+	{
+	/* Ask dkim code to hash the body for ARC */
+	(void) arc_ams_setup_sign_bodyhash();
+	sx.ob->dkim.force_bodyhash = TRUE;
+	}
+      }
+    }
+# endif
   sx.ok = dkim_transport_write_message(&tctx, &sx.ob->dkim, CUSS &message);
 #else
   sx.ok = transport_write_message(&tctx, 0);
@@ -3178,8 +3238,11 @@ else
 #ifndef DISABLE_PRDR
       if (sx.prdr_active)
         {
+	const uschar * overall_message;
+
 	/* PRDR - get the final, overall response.  For any non-success
 	upgrade all the address statuses. */
+
         sx.ok = smtp_read_response(&sx.inblock, sx.buffer, sizeof(sx.buffer), '2',
           sx.ob->final_timeout);
         if (!sx.ok)
@@ -3195,7 +3258,14 @@ else
 	  goto RESPONSE_FAILED;
 	  }
 
-	/* Update the journal, or setup retry. */
+	/* Append the overall response to the individual PRDR response for logging
+	and update the journal, or setup retry. */
+
+	overall_message = string_printing(sx.buffer);
+        for (addr = addrlist; addr != sx.first_addr; addr = addr->next)
+	  if (addr->transport_return == OK)
+	    addr->message = string_sprintf("%s\\n%s", addr->message, overall_message);
+
         for (addr = addrlist; addr != sx.first_addr; addr = addr->next)
 	  if (addr->transport_return == OK)
 	    {
@@ -3458,7 +3528,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
 	  a new EHLO. If we don't get a good response, we don't attempt to pass
 	  the socket on. */
 
-	  tls_close(FALSE, TRUE);
+	  tls_close(FALSE, TLS_SHUTDOWN_WAIT);
 	  smtp_peer_options = smtp_peer_options_wrap;
 	  sx.ok = !sx.smtps
 	    && smtp_write_command(&sx.outblock, SCMD_FLUSH,
@@ -3523,7 +3593,7 @@ propagate it from the initial
 	    close(pfd[0]);
 	    /* tidy the inter-proc to disconn the proxy proc */
 	    waitpid(pid, NULL, 0);
-	    tls_close(FALSE, FALSE);
+	    tls_close(FALSE, TLS_NO_SHUTDOWN);
 	    (void)close(sx.inblock.sock);
 	    continue_transport = NULL;
 	    continue_hostname = NULL;
@@ -3569,7 +3639,7 @@ if (sx.send_quit) (void)smtp_write_command(&sx.outblock, SCMD_FLUSH, "QUIT\r\n")
 END_OFF:
 
 #ifdef SUPPORT_TLS
-tls_close(FALSE, TRUE);
+tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
 #endif
 
 /* Close the socket, and return the appropriate value, first setting
@@ -4541,7 +4611,7 @@ retry_non_continued:
     if (tls_out.active == fd)
       {
       (void) tls_write(FALSE, US"QUIT\r\n", 6, FALSE);
-      tls_close(FALSE, TRUE);
+      tls_close(FALSE, TLS_SHUTDOWN_NOWAIT);
       }
     else
 #else