in Local/Makefile.
It was built on specifications from:
-http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
+(&url(http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt)).
That URL was revised in May 2014 to version 2 spec:
-http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e
+(&url(http://git.1wt.eu/web?p=haproxy.git;a=commitdiff;h=afb768340c9d7e50d8e)).
The purpose of this facility is so that an application load balancer,
such as HAProxy, can sit in front of several Exim servers
PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections.
Patch provided by "Björn", documentation fix added too.
+JH/03 Bug 2003: fix Proxy Protocol v2 handling: the address size field was
+ missing a wire-to-host endian conversion.
+
Exim version 4.88
-----------------
if (ret == -1)
goto proxyfail;
-if (ret >= 16 &&
- memcmp(&hdr.v2, v2sig, 12) == 0)
+if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)
{
- uint8_t ver, cmd;
+ uint8_t ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
+ uint8_t cmd = (hdr.v2.ver_cmd & 0x0f);
/* May 2014: haproxy combined the version and command into one byte to
allow two full bytes for the length field in order to proxy SSL
connections. SSL Proxy is not supported in this version of Exim, but
must still seperate values here. */
- ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
- cmd = (hdr.v2.ver_cmd & 0x0f);
if (ver != 0x02)
{
}
DEBUG(D_receive) debug_printf("Detected PROXYv2 header\n");
/* The v2 header will always be 16 bytes per the spec. */
- size = 16 + hdr.v2.len;
+ size = 16 + ntohs(hdr.v2.len);
if (ret < size)
{
DEBUG(D_receive) debug_printf("Truncated or too large PROXYv2 header (%d/%d)\n",
case 0x11: /* TCPv4 address type */
iptype = US"IPv4";
tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
- inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
- if (!string_is_ip_address(US tmpip,NULL))
+ inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
+ if (!string_is_ip_address(US tmpip, NULL))
{
DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
goto proxyfail;
sender_host_port = tmpport;
/* Save dest ip/port */
tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
- inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
- if (!string_is_ip_address(US tmpip,NULL))
+ inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
+ if (!string_is_ip_address(US tmpip, NULL))
{
DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
goto proxyfail;
case 0x21: /* TCPv6 address type */
iptype = US"IPv6";
memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
- inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
- if (!string_is_ip_address(US tmpip6,NULL))
+ inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
+ if (!string_is_ip_address(US tmpip6, NULL))
{
DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
goto proxyfail;
sender_host_port = tmpport;
/* Save dest ip/port */
memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
- inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
- if (!string_is_ip_address(US tmpip6,NULL))
+ inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
+ if (!string_is_ip_address(US tmpip6, NULL))
{
DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
goto proxyfail;
goto proxyfail;
}
}
-else if (ret >= 8 &&
- memcmp(hdr.v1.line, "PROXY", 5) == 0)
+else if (ret >= 8 && memcmp(hdr.v1.line, "PROXY", 5) == 0)
{
uschar *p = string_copy(hdr.v1.line);
uschar *end = memchr(p, '\r', ret - 1);
goto proxyfail;
}
*sp = '\0';
- if(!string_is_ip_address(p,NULL))
+ if(!string_is_ip_address(p, NULL))
{
DEBUG(D_receive)
debug_printf("Proxied src arg is not an %s address\n", iptype);
goto proxyfail;
}
*sp = '\0';
- if(!string_is_ip_address(p,NULL))
+ if(!string_is_ip_address(p, NULL))
{
DEBUG(D_receive)
debug_printf("Proxy dest arg is not an %s address\n", iptype);
goto proxyfail;
}
*sp = '\0';
- tmp_port = strtol(CCS p,&endc,10);
+ tmp_port = strtol(CCS p, &endc, 10);
if (*endc || tmp_port == 0)
{
DEBUG(D_receive)
DEBUG(D_receive) debug_printf("Did not find proxy dest port\n");
goto proxyfail;
}
- tmp_port = strtol(CCS p,&endc,10);
+ tmp_port = strtol(CCS p, &endc, 10);
if (*endc || tmp_port == 0)
{
DEBUG(D_receive)
(2) If a line starts with three plus signs followed by a space, the rest of the
line specifies a number of seconds to sleep for before proceeding.
-(3) Otherwise, the line is an input line line that is sent to the server. Any
+(3) If a line begins with three '>' characters and a space, the rest of the
+ line is input to be sent to the server. Backslash escaping is done as
+ described below, but no trailing "\r\n" is sent.
+
+(4) Otherwise, the line is an input line line that is sent to the server. Any
occurrences of \r and \n in the line are turned into carriage return and
linefeed, respectively. This is used for testing PIPELINING.
+ Any sequences of \x followed by two hex digits are converted to the equvalent
+ byte value. Any other character following a \ is sent verbatim.
Here is a simple example:
--- /dev/null
+# Exim test configuration 4030
+# Proxy Protocol
+
+.include DIR/aux-var/std_conf_prefix
+
+primary_hostname = myhost.test.ex
+hosts_proxy = HOSTIPV4
+queue_only
+
+# ----- Main settings -----
+
+log_selector = +proxy +incoming_port
+
+acl_smtp_rcpt = r_acl
+
+
+begin acl
+
+r_acl:
+ accept
+ logwrite = proxy session: $proxy_session
+ logwrite = local [$received_ip_address]:$received_port
+ logwrite = proxy internal [$proxy_local_address]:$proxy_local_port
+ logwrite = proxy external [$proxy_external_address]:$proxy_external_port
+ logwrite = remote [$sender_host_address]:$sender_host_port
+
+
+# ----- Routers -----
+
+begin routers
+
+dump:
+ driver = redirect
+ data = :blackhole:
+
+# End
--- /dev/null
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 proxy session: no
+1999-03-02 09:44:33 local [127.0.0.1]:1111
+1999-03-02 09:44:33 proxy internal []:0
+1999-03-02 09:44:33 proxy external []:0
+1999-03-02 09:44:33 remote [127.0.0.1]:1112
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= a@test.ex H=(clientname) [127.0.0.1]:1112 P=smtp S=sss
+1999-03-02 09:44:33 no host name found for IP address 127.0.0.2
+1999-03-02 09:44:33 proxy session: yes
+1999-03-02 09:44:33 local [ip4.ip4.ip4.ip4]:1111
+1999-03-02 09:44:33 proxy internal [ip4.ip4.ip4.ip4]:1113
+1999-03-02 09:44:33 proxy external [127.42.42.42]:1114
+1999-03-02 09:44:33 remote [127.0.0.2]:1115
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= c@test.ex H=(clientname) [127.0.0.2]:1115 P=smtp PRX=ip4.ip4.ip4.ip4 S=sss
+1999-03-02 09:44:33 no host name found for IP address 192.168.0.15
+1999-03-02 09:44:33 proxy session: yes
+1999-03-02 09:44:33 local [ip4.ip4.ip4.ip4]:1111
+1999-03-02 09:44:33 proxy internal [ip4.ip4.ip4.ip4]:1116
+1999-03-02 09:44:33 proxy external [192.168.0.48]:1117
+1999-03-02 09:44:33 remote [192.168.0.15]:1118
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= e@test.ex H=(clientname) [192.168.0.15]:1118 P=smtp PRX=ip4.ip4.ip4.ip4 S=sss
--- /dev/null
+# proxy-protocol proxy on inbound smtp
+#
+munge loopback
+#
+exim -bd -DSERVER=server -oX PORT_D
+****
+#
+# non-prox plain receive
+client 127.0.0.1 PORT_D
+??? 220
+HELO clientname
+??? 250
+MAIL FROM:<a@test.ex>
+??? 250
+RCPT TO:<b@test.ex>
+??? 250
+DATA
+??? 354
+Subject: test
+
+body
+.
+??? 250
+QUIT
+??? 221
+****
+#
+# protocol v1 plain receive
+client HOSTIPV4 PORT_D
+PROXY TCP4 127.0.0.2 127.42.42.42 64000 25
+??? 220
+HELO clientname
+??? 250
+MAIL FROM:<c@test.ex>
+??? 250
+RCPT TO:<d@test.ex>
+??? 250
+DATA
+??? 354
+Subject: test
+
+body
+.
+??? 250
+QUIT
+??? 221
+****
+#
+#
+#
+# protocol v2 plain receive
+client HOSTIPV4 PORT_D
+>>> \x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x21\x11\x00\x0c\xc0\xa8\x00\x0f\xc0\xa8\x00\05\xc2\x95\x04\01
+??? 220
+HELO clientname
+??? 250
+MAIL FROM:<e@test.ex>
+??? 250
+RCPT TO:<f@test.ex>
+??? 250
+DATA
+??? 354
+Subject: test
+
+body
+.
+??? 250
+QUIT
+??? 221
+****
+#
+#
+#
+killdaemon
+no_msglog_check
--- /dev/null
+support PROXY
/****************************************************************************/
+/* Turn "\n" and "\r" into the relevant characters. This is a hack. */
+
+static int
+unescape_buf(unsigned char * buf, int len)
+{
+unsigned char * s;
+unsigned char c, t;
+unsigned shift;
+
+for (s = buf; s < buf+len; s++) if (*s == '\\')
+ {
+ switch (s[1])
+ {
+ default: c = s[1]; shift = 1; break;
+ case 'n': c = '\n'; shift = 1; break;
+ case 'r': c = '\r'; shift = 1; break;
+ case 'x':
+ t = s[2];
+ if (t >= 'A' && t <= 'F') t -= 'A'-'9'-1;
+ else if (t >= 'a' && t <= 'f') t -= 'a'-'9'-1;
+ t -= '0';
+ c = (t<<4) & 0xf0;
+ t = s[3];
+ if (t >= 'A' && t <= 'F') t -= 'A'-'9'-1;
+ else if (t >= 'a' && t <= 'f') t -= 'a'-'9'-1;
+ t -= '0';
+ c |= t & 0xf;
+ shift = 3;
+ break;
+ }
+ *s = c;
+ memmove(s+1, s+shift+1, len-shift);
+ len -= shift;
+ }
+return len;
+}
+
+
/****************************************************************************/
[<key file>]\n\
\n";
-int main(int argc, char **argv)
+int
+main(int argc, char **argv)
{
struct sockaddr *s_ptr;
struct sockaddr_in s_in4;
while (fgets(CS outbuffer, sizeof(outbuffer), stdin) != NULL)
{
int n = (int)strlen(CS outbuffer);
+ int crlf = 1;
/* Strip trailing newline */
if (outbuffer[n-1] == '\n') outbuffer[--n] = 0;
unsigned exp_eof = outbuffer[3] == '*';
printf("%s\n", outbuffer);
+ n = unescape_buf(outbuffer, n);
if (*inptr == 0) /* Refill input buffer */
{
}
printf("<<< %s\n", lineptr);
- if (strncmp(CS lineptr, CS outbuffer + 4, (int)strlen(CS outbuffer) - 4) != 0)
+ if (strncmp(CS lineptr, CS outbuffer + 4, n - 4) != 0)
{
printf("\n******** Input mismatch ********\n");
exit(79);
else
{
- unsigned char *escape;
+ unsigned char * out = outbuffer;
+
+ if (strncmp(CS outbuffer, ">>> ", 4) == 0)
+ {
+ crlf = 0;
+ out += 4;
+ n -= 4;
+ }
if (*inptr != 0)
{
printf("Unconsumed input: %s", inptr);
- printf(" About to send: %s\n", outbuffer);
+ printf(" About to send: %s\n", out);
exit(78);
}
/* Shutdown TLS */
- if (strcmp(CS outbuffer, "stoptls") == 0 ||
- strcmp(CS outbuffer, "STOPTLS") == 0)
+ if (strcmp(CS out, "stoptls") == 0 ||
+ strcmp(CS out, "STOPTLS") == 0)
{
if (!tls_active)
{
/* Remember that we sent STARTTLS */
- sent_starttls = (strcmp(CS outbuffer, "starttls") == 0 ||
- strcmp(CS outbuffer, "STARTTLS") == 0);
+ sent_starttls = (strcmp(CS out, "starttls") == 0 ||
+ strcmp(CS out, "STARTTLS") == 0);
/* Fudge: if the command is "starttls_wait", we send the starttls bit,
but we haven't set the flag, so that there is no negotiation. This is for
testing the server's timeout. */
- if (strcmp(CS outbuffer, "starttls_wait") == 0)
+ if (strcmp(CS out, "starttls_wait") == 0)
{
- outbuffer[8] = 0;
+ out[8] = 0;
n = 8;
}
#endif
- printf(">>> %s\n", outbuffer);
- strcpy(CS outbuffer + n, "\r\n");
-
- /* Turn "\n" and "\r" into the relevant characters. This is a hack. */
-
- while ((escape = US strstr(CS outbuffer, "\\r")) != NULL)
+ printf(">>> %s\n", out);
+ if (crlf)
{
- *escape = '\r';
- memmove(escape + 1, escape + 2, (n + 2) - (escape - outbuffer) - 2);
- n--;
+ strcpy(CS out + n, "\r\n");
+ n += 2;
}
- while ((escape = US strstr(CS outbuffer, "\\n")) != NULL)
- {
- *escape = '\n';
- memmove(escape + 1, escape + 2, (n + 2) - (escape - outbuffer) - 2);
- n--;
- }
+ n = unescape_buf(out, n);
/* OK, do it */
if (tls_active)
{
#ifdef HAVE_OPENSSL
- rc = SSL_write (ssl, outbuffer, n + 2);
+ rc = SSL_write (ssl, out, n);
#endif
#ifdef HAVE_GNUTLS
- rc = gnutls_record_send(tls_session, CS outbuffer, n + 2);
- if (rc < 0)
+ if ((rc = gnutls_record_send(tls_session, CS out, n)) < 0)
{
printf("GnuTLS write error: %s\n", gnutls_strerror(rc));
exit(76);
#endif
}
else
- {
- rc = write(sock, outbuffer, n + 2);
- }
+ rc = write(sock, out, n);
alarm(0);
if (rc < 0)
--- /dev/null
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> HELO clientname
+??? 250
+<<< 250 myhost.test.ex Hello clientname [IP_LOOPBACK_ADDR]
+>>> MAIL FROM:<a@test.ex>
+??? 250
+<<< 250 OK
+>>> RCPT TO:<b@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 354
+<<< 354 Enter message, ending with "." on a line by itself
+>>> Subject: test
+>>>
+>>> body
+>>> .
+??? 250
+<<< 250 OK id=10HmaX-0005vi-00
+>>> QUIT
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+>>> PROXY TCP4 127.0.0.2 127.42.42.42 64000 25
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> HELO clientname
+??? 250
+<<< 250 myhost.test.ex Hello clientname [127.0.0.2]
+>>> MAIL FROM:<c@test.ex>
+??? 250
+<<< 250 OK
+>>> RCPT TO:<d@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 354
+<<< 354 Enter message, ending with "." on a line by itself
+>>> Subject: test
+>>>
+>>> body
+>>> .
+??? 250
+<<< 250 OK id=10HmaY-0005vi-00
+>>> QUIT
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+>>> \x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x21\x11\x00\x0c\xc0\xa8\x00\x0f\xc0\xa8\x00\05\xc2\x95\x04\01
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> HELO clientname
+??? 250
+<<< 250 myhost.test.ex Hello clientname [192.168.0.15]
+>>> MAIL FROM:<e@test.ex>
+??? 250
+<<< 250 OK
+>>> RCPT TO:<f@test.ex>
+??? 250
+<<< 250 Accepted
+>>> DATA
+??? 354
+<<< 354 Enter message, ending with "." on a line by itself
+>>> Subject: test
+>>>
+>>> body
+>>> .
+??? 250
+<<< 250 OK id=10HmaZ-0005vi-00
+>>> QUIT
+??? 221
+<<< 221 myhost.test.ex closing connection
+End of script
git://git.exim.org / exim.git / commitdiff