From: Jeremy Harris Date: Sat, 10 Dec 2022 16:19:16 +0000 (+0000) Subject: Allow a forced-fail for banner expansion to close connection without panic-log X-Git-Tag: exim-4.97-RC0~184 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/4f7a93c27e3d43b44c42d3fc503f03b9b42ca622 Allow a forced-fail for banner expansion to close connection without panic-log --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 1b3c2b454..75a53786d 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17692,13 +17692,18 @@ This facility is only available on Linux. .cindex "banner for SMTP" .cindex "welcome banner for SMTP" .cindex "customizing" "SMTP banner" -This string, which is expanded every time it is used, is output as the initial +If a connect ACL does not supply a message, +this string (which is expanded every time it is used) is output as the initial positive response to an SMTP connection. The default setting is: .code smtp_banner = $smtp_active_hostname ESMTP Exim \ $version_number $tod_full .endd -Failure to expand the string causes a panic error. If you want to create a +.new +Failure to expand the string causes a panic error; +a forced fail just closes the connection. +.wen +If you want to create a multiline response to the initial SMTP connection, use &"\n"& in the string at appropriate points, but not at the end. Note that the 220 code is not included in this string. Exim adds it automatically (several times in the case of a diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index b161f362d..6c043d434 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c 
@@ -3040,13 +3040,7 @@ code = US"220"; /* Default status code */ esc = US""; /* Default extended status code */ esclen = 0; /* Length of esc */ -if (!user_msg) - { - if (!(s = expand_string(smtp_banner))) - log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) " - "failed: %s", smtp_banner, expand_string_message); - } -else +if (user_msg) { int codelen = 3; s = user_msg; @@ -3057,6 +3051,17 @@ else esclen = codelen - 4; } } +else if (!(s = expand_string(smtp_banner))) + { + log_write(0, f.expand_string_forcedfail ? LOG_MAIN : LOG_MAIN|LOG_PANIC_DIE, + "Expansion of \"%s\" (smtp_banner) failed: %s", + smtp_banner, expand_string_message); + /* for force-fail */ +#ifndef DISABLE_TLS + if (tls_in.on_connect) tls_close(NULL, TLS_SHUTDOWN_WAIT); +#endif + return FALSE; + } /* Remove any terminating newlines; might as well remove trailing space too */ diff --git a/test/confs/5711 b/test/confs/5711 index 57a9fef08..2c6af3cf2 100644 --- a/test/confs/5711 +++ b/test/confs/5711 @@ -14,6 +14,7 @@ tls_advertise_hosts = * tls_certificate = DIR/aux-fixed/cert1 host_reject_connection = ${acl {hrc}} +smtp_banner = ${if != {$received_port}{PORT_D4} {my banner}fail} event_action = ${acl {tls_fail}} log_selector = +pid diff --git a/test/confs/5721 b/test/confs/5721 index 84c7785d9..6839bd528 100644 --- a/test/confs/5721 +++ b/test/confs/5721 @@ -14,6 +14,7 @@ tls_advertise_hosts = * tls_certificate = DIR/aux-fixed/cert1 host_reject_connection = ${acl {hrc}} +smtp_banner = ${if != {$received_port}{PORT_D4} {my banner}fail} event_action = ${acl {tls_fail}} log_selector = +pid diff --git a/test/log/5711 b/test/log/5711 index baf38b97d..4ebb2e2ea 100644 --- a/test/log/5711 +++ b/test/log/5711 
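Review bot: The `/* for force-fail */` comment on the new `else if` branch hides the control-flow assumption the branch depends on: the `tls_close()` and `return FALSE` after `log_write()` are reached only because `LOG_PANIC_DIE` presumably terminates the process, so a reader sees what looks like an unconditional close for every expansion failure. Replace the comment with one that states the contract, e.g. `/* LOG_PANIC_DIE does not return, so only a forced fail (f.expand_string_forcedfail) reaches here: shut TLS down and let the caller drop the connection. */`. It is also worth confirming that `tls_close(NULL, TLS_SHUTDOWN_WAIT)` cannot block indefinitely on a peer that never answers the close alert, since this path is now reachable on every connection under configuration control; `TLS_SHUTDOWN_NOWAIT` may be the safer choice if the library does wait. The enclosing function starts and ends outside the hunk, so the caller's handling of the FALSE return (closing the non-TLS socket) is not visible here.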
@@ -1,6 +1,6 @@ ******** SERVER ******** -1999-03-02 09:44:33 [1237] exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTPS on port PORT_D port PORT_D2 port PORT_D3 +1999-03-02 09:44:33 [1237] exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTPS on port PORT_D port PORT_D2 port PORT_D3 port PORT_D4 1999-03-02 09:44:33 [1238] eval host_reject_connection 1999-03-02 09:44:33 [1238] ACL conn 1999-03-02 09:44:33 [1238] ACL quit @@ -15,6 +15,9 @@ 1999-03-02 09:44:33 [1235] H=[127.0.0.1] dropped by 'connect' ACL: we dislike you 1999-03-02 09:44:33 [1240] eval host_reject_connection 1999-03-02 09:44:33 [1240] ACL conn -1999-03-02 09:44:33 [1240] EV tls:fail:connect -1999-03-02 09:44:33 [1240] EVDATA: (gnutls_handshake): The TLS connection was non-properly terminated. -1999-03-02 09:44:33 [1240] TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer +1999-03-02 09:44:33 [1240] Expansion of "${if != {$received_port}{1228} {my banner}fail}" (smtp_banner) failed: "if" failed and "fail" requested +1999-03-02 09:44:33 [1241] eval host_reject_connection +1999-03-02 09:44:33 [1241] ACL conn +1999-03-02 09:44:33 [1241] EV tls:fail:connect +1999-03-02 09:44:33 [1241] EVDATA: (gnutls_handshake): The TLS connection was non-properly terminated. +1999-03-02 09:44:33 [1241] TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer diff --git a/test/log/5721 b/test/log/5721 index 41583c55a..28d5bf8a9 100644 --- a/test/log/5721 +++ b/test/log/5721 
@@ -1,6 +1,6 @@ ******** SERVER ******** -1999-03-02 09:44:33 [1237] exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTPS on port PORT_D port PORT_D2 port PORT_D3 +1999-03-02 09:44:33 [1237] exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTPS on port PORT_D port PORT_D2 port PORT_D3 port PORT_D4 1999-03-02 09:44:33 [1238] eval host_reject_connection 1999-03-02 09:44:33 [1238] ACL conn 1999-03-02 09:44:33 [1238] ACL quit @@ -14,6 +14,9 @@ 1999-03-02 09:44:33 [1235] H=[127.0.0.1] dropped by 'connect' ACL: we dislike you 1999-03-02 09:44:33 [1240] eval host_reject_connection 1999-03-02 09:44:33 [1240] ACL conn -1999-03-02 09:44:33 [1240] EV tls:fail:connect -1999-03-02 09:44:33 [1240] EVDATA: SSL_accept: TCP connection closed by peer -1999-03-02 09:44:33 [1240] TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer +1999-03-02 09:44:33 [1240] Expansion of "${if != {$received_port}{1228} {my banner}fail}" (smtp_banner) failed: "if" failed and "fail" requested +1999-03-02 09:44:33 [1241] eval host_reject_connection +1999-03-02 09:44:33 [1241] ACL conn +1999-03-02 09:44:33 [1241] EV tls:fail:connect +1999-03-02 09:44:33 [1241] EVDATA: SSL_accept: TCP connection closed by peer +1999-03-02 09:44:33 [1241] TLS error on connection from [127.0.0.1] (tls lib accept fn): TCP connection closed by peer diff --git a/test/scripts/5710-GnuTLS-events/5711 b/test/scripts/5710-GnuTLS-events/5711 index 725703f2a..6817c8c29 100644 --- a/test/scripts/5710-GnuTLS-events/5711 +++ b/test/scripts/5710-GnuTLS-events/5711 @@ -1,6 +1,6 @@ # smtp-on-connect drop-before-tls-accept # -exim -DSERVER=server -tls-on-connect -bd -oX PORT_D:PORT_D2:PORT_D3 +exim -DSERVER=server -tls-on-connect -bd -oX PORT_D:PORT_D2:PORT_D3:PORT_D4 **** # # Normal, full connect and quit 
@@ -25,6 +25,11 @@ client-anytls -tls-on-connect 127.0.0.1 PORT_D3 ???* **** # +# server fails banner expansion +client-anytls -tls-on-connect 127.0.0.1 PORT_D4 +???* +**** +# # client disconnects before server TLS accept completes client 127.0.0.1 PORT_D +++ 1 diff --git a/test/scripts/5720-OpenSSL-events/5721 b/test/scripts/5720-OpenSSL-events/5721 index 19f977c7b..14bcd2cb6 100644 --- a/test/scripts/5720-OpenSSL-events/5721 +++ b/test/scripts/5720-OpenSSL-events/5721 @@ -1,6 +1,6 @@ # smtp-on-connect drop-before-tls-accept # -exim -DSERVER=server -tls-on-connect -bd -oX PORT_D:PORT_D2:PORT_D3 +exim -DSERVER=server -tls-on-connect -bd -oX PORT_D:PORT_D2:PORT_D3:PORT_D4 **** # # Normal, full connect and quit @@ -25,6 +25,12 @@ client-anytls -tls-on-connect 127.0.0.1 PORT_D3 ???* **** # +# server fails banner expansion +client-anytls -tls-on-connect 127.0.0.1 PORT_D4 +???* +**** +# +# # client disconnects before server TLS accept completes client 127.0.0.1 PORT_D +++ 1 diff --git a/test/stdout/5711 b/test/stdout/5711 index f96f81b96..6a928b2e9 100644 --- a/test/stdout/5711 +++ b/test/stdout/5711 @@ -2,7 +2,7 @@ Connecting to 127.0.0.1 port 1225 ... connected Attempting to start TLS Succeeded in starting TLS ??? 220 -<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +<<< 220 my banner >>> quit ??? 221 <<< 221 myhost.test.ex closing connection @@ -11,7 +11,7 @@ Connecting to 127.0.0.1 port 1225 ... connected Attempting to start TLS Succeeded in starting TLS ??? 220 -<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +<<< 220 my banner End of script Connecting to 127.0.0.1 port 1226 ... connected Attempting to start TLS @@ -25,6 +25,12 @@ Failed to start TLS ???* Expected EOF read End of script +Connecting to 127.0.0.1 port 1228 ... connected +Attempting to start TLS +Succeeded in starting TLS +???* +Expected EOF read +End of script Connecting to 127.0.0.1 port 1225 ... connected +++ 1 End of script 
diff --git a/test/stdout/5721 b/test/stdout/5721 index f96f81b96..6a928b2e9 100644 --- a/test/stdout/5721 +++ b/test/stdout/5721 @@ -2,7 +2,7 @@ Connecting to 127.0.0.1 port 1225 ... connected Attempting to start TLS Succeeded in starting TLS ??? 220 -<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +<<< 220 my banner >>> quit ??? 221 <<< 221 myhost.test.ex closing connection @@ -11,7 +11,7 @@ Connecting to 127.0.0.1 port 1225 ... connected Attempting to start TLS Succeeded in starting TLS ??? 220 -<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +<<< 220 my banner End of script Connecting to 127.0.0.1 port 1226 ... connected Attempting to start TLS @@ -25,6 +25,12 @@ Failed to start TLS ???* Expected EOF read End of script +Connecting to 127.0.0.1 port 1228 ... connected +Attempting to start TLS +Succeeded in starting TLS +???* +Expected EOF read +End of script Connecting to 127.0.0.1 port 1225 ... connected +++ 1 End of script