1 /* $Cambridge: exim/src/src/smtp_in.c,v 1.5.2.2 2004/12/02 16:33:30 tom Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2004 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Functions for handling an incoming SMTP call. */
16 /* Initialize for TCP wrappers if so configured. It appears that the macro
17 HAVE_IPV6 is used in some versions of the tcpd.h header, so we unset it before
18 including that header, and restore its value afterwards. */
20 #ifdef USE_TCP_WRAPPERS
23 #define EXIM_HAVE_IPV6
29 #define HAVE_IPV6 TRUE
32 int allow_severity = LOG_INFO;
33 int deny_severity = LOG_NOTICE;
37 /* Size of buffer for reading SMTP commands */
39 #define cmd_buffer_size 512 /* Ref. RFC 821 */
41 /* Size of buffer for reading SMTP incoming packets */
43 #define in_buffer_size 8192
45 /* Structure for SMTP command list */
52 short int is_mail_cmd;
55 /* Codes for identifying commands. We order them so that those that come first
56 are those for which synchronization is always required. Checking this can help
60 /* These commands are required to be synchronized, i.e. to be the last in a
61 block of commands when pipelining. */
63 HELO_CMD, EHLO_CMD, DATA_CMD, /* These are listed in the pipelining */
64 VRFY_CMD, EXPN_CMD, NOOP_CMD, /* RFC as requiring synchronization */
65 ETRN_CMD, /* This by analogy with TURN from the RFC */
66 STARTTLS_CMD, /* Required by the STARTTLS RFC */
68 /* This is a dummy to identify the non-sync commands when pipelining */
70 NON_SYNC_CMD_PIPELINING,
72 /* These commands need not be synchronized when pipelining */
74 MAIL_CMD, RCPT_CMD, RSET_CMD,
76 /* This is a dummy to identify the non-sync commands when not pipelining */
78 NON_SYNC_CMD_NON_PIPELINING,
80 /* I have been unable to find a statement about the use of pipelining
81 with AUTH, so to be on the safe side it is here, though I kind of feel
82 it should be up there with the synchronized commands. */
86 /* I'm not sure about these, but I don't think they matter. */
90 /* These are specials that don't correspond to actual commands */
92 EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
93 TOO_MANY_NONMAIL_CMD };
97 /*************************************************
98 * Local static variables *
99 *************************************************/
101 static auth_instance *authenticated_by;
102 static BOOL auth_advertised;
104 static BOOL tls_advertised;
107 static BOOL helo_required = FALSE;
108 static BOOL helo_verify = FALSE;
109 static BOOL helo_seen;
110 static BOOL helo_accept_junk;
111 static BOOL count_nonmail;
112 static BOOL pipelining_advertised;
113 static int nonmail_command_count;
114 static int synprot_error_count;
115 static int unknown_command_count;
116 static int sync_cmd_limit;
117 static int smtp_write_error = 0;
119 static uschar *smtp_data;
121 static uschar *cmd_buffer;
123 /* We need to know the position of RSET, HELO, EHLO, AUTH, and STARTTLS. Their
124 final fields of all except AUTH are forced TRUE at the start of a new message
125 setup, to allow one of each between messages that is not counted as a nonmail
126 command. (In fact, only one of HELO/EHLO is not counted.) Also, we have to
127 allow a new EHLO after starting up TLS.
129 AUTH is "falsely" labelled as a mail command initially, so that it doesn't get
130 counted. However, the flag is changed when AUTH is received, so that multiple
131 failing AUTHs will eventually hit the limit. After a successful AUTH, another
132 AUTH is already forbidden. After a TLS session is started, AUTH's flag is again
133 forced TRUE, to allow for the re-authentication that can happen at that point.
135 QUIT is also "falsely" labelled as a mail command so that it doesn't up the
136 count of non-mail commands and possibly provoke an error. */
138 static smtp_cmd_list cmd_list[] = {
139 { "rset", sizeof("rset")-1, RSET_CMD, FALSE, FALSE }, /* First */
140 { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
141 { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
142 { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
144 { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
147 /* If you change anything above here, also fix the definitions below. */
149 { "mail from:", sizeof("mail from:")-1, MAIL_CMD, TRUE, TRUE },
150 { "rcpt to:", sizeof("rcpt to:")-1, RCPT_CMD, TRUE, TRUE },
151 { "data", sizeof("data")-1, DATA_CMD, FALSE, TRUE },
152 { "quit", sizeof("quit")-1, QUIT_CMD, FALSE, TRUE },
153 { "noop", sizeof("noop")-1, NOOP_CMD, TRUE, FALSE },
154 { "etrn", sizeof("etrn")-1, ETRN_CMD, TRUE, FALSE },
155 { "vrfy", sizeof("vrfy")-1, VRFY_CMD, TRUE, FALSE },
156 { "expn", sizeof("expn")-1, EXPN_CMD, TRUE, FALSE },
157 { "help", sizeof("help")-1, HELP_CMD, TRUE, FALSE }
160 static smtp_cmd_list *cmd_list_end =
161 cmd_list + sizeof(cmd_list)/sizeof(smtp_cmd_list);
163 #define CMD_LIST_RSET 0
164 #define CMD_LIST_HELO 1
165 #define CMD_LIST_EHLO 2
166 #define CMD_LIST_AUTH 3
167 #define CMD_LIST_STARTTLS 4
169 static uschar *protocols[] = {
170 US"local-smtp", /* HELO */
171 US"local-smtps", /* The rare case EHLO->STARTTLS->HELO */
172 US"local-esmtp", /* EHLO */
173 US"local-esmtps", /* EHLO->STARTTLS->EHLO */
174 US"local-esmtpa", /* EHLO->AUTH */
175 US"local-esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
180 #define pcrpted 1 /* added to pextend or pnormal */
181 #define pauthed 2 /* added to pextend */
182 #define pnlocal 6 /* offset to remove "local" */
184 /* When reading SMTP from a remote host, we have to use our own versions of the
185 C input-reading functions, in order to be able to flush the SMTP output only
186 when about to read more data from the socket. This is the only way to get
187 optimal performance when the client is using pipelining. Flushing for every
188 command causes a separate packet and reply packet each time; saving all the
189 responses up (when pipelining) combines them into one packet and one response.
191 For simplicity, these functions are used for *all* SMTP input, not only when
192 receiving over a socket. However, after setting up a secure socket (SSL), input
193 is read via the OpenSSL library, and another set of functions is used instead
196 These functions are set in the receive_getc etc. variables and called with the
197 same interface as the C functions. However, since there can only ever be
198 one incoming SMTP call, we just use a single buffer and flags. There is no need
199 to implement a complicated private FILE-like structure.*/
201 static uschar *smtp_inbuffer;
202 static uschar *smtp_inptr;
203 static uschar *smtp_inend;
204 static int smtp_had_eof;
205 static int smtp_had_error;
208 /*************************************************
209 * SMTP version of getc() *
210 *************************************************/
212 /* This gets the next byte from the SMTP input buffer. If the buffer is empty,
213 it flushes the output, and refills the buffer, with a timeout. The signal
214 handler is set appropriately by the calling function. This function is not used
215 after a connection has negotated itself into an TLS/SSL state.
218 Returns: the next character or EOF
224 if (smtp_inptr >= smtp_inend)
228 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
229 rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
234 /* Must put the error text in fixed store, because this might be during
235 header reading, where it releases unused store above the header. */
238 smtp_had_error = save_errno;
239 smtp_read_error = string_copy_malloc(
240 string_sprintf(" (error: %s)", strerror(save_errno)));
242 else smtp_had_eof = 1;
245 smtp_inend = smtp_inbuffer + rc;
246 smtp_inptr = smtp_inbuffer;
248 return *smtp_inptr++;
253 /*************************************************
254 * SMTP version of ungetc() *
255 *************************************************/
257 /* Puts a character back in the input buffer. Only ever
263 Returns: the character
269 *(--smtp_inptr) = ch;
276 /*************************************************
277 * SMTP version of feof() *
278 *************************************************/
280 /* Tests for a previous EOF
283 Returns: non-zero if the eof flag is set
295 /*************************************************
296 * SMTP version of ferror() *
297 *************************************************/
299 /* Tests for a previous read error, and returns with errno
300 restored to what it was when the error was detected.
303 Returns: non-zero if the error flag is set
309 errno = smtp_had_error;
310 return smtp_had_error;
316 /*************************************************
317 * Write formatted string to SMTP channel *
318 *************************************************/
320 /* This is a separate function so that we don't have to repeat everything for
321 TLS support or debugging. It is global so that the daemon and the
322 authentication functions can use it. It does not return any error indication,
323 because major problems such as dropped connections won't show up till an output
324 flush for non-TLS connections. The smtp_fflush() function is available for
325 checking that: for convenience, TLS output errors are remembered here so that
326 they are also picked up later by smtp_fflush().
330 ... optional arguments
336 smtp_printf(char *format, ...)
342 va_start(ap, format);
343 (void) string_vformat(big_buffer, big_buffer_size, format, ap);
344 debug_printf("SMTP>> %s", big_buffer);
347 va_start(ap, format);
349 /* If in a TLS session we have to format the string, and then write it using a
355 if (!string_vformat(big_buffer, big_buffer_size, format, ap))
357 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf");
358 smtp_closedown(US"Unexpected error");
359 exim_exit(EXIT_FAILURE);
361 if (tls_write(big_buffer, Ustrlen(big_buffer)) < 0) smtp_write_error = -1;
366 /* Otherwise, just use the standard library function. */
368 if (vfprintf(smtp_out, format, ap) < 0) smtp_write_error = -1;
374 /*************************************************
375 * Flush SMTP out and check for error *
376 *************************************************/
378 /* This function isn't currently used within Exim (it detects errors when it
379 tries to read the next SMTP input), but is available for use in local_scan().
380 For non-TLS connections, it flushes the output and checks for errors. For
381 TLS-connections, it checks for a previously-detected TLS write error.
384 Returns: 0 for no error; -1 after an error
390 if (tls_active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
391 return smtp_write_error;
396 /*************************************************
397 * SMTP command read timeout *
398 *************************************************/
400 /* Signal handler for timing out incoming SMTP commands. This attempts to
403 Argument: signal number (SIGALRM)
408 command_timeout_handler(int sig)
410 sig = sig; /* Keep picky compilers happy */
411 log_write(L_lost_incoming_connection,
412 LOG_MAIN, "SMTP command timeout on%s connection from %s",
413 (tls_active >= 0)? " TLS" : "",
414 host_and_ident(FALSE));
415 if (smtp_batched_input)
416 moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
417 smtp_printf("421 %s: SMTP command timeout - closing connection\r\n",
418 smtp_active_hostname);
420 exim_exit(EXIT_FAILURE);
425 /*************************************************
427 *************************************************/
429 /* Signal handler for handling SIGTERM. Again, try to finish tidily.
431 Argument: signal number (SIGTERM)
436 command_sigterm_handler(int sig)
438 sig = sig; /* Keep picky compilers happy */
439 log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
440 if (smtp_batched_input)
441 moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */
442 smtp_printf("421 %s: Service not available - closing connection\r\n",
443 smtp_active_hostname);
444 exim_exit(EXIT_FAILURE);
449 /*************************************************
450 * Read one command line *
451 *************************************************/
453 /* Strictly, SMTP commands coming over the net are supposed to end with CRLF.
454 There are sites that don't do this, and in any case internal SMTP probably
455 should check only for LF. Consequently, we check here for LF only. The line
456 ends up with [CR]LF removed from its end. If we get an overlong line, treat as
457 an unknown command. The command is read into the static cmd_buffer.
459 The character reading routine sets up a timeout for each block actually read
460 from the input (which may contain more than one command). We set up a special
461 signal handler that closes down the session on a timeout. Control does not
465 check_sync if TRUE, check synchronization rules if global option is TRUE
467 Returns: a code identifying the command (enumerated above)
471 smtp_read_command(BOOL check_sync)
476 BOOL hadnull = FALSE;
478 os_non_restarting_signal(SIGALRM, command_timeout_handler);
480 while ((c = (receive_getc)()) != '\n' && c != EOF)
482 if (ptr >= cmd_buffer_size)
484 os_non_restarting_signal(SIGALRM, sigalrm_handler);
492 cmd_buffer[ptr++] = c;
495 receive_linecount++; /* For BSMTP errors */
496 os_non_restarting_signal(SIGALRM, sigalrm_handler);
498 /* If hit end of file, return pseudo EOF command. Whether we have a
499 part-line already read doesn't matter, since this is an error state. */
501 if (c == EOF) return EOF_CMD;
503 /* Remove any CR and white space at the end of the line, and terminate the
506 while (ptr > 0 && isspace(cmd_buffer[ptr-1])) ptr--;
509 DEBUG(D_receive) debug_printf("SMTP<< %s\n", cmd_buffer);
511 /* NULLs are not allowed in SMTP commands */
513 if (hadnull) return BADCHAR_CMD;
515 /* Scan command list and return identity, having set the data pointer
516 to the start of the actual data characters. Check for SMTP synchronization
519 for (p = cmd_list; p < cmd_list_end; p++)
521 if (strncmpic(cmd_buffer, US p->name, p->len) == 0)
523 if (smtp_inptr < smtp_inend && /* Outstanding input */
524 p->cmd < sync_cmd_limit && /* Command should sync */
525 check_sync && /* Local flag set */
526 smtp_enforce_sync && /* Global flag set */
527 sender_host_address != NULL && /* Not local input */
528 !sender_host_notsocket) /* Really is a socket */
531 /* Point after the command, but don't skip over leading spaces till after
532 the following test, so that if it fails, the command name can easily be
535 smtp_data = cmd_buffer + p->len;
537 /* Count non-mail commands from those hosts that are controlled in this
538 way. The default is all hosts. We don't waste effort checking the list
539 until we get a non-mail command, but then cache the result to save checking
540 again. If there's a DEFER while checking the host, assume it's in the list.
542 Note that one instance of RSET, EHLO/HELO, and STARTTLS is allowed at the
543 start of each incoming message by fiddling with the value in the table. */
547 if (count_nonmail == TRUE_UNSET) count_nonmail =
548 verify_check_host(&smtp_accept_max_nonmail_hosts) != FAIL;
549 if (count_nonmail && ++nonmail_command_count > smtp_accept_max_nonmail)
550 return TOO_MANY_NONMAIL_CMD;
553 /* Get the data pointer over leading spaces and return; if there is no data
554 for a command that expects it, we give the error centrally here. */
556 while (isspace(*smtp_data)) smtp_data++;
557 return (p->has_arg || *smtp_data == 0)? p->cmd : BADARG_CMD;
561 /* Enforce synchronization for unknown commands */
563 if (smtp_inptr < smtp_inend && /* Outstanding input */
564 check_sync && /* Local flag set */
565 smtp_enforce_sync && /* Global flag set */
566 sender_host_address != NULL && /* Not local input */
567 !sender_host_notsocket) /* Really is a socket */
575 /*************************************************
576 * Forced closedown of call *
577 *************************************************/
579 /* This function is called from log.c when Exim is dying because of a serious
580 disaster, and also from some other places. If an incoming non-batched SMTP
581 channel is open, it swallows the rest of the incoming message if in the DATA
582 phase, sends the reply string, and gives an error to all subsequent commands
583 except QUIT. The existence of an SMTP call is detected by the non-NULLness of
586 Argument: SMTP reply string to send, excluding the code
591 smtp_closedown(uschar *message)
593 if (smtp_in == NULL || smtp_batched_input) return;
594 receive_swallow_smtp();
595 smtp_printf("421 %s\r\n", message);
599 switch(smtp_read_command(FALSE))
605 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
610 smtp_printf("250 Reset OK\r\n");
614 smtp_printf("421 %s\r\n", message);
623 /*************************************************
624 * Set up connection info for logging *
625 *************************************************/
627 /* This function is called when logging information about an SMTP connection.
628 It sets up appropriate source information, depending on the type of connection.
631 Returns: a string describing the connection
635 smtp_get_connection_info(void)
638 return string_sprintf("SMTP connection from %s", sender_fullhost);
640 if (sender_host_unknown || sender_host_notsocket)
641 return string_sprintf("SMTP connection from %s", sender_ident);
644 return string_sprintf("SMTP connection from %s (via inetd)", sender_fullhost);
646 if ((log_extra_selector & LX_incoming_interface) != 0 &&
647 interface_address != NULL)
648 return string_sprintf("SMTP connection from %s I=[%s]:%d", sender_fullhost,
649 interface_address, interface_port);
651 return string_sprintf("SMTP connection from %s", sender_fullhost);
656 /*************************************************
657 * Check HELO line and set sender_helo_name *
658 *************************************************/
660 /* Check the format of a HELO line. The data for HELO/EHLO is supposed to be
661 the domain name of the sending host, or an ip literal in square brackets. The
662 arrgument is placed in sender_helo_name, which is in malloc store, because it
663 must persist over multiple incoming messages. If helo_accept_junk is set, this
664 host is permitted to send any old junk (needed for some broken hosts).
665 Otherwise, helo_allow_chars can be used for rogue characters in general
666 (typically people want to let in underscores).
669 s the data portion of the line (already past any white space)
671 Returns: TRUE or FALSE
675 check_helo(uschar *s)
678 uschar *end = s + Ustrlen(s);
679 BOOL yield = helo_accept_junk;
681 /* Discard any previous helo name */
683 if (sender_helo_name != NULL)
685 store_free(sender_helo_name);
686 sender_helo_name = NULL;
689 /* Skip tests if junk is permitted. */
693 /* Allow the new standard form for IPv6 address literals, namely,
694 [IPv6:....], and because someone is bound to use it, allow an equivalent
695 IPv4 form. Allow plain addresses as well. */
702 if (strncmpic(s, US"[IPv6:", 6) == 0)
703 yield = (string_is_ip_address(s+6, NULL) == 6);
704 else if (strncmpic(s, US"[IPv4:", 6) == 0)
705 yield = (string_is_ip_address(s+6, NULL) == 4);
707 yield = (string_is_ip_address(s+1, NULL) != 0);
712 /* Non-literals must be alpha, dot, hyphen, plus any non-valid chars
713 that have been configured (usually underscore - sigh). */
720 if (!isalnum(*s) && *s != '.' && *s != '-' &&
721 Ustrchr(helo_allow_chars, *s) == NULL)
731 /* Save argument if OK */
733 if (yield) sender_helo_name = string_copy_malloc(start);
741 /*************************************************
742 * Extract SMTP command option *
743 *************************************************/
745 /* This function picks the next option setting off the end of smtp_data. It
746 is called for MAIL FROM and RCPT TO commands, to pick off the optional ESMTP
747 things that can appear there.
750 name point this at the name
751 value point this at the data string
753 Returns: TRUE if found an option
757 extract_option(uschar **name, uschar **value)
760 uschar *v = smtp_data + Ustrlen(smtp_data) -1;
761 while (isspace(*v)) v--;
764 while (v > smtp_data && *v != '=' && !isspace(*v)) v--;
765 if (*v != '=') return FALSE;
768 while(isalpha(n[-1])) n--;
770 if (n[-1] != ' ') return FALSE;
785 /*************************************************
786 * Reset for new message *
787 *************************************************/
789 /* This function is called whenever the SMTP session is reset from
790 within either of the setup functions.
792 Argument: the stacking pool storage reset point
797 smtp_reset(void *reset_point)
800 store_reset(reset_point);
801 recipients_list = NULL;
802 rcpt_count = rcpt_defer_count = rcpt_fail_count =
803 raw_recipients_count = recipients_count = recipients_list_max = 0;
805 acl_warn_headers = NULL;
806 queue_only_policy = FALSE;
807 deliver_freeze = FALSE; /* Can be set by ACL */
808 #ifdef WITH_CONTENT_SCAN
809 fake_reject = FALSE; /* Can be set by ACL */
810 no_mbox_unspool = FALSE; /* Can be set by ACL */
812 submission_mode = FALSE; /* Can be set by ACL */
813 active_local_from_check = local_from_check; /* Can be set by ACL */
814 active_local_sender_retain = local_sender_retain; /* Can be set by ACL */
815 sender_address = NULL;
816 raw_sender = NULL; /* After SMTP rewrite, before qualifying */
817 sender_address_unrewritten = NULL; /* Set only after verify rewrite */
818 sender_verified_list = NULL; /* No senders verified */
819 memset(sender_address_cache, 0, sizeof(sender_address_cache));
820 memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
821 authenticated_sender = NULL;
822 body_linecount = body_zerocount = 0;
824 for (i = 0; i < ACL_M_MAX; i++) acl_var[ACL_C_MAX + i] = NULL;
826 /* The message body variables use malloc store. They may be set if this is
827 not the first message in an SMTP session and the previous message caused them
828 to be referenced in an ACL. */
830 if (message_body != NULL)
832 store_free(message_body);
836 if (message_body_end != NULL)
838 store_free(message_body_end);
839 message_body_end = NULL;
842 /* Warning log messages are also saved in malloc store. They are saved to avoid
843 repetition in the same message, but it seems right to repeat them for different
846 while (acl_warn_logged != NULL)
848 string_item *this = acl_warn_logged;
849 acl_warn_logged = acl_warn_logged->next;
858 /*************************************************
859 * Initialize for incoming batched SMTP message *
860 *************************************************/
862 /* This function is called from smtp_setup_msg() in the case when
863 smtp_batched_input is true. This happens when -bS is used to pass a whole batch
864 of messages in one file with SMTP commands between them. All errors must be
865 reported by sending a message, and only MAIL FROM, RCPT TO, and DATA are
866 relevant. After an error on a sender, or an invalid recipient, the remainder
867 of the message is skipped. The value of received_protocol is already set.
870 Returns: > 0 message successfully started (reached DATA)
871 = 0 QUIT read or end of file reached
876 smtp_setup_batch_msg(void)
879 void *reset_point = store_get(0);
881 /* Save the line count at the start of each transaction - single commands
882 like HELO and RSET count as whole transactions. */
884 bsmtp_transaction_linecount = receive_linecount;
886 if ((receive_feof)()) return 0; /* Treat EOF as QUIT */
888 smtp_reset(reset_point); /* Reset for start of message */
890 /* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
891 value. The values are 2 larger than the required yield of the function. */
896 uschar *recipient = NULL;
897 int start, end, sender_domain, recipient_domain;
899 switch(smtp_read_command(FALSE))
901 /* The HELO/EHLO commands set sender_address_helo if they have
902 valid data; otherwise they are ignored, except that they do
903 a reset of the state. */
908 check_helo(smtp_data);
912 smtp_reset(reset_point);
913 bsmtp_transaction_linecount = receive_linecount;
917 /* The MAIL FROM command requires an address as an operand. All we
918 do here is to parse it for syntactic correctness. The form "<>" is
919 a special case which converts into an empty string. The start/end
920 pointers in the original are not used further for this address, as
921 it is the canonical extracted address which is all that is kept. */
924 if (sender_address != NULL)
925 /* The function moan_smtp_batch() does not return. */
926 moan_smtp_batch(cmd_buffer, "503 Sender already given");
928 if (smtp_data[0] == 0)
929 /* The function moan_smtp_batch() does not return. */
930 moan_smtp_batch(cmd_buffer, "501 MAIL FROM must have an address operand");
932 /* Reset to start of message */
934 smtp_reset(reset_point);
936 /* Apply SMTP rewrite */
938 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
939 rewrite_one(smtp_data, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
940 US"", global_rewrite_rules) : smtp_data;
942 /* Extract the address; the TRUE flag allows <> as valid */
945 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
948 if (raw_sender == NULL)
949 /* The function moan_smtp_batch() does not return. */
950 moan_smtp_batch(cmd_buffer, "501 %s", errmess);
952 sender_address = string_copy(raw_sender);
954 /* Qualify unqualified sender addresses if permitted to do so. */
956 if (sender_domain == 0 && sender_address[0] != 0 && sender_address[0] != '@')
958 if (allow_unqualified_sender)
960 sender_address = rewrite_address_qualify(sender_address, FALSE);
961 DEBUG(D_receive) debug_printf("unqualified address %s accepted "
962 "and rewritten\n", raw_sender);
964 /* The function moan_smtp_batch() does not return. */
965 else moan_smtp_batch(cmd_buffer, "501 sender address must contain "
971 /* The RCPT TO command requires an address as an operand. All we do
972 here is to parse it for syntactic correctness. There may be any number
973 of RCPT TO commands, specifying multiple senders. We build them all into
974 a data structure that is in argc/argv format. The start/end values
975 given by parse_extract_address are not used, as we keep only the
976 extracted address. */
979 if (sender_address == NULL)
980 /* The function moan_smtp_batch() does not return. */
981 moan_smtp_batch(cmd_buffer, "503 No sender yet given");
983 if (smtp_data[0] == 0)
984 /* The function moan_smtp_batch() does not return. */
985 moan_smtp_batch(cmd_buffer, "501 RCPT TO must have an address operand");
987 /* Check maximum number allowed */
989 if (recipients_max > 0 && recipients_count + 1 > recipients_max)
990 /* The function moan_smtp_batch() does not return. */
991 moan_smtp_batch(cmd_buffer, "%s too many recipients",
992 recipients_max_reject? "552": "452");
994 /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a
997 recipient = ((rewrite_existflags & rewrite_smtp) != 0)?
998 rewrite_one(smtp_data, rewrite_smtp, NULL, FALSE, US"",
999 global_rewrite_rules) : smtp_data;
1001 /* rfc821_domains = TRUE; << no longer needed */
1002 recipient = parse_extract_address(recipient, &errmess, &start, &end,
1003 &recipient_domain, FALSE);
1004 /* rfc821_domains = FALSE; << no longer needed */
1006 if (recipient == NULL)
1007 /* The function moan_smtp_batch() does not return. */
1008 moan_smtp_batch(cmd_buffer, "501 %s", errmess);
1010 /* If the recipient address is unqualified, qualify it if permitted. Then
1011 add it to the list of recipients. */
1013 if (recipient_domain == 0)
1015 if (allow_unqualified_recipient)
1017 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
1019 recipient = rewrite_address_qualify(recipient, TRUE);
1021 /* The function moan_smtp_batch() does not return. */
1022 else moan_smtp_batch(cmd_buffer, "501 recipient address must contain "
1025 receive_add_recipient(recipient, -1);
1029 /* The DATA command is legal only if it follows successful MAIL FROM
1030 and RCPT TO commands. This function is complete when a valid DATA
1031 command is encountered. */
1034 if (sender_address == NULL || recipients_count <= 0)
1036 /* The function moan_smtp_batch() does not return. */
1037 if (sender_address == NULL)
1038 moan_smtp_batch(cmd_buffer,
1039 "503 MAIL FROM:<sender> command must precede DATA");
1041 moan_smtp_batch(cmd_buffer,
1042 "503 RCPT TO:<recipient> must precede DATA");
1046 done = 3; /* DATA successfully achieved */
1047 message_ended = END_NOTENDED; /* Indicate in middle of message */
1052 /* The VRFY, EXPN, HELP, ETRN, and NOOP commands are ignored. */
1059 bsmtp_transaction_linecount = receive_linecount;
1070 /* The function moan_smtp_batch() does not return. */
1071 moan_smtp_batch(cmd_buffer, "501 Unexpected argument data");
1076 /* The function moan_smtp_batch() does not return. */
1077 moan_smtp_batch(cmd_buffer, "501 Unexpected NULL in SMTP command");
1082 /* The function moan_smtp_batch() does not return. */
1083 moan_smtp_batch(cmd_buffer, "500 Command unrecognized");
1088 return done - 2; /* Convert yield values */
1094 /*************************************************
1095 * Start an SMTP session *
1096 *************************************************/
1098 /* This function is called at the start of an SMTP session. Thereafter,
1099 smtp_setup_msg() is called to initiate each separate message. This
1100 function does host-specific testing, and outputs the banner line.
1103 Returns: FALSE if the session can not continue; something has
1104 gone wrong, or the connection to the host is blocked
1108 smtp_start_session(void)
1114 helo_seen = esmtp = helo_accept_junk = FALSE;
1115 count_nonmail = TRUE_UNSET;
1116 synprot_error_count = unknown_command_count = nonmail_command_count = 0;
1117 smtp_delay_mail = smtp_rlm_base;
1118 auth_advertised = FALSE;
1119 pipelining_advertised = FALSE;
1120 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
1122 memset(sender_host_cache, 0, sizeof(sender_host_cache));
1124 sender_host_authenticated = NULL;
1125 authenticated_by = NULL;
1128 tls_cipher = tls_peerdn = NULL;
1129 tls_advertised = FALSE;
1132 /* Reset ACL connection variables */
1134 for (i = 0; i < ACL_C_MAX; i++) acl_var[i] = NULL;
1136 cmd_buffer = (uschar *)malloc(cmd_buffer_size + 1); /* allow for trailing 0 */
1137 if (cmd_buffer == NULL)
1138 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1139 "malloc() failed for SMTP command buffer");
1141 /* For batched input, the protocol setting can be overridden from the
1142 command line by a trusted caller. */
1144 if (smtp_batched_input)
1146 if (received_protocol == NULL) received_protocol = US"local-bsmtp";
1149 /* For non-batched SMTP input, the protocol setting is forced here. It will be
1150 reset later if any of EHLO/AUTH/STARTTLS are received. */
1154 protocols[pnormal] + ((sender_host_address != NULL)? pnlocal : 0);
1156 /* Set up the buffer for inputting using direct read() calls, and arrange to
1157 call the local functions instead of the standard C ones. */
1159 smtp_inbuffer = (uschar *)malloc(in_buffer_size);
1160 if (smtp_inbuffer == NULL)
1161 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
1162 receive_getc = smtp_getc;
1163 receive_ungetc = smtp_ungetc;
1164 receive_feof = smtp_feof;
1165 receive_ferror = smtp_ferror;
1166 smtp_inptr = smtp_inend = smtp_inbuffer;
1167 smtp_had_eof = smtp_had_error = 0;
1169 /* Set up the message size limit; this may be host-specific */
1171 thismessage_size_limit = expand_string_integer(message_size_limit);
1172 if (thismessage_size_limit < 0)
1174 if (thismessage_size_limit == -1)
1175 log_write(0, LOG_MAIN|LOG_PANIC, "unable to expand message_size_limit: "
1176 "%s", expand_string_message);
1178 log_write(0, LOG_MAIN|LOG_PANIC, "invalid message_size_limit: "
1179 "%s", expand_string_message);
1180 smtp_closedown(US"Temporary local problem - please try later");
1184 /* When a message is input locally via the -bs or -bS options, sender_host_
1185 unknown is set unless -oMa was used to force an IP address, in which case it
1186 is checked like a real remote connection. When -bs is used from inetd, this
1187 flag is not set, causing the sending host to be checked. The code that deals
1188 with IP source routing (if configured) is never required for -bs or -bS and
1189 the flag sender_host_notsocket is used to suppress it.
1191 If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
1192 reserve for certain hosts and/or networks. */
1194 if (!sender_host_unknown)
1197 BOOL reserved_host = FALSE;
1199 /* Look up IP options (source routing info) on the socket if this is not an
1200 -oMa "host", and if any are found, log them and drop the connection.
1202 Linux (and others now, see below) is different to everyone else, so there
1203 has to be some conditional compilation here. Versions of Linux before 2.1.15
1204 used a structure whose name was "options". Somebody finally realized that
1205 this name was silly, and it got changed to "ip_options". I use the
1206 newer name here, but there is a fudge in the script that sets up os.h
1207 to define a macro in older Linux systems.
1209 Sigh. Linux is a fast-moving target. Another generation of Linux uses
1210 glibc 2, which has chosen ip_opts for the structure name. This is now
1211 really a glibc thing rather than a Linux thing, so the condition name
1212 has been changed to reflect this. It is relevant also to GNU/Hurd.
1214 Mac OS 10.x (Darwin) is like the later glibc versions, but without the
1215 setting of the __GLIBC__ macro, so we can't detect it automatically. There's
1216 a special macro defined in the os.h file.
1218 Some DGUX versions on older hardware appear not to support IP options at
1219 all, so there is now a general macro which can be set to cut out this
1222 How to do this properly in IPv6 is not yet known. */
1224 #if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
1226 #ifdef GLIBC_IP_OPTIONS
1227 #if (!defined __GLIBC__) || (__GLIBC__ < 2)
1232 #elif defined DARWIN_IP_OPTIONS
1238 if (!host_checking && !sender_host_notsocket)
1241 SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
1242 struct ip_options *ipopt = store_get(optlen);
1244 struct ip_opts ipoptblock;
1245 struct ip_opts *ipopt = &ipoptblock;
1246 SOCKLEN_T optlen = sizeof(ipoptblock);
1248 struct ipoption ipoptblock;
1249 struct ipoption *ipopt = &ipoptblock;
1250 SOCKLEN_T optlen = sizeof(ipoptblock);
1253 /* Occasional genuine failures of getsockopt() have been seen - for
1254 example, "reset by peer". Therefore, just log and give up on this
1255 call, unless the error is ENOPROTOOPT. This error is given by systems
1256 that have the interfaces but not the mechanism - e.g. GNU/Hurd at the time
1257 of writing. So for that error, carry on - we just can't do an IP options
1260 DEBUG(D_receive) debug_printf("checking for IP options\n");
1262 if (getsockopt(fileno(smtp_out), IPPROTO_IP, IP_OPTIONS, (uschar *)(ipopt),
1265 if (errno != ENOPROTOOPT)
1267 log_write(0, LOG_MAIN, "getsockopt() failed from %s: %s",
1268 host_and_ident(FALSE), strerror(errno));
1269 smtp_printf("451 SMTP service not available\r\n");
1274 /* Deal with any IP options that are set. On the systems I have looked at,
1275 the value of MAX_IPOPTLEN has been 40, meaning that there should never be
1276 more logging data than will fit in big_buffer. Nevertheless, after somebody
1277 questioned this code, I've added in some paranoid checking. */
1279 else if (optlen > 0)
1281 uschar *p = big_buffer;
1282 uschar *pend = big_buffer + big_buffer_size;
1283 uschar *opt, *adptr;
1285 struct in_addr addr;
1288 uschar *optstart = (uschar *)(ipopt->__data);
1290 uschar *optstart = (uschar *)(ipopt->ip_opts);
1292 uschar *optstart = (uschar *)(ipopt->ipopt_list);
1295 DEBUG(D_receive) debug_printf("IP options exist\n");
1297 Ustrcpy(p, "IP options on incoming call:");
1300 for (opt = optstart; opt != NULL &&
1301 opt < (uschar *)(ipopt) + optlen;)
1315 if (!string_format(p, pend-p, " %s [@%s",
1316 (*opt == IPOPT_SSRR)? "SSRR" : "LSRR",
1318 inet_ntoa(*((struct in_addr *)(&(ipopt->faddr))))))
1320 inet_ntoa(ipopt->ip_dst)))
1322 inet_ntoa(ipopt->ipopt_dst)))
1330 optcount = (opt[1] - 3) / sizeof(struct in_addr);
1332 while (optcount-- > 0)
1334 memcpy(&addr, adptr, sizeof(addr));
1335 if (!string_format(p, pend - p - 1, "%s%s",
1336 (optcount == 0)? ":" : "@", inet_ntoa(addr)))
1342 adptr += sizeof(struct in_addr);
1351 if (pend - p < 4 + 3*opt[1]) { opt = NULL; break; }
1354 for (i = 0; i < opt[1]; i++)
1356 sprintf(CS p, "%2.2x ", opt[i]);
1367 log_write(0, LOG_MAIN, "%s", big_buffer);
1369 /* Refuse any call with IP options. This is what tcpwrappers 7.5 does. */
1371 log_write(0, LOG_MAIN|LOG_REJECT,
1372 "connection from %s refused (IP options)", host_and_ident(FALSE));
1374 smtp_printf("554 SMTP service not available\r\n");
1378 /* Length of options = 0 => there are no options */
1380 else DEBUG(D_receive) debug_printf("no IP options found\n");
1382 #endif /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
1384 /* Set keep-alive in socket options. The option is on by default. This
1385 setting is an attempt to get rid of some hanging connections that stick in
1386 read() when the remote end (usually a dialup) goes away. */
1388 if (smtp_accept_keepalive && !sender_host_notsocket)
1389 ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
1391 /* If the current host matches host_lookup, set the name by doing a
1392 reverse lookup. On failure, sender_host_name will be NULL and
1393 host_lookup_failed will be TRUE. This may or may not be serious - optional
1396 if (verify_check_host(&host_lookup) == OK)
1398 (void)host_name_lookup();
1399 host_build_sender_fullhost();
1402 /* Delay this until we have the full name, if it is looked up. */
1404 set_process_info("handling incoming connection from %s",
1405 host_and_ident(FALSE));
1407 /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
1408 smtps port for use with older style SSL MTAs. */
1411 if (tls_on_connect && tls_server_start(tls_require_ciphers) != OK)
1415 /* Test for explicit connection rejection */
1417 if (verify_check_host(&host_reject_connection) == OK)
1419 log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
1420 "from %s (host_reject_connection)", host_and_ident(FALSE));
1421 smtp_printf("554 SMTP service not available\r\n");
1425 /* Test with TCP Wrappers if so configured */
1427 #ifdef USE_TCP_WRAPPERS
1428 if (!hosts_ctl("exim",
1429 (sender_host_name == NULL)? STRING_UNKNOWN : CS sender_host_name,
1430 (sender_host_address == NULL)? STRING_UNKNOWN : CS sender_host_address,
1431 (sender_ident == NULL)? STRING_UNKNOWN : CS sender_ident))
1433 HDEBUG(D_receive) debug_printf("tcp wrappers rejection\n");
1434 log_write(L_connection_reject,
1435 LOG_MAIN|LOG_REJECT, "refused connection from %s "
1436 "(tcp wrappers)", host_and_ident(FALSE));
1437 smtp_printf("554 SMTP service not available\r\n");
1442 /* Check for reserved slots. Note that the count value doesn't include
1443 this process, as it gets upped in the parent process. */
1445 if (smtp_accept_max > 0 &&
1446 smtp_accept_count + 1 > smtp_accept_max - smtp_accept_reserve)
1448 if ((rc = verify_check_host(&smtp_reserve_hosts)) != OK)
1450 log_write(L_connection_reject,
1451 LOG_MAIN, "temporarily refused connection from %s: not in "
1452 "reserve list: connected=%d max=%d reserve=%d%s",
1453 host_and_ident(FALSE), smtp_accept_count, smtp_accept_max,
1454 smtp_accept_reserve, (rc == DEFER)? " (lookup deferred)" : "");
1455 smtp_printf("421 %s: Too many concurrent SMTP connections; "
1456 "please try again later\r\n", smtp_active_hostname);
1459 reserved_host = TRUE;
1462 /* If a load level above which only messages from reserved hosts are
1463 accepted is set, check the load. For incoming calls via the daemon, the
1464 check is done in the superior process if there are no reserved hosts, to
1465 save a fork. In all cases, the load average will already be available
1466 in a global variable at this point. */
1468 if (smtp_load_reserve >= 0 &&
1469 load_average > smtp_load_reserve &&
1471 verify_check_host(&smtp_reserve_hosts) != OK)
1473 log_write(L_connection_reject,
1474 LOG_MAIN, "temporarily refused connection from %s: not in "
1475 "reserve list and load average = %.2f", host_and_ident(FALSE),
1476 (double)load_average/1000.0);
1477 smtp_printf("421 %s: Too much load; please try again later\r\n",
1478 smtp_active_hostname);
1482 /* Determine whether unqualified senders or recipients are permitted
1483 for this host. Unfortunately, we have to do this every time, in order to
1484 set the flags so that they can be inspected when considering qualifying
1485 addresses in the headers. For a site that permits no qualification, this
1486 won't take long, however. */
1488 allow_unqualified_sender =
1489 verify_check_host(&sender_unqualified_hosts) == OK;
1491 allow_unqualified_recipient =
1492 verify_check_host(&recipient_unqualified_hosts) == OK;
1494 /* Determine whether HELO/EHLO is required for this host. The requirement
1495 can be hard or soft. */
1497 helo_required = verify_check_host(&helo_verify_hosts) == OK;
1499 helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
1501 /* Determine whether this hosts is permitted to send syntactic junk
1502 after a HELO or EHLO command. */
1504 helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
1507 /* For batch SMTP input we are now done. */
1509 if (smtp_batched_input) return TRUE;
1511 /* Run the ACL if it exists */
1513 if (acl_smtp_connect != NULL)
1516 uschar *user_msg, *log_msg;
1517 smtp_data = US"in \"connect\" ACL"; /* For logged failure message */
1518 rc = acl_check(ACL_WHERE_CONNECT, US"", acl_smtp_connect, &user_msg,
1522 (void)smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
1527 /* Output the initial message for a two-way SMTP connection. It may contain
1528 newlines, which then cause a multi-line response to be given. */
1530 s = expand_string(smtp_banner);
1532 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) "
1533 "failed: %s", smtp_banner, expand_string_message);
1535 /* Remove any terminating newlines; might as well remove trailing space too */
1538 while (p > s && isspace(p[-1])) p--;
1541 /* It seems that CC:Mail is braindead, and assumes that the greeting message
1542 is all contained in a single IP packet. The original code wrote out the
1543 greeting using several calls to fprint/fputc, and on busy servers this could
1544 cause it to be split over more than one packet - which caused CC:Mail to fall
1545 over when it got the second part of the greeting after sending its first
1546 command. Sigh. To try to avoid this, build the complete greeting message
1547 first, and output it in one fell swoop. This gives a better chance of it
1548 ending up as a single packet. */
1550 ss = store_get(size);
1554 do /* At least once, in case we have an empty string */
1557 uschar *linebreak = Ustrchr(p, '\n');
1558 if (linebreak == NULL)
1561 ss = string_cat(ss, &size, &ptr, US"220 ", 4);
1565 len = linebreak - p;
1566 ss = string_cat(ss, &size, &ptr, US"220-", 4);
1568 ss = string_cat(ss, &size, &ptr, p, len);
1569 ss = string_cat(ss, &size, &ptr, US"\r\n", 2);
1571 if (linebreak != NULL) p++;
1575 ss[ptr] = 0; /* string_cat leaves room for this */
1577 /* Before we write the banner, check that there is no input pending, unless
1578 this synchronisation check is disabled. */
1580 if (smtp_enforce_sync && sender_host_address != NULL && !sender_host_notsocket)
1583 struct timeval tzero;
1587 FD_SET(fileno(smtp_in), &fds);
1588 if (select(fileno(smtp_in) + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL,
1591 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
1592 "synchronization error (input sent without waiting for greeting): "
1593 "rejected connection from %s", host_and_ident(TRUE));
1594 smtp_printf("554 SMTP synchronization error\r\n");
1599 /* Now output the banner */
1601 smtp_printf("%s", ss);
1609 /*************************************************
1610 * Handle SMTP syntax and protocol errors *
1611 *************************************************/
1613 /* Write to the log for SMTP syntax errors in incoming commands, if configured
1614 to do so. Then transmit the error response. The return value depends on the
1615 number of syntax and protocol errors in this SMTP session.
1618 type error type, given as a log flag bit
1619 code response code; <= 0 means don't send a response
1620 data data to reflect in the response (can be NULL)
1621 errmess the error message
1623 Returns: -1 limit of syntax/protocol errors NOT exceeded
1624 +1 limit of syntax/protocol errors IS exceeded
1626 These values fit in with the values of the "done" variable in the main
1627 processing loop in smtp_setup_msg(). */
1630 synprot_error(int type, int code, uschar *data, uschar *errmess)
1634 log_write(type, LOG_MAIN, "SMTP %s error in \"%s\" %s %s",
1635 (type == L_smtp_syntax_error)? "syntax" : "protocol",
1636 string_printing(cmd_buffer), host_and_ident(TRUE), errmess);
1638 if (++synprot_error_count > smtp_max_synprot_errors)
1641 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
1642 "syntax or protocol errors (last command was \"%s\")",
1643 host_and_ident(FALSE), cmd_buffer);
1648 smtp_printf("%d%c%s%s%s\r\n", code, (yield == 1)? '-' : ' ',
1649 (data == NULL)? US"" : data, (data == NULL)? US"" : US": ", errmess);
1651 smtp_printf("%d Too many syntax or protocol errors\r\n", code);
1660 /*************************************************
1661 * Log incomplete transactions *
1662 *************************************************/
1664 /* This function is called after a transaction has been aborted by RSET, QUIT,
1665 connection drops or other errors. It logs the envelope information received
1666 so far in order to preserve address verification attempts.
1668 Argument: string to indicate what aborted the transaction
1673 incomplete_transaction_log(uschar *what)
1675 if (sender_address == NULL || /* No transaction in progress */
1676 (log_write_selector & L_smtp_incomplete_transaction) == 0 /* Not logging */
1679 /* Build list of recipients for logging */
1681 if (recipients_count > 0)
1684 raw_recipients = store_get(recipients_count * sizeof(uschar *));
1685 for (i = 0; i < recipients_count; i++)
1686 raw_recipients[i] = recipients_list[i].address;
1687 raw_recipients_count = recipients_count;
1690 log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
1691 "%s incomplete transaction (%s)", host_and_ident(TRUE), what);
1697 /*************************************************
1698 * Send SMTP response, possibly multiline *
1699 *************************************************/
1701 /* There are, it seems, broken clients out there that cannot handle multiline
1702 responses. If no_multiline_responses is TRUE (it can be set from an ACL), we
1703 output nothing for non-final calls, and only the first line for anything else.
1707 final FALSE if the last line isn't the final line
1708 msg message text, possibly containing newlines
1714 smtp_respond(int code, BOOL final, uschar *msg)
1716 if (!final && no_multiline_responses) return;
1720 uschar *nl = Ustrchr(msg, '\n');
1723 smtp_printf("%d%c%s\r\n", code, final? ' ':'-', msg);
1726 else if (nl[1] == 0 || no_multiline_responses)
1728 smtp_printf("%d%c%.*s\r\n", code, final? ' ':'-', (int)(nl - msg), msg);
1733 smtp_printf("%d-%.*s\r\n", code, (int)(nl - msg), msg);
1735 while (isspace(*msg)) msg++;
1743 /*************************************************
1744 * Handle an ACL failure *
1745 *************************************************/
1747 /* This function is called when acl_check() fails. As well as calls from within
1748 this module, it is called from receive.c for an ACL after DATA. It sorts out
1749 logging the incident, and sets up the error response. A message containing
1750 newlines is turned into a multiline SMTP response, but for logging, only the
1753 There's a table of the response codes to use in globals.c, along with the table
1754 of names. VFRY is special. Despite RFC1123 it defaults disabled in Exim.
1755 However, discussion in connection with RFC 821bis (aka RFC 2821) has concluded
1756 that the response should be 252 in the disabled state, because there are broken
1757 clients that try VRFY before RCPT. A 5xx response should be given only when the
1758 address is positively known to be undeliverable. Sigh. Also, for ETRN, 458 is
1759 given on refusal, and for AUTH, 503.
1762 where where the ACL was called from
1764 user_msg a message that can be included in an SMTP response
1765 log_msg a message for logging
1767 Returns: 0 in most cases
1768 2 if the failure code was FAIL_DROP, in which case the
1769 SMTP connection should be dropped (this value fits with the
1770 "done" variable in smtp_setup_msg() below)
1774 smtp_handle_acl_fail(int where, int rc, uschar *user_msg, uschar *log_msg)
1776 int code = acl_wherecodes[where];
1777 BOOL drop = rc == FAIL_DROP;
1779 uschar *sender_info = US"";
1780 uschar *what = (where == ACL_WHERE_PREDATA)? US"DATA" :
1781 #ifdef WITH_CONTENT_SCAN
1782 (where == ACL_WHERE_MIME)? US"during MIME ACL checks" :
1784 (where == ACL_WHERE_DATA)? US"after DATA" :
1785 string_sprintf("%s %s", acl_wherenames[where], smtp_data);
1787 if (drop) rc = FAIL;
1789 /* We used to have sender_address here; however, there was a bug that was not
1790 updating sender_address after a rewrite during a verify. When this bug was
1791 fixed, sender_address at this point became the rewritten address. I'm not sure
1792 this is what should be logged, so I've changed to logging the unrewritten
1793 address to retain backward compatibility. */
1795 #ifndef WITH_CONTENT_SCAN
1796 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
1798 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
1801 sender_info = string_sprintf("F=<%s> ", (sender_address_unrewritten != NULL)?
1802 sender_address_unrewritten : sender_address);
1805 /* If there's been a sender verification failure with a specific message, and
1806 we have not sent a response about it yet, do so now, as a preliminary line for
1807 failures, but not defers. However, log it in both cases. */
1809 if (sender_verified_failed != NULL &&
1810 !testflag(sender_verified_failed, af_sverify_told))
1812 setflag(sender_verified_failed, af_sverify_told);
1814 log_write(0, LOG_MAIN|LOG_REJECT, "%s sender verify %s for <%s>%s",
1815 host_and_ident(TRUE),
1816 ((sender_verified_failed->special_action & 255) == DEFER)? "defer" : "fail",
1817 sender_verified_failed->address,
1818 (sender_verified_failed->message == NULL)? US"" :
1819 string_sprintf(": %s", sender_verified_failed->message));
1821 if (rc == FAIL && sender_verified_failed->user_message != NULL)
1822 smtp_respond(code, FALSE, string_sprintf(
1823 testflag(sender_verified_failed, af_verify_pmfail)?
1824 "Postmaster verification failed while checking <%s>\n%s\n"
1825 "Several RFCs state that you are required to have a postmaster\n"
1826 "mailbox for each mail domain. This host does not accept mail\n"
1827 "from domains whose servers reject the postmaster address."
1829 testflag(sender_verified_failed, af_verify_nsfail)?
1830 "Callback setup failed while verifying <%s>\n%s\n"
1831 "The initial connection, or a HELO or MAIL FROM:<> command was\n"
1832 "rejected. Refusing MAIL FROM:<> does not help fight spam, disregards\n"
1833 "RFC requirements, and stops you from receiving standard bounce\n"
1834 "messages. This host does not accept mail from domains whose servers\n"
1837 "Verification failed for <%s>\n%s",
1838 sender_verified_failed->address,
1839 sender_verified_failed->user_message));
1842 /* Sort out text for logging */
1844 log_msg = (log_msg == NULL)? US"" : string_sprintf(": %s", log_msg);
1845 lognl = Ustrchr(log_msg, '\n');
1846 if (lognl != NULL) *lognl = 0;
1848 /* Send permanent failure response to the command, but the code used isn't
1849 always a 5xx one - see comments at the start of this function. If the original
1850 rc was FAIL_DROP we drop the connection and yield 2. */
1852 if (rc == FAIL) smtp_respond(code, TRUE, (user_msg == NULL)?
1853 US"Administrative prohibition" : user_msg);
1855 /* Send temporary failure response to the command. Don't give any details,
1856 unless acl_temp_details is set. This is TRUE for a callout defer, a "defer"
1857 verb, and for a header verify when smtp_return_error_details is set.
1859 This conditional logic is all somewhat of a mess because of the odd
1860 interactions between temp_details and return_error_details. One day it should
1861 be re-implemented in a tidier fashion. */
1865 if (acl_temp_details && user_msg != NULL)
1867 if (smtp_return_error_details &&
1868 sender_verified_failed != NULL &&
1869 sender_verified_failed->message != NULL)
1871 smtp_respond(451, FALSE, sender_verified_failed->message);
1873 smtp_respond(451, TRUE, user_msg);
1876 smtp_printf("451 Temporary local problem - please try later\r\n");
1879 /* Log the incident. If the connection is not forcibly to be dropped, return 0.
1880 Otherwise, log why it is closing if required and return 2. */
1882 log_write(0, LOG_MAIN|LOG_REJECT, "%s %s%srejected %s%s",
1883 host_and_ident(TRUE),
1884 sender_info, (rc == FAIL)? US"" : US"temporarily ", what, log_msg);
1886 if (!drop) return 0;
1888 log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
1889 smtp_get_connection_info());
1896 /*************************************************
1897 * Initialize for SMTP incoming message *
1898 *************************************************/
1900 /* This function conducts the initial dialogue at the start of an incoming SMTP
1901 message, and builds a list of recipients. However, if the incoming message
1902 is part of a batch (-bS option) a separate function is called since it would
1903 be messy having tests splattered about all over this function. This function
1904 therefore handles the case where interaction is occurring. The input and output
1905 files are set up in smtp_in and smtp_out.
1907 The global recipients_list is set to point to a vector of recipient_item
1908 blocks, whose number is given by recipients_count. This is extended by the
1909 receive_add_recipient() function. The global variable sender_address is set to
1910 the sender's address. The yield is +1 if a message has been successfully
1911 started, 0 if a QUIT command was encountered or the connection was refused from
1912 the particular host, or -1 if the connection was lost.
1916 Returns: > 0 message successfully started (reached DATA)
1917 = 0 QUIT read or end of file reached or call refused
1922 smtp_setup_msg(void)
1925 BOOL toomany = FALSE;
1926 BOOL discarded = FALSE;
1927 BOOL last_was_rej_mail = FALSE;
1928 BOOL last_was_rcpt = FALSE;
1929 void *reset_point = store_get(0);
1931 DEBUG(D_receive) debug_printf("smtp_setup_msg entered\n");
1933 /* Reset for start of new message. We allow one RSET not to be counted as a
1934 nonmail command, for those MTAs that insist on sending it between every
1935 message. Ditto for EHLO/HELO and for STARTTLS, to allow for going in and out of
1936 TLS between messages (an Exim client may do this if it has messages queued up
1937 for the host). Note: we do NOT reset AUTH at this point. */
1939 smtp_reset(reset_point);
1940 message_ended = END_NOTSTARTED;
1942 cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
1943 cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
1944 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
1946 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
1949 /* Set the local signal handler for SIGTERM - it tries to end off tidily */
1951 os_non_restarting_signal(SIGTERM, command_sigterm_handler);
1953 /* Batched SMTP is handled in a different function. */
1955 if (smtp_batched_input) return smtp_setup_batch_msg();
1957 /* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
1958 value. The values are 2 larger than the required yield of the function. */
1963 uschar *etrn_command;
1964 uschar *etrn_serialize_key;
1966 uschar *user_msg, *log_msg;
1967 uschar *recipient = NULL;
1968 uschar *hello = NULL;
1969 uschar *set_id = NULL;
1971 BOOL was_rej_mail = FALSE;
1972 BOOL was_rcpt = FALSE;
1973 void (*oldsignal)(int);
1975 int start, end, sender_domain, recipient_domain;
1980 switch(smtp_read_command(TRUE))
1982 /* The AUTH command is not permitted to occur inside a transaction, and may
1983 occur successfully only once per connection, and then only when we've
1984 advertised it. Actually, that isn't quite true. When TLS is started, all
1985 previous information about a connection must be discarded, so a new AUTH is
1986 permitted at that time.
1988 AUTH is initially labelled as a "nonmail command" so that one occurrence
1989 doesn't get counted. We change the label here so that multiple failing
1990 AUTHS will eventually hit the nonmail threshold. */
1993 authentication_failed = TRUE;
1994 cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
1996 if (!auth_advertised)
1998 done = synprot_error(L_smtp_protocol_error, 503, NULL,
1999 US"AUTH command used when not advertised");
2002 if (sender_host_authenticated != NULL)
2004 done = synprot_error(L_smtp_protocol_error, 503, NULL,
2005 US"already authenticated");
2008 if (sender_address != NULL)
2010 done = synprot_error(L_smtp_protocol_error, 503, NULL,
2011 US"not permitted in mail transaction");
2017 if (acl_smtp_auth != NULL)
2019 rc = acl_check(ACL_WHERE_AUTH, smtp_data, acl_smtp_auth, &user_msg,
2023 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
2028 /* Find the name of the requested authentication mechanism. */
2031 while ((c = *smtp_data) != 0 && !isspace(c))
2033 if (!isalnum(c) && c != '-' && c != '_')
2035 done = synprot_error(L_smtp_syntax_error, 501, NULL,
2036 US"invalid character in authentication mechanism name");
2042 /* If not at the end of the line, we must be at white space. Terminate the
2043 name and move the pointer on to any data that may be present. */
2045 if (*smtp_data != 0)
2048 while (isspace(*smtp_data)) smtp_data++;
2051 /* Search for an authentication mechanism which is configured for use
2052 as a server and which has been advertised. */
2054 for (au = auths; au != NULL; au = au->next)
2056 if (strcmpic(s, au->public_name) == 0 && au->server &&
2057 au->advertised) break;
2062 done = synprot_error(L_smtp_protocol_error, 504, NULL,
2063 string_sprintf("%s authentication mechanism not supported", s));
2067 /* Run the checking code, passing the remainder of the command
2068 line as data. Initialize $0 empty. The authenticator may set up
2069 other numeric variables. Afterwards, have a go at expanding the set_id
2070 string, even if authentication failed - for bad passwords it can be useful
2071 to log the userid. On success, require set_id to expand and exist, and
2072 put it in authenticated_id. Save this in permanent store, as the working
2073 store gets reset at HELO, RSET, etc. */
2076 expand_nlength[0] = 0; /* $0 contains nothing */
2078 c = (au->info->servercode)(au, smtp_data);
2079 if (au->set_id != NULL) set_id = expand_string(au->set_id);
2080 expand_nmax = -1; /* Reset numeric variables */
2082 /* For the non-OK cases, set up additional logging data if set_id
2087 if (set_id != NULL && *set_id != 0)
2088 set_id = string_sprintf(" (set_id=%s)", set_id);
2092 /* Switch on the result */
2097 if (au->set_id == NULL || set_id != NULL) /* Complete success */
2099 if (set_id != NULL) authenticated_id = string_copy_malloc(set_id);
2100 sender_host_authenticated = au->name;
2101 authentication_failed = FALSE;
2103 protocols[pextend + pauthed + ((tls_active >= 0)? pcrpted:0)] +
2104 ((sender_host_address != NULL)? pnlocal : 0);
2105 s = ss = US"235 Authentication succeeded";
2106 authenticated_by = au;
2110 /* Authentication succeeded, but we failed to expand the set_id string.
2111 Treat this as a temporary error. */
2113 auth_defer_msg = expand_string_message;
2117 s = string_sprintf("435 Unable to authenticate at present%s",
2118 auth_defer_user_msg);
2119 ss = string_sprintf("435 Unable to authenticate at present%s: %s",
2120 set_id, auth_defer_msg);
2124 s = ss = US"501 Invalid base64 data";
2128 s = ss = US"501 Authentication cancelled";
2132 s = ss = US"553 Initial data not expected";
2136 s = US"535 Incorrect authentication data";
2137 ss = string_sprintf("535 Incorrect authentication data%s", set_id);
2141 s = US"435 Internal error";
2142 ss = string_sprintf("435 Internal error%s: return %d from authentication "
2143 "check", set_id, c);
2147 smtp_printf("%s\r\n", s);
2149 log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
2150 au->name, host_and_ident(FALSE), ss);
2152 break; /* AUTH_CMD */
2154 /* The HELO/EHLO commands are permitted to appear in the middle of a
2155 session as well as at the beginning. They have the effect of a reset in
2156 addition to their other functions. Their absence at the start cannot be
2157 taken to be an error.
2161 If the EHLO command is not acceptable to the SMTP server, 501, 500,
2162 or 502 failure replies MUST be returned as appropriate. The SMTP
2163 server MUST stay in the same state after transmitting these replies
2164 that it was in before the EHLO was received.
2166 Therefore, we do not do the reset until after checking the command for
2167 acceptability. This change was made for Exim release 4.11. Previously
2168 it did the reset first. */
2179 HELO_EHLO: /* Common code for HELO and EHLO */
2180 cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
2181 cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
2183 /* Reject the HELO if its argument was invalid or non-existent. A
2184 successful check causes the argument to be saved in malloc store. */
2186 if (!check_helo(smtp_data))
2188 smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
2190 log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
2191 "invalid argument(s): %s", hello, host_and_ident(FALSE),
2192 (*smtp_data == 0)? US"(no argument given)" :
2193 string_printing(smtp_data));
2195 if (++synprot_error_count > smtp_max_synprot_errors)
2197 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
2198 "syntax or protocol errors (last command was \"%s\")",
2199 host_and_ident(FALSE), cmd_buffer);
2206 /* If sender_host_unknown is true, we have got here via the -bs interface,
2207 not called from inetd. Otherwise, we are running an IP connection and the
2208 host address will be set. If the helo name is the primary name of this
2209 host and we haven't done a reverse lookup, force one now. If helo_required
2210 is set, ensure that the HELO name matches the actual host. If helo_verify
2211 is set, do the same check, but softly. */
2213 if (!sender_host_unknown)
2215 BOOL old_helo_verified = helo_verified;
2216 uschar *p = smtp_data;
2218 while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
2221 /* Force a reverse lookup if HELO quoted something in helo_lookup_domains
2222 because otherwise the log can be confusing. */
2224 if (sender_host_name == NULL &&
2225 (deliver_domain = sender_helo_name, /* set $domain */
2226 match_isinlist(sender_helo_name, &helo_lookup_domains, 0,
2227 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) == OK)
2228 (void)host_name_lookup();
2230 /* Rebuild the fullhost info to include the HELO name (and the real name
2231 if it was looked up.) */
2233 host_build_sender_fullhost(); /* Rebuild */
2234 set_process_info("handling%s incoming connection from %s",
2235 (tls_active >= 0)? " TLS" : "", host_and_ident(FALSE));
2237 /* Verify if configured. This doesn't give much security, but it does
2238 make some people happy to be able to do it. Note that HELO is legitimately
2239 allowed to quote an address literal. Allow for IPv6 ::ffff: literals. */
2241 helo_verified = FALSE;
2242 if (helo_required || helo_verify)
2244 BOOL tempfail = FALSE;
2246 HDEBUG(D_receive) debug_printf("verifying %s %s\n", hello,
2248 if (sender_helo_name[0] == '[')
2250 helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
2251 Ustrlen(sender_host_address)) == 0;
2256 if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
2257 helo_verified = Ustrncmp(sender_helo_name + 1,
2258 sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
2263 { if (helo_verified) debug_printf("matched host address\n"); }
2266 /* Do a reverse lookup if one hasn't already given a positive or
2267 negative response. If that fails, or the name doesn't match, try
2268 checking with a forward lookup. */
2272 if (sender_host_name == NULL && !host_lookup_failed)
2273 tempfail = host_name_lookup() == DEFER;
2275 /* If a host name is known, check it and all its aliases. */
2277 if (sender_host_name != NULL)
2279 helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0;
2283 HDEBUG(D_receive) debug_printf("matched host name\n");
2287 uschar **aliases = sender_host_aliases;
2288 while (*aliases != NULL)
2290 helo_verified = strcmpic(*aliases++, sender_helo_name) == 0;
2291 if (helo_verified) break;
2296 debug_printf("matched alias %s\n", *(--aliases));
2301 /* Final attempt: try a forward lookup of the helo name */
2307 h.name = sender_helo_name;
2311 HDEBUG(D_receive) debug_printf("getting IP address for %s\n",
2313 rc = host_find_byname(&h, NULL, NULL, TRUE);
2314 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
2319 if (Ustrcmp(hh->address, sender_host_address) == 0)
2321 helo_verified = TRUE;
2323 debug_printf("IP address for %s matches calling address\n",
2333 /* Verification failed. A temporary lookup failure gives a temporary
2340 smtp_printf("%d %s argument does not match calling host\r\n",
2341 tempfail? 451 : 550, hello);
2342 log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
2343 tempfail? "temporarily " : "",
2344 hello, sender_helo_name, host_and_ident(FALSE));
2345 helo_verified = old_helo_verified;
2346 break; /* End of HELO/EHLO processing */
2348 HDEBUG(D_all) debug_printf("%s verification failed but host is in "
2349 "helo_try_verify_hosts\n", hello);
2354 /* Apply an ACL check if one is defined */
2356 if (acl_smtp_helo != NULL)
2358 rc = acl_check(ACL_WHERE_HELO, smtp_data, acl_smtp_helo, &user_msg,
2362 done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
2363 sender_helo_name = NULL;
2364 host_build_sender_fullhost(); /* Rebuild */
2369 /* The EHLO/HELO command is acceptable. Reset the protocol and the state,
2370 abandoning any previous message. */
2372 received_protocol = (esmtp?
2374 ((sender_host_authenticated != NULL)? pauthed : 0) +
2375 ((tls_active >= 0)? pcrpted : 0)]
2377 protocols[pnormal + ((tls_active >= 0)? pcrpted : 0)])
2379 ((sender_host_address != NULL)? pnlocal : 0);
2381 smtp_reset(reset_point);
2384 /* Generate an OK reply, including the ident if present, and also
2385 the IP address if present. Reflecting back the ident is intended
2386 as a deterrent to mail forgers. For maximum efficiency, and also
2387 because some broken systems expect each response to be in a single
2388 packet, arrange that it is sent in one write(). */
2390 auth_advertised = FALSE;
2391 pipelining_advertised = FALSE;
2393 tls_advertised = FALSE;
2396 s = string_sprintf("250 %s Hello %s%s%s",
2397 smtp_active_hostname,
2398 (sender_ident == NULL)? US"" : sender_ident,
2399 (sender_ident == NULL)? US"" : US" at ",
2400 (sender_host_name == NULL)? sender_helo_name : sender_host_name);
2405 if (sender_host_address != NULL)
2407 s = string_cat(s, &size, &ptr, US" [", 2);
2408 s = string_cat(s, &size, &ptr, sender_host_address,
2409 Ustrlen(sender_host_address));
2410 s = string_cat(s, &size, &ptr, US"]", 1);
2413 s = string_cat(s, &size, &ptr, US"\r\n", 2);
2415 /* If we received EHLO, we must create a multiline response which includes
2416 the functions supported. */
2422 /* I'm not entirely happy with this, as an MTA is supposed to check
2423 that it has enough room to accept a message of maximum size before
2424 it sends this. However, there seems little point in not sending it.
2425 The actual size check happens later at MAIL FROM time. By postponing it
2426 till then, VRFY and EXPN can be used after EHLO when space is short. */
2428 if (thismessage_size_limit > 0)
2430 sprintf(CS big_buffer, "250-SIZE %d\r\n", thismessage_size_limit);
2431 s = string_cat(s, &size, &ptr, big_buffer, Ustrlen(big_buffer));
2435 s = string_cat(s, &size, &ptr, US"250-SIZE\r\n", 10);
2438 /* Exim does not do protocol conversion or data conversion. It is 8-bit
2439 clean; if it has an 8-bit character in its hand, it just sends it. It
2440 cannot therefore specify 8BITMIME and remain consistent with the RFCs.
2441 However, some users want this option simply in order to stop MUAs
2442 mangling messages that contain top-bit-set characters. It is therefore
2443 provided as an option. */
2445 if (accept_8bitmime)
2446 s = string_cat(s, &size, &ptr, US"250-8BITMIME\r\n", 14);
2448 /* Advertise ETRN if there's an ACL checking whether a host is
2449 permitted to issue it; a check is made when any host actually tries. */
2451 if (acl_smtp_etrn != NULL)
2453 s = string_cat(s, &size, &ptr, US"250-ETRN\r\n", 10);
2456 /* Advertise EXPN if there's an ACL checking whether a host is
2457 permitted to issue it; a check is made when any host actually tries. */
2459 if (acl_smtp_expn != NULL)
2461 s = string_cat(s, &size, &ptr, US"250-EXPN\r\n", 10);
2464 /* Exim is quite happy with pipelining, so let the other end know that
2465 it is safe to use it, unless advertising is disabled. */
2467 if (verify_check_host(&pipelining_advertise_hosts) == OK)
2469 s = string_cat(s, &size, &ptr, US"250-PIPELINING\r\n", 16);
2470 sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
2471 pipelining_advertised = TRUE;
2474 /* If any server authentication mechanisms are configured, advertise
2475 them if the current host is in auth_advertise_hosts. The problem with
2476 advertising always is that some clients then require users to
2477 authenticate (and aren't configurable otherwise) even though it may not
2478 be necessary (e.g. if the host is in host_accept_relay).
2480 RFC 2222 states that SASL mechanism names contain only upper case
2481 letters, so output the names in upper case, though we actually recognize
2482 them in either case in the AUTH command. */
2486 if (verify_check_host(&auth_advertise_hosts) == OK)
2490 for (au = auths; au != NULL; au = au->next)
2492 if (au->server && (au->advertise_condition == NULL ||
2493 expand_check_condition(au->advertise_condition, au->name,
2494 US"authenticator")))
2499 s = string_cat(s, &size, &ptr, US"250-AUTH", 8);
2501 auth_advertised = TRUE;
2504 s = string_cat(s, &size, &ptr, US" ", 1);
2505 s = string_cat(s, &size, &ptr, au->public_name,
2506 Ustrlen(au->public_name));
2507 while (++saveptr < ptr) s[saveptr] = toupper(s[saveptr]);
2508 au->advertised = TRUE;
2510 else au->advertised = FALSE;
2512 if (!first) s = string_cat(s, &size, &ptr, US"\r\n", 2);
2516 /* Advertise TLS (Transport Level Security) aka SSL (Secure Socket Layer)
2517 if it has been included in the binary, and the host matches
2518 tls_advertise_hosts. We must *not* advertise if we are already in a
2519 secure connection. */
2522 if (tls_active < 0 &&
2523 verify_check_host(&tls_advertise_hosts) != FAIL)
2525 s = string_cat(s, &size, &ptr, US"250-STARTTLS\r\n", 14);
2526 tls_advertised = TRUE;
2530 /* Finish off the multiline reply with one that is always available. */
2532 s = string_cat(s, &size, &ptr, US"250 HELP\r\n", 10);
2535 /* Terminate the string (for debug), write it, and note that HELO/EHLO
2541 if (tls_active >= 0) (void)tls_write(s, ptr); else
2544 fwrite(s, 1, ptr, smtp_out);
2545 DEBUG(D_receive) debug_printf("SMTP>> %s", s);
2547 break; /* HELO/EHLO */
2550 /* The MAIL command requires an address as an operand. All we do
2551 here is to parse it for syntactic correctness. The form "<>" is
2552 a special case which converts into an empty string. The start/end
2553 pointers in the original are not used further for this address, as
2554 it is the canonical extracted address which is all that is kept. */
2557 smtp_mailcmd_count++; /* Count for limit and ratelimit */
2558 was_rej_mail = TRUE; /* Reset if accepted */
2560 if (helo_required && !helo_seen)
2562 smtp_printf("503 HELO or EHLO required\r\n");
2563 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL from %s: no "
2564 "HELO/EHLO given", host_and_ident(FALSE));
2568 if (sender_address != NULL)
2570 done = synprot_error(L_smtp_protocol_error, 503, NULL,
2571 US"sender already given");
2575 if (smtp_data[0] == 0)
2577 done = synprot_error(L_smtp_protocol_error, 501, NULL,
2578 US"MAIL must have an address operand");
2582 /* Check to see if the limit for messages per connection would be
2583 exceeded by accepting further messages. */
2585 if (smtp_accept_max_per_connection > 0 &&
2586 smtp_mailcmd_count > smtp_accept_max_per_connection)
2588 smtp_printf("421 too many messages in this connection\r\n");
2589 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL command %s: too many "
2590 "messages in one connection", host_and_ident(TRUE));
2594 /* Reset for start of message - even if this is going to fail, we
2595 obviously need to throw away any previous data. */
2597 smtp_reset(reset_point);
2599 sender_data = recipient_data = NULL;
2601 /* Loop, checking for ESMTP additions to the MAIL FROM command. */
2605 uschar *name, *value, *end;
2606 unsigned long int size;
2608 if (!extract_option(&name, &value)) break;
2610 /* Handle SIZE= by reading the value. We don't do the check till later,
2611 in order to be able to log the sender address on failure. */
2613 if (strcmpic(name, US"SIZE") == 0 &&
2614 ((size = (int)Ustrtoul(value, &end, 10)), *end == 0))
2616 if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
2618 message_size = (int)size;
2621 /* If this session was initiated with EHLO and accept_8bitmime is set,
2622 Exim will have indicated that it supports the BODY=8BITMIME option. In
2623 fact, it does not support this according to the RFCs, in that it does not
2624 take any special action for forwarding messages containing 8-bit
2625 characters. That is why accept_8bitmime is not the default setting, but
2626 some sites want the action that is provided. We recognize both "8BITMIME"
2627 and "7BIT" as body types, but take no action. */
2629 else if (accept_8bitmime && strcmpic(name, US"BODY") == 0 &&
2630 (strcmpic(value, US"8BITMIME") == 0 ||
2631 strcmpic(value, US"7BIT") == 0)) {}
2633 /* Handle the AUTH extension. If the value given is not "<>" and either
2634 the ACL says "yes" or there is no ACL but the sending host is
2635 authenticated, we set it up as the authenticated sender. However, if the
2636 authenticator set a condition to be tested, we ignore AUTH on MAIL unless
2637 the condition is met. The value of AUTH is an xtext, which means that +,
2638 = and cntrl chars are coded in hex; however "<>" is unaffected by this
2641 else if (strcmpic(name, US"AUTH") == 0)
2643 if (Ustrcmp(value, "<>") != 0)
2648 if (auth_xtextdecode(value, &authenticated_sender) < 0)
2650 /* Put back terminator overrides for error message */
2653 done = synprot_error(L_smtp_syntax_error, 501, NULL,
2654 US"invalid data for AUTH");
2658 if (acl_smtp_mailauth == NULL)
2660 ignore_msg = US"client not authenticated";
2661 rc = (sender_host_authenticated != NULL)? OK : FAIL;
2665 ignore_msg = US"rejected by ACL";
2666 rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
2667 &user_msg, &log_msg);
2673 if (authenticated_by == NULL ||
2674 authenticated_by->mail_auth_condition == NULL ||
2675 expand_check_condition(authenticated_by->mail_auth_condition,
2676 authenticated_by->name, US"authenticator"))
2677 break; /* Accept the AUTH */
2679 ignore_msg = US"server_mail_auth_condition failed";
2680 if (authenticated_id != NULL)
2681 ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
2682 ignore_msg, authenticated_id);
2687 authenticated_sender = NULL;
2688 log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
2689 value, host_and_ident(TRUE), ignore_msg);
2692 /* Should only get DEFER or ERROR here. Put back terminator
2693 overrides for error message */
2698 (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
2705 /* Unknown option. Stick back the terminator characters and break
2706 the loop. An error for a malformed address will occur. */
2716 /* If we have passed the threshold for rate limiting, apply the current
2717 delay, and update it for next time, provided this is a limited host. */
2719 if (smtp_mailcmd_count > smtp_rlm_threshold &&
2720 verify_check_host(&smtp_ratelimit_hosts) == OK)
2722 DEBUG(D_receive) debug_printf("rate limit MAIL: delay %.3g sec\n",
2723 smtp_delay_mail/1000.0);
2724 millisleep((int)smtp_delay_mail);
2725 smtp_delay_mail *= smtp_rlm_factor;
2726 if (smtp_delay_mail > (double)smtp_rlm_limit)
2727 smtp_delay_mail = (double)smtp_rlm_limit;
2730 /* Now extract the address, first applying any SMTP-time rewriting. The
2731 TRUE flag allows "<>" as a sender address. */
2733 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
2734 rewrite_one(smtp_data, rewrite_smtp, NULL, FALSE, US"",
2735 global_rewrite_rules) : smtp_data;
2737 /* rfc821_domains = TRUE; << no longer needed */
2739 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
2741 /* rfc821_domains = FALSE; << no longer needed */
2743 if (raw_sender == NULL)
2745 done = synprot_error(L_smtp_syntax_error, 501, smtp_data, errmess);
2749 sender_address = raw_sender;
2751 /* If there is a configured size limit for mail, check that this message
2752 doesn't exceed it. The check is postponed to this point so that the sender
2755 if (thismessage_size_limit > 0 && message_size > thismessage_size_limit)
2757 smtp_printf("552 Message size exceeds maximum permitted\r\n");
2758 log_write(L_size_reject,
2759 LOG_MAIN|LOG_REJECT, "rejected MAIL FROM:<%s> %s: "
2760 "message too big: size%s=%d max=%d",
2762 host_and_ident(TRUE),
2763 (message_size == INT_MAX)? ">" : "",
2765 thismessage_size_limit);
2766 sender_address = NULL;
2770 /* Check there is enough space on the disk unless configured not to.
2771 When smtp_check_spool_space is set, the check is for thismessage_size_limit
2772 plus the current message - i.e. we accept the message only if it won't
2773 reduce the space below the threshold. Add 5000 to the size to allow for
2774 overheads such as the Received: line and storing of recipients, etc.
2775 By putting the check here, even when SIZE is not given, it allow VRFY
2776 and EXPN etc. to be used when space is short. */
2778 if (!receive_check_fs(
2779 (smtp_check_spool_space && message_size >= 0)?
2780 message_size + 5000 : 0))
2782 smtp_printf("452 Space shortage, please try later\r\n");
2783 sender_address = NULL;
2787 /* If sender_address is unqualified, reject it, unless this is a locally
2788 generated message, or the sending host or net is permitted to send
2789 unqualified addresses - typically local machines behaving as MUAs -
2790 in which case just qualify the address. The flag is set above at the start
2791 of the SMTP connection. */
2793 if (sender_domain == 0 && sender_address[0] != 0)
2795 if (allow_unqualified_sender)
2797 sender_domain = Ustrlen(sender_address) + 1;
2798 sender_address = rewrite_address_qualify(sender_address, FALSE);
2799 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
2804 smtp_printf("501 %s: sender address must contain a domain\r\n",
2806 log_write(L_smtp_syntax_error,
2807 LOG_MAIN|LOG_REJECT,
2808 "unqualified sender rejected: <%s> %s%s",
2810 host_and_ident(TRUE),
2812 sender_address = NULL;
2817 /* Apply an ACL check if one is defined, before responding */
2819 rc = (acl_smtp_mail == NULL)? OK :
2820 acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
2822 if (rc == OK || rc == DISCARD)
2824 smtp_printf("250 OK\r\n");
2825 smtp_delay_rcpt = smtp_rlr_base;
2826 recipients_discarded = (rc == DISCARD);
2827 was_rej_mail = FALSE;
2832 done = smtp_handle_acl_fail(ACL_WHERE_MAIL, rc, user_msg, log_msg);
2833 sender_address = NULL;
2838 /* The RCPT command requires an address as an operand. All we do
2839 here is to parse it for syntactic correctness. There may be any number
2840 of RCPT commands, specifying multiple senders. We build them all into
2841 a data structure that is in argc/argv format. The start/end values
2842 given by parse_extract_address are not used, as we keep only the
2843 extracted address. */
2849 /* There must be a sender address; if the sender was rejected and
2850 pipelining was advertised, we assume the client was pipelining, and do not
2851 count this as a protocol error. Reset was_rej_mail so that further RCPTs
2852 get the same treatment. */
2854 if (sender_address == NULL)
2856 if (pipelining_advertised && last_was_rej_mail)
2858 smtp_printf("503 sender not yet given\r\n");
2859 was_rej_mail = TRUE;
2863 done = synprot_error(L_smtp_protocol_error, 503, NULL,
2864 US"sender not yet given");
2865 was_rcpt = FALSE; /* Not a valid RCPT */
2871 /* Check for an operand */
2873 if (smtp_data[0] == 0)
2875 done = synprot_error(L_smtp_syntax_error, 501, NULL,
2876 US"RCPT must have an address operand");
2881 /* Apply SMTP rewriting then extract the working address. Don't allow "<>"
2882 as a recipient address */
2884 recipient = ((rewrite_existflags & rewrite_smtp) != 0)?
2885 rewrite_one(smtp_data, rewrite_smtp, NULL, FALSE, US"",
2886 global_rewrite_rules) : smtp_data;
2888 /* rfc821_domains = TRUE; << no longer needed */
2889 recipient = parse_extract_address(recipient, &errmess, &start, &end,
2890 &recipient_domain, FALSE);
2891 /* rfc821_domains = FALSE; << no longer needed */
2893 if (recipient == NULL)
2895 done = synprot_error(L_smtp_syntax_error, 501, smtp_data, errmess);
2900 /* If the recipient address is unqualified, reject it, unless this is a
2901 locally generated message. However, unqualified addresses are permitted
2902 from a configured list of hosts and nets - typically when behaving as
2903 MUAs rather than MTAs. Sad that SMTP is used for both types of traffic,
2904 really. The flag is set at the start of the SMTP connection.
2906 RFC 1123 talks about supporting "the reserved mailbox postmaster"; I always
2907 assumed this meant "reserved local part", but the revision of RFC 821 and
2908 friends now makes it absolutely clear that it means *mailbox*. Consequently
2909 we must always qualify this address, regardless. */
2911 if (recipient_domain == 0)
2913 if (allow_unqualified_recipient ||
2914 strcmpic(recipient, US"postmaster") == 0)
2916 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
2918 recipient_domain = Ustrlen(recipient) + 1;
2919 recipient = rewrite_address_qualify(recipient, TRUE);
2924 smtp_printf("501 %s: recipient address must contain a domain\r\n",
2926 log_write(L_smtp_syntax_error,
2927 LOG_MAIN|LOG_REJECT, "unqualified recipient rejected: "
2928 "<%s> %s%s", recipient, host_and_ident(TRUE),
2934 /* Check maximum allowed */
2936 if (rcpt_count > recipients_max && recipients_max > 0)
2938 if (recipients_max_reject)
2941 smtp_printf("552 too many recipients\r\n");
2943 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: message "
2944 "rejected: sender=<%s> %s", sender_address, host_and_ident(TRUE));
2949 smtp_printf("452 too many recipients\r\n");
2951 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: excess "
2952 "temporarily rejected: sender=<%s> %s", sender_address,
2953 host_and_ident(TRUE));
2960 /* If we have passed the threshold for rate limiting, apply the current
2961 delay, and update it for next time, provided this is a limited host. */
2963 if (rcpt_count > smtp_rlr_threshold &&
2964 verify_check_host(&smtp_ratelimit_hosts) == OK)
2966 DEBUG(D_receive) debug_printf("rate limit RCPT: delay %.3g sec\n",
2967 smtp_delay_rcpt/1000.0);
2968 millisleep((int)smtp_delay_rcpt);
2969 smtp_delay_rcpt *= smtp_rlr_factor;
2970 if (smtp_delay_rcpt > (double)smtp_rlr_limit)
2971 smtp_delay_rcpt = (double)smtp_rlr_limit;
2974 /* If the MAIL ACL discarded all the recipients, we bypass ACL checking
2975 for them. Otherwise, check the access control list for this recipient. */
2977 rc = recipients_discarded? DISCARD :
2978 acl_check(ACL_WHERE_RCPT, recipient, acl_smtp_rcpt, &user_msg, &log_msg);
2980 /* The ACL was happy */
2984 smtp_printf("250 Accepted\r\n");
2985 receive_add_recipient(recipient, -1);
2988 /* The recipient was discarded */
2990 else if (rc == DISCARD)
2992 smtp_printf("250 Accepted\r\n");
2995 log_write(0, LOG_MAIN|LOG_REJECT, "%s F=<%s> rejected RCPT %s: "
2996 "discarded by %s ACL%s%s", host_and_ident(TRUE),
2997 (sender_address_unrewritten != NULL)?
2998 sender_address_unrewritten : sender_address,
2999 smtp_data, recipients_discarded? "MAIL" : "RCPT",
3000 (log_msg == NULL)? US"" : US": ",
3001 (log_msg == NULL)? US"" : log_msg);
3004 /* Either the ACL failed the address, or it was deferred. */
3008 if (rc == FAIL) rcpt_fail_count++; else rcpt_defer_count++;
3009 done = smtp_handle_acl_fail(ACL_WHERE_RCPT, rc, user_msg, log_msg);
3014 /* The DATA command is legal only if it follows successful MAIL FROM
3015 and RCPT TO commands. However, if pipelining is advertised, a bad DATA is
3016 not counted as a protocol error if it follows RCPT (which must have been
3017 rejected if there are no recipients.) This function is complete when a
3018 valid DATA command is encountered.
3020 Note concerning the code used: RFC 2821 says this:
3022 - If there was no MAIL, or no RCPT, command, or all such commands
3023 were rejected, the server MAY return a "command out of sequence"
3024 (503) or "no valid recipients" (554) reply in response to the
3027 The example in the pipelining RFC 2920 uses 554, but I use 503 here
3028 because it is the same whether pipelining is in use or not. */
3031 if (!discarded && recipients_count <= 0)
3033 if (pipelining_advertised && last_was_rcpt)
3034 smtp_printf("503 valid RCPT command must precede DATA\r\n");
3036 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3037 US"valid RCPT command must precede DATA");
3041 if (toomany && recipients_max_reject)
3043 sender_address = NULL; /* This will allow a new MAIL without RSET */
3044 sender_address_unrewritten = NULL;
3045 smtp_printf("554 Too many recipients\r\n");
3049 if (acl_smtp_predata == NULL) rc = OK; else
3051 enable_dollar_recipients = TRUE;
3052 rc = acl_check(ACL_WHERE_PREDATA, NULL, acl_smtp_predata, &user_msg,
3054 enable_dollar_recipients = FALSE;
3059 smtp_printf("354 Enter message, ending with \".\" on a line by itself\r\n");
3061 message_ended = END_NOTENDED; /* Indicate in middle of data */
3064 /* Either the ACL failed the address, or it was deferred. */
3067 done = smtp_handle_acl_fail(ACL_WHERE_PREDATA, rc, user_msg, log_msg);
3073 rc = acl_check(ACL_WHERE_VRFY, smtp_data, acl_smtp_vrfy, &user_msg,
3076 done = smtp_handle_acl_fail(ACL_WHERE_VRFY, rc, user_msg, log_msg);
3082 /* rfc821_domains = TRUE; << no longer needed */
3083 address = parse_extract_address(smtp_data, &errmess, &start, &end,
3084 &recipient_domain, FALSE);
3085 /* rfc821_domains = FALSE; << no longer needed */
3087 if (address == NULL)
3088 s = string_sprintf("501 %s", errmess);
3091 address_item *addr = deliver_make_addr(address, FALSE);
3092 switch(verify_address(addr, NULL, vopt_is_recipient | vopt_qualify, -1,
3093 -1, -1, NULL, NULL, NULL))
3096 s = string_sprintf("250 <%s> is deliverable", address);
3100 s = (addr->message != NULL)?
3101 string_sprintf("451 <%s> %s", address, addr->message) :
3102 string_sprintf("451 Cannot resolve <%s> at this time", address);
3106 s = (addr->message != NULL)?
3107 string_sprintf("550 <%s> %s", address, addr->message) :
3108 string_sprintf("550 <%s> is not deliverable", address);
3109 log_write(0, LOG_MAIN, "VRFY failed for %s %s",
3110 smtp_data, host_and_ident(TRUE));
3115 smtp_printf("%s\r\n", s);
3121 rc = acl_check(ACL_WHERE_EXPN, smtp_data, acl_smtp_expn, &user_msg,
3124 done = smtp_handle_acl_fail(ACL_WHERE_EXPN, rc, user_msg, log_msg);
3127 BOOL save_log_testing_mode = log_testing_mode;
3128 address_test_mode = log_testing_mode = TRUE;
3129 (void) verify_address(deliver_make_addr(smtp_data, FALSE), smtp_out,
3130 vopt_is_recipient | vopt_qualify | vopt_expn, -1, -1, -1, NULL, NULL,
3132 address_test_mode = FALSE;
3133 log_testing_mode = save_log_testing_mode; /* true for -bh */
3141 if (!tls_advertised)
3143 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3144 US"STARTTLS command used when not advertised");
3148 /* Apply an ACL check if one is defined */
3150 if (acl_smtp_starttls != NULL)
3152 rc = acl_check(ACL_WHERE_STARTTLS, NULL, acl_smtp_starttls, &user_msg,
3156 done = smtp_handle_acl_fail(ACL_WHERE_STARTTLS, rc, user_msg, log_msg);
3161 /* RFC 2487 is not clear on when this command may be sent, though it
3162 does state that all information previously obtained from the client
3163 must be discarded if a TLS session is started. It seems reasonble to
3164 do an implied RSET when STARTTLS is received. */
3166 incomplete_transaction_log(US"STARTTLS");
3167 smtp_reset(reset_point);
3169 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
3171 /* Attempt to start up a TLS session, and if successful, discard all
3172 knowledge that was obtained previously. At least, that's what the RFC says,
3173 and that's what happens by default. However, in order to work round YAEB,
3174 there is an option to remember the esmtp state. Sigh.
3176 We must allow for an extra EHLO command and an extra AUTH command after
3177 STARTTLS that don't add to the nonmail command count. */
3179 if ((rc = tls_server_start(tls_require_ciphers)) == OK)
3181 if (!tls_remember_esmtp)
3182 helo_seen = esmtp = auth_advertised = pipelining_advertised = FALSE;
3183 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
3184 cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
3185 if (sender_helo_name != NULL)
3187 store_free(sender_helo_name);
3188 sender_helo_name = NULL;
3189 host_build_sender_fullhost(); /* Rebuild */
3190 set_process_info("handling incoming TLS connection from %s",
3191 host_and_ident(FALSE));
3193 received_protocol = (esmtp?
3194 protocols[pextend + pcrpted +
3195 ((sender_host_authenticated != NULL)? pauthed : 0)]
3197 protocols[pnormal + pcrpted])
3199 ((sender_host_address != NULL)? pnlocal : 0);
3201 sender_host_authenticated = NULL;
3202 authenticated_id = NULL;
3203 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
3204 DEBUG(D_tls) debug_printf("TLS active\n");
3205 break; /* Successful STARTTLS */
3208 /* Some local configuration problem was discovered before actually trying
3209 to do a TLS handshake; give a temporary error. */
3211 else if (rc == DEFER)
3213 smtp_printf("454 TLS currently unavailable\r\n");
3217 /* Hard failure. Reject everything except QUIT or closed connection. One
3218 cause for failure is a nested STARTTLS, in which case tls_active remains
3219 set, but we must still reject all incoming commands. */
3221 DEBUG(D_tls) debug_printf("TLS failed to start\n");
3224 switch(smtp_read_command(FALSE))
3227 log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
3228 smtp_get_connection_info());
3233 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
3234 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
3235 smtp_get_connection_info());
3240 smtp_printf("554 Security failure\r\n");
3249 /* The ACL for QUIT is provided for gathering statistical information or
3250 similar; it does not affect the response code, but it can supply a custom
3254 incomplete_transaction_log(US"QUIT");
3256 if (acl_smtp_quit != NULL)
3258 rc = acl_check(ACL_WHERE_QUIT, US"", acl_smtp_quit,&user_msg,&log_msg);
3260 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
3263 else user_msg = NULL;
3265 if (user_msg == NULL)
3266 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
3268 smtp_printf("221 %s\r\n", user_msg);
3275 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
3276 smtp_get_connection_info());
3281 incomplete_transaction_log(US"RSET");
3282 smtp_reset(reset_point);
3284 smtp_printf("250 Reset OK\r\n");
3285 cmd_list[CMD_LIST_RSET].is_mail_cmd = FALSE;
3290 smtp_printf("250 OK\r\n");
3294 /* Show ETRN/EXPN/VRFY if there's
3295 an ACL for checking hosts; if actually used, a check will be done for
3299 smtp_printf("214-Commands supported:\r\n");
3303 Ustrcat(buffer, " AUTH");
3305 Ustrcat(buffer, " STARTTLS");
3307 Ustrcat(buffer, " HELO EHLO MAIL RCPT DATA");
3308 Ustrcat(buffer, " NOOP QUIT RSET HELP");
3309 if (acl_smtp_etrn != NULL) Ustrcat(buffer, " ETRN");
3310 if (acl_smtp_expn != NULL) Ustrcat(buffer, " EXPN");
3311 if (acl_smtp_vrfy != NULL) Ustrcat(buffer, " VRFY");
3312 smtp_printf("214%s\r\n", buffer);
3318 incomplete_transaction_log(US"connection lost");
3319 smtp_printf("421 %s lost input connection\r\n", smtp_active_hostname);
3321 /* Don't log by default unless in the middle of a message, as some mailers
3322 just drop the call rather than sending QUIT, and it clutters up the logs.
3325 if (sender_address != NULL || recipients_count > 0)
3326 log_write(L_lost_incoming_connection,
3328 "unexpected %s while reading SMTP command from %s%s",
3329 sender_host_unknown? "EOF" : "disconnection",
3330 host_and_ident(FALSE), smtp_read_error);
3332 else log_write(L_smtp_connection, LOG_MAIN, "%s lost%s",
3333 smtp_get_connection_info(), smtp_read_error);
3340 if (sender_address != NULL)
3342 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3343 US"ETRN is not permitted inside a transaction");
3347 log_write(L_etrn, LOG_MAIN, "ETRN %s received from %s", smtp_data,
3348 host_and_ident(FALSE));
3350 rc = acl_check(ACL_WHERE_ETRN, smtp_data, acl_smtp_etrn, &user_msg,
3354 done = smtp_handle_acl_fail(ACL_WHERE_ETRN, rc, user_msg, log_msg);
3358 /* Compute the serialization key for this command. */
3360 etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_data);
3362 /* If a command has been specified for running as a result of ETRN, we
3363 permit any argument to ETRN. If not, only the # standard form is permitted,
3364 since that is strictly the only kind of ETRN that can be implemented
3365 according to the RFC. */
3367 if (smtp_etrn_command != NULL)
3371 etrn_command = smtp_etrn_command;
3372 deliver_domain = smtp_data;
3373 rc = transport_set_up_command(&argv, smtp_etrn_command, TRUE, 0, NULL,
3374 US"ETRN processing", &error);
3375 deliver_domain = NULL;
3378 log_write(0, LOG_MAIN|LOG_PANIC, "failed to set up ETRN command: %s",
3380 smtp_printf("458 Internal failure\r\n");
3385 /* Else set up to call Exim with the -R option. */
3389 if (*smtp_data++ != '#')
3391 done = synprot_error(L_smtp_syntax_error, 501, NULL,
3392 US"argument must begin with #");
3395 etrn_command = US"exim -R";
3396 argv = child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE, 2, US"-R",
3400 /* If we are host-testing, don't actually do anything. */
3406 debug_printf("ETRN command is: %s\n", etrn_command);
3407 debug_printf("ETRN command execution skipped\n");
3409 smtp_printf("250 OK\r\n");
3414 /* If ETRN queue runs are to be serialized, check the database to
3415 ensure one isn't already running. */
3417 if (smtp_etrn_serialize && !enq_start(etrn_serialize_key))
3419 smtp_printf("458 Already processing %s\r\n", smtp_data);
3423 /* Fork a child process and run the command. We don't want to have to
3424 wait for the process at any point, so set SIGCHLD to SIG_IGN before
3425 forking. It should be set that way anyway for external incoming SMTP,
3426 but we save and restore to be tidy. If serialization is required, we
3427 actually run the command in yet another process, so we can wait for it
3428 to complete and then remove the serialization lock. */
3430 oldsignal = signal(SIGCHLD, SIG_IGN);
3432 if ((pid = fork()) == 0)
3434 smtp_input = FALSE; /* This process is not associated with the */
3435 fclose(smtp_in); /* SMTP call any more. */
3438 signal(SIGCHLD, SIG_DFL); /* Want to catch child */
3440 /* If not serializing, do the exec right away. Otherwise, fork down
3441 into another process. */
3443 if (!smtp_etrn_serialize || (pid = fork()) == 0)
3445 DEBUG(D_exec) debug_print_argv(argv);
3446 exim_nullstd(); /* Ensure std{in,out,err} exist */
3447 execv(CS argv[0], (char *const *)argv);
3448 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "exec of \"%s\" (ETRN) failed: %s",
3449 etrn_command, strerror(errno));
3450 _exit(EXIT_FAILURE); /* paranoia */
3453 /* Obey this if smtp_serialize and the 2nd fork yielded non-zero. That
3454 is, we are in the first subprocess, after forking again. All we can do
3455 for a failing fork is to log it. Otherwise, wait for the 2nd process to
3456 complete, before removing the serialization. */
3459 log_write(0, LOG_MAIN|LOG_PANIC, "2nd fork for serialized ETRN "
3460 "failed: %s", strerror(errno));
3464 DEBUG(D_any) debug_printf("waiting for serialized ETRN process %d\n",
3466 (void)wait(&status);
3467 DEBUG(D_any) debug_printf("serialized ETRN process %d ended\n",
3471 enq_end(etrn_serialize_key);
3472 _exit(EXIT_SUCCESS);
3475 /* Back in the top level SMTP process. Check that we started a subprocess
3476 and restore the signal state. */
3480 log_write(0, LOG_MAIN|LOG_PANIC, "fork of process for ETRN failed: %s",
3482 smtp_printf("458 Unable to fork process\r\n");
3483 if (smtp_etrn_serialize) enq_end(etrn_serialize_key);
3485 else smtp_printf("250 OK\r\n");
3487 signal(SIGCHLD, oldsignal);
3492 done = synprot_error(L_smtp_syntax_error, 501, NULL,
3493 US"unexpected argument data");
3497 /* This currently happens only for NULLs, but could be extended. */
3500 done = synprot_error(L_smtp_syntax_error, 0, NULL, /* Just logs */
3501 US"NULL character(s) present (shown as '?')");
3502 smtp_printf("501 NULL characters are not allowed in SMTP commands\r\n");
3507 if (smtp_inend >= smtp_inbuffer + in_buffer_size)
3508 smtp_inend = smtp_inbuffer + in_buffer_size - 1;
3509 c = smtp_inend - smtp_inptr;
3510 if (c > 150) c = 150;
3512 incomplete_transaction_log(US"sync failure");
3513 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
3514 "synchronization error "
3515 "(next input sent too soon: pipelining was%s advertised): "
3516 "rejected \"%s\" %s next input=\"%s\"",
3517 pipelining_advertised? "" : " not",
3518 cmd_buffer, host_and_ident(TRUE),
3519 string_printing(smtp_inptr));
3520 smtp_printf("554 SMTP synchronization error\r\n");
3521 done = 1; /* Pretend eof - drops connection */
3525 case TOO_MANY_NONMAIL_CMD:
3526 incomplete_transaction_log(US"too many non-mail commands");
3527 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3528 "nonmail commands (last was \"%.*s\")", host_and_ident(FALSE),
3529 smtp_data - cmd_buffer, cmd_buffer);
3530 smtp_printf("554 Too many nonmail commands\r\n");
3531 done = 1; /* Pretend eof - drops connection */
3536 if (unknown_command_count++ >= smtp_max_unknown_commands)
3538 log_write(L_smtp_syntax_error, LOG_MAIN,
3539 "SMTP syntax error in \"%s\" %s %s",
3540 string_printing(cmd_buffer), host_and_ident(TRUE),
3541 US"unrecognized command");
3542 incomplete_transaction_log(US"unrecognized command");
3543 smtp_printf("500 Too many unrecognized commands\r\n");
3545 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3546 "unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
3550 done = synprot_error(L_smtp_syntax_error, 500, NULL,
3551 US"unrecognized command");
3555 /* This label is used by goto's inside loops that want to break out to
3556 the end of the command-processing loop. */
3559 last_was_rej_mail = was_rej_mail; /* Remember some last commands for */
3560 last_was_rcpt = was_rcpt; /* protocol error handling */
3564 return done - 2; /* Convert yield values */
3567 /* End of smtp_in.c */