1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions for handling an incoming SMTP call. */
16 /* Initialize for TCP wrappers if so configured. It appears that the macro
17 HAVE_IPV6 is used in some versions of the tcpd.h header, so we unset it before
18 including that header, and restore its value afterwards. */
20 #ifdef USE_TCP_WRAPPERS
23 #define EXIM_HAVE_IPV6
29 #define HAVE_IPV6 TRUE
32 int allow_severity = LOG_INFO;
33 int deny_severity = LOG_NOTICE;
34 uschar *tcp_wrappers_name;
38 /* Size of buffer for reading SMTP commands. We used to use 512, as defined
39 by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
40 commands that accept arguments, and this in particular applies to AUTH, where
41 the data can be quite long. More recently this value was 2048 in Exim;
42 however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH. Clients
43 such as Thunderbird will send an AUTH with an initial-response for GSSAPI.
44 The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
45 we need room to handle large base64-encoded AUTHs for GSSAPI.
48 #define SMTP_CMD_BUFFER_SIZE 16384
50 /* Size of buffer for reading SMTP incoming packets */
52 #define IN_BUFFER_SIZE 8192
54 /* Structure for SMTP command list */
61 short int is_mail_cmd;
64 /* Codes for identifying commands. We order them so that those that come first
65 are those for which synchronization is always required. Checking this can help
69 /* These commands are required to be synchronized, i.e. to be the last in a
70 block of commands when pipelining. */
72 HELO_CMD, EHLO_CMD, DATA_CMD, /* These are listed in the pipelining */
73 VRFY_CMD, EXPN_CMD, NOOP_CMD, /* RFC as requiring synchronization */
74 ETRN_CMD, /* This by analogy with TURN from the RFC */
75 STARTTLS_CMD, /* Required by the STARTTLS RFC */
76 TLS_AUTH_CMD, /* auto-command at start of SSL */
78 /* This is a dummy to identify the non-sync commands when pipelining */
80 NON_SYNC_CMD_PIPELINING,
82 /* These commands need not be synchronized when pipelining */
84 MAIL_CMD, RCPT_CMD, RSET_CMD,
86 /* This is a dummy to identify the non-sync commands when not pipelining */
88 NON_SYNC_CMD_NON_PIPELINING,
90 /* RFC3030 section 2: "After all MAIL and RCPT responses are collected and
91 processed the message is sent using a series of BDAT commands"
92 implies that BDAT should be synchronized. However, we see Google, at least,
93 sending MAIL,RCPT,BDAT-LAST in a single packet, clearly not waiting for
94 processing of the RCPT response(s). We shall do the same, and not require
95 synch for BDAT. Worse, as the chunk may (very likely will) follow the
96 command-header in the same packet we cannot do the usual "is there any
97 follow-on data after the command line" even for non-pipeline mode.
98 So we'll need an explicit check after reading the expected chunk amount
99 when non-pipe, before sending the ACK. */
103 /* I have been unable to find a statement about the use of pipelining
104 with AUTH, so to be on the safe side it is here, though I kind of feel
105 it should be up there with the synchronized commands. */
109 /* I'm not sure about these, but I don't think they matter. */
114 PROXY_FAIL_IGNORE_CMD,
117 /* These are specials that don't correspond to actual commands */
119 EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
120 TOO_MANY_NONMAIL_CMD };
123 /* This is a convenience macro for adding the identity of an SMTP command
124 to the circular buffer that holds a list of the last n received. */
127 smtp_connection_had[smtp_ch_index++] = n; \
128 if (smtp_ch_index >= SMTP_HBUFF_SIZE) smtp_ch_index = 0
131 /*************************************************
132 * Local static variables *
133 *************************************************/
136 BOOL auth_advertised :1;
138 BOOL tls_advertised :1;
140 BOOL dsn_advertised :1;
142 BOOL helo_required :1;
145 BOOL helo_accept_junk :1;
146 #ifndef DISABLE_PIPE_CONNECT
147 BOOL pipe_connect_acceptable :1;
149 BOOL rcpt_smtp_response_same :1;
150 BOOL rcpt_in_progress :1;
151 BOOL smtp_exit_function_called :1;
153 BOOL smtputf8_advertised :1;
156 .helo_required = FALSE,
157 .helo_verify = FALSE,
158 .smtp_exit_function_called = FALSE,
161 static auth_instance *authenticated_by;
162 static int count_nonmail;
163 static int nonmail_command_count;
164 static int synprot_error_count;
165 static int unknown_command_count;
166 static int sync_cmd_limit;
167 static int smtp_write_error = 0;
169 static uschar *rcpt_smtp_response;
170 static uschar *smtp_data_buffer;
171 static uschar *smtp_cmd_data;
173 /* We need to know the position of RSET, HELO, EHLO, AUTH, and STARTTLS. Their
174 final fields of all except AUTH are forced TRUE at the start of a new message
175 setup, to allow one of each between messages that is not counted as a nonmail
176 command. (In fact, only one of HELO/EHLO is not counted.) Also, we have to
177 allow a new EHLO after starting up TLS.
179 AUTH is "falsely" labelled as a mail command initially, so that it doesn't get
180 counted. However, the flag is changed when AUTH is received, so that multiple
181 failing AUTHs will eventually hit the limit. After a successful AUTH, another
182 AUTH is already forbidden. After a TLS session is started, AUTH's flag is again
183 forced TRUE, to allow for the re-authentication that can happen at that point.
185 QUIT is also "falsely" labelled as a mail command so that it doesn't up the
186 count of non-mail commands and possibly provoke an error.
188 tls_auth is a pseudo-command, never expected in input. It is activated
189 on TLS startup and looks for a tls authenticator. */
191 static smtp_cmd_list cmd_list[] = {
192 /* name len cmd has_arg is_mail_cmd */
194 { "rset", sizeof("rset")-1, RSET_CMD, FALSE, FALSE }, /* First */
195 { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
196 { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
197 { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
199 { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
200 { "tls_auth", 0, TLS_AUTH_CMD, FALSE, FALSE },
203 /* If you change anything above here, also fix the definitions below. */
205 { "mail from:", sizeof("mail from:")-1, MAIL_CMD, TRUE, TRUE },
206 { "rcpt to:", sizeof("rcpt to:")-1, RCPT_CMD, TRUE, TRUE },
207 { "data", sizeof("data")-1, DATA_CMD, FALSE, TRUE },
208 { "bdat", sizeof("bdat")-1, BDAT_CMD, TRUE, TRUE },
209 { "quit", sizeof("quit")-1, QUIT_CMD, FALSE, TRUE },
210 { "noop", sizeof("noop")-1, NOOP_CMD, TRUE, FALSE },
211 { "etrn", sizeof("etrn")-1, ETRN_CMD, TRUE, FALSE },
212 { "vrfy", sizeof("vrfy")-1, VRFY_CMD, TRUE, FALSE },
213 { "expn", sizeof("expn")-1, EXPN_CMD, TRUE, FALSE },
214 { "help", sizeof("help")-1, HELP_CMD, TRUE, FALSE }
217 static smtp_cmd_list *cmd_list_end =
218 cmd_list + sizeof(cmd_list)/sizeof(smtp_cmd_list);
220 #define CMD_LIST_RSET 0
221 #define CMD_LIST_HELO 1
222 #define CMD_LIST_EHLO 2
223 #define CMD_LIST_AUTH 3
224 #define CMD_LIST_STARTTLS 4
225 #define CMD_LIST_TLS_AUTH 5
227 /* This list of names is used for performing the smtp_no_mail logging action.
228 It must be kept in step with the SCH_xxx enumerations. */
230 static uschar *smtp_names[] =
232 US"NONE", US"AUTH", US"DATA", US"BDAT", US"EHLO", US"ETRN", US"EXPN",
233 US"HELO", US"HELP", US"MAIL", US"NOOP", US"QUIT", US"RCPT", US"RSET",
234 US"STARTTLS", US"VRFY" };
236 static uschar *protocols_local[] = {
237 US"local-smtp", /* HELO */
238 US"local-smtps", /* The rare case EHLO->STARTTLS->HELO */
239 US"local-esmtp", /* EHLO */
240 US"local-esmtps", /* EHLO->STARTTLS->EHLO */
241 US"local-esmtpa", /* EHLO->AUTH */
242 US"local-esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
244 static uschar *protocols[] = {
246 US"smtps", /* The rare case EHLO->STARTTLS->HELO */
247 US"esmtp", /* EHLO */
248 US"esmtps", /* EHLO->STARTTLS->EHLO */
249 US"esmtpa", /* EHLO->AUTH */
250 US"esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
255 #define pcrpted 1 /* added to pextend or pnormal */
256 #define pauthed 2 /* added to pextend */
258 /* Sanity check and validate optional args to MAIL FROM: envelope */
261 ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH,
265 ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
271 uschar * name; /* option requested during MAIL cmd */
272 int value; /* enum type */
273 BOOL need_value; /* TRUE requires value (name=value pair format)
274 FALSE is a singleton */
276 static env_mail_type_t env_mail_type_list[] = {
277 { US"SIZE", ENV_MAIL_OPT_SIZE, TRUE },
278 { US"BODY", ENV_MAIL_OPT_BODY, TRUE },
279 { US"AUTH", ENV_MAIL_OPT_AUTH, TRUE },
281 { US"PRDR", ENV_MAIL_OPT_PRDR, FALSE },
283 { US"RET", ENV_MAIL_OPT_RET, TRUE },
284 { US"ENVID", ENV_MAIL_OPT_ENVID, TRUE },
286 { US"SMTPUTF8",ENV_MAIL_OPT_UTF8, FALSE }, /* rfc6531 */
288 /* keep this the last entry */
289 { US"NULL", ENV_MAIL_OPT_NULL, FALSE },
292 /* When reading SMTP from a remote host, we have to use our own versions of the
293 C input-reading functions, in order to be able to flush the SMTP output only
294 when about to read more data from the socket. This is the only way to get
295 optimal performance when the client is using pipelining. Flushing for every
296 command causes a separate packet and reply packet each time; saving all the
297 responses up (when pipelining) combines them into one packet and one response.
299 For simplicity, these functions are used for *all* SMTP input, not only when
300 receiving over a socket. However, after setting up a secure socket (SSL), input
301 is read via the OpenSSL library, and another set of functions is used instead
304 These functions are set in the receive_getc etc. variables and called with the
305 same interface as the C functions. However, since there can only ever be
306 one incoming SMTP call, we just use a single buffer and flags. There is no need
307 to implement a complicated private FILE-like structure.*/
309 static uschar *smtp_inbuffer;
310 static uschar *smtp_inptr;
311 static uschar *smtp_inend;
312 static int smtp_had_eof;
313 static int smtp_had_error;
316 /* forward declarations */
317 static int smtp_read_command(BOOL check_sync, unsigned buffer_lim);
318 static int synprot_error(int type, int code, uschar *data, uschar *errmess);
319 static void smtp_quit_handler(uschar **, uschar **);
320 static void smtp_rset_handler(void);
322 /*************************************************
323 * Recheck synchronization *
324 *************************************************/
326 /* Synchronization checks can never be perfect because a packet may be on its
327 way but not arrived when the check is done. Normally, the checks happen when
328 commands are read: Exim ensures that there is no more input in the input buffer.
329 In normal cases, the response to the command will be fast, and there is no
332 However, for some commands an ACL is run, and that can include delays. In those
333 cases, it is useful to do another check on the input just before sending the
334 response. This also applies at the start of a connection. This function does
335 that check by means of the select() function, as long as the facility is not
336 disabled or inappropriate. A failure of select() is ignored.
338 When there is unwanted input, we read it so that it appears in the log of the
342 Returns: TRUE if all is well; FALSE if there is input pending
346 wouldblock_reading(void)
350 struct timeval tzero;
353 if (tls_in.active.sock >= 0)
354 return !tls_could_read();
357 if (smtp_inptr < smtp_inend)
360 fd = fileno(smtp_in);
365 rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
367 if (rc <= 0) return TRUE; /* Not ready to read */
368 rc = smtp_getc(GETC_BUFFER_UNLIMITED);
369 if (rc < 0) return TRUE; /* End of file or error */
378 if (!smtp_enforce_sync || !sender_host_address || f.sender_host_notsocket)
381 return wouldblock_reading();
385 /* If there's input waiting (and we're doing pipelineing) then we can pipeline
386 a reponse with the one following. */
389 pipeline_response(void)
391 if ( !smtp_enforce_sync || !sender_host_address
392 || f.sender_host_notsocket || !f.smtp_in_pipelining_advertised)
395 if (wouldblock_reading()) return FALSE;
396 f.smtp_in_pipelining_used = TRUE;
401 #ifndef DISABLE_PIPE_CONNECT
403 pipeline_connect_sends(void)
405 if (!sender_host_address || f.sender_host_notsocket || !fl.pipe_connect_acceptable)
408 if (wouldblock_reading()) return FALSE;
409 f.smtp_in_early_pipe_used = TRUE;
414 /*************************************************
415 * Log incomplete transactions *
416 *************************************************/
418 /* This function is called after a transaction has been aborted by RSET, QUIT,
419 connection drops or other errors. It logs the envelope information received
420 so far in order to preserve address verification attempts.
422 Argument: string to indicate what aborted the transaction
427 incomplete_transaction_log(uschar *what)
429 if (!sender_address /* No transaction in progress */
430 || !LOGGING(smtp_incomplete_transaction))
433 /* Build list of recipients for logging */
435 if (recipients_count > 0)
437 raw_recipients = store_get(recipients_count * sizeof(uschar *), FALSE);
438 for (int i = 0; i < recipients_count; i++)
439 raw_recipients[i] = recipients_list[i].address;
440 raw_recipients_count = recipients_count;
443 log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
444 "%s incomplete transaction (%s)", host_and_ident(TRUE), what);
451 smtp_command_timeout_exit(void)
453 log_write(L_lost_incoming_connection,
454 LOG_MAIN, "SMTP command timeout on%s connection from %s",
455 tls_in.active.sock >= 0 ? " TLS" : "", host_and_ident(FALSE));
456 if (smtp_batched_input)
457 moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
458 smtp_notquit_exit(US"command-timeout", US"421",
459 US"%s: SMTP command timeout - closing connection",
460 smtp_active_hostname);
461 exim_exit(EXIT_FAILURE);
465 smtp_command_sigterm_exit(void)
467 log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
468 if (smtp_batched_input)
469 moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */
470 smtp_notquit_exit(US"signal-exit", US"421",
471 US"%s: Service not available - closing connection", smtp_active_hostname);
472 exim_exit(EXIT_FAILURE);
476 smtp_data_timeout_exit(void)
478 log_write(L_lost_incoming_connection,
479 LOG_MAIN, "SMTP data timeout (message abandoned) on connection from %s F=<%s>",
480 sender_fullhost ? sender_fullhost : US"local process", sender_address);
481 receive_bomb_out(US"data-timeout", US"SMTP incoming data timeout");
482 /* Does not return */
486 smtp_data_sigint_exit(void)
488 log_write(0, LOG_MAIN, "%s closed after %s",
489 smtp_get_connection_info(), had_data_sigint == SIGTERM ? "SIGTERM":"SIGINT");
490 receive_bomb_out(US"signal-exit",
491 US"Service not available - SIGTERM or SIGINT received");
492 /* Does not return */
497 /* Refill the buffer, and notify DKIM verification code.
498 Return false for error or EOF.
502 smtp_refill(unsigned lim)
505 if (!smtp_out) return FALSE;
507 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
509 /* Limit amount read, so non-message data is not fed to DKIM.
510 Take care to not touch the safety NUL at the end of the buffer. */
512 rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE-1, lim));
514 if (smtp_receive_timeout > 0) ALARM_CLR(0);
517 /* Must put the error text in fixed store, because this might be during
518 header reading, where it releases unused store above the header. */
521 if (had_command_timeout) /* set by signal handler */
522 smtp_command_timeout_exit(); /* does not return */
523 if (had_command_sigterm)
524 smtp_command_sigterm_exit();
525 if (had_data_timeout)
526 smtp_data_timeout_exit();
528 smtp_data_sigint_exit();
530 smtp_had_error = save_errno;
531 smtp_read_error = string_copy_perm(
532 string_sprintf(" (error: %s)", strerror(save_errno)), FALSE);
539 dkim_exim_verify_feed(smtp_inbuffer, rc);
541 smtp_inend = smtp_inbuffer + rc;
542 smtp_inptr = smtp_inbuffer;
546 /*************************************************
547 * SMTP version of getc() *
548 *************************************************/
550 /* This gets the next byte from the SMTP input buffer. If the buffer is empty,
551 it flushes the output, and refills the buffer, with a timeout. The signal
552 handler is set appropriately by the calling function. This function is not used
553 after a connection has negotiated itself into an TLS/SSL state.
555 Arguments: lim Maximum amount to read/buffer
556 Returns: the next character or EOF
560 smtp_getc(unsigned lim)
562 if (smtp_inptr >= smtp_inend)
563 if (!smtp_refill(lim))
565 return *smtp_inptr++;
569 smtp_getbuf(unsigned * len)
574 if (smtp_inptr >= smtp_inend)
575 if (!smtp_refill(*len))
576 { *len = 0; return NULL; }
578 if ((size = smtp_inend - smtp_inptr) > *len) size = *len;
589 int n = smtp_inend - smtp_inptr;
591 dkim_exim_verify_feed(smtp_inptr, n);
596 /* Get a byte from the smtp input, in CHUNKING mode. Handle ack of the
597 previous BDAT chunk and getting new ones when we run out. Uses the
598 underlying smtp_getc or tls_getc both for that and for getting the
599 (buffered) data byte. EOD signals (an expected) no further data.
600 ERR signals a protocol error, and EOF a closed input stream.
602 Called from read_bdat_smtp() in receive.c for the message body, but also
603 by the headers read loop in receive_msg(); manipulates chunking_state
604 to handle the BDAT command/response.
605 Placed here due to the correlation with the above smtp_getc(), which it wraps,
606 and also by the need to do smtp command/response handling.
608 Arguments: lim (ignored)
609 Returns: the next character or ERR, EOD or EOF
613 bdat_getc(unsigned lim)
615 uschar * user_msg = NULL;
624 if (chunking_data_left > 0)
625 return lwr_receive_getc(chunking_data_left--);
627 receive_getc = lwr_receive_getc;
628 receive_getbuf = lwr_receive_getbuf;
629 receive_ungetc = lwr_receive_ungetc;
631 dkim_save = dkim_collect_input;
632 dkim_collect_input = 0;
635 /* Unless PIPELINING was offered, there should be no next command
636 until after we ack that chunk */
638 if (!f.smtp_in_pipelining_advertised && !check_sync())
640 unsigned n = smtp_inend - smtp_inptr;
643 incomplete_transaction_log(US"sync failure");
644 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
645 "(next input sent too soon: pipelining was not advertised): "
646 "rejected \"%s\" %s next input=\"%s\"%s",
647 smtp_cmd_buffer, host_and_ident(TRUE),
648 string_printing(string_copyn(smtp_inptr, n)),
649 smtp_inend - smtp_inptr > n ? "..." : "");
650 (void) synprot_error(L_smtp_protocol_error, 554, NULL,
651 US"SMTP synchronization error");
652 goto repeat_until_rset;
655 /* If not the last, ack the received chunk. The last response is delayed
656 until after the data ACL decides on it */
658 if (chunking_state == CHUNKING_LAST)
661 dkim_exim_verify_feed(NULL, 0); /* notify EOD */
666 smtp_printf("250 %u byte chunk received\r\n", FALSE, chunking_datasize);
667 chunking_state = CHUNKING_OFFERED;
668 DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
670 /* Expect another BDAT cmd from input. RFC 3030 says nothing about
671 QUIT, RSET or NOOP but handling them seems obvious */
674 switch(smtp_read_command(TRUE, 1))
677 (void) synprot_error(L_smtp_protocol_error, 503, NULL,
678 US"only BDAT permissible after non-LAST BDAT");
681 switch(smtp_read_command(TRUE, 1))
683 case QUIT_CMD: smtp_quit_handler(&user_msg, &log_msg); /*FALLTHROUGH */
684 case EOF_CMD: return EOF;
685 case RSET_CMD: smtp_rset_handler(); return ERR;
686 default: if (synprot_error(L_smtp_protocol_error, 503, NULL,
687 US"only RSET accepted now") > 0)
689 goto repeat_until_rset;
693 smtp_quit_handler(&user_msg, &log_msg);
704 smtp_printf("250 OK\r\n", FALSE);
711 if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
713 (void) synprot_error(L_smtp_protocol_error, 501, NULL,
714 US"missing size for BDAT command");
717 chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
718 ? CHUNKING_LAST : CHUNKING_ACTIVE;
719 chunking_data_left = chunking_datasize;
720 DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
721 (int)chunking_state, chunking_data_left);
723 if (chunking_datasize == 0)
724 if (chunking_state == CHUNKING_LAST)
728 (void) synprot_error(L_smtp_protocol_error, 504, NULL,
729 US"zero size for BDAT command");
730 goto repeat_until_rset;
733 receive_getc = bdat_getc;
734 receive_getbuf = bdat_getbuf; /* r~getbuf is never actually used */
735 receive_ungetc = bdat_ungetc;
737 dkim_collect_input = dkim_save;
739 break; /* to top of main loop */
746 bdat_getbuf(unsigned * len)
750 if (chunking_data_left <= 0)
751 { *len = 0; return NULL; }
753 if (*len > chunking_data_left) *len = chunking_data_left;
754 buf = lwr_receive_getbuf(len); /* Either smtp_getbuf or tls_getbuf */
755 chunking_data_left -= *len;
760 bdat_flush_data(void)
762 while (chunking_data_left)
764 unsigned n = chunking_data_left;
765 if (!bdat_getbuf(&n)) break;
768 receive_getc = lwr_receive_getc;
769 receive_getbuf = lwr_receive_getbuf;
770 receive_ungetc = lwr_receive_ungetc;
772 if (chunking_state != CHUNKING_LAST)
774 chunking_state = CHUNKING_OFFERED;
775 DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
782 /*************************************************
783 * SMTP version of ungetc() *
784 *************************************************/
786 /* Puts a character back in the input buffer. Only ever
792 Returns: the character
806 chunking_data_left++;
807 return lwr_receive_ungetc(ch);
812 /*************************************************
813 * SMTP version of feof() *
814 *************************************************/
816 /* Tests for a previous EOF
819 Returns: non-zero if the eof flag is set
831 /*************************************************
832 * SMTP version of ferror() *
833 *************************************************/
835 /* Tests for a previous read error, and returns with errno
836 restored to what it was when the error was detected.
839 Returns: non-zero if the error flag is set
845 errno = smtp_had_error;
846 return smtp_had_error;
851 /*************************************************
852 * Test for characters in the SMTP buffer *
853 *************************************************/
855 /* Used at the end of a message
864 return smtp_inptr < smtp_inend;
869 /*************************************************
870 * Write formatted string to SMTP channel *
871 *************************************************/
873 /* This is a separate function so that we don't have to repeat everything for
874 TLS support or debugging. It is global so that the daemon and the
875 authentication functions can use it. It does not return any error indication,
876 because major problems such as dropped connections won't show up till an output
877 flush for non-TLS connections. The smtp_fflush() function is available for
878 checking that: for convenience, TLS output errors are remembered here so that
879 they are also picked up later by smtp_fflush().
881 This function is exposed to the local_scan API; do not change the signature.
885 more further data expected
886 ... optional arguments
892 smtp_printf(const char *format, BOOL more, ...)
897 smtp_vprintf(format, more, ap);
901 /* This is split off so that verify.c:respond_printf() can, in effect, call
902 smtp_printf(), bearing in mind that in C a vararg function can't directly
903 call another vararg function, only a function which accepts a va_list.
905 This function is exposed to the local_scan API; do not change the signature.
907 /*XXX consider passing caller-info in, for string_vformat-onward */
910 smtp_vprintf(const char *format, BOOL more, va_list ap)
912 gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer };
915 /* Use taint-unchecked routines for writing into big_buffer, trusting
916 that we'll never expand it. */
918 yield = !! string_vformat(&gs, SVFMT_TAINT_NOCHK, format, ap);
919 string_from_gstring(&gs);
923 uschar *msg_copy, *cr, *end;
924 msg_copy = string_copy(gs.s);
925 end = msg_copy + gs.ptr;
926 while ((cr = Ustrchr(msg_copy, '\r')) != NULL) /* lose CRs */
927 memmove(cr, cr + 1, (end--) - cr);
928 debug_printf("SMTP>> %s", msg_copy);
933 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
934 smtp_closedown(US"Unexpected error");
935 exim_exit(EXIT_FAILURE);
938 /* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
939 have had the same. Note: this code is also present in smtp_respond(). It would
940 be tidier to have it only in one place, but when it was added, it was easier to
941 do it that way, so as not to have to mess with the code for the RCPT command,
942 which sometimes uses smtp_printf() and sometimes smtp_respond(). */
944 if (fl.rcpt_in_progress)
946 if (rcpt_smtp_response == NULL)
947 rcpt_smtp_response = string_copy(big_buffer);
948 else if (fl.rcpt_smtp_response_same &&
949 Ustrcmp(rcpt_smtp_response, big_buffer) != 0)
950 fl.rcpt_smtp_response_same = FALSE;
951 fl.rcpt_in_progress = FALSE;
954 /* Now write the string */
958 tls_in.active.sock >= 0 ? (tls_write(NULL, gs.s, gs.ptr, more) < 0) :
960 (fwrite(gs.s, gs.ptr, 1, smtp_out) == 0)
962 smtp_write_error = -1;
967 /*************************************************
968 * Flush SMTP out and check for error *
969 *************************************************/
971 /* This function isn't currently used within Exim (it detects errors when it
972 tries to read the next SMTP input), but is available for use in local_scan().
973 It flushes the output and checks for errors.
976 Returns: 0 for no error; -1 after an error
982 if (tls_in.active.sock < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
986 tls_in.active.sock >= 0 ? (tls_write(NULL, NULL, 0, FALSE) < 0) :
988 (fflush(smtp_out) != 0)
990 smtp_write_error = -1;
992 return smtp_write_error;
997 /*************************************************
998 * SMTP command read timeout *
999 *************************************************/
1001 /* Signal handler for timing out incoming SMTP commands. This attempts to
1004 Argument: signal number (SIGALRM)
1009 command_timeout_handler(int sig)
1011 had_command_timeout = sig;
1016 /*************************************************
1017 * SIGTERM received *
1018 *************************************************/
1020 /* Signal handler for handling SIGTERM. Again, try to finish tidily.
1022 Argument: signal number (SIGTERM)
1027 command_sigterm_handler(int sig)
1029 had_command_sigterm = sig;
1035 #ifdef SUPPORT_PROXY
1036 /*************************************************
1037 * Restore socket timeout to previous value *
1038 *************************************************/
1039 /* If the previous value was successfully retrieved, restore
1040 it before returning control to the non-proxy routines
1042 Arguments: fd - File descriptor for input
1043 get_ok - Successfully retrieved previous values
1044 tvtmp - Time struct with previous values
1045 vslen - Length of time struct
1049 restore_socket_timeout(int fd, int get_ok, struct timeval * tvtmp, socklen_t vslen)
1052 (void) setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, CS tvtmp, vslen);
1055 /*************************************************
1056 * Check if host is required proxy host *
1057 *************************************************/
1058 /* The function determines if inbound host will be a regular smtp host
1059 or if it is configured that it must use Proxy Protocol. A local
1067 check_proxy_protocol_host()
1071 if ( sender_host_address
1072 && (rc = verify_check_this_host(CUSS &hosts_proxy, NULL, NULL,
1073 sender_host_address, NULL)) == OK)
1076 debug_printf("Detected proxy protocol configured host\n");
1077 proxy_session = TRUE;
1079 return proxy_session;
1083 /*************************************************
1084 * Read data until newline or end of buffer *
1085 *************************************************/
1086 /* While SMTP is server-speaks-first, TLS is client-speaks-first, so we can't
1087 read an entire buffer and assume there will be nothing past a proxy protocol
1088 header. Our approach normally is to use stdio, but again that relies upon
1089 "STARTTLS\r\n" and a server response before the client starts TLS handshake, or
1090 reading _nothing_ before client TLS handshake. So we don't want to use the
1091 usual buffering reads which may read enough to block TLS starting.
1093 So unfortunately we're down to "read one byte at a time, with a syscall each,
1094 and expect a little overhead", for all proxy-opened connections which are v1,
1095 just to handle the TLS-on-connect case. Since SSL functions wrap the
1096 underlying fd, we can't assume that we can feed them any already-read content.
1098 We need to know where to read to, the max capacity, and we'll read until we
1099 get a CR and one more character. Let the caller scream if it's CR+!LF.
1101 Return the amount read.
1105 swallow_until_crlf(int fd, uschar *base, int already, int capacity)
1107 uschar *to = base + already;
1113 /* For "PROXY UNKNOWN\r\n" we, at time of writing, expect to have read
1114 up through the \r; for the _normal_ case, we haven't yet seen the \r. */
1116 cr = memchr(base, '\r', already);
1119 if ((cr - base) < already - 1)
1121 /* \r and presumed \n already within what we have; probably not
1122 actually proxy protocol, but abort cleanly. */
1125 /* \r is last character read, just need one more. */
1129 while (capacity > 0)
1131 do { ret = recv(fd, to, 1, 0); } while (ret == -1 && errno == EINTR);
1143 /* reached end without having room for a final newline, abort */
1148 /*************************************************
1149 * Setup host for proxy protocol *
1150 *************************************************/
1151 /* The function configures the connection based on a header from the
1152 inbound host to use Proxy Protocol. The specification is very exact
1153 so exit with an error if do not find the exact required pieces. This
1154 includes an incorrect number of spaces separating args.
1157 Returns: Boolean success
1161 setup_proxy_protocol_host()
1173 struct { /* TCP/UDP over IPv4, len = 12 */
1179 struct { /* TCP/UDP over IPv6, len = 36 */
1180 uint8_t src_addr[16];
1181 uint8_t dst_addr[16];
1185 struct { /* AF_UNIX sockets, len = 216 */
1186 uschar src_addr[108];
1187 uschar dst_addr[108];
1193 /* Temp variables used in PPv2 address:port parsing */
1195 char tmpip[INET_ADDRSTRLEN];
1196 struct sockaddr_in tmpaddr;
1197 char tmpip6[INET6_ADDRSTRLEN];
1198 struct sockaddr_in6 tmpaddr6;
1200 /* We can't read "all data until end" because while SMTP is
1201 server-speaks-first, the TLS handshake is client-speaks-first, so for
1202 TLS-on-connect ports the proxy protocol header will usually be immediately
1203 followed by a TLS handshake, and with N TLS libraries, we can't reliably
1204 reinject data for reading by those. So instead we first read "enough to be
1205 safely read within the header, and figure out how much more to read".
1206 For v1 we will later read to the end-of-line, for v2 we will read based upon
1209 The v2 sig is 12 octets, and another 4 gets us the length, so we know how much
1210 data is needed total. For v1, where the line looks like:
1211 PROXY TCPn L3src L3dest SrcPort DestPort \r\n
1213 However, for v1 there's also `PROXY UNKNOWN\r\n` which is only 15 octets.
1214 We seem to support that. So, if we read 14 octets then we can tell if we're
1215 v2 or v1. If we're v1, we can continue reading as normal.
1217 If we're v2, we can't slurp up the entire header. We need the length in the
1218 15th & 16th octets, then to read everything after that.
1220 So to safely handle v1 and v2, with client-sent-first supported correctly,
1221 we have to do a minimum of 3 read calls, not 1. Eww.
1224 #define PROXY_INITIAL_READ 14
1225 #define PROXY_V2_HEADER_SIZE 16
1226 #if PROXY_INITIAL_READ > PROXY_V2_HEADER_SIZE
1227 # error Code bug in sizes of data to read for proxy usage
1232 int fd = fileno(smtp_in);
1233 const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
1234 uschar * iptype; /* To display debug info */
1236 struct timeval tvtmp;
1237 socklen_t vslen = sizeof(struct timeval);
1240 /* Save current socket timeout values */
1241 get_ok = getsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, CS &tvtmp, &vslen);
1243 /* Proxy Protocol host must send header within a short time
1244 (default 3 seconds) or it's considered invalid */
1245 tv.tv_sec = PROXY_NEGOTIATION_TIMEOUT_SEC;
1246 tv.tv_usec = PROXY_NEGOTIATION_TIMEOUT_USEC;
1247 if (setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, CS &tv, sizeof(tv)) < 0)
1252 /* The inbound host was declared to be a Proxy Protocol host, so
1253 don't do a PEEK into the data, actually slurp up enough to be
1254 "safe". Can't take it all because TLS-on-connect clients follow
1255 immediately with TLS handshake. */
1256 ret = recv(fd, &hdr, PROXY_INITIAL_READ, 0);
1258 while (ret == -1 && errno == EINTR);
1263 /* For v2, handle reading the length, and then the rest. */
1264 if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))
1269 /* First get the length fields. */
1272 retmore = recv(fd, (uschar*)&hdr + ret, PROXY_V2_HEADER_SIZE - PROXY_INITIAL_READ, 0);
1273 } while (retmore == -1 && errno == EINTR);
1278 ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
1280 /* May 2014: haproxy combined the version and command into one byte to
1281 allow two full bytes for the length field in order to proxy SSL
1282 connections. SSL Proxy is not supported in this version of Exim, but
1283 must still separate values here. */
1287 DEBUG(D_receive) debug_printf("Invalid Proxy Protocol version: %d\n", ver);
1291 /* The v2 header will always be 16 bytes per the spec. */
1292 size = 16 + ntohs(hdr.v2.len);
1293 DEBUG(D_receive) debug_printf("Detected PROXYv2 header, size %d (limit %d)\n",
1294 size, (int)sizeof(hdr));
1296 /* We should now have 16 octets (PROXY_V2_HEADER_SIZE), and we know the total
1297 amount that we need. Double-check that the size is not unreasonable, then
1299 if (size > sizeof(hdr))
1301 DEBUG(D_receive) debug_printf("PROXYv2 header size unreasonably large; security attack?\n");
1309 retmore = recv(fd, (uschar*)&hdr + ret, size-ret, 0);
1310 } while (retmore == -1 && errno == EINTR);
1314 DEBUG(D_receive) debug_printf("PROXYv2: have %d/%d required octets\n", ret, size);
1315 } while (ret < size);
1317 } /* end scope for getting rest of data for v2 */
1319 /* At this point: if PROXYv2, we've read the exact size required for all data;
1320 if PROXYv1 then we've read "less than required for any valid line" and should
1323 if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)
1325 uint8_t cmd = (hdr.v2.ver_cmd & 0x0f);
1329 case 0x01: /* PROXY command */
1332 case 0x11: /* TCPv4 address type */
1334 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
1335 inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
1336 if (!string_is_ip_address(US tmpip, NULL))
1338 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
1341 proxy_local_address = sender_host_address;
1342 sender_host_address = string_copy(US tmpip);
1343 tmpport = ntohs(hdr.v2.addr.ip4.src_port);
1344 proxy_local_port = sender_host_port;
1345 sender_host_port = tmpport;
1346 /* Save dest ip/port */
1347 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
1348 inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
1349 if (!string_is_ip_address(US tmpip, NULL))
1351 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
1354 proxy_external_address = string_copy(US tmpip);
1355 tmpport = ntohs(hdr.v2.addr.ip4.dst_port);
1356 proxy_external_port = tmpport;
1358 case 0x21: /* TCPv6 address type */
1360 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
1361 inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
1362 if (!string_is_ip_address(US tmpip6, NULL))
1364 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
1367 proxy_local_address = sender_host_address;
1368 sender_host_address = string_copy(US tmpip6);
1369 tmpport = ntohs(hdr.v2.addr.ip6.src_port);
1370 proxy_local_port = sender_host_port;
1371 sender_host_port = tmpport;
1372 /* Save dest ip/port */
1373 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
1374 inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
1375 if (!string_is_ip_address(US tmpip6, NULL))
1377 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
1380 proxy_external_address = string_copy(US tmpip6);
1381 tmpport = ntohs(hdr.v2.addr.ip6.dst_port);
1382 proxy_external_port = tmpport;
1386 debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n",
1390 /* Unsupported protocol, keep local connection address */
1392 case 0x00: /* LOCAL command */
1393 /* Keep local connection address for LOCAL */
1398 debug_printf("Unsupported PROXYv2 command: 0x%x\n", cmd);
1402 else if (ret >= 8 && memcmp(hdr.v1.line, "PROXY", 5) == 0)
1406 uschar *sp; /* Utility variables follow */
1411 /* get the rest of the line */
1412 r2 = swallow_until_crlf(fd, (uschar*)&hdr, ret, sizeof(hdr)-ret);
1417 p = string_copy(hdr.v1.line);
1418 end = memchr(p, '\r', ret - 1);
1420 if (!end || (end == (uschar*)&hdr + ret) || end[1] != '\n')
1422 DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
1425 *end = '\0'; /* Terminate the string */
1426 size = end + 2 - p; /* Skip header + CRLF */
1427 DEBUG(D_receive) debug_printf("Detected PROXYv1 header\n");
1428 DEBUG(D_receive) debug_printf("Bytes read not within PROXY header: %d\n", ret - size);
1429 /* Step through the string looking for the required fields. Ensure
1430 strict adherence to required formatting, exit for any error. */
1432 if (!isspace(*(p++)))
1434 DEBUG(D_receive) debug_printf("Missing space after PROXY command\n");
1437 if (!Ustrncmp(p, CCS"TCP4", 4))
1439 else if (!Ustrncmp(p,CCS"TCP6", 4))
1441 else if (!Ustrncmp(p,CCS"UNKNOWN", 7))
1443 iptype = US"Unknown";
1448 DEBUG(D_receive) debug_printf("Invalid TCP type\n");
1452 p += Ustrlen(iptype);
1453 if (!isspace(*(p++)))
1455 DEBUG(D_receive) debug_printf("Missing space after TCP4/6 command\n");
1458 /* Find the end of the arg */
1459 if ((sp = Ustrchr(p, ' ')) == NULL)
1462 debug_printf("Did not find proxied src %s\n", iptype);
1466 if(!string_is_ip_address(p, NULL))
1469 debug_printf("Proxied src arg is not an %s address\n", iptype);
1472 proxy_local_address = sender_host_address;
1473 sender_host_address = p;
1475 if ((sp = Ustrchr(p, ' ')) == NULL)
1478 debug_printf("Did not find proxy dest %s\n", iptype);
1482 if(!string_is_ip_address(p, NULL))
1485 debug_printf("Proxy dest arg is not an %s address\n", iptype);
1488 proxy_external_address = p;
1490 if ((sp = Ustrchr(p, ' ')) == NULL)
1492 DEBUG(D_receive) debug_printf("Did not find proxied src port\n");
1496 tmp_port = strtol(CCS p, &endc, 10);
1497 if (*endc || tmp_port == 0)
1500 debug_printf("Proxied src port '%s' not an integer\n", p);
1503 proxy_local_port = sender_host_port;
1504 sender_host_port = tmp_port;
1506 if ((sp = Ustrchr(p, '\0')) == NULL)
1508 DEBUG(D_receive) debug_printf("Did not find proxy dest port\n");
1511 tmp_port = strtol(CCS p, &endc, 10);
1512 if (*endc || tmp_port == 0)
1515 debug_printf("Proxy dest port '%s' not an integer\n", p);
1518 proxy_external_port = tmp_port;
1519 /* Already checked for /r /n above. Good V1 header received. */
1523 /* Wrong protocol */
1524 DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n");
1525 (void) swallow_until_crlf(fd, (uschar*)&hdr, ret, sizeof(hdr)-ret);
1531 debug_printf("Valid %s sender from Proxy Protocol header\n", iptype);
1532 yield = proxy_session;
1534 /* Don't flush any potential buffer contents. Any input on proxyfail
1535 should cause a synchronization failure */
1538 restore_socket_timeout(fd, get_ok, &tvtmp, vslen);
1543 sender_host_name = NULL;
1544 (void) host_name_lookup();
1545 host_build_sender_fullhost();
1549 f.proxy_session_failed = TRUE;
1551 debug_printf("Failure to extract proxied host, only QUIT allowed\n");
1558 /*************************************************
1559 * Read one command line *
1560 *************************************************/
1562 /* Strictly, SMTP commands coming over the net are supposed to end with CRLF.
1563 There are sites that don't do this, and in any case internal SMTP probably
1564 should check only for LF. Consequently, we check here for LF only. The line
1565 ends up with [CR]LF removed from its end. If we get an overlong line, treat as
1566 an unknown command. The command is read into the global smtp_cmd_buffer so that
1567 it is available via $smtp_command.
1569 The character reading routine sets up a timeout for each block actually read
1570 from the input (which may contain more than one command). We set up a special
1571 signal handler that closes down the session on a timeout. Control does not
1572 return when it runs.
1575 check_sync if TRUE, check synchronization rules if global option is TRUE
1576 buffer_lim maximum to buffer in lower layer
1578 Returns: a code identifying the command (enumerated above)
1582 smtp_read_command(BOOL check_sync, unsigned buffer_lim)
1586 BOOL hadnull = FALSE;
1588 had_command_timeout = 0;
1589 os_non_restarting_signal(SIGALRM, command_timeout_handler);
1591 while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF)
1593 if (ptr >= SMTP_CMD_BUFFER_SIZE)
1595 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1603 smtp_cmd_buffer[ptr++] = c;
1606 receive_linecount++; /* For BSMTP errors */
1607 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1609 /* If hit end of file, return pseudo EOF command. Whether we have a
1610 part-line already read doesn't matter, since this is an error state. */
1612 if (c == EOF) return EOF_CMD;
1614 /* Remove any CR and white space at the end of the line, and terminate the
1617 while (ptr > 0 && isspace(smtp_cmd_buffer[ptr-1])) ptr--;
1618 smtp_cmd_buffer[ptr] = 0;
1620 DEBUG(D_receive) debug_printf("SMTP<< %s\n", smtp_cmd_buffer);
1622 /* NULLs are not allowed in SMTP commands */
1624 if (hadnull) return BADCHAR_CMD;
1626 /* Scan command list and return identity, having set the data pointer
1627 to the start of the actual data characters. Check for SMTP synchronization
1630 for (smtp_cmd_list * p = cmd_list; p < cmd_list_end; p++)
1632 #ifdef SUPPORT_PROXY
1633 /* Only allow QUIT command if Proxy Protocol parsing failed */
1634 if (proxy_session && f.proxy_session_failed && p->cmd != QUIT_CMD)
1638 && strncmpic(smtp_cmd_buffer, US p->name, p->len) == 0
1639 && ( smtp_cmd_buffer[p->len-1] == ':' /* "mail from:" or "rcpt to:" */
1640 || smtp_cmd_buffer[p->len] == 0
1641 || smtp_cmd_buffer[p->len] == ' '
1644 if (smtp_inptr < smtp_inend && /* Outstanding input */
1645 p->cmd < sync_cmd_limit && /* Command should sync */
1646 check_sync && /* Local flag set */
1647 smtp_enforce_sync && /* Global flag set */
1648 sender_host_address != NULL && /* Not local input */
1649 !f.sender_host_notsocket) /* Really is a socket */
1652 /* The variables $smtp_command and $smtp_command_argument point into the
1653 unmodified input buffer. A copy of the latter is taken for actual
1654 processing, so that it can be chopped up into separate parts if necessary,
1655 for example, when processing a MAIL command options such as SIZE that can
1656 follow the sender address. */
1658 smtp_cmd_argument = smtp_cmd_buffer + p->len;
1659 while (isspace(*smtp_cmd_argument)) smtp_cmd_argument++;
1660 Ustrcpy(smtp_data_buffer, smtp_cmd_argument);
1661 smtp_cmd_data = smtp_data_buffer;
1663 /* Count non-mail commands from those hosts that are controlled in this
1664 way. The default is all hosts. We don't waste effort checking the list
1665 until we get a non-mail command, but then cache the result to save checking
1666 again. If there's a DEFER while checking the host, assume it's in the list.
1668 Note that one instance of RSET, EHLO/HELO, and STARTTLS is allowed at the
1669 start of each incoming message by fiddling with the value in the table. */
1671 if (!p->is_mail_cmd)
1673 if (count_nonmail == TRUE_UNSET) count_nonmail =
1674 verify_check_host(&smtp_accept_max_nonmail_hosts) != FAIL;
1675 if (count_nonmail && ++nonmail_command_count > smtp_accept_max_nonmail)
1676 return TOO_MANY_NONMAIL_CMD;
1679 /* If there is data for a command that does not expect it, generate the
1682 return (p->has_arg || *smtp_cmd_data == 0)? p->cmd : BADARG_CMD;
1686 #ifdef SUPPORT_PROXY
1687 /* Only allow QUIT command if Proxy Protocol parsing failed */
1688 if (proxy_session && f.proxy_session_failed)
1689 return PROXY_FAIL_IGNORE_CMD;
1692 /* Enforce synchronization for unknown commands */
1694 if ( smtp_inptr < smtp_inend /* Outstanding input */
1695 && check_sync /* Local flag set */
1696 && smtp_enforce_sync /* Global flag set */
1697 && sender_host_address /* Not local input */
1698 && !f.sender_host_notsocket) /* Really is a socket */
1706 /*************************************************
1707 * Forced closedown of call *
1708 *************************************************/
1710 /* This function is called from log.c when Exim is dying because of a serious
1711 disaster, and also from some other places. If an incoming non-batched SMTP
1712 channel is open, it swallows the rest of the incoming message if in the DATA
1713 phase, sends the reply string, and gives an error to all subsequent commands
1714 except QUIT. The existence of an SMTP call is detected by the non-NULLness of
1718 message SMTP reply string to send, excluding the code
1724 smtp_closedown(uschar *message)
1726 if (!smtp_in || smtp_batched_input) return;
1727 receive_swallow_smtp();
1728 smtp_printf("421 %s\r\n", FALSE, message);
1730 for (;;) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
1736 smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
1741 smtp_printf("250 Reset OK\r\n", FALSE);
1745 smtp_printf("421 %s\r\n", FALSE, message);
1753 /*************************************************
1754 * Set up connection info for logging *
1755 *************************************************/
1757 /* This function is called when logging information about an SMTP connection.
1758 It sets up appropriate source information, depending on the type of connection.
1759 If sender_fullhost is NULL, we are at a very early stage of the connection;
1760 just use the IP address.
1763 Returns: a string describing the connection
1767 smtp_get_connection_info(void)
1769 const uschar * hostname = sender_fullhost
1770 ? sender_fullhost : sender_host_address;
1773 return string_sprintf("SMTP connection from %s", hostname);
1775 if (f.sender_host_unknown || f.sender_host_notsocket)
1776 return string_sprintf("SMTP connection from %s", sender_ident);
1779 return string_sprintf("SMTP connection from %s (via inetd)", hostname);
1781 if (LOGGING(incoming_interface) && interface_address)
1782 return string_sprintf("SMTP connection from %s I=[%s]:%d", hostname,
1783 interface_address, interface_port);
1785 return string_sprintf("SMTP connection from %s", hostname);
1791 /* Append TLS-related information to a log line
1794 g String under construction: allocated string to extend, or NULL
1796 Returns: Allocated string or NULL
1799 s_tlslog(gstring * g)
1801 if (LOGGING(tls_cipher) && tls_in.cipher)
1803 g = string_append(g, 2, US" X=", tls_in.cipher);
1804 #ifndef DISABLE_TLS_RESUME
1805 if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED)
1806 g = string_catn(g, US"*", 1);
1809 if (LOGGING(tls_certificate_verified) && tls_in.cipher)
1810 g = string_append(g, 2, US" CV=", tls_in.certificate_verified? "yes":"no");
1811 if (LOGGING(tls_peerdn) && tls_in.peerdn)
1812 g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
1813 if (LOGGING(tls_sni) && tls_in.sni)
1814 g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
1819 /*************************************************
1820 * Log lack of MAIL if so configured *
1821 *************************************************/
1823 /* This function is called when an SMTP session ends. If the log selector
1824 smtp_no_mail is set, write a log line giving some details of what has happened
1825 in the SMTP session.
1832 smtp_log_no_mail(void)
1837 if (smtp_mailcmd_count > 0 || !LOGGING(smtp_no_mail))
1840 if (sender_host_authenticated)
1842 g = string_append(g, 2, US" A=", sender_host_authenticated);
1843 if (authenticated_id) g = string_append(g, 2, US":", authenticated_id);
1850 sep = smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE ? US" C=..." : US" C=";
1852 for (int i = smtp_ch_index; i < SMTP_HBUFF_SIZE; i++)
1853 if (smtp_connection_had[i] != SCH_NONE)
1855 g = string_append(g, 2, sep, smtp_names[smtp_connection_had[i]]);
1859 for (int i = 0; i < smtp_ch_index; i++)
1861 g = string_append(g, 2, sep, smtp_names[smtp_connection_had[i]]);
1865 if (!(s = string_from_gstring(g))) s = US"";
1867 log_write(0, LOG_MAIN, "no MAIL in %sSMTP connection from %s D=%s%s",
1868 f.tcp_in_fastopen ? f.tcp_in_fastopen_data ? US"TFO* " : US"TFO " : US"",
1869 host_and_ident(FALSE), string_timesince(&smtp_connection_start), s);
1873 /* Return list of recent smtp commands */
1878 gstring * list = NULL;
1881 for (int i = smtp_ch_index; i < SMTP_HBUFF_SIZE; i++)
1882 if (smtp_connection_had[i] != SCH_NONE)
1883 list = string_append_listele(list, ',', smtp_names[smtp_connection_had[i]]);
1885 for (int i = 0; i < smtp_ch_index; i++)
1886 list = string_append_listele(list, ',', smtp_names[smtp_connection_had[i]]);
1888 s = string_from_gstring(list);
1889 return s ? s : US"";
1895 /*************************************************
1896 * Check HELO line and set sender_helo_name *
1897 *************************************************/
1899 /* Check the format of a HELO line. The data for HELO/EHLO is supposed to be
1900 the domain name of the sending host, or an ip literal in square brackets. The
1901 argument is placed in sender_helo_name, which is in malloc store, because it
1902 must persist over multiple incoming messages. If helo_accept_junk is set, this
1903 host is permitted to send any old junk (needed for some broken hosts).
1904 Otherwise, helo_allow_chars can be used for rogue characters in general
1905 (typically people want to let in underscores).
1908 s the data portion of the line (already past any white space)
1910 Returns: TRUE or FALSE
1914 check_helo(uschar *s)
1917 uschar *end = s + Ustrlen(s);
1918 BOOL yield = fl.helo_accept_junk;
1920 /* Discard any previous helo name */
1922 sender_helo_name = NULL;
1924 /* Skip tests if junk is permitted. */
1928 /* Allow the new standard form for IPv6 address literals, namely,
1929 [IPv6:....], and because someone is bound to use it, allow an equivalent
1930 IPv4 form. Allow plain addresses as well. */
1937 if (strncmpic(s, US"[IPv6:", 6) == 0)
1938 yield = (string_is_ip_address(s+6, NULL) == 6);
1939 else if (strncmpic(s, US"[IPv4:", 6) == 0)
1940 yield = (string_is_ip_address(s+6, NULL) == 4);
1942 yield = (string_is_ip_address(s+1, NULL) != 0);
1947 /* Non-literals must be alpha, dot, hyphen, plus any non-valid chars
1948 that have been configured (usually underscore - sigh). */
1951 for (yield = TRUE; *s; s++)
1952 if (!isalnum(*s) && *s != '.' && *s != '-' &&
1953 Ustrchr(helo_allow_chars, *s) == NULL)
1959 /* Save argument if OK */
1961 if (yield) sender_helo_name = string_copy_perm(start, TRUE);
1969 /*************************************************
1970 * Extract SMTP command option *
1971 *************************************************/
1973 /* This function picks the next option setting off the end of smtp_cmd_data. It
1974 is called for MAIL FROM and RCPT TO commands, to pick off the optional ESMTP
1975 things that can appear there.
1978 name point this at the name
1979 value point this at the data string
1981 Returns: TRUE if found an option
1985 extract_option(uschar **name, uschar **value)
1988 uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
1989 while (isspace(*v)) v--;
1991 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
1993 /* Take care to not stop at a space embedded in a quoted local-part */
1995 if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
2002 while(isalpha(n[-1])) n--;
2003 /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
2004 if (!isspace(n[-1])) return FALSE;
2010 if (v == smtp_cmd_data) return FALSE;
2022 /*************************************************
2023 * Reset for new message *
2024 *************************************************/
2026 /* This function is called whenever the SMTP session is reset from
2027 within either of the setup functions; also from the daemon loop.
2029 Argument: the stacking pool storage reset point
2034 smtp_reset(void *reset_point)
2036 recipients_list = NULL;
2037 rcpt_count = rcpt_defer_count = rcpt_fail_count =
2038 raw_recipients_count = recipients_count = recipients_list_max = 0;
2039 message_linecount = 0;
2041 acl_added_headers = NULL;
2042 acl_removed_headers = NULL;
2043 f.queue_only_policy = FALSE;
2044 rcpt_smtp_response = NULL;
2045 fl.rcpt_smtp_response_same = TRUE;
2046 fl.rcpt_in_progress = FALSE;
2047 f.deliver_freeze = FALSE; /* Can be set by ACL */
2048 freeze_tell = freeze_tell_config; /* Can be set by ACL */
2049 fake_response = OK; /* Can be set by ACL */
2050 #ifdef WITH_CONTENT_SCAN
2051 f.no_mbox_unspool = FALSE; /* Can be set by ACL */
2053 f.submission_mode = FALSE; /* Can be set by ACL */
2054 f.suppress_local_fixups = f.suppress_local_fixups_default; /* Can be set by ACL */
2055 f.active_local_from_check = local_from_check; /* Can be set by ACL */
2056 f.active_local_sender_retain = local_sender_retain; /* Can be set by ACL */
2057 sending_ip_address = NULL;
2058 return_path = sender_address = NULL;
2059 deliver_localpart_data = deliver_domain_data =
2060 recipient_data = sender_data = NULL; /* Can be set by ACL */
2061 deliver_localpart_parent = deliver_localpart_orig = NULL;
2062 deliver_domain_parent = deliver_domain_orig = NULL;
2063 callout_address = NULL;
2064 submission_name = NULL; /* Can be set by ACL */
2065 raw_sender = NULL; /* After SMTP rewrite, before qualifying */
2066 sender_address_unrewritten = NULL; /* Set only after verify rewrite */
2067 sender_verified_list = NULL; /* No senders verified */
2068 memset(sender_address_cache, 0, sizeof(sender_address_cache));
2069 memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
2071 authenticated_sender = NULL;
2072 #ifdef EXPERIMENTAL_BRIGHTMAIL
2074 bmi_verdicts = NULL;
2076 dnslist_domain = dnslist_matched = NULL;
2078 spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL;
2079 spf_result_guessed = FALSE;
2081 #ifndef DISABLE_DKIM
2082 dkim_cur_signer = dkim_signers =
2083 dkim_signing_domain = dkim_signing_selector = dkim_signatures = NULL;
2084 dkim_cur_signer = dkim_signers = dkim_signing_domain = dkim_signing_selector = NULL;
2085 f.dkim_disable_verify = FALSE;
2086 dkim_collect_input = 0;
2087 dkim_verify_overall = dkim_verify_status = dkim_verify_reason = NULL;
2088 dkim_key_length = 0;
2090 #ifdef SUPPORT_DMARC
2091 f.dmarc_has_been_checked = f.dmarc_disable_verify = f.dmarc_enable_forensic = FALSE;
2092 dmarc_domain_policy = dmarc_status = dmarc_status_text =
2093 dmarc_used_domain = NULL;
2095 #ifdef EXPERIMENTAL_ARC
2096 arc_state = arc_state_reason = NULL;
2097 arc_received_instance = 0;
2101 deliver_host = deliver_host_address = NULL; /* Can be set by ACL */
2102 #ifndef DISABLE_PRDR
2103 prdr_requested = FALSE;
2106 message_smtputf8 = FALSE;
2108 body_linecount = body_zerocount = 0;
2110 sender_rate = sender_rate_limit = sender_rate_period = NULL;
2111 ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */
2112 /* Note that ratelimiters_conn persists across resets. */
2114 /* Reset message ACL variables */
2118 /* The message body variables use malloc store. They may be set if this is
2119 not the first message in an SMTP session and the previous message caused them
2120 to be referenced in an ACL. */
2124 store_free(message_body);
2125 message_body = NULL;
2128 if (message_body_end)
2130 store_free(message_body_end);
2131 message_body_end = NULL;
2134 /* Warning log messages are also saved in malloc store. They are saved to avoid
2135 repetition in the same message, but it seems right to repeat them for different
2138 while (acl_warn_logged)
2140 string_item *this = acl_warn_logged;
2141 acl_warn_logged = acl_warn_logged->next;
2144 store_reset(reset_point);
2145 return store_mark();
2152 /*************************************************
2153 * Initialize for incoming batched SMTP message *
2154 *************************************************/
2156 /* This function is called from smtp_setup_msg() in the case when
2157 smtp_batched_input is true. This happens when -bS is used to pass a whole batch
2158 of messages in one file with SMTP commands between them. All errors must be
2159 reported by sending a message, and only MAIL FROM, RCPT TO, and DATA are
2160 relevant. After an error on a sender, or an invalid recipient, the remainder
2161 of the message is skipped. The value of received_protocol is already set.
2164 Returns: > 0 message successfully started (reached DATA)
2165 = 0 QUIT read or end of file reached
2166 < 0 should not occur
2170 smtp_setup_batch_msg(void)
2173 rmark reset_point = store_mark();
2175 /* Save the line count at the start of each transaction - single commands
2176 like HELO and RSET count as whole transactions. */
2178 bsmtp_transaction_linecount = receive_linecount;
2180 if ((receive_feof)()) return 0; /* Treat EOF as QUIT */
2182 cancel_cutthrough_connection(TRUE, US"smtp_setup_batch_msg");
2183 reset_point = smtp_reset(reset_point); /* Reset for start of message */
2185 /* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
2186 value. The values are 2 larger than the required yield of the function. */
2191 uschar *recipient = NULL;
2192 int start, end, sender_domain, recipient_domain;
2194 switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
2196 /* The HELO/EHLO commands set sender_address_helo if they have
2197 valid data; otherwise they are ignored, except that they do
2198 a reset of the state. */
2203 check_helo(smtp_cmd_data);
2207 cancel_cutthrough_connection(TRUE, US"RSET received");
2208 reset_point = smtp_reset(reset_point);
2209 bsmtp_transaction_linecount = receive_linecount;
2213 /* The MAIL FROM command requires an address as an operand. All we
2214 do here is to parse it for syntactic correctness. The form "<>" is
2215 a special case which converts into an empty string. The start/end
2216 pointers in the original are not used further for this address, as
2217 it is the canonical extracted address which is all that is kept. */
2220 smtp_mailcmd_count++; /* Count for no-mail log */
2221 if (sender_address != NULL)
2222 /* The function moan_smtp_batch() does not return. */
2223 moan_smtp_batch(smtp_cmd_buffer, "503 Sender already given");
2225 if (smtp_cmd_data[0] == 0)
2226 /* The function moan_smtp_batch() does not return. */
2227 moan_smtp_batch(smtp_cmd_buffer, "501 MAIL FROM must have an address operand");
2229 /* Reset to start of message */
2231 cancel_cutthrough_connection(TRUE, US"MAIL received");
2232 reset_point = smtp_reset(reset_point);
2234 /* Apply SMTP rewrite */
2236 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
2237 rewrite_one(smtp_cmd_data, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
2238 US"", global_rewrite_rules) : smtp_cmd_data;
2240 /* Extract the address; the TRUE flag allows <> as valid */
2243 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
2247 /* The function moan_smtp_batch() does not return. */
2248 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
2250 sender_address = string_copy(raw_sender);
2252 /* Qualify unqualified sender addresses if permitted to do so. */
2255 && sender_address[0] != 0 && sender_address[0] != '@')
2256 if (f.allow_unqualified_sender)
2258 sender_address = rewrite_address_qualify(sender_address, FALSE);
2259 DEBUG(D_receive) debug_printf("unqualified address %s accepted "
2260 "and rewritten\n", raw_sender);
2262 /* The function moan_smtp_batch() does not return. */
2264 moan_smtp_batch(smtp_cmd_buffer, "501 sender address must contain "
2269 /* The RCPT TO command requires an address as an operand. All we do
2270 here is to parse it for syntactic correctness. There may be any number
2271 of RCPT TO commands, specifying multiple senders. We build them all into
2272 a data structure that is in argc/argv format. The start/end values
2273 given by parse_extract_address are not used, as we keep only the
2274 extracted address. */
2277 if (!sender_address)
2278 /* The function moan_smtp_batch() does not return. */
2279 moan_smtp_batch(smtp_cmd_buffer, "503 No sender yet given");
2281 if (smtp_cmd_data[0] == 0)
2282 /* The function moan_smtp_batch() does not return. */
2283 moan_smtp_batch(smtp_cmd_buffer,
2284 "501 RCPT TO must have an address operand");
2286 /* Check maximum number allowed */
2288 if (recipients_max > 0 && recipients_count + 1 > recipients_max)
2289 /* The function moan_smtp_batch() does not return. */
2290 moan_smtp_batch(smtp_cmd_buffer, "%s too many recipients",
2291 recipients_max_reject? "552": "452");
2293 /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a
2294 recipient address */
2296 recipient = rewrite_existflags & rewrite_smtp
2297 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
2298 global_rewrite_rules)
2301 recipient = parse_extract_address(recipient, &errmess, &start, &end,
2302 &recipient_domain, FALSE);
2305 /* The function moan_smtp_batch() does not return. */
2306 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
2308 /* If the recipient address is unqualified, qualify it if permitted. Then
2309 add it to the list of recipients. */
2311 if (!recipient_domain)
2312 if (f.allow_unqualified_recipient)
2314 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
2316 recipient = rewrite_address_qualify(recipient, TRUE);
2318 /* The function moan_smtp_batch() does not return. */
2320 moan_smtp_batch(smtp_cmd_buffer,
2321 "501 recipient address must contain a domain");
2323 receive_add_recipient(recipient, -1);
2327 /* The DATA command is legal only if it follows successful MAIL FROM
2328 and RCPT TO commands. This function is complete when a valid DATA
2329 command is encountered. */
2332 if (!sender_address || recipients_count <= 0)
2333 /* The function moan_smtp_batch() does not return. */
2334 if (!sender_address)
2335 moan_smtp_batch(smtp_cmd_buffer,
2336 "503 MAIL FROM:<sender> command must precede DATA");
2338 moan_smtp_batch(smtp_cmd_buffer,
2339 "503 RCPT TO:<recipient> must precede DATA");
2342 done = 3; /* DATA successfully achieved */
2343 message_ended = END_NOTENDED; /* Indicate in middle of message */
2348 /* The VRFY, EXPN, HELP, ETRN, and NOOP commands are ignored. */
2355 bsmtp_transaction_linecount = receive_linecount;
2366 /* The function moan_smtp_batch() does not return. */
2367 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected argument data");
2372 /* The function moan_smtp_batch() does not return. */
2373 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected NULL in SMTP command");
2378 /* The function moan_smtp_batch() does not return. */
2379 moan_smtp_batch(smtp_cmd_buffer, "500 Command unrecognized");
2384 return done - 2; /* Convert yield values */
2392 smtp_log_tls_fail(uschar * errstr)
2394 uschar * conn_info = smtp_get_connection_info();
2396 if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;
2397 /* I'd like to get separated H= here, but too hard for now */
2399 log_write(0, LOG_MAIN, "TLS error on %s %s", conn_info, errstr);
2413 socklen_t len = sizeof(is_fastopen);
2415 /* The tinfo TCPOPT_FAST_OPEN bit seems unreliable, and we don't see state
2416 TCP_SYN_RCV (as of 12.1) so no idea about data-use. */
2418 if (getsockopt(fileno(smtp_out), IPPROTO_TCP, TCP_FASTOPEN, &is_fastopen, &len) == 0)
2423 debug_printf("TFO mode connection (TCP_FASTOPEN getsockopt)\n");
2424 f.tcp_in_fastopen = TRUE;
2427 else DEBUG(D_receive)
2428 debug_printf("TCP_INFO getsockopt: %s\n", strerror(errno));
2430 # elif defined(TCP_INFO)
2431 struct tcp_info tinfo;
2432 socklen_t len = sizeof(tinfo);
2434 if (getsockopt(fileno(smtp_out), IPPROTO_TCP, TCP_INFO, &tinfo, &len) == 0)
2435 # ifdef TCPI_OPT_SYN_DATA /* FreeBSD 11,12 do not seem to have this yet */
2436 if (tinfo.tcpi_options & TCPI_OPT_SYN_DATA)
2439 debug_printf("TFO mode connection (ACKd data-on-SYN)\n");
2440 f.tcp_in_fastopen_data = f.tcp_in_fastopen = TRUE;
2444 if (tinfo.tcpi_state == TCP_SYN_RECV) /* Not seen on FreeBSD 12.1 */
2447 debug_printf("TFO mode connection (state TCP_SYN_RECV)\n");
2448 f.tcp_in_fastopen = TRUE;
2450 else DEBUG(D_receive)
2451 debug_printf("TCP_INFO getsockopt: %s\n", strerror(errno));
2457 /*************************************************
2458 * Start an SMTP session *
2459 *************************************************/
2461 /* This function is called at the start of an SMTP session. Thereafter,
2462 smtp_setup_msg() is called to initiate each separate message. This
2463 function does host-specific testing, and outputs the banner line.
2466 Returns: FALSE if the session can not continue; something has
2467 gone wrong, or the connection to the host is blocked
2471 smtp_start_session(void)
2474 uschar *user_msg, *log_msg;
2479 gettimeofday(&smtp_connection_start, NULL);
2480 for (smtp_ch_index = 0; smtp_ch_index < SMTP_HBUFF_SIZE; smtp_ch_index++)
2481 smtp_connection_had[smtp_ch_index] = SCH_NONE;
2484 /* Default values for certain variables */
2486 fl.helo_seen = fl.esmtp = fl.helo_accept_junk = FALSE;
2487 smtp_mailcmd_count = 0;
2488 count_nonmail = TRUE_UNSET;
2489 synprot_error_count = unknown_command_count = nonmail_command_count = 0;
2490 smtp_delay_mail = smtp_rlm_base;
2491 fl.auth_advertised = FALSE;
2492 f.smtp_in_pipelining_advertised = f.smtp_in_pipelining_used = FALSE;
2493 f.pipelining_enable = TRUE;
2494 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
2495 fl.smtp_exit_function_called = FALSE; /* For avoiding loop in not-quit exit */
2497 /* If receiving by -bs from a trusted user, or testing with -bh, we allow
2498 authentication settings from -oMaa to remain in force. */
2500 if (!host_checking && !f.sender_host_notsocket)
2501 sender_host_auth_pubname = sender_host_authenticated = NULL;
2502 authenticated_by = NULL;
2505 tls_in.ver = tls_in.cipher = tls_in.peerdn = NULL;
2506 tls_in.ourcert = tls_in.peercert = NULL;
2508 tls_in.ocsp = OCSP_NOT_REQ;
2509 fl.tls_advertised = FALSE;
2511 fl.dsn_advertised = FALSE;
2513 fl.smtputf8_advertised = FALSE;
2516 /* Reset ACL connection variables */
2520 /* Allow for trailing 0 in the command and data buffers. Tainted. */
2522 smtp_cmd_buffer = store_get_perm(2*SMTP_CMD_BUFFER_SIZE + 2, TRUE);
2524 smtp_cmd_buffer[0] = 0;
2525 smtp_data_buffer = smtp_cmd_buffer + SMTP_CMD_BUFFER_SIZE + 1;
2527 /* For batched input, the protocol setting can be overridden from the
2528 command line by a trusted caller. */
2530 if (smtp_batched_input)
2532 if (!received_protocol) received_protocol = US"local-bsmtp";
2535 /* For non-batched SMTP input, the protocol setting is forced here. It will be
2536 reset later if any of EHLO/AUTH/STARTTLS are received. */
2540 (sender_host_address ? protocols : protocols_local) [pnormal];
2542 /* Set up the buffer for inputting using direct read() calls, and arrange to
2543 call the local functions instead of the standard C ones. Place a NUL at the
2544 end of the buffer to safety-stop C-string reads from it. */
2546 if (!(smtp_inbuffer = US malloc(IN_BUFFER_SIZE)))
2547 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
2548 smtp_inbuffer[IN_BUFFER_SIZE-1] = '\0';
2550 receive_getc = smtp_getc;
2551 receive_getbuf = smtp_getbuf;
2552 receive_get_cache = smtp_get_cache;
2553 receive_ungetc = smtp_ungetc;
2554 receive_feof = smtp_feof;
2555 receive_ferror = smtp_ferror;
2556 receive_smtp_buffered = smtp_buffered;
2557 smtp_inptr = smtp_inend = smtp_inbuffer;
2558 smtp_had_eof = smtp_had_error = 0;
2560 /* Set up the message size limit; this may be host-specific */
2562 thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
2563 if (expand_string_message)
2565 if (thismessage_size_limit == -1)
2566 log_write(0, LOG_MAIN|LOG_PANIC, "unable to expand message_size_limit: "
2567 "%s", expand_string_message);
2569 log_write(0, LOG_MAIN|LOG_PANIC, "invalid message_size_limit: "
2570 "%s", expand_string_message);
2571 smtp_closedown(US"Temporary local problem - please try later");
2575 /* When a message is input locally via the -bs or -bS options, sender_host_
2576 unknown is set unless -oMa was used to force an IP address, in which case it
2577 is checked like a real remote connection. When -bs is used from inetd, this
2578 flag is not set, causing the sending host to be checked. The code that deals
2579 with IP source routing (if configured) is never required for -bs or -bS and
2580 the flag sender_host_notsocket is used to suppress it.
2582 If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
2583 reserve for certain hosts and/or networks. */
2585 if (!f.sender_host_unknown)
2588 BOOL reserved_host = FALSE;
2590 /* Look up IP options (source routing info) on the socket if this is not an
2591 -oMa "host", and if any are found, log them and drop the connection.
2593 Linux (and others now, see below) is different to everyone else, so there
2594 has to be some conditional compilation here. Versions of Linux before 2.1.15
2595 used a structure whose name was "options". Somebody finally realized that
2596 this name was silly, and it got changed to "ip_options". I use the
2597 newer name here, but there is a fudge in the script that sets up os.h
2598 to define a macro in older Linux systems.
2600 Sigh. Linux is a fast-moving target. Another generation of Linux uses
2601 glibc 2, which has chosen ip_opts for the structure name. This is now
2602 really a glibc thing rather than a Linux thing, so the condition name
2603 has been changed to reflect this. It is relevant also to GNU/Hurd.
2605 Mac OS 10.x (Darwin) is like the later glibc versions, but without the
2606 setting of the __GLIBC__ macro, so we can't detect it automatically. There's
2607 a special macro defined in the os.h file.
2609 Some DGUX versions on older hardware appear not to support IP options at
2610 all, so there is now a general macro which can be set to cut out this
2613 How to do this properly in IPv6 is not yet known. */
2615 #if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
2617 #ifdef GLIBC_IP_OPTIONS
2618 #if (!defined __GLIBC__) || (__GLIBC__ < 2)
2623 #elif defined DARWIN_IP_OPTIONS
2629 if (!host_checking && !f.sender_host_notsocket)
2632 EXIM_SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
2633 struct ip_options *ipopt = store_get(optlen, FALSE);
2635 struct ip_opts ipoptblock;
2636 struct ip_opts *ipopt = &ipoptblock;
2637 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
2639 struct ipoption ipoptblock;
2640 struct ipoption *ipopt = &ipoptblock;
2641 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
2644 /* Occasional genuine failures of getsockopt() have been seen - for
2645 example, "reset by peer". Therefore, just log and give up on this
2646 call, unless the error is ENOPROTOOPT. This error is given by systems
2647 that have the interfaces but not the mechanism - e.g. GNU/Hurd at the time
2648 of writing. So for that error, carry on - we just can't do an IP options
2651 DEBUG(D_receive) debug_printf("checking for IP options\n");
2653 if (getsockopt(fileno(smtp_out), IPPROTO_IP, IP_OPTIONS, US (ipopt),
2656 if (errno != ENOPROTOOPT)
2658 log_write(0, LOG_MAIN, "getsockopt() failed from %s: %s",
2659 host_and_ident(FALSE), strerror(errno));
2660 smtp_printf("451 SMTP service not available\r\n", FALSE);
2665 /* Deal with any IP options that are set. On the systems I have looked at,
2666 the value of MAX_IPOPTLEN has been 40, meaning that there should never be
2667 more logging data than will fit in big_buffer. Nevertheless, after somebody
2668 questioned this code, I've added in some paranoid checking. */
2670 else if (optlen > 0)
2672 uschar *p = big_buffer;
2673 uschar *pend = big_buffer + big_buffer_size;
2676 struct in_addr addr;
2679 uschar *optstart = US (ipopt->__data);
2681 uschar *optstart = US (ipopt->ip_opts);
2683 uschar *optstart = US (ipopt->ipopt_list);
2686 DEBUG(D_receive) debug_printf("IP options exist\n");
2688 Ustrcpy(p, "IP options on incoming call:");
2691 for (uschar * opt = optstart; opt && opt < US (ipopt) + optlen; )
2704 if (!string_format(p, pend-p, " %s [@%s",
2705 (*opt == IPOPT_SSRR)? "SSRR" : "LSRR",
2707 inet_ntoa(*((struct in_addr *)(&(ipopt->faddr))))))
2709 inet_ntoa(ipopt->ip_dst)))
2711 inet_ntoa(ipopt->ipopt_dst)))
2719 optcount = (opt[1] - 3) / sizeof(struct in_addr);
2721 while (optcount-- > 0)
2723 memcpy(&addr, adptr, sizeof(addr));
2724 if (!string_format(p, pend - p - 1, "%s%s",
2725 (optcount == 0)? ":" : "@", inet_ntoa(addr)))
2731 adptr += sizeof(struct in_addr);
2739 if (pend - p < 4 + 3*opt[1]) { opt = NULL; break; }
2742 for (int i = 0; i < opt[1]; i++)
2743 p += sprintf(CS p, "%2.2x ", opt[i]);
2751 log_write(0, LOG_MAIN, "%s", big_buffer);
2753 /* Refuse any call with IP options. This is what tcpwrappers 7.5 does. */
2755 log_write(0, LOG_MAIN|LOG_REJECT,
2756 "connection from %s refused (IP options)", host_and_ident(FALSE));
2758 smtp_printf("554 SMTP service not available\r\n", FALSE);
2762 /* Length of options = 0 => there are no options */
2764 else DEBUG(D_receive) debug_printf("no IP options found\n");
2766 #endif /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
2768 /* Set keep-alive in socket options. The option is on by default. This
2769 setting is an attempt to get rid of some hanging connections that stick in
2770 read() when the remote end (usually a dialup) goes away. */
2772 if (smtp_accept_keepalive && !f.sender_host_notsocket)
2773 ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
2775 /* If the current host matches host_lookup, set the name by doing a
2776 reverse lookup. On failure, sender_host_name will be NULL and
2777 host_lookup_failed will be TRUE. This may or may not be serious - optional
2780 if (verify_check_host(&host_lookup) == OK)
2782 (void)host_name_lookup();
2783 host_build_sender_fullhost();
2786 /* Delay this until we have the full name, if it is looked up. */
2788 set_process_info("handling incoming connection from %s",
2789 host_and_ident(FALSE));
2791 /* Expand smtp_receive_timeout, if needed */
2793 if (smtp_receive_timeout_s)
2796 if ( !(exp = expand_string(smtp_receive_timeout_s))
2798 || (smtp_receive_timeout = readconf_readtime(exp, 0, FALSE)) < 0
2800 log_write(0, LOG_MAIN|LOG_PANIC,
2801 "bad value for smtp_receive_timeout: '%s'", exp ? exp : US"");
2804 /* Test for explicit connection rejection */
2806 if (verify_check_host(&host_reject_connection) == OK)
2808 log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
2809 "from %s (host_reject_connection)", host_and_ident(FALSE));
2810 smtp_printf("554 SMTP service not available\r\n", FALSE);
2814 /* Test with TCP Wrappers if so configured. There is a problem in that
2815 hosts_ctl() returns 0 (deny) under a number of system failure circumstances,
2816 such as disks dying. In these cases, it is desirable to reject with a 4xx
2817 error instead of a 5xx error. There isn't a "right" way to detect such
2818 problems. The following kludge is used: errno is zeroed before calling
2819 hosts_ctl(). If the result is "reject", a 5xx error is given only if the
2820 value of errno is 0 or ENOENT (which happens if /etc/hosts.{allow,deny} does
2823 #ifdef USE_TCP_WRAPPERS
2825 if (!(tcp_wrappers_name = expand_string(tcp_wrappers_daemon_name)))
2826 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
2827 "(tcp_wrappers_name) failed: %s", string_printing(tcp_wrappers_name),
2828 expand_string_message);
2830 if (!hosts_ctl(tcp_wrappers_name,
2831 sender_host_name ? CS sender_host_name : STRING_UNKNOWN,
2832 sender_host_address ? CS sender_host_address : STRING_UNKNOWN,
2833 sender_ident ? CS sender_ident : STRING_UNKNOWN))
2835 if (errno == 0 || errno == ENOENT)
2837 HDEBUG(D_receive) debug_printf("tcp wrappers rejection\n");
2838 log_write(L_connection_reject,
2839 LOG_MAIN|LOG_REJECT, "refused connection from %s "
2840 "(tcp wrappers)", host_and_ident(FALSE));
2841 smtp_printf("554 SMTP service not available\r\n", FALSE);
2845 int save_errno = errno;
2846 HDEBUG(D_receive) debug_printf("tcp wrappers rejected with unexpected "
2847 "errno value %d\n", save_errno);
2848 log_write(L_connection_reject,
2849 LOG_MAIN|LOG_REJECT, "temporarily refused connection from %s "
2850 "(tcp wrappers errno=%d)", host_and_ident(FALSE), save_errno);
2851 smtp_printf("451 Temporary local problem - please try later\r\n", FALSE);
2857 /* Check for reserved slots. The value of smtp_accept_count has already been
2858 incremented to include this process. */
2860 if (smtp_accept_max > 0 &&
2861 smtp_accept_count > smtp_accept_max - smtp_accept_reserve)
2863 if ((rc = verify_check_host(&smtp_reserve_hosts)) != OK)
2865 log_write(L_connection_reject,
2866 LOG_MAIN, "temporarily refused connection from %s: not in "
2867 "reserve list: connected=%d max=%d reserve=%d%s",
2868 host_and_ident(FALSE), smtp_accept_count - 1, smtp_accept_max,
2869 smtp_accept_reserve, (rc == DEFER)? " (lookup deferred)" : "");
2870 smtp_printf("421 %s: Too many concurrent SMTP connections; "
2871 "please try again later\r\n", FALSE, smtp_active_hostname);
2874 reserved_host = TRUE;
2877 /* If a load level above which only messages from reserved hosts are
2878 accepted is set, check the load. For incoming calls via the daemon, the
2879 check is done in the superior process if there are no reserved hosts, to
2880 save a fork. In all cases, the load average will already be available
2881 in a global variable at this point. */
2883 if (smtp_load_reserve >= 0 &&
2884 load_average > smtp_load_reserve &&
2886 verify_check_host(&smtp_reserve_hosts) != OK)
2888 log_write(L_connection_reject,
2889 LOG_MAIN, "temporarily refused connection from %s: not in "
2890 "reserve list and load average = %.2f", host_and_ident(FALSE),
2891 (double)load_average/1000.0);
2892 smtp_printf("421 %s: Too much load; please try again later\r\n", FALSE,
2893 smtp_active_hostname);
2897 /* Determine whether unqualified senders or recipients are permitted
2898 for this host. Unfortunately, we have to do this every time, in order to
2899 set the flags so that they can be inspected when considering qualifying
2900 addresses in the headers. For a site that permits no qualification, this
2901 won't take long, however. */
2903 f.allow_unqualified_sender =
2904 verify_check_host(&sender_unqualified_hosts) == OK;
2906 f.allow_unqualified_recipient =
2907 verify_check_host(&recipient_unqualified_hosts) == OK;
2909 /* Determine whether HELO/EHLO is required for this host. The requirement
2910 can be hard or soft. */
2912 fl.helo_required = verify_check_host(&helo_verify_hosts) == OK;
2913 if (!fl.helo_required)
2914 fl.helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
2916 /* Determine whether this hosts is permitted to send syntactic junk
2917 after a HELO or EHLO command. */
2919 fl.helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
2922 /* For batch SMTP input we are now done. */
2924 if (smtp_batched_input) return TRUE;
2926 /* If valid Proxy Protocol source is connecting, set up session.
2927 * Failure will not allow any SMTP function other than QUIT. */
2929 #ifdef SUPPORT_PROXY
2930 proxy_session = FALSE;
2931 f.proxy_session_failed = FALSE;
2932 if (check_proxy_protocol_host())
2933 setup_proxy_protocol_host();
2936 /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
2937 smtps port for use with older style SSL MTAs. */
2940 if (tls_in.on_connect)
2942 if (tls_server_start(tls_require_ciphers, &user_msg) != OK)
2943 return smtp_log_tls_fail(user_msg);
2944 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
2948 /* Run the connect ACL if it exists */
2951 if (acl_smtp_connect)
2954 if ((rc = acl_check(ACL_WHERE_CONNECT, NULL, acl_smtp_connect, &user_msg,
2957 (void) smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
2962 /* Output the initial message for a two-way SMTP connection. It may contain
2963 newlines, which then cause a multi-line response to be given. */
2965 code = US"220"; /* Default status code */
2966 esc = US""; /* Default extended status code */
2967 esclen = 0; /* Length of esc */
2971 if (!(s = expand_string(smtp_banner)))
2972 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) "
2973 "failed: %s", smtp_banner, expand_string_message);
2979 smtp_message_code(&code, &codelen, &s, NULL, TRUE);
2983 esclen = codelen - 4;
2987 /* Remove any terminating newlines; might as well remove trailing space too */
2990 while (p > s && isspace(p[-1])) p--;
2993 /* It seems that CC:Mail is braindead, and assumes that the greeting message
2994 is all contained in a single IP packet. The original code wrote out the
2995 greeting using several calls to fprint/fputc, and on busy servers this could
2996 cause it to be split over more than one packet - which caused CC:Mail to fall
2997 over when it got the second part of the greeting after sending its first
2998 command. Sigh. To try to avoid this, build the complete greeting message
2999 first, and output it in one fell swoop. This gives a better chance of it
3000 ending up as a single packet. */
3002 ss = string_get(256);
3005 do /* At least once, in case we have an empty string */
3008 uschar *linebreak = Ustrchr(p, '\n');
3009 ss = string_catn(ss, code, 3);
3013 ss = string_catn(ss, US" ", 1);
3017 len = linebreak - p;
3018 ss = string_catn(ss, US"-", 1);
3020 ss = string_catn(ss, esc, esclen);
3021 ss = string_catn(ss, p, len);
3022 ss = string_catn(ss, US"\r\n", 2);
3028 /* Before we write the banner, check that there is no input pending, unless
3029 this synchronisation check is disabled. */
3031 #ifndef DISABLE_PIPE_CONNECT
3032 fl.pipe_connect_acceptable =
3033 sender_host_address && verify_check_host(&pipe_connect_advertise_hosts) == OK;
3036 if (fl.pipe_connect_acceptable)
3037 f.smtp_in_early_pipe_used = TRUE;
3043 unsigned n = smtp_inend - smtp_inptr;
3044 if (n > 128) n = 128;
3046 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol "
3047 "synchronization error (input sent without waiting for greeting): "
3048 "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
3049 string_printing(string_copyn(smtp_inptr, n)));
3050 smtp_printf("554 SMTP synchronization error\r\n", FALSE);
3054 /* Now output the banner */
3055 /*XXX the ehlo-resp code does its own tls/nontls bit. Maybe subroutine that? */
3058 #ifndef DISABLE_PIPE_CONNECT
3059 fl.pipe_connect_acceptable && pipeline_connect_sends(),
3063 string_from_gstring(ss));
3065 /* Attempt to see if we sent the banner before the last ACK of the 3-way
3066 handshake arrived. If so we must have managed a TFO. */
3069 if (sender_host_address && !f.sender_host_notsocket) tfo_in_check();
3079 /*************************************************
3080 * Handle SMTP syntax and protocol errors *
3081 *************************************************/
3083 /* Write to the log for SMTP syntax errors in incoming commands, if configured
3084 to do so. Then transmit the error response. The return value depends on the
3085 number of syntax and protocol errors in this SMTP session.
3088 type error type, given as a log flag bit
3089 code response code; <= 0 means don't send a response
3090 data data to reflect in the response (can be NULL)
3091 errmess the error message
3093 Returns: -1 limit of syntax/protocol errors NOT exceeded
3094 +1 limit of syntax/protocol errors IS exceeded
3096 These values fit in with the values of the "done" variable in the main
3097 processing loop in smtp_setup_msg(). */
3100 synprot_error(int type, int code, uschar *data, uschar *errmess)
3104 log_write(type, LOG_MAIN, "SMTP %s error in \"%s\" %s %s",
3105 (type == L_smtp_syntax_error)? "syntax" : "protocol",
3106 string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);
3108 if (++synprot_error_count > smtp_max_synprot_errors)
3111 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3112 "syntax or protocol errors (last command was \"%s\")",
3113 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
3118 smtp_printf("%d%c%s%s%s\r\n", FALSE, code, yield == 1 ? '-' : ' ',
3119 data ? data : US"", data ? US": " : US"", errmess);
3121 smtp_printf("%d Too many syntax or protocol errors\r\n", FALSE, code);
3130 /*************************************************
3131 * Send SMTP response, possibly multiline *
3132 *************************************************/
3134 /* There are, it seems, broken clients out there that cannot handle multiline
3135 responses. If no_multiline_responses is TRUE (it can be set from an ACL), we
3136 output nothing for non-final calls, and only the first line for anything else.
3139 code SMTP code, may involve extended status codes
3140 codelen length of smtp code; if > 4 there's an ESC
3141 final FALSE if the last line isn't the final line
3142 msg message text, possibly containing newlines
3148 smtp_respond(uschar* code, int codelen, BOOL final, uschar *msg)
3153 if (!final && f.no_multiline_responses) return;
3158 esclen = codelen - 4;
3161 /* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
3162 have had the same. Note: this code is also present in smtp_printf(). It would
3163 be tidier to have it only in one place, but when it was added, it was easier to
3164 do it that way, so as not to have to mess with the code for the RCPT command,
3165 which sometimes uses smtp_printf() and sometimes smtp_respond(). */
3167 if (fl.rcpt_in_progress)
3169 if (rcpt_smtp_response == NULL)
3170 rcpt_smtp_response = string_copy(msg);
3171 else if (fl.rcpt_smtp_response_same &&
3172 Ustrcmp(rcpt_smtp_response, msg) != 0)
3173 fl.rcpt_smtp_response_same = FALSE;
3174 fl.rcpt_in_progress = FALSE;
3177 /* Now output the message, splitting it up into multiple lines if necessary.
3178 We only handle pipelining these responses as far as nonfinal/final groups,
3179 not the whole MAIL/RCPT/DATA response set. */
3183 uschar *nl = Ustrchr(msg, '\n');
3186 smtp_printf("%.3s%c%.*s%s\r\n", !final, code, final ? ' ':'-', esclen, esc, msg);
3189 else if (nl[1] == 0 || f.no_multiline_responses)
3191 smtp_printf("%.3s%c%.*s%.*s\r\n", !final, code, final ? ' ':'-', esclen, esc,
3192 (int)(nl - msg), msg);
3197 smtp_printf("%.3s-%.*s%.*s\r\n", TRUE, code, esclen, esc, (int)(nl - msg), msg);
3199 Uskip_whitespace(&msg);
3207 /*************************************************
3208 * Parse user SMTP message *
3209 *************************************************/
3211 /* This function allows for user messages overriding the response code details
3212 by providing a suitable response code string at the start of the message
3213 user_msg. Check the message for starting with a response code and optionally an
3214 extended status code. If found, check that the first digit is valid, and if so,
3215 change the code pointer and length to use the replacement. An invalid code
3216 causes a panic log; in this case, if the log messages is the same as the user
3217 message, we must also adjust the value of the log message to show the code that
3218 is actually going to be used (the original one).
3220 This function is global because it is called from receive.c as well as within
3223 Note that the code length returned includes the terminating whitespace
3224 character, which is always included in the regex match.
3227 code SMTP code, may involve extended status codes
3228 codelen length of smtp code; if > 4 there's an ESC
3230 log_msg optional log message, to be adjusted with the new SMTP code
3231 check_valid if true, verify the response code
3237 smtp_message_code(uschar **code, int *codelen, uschar **msg, uschar **log_msg,
3243 if (!msg || !*msg) return;
3245 if ((n = pcre_exec(regex_smtp_code, NULL, CS *msg, Ustrlen(*msg), 0,
3246 PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int))) < 0) return;
3248 if (check_valid && (*msg)[0] != (*code)[0])
3250 log_write(0, LOG_MAIN|LOG_PANIC, "configured error code starts with "
3251 "incorrect digit (expected %c) in \"%s\"", (*code)[0], *msg);
3252 if (log_msg != NULL && *log_msg == *msg)
3253 *log_msg = string_sprintf("%s %s", *code, *log_msg + ovector[1]);
3258 *codelen = ovector[1]; /* Includes final space */
3260 *msg += ovector[1]; /* Chop the code off the message */
3267 /*************************************************
3268 * Handle an ACL failure *
3269 *************************************************/
3271 /* This function is called when acl_check() fails. As well as calls from within
3272 this module, it is called from receive.c for an ACL after DATA. It sorts out
3273 logging the incident, and sends the error response. A message containing
3274 newlines is turned into a multiline SMTP response, but for logging, only the
3277 There's a table of default permanent failure response codes to use in
3278 globals.c, along with the table of names. VFRY is special. Despite RFC1123 it
3279 defaults disabled in Exim. However, discussion in connection with RFC 821bis
3280 (aka RFC 2821) has concluded that the response should be 252 in the disabled
3281 state, because there are broken clients that try VRFY before RCPT. A 5xx
3282 response should be given only when the address is positively known to be
3283 undeliverable. Sigh. We return 252 if there is no VRFY ACL or it provides
3284 no explicit code, but if there is one we let it know best.
3285 Also, for ETRN, 458 is given on refusal, and for AUTH, 503.
3287 From Exim 4.63, it is possible to override the response code details by
3288 providing a suitable response code string at the start of the message provided
3289 in user_msg. The code's first digit is checked for validity.
3292 where where the ACL was called from
3294 user_msg a message that can be included in an SMTP response
3295 log_msg a message for logging
3297 Returns: 0 in most cases
3298 2 if the failure code was FAIL_DROP, in which case the
3299 SMTP connection should be dropped (this value fits with the
3300 "done" variable in smtp_setup_msg() below)
3304 smtp_handle_acl_fail(int where, int rc, uschar *user_msg, uschar *log_msg)
3306 BOOL drop = rc == FAIL_DROP;
3310 uschar *sender_info = US"";
3312 #ifdef WITH_CONTENT_SCAN
3313 where == ACL_WHERE_MIME ? US"during MIME ACL checks" :
3315 where == ACL_WHERE_PREDATA ? US"DATA" :
3316 where == ACL_WHERE_DATA ? US"after DATA" :
3317 #ifndef DISABLE_PRDR
3318 where == ACL_WHERE_PRDR ? US"after DATA PRDR" :
3321 string_sprintf("%s %s", acl_wherenames[where], smtp_cmd_data) :
3322 string_sprintf("%s in \"connect\" ACL", acl_wherenames[where]);
3324 if (drop) rc = FAIL;
3326 /* Set the default SMTP code, and allow a user message to change it. */
3328 smtp_code = rc == FAIL ? acl_wherecodes[where] : US"451";
3329 smtp_message_code(&smtp_code, &codelen, &user_msg, &log_msg,
3330 where != ACL_WHERE_VRFY);
3332 /* We used to have sender_address here; however, there was a bug that was not
3333 updating sender_address after a rewrite during a verify. When this bug was
3334 fixed, sender_address at this point became the rewritten address. I'm not sure
3335 this is what should be logged, so I've changed to logging the unrewritten
3336 address to retain backward compatibility. */
3338 #ifndef WITH_CONTENT_SCAN
3339 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
3341 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
3344 sender_info = string_sprintf("F=<%s>%s%s%s%s ",
3345 sender_address_unrewritten ? sender_address_unrewritten : sender_address,
3346 sender_host_authenticated ? US" A=" : US"",
3347 sender_host_authenticated ? sender_host_authenticated : US"",
3348 sender_host_authenticated && authenticated_id ? US":" : US"",
3349 sender_host_authenticated && authenticated_id ? authenticated_id : US""
3353 /* If there's been a sender verification failure with a specific message, and
3354 we have not sent a response about it yet, do so now, as a preliminary line for
3355 failures, but not defers. However, always log it for defer, and log it for fail
3356 unless the sender_verify_fail log selector has been turned off. */
3358 if (sender_verified_failed &&
3359 !testflag(sender_verified_failed, af_sverify_told))
3361 BOOL save_rcpt_in_progress = fl.rcpt_in_progress;
3362 fl.rcpt_in_progress = FALSE; /* So as not to treat these as the error */
3364 setflag(sender_verified_failed, af_sverify_told);
3366 if (rc != FAIL || LOGGING(sender_verify_fail))
3367 log_write(0, LOG_MAIN|LOG_REJECT, "%s sender verify %s for <%s>%s",
3368 host_and_ident(TRUE),
3369 ((sender_verified_failed->special_action & 255) == DEFER)? "defer":"fail",
3370 sender_verified_failed->address,
3371 (sender_verified_failed->message == NULL)? US"" :
3372 string_sprintf(": %s", sender_verified_failed->message));
3374 if (rc == FAIL && sender_verified_failed->user_message)
3375 smtp_respond(smtp_code, codelen, FALSE, string_sprintf(
3376 testflag(sender_verified_failed, af_verify_pmfail)?
3377 "Postmaster verification failed while checking <%s>\n%s\n"
3378 "Several RFCs state that you are required to have a postmaster\n"
3379 "mailbox for each mail domain. This host does not accept mail\n"
3380 "from domains whose servers reject the postmaster address."
3382 testflag(sender_verified_failed, af_verify_nsfail)?
3383 "Callback setup failed while verifying <%s>\n%s\n"
3384 "The initial connection, or a HELO or MAIL FROM:<> command was\n"
3385 "rejected. Refusing MAIL FROM:<> does not help fight spam, disregards\n"
3386 "RFC requirements, and stops you from receiving standard bounce\n"
3387 "messages. This host does not accept mail from domains whose servers\n"
3390 "Verification failed for <%s>\n%s",
3391 sender_verified_failed->address,
3392 sender_verified_failed->user_message));
3394 fl.rcpt_in_progress = save_rcpt_in_progress;
3397 /* Sort out text for logging */
3399 log_msg = log_msg ? string_sprintf(": %s", log_msg) : US"";
3400 if ((lognl = Ustrchr(log_msg, '\n'))) *lognl = 0;
3402 /* Send permanent failure response to the command, but the code used isn't
3403 always a 5xx one - see comments at the start of this function. If the original
3404 rc was FAIL_DROP we drop the connection and yield 2. */
3407 smtp_respond(smtp_code, codelen, TRUE,
3408 user_msg ? user_msg : US"Administrative prohibition");
3410 /* Send temporary failure response to the command. Don't give any details,
3411 unless acl_temp_details is set. This is TRUE for a callout defer, a "defer"
3412 verb, and for a header verify when smtp_return_error_details is set.
3414 This conditional logic is all somewhat of a mess because of the odd
3415 interactions between temp_details and return_error_details. One day it should
3416 be re-implemented in a tidier fashion. */
3419 if (f.acl_temp_details && user_msg)
3421 if ( smtp_return_error_details
3422 && sender_verified_failed
3423 && sender_verified_failed->message
3425 smtp_respond(smtp_code, codelen, FALSE, sender_verified_failed->message);
3427 smtp_respond(smtp_code, codelen, TRUE, user_msg);
3430 smtp_respond(smtp_code, codelen, TRUE,
3431 US"Temporary local problem - please try later");
3433 /* Log the incident to the logs that are specified by log_reject_target
3434 (default main, reject). This can be empty to suppress logging of rejections. If
3435 the connection is not forcibly to be dropped, return 0. Otherwise, log why it
3436 is closing if required and return 2. */
3438 if (log_reject_target != 0)
3441 gstring * g = s_tlslog(NULL);
3442 uschar * tls = string_from_gstring(g);
3443 if (!tls) tls = US"";
3445 uschar * tls = US"";
3447 log_write(where == ACL_WHERE_CONNECT ? L_connection_reject : 0,
3448 log_reject_target, "%s%s%s %s%srejected %s%s",
3449 LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
3450 host_and_ident(TRUE),
3453 rc == FAIL ? US"" : US"temporarily ",
3457 if (!drop) return 0;
3459 log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
3460 smtp_get_connection_info());
3462 /* Run the not-quit ACL, but without any custom messages. This should not be a
3463 problem, because we get here only if some other ACL has issued "drop", and
3464 in that case, *its* custom messages will have been used above. */
3466 smtp_notquit_exit(US"acl-drop", NULL, NULL);
3473 /*************************************************
3474 * Handle SMTP exit when QUIT is not given *
3475 *************************************************/
3477 /* This function provides a logging/statistics hook for when an SMTP connection
3478 is dropped on the floor or the other end goes away. It's a global function
3479 because it's called from receive.c as well as this module. As well as running
3480 the NOTQUIT ACL, if there is one, this function also outputs a final SMTP
3481 response, either with a custom message from the ACL, or using a default. There
3482 is one case, however, when no message is output - after "drop". In that case,
3483 the ACL that obeyed "drop" has already supplied the custom message, and NULL is
3484 passed to this function.
3486 In case things go wrong while processing this function, causing an error that
3487 may re-enter this function, there is a recursion check.
3490 reason What $smtp_notquit_reason will be set to in the ACL;
3491 if NULL, the ACL is not run
3492 code The error code to return as part of the response
3493 defaultrespond The default message if there's no user_msg
3499 smtp_notquit_exit(uschar *reason, uschar *code, uschar *defaultrespond, ...)
3502 uschar *user_msg = NULL;
3503 uschar *log_msg = NULL;
3505 /* Check for recursive call */
3507 if (fl.smtp_exit_function_called)
3509 log_write(0, LOG_PANIC, "smtp_notquit_exit() called more than once (%s)",
3513 fl.smtp_exit_function_called = TRUE;
3515 /* Call the not-QUIT ACL, if there is one, unless no reason is given. */
3517 if (acl_smtp_notquit && reason)
3519 smtp_notquit_reason = reason;
3520 if ((rc = acl_check(ACL_WHERE_NOTQUIT, NULL, acl_smtp_notquit, &user_msg,
3521 &log_msg)) == ERROR)
3522 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for not-QUIT returned ERROR: %s",
3526 /* If the connection was dropped, we certainly are no longer talking TLS */
3527 tls_in.active.sock = -1;
3529 /* Write an SMTP response if we are expected to give one. As the default
3530 responses are all internal, they should be reasonable size. */
3532 if (code && defaultrespond)
3535 smtp_respond(code, 3, TRUE, user_msg);
3541 va_start(ap, defaultrespond);
3542 g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, CS defaultrespond, ap);
3544 smtp_printf("%s %s\r\n", FALSE, code, string_from_gstring(g));
3553 /*************************************************
3554 * Verify HELO argument *
3555 *************************************************/
3557 /* This function is called if helo_verify_hosts or helo_try_verify_hosts is
3558 matched. It is also called from ACL processing if verify = helo is used and
3559 verification was not previously tried (i.e. helo_try_verify_hosts was not
3560 matched). The result of its processing is to set helo_verified and
3561 helo_verify_failed. These variables should both be FALSE for this function to
3564 Note that EHLO/HELO is legitimately allowed to quote an address literal. Allow
3565 for IPv6 ::ffff: literals.
3568 Returns: TRUE if testing was completed;
3569 FALSE on a temporary failure
3573 smtp_verify_helo(void)
3577 HDEBUG(D_receive) debug_printf("verifying EHLO/HELO argument \"%s\"\n",
3580 if (sender_helo_name == NULL)
3582 HDEBUG(D_receive) debug_printf("no EHLO/HELO command was issued\n");
3585 /* Deal with the case of -bs without an IP address */
3587 else if (sender_host_address == NULL)
3589 HDEBUG(D_receive) debug_printf("no client IP address: assume success\n");
3590 f.helo_verified = TRUE;
3593 /* Deal with the more common case when there is a sending IP address */
3595 else if (sender_helo_name[0] == '[')
3597 f.helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
3598 Ustrlen(sender_host_address)) == 0;
3601 if (!f.helo_verified)
3603 if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
3604 f.helo_verified = Ustrncmp(sender_helo_name + 1,
3605 sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
3610 { if (f.helo_verified) debug_printf("matched host address\n"); }
3613 /* Do a reverse lookup if one hasn't already given a positive or negative
3614 response. If that fails, or the name doesn't match, try checking with a forward
3619 if (sender_host_name == NULL && !host_lookup_failed)
3620 yield = host_name_lookup() != DEFER;
3622 /* If a host name is known, check it and all its aliases. */
3624 if (sender_host_name)
3625 if ((f.helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0))
3627 sender_helo_dnssec = sender_host_dnssec;
3628 HDEBUG(D_receive) debug_printf("matched host name\n");
3632 uschar **aliases = sender_host_aliases;
3634 if ((f.helo_verified = strcmpic(*aliases++, sender_helo_name) == 0))
3636 sender_helo_dnssec = sender_host_dnssec;
3640 HDEBUG(D_receive) if (f.helo_verified)
3641 debug_printf("matched alias %s\n", *(--aliases));
3644 /* Final attempt: try a forward lookup of the helo name */
3646 if (!f.helo_verified)
3650 {.name = sender_helo_name, .address = NULL, .mx = MX_NONE, .next = NULL};
3652 {.request = US"*", .require = US""};
3654 HDEBUG(D_receive) debug_printf("getting IP address for %s\n",
3656 rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A | HOST_FIND_BY_AAAA,
3657 NULL, NULL, NULL, &d, NULL, NULL);
3658 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
3659 for (host_item * hh = &h; hh; hh = hh->next)
3660 if (Ustrcmp(hh->address, sender_host_address) == 0)
3662 f.helo_verified = TRUE;
3663 if (h.dnssec == DS_YES) sender_helo_dnssec = TRUE;
3665 debug_printf("IP address for %s matches calling address\n"
3666 "Forward DNS security status: %sverified\n",
3667 sender_helo_name, sender_helo_dnssec ? "" : "un");
3673 if (!f.helo_verified) f.helo_verify_failed = TRUE; /* We've tried ... */
3680 /*************************************************
3681 * Send user response message *
3682 *************************************************/
3684 /* This function is passed a default response code and a user message. It calls
3685 smtp_message_code() to check and possibly modify the response code, and then
3686 calls smtp_respond() to transmit the response. I put this into a function
3687 just to avoid a lot of repetition.
3690 code the response code
3691 user_msg the user message
3697 smtp_user_msg(uschar *code, uschar *user_msg)
3700 smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
3701 smtp_respond(code, len, TRUE, user_msg);
3707 smtp_in_auth(auth_instance *au, uschar ** s, uschar ** ss)
3709 const uschar *set_id = NULL;
3712 /* Run the checking code, passing the remainder of the command line as
3713 data. Initials the $auth<n> variables as empty. Initialize $0 empty and set
3714 it as the only set numerical variable. The authenticator may set $auth<n>
3715 and also set other numeric variables. The $auth<n> variables are preferred
3716 nowadays; the numerical variables remain for backwards compatibility.
3718 Afterwards, have a go at expanding the set_id string, even if
3719 authentication failed - for bad passwords it can be useful to log the
3720 userid. On success, require set_id to expand and exist, and put it in
3721 authenticated_id. Save this in permanent store, as the working store gets
3722 reset at HELO, RSET, etc. */
3724 for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
3726 expand_nlength[0] = 0; /* $0 contains nothing */
3728 rc = (au->info->servercode)(au, smtp_cmd_data);
3729 if (au->set_id) set_id = expand_string(au->set_id);
3730 expand_nmax = -1; /* Reset numeric variables */
3731 for (int i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL; /* Reset $auth<n> */
3733 /* The value of authenticated_id is stored in the spool file and printed in
3734 log lines. It must not contain binary zeros or newline characters. In
3735 normal use, it never will, but when playing around or testing, this error
3736 can (did) happen. To guard against this, ensure that the id contains only
3737 printing characters. */
3739 if (set_id) set_id = string_printing(set_id);
3741 /* For the non-OK cases, set up additional logging data if set_id
3745 set_id = set_id && *set_id
3746 ? string_sprintf(" (set_id=%s)", set_id) : US"";
3748 /* Switch on the result */
3753 if (!au->set_id || set_id) /* Complete success */
3755 if (set_id) authenticated_id = string_copy_perm(set_id, TRUE);
3756 sender_host_authenticated = au->name;
3757 sender_host_auth_pubname = au->public_name;
3758 authentication_failed = FALSE;
3759 authenticated_fail_id = NULL; /* Impossible to already be set? */
3762 (sender_host_address ? protocols : protocols_local)
3763 [pextend + pauthed + (tls_in.active.sock >= 0 ? pcrpted:0)];
3764 *s = *ss = US"235 Authentication succeeded";
3765 authenticated_by = au;
3769 /* Authentication succeeded, but we failed to expand the set_id string.
3770 Treat this as a temporary error. */
3772 auth_defer_msg = expand_string_message;
3776 if (set_id) authenticated_fail_id = string_copy_perm(set_id, TRUE);
3777 *s = string_sprintf("435 Unable to authenticate at present%s",
3778 auth_defer_user_msg);
3779 *ss = string_sprintf("435 Unable to authenticate at present%s: %s",
3780 set_id, auth_defer_msg);
3784 *s = *ss = US"501 Invalid base64 data";
3788 *s = *ss = US"501 Authentication cancelled";
3792 *s = *ss = US"553 Initial data not expected";
3796 if (set_id) authenticated_fail_id = string_copy_perm(set_id, TRUE);
3797 *s = US"535 Incorrect authentication data";
3798 *ss = string_sprintf("535 Incorrect authentication data%s", set_id);
3802 if (set_id) authenticated_fail_id = string_copy_perm(set_id, TRUE);
3803 *s = US"435 Internal error";
3804 *ss = string_sprintf("435 Internal error%s: return %d from authentication "
3805 "check", set_id, rc);
3817 qualify_recipient(uschar ** recipient, uschar * smtp_cmd_data, uschar * tag)
3820 if (f.allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0)
3822 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
3824 rd = Ustrlen(recipient) + 1;
3825 *recipient = rewrite_address_qualify(*recipient, TRUE);
3828 smtp_printf("501 %s: recipient address must contain a domain\r\n", FALSE,
3830 log_write(L_smtp_syntax_error,
3831 LOG_MAIN|LOG_REJECT, "unqualified %s rejected: <%s> %s%s",
3832 tag, *recipient, host_and_ident(TRUE), host_lookup_msg);
3840 smtp_quit_handler(uschar ** user_msgp, uschar ** log_msgp)
3843 incomplete_transaction_log(US"QUIT");
3846 int rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, user_msgp, log_msgp);
3848 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
3853 (void) setsockopt(fileno(smtp_out), IPPROTO_TCP, TCP_CORK, US &on, sizeof(on));
3857 smtp_respond(US"221", 3, TRUE, *user_msgp);
3859 smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
3862 tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
3865 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
3866 smtp_get_connection_info());
3871 smtp_rset_handler(void)
3874 incomplete_transaction_log(US"RSET");
3875 smtp_printf("250 Reset OK\r\n", FALSE);
3876 cmd_list[CMD_LIST_RSET].is_mail_cmd = FALSE;
3881 /*************************************************
3882 * Initialize for SMTP incoming message *
3883 *************************************************/
3885 /* This function conducts the initial dialogue at the start of an incoming SMTP
3886 message, and builds a list of recipients. However, if the incoming message
3887 is part of a batch (-bS option) a separate function is called since it would
3888 be messy having tests splattered about all over this function. This function
3889 therefore handles the case where interaction is occurring. The input and output
3890 files are set up in smtp_in and smtp_out.
3892 The global recipients_list is set to point to a vector of recipient_item
3893 blocks, whose number is given by recipients_count. This is extended by the
3894 receive_add_recipient() function. The global variable sender_address is set to
3895 the sender's address. The yield is +1 if a message has been successfully
3896 started, 0 if a QUIT command was encountered or the connection was refused from
3897 the particular host, or -1 if the connection was lost.
3901 Returns: > 0 message successfully started (reached DATA)
3902 = 0 QUIT read or end of file reached or call refused
3907 smtp_setup_msg(void)
3910 BOOL toomany = FALSE;
3911 BOOL discarded = FALSE;
3912 BOOL last_was_rej_mail = FALSE;
3913 BOOL last_was_rcpt = FALSE;
3914 rmark reset_point = store_mark();
3916 DEBUG(D_receive) debug_printf("smtp_setup_msg entered\n");
3918 /* Reset for start of new message. We allow one RSET not to be counted as a
3919 nonmail command, for those MTAs that insist on sending it between every
3920 message. Ditto for EHLO/HELO and for STARTTLS, to allow for going in and out of
3921 TLS between messages (an Exim client may do this if it has messages queued up
3922 for the host). Note: we do NOT reset AUTH at this point. */
3924 reset_point = smtp_reset(reset_point);
3925 message_ended = END_NOTSTARTED;
3927 chunking_state = f.chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
3929 cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
3930 cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
3931 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
3933 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
3936 /* Set the local signal handler for SIGTERM - it tries to end off tidily */
3938 had_command_sigterm = 0;
3939 os_non_restarting_signal(SIGTERM, command_sigterm_handler);
3941 /* Batched SMTP is handled in a different function. */
3943 if (smtp_batched_input) return smtp_setup_batch_msg();
3945 /* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
3946 value. The values are 2 larger than the required yield of the function. */
3950 const uschar **argv;
3951 uschar *etrn_command;
3952 uschar *etrn_serialize_key;
3954 uschar *log_msg, *smtp_code;
3955 uschar *user_msg = NULL;
3956 uschar *recipient = NULL;
3957 uschar *hello = NULL;
3959 BOOL was_rej_mail = FALSE;
3960 BOOL was_rcpt = FALSE;
3961 void (*oldsignal)(int);
3963 int start, end, sender_domain, recipient_domain;
3966 uschar *orcpt = NULL;
3971 /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */
3972 if ( tls_in.active.sock >= 0
3974 && tls_in.certificate_verified
3975 && cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd
3978 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = FALSE;
3980 for (auth_instance * au = auths; au; au = au->next)
3981 if (strcmpic(US"tls", au->driver_name) == 0)
3984 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3985 &user_msg, &log_msg)) != OK
3987 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3990 smtp_cmd_data = NULL;
3992 if (smtp_in_auth(au, &s, &ss) == OK)
3993 { DEBUG(D_auth) debug_printf("tls auth succeeded\n"); }
3995 { DEBUG(D_auth) debug_printf("tls auth not succeeded\n"); }
4003 if (smtp_in) /* Avoid pure-ACKs while in cmd pingpong phase */
4004 (void) setsockopt(fileno(smtp_in), IPPROTO_TCP, TCP_QUICKACK,
4005 US &off, sizeof(off));
4008 switch(smtp_read_command(
4009 #ifndef DISABLE_PIPE_CONNECT
4010 !fl.pipe_connect_acceptable,
4014 GETC_BUFFER_UNLIMITED))
4016 /* The AUTH command is not permitted to occur inside a transaction, and may
4017 occur successfully only once per connection. Actually, that isn't quite
4018 true. When TLS is started, all previous information about a connection must
4019 be discarded, so a new AUTH is permitted at that time.
4021 AUTH may only be used when it has been advertised. However, it seems that
4022 there are clients that send AUTH when it hasn't been advertised, some of
4023 them even doing this after HELO. And there are MTAs that accept this. Sigh.
4024 So there's a get-out that allows this to happen.
4026 AUTH is initially labelled as a "nonmail command" so that one occurrence
4027 doesn't get counted. We change the label here so that multiple failing
4028 AUTHS will eventually hit the nonmail threshold. */
4032 authentication_failed = TRUE;
4033 cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
4035 if (!fl.auth_advertised && !f.allow_auth_unadvertised)
4037 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4038 US"AUTH command used when not advertised");
4041 if (sender_host_authenticated)
4043 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4044 US"already authenticated");
4049 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4050 US"not permitted in mail transaction");
4057 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
4058 &user_msg, &log_msg)) != OK
4061 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
4065 /* Find the name of the requested authentication mechanism. */
4068 while ((c = *smtp_cmd_data) != 0 && !isspace(c))
4070 if (!isalnum(c) && c != '-' && c != '_')
4072 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4073 US"invalid character in authentication mechanism name");
4079 /* If not at the end of the line, we must be at white space. Terminate the
4080 name and move the pointer on to any data that may be present. */
4082 if (*smtp_cmd_data != 0)
4084 *smtp_cmd_data++ = 0;
4085 while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
4088 /* Search for an authentication mechanism which is configured for use
4089 as a server and which has been advertised (unless, sigh, allow_auth_
4090 unadvertised is set). */
4094 for (au = auths; au; au = au->next)
4095 if (strcmpic(s, au->public_name) == 0 && au->server &&
4096 (au->advertised || f.allow_auth_unadvertised))
4101 c = smtp_in_auth(au, &s, &ss);
4103 smtp_printf("%s\r\n", FALSE, s);
4105 log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
4106 au->name, host_and_ident(FALSE), ss);
4109 done = synprot_error(L_smtp_protocol_error, 504, NULL,
4110 string_sprintf("%s authentication mechanism not supported", s));
4113 break; /* AUTH_CMD */
4115 /* The HELO/EHLO commands are permitted to appear in the middle of a
4116 session as well as at the beginning. They have the effect of a reset in
4117 addition to their other functions. Their absence at the start cannot be
4118 taken to be an error.
4122 If the EHLO command is not acceptable to the SMTP server, 501, 500,
4123 or 502 failure replies MUST be returned as appropriate. The SMTP
4124 server MUST stay in the same state after transmitting these replies
4125 that it was in before the EHLO was received.
4127 Therefore, we do not do the reset until after checking the command for
4128 acceptability. This change was made for Exim release 4.11. Previously
4129 it did the reset first. */
4142 HELO_EHLO: /* Common code for HELO and EHLO */
4143 cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
4144 cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
4146 /* Reject the HELO if its argument was invalid or non-existent. A
4147 successful check causes the argument to be saved in malloc store. */
4149 if (!check_helo(smtp_cmd_data))
4151 smtp_printf("501 Syntactically invalid %s argument(s)\r\n", FALSE, hello);
4153 log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
4154 "invalid argument(s): %s", hello, host_and_ident(FALSE),
4155 *smtp_cmd_argument == 0 ? US"(no argument given)" :
4156 string_printing(smtp_cmd_argument));
4158 if (++synprot_error_count > smtp_max_synprot_errors)
4160 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
4161 "syntax or protocol errors (last command was \"%s\")",
4162 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
4169 /* If sender_host_unknown is true, we have got here via the -bs interface,
4170 not called from inetd. Otherwise, we are running an IP connection and the
4171 host address will be set. If the helo name is the primary name of this
4172 host and we haven't done a reverse lookup, force one now. If helo_required
4173 is set, ensure that the HELO name matches the actual host. If helo_verify
4174 is set, do the same check, but softly. */
4176 if (!f.sender_host_unknown)
4178 BOOL old_helo_verified = f.helo_verified;
4179 uschar *p = smtp_cmd_data;
4181 while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
4184 /* Force a reverse lookup if HELO quoted something in helo_lookup_domains
4185 because otherwise the log can be confusing. */
4187 if ( !sender_host_name
4188 && match_isinlist(sender_helo_name, CUSS &helo_lookup_domains, 0,
4189 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
4190 (void)host_name_lookup();
4192 /* Rebuild the fullhost info to include the HELO name (and the real name
4193 if it was looked up.) */
4195 host_build_sender_fullhost(); /* Rebuild */
4196 set_process_info("handling%s incoming connection from %s",
4197 tls_in.active.sock >= 0 ? " TLS" : "", host_and_ident(FALSE));
4199 /* Verify if configured. This doesn't give much security, but it does
4200 make some people happy to be able to do it. If helo_required is set,
4201 (host matches helo_verify_hosts) failure forces rejection. If helo_verify
4202 is set (host matches helo_try_verify_hosts), it does not. This is perhaps
4203 now obsolescent, since the verification can now be requested selectively
4206 f.helo_verified = f.helo_verify_failed = sender_helo_dnssec = FALSE;
4207 if (fl.helo_required || fl.helo_verify)
4209 BOOL tempfail = !smtp_verify_helo();
4210 if (!f.helo_verified)
4212 if (fl.helo_required)
4214 smtp_printf("%d %s argument does not match calling host\r\n", FALSE,
4215 tempfail? 451 : 550, hello);
4216 log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
4217 tempfail? "temporarily " : "",
4218 hello, sender_helo_name, host_and_ident(FALSE));
4219 f.helo_verified = old_helo_verified;
4220 break; /* End of HELO/EHLO processing */
4222 HDEBUG(D_all) debug_printf("%s verification failed but host is in "
4223 "helo_try_verify_hosts\n", hello);
4229 /* set up SPF context */
4230 spf_conn_init(sender_helo_name, sender_host_address);
4233 /* Apply an ACL check if one is defined; afterwards, recheck
4234 synchronization in case the client started sending in a delay. */
4237 if ((rc = acl_check(ACL_WHERE_HELO, NULL, acl_smtp_helo,
4238 &user_msg, &log_msg)) != OK)
4240 done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
4241 sender_helo_name = NULL;
4242 host_build_sender_fullhost(); /* Rebuild */
4245 #ifndef DISABLE_PIPE_CONNECT
4246 else if (!fl.pipe_connect_acceptable && !check_sync())
4248 else if (!check_sync())
4252 /* Generate an OK reply. The default string includes the ident if present,
4253 and also the IP address if present. Reflecting back the ident is intended
4254 as a deterrent to mail forgers. For maximum efficiency, and also because
4255 some broken systems expect each response to be in a single packet, arrange
4256 that the entire reply is sent in one write(). */
4258 fl.auth_advertised = FALSE;
4259 f.smtp_in_pipelining_advertised = FALSE;
4261 fl.tls_advertised = FALSE;
4263 fl.dsn_advertised = FALSE;
4265 fl.smtputf8_advertised = FALSE;
4268 smtp_code = US"250 "; /* Default response code plus space*/
4271 /* sender_host_name below will be tainted, so save on copy when we hit it */
4272 g = string_get_tainted(24, TRUE);
4273 g = string_fmt_append(g, "%.3s %s Hello %s%s%s",
4275 smtp_active_hostname,
4276 sender_ident ? sender_ident : US"",
4277 sender_ident ? US" at " : US"",
4278 sender_host_name ? sender_host_name : sender_helo_name);
4280 if (sender_host_address)
4281 g = string_fmt_append(g, " [%s]", sender_host_address);
4284 /* A user-supplied EHLO greeting may not contain more than one line. Note
4285 that the code returned by smtp_message_code() includes the terminating
4286 whitespace character. */
4292 smtp_message_code(&smtp_code, &codelen, &user_msg, NULL, TRUE);
4293 s = string_sprintf("%.*s%s", codelen, smtp_code, user_msg);
4294 if ((ss = strpbrk(CS s, "\r\n")) != NULL)
4296 log_write(0, LOG_MAIN|LOG_PANIC, "EHLO/HELO response must not contain "
4297 "newlines: message truncated: %s", string_printing(s));
4300 g = string_cat(NULL, s);
4303 g = string_catn(g, US"\r\n", 2);
4305 /* If we received EHLO, we must create a multiline response which includes
4306 the functions supported. */
4312 /* I'm not entirely happy with this, as an MTA is supposed to check
4313 that it has enough room to accept a message of maximum size before
4314 it sends this. However, there seems little point in not sending it.
4315 The actual size check happens later at MAIL FROM time. By postponing it
4316 till then, VRFY and EXPN can be used after EHLO when space is short. */
4318 if (thismessage_size_limit > 0)
4319 g = string_fmt_append(g, "%.3s-SIZE %d\r\n", smtp_code,
4320 thismessage_size_limit);
4323 g = string_catn(g, smtp_code, 3);
4324 g = string_catn(g, US"-SIZE\r\n", 7);
4327 /* Exim does not do protocol conversion or data conversion. It is 8-bit
4328 clean; if it has an 8-bit character in its hand, it just sends it. It
4329 cannot therefore specify 8BITMIME and remain consistent with the RFCs.
4330 However, some users want this option simply in order to stop MUAs
4331 mangling messages that contain top-bit-set characters. It is therefore
4332 provided as an option. */
4334 if (accept_8bitmime)
4336 g = string_catn(g, smtp_code, 3);
4337 g = string_catn(g, US"-8BITMIME\r\n", 11);
4340 /* Advertise DSN support if configured to do so. */
4341 if (verify_check_host(&dsn_advertise_hosts) != FAIL)
4343 g = string_catn(g, smtp_code, 3);
4344 g = string_catn(g, US"-DSN\r\n", 6);
4345 fl.dsn_advertised = TRUE;
4348 /* Advertise ETRN/VRFY/EXPN if there's are ACL checking whether a host is
4349 permitted to issue them; a check is made when any host actually tries. */
4353 g = string_catn(g, smtp_code, 3);
4354 g = string_catn(g, US"-ETRN\r\n", 7);
4358 g = string_catn(g, smtp_code, 3);
4359 g = string_catn(g, US"-VRFY\r\n", 7);
4363 g = string_catn(g, smtp_code, 3);
4364 g = string_catn(g, US"-EXPN\r\n", 7);
4367 /* Exim is quite happy with pipelining, so let the other end know that
4368 it is safe to use it, unless advertising is disabled. */
4370 if ( f.pipelining_enable
4371 && verify_check_host(&pipelining_advertise_hosts) == OK)
4373 g = string_catn(g, smtp_code, 3);
4374 g = string_catn(g, US"-PIPELINING\r\n", 13);
4375 sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
4376 f.smtp_in_pipelining_advertised = TRUE;
4378 #ifndef DISABLE_PIPE_CONNECT
4379 if (fl.pipe_connect_acceptable)
4381 f.smtp_in_early_pipe_advertised = TRUE;
4382 g = string_catn(g, smtp_code, 3);
4383 g = string_catn(g, US"-" EARLY_PIPE_FEATURE_NAME "\r\n", EARLY_PIPE_FEATURE_LEN+3);
4389 /* If any server authentication mechanisms are configured, advertise
4390 them if the current host is in auth_advertise_hosts. The problem with
4391 advertising always is that some clients then require users to
4392 authenticate (and aren't configurable otherwise) even though it may not
4393 be necessary (e.g. if the host is in host_accept_relay).
4395 RFC 2222 states that SASL mechanism names contain only upper case
4396 letters, so output the names in upper case, though we actually recognize
4397 them in either case in the AUTH command. */
4401 && !sender_host_authenticated
4403 && verify_check_host(&auth_advertise_hosts) == OK
4407 for (auth_instance * au = auths; au; au = au->next)
4409 au->advertised = FALSE;
4412 DEBUG(D_auth+D_expand) debug_printf_indent(
4413 "Evaluating advertise_condition for %s %s athenticator\n",
4414 au->name, au->public_name);
4415 if ( !au->advertise_condition
4416 || expand_check_condition(au->advertise_condition, au->name,
4423 g = string_catn(g, smtp_code, 3);
4424 g = string_catn(g, US"-AUTH", 5);
4426 fl.auth_advertised = TRUE;
4429 g = string_catn(g, US" ", 1);
4430 g = string_cat (g, au->public_name);
4431 while (++saveptr < g->ptr) g->s[saveptr] = toupper(g->s[saveptr]);
4432 au->advertised = TRUE;
4437 if (!first) g = string_catn(g, US"\r\n", 2);
4440 /* RFC 3030 CHUNKING */
4442 if (verify_check_host(&chunking_advertise_hosts) != FAIL)
4444 g = string_catn(g, smtp_code, 3);
4445 g = string_catn(g, US"-CHUNKING\r\n", 11);
4446 f.chunking_offered = TRUE;
4447 chunking_state = CHUNKING_OFFERED;
4450 /* Advertise TLS (Transport Level Security) aka SSL (Secure Socket Layer)
4451 if it has been included in the binary, and the host matches
4452 tls_advertise_hosts. We must *not* advertise if we are already in a
4453 secure connection. */
4456 if (tls_in.active.sock < 0 &&
4457 verify_check_host(&tls_advertise_hosts) != FAIL)
4459 g = string_catn(g, smtp_code, 3);
4460 g = string_catn(g, US"-STARTTLS\r\n", 11);
4461 fl.tls_advertised = TRUE;
4465 #ifndef DISABLE_PRDR
4466 /* Per Recipient Data Response, draft by Eric A. Hall extending RFC */
4469 g = string_catn(g, smtp_code, 3);
4470 g = string_catn(g, US"-PRDR\r\n", 7);
4475 if ( accept_8bitmime
4476 && verify_check_host(&smtputf8_advertise_hosts) != FAIL)
4478 g = string_catn(g, smtp_code, 3);
4479 g = string_catn(g, US"-SMTPUTF8\r\n", 11);
4480 fl.smtputf8_advertised = TRUE;
4484 /* Finish off the multiline reply with one that is always available. */
4486 g = string_catn(g, smtp_code, 3);
4487 g = string_catn(g, US" HELP\r\n", 7);
4490 /* Terminate the string (for debug), write it, and note that HELO/EHLO
4494 if (tls_in.active.sock >= 0)
4495 (void)tls_write(NULL, g->s, g->ptr,
4496 # ifndef DISABLE_PIPE_CONNECT
4497 fl.pipe_connect_acceptable && pipeline_connect_sends());
4505 int i = fwrite(g->s, 1, g->ptr, smtp_out); i = i; /* compiler quietening */
4511 (void) string_from_gstring(g);
4512 while ((cr = Ustrchr(g->s, '\r')) != NULL) /* lose CRs */
4513 memmove(cr, cr + 1, (g->ptr--) - (cr - g->s));
4514 debug_printf("SMTP>> %s", g->s);
4516 fl.helo_seen = TRUE;
4518 /* Reset the protocol and the state, abandoning any previous message. */
4520 (sender_host_address ? protocols : protocols_local)
4522 ? pextend + (sender_host_authenticated ? pauthed : 0)
4524 + (tls_in.active.sock >= 0 ? pcrpted : 0)
4526 cancel_cutthrough_connection(TRUE, US"sent EHLO response");
4527 reset_point = smtp_reset(reset_point);
4529 break; /* HELO/EHLO */
4532 /* The MAIL command requires an address as an operand. All we do
4533 here is to parse it for syntactic correctness. The form "<>" is
4534 a special case which converts into an empty string. The start/end
4535 pointers in the original are not used further for this address, as
4536 it is the canonical extracted address which is all that is kept. */
4540 smtp_mailcmd_count++; /* Count for limit and ratelimit */
4541 was_rej_mail = TRUE; /* Reset if accepted */
4542 env_mail_type_t * mail_args; /* Sanity check & validate args */
4544 if (fl.helo_required && !fl.helo_seen)
4546 smtp_printf("503 HELO or EHLO required\r\n", FALSE);
4547 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL from %s: no "
4548 "HELO/EHLO given", host_and_ident(FALSE));
4554 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4555 US"sender already given");
4559 if (!*smtp_cmd_data)
4561 done = synprot_error(L_smtp_protocol_error, 501, NULL,
4562 US"MAIL must have an address operand");
4566 /* Check to see if the limit for messages per connection would be
4567 exceeded by accepting further messages. */
4569 if (smtp_accept_max_per_connection > 0 &&
4570 smtp_mailcmd_count > smtp_accept_max_per_connection)
4572 smtp_printf("421 too many messages in this connection\r\n", FALSE);
4573 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL command %s: too many "
4574 "messages in one connection", host_and_ident(TRUE));
4578 /* Reset for start of message - even if this is going to fail, we
4579 obviously need to throw away any previous data. */
4581 cancel_cutthrough_connection(TRUE, US"MAIL received");
4582 reset_point = smtp_reset(reset_point);
4584 sender_data = recipient_data = NULL;
4586 /* Loop, checking for ESMTP additions to the MAIL FROM command. */
4588 if (fl.esmtp) for(;;)
4590 uschar *name, *value, *end;
4591 unsigned long int size;
4592 BOOL arg_error = FALSE;
4594 if (!extract_option(&name, &value)) break;
4596 for (mail_args = env_mail_type_list;
4597 mail_args->value != ENV_MAIL_OPT_NULL;
4600 if (strcmpic(name, mail_args->name) == 0)
4602 if (mail_args->need_value && strcmpic(value, US"") == 0)
4605 switch(mail_args->value)
4607 /* Handle SIZE= by reading the value. We don't do the check till later,
4608 in order to be able to log the sender address on failure. */
4609 case ENV_MAIL_OPT_SIZE:
4610 if (((size = Ustrtoul(value, &end, 10)), *end == 0))
4612 if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
4614 message_size = (int)size;
4620 /* If this session was initiated with EHLO and accept_8bitmime is set,
4621 Exim will have indicated that it supports the BODY=8BITMIME option. In
4622 fact, it does not support this according to the RFCs, in that it does not
4623 take any special action for forwarding messages containing 8-bit
4624 characters. That is why accept_8bitmime is not the default setting, but
4625 some sites want the action that is provided. We recognize both "8BITMIME"
4626 and "7BIT" as body types, but take no action. */
4627 case ENV_MAIL_OPT_BODY:
4628 if (accept_8bitmime) {
4629 if (strcmpic(value, US"8BITMIME") == 0)
4631 else if (strcmpic(value, US"7BIT") == 0)
4636 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4637 US"invalid data for BODY");
4640 DEBUG(D_receive) debug_printf("8BITMIME: %d\n", body_8bitmime);
4646 /* Handle the two DSN options, but only if configured to do so (which
4647 will have caused "DSN" to be given in the EHLO response). The code itself
4648 is included only if configured in at build time. */
4650 case ENV_MAIL_OPT_RET:
4651 if (fl.dsn_advertised)
4653 /* Check if RET has already been set */
4656 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4657 US"RET can be specified once only");
4660 dsn_ret = strcmpic(value, US"HDRS") == 0
4662 : strcmpic(value, US"FULL") == 0
4665 DEBUG(D_receive) debug_printf("DSN_RET: %d\n", dsn_ret);
4666 /* Check for invalid invalid value, and exit with error */
4669 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4670 US"Value for RET is invalid");
4675 case ENV_MAIL_OPT_ENVID:
4676 if (fl.dsn_advertised)
4678 /* Check if the dsn envid has been already set */
4681 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4682 US"ENVID can be specified once only");
4685 dsn_envid = string_copy(value);
4686 DEBUG(D_receive) debug_printf("DSN_ENVID: %s\n", dsn_envid);
4690 /* Handle the AUTH extension. If the value given is not "<>" and either
4691 the ACL says "yes" or there is no ACL but the sending host is
4692 authenticated, we set it up as the authenticated sender. However, if the
4693 authenticator set a condition to be tested, we ignore AUTH on MAIL unless
4694 the condition is met. The value of AUTH is an xtext, which means that +,
4695 = and cntrl chars are coded in hex; however "<>" is unaffected by this
4697 case ENV_MAIL_OPT_AUTH:
4698 if (Ustrcmp(value, "<>") != 0)
4703 if (auth_xtextdecode(value, &authenticated_sender) < 0)
4705 /* Put back terminator overrides for error message */
4708 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4709 US"invalid data for AUTH");
4712 if (!acl_smtp_mailauth)
4714 ignore_msg = US"client not authenticated";
4715 rc = sender_host_authenticated ? OK : FAIL;
4719 ignore_msg = US"rejected by ACL";
4720 rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
4721 &user_msg, &log_msg);
4727 if (authenticated_by == NULL ||
4728 authenticated_by->mail_auth_condition == NULL ||
4729 expand_check_condition(authenticated_by->mail_auth_condition,
4730 authenticated_by->name, US"authenticator"))
4731 break; /* Accept the AUTH */
4733 ignore_msg = US"server_mail_auth_condition failed";
4734 if (authenticated_id != NULL)
4735 ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
4736 ignore_msg, authenticated_id);
4741 authenticated_sender = NULL;
4742 log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
4743 value, host_and_ident(TRUE), ignore_msg);
4746 /* Should only get DEFER or ERROR here. Put back terminator
4747 overrides for error message */
4752 (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
4759 #ifndef DISABLE_PRDR
4760 case ENV_MAIL_OPT_PRDR:
4762 prdr_requested = TRUE;
4767 case ENV_MAIL_OPT_UTF8:
4768 if (!fl.smtputf8_advertised)
4770 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4771 US"SMTPUTF8 used when not advertised");
4775 DEBUG(D_receive) debug_printf("smtputf8 requested\n");
4776 message_smtputf8 = allow_utf8_domains = TRUE;
4777 if (Ustrncmp(received_protocol, US"utf8", 4) != 0)
4779 int old_pool = store_pool;
4780 store_pool = POOL_PERM;
4781 received_protocol = string_sprintf("utf8%s", received_protocol);
4782 store_pool = old_pool;
4787 /* No valid option. Stick back the terminator characters and break
4788 the loop. Do the name-terminator second as extract_option sets
4789 value==name when it found no equal-sign.
4790 An error for a malformed address will occur. */
4791 case ENV_MAIL_OPT_NULL:
4799 /* Break out of for loop if switch() had bad argument or
4800 when start of the email address is reached */
4801 if (arg_error) break;
4804 /* If we have passed the threshold for rate limiting, apply the current
4805 delay, and update it for next time, provided this is a limited host. */
4807 if (smtp_mailcmd_count > smtp_rlm_threshold &&
4808 verify_check_host(&smtp_ratelimit_hosts) == OK)
4810 DEBUG(D_receive) debug_printf("rate limit MAIL: delay %.3g sec\n",
4811 smtp_delay_mail/1000.0);
4812 millisleep((int)smtp_delay_mail);
4813 smtp_delay_mail *= smtp_rlm_factor;
4814 if (smtp_delay_mail > (double)smtp_rlm_limit)
4815 smtp_delay_mail = (double)smtp_rlm_limit;
4818 /* Now extract the address, first applying any SMTP-time rewriting. The
4819 TRUE flag allows "<>" as a sender address. */
4821 raw_sender = rewrite_existflags & rewrite_smtp
4822 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
4823 global_rewrite_rules)
4827 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
4832 done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
4836 sender_address = raw_sender;
4838 /* If there is a configured size limit for mail, check that this message
4839 doesn't exceed it. The check is postponed to this point so that the sender
4842 if (thismessage_size_limit > 0 && message_size > thismessage_size_limit)
4844 smtp_printf("552 Message size exceeds maximum permitted\r\n", FALSE);
4845 log_write(L_size_reject,
4846 LOG_MAIN|LOG_REJECT, "rejected MAIL FROM:<%s> %s: "
4847 "message too big: size%s=%d max=%d",
4849 host_and_ident(TRUE),
4850 (message_size == INT_MAX)? ">" : "",
4852 thismessage_size_limit);
4853 sender_address = NULL;
4857 /* Check there is enough space on the disk unless configured not to.
4858 When smtp_check_spool_space is set, the check is for thismessage_size_limit
4859 plus the current message - i.e. we accept the message only if it won't
4860 reduce the space below the threshold. Add 5000 to the size to allow for
4861 overheads such as the Received: line and storing of recipients, etc.
4862 By putting the check here, even when SIZE is not given, it allow VRFY
4863 and EXPN etc. to be used when space is short. */
4865 if (!receive_check_fs(
4866 smtp_check_spool_space && message_size >= 0
4867 ? message_size + 5000 : 0))
4869 smtp_printf("452 Space shortage, please try later\r\n", FALSE);
4870 sender_address = NULL;
4874 /* If sender_address is unqualified, reject it, unless this is a locally
4875 generated message, or the sending host or net is permitted to send
4876 unqualified addresses - typically local machines behaving as MUAs -
4877 in which case just qualify the address. The flag is set above at the start
4878 of the SMTP connection. */
4880 if (!sender_domain && *sender_address)
4881 if (f.allow_unqualified_sender)
4883 sender_domain = Ustrlen(sender_address) + 1;
4884 sender_address = rewrite_address_qualify(sender_address, FALSE);
4885 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
4890 smtp_printf("501 %s: sender address must contain a domain\r\n", FALSE,
4892 log_write(L_smtp_syntax_error,
4893 LOG_MAIN|LOG_REJECT,
4894 "unqualified sender rejected: <%s> %s%s",
4896 host_and_ident(TRUE),
4898 sender_address = NULL;
4902 /* Apply an ACL check if one is defined, before responding. Afterwards,
4903 when pipelining is not advertised, do another sync check in case the ACL
4904 delayed and the client started sending in the meantime. */
4908 rc = acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
4909 if (rc == OK && !f.smtp_in_pipelining_advertised && !check_sync())
4915 if (rc == OK || rc == DISCARD)
4917 BOOL more = pipeline_response();
4920 smtp_printf("%s%s%s", more, US"250 OK",
4921 #ifndef DISABLE_PRDR
4922 prdr_requested ? US", PRDR Requested" : US"",
4929 #ifndef DISABLE_PRDR
4931 user_msg = string_sprintf("%s%s", user_msg, US", PRDR Requested");
4933 smtp_user_msg(US"250", user_msg);
4935 smtp_delay_rcpt = smtp_rlr_base;
4936 f.recipients_discarded = (rc == DISCARD);
4937 was_rej_mail = FALSE;
4941 done = smtp_handle_acl_fail(ACL_WHERE_MAIL, rc, user_msg, log_msg);
4942 sender_address = NULL;
4947 /* The RCPT command requires an address as an operand. There may be any
4948 number of RCPT commands, specifying multiple recipients. We build them all
4949 into a data structure. The start/end values given by parse_extract_address
4950 are not used, as we keep only the extracted address. */
4955 was_rcpt = fl.rcpt_in_progress = TRUE;
4957 /* There must be a sender address; if the sender was rejected and
4958 pipelining was advertised, we assume the client was pipelining, and do not
4959 count this as a protocol error. Reset was_rej_mail so that further RCPTs
4960 get the same treatment. */
4962 if (sender_address == NULL)
4964 if (f.smtp_in_pipelining_advertised && last_was_rej_mail)
4966 smtp_printf("503 sender not yet given\r\n", FALSE);
4967 was_rej_mail = TRUE;
4971 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4972 US"sender not yet given");
4973 was_rcpt = FALSE; /* Not a valid RCPT */
4979 /* Check for an operand */
4981 if (smtp_cmd_data[0] == 0)
4983 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4984 US"RCPT must have an address operand");
4989 /* Set the DSN flags orcpt and dsn_flags from the session*/
4993 if (fl.esmtp) for(;;)
4995 uschar *name, *value;
4997 if (!extract_option(&name, &value))
5000 if (fl.dsn_advertised && strcmpic(name, US"ORCPT") == 0)
5002 /* Check whether orcpt has been already set */
5005 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5006 US"ORCPT can be specified once only");
5009 orcpt = string_copy(value);
5010 DEBUG(D_receive) debug_printf("DSN orcpt: %s\n", orcpt);
5013 else if (fl.dsn_advertised && strcmpic(name, US"NOTIFY") == 0)
5015 /* Check if the notify flags have been already set */
5018 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5019 US"NOTIFY can be specified once only");
5022 if (strcmpic(value, US"NEVER") == 0)
5023 dsn_flags |= rf_notify_never;
5030 while (*pp != 0 && *pp != ',') pp++;
5031 if (*pp == ',') *pp++ = 0;
5032 if (strcmpic(p, US"SUCCESS") == 0)
5034 DEBUG(D_receive) debug_printf("DSN: Setting notify success\n");
5035 dsn_flags |= rf_notify_success;
5037 else if (strcmpic(p, US"FAILURE") == 0)
5039 DEBUG(D_receive) debug_printf("DSN: Setting notify failure\n");
5040 dsn_flags |= rf_notify_failure;
5042 else if (strcmpic(p, US"DELAY") == 0)
5044 DEBUG(D_receive) debug_printf("DSN: Setting notify delay\n");
5045 dsn_flags |= rf_notify_delay;
5049 /* Catch any strange values */
5050 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5051 US"Invalid value for NOTIFY parameter");
5056 DEBUG(D_receive) debug_printf("DSN Flags: %x\n", dsn_flags);
5060 /* Unknown option. Stick back the terminator characters and break
5061 the loop. An error for a malformed address will occur. */
5065 DEBUG(D_receive) debug_printf("Invalid RCPT option: %s : %s\n", name, value);
5072 /* Apply SMTP rewriting then extract the working address. Don't allow "<>"
5073 as a recipient address */
5075 recipient = rewrite_existflags & rewrite_smtp
5076 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
5077 global_rewrite_rules)
5080 if (!(recipient = parse_extract_address(recipient, &errmess, &start, &end,
5081 &recipient_domain, FALSE)))
5083 done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
5088 /* If the recipient address is unqualified, reject it, unless this is a
5089 locally generated message. However, unqualified addresses are permitted
5090 from a configured list of hosts and nets - typically when behaving as
5091 MUAs rather than MTAs. Sad that SMTP is used for both types of traffic,
5092 really. The flag is set at the start of the SMTP connection.
5094 RFC 1123 talks about supporting "the reserved mailbox postmaster"; I always
5095 assumed this meant "reserved local part", but the revision of RFC 821 and
5096 friends now makes it absolutely clear that it means *mailbox*. Consequently
5097 we must always qualify this address, regardless. */
5099 if (!recipient_domain)
5100 if (!(recipient_domain = qualify_recipient(&recipient, smtp_cmd_data,
5107 /* Check maximum allowed */
5109 if (rcpt_count > recipients_max && recipients_max > 0)
5111 if (recipients_max_reject)
5114 smtp_printf("552 too many recipients\r\n", FALSE);
5116 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: message "
5117 "rejected: sender=<%s> %s", sender_address, host_and_ident(TRUE));
5122 smtp_printf("452 too many recipients\r\n", FALSE);
5124 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: excess "
5125 "temporarily rejected: sender=<%s> %s", sender_address,
5126 host_and_ident(TRUE));
5133 /* If we have passed the threshold for rate limiting, apply the current
5134 delay, and update it for next time, provided this is a limited host. */
5136 if (rcpt_count > smtp_rlr_threshold &&
5137 verify_check_host(&smtp_ratelimit_hosts) == OK)
5139 DEBUG(D_receive) debug_printf("rate limit RCPT: delay %.3g sec\n",
5140 smtp_delay_rcpt/1000.0);
5141 millisleep((int)smtp_delay_rcpt);
5142 smtp_delay_rcpt *= smtp_rlr_factor;
5143 if (smtp_delay_rcpt > (double)smtp_rlr_limit)
5144 smtp_delay_rcpt = (double)smtp_rlr_limit;
5147 /* If the MAIL ACL discarded all the recipients, we bypass ACL checking
5148 for them. Otherwise, check the access control list for this recipient. As
5149 there may be a delay in this, re-check for a synchronization error
5150 afterwards, unless pipelining was advertised. */
5152 if (f.recipients_discarded)
5155 if ( (rc = acl_check(ACL_WHERE_RCPT, recipient, acl_smtp_rcpt, &user_msg,
5157 && !f.smtp_in_pipelining_advertised && !check_sync())
5160 /* The ACL was happy */
5164 BOOL more = pipeline_response();
5167 smtp_user_msg(US"250", user_msg);
5169 smtp_printf("250 Accepted\r\n", more);
5170 receive_add_recipient(recipient, -1);
5172 /* Set the dsn flags in the recipients_list */
5173 recipients_list[recipients_count-1].orcpt = orcpt;
5174 recipients_list[recipients_count-1].dsn_flags = dsn_flags;
5176 /* DEBUG(D_receive) debug_printf("DSN: orcpt: %s flags: %d\n",
5177 recipients_list[recipients_count-1].orcpt,
5178 recipients_list[recipients_count-1].dsn_flags); */
5181 /* The recipient was discarded */
5183 else if (rc == DISCARD)
5186 smtp_user_msg(US"250", user_msg);
5188 smtp_printf("250 Accepted\r\n", FALSE);
5191 log_write(0, LOG_MAIN|LOG_REJECT, "%s F=<%s> RCPT %s: "
5192 "discarded by %s ACL%s%s", host_and_ident(TRUE),
5193 sender_address_unrewritten ? sender_address_unrewritten : sender_address,
5194 smtp_cmd_argument, f.recipients_discarded ? "MAIL" : "RCPT",
5195 log_msg ? US": " : US"", log_msg ? log_msg : US"");
5198 /* Either the ACL failed the address, or it was deferred. */
5202 if (rc == FAIL) rcpt_fail_count++; else rcpt_defer_count++;
5203 done = smtp_handle_acl_fail(ACL_WHERE_RCPT, rc, user_msg, log_msg);
5208 /* The DATA command is legal only if it follows successful MAIL FROM
5209 and RCPT TO commands. However, if pipelining is advertised, a bad DATA is
5210 not counted as a protocol error if it follows RCPT (which must have been
5211 rejected if there are no recipients.) This function is complete when a
5212 valid DATA command is encountered.
5214 Note concerning the code used: RFC 2821 says this:
5216 - If there was no MAIL, or no RCPT, command, or all such commands
5217 were rejected, the server MAY return a "command out of sequence"
5218 (503) or "no valid recipients" (554) reply in response to the
5221 The example in the pipelining RFC 2920 uses 554, but I use 503 here
5222 because it is the same whether pipelining is in use or not.
5224 If all the RCPT commands that precede DATA provoked the same error message
5225 (often indicating some kind of system error), it is helpful to include it
5226 with the DATA rejection (an idea suggested by Tony Finch). */
5233 if (chunking_state != CHUNKING_OFFERED)
5235 done = synprot_error(L_smtp_protocol_error, 503, NULL,
5236 US"BDAT command used when CHUNKING not advertised");
5240 /* grab size, endmarker */
5242 if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
5244 done = synprot_error(L_smtp_protocol_error, 501, NULL,
5245 US"missing size for BDAT command");
5248 chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
5249 ? CHUNKING_LAST : CHUNKING_ACTIVE;
5250 chunking_data_left = chunking_datasize;
5251 DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
5252 (int)chunking_state, chunking_data_left);
5254 /* push the current receive_* function on the "stack", and
5255 replace them by bdat_getc(), which in turn will use the lwr_receive_*
5256 functions to do the dirty work. */
5257 lwr_receive_getc = receive_getc;
5258 lwr_receive_getbuf = receive_getbuf;
5259 lwr_receive_ungetc = receive_ungetc;
5261 receive_getc = bdat_getc;
5262 receive_ungetc = bdat_ungetc;
5273 DATA_BDAT: /* Common code for DATA and BDAT */
5274 #ifndef DISABLE_PIPE_CONNECT
5275 fl.pipe_connect_acceptable = FALSE;
5277 if (!discarded && recipients_count <= 0)
5279 if (fl.rcpt_smtp_response_same && rcpt_smtp_response != NULL)
5281 uschar *code = US"503";
5282 int len = Ustrlen(rcpt_smtp_response);
5283 smtp_respond(code, 3, FALSE, US"All RCPT commands were rejected with "
5285 /* Responses from smtp_printf() will have \r\n on the end */
5286 if (len > 2 && rcpt_smtp_response[len-2] == '\r')
5287 rcpt_smtp_response[len-2] = 0;
5288 smtp_respond(code, 3, FALSE, rcpt_smtp_response);
5290 if (f.smtp_in_pipelining_advertised && last_was_rcpt)
5291 smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
5292 smtp_names[smtp_connection_had[smtp_ch_index-1]]);
5294 done = synprot_error(L_smtp_protocol_error, 503, NULL,
5295 smtp_connection_had[smtp_ch_index-1] == SCH_DATA
5296 ? US"valid RCPT command must precede DATA"
5297 : US"valid RCPT command must precede BDAT");
5299 if (chunking_state > CHUNKING_OFFERED)
5304 if (toomany && recipients_max_reject)
5306 sender_address = NULL; /* This will allow a new MAIL without RSET */
5307 sender_address_unrewritten = NULL;
5308 smtp_printf("554 Too many recipients\r\n", FALSE);
5312 if (chunking_state > CHUNKING_OFFERED)
5313 rc = OK; /* No predata ACL or go-ahead output for BDAT */
5316 /* If there is an ACL, re-check the synchronization afterwards, since the
5317 ACL may have delayed. To handle cutthrough delivery enforce a dummy call
5318 to get the DATA command sent. */
5320 if (acl_smtp_predata == NULL && cutthrough.cctx.sock < 0)
5324 uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
5325 f.enable_dollar_recipients = TRUE;
5326 rc = acl_check(ACL_WHERE_PREDATA, NULL, acl, &user_msg,
5328 f.enable_dollar_recipients = FALSE;
5329 if (rc == OK && !check_sync())
5333 { /* Either the ACL failed the address, or it was deferred. */
5334 done = smtp_handle_acl_fail(ACL_WHERE_PREDATA, rc, user_msg, log_msg);
5340 smtp_user_msg(US"354", user_msg);
5343 "354 Enter message, ending with \".\" on a line by itself\r\n", FALSE);
5347 if (smtp_in) /* all ACKs needed to ramp window up for bulk data */
5348 (void) setsockopt(fileno(smtp_in), IPPROTO_TCP, TCP_QUICKACK,
5349 US &on, sizeof(on));
5352 message_ended = END_NOTENDED; /* Indicate in middle of data */
5363 if (!(address = parse_extract_address(smtp_cmd_data, &errmess,
5364 &start, &end, &recipient_domain, FALSE)))
5366 smtp_printf("501 %s\r\n", FALSE, errmess);
5370 if (!recipient_domain)
5371 if (!(recipient_domain = qualify_recipient(&address, smtp_cmd_data,
5375 if ((rc = acl_check(ACL_WHERE_VRFY, address, acl_smtp_vrfy,
5376 &user_msg, &log_msg)) != OK)
5377 done = smtp_handle_acl_fail(ACL_WHERE_VRFY, rc, user_msg, log_msg);
5381 address_item * addr = deliver_make_addr(address, FALSE);
5383 switch(verify_address(addr, NULL, vopt_is_recipient | vopt_qualify, -1,
5384 -1, -1, NULL, NULL, NULL))
5387 s = string_sprintf("250 <%s> is deliverable", address);
5391 s = (addr->user_message != NULL)?
5392 string_sprintf("451 <%s> %s", address, addr->user_message) :
5393 string_sprintf("451 Cannot resolve <%s> at this time", address);
5397 s = (addr->user_message != NULL)?
5398 string_sprintf("550 <%s> %s", address, addr->user_message) :
5399 string_sprintf("550 <%s> is not deliverable", address);
5400 log_write(0, LOG_MAIN, "VRFY failed for %s %s",
5401 smtp_cmd_argument, host_and_ident(TRUE));
5405 smtp_printf("%s\r\n", FALSE, s);
5413 rc = acl_check(ACL_WHERE_EXPN, NULL, acl_smtp_expn, &user_msg, &log_msg);
5415 done = smtp_handle_acl_fail(ACL_WHERE_EXPN, rc, user_msg, log_msg);
5418 BOOL save_log_testing_mode = f.log_testing_mode;
5419 f.address_test_mode = f.log_testing_mode = TRUE;
5420 (void) verify_address(deliver_make_addr(smtp_cmd_data, FALSE),
5421 smtp_out, vopt_is_recipient | vopt_qualify | vopt_expn, -1, -1, -1,
5423 f.address_test_mode = FALSE;
5424 f.log_testing_mode = save_log_testing_mode; /* true for -bh */
5433 if (!fl.tls_advertised)
5435 done = synprot_error(L_smtp_protocol_error, 503, NULL,
5436 US"STARTTLS command used when not advertised");
5440 /* Apply an ACL check if one is defined */
5442 if ( acl_smtp_starttls
5443 && (rc = acl_check(ACL_WHERE_STARTTLS, NULL, acl_smtp_starttls,
5444 &user_msg, &log_msg)) != OK
5447 done = smtp_handle_acl_fail(ACL_WHERE_STARTTLS, rc, user_msg, log_msg);
5451 /* RFC 2487 is not clear on when this command may be sent, though it
5452 does state that all information previously obtained from the client
5453 must be discarded if a TLS session is started. It seems reasonable to
5454 do an implied RSET when STARTTLS is received. */
5456 incomplete_transaction_log(US"STARTTLS");
5457 cancel_cutthrough_connection(TRUE, US"STARTTLS received");
5458 reset_point = smtp_reset(reset_point);
5460 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
5462 /* There's an attack where more data is read in past the STARTTLS command
5463 before TLS is negotiated, then assumed to be part of the secure session
5464 when used afterwards; we use segregated input buffers, so are not
5465 vulnerable, but we want to note when it happens and, for sheer paranoia,
5466 ensure that the buffer is "wiped".
5467 Pipelining sync checks will normally have protected us too, unless disabled
5468 by configuration. */
5470 if (receive_smtp_buffered())
5473 debug_printf("Non-empty input buffer after STARTTLS; naive attack?\n");
5474 if (tls_in.active.sock < 0)
5475 smtp_inend = smtp_inptr = smtp_inbuffer;
5476 /* and if TLS is already active, tls_server_start() should fail */
5479 /* There is nothing we value in the input buffer and if TLS is successfully
5480 negotiated, we won't use this buffer again; if TLS fails, we'll just read
5481 fresh content into it. The buffer contains arbitrary content from an
5482 untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
5483 It seems safest to just wipe away the content rather than leave it as a
5484 target to jump to. */
5486 memset(smtp_inbuffer, 0, IN_BUFFER_SIZE);
5488 /* Attempt to start up a TLS session, and if successful, discard all
5489 knowledge that was obtained previously. At least, that's what the RFC says,
5490 and that's what happens by default. However, in order to work round YAEB,
5491 there is an option to remember the esmtp state. Sigh.
5493 We must allow for an extra EHLO command and an extra AUTH command after
5494 STARTTLS that don't add to the nonmail command count. */
5497 if ((rc = tls_server_start(tls_require_ciphers, &s)) == OK)
5499 if (!tls_remember_esmtp)
5500 fl.helo_seen = fl.esmtp = fl.auth_advertised = f.smtp_in_pipelining_advertised = FALSE;
5501 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
5502 cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
5503 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
5504 if (sender_helo_name)
5506 sender_helo_name = NULL;
5507 host_build_sender_fullhost(); /* Rebuild */
5508 set_process_info("handling incoming TLS connection from %s",
5509 host_and_ident(FALSE));
5512 (sender_host_address ? protocols : protocols_local)
5514 ? pextend + (sender_host_authenticated ? pauthed : 0)
5516 + (tls_in.active.sock >= 0 ? pcrpted : 0)
5519 sender_host_auth_pubname = sender_host_authenticated = NULL;
5520 authenticated_id = NULL;
5521 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
5522 DEBUG(D_tls) debug_printf("TLS active\n");
5523 break; /* Successful STARTTLS */
5526 (void) smtp_log_tls_fail(s);
5528 /* Some local configuration problem was discovered before actually trying
5529 to do a TLS handshake; give a temporary error. */
5533 smtp_printf("454 TLS currently unavailable\r\n", FALSE);
5537 /* Hard failure. Reject everything except QUIT or closed connection. One
5538 cause for failure is a nested STARTTLS, in which case tls_in.active remains
5539 set, but we must still reject all incoming commands. Another is a handshake
5540 failure - and there may some encrypted data still in the pipe to us, which we
5541 see as garbage commands. */
5543 DEBUG(D_tls) debug_printf("TLS failed to start\n");
5544 while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
5547 log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
5548 smtp_get_connection_info());
5549 smtp_notquit_exit(US"tls-failed", NULL, NULL);
5553 /* It is perhaps arguable as to which exit ACL should be called here,
5554 but as it is probably a situation that almost never arises, it
5555 probably doesn't matter. We choose to call the real QUIT ACL, which in
5556 some sense is perhaps "right". */
5561 && ((rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, &user_msg,
5562 &log_msg)) == ERROR))
5563 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
5566 smtp_respond(US"221", 3, TRUE, user_msg);
5568 smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
5569 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
5570 smtp_get_connection_info());
5575 smtp_printf("554 Security failure\r\n", FALSE);
5578 tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
5583 /* The ACL for QUIT is provided for gathering statistical information or
5584 similar; it does not affect the response code, but it can supply a custom
5588 smtp_quit_handler(&user_msg, &log_msg);
5594 smtp_rset_handler();
5595 cancel_cutthrough_connection(TRUE, US"RSET received");
5596 reset_point = smtp_reset(reset_point);
5603 smtp_printf("250 OK\r\n", FALSE);
5607 /* Show ETRN/EXPN/VRFY if there's an ACL for checking hosts; if actually
5608 used, a check will be done for permitted hosts. Show STARTTLS only if not
5609 already in a TLS session and if it would be advertised in the EHLO
5614 smtp_printf("214-Commands supported:\r\n", TRUE);
5618 Ustrcat(buffer, US" AUTH");
5620 if (tls_in.active.sock < 0 &&
5621 verify_check_host(&tls_advertise_hosts) != FAIL)
5622 Ustrcat(buffer, US" STARTTLS");
5624 Ustrcat(buffer, US" HELO EHLO MAIL RCPT DATA BDAT");
5625 Ustrcat(buffer, US" NOOP QUIT RSET HELP");
5626 if (acl_smtp_etrn) Ustrcat(buffer, US" ETRN");
5627 if (acl_smtp_expn) Ustrcat(buffer, US" EXPN");
5628 if (acl_smtp_vrfy) Ustrcat(buffer, US" VRFY");
5629 smtp_printf("214%s\r\n", FALSE, buffer);
5635 incomplete_transaction_log(US"connection lost");
5636 smtp_notquit_exit(US"connection-lost", US"421",
5637 US"%s lost input connection", smtp_active_hostname);
5639 /* Don't log by default unless in the middle of a message, as some mailers
5640 just drop the call rather than sending QUIT, and it clutters up the logs.
5643 if (sender_address || recipients_count > 0)
5644 log_write(L_lost_incoming_connection, LOG_MAIN,
5645 "unexpected %s while reading SMTP command from %s%s%s D=%s",
5646 f.sender_host_unknown ? "EOF" : "disconnection",
5647 f.tcp_in_fastopen_logged
5650 ? f.tcp_in_fastopen_data ? US"TFO* " : US"TFO "
5652 host_and_ident(FALSE), smtp_read_error,
5653 string_timesince(&smtp_connection_start)
5657 log_write(L_smtp_connection, LOG_MAIN, "%s %slost%s D=%s",
5658 smtp_get_connection_info(),
5659 f.tcp_in_fastopen && !f.tcp_in_fastopen_logged ? US"TFO " : US"",
5661 string_timesince(&smtp_connection_start)
5672 done = synprot_error(L_smtp_protocol_error, 503, NULL,
5673 US"ETRN is not permitted inside a transaction");
5677 log_write(L_etrn, LOG_MAIN, "ETRN %s received from %s", smtp_cmd_argument,
5678 host_and_ident(FALSE));
5680 if ((rc = acl_check(ACL_WHERE_ETRN, NULL, acl_smtp_etrn,
5681 &user_msg, &log_msg)) != OK)
5683 done = smtp_handle_acl_fail(ACL_WHERE_ETRN, rc, user_msg, log_msg);
5687 /* Compute the serialization key for this command. */
5689 etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_cmd_data);
5691 /* If a command has been specified for running as a result of ETRN, we
5692 permit any argument to ETRN. If not, only the # standard form is permitted,
5693 since that is strictly the only kind of ETRN that can be implemented
5694 according to the RFC. */
5696 if (smtp_etrn_command)
5700 etrn_command = smtp_etrn_command;
5701 deliver_domain = smtp_cmd_data;
5702 rc = transport_set_up_command(&argv, smtp_etrn_command, TRUE, 0, NULL,
5703 US"ETRN processing", &error);
5704 deliver_domain = NULL;
5707 log_write(0, LOG_MAIN|LOG_PANIC, "failed to set up ETRN command: %s",
5709 smtp_printf("458 Internal failure\r\n", FALSE);
5714 /* Else set up to call Exim with the -R option. */
5718 if (*smtp_cmd_data++ != '#')
5720 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5721 US"argument must begin with #");
5724 etrn_command = US"exim -R";
5725 argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE,
5726 *queue_name ? 4 : 2,
5727 US"-R", smtp_cmd_data,
5728 US"-MCG", queue_name);
5731 /* If we are host-testing, don't actually do anything. */
5737 debug_printf("ETRN command is: %s\n", etrn_command);
5738 debug_printf("ETRN command execution skipped\n");
5740 if (user_msg == NULL) smtp_printf("250 OK\r\n", FALSE);
5741 else smtp_user_msg(US"250", user_msg);
5746 /* If ETRN queue runs are to be serialized, check the database to
5747 ensure one isn't already running. */
5749 if (smtp_etrn_serialize && !enq_start(etrn_serialize_key, 1))
5751 smtp_printf("458 Already processing %s\r\n", FALSE, smtp_cmd_data);
5755 /* Fork a child process and run the command. We don't want to have to
5756 wait for the process at any point, so set SIGCHLD to SIG_IGN before
5757 forking. It should be set that way anyway for external incoming SMTP,
5758 but we save and restore to be tidy. If serialization is required, we
5759 actually run the command in yet another process, so we can wait for it
5760 to complete and then remove the serialization lock. */
5762 oldsignal = signal(SIGCHLD, SIG_IGN);
5764 if ((pid = exim_fork(US"etrn-command")) == 0)
5766 smtp_input = FALSE; /* This process is not associated with the */
5767 (void)fclose(smtp_in); /* SMTP call any more. */
5768 (void)fclose(smtp_out);
5770 signal(SIGCHLD, SIG_DFL); /* Want to catch child */
5772 /* If not serializing, do the exec right away. Otherwise, fork down
5773 into another process. */
5775 if ( !smtp_etrn_serialize
5776 || (pid = exim_fork(US"etrn-serialised-command")) == 0)
5778 DEBUG(D_exec) debug_print_argv(argv);
5779 exim_nullstd(); /* Ensure std{in,out,err} exist */
5780 execv(CS argv[0], (char *const *)argv);
5781 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "exec of \"%s\" (ETRN) failed: %s",
5782 etrn_command, strerror(errno));
5783 _exit(EXIT_FAILURE); /* paranoia */
5786 /* Obey this if smtp_serialize and the 2nd fork yielded non-zero. That
5787 is, we are in the first subprocess, after forking again. All we can do
5788 for a failing fork is to log it. Otherwise, wait for the 2nd process to
5789 complete, before removing the serialization. */
5792 log_write(0, LOG_MAIN|LOG_PANIC, "2nd fork for serialized ETRN "
5793 "failed: %s", strerror(errno));
5797 DEBUG(D_any) debug_printf("waiting for serialized ETRN process %d\n",
5799 (void)wait(&status);
5800 DEBUG(D_any) debug_printf("serialized ETRN process %d ended\n",
5804 enq_end(etrn_serialize_key);
5805 exim_underbar_exit(EXIT_SUCCESS);
5808 /* Back in the top level SMTP process. Check that we started a subprocess
5809 and restore the signal state. */
5813 log_write(0, LOG_MAIN|LOG_PANIC, "fork of process for ETRN failed: %s",
5815 smtp_printf("458 Unable to fork process\r\n", FALSE);
5816 if (smtp_etrn_serialize) enq_end(etrn_serialize_key);
5820 smtp_printf("250 OK\r\n", FALSE);
5822 smtp_user_msg(US"250", user_msg);
5824 signal(SIGCHLD, oldsignal);
5829 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5830 US"unexpected argument data");
5834 /* This currently happens only for NULLs, but could be extended. */
5837 done = synprot_error(L_smtp_syntax_error, 0, NULL, /* Just logs */
5838 US"NUL character(s) present (shown as '?')");
5839 smtp_printf("501 NUL characters are not allowed in SMTP commands\r\n",
5846 if (smtp_inend >= smtp_inbuffer + IN_BUFFER_SIZE)
5847 smtp_inend = smtp_inbuffer + IN_BUFFER_SIZE - 1;
5848 c = smtp_inend - smtp_inptr;
5849 if (c > 150) c = 150; /* limit logged amount */
5851 incomplete_transaction_log(US"sync failure");
5852 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
5853 "(next input sent too soon: pipelining was%s advertised): "
5854 "rejected \"%s\" %s next input=\"%s\"",
5855 f.smtp_in_pipelining_advertised ? "" : " not",
5856 smtp_cmd_buffer, host_and_ident(TRUE),
5857 string_printing(smtp_inptr));
5858 smtp_notquit_exit(US"synchronization-error", US"554",
5859 US"SMTP synchronization error");
5860 done = 1; /* Pretend eof - drops connection */
5864 case TOO_MANY_NONMAIL_CMD:
5865 s = smtp_cmd_buffer;
5866 while (*s != 0 && !isspace(*s)) s++;
5867 incomplete_transaction_log(US"too many non-mail commands");
5868 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
5869 "nonmail commands (last was \"%.*s\")", host_and_ident(FALSE),
5870 (int)(s - smtp_cmd_buffer), smtp_cmd_buffer);
5871 smtp_notquit_exit(US"bad-commands", US"554", US"Too many nonmail commands");
5872 done = 1; /* Pretend eof - drops connection */
5875 #ifdef SUPPORT_PROXY
5876 case PROXY_FAIL_IGNORE_CMD:
5877 smtp_printf("503 Command refused, required Proxy negotiation failed\r\n", FALSE);
5882 if (unknown_command_count++ >= smtp_max_unknown_commands)
5884 log_write(L_smtp_syntax_error, LOG_MAIN,
5885 "SMTP syntax error in \"%s\" %s %s",
5886 string_printing(smtp_cmd_buffer), host_and_ident(TRUE),
5887 US"unrecognized command");
5888 incomplete_transaction_log(US"unrecognized command");
5889 smtp_notquit_exit(US"bad-commands", US"500",
5890 US"Too many unrecognized commands");
5892 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
5893 "unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
5894 string_printing(smtp_cmd_buffer));
5897 done = synprot_error(L_smtp_syntax_error, 500, NULL,
5898 US"unrecognized command");
5902 /* This label is used by goto's inside loops that want to break out to
5903 the end of the command-processing loop. */
5906 last_was_rej_mail = was_rej_mail; /* Remember some last commands for */
5907 last_was_rcpt = was_rcpt; /* protocol error handling */
5911 return done - 2; /* Convert yield values */
5917 authres_smtpauth(gstring * g)
5919 if (!sender_host_authenticated)
5922 g = string_append(g, 2, US";\n\tauth=pass (", sender_host_auth_pubname);
5924 if (Ustrcmp(sender_host_auth_pubname, "tls") != 0)
5925 g = string_append(g, 2, US") smtp.auth=", authenticated_id);
5926 else if (authenticated_id)
5927 g = string_append(g, 2, US") x509.auth=", authenticated_id);
5929 g = string_catn(g, US") reason=x509.auth", 17);
5931 if (authenticated_sender)
5932 g = string_append(g, 2, US" smtp.mailfrom=", authenticated_sender);
5940 /* End of smtp_in.c */