*~
*.bak
.*.swp
+0*.patch
+*.orig
+*.rej
. the <bookinfo> element must also be updated for each new edition.
. /////////////////////////////////////////////////////////////////////////////
-.set previousversion "4.75"
+.set previousversion "4.80"
.set version "4.80"
.set ACL "access control lists (ACLs)"
overridden if necessary.
-.new
.section "PCRE library" "SECTpcre"
.cindex "PCRE library"
Exim no longer has an embedded PCRE library as the vast majority of
PCRE support then you will need to obtain and build the current PCRE
from &url(ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/).
More information on PCRE is available at &url(http://www.pcre.org/).
-.wen
.section "DBM libraries" "SECTdb"
.cindex "DBM libraries" "discussion of"
TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
TLS_INCLUDE=-I/usr/local/openssl/include/
.endd
-.new
.cindex "pkg-config" "OpenSSL"
If you have &'pkg-config'& available, then instead you can just use:
.code
SUPPORT_TLS=yes
USE_OPENSSL_PC=openssl
.endd
-.wen
.cindex "USE_GNUTLS"
If GnuTLS is installed, you should set
.code
TLS_LIBS=-L/usr/gnu/lib -lgnutls -ltasn1 -lgcrypt
TLS_INCLUDE=-I/usr/gnu/include
.endd
-.new
.cindex "pkg-config" "GnuTLS"
If you have &'pkg-config'& available, then instead you can just use:
.code
USE_GNUTLS=yes
USE_GNUTLS_PC=gnutls
.endd
-.wen
You do not need to set TLS_INCLUDE if the relevant directory is already
specified in INCLUDE. Details of how to configure Exim to make use of TLS are
binary, attempts to configure Exim to use it cause run time configuration
errors.
-.new
.cindex "pkg-config" "lookups"
.cindex "pkg-config" "authenticators"
Many systems now use a tool called &'pkg-config'& to encapsulate information
AUTH_HEIMDAL_GSSAPI=yes
AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
.endd
-.wen
.cindex "Perl" "including support for"
Exim can be linked with an embedded Perl interpreter, allowing Perl
This option is an alias for &%-bV%& and causes version information to be
displayed.
+.new
+.vitem &%-Ac%& &&&
+ &%-Am%&
+.oindex "&%-Ac%&"
+.oindex "&%-Am%&"
+These options are used by Sendmail for selecting configuration files and are
+ignored by Exim.
+.wen
+
.vitem &%-B%&<&'type'&>
.oindex "&%-B%&"
.cindex "8-bit characters"
if this is required. If the &%bi_command%& option is not set, calling Exim with
&%-bi%& is a no-op.
+.new
+. // Keep :help first, then the rest in alphabetical order
+.vitem &%-bI:help%&
+.oindex "&%-bI:help%&"
+.cindex "querying exim information"
+We shall provide various options starting &`-bI:`& for querying Exim for
+information. The output of many of these will be intended for machine
+consumption. This one is not. The &%-bI:help%& option asks Exim for a
+synopsis of supported options beginning &`-bI:`&. Use of any of these
+options shall cause Exim to exit after producing the requested output.
+
+.vitem &%-bI:dscp%&
+.oindex "&%-bI:dscp%&"
+.cindex "DSCP" "values"
+This option causes Exim to emit an alphabetically sorted list of all
+recognised DSCP names.
+
+.vitem &%-bI:sieve%&
+.oindex "&%-bI:sieve%&"
+.cindex "Sieve filter" "capabilities"
+This option causes Exim to emit an alphabetically sorted list of all supported
+Sieve protocol extensions on stdout, one per line. This is anticipated to be
+useful for ManageSieve (RFC 5804) implementations, in providing that protocol's
+&`SIEVE`& capability response line. As the precise list may depend upon
+compile-time build options, which this option will adapt to, this is the only
+way to guarantee a correct response.
+.wen
+
.vitem &%-bm%&
.oindex "&%-bm%&"
.cindex "local message reception"
If a list of configuration files was supplied, the value that is output here
is the name of the file that was actually used.
+.new
+.cindex "options" "hiding name of"
+If the &%-n%& flag is given, then for most modes of &%-bP%& operation the
+name will not be output.
+.wen
+
.cindex "daemon" "process id (pid)"
.cindex "pid (process id)" "of daemon"
If &%log_file_path%& or &%pid_file_path%& are given, the names of the
.vitem &%-G%&
.oindex "&%-G%&"
-.cindex "Sendmail compatibility" "&%-G%& option ignored"
-This is a Sendmail option which is ignored by Exim.
+.cindex "submission fixups, suppressing (command-line)"
+.new
+This option is equivalent to an ACL applying:
+.code
+control = suppress_local_fixups
+.endd
+for every message received. Note that Sendmail will complain about such
+bad formatting, where Exim silently just does not fix it up. This may change
+in future.
+
+As this affects audit information, the caller must be a trusted user to use
+this option.
+.wen
.vitem &%-h%&&~<&'number'&>
.oindex "&%-h%&"
no documentation for this option in Solaris 2.4 Sendmail, but the &'mailx'&
command in Solaris 2.4 uses it. See also &%-ti%&.
+.new
+.vitem &%-L%&&~<&'tag'&>
+.oindex "&%-L%&"
+.cindex "syslog" "process name; set with flag"
+This option is equivalent to setting &%syslog_processname%& in the config
+file and setting &%log_file_path%& to &`syslog`&.
+Its use is restricted to administrators. The configuration file has to be
+read and parsed, to determine access rights, before this is set and takes
+effect, so early configuration file errors will not honour this flag.
+
+The tag should not be longer than 32 characters.
+.wen
+
.vitem &%-M%&&~<&'message&~id'&>&~<&'message&~id'&>&~...
.oindex "&%-M%&"
.cindex "forcing delivery"
.vitem &%-n%&
.oindex "&%-n%&"
-.cindex "Sendmail compatibility" "&%-n%& option ignored"
-This option is interpreted by Sendmail to mean &"no aliasing"&. It is ignored
-by Exim.
+This option is interpreted by Sendmail to mean &"no aliasing"&.
+For normal modes of operation, it is ignored by Exim.
+When combined with &%-bP%& it suppresses the name of an option from being output.
.vitem &%-O%&&~<&'data'&>
.oindex "&%-O%&"
National Language Support extended characters in the body of the mail item"&).
It sets &%-x%& when calling the MTA from its &%mail%& command. Exim ignores
this option.
+
+.new
+.vitem &%-X%&&~<&'logfile'&>
+.oindex "&%-X%&"
+This option is interpreted by Sendmail to cause debug information to be sent
+to the named file. It is ignored by Exim.
+.wen
.endlist
.ecindex IIDclo1
# server_set_id = $auth2
# server_prompts = :
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
.endd
And the example LOGIN authenticator looks like this:
.code
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
.endd
The &%server_set_id%& option makes Exim remember the authenticated username
the DB_UNKNOWN option. This enables it to handle any of the types of database
that the library supports, and can be useful for accessing DBM files created by
other applications. (For earlier DB versions, DB_HASH is always used.)
-.new
.next
.cindex "lookup" "dbmjz"
.cindex "lookup" "dbm &-- embedded NULs"
authenticate incoming SMTP calls using the passwords from Cyrus SASL's
&_/etc/sasldb2_& file with the &(gsasl)& authenticator or Exim's own
&(cram_md5)& authenticator.
-.wen
.next
.cindex "lookup" "dbmnz"
.cindex "lookup" "dbm &-- terminating zero"
&`fail`& keyword causes a &'forced expansion failure'& &-- see section
&<<SECTforexpfai>>& for an explanation of what this means.
-.new
The supported DNS record types are A, CNAME, MX, NS, PTR, SPF, SRV, and TXT,
and, when Exim is compiled with IPv6 support, AAAA (and A6 if that is also
configured). If no type is given, TXT is assumed. When the type is PTR,
the data can be an IP address, written as normal; inversion and the addition of
&%in-addr.arpa%& or &%ip6.arpa%& happens automatically. For example:
-.wen
.code
${lookup dnsdb{ptr=192.168.4.5}{$value}fail}
.endd
.cindex "TXT record" "in &(dnsdb)& lookup"
.cindex "SPF record" "in &(dnsdb)& lookup"
-.new
For TXT records with multiple items of data, only the first item is returned,
unless a separator for them is specified using a comma after the separator
character followed immediately by the TXT record item separator. To concatenate
items without a separator, use a semicolon instead. For SPF records the
default behaviour is to concatenate multiple items without using a separator.
-.wen
.code
${lookup dnsdb{>\n,: txt=a.b.example}}
${lookup dnsdb{>\n; txt=a.b.example}}
supplied number and is at least 0. The quality of this randomness depends
on how Exim was built; the values are not suitable for keying material.
If Exim is linked against OpenSSL then RAND_pseudo_bytes() is used.
-.new
If Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used,
for versions of GnuTLS with that function.
-.wen
Otherwise, the implementation may be arc4random(), random() seeded by
srandomdev() or srandom(), or a custom implementation even weaker than
random().
.endd
Note that the general negation operator provides for inequality testing. The
two strings must take the form of optionally signed decimal integers,
-optionally followed by one of the letters &"K"& or &"M"& (in either upper or
-lower case), signifying multiplication by 1024 or 1024*1024, respectively.
+optionally followed by one of the letters &"K"&, &"M"& or &"G"& (in either upper or
+lower case), signifying multiplication by 1024, 1024*1024 or 1024*1024*1024, respectively.
As a special case, the numerical value of an empty string is taken as
zero.
includes the case of letters, whereas for &%gti%& the comparison is
case-independent.
-.new
.vitem &*inlist&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*& &&&
&*inlisti&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
.cindex "string" "comparison"
${if inlisti{Needle}{fOo:NeeDLE:bAr}}
${if forany{fOo:NeeDLE:bAr}{eqi{$item}{Needle}}}
.endd
-.wen
.vitem &*isip&~{*&<&'string'&>&*}*& &&&
&*isip4&~{*&<&'string'&>&*}*& &&&
.vitem &*match_ip&~{*&<&'string1'&>&*}{*&<&'string2'&>&*}*&
.cindex "&%match_ip%& expansion condition"
-.new
This condition matches an IP address to a list of IP address patterns. It must
be followed by two argument strings. The first (after expansion) must be an IP
address or an empty string. The second (not expanded) is a restricted host
list that can match only an IP address, not a host name. For example:
-.wen
.code
${if match_ip{$sender_host_address}{1.2.3.4:5.6.7.8}{...}{...}}
.endd
.endd
.endlist ilist
-.new
Note that <&'string2'&> is not itself subject to string expansion, unless
Exim was built with the EXPAND_LISTMATCH_RHS option.
-.wen
Consult section &<<SECThoslispatip>>& for further details of these patterns.
have their local parts matched casefully. Domains are always matched
caselessly.
-.new
Note that <&'string2'&> is not itself subject to string expansion, unless
Exim was built with the EXPAND_LISTMATCH_RHS option.
-.wen
&*Note*&: Host lists are &'not'& supported in this way. This is because
hosts have two identities: a name and an IP address, and it is not clear
negative response to an AUTH command, including (for example) an attempt to use
an undefined mechanism.
-.new
.vitem &$av_failed$&
.cindex "content scanning" "AV scanner failure"
This variable is available when Exim is compiled with the content-scanning
extension. It is set to &"0"& by default, but will be set to &"1"& if any
problem occurs with the virus scanner (specified by &%av_scanner%&) during
the ACL malware condition.
-.wen
.vitem &$body_linecount$&
.cindex "message body" "line count"
received. It is empty if there was no successful authentication. See also
&$authenticated_id$&.
+.new
+.vitem &$sender_host_dnssec$&
+.vindex "&$sender_host_dnssec$&"
+If &$sender_host_name$& has been populated (by reference, &%hosts_lookup%& or
+otherwise) then this boolean will have been set true if, and only if, the
+resolver library states that the reverse DNS was authenticated data. At all
+other times, this variable is false.
+
+It is likely that you will need to coerce DNSSEC support on in the resolver
+library, by setting:
+.code
+dns_use_dnssec = 1
+.endd
+
+Exim does not perform DNSSEC validation itself, instead leaving that to a
+validating resolver (eg, unbound, or bind with suitable configuration).
+
+Exim does not (currently) check to see if the forward DNS was also secured
+with DNSSEC, only the reverse DNS.
+
+If you have changed &%host_lookup_order%& so that &`bydns`& is not the first
+mechanism in the list, then this variable will be false.
+.wen
+
+
.vitem &$sender_host_name$&
.vindex "&$sender_host_name$&"
When a message is received from a remote host, this variable contains the
command, which can be found in the separate document entitled &'Exim's
interfaces to mail filtering'&.
-.new
-.vitem &$tls_bits$&
-.vindex "&$tls_bits$&"
-Contains an approximation of the TLS cipher's bit-strength; the meaning of
+.vitem &$tls_in_bits$&
+.vindex "&$tls_in_bits$&"
+Contains an approximation of the TLS cipher's bit-strength
+on the inbound connection; the meaning of
this depends upon the TLS implementation used.
If TLS has not been negotiated, the value will be 0.
The value of this is automatically fed into the Cyrus SASL authenticator
when acting as a server, to specify the "external SSF" (a SASL term).
-.wen
-.vitem &$tls_certificate_verified$&
-.vindex "&$tls_certificate_verified$&"
+The deprecated &$tls_bits$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_bits$&
+.vindex "&$tls_out_bits$&"
+Contains an approximation of the TLS cipher's bit-strength
+on an outbound SMTP connection; the meaning of
+this depends upon the TLS implementation used.
+If TLS has not been negotiated, the value will be 0.
+
+.vitem &$tls_in_certificate_verified$&
+.vindex "&$tls_in_certificate_verified$&"
This variable is set to &"1"& if a TLS certificate was verified when the
message was received, and &"0"& otherwise.
-.vitem &$tls_cipher$&
+The deprecated &$tls_certificate_verfied$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_certificate_verified$&
+.vindex "&$tls_out_certificate_verified$&"
+This variable is set to &"1"& if a TLS certificate was verified when an
+outbound SMTP connection was made,
+and &"0"& otherwise.
+
+.vitem &$tls_in_cipher$&
+.vindex "&$tls_in_cipher$&"
.vindex "&$tls_cipher$&"
When a message is received from a remote host over an encrypted SMTP
connection, this variable is set to the cipher suite that was negotiated, for
&$tls_cipher$& for emptiness is one way of distinguishing between encrypted and
non-encrypted connections during ACL processing.
-The &$tls_cipher$& variable retains its value during message delivery, except
-when an outward SMTP delivery takes place via the &(smtp)& transport. In this
-case, &$tls_cipher$& is cleared before any outgoing SMTP connection is made,
+The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during message reception,
+but in the context of an outward SMTP delivery taking place via the &(smtp)& transport
+becomes the same as &$tls_out_cipher$&.
+
+.vitem &$tls_out_cipher$&
+.vindex "&$tls_out_cipher$&"
+This variable is
+cleared before any outgoing SMTP connection is made,
and then set to the outgoing cipher suite if one is negotiated. See chapter
&<<CHAPTLS>>& for details of TLS support and chapter &<<CHAPsmtptrans>>& for
details of the &(smtp)& transport.
-.vitem &$tls_peerdn$&
+.vitem &$tls_in_peerdn$&
+.vindex "&$tls_in_peerdn$&"
.vindex "&$tls_peerdn$&"
When a message is received from a remote host over an encrypted SMTP
connection, and Exim is configured to request a certificate from the client,
the value of the Distinguished Name of the certificate is made available in the
-&$tls_peerdn$& during subsequent processing. Like &$tls_cipher$&, the
-value is retained during message delivery, except during outbound SMTP
-deliveries.
+&$tls_in_peerdn$& during subsequent processing.
-.new
-.vitem &$tls_sni$&
+The deprecated &$tls_peerdn$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_peerdn$&
+.vindex "&$tls_out_peerdn$&"
+When a message is being delivered to a remote host over an encrypted SMTP
+connection, and Exim is configured to request a certificate from the server,
+the value of the Distinguished Name of the certificate is made available in the
+&$tls_out_peerdn$& during subsequent processing.
+
+.vitem &$tls_in_sni$&
+.vindex "&$tls_in_sni$&"
.vindex "&$tls_sni$&"
.cindex "TLS" "Server Name Indication"
When a TLS session is being established, if the client sends the Server
a different certificate to be presented (and optionally a different key to be
used) to the client, based upon the value of the SNI extension.
-The value will be retained for the lifetime of the message. During outbound
-SMTP deliveries, it reflects the value of the &%tls_sni%& option on
+The deprecated &$tls_sni$& variable refers to the inbound side
+except when used in the context of an outbound SMTP delivery, when it refers to
+the outbound.
+
+.vitem &$tls_out_sni$&
+.vindex "&$tls_out_sni$&"
+.cindex "TLS" "Server Name Indication"
+During outbound
+SMTP deliveries, this variable reflects the value of the &%tls_sni%& option on
the transport.
-.wen
.vitem &$tod_bsdinbox$&
.vindex "&$tod_bsdinbox$&"
.row &%dns_ipv4_lookup%& "only v4 lookup for these domains"
.row &%dns_retrans%& "parameter for resolver"
.row &%dns_retry%& "parameter for resolver"
+.new
+.row &%dns_use_dnssec%& "parameter for resolver"
+.wen
.row &%dns_use_edns0%& "parameter for resolver"
.row &%hold_domains%& "hold delivery for these domains"
.row &%local_interfaces%& "for routing checks"
Those options that undergo string expansion before use are marked with
†.
-.new
.option accept_8bitmime main boolean true
.cindex "8BITMIME"
.cindex "8-bit characters"
.display
&url(http://cr.yp.to/smtp/8bitmime.html)
.endd
-.wen
.option acl_not_smtp main string&!! unset
.cindex "&ACL;" "for non-SMTP messages"
is encrypted using TLS, you can make use of the fact that the value of this
option is expanded, with a setting like this:
.code
-auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
+auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}
.endd
-.vindex "&$tls_cipher$&"
-If &$tls_cipher$& is empty, the session is not encrypted, and the result of
+.vindex "&$tls_in_cipher$&"
+If &$tls_in_cipher$& is empty, the session is not encrypted, and the result of
the expansion is empty, thus matching no hosts. Otherwise, the result of the
expansion is *, which matches all hosts.
.new
+.option dns_use_dnssec main integer -1
+.cindex "DNS" "resolver options"
+.cindex "DNS" "DNSSEC"
+If this option is set to a non-negative number then Exim will initialise the
+DNS resolver library to either use or not use DNSSEC, overriding the system
+default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on.
+
+If the resolver library does not support DNSSEC then this option has no effect.
+.wen
+
+
.option dns_use_edns0 main integer -1
.cindex "DNS" "resolver options"
.cindex "DNS" "EDNS0"
on.
If the resolver library does not support EDNS0 then this option has no effect.
-.wen
.option drop_cr main boolean false
adjusted lightly. An unrecognised item will be detected at startup, by
invoking Exim with the &%-bV%& flag.
-.new
Historical note: prior to release 4.80, Exim defaulted this value to
"+dont_insert_empty_fragments", which may still be needed for compatibility
with some clients, but which lowers security by increasing exposure to
some now infamous attacks.
-.wen
An example:
.code
${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
by $primary_hostname \
${if def:received_protocol {with $received_protocol}} \
- ${if def:tls_cipher {($tls_cipher)\n\t}}\
+ ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\
(Exim $version_number)\n\t\
${if def:sender_address \
{(envelope-from <$sender_address>)\n\t}}\
use when sending messages as a client, you must set the &%tls_certificate%&
option in the relevant &(smtp)& transport.
-.new
-If the option contains &$tls_sni$& and Exim is built against OpenSSL, then
+If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
Server Name Indication extension, then this option and others documented in
&<<SECTtlssni>>& will be re-expanded.
-.wen
.option tls_crl main string&!! unset
.cindex "TLS" "server certificate revocation list"
This option specifies a certificate revocation list. The expanded value must
be the name of a file that contains a CRL in PEM format.
-.new
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
-.wen
-.new
.option tls_dh_max_bits main integer 2236
.cindex "TLS" "D-H bit count"
The number of bits used for Diffie-Hellman key-exchange may be suggested by
Note that the value passed to GnuTLS for *generating* a new prime may be a
little less than this figure, because GnuTLS is inexact and may produce a
larger prime than requested.
-.wen
.option tls_dhparam main string&!! unset
.cindex "TLS" "D-H parameters for server"
-.new
The value of this option is expanded and indicates the source of DH parameters
to be used by Exim.
Some of these will be too small to be accepted by clients.
Some may be too large to be accepted by clients.
-.wen
.option tls_on_connect_ports main "string list" unset
key is assumed to be in the same file as the server's certificates. See chapter
&<<CHAPTLS>>& for further details.
-.new
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
-.wen
.option tls_remember_esmtp main boolean false
Thus the values defined should be considered public data. To avoid this,
use OpenSSL with a directory.
-.new
See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.
-.wen
.option tls_verify_hosts main "host list&!!" unset
case routing fails.
-.new
.section "Declining addresses by dnslookup" "SECTdnslookupdecline"
.cindex "&(dnslookup)& router" "declines"
There are a few cases where a &(dnslookup)& router will decline to accept
&%check_secondary_mx%& is set on this router but the local host can
not be found in the MX records (see below)
.endlist
-.wen
.endd
is interpreted as a pipe with a rather strange command name, and no arguments.
+.new
+Note that the above example assumes that the text comes from a lookup source
+of some sort, so that the quotes are part of the data. If composing a
+redirect router with a &%data%& option directly specifying this command, the
+quotes will be used by the configuration parser to define the extent of one
+string, but will not be passed down into the redirect router itself. There
+are two main approaches to get around this: escape quotes to be part of the
+data itself, or avoid using this mechanism and instead create a custom
+transport with the &%command%& option set and reference that transport from
+an &%accept%& router.
+.wen
+
.next
.cindex "file" "in redirection list"
.cindex "address redirection" "to file"
section &<<SECTmaildirdelivery>>& below.
-.new
.option maildir_use_size_file appendfile&!! boolean false
.cindex "maildir format" "&_maildirsize_& file"
The result of string expansion for this option must be a valid boolean value.
quota from the &%quota%& option of the transport. If &%quota%& is unset, the
value is zero. See &%maildir_quota_directory_regex%& above and section
&<<SECTmaildirdelivery>>& below for further details.
-.wen
.option maildirfolder_create_regex appendfile string unset
.cindex "maildir format" "&_maildirfolder_& file"
are in force when any authenticators are run and when the
&%authenticated_sender%& option is expanded.
+These variables are deprecated in favour of &$tls_in_cipher$& et. al.
+and will be removed in a future release.
+
.section "Private options for smtp" "SECID146"
.cindex "options" "&(smtp)& transport"
The expansion happens after the outgoing connection has been made and TLS
started, if required. This means that the &$host$&, &$host_address$&,
-&$tls_cipher$&, and &$tls_peerdn$& variables are set according to the
+&$tls_out_cipher$&, and &$tls_out_peerdn$& variables are set according to the
particular connection.
If the SMTP session is not authenticated, the expansion of
details.
+.new
+.option dscp smtp string&!! unset
+.cindex "DCSP" "outbound"
+This option causes the DSCP value associated with a socket to be set to one
+of a number of fixed strings or to numeric value.
+The &%-bI:dscp%& option may be used to ask Exim which names it knows of.
+Common values include &`throughput`&, &`mincost`&, and on newer systems
+&`ef`&, &`af41`&, etc. Numeric values may be in the range 0 to 0x3F.
+
+The outbound packets from Exim will be marked with this value in the header
+(for IPv4, the TOS field; for IPv6, the TCLASS field); there is no guarantee
+that these values will have any effect, not be stripped by networking
+equipment, or do much of anything without cooperation with your Network
+Engineer and those of all network operators between the source and destination.
+.wen
+
.option fallback_hosts smtp "string list" unset
.cindex "fallback" "hosts specified on transport"
Exim will not try to start a TLS session when delivering to any host that
matches this list. See chapter &<<CHAPTLS>>& for details of TLS.
+.option hosts_verify_avoid_tls smtp "host list&!!" *
+.cindex "TLS" "avoiding for certain hosts"
+Exim will not try to start a TLS session for a verify callout,
+or when delivering in cutthrough mode,
+to any host that matches this list.
+Note that the default is to not use TLS.
+
.option hosts_max_try smtp integer 5
.cindex "host" "maximum number to try"
deliveries into closed message stores. Exim also has support for running LMTP
over a pipe to a local process &-- see chapter &<<CHAPLMTP>>&.
-.new
If this option is set to &"smtps"&, the default vaule for the &%port%& option
changes to &"smtps"&, and the transport initiates TLS immediately after
connecting, as an outbound SSL-on-connect, instead of using STARTTLS to upgrade.
The Internet standards bodies strongly discourage use of this mode.
-.wen
.option retry_include_ip_address smtp boolean true
be the name of a file that contains a CRL in PEM format.
+.new
+.option tls_dh_min_bits smtp integer 1024
+.cindex "TLS" "Diffie-Hellman minimum acceptable size"
+When establishing a TLS session, if a ciphersuite which uses Diffie-Hellman
+key agreement is negotiated, the server will provide a large prime number
+for use. This option establishes the minimum acceptable size of that number.
+If the parameter offered by the server is too small, then the TLS handshake
+will fail.
+
+Only supported when using GnuTLS.
+.wen
+
+
.option tls_privatekey smtp string&!! unset
.cindex "TLS" "client private key, location of"
.vindex "&$host$&"
-.new
.option tls_sni smtp string&!! unset
.cindex "TLS" "Server Name Indication"
.vindex "&$tls_sni$&"
-If this option is set then it sets the $tls_sni variable and causes any
+If this option is set then it sets the $tls_out_sni variable and causes any
TLS session to pass this value as the Server Name Indication extension to
the remote side, which can be used by the remote side to select an appropriate
certificate and private key for the session.
See &<<SECTtlssni>>& for more information.
-OpenSSL only, also requiring a build of OpenSSL that supports TLS extensions.
-.wen
+Note that for OpenSSL, this feature requires a build of OpenSSL that supports
+TLS extensions.
+
.code
AUTH_CRAM_MD5=yes
AUTH_CYRUS_SASL=yes
-.new
AUTH_DOVECOT=yes
AUTH_GSASL=yes
AUTH_HEIMDAL_GSSAPI=yes
-.wen
AUTH_PLAINTEXT=yes
AUTH_SPA=yes
.endd
in &_Local/Makefile_&, respectively. The first of these supports the CRAM-MD5
authentication mechanism (RFC 2195), and the second provides an interface to
the Cyrus SASL authentication library.
-.new
The third is an interface to Dovecot's authentication system, delegating the
work via a socket interface.
The fourth provides an interface to the GNU SASL authentication library, which
the PLAIN authentication mechanism (RFC 2595) or the LOGIN mechanism, which is
not formally documented, but used by several MUAs. The seventh authenticator
supports Microsoft's &'Secure Password Authentication'& mechanism.
-.wen
The authenticators are configured using the same syntax as other drivers (see
section &<<SECTfordricon>>&). If no authenticators are required, no
authenticators, followed by general discussion of the way authentication works
in Exim.
-.new
&*Beware:*& the meaning of &$auth1$&, &$auth2$&, ... varies on a per-driver and
per-mechanism basis. Please read carefully to determine which variables hold
account labels such as usercodes and which hold passwords or other
to a client to help it select an account and credentials to use. In some
mechanisms, the client and server provably agree on the realm, but clients
typically can not treat the realm as secure data to be blindly trusted.
-.wen
used, for example, to skip plain text authenticators when the connection is not
encrypted by a setting such as:
.code
-client_condition = ${if !eq{$tls_cipher}{}}
+client_condition = ${if !eq{$tls_out_cipher}{}}
.endd
-(Older documentation incorrectly states that &$tls_cipher$& contains the cipher
-used for incoming messages. In fact, during SMTP delivery, it contains the
-cipher used for the delivery.)
.option driver authenticators string unset
is used directly to control authentication. See section &<<SECTplainserver>>&
for details.
-.new
For the &(gsasl)& authenticator, this option is required for various
mechanisms; see chapter &<<CHAPgsasl>>& for details.
-.wen
For the other authenticators, &%server_condition%& can be used as an additional
authentication or authorization mechanism that is applied after the other
advertisement of a particular mechanism to encrypted connections, by a setting
such as:
.code
-server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}}
.endd
-.vindex "&$tls_cipher$&"
-If the session is encrypted, &$tls_cipher$& is not empty, and so the expansion
+.vindex "&$tls_in_cipher$&"
+If the session is encrypted, &$tls_in_cipher$& is not empty, and so the expansion
yields &"yes"&, which allows the advertisement to happen.
When an Exim server receives an AUTH command from a client, it rejects it
Note that this expansion explicitly forces failure if the lookup fails
because &$auth1$& contains an unknown user name.
-.new
As another example, if you wish to re-use a Cyrus SASL sasldb2 file without
using the relevant libraries, you need to know the realm to specify in the
lookup and then ask for the &"userPassword"& attribute for that user in that
dbmjz{/etc/sasldb2}}
server_set_id = $auth1
.endd
-.wen
.section "Using cram_md5 as a client" "SECID177"
.cindex "options" "&(cram_md5)& authenticator (client)"
changing the server keytab might need to be communicated down to the Kerberos
layer independently. The mechanism for doing so is dependent upon the Kerberos
implementation.
-.new
+
For example, for older releases of Heimdal, the environment variable KRB5_KTNAME
may be set to point to an alternative keytab file. Exim will pass this
variable through from its own inherited environment when started as root or the
environment variable. In practice, for those releases, the Cyrus authenticator
is not a suitable interface for GSSAPI (Kerberos) support. Instead, consider
the &(heimdal_gssapi)& authenticator, described in chapter &<<CHAPheimdalgss>>&
-.wen
.section "Using cyrus_sasl as a server" "SECID178"
server_set_id = $auth1
.endd
-.new
.option server_realm cyrus_sasl string&!! unset
This specifies the SASL realm that the server claims to be in.
-.wen
.option server_service cyrus_sasl string &`smtp`&
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
-.new
.chapter "The gsasl authenticator" "CHAPgsasl"
.scindex IIDgsaslauth1 "&(gsasl)& authenticator"
.scindex IIDgsaslauth2 "authenticators" "&(gsasl)&"
server_condition = yes
.endd
-.wen
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
-.new
.chapter "The heimdal_gssapi authenticator" "CHAPheimdalgss"
.scindex IIDheimdalgssauth1 "&(heimdal_gssapi)& authenticator"
.scindex IIDheimdalgssauth2 "authenticators" "&(heimdal_gssapi)&"
GSS Display Name.
.endlist
-.wen
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
The &%tls_verify_certificates%& option must contain the name of a file, not the
name of a directory (for OpenSSL it can be either).
.next
-.new
The default value for &%tls_dhparam%& differs for historical reasons.
-.wen
.next
-.vindex "&$tls_peerdn$&"
+.vindex "&$tls_in_peerdn$&"
+.vindex "&$tls_out_peerdn$&"
Distinguished Name (DN) strings reported by the OpenSSL library use a slash for
separating fields; GnuTLS uses commas, in accordance with RFC 2253. This
-affects the value of the &$tls_peerdn$& variable.
+affects the value of the &$tls_in_peerdn$& and &$tls_out_peerdn$& variables.
.next
OpenSSL identifies cipher suites using hyphens as separators, for example:
DES-CBC3-SHA. GnuTLS historically used underscores, for example:
.next
The &%tls_require_ciphers%& options operate differently, as described in the
sections &<<SECTreqciphssl>>& and &<<SECTreqciphgnu>>&.
+.next
.new
+The &%tls_dh_min_bits%& SMTP transport option is only honoured by GnuTLS.
+When using OpenSSL, this option is ignored.
+(If an API is found to let OpenSSL be configured in this way,
+let the Exim Maintainers know and we'll likely use it).
+.wen
.next
Some other recently added features may only be available in one or the other.
This should be documented with the feature. If the documentation does not
explicitly state that the feature is infeasible in the other TLS
implementation, then patches are welcome.
-.wen
.endlist
.section "GnuTLS parameter computation" "SECTgnutlsparam"
-.new
This section only applies if &%tls_dhparam%& is set to &`historic`& or to
an explicit path; if the latter, then the text about generation still applies,
but not the chosen filename.
bounds, as GnuTLS has been observed to overshoot. Note the check step in the
procedure above. There is no sane procedure available to Exim to double-check
the size of the generated prime, so it might still be too large.
-.wen
.section "Requiring specific ciphers in OpenSSL" "SECTreqciphssl"
not be moved to the end of the list.
.endlist
-.new
The OpenSSL &'ciphers(1)'& command may be used to test the results of a given
string:
.code
{DEFAULT}\
{HIGH:!MD5:!SHA1}}
.endd
-.wen
-.new
.section "Requiring specific ciphers or other parameters in GnuTLS" &&&
"SECTreqciphgnu"
.cindex "GnuTLS" "specifying parameters for"
{NORMAL:%COMPAT}\
{SECURE128}}
.endd
-.wen
.section "Configuring an Exim server to use TLS" "SECID182"
.endd
is set, the SSL library is initialized for the use of Diffie-Hellman ciphers
with the parameters contained in the file.
-.new
Set this to &`none`& to disable use of DH entirely, by making no prime
available:
.code
openssl dhparam
.endd
for a way of generating file data.
-.wen
The strings supplied for these three options are expanded every time a client
host connects. It is therefore possible to use different certificates and keys
.cindex "cipher" "logging"
.cindex "log" "TLS cipher"
-.vindex "&$tls_cipher$&"
-The variable &$tls_cipher$& is set to the cipher suite that was negotiated for
+.vindex "&$tls_in_cipher$&"
+The variable &$tls_in_cipher$& is set to the cipher suite that was negotiated for
an incoming TLS connection. It is included in the &'Received:'& header of an
incoming message (by default &-- you can, of course, change this), and it is
also included in the log line that records a message's arrival, keyed by
&"X="&, unless the &%tls_cipher%& log selector is turned off. The &%encrypted%&
condition can be used to test for specific cipher suites in ACLs.
-(For outgoing SMTP deliveries, &$tls_cipher$& is reset &-- see section
-&<<SECID185>>&.)
Once TLS has been established, the ACLs that run for subsequent SMTP commands
can check the name of the cipher suite and vary their actions accordingly. The
contexts is known as TLS_RSA_WITH_3DES_EDE_CBC_SHA. Check the OpenSSL or GnuTLS
documentation for more details.
+For outgoing SMTP deliveries, &$tls_out_cipher$& is used and logged
+(again depending on the &%tls_cipher%& log selector).
+
.section "Requesting and verifying client certificates" "SECID183"
.cindex "certificate" "verification of client"
example, you can insist on a certificate before accepting a message for
relaying, but not when the message is destined for local delivery.
-.vindex "&$tls_peerdn$&"
+.vindex "&$tls_in_peerdn$&"
When a client supplies a certificate (whether it verifies or not), the value of
the Distinguished Name of the certificate is made available in the variable
-&$tls_peerdn$& during subsequent processing of the message.
+&$tls_in_peerdn$& during subsequent processing of the message.
.cindex "log" "distinguished name"
Because it is often a long text string, it is not included in the log line or
&'Received:'& header by default. You can arrange for it to be logged, keyed by
&"DN="&, by setting the &%tls_peerdn%& log selector, and you can use
&%received_header_text%& to change the &'Received:'& header. When no
-certificate is supplied, &$tls_peerdn$& is empty.
+certificate is supplied, &$tls_in_peerdn$& is empty.
.section "Revoked certificates" "SECID184"
which the client is connected. Forced failure of an expansion causes Exim to
behave as if the relevant option were unset.
-.vindex &$tls_bits$&
-.vindex &$tls_cipher$&
-.vindex &$tls_peerdn$&
-.vindex &$tls_sni$&
+.vindex &$tls_out_bits$&
+.vindex &$tls_out_cipher$&
+.vindex &$tls_out_peerdn$&
+.vindex &$tls_out_sni$&
Before an SMTP connection is established, the
-&$tls_bits$&, &$tls_cipher$&, &$tls_peerdn$& and &$tls_sni$&
+&$tls_out_bits$&, &$tls_out_cipher$&, &$tls_out_peerdn$& and &$tls_out_sni$&
variables are emptied. (Until the first connection, they contain the values
that were set when the message was received.) If STARTTLS is subsequently
successfully obeyed, these variables are set to the relevant values for the
-.new
.section "Use of TLS Server Name Indication" "SECTtlssni"
.cindex "TLS" "Server Name Indication"
-.vindex "&$tls_sni$&"
-.oindex "&%tls_sni%&"
+.vindex "&$tls_in_sni$&"
+.oindex "&%tls_in_sni%&"
With TLS1.0 or above, there is an extension mechanism by which extra
information can be included at various points in the protocol. One of these
extensions, documented in RFC 6066 (and before that RFC 4366) is
The &%tls_sni%& option on an SMTP transport is an expanded string; the result,
if not empty, will be sent on a TLS session as part of the handshake. There's
nothing more to it. Choosing a sensible value not derived insecurely is the
-only point of caution. The &$tls_sni$& variable will be set to this string
+only point of caution. The &$tls_out_sni$& variable will be set to this string
for the lifetime of the client connection (including during authentication).
-Except during SMTP client sessions, if &$tls_sni$& is set then it is a string
+Except during SMTP client sessions, if &$tls_in_sni$& is set then it is a string
received from a client.
It can be logged with the &%log_selector%& item &`+tls_sni`&.
-If the string &`tls_sni`& appears in the main section's &%tls_certificate%&
+If the string &`tls_in_sni`& appears in the main section's &%tls_certificate%&
option (prior to expansion) then the following options will be re-expanded
during TLS session handshake, to permit alternative values to be chosen:
When Exim is built against GnuTLS, SNI support is available as of GnuTLS
0.5.10. (Its presence predates the current API which Exim uses, so if Exim
built, then you have SNI support).
-.wen
This modifier sets up a message that is used as part of the log message if the
ACL denies access or a &%warn%& statement's conditions are true. For example:
.code
-require log_message = wrong cipher suite $tls_cipher
+require log_message = wrong cipher suite $tls_in_cipher
encrypted = DES-CBC3-SHA
.endd
&%log_message%& is also used when recipients are discarded by &%discard%&. For
is what is wanted for subsequent tests.
+.new
+.vitem &*control&~=&~cutthrough_delivery*&
+.cindex "&ACL;" "cutthrough routing"
+This option requests delivery be attempted while the item is being received.
+It is usable in the RCPT ACL and valid only for single-recipient mails forwarded
+from one SMTP connection to another. If a recipient-verify callout connection is
+requested in the same ACL it is held open and used for the data, otherwise one is made
+after the ACL completes.
+
+Should the ultimate destination system positively accept or reject the mail,
+a corresponding indication is given to the source system and nothing is queued.
+If there is a temporary error the item is queued for later delivery in the
+usual fashion. If the item is successfully delivered in cutthrough mode the log line
+is tagged with ">>" rather than "=>" and appears before the acceptance "<="
+line.
+
+Delivery in this mode avoids the generation of a bounce mail to a (possibly faked)
+sender when the destination system is doing content-scan based rejection.
+.wen
+
+
+.new
+.vitem &*control&~=&~dscp/*&<&'value'&>
+.cindex "&ACL;" "setting DSCP value"
+.cindex "DSCP" "inbound"
+This option causes the DSCP value associated with the socket for the inbound
+connection to be adjusted to a given value, given as one of a number of fixed
+strings or to numeric value.
+The &%-bI:dscp%& option may be used to ask Exim which names it knows of.
+Common values include &`throughput`&, &`mincost`&, and on newer systems
+&`ef`&, &`af41`&, etc. Numeric values may be in the range 0 to 0x3F.
+
+The outbound packets from Exim will be marked with this value in the header
+(for IPv4, the TOS field; for IPv6, the TCLASS field); there is no guarantee
+that these values will have any effect, not be stripped by networking
+equipment, or do much of anything without cooperation with your Network
+Engineer and those of all network operators between the source and destination.
+.wen
+
+
.vitem &*control&~=&~debug/*&<&'options'&>
.cindex "&ACL;" "enabling debug logging"
.cindex "debugging" "enabling from an ACL"
If the remote server advertises support for the STARTTLS command, and Exim
was built to support TLS encryption, it tries to start a TLS session unless the
server matches &%hosts_avoid_tls%&. See chapter &<<CHAPTLS>>& for more details.
+Either a match in that or &%hosts_verify_avoid_tls%& apply when the transport
+is called for verification.
If the remote server advertises support for the AUTH command, Exim scans
the authenticators configuration for any suitable client settings, as described
Change log file for Exim from version 4.21
-------------------------------------------
+Exim version 4.81
+-----------------
+
+PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities.
+
+PP/02 Make -n do something, by making it not do something.
+ When combined with -bP, the name of an option is not output.
+
+PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured
+ by GnuTLS.
+
+PP/04 First step towards DNSSEC, provide $sender_host_dnssec for
+ $sender_host_name and config options to manage this, and basic check
+ routines.
+
+PP/05 DSCP support for outbound connections and control modifier for inbound.
+
+PP/06 Cyrus SASL: set local and remote IP;port properties for driver.
+ (Only plugin which currently uses this is kerberos4, which nobody should
+ be using, but we should make it available and other future plugins might
+ conceivably use it, even though it would break NAT; stuff *should* be
+ using channel bindings instead).
+
+PP/07 Handle "exim -L <tag>" to indicate to use syslog with tag as the process
+ name; added for Sendmail compatibility; requires admin caller.
+ Handle -G as equivalent to "control = suppress_local_fixups" (we used to
+ just ignore it); requires trusted caller.
+ Also parse but ignore: -Ac -Am -X<logfile>
+ Bugzilla 1117.
+
+TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing.
+
+JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support.
+
+JH/02 Support "G" suffix to numbers in ${if comparisons.
+
+PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL.
+
+
Exim version 4.80
-----------------
NM/33 Bugzilla 898: Transport filter timeout fix.
Patch by Todd Rinaldo.
-NM/34 Bugzilla 901: Fix sign/unsigned and UTF mistmatches.
+NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches.
Patch by Serge Demonchaux.
NM/35 Bugzilla 39: Base64 decode bug fixes.
test from the snapshots or the CVS before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Version 4.81
+------------
+
+ 1. New command-line option -bI:sieve will list all supported sieve extensions
+ of this Exim build on standard output, one per line.
+ ManageSieve (RFC 5804) providers managing scripts for use by Exim should
+ query this to establish the correct list to include in the protocol's
+ SIEVE capability line.
+
+ 2. If the -n option is combined with the -bP option, then the name of an
+ emitted option is not output, only the value (if visible to you).
+ For instance, "exim -n -bP pid_file_path" should just emit a pathname
+ followed by a newline, and no other text.
+
+ 3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now
+ has a "tls_dh_min_bits" option, to set the minimum acceptable number of
+ bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites)
+ acceptable for security. (Option accepted but ignored if using OpenSSL).
+ Defaults to 1024, the old value. May be lowered only to 512, or raised as
+ far as you like. Raising this may hinder TLS interoperability with other
+ sites and is not currently recommended. Lowering this will permit you to
+ establish a TLS session which is not as secure as you might like.
+
+ Unless you really know what you are doing, leave it alone.
+
+ 4. If not built with DISABLE_DNSSEC, Exim now has the main option
+ dns_use_dnssec; if set to 1 then Exim will initialise the resolver library
+ to send the DO flag to your recursive resolver. If you have a recursive
+ resolver, which can set the Authenticated Data (AD) flag in results, Exim
+ can now detect this.
+
+ Current status: work-in-progress; $sender_host_dnssec variable added.
+
+ 5. DSCP support for outbound connections: on a transport using the smtp driver,
+ set "dscp = ef", for instance, to cause the connections to have the relevant
+ DSCP (IPv4 TOS or IPv6 TCLASS) value in the header.
+
+ Similarly for inbound connections, there is a new control modifier, dscp,
+ so "warn control = dscp/ef" in the connect ACL, or after authentication.
+
+ Supported values depend upon system libraries. "exim -bI:dscp" to list the
+ ones Exim knows of. You can also set a raw number 0..0x3F.
+
+ 6. The -G command-line flag is no longer ignored; it is now equivalent to an
+ ACL setting "control = suppress_local_fixups". The -L command-line flag
+ is now accepted and forces use of syslog, with the provided tag as the
+ process name. A few other flags used by Sendmail are now accepted and
+ ignored.
+
+ 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery"
+ ACL modifier; works for single-recipient mails which are recieved on and
+ deliverable via SMTP. Using the connection made for a recipient verify,
+ if requested before the verify, or a new one made for the purpose while
+ the inbound connection is still active. The bulk of the mail item is copied
+ direct from the inbound socket to the outbound (as well as the spool file).
+ When the source notifies the end of data, the data acceptance by the destination
+ is negociated before the acceptance is sent to the source. If the destination
+ does not accept the mail item, for example due to content-scanning, the item
+ is not accepted from the source and therefore there is no need to generate
+ a bounce mail. This is of benefit when providing a secondary-MX service.
+ The downside is that delays are under the control of the ultimate destination
+ system not your own.
+
+ The Recieved-by: header on items delivered by cutthrough is generated
+ early in of reception rather than at the end; this will affect any timestamp
+ included. The log line showing delivery is recorded before that showing
+ reception; it uses a new ">>" tag instead of "=>".
+
+ To support the feature, verify-callout connections can now use ESMTP and TLS.
+ The usual smtp transport options are honoured, plus a (new, default everything)
+ hosts_verify_avoid_tls.
+
+ New variable families named tls_in_cipher, tls_out_cipher etc. are introduced
+ for specific access to the information for each connection. The old names
+ are present for now but deprecated.
+
+ Not yet supported: IGNOREQUOTA, SIZE, PIPELINING, AUTH.
+
+
Version 4.80
------------
dns_retrans time 0s main 1.60
dns_retry integer 0 main 1.60
dns_search_parents boolean false smtp
+dns_use_dnssec integer -1 main 4.81
dns_use_edns0 integer -1 main 4.76
domains domain list unset routers 4.00
driver string unset authenticators
unset routers 4.00
unset transports
drop_cr boolean false main 4.00 became a no-op in 4.21
+dscp string unset smtp 4.81
dsn_from string* + main 4.67
envelope_to_add boolean false transports
envelope_to_remove boolean true main
tls_certificate string* unset main 3.20
unset smtp 3.20
tls_dh_max_bits integer 2236 main 4.80
+tls_dh_min_bits integer 1024 smtp 4.81
tls_dhparam string* unset main 3.20
tls_on_connect_ports string unset main 4.43
tls_privatekey string* unset main 3.20
-bh Test incoming SMTP call, omitting callouts
-bhc Test incoming SMTP call, with callouts
-bi * Run <command>bi_command</command>
+-bI:help Show list of accepted -bI:<tag> options
-bm Accept message on standard input
-bmalware + Invoke configured malware scanning against supplied filename
-bnq Don't qualify addresses in locally submitted messages
DELIVER_IN_BUFFER_SIZE optional*
DELIVER_OUT_BUFFER_SIZE optional*
DISABLE_DKIM optional disables DKIM support
+DISABLE_DNSSEC optional disables attempts to use DNSSEC
DISABLE_D_OPTION optional disables -D option
ERRNO_QUOTA optional* error code for system quota failures
EXICYCLOG_MAX optional number of old log files to keep
EXIM ACKNOWLEDGEMENTS
+This file is divided into two parts. The first is the original list maintained
+by Exim's author, Philip Hazel, before he retired. That has two sub-lists of
+contributors. The second main part is an attempt to bring this up-to-date,
+using information from ChangeLog and git.
+
+Names may well occur more than once.
+
+There was a five year gap. It is unlikely that this file is complete.
+If you contributed and are not listed, then *please* let us know. Even if you
+don't much care, we want to acknowledge your help. A contribution isn't just
+code, it includes reporting real bugs, helping with tracking problems down,
+documentation fixes and more.
+
+(Note that we have patches from folks in various countries and Latin1 is not
+ sufficient to handle all of their names acceptably.
+ This file should be in UTF-8).
+
+-Phil Pennock, pp The Exim Maintainers.
+
+============================8< cut here >8==============================
+
I have not been very good at keeping a proper record of all the people who have
sent in patches and other contributions to Exim. I am going to try to do better
in the future by keeping a record in this file. First, I'll put a list of all
Lists created: 20 November 2002
Last updated (by PH): 22 August 2007
- Note: at current time, Exim is maintained in git; the commit messages
- typically credit sources, at the very least. Also the ChangeLog file
- will record who provided patches. This file is not very up-to-date.
- -Phil Pennock, 2012
-
THE OLD LIST
Alan Barratt First code for relay checking
Tom Kistner SPA server code
Writing and maintaining the content scanning
extension (exiscan)
-Jürgen Kreileder Fix for cyrus_sasl advertisement problem
+Jürgen Kreileder Fix for cyrus_sasl advertisement problem
Friso Kuipers Patch for GDBM problem
Matthias Lederhofer Diagnosing and patching obscure and subtle socket bug
Chris Liddiard Fix for bug in exiqsumm
control=freeze/no_tell basic code
Erik ? patch to use select() instead of poll() on OS X
****
+
+============================8< cut here >8==============================
+
+The Exim Maintainers Lists
+==========================
+
+We'll start with the Exim Maintainers, who are the people with commit
+access to the master git repository and a couple more folk; then we'll list
+known contributors since the lists above.
+
+For the Maintainers, we may list primary focus area. All maintainers
+will have contributed to work outside those areas. The maintainers'
+contributions are initialled in ChangeLog. Changes from before maintainership
+should be listed as a contributor.
+
+For other contributors, we will attempt to track all contributions. Note that
+the entries per-person were added initially by scanning back through the
+ChangeLog and git, so are not in chronological order.
+
+[ With names from all over the world, we need one sort order. I've arbitrarily
+ decreed it to be "normal British address-book sort order, but based on family
+ name rather than whichever comes last and using whatever seems sanest for
+ sort order of characters which do not collate onto an English character",
+ which should handle the majority of cases. If it is not adequate for some
+ situation, we'll resolve it then.
+ We leave out titles and honourifics, just names and handles. ]
+
+
+Maintainers
+-----------
+Steve Campbell eximstats maintainer.
+Mike Cardwell Exim webmaster.
+Tony Finch Unbreaks lots of things. Ratelimit code.
+Graeme Fowler
+Michael Haardt Maintains Sieve support, works on DKIM.
+Jeremy Harris
+Philip Hazel Retired.
+ Originating architect and author of the Exim project.
+John Jetmore
+Tom Kistner DKIM. Content scanning. SPA.
+Todd Lyons
+Nigel Metheringham Transitioning out of Default Victim status.
+Phil Pennock Release Coordinator. Breaks lots of things.
+David Woodhouse Dynamic modules. Security.
+
+
+Contributors
+------------
+Andrew Aitchison Spotted cmdline AV scanner regression with -bmalware
+Simon Arlott Code for outbound SSL-on-connect
+ Patch implementing %M datestamping in log filenames
+ Patch restoring SIGPIPE handler for child_open_uid
+ Patch fixing NUL term/init of DKIM strings
+ Patch fixing dnsdb TXT record handling for DKIM
+ Patch speeding up DomainKeys signing
+Dmitry Banschikov Path to check for LDAP TLS initialisation errors
+René Berber Pointed out mistake in build instructions for QNX
+Johannes Berg Maintained dynamically loadable module code out-of-tree
+ Patch expanding spamd_address if contains $
+Jasen Betts Spotted lack of docs re bool{} on empty string
+Wolfgang Breyha DCC integration; expandable spamd_address
+ Patch handling IPv6 addresses for SPF
+ Patch fixing DKIM verification when signature header
+ not prepended
+ Unbroke Cyrus SASL auth after incorrect SSF addition
+David Brownlee Patch improving local interface IP address detection
+Eugene Bujak Security patch fixing buffer overflow in string_format
+Adam Ciarcinski Patch for TLS-enabled LDAP (alternative to ldaps)
+Dennis Davis Patches fixing compilation in older compilers
+ Reported dynlookup framework build issues on Solaris
+Serge Demonchaux Maintained dynamically loadable module code out-of-tree
+ Patch fixing sign/unsigned and UTF mismatches
+Uwe Doering Patch fixing DKIM multiple signature generation
+Maxim Dounin Patch portability of accept() len
+Frank Elsner Fixed build reliability by exporting LC_ALL=C
+Paul Fisher Diagnosed smtp_cmd_buffer_size affecting GSSAPI SASL
+ initial response, raised buffer size
+Oliver Fleischmann Patches fixing compilation in older compilers
+Julian Gilbey Helped improve userforward local_part_suffix docs
+Richard Godbee Patch fixing usage fprintf
+Steve Haslam Maintained dynamically loadable module code out-of-tree
+Oliver Heesakkers Debugged dynamic lookup build issues for LOOKUP_foo.
+Dmitry Isaikin Spotted short writes to local files
+ Patch for format string regression
+Alun Jones Patch for NULL dereference in localhost_number
+Brad Jorsch Patches fixing Resent-*: header handling
+John Hall Updated PCRE to 7.4 (when in-tree)
+Jeremy Harris Patch to log authentication information in reject log
+ Reported a ${extract error message typo
+Jakob Hirsch Patch implementing freeze_signal on pipe transports
+ Suggested X-Envelope-Sender: for content-scanning
+ Patch fixing Base64 decode bugs
+John Horne Patch adding $av_failed
+ Patch escaping log text after lookup expansion defer
+ Documentation fixes
+ Pointed out ClamAV ExtendedDetectionInfo compat issue
+Andreas M. Kirchwitz Let /dev/null have normal permissions (4.73 fallout)
+Roberto Lima Patch letting exicyclog rotate paniclog
+Todd Lyons Patch handling TAB in MAIL arguments
+Christof Meerwald Provided insight & suggested patch for GnuTLS update
+Andreas Metzler Patch upgrading PolarSSL (DKIM)
+ Reported delivery logging problems (4.73 fallout)
+ Patch to build without WITH_CONTENT_SCAN
+ Patch fixing docs for max_rcpts
+Kirill Miazine Multiple patches improving Dovecot authenticator
+Robert Millan Wrote SPF Best Guess support
+Marcin Mirosław Running static analysis tools for us, catching issues
+Dirk Mueller Patch extending use of our printf() compiler checking
+Andrey Oktyabrski Patch fixing wide character breakage in rfc2047 coding
+ Patch keeping SQL errors from being returned over SMTP
+Phil Pennock Patch adding gnutls_compat_mode
+ Patches adding bool{} and later bool_lax{}
+ Patch for TLS library version reporting build/runtime
+ Patch letting EXPN work under TLS
+ More patches built up & applied when became maintainer
+Mark Daniel Reidel Patch adding f-protd malware scanner support
+Steven A Reisman Pointed out ${eval:x % 0} SIGFPE
+Todd Rinaldo Patch fixing transport filter timeout
+Dan Rosenberg Security notification & patch for hardlink attack on
+ sticky mail directory
+ Security notification of race condition in MBX locking
+Jay Rouman Kept our copyright claim in the 21st century, not 11th
+Heiko Schlittermann Patch making maildir_use_size_file expand
+ Patch fixing maildir quota file races
+ Patch fixing make parallelisation
+ Updates to eximstats, exiwhat
+Janne Snabb TLS extensive debugging & failure root cause analysis
+ Added SPF record type support to dnsdb lookup
+Jan Srzednicki Patch improving Dovecot authenticator
+ Reported crash in Dovecot authenticator
+Martin Tscholak Reported issue with TLS anonymous ciphersuites
+Stephen Usher Patch fixing use of Oracle's LDAP libraries on Solaris
+Holger Weiß Patch leting ${run} return more data than OS pipe
+ buffer size
+Moritz Wilhelmy Pointed out PCRE_PRERELEASE glitch
+Alain Williams Patch supporting MySQL stored procedures
+Mark Zealey Patch updating $message_linecount for maildir_tag
+ Patch improving spamd server selection
+
+
+# vim: set fileencoding=utf-8 expandtab :
# There's no setting of CFLAGS here, to allow the system default
# for "make" to be the default.
-PORTOBJFORMAT!= test -x /usr/bin/objformat && /usr/bin/objformat || echo aout
-
CHOWN_COMMAND=/usr/sbin/chown
STRIP_COMMAND=/usr/bin/strip
CHMOD_COMMAND=/bin/chmod
X11=/usr/local
.endif
+# nb: FreeBSD is entirely elf; objformat was removed prior to FreeBSD 7
+# http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.bin/objformat/Attic/objformat.c
+# deleted Jan 2007.
+#
+# So if this fails, you're on an ancient unsupported FreeBSD release *and*
+# running GUI software, which seems both unusual and unwise.
+#
+# http://www.freebsd.org/doc/handbook/binary-formats.html suggests that the
+# switch to default to ELF came with FreeBSD 3. elf(5) claims ELF support
+# introduced in FreeBSD 2.2.6.
+#
XINCLUDE=-I$(X11)/include
-XLFLAGS=-L$(X11)/lib
-.if ${PORTOBJFORMAT} == "elf"
-XLFLAGS+=-Wl,-rpath,${X11}/lib
-.endif
+XLFLAGS=-L$(X11)/lib -Wl,-rpath,${X11}/lib
X11_LD_LIB=$(X11)/lib
EXIWHAT_PS_ARG=-ax
#endif /* __linux__ */
+/* Some folks running "unusual" setups with very old libc environments have
+found that _GNU_SOURCE=1 before <features.h> is not sufficient to define some
+constants needed for 64-bit arithmetic. If you encounter build errors based
+on LLONG_MIN being undefined and various other escape hatches have not helped,
+then change the 0 to 1 in the next block. */
+
+#if 0
+# define LLONG_MIN LONG_LONG_MIN
+# define LLONG_MAX LONG_LONG_MAX
+#endif
+
+
/* End */
THE EXIM MAIL TRANSFER AGENT VERSION 4
--------------------------------------
-Copyright (c) 1995 - 2005 University of Cambridge.
+Copyright (c) 1995 - 2012 University of Cambridge.
See the file NOTICE for conditions of use and distribution.
There is a book about Exim by Philip Hazel called "The Exim SMTP Mail Server",
install, and run Exim. For straightforward installations on operating systems
to which Exim has already been ported, the building process is as follows:
-. Ensure that the top-level Exim directory (e.g. exim-4.40) is the current
+. Ensure that the top-level Exim directory (e.g. exim-4.80) is the current
directory (containing the files and directories listed above).
. Edit the file called src/EDITME and put the result in a new file called
int string_datestamp_type = -1;
BOOL timestamps_utc = FALSE;
-BOOL tls_certificate_verified = FALSE;
-uschar *tls_cipher = NULL;
-uschar *tls_peerdn = NULL;
-#ifdef SUPPORT_TLS
-uschar *tls_sni = NULL;
-#endif
+tls_support tls_in = {
+ -1, /* tls_active */
+ FALSE, /* tls_certificate_verified */
+ NULL, /* tls_cipher */
+ FALSE, /* tls_on_connect */
+ NULL, /* tls_on_connect_ports */
+ NULL, /* tls_peerdn */
+ NULL /* tls_sni */
+};
tree_node *tree_duplicates = NULL;
tree_node *tree_nonrecipients = NULL;
# DISABLE_DKIM=yes
+#------------------------------------------------------------------------------
+# By default, Exim has support for checking the AD bit in a DNS response, to
+# determine if DNSSEC validation was successful. If your system libraries
+# do not support that bit, then set DISABLE_DNSSEC to "yes"
+
+# DISABLE_DNSSEC=yes
+
+
#------------------------------------------------------------------------------
# Compiling Exim with experimental features. These are documented in
# experimental-spec.txt. "Experimental" means that the way these features are
#ifndef DISABLE_DKIM
CONTROL_DKIM_VERIFY,
#endif
+ CONTROL_DSCP,
CONTROL_ERROR,
CONTROL_CASEFUL_LOCAL_PART,
CONTROL_CASELOWER_LOCAL_PART,
+ CONTROL_CUTTHROUGH_DELIVERY,
CONTROL_ENFORCE_SYNC,
CONTROL_NO_ENFORCE_SYNC,
CONTROL_FREEZE,
#ifndef DISABLE_DKIM
US"dkim_disable_verify",
#endif
+ US"dscp",
US"error",
US"caseful_local_part",
US"caselower_local_part",
+ US"cutthrough_delivery",
US"enforce_sync",
US"no_enforce_sync",
US"freeze",
(1<<ACL_WHERE_NOTSMTP_START),
#endif
+ (1<<ACL_WHERE_NOTSMTP)|
+ (1<<ACL_WHERE_NOTSMTP_START)|
+ (1<<ACL_WHERE_NOTQUIT), /* dscp */
+
0, /* error */
(unsigned int)
(unsigned int)
~(1<<ACL_WHERE_RCPT), /* caselower_local_part */
+ (unsigned int)
+ 0, /* cutthrough_delivery */
+
(1<<ACL_WHERE_NOTSMTP)| /* enforce_sync */
(1<<ACL_WHERE_NOTSMTP_START),
#ifndef DISABLE_DKIM
{ US"dkim_disable_verify", CONTROL_DKIM_VERIFY, FALSE },
#endif
+ { US"dscp", CONTROL_DSCP, TRUE },
{ US"caseful_local_part", CONTROL_CASEFUL_LOCAL_PART, FALSE },
{ US"caselower_local_part", CONTROL_CASELOWER_LOCAL_PART, FALSE },
{ US"enforce_sync", CONTROL_ENFORCE_SYNC, FALSE },
{ US"fakedefer", CONTROL_FAKEDEFER, TRUE },
{ US"fakereject", CONTROL_FAKEREJECT, TRUE },
{ US"submission", CONTROL_SUBMISSION, TRUE },
- { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE }
+ { US"suppress_local_fixups", CONTROL_SUPPRESS_LOCAL_FIXUPS, FALSE },
+ { US"cutthrough_delivery", CONTROL_CUTTHROUGH_DELIVERY, FALSE }
};
/* Support data structures for Client SMTP Authorization. acl_verify_csa()
test whether it was successful or not. (This is for optional verification; for
mandatory verification, the connection doesn't last this long.) */
- if (tls_certificate_verified) return OK;
+ if (tls_in.certificate_verified) return OK;
*user_msgptr = US"no verified certificate";
return FAIL;
break;
#endif
+ case CONTROL_DSCP:
+ if (*p == '/')
+ {
+ int fd, af, level, optname, value;
+ /* If we are acting on stdin, the setsockopt may fail if stdin is not
+ a socket; we can accept that, we'll just debug-log failures anyway. */
+ fd = fileno(smtp_in);
+ af = ip_get_address_family(fd);
+ if (af < 0)
+ {
+ HDEBUG(D_acl)
+ debug_printf("smtp input is probably not a socket [%s], not setting DSCP\n",
+ strerror(errno));
+ break;
+ }
+ if (dscp_lookup(p+1, af, &level, &optname, &value))
+ {
+ if (setsockopt(fd, level, optname, &value, sizeof(value)) < 0)
+ {
+ HDEBUG(D_acl) debug_printf("failed to set input DSCP[%s]: %s\n",
+ p+1, strerror(errno));
+ }
+ else
+ {
+ HDEBUG(D_acl) debug_printf("set input DSCP to \"%s\"\n", p+1);
+ }
+ }
+ else
+ {
+ *log_msgptr = string_sprintf("unrecognised DSCP value in \"control=%s\"", arg);
+ return ERROR;
+ }
+ }
+ else
+ {
+ *log_msgptr = string_sprintf("syntax error in \"control=%s\"", arg);
+ return ERROR;
+ }
+ break;
+
case CONTROL_ERROR:
return ERROR;
case CONTROL_SUPPRESS_LOCAL_FIXUPS:
suppress_local_fixups = TRUE;
break;
+
+ case CONTROL_CUTTHROUGH_DELIVERY:
+ if (deliver_freeze)
+ {
+ *log_msgptr = string_sprintf("\"control=%s\" on frozen item", arg);
+ return ERROR;
+ }
+ if (queue_only_policy)
+ {
+ *log_msgptr = string_sprintf("\"control=%s\" on queue-only item", arg);
+ return ERROR;
+ }
+ cutthrough_delivery = TRUE;
+ break;
}
break;
writing is poorly documented. */
case ACLC_ENCRYPTED:
- if (tls_cipher == NULL) rc = FAIL; else
+ if (tls_in.cipher == NULL) rc = FAIL; else
{
uschar *endcipher = NULL;
- uschar *cipher = Ustrchr(tls_cipher, ':');
- if (cipher == NULL) cipher = tls_cipher; else
+ uschar *cipher = Ustrchr(tls_in.cipher, ':');
+ if (cipher == NULL) cipher = tls_in.cipher; else
{
endcipher = Ustrchr(++cipher, ':');
if (endcipher != NULL) *endcipher = 0;
rc = acl_check_internal(where, addr, s, 0, user_msgptr, log_msgptr);
+/* Cutthrough - if requested,
+and WHERE_RCPT and not yet opened conn as result of recipient-verify,
+and rcpt acl returned accept,
+and first recipient (cancel on any subsequents)
+open one now and run it up to RCPT acceptance.
+A failed verify should cancel cutthrough request.
+
+Initial implementation: dual-write to spool.
+Assume the rxd datastream is now being copied byte-for-byte to an open cutthrough connection.
+
+Cease cutthrough copy on rxd final dot; do not send one.
+
+On a data acl, if not accept and a cutthrough conn is open, hard-close it (no SMTP niceness).
+
+On data acl accept, terminate the dataphase on an open cutthrough conn. If accepted or
+perm-rejected, reflect that to the original sender - and dump the spooled copy.
+If temp-reject, close the conn (and keep the spooled copy).
+If conn-failure, no action (and keep the spooled copy).
+*/
+switch (where)
+{
+case ACL_WHERE_RCPT:
+ if( rcpt_count > 1 )
+ cancel_cutthrough_connection("more than one recipient");
+ else if (rc == OK && cutthrough_delivery && cutthrough_fd < 0)
+ open_cutthrough_connection(addr);
+ break;
+
+case ACL_WHERE_PREDATA:
+ if( rc == OK )
+ cutthrough_predata();
+ else
+ cancel_cutthrough_connection("predata acl not ok");
+ break;
+
+case ACL_WHERE_QUIT:
+case ACL_WHERE_NOTQUIT:
+ cancel_cutthrough_connection("quit or notquit");
+ break;
+
+default:
+ break;
+}
+
deliver_domain = deliver_localpart = deliver_address_data =
sender_address_data = NULL;
sasl_callback_t cbs[]={{SASL_CB_LIST_END, NULL, NULL}};
sasl_conn_t *conn;
char *realm_expanded;
-int rc, firsttime=1, clen, *negotiated_ssf_ptr=NULL, negotiated_ssf;
+int rc, i, firsttime=1, clen, *negotiated_ssf_ptr=NULL, negotiated_ssf;
unsigned int inlen, outlen;
input=data;
return DEFER;
}
-if (tls_cipher)
+if (tls_in.cipher)
{
- rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_bits);
+ rc = sasl_setprop(conn, SASL_SSF_EXTERNAL, (sasl_ssf_t *) &tls_in.bits);
if (rc != SASL_OK)
{
HDEBUG(D_auth) debug_printf("Cyrus SASL EXTERNAL SSF set %d failed: %s\n",
- tls_bits, sasl_errstring(rc, NULL, NULL));
+ tls_in.bits, sasl_errstring(rc, NULL, NULL));
auth_defer_msg = US"couldn't set Cyrus SASL EXTERNAL SSF";
sasl_done();
return DEFER;
}
else
- HDEBUG(D_auth) debug_printf("Cyrus SASL set EXTERNAL SSF to %d\n", tls_bits);
+ HDEBUG(D_auth) debug_printf("Cyrus SASL set EXTERNAL SSF to %d\n", tls_in.bits);
}
else
HDEBUG(D_auth) debug_printf("Cyrus SASL: no TLS, no EXTERNAL SSF set\n");
+/* So sasl_setprop() documents non-shorted IPv6 addresses which is incredibly
+annoying; looking at cyrus-imapd-2.3.x source, the IP address is constructed
+with their iptostring() function, which just wraps
+getnameinfo(..., NI_NUMERICHOST|NI_NUMERICSERV), which is equivalent to the
+inet_ntop which we wrap in our host_ntoa() function.
+
+So the docs are too strict and we shouldn't worry about :: contractions. */
+
+/* Set properties for remote and local host-ip;port */
+for (i=0; i < 2; ++i)
+ {
+ struct sockaddr_storage ss;
+ int (*query)(int, struct sockaddr *, socklen_t *);
+ int propnum, port;
+ const uschar *label;
+ uschar *address, *address_port;
+ const char *s_err;
+ socklen_t sslen;
+
+ if (i)
+ {
+ query = &getpeername;
+ propnum = SASL_IPREMOTEPORT;
+ label = CUS"peer";
+ }
+ else
+ {
+ query = &getsockname;
+ propnum = SASL_IPLOCALPORT;
+ label = CUS"local";
+ }
+
+ sslen = sizeof(ss);
+ rc = query(fileno(smtp_in), (struct sockaddr *) &ss, &sslen);
+ if (rc < 0)
+ {
+ HDEBUG(D_auth)
+ debug_printf("Failed to get %s address information: %s\n",
+ label, strerror(errno));
+ break;
+ }
+
+ address = host_ntoa(-1, &ss, NULL, &port);
+ address_port = string_sprintf("%s;%d", address, port);
+
+ rc = sasl_setprop(conn, propnum, address_port);
+ if (rc != SASL_OK)
+ {
+ s_err = sasl_errdetail(conn);
+ HDEBUG(D_auth)
+ debug_printf("Failed to set %s SASL property: [%d] %s\n",
+ label, rc, s_err ? s_err : "<unknown reason>");
+ break;
+ }
+ HDEBUG(D_auth) debug_printf("Cyrus SASL set %s hostport to: %s\n",
+ label, address_port);
+ }
+
rc=SASL_CONTINUE;
while(rc==SASL_CONTINUE)
/* Added by PH: extra fields when TLS is in use or if the TCP/IP
connection is local. */
- if (tls_cipher != NULL)
+ if (tls_in.cipher != NULL)
auth_extra_data = string_sprintf("secured\t%s%s",
- tls_certificate_verified? "valid-client-cert" : "",
- tls_certificate_verified? "\t" : "");
+ tls_in.certificate_verified? "valid-client-cert" : "",
+ tls_in.certificate_verified? "\t" : "");
else if (interface_address != NULL &&
Ustrcmp(sender_host_address, interface_address) == 0)
auth_extra_data = US"secured\t";
}
/* how many bits Exim, as a client, demands must be in D-H */
- /* as of GnuTLS 2.12.x, we ask for "normal" for D-H PK; before that, we
- specify the number of bits. We've stuck with the historical value, but
- it can be overridden. */
- else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_BITS") == 0) ||
+ /* 1024 is a historical figure; some sites actually use lower, so we
+ permit the value to be lowered "dangerously" low, but not "insanely"
+ low. Though actually, 1024 is becoming "dangerous". */
+ else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_MIN_BITS") == 0) ||
+ (strcmp(name, "EXIM_CLIENT_DH_DEFAULT_MIN_BITS") == 0) ||
(strcmp(name, "EXIM_SERVER_DH_BITS_PRE2_12") == 0))
{
long nv;
char *end;
nv = strtol(value, &end, 10);
- if (end != value && *end == '\0' && nv >= 1000 && nv < 50000)
+ if (end != value && *end == '\0' && nv >= 512 && nv < 500000)
{
fprintf(new, "%s\n", value);
}
#define DELIVER_IN_BUFFER_SIZE 8192
#define DELIVER_OUT_BUFFER_SIZE 8192
#define DISABLE_DKIM
+#define DISABLE_DNSSEC
#define DISABLE_D_OPTION
#define ENABLE_DISABLE_FSYNC
#define EXIMDB_LOCK_TIMEOUT 60
#define EXIMDB_LOCKFILE_MODE 0640
#define EXIMDB_MODE 0640
-#define EXIM_CLIENT_DH_MIN_BITS
+#define EXIM_CLIENT_DH_MIN_MIN_BITS 512
+#define EXIM_CLIENT_DH_DEFAULT_MIN_BITS 1024
#define EXIM_GNUTLS_LIBRARY_LOG_LEVEL
#define EXIM_SERVER_DH_BITS_PRE2_12
#define EXIM_PERL
#define ROOT_UID 0
#define ROOT_GID 0
-/* Sizes for integer arithmetic. Go for 64bit; can be overridden in OS/os.h-FOO */
-#ifndef int_eximarith_t
- #define int_eximarith_t int64_t
-#endif
-#ifndef PR_EXIM_ARITH
- #define PR_EXIM_ARITH "%" PRId64 /* C99 standard, printf %lld */
-#endif
-#ifndef SC_EXIM_ARITH
- #define SC_EXIM_ARITH "%" SCNi64 /* scanf incl. 0x prefix */
-#endif
-#ifndef SC_EXIM_DEC
- #define SC_EXIM_DEC "%" SCNd64 /* scanf decimal */
-#endif
+/* Sizes for integer arithmetic. Go for 64bit; can be overridden in OS/Makefile-FOO */
+#define int_eximarith_t int64_t
+#define PR_EXIM_ARITH "%" PRId64 /* C99 standard, printf %lld */
+#define SC_EXIM_ARITH "%" SCNi64 /* scanf incl. 0x prefix */
+#define SC_EXIM_DEC "%" SCNd64 /* scanf decimal */
/* End of config.h.defaults */
# server_set_id = $auth2
# server_prompts = :
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
# server_condition = Authentication is not yet configured
-# server_advertise_condition = ${if def:tls_cipher }
+# server_advertise_condition = ${if def:tls_in_cipher }
######################################################################
/* Check for a tls-on-connect port */
- if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
+ if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
/* Expand smtp_active_hostname if required. We do not do this any earlier,
because it may depend on the local interface address (indeed, that is most
the data structures if necessary. */
#ifdef SUPPORT_TLS
- tls_close(FALSE);
+ tls_close(FALSE, FALSE);
#endif
/* Reset SIGHUP and SIGCHLD in the child in both cases. */
+/* If msg is NULL this is a delivery log and logchar is used. Otherwise
+this is a nonstandard call; no two-characher delivery flag is written
+but sender-host and sender are prefixed and "msg" is inserted in the log line.
+
+Arguments:
+ flags passed to log_write()
+*/
+void
+delivery_log(int flags, address_item * addr, int logchar, uschar * msg)
+{
+uschar *log_address;
+int size = 256; /* Used for a temporary, */
+int ptr = 0; /* expanding buffer, for */
+uschar *s; /* building log lines; */
+void *reset_point; /* released afterwards. */
+
+
+/* Log the delivery on the main log. We use an extensible string to build up
+the log line, and reset the store afterwards. Remote deliveries should always
+have a pointer to the host item that succeeded; local deliveries can have a
+pointer to a single host item in their host list, for use by the transport. */
+
+s = reset_point = store_get(size);
+
+log_address = string_log_address(addr, (log_write_selector & L_all_parents) != 0, TRUE);
+if (msg)
+ s = string_append(s, &size, &ptr, 3, host_and_ident(TRUE), US" ", log_address);
+else
+ {
+ s[ptr++] = logchar;
+ s = string_append(s, &size, &ptr, 2, US"> ", log_address);
+ }
+
+if ((log_extra_selector & LX_sender_on_delivery) != 0 || msg)
+ s = string_append(s, &size, &ptr, 3, US" F=<", sender_address, US">");
+
+#ifdef EXPERIMENTAL_SRS
+if(addr->p.srs_sender)
+ s = string_append(s, &size, &ptr, 3, US" SRS=<", addr->p.srs_sender, US">");
+#endif
+
+/* You might think that the return path must always be set for a successful
+delivery; indeed, I did for some time, until this statement crashed. The case
+when it is not set is for a delivery to /dev/null which is optimised by not
+being run at all. */
+
+if (used_return_path != NULL &&
+ (log_extra_selector & LX_return_path_on_delivery) != 0)
+ s = string_append(s, &size, &ptr, 3, US" P=<", used_return_path, US">");
+
+if (msg)
+ s = string_append(s, &size, &ptr, 2, US" ", msg);
+
+/* For a delivery from a system filter, there may not be a router */
+if (addr->router != NULL)
+ s = string_append(s, &size, &ptr, 2, US" R=", addr->router->name);
+
+s = string_append(s, &size, &ptr, 2, US" T=", addr->transport->name);
+
+if ((log_extra_selector & LX_delivery_size) != 0)
+ s = string_append(s, &size, &ptr, 2, US" S=",
+ string_sprintf("%d", transport_count));
+
+/* Local delivery */
+
+if (addr->transport->info->local)
+ {
+ if (addr->host_list != NULL)
+ s = string_append(s, &size, &ptr, 2, US" H=", addr->host_list->name);
+ if (addr->shadow_message != NULL)
+ s = string_cat(s, &size, &ptr, addr->shadow_message,
+ Ustrlen(addr->shadow_message));
+ }
+
+/* Remote delivery */
+
+else
+ {
+ if (addr->host_used != NULL)
+ {
+ s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name,
+ US" [", addr->host_used->address, US"]");
+ if ((log_extra_selector & LX_outgoing_port) != 0)
+ s = string_append(s, &size, &ptr, 2, US":", string_sprintf("%d",
+ addr->host_used->port));
+ if (continue_sequence > 1)
+ s = string_cat(s, &size, &ptr, US"*", 1);
+ }
+
+ #ifdef SUPPORT_TLS
+ if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL)
+ s = string_append(s, &size, &ptr, 2, US" X=", addr->cipher);
+ if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
+ addr->cipher != NULL)
+ s = string_append(s, &size, &ptr, 2, US" CV=",
+ testflag(addr, af_cert_verified)? "yes":"no");
+ if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
+ s = string_append(s, &size, &ptr, 3, US" DN=\"",
+ string_printing(addr->peerdn), US"\"");
+ #endif
+
+ if ((log_extra_selector & LX_smtp_confirmation) != 0 &&
+ addr->message != NULL)
+ {
+ int i;
+ uschar *p = big_buffer;
+ uschar *ss = addr->message;
+ *p++ = '\"';
+ for (i = 0; i < 100 && ss[i] != 0; i++)
+ {
+ if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\';
+ *p++ = ss[i];
+ }
+ *p++ = '\"';
+ *p = 0;
+ s = string_append(s, &size, &ptr, 2, US" C=", big_buffer);
+ }
+ }
+
+/* Time on queue and actual time taken to deliver */
+
+if ((log_extra_selector & LX_queue_time) != 0)
+ {
+ s = string_append(s, &size, &ptr, 2, US" QT=",
+ readconf_printtime(time(NULL) - received_time));
+ }
+
+if ((log_extra_selector & LX_deliver_time) != 0)
+ {
+ s = string_append(s, &size, &ptr, 2, US" DT=",
+ readconf_printtime(addr->more_errno));
+ }
+
+/* string_cat() always leaves room for the terminator. Release the
+store we used to build the line after writing it. */
+
+s[ptr] = 0;
+log_write(0, flags, "%s", s);
+store_reset(reset_point);
+return;
+}
+
+
+
/*************************************************
* Actions at the end of handling an address *
*************************************************/
(void)close(addr->return_file);
}
-/* Create the address string for logging. Must not do this earlier, because
-an OK result may be changed to FAIL when a pipe returns text. */
-
-log_address = string_log_address(addr,
- (log_write_selector & L_all_parents) != 0, result == OK);
-
/* The sucess case happens only after delivery by a transport. */
if (result == OK)
child_done(addr, now);
}
- /* Log the delivery on the main log. We use an extensible string to build up
- the log line, and reset the store afterwards. Remote deliveries should always
- have a pointer to the host item that succeeded; local deliveries can have a
- pointer to a single host item in their host list, for use by the transport. */
-
- s = reset_point = store_get(size);
- s[ptr++] = logchar;
-
- s = string_append(s, &size, &ptr, 2, US"> ", log_address);
-
- if ((log_extra_selector & LX_sender_on_delivery) != 0)
- s = string_append(s, &size, &ptr, 3, US" F=<", sender_address, US">");
-
- #ifdef EXPERIMENTAL_SRS
- if(addr->p.srs_sender)
- s = string_append(s, &size, &ptr, 3, US" SRS=<", addr->p.srs_sender, US">");
- #endif
-
- /* You might think that the return path must always be set for a successful
- delivery; indeed, I did for some time, until this statement crashed. The case
- when it is not set is for a delivery to /dev/null which is optimised by not
- being run at all. */
-
- if (used_return_path != NULL &&
- (log_extra_selector & LX_return_path_on_delivery) != 0)
- s = string_append(s, &size, &ptr, 3, US" P=<", used_return_path, US">");
-
- /* For a delivery from a system filter, there may not be a router */
-
- if (addr->router != NULL)
- s = string_append(s, &size, &ptr, 2, US" R=", addr->router->name);
-
- s = string_append(s, &size, &ptr, 2, US" T=", addr->transport->name);
-
- if ((log_extra_selector & LX_delivery_size) != 0)
- s = string_append(s, &size, &ptr, 2, US" S=",
- string_sprintf("%d", transport_count));
-
- /* Local delivery */
-
- if (addr->transport->info->local)
- {
- if (addr->host_list != NULL)
- s = string_append(s, &size, &ptr, 2, US" H=", addr->host_list->name);
- if (addr->shadow_message != NULL)
- s = string_cat(s, &size, &ptr, addr->shadow_message,
- Ustrlen(addr->shadow_message));
- }
-
- /* Remote delivery */
-
- else
- {
- if (addr->host_used != NULL)
- {
- s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name,
- US" [", addr->host_used->address, US"]");
- if ((log_extra_selector & LX_outgoing_port) != 0)
- s = string_append(s, &size, &ptr, 2, US":", string_sprintf("%d",
- addr->host_used->port));
- if (continue_sequence > 1)
- s = string_cat(s, &size, &ptr, US"*", 1);
- }
-
- #ifdef SUPPORT_TLS
- if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL)
- s = string_append(s, &size, &ptr, 2, US" X=", addr->cipher);
- if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
- addr->cipher != NULL)
- s = string_append(s, &size, &ptr, 2, US" CV=",
- testflag(addr, af_cert_verified)? "yes":"no");
- if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
- s = string_append(s, &size, &ptr, 3, US" DN=\"",
- string_printing(addr->peerdn), US"\"");
- #endif
-
- if ((log_extra_selector & LX_smtp_confirmation) != 0 &&
- addr->message != NULL)
- {
- int i;
- uschar *p = big_buffer;
- uschar *ss = addr->message;
- *p++ = '\"';
- for (i = 0; i < 100 && ss[i] != 0; i++)
- {
- if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\';
- *p++ = ss[i];
- }
- *p++ = '\"';
- *p = 0;
- s = string_append(s, &size, &ptr, 2, US" C=", big_buffer);
- }
- }
-
- /* Time on queue and actual time taken to deliver */
-
- if ((log_extra_selector & LX_queue_time) != 0)
- {
- s = string_append(s, &size, &ptr, 2, US" QT=",
- readconf_printtime(time(NULL) - received_time));
- }
-
- if ((log_extra_selector & LX_deliver_time) != 0)
- {
- s = string_append(s, &size, &ptr, 2, US" DT=",
- readconf_printtime(addr->more_errno));
- }
-
- /* string_cat() always leaves room for the terminator. Release the
- store we used to build the line after writing it. */
-
- s[ptr] = 0;
- log_write(0, LOG_MAIN, "%s", s);
- store_reset(reset_point);
+ delivery_log(LOG_MAIN, addr, logchar, NULL);
}
log. */
s = reset_point = store_get(size);
+
+ /* Create the address string for logging. Must not do this earlier, because
+ an OK result may be changed to FAIL when a pipe returns text. */
+
+ log_address = string_log_address(addr,
+ (log_write_selector & L_all_parents) != 0, result == OK);
+
s = string_cat(s, &size, &ptr, log_address, Ustrlen(log_address));
/* Either driver_name contains something and driver_kind contains
/* Build up the log line for the message and main logs */
s = reset_point = store_get(size);
+
+ /* Create the address string for logging. Must not do this earlier, because
+ an OK result may be changed to FAIL when a pipe returns text. */
+
+ log_address = string_log_address(addr,
+ (log_write_selector & L_all_parents) != 0, result == OK);
+
s = string_cat(s, &size, &ptr, log_address, Ustrlen(log_address));
if ((log_extra_selector & LX_sender_on_delivery) != 0)
/* The certificate verification status goes into the flags */
- if (tls_certificate_verified) setflag(addr, af_cert_verified);
+ if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
/* Use an X item only if there's something to send */
dns_use_edns0 ? "" : "un");
#endif
+#ifndef DISABLE_DNSSEC
+# ifdef RES_USE_DNSSEC
+# ifndef RES_USE_EDNS0
+# error Have RES_USE_DNSSEC but not RES_USE_EDNS0? Something hinky ...
+# endif
+if (dns_use_dnssec >= 0)
+ {
+ if (dns_use_edns0 == 0 && dns_use_dnssec != 0)
+ {
+ DEBUG(D_resolver)
+ debug_printf("CONFLICT: dns_use_edns0 forced false, dns_use_dnssec forced true!\n");
+ }
+ else
+ {
+ if (dns_use_dnssec)
+ resp->options |= RES_USE_DNSSEC;
+ else
+ resp->options &= ~RES_USE_DNSSEC;
+ DEBUG(D_resolver) debug_printf("Coerced resolver DNSSEC support %s.\n",
+ dns_use_dnssec ? "on" : "off");
+ }
+ }
+# else
+if (dns_use_dnssec >= 0)
+ DEBUG(D_resolver)
+ debug_printf("Unable to %sset DNSSEC without resolver support.\n",
+ dns_use_dnssec ? "" : "un");
+# endif
+#endif /* DISABLE_DNSSEC */
+
os_put_dns_resolver_res(resp);
}
+/*************************************************
+* Return whether AD bit set in DNS result *
+*************************************************/
+
+/* We do not perform DNSSEC work ourselves; if the administrator has installed
+a verifying resolver which sets AD as appropriate, though, we'll use that.
+(AD = Authentic Data)
+
+Argument: pointer to dns answer block
+Returns: bool indicating presence of AD bit
+*/
+
+BOOL
+dns_is_secure(dns_answer *dnsa)
+{
+#ifdef DISABLE_DNSSEC
+DEBUG(D_dns)
+ debug_printf("DNSSEC support disabled at build-time; dns_is_secure() false\n");
+return FALSE;
+#else
+HEADER *h = (HEADER *)dnsa->answer;
+return h->ad ? TRUE : FALSE;
+#endif
+}
+
+
+
+
/*************************************************
* Turn DNS type into text *
*************************************************/
+/*************************************************
+* Enums for cmdline interface *
+*************************************************/
+
+enum commandline_info { CMDINFO_NONE=0,
+ CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
+
+
+
+
/*************************************************
* Compile regular expression and panic on fail *
*************************************************/
if (smtp_input)
{
#ifdef SUPPORT_TLS
- tls_close(FALSE); /* Shut down the TLS library */
+ tls_close(FALSE, FALSE); /* Shut down the TLS library */
#endif
(void)close(fileno(smtp_in));
(void)close(fileno(smtp_out));
}
+/*************************************************
+* Show auxiliary information about Exim *
+*************************************************/
+
+static void
+show_exim_information(enum commandline_info request, FILE *stream)
+{
+const uschar **pp;
+
+switch(request)
+ {
+ case CMDINFO_NONE:
+ fprintf(stream, "Oops, something went wrong.\n");
+ return;
+ case CMDINFO_HELP:
+ fprintf(stream,
+"The -bI: flag takes a string indicating which information to provide.\n"
+"If the string is not recognised, you'll get this help (on stderr).\n"
+"\n"
+" exim -bI:help this information\n"
+" exim -bI:dscp dscp value keywords known\n"
+" exim -bI:sieve list of supported sieve extensions, one per line.\n"
+);
+ return;
+ case CMDINFO_SIEVE:
+ for (pp = exim_sieve_extension_list; *pp; ++pp)
+ fprintf(stream, "%s\n", *pp);
+ return;
+ case CMDINFO_DSCP:
+ dscp_list_to_stream(stream);
+ return;
+ }
+}
/*************************************************
BOOL count_queue = FALSE;
BOOL expansion_test = FALSE;
BOOL extract_recipients = FALSE;
+BOOL flag_G = FALSE;
+BOOL flag_n = FALSE;
BOOL forced_delivery = FALSE;
BOOL f_end_dot = FALSE;
BOOL deliver_give_up = FALSE;
BOOL version_printed = FALSE;
uschar *alias_arg = NULL;
uschar *called_as = US"";
+uschar *cmdline_syslog_name = NULL;
uschar *start_queue_run_id = NULL;
uschar *stop_queue_run_id = NULL;
uschar *expansion_test_message = NULL;
uschar *malware_test_file = NULL;
uschar *real_sender_address;
uschar *originator_home = US"/";
+size_t sz;
void *reset_point;
struct passwd *pw;
int passed_qr_pipe = -1;
gid_t group_list[NGROUPS_MAX];
+/* For the -bI: flag */
+enum commandline_info info_flag = CMDINFO_NONE;
+BOOL info_stdout = FALSE;
+
/* Possible options for -R and -S */
static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
switch(switchchar)
{
+
+ /* sendmail uses -Ac and -Am to control which .cf file is used;
+ we ignore them. */
+ case 'A':
+ if (*argrest == '\0') { badarg = TRUE; break; }
+ else
+ {
+ BOOL ignore = FALSE;
+ switch (*argrest)
+ {
+ case 'c':
+ case 'm':
+ if (*(argrest + 1) == '\0')
+ ignore = TRUE;
+ break;
+ }
+ if (!ignore) { badarg = TRUE; break; }
+ }
+ break;
+
/* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
so has no need of it. */
else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
+ /* -bI: provide information, of the type to follow after a colon.
+ This is an Exim flag. */
+
+ else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
+ {
+ uschar *p = &argrest[2];
+ info_flag = CMDINFO_HELP;
+ if (Ustrlen(p))
+ {
+ if (strcmpic(p, CUS"sieve") == 0)
+ {
+ info_flag = CMDINFO_SIEVE;
+ info_stdout = TRUE;
+ }
+ else if (strcmpic(p, CUS"dscp") == 0)
+ {
+ info_flag = CMDINFO_DSCP;
+ info_stdout = TRUE;
+ }
+ else if (strcmpic(p, CUS"help") == 0)
+ {
+ info_stdout = TRUE;
+ }
+ }
+ }
+
/* -bm: Accept and deliver message - the default option. Reinstate
receiving_message, which got turned off for all -b options. */
}
break;
- /* This is some Sendmail thing which can be ignored */
+ /* -G: sendmail invocation to specify that it's a gateway submission and
+ sendmail may complain about problems instead of fixing them.
+ We make it equivalent to an ACL "control = suppress_local_fixups" and do
+ not at this time complain about problems. */
case 'G':
+ flag_G = TRUE;
break;
/* -h: Set the hop count for an incoming message. Exim does not currently
break;
+ /* -L: set the identifier used for syslog; equivalent to setting
+ syslog_processname in the config file, but needs to be an admin option. */
+
+ case 'L':
+ if (*argrest == '\0')
+ {
+ if(++i < argc) argrest = argv[i]; else
+ { badarg = TRUE; break; }
+ }
+ sz = Ustrlen(argrest);
+ if (sz > 32)
+ {
+ fprintf(stderr, "exim: the -L syslog name is too long: \"%s\"\n", argrest);
+ return EXIT_FAILURE;
+ }
+ if (sz < 1)
+ {
+ fprintf(stderr, "exim: the -L syslog name is too short\n");
+ return EXIT_FAILURE;
+ }
+ cmdline_syslog_name = argrest;
+ break;
+
case 'M':
receiving_message = FALSE;
break;
- /* -n: This means "don't alias" in sendmail, apparently. Just ignore
- it. */
+ /* -n: This means "don't alias" in sendmail, apparently.
+ For normal invocations, it has no effect.
+ It may affect some other options. */
case 'n':
+ flag_n = TRUE;
break;
/* -O: Just ignore it. In sendmail, apparently -O option=value means set
/* -tls-on-connect: don't wait for STARTTLS (for old clients) */
#ifdef SUPPORT_TLS
- else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
+ else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
#endif
else badarg = TRUE;
if (*argrest != 0) badarg = TRUE;
break;
+ /* -X: in sendmail: takes one parameter, logfile, and sends debugging
+ logs to that file. We swallow the parameter and otherwise ignore it. */
+
+ case 'X':
+ if (*argrest == '\0')
+ {
+ if (++i >= argc)
+ {
+ fprintf(stderr, "exim: string expected after -X\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+ break;
+
/* All other initial characters are errors */
default:
readconf_main();
+/* If an action on specific messages is requested, or if a daemon or queue
+runner is being started, we need to know if Exim was called by an admin user.
+This is the case if the real user is root or exim, or if the real group is
+exim, or if one of the supplementary groups is exim or a group listed in
+admin_groups. We don't fail all message actions immediately if not admin_user,
+since some actions can be performed by non-admin users. Instead, set admin_user
+for later interrogation. */
+
+if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
+ admin_user = TRUE;
+else
+ {
+ int i, j;
+ for (i = 0; i < group_count; i++)
+ {
+ if (group_list[i] == exim_gid) admin_user = TRUE;
+ else if (admin_groups != NULL)
+ {
+ for (j = 1; j <= (int)(admin_groups[0]); j++)
+ if (admin_groups[j] == group_list[i])
+ { admin_user = TRUE; break; }
+ }
+ if (admin_user) break;
+ }
+ }
+
+/* Another group of privileged users are the trusted users. These are root,
+exim, and any caller matching trusted_users or trusted_groups. Trusted callers
+are permitted to specify sender_addresses with -f on the command line, and
+other message parameters as well. */
+
+if (real_uid == root_uid || real_uid == exim_uid)
+ trusted_caller = TRUE;
+else
+ {
+ int i, j;
+
+ if (trusted_users != NULL)
+ {
+ for (i = 1; i <= (int)(trusted_users[0]); i++)
+ if (trusted_users[i] == real_uid)
+ { trusted_caller = TRUE; break; }
+ }
+
+ if (!trusted_caller && trusted_groups != NULL)
+ {
+ for (i = 1; i <= (int)(trusted_groups[0]); i++)
+ {
+ if (trusted_groups[i] == real_gid)
+ trusted_caller = TRUE;
+ else for (j = 0; j < group_count; j++)
+ {
+ if (trusted_groups[i] == group_list[j])
+ { trusted_caller = TRUE; break; }
+ }
+ if (trusted_caller) break;
+ }
+ }
+ }
+
/* Handle the decoding of logging options. */
decode_bits(&log_write_selector, &log_extra_selector, 0, 0,
}
}
+/* See if an admin user overrode our logging. */
+
+if (cmdline_syslog_name != NULL)
+ {
+ if (admin_user)
+ {
+ syslog_processname = cmdline_syslog_name;
+ log_file_path = string_copy(CUS"syslog");
+ }
+ else
+ {
+ /* not a panic, non-privileged users should not be able to spam paniclog */
+ fprintf(stderr,
+ "exim: you lack sufficient privilege to specify syslog process name\n");
+ return EXIT_FAILURE;
+ }
+ }
+
/* Paranoia check of maximum lengths of certain strings. There is a check
on the length of the log file path in log.c, which will come into effect
if there are any calls to write the log earlier than this. However, if we
}
}
-/* If an action on specific messages is requested, or if a daemon or queue
-runner is being started, we need to know if Exim was called by an admin user.
-This is the case if the real user is root or exim, or if the real group is
-exim, or if one of the supplementary groups is exim or a group listed in
-admin_groups. We don't fail all message actions immediately if not admin_user,
-since some actions can be performed by non-admin users. Instead, set admin_user
-for later interrogation. */
-
-if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
- admin_user = TRUE;
-else
- {
- int i, j;
- for (i = 0; i < group_count; i++)
- {
- if (group_list[i] == exim_gid) admin_user = TRUE;
- else if (admin_groups != NULL)
- {
- for (j = 1; j <= (int)(admin_groups[0]); j++)
- if (admin_groups[j] == group_list[i])
- { admin_user = TRUE; break; }
- }
- if (admin_user) break;
- }
- }
-
-/* Another group of privileged users are the trusted users. These are root,
-exim, and any caller matching trusted_users or trusted_groups. Trusted callers
-are permitted to specify sender_addresses with -f on the command line, and
-other message parameters as well. */
-
-if (real_uid == root_uid || real_uid == exim_uid)
- trusted_caller = TRUE;
-else
- {
- int i, j;
-
- if (trusted_users != NULL)
- {
- for (i = 1; i <= (int)(trusted_users[0]); i++)
- if (trusted_users[i] == real_uid)
- { trusted_caller = TRUE; break; }
- }
-
- if (!trusted_caller && trusted_groups != NULL)
- {
- for (i = 1; i <= (int)(trusted_groups[0]); i++)
- {
- if (trusted_groups[i] == real_gid)
- trusted_caller = TRUE;
- else for (j = 0; j < group_count; j++)
- {
- if (trusted_groups[i] == group_list[j])
- { trusted_caller = TRUE; break; }
- }
- if (trusted_caller) break;
- }
- }
- }
+/* We moved the admin/trusted check to be immediately after reading the
+configuration file. We leave these prints here to ensure that syslog setup,
+logfile setup, and so on has already happened. */
if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
interface_port = check_port(interface_address);
}
+/* If the caller is trusted, then they can use -G to suppress_local_fixups. */
+if (flag_G)
+ {
+ if (trusted_caller)
+ {
+ suppress_local_fixups = suppress_local_fixups_default = TRUE;
+ DEBUG(D_acl) debug_printf("suppress_local_fixups forced on by -G\n");
+ }
+ else
+ {
+ fprintf(stderr, "exim: permission denied (-G requires a trusted user)\n");
+ return EXIT_FAILURE;
+ }
+ }
+
/* If an SMTP message is being received check to see if the standard input is a
TCP/IP socket. If it is, we assume that Exim was called from inetd if the
caller is root or the Exim user, or if the port is a privileged one. Otherwise,
interface_address = host_ntoa(-1, &interface_sock, NULL,
&interface_port);
- if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
+ if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
{
}
/* Handle a request to list one or more configuration options */
+/* If -n was set, we suppress some information */
if (list_options)
{
set_process_info("listing variables");
- if (recipients_arg >= argc) readconf_print(US"all", NULL);
+ if (recipients_arg >= argc) readconf_print(US"all", NULL, flag_n);
else for (i = recipients_arg; i < argc; i++)
{
if (i < argc - 1 &&
Ustrcmp(argv[i], "authenticator") == 0 ||
Ustrcmp(argv[i], "macro") == 0))
{
- readconf_print(argv[i+1], argv[i]);
+ readconf_print(argv[i+1], argv[i], flag_n);
i++;
}
- else readconf_print(argv[i], NULL);
+ else readconf_print(argv[i], NULL, flag_n);
}
exim_exit(EXIT_SUCCESS);
}
/* Arrange for message reception if recipients or SMTP were specified;
otherwise complain unless a version print (-bV) happened or this is a filter
-verification test. In the former case, show the configuration file name. */
+verification test or info dump.
+In the former case, show the configuration file name. */
if (recipients_arg >= argc && !extract_recipients && !smtp_input)
{
return EXIT_SUCCESS;
}
+ if (info_flag != CMDINFO_NONE)
+ {
+ show_exim_information(info_flag, info_stdout ? stdout : stderr);
+ return info_stdout ? EXIT_SUCCESS : EXIT_FAILURE;
+ }
+
if (filter_test == FTEST_NONE)
exim_usage(called_as);
}
{ "srs_status", vtype_stringptr, &srs_status },
#endif
{ "thisaddress", vtype_stringptr, &filter_thisaddress },
- { "tls_bits", vtype_int, &tls_bits },
- { "tls_certificate_verified", vtype_int, &tls_certificate_verified },
- { "tls_cipher", vtype_stringptr, &tls_cipher },
- { "tls_peerdn", vtype_stringptr, &tls_peerdn },
-#ifdef SUPPORT_TLS
- { "tls_sni", vtype_stringptr, &tls_sni },
+
+ /* The non-(in,out) variables are now deprecated */
+ { "tls_bits", vtype_int, &tls_in.bits },
+ { "tls_certificate_verified", vtype_int, &tls_in.certificate_verified },
+ { "tls_cipher", vtype_stringptr, &tls_in.cipher },
+
+ { "tls_in_bits", vtype_int, &tls_in.bits },
+ { "tls_in_certificate_verified", vtype_int, &tls_in.certificate_verified },
+ { "tls_in_cipher", vtype_stringptr, &tls_in.cipher },
+ { "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+ { "tls_in_sni", vtype_stringptr, &tls_in.sni },
+#endif
+ { "tls_out_bits", vtype_int, &tls_out.bits },
+ { "tls_out_certificate_verified", vtype_int,&tls_out.certificate_verified },
+ { "tls_out_cipher", vtype_stringptr, &tls_out.cipher },
+ { "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn },
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+ { "tls_out_sni", vtype_stringptr, &tls_out.sni },
+#endif
+
+ { "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+ { "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */
#endif
+
{ "tod_bsdinbox", vtype_todbsdin, NULL },
{ "tod_epoch", vtype_tode, NULL },
{ "tod_epoch_l", vtype_todel, NULL },
+void
+modify_variable(uschar *name, void * value)
+{
+int first = 0;
+int last = var_table_size;
+
+while (last > first)
+ {
+ int middle = (first + last)/2;
+ int c = Ustrcmp(name, var_table[middle].name);
+
+ if (c > 0) { first = middle + 1; continue; }
+ if (c < 0) { last = middle; continue; }
+
+ /* Found an existing variable; change the item it refers to */
+ var_table[middle].value = value;
+ return;
+ }
+return; /* Unknown variable name, fail silently */
+}
+
+
+
+
+
/*************************************************
* Read and expand substrings *
*************************************************/
}
else
{
- if (tolower(*endptr) == 'k')
+ switch (tolower(*endptr))
{
- if (value > LLONG_MAX/1024 || value < LLONG_MIN/1024) errno = ERANGE;
+ default:
+ break;
+ case 'k':
+ if (value > LLONG_MAX/1024 || value < LLONG_MIN/1024) errno = ERANGE;
else value *= 1024;
- endptr++;
- }
- else if (tolower(*endptr) == 'm')
- {
- if (value > LLONG_MAX/(1024*1024) || value < LLONG_MIN/(1024*1024))
- errno = ERANGE;
- else value *= 1024*1024;
- endptr++;
+ endptr++;
+ break;
+ case 'm':
+ if (value > LLONG_MAX/(1024*1024) || value < LLONG_MIN/(1024*1024)) errno = ERANGE;
+ else value *= 1024*1024;
+ endptr++;
+ break;
+ case 'g':
+ if (value > LLONG_MAX/(1024*1024*1024) || value < LLONG_MIN/(1024*1024*1024)) errno = ERANGE;
+ else value *= 1024*1024*1024;
+ endptr++;
+ break;
}
if (errno == ERANGE)
msg = US"absolute value of integer \"%s\" is too large (overflow)";
std_dh_prime_named(const uschar *);
extern int tls_client_start(int, host_item *, address_item *, uschar *,
uschar *, uschar *, uschar *, uschar *, uschar *, uschar *,
- int);
-extern void tls_close(BOOL);
+ int, int);
+extern void tls_close(BOOL, BOOL);
extern int tls_feof(void);
extern int tls_ferror(void);
extern int tls_getc(void);
-extern int tls_read(uschar *, size_t);
+extern int tls_read(BOOL, uschar *, size_t);
extern int tls_server_start(const uschar *);
extern BOOL tls_smtp_buffered(void);
extern int tls_ungetc(int);
-extern int tls_write(const uschar *, size_t);
+extern int tls_write(BOOL, const uschar *, size_t);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
#ifndef USE_GNUTLS
extern uschar *auth_xtextencode(uschar *, int);
extern int auth_xtextdecode(uschar *, uschar **);
+extern void cancel_cutthrough_connection(const char *);
extern int check_host(void *, uschar *, uschar **, uschar **);
extern uschar **child_exec_exim(int, BOOL, int *, BOOL, int, ...);
extern pid_t child_open_uid(uschar **, uschar **, int, uid_t *, gid_t *,
int *, int *, uschar *, BOOL);
+extern uschar *cutthrough_finaldot(void);
+extern BOOL cutthrough_flush_send(void);
+extern BOOL cutthrough_headers_send(void);
+extern BOOL cutthrough_predata(void);
+extern BOOL cutthrough_puts(uschar *, int);
+extern BOOL cutthrough_put_nl(void);
extern void daemon_go(void);
extern void decode_bits(unsigned int *, unsigned int *,
int, int, uschar *, bit_table *, int, uschar *, int);
extern address_item *deliver_make_addr(uschar *, BOOL);
+extern void delivery_log(int, address_item *, int, uschar *);
extern int deliver_message(uschar *, BOOL, BOOL);
extern void deliver_msglog(const char *, ...) PRINTF_FUNCTION(1,2);
extern void deliver_set_expansions(address_item *);
extern void dns_build_reverse(uschar *, uschar *);
extern void dns_init(BOOL, BOOL);
extern int dns_basic_lookup(dns_answer *, uschar *, int);
+extern BOOL dns_is_secure(dns_answer *);
extern int dns_lookup(dns_answer *, uschar *, int, uschar **);
extern int dns_special_lookup(dns_answer *, uschar *, int, uschar **);
extern dns_record *dns_next_rr(dns_answer *, dns_scan *, int);
extern uschar *dns_text_type(int);
+extern void dscp_list_to_stream(FILE *);
+extern BOOL dscp_lookup(const uschar *, int, int *, int *, int *);
extern void enq_end(uschar *);
extern BOOL enq_start(uschar *);
extern uschar *expand_string(uschar *);
extern uschar *expand_string_copy(uschar *);
extern int_eximarith_t expand_string_integer(uschar *, BOOL);
+extern void modify_variable(uschar *, void *);
extern int filter_interpret(uschar *, int, address_item **, uschar **);
extern BOOL filter_personal(string_item *, BOOL);
extern void invert_address(uschar *, uschar *);
extern int ip_bind(int, int, uschar *, int);
extern int ip_connect(int, int, uschar *, int, int);
+extern int ip_get_address_family(int);
extern void ip_keepalive(int, uschar *, BOOL);
extern int ip_recv(int, uschar *, int, int);
extern int ip_socket(int, int);
extern void moan_write_from(FILE *);
extern FILE *modefopen(const uschar *, const char *, mode_t);
+extern void open_cutthrough_connection( address_item * addr );
+
extern uschar *parse_extract_address(uschar *, uschar **, int *, int *, int *,
BOOL);
extern int parse_forward_list(uschar *, int, address_item **, uschar **,
driver_info *, int, void *, int, optionlist *, int);
extern uschar *readconf_find_option(void *);
extern void readconf_main(void);
-extern void readconf_print(uschar *, uschar *);
+extern void readconf_print(uschar *, uschar *, BOOL);
extern uschar *readconf_printtime(int);
extern uschar *readconf_readname(uschar *, int, uschar *);
extern int readconf_readtime(uschar *, int, BOOL);
extern void sigalrm_handler(int);
extern BOOL smtp_buffered(void);
extern void smtp_closedown(uschar *);
-extern int smtp_connect(host_item *, int, int, uschar *, int, BOOL);
+extern int smtp_connect(host_item *, int, int, uschar *, int, BOOL, const uschar *);
extern int smtp_feof(void);
extern int smtp_ferror(void);
extern uschar *smtp_get_connection_info(void);
cluttered in several places (e.g. during logging) if we can always refer to
them. Also, the tls_ variables are now always visible. */
-BOOL tls_active = -1;
-int tls_bits = 0;
-BOOL tls_certificate_verified = FALSE;
-uschar *tls_cipher = NULL;
-BOOL tls_on_connect = FALSE;
-uschar *tls_on_connect_ports = NULL;
-uschar *tls_peerdn = NULL;
+tls_support tls_in = {
+ -1, /* tls_active */
+ 0, /* tls_bits */
+ FALSE,/* tls_certificate_verified */
+ NULL, /* tls_cipher */
+ FALSE,/* tls_on_connect */
+ NULL, /* tls_on_connect_ports */
+ NULL, /* tls_peerdn */
+ NULL /* tls_sni */
+};
+tls_support tls_out = {
+ -1, /* tls_active */
+ 0, /* tls_bits */
+ FALSE,/* tls_certificate_verified */
+ NULL, /* tls_cipher */
+ FALSE,/* tls_on_connect */
+ NULL, /* tls_on_connect_ports */
+ NULL, /* tls_peerdn */
+ NULL /* tls_sni */
+};
+
#ifdef SUPPORT_TLS
BOOL gnutls_compat_mode = FALSE;
uschar *tls_privatekey = NULL;
BOOL tls_remember_esmtp = FALSE;
uschar *tls_require_ciphers = NULL;
-uschar *tls_sni = NULL;
uschar *tls_try_verify_hosts = NULL;
uschar *tls_verify_certificates= NULL;
uschar *tls_verify_hosts = NULL;
uschar *continue_transport = NULL;
uschar *csa_status = NULL;
+BOOL cutthrough_delivery = FALSE;
+int cutthrough_fd = -1;
BOOL daemon_listen = FALSE;
uschar *daemon_smtp_port = US"smtp";
uschar *dns_ipv4_lookup = NULL;
int dns_retrans = 0;
int dns_retry = 0;
+int dns_use_dnssec = -1; /* <0 = not coerced */
int dns_use_edns0 = -1; /* <0 = not coerced */
uschar *dnslist_domain = NULL;
uschar *dnslist_matched = NULL;
uschar *sender_host_address = NULL;
uschar *sender_host_authenticated = NULL;
unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32];
+BOOL sender_host_dnssec = FALSE;
uschar *sender_host_name = NULL;
int sender_host_port = 0;
BOOL sender_host_notsocket = FALSE;
BOOL submission_mode = FALSE;
uschar *submission_name = NULL;
BOOL suppress_local_fixups = FALSE;
+BOOL suppress_local_fixups_default = FALSE;
BOOL synchronous_delivery = FALSE;
BOOL syslog_duplication = TRUE;
int syslog_facility = LOG_MAIL;
cluttered in several places (e.g. during logging) if we can always refer to
them. Also, the tls_ variables are now always visible. */
-extern int tls_active; /* fd/socket when in a TLS session */
-extern int tls_bits; /* bits used in TLS session */
-extern BOOL tls_certificate_verified; /* Client certificate verified */
-extern uschar *tls_cipher; /* Cipher used */
-extern BOOL tls_on_connect; /* For older MTAs that don't STARTTLS */
-extern uschar *tls_on_connect_ports; /* Ports always tls-on-connect */
-extern uschar *tls_peerdn; /* DN from peer */
+typedef struct {
+ int active; /* fd/socket when in a TLS session */
+ int bits; /* bits used in TLS session */
+ BOOL certificate_verified; /* Client certificate verified */
+ uschar *cipher; /* Cipher used */
+ BOOL on_connect; /* For older MTAs that don't STARTTLS */
+ uschar *on_connect_ports; /* Ports always tls-on-connect */
+ uschar *peerdn; /* DN from peer */
+ uschar *sni; /* Server Name Indication */
+} tls_support;
+extern tls_support tls_in;
+extern tls_support tls_out;
#ifdef SUPPORT_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
extern uschar *tls_privatekey; /* Private key file */
extern BOOL tls_remember_esmtp; /* For YAEB */
extern uschar *tls_require_ciphers; /* So some can be avoided */
-extern uschar *tls_sni; /* Server Name Indication */
extern uschar *tls_try_verify_hosts; /* Optional client verification */
extern uschar *tls_verify_certificates;/* Path for certificates to check */
extern uschar *tls_verify_hosts; /* Mandatory client verification */
extern uschar *continue_transport; /* Transport for continued delivery */
extern uschar *csa_status; /* Client SMTP Authorization result */
+extern BOOL cutthrough_delivery; /* Deliver in foreground */
+extern int cutthrough_fd; /* Connection for ditto */
extern BOOL daemon_listen; /* True if listening required */
extern uschar *daemon_smtp_port; /* Can be a list of ports */
extern uschar *dns_ipv4_lookup; /* For these domains, don't look for AAAA (or A6) */
extern int dns_retrans; /* Retransmission time setting */
extern int dns_retry; /* Number of retries */
+extern int dns_use_dnssec; /* When constructing DNS query, set DO flag */
extern int dns_use_edns0; /* Coerce EDNS0 support on/off in resolver. */
extern uschar *dnslist_domain; /* DNS (black) list domain */
extern uschar *dnslist_matched; /* DNS (black) list matched key */
extern gid_t exim_gid; /* To be used with exim_uid */
extern BOOL exim_gid_set; /* TRUE if exim_gid set */
extern uschar *exim_path; /* Path to exec exim */
+extern const uschar *exim_sieve_extension_list[]; /* list of sieve extensions */
extern uid_t exim_uid; /* Non-root uid for exim */
extern BOOL exim_uid_set; /* TRUE if exim_uid set */
extern int expand_forbid; /* RDO flags for forbidding things */
extern uschar *sender_helo_name; /* Host name from HELO/EHLO */
extern uschar **sender_host_aliases; /* Points to list of alias names */
extern unsigned int sender_host_cache[(MAX_NAMED_LIST * 2)/32]; /* Cache bits for incoming host */
+extern BOOL sender_host_dnssec; /* true if sender_host_name verified in DNSSEC */
extern BOOL sender_host_notsocket; /* Set for -bs and -bS */
extern BOOL sender_host_unknown; /* TRUE for -bs and -bS except inetd */
extern uschar *sender_ident; /* Sender identity via RFC 1413 */
extern BOOL submission_mode; /* Can be forced from ACL */
extern uschar *submission_name; /* User name set from ACL */
extern BOOL suppress_local_fixups; /* Can be forced from ACL */
+extern BOOL suppress_local_fixups_default; /* former is reset to this; override with -G */
extern BOOL synchronous_delivery; /* TRUE if -odi is set */
extern BOOL syslog_duplication; /* FALSE => no duplicate logging */
extern int syslog_facility; /* As defined by Syslog.h */
{
int sep = 0;
uschar buffer[32];
-uschar *list = tls_on_connect_ports;
+uschar *list = tls_in.on_connect_ports;
uschar *s;
-if (tls_on_connect) return TRUE;
+if (tls_in.on_connect) return TRUE;
while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL)
{
dns_answer dnsa;
dns_scan dnss;
-host_lookup_deferred = host_lookup_failed = FALSE;
+sender_host_dnssec = host_lookup_deferred = host_lookup_failed = FALSE;
HDEBUG(D_host_lookup)
debug_printf("looking up host name for %s\n", sender_host_address);
int count = 0;
int old_pool = store_pool;
+ /* Ideally we'd check DNSSEC both forward and reverse, but we use the
+ gethost* routines for forward, so can't do that unless/until we rewrite. */
+ sender_host_dnssec = dns_is_secure(&dnsa);
+ DEBUG(D_dns)
+ debug_printf("Reverse DNS security status: %s\n",
+ sender_host_dnssec ? "DNSSEC verified (AD)" : "unverified");
+
store_pool = POOL_PERM; /* Save names in permanent storage */
for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
close down of the connection), set errno to zero; otherwise leave it alone. */
#ifdef SUPPORT_TLS
-if (tls_active == sock)
- rc = tls_read(buffer, buffsize);
+if (tls_out.active == sock)
+ rc = tls_read(FALSE, buffer, buffsize);
+else if (tls_in.active == sock)
+ rc = tls_read(TRUE, buffer, buffsize);
else
#endif
rc = recv(sock, buffer, buffsize, 0);
}
+
+
+/*************************************************
+* Lookup address family of potential socket *
+*************************************************/
+
+/* Given a file-descriptor, check to see if it's a socket and, if so,
+return the address family; detects IPv4 vs IPv6. If not a socket then
+return -1.
+
+The value 0 is typically AF_UNSPEC, which should not be seen on a connected
+fd. If the return is -1, the errno will be from getsockname(); probably
+ENOTSOCK or ECONNRESET.
+
+Arguments: socket-or-not fd
+Returns: address family or -1
+*/
+
+int
+ip_get_address_family(int fd)
+{
+struct sockaddr_storage ss;
+socklen_t sslen = sizeof(ss);
+
+if (getsockname(fd, (struct sockaddr *) &ss, &sslen) < 0)
+ return -1;
+
+return (int) ss.ss_family;
+}
+
+
+
+
+/*************************************************
+* Lookup DSCP settings for a socket *
+*************************************************/
+
+struct dscp_name_tableentry {
+ const uschar *name;
+ int value;
+};
+/* Keep both of these tables sorted! */
+static struct dscp_name_tableentry dscp_table[] = {
+#ifdef IPTOS_DSCP_AF11
+ { CUS"af11", IPTOS_DSCP_AF11 },
+ { CUS"af12", IPTOS_DSCP_AF12 },
+ { CUS"af13", IPTOS_DSCP_AF13 },
+ { CUS"af21", IPTOS_DSCP_AF21 },
+ { CUS"af22", IPTOS_DSCP_AF22 },
+ { CUS"af23", IPTOS_DSCP_AF23 },
+ { CUS"af31", IPTOS_DSCP_AF31 },
+ { CUS"af32", IPTOS_DSCP_AF32 },
+ { CUS"af33", IPTOS_DSCP_AF33 },
+ { CUS"af41", IPTOS_DSCP_AF41 },
+ { CUS"af42", IPTOS_DSCP_AF42 },
+ { CUS"af43", IPTOS_DSCP_AF43 },
+ { CUS"ef", IPTOS_DSCP_EF },
+#endif
+#ifdef IPTOS_LOWCOST
+ { CUS"lowcost", IPTOS_LOWCOST },
+#endif
+ { CUS"lowdelay", IPTOS_LOWDELAY },
+#ifdef IPTOS_MINCOST
+ { CUS"mincost", IPTOS_MINCOST },
+#endif
+ { CUS"reliability", IPTOS_RELIABILITY },
+ { CUS"throughput", IPTOS_THROUGHPUT }
+};
+static int dscp_table_size =
+ sizeof(dscp_table) / sizeof(struct dscp_name_tableentry);
+
+/* DSCP values change by protocol family, and so do the options used for
+setsockopt(); this utility does all the lookups. It takes an unexpanded
+option string, expands it, strips off affix whitespace, then checks if it's
+a number. If all of what's left is a number, then that's how the option will
+be parsed and success/failure is a range check. If it's not all a number,
+then it must be a supported keyword.
+
+Arguments:
+ dscp_name a string, so far unvalidated
+ af address_family in use
+ level setsockopt level to use
+ optname setsockopt name to use
+ dscp_value value for dscp_name
+
+Returns: TRUE if okay to setsockopt(), else FALSE
+
+*level and *optname may be set even if FALSE is returned
+*/
+
+BOOL
+dscp_lookup(const uschar *dscp_name, int af,
+ int *level, int *optname, int *dscp_value)
+{
+uschar *dscp_lookup, *p;
+int first, last;
+long rawlong;
+
+if (af == AF_INET)
+ {
+ *level = IPPROTO_IP;
+ *optname = IP_TOS;
+ }
+else if (af == AF_INET6)
+ {
+ *level = IPPROTO_IPV6;
+ *optname = IPV6_TCLASS;
+ }
+else
+ {
+ DEBUG(D_transport)
+ debug_printf("Unhandled address family %d in dscp_lookup()\n", af);
+ return FALSE;
+ }
+if (!dscp_name)
+ {
+ DEBUG(D_transport)
+ debug_printf("[empty DSCP]\n");
+ return FALSE;
+ }
+dscp_lookup = expand_string(US dscp_name);
+if (dscp_lookup == NULL || *dscp_lookup == '\0')
+ return FALSE;
+
+p = dscp_lookup + Ustrlen(dscp_lookup) - 1;
+while (isspace(*p)) *p-- = '\0';
+while (isspace(*dscp_lookup) && dscp_lookup < p) dscp_lookup++;
+if (*dscp_lookup == '\0')
+ return FALSE;
+
+rawlong = Ustrtol(dscp_lookup, &p, 0);
+if (p != dscp_lookup && *p == '\0')
+ {
+ /* We have six bits available, which will end up shifted to fit in 0xFC mask.
+ RFC 2597 defines the values unshifted. */
+ if (rawlong < 0 || rawlong > 0x3F)
+ {
+ DEBUG(D_transport)
+ debug_printf("DSCP value %ld out of range, ignored.\n", rawlong);
+ return FALSE;
+ }
+ *dscp_value = rawlong << 2;
+ return TRUE;
+ }
+
+first = 0;
+last = dscp_table_size;
+while (last > first)
+ {
+ int middle = (first + last)/2;
+ int c = Ustrcmp(dscp_lookup, dscp_table[middle].name);
+ if (c == 0)
+ {
+ *dscp_value = dscp_table[middle].value;
+ return TRUE;
+ }
+ else if (c > 0)
+ {
+ first = middle + 1;
+ }
+ else
+ {
+ last = middle;
+ }
+ }
+return FALSE;
+}
+
+void
+dscp_list_to_stream(FILE *stream)
+{
+int i;
+for (i=0; i < dscp_table_size; ++i)
+ fprintf(stream, "%s\n", dscp_table[i].name);
+}
+
+
/* End of ip.c */
a no-op once an SSL session is in progress. */
#ifdef SUPPORT_TLS
-#define mac_smtp_fflush() if (tls_active < 0) fflush(smtp_out);
+#define mac_smtp_fflush() if (tls_in.active < 0) fflush(smtp_out);
#else
#define mac_smtp_fflush() fflush(smtp_out);
#endif
{ "dns_ipv4_lookup", opt_stringptr, &dns_ipv4_lookup },
{ "dns_retrans", opt_time, &dns_retrans },
{ "dns_retry", opt_int, &dns_retry },
+ { "dns_use_dnssec", opt_int, &dns_use_dnssec },
{ "dns_use_edns0", opt_int, &dns_use_edns0 },
/* This option is now a no-op, retained for compability */
{ "drop_cr", opt_bool, &drop_cr },
{ "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
{ "tls_dhparam", opt_stringptr, &tls_dhparam },
-#if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS)
+# if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS)
{ "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
-#endif
- { "tls_on_connect_ports", opt_stringptr, &tls_on_connect_ports },
+# endif
+ { "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports },
{ "tls_privatekey", opt_stringptr, &tls_privatekey },
{ "tls_remember_esmtp", opt_bool, &tls_remember_esmtp },
{ "tls_require_ciphers", opt_stringptr, &tls_require_ciphers },
resides.
oltop points to the option list in which ol exists
last one more than the offset of the last entry in optop
+ no_labels do not show "foo = " at the start.
Returns: nothing
*/
static void
print_ol(optionlist *ol, uschar *name, void *options_block,
- optionlist *oltop, int last)
+ optionlist *oltop, int last, BOOL no_labels)
{
struct passwd *pw;
struct group *gr;
if (!admin_user && (ol->type & opt_secure) != 0)
{
- printf("%s = <value not displayable>\n", name);
+ const char * const hidden = "<value not displayable>";
+ if (no_labels)
+ printf("%s\n", hidden);
+ else
+ printf("%s = %s\n", name, hidden);
return;
}
case opt_stringptr:
case opt_rewrite: /* Show the text value */
s = *((uschar **)value);
- printf("%s = %s\n", name, (s == NULL)? US"" : string_printing2(s, FALSE));
+ if (!no_labels) printf("%s = ", name);
+ printf("%s\n", (s == NULL)? US"" : string_printing2(s, FALSE));
break;
case opt_int:
- printf("%s = %d\n", name, *((int *)value));
+ if (!no_labels) printf("%s = ", name);
+ printf("%d\n", *((int *)value));
break;
case opt_mkint:
c = 'M';
x >>= 10;
}
- printf("%s = %d%c\n", name, x, c);
+ if (!no_labels) printf("%s = ", name);
+ printf("%d%c\n", x, c);
+ }
+ else
+ {
+ if (!no_labels) printf("%s = ", name);
+ printf("%d\n", x);
}
- else printf("%s = %d\n", name, x);
}
break;
case opt_Kint:
{
int x = *((int *)value);
- if (x == 0) printf("%s = 0\n", name);
- else if ((x & 1023) == 0) printf("%s = %dM\n", name, x >> 10);
- else printf("%s = %dK\n", name, x);
+ if (!no_labels) printf("%s = ", name);
+ if (x == 0) printf("0\n");
+ else if ((x & 1023) == 0) printf("%dM\n", x >> 10);
+ else printf("%dK\n", x);
}
break;
case opt_octint:
- printf("%s = %#o\n", name, *((int *)value));
+ if (!no_labels) printf("%s = ", name);
+ printf("%#o\n", *((int *)value));
break;
/* Can be negative only when "unset", in which case integer */
int d = 100;
if (x < 0) printf("%s =\n", name); else
{
- printf("%s = %d.", name, x/1000);
+ if (!no_labels) printf("%s = ", name);
+ printf("%d.", x/1000);
do
{
printf("%d", f/d);
if (options_block != NULL)
value2 = (void *)((uschar *)options_block + (long int)value2);
s = *((uschar **)value2);
- printf("%s = %s\n", name, (s == NULL)? US"" : string_printing(s));
+ if (!no_labels) printf("%s = ", name);
+ printf("%s\n", (s == NULL)? US"" : string_printing(s));
break;
}
}
/* Else fall through */
case opt_uid:
+ if (!no_labels) printf("%s = ", name);
if (! *get_set_flag(name, oltop, last, options_block))
- printf("%s =\n", name);
+ printf("\n");
else
{
pw = getpwuid(*((uid_t *)value));
if (pw == NULL)
- printf("%s = %ld\n", name, (long int)(*((uid_t *)value)));
- else printf("%s = %s\n", name, pw->pw_name);
+ printf("%ld\n", (long int)(*((uid_t *)value)));
+ else printf("%s\n", pw->pw_name);
}
break;
if (options_block != NULL)
value2 = (void *)((uschar *)options_block + (long int)value2);
s = *((uschar **)value2);
- printf("%s = %s\n", name, (s == NULL)? US"" : string_printing(s));
+ if (!no_labels) printf("%s = ", name);
+ printf("%s\n", (s == NULL)? US"" : string_printing(s));
break;
}
}
/* Else fall through */
case opt_gid:
+ if (!no_labels) printf("%s = ", name);
if (! *get_set_flag(name, oltop, last, options_block))
- printf("%s =\n", name);
+ printf("\n");
else
{
gr = getgrgid(*((int *)value));
if (gr == NULL)
- printf("%s = %ld\n", name, (long int)(*((int *)value)));
- else printf("%s = %s\n", name, gr->gr_name);
+ printf("%ld\n", (long int)(*((int *)value)));
+ else printf("%s\n", gr->gr_name);
}
break;
case opt_uidlist:
uidlist = *((uid_t **)value);
- printf("%s =", name);
+ if (!no_labels) printf("%s =", name);
if (uidlist != NULL)
{
int i;
uschar sep = ' ';
+ if (no_labels) sep = '\0';
for (i = 1; i <= (int)(uidlist[0]); i++)
{
uschar *name = NULL;
pw = getpwuid(uidlist[i]);
if (pw != NULL) name = US pw->pw_name;
- if (name != NULL) printf("%c%s", sep, name);
- else printf("%c%ld", sep, (long int)(uidlist[i]));
+ if (sep != '\0') printf("%c", sep);
+ if (name != NULL) printf("%s", name);
+ else printf("%ld", (long int)(uidlist[i]));
sep = ':';
}
}
case opt_gidlist:
gidlist = *((gid_t **)value);
- printf("%s =", name);
+ if (!no_labels) printf("%s =", name);
if (gidlist != NULL)
{
int i;
uschar sep = ' ';
+ if (no_labels) sep = '\0';
for (i = 1; i <= (int)(gidlist[0]); i++)
{
uschar *name = NULL;
gr = getgrgid(gidlist[i]);
if (gr != NULL) name = US gr->gr_name;
- if (name != NULL) printf("%c%s", sep, name);
- else printf("%c%ld", sep, (long int)(gidlist[i]));
+ if (sep != '\0') printf("%c", sep);
+ if (name != NULL) printf("%s", name);
+ else printf("%ld", (long int)(gidlist[i]));
sep = ':';
}
}
break;
case opt_time:
- printf("%s = %s\n", name, readconf_printtime(*((int *)value)));
+ if (!no_labels) printf("%s = ", name);
+ printf("%s\n", readconf_printtime(*((int *)value)));
break;
case opt_timelist:
{
int i;
int *list = (int *)value;
- printf("%s = ", name);
+ if (!no_labels) printf("%s = ", name);
for (i = 0; i < list[1]; i++)
printf("%s%s", (i == 0)? "" : ":", readconf_printtime(list[i+2]));
printf("\n");
s = *((uschar **)value2);
if (s != NULL)
{
- printf("%s = %s\n", name, string_printing(s));
+ if (!no_labels) printf("%s = ", name);
+ printf("%s\n", string_printing(s));
break;
}
/* s == NULL => string not set; fall through */
Arguments:
name option name if type == NULL; else driver name
type NULL or driver type name, as described above
+ no_labels avoid the "foo = " at the start of an item
Returns: nothing
*/
void
-readconf_print(uschar *name, uschar *type)
+readconf_print(uschar *name, uschar *type, BOOL no_labels)
{
BOOL names_only = FALSE;
optionlist *ol;
if (t != NULL)
{
found = TRUE;
- printf("%slist %s = %s\n", types[i], name+1,
- ((namedlist_block *)(t->data.ptr))->string);
+ if (no_labels)
+ printf("%s\n", ((namedlist_block *)(t->data.ptr))->string);
+ else
+ printf("%slist %s = %s\n", types[i], name+1,
+ ((namedlist_block *)(t->data.ptr))->string);
}
}
ol < optionlist_config + optionlist_config_size; ol++)
{
if ((ol->type & opt_hidden) == 0)
- print_ol(ol, US ol->name, NULL, optionlist_config, optionlist_config_size);
+ print_ol(ol, US ol->name, NULL,
+ optionlist_config, optionlist_config_size,
+ no_labels);
}
return;
}
ol < local_scan_options + local_scan_options_count; ol++)
{
print_ol(ol, US ol->name, NULL, local_scan_options,
- local_scan_options_count);
+ local_scan_options_count, no_labels);
}
#endif
return;
else
{
print_ol(find_option(name, optionlist_config, optionlist_config_size),
- name, NULL, optionlist_config, optionlist_config_size);
+ name, NULL, optionlist_config, optionlist_config_size, no_labels);
return;
}
}
for (ol = ol2; ol < ol2 + size; ol++)
{
if ((ol->type & opt_hidden) == 0)
- print_ol(ol, US ol->name, d, ol2, size);
+ print_ol(ol, US ol->name, d, ol2, size, no_labels);
}
for (ol = d->info->options;
ol < d->info->options + *(d->info->options_count); ol++)
{
if ((ol->type & opt_hidden) == 0)
- print_ol(ol, US ol->name, d, d->info->options, *(d->info->options_count));
+ print_ol(ol, US ol->name, d, d->info->options, *(d->info->options_count), no_labels);
}
if (name != NULL) return;
}
read_message_data_smtp(FILE *fout)
{
int ch_state = 0;
-register int ch;
+int ch;
register int linelength = 0;
while ((ch = (receive_getc)()) != EOF)
{
message_size++;
if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
+ (void) cutthrough_put_nl();
if (ch != '\r') ch_state = 1; else continue;
}
break;
message_size++;
body_linecount++;
if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
+ (void) cutthrough_put_nl();
if (ch == '\r')
{
ch_state = 2;
if (fputc(ch, fout) == EOF) return END_WERROR;
if (message_size > thismessage_size_limit) return END_SIZE;
}
+ if(ch == '\n')
+ (void) cutthrough_put_nl();
+ else
+ {
+ uschar c= ch;
+ (void) cutthrough_puts(&c, 1);
+ }
}
/* Fall through here if EOF encountered. This indicates some kind of error,
#endif /* WITH_CONTENT_SCAN */
+
+void
+received_header_gen(void)
+{
+uschar *received;
+uschar *timestamp;
+header_line *received_header= header_list;
+
+timestamp = expand_string(US"${tod_full}");
+if (recipients_count == 1) received_for = recipients_list[0].address;
+received = expand_string(received_header_text);
+received_for = NULL;
+
+if (received == NULL)
+ {
+ if(spool_name[0] != 0)
+ Uunlink(spool_name); /* Lose the data file */
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
+ "(received_header_text) failed: %s", string_printing(received_header_text),
+ expand_string_message);
+ }
+
+/* The first element on the header chain is reserved for the Received header,
+so all we have to do is fill in the text pointer, and set the type. However, if
+the result of the expansion is an empty string, we leave the header marked as
+"old" so as to refrain from adding a Received header. */
+
+if (received[0] == 0)
+ {
+ received_header->text = string_sprintf("Received: ; %s\n", timestamp);
+ received_header->type = htype_old;
+ }
+else
+ {
+ received_header->text = string_sprintf("%s; %s\n", received, timestamp);
+ received_header->type = htype_received;
+ }
+
+received_header->slen = Ustrlen(received_header->text);
+
+DEBUG(D_receive) debug_printf(">>Generated Received: header line\n%c %s",
+ received_header->type, received_header->text);
+}
+
+
+
/*************************************************
* Receive message *
*************************************************/
both. The flag sender_local is true for locally generated messages. The flag
submission_mode is true if an ACL has obeyed "control = submission". The flag
suppress_local_fixups is true if an ACL has obeyed "control =
-suppress_local_fixups". The flag smtp_input is true if the message is to be
+suppress_local_fixups" or -G was passed on the command-line.
+The flag smtp_input is true if the message is to be
handled using SMTP conventions about termination and lines starting with dots.
For non-SMTP messages, dot_ends is true for dot-terminated messages.
uschar *resent_prefix = US"";
uschar *blackholed_by = NULL;
uschar *blackhole_log_msg = US"";
+int cutthrough_done;
flock_t lock_data;
error_block *bad_addresses = NULL;
/* Variables for use when building the Received: header. */
-uschar *received;
uschar *timestamp;
int tslen;
search_tidyup();
+/* Extracting the recipient list from an input file is incompatible with
+cutthrough delivery with the no-spool option. It shouldn't be possible
+to set up the combination, but just in case kill any ongoing connection. */
+if (extract_recip || !smtp_input)
+ cancel_cutthrough_connection("not smtp input");
+
/* Initialize the chain of headers by setting up a place-holder for Received:
header. Temporarily mark it as "old", i.e. not to be used. We keep header_last
pointing to the end of the chain to make adding headers simple. */
return message_ended == END_DOT;
}
+/* Cutthrough delivery:
+ We have to create the Received header now rather than at the end of reception,
+ so the timestamp behaviour is a change to the normal case.
+ XXX Ensure this gets documented XXX.
+ Having created it, send the headers to the destination.
+*/
+if (cutthrough_fd >= 0)
+ {
+ if (received_count > received_headers_max)
+ {
+ cancel_cutthrough_connection("too many headers");
+ if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
+ log_write(0, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
+ "Too many \"Received\" headers",
+ sender_address,
+ (sender_fullhost == NULL)? "" : " H=",
+ (sender_fullhost == NULL)? US"" : sender_fullhost,
+ (sender_ident == NULL)? "" : " U=",
+ (sender_ident == NULL)? US"" : sender_ident);
+ message_id[0] = 0; /* Indicate no message accepted */
+ smtp_reply = US"550 Too many \"Received\" headers - suspected mail loop";
+ goto TIDYUP; /* Skip to end of function */
+ }
+ received_header_gen();
+ add_acl_headers(US"MAIL or RCPT");
+ (void) cutthrough_headers_send();
+ }
+
+
/* Open a new spool file for the data portion of the message. We need
to access it both via a file descriptor and a stream. Try to make the
directory if it isn't there. Note re use of sprintf: spool_directory
if (smtp_input && message_ended == END_EOF)
{
Uunlink(spool_name); /* Lose data file when closed */
+ cancel_cutthrough_connection("sender closed connection");
message_id[0] = 0; /* Indicate no message accepted */
smtp_reply = handle_lost_connection(US"");
smtp_yield = FALSE;
if (message_ended == END_SIZE)
{
Uunlink(spool_name); /* Lose the data file when closed */
+ cancel_cutthrough_connection("mail too big");
if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
log_write(0, LOG_MAIN, "Message abandoned: %s", msg);
Uunlink(spool_name); /* Lose the data file */
+ cancel_cutthrough_connection("error writing spoolfile");
if (smtp_input)
{
Note: the checking for too many Received: headers is handled by the delivery
code. */
+/*XXX eventually add excess Received: check for cutthrough case back when classifying them */
-timestamp = expand_string(US"${tod_full}");
-if (recipients_count == 1) received_for = recipients_list[0].address;
-received = expand_string(received_header_text);
-received_for = NULL;
-
-if (received == NULL)
- {
- Uunlink(spool_name); /* Lose the data file */
- log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
- "(received_header_text) failed: %s", string_printing(received_header_text),
- expand_string_message);
- }
-
-/* The first element on the header chain is reserved for the Received header,
-so all we have to do is fill in the text pointer, and set the type. However, if
-the result of the expansion is an empty string, we leave the header marked as
-"old" so as to refrain from adding a Received header. */
-
-if (received[0] == 0)
- {
- received_header->text = string_sprintf("Received: ; %s\n", timestamp);
- received_header->type = htype_old;
- }
-else
+if (received_header->text == NULL) /* Non-cutthrough case */
{
- received_header->text = string_sprintf("%s; %s\n", received, timestamp);
- received_header->type = htype_received;
- }
-
-received_header->slen = Ustrlen(received_header->text);
-
-DEBUG(D_receive) debug_printf(">>Generated Received: header line\n%c %s",
- received_header->type, received_header->text);
+ received_header_gen();
-/* Set the value of message_body_size for the DATA ACL and for local_scan() */
+ /* Set the value of message_body_size for the DATA ACL and for local_scan() */
-message_body_size = (fstat(data_fd, &statbuf) == 0)?
- statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
+ message_body_size = (fstat(data_fd, &statbuf) == 0)?
+ statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
-/* If an ACL from any RCPT commands set up any warning headers to add, do so
-now, before running the DATA ACL. */
+ /* If an ACL from any RCPT commands set up any warning headers to add, do so
+ now, before running the DATA ACL. */
-add_acl_headers(US"MAIL or RCPT");
+ add_acl_headers(US"MAIL or RCPT");
+ }
+else
+ message_body_size = (fstat(data_fd, &statbuf) == 0)?
+ statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
/* If an ACL is specified for checking things at this stage of reception of a
message, run it, unless all the recipients were removed by "discard" in earlier
{
DEBUG(D_receive)
debug_printf("acl_smtp_dkim: acl_check returned %d on %s, skipping remaining items\n", rc, item);
+ cancel_cutthrough_connection("dkim acl not ok");
break;
}
}
blackholed_by = US"DATA ACL";
if (log_msg != NULL)
blackhole_log_msg = string_sprintf(": %s", log_msg);
+ cancel_cutthrough_connection("data acl discard");
}
else if (rc != OK)
{
Uunlink(spool_name);
+ cancel_cutthrough_connection("data acl not ok");
#ifdef WITH_CONTENT_SCAN
unspool_mbox();
#endif
signal(SIGTERM, SIG_IGN);
signal(SIGINT, SIG_IGN);
+
/* Ensure the first time flag is set in the newly-received message. */
deliver_firsttime = TRUE;
s = add_host_info_for_log(s, &size, &sptr);
#ifdef SUPPORT_TLS
-if ((log_extra_selector & LX_tls_cipher) != 0 && tls_cipher != NULL)
- s = string_append(s, &size, &sptr, 2, US" X=", tls_cipher);
+if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL)
+ s = string_append(s, &size, &sptr, 2, US" X=", tls_in.cipher);
if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
- tls_cipher != NULL)
+ tls_in.cipher != NULL)
s = string_append(s, &size, &sptr, 2, US" CV=",
- tls_certificate_verified? "yes":"no");
-if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_peerdn != NULL)
+ tls_in.certificate_verified? "yes":"no");
+if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL)
s = string_append(s, &size, &sptr, 3, US" DN=\"",
- string_printing(tls_peerdn), US"\"");
-if ((log_extra_selector & LX_tls_sni) != 0 && tls_sni != NULL)
+ string_printing(tls_in.peerdn), US"\"");
+if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL)
s = string_append(s, &size, &sptr, 3, US" SNI=\"",
- string_printing(tls_sni), US"\"");
+ string_printing(tls_in.sni), US"\"");
#endif
if (sender_host_authenticated != NULL)
/* Create a message log file if message logs are being used and this message is
not blackholed. Write the reception stuff to it. We used to leave message log
-creation until the first delivery, but this has proved confusing for somep
+creation until the first delivery, but this has proved confusing for some
people. */
if (message_logs && blackholed_by == NULL)
/* The connection has not gone away; we really are going to take responsibility
for this message. */
-log_write(0, LOG_MAIN |
- (((log_extra_selector & LX_received_recipients) != 0)? LOG_RECIPIENTS : 0) |
- (((log_extra_selector & LX_received_sender) != 0)? LOG_SENDER : 0),
- "%s", s);
-receive_call_bombout = FALSE;
+/* Cutthrough - had sender last-dot; assume we've sent (or bufferred) all
+ data onward by now.
+
+ Send dot onward. If accepted, wipe the spooled files, log as delivered and accept
+ the sender's dot (below).
+ If rejected: copy response to sender, wipe the spooled files, log approriately.
+ If temp-reject: accept to sender, keep the spooled files.
+
+ Having the normal spool files lets us do data-filtering, and store/forward on temp-reject.
-/* Log any control actions taken by an ACL or local_scan(). */
+ XXX We do not handle queue-only, freezing, or blackholes.
+*/
+if(cutthrough_fd >= 0)
+ {
+ uschar * msg= cutthrough_finaldot(); /* Ask the target system to accept the messsage */
+ /* Logging was done in finaldot() */
+ switch(msg[0])
+ {
+ case '2': /* Accept. Do the same to the source; dump any spoolfiles. */
+ cutthrough_done = 3;
+ break; /* message_id needed for SMTP accept below */
+
+ default: /* Unknown response, or error. Treat as temp-reject. */
+ case '4': /* Temp-reject. Keep spoolfiles and accept. */
+ cutthrough_done = 1; /* Avoid the usual immediate delivery attempt */
+ break; /* message_id needed for SMTP accept below */
+
+ case '5': /* Perm-reject. Do the same to the source. Dump any spoolfiles */
+ smtp_reply= msg; /* Pass on the exact error */
+ cutthrough_done = 2;
+ break;
+ }
+ }
+else
+ cutthrough_done = 0;
+
+if(smtp_reply == NULL)
+ {
+ log_write(0, LOG_MAIN |
+ (((log_extra_selector & LX_received_recipients) != 0)? LOG_RECIPIENTS : 0) |
+ (((log_extra_selector & LX_received_sender) != 0)? LOG_SENDER : 0),
+ "%s", s);
-if (deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by);
-if (queue_only_policy) log_write(L_delay_delivery, LOG_MAIN,
- "no immediate delivery: queued by %s", queued_by);
+ /* Log any control actions taken by an ACL or local_scan(). */
+
+ if (deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by);
+ if (queue_only_policy) log_write(L_delay_delivery, LOG_MAIN,
+ "no immediate delivery: queued by %s", queued_by);
+ }
+receive_call_bombout = FALSE;
store_reset(s); /* The store for the main log message can be reused */
possible for fclose() to fail - but what to do? What has happened to the lock
if this happens? */
+
TIDYUP:
process_info[process_info_len] = 0; /* Remove message id */
if (data_file != NULL) (void)fclose(data_file); /* Frees the lock */
else
smtp_printf("%.1024s\r\n", smtp_reply);
}
+
+ switch (cutthrough_done)
+ {
+ case 3: log_write(0, LOG_MAIN, "Completed"); /* Delivery was done */
+ case 2: { /* Delete spool files */
+ sprintf(CS spool_name, "%s/input/%s/%s-D", spool_directory,
+ message_subdir, message_id);
+ Uunlink(spool_name);
+ sprintf(CS spool_name, "%s/input/%s/%s-H", spool_directory,
+ message_subdir, message_id);
+ Uunlink(spool_name);
+ sprintf(CS spool_name, "%s/msglog/%s/%s", spool_directory,
+ message_subdir, message_id);
+ Uunlink(spool_name);
+ }
+ case 1: message_id[0] = 0; /* Prevent a delivery from starting */
+ default:break;
+ }
+ cutthrough_delivery = FALSE;
}
/* For batched SMTP, generate an error message on failure, and do
struct Notification *next;
};
+/* This should be a complete list of supported extensions, so that an external
+ManageSieve (RFC 5804) program can interrogate the current Exim binary for the
+list of extensions and provide correct information to a client.
+
+We'll emit the list in the order given here; keep it alphabetically sorted, so
+that callers don't get surprised.
+
+List *MUST* end with a NULL. Which at least makes ifdef-vs-comma easier. */
+
+const uschar *exim_sieve_extension_list[] = {
+ CUS"comparator-i;ascii-numeric",
+ CUS"copy",
+#ifdef ENCODED_CHARACTER
+ CUS"encoded-character",
+#endif
+#ifdef ENOTIFY
+ CUS"enotify",
+#endif
+ CUS"envelope",
+#ifdef ENVELOPE_AUTH
+ CUS"envelope-auth",
+#endif
+ CUS"fileinto",
+#ifdef SUBADDRESS
+ CUS"subaddress",
+#endif
+#ifdef VACATION
+ CUS"vacation",
+#endif
+ NULL
+};
+
static int eq_asciicase(const struct String *needle, const struct String *haystack, int match_prefix);
static int parse_test(struct Sieve *filter, int *cond, int exec);
static int parse_commands(struct Sieve *filter, int exec, address_item **generated);
#define pauthed 2 /* added to pextend */
#define pnlocal 6 /* offset to remove "local" */
+/* Sanity check and validate optional args to MAIL FROM: envelope */
+enum {
+ ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH,
+ ENV_MAIL_OPT_PRDR, ENV_MAIL_OPT_NULL
+ };
+typedef struct {
+ uschar * name; /* option requested during MAIL cmd */
+ int value; /* enum type */
+ BOOL need_value; /* TRUE requires value (name=value pair format)
+ FALSE is a singleton */
+ } env_mail_type_t;
+static env_mail_type_t env_mail_type_list[] = {
+ { US"SIZE", ENV_MAIL_OPT_SIZE, TRUE },
+ { US"BODY", ENV_MAIL_OPT_BODY, TRUE },
+ { US"AUTH", ENV_MAIL_OPT_AUTH, TRUE },
+ { US"NULL", ENV_MAIL_OPT_NULL, FALSE } /* Placeholder for ending */
+ };
+
/* When reading SMTP from a remote host, we have to use our own versions of the
C input-reading functions, in order to be able to flush the SMTP output only
when about to read more data from the socket. This is the only way to get
/* Now write the string */
#ifdef SUPPORT_TLS
-if (tls_active >= 0)
+if (tls_in.active >= 0)
{
- if (tls_write(big_buffer, Ustrlen(big_buffer)) < 0) smtp_write_error = -1;
+ if (tls_write(TRUE, big_buffer, Ustrlen(big_buffer)) < 0)
+ smtp_write_error = -1;
}
else
#endif
int
smtp_fflush(void)
{
-if (tls_active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
+if (tls_in.active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
return smtp_write_error;
}
sig = sig; /* Keep picky compilers happy */
log_write(L_lost_incoming_connection,
LOG_MAIN, "SMTP command timeout on%s connection from %s",
- (tls_active >= 0)? " TLS" : "",
+ (tls_in.active >= 0)? " TLS" : "",
host_and_ident(FALSE));
if (smtp_batched_input)
moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
struct timeval tzero;
if (!smtp_enforce_sync || sender_host_address == NULL ||
- sender_host_notsocket || tls_active >= 0)
+ sender_host_notsocket || tls_in.active >= 0)
return TRUE;
fd = fileno(smtp_in);
}
#ifdef SUPPORT_TLS
-if ((log_extra_selector & LX_tls_cipher) != 0 && tls_cipher != NULL)
- s = string_append(s, &size, &ptr, 2, US" X=", tls_cipher);
+if ((log_extra_selector & LX_tls_cipher) != 0 && tls_in.cipher != NULL)
+ s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher);
if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
- tls_cipher != NULL)
+ tls_in.cipher != NULL)
s = string_append(s, &size, &ptr, 2, US" CV=",
- tls_certificate_verified? "yes":"no");
-if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_peerdn != NULL)
+ tls_in.certificate_verified? "yes":"no");
+if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_in.peerdn != NULL)
s = string_append(s, &size, &ptr, 3, US" DN=\"",
- string_printing(tls_peerdn), US"\"");
-if ((log_extra_selector & LX_tls_sni) != 0 && tls_sni != NULL)
+ string_printing(tls_in.peerdn), US"\"");
+if ((log_extra_selector & LX_tls_sni) != 0 && tls_in.sni != NULL)
s = string_append(s, &size, &ptr, 3, US" SNI=\"",
- string_printing(tls_sni), US"\"");
+ string_printing(tls_in.sni), US"\"");
#endif
sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
recipients_list = NULL;
rcpt_count = rcpt_defer_count = rcpt_fail_count =
raw_recipients_count = recipients_count = recipients_list_max = 0;
+cancel_cutthrough_connection("smtp reset");
message_linecount = 0;
message_size = -1;
acl_added_headers = NULL;
no_mbox_unspool = FALSE; /* Can be set by ACL */
#endif
submission_mode = FALSE; /* Can be set by ACL */
-suppress_local_fixups = FALSE; /* Can be set by ACL */
+suppress_local_fixups = suppress_local_fixups_default; /* Can be set by ACL */
active_local_from_check = local_from_check; /* Can be set by ACL */
active_local_sender_retain = local_sender_retain; /* Can be set by ACL */
sender_address = NULL;
authenticated_by = NULL;
#ifdef SUPPORT_TLS
-tls_cipher = tls_peerdn = NULL;
+tls_in.cipher = tls_in.peerdn = NULL;
tls_advertised = FALSE;
#endif
smtps port for use with older style SSL MTAs. */
#ifdef SUPPORT_TLS
- if (tls_on_connect &&
- tls_server_start(tls_require_ciphers) != OK)
+ if (tls_in.on_connect && tls_server_start(tls_require_ciphers) != OK)
return FALSE;
#endif
sender_host_authenticated = au->name;
authentication_failed = FALSE;
received_protocol =
- protocols[pextend + pauthed + ((tls_active >= 0)? pcrpted:0)] +
+ protocols[pextend + pauthed + ((tls_in.active >= 0)? pcrpted:0)] +
((sender_host_address != NULL)? pnlocal : 0);
s = ss = US"235 Authentication succeeded";
authenticated_by = au;
host_build_sender_fullhost(); /* Rebuild */
set_process_info("handling%s incoming connection from %s",
- (tls_active >= 0)? " TLS" : "", host_and_ident(FALSE));
+ (tls_in.active >= 0)? " TLS" : "", host_and_ident(FALSE));
/* Verify if configured. This doesn't give much security, but it does
make some people happy to be able to do it. If helo_required is set,
secure connection. */
#ifdef SUPPORT_TLS
- if (tls_active < 0 &&
+ if (tls_in.active < 0 &&
verify_check_host(&tls_advertise_hosts) != FAIL)
{
s = string_cat(s, &size, &ptr, smtp_code, 3);
s[ptr] = 0;
#ifdef SUPPORT_TLS
- if (tls_active >= 0) (void)tls_write(s, ptr); else
+ if (tls_in.active >= 0) (void)tls_write(TRUE, s, ptr); else
#endif
(void)fwrite(s, 1, ptr, smtp_out);
received_protocol = (esmtp?
protocols[pextend +
((sender_host_authenticated != NULL)? pauthed : 0) +
- ((tls_active >= 0)? pcrpted : 0)]
+ ((tls_in.active >= 0)? pcrpted : 0)]
:
- protocols[pnormal + ((tls_active >= 0)? pcrpted : 0)])
+ protocols[pnormal + ((tls_in.active >= 0)? pcrpted : 0)])
+
((sender_host_address != NULL)? pnlocal : 0);
HAD(SCH_MAIL);
smtp_mailcmd_count++; /* Count for limit and ratelimit */
was_rej_mail = TRUE; /* Reset if accepted */
+ env_mail_type_t * mail_args; /* Sanity check & validate args */
if (helo_required && !helo_seen)
{
{
uschar *name, *value, *end;
unsigned long int size;
+ BOOL arg_error = FALSE;
if (!extract_option(&name, &value)) break;
- /* Handle SIZE= by reading the value. We don't do the check till later,
- in order to be able to log the sender address on failure. */
-
- if (strcmpic(name, US"SIZE") == 0 &&
- ((size = Ustrtoul(value, &end, 10)), *end == 0))
+ for (mail_args = env_mail_type_list;
+ (char *)mail_args < (char *)env_mail_type_list + sizeof(env_mail_type_list);
+ mail_args++
+ )
{
- if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
- size = INT_MAX;
- message_size = (int)size;
+ if (strcmpic(name, mail_args->name) == 0)
+ break;
}
+ if (mail_args->need_value && strcmpic(value, US"") == 0)
+ break;
+ /* This doesn't seem right to use
+ if ((char *)mail_args >= (char *)env_mail_type_list + sizeof(env_mail_type_list))
+ goto BAD_MAIL_ARGS;
+ */
- /* If this session was initiated with EHLO and accept_8bitmime is set,
- Exim will have indicated that it supports the BODY=8BITMIME option. In
- fact, it does not support this according to the RFCs, in that it does not
- take any special action for forwarding messages containing 8-bit
- characters. That is why accept_8bitmime is not the default setting, but
- some sites want the action that is provided. We recognize both "8BITMIME"
- and "7BIT" as body types, but take no action. */
-
- else if (accept_8bitmime && strcmpic(name, US"BODY") == 0 &&
- (strcmpic(value, US"8BITMIME") == 0 ||
- strcmpic(value, US"7BIT") == 0)) {}
-
- /* Handle the AUTH extension. If the value given is not "<>" and either
- the ACL says "yes" or there is no ACL but the sending host is
- authenticated, we set it up as the authenticated sender. However, if the
- authenticator set a condition to be tested, we ignore AUTH on MAIL unless
- the condition is met. The value of AUTH is an xtext, which means that +,
- = and cntrl chars are coded in hex; however "<>" is unaffected by this
- coding. */
-
- else if (strcmpic(name, US"AUTH") == 0)
+ switch(mail_args->value)
{
- if (Ustrcmp(value, "<>") != 0)
- {
- int rc;
- uschar *ignore_msg;
-
- if (auth_xtextdecode(value, &authenticated_sender) < 0)
+ /* Handle SIZE= by reading the value. We don't do the check till later,
+ in order to be able to log the sender address on failure. */
+ case ENV_MAIL_OPT_SIZE:
+ /* if (strcmpic(name, US"SIZE") == 0 && */
+ if (((size = Ustrtoul(value, &end, 10)), *end == 0))
{
- /* Put back terminator overrides for error message */
- name[-1] = ' ';
- value[-1] = '=';
- done = synprot_error(L_smtp_syntax_error, 501, NULL,
- US"invalid data for AUTH");
- goto COMMAND_LOOP;
- }
-
- if (acl_smtp_mailauth == NULL)
- {
- ignore_msg = US"client not authenticated";
- rc = (sender_host_authenticated != NULL)? OK : FAIL;
+ if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
+ size = INT_MAX;
+ message_size = (int)size;
}
else
- {
- ignore_msg = US"rejected by ACL";
- rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
- &user_msg, &log_msg);
- }
+ arg_error = TRUE;
+ break;
- switch (rc)
- {
- case OK:
- if (authenticated_by == NULL ||
- authenticated_by->mail_auth_condition == NULL ||
- expand_check_condition(authenticated_by->mail_auth_condition,
- authenticated_by->name, US"authenticator"))
- break; /* Accept the AUTH */
-
- ignore_msg = US"server_mail_auth_condition failed";
- if (authenticated_id != NULL)
- ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
- ignore_msg, authenticated_id);
-
- /* Fall through */
-
- case FAIL:
- authenticated_sender = NULL;
- log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
- value, host_and_ident(TRUE), ignore_msg);
+ /* If this session was initiated with EHLO and accept_8bitmime is set,
+ Exim will have indicated that it supports the BODY=8BITMIME option. In
+ fact, it does not support this according to the RFCs, in that it does not
+ take any special action for forwarding messages containing 8-bit
+ characters. That is why accept_8bitmime is not the default setting, but
+ some sites want the action that is provided. We recognize both "8BITMIME"
+ and "7BIT" as body types, but take no action. */
+ case ENV_MAIL_OPT_BODY:
+ if (accept_8bitmime &&
+ (strcmpic(value, US"8BITMIME") == 0 ||
+ strcmpic(value, US"7BIT") == 0) )
break;
+ arg_error = TRUE;
+ break;
- /* Should only get DEFER or ERROR here. Put back terminator
- overrides for error message */
+ /* Handle the AUTH extension. If the value given is not "<>" and either
+ the ACL says "yes" or there is no ACL but the sending host is
+ authenticated, we set it up as the authenticated sender. However, if the
+ authenticator set a condition to be tested, we ignore AUTH on MAIL unless
+ the condition is met. The value of AUTH is an xtext, which means that +,
+ = and cntrl chars are coded in hex; however "<>" is unaffected by this
+ coding. */
+ case ENV_MAIL_OPT_AUTH:
+ if (Ustrcmp(value, "<>") != 0)
+ {
+ int rc;
+ uschar *ignore_msg;
- default:
- name[-1] = ' ';
- value[-1] = '=';
- (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
- log_msg);
- goto COMMAND_LOOP;
+ if (auth_xtextdecode(value, &authenticated_sender) < 0)
+ {
+ /* Put back terminator overrides for error message */
+ name[-1] = ' ';
+ value[-1] = '=';
+ done = synprot_error(L_smtp_syntax_error, 501, NULL,
+ US"invalid data for AUTH");
+ goto COMMAND_LOOP;
+ }
+ if (acl_smtp_mailauth == NULL)
+ {
+ ignore_msg = US"client not authenticated";
+ rc = (sender_host_authenticated != NULL)? OK : FAIL;
+ }
+ else
+ {
+ ignore_msg = US"rejected by ACL";
+ rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
+ &user_msg, &log_msg);
+ }
+
+ switch (rc)
+ {
+ case OK:
+ if (authenticated_by == NULL ||
+ authenticated_by->mail_auth_condition == NULL ||
+ expand_check_condition(authenticated_by->mail_auth_condition,
+ authenticated_by->name, US"authenticator"))
+ break; /* Accept the AUTH */
+
+ ignore_msg = US"server_mail_auth_condition failed";
+ if (authenticated_id != NULL)
+ ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
+ ignore_msg, authenticated_id);
+
+ /* Fall through */
+
+ case FAIL:
+ authenticated_sender = NULL;
+ log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
+ value, host_and_ident(TRUE), ignore_msg);
+ break;
+
+ /* Should only get DEFER or ERROR here. Put back terminator
+ overrides for error message */
+
+ default:
+ name[-1] = ' ';
+ value[-1] = '=';
+ (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
+ log_msg);
+ goto COMMAND_LOOP;
+ }
}
- }
- }
-
- /* Unknown option. Stick back the terminator characters and break
- the loop. An error for a malformed address will occur. */
+ break;
+
+ /* Unknown option. Stick back the terminator characters and break
+ the loop. An error for a malformed address will occur. */
+ default:
- else
- {
- name[-1] = ' ';
- value[-1] = '=';
- break;
+ /* BAD_MAIL_ARGS: */
+ name[-1] = ' ';
+ value[-1] = '=';
+ break;
}
+ /* Break out of for loop if switch() had bad argument or
+ when start of the email address is reached */
+ if (arg_error) break;
}
/* If we have passed the threshold for rate limiting, apply the current
}
/* If there is an ACL, re-check the synchronization afterwards, since the
- ACL may have delayed. */
+ ACL may have delayed. To handle cutthrough delivery enforce a dummy call
+ to get the DATA command sent. */
- if (acl_smtp_predata == NULL) rc = OK; else
+ if (acl_smtp_predata == NULL && cutthrough_fd < 0) rc = OK; else
{
+ uschar * acl= acl_smtp_predata ? acl_smtp_predata : US"accept";
enable_dollar_recipients = TRUE;
- rc = acl_check(ACL_WHERE_PREDATA, NULL, acl_smtp_predata, &user_msg,
+ rc = acl_check(ACL_WHERE_PREDATA, NULL, acl, &user_msg,
&log_msg);
enable_dollar_recipients = FALSE;
if (rc == OK && !check_sync()) goto SYNC_FAILURE;
{
DEBUG(D_any)
debug_printf("Non-empty input buffer after STARTTLS; naive attack?");
- if (tls_active < 0)
+ if (tls_in.active < 0)
smtp_inend = smtp_inptr = smtp_inbuffer;
/* and if TLS is already active, tls_server_start() should fail */
}
}
/* Hard failure. Reject everything except QUIT or closed connection. One
- cause for failure is a nested STARTTLS, in which case tls_active remains
+ cause for failure is a nested STARTTLS, in which case tls_in.active remains
set, but we must still reject all incoming commands. */
DEBUG(D_tls) debug_printf("TLS failed to start\n");
break;
/* It is perhaps arguable as to which exit ACL should be called here,
- but as it is probably a situtation that almost never arises, it
+ but as it is probably a situation that almost never arises, it
probably doesn't matter. We choose to call the real QUIT ACL, which in
some sense is perhaps "right". */
break;
}
}
- tls_close(TRUE);
+ tls_close(TRUE, TRUE);
break;
#endif
smtp_respond(US"221", 3, TRUE, user_msg);
#ifdef SUPPORT_TLS
- tls_close(TRUE);
+ tls_close(TRUE, TRUE);
#endif
done = 2;
buffer[0] = 0;
Ustrcat(buffer, " AUTH");
#ifdef SUPPORT_TLS
- if (tls_active < 0 &&
+ if (tls_in.active < 0 &&
verify_check_host(&tls_advertise_hosts) != FAIL)
Ustrcat(buffer, " STARTTLS");
#endif
interface outgoing interface address or NULL
timeout timeout value or 0
keepalive TRUE to use keepalive
+ dscp DSCP value to assign to socket
Returns: connected socket number, or -1 with errno set
*/
int
smtp_connect(host_item *host, int host_af, int port, uschar *interface,
- int timeout, BOOL keepalive)
+ int timeout, BOOL keepalive, const uschar *dscp)
{
int on = 1;
int save_errno = 0;
+int dscp_value;
+int dscp_level;
+int dscp_option;
int sock;
if (host->port != PORT_NONE)
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (uschar *)(&on), sizeof(on));
+/* Set DSCP value, if we can. For now, if we fail to set the value, we don't
+bomb out, just log it and continue in default traffic class. */
+
+if (dscp && dscp_lookup(dscp, host_af, &dscp_level, &dscp_option, &dscp_value))
+ {
+ HDEBUG(D_transport|D_acl|D_v)
+ debug_printf("DSCP \"%s\"=%x ", dscp, dscp_value);
+ if (setsockopt(sock, dscp_level, dscp_option, &dscp_value, sizeof(dscp_value)) < 0)
+ HDEBUG(D_transport|D_acl|D_v)
+ debug_printf("failed to set DSCP: %s ", strerror(errno));
+ /* If the kernel supports IPv4 and IPv6 on an IPv6 socket, we need to set the
+ option for both; ignore failures here */
+ if (host_af == AF_INET6 &&
+ dscp_lookup(dscp, AF_INET, &dscp_level, &dscp_option, &dscp_value))
+ {
+ (void) setsockopt(sock, dscp_level, dscp_option, &dscp_value, sizeof(dscp_value));
+ }
+ }
+
/* Bind to a specific interface if requested. Caller must ensure the interface
is the same type (IPv4 or IPv6) as the outgoing address. */
int rc;
#ifdef SUPPORT_TLS
-if (tls_active == outblock->sock)
- rc = tls_write(outblock->buffer, outblock->ptr - outblock->buffer);
+if (tls_out.active == outblock->sock)
+ rc = tls_write(FALSE, outblock->buffer, outblock->ptr - outblock->buffer);
else
#endif
#endif
#ifdef SUPPORT_TLS
-tls_certificate_verified = FALSE;
-tls_cipher = NULL;
-tls_peerdn = NULL;
-tls_sni = NULL;
+tls_in.certificate_verified = FALSE;
+tls_in.cipher = NULL;
+tls_in.peerdn = NULL;
+tls_in.sni = NULL;
#endif
#ifdef WITH_CONTENT_SCAN
#ifdef SUPPORT_TLS
case 't':
if (Ustrncmp(p, "ls_certificate_verified", 23) == 0)
- tls_certificate_verified = TRUE;
+ tls_in.certificate_verified = TRUE;
else if (Ustrncmp(p, "ls_cipher", 9) == 0)
- tls_cipher = string_copy(big_buffer + 12);
+ tls_in.cipher = string_copy(big_buffer + 12);
else if (Ustrncmp(p, "ls_peerdn", 9) == 0)
- tls_peerdn = string_unprinting(string_copy(big_buffer + 12));
+ tls_in.peerdn = string_unprinting(string_copy(big_buffer + 12));
else if (Ustrncmp(p, "ls_sni", 6) == 0)
- tls_sni = string_unprinting(string_copy(big_buffer + 9));
+ tls_in.sni = string_unprinting(string_copy(big_buffer + 9));
break;
#endif
#endif
#ifdef SUPPORT_TLS
-if (tls_certificate_verified) fprintf(f, "-tls_certificate_verified\n");
-if (tls_cipher != NULL) fprintf(f, "-tls_cipher %s\n", tls_cipher);
-if (tls_peerdn != NULL) fprintf(f, "-tls_peerdn %s\n", string_printing(tls_peerdn));
-if (tls_sni != NULL) fprintf(f, "-tls_sni %s\n", string_printing(tls_sni));
+if (tls_in.certificate_verified) fprintf(f, "-tls_certificate_verified\n");
+if (tls_in.cipher != NULL) fprintf(f, "-tls_cipher %s\n", tls_in.cipher);
+if (tls_in.peerdn != NULL) fprintf(f, "-tls_peerdn %s\n", string_printing(tls_in.peerdn));
+if (tls_in.sni != NULL) fprintf(f, "-tls_sni %s\n", string_printing(tls_in.sni));
#endif
/* To complete the envelope, write out the tree of non-recipients, followed by
be set to point to content in one of these instances, as appropriate for
the stage of the process lifetime.
-Not handled here: globals tls_active, tls_bits, tls_cipher, tls_peerdn,
-tls_certificate_verified, tls_channelbinding_b64, tls_sni.
+Not handled here: global tls_channelbinding_b64.
*/
typedef struct exim_gnutls_state {
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
+ tls_support *tlsp; /* set in tls_init() */
+
uschar *xfer_buffer;
int xfer_buffer_lwm;
int xfer_buffer_hwm;
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL,
NULL, 0, 0, 0, 0,
};
second connection. */
static exim_gnutls_state_st state_server, state_client;
-static exim_gnutls_state_st *current_global_tls_state;
/* dh_params are initialised once within the lifetime of a process using TLS;
if we used TLS in a long-lived daemon, we'd have to reconsider this. But we
tls_cipher a string
tls_peerdn a string
tls_sni a (UTF-8) string
-Also:
- current_global_tls_state for API limitations
Argument:
state the relevant exim_gnutls_state_st *
*/
static void
-extract_exim_vars_from_tls_state(exim_gnutls_state_st *state)
+extract_exim_vars_from_tls_state(exim_gnutls_state_st *state, BOOL is_server)
{
gnutls_cipher_algorithm_t cipher;
#ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
gnutls_datum_t channel;
#endif
-current_global_tls_state = state;
-
-tls_active = state->fd_out;
+state->tlsp->active = state->fd_out;
cipher = gnutls_cipher_get(state->session);
/* returns size in "bytes" */
-tls_bits = gnutls_cipher_get_key_size(cipher) * 8;
+state->tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
-tls_cipher = state->ciphersuite;
+state->tlsp->cipher = state->ciphersuite;
-DEBUG(D_tls) debug_printf("cipher: %s\n", tls_cipher);
+DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
-tls_certificate_verified = state->peer_cert_verified;
+state->tlsp->certificate_verified = state->peer_cert_verified;
/* note that tls_channelbinding_b64 is not saved to the spool file, since it's
only available for use for authenticators while this TLS session is running. */
}
#endif
-tls_peerdn = state->peerdn;
-
-tls_sni = state->received_sni;
+state->tlsp->peerdn = state->peerdn;
+state->tlsp->sni = state->received_sni;
}
{
if (!state->received_sni)
{
- if (state->tls_certificate && Ustrstr(state->tls_certificate, US"tls_sni"))
+ if (state->tls_certificate &&
+ (Ustrstr(state->tls_certificate, US"tls_sni") ||
+ Ustrstr(state->tls_certificate, US"tls_in_sni") ||
+ Ustrstr(state->tls_certificate, US"tls_out_sni")
+ ))
{
DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
state->trigger_sni_changes = TRUE;
cas CA certs file
crl CRL file
require_ciphers tls_require_ciphers setting
+ caller_state returned state-info structure
Returns: OK/DEFER/FAIL
*/
{
state = &state_client;
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
+ state->tlsp = &tls_out;
DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
rc = gnutls_init(&state->session, GNUTLS_CLIENT);
}
{
state = &state_server;
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
+ state->tlsp = &tls_in;
DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
rc = gnutls_init(&state->session, GNUTLS_SERVER);
}
/* set SNI in client, only */
if (host)
{
- if (!expand_check_tlsvar(tls_sni))
+ if (!expand_check(state->tlsp->sni, "tls_out_sni", &state->exp_tls_sni))
return DEFER;
if (state->exp_tls_sni && *state->exp_tls_sni)
{
}
*caller_state = state;
-/* needs to happen before callbacks during handshake */
-current_global_tls_state = state;
return OK;
}
store_pool = POOL_PERM;
state->ciphersuite = string_copy(cipherbuf);
store_pool = old_pool;
-tls_cipher = state->ciphersuite;
+state->tlsp->cipher = state->ciphersuite;
/* tls_peerdn */
cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
state->peerdn ? state->peerdn : US"<unset>");
}
-tls_peerdn = state->peerdn;
+state->tlsp->peerdn = state->peerdn;
return TRUE;
}
For inability to get SNI information, we return 0.
We only return non-zero if re-setup failed.
+Only used for server-side TLS.
*/
static int
{
char sni_name[MAX_HOST_LEN];
size_t data_len = MAX_HOST_LEN;
-exim_gnutls_state_st *state = current_global_tls_state;
+exim_gnutls_state_st *state = &state_server;
unsigned int sni_type;
int rc, old_pool;
store_pool = old_pool;
/* We set this one now so that variable expansions below will work */
-tls_sni = state->received_sni;
+state->tlsp->sni = state->received_sni;
DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", sni_name,
state->trigger_sni_changes ? "" : " (unused for certificate selection)");
exim_gnutls_state_st *state = NULL;
/* Check for previous activation */
-/* nb: this will not be TLS callout safe, needs reworking as part of that. */
-
-if (tls_active >= 0)
+if (tls_in.active >= 0)
{
tls_error(US"STARTTLS received after TLS started", "", NULL);
smtp_printf("554 Already in TLS\r\n");
the response. Other smtp_printf() calls do not need it, because in non-TLS
mode, the fflush() happens when smtp_getc() is called. */
-if (!tls_on_connect)
+if (!state->tlsp->on_connect)
{
smtp_printf("220 TLS go ahead\r\n");
- fflush(smtp_out);
+ fflush(smtp_out); /*XXX JGH */
}
/* Now negotiate the TLS session. We put our own timer on it, since it seems
/* Sets various Exim expansion variables; always safe within server */
-extract_exim_vars_from_tls_state(state);
+extract_exim_vars_from_tls_state(state, TRUE);
/* TLS has been set up. Adjust the input functions to read via TLS,
and initialize appropriately. */
verify_certs file for certificate verify
verify_crl CRL for verify
require_ciphers list of allowed ciphers or NULL
+ dh_min_bits minimum number of bits acceptable in server's DH prime
timeout startup timeout
Returns: OK/DEFER/FAIL (because using common functions),
address_item *addr ARG_UNUSED, uschar *dhparam ARG_UNUSED,
uschar *certificate, uschar *privatekey, uschar *sni,
uschar *verify_certs, uschar *verify_crl,
- uschar *require_ciphers, int timeout)
+ uschar *require_ciphers, int dh_min_bits, int timeout)
{
int rc;
const char *error;
sni, verify_certs, verify_crl, require_ciphers, &state);
if (rc != OK) return rc;
-gnutls_dh_set_prime_bits(state->session, EXIM_CLIENT_DH_MIN_BITS);
+if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
+ {
+ DEBUG(D_tls)
+ debug_printf("WARNING: tls_dh_min_bits far too low, clamping %d up to %d\n",
+ dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
+ dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
+ }
+
+DEBUG(D_tls) debug_printf("Setting D-H prime minimum acceptable bits to %d\n",
+ dh_min_bits);
+gnutls_dh_set_prime_bits(state->session, dh_min_bits);
if (verify_certs == NULL)
{
/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
-extract_exim_vars_from_tls_state(state);
+extract_exim_vars_from_tls_state(state, FALSE);
return OK;
}
*/
void
-tls_close(BOOL shutdown)
+tls_close(BOOL is_server, BOOL shutdown)
{
-exim_gnutls_state_st *state = current_global_tls_state;
+exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
-if (tls_active < 0) return; /* TLS was not active */
+if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
if (shutdown)
{
gnutls_deinit(state->session);
+state->tlsp->active = -1;
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
if ((state_server.session == NULL) && (state_client.session == NULL))
exim_gnutls_base_init_done = FALSE;
}
-tls_active = -1;
}
/* This gets the next byte from the TLS input buffer. If the buffer is empty,
it refills the buffer via the GnuTLS reading function.
+Only used by the server-side TLS.
This feeds DKIM and should be used for all message-body reads.
int
tls_getc(void)
{
-exim_gnutls_state_st *state = current_global_tls_state;
+exim_gnutls_state_st *state = &state_server;
if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
{
ssize_t inbytes;
gnutls_deinit(state->session);
state->session = NULL;
- tls_active = -1;
- tls_bits = 0;
- tls_certificate_verified = FALSE;
- tls_channelbinding_b64 = NULL;
- tls_cipher = NULL;
- tls_peerdn = NULL;
+ state->tlsp->active = -1;
+ state->tlsp->bits = 0;
+ state->tlsp->certificate_verified = FALSE;
+ tls_channelbinding_b64 = NULL; /*XXX JGH */
+ state->tlsp->cipher = NULL;
+ state->tlsp->peerdn = NULL;
return smtp_getc();
}
/* This does not feed DKIM, so if the caller uses this for reading message body,
then the caller must feed DKIM.
+
Arguments:
buff buffer of data
len size of buffer
*/
int
-tls_read(uschar *buff, size_t len)
+tls_read(BOOL is_server, uschar *buff, size_t len)
{
-exim_gnutls_state_st *state = current_global_tls_state;
+exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
ssize_t inbytes;
if (len > INT_MAX)
/*
Arguments:
+ is_server channel specifier
buff buffer of data
len number of bytes
*/
int
-tls_write(const uschar *buff, size_t len)
+tls_write(BOOL is_server, const uschar *buff, size_t len)
{
ssize_t outbytes;
size_t left = len;
-exim_gnutls_state_st *state = current_global_tls_state;
+exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
DEBUG(D_tls) debug_printf("tls_do_write(%p, " SIZE_T_FMT ")\n", buff, left);
while (left > 0)
/* Local static variables */
-static BOOL verify_callback_called = FALSE;
+static BOOL client_verify_callback_called = FALSE;
+static BOOL server_verify_callback_called = FALSE;
static const uschar *sid_ctx = US"exim";
-static SSL_CTX *ctx = NULL;
+static SSL_CTX *client_ctx = NULL;
+static SSL_CTX *server_ctx = NULL;
+static SSL *client_ssl = NULL;
+static SSL *server_ssl = NULL;
+
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
-static SSL_CTX *ctx_sni = NULL;
+static SSL_CTX *client_sni = NULL;
+static SSL_CTX *server_sni = NULL;
#endif
-static SSL *ssl = NULL;
static char ssl_errstring[256];
static int ssl_session_timeout = 200;
-static BOOL verify_optional = FALSE;
+static BOOL client_verify_optional = FALSE;
+static BOOL server_verify_optional = FALSE;
static BOOL reexpand_tls_files_for_sni = FALSE;
/* should figure out a cleanup of API to handle state preserved per
implementation, for various reasons, which can be void * in the APIs.
For now, we hack around it. */
-tls_ext_ctx_cb *static_cbinfo = NULL;
+tls_ext_ctx_cb *client_static_cbinfo = NULL;
+tls_ext_ctx_cb *server_static_cbinfo = NULL;
static int
-setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional);
+setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, BOOL client);
/* Callbacks */
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
Arguments:
state current yes/no state as 1/0
x509ctx certificate information.
+ client TRUE for client startup, FALSE for server startup
Returns: 1 if verified, 0 if not
*/
static int
-verify_callback(int state, X509_STORE_CTX *x509ctx)
+verify_callback(int state, X509_STORE_CTX *x509ctx, BOOL client)
{
static uschar txt[256];
+tls_support * tlsp;
+BOOL * calledp;
+BOOL * optionalp;
+
+if (client)
+ {
+ tlsp= &tls_out;
+ calledp= &client_verify_callback_called;
+ optionalp= &client_verify_optional;
+ }
+else
+ {
+ tlsp= &tls_in;
+ calledp= &server_verify_callback_called;
+ optionalp= &server_verify_optional;
+ }
X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
CS txt, sizeof(txt));
x509ctx->error_depth,
X509_verify_cert_error_string(x509ctx->error),
txt);
- tls_certificate_verified = FALSE;
- verify_callback_called = TRUE;
- if (!verify_optional) return 0; /* reject */
+ tlsp->certificate_verified = FALSE;
+ *calledp = TRUE;
+ if (!*optionalp) return 0; /* reject */
DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
"tls_try_verify_hosts)\n");
return 1; /* accept */
else
{
DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
- verify_callback_called? "" : " authenticated", txt);
- tls_peerdn = txt;
+ *calledp ? "" : " authenticated", txt);
+ tlsp->peerdn = txt;
}
-if (!verify_callback_called) tls_certificate_verified = TRUE;
-verify_callback_called = TRUE;
+if (!*calledp) tlsp->certificate_verified = TRUE;
+*calledp = TRUE;
return 1; /* accept */
}
+static int
+verify_callback_client(int state, X509_STORE_CTX *x509ctx)
+{
+return verify_callback(state, x509ctx, TRUE);
+}
+
+static int
+verify_callback_server(int state, X509_STORE_CTX *x509ctx)
+{
+return verify_callback(state, x509ctx, FALSE);
+}
+
/*************************************************
if (cbinfo->certificate == NULL)
return OK;
-if (Ustrstr(cbinfo->certificate, US"tls_sni"))
+if (Ustrstr(cbinfo->certificate, US"tls_sni") ||
+ Ustrstr(cbinfo->certificate, US"tls_in_sni") ||
+ Ustrstr(cbinfo->certificate, US"tls_out_sni")
+ )
reexpand_tls_files_for_sni = TRUE;
if (!expand_check(cbinfo->certificate, US"tls_certificate", &expanded))
/* Make the extension value available for expansion */
store_pool = POOL_PERM;
-tls_sni = string_copy(US servername);
+tls_in.sni = string_copy(US servername);
store_pool = old_pool;
if (!reexpand_tls_files_for_sni)
not confident that memcpy wouldn't break some internal reference counting.
Especially since there's a references struct member, which would be off. */
-ctx_sni = SSL_CTX_new(SSLv23_server_method());
-if (!ctx_sni)
+server_sni = SSL_CTX_new(SSLv23_server_method());
+if (!server_sni)
{
ERR_error_string(ERR_get_error(), ssl_errstring);
DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
/* Not sure how many of these are actually needed, since SSL object
already exists. Might even need this selfsame callback, for reneg? */
-SSL_CTX_set_info_callback(ctx_sni, SSL_CTX_get_info_callback(ctx));
-SSL_CTX_set_mode(ctx_sni, SSL_CTX_get_mode(ctx));
-SSL_CTX_set_options(ctx_sni, SSL_CTX_get_options(ctx));
-SSL_CTX_set_timeout(ctx_sni, SSL_CTX_get_timeout(ctx));
-SSL_CTX_set_tlsext_servername_callback(ctx_sni, tls_servername_cb);
-SSL_CTX_set_tlsext_servername_arg(ctx_sni, cbinfo);
+SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(server_ctx));
+SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(server_ctx));
+SSL_CTX_set_options(server_sni, SSL_CTX_get_options(server_ctx));
+SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(server_ctx));
+SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
+SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
if (cbinfo->server_cipher_list)
- SSL_CTX_set_cipher_list(ctx_sni, CS cbinfo->server_cipher_list);
+ SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
#ifdef EXPERIMENTAL_OCSP
if (cbinfo->ocsp_file)
{
- SSL_CTX_set_tlsext_status_cb(ctx_sni, tls_stapling_cb);
+ SSL_CTX_set_tlsext_status_cb(server_sni, tls_stapling_cb);
SSL_CTX_set_tlsext_status_arg(ctx, cbinfo);
}
#endif
-rc = setup_certs(ctx_sni, tls_verify_certificates, tls_crl, NULL, FALSE);
+rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE, FALSE);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
/* do this after setup_certs, because this can require the certs for verifying
OCSP information. */
-rc = tls_expand_session_files(ctx_sni, cbinfo);
+rc = tls_expand_session_files(server_sni, cbinfo);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
-rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
+rc = init_dh(server_sni, cbinfo->dhparam, NULL);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
DEBUG(D_tls) debug_printf("Switching SSL context.\n");
-SSL_set_SSL_CTX(s, ctx_sni);
+SSL_set_SSL_CTX(s, server_sni);
return SSL_TLSEXT_ERR_OK;
}
*/
static int
-tls_init(host_item *host, uschar *dhparam, uschar *certificate,
+tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
uschar *privatekey,
#ifdef EXPERIMENTAL_OCSP
uschar *ocsp_file,
#endif
- address_item *addr)
+ address_item *addr, tls_ext_ctx_cb ** cbp)
{
long init_options;
int rc;
By disabling with openssl_options, we can let admins re-enable with the
existing knob. */
-ctx = SSL_CTX_new((host == NULL)?
+*ctxp = SSL_CTX_new((host == NULL)?
SSLv23_server_method() : SSLv23_client_method());
-if (ctx == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
+if (*ctxp == NULL) return tls_error(US"SSL_CTX_new", host, NULL);
/* It turns out that we need to seed the random number generator this early in
order to get the full complement of ciphers to work. It took me roughly a day
/* Set up the information callback, which outputs if debugging is at a suitable
level. */
-SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
+SSL_CTX_set_info_callback(*ctxp, (void (*)())info_callback);
/* Automatically re-try reads/writes after renegotiation. */
-(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+(void) SSL_CTX_set_mode(*ctxp, SSL_MODE_AUTO_RETRY);
/* Apply administrator-supplied work-arounds.
Historically we applied just one requested option,
if (init_options)
{
DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
- if (!(SSL_CTX_set_options(ctx, init_options)))
+ if (!(SSL_CTX_set_options(*ctxp, init_options)))
return tls_error(string_sprintf(
"SSL_CTX_set_option(%#lx)", init_options), host, NULL);
}
/* Initialize with DH parameters if supplied */
-if (!init_dh(ctx, dhparam, host)) return DEFER;
+if (!init_dh(*ctxp, dhparam, host)) return DEFER;
/* Set up certificate and key (and perhaps OCSP info) */
-rc = tls_expand_session_files(ctx, cbinfo);
+rc = tls_expand_session_files(*ctxp, cbinfo);
if (rc != OK) return rc;
/* If we need to handle SNI, do so */
#endif
/* We always do this, so that $tls_sni is available even if not used in
tls_certificate */
- SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
- SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
+ SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
}
#endif
/* Set up the RSA callback */
-SSL_CTX_set_tmp_rsa_callback(ctx, rsa_callback);
+SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
/* Finally, set the timeout, and we are done */
-SSL_CTX_set_timeout(ctx, ssl_session_timeout);
+SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
DEBUG(D_tls) debug_printf("Initialized TLS\n");
-static_cbinfo = cbinfo;
+*cbp = cbinfo;
return OK;
}
* Get name of cipher in use *
*************************************************/
-/* The answer is left in a static buffer, and tls_cipher is set to point
-to it.
-
+/*
Argument: pointer to an SSL structure for the connection
+ buffer to use for answer
+ size of buffer
+ pointer to number of bits for cipher
Returns: nothing
*/
static void
-construct_cipher_name(SSL *ssl)
+construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
{
-static uschar cipherbuf[256];
/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */
}
c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
-SSL_CIPHER_get_bits(c, &tls_bits);
+SSL_CIPHER_get_bits(c, bits);
-string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
- SSL_CIPHER_get_name(c), tls_bits);
-tls_cipher = cipherbuf;
+string_format(cipherbuf, bsize, "%s:%s:%u", ver,
+ SSL_CIPHER_get_name(c), *bits);
DEBUG(D_tls) debug_printf("Cipher: %s\n", cipherbuf);
}
host NULL in a server; the remote host in a client
optional TRUE if called from a server for a host in tls_try_verify_hosts;
otherwise passed as FALSE
+ client TRUE if called for client startup, FALSE for server startup
Returns: OK/DEFER/FAIL
*/
static int
-setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional)
+setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, BOOL client)
{
uschar *expcerts, *expcrl;
SSL_CTX_set_verify(sctx,
SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
- verify_callback);
+ client ? verify_callback_client : verify_callback_server);
}
return OK;
int rc;
uschar *expciphers;
tls_ext_ctx_cb *cbinfo;
+static uschar cipherbuf[256];
/* Check for previous activation */
-if (tls_active >= 0)
+if (tls_in.active >= 0)
{
tls_error(US"STARTTLS received after TLS started", NULL, US"");
smtp_printf("554 Already in TLS\r\n");
/* Initialize the SSL library. If it fails, it will already have logged
the error. */
-rc = tls_init(NULL, tls_dhparam, tls_certificate, tls_privatekey,
+rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
#ifdef EXPERIMENTAL_OCSP
tls_ocsp_file,
#endif
- NULL);
+ NULL, &server_static_cbinfo);
if (rc != OK) return rc;
-cbinfo = static_cbinfo;
+cbinfo = server_static_cbinfo;
if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
return FAIL;
uschar *s = expciphers;
while (*s != 0) { if (*s == '_') *s = '-'; s++; }
DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
- if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
+ if (!SSL_CTX_set_cipher_list(server_ctx, CS expciphers))
return tls_error(US"SSL_CTX_set_cipher_list", NULL, NULL);
cbinfo->server_cipher_list = expciphers;
}
/* If this is a host for which certificate verification is mandatory or
optional, set up appropriately. */
-tls_certificate_verified = FALSE;
-verify_callback_called = FALSE;
+tls_in.certificate_verified = FALSE;
+server_verify_callback_called = FALSE;
if (verify_check_host(&tls_verify_hosts) == OK)
{
- rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, FALSE);
+ rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, FALSE, FALSE);
if (rc != OK) return rc;
- verify_optional = FALSE;
+ server_verify_optional = FALSE;
}
else if (verify_check_host(&tls_try_verify_hosts) == OK)
{
- rc = setup_certs(ctx, tls_verify_certificates, tls_crl, NULL, TRUE);
+ rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, TRUE, FALSE);
if (rc != OK) return rc;
- verify_optional = TRUE;
+ server_verify_optional = TRUE;
}
/* Prepare for new connection */
-if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
+if ((server_ssl = SSL_new(server_ctx)) == NULL) return tls_error(US"SSL_new", NULL, NULL);
/* Warning: we used to SSL_clear(ssl) here, it was removed.
*
the response. Other smtp_printf() calls do not need it, because in non-TLS
mode, the fflush() happens when smtp_getc() is called. */
-SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
-if (!tls_on_connect)
+SSL_set_session_id_context(server_ssl, sid_ctx, Ustrlen(sid_ctx));
+if (!tls_in.on_connect)
{
smtp_printf("220 TLS go ahead\r\n");
fflush(smtp_out);
/* Now negotiate the TLS session. We put our own timer on it, since it seems
that the OpenSSL library doesn't. */
-SSL_set_wfd(ssl, fileno(smtp_out));
-SSL_set_rfd(ssl, fileno(smtp_in));
-SSL_set_accept_state(ssl);
+SSL_set_wfd(server_ssl, fileno(smtp_out));
+SSL_set_rfd(server_ssl, fileno(smtp_in));
+SSL_set_accept_state(server_ssl);
DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
sigalrm_seen = FALSE;
if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
-rc = SSL_accept(ssl);
+rc = SSL_accept(server_ssl);
alarm(0);
if (rc <= 0)
/* TLS has been set up. Adjust the input functions to read via TLS,
and initialize things. */
-construct_cipher_name(ssl);
+construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
+tls_in.cipher = cipherbuf;
DEBUG(D_tls)
{
uschar buf[2048];
- if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)) != NULL)
+ if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
debug_printf("Shared ciphers: %s\n", buf);
}
+/* Only used by the server-side tls (tls_in), including tls_getc.
+ Client-side (tls_out) reads (seem to?) go via
+ smtp_read_response()/ip_recv().
+ Hence no need to duplicate for _in and _out.
+ */
ssl_xfer_buffer = store_malloc(ssl_xfer_buffer_size);
ssl_xfer_buffer_lwm = ssl_xfer_buffer_hwm = 0;
ssl_xfer_eof = ssl_xfer_error = 0;
receive_ferror = tls_ferror;
receive_smtp_buffered = tls_smtp_buffered;
-tls_active = fileno(smtp_out);
+tls_in.active = fileno(smtp_out);
return OK;
}
verify_certs file for certificate verify
crl file containing CRL
require_ciphers list of allowed ciphers
+ dh_min_bits minimum number of bits acceptable in server's DH prime
+ (unused in OpenSSL)
timeout startup timeout
Returns: OK on success
tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
uschar *certificate, uschar *privatekey, uschar *sni,
uschar *verify_certs, uschar *crl,
- uschar *require_ciphers, int timeout)
+ uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout)
{
static uschar txt[256];
uschar *expciphers;
X509* server_cert;
int rc;
+static uschar cipherbuf[256];
-rc = tls_init(host, dhparam, certificate, privatekey,
+rc = tls_init(&client_ctx, host, dhparam, certificate, privatekey,
#ifdef EXPERIMENTAL_OCSP
NULL,
#endif
- addr);
+ addr, &client_static_cbinfo);
if (rc != OK) return rc;
-tls_certificate_verified = FALSE;
-verify_callback_called = FALSE;
+tls_out.certificate_verified = FALSE;
+client_verify_callback_called = FALSE;
if (!expand_check(require_ciphers, US"tls_require_ciphers", &expciphers))
return FAIL;
uschar *s = expciphers;
while (*s != 0) { if (*s == '_') *s = '-'; s++; }
DEBUG(D_tls) debug_printf("required ciphers: %s\n", expciphers);
- if (!SSL_CTX_set_cipher_list(ctx, CS expciphers))
+ if (!SSL_CTX_set_cipher_list(client_ctx, CS expciphers))
return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
}
-rc = setup_certs(ctx, verify_certs, crl, host, FALSE);
+rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, TRUE);
if (rc != OK) return rc;
-if ((ssl = SSL_new(ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
-SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
-SSL_set_fd(ssl, fd);
-SSL_set_connect_state(ssl);
+if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
+SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
+SSL_set_fd(client_ssl, fd);
+SSL_set_connect_state(client_ssl);
if (sni)
{
- if (!expand_check(sni, US"tls_sni", &tls_sni))
+ if (!expand_check(sni, US"tls_sni", &tls_out.sni))
return FAIL;
- if (tls_sni == NULL)
+ if (tls_out.sni == NULL)
{
DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n");
}
- else if (!Ustrlen(tls_sni))
- tls_sni = NULL;
+ else if (!Ustrlen(tls_out.sni))
+ tls_out.sni = NULL;
else
{
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
- DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
- SSL_set_tlsext_host_name(ssl, tls_sni);
+ DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_out.sni);
+ SSL_set_tlsext_host_name(client_ssl, tls_out.sni);
#else
DEBUG(D_tls)
debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
sigalrm_seen = FALSE;
alarm(timeout);
-rc = SSL_connect(ssl);
+rc = SSL_connect(client_ssl);
alarm(0);
if (rc <= 0)
DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
/* Beware anonymous ciphers which lead to server_cert being NULL */
-server_cert = SSL_get_peer_certificate (ssl);
+server_cert = SSL_get_peer_certificate (client_ssl);
if (server_cert)
{
- tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
+ tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert),
CS txt, sizeof(txt));
- tls_peerdn = txt;
+ tls_out.peerdn = txt;
}
else
- tls_peerdn = NULL;
+ tls_out.peerdn = NULL;
-construct_cipher_name(ssl); /* Sets tls_cipher */
+construct_cipher_name(client_ssl, cipherbuf, sizeof(cipherbuf), &tls_out.bits);
+tls_out.cipher = cipherbuf;
-tls_active = fd;
+tls_out.active = fd;
return OK;
}
Arguments: none
Returns: the next character or EOF
+
+Only used by the server-side TLS.
*/
int
int error;
int inbytes;
- DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
+ DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
ssl_xfer_buffer, ssl_xfer_buffer_size);
if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
- inbytes = SSL_read(ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
- error = SSL_get_error(ssl, inbytes);
+ inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
+ error = SSL_get_error(server_ssl, inbytes);
alarm(0);
/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
receive_ferror = smtp_ferror;
receive_smtp_buffered = smtp_buffered;
- SSL_free(ssl);
- ssl = NULL;
- tls_active = -1;
- tls_bits = 0;
- tls_cipher = NULL;
- tls_peerdn = NULL;
- tls_sni = NULL;
+ SSL_free(server_ssl);
+ server_ssl = NULL;
+ tls_in.active = -1;
+ tls_in.bits = 0;
+ tls_in.cipher = NULL;
+ tls_in.peerdn = NULL;
+ tls_in.sni = NULL;
return smtp_getc();
}
Returns: the number of bytes read
-1 after a failed read
+
+Only used by the client-side TLS.
*/
int
-tls_read(uschar *buff, size_t len)
+tls_read(BOOL is_server, uschar *buff, size_t len)
{
+SSL *ssl = is_server ? server_ssl : client_ssl;
int inbytes;
int error;
/*
Arguments:
+ is_server channel specifier
buff buffer of data
len number of bytes
Returns: the number of bytes after a successful write,
-1 after a failed write
+
+Used by both server-side and client-side TLS.
*/
int
-tls_write(const uschar *buff, size_t len)
+tls_write(BOOL is_server, const uschar *buff, size_t len)
{
int outbytes;
int error;
int left = len;
+SSL *ssl = is_server ? server_ssl : client_ssl;
DEBUG(D_tls) debug_printf("tls_do_write(%p, %d)\n", buff, left);
while (left > 0)
log_write(0, LOG_MAIN, "SSL channel closed on write");
return -1;
+ case SSL_ERROR_SYSCALL:
+ log_write(0, LOG_MAIN, "SSL_write: (from %s) syscall: %s",
+ sender_fullhost ? sender_fullhost : US"<unknown>",
+ strerror(errno));
+
default:
log_write(0, LOG_MAIN, "SSL_write error %d", error);
return -1;
Arguments: TRUE if SSL_shutdown is to be called
Returns: nothing
+
+Used by both server-side and client-side TLS.
*/
void
-tls_close(BOOL shutdown)
+tls_close(BOOL is_server, BOOL shutdown)
{
-if (tls_active < 0) return; /* TLS was not active */
+SSL **sslp = is_server ? &server_ssl : &client_ssl;
+int *fdp = is_server ? &tls_in.active : &tls_out.active;
+
+if (*fdp < 0) return; /* TLS was not active */
if (shutdown)
{
DEBUG(D_tls) debug_printf("tls_close(): shutting down SSL\n");
- SSL_shutdown(ssl);
+ SSL_shutdown(*sslp);
}
-SSL_free(ssl);
-ssl = NULL;
+SSL_free(*sslp);
+*sslp = NULL;
-tls_active = -1;
+*fdp = -1;
}
#ifdef USE_GNUTLS
#include "tls-gnu.c"
-#define ssl_xfer_buffer (current_global_tls_state->xfer_buffer)
-#define ssl_xfer_buffer_lwm (current_global_tls_state->xfer_buffer_lwm)
-#define ssl_xfer_buffer_hwm (current_global_tls_state->xfer_buffer_hwm)
-#define ssl_xfer_eof (current_global_tls_state->xfer_eof)
-#define ssl_xfer_error (current_global_tls_state->xfer_error)
+#define ssl_xfer_buffer (state_server.xfer_buffer)
+#define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
+#define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
+#define ssl_xfer_eof (state_server.xfer_eof)
+#define ssl_xfer_error (state_server.xfer_error)
#else
#include "tls-openssl.c"
/* Puts a character back in the input buffer. Only ever
called once.
+Only used by the server-side TLS.
Arguments:
ch the character
*************************************************/
/* Tests for a previous EOF
+Only used by the server-side TLS.
Arguments: none
Returns: non-zero if the eof flag is set
/* Tests for a previous read error, and returns with errno
restored to what it was when the error was detected.
+Only used by the server-side TLS.
>>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
*************************************************/
/* Tests for unused chars in the TLS input buffer.
+Only used by the server-side TLS.
Arguments: none
Returns: TRUE/FALSE
if (transport_write_timeout <= 0) /* No timeout wanted */
{
#ifdef SUPPORT_TLS
- if (tls_active == fd) rc = tls_write(block, len); else
+ if (tls_out.active == fd) rc = tls_write(FALSE, block, len); else
#endif
rc = write(fd, block, len);
save_errno = errno;
{
alarm(local_timeout);
#ifdef SUPPORT_TLS
- if (tls_active == fd) rc = tls_write(block, len); else
+ if (tls_out.active == fd) rc = tls_write(FALSE, block, len); else
#endif
rc = write(fd, block, len);
save_errno = errno;
int siglen = Ustrlen(dkim_signature);
while(siglen > 0) {
#ifdef SUPPORT_TLS
- if (tls_active == fd) wwritten = tls_write(dkim_signature, siglen); else
+ if (tls_out.active == fd) wwritten = tls_write(FALSE, dkim_signature, siglen); else
#endif
wwritten = write(fd,dkim_signature,siglen);
if (wwritten == -1) {
to the socket. However only if we don't use TLS,
in which case theres another layer of indirection
before the data finally hits the socket. */
- if (tls_active != fd)
+ if (tls_out.active != fd)
{
ssize_t copied = 0;
off_t offset = 0;
/* write the chunk */
DKIM_WRITE:
#ifdef SUPPORT_TLS
- if (tls_active == fd) wwritten = tls_write(US p, sread); else
+ if (tls_out.active == fd) wwritten = tls_write(FALSE, US p, sread); else
#endif
wwritten = write(fd,p,sread);
if (wwritten == -1)
(void *)offsetof(smtp_transport_options_block, dns_qualify_single) },
{ "dns_search_parents", opt_bool,
(void *)offsetof(smtp_transport_options_block, dns_search_parents) },
+ { "dscp", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, dscp) },
{ "fallback_hosts", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, fallback_hosts) },
{ "final_timeout", opt_time,
#endif
{ "hosts_try_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
+#ifdef SUPPORT_TLS
+ { "hosts_verify_avoid_tls", opt_stringptr,
+ (void *)offsetof(smtp_transport_options_block, hosts_verify_avoid_tls) },
+#endif
{ "interface", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, interface) },
{ "keepalive", opt_bool,
(void *)offsetof(smtp_transport_options_block, tls_certificate) },
{ "tls_crl", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_crl) },
+ { "tls_dh_min_bits", opt_int,
+ (void *)offsetof(smtp_transport_options_block, tls_dh_min_bits) },
{ "tls_privatekey", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_privatekey) },
{ "tls_require_ciphers", opt_stringptr,
NULL, /* interface */
NULL, /* port */
US"smtp", /* protocol */
+ NULL, /* DSCP */
NULL, /* serialize_hosts */
NULL, /* hosts_try_auth */
NULL, /* hosts_require_auth */
NULL, /* hosts_require_tls */
NULL, /* hosts_avoid_tls */
+ US"*", /* hosts_verify_avoid_tls */
NULL, /* hosts_avoid_pipelining */
NULL, /* hosts_avoid_esmtp */
NULL, /* hosts_nopass_tls */
NULL, /* gnutls_require_kx */
NULL, /* gnutls_require_mac */
NULL, /* gnutls_require_proto */
+ NULL, /* tls_sni */
NULL, /* tls_verify_certificates */
- TRUE, /* tls_tempfail_tryclear */
- NULL /* tls_sni */
+ EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
+ /* tls_dh_min_bits */
+ TRUE /* tls_tempfail_tryclear */
#endif
#ifndef DISABLE_DKIM
,NULL, /* dkim_canon */
/* Reset the parameters of a TLS session. */
-tls_bits = 0;
-tls_cipher = NULL;
-tls_peerdn = NULL;
+tls_in.bits = 0;
+tls_in.cipher = NULL; /* for back-compatible behaviour */
+tls_in.peerdn = NULL;
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+tls_in.sni = NULL;
+#endif
+
+tls_out.bits = 0;
+tls_out.cipher = NULL; /* the one we may use for this transport */
+tls_out.peerdn = NULL;
#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
-tls_sni = NULL;
+tls_out.sni = NULL;
#endif
/* If an authenticated_sender override has been specified for this transport
{
inblock.sock = outblock.sock =
smtp_connect(host, host_af, port, interface, ob->connect_timeout,
- ob->keepalive); /* This puts port into host->port */
+ ob->keepalive, ob->dscp); /* This puts port into host->port */
if (inblock.sock < 0)
{
ob->tls_verify_certificates,
ob->tls_crl,
ob->tls_require_ciphers,
+ ob->tls_dh_min_bits,
ob->command_timeout);
/* TLS negotiation failed; give an error. From outside, this function may
{
if (addr->transport_return == PENDING_DEFER)
{
- addr->cipher = tls_cipher;
- addr->peerdn = tls_peerdn;
+ addr->cipher = tls_out.cipher;
+ addr->peerdn = tls_out.peerdn;
}
}
}
expand it here. $sending_ip_address and $sending_port are set up right at the
start of the Exim process (in exim.c). */
-if (tls_active >= 0)
+if (tls_out.active >= 0)
{
char *greeting_cmd;
if (helo_data == NULL)
if (continue_hostname == NULL
#ifdef SUPPORT_TLS
- || tls_active >= 0
+ || tls_out.active >= 0
#endif
)
{
BOOL more;
if (first_addr != NULL || continue_more ||
(
- (tls_active < 0 ||
+ (tls_out.active < 0 ||
verify_check_this_host(&(ob->hosts_nopass_tls), NULL, host->name,
host->address, NULL) != OK)
&&
don't get a good response, we don't attempt to pass the socket on. */
#ifdef SUPPORT_TLS
- if (tls_active >= 0)
+ if (tls_out.active >= 0)
{
- tls_close(TRUE);
+ tls_close(FALSE, TRUE);
if (smtps)
ok = FALSE;
else
END_OFF:
#ifdef SUPPORT_TLS
-tls_close(TRUE);
+tls_close(FALSE, TRUE);
#endif
/* Close the socket, and return the appropriate value, first setting
uschar *interface;
uschar *port;
uschar *protocol;
+ uschar *dscp;
uschar *serialize_hosts;
uschar *hosts_try_auth;
uschar *hosts_require_auth;
uschar *hosts_require_tls;
uschar *hosts_avoid_tls;
+ uschar *hosts_verify_avoid_tls;
uschar *hosts_avoid_pipelining;
uschar *hosts_avoid_esmtp;
uschar *hosts_nopass_tls;
uschar *gnutls_require_kx;
uschar *gnutls_require_mac;
uschar *gnutls_require_proto;
+ uschar *tls_sni;
uschar *tls_verify_certificates;
+ int tls_dh_min_bits;
BOOL tls_tempfail_tryclear;
- uschar *tls_sni;
#endif
#ifndef DISABLE_DKIM
uschar *dkim_domain;
#include "exim.h"
+#include "transports/smtp.h"
+
+#define CUTTHROUGH_CMD_TIMEOUT 30 /* timeout for cutthrough-routing calls */
+#define CUTTHROUGH_DATA_TIMEOUT 60 /* timeout for cutthrough-routing calls */
+address_item cutthrough_addr;
+static smtp_outblock ctblock;
+uschar ctbuffer[8192];
/* Structure for caching DNSBL lookups */
dbm_file = NULL;
}
-/* The information wasn't available in the cache, so we have to do a real
-callout and save the result in the cache for next time, unless no_cache is set,
-or unless we have a previously cached negative random result. If we are to test
-with a random local part, ensure that such a local part is available. If not,
-log the fact, but carry on without randomming. */
-
-if (callout_random && callout_random_local_part != NULL)
+if (!addr->transport)
{
- random_local_part = expand_string(callout_random_local_part);
- if (random_local_part == NULL)
- log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
- "callout_random_local_part: %s", expand_string_message);
+ HDEBUG(D_verify) debug_printf("cannot callout via null transport\n");
}
+else
+ {
+ smtp_transport_options_block *ob =
+ (smtp_transport_options_block *)(addr->transport->options_block);
-/* Default the connect and overall callout timeouts if not set, and record the
-time we are starting so that we can enforce it. */
+ /* The information wasn't available in the cache, so we have to do a real
+ callout and save the result in the cache for next time, unless no_cache is set,
+ or unless we have a previously cached negative random result. If we are to test
+ with a random local part, ensure that such a local part is available. If not,
+ log the fact, but carry on without randomming. */
-if (callout_overall < 0) callout_overall = 4 * callout;
-if (callout_connect < 0) callout_connect = callout;
-callout_start_time = time(NULL);
+ if (callout_random && callout_random_local_part != NULL)
+ {
+ random_local_part = expand_string(callout_random_local_part);
+ if (random_local_part == NULL)
+ log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand "
+ "callout_random_local_part: %s", expand_string_message);
+ }
-/* Before doing a real callout, if this is an SMTP connection, flush the SMTP
-output because a callout might take some time. When PIPELINING is active and
-there are many recipients, the total time for doing lots of callouts can add up
-and cause the client to time out. So in this case we forgo the PIPELINING
-optimization. */
+ /* Default the connect and overall callout timeouts if not set, and record the
+ time we are starting so that we can enforce it. */
-if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush();
+ if (callout_overall < 0) callout_overall = 4 * callout;
+ if (callout_connect < 0) callout_connect = callout;
+ callout_start_time = time(NULL);
-/* Now make connections to the hosts and do real callouts. The list of hosts
-is passed in as an argument. */
+ /* Before doing a real callout, if this is an SMTP connection, flush the SMTP
+ output because a callout might take some time. When PIPELINING is active and
+ there are many recipients, the total time for doing lots of callouts can add up
+ and cause the client to time out. So in this case we forgo the PIPELINING
+ optimization. */
-for (host = host_list; host != NULL && !done; host = host->next)
- {
- smtp_inblock inblock;
- smtp_outblock outblock;
- int host_af;
- int port = 25;
- BOOL send_quit = TRUE;
- uschar *active_hostname = smtp_active_hostname;
- uschar *helo = US"HELO";
- uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
- uschar inbuffer[4096];
- uschar outbuffer[1024];
- uschar responsebuffer[4096];
-
- clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
- clearflag(addr, af_verify_nsfail); /* null sender callout flag */
-
- /* Skip this host if we don't have an IP address for it. */
-
- if (host->address == NULL)
- {
- DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
- host->name);
- continue;
- }
+ if (smtp_out != NULL && !disable_callout_flush) mac_smtp_fflush();
- /* Check the overall callout timeout */
+ /* Now make connections to the hosts and do real callouts. The list of hosts
+ is passed in as an argument. */
- if (time(NULL) - callout_start_time >= callout_overall)
+ for (host = host_list; host != NULL && !done; host = host->next)
{
- HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
- break;
- }
+ smtp_inblock inblock;
+ smtp_outblock outblock;
+ int host_af;
+ int port = 25;
+ BOOL send_quit = TRUE;
+ uschar *active_hostname = smtp_active_hostname;
+ BOOL lmtp;
+ BOOL smtps;
+ BOOL esmtp;
+ BOOL suppress_tls = FALSE;
+ uschar *interface = NULL; /* Outgoing interface to use; NULL => any */
+ uschar inbuffer[4096];
+ uschar outbuffer[1024];
+ uschar responsebuffer[4096];
+
+ clearflag(addr, af_verify_pmfail); /* postmaster callout flag */
+ clearflag(addr, af_verify_nsfail); /* null sender callout flag */
+
+ /* Skip this host if we don't have an IP address for it. */
+
+ if (host->address == NULL)
+ {
+ DEBUG(D_verify) debug_printf("no IP address for host name %s: skipping\n",
+ host->name);
+ continue;
+ }
- /* Set IPv4 or IPv6 */
+ /* Check the overall callout timeout */
- host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
+ if (time(NULL) - callout_start_time >= callout_overall)
+ {
+ HDEBUG(D_verify) debug_printf("overall timeout for callout exceeded\n");
+ break;
+ }
- /* Expand and interpret the interface and port strings. The latter will not
- be used if there is a host-specific port (e.g. from a manualroute router).
- This has to be delayed till now, because they may expand differently for
- different hosts. If there's a failure, log it, but carry on with the
- defaults. */
+ /* Set IPv4 or IPv6 */
- deliver_host = host->name;
- deliver_host_address = host->address;
- deliver_domain = addr->domain;
+ host_af = (Ustrchr(host->address, ':') == NULL)? AF_INET:AF_INET6;
- if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
- US"callout") ||
- !smtp_get_port(tf->port, addr, &port, US"callout"))
- log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
- addr->message);
+ /* Expand and interpret the interface and port strings. The latter will not
+ be used if there is a host-specific port (e.g. from a manualroute router).
+ This has to be delayed till now, because they may expand differently for
+ different hosts. If there's a failure, log it, but carry on with the
+ defaults. */
- /* Set HELO string according to the protocol */
+ deliver_host = host->name;
+ deliver_host_address = host->address;
+ deliver_domain = addr->domain;
- if (Ustrcmp(tf->protocol, "lmtp") == 0) helo = US"LHLO";
+ if (!smtp_get_interface(tf->interface, host_af, addr, NULL, &interface,
+ US"callout") ||
+ !smtp_get_port(tf->port, addr, &port, US"callout"))
+ log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: %s", addr->address,
+ addr->message);
- HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
+ /* Set HELO string according to the protocol */
+ lmtp= Ustrcmp(tf->protocol, "lmtp") == 0;
+ smtps= Ustrcmp(tf->protocol, "smtps") == 0;
- /* Set up the buffer for reading SMTP response packets. */
- inblock.buffer = inbuffer;
- inblock.buffersize = sizeof(inbuffer);
- inblock.ptr = inbuffer;
- inblock.ptrend = inbuffer;
+ HDEBUG(D_verify) debug_printf("interface=%s port=%d\n", interface, port);
- /* Set up the buffer for holding SMTP commands while pipelining */
+ /* Set up the buffer for reading SMTP response packets. */
- outblock.buffer = outbuffer;
- outblock.buffersize = sizeof(outbuffer);
- outblock.ptr = outbuffer;
- outblock.cmd_count = 0;
- outblock.authenticating = FALSE;
+ inblock.buffer = inbuffer;
+ inblock.buffersize = sizeof(inbuffer);
+ inblock.ptr = inbuffer;
+ inblock.ptrend = inbuffer;
- /* Connect to the host; on failure, just loop for the next one, but we
- set the error for the last one. Use the callout_connect timeout. */
+ /* Set up the buffer for holding SMTP commands while pipelining */
- inblock.sock = outblock.sock =
- smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
- if (inblock.sock < 0)
- {
- addr->message = string_sprintf("could not connect to %s [%s]: %s",
- host->name, host->address, strerror(errno));
- deliver_host = deliver_host_address = NULL;
- deliver_domain = save_deliver_domain;
- continue;
- }
+ outblock.buffer = outbuffer;
+ outblock.buffersize = sizeof(outbuffer);
+ outblock.ptr = outbuffer;
+ outblock.cmd_count = 0;
+ outblock.authenticating = FALSE;
- /* Expand the helo_data string to find the host name to use. */
+ /* Reset the parameters of a TLS session */
+ tls_out.cipher = tls_out.peerdn = NULL;
- if (tf->helo_data != NULL)
- {
- uschar *s = expand_string(tf->helo_data);
- if (s == NULL)
- log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's "
- "helo_data value for callout: %s", addr->address,
- expand_string_message);
- else active_hostname = s;
- }
+ /* Connect to the host; on failure, just loop for the next one, but we
+ set the error for the last one. Use the callout_connect timeout. */
- deliver_host = deliver_host_address = NULL;
- deliver_domain = save_deliver_domain;
+ tls_retry_connection:
- /* Wait for initial response, and send HELO. The smtp_write_command()
- function leaves its command in big_buffer. This is used in error responses.
- Initialize it in case the connection is rejected. */
+ inblock.sock = outblock.sock =
+ smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
+ /* reconsider DSCP here */
+ if (inblock.sock < 0)
+ {
+ addr->message = string_sprintf("could not connect to %s [%s]: %s",
+ host->name, host->address, strerror(errno));
+ deliver_host = deliver_host_address = NULL;
+ deliver_domain = save_deliver_domain;
+ continue;
+ }
- Ustrcpy(big_buffer, "initial connection");
+ /* Expand the helo_data string to find the host name to use. */
- done =
- smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
- '2', callout) &&
- smtp_write_command(&outblock, FALSE, "%s %s\r\n", helo,
- active_hostname) >= 0 &&
- smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
- '2', callout);
+ if (tf->helo_data != NULL)
+ {
+ uschar *s = expand_string(tf->helo_data);
+ if (s == NULL)
+ log_write(0, LOG_MAIN|LOG_PANIC, "<%s>: failed to expand transport's "
+ "helo_data value for callout: %s", addr->address,
+ expand_string_message);
+ else active_hostname = s;
+ }
- /* Failure to accept HELO is cached; this blocks the whole domain for all
- senders. I/O errors and defer responses are not cached. */
+ deliver_host = deliver_host_address = NULL;
+ deliver_domain = save_deliver_domain;
- if (!done)
- {
- *failure_ptr = US"mail"; /* At or before MAIL */
- if (errno == 0 && responsebuffer[0] == '5')
+ /* Wait for initial response, and send HELO. The smtp_write_command()
+ function leaves its command in big_buffer. This is used in error responses.
+ Initialize it in case the connection is rejected. */
+
+ Ustrcpy(big_buffer, "initial connection");
+
+ /* Unless ssl-on-connect, wait for the initial greeting */
+ smtps_redo_greeting:
+
+ #ifdef SUPPORT_TLS
+ if (!smtps || (smtps && tls_out.active >= 0))
+ #endif
+ if (!(done= smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout)))
+ goto RESPONSE_FAILED;
+
+ /* Not worth checking greeting line for ESMTP support */
+ if (!(esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL,
+ host->name, host->address, NULL) != OK))
+ DEBUG(D_transport)
+ debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n");
+
+ tls_redo_helo:
+
+ #ifdef SUPPORT_TLS
+ if (smtps && tls_out.active < 0) /* ssl-on-connect, first pass */
{
- setflag(addr, af_verify_nsfail);
- new_domain_record.result = ccache_reject;
+ tls_offered = TRUE;
+ ob->tls_tempfail_tryclear = FALSE;
}
- }
+ else /* all other cases */
+ #endif
- /* Send the MAIL command */
+ { esmtp_retry:
- else done =
- smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
- from_address) >= 0 &&
- smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
- '2', callout);
+ if (!(done= smtp_write_command(&outblock, FALSE, "%s %s\r\n",
+ !esmtp? "HELO" : lmtp? "LHLO" : "EHLO", active_hostname) >= 0))
+ goto SEND_FAILED;
+ if (!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), '2', callout))
+ {
+ if (errno != 0 || responsebuffer[0] == 0 || lmtp || !esmtp || tls_out.active >= 0)
+ {
+ done= FALSE;
+ goto RESPONSE_FAILED;
+ }
+ #ifdef SUPPORT_TLS
+ tls_offered = FALSE;
+ #endif
+ esmtp = FALSE;
+ goto esmtp_retry; /* fallback to HELO */
+ }
- /* If the host does not accept MAIL FROM:<>, arrange to cache this
- information, but again, don't record anything for an I/O error or a defer. Do
- not cache rejections of MAIL when a non-empty sender has been used, because
- that blocks the whole domain for all senders. */
+ /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
+ #ifdef SUPPORT_TLS
+ if (esmtp && !suppress_tls && tls_out.active < 0)
+ {
+ if (regex_STARTTLS == NULL) regex_STARTTLS =
+ regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
- if (!done)
- {
- *failure_ptr = US"mail"; /* At or before MAIL */
- if (errno == 0 && responsebuffer[0] == '5')
+ tls_offered = pcre_exec(regex_STARTTLS, NULL, CS responsebuffer,
+ Ustrlen(responsebuffer), 0, PCRE_EOPT, NULL, 0) >= 0;
+ }
+ else
+ tls_offered = FALSE;
+ #endif
+ }
+
+ /* If TLS is available on this connection attempt to
+ start up a TLS session, unless the host is in hosts_avoid_tls. If successful,
+ send another EHLO - the server may give a different answer in secure mode. We
+ use a separate buffer for reading the response to STARTTLS so that if it is
+ negative, the original EHLO data is available for subsequent analysis, should
+ the client not be required to use TLS. If the response is bad, copy the buffer
+ for error analysis. */
+
+ #ifdef SUPPORT_TLS
+ if (tls_offered &&
+ verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name,
+ host->address, NULL) != OK &&
+ verify_check_this_host(&(ob->hosts_verify_avoid_tls), NULL, host->name,
+ host->address, NULL) != OK
+ )
{
- setflag(addr, af_verify_nsfail);
- if (from_address[0] == 0)
- new_domain_record.result = ccache_reject_mfnull;
+ uschar buffer2[4096];
+ if ( !smtps
+ && !(done= smtp_write_command(&outblock, FALSE, "STARTTLS\r\n") >= 0))
+ goto SEND_FAILED;
+
+ /* If there is an I/O error, transmission of this message is deferred. If
+ there is a temporary rejection of STARRTLS and tls_tempfail_tryclear is
+ false, we also defer. However, if there is a temporary rejection of STARTTLS
+ and tls_tempfail_tryclear is true, or if there is an outright rejection of
+ STARTTLS, we carry on. This means we will try to send the message in clear,
+ unless the host is in hosts_require_tls (tested below). */
+
+ if (!smtps && !smtp_read_response(&inblock, buffer2, sizeof(buffer2), '2',
+ ob->command_timeout))
+ {
+ if (errno != 0 || buffer2[0] == 0 ||
+ (buffer2[0] == '4' && !ob->tls_tempfail_tryclear))
+ {
+ Ustrncpy(responsebuffer, buffer2, sizeof(responsebuffer));
+ done= FALSE;
+ goto RESPONSE_FAILED;
+ }
+ }
+
+ /* STARTTLS accepted or ssl-on-connect: try to negotiate a TLS session. */
+ else
+ {
+ int rc = tls_client_start(inblock.sock, host, addr,
+ NULL, /* No DH param */
+ ob->tls_certificate, ob->tls_privatekey,
+ ob->tls_sni,
+ ob->tls_verify_certificates, ob->tls_crl,
+ ob->tls_require_ciphers, ob->tls_dh_min_bits,
+ callout);
+
+ /* TLS negotiation failed; give an error. Try in clear on a new connection,
+ if the options permit it for this host. */
+ if (rc != OK)
+ {
+ if (rc == DEFER && ob->tls_tempfail_tryclear && !smtps &&
+ verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+ host->address, NULL) != OK)
+ {
+ (void)close(inblock.sock);
+ log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted "
+ "to %s [%s] (not in hosts_require_tls)", host->name, host->address);
+ suppress_tls = TRUE;
+ goto tls_retry_connection;
+ }
+ /*save_errno = ERRNO_TLSFAILURE;*/
+ /*message = US"failure while setting up TLS session";*/
+ send_quit = FALSE;
+ done= FALSE;
+ goto TLS_FAILED;
+ }
+
+ /* TLS session is set up. Copy info for logging. */
+ addr->cipher = tls_out.cipher;
+ addr->peerdn = tls_out.peerdn;
+
+ /* For SMTPS we need to wait for the initial OK response, then do HELO. */
+ if (smtps)
+ goto smtps_redo_greeting;
+
+ /* For STARTTLS we need to redo EHLO */
+ goto tls_redo_helo;
+ }
}
- }
- /* Otherwise, proceed to check a "random" address (if required), then the
- given address, and the postmaster address (if required). Between each check,
- issue RSET, because some servers accept only one recipient after MAIL
- FROM:<>.
+ /* If the host is required to use a secure channel, ensure that we have one. */
+ if (tls_out.active < 0)
+ if (verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name,
+ host->address, NULL) == OK)
+ {
+ /*save_errno = ERRNO_TLSREQUIRED;*/
+ log_write(0, LOG_MAIN, "a TLS session is required for %s [%s], but %s",
+ host->name, host->address,
+ tls_offered? "an attempt to start TLS failed" : "the server did not offer TLS support");
+ done= FALSE;
+ goto TLS_FAILED;
+ }
- Before doing this, set the result in the domain cache record to "accept",
- unless its previous value was ccache_reject_mfnull. In that case, the domain
- rejects MAIL FROM:<> and we want to continue to remember that. When that is
- the case, we have got here only in the case of a recipient verification with
- a non-null sender. */
+ #endif /*SUPPORT_TLS*/
- else
- {
- new_domain_record.result =
- (old_domain_cache_result == ccache_reject_mfnull)?
- ccache_reject_mfnull: ccache_accept;
+ done = TRUE; /* so far so good; have response to HELO */
- /* Do the random local part check first */
+ /*XXX the EHLO response would be analyzed here for IGNOREQUOTA, SIZE, PIPELINING, AUTH */
+ /* If we haven't authenticated, but are required to, give up. */
- if (random_local_part != NULL)
- {
- uschar randombuffer[1024];
- BOOL random_ok =
- smtp_write_command(&outblock, FALSE,
- "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
- addr->domain) >= 0 &&
- smtp_read_response(&inblock, randombuffer,
- sizeof(randombuffer), '2', callout);
+ /*XXX "filter command specified for this transport" ??? */
+ /* for now, transport_filter by cutthrough-delivery is not supported */
+ /* Need proper integration with the proper transport mechanism. */
- /* Remember when we last did a random test */
- new_domain_record.random_stamp = time(NULL);
+ SEND_FAILED:
+ RESPONSE_FAILED:
+ TLS_FAILED:
+ ;
+ /* Clear down of the TLS, SMTP and TCP layers on error is handled below. */
- /* If accepted, we aren't going to do any further tests below. */
- if (random_ok)
+ /* Failure to accept HELO is cached; this blocks the whole domain for all
+ senders. I/O errors and defer responses are not cached. */
+
+ if (!done)
+ {
+ *failure_ptr = US"mail"; /* At or before MAIL */
+ if (errno == 0 && responsebuffer[0] == '5')
{
- new_domain_record.random_result = ccache_accept;
+ setflag(addr, af_verify_nsfail);
+ new_domain_record.result = ccache_reject;
}
+ }
- /* Otherwise, cache a real negative response, and get back to the right
- state to send RCPT. Unless there's some problem such as a dropped
- connection, we expect to succeed, because the commands succeeded above. */
+ /* Send the MAIL command */
- else if (errno == 0)
- {
- if (randombuffer[0] == '5')
- new_domain_record.random_result = ccache_reject;
+ else done =
+ smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
+ from_address) >= 0 &&
+ smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
+ '2', callout);
- done =
- smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
- smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
- '2', callout) &&
+ /* If the host does not accept MAIL FROM:<>, arrange to cache this
+ information, but again, don't record anything for an I/O error or a defer. Do
+ not cache rejections of MAIL when a non-empty sender has been used, because
+ that blocks the whole domain for all senders. */
- smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
- from_address) >= 0 &&
- smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
- '2', callout);
+ if (!done)
+ {
+ *failure_ptr = US"mail"; /* At or before MAIL */
+ if (errno == 0 && responsebuffer[0] == '5')
+ {
+ setflag(addr, af_verify_nsfail);
+ if (from_address[0] == 0)
+ new_domain_record.result = ccache_reject_mfnull;
}
- else done = FALSE; /* Some timeout/connection problem */
- } /* Random check */
+ }
+
+ /* Otherwise, proceed to check a "random" address (if required), then the
+ given address, and the postmaster address (if required). Between each check,
+ issue RSET, because some servers accept only one recipient after MAIL
+ FROM:<>.
- /* If the host is accepting all local parts, as determined by the "random"
- check, we don't need to waste time doing any further checking. */
+ Before doing this, set the result in the domain cache record to "accept",
+ unless its previous value was ccache_reject_mfnull. In that case, the domain
+ rejects MAIL FROM:<> and we want to continue to remember that. When that is
+ the case, we have got here only in the case of a recipient verification with
+ a non-null sender. */
- if (new_domain_record.random_result != ccache_accept && done)
+ else
{
- /* Get the rcpt_include_affixes flag from the transport if there is one,
- but assume FALSE if there is not. */
-
- done =
- smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
- transport_rcpt_address(addr,
- (addr->transport == NULL)? FALSE :
- addr->transport->rcpt_include_affixes)) >= 0 &&
- smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
- '2', callout);
-
- if (done)
- new_address_record.result = ccache_accept;
- else if (errno == 0 && responsebuffer[0] == '5')
- {
- *failure_ptr = US"recipient";
- new_address_record.result = ccache_reject;
- }
+ new_domain_record.result =
+ (old_domain_cache_result == ccache_reject_mfnull)?
+ ccache_reject_mfnull: ccache_accept;
- /* Do postmaster check if requested; if a full check is required, we
- check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
+ /* Do the random local part check first */
- if (done && pm_mailfrom != NULL)
+ if (random_local_part != NULL)
{
- done =
- smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
- smtp_read_response(&inblock, responsebuffer,
- sizeof(responsebuffer), '2', callout) &&
-
+ uschar randombuffer[1024];
+ BOOL random_ok =
smtp_write_command(&outblock, FALSE,
- "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
- smtp_read_response(&inblock, responsebuffer,
- sizeof(responsebuffer), '2', callout) &&
+ "RCPT TO:<%.1000s@%.1000s>\r\n", random_local_part,
+ addr->domain) >= 0 &&
+ smtp_read_response(&inblock, randombuffer,
+ sizeof(randombuffer), '2', callout);
- /* First try using the current domain */
+ /* Remember when we last did a random test */
- ((
- smtp_write_command(&outblock, FALSE,
- "RCPT TO:<postmaster@%.1000s>\r\n", addr->domain) >= 0 &&
- smtp_read_response(&inblock, responsebuffer,
- sizeof(responsebuffer), '2', callout)
- )
+ new_domain_record.random_stamp = time(NULL);
+
+ /* If accepted, we aren't going to do any further tests below. */
- ||
+ if (random_ok)
+ {
+ new_domain_record.random_result = ccache_accept;
+ }
- /* If that doesn't work, and a full check is requested,
- try without the domain. */
+ /* Otherwise, cache a real negative response, and get back to the right
+ state to send RCPT. Unless there's some problem such as a dropped
+ connection, we expect to succeed, because the commands succeeded above. */
- (
- (options & vopt_callout_fullpm) != 0 &&
- smtp_write_command(&outblock, FALSE,
- "RCPT TO:<postmaster>\r\n") >= 0 &&
- smtp_read_response(&inblock, responsebuffer,
- sizeof(responsebuffer), '2', callout)
- ));
+ else if (errno == 0)
+ {
+ if (randombuffer[0] == '5')
+ new_domain_record.random_result = ccache_reject;
+
+ done =
+ smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
+ smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
+ '2', callout) &&
+
+ smtp_write_command(&outblock, FALSE, "MAIL FROM:<%s>\r\n",
+ from_address) >= 0 &&
+ smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
+ '2', callout);
+ }
+ else done = FALSE; /* Some timeout/connection problem */
+ } /* Random check */
- /* Sort out the cache record */
+ /* If the host is accepting all local parts, as determined by the "random"
+ check, we don't need to waste time doing any further checking. */
- new_domain_record.postmaster_stamp = time(NULL);
+ if (new_domain_record.random_result != ccache_accept && done)
+ {
+ /* Get the rcpt_include_affixes flag from the transport if there is one,
+ but assume FALSE if there is not. */
+
+ done =
+ smtp_write_command(&outblock, FALSE, "RCPT TO:<%.1000s>\r\n",
+ transport_rcpt_address(addr,
+ (addr->transport == NULL)? FALSE :
+ addr->transport->rcpt_include_affixes)) >= 0 &&
+ smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer),
+ '2', callout);
if (done)
- new_domain_record.postmaster_result = ccache_accept;
+ new_address_record.result = ccache_accept;
else if (errno == 0 && responsebuffer[0] == '5')
{
- *failure_ptr = US"postmaster";
- setflag(addr, af_verify_pmfail);
- new_domain_record.postmaster_result = ccache_reject;
+ *failure_ptr = US"recipient";
+ new_address_record.result = ccache_reject;
}
- }
- } /* Random not accepted */
- } /* MAIL FROM: accepted */
- /* For any failure of the main check, other than a negative response, we just
- close the connection and carry on. We can identify a negative response by the
- fact that errno is zero. For I/O errors it will be non-zero
+ /* Do postmaster check if requested; if a full check is required, we
+ check for RCPT TO:<postmaster> (no domain) in accordance with RFC 821. */
- Set up different error texts for logging and for sending back to the caller
- as an SMTP response. Log in all cases, using a one-line format. For sender
- callouts, give a full response to the caller, but for recipient callouts,
- don't give the IP address because this may be an internal host whose identity
- is not to be widely broadcast. */
+ if (done && pm_mailfrom != NULL)
+ {
+ /*XXX not suitable for cutthrough - sequencing problems */
+ cutthrough_delivery= FALSE;
+ HDEBUG(D_acl|D_v) debug_printf("Cutthrough cancelled by presence of postmaster verify\n");
- if (!done)
- {
- if (errno == ETIMEDOUT)
- {
- HDEBUG(D_verify) debug_printf("SMTP timeout\n");
- send_quit = FALSE;
- }
- else if (errno == 0)
- {
- if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
+ done =
+ smtp_write_command(&outblock, FALSE, "RSET\r\n") >= 0 &&
+ smtp_read_response(&inblock, responsebuffer,
+ sizeof(responsebuffer), '2', callout) &&
- addr->message =
- string_sprintf("response to \"%s\" from %s [%s] was: %s",
- big_buffer, host->name, host->address,
- string_printing(responsebuffer));
+ smtp_write_command(&outblock, FALSE,
+ "MAIL FROM:<%s>\r\n", pm_mailfrom) >= 0 &&
+ smtp_read_response(&inblock, responsebuffer,
+ sizeof(responsebuffer), '2', callout) &&
- addr->user_message = is_recipient?
- string_sprintf("Callout verification failed:\n%s", responsebuffer)
- :
- string_sprintf("Called: %s\nSent: %s\nResponse: %s",
- host->address, big_buffer, responsebuffer);
+ /* First try using the current domain */
+
+ ((
+ smtp_write_command(&outblock, FALSE,
+ "RCPT TO:<postmaster@%.1000s>\r\n", addr->domain) >= 0 &&
+ smtp_read_response(&inblock, responsebuffer,
+ sizeof(responsebuffer), '2', callout)
+ )
+
+ ||
+
+ /* If that doesn't work, and a full check is requested,
+ try without the domain. */
+
+ (
+ (options & vopt_callout_fullpm) != 0 &&
+ smtp_write_command(&outblock, FALSE,
+ "RCPT TO:<postmaster>\r\n") >= 0 &&
+ smtp_read_response(&inblock, responsebuffer,
+ sizeof(responsebuffer), '2', callout)
+ ));
- /* Hard rejection ends the process */
+ /* Sort out the cache record */
- if (responsebuffer[0] == '5') /* Address rejected */
+ new_domain_record.postmaster_stamp = time(NULL);
+
+ if (done)
+ new_domain_record.postmaster_result = ccache_accept;
+ else if (errno == 0 && responsebuffer[0] == '5')
+ {
+ *failure_ptr = US"postmaster";
+ setflag(addr, af_verify_pmfail);
+ new_domain_record.postmaster_result = ccache_reject;
+ }
+ }
+ } /* Random not accepted */
+ } /* MAIL FROM: accepted */
+
+ /* For any failure of the main check, other than a negative response, we just
+ close the connection and carry on. We can identify a negative response by the
+ fact that errno is zero. For I/O errors it will be non-zero
+
+ Set up different error texts for logging and for sending back to the caller
+ as an SMTP response. Log in all cases, using a one-line format. For sender
+ callouts, give a full response to the caller, but for recipient callouts,
+ don't give the IP address because this may be an internal host whose identity
+ is not to be widely broadcast. */
+
+ if (!done)
+ {
+ if (errno == ETIMEDOUT)
{
- yield = FAIL;
- done = TRUE;
+ HDEBUG(D_verify) debug_printf("SMTP timeout\n");
+ send_quit = FALSE;
+ }
+ else if (errno == 0)
+ {
+ if (*responsebuffer == 0) Ustrcpy(responsebuffer, US"connection dropped");
+
+ addr->message =
+ string_sprintf("response to \"%s\" from %s [%s] was: %s",
+ big_buffer, host->name, host->address,
+ string_printing(responsebuffer));
+
+ addr->user_message = is_recipient?
+ string_sprintf("Callout verification failed:\n%s", responsebuffer)
+ :
+ string_sprintf("Called: %s\nSent: %s\nResponse: %s",
+ host->address, big_buffer, responsebuffer);
+
+ /* Hard rejection ends the process */
+
+ if (responsebuffer[0] == '5') /* Address rejected */
+ {
+ yield = FAIL;
+ done = TRUE;
+ }
}
}
- }
- /* End the SMTP conversation and close the connection. */
+ /* End the SMTP conversation and close the connection. */
+
+ /* Cutthrough - on a successfull connect and recipient-verify with use-sender
+ and we have no cutthrough conn so far
+ here is where we want to leave the conn open */
+ if ( cutthrough_delivery
+ && done
+ && yield == OK
+ && (options & (vopt_callout_recipsender|vopt_callout_recippmaster)) == vopt_callout_recipsender
+ && !random_local_part
+ && !pm_mailfrom
+ && cutthrough_fd < 0
+ )
+ {
+ cutthrough_fd= outblock.sock; /* We assume no buffer in use in the outblock */
+ cutthrough_addr = *addr; /* Save the address_item for later logging */
+ cutthrough_addr.host_used = store_get(sizeof(host_item));
+ cutthrough_addr.host_used->name = host->name;
+ cutthrough_addr.host_used->address = host->address;
+ cutthrough_addr.host_used->port = port;
+ if (addr->parent)
+ *(cutthrough_addr.parent = store_get(sizeof(address_item)))= *addr->parent;
+ ctblock.buffer = ctbuffer;
+ ctblock.buffersize = sizeof(ctbuffer);
+ ctblock.ptr = ctbuffer;
+ /* ctblock.cmd_count = 0; ctblock.authenticating = FALSE; */
+ ctblock.sock = cutthrough_fd;
+ }
+ else
+ {
+ /* Ensure no cutthrough on multiple address verifies */
+ if (options & vopt_callout_recipsender)
+ cancel_cutthrough_connection("multiple verify calls");
+ if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
+
+ #ifdef SUPPORT_TLS
+ tls_close(FALSE, TRUE);
+ #endif
+ (void)close(inblock.sock);
+ }
- if (send_quit) (void)smtp_write_command(&outblock, FALSE, "QUIT\r\n");
- (void)close(inblock.sock);
- } /* Loop through all hosts, while !done */
+ } /* Loop through all hosts, while !done */
+ }
/* If we get here with done == TRUE, a successful callout happened, and yield
will be set OK or FAIL according to the response to the RCPT command.
+/* Called after recipient-acl to get a cutthrough connection open when
+ one was requested and a recipient-verify wasn't subsequently done.
+*/
+void
+open_cutthrough_connection( address_item * addr )
+{
+address_item addr2;
+
+/* Use a recipient-verify-callout to set up the cutthrough connection. */
+/* We must use a copy of the address for verification, because it might
+get rewritten. */
+
+addr2 = *addr;
+HDEBUG(D_acl) debug_printf("----------- start cutthrough setup ------------\n");
+(void) verify_address(&addr2, NULL,
+ vopt_is_recipient | vopt_callout_recipsender | vopt_callout_no_cache,
+ CUTTHROUGH_CMD_TIMEOUT, -1, -1,
+ NULL, NULL, NULL);
+HDEBUG(D_acl) debug_printf("----------- end cutthrough setup ------------\n");
+return;
+}
+
+
+
+/* Send given number of bytes from the buffer */
+static BOOL
+cutthrough_send(int n)
+{
+if(cutthrough_fd < 0)
+ return TRUE;
+
+if(
+#ifdef SUPPORT_TLS
+ (tls_out.active == cutthrough_fd) ? tls_write(FALSE, ctblock.buffer, n) :
+#endif
+ send(cutthrough_fd, ctblock.buffer, n, 0) > 0
+ )
+{
+ transport_count += n;
+ ctblock.ptr= ctblock.buffer;
+ return TRUE;
+}
+
+HDEBUG(D_transport|D_acl) debug_printf("cutthrough_send failed: %s\n", strerror(errno));
+return FALSE;
+}
+
+
+
+static BOOL
+_cutthrough_puts(uschar * cp, int n)
+{
+while(n--)
+ {
+ if(ctblock.ptr >= ctblock.buffer+ctblock.buffersize)
+ if(!cutthrough_send(ctblock.buffersize))
+ return FALSE;
+
+ *ctblock.ptr++ = *cp++;
+ }
+return TRUE;
+}
+
+/* Buffered output of counted data block. Return boolean success */
+BOOL
+cutthrough_puts(uschar * cp, int n)
+{
+if (cutthrough_fd < 0) return TRUE;
+if (_cutthrough_puts(cp, n)) return TRUE;
+cancel_cutthrough_connection("transmit failed");
+return FALSE;
+}
+
+
+static BOOL
+_cutthrough_flush_send( void )
+{
+int n= ctblock.ptr-ctblock.buffer;
+
+if(n>0)
+ if(!cutthrough_send(n))
+ return FALSE;
+return TRUE;
+}
+
+
+/* Send out any bufferred output. Return boolean success. */
+BOOL
+cutthrough_flush_send( void )
+{
+if (_cutthrough_flush_send()) return TRUE;
+cancel_cutthrough_connection("transmit failed");
+return FALSE;
+}
+
+
+BOOL
+cutthrough_put_nl( void )
+{
+return cutthrough_puts(US"\r\n", 2);
+}
+
+
+/* Get and check response from cutthrough target */
+static uschar
+cutthrough_response(char expect, uschar ** copy)
+{
+smtp_inblock inblock;
+uschar inbuffer[4096];
+uschar responsebuffer[4096];
+
+inblock.buffer = inbuffer;
+inblock.buffersize = sizeof(inbuffer);
+inblock.ptr = inbuffer;
+inblock.ptrend = inbuffer;
+inblock.sock = cutthrough_fd;
+/* this relies on (inblock.sock == tls_out.active) */
+if(!smtp_read_response(&inblock, responsebuffer, sizeof(responsebuffer), expect, CUTTHROUGH_DATA_TIMEOUT))
+ cancel_cutthrough_connection("target timeout on read");
+
+if(copy != NULL)
+ {
+ uschar * cp;
+ *copy= cp= string_copy(responsebuffer);
+ /* Trim the trailing end of line */
+ cp += Ustrlen(responsebuffer);
+ if(cp > *copy && cp[-1] == '\n') *--cp = '\0';
+ if(cp > *copy && cp[-1] == '\r') *--cp = '\0';
+ }
+
+return responsebuffer[0];
+}
+
+
+/* Negotiate dataphase with the cutthrough target, returning success boolean */
+BOOL
+cutthrough_predata( void )
+{
+if(cutthrough_fd < 0)
+ return FALSE;
+
+HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> DATA\n");
+cutthrough_puts(US"DATA\r\n", 6);
+cutthrough_flush_send();
+
+/* Assume nothing buffered. If it was it gets ignored. */
+return cutthrough_response('3', NULL) == '3';
+}
+
+
+/* Buffered send of headers. Return success boolean. */
+/* Expands newlines to wire format (CR,NL). */
+/* Also sends header-terminating blank line. */
+BOOL
+cutthrough_headers_send( void )
+{
+header_line * h;
+uschar * cp1, * cp2;
+
+if(cutthrough_fd < 0)
+ return FALSE;
+
+for(h= header_list; h != NULL; h= h->next)
+ if(h->type != htype_old && h->text != NULL)
+ for (cp1 = h->text; *cp1 && (cp2 = Ustrchr(cp1, '\n')); cp1 = cp2+1)
+ if( !cutthrough_puts(cp1, cp2-cp1)
+ || !cutthrough_put_nl())
+ return FALSE;
+
+HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>>(nl)\n");
+return cutthrough_put_nl();
+}
+
+
+static void
+close_cutthrough_connection( const char * why )
+{
+if(cutthrough_fd >= 0)
+ {
+ /* We could be sending this after a bunch of data, but that is ok as
+ the only way to cancel the transfer in dataphase is to drop the tcp
+ conn before the final dot.
+ */
+ ctblock.ptr = ctbuffer;
+ HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> QUIT\n");
+ _cutthrough_puts(US"QUIT\r\n", 6); /* avoid recursion */
+ _cutthrough_flush_send();
+ /* No wait for response */
+
+ #ifdef SUPPORT_TLS
+ tls_close(FALSE, TRUE);
+ #endif
+ (void)close(cutthrough_fd);
+ cutthrough_fd= -1;
+ HDEBUG(D_acl) debug_printf("----------- cutthrough shutdown (%s) ------------\n", why);
+ }
+ctblock.ptr = ctbuffer;
+}
+
+void
+cancel_cutthrough_connection( const char * why )
+{
+close_cutthrough_connection(why);
+cutthrough_delivery= FALSE;
+}
+
+
+
+
+/* Have senders final-dot. Send one to cutthrough target, and grab the response.
+ Log an OK response as a transmission.
+ Close the connection.
+ Return smtp response-class digit.
+*/
+uschar *
+cutthrough_finaldot( void )
+{
+HDEBUG(D_transport|D_acl|D_v) debug_printf(" SMTP>> .\n");
+
+/* Assume data finshed with new-line */
+if(!cutthrough_puts(US".", 1) || !cutthrough_put_nl() || !cutthrough_flush_send())
+ return cutthrough_addr.message;
+
+switch(cutthrough_response('2', &cutthrough_addr.message))
+ {
+ case '2':
+ delivery_log(LOG_MAIN, &cutthrough_addr, (int)'>', NULL);
+ close_cutthrough_connection("delivered");
+ break;
+
+ case '4':
+ delivery_log(LOG_MAIN, &cutthrough_addr, 0, US"tmp-reject from cutthrough after DATA:");
+ break;
+
+ case '5':
+ delivery_log(LOG_MAIN|LOG_REJECT, &cutthrough_addr, 0, US"rejected after DATA:");
+ break;
+
+ default:
+ break;
+ }
+ return cutthrough_addr.message;
+}
+
+
+
/*************************************************
* Copy error to toplevel address *
*************************************************/
if (address[0] == 0) return OK;
+/* Flip the legacy TLS-related variables over to the outbound set in case
+they're used in the context of a transport used by verification. Reset them
+at exit from this routine. */
+
+modify_variable(US"tls_bits", &tls_out.bits);
+modify_variable(US"tls_certificate_verified", &tls_out.certificate_verified);
+modify_variable(US"tls_cipher", &tls_out.cipher);
+modify_variable(US"tls_peerdn", &tls_out.peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &tls_out.sni);
+#endif
+
/* Save a copy of the sender address for re-instating if we change it to <>
while verifying a sender address (a nice bit of self-reference there). */
}
else
{
+#ifdef SUPPORT_TLS
+ deliver_set_expansions(addr);
+#endif
rc = do_callout(addr, host_list, &tf, callout, callout_overall,
callout_connect, options, se_mailfrom, pm_mailfrom);
}
}
respond_printf(f, "%s\n", cr);
}
+ cancel_cutthrough_connection("routing hard fail");
- if (!full_info) return copy_error(vaddr, addr, FAIL);
- else yield = FAIL;
+ if (!full_info)
+ {
+ yield = copy_error(vaddr, addr, FAIL);
+ goto out;
+ }
+ else yield = FAIL;
}
/* Soft failure */
}
respond_printf(f, "%s\n", cr);
}
- if (!full_info) return copy_error(vaddr, addr, DEFER);
- else if (yield == OK) yield = DEFER;
+ cancel_cutthrough_connection("routing soft fail");
+
+ if (!full_info)
+ {
+ yield = copy_error(vaddr, addr, DEFER);
+ goto out;
+ }
+ else if (yield == OK) yield = DEFER;
}
/* If we are handling EXPN, we do not want to continue to route beyond
if (addr_new == NULL) ok_prefix = US"250 ";
respond_printf(f, "%s<%s>\r\n", ok_prefix, addr2->address);
}
- return OK;
+ yield = OK;
+ goto out;
}
/* Successful routing other than EXPN. */
of $address_data to be that of the child */
vaddr->p.address_data = addr->p.address_data;
- return OK;
+ yield = OK;
+ goto out;
}
}
} /* Loop for generated addresses */
if (allok && addr_local == NULL && addr_remote == NULL)
{
fprintf(f, "mail to %s is discarded\n", address);
- return yield;
+ goto out;
}
for (addr_list = addr_local, i = 0; i < 2; addr_list = addr_remote, i++)
}
}
-/* Will be DEFER or FAIL if any one address has, only for full_info (which is
+/* Yield will be DEFER or FAIL if any one address has, only for full_info (which is
the -bv or -bt case). */
+out:
+
+modify_variable(US"tls_bits", &tls_in.bits);
+modify_variable(US"tls_certificate_verified", &tls_in.certificate_verified);
+modify_variable(US"tls_cipher", &tls_in.cipher);
+modify_variable(US"tls_peerdn", &tls_in.peerdn);
+#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+modify_variable(US"tls_sni", &tls_in.sni);
+#endif
+
return yield;
}
to the screen.
+ munge <name>
+
+This command requests custom munging of the test outputs. The munge names
+used are coded in the runtest script.
+
+
need_ipv4
This command must be at the head of a script. If no IPv4 interface has been
route_list = * "<= 127.0.0.1:PORT_S"
self = send
verify_only
+ transport = t1
+
+
+begin transports
+
+t1:
+ driver = smtp
# End
--- /dev/null
+# Exim test configuration 0028
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex
+
+acl_smtp_rcpt = acl_rcpt
+acl_smtp_data = acl_data
+
+
+# ------ ACLs ------
+
+begin acl
+
+acl_rcpt:
+ accept endpass
+ message = SIZE value too big
+ condition = ${if > {$message_size}{10000}{no}{yes}}
+
+acl_data:
+ accept endpass
+ message = message too big - \$recipients=$recipients ($recipients_count)
+ condition = ${if > {$message_size}{10000}{no}{yes}}
+
+
+# ------ Routers ------
+
+begin routers
+
+r1:
+ driver = dnslookup
+ domains = ! +local_domains
+ transport = dev_null
+ no_more
+
+r2:
+ driver = accept
+ local_parts = userx : postmaster
+ transport = local_delivery
+
+
+# ------ Transports ------
+
+begin transports
+
+dev_null:
+ driver = appendfile
+ file = /dev/null
+ user = CALLER
+
+local_delivery:
+ driver = appendfile
+ file = DIR/test-mail/$local_part
+ user = CALLER
+
+# End
server_condition = "\
${if and {{eq{$2}{userx}}{eq{$3}{secret1}}}{yes}{no}}"
server_set_id = $2
- client_condition = ${if !eq {$tls_cipher}{}}
+ client_condition = ${if !eq {$tls_out_cipher}{}}
client_send = ^userx^secret1
login:
server_condition = "\
${if and {{eq{$2}{userx}}{eq{$3}{secret1}}}{yes}{no}}"
server_set_id = $2
- client_condition = ${if !eq {$tls_cipher}{}}
+ client_condition = ${if !eq {$tls_out_cipher}{}}
client_send = ^userx^secret1
login:
--- /dev/null
+# Exim test configuration 5400
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = ar
+
+
+# ----- ACLs -----
+
+begin acl
+
+ar:
+ accept control = cutthrough_delivery
+ logwrite = rcpt for $local_part@$domain
+
+# ----- Routers -----
+
+begin routers
+
+all:
+ driver = manualroute
+ domains = ! +local_domains
+ route_list = * 127.0.0.1
+ self = send
+ transport = smtp
+ no_more
+
+
+# ----- Transports -----
+
+begin transports
+
+smtp:
+ driver = smtp
+ interface = HOSTIPV4
+ port = PORT_S
+
+
+# End
--- /dev/null
+# Exim test configuration 5401
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = acl_rcpt
+
+# ----- ACLs -------
+
+begin acl
+
+acl_rcpt:
+ accept control = cutthrough_delivery
+ verify = recipient
+
+
+# ----- Routers -----
+
+begin routers
+
+all:
+ driver = manualroute
+ domains = ! +local_domains
+ route_list = * 127.0.0.1
+ self = send
+ transport = smtp
+ no_more
+
+
+# ----- Transports -----
+
+begin transports
+
+smtp:
+ driver = smtp
+ interface = HOSTIPV4
+ port = PORT_S
+
+
+# End
--- /dev/null
+# Exim test configuration 5410
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+log_selector = +smtp_confirmation
+tls_advertise_hosts = *
+tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = ${if eq {SERVER}{server}{queue}{cutthrough}}
+
+# ----- ACLs -------
+
+begin acl
+
+cutthrough:
+ accept control = cutthrough_delivery
+ verify = recipient
+
+queue:
+ accept control = queue_only
+
+# ----- Routers -----
+
+begin routers
+
+all:
+ driver = manualroute
+ domains = ! +local_domains
+ route_list = * 127.0.0.1
+ self = send
+ address_data = $local_part
+ transport = smtp
+ no_more
+
+
+# ----- Transports -----
+
+begin transports
+
+smtp:
+ driver = smtp
+ interface = HOSTIPV4
+ port = PORT_D
+ hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
+ hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
+
+
+# End
--- /dev/null
+# Exim test configuration 5420
+
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+primary_hostname = myhost.test.ex
+rfc1413_query_timeout = 0s
+spool_directory = DIR/spool
+log_file_path = DIR/spool/log/%slog
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+
+# ----- Main settings -----
+
+log_selector = +smtp_confirmation
+tls_advertise_hosts = *
+tls_certificate = ${if eq {SERVER}{server}{DIR/aux-fixed/cert1}fail}
+
+domainlist local_domains = test.ex : *.test.ex
+
+acl_smtp_rcpt = ${if eq {SERVER}{server}{queue}{cutthrough}}
+
+# ----- ACLs -------
+
+begin acl
+
+cutthrough:
+ accept control = cutthrough_delivery
+ verify = recipient
+
+queue:
+ accept control = queue_only
+
+# ----- Routers -----
+
+begin routers
+
+all:
+ driver = manualroute
+ domains = ! +local_domains
+ route_list = * 127.0.0.1
+ self = send
+ address_data = $local_part
+ transport = smtp
+ no_more
+
+
+# ----- Transports -----
+
+begin transports
+
+smtp:
+ driver = smtp
+ interface = HOSTIPV4
+ port = PORT_D
+ hosts_avoid_tls = ${if eq {$address_data}{usery}{*}{:}}
+ hosts_verify_avoid_tls = ${if eq {$address_data}{userz}{*}{:}}
+
+
+# End
-1999-03-02 09:44:33 U=CALLER sender verify fail for <unknown@x.x.x.x>: response to "RCPT TO:<unknown@x.x.x.x>" from 127.0.0.1 [127.0.0.1] was: 550 unrouteable address
-1999-03-02 09:44:33 U=CALLER F=<unknown@x.x.x.x> rejected RCPT <unknown@u.u.u.u>: Sender verify failed
+1999-03-02 09:44:33 U=CALLER sender verify defer for <unknown@x.x.x.x>: Could not complete sender verify callout
+1999-03-02 09:44:33 U=CALLER F=<unknown@x.x.x.x> temporarily rejected RCPT <unknown@u.u.u.u>: Could not complete sender verify callout
--- /dev/null
+1999-03-02 09:44:33 ignoring AUTH=x@y from U=CALLER (client not authenticated)
+1999-03-02 09:44:33 ignoring AUTH=x@y from U=CALLER (client not authenticated)
+1999-03-02 09:44:33 ignoring AUTH=x@y from U=CALLER (client not authenticated)
+1999-03-02 09:44:33 U=CALLER F=<x@y> rejected RCPT <userx@test.ex>: SIZE value too big
+1999-03-02 09:44:33 U=CALLER F=<x@y> rejected RCPT <userx@test.ex>: SIZE value too big
1999-03-02 09:44:33 TLS error on connection from (rhu5.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): invalid
1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (recv): A TLS packet with unexpected length was received.
1999-03-02 09:44:33 TLS error on connection from [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
1999-03-02 09:44:33 H=[127.0.0.1] F=<userx@test.ex> rejected RCPT <userx@test.ex>: certificate not verified: peerdn=C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock
--- /dev/null
+1999-03-02 09:44:33 rcpt for userx@domain.com
+1999-03-02 09:44:33 10HmaX-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 rcpt for userz@domain.com
+1999-03-02 09:44:33 10HmaY-0005vi-00 >> userz@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 rcpt for usery@domain.com
+1999-03-02 09:44:33 rcpt for userx@domain.com
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+1999-03-02 09:44:33 10HmaZ-0005vi-00 -> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
--- /dev/null
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 C="250 OK id=10HmaX-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmbA-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmbC-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
--- /dev/null
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaX-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmbA-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbC-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmbB-0005vi-00 no immediate delivery: queued by ACL
+1999-03-02 09:44:33 10HmbC-0005vi-00 >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
-1999-03-02 09:44:33 U=CALLER sender verify fail for <unknown@x.x.x.x>: response to "RCPT TO:<unknown@x.x.x.x>" from 127.0.0.1 [127.0.0.1] was: 550 unrouteable address
-1999-03-02 09:44:33 U=CALLER F=<unknown@x.x.x.x> rejected RCPT <unknown@u.u.u.u>: Sender verify failed
+1999-03-02 09:44:33 U=CALLER sender verify defer for <unknown@x.x.x.x>: Could not complete sender verify callout
+1999-03-02 09:44:33 U=CALLER F=<unknown@x.x.x.x> temporarily rejected RCPT <unknown@u.u.u.u>: Could not complete sender verify callout
--- /dev/null
+1999-03-02 09:44:33 U=CALLER F=<x@y> rejected RCPT <userx@test.ex>: SIZE value too big
+1999-03-02 09:44:33 U=CALLER F=<x@y> rejected RCPT <userx@test.ex>: SIZE value too big
sub munge {
my($file) = $_[0];
+my($extra) = $_[1];
my($yield) = 0;
my(@saved) = ();
while(<IN>)
{
RESET_AFTER_EXTRA_LINE_READ:
+ # Custom munges
+ if ($extra)
+ {
+ next if $extra =~ m%^/% && eval $extra;
+ eval $extra if $extra =~ m/^s/;
+ }
+
# Check for "*** truncated ***"
$yield = 1 if /\*\*\* truncated \*\*\*/;
# [2] where to put the munged copy
# [3] the name of the saved file
# [4] TRUE if this is a log file whose deliveries must be sorted
+# [5] optionally, a custom munge command
#
# Returns: 0 comparison succeeded or differences to be ignored
# 1 comparison failed; files may have been updated (=> re-compare)
# Does not return if the user replies "Q" to a prompt.
sub check_file{
-my($rf,$rsf,$mf,$sf,$sortfile) = @_;
+my($rf,$rsf,$mf,$sf,$sortfile,$extra) = @_;
# If there is no saved file, the raw files must either not exist, or be
# empty. The test ! -s is TRUE if the file does not exist or is empty.
# data that does exist.
open(MUNGED, ">$mf") || tests_exit(-1, "Failed to open $mf: $!");
-my($truncated) = munge($rf) if -e $rf;
+my($truncated) = munge($rf, $extra) if -e $rf;
if (defined $rsf && -e $rsf)
{
print MUNGED "\n******** SERVER ********\n";
- $truncated |= munge($rsf);
+ $truncated |= munge($rsf, $extra);
}
close(MUNGED);
+##################################################
+# Custom munges
+# keyed by name of munge; value is a ref to a hash
+# which is keyed by file, value a string to look for.
+# Usable files are:
+# paniclog, rejectlog, mainlog, stdout, stderr, msglog, mail
+# Search strings starting with 's' do substitutions;
+# with '/' do line-skips.
+##################################################
+$munges =
+ { 'dnssec' =>
+ { 'stderr' => '/^Reverse DNS security status: unverified\n/', },
+
+ 'gnutls_unexpected' =>
+ { 'mainlog' => '/\(recv\): A TLS packet with unexpected length was received./', },
+
+ 'gnutls_handshake' =>
+ { 'mainlog' => 's/\(gnutls_handshake\): Error in the push function/\(gnutls_handshake\): A TLS packet with unexpected length was received/', },
+
+ };
+
+
##################################################
# Subroutine to check the output of a test #
##################################################
# This function is called when the series of subtests is complete. It makes
-# use of check() file, whose arguments are:
+# use of check_file(), whose arguments are:
#
# [0] the name of the main raw output file
# [1] the name of the server raw output file or undef
# [2] where to put the munged copy
# [3] the name of the saved file
# [4] TRUE if this is a log file whose deliveries must be sorted
+# [5] an optional custom munge command
#
-# Arguments: none
+# Arguments: Optionally, name of a custom munge to run.
# Returns: 0 if the output compared equal
# 1 if re-run needed (files may have been updated)
sub check_output{
+my($mungename) = $_[0];
my($yield) = 0;
+my($munge) = $munges->{$mungename} if defined $mungename;
$yield = 1 if check_file("spool/log/paniclog",
"spool/log/serverpaniclog",
"test-paniclog-munged",
- "paniclog/$testno", 0);
+ "paniclog/$testno", 0,
+ $munge->{'paniclog'});
$yield = 1 if check_file("spool/log/rejectlog",
"spool/log/serverrejectlog",
"test-rejectlog-munged",
- "rejectlog/$testno", 0);
+ "rejectlog/$testno", 0,
+ $munge->{'rejectlog'});
$yield = 1 if check_file("spool/log/mainlog",
"spool/log/servermainlog",
"test-mainlog-munged",
- "log/$testno", $sortlog);
+ "log/$testno", $sortlog,
+ $munge->{'mainlog'});
if (!$stdout_skip)
{
$yield = 1 if check_file("test-stdout",
"test-stdout-server",
"test-stdout-munged",
- "stdout/$testno", 0);
+ "stdout/$testno", 0,
+ $munge->{'stdout'});
}
if (!$stderr_skip)
$yield = 1 if check_file("test-stderr",
"test-stderr-server",
"test-stderr-munged",
- "stderr/$testno", 0);
+ "stderr/$testno", 0,
+ $munge->{'stderr'});
}
# Compare any delivered messages, unless this test is skipped.
print ">> COMPARE $mail mail/$testno.$saved_mail\n" if $debug;
$yield = 1 if check_file($mail, undef, "test-mail-munged",
- "mail/$testno.$saved_mail", 0);
+ "mail/$testno.$saved_mail", 0,
+ $munge->{'mail'});
delete $expected_mails{"mail/$testno.$saved_mail"};
}
s/((?:[^\W_]{6}-){2}[^\W_]{2})
/new_value($1, "10Hm%s-0005vi-00", \$next_msgid)/egx;
$yield = 1 if check_file("spool/msglog/$msglog", undef,
- "test-msglog-munged", "msglog/$testno.$munged_msglog", 0);
+ "test-msglog-munged", "msglog/$testno.$munged_msglog", 0,
+ $munge->{'msglog'});
delete $expected_msglogs{"$testno.$munged_msglog"};
}
}
# 4 EOF was encountered after an initial return code line
# Optionally alse a second parameter, a hash-ref, with auxilliary information:
# exim_pid: pid of a run process
+# munge: name of a post-script results munger
sub run_command{
my($testno) = $_[0];
}
+# The "munge" command selects one of a hardwired set of test-result modifications
+# to be made before result compares are run agains the golden set. This lets
+# us account for test-system dependent things which only affect a few, but known,
+# test-cases.
+# Currently only the last munge takes effect.
+
+if (/^munge\s+(.*)$/)
+ {
+ return (0, { munge => $1 });
+ }
+
+
# The "sleep" command does just that. For sleeps longer than 1 second we
# tell the user what's going on.
$exp_v6 = $1 . ':0' x (8-length($exp_v6)) . ':' . $2;
} elsif ( $parm_ipv6 =~ /^::(.+[^:])$/ ) {
$exp_v6 = '0:' x (9-length($exp_v6)) . $1;
+ } else {
+ $exp_v6 = $parm_ipv6;
}
my(@components) = split /:/, $exp_v6;
my(@nibbles) = reverse (split /\s*/, shift @components);
if ($docheck)
{
- if (check_output() != 0)
+ if (check_output($TEST_STATE->{munge}) != 0)
{
print (("#" x 79) . "\n");
redo;
# be present in the basic Exim binary which we require in order to run these
# tests at all. Specialized expansion tests also exist for optional features
# in other test scripts.
+munge dnssec
exim -be
md5: ${if eq {1}{2}{${md5:invalid}}{NO}}
mask: ${if eq {1}{2}{${mask:invalid}}{NO}}
+# Number suffixes in conditions
+1k: ${if >{1}{1k}{n}{y}}
+1K: ${if >{1}{1K}{n}{y}}
+1M: ${if >{1}{1M}{n}{y}}
+1G: ${if >{1}{1G}{n}{y}}
+
# Numeric overflow
# >32b should work, >64b not
# Reverse lookup failures
+munge dnssec
exim -bh V4NET.11.12.13
mail from:<userx@cam.ac.uk>
rcpt to:<userx@cam.ac.uk>
#
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
550 Error for <>
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
550-Multiline error for <>
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
#
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test unsuccessful caching
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test caching of rejection of MAIL FROM:<>
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
550 REJECT MAIL FROM
# Test caching of rejection of postmaster
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test caching of accepting of postmaster
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test caching of accepting a random address
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test caching of accepting a random address and postmaster
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test caching of rejecting a random address and postmaster
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# address has to be tested
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test caching of rejecting a random address
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
sleep 2
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Timeout on the RCPT for random
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Postmaster_sender set non-empty
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Header_sender sender set non-empty
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Timeout on RCPT for header_sender (defer_ok test)
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test full postmaster check
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Test postmaster_mailfrom with random
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# negatives with wildcard hosts when host has multiple names
+munge dnssec
exim -d -bs -oMa V4NET.99.99.97
mail from:<notgov@test.ex>
rcpt to:<x@test.ex>
#
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
#
server PORT_S 3
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
250 OK
*eof
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
250 OK
*eof
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 server ready
-HELO
+EHLO
250 OK
MAIL
250 OK
****
server PORT_S
220 server ready
-HELO
+EHLO
250 OK
MAIL
250 OK
# Timeout stuff
server PORT_S
220 server ready
-HELO
+EHLO
*sleep 2
*eof
****
#
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# This one fails the actual address
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
# Same again, but with sender_verify_fail logging turned off
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
#
server PORT_S 3
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
250 OK
*eof
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
250 OK
*eof
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
550 NOTOK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
****
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
dump callout
server PORT_S
220 Server ready
-HELO
+EHLO
250 OK
MAIL FROM
250 OK
#
server PORT_S 8
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
# callout with no transport
need_ipv4
#
-server PORT_S
-220 Welcome
-HELO
-250 Hi
-MAIL FROM
-250 OK
-RCPT TO
-550 unrouteable address
-QUIT
-221 Bye
-****
exim -bs
mail from:<unknown@x.x.x.x>
rcpt to:<unknown@u.u.u.u>
# Do a sender address verify that rejects MAIL FROM:<>
server PORT_S
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
550 I'm misconfigured
# Now do a recipient verify for the same domain, with use_sender
server PORT_S
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
#
server PORT_S 4
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
250 OK
*eof
220 Welcome
-HELO
+EHLO
250 Hi
MAIL FROM
250 OK
--- /dev/null
+# Optional MAIL FROM args processing
+#
+# SIZE alone
+exim -bs
+ehlo Testing
+mail from:<x@y> SIZE=1000
+rcpt to:<userx@test.ex>
+quit
+****
+# BODY alone
+exim -bs
+ehlo Testing
+mail from:<x@y> BODY=7BIT
+rcpt to:<userx@test.ex>
+quit
+****
+# SIZE then BODY
+exim -bs
+ehlo Testing
+mail from:<x@y> SIZE=1000 BODY=7BIT
+rcpt to:<userx@test.ex>
+quit
+****
+# BODY then SIZE
+exim -bs
+ehlo Testing
+mail from:<x@y> BODY=7BIT SIZE=1000
+rcpt to:<userx@test.ex>
+quit
+****
+# AUTH then BODY then SIZE
+exim -bs
+ehlo Testing
+mail from:<x@y> AUTH=x@y BODY=7BIT SIZE=1000
+rcpt to:<userx@test.ex>
+quit
+****
+# BODY then AUTH then SIZE
+exim -bs
+ehlo Testing
+mail from:<x@y> BODY=7BIT AUTH=x@y SIZE=1000
+rcpt to:<userx@test.ex>
+quit
+****
+# SIZE then BODY then AUTH
+exim -bs
+ehlo Testing
+mail from:<x@y> SIZE=1000 BODY=7BIT AUTH=x@y
+rcpt to:<userx@test.ex>
+quit
+****
+# SIZE then BODY then SIZE
+exim -bs
+ehlo Testing
+mail from:<x@y> SIZE=1000 BODY=7BIT SIZE=1200
+rcpt to:<userx@test.ex>
+quit
+****
+# (over)SIZE then BODY
+exim -bs
+ehlo Testing
+mail from:<x@y> SIZE=40004 BODY=8BITMIME
+rcpt to:<userx@test.ex>
+quit
+****
+# BODY then (over)SIZE
+exim -bs
+ehlo Testing
+mail from:<x@y> BODY=8BITMIME SIZE=40004
+rcpt to:<userx@test.ex>
+quit
+****
+no_msglog_check
# TLS server: mandatory, optional, and revoked certificates
gnutls
+munge gnutls_unexpected
exim -DSERVER=server -bd -oX PORT_D
****
# No certificate, certificate required
# TLS server & client: no certificate in client
gnutls
+munge gnutls_handshake
exim -DSERVER=server -bd -oX PORT_D
****
exim userx@test.ex
# dns_again_means_nonexist
+munge dnssec
exim -d -bh HOSTIPV4
mail from:<xx@cioce.test.again.dns>
rcpt to:<a@b>
--- /dev/null
+# cutthrough_delivery basic operation
+need_ipv4
+#
+server PORT_S
+220 ESMTP
+EHLO
+250 OK
+MAIL FROM:
+250 Sender OK
+RCPT TO:
+250 Recipient OK
+DATA
+354 Send data
+.
+250 OK
+QUIT
+250 OK
+****
+exim -d-all+acl+transport -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<userx@domain.com>
+DATA
+
+.
+QUIT
+****
+# cutthrough_delivery into HELO-only server
+need_ipv4
+#
+server PORT_S
+220 SMTP only spoken here
+EHLO
+550 Not here, mate
+HELO
+250 OK
+MAIL FROM:
+250 Sender OK
+RCPT TO:
+250 Recipient OK
+DATA
+354 Send data
+.
+250 OK
+QUIT
+250 OK
+****
+exim -d-all+acl+transport -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<userz@domain.com>
+DATA
+
+.
+QUIT
+****
+# cutthrough cancelled by multiple recipients
+server PORT_S 2
+220 ESMTP
+EHLO
+250 OK
+MAIL FROM:
+250 Sender OK
+RCPT TO:
+250 Recipient OK
+QUIT
+*eof
+220 ESMTP
+EHLO
+250 OK
+MAIL FROM:
+250 Sender OK
+RCPT TO:
+250 Recipient OK
+RCPT TO:
+250 Recipient OK
+DATA
+354 Send data
+.
+250 OK
+QUIT
+250 OK
+****
+exim -d-all+acl+transport -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<usery@domain.com>
+RCPT TO:<userx@domain.com>
+DATA
+
+.
+QUIT
+****
+sleep 1
--- /dev/null
+# cutthrough_delivery triggered by recipient-verify
+need_ipv4
+#
+server PORT_S
+220 ESMTP
+EHLO
+250 OK
+MAIL FROM:
+250 Sender OK
+RCPT TO:
+250 Recipient OK
+DATA
+354 Send data
+.
+250 OK
+QUIT
+250 OK
+****
+exim -d-all+acl+transport -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<userx@domain.com>
+DATA
+
+.
+QUIT
+****
--- /dev/null
+# cutthrough_delivery to target oferring TLS
+exim -DSERVER=server -bd -oX PORT_D
+****
+# this one should succeed
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<userx@domain.com>
+DATA
+
+.
+QUIT
+****
+# via a transport setting hosts_avoid_tls
+# so this one should not use TLS
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<usery@domain.com>
+DATA
+
+.
+QUIT
+****
+# via a transport setting hosts_verify_avoid_tls
+# so this one should not use TLS
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<usery@domain.com>
+DATA
+
+.
+QUIT
+****
+killdaemon
+no_msglog_check
--- /dev/null
+support OpenSSL
+running IPv4
--- /dev/null
+# cutthrough_delivery to target offering TLS
+exim -DSERVER=server -bd -oX PORT_D
+****
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<userx@domain.com>
+DATA
+
+.
+QUIT
+****
+# via a transport setting hosts_avoid_tls
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<usery@domain.com>
+DATA
+
+.
+QUIT
+****
+# via a transport setting hosts_verify_avoid_tls
+exim -d-all+acl+transport+expand+lists -bs
+EHLO myhost.test.ex
+MAIL FROM:<eximtest@myhost.test.ex>
+RCPT TO:<usery@domain.com>
+DATA
+
+.
+QUIT
+****
+killdaemon
+no_msglog_check
--- /dev/null
+support GnuTLS
+running IPv4
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 550 Error for <>
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 550-Multiline error for <>
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP>> RCPT TO:<ok@localhost1>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP connection from root
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP>> RCPT TO:<ok@localhost1>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 550 REJECT MAIL FROM
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP>> RCPT TO:<ok@otherhost>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP>> RCPT TO:<ok@otherhost2>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP<< 250 OK
SMTP>> RCPT TO:<ok@otherhost41>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP>> RCPT TO:<ok@otherhost21>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP>> RCPT TO:<okokok@otherhost52>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<pmsend@a.domain>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<somesender@a.domain>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP>> RCPT TO:<ok@otherhost9>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<postmaster@myhost.test.ex>
SMTP<< 250 OK
SMTP<< 250 OK
SMTP>> RCPT TO:<z@test.ex>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<pmsend@b.domain>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO mail.test.ex
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO mail.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 server ready
- SMTP>> HELO myhost.test.ex
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
>>> interface=NULL port=1224
>>> Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
>>> SMTP<< 220 server ready
->>> SMTP>> HELO myhost.test.ex
+>>> 127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+>>> SMTP>> EHLO myhost.test.ex
>>> SMTP<< 250 OK
>>> SMTP>> MAIL FROM:<>
>>> SMTP<< 250 OK
>>> interface=NULL port=1224
>>> Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
>>> SMTP<< 220 server ready
->>> SMTP>> HELO myhost.test.ex
+>>> 127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+>>> SMTP>> EHLO myhost.test.ex
>>> SMTP timeout
>>> ----------- end verify ------------
>>> accept: condition test deferred in ACL "mail"
>>> Attempting full verification using callout
>>> callout cache: no domain record found
>>> callout cache: no address record found
->>> interface=NULL port=25
->>> Connecting to ten-1.test.ex [V4NET.0.0.1]:25 ... failed: Network Error
+>>> cannot callout via null transport
>>> ----------- end verify ------------
>>> accept: condition test deferred in ACL "rcpt"
-LOG: H=[V4NET.0.0.1] sender verify defer for <x@ten-1.test.ex>: could not connect to ten-1.test.ex [V4NET.0.0.1]: Network Error
+LOG: H=[V4NET.0.0.1] sender verify defer for <x@ten-1.test.ex>: Could not complete sender verify callout
LOG: H=[V4NET.0.0.1] F=<x@ten-1.test.ex> temporarily rejected RCPT x@y: Could not complete sender verify callout
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
SMTP>> RCPT TO:<Ok@localhost>
SMTP<< 250 OK
+Cutthrough cancelled by presence of postmaster verify
SMTP>> RSET
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO myhost.test.ex
+ SMTP>> EHLO myhost.test.ex
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
interface=NULL port=1224
Connecting to 127.0.0.1 [127.0.0.1]:1224 ... connected
SMTP<< 220 Server ready
- SMTP>> HELO the.local.host.name
+ SMTP>> EHLO the.local.host.name
SMTP<< 250 OK
SMTP>> MAIL FROM:<>
SMTP<< 250 OK
--- /dev/null
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+using ACL "ar"
+processing "accept"
+check control = cutthrough_delivery
+check logwrite = rcpt for $local_part@$domain
+ = rcpt for userx@domain.com
+LOG: MAIN
+ rcpt for userx@domain.com
+created log directory TESTSUITE/spool/log
+accept: condition test succeeded in ACL "ar"
+----------- start cutthrough setup ------------
+Connecting to 127.0.0.1 [127.0.0.1]:1224 from ip4.ip4.ip4.ip4 ... connected
+ SMTP<< 220 ESMTP
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250 OK
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 Sender OK
+ SMTP>> RCPT TO:<userx@domain.com>
+ SMTP<< 250 Recipient OK
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Send data
+ SMTP>>(nl)
+ SMTP>> .
+ SMTP<< 250 OK
+LOG: MAIN
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+using ACL "ar"
+processing "accept"
+check control = cutthrough_delivery
+check logwrite = rcpt for $local_part@$domain
+ = rcpt for userz@domain.com
+LOG: MAIN
+ rcpt for userz@domain.com
+accept: condition test succeeded in ACL "ar"
+----------- start cutthrough setup ------------
+Connecting to 127.0.0.1 [127.0.0.1]:1224 from ip4.ip4.ip4.ip4 ... connected
+ SMTP<< 220 SMTP only spoken here
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 550 Not here, mate
+ SMTP>> HELO myhost.test.ex
+ SMTP<< 250 OK
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 Sender OK
+ SMTP>> RCPT TO:<userz@domain.com>
+ SMTP<< 250 Recipient OK
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Send data
+ SMTP>>(nl)
+ SMTP>> .
+ SMTP<< 250 OK
+LOG: MAIN
+ >> userz@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+using ACL "ar"
+processing "accept"
+check control = cutthrough_delivery
+check logwrite = rcpt for $local_part@$domain
+ = rcpt for usery@domain.com
+LOG: MAIN
+ rcpt for usery@domain.com
+accept: condition test succeeded in ACL "ar"
+----------- start cutthrough setup ------------
+Connecting to 127.0.0.1 [127.0.0.1]:1224 from ip4.ip4.ip4.ip4 ... connected
+ SMTP<< 220 ESMTP
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250 OK
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 Sender OK
+ SMTP>> RCPT TO:<usery@domain.com>
+ SMTP<< 250 Recipient OK
+----------- end cutthrough setup ------------
+using ACL "ar"
+processing "accept"
+check control = cutthrough_delivery
+check logwrite = rcpt for $local_part@$domain
+ = rcpt for userx@domain.com
+LOG: MAIN
+ rcpt for userx@domain.com
+accept: condition test succeeded in ACL "ar"
+ SMTP>> QUIT
+----------- cutthrough shutdown (more than one recipient) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+trusted user
+admin user
+skipping ACL configuration - not needed
+>>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>
+--------> usery@domain.com <--------
+smtp transport entered
+ usery@domain.com
+ userx@domain.com
+checking status of 127.0.0.1
+127.0.0.1 [127.0.0.1]:1111 status = usable
+delivering 10HmaZ-0005vi-00 to 127.0.0.1 [127.0.0.1] (usery@domain.com, ...)
+Connecting to 127.0.0.1 [127.0.0.1]:1224 from ip4.ip4.ip4.ip4 ... connected
+ SMTP<< 220 ESMTP
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250 OK
+not using PIPELINING
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 Sender OK
+ SMTP>> RCPT TO:<usery@domain.com>
+ SMTP<< 250 Recipient OK
+ SMTP>> RCPT TO:<userx@domain.com>
+ SMTP<< 250 Recipient OK
+ SMTP>> DATA
+ SMTP<< 354 Send data
+ SMTP>> writing message and terminating "."
+writing data block fd=dddd size=sss timeout=300
+ SMTP<< 250 OK
+ok=1 send_quit=1 send_rset=0 continue_more=0 yield=0 first_address is NULL
+transport_check_waiting entered
+ sequence=1 local_max=500 global_max=-1
+no messages waiting for 127.0.0.1
+ SMTP>> QUIT
+Leaving smtp transport
+LOG: MAIN
+ => usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+LOG: MAIN
+ -> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+LOG: MAIN
+ Completed
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
--- /dev/null
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+using ACL "acl_rcpt"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+----------- end verify ------------
+accept: condition test succeeded in ACL "acl_rcpt"
+----------- start cutthrough setup ------------
+Connecting to 127.0.0.1 [127.0.0.1]:1224 from ip4.ip4.ip4.ip4 ... connected
+ SMTP<< 220 ESMTP
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250 OK
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 Sender OK
+ SMTP>> RCPT TO:<userx@domain.com>
+ SMTP<< 250 Recipient OK
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Send data
+ SMTP>>(nl)
+ SMTP>> .
+ SMTP<< 250 OK
+LOG: MAIN
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1]
+created log directory TESTSUITE/spool/log
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
--- /dev/null
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+ result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+ result: SERVER
+expanding: server
+ result: server
+condition: eq {SERVER}{server}
+ result: false
+expanding: queue
+ result: queue
+skipping: result is not used
+expanding: cutthrough
+ result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+ result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: userx
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: userx
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+ result: myhost.test.ex
+ SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250-STARTTLS
+ 250 HELP
+expanding: $address_data
+ result: userx
+expanding: usery
+ result: usery
+condition: eq {$address_data}{usery}
+ result: false
+expanding: *
+ result: *
+skipping: result is not used
+expanding: :
+ result: :
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+ result: :
+127.0.0.1 in hosts_avoid_tls? no (end of list)
+ SMTP>> STARTTLS
+ SMTP<< 220 TLS go ahead
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250 HELP
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 OK
+ SMTP>> RCPT TO:<userx@domain.com>
+ SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+ result: false
+expanding: from $sender_rcvhost
+
+ result: from
+
+skipping: result is not used
+condition: def:sender_ident
+ result: true
+expanding: $sender_ident
+ result: CALLER
+expanding: from ${quote_local_part:$sender_ident}
+ result: from CALLER
+condition: def:sender_helo_name
+ result: true
+expanding: (helo=$sender_helo_name)
+
+ result: (helo=myhost.test.ex)
+
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+ }}
+ result: from CALLER (helo=myhost.test.ex)
+
+condition: def:received_protocol
+ result: true
+expanding: with $received_protocol
+ result: with local-esmtp
+condition: def:sender_address
+ result: true
+expanding: (envelope-from <$sender_address>)
+
+ result: (envelope-from <CALLER@myhost.test.ex>)
+
+condition: def:received_for
+ result: true
+expanding:
+ for $received_for
+ result:
+ for userx@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+ SMTP>> .
+ SMTP<< 250 OK id=10HmaX-0005vi-00
+LOG: MAIN
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 C="250 OK id=10HmaX-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+ result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+ result: SERVER
+expanding: server
+ result: server
+condition: eq {SERVER}{server}
+ result: false
+expanding: queue
+ result: queue
+skipping: result is not used
+expanding: cutthrough
+ result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+ result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+ result: myhost.test.ex
+ SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250-STARTTLS
+ 250 HELP
+expanding: $address_data
+ result: usery
+expanding: usery
+ result: usery
+condition: eq {$address_data}{usery}
+ result: true
+expanding: *
+ result: *
+expanding: :
+ result: :
+skipping: result is not used
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+ result: *
+127.0.0.1 in hosts_avoid_tls? yes (matched "*")
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 OK
+ SMTP>> RCPT TO:<usery@domain.com>
+ SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+ result: false
+expanding: from $sender_rcvhost
+
+ result: from
+
+skipping: result is not used
+condition: def:sender_ident
+ result: true
+expanding: $sender_ident
+ result: CALLER
+expanding: from ${quote_local_part:$sender_ident}
+ result: from CALLER
+condition: def:sender_helo_name
+ result: true
+expanding: (helo=$sender_helo_name)
+
+ result: (helo=myhost.test.ex)
+
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+ }}
+ result: from CALLER (helo=myhost.test.ex)
+
+condition: def:received_protocol
+ result: true
+expanding: with $received_protocol
+ result: with local-esmtp
+condition: def:sender_address
+ result: true
+expanding: (envelope-from <$sender_address>)
+
+ result: (envelope-from <CALLER@myhost.test.ex>)
+
+condition: def:received_for
+ result: true
+expanding:
+ for $received_for
+ result:
+ for usery@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+ SMTP>> .
+ SMTP<< 250 OK id=10HmaZ-0005vi-00
+LOG: MAIN
+ >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+
+******** SERVER ********
--- /dev/null
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+ result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+ result: SERVER
+expanding: server
+ result: server
+condition: eq {SERVER}{server}
+ result: false
+expanding: queue
+ result: queue
+skipping: result is not used
+expanding: cutthrough
+ result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+ result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: userx
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: userx
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+ result: myhost.test.ex
+ SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250-STARTTLS
+ 250 HELP
+expanding: $address_data
+ result: userx
+expanding: usery
+ result: usery
+condition: eq {$address_data}{usery}
+ result: false
+expanding: *
+ result: *
+skipping: result is not used
+expanding: :
+ result: :
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+ result: :
+127.0.0.1 in hosts_avoid_tls? no (end of list)
+expanding: $address_data
+ result: userx
+expanding: userz
+ result: userz
+condition: eq {$address_data}{userz}
+ result: false
+expanding: *
+ result: *
+skipping: result is not used
+expanding: :
+ result: :
+expanding: ${if eq {$address_data}{userz}{*}{:}}
+ result: :
+127.0.0.1 in hosts_verify_avoid_tls? no (end of list)
+ SMTP>> STARTTLS
+ SMTP<< 220 TLS go ahead
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250 HELP
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 OK
+ SMTP>> RCPT TO:<userx@domain.com>
+ SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+ result: false
+expanding: from $sender_rcvhost
+
+ result: from
+
+skipping: result is not used
+condition: def:sender_ident
+ result: true
+expanding: $sender_ident
+ result: CALLER
+expanding: from ${quote_local_part:$sender_ident}
+ result: from CALLER
+condition: def:sender_helo_name
+ result: true
+expanding: (helo=$sender_helo_name)
+
+ result: (helo=myhost.test.ex)
+
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+ }}
+ result: from CALLER (helo=myhost.test.ex)
+
+condition: def:received_protocol
+ result: true
+expanding: with $received_protocol
+ result: with local-esmtp
+condition: def:sender_address
+ result: true
+expanding: (envelope-from <$sender_address>)
+
+ result: (envelope-from <CALLER@myhost.test.ex>)
+
+condition: def:received_for
+ result: true
+expanding:
+ for $received_for
+ result:
+ for userx@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+ SMTP>> .
+ SMTP<< 250 OK id=10HmaX-0005vi-00
+LOG: MAIN
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 C="250 OK id=10HmaX-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+ result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+ result: SERVER
+expanding: server
+ result: server
+condition: eq {SERVER}{server}
+ result: false
+expanding: queue
+ result: queue
+skipping: result is not used
+expanding: cutthrough
+ result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+ result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+ result: myhost.test.ex
+ SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250-STARTTLS
+ 250 HELP
+expanding: $address_data
+ result: usery
+expanding: usery
+ result: usery
+condition: eq {$address_data}{usery}
+ result: true
+expanding: *
+ result: *
+expanding: :
+ result: :
+skipping: result is not used
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+ result: *
+127.0.0.1 in hosts_avoid_tls? yes (matched "*")
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 OK
+ SMTP>> RCPT TO:<usery@domain.com>
+ SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+ result: false
+expanding: from $sender_rcvhost
+
+ result: from
+
+skipping: result is not used
+condition: def:sender_ident
+ result: true
+expanding: $sender_ident
+ result: CALLER
+expanding: from ${quote_local_part:$sender_ident}
+ result: from CALLER
+condition: def:sender_helo_name
+ result: true
+expanding: (helo=$sender_helo_name)
+
+ result: (helo=myhost.test.ex)
+
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+ }}
+ result: from CALLER (helo=myhost.test.ex)
+
+condition: def:received_protocol
+ result: true
+expanding: with $received_protocol
+ result: with local-esmtp
+condition: def:sender_address
+ result: true
+expanding: (envelope-from <$sender_address>)
+
+ result: (envelope-from <CALLER@myhost.test.ex>)
+
+condition: def:received_for
+ result: true
+expanding:
+ for $received_for
+ result:
+ for usery@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+ SMTP>> .
+ SMTP<< 250 OK id=10HmaZ-0005vi-00
+LOG: MAIN
+ >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+ result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+ result: SERVER
+expanding: server
+ result: server
+condition: eq {SERVER}{server}
+ result: false
+expanding: queue
+ result: queue
+skipping: result is not used
+expanding: cutthrough
+ result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+ result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+ result: myhost.test.ex
+ SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250-STARTTLS
+ 250 HELP
+expanding: $address_data
+ result: usery
+expanding: usery
+ result: usery
+condition: eq {$address_data}{usery}
+ result: true
+expanding: *
+ result: *
+expanding: :
+ result: :
+skipping: result is not used
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+ result: *
+127.0.0.1 in hosts_avoid_tls? yes (matched "*")
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 OK
+ SMTP>> RCPT TO:<usery@domain.com>
+ SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+ result: false
+expanding: from $sender_rcvhost
+
+ result: from
+
+skipping: result is not used
+condition: def:sender_ident
+ result: true
+expanding: $sender_ident
+ result: CALLER
+expanding: from ${quote_local_part:$sender_ident}
+ result: from CALLER
+condition: def:sender_helo_name
+ result: true
+expanding: (helo=$sender_helo_name)
+
+ result: (helo=myhost.test.ex)
+
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+ }}
+ result: from CALLER (helo=myhost.test.ex)
+
+condition: def:received_protocol
+ result: true
+expanding: with $received_protocol
+ result: with local-esmtp
+condition: def:sender_address
+ result: true
+expanding: (envelope-from <$sender_address>)
+
+ result: (envelope-from <CALLER@myhost.test.ex>)
+
+condition: def:received_for
+ result: true
+expanding:
+ for $received_for
+ result:
+ for usery@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+ SMTP>> .
+ SMTP<< 250 OK id=10HmbB-0005vi-00
+LOG: MAIN
+ >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+
+******** SERVER ********
--- /dev/null
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+ result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+ result: SERVER
+expanding: server
+ result: server
+condition: eq {SERVER}{server}
+ result: false
+expanding: queue
+ result: queue
+skipping: result is not used
+expanding: cutthrough
+ result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+ result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: userx
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: userx
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+ result: myhost.test.ex
+ SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250-STARTTLS
+ 250 HELP
+expanding: $address_data
+ result: userx
+expanding: usery
+ result: usery
+condition: eq {$address_data}{usery}
+ result: false
+expanding: *
+ result: *
+skipping: result is not used
+expanding: :
+ result: :
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+ result: :
+127.0.0.1 in hosts_avoid_tls? no (end of list)
+expanding: $address_data
+ result: userx
+expanding: userz
+ result: userz
+condition: eq {$address_data}{userz}
+ result: false
+expanding: *
+ result: *
+skipping: result is not used
+expanding: :
+ result: :
+expanding: ${if eq {$address_data}{userz}{*}{:}}
+ result: :
+127.0.0.1 in hosts_verify_avoid_tls? no (end of list)
+ SMTP>> STARTTLS
+ SMTP<< 220 TLS go ahead
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250 HELP
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 OK
+ SMTP>> RCPT TO:<userx@domain.com>
+ SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+ result: false
+expanding: from $sender_rcvhost
+
+ result: from
+
+skipping: result is not used
+condition: def:sender_ident
+ result: true
+expanding: $sender_ident
+ result: CALLER
+expanding: from ${quote_local_part:$sender_ident}
+ result: from CALLER
+condition: def:sender_helo_name
+ result: true
+expanding: (helo=$sender_helo_name)
+
+ result: (helo=myhost.test.ex)
+
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+ }}
+ result: from CALLER (helo=myhost.test.ex)
+
+condition: def:received_protocol
+ result: true
+expanding: with $received_protocol
+ result: with local-esmtp
+condition: def:sender_address
+ result: true
+expanding: (envelope-from <$sender_address>)
+
+ result: (envelope-from <CALLER@myhost.test.ex>)
+
+condition: def:received_for
+ result: true
+expanding:
+ for $received_for
+ result:
+ for userx@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+ SMTP>> .
+ SMTP<< 250 OK id=10HmaX-0005vi-00
+LOG: MAIN
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaX-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+ result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+ result: SERVER
+expanding: server
+ result: server
+condition: eq {SERVER}{server}
+ result: false
+expanding: queue
+ result: queue
+skipping: result is not used
+expanding: cutthrough
+ result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+ result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+ result: myhost.test.ex
+ SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250-STARTTLS
+ 250 HELP
+expanding: $address_data
+ result: usery
+expanding: usery
+ result: usery
+condition: eq {$address_data}{usery}
+ result: true
+expanding: *
+ result: *
+expanding: :
+ result: :
+skipping: result is not used
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+ result: *
+127.0.0.1 in hosts_avoid_tls? yes (matched "*")
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 OK
+ SMTP>> RCPT TO:<usery@domain.com>
+ SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+ result: false
+expanding: from $sender_rcvhost
+
+ result: from
+
+skipping: result is not used
+condition: def:sender_ident
+ result: true
+expanding: $sender_ident
+ result: CALLER
+expanding: from ${quote_local_part:$sender_ident}
+ result: from CALLER
+condition: def:sender_helo_name
+ result: true
+expanding: (helo=$sender_helo_name)
+
+ result: (helo=myhost.test.ex)
+
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+ }}
+ result: from CALLER (helo=myhost.test.ex)
+
+condition: def:received_protocol
+ result: true
+expanding: with $received_protocol
+ result: with local-esmtp
+condition: def:sender_address
+ result: true
+expanding: (envelope-from <$sender_address>)
+
+ result: (envelope-from <CALLER@myhost.test.ex>)
+
+condition: def:received_for
+ result: true
+expanding:
+ for $received_for
+ result:
+ for usery@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+ SMTP>> .
+ SMTP<< 250 OK id=10HmaZ-0005vi-00
+LOG: MAIN
+ >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmaZ-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+Exim version x.yz ....
+configuration file is TESTSUITE/test-config
+admin user
+ in hosts_connection_nolog? no (option unset)
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER
+expanding: $smtp_active_hostname ESMTP Exim $version_number $tod_full
+ result: myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+ in pipelining_advertise_hosts? yes (matched "*")
+ in tls_advertise_hosts? yes (matched "*")
+expanding: SERVER
+ result: SERVER
+expanding: server
+ result: server
+condition: eq {SERVER}{server}
+ result: false
+expanding: queue
+ result: queue
+skipping: result is not used
+expanding: cutthrough
+ result: cutthrough
+expanding: ${if eq {SERVER}{server}{queue}{cutthrough}}
+ result: cutthrough
+using ACL "cutthrough"
+processing "accept"
+check control = cutthrough_delivery
+check verify = recipient
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+----------- end verify ------------
+accept: condition test succeeded in ACL "cutthrough"
+----------- start cutthrough setup ------------
+domain.com in "test.ex : *.test.ex"? no (end of list)
+domain.com in "! +local_domains"? yes (end of list)
+expanding: $local_part
+ result: usery
+domain.com in "*"? yes (matched "*")
+Connecting to 127.0.0.1 [127.0.0.1]:1225 from ip4.ip4.ip4.ip4 ... connected
+expanding: $primary_hostname
+ result: myhost.test.ex
+ SMTP<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+127.0.0.1 in hosts_avoid_esmtp? no (option unset)
+ SMTP>> EHLO myhost.test.ex
+ SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
+ 250-SIZE 52428800
+ 250-8BITMIME
+ 250-PIPELINING
+ 250-STARTTLS
+ 250 HELP
+expanding: $address_data
+ result: usery
+expanding: usery
+ result: usery
+condition: eq {$address_data}{usery}
+ result: true
+expanding: *
+ result: *
+expanding: :
+ result: :
+skipping: result is not used
+expanding: ${if eq {$address_data}{usery}{*}{:}}
+ result: *
+127.0.0.1 in hosts_avoid_tls? yes (matched "*")
+ SMTP>> MAIL FROM:<CALLER@myhost.test.ex>
+ SMTP<< 250 OK
+ SMTP>> RCPT TO:<usery@domain.com>
+ SMTP<< 250 Accepted
+----------- end cutthrough setup ------------
+processing "accept"
+accept: condition test succeeded in inline ACL
+ SMTP>> DATA
+ SMTP<< 354 Enter message, ending with "." on a line by itself
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+condition: def:sender_rcvhost
+ result: false
+expanding: from $sender_rcvhost
+
+ result: from
+
+skipping: result is not used
+condition: def:sender_ident
+ result: true
+expanding: $sender_ident
+ result: CALLER
+expanding: from ${quote_local_part:$sender_ident}
+ result: from CALLER
+condition: def:sender_helo_name
+ result: true
+expanding: (helo=$sender_helo_name)
+
+ result: (helo=myhost.test.ex)
+
+expanding: ${if def:sender_ident {from ${quote_local_part:$sender_ident} }}${if def:sender_helo_name {(helo=$sender_helo_name)
+ }}
+ result: from CALLER (helo=myhost.test.ex)
+
+condition: def:received_protocol
+ result: true
+expanding: with $received_protocol
+ result: with local-esmtp
+condition: def:sender_address
+ result: true
+expanding: (envelope-from <$sender_address>)
+
+ result: (envelope-from <CALLER@myhost.test.ex>)
+
+condition: def:received_for
+ result: true
+expanding:
+ for $received_for
+ result:
+ for usery@domain.com
+PDKIM <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+expanding: ${tod_full}
+ result: Tue, 2 Mar 1999 09:44:33 +0000
+ SMTP>> .
+ SMTP<< 250 OK id=10HmbB-0005vi-00
+LOG: MAIN
+ >> usery@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] C="250 OK id=10HmbB-0005vi-00"
+ SMTP>> QUIT
+----------- cutthrough shutdown (delivered) ------------
+LOG: MAIN
+ <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
+LOG: MAIN
+ Completed
+LOG: smtp_connection MAIN
+ SMTP connection from CALLER closed by QUIT
+>>>>>>>>>>>>>>>> Exim pid=pppp terminating with rc=0 >>>>>>>>>>>>>>>>
+
+******** SERVER ********
> md5: NO
> mask: NO
>
+> # Number suffixes in conditions
+> 1k: y
+> 1K: y
+> 1M: y
+> 1G: y
+>
> # Numeric overflow
> # >32b should work, >64b not
>
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
550 Error for <>
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
550-Multiline error for <>
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
550 REJECT MAIL FROM
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<somesender@a.domain>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<postmaster@myhost.test.ex>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO mail.test.ex
+EHLO mail.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO mail.test.ex
+EHLO mail.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO mail.test.ex
+EHLO mail.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO mail.test.ex
+EHLO mail.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [ip4.ip4.ip4.ip4]
220 Server ready
-HELO mail.test.ex
+EHLO mail.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO mail.test.ex
+EHLO mail.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
*sleep 2
Expected EOF read from client
End of script
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<s1@test.ex>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<s2@test.ex>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<s3@other.ex>
550 NOTOK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<postmaster@the.local.host.name>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<x9@test.ex>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<postmaster@the.local.host.name>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Server ready
-HELO the.local.host.name
+EHLO the.local.host.name
250 OK
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
250 OK\r
-550-Verification failed for <unknown@x.x.x.x>\r
-550-Called: 127.0.0.1\r
-550-Sent: RCPT TO:<unknown@x.x.x.x>\r
-550-Response: 550 unrouteable address\r
-550 Sender verify failed\r
+451 Could not complete sender verify callout\r
221 myhost.test.ex closing connection\r
-
-******** SERVER ********
-Listening on port 1224 ...
-Connection request from [127.0.0.1]
-220 Welcome
-HELO myhost.test.ex
-250 Hi
-MAIL FROM:<>
-250 OK
-RCPT TO:<unknown@x.x.x.x>
-550 unrouteable address
-QUIT
-221 Bye
-End of script
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
550 I'm misconfigured
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<userx@ok.example>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO localhost
+EHLO localhost
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO aname
+EHLO aname
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
Listening on port 1224 ...
Connection request from [127.0.0.1]
220 Welcome
-HELO myhost.test.ex
+EHLO myhost.test.ex
250 Hi
MAIL FROM:<>
250 OK
--- /dev/null
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+550 SIZE value too big\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at Testing\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+550 SIZE value too big\r
+221 myhost.test.ex closing connection\r
SSL info: SSLv3 read finished A
SSL info: SSL negotiation finished successfully
SSL info: SSL negotiation finished successfully
-SSL connection using DHE-RSA-AES256-SHA
+SSL connection using AES256-SHA
Succeeded in starting TLS
>>> ehlo foobar
??? 250-
SSL info: SSLv3 read finished A
SSL info: SSL negotiation finished successfully
SSL info: SSL negotiation finished successfully
-SSL connection using DHE-RSA-AES256-SHA
+SSL connection using AES256-SHA
Succeeded in starting TLS
>>> auth plain AHVzZXJ4AHNlY3JldA==
??? 503
SSL info: SSLv3 read finished A
SSL info: SSL negotiation finished successfully
SSL info: SSL negotiation finished successfully
-SSL connection using DHE-RSA-AES256-SHA
+SSL connection using AES256-SHA
Succeeded in starting TLS
>>> ehlo foobar
??? 250-myhost
--- /dev/null
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaX-0005vi-00\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaY-0005vi-00\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaZ-0005vi-00\r
+221 myhost.test.ex closing connection\r
+
+******** SERVER ********
+Listening on port 1224 ...
+Connection request from [ip4.ip4.ip4.ip4]
+220 ESMTP
+EHLO myhost.test.ex
+250 OK
+MAIL FROM:<CALLER@myhost.test.ex>
+250 Sender OK
+RCPT TO:<userx@domain.com>
+250 Recipient OK
+DATA
+354 Send data
+Received: from CALLER (helo=myhost.test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from <CALLER@myhost.test.ex>)
+ id 10HmaX-0005vi-00
+ for userx@domain.com; Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
+From: CALLER_NAME <CALLER@myhost.test.ex>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+.
+250 OK
+QUIT
+250 OK
+End of script
+Listening on port 1224 ...
+Connection request from [ip4.ip4.ip4.ip4]
+220 SMTP only spoken here
+EHLO myhost.test.ex
+550 Not here, mate
+HELO myhost.test.ex
+250 OK
+MAIL FROM:<CALLER@myhost.test.ex>
+250 Sender OK
+RCPT TO:<userz@domain.com>
+250 Recipient OK
+DATA
+354 Send data
+Received: from CALLER (helo=myhost.test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from <CALLER@myhost.test.ex>)
+ id 10HmaY-0005vi-00
+ for userz@domain.com; Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaY-0005vi-00@myhost.test.ex>
+From: CALLER_NAME <CALLER@myhost.test.ex>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+.
+250 OK
+QUIT
+250 OK
+End of script
+Listening on port 1224 ...
+Connection request from [ip4.ip4.ip4.ip4]
+220 ESMTP
+EHLO myhost.test.ex
+250 OK
+MAIL FROM:<CALLER@myhost.test.ex>
+250 Sender OK
+RCPT TO:<usery@domain.com>
+250 Recipient OK
+QUIT
+Expected EOF read from client
+Listening on port 1224 ...
+Connection request from [ip4.ip4.ip4.ip4]
+220 ESMTP
+EHLO myhost.test.ex
+250 OK
+MAIL FROM:<CALLER@myhost.test.ex>
+250 Sender OK
+RCPT TO:<usery@domain.com>
+250 Recipient OK
+RCPT TO:<userx@domain.com>
+250 Recipient OK
+DATA
+354 Send data
+Received: from CALLER (helo=myhost.test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from <CALLER@myhost.test.ex>)
+ id 10HmaZ-0005vi-00; Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaZ-0005vi-00@myhost.test.ex>
+From: CALLER_NAME <CALLER@myhost.test.ex>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+.
+250 OK
+QUIT
+250 OK
+End of script
--- /dev/null
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaX-0005vi-00\r
+221 myhost.test.ex closing connection\r
+
+******** SERVER ********
+Listening on port 1224 ...
+Connection request from [ip4.ip4.ip4.ip4]
+220 ESMTP
+EHLO myhost.test.ex
+250 OK
+MAIL FROM:<CALLER@myhost.test.ex>
+250 Sender OK
+RCPT TO:<userx@domain.com>
+250 Recipient OK
+DATA
+354 Send data
+Received: from CALLER (helo=myhost.test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from <CALLER@myhost.test.ex>)
+ id 10HmaX-0005vi-00
+ for userx@domain.com; Tue, 2 Mar 1999 09:44:33 +0000
+Message-Id: <E10HmaX-0005vi-00@myhost.test.ex>
+From: CALLER_NAME <CALLER@myhost.test.ex>
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+
+.
+250 OK
+QUIT
+250 OK
+End of script
--- /dev/null
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaY-0005vi-00\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbA-0005vi-00\r
+221 myhost.test.ex closing connection\r
--- /dev/null
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaY-0005vi-00\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbA-0005vi-00\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbC-0005vi-00\r
+221 myhost.test.ex closing connection\r
--- /dev/null
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmaY-0005vi-00\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbA-0005vi-00\r
+221 myhost.test.ex closing connection\r
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000\r
+250-myhost.test.ex Hello CALLER at myhost.test.ex\r
+250-SIZE 52428800\r
+250-8BITMIME\r
+250-PIPELINING\r
+250-STARTTLS\r
+250 HELP\r
+250 OK\r
+250 Accepted\r
+354 Enter message, ending with "." on a line by itself\r
+250 OK id=10HmbC-0005vi-00\r
+221 myhost.test.ex closing connection\r
git://git.exim.org / exim.git / commitdiff