X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d341f2a27e689098e23c4eae2f78b59d053d5060..74f1a42304ce056cf979d22fb970faae161e3ab2:/src/src/smtp_in.c diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 33d6d3cc8..0afb97ca6 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -340,7 +340,7 @@ fd_set fds; struct timeval tzero; #ifdef SUPPORT_TLS -if (tls_in.active >= 0) +if (tls_in.active.sock >= 0) return !tls_could_read(); #endif @@ -424,6 +424,53 @@ log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS, +void +smtp_command_timeout_exit(void) +{ +log_write(L_lost_incoming_connection, + LOG_MAIN, "SMTP command timeout on%s connection from %s", + tls_in.active.sock >= 0 ? " TLS" : "", host_and_ident(FALSE)); +if (smtp_batched_input) + moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */ +smtp_notquit_exit(US"command-timeout", US"421", + US"%s: SMTP command timeout - closing connection", + smtp_active_hostname); +exim_exit(EXIT_FAILURE, US"receiving"); +} + +void +smtp_command_sigterm_exit(void) +{ +log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info()); +if (smtp_batched_input) + moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */ +smtp_notquit_exit(US"signal-exit", US"421", + US"%s: Service not available - closing connection", smtp_active_hostname); +exim_exit(EXIT_FAILURE, US"receiving"); +} + +void +smtp_data_timeout_exit(void) +{ +log_write(L_lost_incoming_connection, + LOG_MAIN, "SMTP data timeout (message abandoned) on connection from %s F=<%s>", + sender_fullhost ? sender_fullhost : US"local process", sender_address); +receive_bomb_out(US"data-timeout", US"SMTP incoming data timeout"); +/* Does not return */ +} + +void +smtp_data_sigint_exit(void) +{ +log_write(0, LOG_MAIN, "%s closed after %s", + smtp_get_connection_info(), had_data_sigint == SIGTERM ? "SIGTERM":"SIGINT"); +receive_bomb_out(US"signal-exit", + US"Service not available - SIGTERM or SIGINT received"); +/* Does not return */ +} + + + /* Refill the buffer, and notify DKIM verification code. Return false for error or EOF. */ @@ -441,18 +488,28 @@ Take care to not touch the safety NUL at the end of the buffer. */ rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE-1, lim)); save_errno = errno; -alarm(0); +if (smtp_receive_timeout > 0) alarm(0); if (rc <= 0) { /* Must put the error text in fixed store, because this might be during header reading, where it releases unused store above the header. */ if (rc < 0) { + if (had_command_timeout) /* set by signal handler */ + smtp_command_timeout_exit(); /* does not return */ + if (had_command_sigterm) + smtp_command_sigterm_exit(); + if (had_data_timeout) + smtp_data_timeout_exit(); + if (had_data_sigint) + smtp_data_sigint_exit(); + smtp_had_error = save_errno; smtp_read_error = string_copy_malloc( string_sprintf(" (error: %s)", strerror(save_errno))); } - else smtp_had_eof = 1; + else + smtp_had_eof = 1; return FALSE; } #ifndef DISABLE_DKIM @@ -538,7 +595,7 @@ uschar * log_msg; for(;;) { #ifndef DISABLE_DKIM - BOOL dkim_save; + unsigned dkim_save; #endif if (chunking_data_left > 0) @@ -549,7 +606,7 @@ for(;;) receive_ungetc = lwr_receive_ungetc; #ifndef DISABLE_DKIM dkim_save = dkim_collect_input; - dkim_collect_input = FALSE; + dkim_collect_input = 0; #endif /* Unless PIPELINING was offered, there should be no next command @@ -865,9 +922,9 @@ if (rcpt_in_progress) /* Now write the string */ #ifdef SUPPORT_TLS -if (tls_in.active >= 0) +if (tls_in.active.sock >= 0) { - if (tls_write(TRUE, big_buffer, Ustrlen(big_buffer), more) < 0) + if (tls_write(NULL, big_buffer, Ustrlen(big_buffer), more) < 0) smtp_write_error = -1; } else @@ -894,7 +951,7 @@ Returns: 0 for no error; -1 after an error int smtp_fflush(void) { -if (tls_in.active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1; +if (tls_in.active.sock < 0 && fflush(smtp_out) != 0) smtp_write_error = -1; return smtp_write_error; } @@ -914,16 +971,7 @@ Returns: nothing static void command_timeout_handler(int sig) { -sig = sig; /* Keep picky compilers happy */ -log_write(L_lost_incoming_connection, - LOG_MAIN, "SMTP command timeout on%s connection from %s", - (tls_in.active >= 0)? " TLS" : "", - host_and_ident(FALSE)); -if (smtp_batched_input) - moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */ -smtp_notquit_exit(US"command-timeout", US"421", - US"%s: SMTP command timeout - closing connection", smtp_active_hostname); -exim_exit(EXIT_FAILURE, US"receiving"); +had_command_timeout = sig; } @@ -941,13 +989,7 @@ Returns: nothing static void command_sigterm_handler(int sig) { -sig = sig; /* Keep picky compilers happy */ -log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info()); -if (smtp_batched_input) - moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */ -smtp_notquit_exit(US"signal-exit", US"421", - US"%s: Service not available - closing connection", smtp_active_hostname); -exim_exit(EXIT_FAILURE, US"receiving"); +had_command_sigterm = sig; } @@ -1507,6 +1549,7 @@ int ptr = 0; smtp_cmd_list *p; BOOL hadnull = FALSE; +had_command_timeout = 0; os_non_restarting_signal(SIGALRM, command_timeout_handler); while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF) @@ -1994,32 +2037,34 @@ bmi_run = 0; bmi_verdicts = NULL; #endif dnslist_domain = dnslist_matched = NULL; +#ifdef SUPPORT_SPF +spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL; +spf_result_guessed = FALSE; +#endif #ifndef DISABLE_DKIM dkim_cur_signer = dkim_signers = -dkim_signing_domain = dkim_signing_selector = NULL; +dkim_signing_domain = dkim_signing_selector = dkim_signatures = NULL; dkim_cur_signer = dkim_signers = dkim_signing_domain = dkim_signing_selector = NULL; -dkim_disable_verify = dkim_collect_input = FALSE; +dkim_disable_verify = FALSE; +dkim_collect_input = 0; dkim_verify_overall = dkim_verify_status = dkim_verify_reason = NULL; dkim_key_length = 0; dkim_verify_signers = US"$dkim_signers"; #endif -dsn_ret = 0; -dsn_envid = NULL; -deliver_host = deliver_host_address = NULL; /* Can be set by ACL */ -#ifndef DISABLE_PRDR -prdr_requested = FALSE; -#endif -#ifdef SUPPORT_SPF -spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL; -spf_result_guessed = FALSE; -#endif #ifdef EXPERIMENTAL_DMARC dmarc_has_been_checked = dmarc_disable_verify = dmarc_enable_forensic = FALSE; -dmarc_domain_policy = dmarc_status = dmarc_status_text = dmarc_used_domain = NULL; +dmarc_domain_policy = dmarc_status = dmarc_status_text = +dmarc_used_domain = NULL; #endif #ifdef EXPERIMENTAL_ARC arc_state = arc_state_reason = NULL; #endif +dsn_ret = 0; +dsn_envid = NULL; +deliver_host = deliver_host_address = NULL; /* Can be set by ACL */ +#ifndef DISABLE_PRDR +prdr_requested = FALSE; +#endif #ifdef SUPPORT_I18N message_smtputf8 = FALSE; #endif @@ -3641,7 +3686,7 @@ switch(rc) received_protocol = (sender_host_address ? protocols : protocols_local) - [pextend + pauthed + (tls_in.active >= 0 ? pcrpted:0)]; + [pextend + pauthed + (tls_in.active.sock >= 0 ? pcrpted:0)]; *s = *ss = US"235 Authentication succeeded"; authenticated_by = au; break; @@ -3735,7 +3780,7 @@ else smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname); #ifdef SUPPORT_TLS -tls_close(TRUE, TLS_SHUTDOWN_NOWAIT); +tls_close(NULL, TLS_SHUTDOWN_NOWAIT); #endif log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT", @@ -3811,6 +3856,7 @@ cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE; /* Set the local signal handler for SIGTERM - it tries to end off tidily */ +had_command_sigterm = 0; os_non_restarting_signal(SIGTERM, command_sigterm_handler); /* Batched SMTP is handled in a different function. */ @@ -3845,7 +3891,7 @@ while (done <= 0) #ifdef AUTH_TLS /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */ - if ( tls_in.active >= 0 + if ( tls_in.active.sock >= 0 && tls_in.peercert && tls_in.certificate_verified && cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd @@ -4062,7 +4108,7 @@ while (done <= 0) host_build_sender_fullhost(); /* Rebuild */ set_process_info("handling%s incoming connection from %s", - (tls_in.active >= 0)? " TLS" : "", host_and_ident(FALSE)); + (tls_in.active.sock >= 0)? " TLS" : "", host_and_ident(FALSE)); /* Verify if configured. This doesn't give much security, but it does make some people happy to be able to do it. If helo_required is set, @@ -4318,7 +4364,7 @@ while (done <= 0) secure connection. */ #ifdef SUPPORT_TLS - if (tls_in.active < 0 && + if (tls_in.active.sock < 0 && verify_check_host(&tls_advertise_hosts) != FAIL) { g = string_catn(g, smtp_code, 3); @@ -4356,7 +4402,7 @@ while (done <= 0) has been seen. */ #ifdef SUPPORT_TLS - if (tls_in.active >= 0) (void)tls_write(TRUE, g->s, g->ptr, FALSE); else + if (tls_in.active.sock >= 0) (void)tls_write(NULL, g->s, g->ptr, FALSE); else #endif { @@ -4379,7 +4425,7 @@ while (done <= 0) [ (esmtp ? pextend + (sender_host_authenticated ? pauthed : 0) : pnormal) - + (tls_in.active >= 0 ? pcrpted : 0) + + (tls_in.active.sock >= 0 ? pcrpted : 0) ]; cancel_cutthrough_connection(TRUE, US"sent EHLO response"); smtp_reset(reset_point); @@ -5167,7 +5213,7 @@ while (done <= 0) ACL may have delayed. To handle cutthrough delivery enforce a dummy call to get the DATA command sent. */ - if (acl_smtp_predata == NULL && cutthrough.fd < 0) + if (acl_smtp_predata == NULL && cutthrough.cctx.sock < 0) rc = OK; else { @@ -5321,7 +5367,7 @@ while (done <= 0) { DEBUG(D_any) debug_printf("Non-empty input buffer after STARTTLS; naive attack?\n"); - if (tls_in.active < 0) + if (tls_in.active.sock < 0) smtp_inend = smtp_inptr = smtp_inbuffer; /* and if TLS is already active, tls_server_start() should fail */ } @@ -5364,7 +5410,7 @@ while (done <= 0) [ (esmtp ? pextend + (sender_host_authenticated ? pauthed : 0) : pnormal) - + (tls_in.active >= 0 ? pcrpted : 0) + + (tls_in.active.sock >= 0 ? pcrpted : 0) ]; sender_host_auth_pubname = sender_host_authenticated = NULL; @@ -5424,7 +5470,7 @@ while (done <= 0) smtp_printf("554 Security failure\r\n", FALSE); break; } - tls_close(TRUE, TLS_SHUTDOWN_NOWAIT); + tls_close(NULL, TLS_SHUTDOWN_NOWAIT); break; #endif @@ -5466,7 +5512,7 @@ while (done <= 0) buffer[0] = 0; Ustrcat(buffer, " AUTH"); #ifdef SUPPORT_TLS - if (tls_in.active < 0 && + if (tls_in.active.sock < 0 && verify_check_host(&tls_advertise_hosts) != FAIL) Ustrcat(buffer, " STARTTLS"); #endif