1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
8 /* Functions for handling an incoming SMTP call. */
15 /* Initialize for TCP wrappers if so configured. It appears that the macro
16 HAVE_IPV6 is used in some versions of the tcpd.h header, so we unset it before
17 including that header, and restore its value afterwards. */
19 #ifdef USE_TCP_WRAPPERS
22 #define EXIM_HAVE_IPV6
28 #define HAVE_IPV6 TRUE
31 int allow_severity = LOG_INFO;
32 int deny_severity = LOG_NOTICE;
33 uschar *tcp_wrappers_name;
37 /* Size of buffer for reading SMTP commands. We used to use 512, as defined
38 by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
39 commands that accept arguments, and this in particular applies to AUTH, where
40 the data can be quite long. More recently this value was 2048 in Exim;
41 however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH. Clients
42 such as Thunderbird will send an AUTH with an initial-response for GSSAPI.
43 The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
44 we need room to handle large base64-encoded AUTHs for GSSAPI.
47 #define smtp_cmd_buffer_size 16384
49 /* Size of buffer for reading SMTP incoming packets */
51 #define in_buffer_size 8192
53 /* Structure for SMTP command list */
60 short int is_mail_cmd;
63 /* Codes for identifying commands. We order them so that those that come first
64 are those for which synchronization is always required. Checking this can help
68 /* These commands are required to be synchronized, i.e. to be the last in a
69 block of commands when pipelining. */
71 HELO_CMD, EHLO_CMD, DATA_CMD, /* These are listed in the pipelining */
72 VRFY_CMD, EXPN_CMD, NOOP_CMD, /* RFC as requiring synchronization */
73 ETRN_CMD, /* This by analogy with TURN from the RFC */
74 STARTTLS_CMD, /* Required by the STARTTLS RFC */
75 TLS_AUTH_CMD, /* auto-command at start of SSL */
77 /* This is a dummy to identify the non-sync commands when pipelining */
79 NON_SYNC_CMD_PIPELINING,
81 /* These commands need not be synchronized when pipelining */
83 MAIL_CMD, RCPT_CMD, RSET_CMD,
85 /* RFC3030 section 2: "After all MAIL and RCPT responses are collected and
86 processed the message is sent using a series of BDAT commands"
87 implies that BDAT should be synchronized. However, we see Google, at least,
88 sending MAIL,RCPT,BDAT-LAST in a single packet, clearly not waiting for
89 processing of the RPCT response(s). We shall do the same, and not require
94 /* This is a dummy to identify the non-sync commands when not pipelining */
96 NON_SYNC_CMD_NON_PIPELINING,
98 /* I have been unable to find a statement about the use of pipelining
99 with AUTH, so to be on the safe side it is here, though I kind of feel
100 it should be up there with the synchronized commands. */
104 /* I'm not sure about these, but I don't think they matter. */
109 PROXY_FAIL_IGNORE_CMD,
112 /* These are specials that don't correspond to actual commands */
114 EOF_CMD, OTHER_CMD, BADARG_CMD, BADCHAR_CMD, BADSYN_CMD,
115 TOO_MANY_NONMAIL_CMD };
118 /* This is a convenience macro for adding the identity of an SMTP command
119 to the circular buffer that holds a list of the last n received. */
122 smtp_connection_had[smtp_ch_index++] = n; \
123 if (smtp_ch_index >= SMTP_HBUFF_SIZE) smtp_ch_index = 0
126 /*************************************************
127 * Local static variables *
128 *************************************************/
130 static auth_instance *authenticated_by;
131 static BOOL auth_advertised;
133 static BOOL tls_advertised;
135 static BOOL dsn_advertised;
137 static BOOL helo_required = FALSE;
138 static BOOL helo_verify = FALSE;
139 static BOOL helo_seen;
140 static BOOL helo_accept_junk;
141 static BOOL count_nonmail;
142 static BOOL pipelining_advertised;
143 static BOOL rcpt_smtp_response_same;
144 static BOOL rcpt_in_progress;
145 static int nonmail_command_count;
146 static BOOL smtp_exit_function_called = 0;
148 static BOOL smtputf8_advertised;
150 static int synprot_error_count;
151 static int unknown_command_count;
152 static int sync_cmd_limit;
153 static int smtp_write_error = 0;
155 static uschar *rcpt_smtp_response;
156 static uschar *smtp_data_buffer;
157 static uschar *smtp_cmd_data;
159 /* We need to know the position of RSET, HELO, EHLO, AUTH, and STARTTLS. Their
160 final fields of all except AUTH are forced TRUE at the start of a new message
161 setup, to allow one of each between messages that is not counted as a nonmail
162 command. (In fact, only one of HELO/EHLO is not counted.) Also, we have to
163 allow a new EHLO after starting up TLS.
165 AUTH is "falsely" labelled as a mail command initially, so that it doesn't get
166 counted. However, the flag is changed when AUTH is received, so that multiple
167 failing AUTHs will eventually hit the limit. After a successful AUTH, another
168 AUTH is already forbidden. After a TLS session is started, AUTH's flag is again
169 forced TRUE, to allow for the re-authentication that can happen at that point.
171 QUIT is also "falsely" labelled as a mail command so that it doesn't up the
172 count of non-mail commands and possibly provoke an error.
174 tls_auth is a pseudo-command, never expected in input. It is activated
175 on TLS startup and looks for a tls authenticator. */
177 static smtp_cmd_list cmd_list[] = {
178 /* name len cmd has_arg is_mail_cmd */
180 { "rset", sizeof("rset")-1, RSET_CMD, FALSE, FALSE }, /* First */
181 { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
182 { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
183 { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
185 { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
186 { "tls_auth", 0, TLS_AUTH_CMD, FALSE, TRUE },
189 /* If you change anything above here, also fix the definitions below. */
191 { "mail from:", sizeof("mail from:")-1, MAIL_CMD, TRUE, TRUE },
192 { "rcpt to:", sizeof("rcpt to:")-1, RCPT_CMD, TRUE, TRUE },
193 { "data", sizeof("data")-1, DATA_CMD, FALSE, TRUE },
194 { "bdat", sizeof("bdat")-1, BDAT_CMD, TRUE, TRUE },
195 { "quit", sizeof("quit")-1, QUIT_CMD, FALSE, TRUE },
196 { "noop", sizeof("noop")-1, NOOP_CMD, TRUE, FALSE },
197 { "etrn", sizeof("etrn")-1, ETRN_CMD, TRUE, FALSE },
198 { "vrfy", sizeof("vrfy")-1, VRFY_CMD, TRUE, FALSE },
199 { "expn", sizeof("expn")-1, EXPN_CMD, TRUE, FALSE },
200 { "help", sizeof("help")-1, HELP_CMD, TRUE, FALSE }
203 static smtp_cmd_list *cmd_list_end =
204 cmd_list + sizeof(cmd_list)/sizeof(smtp_cmd_list);
206 #define CMD_LIST_RSET 0
207 #define CMD_LIST_HELO 1
208 #define CMD_LIST_EHLO 2
209 #define CMD_LIST_AUTH 3
210 #define CMD_LIST_STARTTLS 4
211 #define CMD_LIST_TLS_AUTH 5
213 /* This list of names is used for performing the smtp_no_mail logging action.
214 It must be kept in step with the SCH_xxx enumerations. */
216 static uschar *smtp_names[] =
218 US"NONE", US"AUTH", US"DATA", US"BDAT", US"EHLO", US"ETRN", US"EXPN",
219 US"HELO", US"HELP", US"MAIL", US"NOOP", US"QUIT", US"RCPT", US"RSET",
220 US"STARTTLS", US"VRFY" };
222 static uschar *protocols_local[] = {
223 US"local-smtp", /* HELO */
224 US"local-smtps", /* The rare case EHLO->STARTTLS->HELO */
225 US"local-esmtp", /* EHLO */
226 US"local-esmtps", /* EHLO->STARTTLS->EHLO */
227 US"local-esmtpa", /* EHLO->AUTH */
228 US"local-esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
230 static uschar *protocols[] = {
232 US"smtps", /* The rare case EHLO->STARTTLS->HELO */
233 US"esmtp", /* EHLO */
234 US"esmtps", /* EHLO->STARTTLS->EHLO */
235 US"esmtpa", /* EHLO->AUTH */
236 US"esmtpsa" /* EHLO->STARTTLS->EHLO->AUTH */
241 #define pcrpted 1 /* added to pextend or pnormal */
242 #define pauthed 2 /* added to pextend */
244 /* Sanity check and validate optional args to MAIL FROM: envelope */
247 ENV_MAIL_OPT_SIZE, ENV_MAIL_OPT_BODY, ENV_MAIL_OPT_AUTH,
251 ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID,
257 uschar * name; /* option requested during MAIL cmd */
258 int value; /* enum type */
259 BOOL need_value; /* TRUE requires value (name=value pair format)
260 FALSE is a singleton */
262 static env_mail_type_t env_mail_type_list[] = {
263 { US"SIZE", ENV_MAIL_OPT_SIZE, TRUE },
264 { US"BODY", ENV_MAIL_OPT_BODY, TRUE },
265 { US"AUTH", ENV_MAIL_OPT_AUTH, TRUE },
267 { US"PRDR", ENV_MAIL_OPT_PRDR, FALSE },
269 { US"RET", ENV_MAIL_OPT_RET, TRUE },
270 { US"ENVID", ENV_MAIL_OPT_ENVID, TRUE },
272 { US"SMTPUTF8",ENV_MAIL_OPT_UTF8, FALSE }, /* rfc6531 */
274 /* keep this the last entry */
275 { US"NULL", ENV_MAIL_OPT_NULL, FALSE },
278 /* When reading SMTP from a remote host, we have to use our own versions of the
279 C input-reading functions, in order to be able to flush the SMTP output only
280 when about to read more data from the socket. This is the only way to get
281 optimal performance when the client is using pipelining. Flushing for every
282 command causes a separate packet and reply packet each time; saving all the
283 responses up (when pipelining) combines them into one packet and one response.
285 For simplicity, these functions are used for *all* SMTP input, not only when
286 receiving over a socket. However, after setting up a secure socket (SSL), input
287 is read via the OpenSSL library, and another set of functions is used instead
290 These functions are set in the receive_getc etc. variables and called with the
291 same interface as the C functions. However, since there can only ever be
292 one incoming SMTP call, we just use a single buffer and flags. There is no need
293 to implement a complicated private FILE-like structure.*/
295 static uschar *smtp_inbuffer;
296 static uschar *smtp_inptr;
297 static uschar *smtp_inend;
298 static int smtp_had_eof;
299 static int smtp_had_error;
302 /* forward declarations */
303 int bdat_ungetc(int ch);
304 static int smtp_read_command(BOOL check_sync);
305 static int synprot_error(int type, int code, uschar *data, uschar *errmess);
306 static void smtp_quit_handler(uschar **, uschar **);
307 static void smtp_rset_handler(void);
309 /*************************************************
310 * SMTP version of getc() *
311 *************************************************/
313 /* This gets the next byte from the SMTP input buffer. If the buffer is empty,
314 it flushes the output, and refills the buffer, with a timeout. The signal
315 handler is set appropriately by the calling function. This function is not used
316 after a connection has negotated itself into an TLS/SSL state.
319 Returns: the next character or EOF
325 if (smtp_inptr >= smtp_inend)
329 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
330 rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
335 /* Must put the error text in fixed store, because this might be during
336 header reading, where it releases unused store above the header. */
339 smtp_had_error = save_errno;
340 smtp_read_error = string_copy_malloc(
341 string_sprintf(" (error: %s)", strerror(save_errno)));
343 else smtp_had_eof = 1;
347 dkim_exim_verify_feed(smtp_inbuffer, rc);
349 smtp_inend = smtp_inbuffer + rc;
350 smtp_inptr = smtp_inbuffer;
352 return *smtp_inptr++;
357 /* Get a byte from the smtp input, in CHUNKING mode. Handle ack of the
358 previous BDAT chunk and getting new ones when we run out. Uses the
359 underlying smtp_getc or tls_getc both for that and for getting the
360 (buffered) data byte. EOD signals (an expected) no further data.
361 ERR signals a protocol error, and EOF a closed input stream.
363 Called from read_bdat_smtp() in receive.c for the message body, but also
364 by the headers read loop in receive_msg(); manipulates chunking_state
365 to handle the BDAT command/response.
366 Placed here due to the correlation with the above smtp_getc(), which it wraps,
367 and also by the need to do smtp command/response handling.
370 Returns: the next character or ERR, EOD or EOF
376 uschar * user_msg = NULL;
381 if (chunking_data_left-- > 0)
382 return lwr_receive_getc();
384 receive_getc = lwr_receive_getc;
385 receive_ungetc = lwr_receive_ungetc;
387 /* If not the last, ack the received chunk. The last response is delayed
388 until after the data ACL decides on it */
389 /*XXX find that "last response" and append the chunk size */
391 if (chunking_state == CHUNKING_LAST)
394 chunking_state = CHUNKING_OFFERED;
395 smtp_printf("250 %u byte chunk received\r\n", chunking_datasize);
397 /* Expect another BDAT cmd from input. RFC 3030 says nothing about
398 QUIT, RSET or NOOP but handling them seems obvious */
401 switch(smtp_read_command(TRUE))
404 (void) synprot_error(L_smtp_protocol_error, 503, NULL,
405 US"only BDAT permissible after non-LAST BDAT");
408 switch(smtp_read_command(TRUE))
410 case QUIT_CMD: smtp_quit_handler(&user_msg, &log_msg); /*FALLTHROUGH */
411 case EOF_CMD: return EOF;
412 case RSET_CMD: smtp_rset_handler(); return ERR;
413 default: if (synprot_error(L_smtp_protocol_error, 503, NULL,
414 US"only RSET accepted now") > 0)
416 goto repeat_until_rset;
420 smtp_quit_handler(&user_msg, &log_msg);
431 smtp_printf("250 OK\r\n");
438 if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
440 (void) synprot_error(L_smtp_protocol_error, 501, NULL,
441 US"missing size for BDAT command");
444 chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
445 ? CHUNKING_LAST : CHUNKING_ACTIVE;
446 chunking_data_left = chunking_datasize;
448 if (chunking_datasize == 0)
449 if (chunking_state == CHUNKING_LAST)
453 (void) synprot_error(L_smtp_protocol_error, 504, NULL,
454 US"zero size for BDAT command");
455 goto repeat_until_rset;
458 receive_getc = bdat_getc;
459 receive_ungetc = bdat_ungetc;
460 break; /* to top of main loop */
469 /*************************************************
470 * SMTP version of ungetc() *
471 *************************************************/
473 /* Puts a character back in the input buffer. Only ever
479 Returns: the character
493 chunking_data_left++;
494 return lwr_receive_ungetc(ch);
499 /*************************************************
500 * SMTP version of feof() *
501 *************************************************/
503 /* Tests for a previous EOF
506 Returns: non-zero if the eof flag is set
518 /*************************************************
519 * SMTP version of ferror() *
520 *************************************************/
522 /* Tests for a previous read error, and returns with errno
523 restored to what it was when the error was detected.
526 Returns: non-zero if the error flag is set
532 errno = smtp_had_error;
533 return smtp_had_error;
538 /*************************************************
539 * Test for characters in the SMTP buffer *
540 *************************************************/
542 /* Used at the end of a message
551 return smtp_inptr < smtp_inend;
556 /*************************************************
557 * Write formatted string to SMTP channel *
558 *************************************************/
560 /* This is a separate function so that we don't have to repeat everything for
561 TLS support or debugging. It is global so that the daemon and the
562 authentication functions can use it. It does not return any error indication,
563 because major problems such as dropped connections won't show up till an output
564 flush for non-TLS connections. The smtp_fflush() function is available for
565 checking that: for convenience, TLS output errors are remembered here so that
566 they are also picked up later by smtp_fflush().
570 ... optional arguments
576 smtp_printf(const char *format, ...)
580 va_start(ap, format);
581 smtp_vprintf(format, ap);
585 /* This is split off so that verify.c:respond_printf() can, in effect, call
586 smtp_printf(), bearing in mind that in C a vararg function can't directly
587 call another vararg function, only a function which accepts a va_list. */
590 smtp_vprintf(const char *format, va_list ap)
594 yield = string_vformat(big_buffer, big_buffer_size, format, ap);
598 void *reset_point = store_get(0);
599 uschar *msg_copy, *cr, *end;
600 msg_copy = string_copy(big_buffer);
601 end = msg_copy + Ustrlen(msg_copy);
602 while ((cr = Ustrchr(msg_copy, '\r')) != NULL) /* lose CRs */
603 memmove(cr, cr + 1, (end--) - cr);
604 debug_printf("SMTP>> %s", msg_copy);
605 store_reset(reset_point);
610 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
611 smtp_closedown(US"Unexpected error");
612 exim_exit(EXIT_FAILURE);
615 /* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
616 have had the same. Note: this code is also present in smtp_respond(). It would
617 be tidier to have it only in one place, but when it was added, it was easier to
618 do it that way, so as not to have to mess with the code for the RCPT command,
619 which sometimes uses smtp_printf() and sometimes smtp_respond(). */
621 if (rcpt_in_progress)
623 if (rcpt_smtp_response == NULL)
624 rcpt_smtp_response = string_copy(big_buffer);
625 else if (rcpt_smtp_response_same &&
626 Ustrcmp(rcpt_smtp_response, big_buffer) != 0)
627 rcpt_smtp_response_same = FALSE;
628 rcpt_in_progress = FALSE;
631 /* Now write the string */
634 if (tls_in.active >= 0)
636 if (tls_write(TRUE, big_buffer, Ustrlen(big_buffer)) < 0)
637 smtp_write_error = -1;
642 if (fprintf(smtp_out, "%s", big_buffer) < 0) smtp_write_error = -1;
647 /*************************************************
648 * Flush SMTP out and check for error *
649 *************************************************/
651 /* This function isn't currently used within Exim (it detects errors when it
652 tries to read the next SMTP input), but is available for use in local_scan().
653 For non-TLS connections, it flushes the output and checks for errors. For
654 TLS-connections, it checks for a previously-detected TLS write error.
657 Returns: 0 for no error; -1 after an error
663 if (tls_in.active < 0 && fflush(smtp_out) != 0) smtp_write_error = -1;
664 return smtp_write_error;
669 /*************************************************
670 * SMTP command read timeout *
671 *************************************************/
673 /* Signal handler for timing out incoming SMTP commands. This attempts to
676 Argument: signal number (SIGALRM)
681 command_timeout_handler(int sig)
683 sig = sig; /* Keep picky compilers happy */
684 log_write(L_lost_incoming_connection,
685 LOG_MAIN, "SMTP command timeout on%s connection from %s",
686 (tls_in.active >= 0)? " TLS" : "",
687 host_and_ident(FALSE));
688 if (smtp_batched_input)
689 moan_smtp_batch(NULL, "421 SMTP command timeout"); /* Does not return */
690 smtp_notquit_exit(US"command-timeout", US"421",
691 US"%s: SMTP command timeout - closing connection", smtp_active_hostname);
692 exim_exit(EXIT_FAILURE);
697 /*************************************************
699 *************************************************/
701 /* Signal handler for handling SIGTERM. Again, try to finish tidily.
703 Argument: signal number (SIGTERM)
708 command_sigterm_handler(int sig)
710 sig = sig; /* Keep picky compilers happy */
711 log_write(0, LOG_MAIN, "%s closed after SIGTERM", smtp_get_connection_info());
712 if (smtp_batched_input)
713 moan_smtp_batch(NULL, "421 SIGTERM received"); /* Does not return */
714 smtp_notquit_exit(US"signal-exit", US"421",
715 US"%s: Service not available - closing connection", smtp_active_hostname);
716 exim_exit(EXIT_FAILURE);
723 /*************************************************
724 * Restore socket timeout to previous value *
725 *************************************************/
726 /* If the previous value was successfully retrieved, restore
727 it before returning control to the non-proxy routines
729 Arguments: fd - File descriptor for input
730 get_ok - Successfully retrieved previous values
731 tvtmp - Time struct with previous values
732 vslen - Length of time struct
736 restore_socket_timeout(int fd, int get_ok, struct timeval tvtmp, socklen_t vslen)
739 setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp, vslen);
742 /*************************************************
743 * Check if host is required proxy host *
744 *************************************************/
745 /* The function determines if inbound host will be a regular smtp host
746 or if it is configured that it must use Proxy Protocol.
753 check_proxy_protocol_host()
756 /* Cannot configure local connection as a proxy inbound */
757 if (sender_host_address == NULL) return proxy_session;
759 rc = verify_check_this_host(CUSS &hosts_proxy, NULL, NULL,
760 sender_host_address, NULL);
764 debug_printf("Detected proxy protocol configured host\n");
765 proxy_session = TRUE;
767 return proxy_session;
771 /*************************************************
772 * Setup host for proxy protocol *
773 *************************************************/
774 /* The function configures the connection based on a header from the
775 inbound host to use Proxy Protocol. The specification is very exact
776 so exit with an error if do not find the exact required pieces. This
777 includes an incorrect number of spaces separating args.
784 setup_proxy_protocol_host()
796 struct { /* TCP/UDP over IPv4, len = 12 */
802 struct { /* TCP/UDP over IPv6, len = 36 */
803 uint8_t src_addr[16];
804 uint8_t dst_addr[16];
808 struct { /* AF_UNIX sockets, len = 216 */
809 uschar src_addr[108];
810 uschar dst_addr[108];
816 /* Temp variables used in PPv2 address:port parsing */
818 char tmpip[INET_ADDRSTRLEN];
819 struct sockaddr_in tmpaddr;
820 char tmpip6[INET6_ADDRSTRLEN];
821 struct sockaddr_in6 tmpaddr6;
825 const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A";
826 uschar *iptype; /* To display debug info */
829 struct timeval tvtmp;
831 vslen = sizeof(struct timeval);
833 fd = fileno(smtp_in);
835 /* Save current socket timeout values */
836 get_ok = getsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tvtmp,
839 /* Proxy Protocol host must send header within a short time
840 (default 3 seconds) or it's considered invalid */
841 tv.tv_sec = PROXY_NEGOTIATION_TIMEOUT_SEC;
842 tv.tv_usec = PROXY_NEGOTIATION_TIMEOUT_USEC;
843 setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv,
844 sizeof(struct timeval));
848 /* The inbound host was declared to be a Proxy Protocol host, so
849 don't do a PEEK into the data, actually slurp it up. */
850 ret = recv(fd, &hdr, sizeof(hdr), 0);
852 while (ret == -1 && errno == EINTR);
856 restore_socket_timeout(fd, get_ok, tvtmp, vslen);
857 return (errno == EAGAIN) ? 0 : ERRNO_PROXYFAIL;
861 memcmp(&hdr.v2, v2sig, 12) == 0)
865 /* May 2014: haproxy combined the version and command into one byte to
866 allow two full bytes for the length field in order to proxy SSL
867 connections. SSL Proxy is not supported in this version of Exim, but
868 must still seperate values here. */
869 ver = (hdr.v2.ver_cmd & 0xf0) >> 4;
870 cmd = (hdr.v2.ver_cmd & 0x0f);
874 DEBUG(D_receive) debug_printf("Invalid Proxy Protocol version: %d\n", ver);
877 DEBUG(D_receive) debug_printf("Detected PROXYv2 header\n");
878 /* The v2 header will always be 16 bytes per the spec. */
879 size = 16 + hdr.v2.len;
882 DEBUG(D_receive) debug_printf("Truncated or too large PROXYv2 header (%d/%d)\n",
888 case 0x01: /* PROXY command */
891 case 0x11: /* TCPv4 address type */
893 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
894 inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
895 if (!string_is_ip_address(US tmpip,NULL))
897 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
898 return ERRNO_PROXYFAIL;
900 proxy_local_address = sender_host_address;
901 sender_host_address = string_copy(US tmpip);
902 tmpport = ntohs(hdr.v2.addr.ip4.src_port);
903 proxy_local_port = sender_host_port;
904 sender_host_port = tmpport;
905 /* Save dest ip/port */
906 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.dst_addr;
907 inet_ntop(AF_INET, &(tmpaddr.sin_addr), (char *)&tmpip, sizeof(tmpip));
908 if (!string_is_ip_address(US tmpip,NULL))
910 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
911 return ERRNO_PROXYFAIL;
913 proxy_external_address = string_copy(US tmpip);
914 tmpport = ntohs(hdr.v2.addr.ip4.dst_port);
915 proxy_external_port = tmpport;
917 case 0x21: /* TCPv6 address type */
919 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
920 inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
921 if (!string_is_ip_address(US tmpip6,NULL))
923 DEBUG(D_receive) debug_printf("Invalid %s source IP\n", iptype);
924 return ERRNO_PROXYFAIL;
926 proxy_local_address = sender_host_address;
927 sender_host_address = string_copy(US tmpip6);
928 tmpport = ntohs(hdr.v2.addr.ip6.src_port);
929 proxy_local_port = sender_host_port;
930 sender_host_port = tmpport;
931 /* Save dest ip/port */
932 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.dst_addr, 16);
933 inet_ntop(AF_INET6, &(tmpaddr6.sin6_addr), (char *)&tmpip6, sizeof(tmpip6));
934 if (!string_is_ip_address(US tmpip6,NULL))
936 DEBUG(D_receive) debug_printf("Invalid %s dest port\n", iptype);
937 return ERRNO_PROXYFAIL;
939 proxy_external_address = string_copy(US tmpip6);
940 tmpport = ntohs(hdr.v2.addr.ip6.dst_port);
941 proxy_external_port = tmpport;
945 debug_printf("Unsupported PROXYv2 connection type: 0x%02x\n",
949 /* Unsupported protocol, keep local connection address */
951 case 0x00: /* LOCAL command */
952 /* Keep local connection address for LOCAL */
956 debug_printf("Unsupported PROXYv2 command: 0x%x\n", cmd);
961 memcmp(hdr.v1.line, "PROXY", 5) == 0)
963 uschar *p = string_copy(hdr.v1.line);
964 uschar *end = memchr(p, '\r', ret - 1);
965 uschar *sp; /* Utility variables follow */
969 if (!end || end[1] != '\n')
971 DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
974 *end = '\0'; /* Terminate the string */
975 size = end + 2 - hdr.v1.line; /* Skip header + CRLF */
976 DEBUG(D_receive) debug_printf("Detected PROXYv1 header\n");
977 /* Step through the string looking for the required fields. Ensure
978 strict adherance to required formatting, exit for any error. */
980 if (!isspace(*(p++)))
982 DEBUG(D_receive) debug_printf("Missing space after PROXY command\n");
985 if (!Ustrncmp(p, CCS"TCP4", 4))
987 else if (!Ustrncmp(p,CCS"TCP6", 4))
989 else if (!Ustrncmp(p,CCS"UNKNOWN", 7))
991 iptype = US"Unknown";
996 DEBUG(D_receive) debug_printf("Invalid TCP type\n");
1000 p += Ustrlen(iptype);
1001 if (!isspace(*(p++)))
1003 DEBUG(D_receive) debug_printf("Missing space after TCP4/6 command\n");
1006 /* Find the end of the arg */
1007 if ((sp = Ustrchr(p, ' ')) == NULL)
1010 debug_printf("Did not find proxied src %s\n", iptype);
1014 if(!string_is_ip_address(p,NULL))
1017 debug_printf("Proxied src arg is not an %s address\n", iptype);
1020 proxy_local_address = sender_host_address;
1021 sender_host_address = p;
1023 if ((sp = Ustrchr(p, ' ')) == NULL)
1026 debug_printf("Did not find proxy dest %s\n", iptype);
1030 if(!string_is_ip_address(p,NULL))
1033 debug_printf("Proxy dest arg is not an %s address\n", iptype);
1036 proxy_external_address = p;
1038 if ((sp = Ustrchr(p, ' ')) == NULL)
1040 DEBUG(D_receive) debug_printf("Did not find proxied src port\n");
1044 tmp_port = strtol(CCS p,&endc,10);
1045 if (*endc || tmp_port == 0)
1048 debug_printf("Proxied src port '%s' not an integer\n", p);
1051 proxy_local_port = sender_host_port;
1052 sender_host_port = tmp_port;
1054 if ((sp = Ustrchr(p, '\0')) == NULL)
1056 DEBUG(D_receive) debug_printf("Did not find proxy dest port\n");
1059 tmp_port = strtol(CCS p,&endc,10);
1060 if (*endc || tmp_port == 0)
1063 debug_printf("Proxy dest port '%s' not an integer\n", p);
1066 proxy_external_port = tmp_port;
1067 /* Already checked for /r /n above. Good V1 header received. */
1072 /* Wrong protocol */
1073 DEBUG(D_receive) debug_printf("Invalid proxy protocol version negotiation\n");
1078 restore_socket_timeout(fd, get_ok, tvtmp, vslen);
1079 /* Don't flush any potential buffer contents. Any input should cause a
1080 synchronization failure */
1084 restore_socket_timeout(fd, get_ok, tvtmp, vslen);
1086 debug_printf("Valid %s sender from Proxy Protocol header\n", iptype);
1087 return proxy_session;
1091 /*************************************************
1092 * Read one command line *
1093 *************************************************/
1095 /* Strictly, SMTP commands coming over the net are supposed to end with CRLF.
1096 There are sites that don't do this, and in any case internal SMTP probably
1097 should check only for LF. Consequently, we check here for LF only. The line
1098 ends up with [CR]LF removed from its end. If we get an overlong line, treat as
1099 an unknown command. The command is read into the global smtp_cmd_buffer so that
1100 it is available via $smtp_command.
1102 The character reading routine sets up a timeout for each block actually read
1103 from the input (which may contain more than one command). We set up a special
1104 signal handler that closes down the session on a timeout. Control does not
1105 return when it runs.
1108 check_sync if TRUE, check synchronization rules if global option is TRUE
1110 Returns: a code identifying the command (enumerated above)
1114 smtp_read_command(BOOL check_sync)
1119 BOOL hadnull = FALSE;
1121 os_non_restarting_signal(SIGALRM, command_timeout_handler);
1123 while ((c = (receive_getc)()) != '\n' && c != EOF)
1125 if (ptr >= smtp_cmd_buffer_size)
1127 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1135 smtp_cmd_buffer[ptr++] = c;
1138 receive_linecount++; /* For BSMTP errors */
1139 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1141 /* If hit end of file, return pseudo EOF command. Whether we have a
1142 part-line already read doesn't matter, since this is an error state. */
1144 if (c == EOF) return EOF_CMD;
1146 /* Remove any CR and white space at the end of the line, and terminate the
1149 while (ptr > 0 && isspace(smtp_cmd_buffer[ptr-1])) ptr--;
1150 smtp_cmd_buffer[ptr] = 0;
1152 DEBUG(D_receive) debug_printf("SMTP<< %s\n", smtp_cmd_buffer);
1154 /* NULLs are not allowed in SMTP commands */
1156 if (hadnull) return BADCHAR_CMD;
1158 /* Scan command list and return identity, having set the data pointer
1159 to the start of the actual data characters. Check for SMTP synchronization
1162 for (p = cmd_list; p < cmd_list_end; p++)
1164 #ifdef SUPPORT_PROXY
1165 /* Only allow QUIT command if Proxy Protocol parsing failed */
1166 if (proxy_session && proxy_session_failed)
1168 if (p->cmd != QUIT_CMD)
1173 && strncmpic(smtp_cmd_buffer, US p->name, p->len) == 0
1174 && ( smtp_cmd_buffer[p->len-1] == ':' /* "mail from:" or "rcpt to:" */
1175 || smtp_cmd_buffer[p->len] == 0
1176 || smtp_cmd_buffer[p->len] == ' '
1179 if (smtp_inptr < smtp_inend && /* Outstanding input */
1180 p->cmd < sync_cmd_limit && /* Command should sync */
1181 check_sync && /* Local flag set */
1182 smtp_enforce_sync && /* Global flag set */
1183 sender_host_address != NULL && /* Not local input */
1184 !sender_host_notsocket) /* Really is a socket */
1187 /* The variables $smtp_command and $smtp_command_argument point into the
1188 unmodified input buffer. A copy of the latter is taken for actual
1189 processing, so that it can be chopped up into separate parts if necessary,
1190 for example, when processing a MAIL command options such as SIZE that can
1191 follow the sender address. */
1193 smtp_cmd_argument = smtp_cmd_buffer + p->len;
1194 while (isspace(*smtp_cmd_argument)) smtp_cmd_argument++;
1195 Ustrcpy(smtp_data_buffer, smtp_cmd_argument);
1196 smtp_cmd_data = smtp_data_buffer;
1198 /* Count non-mail commands from those hosts that are controlled in this
1199 way. The default is all hosts. We don't waste effort checking the list
1200 until we get a non-mail command, but then cache the result to save checking
1201 again. If there's a DEFER while checking the host, assume it's in the list.
1203 Note that one instance of RSET, EHLO/HELO, and STARTTLS is allowed at the
1204 start of each incoming message by fiddling with the value in the table. */
1206 if (!p->is_mail_cmd)
1208 if (count_nonmail == TRUE_UNSET) count_nonmail =
1209 verify_check_host(&smtp_accept_max_nonmail_hosts) != FAIL;
1210 if (count_nonmail && ++nonmail_command_count > smtp_accept_max_nonmail)
1211 return TOO_MANY_NONMAIL_CMD;
1214 /* If there is data for a command that does not expect it, generate the
1217 return (p->has_arg || *smtp_cmd_data == 0)? p->cmd : BADARG_CMD;
1221 #ifdef SUPPORT_PROXY
1222 /* Only allow QUIT command if Proxy Protocol parsing failed */
1223 if (proxy_session && proxy_session_failed)
1224 return PROXY_FAIL_IGNORE_CMD;
1227 /* Enforce synchronization for unknown commands */
1229 if (smtp_inptr < smtp_inend && /* Outstanding input */
1230 check_sync && /* Local flag set */
1231 smtp_enforce_sync && /* Global flag set */
1232 sender_host_address != NULL && /* Not local input */
1233 !sender_host_notsocket) /* Really is a socket */
1241 /*************************************************
1242 * Recheck synchronization *
1243 *************************************************/
1245 /* Synchronization checks can never be perfect because a packet may be on its
1246 way but not arrived when the check is done. Such checks can in any case only be
1247 done when TLS is not in use. Normally, the checks happen when commands are
1248 read: Exim ensures that there is no more input in the input buffer. In normal
1249 cases, the response to the command will be fast, and there is no further check.
1251 However, for some commands an ACL is run, and that can include delays. In those
1252 cases, it is useful to do another check on the input just before sending the
1253 response. This also applies at the start of a connection. This function does
1254 that check by means of the select() function, as long as the facility is not
1255 disabled or inappropriate. A failure of select() is ignored.
1257 When there is unwanted input, we read it so that it appears in the log of the
1261 Returns: TRUE if all is well; FALSE if there is input pending
1269 struct timeval tzero;
1271 if (!smtp_enforce_sync || sender_host_address == NULL ||
1272 sender_host_notsocket || tls_in.active >= 0)
1275 fd = fileno(smtp_in);
1280 rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
1282 if (rc <= 0) return TRUE; /* Not ready to read */
1284 if (rc < 0) return TRUE; /* End of file or error */
1287 rc = smtp_inend - smtp_inptr;
1288 if (rc > 150) rc = 150;
1295 /*************************************************
1296 * Forced closedown of call *
1297 *************************************************/
1299 /* This function is called from log.c when Exim is dying because of a serious
1300 disaster, and also from some other places. If an incoming non-batched SMTP
1301 channel is open, it swallows the rest of the incoming message if in the DATA
1302 phase, sends the reply string, and gives an error to all subsequent commands
1303 except QUIT. The existence of an SMTP call is detected by the non-NULLness of
1307 message SMTP reply string to send, excluding the code
1313 smtp_closedown(uschar *message)
1315 if (smtp_in == NULL || smtp_batched_input) return;
1316 receive_swallow_smtp();
1317 smtp_printf("421 %s\r\n", message);
1321 switch(smtp_read_command(FALSE))
1327 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
1332 smtp_printf("250 Reset OK\r\n");
1336 smtp_printf("421 %s\r\n", message);
1345 /*************************************************
1346 * Set up connection info for logging *
1347 *************************************************/
1349 /* This function is called when logging information about an SMTP connection.
1350 It sets up appropriate source information, depending on the type of connection.
1351 If sender_fullhost is NULL, we are at a very early stage of the connection;
1352 just use the IP address.
1355 Returns: a string describing the connection
1359 smtp_get_connection_info(void)
1361 uschar *hostname = (sender_fullhost == NULL)?
1362 sender_host_address : sender_fullhost;
1365 return string_sprintf("SMTP connection from %s", hostname);
1367 if (sender_host_unknown || sender_host_notsocket)
1368 return string_sprintf("SMTP connection from %s", sender_ident);
1371 return string_sprintf("SMTP connection from %s (via inetd)", hostname);
1373 if (LOGGING(incoming_interface) && interface_address != NULL)
1374 return string_sprintf("SMTP connection from %s I=[%s]:%d", hostname,
1375 interface_address, interface_port);
1377 return string_sprintf("SMTP connection from %s", hostname);
1383 /* Append TLS-related information to a log line
1386 s String under construction: allocated string to extend, or NULL
1387 sizep Pointer to current allocation size (update on return), or NULL
1388 ptrp Pointer to index for new entries in string (update on return), or NULL
1390 Returns: Allocated string or NULL
1393 s_tlslog(uschar * s, int * sizep, int * ptrp)
1395 int size = sizep ? *sizep : 0;
1396 int ptr = ptrp ? *ptrp : 0;
1398 if (LOGGING(tls_cipher) && tls_in.cipher != NULL)
1399 s = string_append(s, &size, &ptr, 2, US" X=", tls_in.cipher);
1400 if (LOGGING(tls_certificate_verified) && tls_in.cipher != NULL)
1401 s = string_append(s, &size, &ptr, 2, US" CV=",
1402 tls_in.certificate_verified? "yes":"no");
1403 if (LOGGING(tls_peerdn) && tls_in.peerdn != NULL)
1404 s = string_append(s, &size, &ptr, 3, US" DN=\"",
1405 string_printing(tls_in.peerdn), US"\"");
1406 if (LOGGING(tls_sni) && tls_in.sni != NULL)
1407 s = string_append(s, &size, &ptr, 3, US" SNI=\"",
1408 string_printing(tls_in.sni), US"\"");
1413 if (sizep) *sizep = size;
1414 if (ptrp) *ptrp = ptr;
1420 /*************************************************
1421 * Log lack of MAIL if so configured *
1422 *************************************************/
1424 /* This function is called when an SMTP session ends. If the log selector
1425 smtp_no_mail is set, write a log line giving some details of what has happened
1426 in the SMTP session.
1433 smtp_log_no_mail(void)
1438 if (smtp_mailcmd_count > 0 || !LOGGING(smtp_no_mail))
1444 if (sender_host_authenticated != NULL)
1446 s = string_append(s, &size, &ptr, 2, US" A=", sender_host_authenticated);
1447 if (authenticated_id != NULL)
1448 s = string_append(s, &size, &ptr, 2, US":", authenticated_id);
1452 s = s_tlslog(s, &size, &ptr);
1455 sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
1456 US" C=..." : US" C=";
1457 for (i = smtp_ch_index; i < SMTP_HBUFF_SIZE; i++)
1459 if (smtp_connection_had[i] != SCH_NONE)
1461 s = string_append(s, &size, &ptr, 2, sep,
1462 smtp_names[smtp_connection_had[i]]);
1467 for (i = 0; i < smtp_ch_index; i++)
1469 s = string_append(s, &size, &ptr, 2, sep, smtp_names[smtp_connection_had[i]]);
1473 if (s != NULL) s[ptr] = 0; else s = US"";
1474 log_write(0, LOG_MAIN, "no MAIL in SMTP connection from %s D=%s%s",
1475 host_and_ident(FALSE),
1476 readconf_printtime( (int) ((long)time(NULL) - (long)smtp_connection_start)),
1482 /*************************************************
1483 * Check HELO line and set sender_helo_name *
1484 *************************************************/
1486 /* Check the format of a HELO line. The data for HELO/EHLO is supposed to be
1487 the domain name of the sending host, or an ip literal in square brackets. The
1488 arrgument is placed in sender_helo_name, which is in malloc store, because it
1489 must persist over multiple incoming messages. If helo_accept_junk is set, this
1490 host is permitted to send any old junk (needed for some broken hosts).
1491 Otherwise, helo_allow_chars can be used for rogue characters in general
1492 (typically people want to let in underscores).
1495 s the data portion of the line (already past any white space)
1497 Returns: TRUE or FALSE
1501 check_helo(uschar *s)
1504 uschar *end = s + Ustrlen(s);
1505 BOOL yield = helo_accept_junk;
1507 /* Discard any previous helo name */
1509 if (sender_helo_name != NULL)
1511 store_free(sender_helo_name);
1512 sender_helo_name = NULL;
1515 /* Skip tests if junk is permitted. */
1519 /* Allow the new standard form for IPv6 address literals, namely,
1520 [IPv6:....], and because someone is bound to use it, allow an equivalent
1521 IPv4 form. Allow plain addresses as well. */
1528 if (strncmpic(s, US"[IPv6:", 6) == 0)
1529 yield = (string_is_ip_address(s+6, NULL) == 6);
1530 else if (strncmpic(s, US"[IPv4:", 6) == 0)
1531 yield = (string_is_ip_address(s+6, NULL) == 4);
1533 yield = (string_is_ip_address(s+1, NULL) != 0);
1538 /* Non-literals must be alpha, dot, hyphen, plus any non-valid chars
1539 that have been configured (usually underscore - sigh). */
1546 if (!isalnum(*s) && *s != '.' && *s != '-' &&
1547 Ustrchr(helo_allow_chars, *s) == NULL)
1557 /* Save argument if OK */
1559 if (yield) sender_helo_name = string_copy_malloc(start);
1567 /*************************************************
1568 * Extract SMTP command option *
1569 *************************************************/
1571 /* This function picks the next option setting off the end of smtp_cmd_data. It
1572 is called for MAIL FROM and RCPT TO commands, to pick off the optional ESMTP
1573 things that can appear there.
1576 name point this at the name
1577 value point this at the data string
1579 Returns: TRUE if found an option
1583 extract_option(uschar **name, uschar **value)
1586 uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
1587 while (isspace(*v)) v--;
1589 while (v > smtp_cmd_data && *v != '=' && !isspace(*v)) v--;
1594 while(isalpha(n[-1])) n--;
1595 /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
1596 if (!isspace(n[-1])) return FALSE;
1602 if (v == smtp_cmd_data) return FALSE;
1614 /*************************************************
1615 * Reset for new message *
1616 *************************************************/
1618 /* This function is called whenever the SMTP session is reset from
1619 within either of the setup functions.
1621 Argument: the stacking pool storage reset point
1626 smtp_reset(void *reset_point)
1628 store_reset(reset_point);
1629 recipients_list = NULL;
1630 rcpt_count = rcpt_defer_count = rcpt_fail_count =
1631 raw_recipients_count = recipients_count = recipients_list_max = 0;
1632 cancel_cutthrough_connection("smtp reset");
1633 message_linecount = 0;
1635 acl_added_headers = NULL;
1636 acl_removed_headers = NULL;
1637 queue_only_policy = FALSE;
1638 rcpt_smtp_response = NULL;
1639 rcpt_smtp_response_same = TRUE;
1640 rcpt_in_progress = FALSE;
1641 deliver_freeze = FALSE; /* Can be set by ACL */
1642 freeze_tell = freeze_tell_config; /* Can be set by ACL */
1643 fake_response = OK; /* Can be set by ACL */
1644 #ifdef WITH_CONTENT_SCAN
1645 no_mbox_unspool = FALSE; /* Can be set by ACL */
1647 submission_mode = FALSE; /* Can be set by ACL */
1648 suppress_local_fixups = suppress_local_fixups_default; /* Can be set by ACL */
1649 active_local_from_check = local_from_check; /* Can be set by ACL */
1650 active_local_sender_retain = local_sender_retain; /* Can be set by ACL */
1651 sender_address = NULL;
1652 submission_name = NULL; /* Can be set by ACL */
1653 raw_sender = NULL; /* After SMTP rewrite, before qualifying */
1654 sender_address_unrewritten = NULL; /* Set only after verify rewrite */
1655 sender_verified_list = NULL; /* No senders verified */
1656 memset(sender_address_cache, 0, sizeof(sender_address_cache));
1657 memset(sender_domain_cache, 0, sizeof(sender_domain_cache));
1659 authenticated_sender = NULL;
1660 #ifdef EXPERIMENTAL_BRIGHTMAIL
1662 bmi_verdicts = NULL;
1664 #ifndef DISABLE_DKIM
1665 dkim_signers = NULL;
1666 dkim_disable_verify = FALSE;
1667 dkim_collect_input = FALSE;
1671 #ifndef DISABLE_PRDR
1672 prdr_requested = FALSE;
1674 #ifdef EXPERIMENTAL_SPF
1675 spf_header_comment = NULL;
1676 spf_received = NULL;
1678 spf_smtp_comment = NULL;
1681 message_smtputf8 = FALSE;
1683 body_linecount = body_zerocount = 0;
1685 sender_rate = sender_rate_limit = sender_rate_period = NULL;
1686 ratelimiters_mail = NULL; /* Updated by ratelimit ACL condition */
1687 /* Note that ratelimiters_conn persists across resets. */
1689 /* Reset message ACL variables */
1693 /* The message body variables use malloc store. They may be set if this is
1694 not the first message in an SMTP session and the previous message caused them
1695 to be referenced in an ACL. */
1697 if (message_body != NULL)
1699 store_free(message_body);
1700 message_body = NULL;
1703 if (message_body_end != NULL)
1705 store_free(message_body_end);
1706 message_body_end = NULL;
1709 /* Warning log messages are also saved in malloc store. They are saved to avoid
1710 repetition in the same message, but it seems right to repeat them for different
1713 while (acl_warn_logged != NULL)
1715 string_item *this = acl_warn_logged;
1716 acl_warn_logged = acl_warn_logged->next;
1725 /*************************************************
1726 * Initialize for incoming batched SMTP message *
1727 *************************************************/
1729 /* This function is called from smtp_setup_msg() in the case when
1730 smtp_batched_input is true. This happens when -bS is used to pass a whole batch
1731 of messages in one file with SMTP commands between them. All errors must be
1732 reported by sending a message, and only MAIL FROM, RCPT TO, and DATA are
1733 relevant. After an error on a sender, or an invalid recipient, the remainder
1734 of the message is skipped. The value of received_protocol is already set.
1737 Returns: > 0 message successfully started (reached DATA)
1738 = 0 QUIT read or end of file reached
1739 < 0 should not occur
1743 smtp_setup_batch_msg(void)
1746 void *reset_point = store_get(0);
1748 /* Save the line count at the start of each transaction - single commands
1749 like HELO and RSET count as whole transactions. */
1751 bsmtp_transaction_linecount = receive_linecount;
1753 if ((receive_feof)()) return 0; /* Treat EOF as QUIT */
1755 smtp_reset(reset_point); /* Reset for start of message */
1757 /* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
1758 value. The values are 2 larger than the required yield of the function. */
1763 uschar *recipient = NULL;
1764 int start, end, sender_domain, recipient_domain;
1766 switch(smtp_read_command(FALSE))
1768 /* The HELO/EHLO commands set sender_address_helo if they have
1769 valid data; otherwise they are ignored, except that they do
1770 a reset of the state. */
1775 check_helo(smtp_cmd_data);
1779 smtp_reset(reset_point);
1780 bsmtp_transaction_linecount = receive_linecount;
1784 /* The MAIL FROM command requires an address as an operand. All we
1785 do here is to parse it for syntactic correctness. The form "<>" is
1786 a special case which converts into an empty string. The start/end
1787 pointers in the original are not used further for this address, as
1788 it is the canonical extracted address which is all that is kept. */
1791 smtp_mailcmd_count++; /* Count for no-mail log */
1792 if (sender_address != NULL)
1793 /* The function moan_smtp_batch() does not return. */
1794 moan_smtp_batch(smtp_cmd_buffer, "503 Sender already given");
1796 if (smtp_cmd_data[0] == 0)
1797 /* The function moan_smtp_batch() does not return. */
1798 moan_smtp_batch(smtp_cmd_buffer, "501 MAIL FROM must have an address operand");
1800 /* Reset to start of message */
1802 smtp_reset(reset_point);
1804 /* Apply SMTP rewrite */
1806 raw_sender = ((rewrite_existflags & rewrite_smtp) != 0)?
1807 rewrite_one(smtp_cmd_data, rewrite_smtp|rewrite_smtp_sender, NULL, FALSE,
1808 US"", global_rewrite_rules) : smtp_cmd_data;
1810 /* Extract the address; the TRUE flag allows <> as valid */
1813 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
1816 if (raw_sender == NULL)
1817 /* The function moan_smtp_batch() does not return. */
1818 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
1820 sender_address = string_copy(raw_sender);
1822 /* Qualify unqualified sender addresses if permitted to do so. */
1824 if (sender_domain == 0 && sender_address[0] != 0 && sender_address[0] != '@')
1826 if (allow_unqualified_sender)
1828 sender_address = rewrite_address_qualify(sender_address, FALSE);
1829 DEBUG(D_receive) debug_printf("unqualified address %s accepted "
1830 "and rewritten\n", raw_sender);
1832 /* The function moan_smtp_batch() does not return. */
1833 else moan_smtp_batch(smtp_cmd_buffer, "501 sender address must contain "
1839 /* The RCPT TO command requires an address as an operand. All we do
1840 here is to parse it for syntactic correctness. There may be any number
1841 of RCPT TO commands, specifying multiple senders. We build them all into
1842 a data structure that is in argc/argv format. The start/end values
1843 given by parse_extract_address are not used, as we keep only the
1844 extracted address. */
1847 if (sender_address == NULL)
1848 /* The function moan_smtp_batch() does not return. */
1849 moan_smtp_batch(smtp_cmd_buffer, "503 No sender yet given");
1851 if (smtp_cmd_data[0] == 0)
1852 /* The function moan_smtp_batch() does not return. */
1853 moan_smtp_batch(smtp_cmd_buffer, "501 RCPT TO must have an address operand");
1855 /* Check maximum number allowed */
1857 if (recipients_max > 0 && recipients_count + 1 > recipients_max)
1858 /* The function moan_smtp_batch() does not return. */
1859 moan_smtp_batch(smtp_cmd_buffer, "%s too many recipients",
1860 recipients_max_reject? "552": "452");
1862 /* Apply SMTP rewrite, then extract address. Don't allow "<>" as a
1863 recipient address */
1865 recipient = rewrite_existflags & rewrite_smtp
1866 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
1867 global_rewrite_rules)
1870 recipient = parse_extract_address(recipient, &errmess, &start, &end,
1871 &recipient_domain, FALSE);
1874 /* The function moan_smtp_batch() does not return. */
1875 moan_smtp_batch(smtp_cmd_buffer, "501 %s", errmess);
1877 /* If the recipient address is unqualified, qualify it if permitted. Then
1878 add it to the list of recipients. */
1880 if (recipient_domain == 0)
1882 if (allow_unqualified_recipient)
1884 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
1886 recipient = rewrite_address_qualify(recipient, TRUE);
1888 /* The function moan_smtp_batch() does not return. */
1889 else moan_smtp_batch(smtp_cmd_buffer, "501 recipient address must contain "
1892 receive_add_recipient(recipient, -1);
1896 /* The DATA command is legal only if it follows successful MAIL FROM
1897 and RCPT TO commands. This function is complete when a valid DATA
1898 command is encountered. */
1901 if (sender_address == NULL || recipients_count <= 0)
1903 /* The function moan_smtp_batch() does not return. */
1904 if (sender_address == NULL)
1905 moan_smtp_batch(smtp_cmd_buffer,
1906 "503 MAIL FROM:<sender> command must precede DATA");
1908 moan_smtp_batch(smtp_cmd_buffer,
1909 "503 RCPT TO:<recipient> must precede DATA");
1913 done = 3; /* DATA successfully achieved */
1914 message_ended = END_NOTENDED; /* Indicate in middle of message */
1919 /* The VRFY, EXPN, HELP, ETRN, and NOOP commands are ignored. */
1926 bsmtp_transaction_linecount = receive_linecount;
1937 /* The function moan_smtp_batch() does not return. */
1938 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected argument data");
1943 /* The function moan_smtp_batch() does not return. */
1944 moan_smtp_batch(smtp_cmd_buffer, "501 Unexpected NULL in SMTP command");
1949 /* The function moan_smtp_batch() does not return. */
1950 moan_smtp_batch(smtp_cmd_buffer, "500 Command unrecognized");
1955 return done - 2; /* Convert yield values */
1961 /*************************************************
1962 * Start an SMTP session *
1963 *************************************************/
1965 /* This function is called at the start of an SMTP session. Thereafter,
1966 smtp_setup_msg() is called to initiate each separate message. This
1967 function does host-specific testing, and outputs the banner line.
1970 Returns: FALSE if the session can not continue; something has
1971 gone wrong, or the connection to the host is blocked
1975 smtp_start_session(void)
1979 uschar *user_msg, *log_msg;
1983 smtp_connection_start = time(NULL);
1984 for (smtp_ch_index = 0; smtp_ch_index < SMTP_HBUFF_SIZE; smtp_ch_index++)
1985 smtp_connection_had[smtp_ch_index] = SCH_NONE;
1988 /* Default values for certain variables */
1990 helo_seen = esmtp = helo_accept_junk = FALSE;
1991 smtp_mailcmd_count = 0;
1992 count_nonmail = TRUE_UNSET;
1993 synprot_error_count = unknown_command_count = nonmail_command_count = 0;
1994 smtp_delay_mail = smtp_rlm_base;
1995 auth_advertised = FALSE;
1996 pipelining_advertised = FALSE;
1997 pipelining_enable = TRUE;
1998 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
1999 smtp_exit_function_called = FALSE; /* For avoiding loop in not-quit exit */
2001 /* If receiving by -bs from a trusted user, or testing with -bh, we allow
2002 authentication settings from -oMaa to remain in force. */
2004 if (!host_checking && !sender_host_notsocket) sender_host_authenticated = NULL;
2005 authenticated_by = NULL;
2008 tls_in.cipher = tls_in.peerdn = NULL;
2009 tls_in.ourcert = tls_in.peercert = NULL;
2011 tls_in.ocsp = OCSP_NOT_REQ;
2012 tls_advertised = FALSE;
2014 dsn_advertised = FALSE;
2016 smtputf8_advertised = FALSE;
2019 /* Reset ACL connection variables */
2023 /* Allow for trailing 0 in the command and data buffers. */
2025 smtp_cmd_buffer = (uschar *)malloc(2*smtp_cmd_buffer_size + 2);
2026 if (smtp_cmd_buffer == NULL)
2027 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2028 "malloc() failed for SMTP command buffer");
2029 smtp_cmd_buffer[0] = 0;
2030 smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;
2032 /* For batched input, the protocol setting can be overridden from the
2033 command line by a trusted caller. */
2035 if (smtp_batched_input)
2037 if (received_protocol == NULL) received_protocol = US"local-bsmtp";
2040 /* For non-batched SMTP input, the protocol setting is forced here. It will be
2041 reset later if any of EHLO/AUTH/STARTTLS are received. */
2045 (sender_host_address ? protocols : protocols_local) [pnormal];
2047 /* Set up the buffer for inputting using direct read() calls, and arrange to
2048 call the local functions instead of the standard C ones. */
2050 smtp_inbuffer = (uschar *)malloc(in_buffer_size);
2051 if (smtp_inbuffer == NULL)
2052 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
2053 receive_getc = smtp_getc;
2054 receive_ungetc = smtp_ungetc;
2055 receive_feof = smtp_feof;
2056 receive_ferror = smtp_ferror;
2057 receive_smtp_buffered = smtp_buffered;
2058 smtp_inptr = smtp_inend = smtp_inbuffer;
2059 smtp_had_eof = smtp_had_error = 0;
2061 /* Set up the message size limit; this may be host-specific */
2063 thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
2064 if (expand_string_message != NULL)
2066 if (thismessage_size_limit == -1)
2067 log_write(0, LOG_MAIN|LOG_PANIC, "unable to expand message_size_limit: "
2068 "%s", expand_string_message);
2070 log_write(0, LOG_MAIN|LOG_PANIC, "invalid message_size_limit: "
2071 "%s", expand_string_message);
2072 smtp_closedown(US"Temporary local problem - please try later");
2076 /* When a message is input locally via the -bs or -bS options, sender_host_
2077 unknown is set unless -oMa was used to force an IP address, in which case it
2078 is checked like a real remote connection. When -bs is used from inetd, this
2079 flag is not set, causing the sending host to be checked. The code that deals
2080 with IP source routing (if configured) is never required for -bs or -bS and
2081 the flag sender_host_notsocket is used to suppress it.
2083 If smtp_accept_max and smtp_accept_reserve are set, keep some connections in
2084 reserve for certain hosts and/or networks. */
2086 if (!sender_host_unknown)
2089 BOOL reserved_host = FALSE;
2091 /* Look up IP options (source routing info) on the socket if this is not an
2092 -oMa "host", and if any are found, log them and drop the connection.
2094 Linux (and others now, see below) is different to everyone else, so there
2095 has to be some conditional compilation here. Versions of Linux before 2.1.15
2096 used a structure whose name was "options". Somebody finally realized that
2097 this name was silly, and it got changed to "ip_options". I use the
2098 newer name here, but there is a fudge in the script that sets up os.h
2099 to define a macro in older Linux systems.
2101 Sigh. Linux is a fast-moving target. Another generation of Linux uses
2102 glibc 2, which has chosen ip_opts for the structure name. This is now
2103 really a glibc thing rather than a Linux thing, so the condition name
2104 has been changed to reflect this. It is relevant also to GNU/Hurd.
2106 Mac OS 10.x (Darwin) is like the later glibc versions, but without the
2107 setting of the __GLIBC__ macro, so we can't detect it automatically. There's
2108 a special macro defined in the os.h file.
2110 Some DGUX versions on older hardware appear not to support IP options at
2111 all, so there is now a general macro which can be set to cut out this
2114 How to do this properly in IPv6 is not yet known. */
2116 #if !HAVE_IPV6 && !defined(NO_IP_OPTIONS)
2118 #ifdef GLIBC_IP_OPTIONS
2119 #if (!defined __GLIBC__) || (__GLIBC__ < 2)
2124 #elif defined DARWIN_IP_OPTIONS
2130 if (!host_checking && !sender_host_notsocket)
2133 EXIM_SOCKLEN_T optlen = sizeof(struct ip_options) + MAX_IPOPTLEN;
2134 struct ip_options *ipopt = store_get(optlen);
2136 struct ip_opts ipoptblock;
2137 struct ip_opts *ipopt = &ipoptblock;
2138 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
2140 struct ipoption ipoptblock;
2141 struct ipoption *ipopt = &ipoptblock;
2142 EXIM_SOCKLEN_T optlen = sizeof(ipoptblock);
2145 /* Occasional genuine failures of getsockopt() have been seen - for
2146 example, "reset by peer". Therefore, just log and give up on this
2147 call, unless the error is ENOPROTOOPT. This error is given by systems
2148 that have the interfaces but not the mechanism - e.g. GNU/Hurd at the time
2149 of writing. So for that error, carry on - we just can't do an IP options
2152 DEBUG(D_receive) debug_printf("checking for IP options\n");
2154 if (getsockopt(fileno(smtp_out), IPPROTO_IP, IP_OPTIONS, (uschar *)(ipopt),
2157 if (errno != ENOPROTOOPT)
2159 log_write(0, LOG_MAIN, "getsockopt() failed from %s: %s",
2160 host_and_ident(FALSE), strerror(errno));
2161 smtp_printf("451 SMTP service not available\r\n");
2166 /* Deal with any IP options that are set. On the systems I have looked at,
2167 the value of MAX_IPOPTLEN has been 40, meaning that there should never be
2168 more logging data than will fit in big_buffer. Nevertheless, after somebody
2169 questioned this code, I've added in some paranoid checking. */
2171 else if (optlen > 0)
2173 uschar *p = big_buffer;
2174 uschar *pend = big_buffer + big_buffer_size;
2175 uschar *opt, *adptr;
2177 struct in_addr addr;
2180 uschar *optstart = (uschar *)(ipopt->__data);
2182 uschar *optstart = (uschar *)(ipopt->ip_opts);
2184 uschar *optstart = (uschar *)(ipopt->ipopt_list);
2187 DEBUG(D_receive) debug_printf("IP options exist\n");
2189 Ustrcpy(p, "IP options on incoming call:");
2192 for (opt = optstart; opt != NULL &&
2193 opt < (uschar *)(ipopt) + optlen;)
2207 if (!string_format(p, pend-p, " %s [@%s",
2208 (*opt == IPOPT_SSRR)? "SSRR" : "LSRR",
2210 inet_ntoa(*((struct in_addr *)(&(ipopt->faddr))))))
2212 inet_ntoa(ipopt->ip_dst)))
2214 inet_ntoa(ipopt->ipopt_dst)))
2222 optcount = (opt[1] - 3) / sizeof(struct in_addr);
2224 while (optcount-- > 0)
2226 memcpy(&addr, adptr, sizeof(addr));
2227 if (!string_format(p, pend - p - 1, "%s%s",
2228 (optcount == 0)? ":" : "@", inet_ntoa(addr)))
2234 adptr += sizeof(struct in_addr);
2243 if (pend - p < 4 + 3*opt[1]) { opt = NULL; break; }
2246 for (i = 0; i < opt[1]; i++)
2248 sprintf(CS p, "%2.2x ", opt[i]);
2259 log_write(0, LOG_MAIN, "%s", big_buffer);
2261 /* Refuse any call with IP options. This is what tcpwrappers 7.5 does. */
2263 log_write(0, LOG_MAIN|LOG_REJECT,
2264 "connection from %s refused (IP options)", host_and_ident(FALSE));
2266 smtp_printf("554 SMTP service not available\r\n");
2270 /* Length of options = 0 => there are no options */
2272 else DEBUG(D_receive) debug_printf("no IP options found\n");
2274 #endif /* HAVE_IPV6 && !defined(NO_IP_OPTIONS) */
2276 /* Set keep-alive in socket options. The option is on by default. This
2277 setting is an attempt to get rid of some hanging connections that stick in
2278 read() when the remote end (usually a dialup) goes away. */
2280 if (smtp_accept_keepalive && !sender_host_notsocket)
2281 ip_keepalive(fileno(smtp_out), sender_host_address, FALSE);
2283 /* If the current host matches host_lookup, set the name by doing a
2284 reverse lookup. On failure, sender_host_name will be NULL and
2285 host_lookup_failed will be TRUE. This may or may not be serious - optional
2288 if (verify_check_host(&host_lookup) == OK)
2290 (void)host_name_lookup();
2291 host_build_sender_fullhost();
2294 /* Delay this until we have the full name, if it is looked up. */
2296 set_process_info("handling incoming connection from %s",
2297 host_and_ident(FALSE));
2299 /* Expand smtp_receive_timeout, if needed */
2301 if (smtp_receive_timeout_s)
2304 if ( !(exp = expand_string(smtp_receive_timeout_s))
2306 || (smtp_receive_timeout = readconf_readtime(exp, 0, FALSE)) < 0
2308 log_write(0, LOG_MAIN|LOG_PANIC,
2309 "bad value for smtp_receive_timeout: '%s'", exp ? exp : US"");
2312 /* Start up TLS if tls_on_connect is set. This is for supporting the legacy
2313 smtps port for use with older style SSL MTAs. */
2316 if (tls_in.on_connect && tls_server_start(tls_require_ciphers) != OK)
2320 /* Test for explicit connection rejection */
2322 if (verify_check_host(&host_reject_connection) == OK)
2324 log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
2325 "from %s (host_reject_connection)", host_and_ident(FALSE));
2326 smtp_printf("554 SMTP service not available\r\n");
2330 /* Test with TCP Wrappers if so configured. There is a problem in that
2331 hosts_ctl() returns 0 (deny) under a number of system failure circumstances,
2332 such as disks dying. In these cases, it is desirable to reject with a 4xx
2333 error instead of a 5xx error. There isn't a "right" way to detect such
2334 problems. The following kludge is used: errno is zeroed before calling
2335 hosts_ctl(). If the result is "reject", a 5xx error is given only if the
2336 value of errno is 0 or ENOENT (which happens if /etc/hosts.{allow,deny} does
2339 #ifdef USE_TCP_WRAPPERS
2341 tcp_wrappers_name = expand_string(tcp_wrappers_daemon_name);
2342 if (tcp_wrappers_name == NULL)
2344 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
2345 "(tcp_wrappers_name) failed: %s", string_printing(tcp_wrappers_name),
2346 expand_string_message);
2348 if (!hosts_ctl(tcp_wrappers_name,
2349 (sender_host_name == NULL)? STRING_UNKNOWN : CS sender_host_name,
2350 (sender_host_address == NULL)? STRING_UNKNOWN : CS sender_host_address,
2351 (sender_ident == NULL)? STRING_UNKNOWN : CS sender_ident))
2353 if (errno == 0 || errno == ENOENT)
2355 HDEBUG(D_receive) debug_printf("tcp wrappers rejection\n");
2356 log_write(L_connection_reject,
2357 LOG_MAIN|LOG_REJECT, "refused connection from %s "
2358 "(tcp wrappers)", host_and_ident(FALSE));
2359 smtp_printf("554 SMTP service not available\r\n");
2363 int save_errno = errno;
2364 HDEBUG(D_receive) debug_printf("tcp wrappers rejected with unexpected "
2365 "errno value %d\n", save_errno);
2366 log_write(L_connection_reject,
2367 LOG_MAIN|LOG_REJECT, "temporarily refused connection from %s "
2368 "(tcp wrappers errno=%d)", host_and_ident(FALSE), save_errno);
2369 smtp_printf("451 Temporary local problem - please try later\r\n");
2375 /* Check for reserved slots. The value of smtp_accept_count has already been
2376 incremented to include this process. */
2378 if (smtp_accept_max > 0 &&
2379 smtp_accept_count > smtp_accept_max - smtp_accept_reserve)
2381 if ((rc = verify_check_host(&smtp_reserve_hosts)) != OK)
2383 log_write(L_connection_reject,
2384 LOG_MAIN, "temporarily refused connection from %s: not in "
2385 "reserve list: connected=%d max=%d reserve=%d%s",
2386 host_and_ident(FALSE), smtp_accept_count - 1, smtp_accept_max,
2387 smtp_accept_reserve, (rc == DEFER)? " (lookup deferred)" : "");
2388 smtp_printf("421 %s: Too many concurrent SMTP connections; "
2389 "please try again later\r\n", smtp_active_hostname);
2392 reserved_host = TRUE;
2395 /* If a load level above which only messages from reserved hosts are
2396 accepted is set, check the load. For incoming calls via the daemon, the
2397 check is done in the superior process if there are no reserved hosts, to
2398 save a fork. In all cases, the load average will already be available
2399 in a global variable at this point. */
2401 if (smtp_load_reserve >= 0 &&
2402 load_average > smtp_load_reserve &&
2404 verify_check_host(&smtp_reserve_hosts) != OK)
2406 log_write(L_connection_reject,
2407 LOG_MAIN, "temporarily refused connection from %s: not in "
2408 "reserve list and load average = %.2f", host_and_ident(FALSE),
2409 (double)load_average/1000.0);
2410 smtp_printf("421 %s: Too much load; please try again later\r\n",
2411 smtp_active_hostname);
2415 /* Determine whether unqualified senders or recipients are permitted
2416 for this host. Unfortunately, we have to do this every time, in order to
2417 set the flags so that they can be inspected when considering qualifying
2418 addresses in the headers. For a site that permits no qualification, this
2419 won't take long, however. */
2421 allow_unqualified_sender =
2422 verify_check_host(&sender_unqualified_hosts) == OK;
2424 allow_unqualified_recipient =
2425 verify_check_host(&recipient_unqualified_hosts) == OK;
2427 /* Determine whether HELO/EHLO is required for this host. The requirement
2428 can be hard or soft. */
2430 helo_required = verify_check_host(&helo_verify_hosts) == OK;
2432 helo_verify = verify_check_host(&helo_try_verify_hosts) == OK;
2434 /* Determine whether this hosts is permitted to send syntactic junk
2435 after a HELO or EHLO command. */
2437 helo_accept_junk = verify_check_host(&helo_accept_junk_hosts) == OK;
2440 /* For batch SMTP input we are now done. */
2442 if (smtp_batched_input) return TRUE;
2444 #ifdef SUPPORT_PROXY
2445 /* If valid Proxy Protocol source is connecting, set up session.
2446 * Failure will not allow any SMTP function other than QUIT. */
2447 proxy_session = FALSE;
2448 proxy_session_failed = FALSE;
2449 if (check_proxy_protocol_host())
2451 if (setup_proxy_protocol_host() == FALSE)
2453 proxy_session_failed = TRUE;
2455 debug_printf("Failure to extract proxied host, only QUIT allowed\n");
2459 sender_host_name = NULL;
2460 (void)host_name_lookup();
2461 host_build_sender_fullhost();
2466 /* Run the ACL if it exists */
2469 if (acl_smtp_connect != NULL)
2472 rc = acl_check(ACL_WHERE_CONNECT, NULL, acl_smtp_connect, &user_msg,
2476 (void)smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
2481 /* Output the initial message for a two-way SMTP connection. It may contain
2482 newlines, which then cause a multi-line response to be given. */
2484 code = US"220"; /* Default status code */
2485 esc = US""; /* Default extended status code */
2486 esclen = 0; /* Length of esc */
2490 if (!(s = expand_string(smtp_banner)))
2491 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" (smtp_banner) "
2492 "failed: %s", smtp_banner, expand_string_message);
2498 smtp_message_code(&code, &codelen, &s, NULL, TRUE);
2502 esclen = codelen - 4;
2506 /* Remove any terminating newlines; might as well remove trailing space too */
2509 while (p > s && isspace(p[-1])) p--;
2512 /* It seems that CC:Mail is braindead, and assumes that the greeting message
2513 is all contained in a single IP packet. The original code wrote out the
2514 greeting using several calls to fprint/fputc, and on busy servers this could
2515 cause it to be split over more than one packet - which caused CC:Mail to fall
2516 over when it got the second part of the greeting after sending its first
2517 command. Sigh. To try to avoid this, build the complete greeting message
2518 first, and output it in one fell swoop. This gives a better chance of it
2519 ending up as a single packet. */
2521 ss = store_get(size);
2525 do /* At least once, in case we have an empty string */
2528 uschar *linebreak = Ustrchr(p, '\n');
2529 ss = string_catn(ss, &size, &ptr, code, 3);
2530 if (linebreak == NULL)
2533 ss = string_catn(ss, &size, &ptr, US" ", 1);
2537 len = linebreak - p;
2538 ss = string_catn(ss, &size, &ptr, US"-", 1);
2540 ss = string_catn(ss, &size, &ptr, esc, esclen);
2541 ss = string_catn(ss, &size, &ptr, p, len);
2542 ss = string_catn(ss, &size, &ptr, US"\r\n", 2);
2544 if (linebreak != NULL) p++;
2548 ss[ptr] = 0; /* string_cat leaves room for this */
2550 /* Before we write the banner, check that there is no input pending, unless
2551 this synchronisation check is disabled. */
2555 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol "
2556 "synchronization error (input sent without waiting for greeting): "
2557 "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
2558 string_printing(smtp_inptr));
2559 smtp_printf("554 SMTP synchronization error\r\n");
2563 /* Now output the banner */
2565 smtp_printf("%s", ss);
2573 /*************************************************
2574 * Handle SMTP syntax and protocol errors *
2575 *************************************************/
2577 /* Write to the log for SMTP syntax errors in incoming commands, if configured
2578 to do so. Then transmit the error response. The return value depends on the
2579 number of syntax and protocol errors in this SMTP session.
2582 type error type, given as a log flag bit
2583 code response code; <= 0 means don't send a response
2584 data data to reflect in the response (can be NULL)
2585 errmess the error message
2587 Returns: -1 limit of syntax/protocol errors NOT exceeded
2588 +1 limit of syntax/protocol errors IS exceeded
2590 These values fit in with the values of the "done" variable in the main
2591 processing loop in smtp_setup_msg(). */
2594 synprot_error(int type, int code, uschar *data, uschar *errmess)
2598 log_write(type, LOG_MAIN, "SMTP %s error in \"%s\" %s %s",
2599 (type == L_smtp_syntax_error)? "syntax" : "protocol",
2600 string_printing(smtp_cmd_buffer), host_and_ident(TRUE), errmess);
2602 if (++synprot_error_count > smtp_max_synprot_errors)
2605 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
2606 "syntax or protocol errors (last command was \"%s\")",
2607 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
2612 smtp_printf("%d%c%s%s%s\r\n", code, (yield == 1)? '-' : ' ',
2613 (data == NULL)? US"" : data, (data == NULL)? US"" : US": ", errmess);
2615 smtp_printf("%d Too many syntax or protocol errors\r\n", code);
2624 /*************************************************
2625 * Log incomplete transactions *
2626 *************************************************/
2628 /* This function is called after a transaction has been aborted by RSET, QUIT,
2629 connection drops or other errors. It logs the envelope information received
2630 so far in order to preserve address verification attempts.
2632 Argument: string to indicate what aborted the transaction
2637 incomplete_transaction_log(uschar *what)
2639 if (sender_address == NULL || /* No transaction in progress */
2640 !LOGGING(smtp_incomplete_transaction))
2643 /* Build list of recipients for logging */
2645 if (recipients_count > 0)
2648 raw_recipients = store_get(recipients_count * sizeof(uschar *));
2649 for (i = 0; i < recipients_count; i++)
2650 raw_recipients[i] = recipients_list[i].address;
2651 raw_recipients_count = recipients_count;
2654 log_write(L_smtp_incomplete_transaction, LOG_MAIN|LOG_SENDER|LOG_RECIPIENTS,
2655 "%s incomplete transaction (%s)", host_and_ident(TRUE), what);
2661 /*************************************************
2662 * Send SMTP response, possibly multiline *
2663 *************************************************/
2665 /* There are, it seems, broken clients out there that cannot handle multiline
2666 responses. If no_multiline_responses is TRUE (it can be set from an ACL), we
2667 output nothing for non-final calls, and only the first line for anything else.
2670 code SMTP code, may involve extended status codes
2671 codelen length of smtp code; if > 4 there's an ESC
2672 final FALSE if the last line isn't the final line
2673 msg message text, possibly containing newlines
2679 smtp_respond(uschar* code, int codelen, BOOL final, uschar *msg)
2684 if (!final && no_multiline_responses) return;
2689 esclen = codelen - 4;
2692 /* If this is the first output for a (non-batch) RCPT command, see if all RCPTs
2693 have had the same. Note: this code is also present in smtp_printf(). It would
2694 be tidier to have it only in one place, but when it was added, it was easier to
2695 do it that way, so as not to have to mess with the code for the RCPT command,
2696 which sometimes uses smtp_printf() and sometimes smtp_respond(). */
2698 if (rcpt_in_progress)
2700 if (rcpt_smtp_response == NULL)
2701 rcpt_smtp_response = string_copy(msg);
2702 else if (rcpt_smtp_response_same &&
2703 Ustrcmp(rcpt_smtp_response, msg) != 0)
2704 rcpt_smtp_response_same = FALSE;
2705 rcpt_in_progress = FALSE;
2708 /* Not output the message, splitting it up into multiple lines if necessary. */
2712 uschar *nl = Ustrchr(msg, '\n');
2715 smtp_printf("%.3s%c%.*s%s\r\n", code, final? ' ':'-', esclen, esc, msg);
2718 else if (nl[1] == 0 || no_multiline_responses)
2720 smtp_printf("%.3s%c%.*s%.*s\r\n", code, final? ' ':'-', esclen, esc,
2721 (int)(nl - msg), msg);
2726 smtp_printf("%.3s-%.*s%.*s\r\n", code, esclen, esc, (int)(nl - msg), msg);
2728 while (isspace(*msg)) msg++;
2736 /*************************************************
2737 * Parse user SMTP message *
2738 *************************************************/
2740 /* This function allows for user messages overriding the response code details
2741 by providing a suitable response code string at the start of the message
2742 user_msg. Check the message for starting with a response code and optionally an
2743 extended status code. If found, check that the first digit is valid, and if so,
2744 change the code pointer and length to use the replacement. An invalid code
2745 causes a panic log; in this case, if the log messages is the same as the user
2746 message, we must also adjust the value of the log message to show the code that
2747 is actually going to be used (the original one).
2749 This function is global because it is called from receive.c as well as within
2752 Note that the code length returned includes the terminating whitespace
2753 character, which is always included in the regex match.
2756 code SMTP code, may involve extended status codes
2757 codelen length of smtp code; if > 4 there's an ESC
2759 log_msg optional log message, to be adjusted with the new SMTP code
2760 check_valid if true, verify the response code
2766 smtp_message_code(uschar **code, int *codelen, uschar **msg, uschar **log_msg,
2772 if (!msg || !*msg) return;
2774 if ((n = pcre_exec(regex_smtp_code, NULL, CS *msg, Ustrlen(*msg), 0,
2775 PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int))) < 0) return;
2777 if (check_valid && (*msg)[0] != (*code)[0])
2779 log_write(0, LOG_MAIN|LOG_PANIC, "configured error code starts with "
2780 "incorrect digit (expected %c) in \"%s\"", (*code)[0], *msg);
2781 if (log_msg != NULL && *log_msg == *msg)
2782 *log_msg = string_sprintf("%s %s", *code, *log_msg + ovector[1]);
2787 *codelen = ovector[1]; /* Includes final space */
2789 *msg += ovector[1]; /* Chop the code off the message */
2796 /*************************************************
2797 * Handle an ACL failure *
2798 *************************************************/
2800 /* This function is called when acl_check() fails. As well as calls from within
2801 this module, it is called from receive.c for an ACL after DATA. It sorts out
2802 logging the incident, and sets up the error response. A message containing
2803 newlines is turned into a multiline SMTP response, but for logging, only the
2806 There's a table of default permanent failure response codes to use in
2807 globals.c, along with the table of names. VFRY is special. Despite RFC1123 it
2808 defaults disabled in Exim. However, discussion in connection with RFC 821bis
2809 (aka RFC 2821) has concluded that the response should be 252 in the disabled
2810 state, because there are broken clients that try VRFY before RCPT. A 5xx
2811 response should be given only when the address is positively known to be
2812 undeliverable. Sigh. We return 252 if there is no VRFY ACL or it provides
2813 no explicit code, but if there is one we let it know best.
2814 Also, for ETRN, 458 is given on refusal, and for AUTH, 503.
2816 From Exim 4.63, it is possible to override the response code details by
2817 providing a suitable response code string at the start of the message provided
2818 in user_msg. The code's first digit is checked for validity.
2821 where where the ACL was called from
2823 user_msg a message that can be included in an SMTP response
2824 log_msg a message for logging
2826 Returns: 0 in most cases
2827 2 if the failure code was FAIL_DROP, in which case the
2828 SMTP connection should be dropped (this value fits with the
2829 "done" variable in smtp_setup_msg() below)
2833 smtp_handle_acl_fail(int where, int rc, uschar *user_msg, uschar *log_msg)
2835 BOOL drop = rc == FAIL_DROP;
2839 uschar *sender_info = US"";
2841 #ifdef WITH_CONTENT_SCAN
2842 (where == ACL_WHERE_MIME)? US"during MIME ACL checks" :
2844 (where == ACL_WHERE_PREDATA)? US"DATA" :
2845 (where == ACL_WHERE_DATA)? US"after DATA" :
2846 #ifndef DISABLE_PRDR
2847 (where == ACL_WHERE_PRDR)? US"after DATA PRDR" :
2849 (smtp_cmd_data == NULL)?
2850 string_sprintf("%s in \"connect\" ACL", acl_wherenames[where]) :
2851 string_sprintf("%s %s", acl_wherenames[where], smtp_cmd_data);
2853 if (drop) rc = FAIL;
2855 /* Set the default SMTP code, and allow a user message to change it. */
2857 smtp_code = rc == FAIL ? acl_wherecodes[where] : US"451";
2858 smtp_message_code(&smtp_code, &codelen, &user_msg, &log_msg,
2859 where != ACL_WHERE_VRFY);
2861 /* We used to have sender_address here; however, there was a bug that was not
2862 updating sender_address after a rewrite during a verify. When this bug was
2863 fixed, sender_address at this point became the rewritten address. I'm not sure
2864 this is what should be logged, so I've changed to logging the unrewritten
2865 address to retain backward compatibility. */
2867 #ifndef WITH_CONTENT_SCAN
2868 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA)
2870 if (where == ACL_WHERE_RCPT || where == ACL_WHERE_DATA || where == ACL_WHERE_MIME)
2873 sender_info = string_sprintf("F=<%s>%s%s%s%s ",
2874 sender_address_unrewritten ? sender_address_unrewritten : sender_address,
2875 sender_host_authenticated ? US" A=" : US"",
2876 sender_host_authenticated ? sender_host_authenticated : US"",
2877 sender_host_authenticated && authenticated_id ? US":" : US"",
2878 sender_host_authenticated && authenticated_id ? authenticated_id : US""
2882 /* If there's been a sender verification failure with a specific message, and
2883 we have not sent a response about it yet, do so now, as a preliminary line for
2884 failures, but not defers. However, always log it for defer, and log it for fail
2885 unless the sender_verify_fail log selector has been turned off. */
2887 if (sender_verified_failed != NULL &&
2888 !testflag(sender_verified_failed, af_sverify_told))
2890 BOOL save_rcpt_in_progress = rcpt_in_progress;
2891 rcpt_in_progress = FALSE; /* So as not to treat these as the error */
2893 setflag(sender_verified_failed, af_sverify_told);
2895 if (rc != FAIL || LOGGING(sender_verify_fail))
2896 log_write(0, LOG_MAIN|LOG_REJECT, "%s sender verify %s for <%s>%s",
2897 host_and_ident(TRUE),
2898 ((sender_verified_failed->special_action & 255) == DEFER)? "defer":"fail",
2899 sender_verified_failed->address,
2900 (sender_verified_failed->message == NULL)? US"" :
2901 string_sprintf(": %s", sender_verified_failed->message));
2903 if (rc == FAIL && sender_verified_failed->user_message != NULL)
2904 smtp_respond(smtp_code, codelen, FALSE, string_sprintf(
2905 testflag(sender_verified_failed, af_verify_pmfail)?
2906 "Postmaster verification failed while checking <%s>\n%s\n"
2907 "Several RFCs state that you are required to have a postmaster\n"
2908 "mailbox for each mail domain. This host does not accept mail\n"
2909 "from domains whose servers reject the postmaster address."
2911 testflag(sender_verified_failed, af_verify_nsfail)?
2912 "Callback setup failed while verifying <%s>\n%s\n"
2913 "The initial connection, or a HELO or MAIL FROM:<> command was\n"
2914 "rejected. Refusing MAIL FROM:<> does not help fight spam, disregards\n"
2915 "RFC requirements, and stops you from receiving standard bounce\n"
2916 "messages. This host does not accept mail from domains whose servers\n"
2919 "Verification failed for <%s>\n%s",
2920 sender_verified_failed->address,
2921 sender_verified_failed->user_message));
2923 rcpt_in_progress = save_rcpt_in_progress;
2926 /* Sort out text for logging */
2928 log_msg = (log_msg == NULL)? US"" : string_sprintf(": %s", log_msg);
2929 lognl = Ustrchr(log_msg, '\n');
2930 if (lognl != NULL) *lognl = 0;
2932 /* Send permanent failure response to the command, but the code used isn't
2933 always a 5xx one - see comments at the start of this function. If the original
2934 rc was FAIL_DROP we drop the connection and yield 2. */
2936 if (rc == FAIL) smtp_respond(smtp_code, codelen, TRUE, (user_msg == NULL)?
2937 US"Administrative prohibition" : user_msg);
2939 /* Send temporary failure response to the command. Don't give any details,
2940 unless acl_temp_details is set. This is TRUE for a callout defer, a "defer"
2941 verb, and for a header verify when smtp_return_error_details is set.
2943 This conditional logic is all somewhat of a mess because of the odd
2944 interactions between temp_details and return_error_details. One day it should
2945 be re-implemented in a tidier fashion. */
2949 if (acl_temp_details && user_msg != NULL)
2951 if (smtp_return_error_details &&
2952 sender_verified_failed != NULL &&
2953 sender_verified_failed->message != NULL)
2955 smtp_respond(smtp_code, codelen, FALSE, sender_verified_failed->message);
2957 smtp_respond(smtp_code, codelen, TRUE, user_msg);
2960 smtp_respond(smtp_code, codelen, TRUE,
2961 US"Temporary local problem - please try later");
2964 /* Log the incident to the logs that are specified by log_reject_target
2965 (default main, reject). This can be empty to suppress logging of rejections. If
2966 the connection is not forcibly to be dropped, return 0. Otherwise, log why it
2967 is closing if required and return 2. */
2969 if (log_reject_target != 0)
2972 uschar * tls = s_tlslog(NULL, NULL, NULL);
2973 if (!tls) tls = US"";
2975 uschar * tls = US"";
2977 log_write(0, log_reject_target, "%s%s%s %s%srejected %s%s",
2978 LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
2979 host_and_ident(TRUE),
2982 rc == FAIL ? US"" : US"temporarily ",
2986 if (!drop) return 0;
2988 log_write(L_smtp_connection, LOG_MAIN, "%s closed by DROP in ACL",
2989 smtp_get_connection_info());
2991 /* Run the not-quit ACL, but without any custom messages. This should not be a
2992 problem, because we get here only if some other ACL has issued "drop", and
2993 in that case, *its* custom messages will have been used above. */
2995 smtp_notquit_exit(US"acl-drop", NULL, NULL);
3002 /*************************************************
3003 * Handle SMTP exit when QUIT is not given *
3004 *************************************************/
3006 /* This function provides a logging/statistics hook for when an SMTP connection
3007 is dropped on the floor or the other end goes away. It's a global function
3008 because it's called from receive.c as well as this module. As well as running
3009 the NOTQUIT ACL, if there is one, this function also outputs a final SMTP
3010 response, either with a custom message from the ACL, or using a default. There
3011 is one case, however, when no message is output - after "drop". In that case,
3012 the ACL that obeyed "drop" has already supplied the custom message, and NULL is
3013 passed to this function.
3015 In case things go wrong while processing this function, causing an error that
3016 may re-enter this funtion, there is a recursion check.
3019 reason What $smtp_notquit_reason will be set to in the ACL;
3020 if NULL, the ACL is not run
3021 code The error code to return as part of the response
3022 defaultrespond The default message if there's no user_msg
3028 smtp_notquit_exit(uschar *reason, uschar *code, uschar *defaultrespond, ...)
3031 uschar *user_msg = NULL;
3032 uschar *log_msg = NULL;
3034 /* Check for recursive acll */
3036 if (smtp_exit_function_called)
3038 log_write(0, LOG_PANIC, "smtp_notquit_exit() called more than once (%s)",
3042 smtp_exit_function_called = TRUE;
3044 /* Call the not-QUIT ACL, if there is one, unless no reason is given. */
3046 if (acl_smtp_notquit != NULL && reason != NULL)
3048 smtp_notquit_reason = reason;
3049 rc = acl_check(ACL_WHERE_NOTQUIT, NULL, acl_smtp_notquit, &user_msg,
3052 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for not-QUIT returned ERROR: %s",
3056 /* Write an SMTP response if we are expected to give one. As the default
3057 responses are all internal, they should always fit in the buffer, but code a
3058 warning, just in case. Note that string_vformat() still leaves a complete
3059 string, even if it is incomplete. */
3061 if (code != NULL && defaultrespond != NULL)
3063 if (user_msg == NULL)
3067 va_start(ap, defaultrespond);
3068 if (!string_vformat(buffer, sizeof(buffer), CS defaultrespond, ap))
3069 log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_notquit_exit()");
3070 smtp_printf("%s %s\r\n", code, buffer);
3074 smtp_respond(code, 3, TRUE, user_msg);
3082 /*************************************************
3083 * Verify HELO argument *
3084 *************************************************/
3086 /* This function is called if helo_verify_hosts or helo_try_verify_hosts is
3087 matched. It is also called from ACL processing if verify = helo is used and
3088 verification was not previously tried (i.e. helo_try_verify_hosts was not
3089 matched). The result of its processing is to set helo_verified and
3090 helo_verify_failed. These variables should both be FALSE for this function to
3093 Note that EHLO/HELO is legitimately allowed to quote an address literal. Allow
3094 for IPv6 ::ffff: literals.
3097 Returns: TRUE if testing was completed;
3098 FALSE on a temporary failure
3102 smtp_verify_helo(void)
3106 HDEBUG(D_receive) debug_printf("verifying EHLO/HELO argument \"%s\"\n",
3109 if (sender_helo_name == NULL)
3111 HDEBUG(D_receive) debug_printf("no EHLO/HELO command was issued\n");
3114 /* Deal with the case of -bs without an IP address */
3116 else if (sender_host_address == NULL)
3118 HDEBUG(D_receive) debug_printf("no client IP address: assume success\n");
3119 helo_verified = TRUE;
3122 /* Deal with the more common case when there is a sending IP address */
3124 else if (sender_helo_name[0] == '[')
3126 helo_verified = Ustrncmp(sender_helo_name+1, sender_host_address,
3127 Ustrlen(sender_host_address)) == 0;
3132 if (strncmpic(sender_host_address, US"::ffff:", 7) == 0)
3133 helo_verified = Ustrncmp(sender_helo_name + 1,
3134 sender_host_address + 7, Ustrlen(sender_host_address) - 7) == 0;
3139 { if (helo_verified) debug_printf("matched host address\n"); }
3142 /* Do a reverse lookup if one hasn't already given a positive or negative
3143 response. If that fails, or the name doesn't match, try checking with a forward
3148 if (sender_host_name == NULL && !host_lookup_failed)
3149 yield = host_name_lookup() != DEFER;
3151 /* If a host name is known, check it and all its aliases. */
3153 if (sender_host_name)
3154 if ((helo_verified = strcmpic(sender_host_name, sender_helo_name) == 0))
3156 sender_helo_dnssec = sender_host_dnssec;
3157 HDEBUG(D_receive) debug_printf("matched host name\n");
3161 uschar **aliases = sender_host_aliases;
3163 if ((helo_verified = strcmpic(*aliases++, sender_helo_name) == 0))
3165 sender_helo_dnssec = sender_host_dnssec;
3169 HDEBUG(D_receive) if (helo_verified)
3170 debug_printf("matched alias %s\n", *(--aliases));
3173 /* Final attempt: try a forward lookup of the helo name */
3182 h.name = sender_helo_name;
3189 HDEBUG(D_receive) debug_printf("getting IP address for %s\n",
3191 rc = host_find_bydns(&h, NULL, HOST_FIND_BY_A,
3192 NULL, NULL, NULL, &d, NULL, NULL);
3193 if (rc == HOST_FOUND || rc == HOST_FOUND_LOCAL)
3194 for (hh = &h; hh; hh = hh->next)
3195 if (Ustrcmp(hh->address, sender_host_address) == 0)
3197 helo_verified = TRUE;
3198 if (h.dnssec == DS_YES) sender_helo_dnssec = TRUE;
3201 debug_printf("IP address for %s matches calling address\n"
3202 "Forward DNS security status: %sverified\n",
3203 sender_helo_name, sender_helo_dnssec ? "" : "un");
3210 if (!helo_verified) helo_verify_failed = TRUE; /* We've tried ... */
3217 /*************************************************
3218 * Send user response message *
3219 *************************************************/
3221 /* This function is passed a default response code and a user message. It calls
3222 smtp_message_code() to check and possibly modify the response code, and then
3223 calls smtp_respond() to transmit the response. I put this into a function
3224 just to avoid a lot of repetition.
3227 code the response code
3228 user_msg the user message
3234 smtp_user_msg(uschar *code, uschar *user_msg)
3237 smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
3238 smtp_respond(code, len, TRUE, user_msg);
3244 smtp_in_auth(auth_instance *au, uschar ** s, uschar ** ss)
3246 const uschar *set_id = NULL;
3249 /* Run the checking code, passing the remainder of the command line as
3250 data. Initials the $auth<n> variables as empty. Initialize $0 empty and set
3251 it as the only set numerical variable. The authenticator may set $auth<n>
3252 and also set other numeric variables. The $auth<n> variables are preferred
3253 nowadays; the numerical variables remain for backwards compatibility.
3255 Afterwards, have a go at expanding the set_id string, even if
3256 authentication failed - for bad passwords it can be useful to log the
3257 userid. On success, require set_id to expand and exist, and put it in
3258 authenticated_id. Save this in permanent store, as the working store gets
3259 reset at HELO, RSET, etc. */
3261 for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL;
3263 expand_nlength[0] = 0; /* $0 contains nothing */
3265 rc = (au->info->servercode)(au, smtp_cmd_data);
3266 if (au->set_id) set_id = expand_string(au->set_id);
3267 expand_nmax = -1; /* Reset numeric variables */
3268 for (i = 0; i < AUTH_VARS; i++) auth_vars[i] = NULL; /* Reset $auth<n> */
3270 /* The value of authenticated_id is stored in the spool file and printed in
3271 log lines. It must not contain binary zeros or newline characters. In
3272 normal use, it never will, but when playing around or testing, this error
3273 can (did) happen. To guard against this, ensure that the id contains only
3274 printing characters. */
3276 if (set_id) set_id = string_printing(set_id);
3278 /* For the non-OK cases, set up additional logging data if set_id
3282 set_id = set_id && *set_id
3283 ? string_sprintf(" (set_id=%s)", set_id) : US"";
3285 /* Switch on the result */
3290 if (!au->set_id || set_id) /* Complete success */
3292 if (set_id) authenticated_id = string_copy_malloc(set_id);
3293 sender_host_authenticated = au->name;
3294 authentication_failed = FALSE;
3295 authenticated_fail_id = NULL; /* Impossible to already be set? */
3298 (sender_host_address ? protocols : protocols_local)
3299 [pextend + pauthed + (tls_in.active >= 0 ? pcrpted:0)];
3300 *s = *ss = US"235 Authentication succeeded";
3301 authenticated_by = au;
3305 /* Authentication succeeded, but we failed to expand the set_id string.
3306 Treat this as a temporary error. */
3308 auth_defer_msg = expand_string_message;
3312 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3313 *s = string_sprintf("435 Unable to authenticate at present%s",
3314 auth_defer_user_msg);
3315 *ss = string_sprintf("435 Unable to authenticate at present%s: %s",
3316 set_id, auth_defer_msg);
3320 *s = *ss = US"501 Invalid base64 data";
3324 *s = *ss = US"501 Authentication cancelled";
3328 *s = *ss = US"553 Initial data not expected";
3332 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3333 *s = US"535 Incorrect authentication data";
3334 *ss = string_sprintf("535 Incorrect authentication data%s", set_id);
3338 if (set_id) authenticated_fail_id = string_copy_malloc(set_id);
3339 *s = US"435 Internal error";
3340 *ss = string_sprintf("435 Internal error%s: return %d from authentication "
3341 "check", set_id, rc);
3353 qualify_recipient(uschar ** recipient, uschar * smtp_cmd_data, uschar * tag)
3356 if (allow_unqualified_recipient || strcmpic(*recipient, US"postmaster") == 0)
3358 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
3360 rd = Ustrlen(recipient) + 1;
3361 *recipient = rewrite_address_qualify(*recipient, TRUE);
3364 smtp_printf("501 %s: recipient address must contain a domain\r\n",
3366 log_write(L_smtp_syntax_error,
3367 LOG_MAIN|LOG_REJECT, "unqualified %s rejected: <%s> %s%s",
3368 tag, *recipient, host_and_ident(TRUE), host_lookup_msg);
3376 smtp_quit_handler(uschar ** user_msgp, uschar ** log_msgp)
3379 incomplete_transaction_log(US"QUIT");
3380 if (acl_smtp_quit != NULL)
3382 int rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, user_msgp, log_msgp);
3384 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
3388 smtp_respond(US"221", 3, TRUE, *user_msgp);
3390 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
3393 tls_close(TRUE, TRUE);
3396 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
3397 smtp_get_connection_info());
3402 smtp_rset_handler(void)
3405 incomplete_transaction_log(US"RSET");
3406 smtp_printf("250 Reset OK\r\n");
3407 cmd_list[CMD_LIST_RSET].is_mail_cmd = FALSE;
3412 /*************************************************
3413 * Initialize for SMTP incoming message *
3414 *************************************************/
3416 /* This function conducts the initial dialogue at the start of an incoming SMTP
3417 message, and builds a list of recipients. However, if the incoming message
3418 is part of a batch (-bS option) a separate function is called since it would
3419 be messy having tests splattered about all over this function. This function
3420 therefore handles the case where interaction is occurring. The input and output
3421 files are set up in smtp_in and smtp_out.
3423 The global recipients_list is set to point to a vector of recipient_item
3424 blocks, whose number is given by recipients_count. This is extended by the
3425 receive_add_recipient() function. The global variable sender_address is set to
3426 the sender's address. The yield is +1 if a message has been successfully
3427 started, 0 if a QUIT command was encountered or the connection was refused from
3428 the particular host, or -1 if the connection was lost.
3432 Returns: > 0 message successfully started (reached DATA)
3433 = 0 QUIT read or end of file reached or call refused
3438 smtp_setup_msg(void)
3441 BOOL toomany = FALSE;
3442 BOOL discarded = FALSE;
3443 BOOL last_was_rej_mail = FALSE;
3444 BOOL last_was_rcpt = FALSE;
3445 void *reset_point = store_get(0);
3447 DEBUG(D_receive) debug_printf("smtp_setup_msg entered\n");
3449 /* Reset for start of new message. We allow one RSET not to be counted as a
3450 nonmail command, for those MTAs that insist on sending it between every
3451 message. Ditto for EHLO/HELO and for STARTTLS, to allow for going in and out of
3452 TLS between messages (an Exim client may do this if it has messages queued up
3453 for the host). Note: we do NOT reset AUTH at this point. */
3455 smtp_reset(reset_point);
3456 message_ended = END_NOTSTARTED;
3458 chunking_state = chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
3460 cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
3461 cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
3462 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
3464 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
3465 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
3468 /* Set the local signal handler for SIGTERM - it tries to end off tidily */
3470 os_non_restarting_signal(SIGTERM, command_sigterm_handler);
3472 /* Batched SMTP is handled in a different function. */
3474 if (smtp_batched_input) return smtp_setup_batch_msg();
3476 /* Deal with SMTP commands. This loop is exited by setting done to a POSITIVE
3477 value. The values are 2 larger than the required yield of the function. */
3481 const uschar **argv;
3482 uschar *etrn_command;
3483 uschar *etrn_serialize_key;
3485 uschar *log_msg, *smtp_code;
3486 uschar *user_msg = NULL;
3487 uschar *recipient = NULL;
3488 uschar *hello = NULL;
3490 BOOL was_rej_mail = FALSE;
3491 BOOL was_rcpt = FALSE;
3492 void (*oldsignal)(int);
3494 int start, end, sender_domain, recipient_domain;
3498 uschar *orcpt = NULL;
3501 #if defined(SUPPORT_TLS) && defined(AUTH_TLS)
3502 /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */
3503 if ( tls_in.active >= 0
3505 && tls_in.certificate_verified
3506 && cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd
3509 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = FALSE;
3511 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3512 &user_msg, &log_msg)) != OK
3515 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3519 for (au = auths; au; au = au->next)
3520 if (strcmpic(US"tls", au->driver_name) == 0)
3522 smtp_cmd_data = NULL;
3524 if (smtp_in_auth(au, &s, &ss) == OK)
3525 { DEBUG(D_auth) debug_printf("tls auth succeeded\n"); }
3527 { DEBUG(D_auth) debug_printf("tls auth not succeeded\n"); }
3533 switch(smtp_read_command(TRUE))
3535 /* The AUTH command is not permitted to occur inside a transaction, and may
3536 occur successfully only once per connection. Actually, that isn't quite
3537 true. When TLS is started, all previous information about a connection must
3538 be discarded, so a new AUTH is permitted at that time.
3540 AUTH may only be used when it has been advertised. However, it seems that
3541 there are clients that send AUTH when it hasn't been advertised, some of
3542 them even doing this after HELO. And there are MTAs that accept this. Sigh.
3543 So there's a get-out that allows this to happen.
3545 AUTH is initially labelled as a "nonmail command" so that one occurrence
3546 doesn't get counted. We change the label here so that multiple failing
3547 AUTHS will eventually hit the nonmail threshold. */
3551 authentication_failed = TRUE;
3552 cmd_list[CMD_LIST_AUTH].is_mail_cmd = FALSE;
3554 if (!auth_advertised && !allow_auth_unadvertised)
3556 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3557 US"AUTH command used when not advertised");
3560 if (sender_host_authenticated)
3562 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3563 US"already authenticated");
3568 done = synprot_error(L_smtp_protocol_error, 503, NULL,
3569 US"not permitted in mail transaction");
3576 && (rc = acl_check(ACL_WHERE_AUTH, NULL, acl_smtp_auth,
3577 &user_msg, &log_msg)) != OK
3580 done = smtp_handle_acl_fail(ACL_WHERE_AUTH, rc, user_msg, log_msg);
3584 /* Find the name of the requested authentication mechanism. */
3587 while ((c = *smtp_cmd_data) != 0 && !isspace(c))
3589 if (!isalnum(c) && c != '-' && c != '_')
3591 done = synprot_error(L_smtp_syntax_error, 501, NULL,
3592 US"invalid character in authentication mechanism name");
3598 /* If not at the end of the line, we must be at white space. Terminate the
3599 name and move the pointer on to any data that may be present. */
3601 if (*smtp_cmd_data != 0)
3603 *smtp_cmd_data++ = 0;
3604 while (isspace(*smtp_cmd_data)) smtp_cmd_data++;
3607 /* Search for an authentication mechanism which is configured for use
3608 as a server and which has been advertised (unless, sigh, allow_auth_
3609 unadvertised is set). */
3611 for (au = auths; au; au = au->next)
3612 if (strcmpic(s, au->public_name) == 0 && au->server &&
3613 (au->advertised || allow_auth_unadvertised))
3618 c = smtp_in_auth(au, &s, &ss);
3620 smtp_printf("%s\r\n", s);
3622 log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
3623 au->name, host_and_ident(FALSE), ss);
3626 done = synprot_error(L_smtp_protocol_error, 504, NULL,
3627 string_sprintf("%s authentication mechanism not supported", s));
3629 break; /* AUTH_CMD */
3631 /* The HELO/EHLO commands are permitted to appear in the middle of a
3632 session as well as at the beginning. They have the effect of a reset in
3633 addition to their other functions. Their absence at the start cannot be
3634 taken to be an error.
3638 If the EHLO command is not acceptable to the SMTP server, 501, 500,
3639 or 502 failure replies MUST be returned as appropriate. The SMTP
3640 server MUST stay in the same state after transmitting these replies
3641 that it was in before the EHLO was received.
3643 Therefore, we do not do the reset until after checking the command for
3644 acceptability. This change was made for Exim release 4.11. Previously
3645 it did the reset first. */
3658 HELO_EHLO: /* Common code for HELO and EHLO */
3659 cmd_list[CMD_LIST_HELO].is_mail_cmd = FALSE;
3660 cmd_list[CMD_LIST_EHLO].is_mail_cmd = FALSE;
3662 /* Reject the HELO if its argument was invalid or non-existent. A
3663 successful check causes the argument to be saved in malloc store. */
3665 if (!check_helo(smtp_cmd_data))
3667 smtp_printf("501 Syntactically invalid %s argument(s)\r\n", hello);
3669 log_write(0, LOG_MAIN|LOG_REJECT, "rejected %s from %s: syntactically "
3670 "invalid argument(s): %s", hello, host_and_ident(FALSE),
3671 (*smtp_cmd_argument == 0)? US"(no argument given)" :
3672 string_printing(smtp_cmd_argument));
3674 if (++synprot_error_count > smtp_max_synprot_errors)
3676 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
3677 "syntax or protocol errors (last command was \"%s\")",
3678 host_and_ident(FALSE), string_printing(smtp_cmd_buffer));
3685 /* If sender_host_unknown is true, we have got here via the -bs interface,
3686 not called from inetd. Otherwise, we are running an IP connection and the
3687 host address will be set. If the helo name is the primary name of this
3688 host and we haven't done a reverse lookup, force one now. If helo_required
3689 is set, ensure that the HELO name matches the actual host. If helo_verify
3690 is set, do the same check, but softly. */
3692 if (!sender_host_unknown)
3694 BOOL old_helo_verified = helo_verified;
3695 uschar *p = smtp_cmd_data;
3697 while (*p != 0 && !isspace(*p)) { *p = tolower(*p); p++; }
3700 /* Force a reverse lookup if HELO quoted something in helo_lookup_domains
3701 because otherwise the log can be confusing. */
3703 if (sender_host_name == NULL &&
3704 (deliver_domain = sender_helo_name, /* set $domain */
3705 match_isinlist(sender_helo_name, CUSS &helo_lookup_domains, 0,
3706 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) == OK)
3707 (void)host_name_lookup();
3709 /* Rebuild the fullhost info to include the HELO name (and the real name
3710 if it was looked up.) */
3712 host_build_sender_fullhost(); /* Rebuild */
3713 set_process_info("handling%s incoming connection from %s",
3714 (tls_in.active >= 0)? " TLS" : "", host_and_ident(FALSE));
3716 /* Verify if configured. This doesn't give much security, but it does
3717 make some people happy to be able to do it. If helo_required is set,
3718 (host matches helo_verify_hosts) failure forces rejection. If helo_verify
3719 is set (host matches helo_try_verify_hosts), it does not. This is perhaps
3720 now obsolescent, since the verification can now be requested selectively
3723 helo_verified = helo_verify_failed = sender_helo_dnssec = FALSE;
3724 if (helo_required || helo_verify)
3726 BOOL tempfail = !smtp_verify_helo();
3731 smtp_printf("%d %s argument does not match calling host\r\n",
3732 tempfail? 451 : 550, hello);
3733 log_write(0, LOG_MAIN|LOG_REJECT, "%srejected \"%s %s\" from %s",
3734 tempfail? "temporarily " : "",
3735 hello, sender_helo_name, host_and_ident(FALSE));
3736 helo_verified = old_helo_verified;
3737 break; /* End of HELO/EHLO processing */
3739 HDEBUG(D_all) debug_printf("%s verification failed but host is in "
3740 "helo_try_verify_hosts\n", hello);
3745 #ifdef EXPERIMENTAL_SPF
3746 /* set up SPF context */
3747 spf_init(sender_helo_name, sender_host_address);
3750 /* Apply an ACL check if one is defined; afterwards, recheck
3751 synchronization in case the client started sending in a delay. */
3754 if ((rc = acl_check(ACL_WHERE_HELO, NULL, acl_smtp_helo,
3755 &user_msg, &log_msg)) != OK)
3757 done = smtp_handle_acl_fail(ACL_WHERE_HELO, rc, user_msg, log_msg);
3758 sender_helo_name = NULL;
3759 host_build_sender_fullhost(); /* Rebuild */
3762 else if (!check_sync()) goto SYNC_FAILURE;
3764 /* Generate an OK reply. The default string includes the ident if present,
3765 and also the IP address if present. Reflecting back the ident is intended
3766 as a deterrent to mail forgers. For maximum efficiency, and also because
3767 some broken systems expect each response to be in a single packet, arrange
3768 that the entire reply is sent in one write(). */
3770 auth_advertised = FALSE;
3771 pipelining_advertised = FALSE;
3773 tls_advertised = FALSE;
3775 dsn_advertised = FALSE;
3777 smtputf8_advertised = FALSE;
3780 smtp_code = US"250 "; /* Default response code plus space*/
3781 if (user_msg == NULL)
3783 s = string_sprintf("%.3s %s Hello %s%s%s",
3785 smtp_active_hostname,
3786 (sender_ident == NULL)? US"" : sender_ident,
3787 (sender_ident == NULL)? US"" : US" at ",
3788 (sender_host_name == NULL)? sender_helo_name : sender_host_name);
3793 if (sender_host_address != NULL)
3795 s = string_catn(s, &size, &ptr, US" [", 2);
3796 s = string_cat (s, &size, &ptr, sender_host_address);
3797 s = string_catn(s, &size, &ptr, US"]", 1);
3801 /* A user-supplied EHLO greeting may not contain more than one line. Note
3802 that the code returned by smtp_message_code() includes the terminating
3803 whitespace character. */
3809 smtp_message_code(&smtp_code, &codelen, &user_msg, NULL, TRUE);
3810 s = string_sprintf("%.*s%s", codelen, smtp_code, user_msg);
3811 if ((ss = strpbrk(CS s, "\r\n")) != NULL)
3813 log_write(0, LOG_MAIN|LOG_PANIC, "EHLO/HELO response must not contain "
3814 "newlines: message truncated: %s", string_printing(s));
3821 s = string_catn(s, &size, &ptr, US"\r\n", 2);
3823 /* If we received EHLO, we must create a multiline response which includes
3824 the functions supported. */
3830 /* I'm not entirely happy with this, as an MTA is supposed to check
3831 that it has enough room to accept a message of maximum size before
3832 it sends this. However, there seems little point in not sending it.
3833 The actual size check happens later at MAIL FROM time. By postponing it
3834 till then, VRFY and EXPN can be used after EHLO when space is short. */
3836 if (thismessage_size_limit > 0)
3838 sprintf(CS big_buffer, "%.3s-SIZE %d\r\n", smtp_code,
3839 thismessage_size_limit);
3840 s = string_cat(s, &size, &ptr, big_buffer);
3844 s = string_catn(s, &size, &ptr, smtp_code, 3);
3845 s = string_catn(s, &size, &ptr, US"-SIZE\r\n", 7);
3848 /* Exim does not do protocol conversion or data conversion. It is 8-bit
3849 clean; if it has an 8-bit character in its hand, it just sends it. It
3850 cannot therefore specify 8BITMIME and remain consistent with the RFCs.
3851 However, some users want this option simply in order to stop MUAs
3852 mangling messages that contain top-bit-set characters. It is therefore
3853 provided as an option. */
3855 if (accept_8bitmime)
3857 s = string_catn(s, &size, &ptr, smtp_code, 3);
3858 s = string_catn(s, &size, &ptr, US"-8BITMIME\r\n", 11);
3861 /* Advertise DSN support if configured to do so. */
3862 if (verify_check_host(&dsn_advertise_hosts) != FAIL)
3864 s = string_catn(s, &size, &ptr, smtp_code, 3);
3865 s = string_catn(s, &size, &ptr, US"-DSN\r\n", 6);
3866 dsn_advertised = TRUE;
3869 /* Advertise ETRN if there's an ACL checking whether a host is
3870 permitted to issue it; a check is made when any host actually tries. */
3872 if (acl_smtp_etrn != NULL)
3874 s = string_catn(s, &size, &ptr, smtp_code, 3);
3875 s = string_catn(s, &size, &ptr, US"-ETRN\r\n", 7);
3878 /* Advertise EXPN if there's an ACL checking whether a host is
3879 permitted to issue it; a check is made when any host actually tries. */
3881 if (acl_smtp_expn != NULL)
3883 s = string_catn(s, &size, &ptr, smtp_code, 3);
3884 s = string_catn(s, &size, &ptr, US"-EXPN\r\n", 7);
3887 /* Exim is quite happy with pipelining, so let the other end know that
3888 it is safe to use it, unless advertising is disabled. */
3890 if (pipelining_enable &&
3891 verify_check_host(&pipelining_advertise_hosts) == OK)
3893 s = string_catn(s, &size, &ptr, smtp_code, 3);
3894 s = string_catn(s, &size, &ptr, US"-PIPELINING\r\n", 13);
3895 sync_cmd_limit = NON_SYNC_CMD_PIPELINING;
3896 pipelining_advertised = TRUE;
3900 /* If any server authentication mechanisms are configured, advertise
3901 them if the current host is in auth_advertise_hosts. The problem with
3902 advertising always is that some clients then require users to
3903 authenticate (and aren't configurable otherwise) even though it may not
3904 be necessary (e.g. if the host is in host_accept_relay).
3906 RFC 2222 states that SASL mechanism names contain only upper case
3907 letters, so output the names in upper case, though we actually recognize
3908 them in either case in the AUTH command. */
3911 #if defined(SUPPORT_TLS) && defined(AUTH_TLS)
3912 && !sender_host_authenticated
3914 && verify_check_host(&auth_advertise_hosts) == OK
3919 for (au = auths; au; au = au->next)
3920 if (au->server && (au->advertise_condition == NULL ||
3921 expand_check_condition(au->advertise_condition, au->name,
3922 US"authenticator")))
3927 s = string_catn(s, &size, &ptr, smtp_code, 3);
3928 s = string_catn(s, &size, &ptr, US"-AUTH", 5);
3930 auth_advertised = TRUE;
3933 s = string_catn(s, &size, &ptr, US" ", 1);
3934 s = string_cat (s, &size, &ptr, au->public_name);
3935 while (++saveptr < ptr) s[saveptr] = toupper(s[saveptr]);
3936 au->advertised = TRUE;
3939 au->advertised = FALSE;
3941 if (!first) s = string_catn(s, &size, &ptr, US"\r\n", 2);
3944 /* RFC 3030 CHUNKING */
3946 if (verify_check_host(&chunking_advertise_hosts) != FAIL)
3948 s = string_catn(s, &size, &ptr, smtp_code, 3);
3949 s = string_catn(s, &size, &ptr, US"-CHUNKING\r\n", 11);
3950 chunking_offered = TRUE;
3951 chunking_state = CHUNKING_OFFERED;
3954 /* Advertise TLS (Transport Level Security) aka SSL (Secure Socket Layer)
3955 if it has been included in the binary, and the host matches
3956 tls_advertise_hosts. We must *not* advertise if we are already in a
3957 secure connection. */
3960 if (tls_in.active < 0 &&
3961 verify_check_host(&tls_advertise_hosts) != FAIL)
3963 s = string_catn(s, &size, &ptr, smtp_code, 3);
3964 s = string_catn(s, &size, &ptr, US"-STARTTLS\r\n", 11);
3965 tls_advertised = TRUE;
3969 #ifndef DISABLE_PRDR
3970 /* Per Recipient Data Response, draft by Eric A. Hall extending RFC */
3973 s = string_catn(s, &size, &ptr, smtp_code, 3);
3974 s = string_catn(s, &size, &ptr, US"-PRDR\r\n", 7);
3979 if ( accept_8bitmime
3980 && verify_check_host(&smtputf8_advertise_hosts) != FAIL)
3982 s = string_catn(s, &size, &ptr, smtp_code, 3);
3983 s = string_catn(s, &size, &ptr, US"-SMTPUTF8\r\n", 11);
3984 smtputf8_advertised = TRUE;
3988 /* Finish off the multiline reply with one that is always available. */
3990 s = string_catn(s, &size, &ptr, smtp_code, 3);
3991 s = string_catn(s, &size, &ptr, US" HELP\r\n", 7);
3994 /* Terminate the string (for debug), write it, and note that HELO/EHLO
4000 if (tls_in.active >= 0) (void)tls_write(TRUE, s, ptr); else
4004 int i = fwrite(s, 1, ptr, smtp_out); i = i; /* compiler quietening */
4009 while ((cr = Ustrchr(s, '\r')) != NULL) /* lose CRs */
4010 memmove(cr, cr + 1, (ptr--) - (cr - s));
4011 debug_printf("SMTP>> %s", s);
4015 /* Reset the protocol and the state, abandoning any previous message. */
4017 (sender_host_address ? protocols : protocols_local)
4019 ? pextend + (sender_host_authenticated ? pauthed : 0)
4021 + (tls_in.active >= 0 ? pcrpted : 0)
4023 smtp_reset(reset_point);
4025 break; /* HELO/EHLO */
4028 /* The MAIL command requires an address as an operand. All we do
4029 here is to parse it for syntactic correctness. The form "<>" is
4030 a special case which converts into an empty string. The start/end
4031 pointers in the original are not used further for this address, as
4032 it is the canonical extracted address which is all that is kept. */
4036 smtp_mailcmd_count++; /* Count for limit and ratelimit */
4037 was_rej_mail = TRUE; /* Reset if accepted */
4038 env_mail_type_t * mail_args; /* Sanity check & validate args */
4040 if (helo_required && !helo_seen)
4042 smtp_printf("503 HELO or EHLO required\r\n");
4043 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL from %s: no "
4044 "HELO/EHLO given", host_and_ident(FALSE));
4048 if (sender_address != NULL)
4050 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4051 US"sender already given");
4055 if (smtp_cmd_data[0] == 0)
4057 done = synprot_error(L_smtp_protocol_error, 501, NULL,
4058 US"MAIL must have an address operand");
4062 /* Check to see if the limit for messages per connection would be
4063 exceeded by accepting further messages. */
4065 if (smtp_accept_max_per_connection > 0 &&
4066 smtp_mailcmd_count > smtp_accept_max_per_connection)
4068 smtp_printf("421 too many messages in this connection\r\n");
4069 log_write(0, LOG_MAIN|LOG_REJECT, "rejected MAIL command %s: too many "
4070 "messages in one connection", host_and_ident(TRUE));
4074 /* Reset for start of message - even if this is going to fail, we
4075 obviously need to throw away any previous data. */
4077 smtp_reset(reset_point);
4079 sender_data = recipient_data = NULL;
4081 /* Loop, checking for ESMTP additions to the MAIL FROM command. */
4085 uschar *name, *value, *end;
4086 unsigned long int size;
4087 BOOL arg_error = FALSE;
4089 if (!extract_option(&name, &value)) break;
4091 for (mail_args = env_mail_type_list;
4092 mail_args->value != ENV_MAIL_OPT_NULL;
4095 if (strcmpic(name, mail_args->name) == 0)
4097 if (mail_args->need_value && strcmpic(value, US"") == 0)
4100 switch(mail_args->value)
4102 /* Handle SIZE= by reading the value. We don't do the check till later,
4103 in order to be able to log the sender address on failure. */
4104 case ENV_MAIL_OPT_SIZE:
4105 if (((size = Ustrtoul(value, &end, 10)), *end == 0))
4107 if ((size == ULONG_MAX && errno == ERANGE) || size > INT_MAX)
4109 message_size = (int)size;
4115 /* If this session was initiated with EHLO and accept_8bitmime is set,
4116 Exim will have indicated that it supports the BODY=8BITMIME option. In
4117 fact, it does not support this according to the RFCs, in that it does not
4118 take any special action for forwarding messages containing 8-bit
4119 characters. That is why accept_8bitmime is not the default setting, but
4120 some sites want the action that is provided. We recognize both "8BITMIME"
4121 and "7BIT" as body types, but take no action. */
4122 case ENV_MAIL_OPT_BODY:
4123 if (accept_8bitmime) {
4124 if (strcmpic(value, US"8BITMIME") == 0)
4126 else if (strcmpic(value, US"7BIT") == 0)
4131 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4132 US"invalid data for BODY");
4135 DEBUG(D_receive) debug_printf("8BITMIME: %d\n", body_8bitmime);
4141 /* Handle the two DSN options, but only if configured to do so (which
4142 will have caused "DSN" to be given in the EHLO response). The code itself
4143 is included only if configured in at build time. */
4145 case ENV_MAIL_OPT_RET:
4148 /* Check if RET has already been set */
4151 synprot_error(L_smtp_syntax_error, 501, NULL,
4152 US"RET can be specified once only");
4155 dsn_ret = strcmpic(value, US"HDRS") == 0
4157 : strcmpic(value, US"FULL") == 0
4160 DEBUG(D_receive) debug_printf("DSN_RET: %d\n", dsn_ret);
4161 /* Check for invalid invalid value, and exit with error */
4164 synprot_error(L_smtp_syntax_error, 501, NULL,
4165 US"Value for RET is invalid");
4170 case ENV_MAIL_OPT_ENVID:
4173 /* Check if the dsn envid has been already set */
4174 if (dsn_envid != NULL)
4176 synprot_error(L_smtp_syntax_error, 501, NULL,
4177 US"ENVID can be specified once only");
4180 dsn_envid = string_copy(value);
4181 DEBUG(D_receive) debug_printf("DSN_ENVID: %s\n", dsn_envid);
4185 /* Handle the AUTH extension. If the value given is not "<>" and either
4186 the ACL says "yes" or there is no ACL but the sending host is
4187 authenticated, we set it up as the authenticated sender. However, if the
4188 authenticator set a condition to be tested, we ignore AUTH on MAIL unless
4189 the condition is met. The value of AUTH is an xtext, which means that +,
4190 = and cntrl chars are coded in hex; however "<>" is unaffected by this
4192 case ENV_MAIL_OPT_AUTH:
4193 if (Ustrcmp(value, "<>") != 0)
4198 if (auth_xtextdecode(value, &authenticated_sender) < 0)
4200 /* Put back terminator overrides for error message */
4203 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4204 US"invalid data for AUTH");
4207 if (acl_smtp_mailauth == NULL)
4209 ignore_msg = US"client not authenticated";
4210 rc = (sender_host_authenticated != NULL)? OK : FAIL;
4214 ignore_msg = US"rejected by ACL";
4215 rc = acl_check(ACL_WHERE_MAILAUTH, NULL, acl_smtp_mailauth,
4216 &user_msg, &log_msg);
4222 if (authenticated_by == NULL ||
4223 authenticated_by->mail_auth_condition == NULL ||
4224 expand_check_condition(authenticated_by->mail_auth_condition,
4225 authenticated_by->name, US"authenticator"))
4226 break; /* Accept the AUTH */
4228 ignore_msg = US"server_mail_auth_condition failed";
4229 if (authenticated_id != NULL)
4230 ignore_msg = string_sprintf("%s: authenticated ID=\"%s\"",
4231 ignore_msg, authenticated_id);
4236 authenticated_sender = NULL;
4237 log_write(0, LOG_MAIN, "ignoring AUTH=%s from %s (%s)",
4238 value, host_and_ident(TRUE), ignore_msg);
4241 /* Should only get DEFER or ERROR here. Put back terminator
4242 overrides for error message */
4247 (void)smtp_handle_acl_fail(ACL_WHERE_MAILAUTH, rc, user_msg,
4254 #ifndef DISABLE_PRDR
4255 case ENV_MAIL_OPT_PRDR:
4257 prdr_requested = TRUE;
4262 case ENV_MAIL_OPT_UTF8:
4263 if (smtputf8_advertised)
4265 DEBUG(D_receive) debug_printf("smtputf8 requested\n");
4266 message_smtputf8 = allow_utf8_domains = TRUE;
4267 received_protocol = string_sprintf("utf8%s", received_protocol);
4271 /* No valid option. Stick back the terminator characters and break
4272 the loop. Do the name-terminator second as extract_option sets
4273 value==name when it found no equal-sign.
4274 An error for a malformed address will occur. */
4275 case ENV_MAIL_OPT_NULL:
4283 /* Break out of for loop if switch() had bad argument or
4284 when start of the email address is reached */
4285 if (arg_error) break;
4288 /* If we have passed the threshold for rate limiting, apply the current
4289 delay, and update it for next time, provided this is a limited host. */
4291 if (smtp_mailcmd_count > smtp_rlm_threshold &&
4292 verify_check_host(&smtp_ratelimit_hosts) == OK)
4294 DEBUG(D_receive) debug_printf("rate limit MAIL: delay %.3g sec\n",
4295 smtp_delay_mail/1000.0);
4296 millisleep((int)smtp_delay_mail);
4297 smtp_delay_mail *= smtp_rlm_factor;
4298 if (smtp_delay_mail > (double)smtp_rlm_limit)
4299 smtp_delay_mail = (double)smtp_rlm_limit;
4302 /* Now extract the address, first applying any SMTP-time rewriting. The
4303 TRUE flag allows "<>" as a sender address. */
4305 raw_sender = rewrite_existflags & rewrite_smtp
4306 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
4307 global_rewrite_rules)
4311 parse_extract_address(raw_sender, &errmess, &start, &end, &sender_domain,
4316 done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
4320 sender_address = raw_sender;
4322 /* If there is a configured size limit for mail, check that this message
4323 doesn't exceed it. The check is postponed to this point so that the sender
4326 if (thismessage_size_limit > 0 && message_size > thismessage_size_limit)
4328 smtp_printf("552 Message size exceeds maximum permitted\r\n");
4329 log_write(L_size_reject,
4330 LOG_MAIN|LOG_REJECT, "rejected MAIL FROM:<%s> %s: "
4331 "message too big: size%s=%d max=%d",
4333 host_and_ident(TRUE),
4334 (message_size == INT_MAX)? ">" : "",
4336 thismessage_size_limit);
4337 sender_address = NULL;
4341 /* Check there is enough space on the disk unless configured not to.
4342 When smtp_check_spool_space is set, the check is for thismessage_size_limit
4343 plus the current message - i.e. we accept the message only if it won't
4344 reduce the space below the threshold. Add 5000 to the size to allow for
4345 overheads such as the Received: line and storing of recipients, etc.
4346 By putting the check here, even when SIZE is not given, it allow VRFY
4347 and EXPN etc. to be used when space is short. */
4349 if (!receive_check_fs(
4350 (smtp_check_spool_space && message_size >= 0)?
4351 message_size + 5000 : 0))
4353 smtp_printf("452 Space shortage, please try later\r\n");
4354 sender_address = NULL;
4358 /* If sender_address is unqualified, reject it, unless this is a locally
4359 generated message, or the sending host or net is permitted to send
4360 unqualified addresses - typically local machines behaving as MUAs -
4361 in which case just qualify the address. The flag is set above at the start
4362 of the SMTP connection. */
4364 if (sender_domain == 0 && sender_address[0] != 0)
4366 if (allow_unqualified_sender)
4368 sender_domain = Ustrlen(sender_address) + 1;
4369 sender_address = rewrite_address_qualify(sender_address, FALSE);
4370 DEBUG(D_receive) debug_printf("unqualified address %s accepted\n",
4375 smtp_printf("501 %s: sender address must contain a domain\r\n",
4377 log_write(L_smtp_syntax_error,
4378 LOG_MAIN|LOG_REJECT,
4379 "unqualified sender rejected: <%s> %s%s",
4381 host_and_ident(TRUE),
4383 sender_address = NULL;
4388 /* Apply an ACL check if one is defined, before responding. Afterwards,
4389 when pipelining is not advertised, do another sync check in case the ACL
4390 delayed and the client started sending in the meantime. */
4394 rc = acl_check(ACL_WHERE_MAIL, NULL, acl_smtp_mail, &user_msg, &log_msg);
4395 if (rc == OK && !pipelining_advertised && !check_sync())
4401 if (rc == OK || rc == DISCARD)
4404 smtp_printf("%s%s%s", US"250 OK",
4405 #ifndef DISABLE_PRDR
4406 prdr_requested ? US", PRDR Requested" : US"",
4413 #ifndef DISABLE_PRDR
4415 user_msg = string_sprintf("%s%s", user_msg, US", PRDR Requested");
4417 smtp_user_msg(US"250", user_msg);
4419 smtp_delay_rcpt = smtp_rlr_base;
4420 recipients_discarded = (rc == DISCARD);
4421 was_rej_mail = FALSE;
4425 done = smtp_handle_acl_fail(ACL_WHERE_MAIL, rc, user_msg, log_msg);
4426 sender_address = NULL;
4431 /* The RCPT command requires an address as an operand. There may be any
4432 number of RCPT commands, specifying multiple recipients. We build them all
4433 into a data structure. The start/end values given by parse_extract_address
4434 are not used, as we keep only the extracted address. */
4439 was_rcpt = rcpt_in_progress = TRUE;
4441 /* There must be a sender address; if the sender was rejected and
4442 pipelining was advertised, we assume the client was pipelining, and do not
4443 count this as a protocol error. Reset was_rej_mail so that further RCPTs
4444 get the same treatment. */
4446 if (sender_address == NULL)
4448 if (pipelining_advertised && last_was_rej_mail)
4450 smtp_printf("503 sender not yet given\r\n");
4451 was_rej_mail = TRUE;
4455 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4456 US"sender not yet given");
4457 was_rcpt = FALSE; /* Not a valid RCPT */
4463 /* Check for an operand */
4465 if (smtp_cmd_data[0] == 0)
4467 done = synprot_error(L_smtp_syntax_error, 501, NULL,
4468 US"RCPT must have an address operand");
4473 /* Set the DSN flags orcpt and dsn_flags from the session*/
4479 uschar *name, *value;
4481 if (!extract_option(&name, &value))
4484 if (dsn_advertised && strcmpic(name, US"ORCPT") == 0)
4486 /* Check whether orcpt has been already set */
4489 synprot_error(L_smtp_syntax_error, 501, NULL,
4490 US"ORCPT can be specified once only");
4493 orcpt = string_copy(value);
4494 DEBUG(D_receive) debug_printf("DSN orcpt: %s\n", orcpt);
4497 else if (dsn_advertised && strcmpic(name, US"NOTIFY") == 0)
4499 /* Check if the notify flags have been already set */
4502 synprot_error(L_smtp_syntax_error, 501, NULL,
4503 US"NOTIFY can be specified once only");
4506 if (strcmpic(value, US"NEVER") == 0)
4507 flags |= rf_notify_never;
4514 while (*pp != 0 && *pp != ',') pp++;
4515 if (*pp == ',') *pp++ = 0;
4516 if (strcmpic(p, US"SUCCESS") == 0)
4518 DEBUG(D_receive) debug_printf("DSN: Setting notify success\n");
4519 flags |= rf_notify_success;
4521 else if (strcmpic(p, US"FAILURE") == 0)
4523 DEBUG(D_receive) debug_printf("DSN: Setting notify failure\n");
4524 flags |= rf_notify_failure;
4526 else if (strcmpic(p, US"DELAY") == 0)
4528 DEBUG(D_receive) debug_printf("DSN: Setting notify delay\n");
4529 flags |= rf_notify_delay;
4533 /* Catch any strange values */
4534 synprot_error(L_smtp_syntax_error, 501, NULL,
4535 US"Invalid value for NOTIFY parameter");
4540 DEBUG(D_receive) debug_printf("DSN Flags: %x\n", flags);
4544 /* Unknown option. Stick back the terminator characters and break
4545 the loop. An error for a malformed address will occur. */
4549 DEBUG(D_receive) debug_printf("Invalid RCPT option: %s : %s\n", name, value);
4556 /* Apply SMTP rewriting then extract the working address. Don't allow "<>"
4557 as a recipient address */
4559 recipient = rewrite_existflags & rewrite_smtp
4560 ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"",
4561 global_rewrite_rules)
4564 if (!(recipient = parse_extract_address(recipient, &errmess, &start, &end,
4565 &recipient_domain, FALSE)))
4567 done = synprot_error(L_smtp_syntax_error, 501, smtp_cmd_data, errmess);
4572 /* If the recipient address is unqualified, reject it, unless this is a
4573 locally generated message. However, unqualified addresses are permitted
4574 from a configured list of hosts and nets - typically when behaving as
4575 MUAs rather than MTAs. Sad that SMTP is used for both types of traffic,
4576 really. The flag is set at the start of the SMTP connection.
4578 RFC 1123 talks about supporting "the reserved mailbox postmaster"; I always
4579 assumed this meant "reserved local part", but the revision of RFC 821 and
4580 friends now makes it absolutely clear that it means *mailbox*. Consequently
4581 we must always qualify this address, regardless. */
4583 if (recipient_domain == 0)
4584 if (!(recipient_domain = qualify_recipient(&recipient, smtp_cmd_data,
4591 /* Check maximum allowed */
4593 if (rcpt_count > recipients_max && recipients_max > 0)
4595 if (recipients_max_reject)
4598 smtp_printf("552 too many recipients\r\n");
4600 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: message "
4601 "rejected: sender=<%s> %s", sender_address, host_and_ident(TRUE));
4606 smtp_printf("452 too many recipients\r\n");
4608 log_write(0, LOG_MAIN|LOG_REJECT, "too many recipients: excess "
4609 "temporarily rejected: sender=<%s> %s", sender_address,
4610 host_and_ident(TRUE));
4617 /* If we have passed the threshold for rate limiting, apply the current
4618 delay, and update it for next time, provided this is a limited host. */
4620 if (rcpt_count > smtp_rlr_threshold &&
4621 verify_check_host(&smtp_ratelimit_hosts) == OK)
4623 DEBUG(D_receive) debug_printf("rate limit RCPT: delay %.3g sec\n",
4624 smtp_delay_rcpt/1000.0);
4625 millisleep((int)smtp_delay_rcpt);
4626 smtp_delay_rcpt *= smtp_rlr_factor;
4627 if (smtp_delay_rcpt > (double)smtp_rlr_limit)
4628 smtp_delay_rcpt = (double)smtp_rlr_limit;
4631 /* If the MAIL ACL discarded all the recipients, we bypass ACL checking
4632 for them. Otherwise, check the access control list for this recipient. As
4633 there may be a delay in this, re-check for a synchronization error
4634 afterwards, unless pipelining was advertised. */
4636 if (recipients_discarded) rc = DISCARD; else
4638 rc = acl_check(ACL_WHERE_RCPT, recipient, acl_smtp_rcpt, &user_msg,
4640 if (rc == OK && !pipelining_advertised && !check_sync())
4644 /* The ACL was happy */
4648 if (user_msg == NULL) smtp_printf("250 Accepted\r\n");
4649 else smtp_user_msg(US"250", user_msg);
4650 receive_add_recipient(recipient, -1);
4652 /* Set the dsn flags in the recipients_list */
4653 recipients_list[recipients_count-1].orcpt = orcpt;
4654 recipients_list[recipients_count-1].dsn_flags = flags;
4656 DEBUG(D_receive) debug_printf("DSN: orcpt: %s flags: %d\n",
4657 recipients_list[recipients_count-1].orcpt,
4658 recipients_list[recipients_count-1].dsn_flags);
4661 /* The recipient was discarded */
4663 else if (rc == DISCARD)
4665 if (user_msg == NULL) smtp_printf("250 Accepted\r\n");
4666 else smtp_user_msg(US"250", user_msg);
4669 log_write(0, LOG_MAIN|LOG_REJECT, "%s F=<%s> RCPT %s: "
4670 "discarded by %s ACL%s%s", host_and_ident(TRUE),
4671 sender_address_unrewritten? sender_address_unrewritten : sender_address,
4672 smtp_cmd_argument, recipients_discarded? "MAIL" : "RCPT",
4673 log_msg ? US": " : US"", log_msg ? log_msg : US"");
4676 /* Either the ACL failed the address, or it was deferred. */
4680 if (rc == FAIL) rcpt_fail_count++; else rcpt_defer_count++;
4681 done = smtp_handle_acl_fail(ACL_WHERE_RCPT, rc, user_msg, log_msg);
4686 /* The DATA command is legal only if it follows successful MAIL FROM
4687 and RCPT TO commands. However, if pipelining is advertised, a bad DATA is
4688 not counted as a protocol error if it follows RCPT (which must have been
4689 rejected if there are no recipients.) This function is complete when a
4690 valid DATA command is encountered.
4692 Note concerning the code used: RFC 2821 says this:
4694 - If there was no MAIL, or no RCPT, command, or all such commands
4695 were rejected, the server MAY return a "command out of sequence"
4696 (503) or "no valid recipients" (554) reply in response to the
4699 The example in the pipelining RFC 2920 uses 554, but I use 503 here
4700 because it is the same whether pipelining is in use or not.
4702 If all the RCPT commands that precede DATA provoked the same error message
4703 (often indicating some kind of system error), it is helpful to include it
4704 with the DATA rejection (an idea suggested by Tony Finch). */
4711 if (chunking_state != CHUNKING_OFFERED)
4713 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4714 US"BDAT command used when CHUNKING not advertised");
4718 /* grab size, endmarker */
4720 if (sscanf(CS smtp_cmd_data, "%u %n", &chunking_datasize, &n) < 1)
4722 done = synprot_error(L_smtp_protocol_error, 501, NULL,
4723 US"missing size for BDAT command");
4726 chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
4727 ? CHUNKING_LAST : CHUNKING_ACTIVE;
4728 chunking_data_left = chunking_datasize;
4730 lwr_receive_getc = receive_getc;
4731 lwr_receive_ungetc = receive_ungetc;
4732 receive_getc = bdat_getc;
4733 receive_ungetc = bdat_ungetc;
4736 debug_printf("chunking state %d\n", (int)chunking_state);
4743 DATA_BDAT: /* Common code for DATA and BDAT */
4744 if (!discarded && recipients_count <= 0)
4746 if (rcpt_smtp_response_same && rcpt_smtp_response != NULL)
4748 uschar *code = US"503";
4749 int len = Ustrlen(rcpt_smtp_response);
4750 smtp_respond(code, 3, FALSE, US"All RCPT commands were rejected with "
4752 /* Responses from smtp_printf() will have \r\n on the end */
4753 if (len > 2 && rcpt_smtp_response[len-2] == '\r')
4754 rcpt_smtp_response[len-2] = 0;
4755 smtp_respond(code, 3, FALSE, rcpt_smtp_response);
4757 if (pipelining_advertised && last_was_rcpt)
4758 smtp_printf("503 Valid RCPT command must precede %s\r\n",
4759 smtp_names[smtp_connection_had[smtp_ch_index-1]]);
4761 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4762 smtp_connection_had[smtp_ch_index-1] == SCH_DATA
4763 ? US"valid RCPT command must precede DATA"
4764 : US"valid RCPT command must precede BDAT");
4768 if (toomany && recipients_max_reject)
4770 sender_address = NULL; /* This will allow a new MAIL without RSET */
4771 sender_address_unrewritten = NULL;
4772 smtp_printf("554 Too many recipients\r\n");
4776 if (chunking_state > CHUNKING_OFFERED)
4777 { /* No predata ACL or go-ahead output for BDAT */
4782 /* If there is an ACL, re-check the synchronization afterwards, since the
4783 ACL may have delayed. To handle cutthrough delivery enforce a dummy call
4784 to get the DATA command sent. */
4786 if (acl_smtp_predata == NULL && cutthrough.fd < 0)
4790 uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";
4791 enable_dollar_recipients = TRUE;
4792 rc = acl_check(ACL_WHERE_PREDATA, NULL, acl, &user_msg,
4794 enable_dollar_recipients = FALSE;
4795 if (rc == OK && !check_sync())
4799 { /* Either the ACL failed the address, or it was deferred. */
4800 done = smtp_handle_acl_fail(ACL_WHERE_PREDATA, rc, user_msg, log_msg);
4806 smtp_user_msg(US"354", user_msg);
4809 "354 Enter message, ending with \".\" on a line by itself\r\n");
4813 message_ended = END_NOTENDED; /* Indicate in middle of data */
4824 if (!(address = parse_extract_address(smtp_cmd_data, &errmess,
4825 &start, &end, &recipient_domain, FALSE)))
4827 smtp_printf("501 %s\r\n", errmess);
4831 if (recipient_domain == 0)
4832 if (!(recipient_domain = qualify_recipient(&address, smtp_cmd_data,
4836 if ((rc = acl_check(ACL_WHERE_VRFY, address, acl_smtp_vrfy,
4837 &user_msg, &log_msg)) != OK)
4838 done = smtp_handle_acl_fail(ACL_WHERE_VRFY, rc, user_msg, log_msg);
4842 address_item * addr = deliver_make_addr(address, FALSE);
4844 switch(verify_address(addr, NULL, vopt_is_recipient | vopt_qualify, -1,
4845 -1, -1, NULL, NULL, NULL))
4848 s = string_sprintf("250 <%s> is deliverable", address);
4852 s = (addr->user_message != NULL)?
4853 string_sprintf("451 <%s> %s", address, addr->user_message) :
4854 string_sprintf("451 Cannot resolve <%s> at this time", address);
4858 s = (addr->user_message != NULL)?
4859 string_sprintf("550 <%s> %s", address, addr->user_message) :
4860 string_sprintf("550 <%s> is not deliverable", address);
4861 log_write(0, LOG_MAIN, "VRFY failed for %s %s",
4862 smtp_cmd_argument, host_and_ident(TRUE));
4866 smtp_printf("%s\r\n", s);
4874 rc = acl_check(ACL_WHERE_EXPN, NULL, acl_smtp_expn, &user_msg, &log_msg);
4876 done = smtp_handle_acl_fail(ACL_WHERE_EXPN, rc, user_msg, log_msg);
4879 BOOL save_log_testing_mode = log_testing_mode;
4880 address_test_mode = log_testing_mode = TRUE;
4881 (void) verify_address(deliver_make_addr(smtp_cmd_data, FALSE),
4882 smtp_out, vopt_is_recipient | vopt_qualify | vopt_expn, -1, -1, -1,
4884 address_test_mode = FALSE;
4885 log_testing_mode = save_log_testing_mode; /* true for -bh */
4894 if (!tls_advertised)
4896 done = synprot_error(L_smtp_protocol_error, 503, NULL,
4897 US"STARTTLS command used when not advertised");
4901 /* Apply an ACL check if one is defined */
4903 if ( acl_smtp_starttls
4904 && (rc = acl_check(ACL_WHERE_STARTTLS, NULL, acl_smtp_starttls,
4905 &user_msg, &log_msg)) != OK
4908 done = smtp_handle_acl_fail(ACL_WHERE_STARTTLS, rc, user_msg, log_msg);
4912 /* RFC 2487 is not clear on when this command may be sent, though it
4913 does state that all information previously obtained from the client
4914 must be discarded if a TLS session is started. It seems reasonble to
4915 do an implied RSET when STARTTLS is received. */
4917 incomplete_transaction_log(US"STARTTLS");
4918 smtp_reset(reset_point);
4920 cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
4922 /* There's an attack where more data is read in past the STARTTLS command
4923 before TLS is negotiated, then assumed to be part of the secure session
4924 when used afterwards; we use segregated input buffers, so are not
4925 vulnerable, but we want to note when it happens and, for sheer paranoia,
4926 ensure that the buffer is "wiped".
4927 Pipelining sync checks will normally have protected us too, unless disabled
4928 by configuration. */
4930 if (receive_smtp_buffered())
4933 debug_printf("Non-empty input buffer after STARTTLS; naive attack?\n");
4934 if (tls_in.active < 0)
4935 smtp_inend = smtp_inptr = smtp_inbuffer;
4936 /* and if TLS is already active, tls_server_start() should fail */
4939 /* There is nothing we value in the input buffer and if TLS is succesfully
4940 negotiated, we won't use this buffer again; if TLS fails, we'll just read
4941 fresh content into it. The buffer contains arbitrary content from an
4942 untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
4943 It seems safest to just wipe away the content rather than leave it as a
4944 target to jump to. */
4946 memset(smtp_inbuffer, 0, in_buffer_size);
4948 /* Attempt to start up a TLS session, and if successful, discard all
4949 knowledge that was obtained previously. At least, that's what the RFC says,
4950 and that's what happens by default. However, in order to work round YAEB,
4951 there is an option to remember the esmtp state. Sigh.
4953 We must allow for an extra EHLO command and an extra AUTH command after
4954 STARTTLS that don't add to the nonmail command count. */
4956 if ((rc = tls_server_start(tls_require_ciphers)) == OK)
4958 if (!tls_remember_esmtp)
4959 helo_seen = esmtp = auth_advertised = pipelining_advertised = FALSE;
4960 cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
4961 cmd_list[CMD_LIST_AUTH].is_mail_cmd = TRUE;
4962 cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
4963 if (sender_helo_name != NULL)
4965 store_free(sender_helo_name);
4966 sender_helo_name = NULL;
4967 host_build_sender_fullhost(); /* Rebuild */
4968 set_process_info("handling incoming TLS connection from %s",
4969 host_and_ident(FALSE));
4972 (sender_host_address ? protocols : protocols_local)
4974 ? pextend + (sender_host_authenticated ? pauthed : 0)
4976 + (tls_in.active >= 0 ? pcrpted : 0)
4979 sender_host_authenticated = NULL;
4980 authenticated_id = NULL;
4981 sync_cmd_limit = NON_SYNC_CMD_NON_PIPELINING;
4982 DEBUG(D_tls) debug_printf("TLS active\n");
4983 break; /* Successful STARTTLS */
4986 /* Some local configuration problem was discovered before actually trying
4987 to do a TLS handshake; give a temporary error. */
4989 else if (rc == DEFER)
4991 smtp_printf("454 TLS currently unavailable\r\n");
4995 /* Hard failure. Reject everything except QUIT or closed connection. One
4996 cause for failure is a nested STARTTLS, in which case tls_in.active remains
4997 set, but we must still reject all incoming commands. */
4999 DEBUG(D_tls) debug_printf("TLS failed to start\n");
5002 switch(smtp_read_command(FALSE))
5005 log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
5006 smtp_get_connection_info());
5007 smtp_notquit_exit(US"tls-failed", NULL, NULL);
5011 /* It is perhaps arguable as to which exit ACL should be called here,
5012 but as it is probably a situation that almost never arises, it
5013 probably doesn't matter. We choose to call the real QUIT ACL, which in
5014 some sense is perhaps "right". */
5018 if (acl_smtp_quit != NULL)
5020 rc = acl_check(ACL_WHERE_QUIT, NULL, acl_smtp_quit, &user_msg,
5023 log_write(0, LOG_MAIN|LOG_PANIC, "ACL for QUIT returned ERROR: %s",
5026 if (user_msg == NULL)
5027 smtp_printf("221 %s closing connection\r\n", smtp_active_hostname);
5029 smtp_respond(US"221", 3, TRUE, user_msg);
5030 log_write(L_smtp_connection, LOG_MAIN, "%s closed by QUIT",
5031 smtp_get_connection_info());
5036 smtp_printf("554 Security failure\r\n");
5040 tls_close(TRUE, TRUE);
5045 /* The ACL for QUIT is provided for gathering statistical information or
5046 similar; it does not affect the response code, but it can supply a custom
5050 smtp_quit_handler(&user_msg, &log_msg);
5056 smtp_rset_handler();
5057 smtp_reset(reset_point);
5064 smtp_printf("250 OK\r\n");
5068 /* Show ETRN/EXPN/VRFY if there's an ACL for checking hosts; if actually
5069 used, a check will be done for permitted hosts. Show STARTTLS only if not
5070 already in a TLS session and if it would be advertised in the EHLO
5075 smtp_printf("214-Commands supported:\r\n");
5079 Ustrcat(buffer, " AUTH");
5081 if (tls_in.active < 0 &&
5082 verify_check_host(&tls_advertise_hosts) != FAIL)
5083 Ustrcat(buffer, " STARTTLS");
5085 Ustrcat(buffer, " HELO EHLO MAIL RCPT DATA BDAT");
5086 Ustrcat(buffer, " NOOP QUIT RSET HELP");
5087 if (acl_smtp_etrn != NULL) Ustrcat(buffer, " ETRN");
5088 if (acl_smtp_expn != NULL) Ustrcat(buffer, " EXPN");
5089 if (acl_smtp_vrfy != NULL) Ustrcat(buffer, " VRFY");
5090 smtp_printf("214%s\r\n", buffer);
5096 incomplete_transaction_log(US"connection lost");
5097 smtp_notquit_exit(US"connection-lost", US"421",
5098 US"%s lost input connection", smtp_active_hostname);
5100 /* Don't log by default unless in the middle of a message, as some mailers
5101 just drop the call rather than sending QUIT, and it clutters up the logs.
5104 if (sender_address != NULL || recipients_count > 0)
5105 log_write(L_lost_incoming_connection,
5107 "unexpected %s while reading SMTP command from %s%s",
5108 sender_host_unknown? "EOF" : "disconnection",
5109 host_and_ident(FALSE), smtp_read_error);
5111 else log_write(L_smtp_connection, LOG_MAIN, "%s lost%s",
5112 smtp_get_connection_info(), smtp_read_error);
5120 if (sender_address != NULL)
5122 done = synprot_error(L_smtp_protocol_error, 503, NULL,
5123 US"ETRN is not permitted inside a transaction");
5127 log_write(L_etrn, LOG_MAIN, "ETRN %s received from %s", smtp_cmd_argument,
5128 host_and_ident(FALSE));
5130 if ((rc = acl_check(ACL_WHERE_ETRN, NULL, acl_smtp_etrn,
5131 &user_msg, &log_msg)) != OK)
5133 done = smtp_handle_acl_fail(ACL_WHERE_ETRN, rc, user_msg, log_msg);
5137 /* Compute the serialization key for this command. */
5139 etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_cmd_data);
5141 /* If a command has been specified for running as a result of ETRN, we
5142 permit any argument to ETRN. If not, only the # standard form is permitted,
5143 since that is strictly the only kind of ETRN that can be implemented
5144 according to the RFC. */
5146 if (smtp_etrn_command != NULL)
5150 etrn_command = smtp_etrn_command;
5151 deliver_domain = smtp_cmd_data;
5152 rc = transport_set_up_command(&argv, smtp_etrn_command, TRUE, 0, NULL,
5153 US"ETRN processing", &error);
5154 deliver_domain = NULL;
5157 log_write(0, LOG_MAIN|LOG_PANIC, "failed to set up ETRN command: %s",
5159 smtp_printf("458 Internal failure\r\n");
5164 /* Else set up to call Exim with the -R option. */
5168 if (*smtp_cmd_data++ != '#')
5170 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5171 US"argument must begin with #");
5174 etrn_command = US"exim -R";
5175 argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, NULL, TRUE,
5176 *queue_name ? 4 : 2,
5177 US"-R", smtp_cmd_data,
5178 US"-MCG", queue_name);
5181 /* If we are host-testing, don't actually do anything. */
5187 debug_printf("ETRN command is: %s\n", etrn_command);
5188 debug_printf("ETRN command execution skipped\n");
5190 if (user_msg == NULL) smtp_printf("250 OK\r\n");
5191 else smtp_user_msg(US"250", user_msg);
5196 /* If ETRN queue runs are to be serialized, check the database to
5197 ensure one isn't already running. */
5199 if (smtp_etrn_serialize && !enq_start(etrn_serialize_key, 1))
5201 smtp_printf("458 Already processing %s\r\n", smtp_cmd_data);
5205 /* Fork a child process and run the command. We don't want to have to
5206 wait for the process at any point, so set SIGCHLD to SIG_IGN before
5207 forking. It should be set that way anyway for external incoming SMTP,
5208 but we save and restore to be tidy. If serialization is required, we
5209 actually run the command in yet another process, so we can wait for it
5210 to complete and then remove the serialization lock. */
5212 oldsignal = signal(SIGCHLD, SIG_IGN);
5214 if ((pid = fork()) == 0)
5216 smtp_input = FALSE; /* This process is not associated with the */
5217 (void)fclose(smtp_in); /* SMTP call any more. */
5218 (void)fclose(smtp_out);
5220 signal(SIGCHLD, SIG_DFL); /* Want to catch child */
5222 /* If not serializing, do the exec right away. Otherwise, fork down
5223 into another process. */
5225 if (!smtp_etrn_serialize || (pid = fork()) == 0)
5227 DEBUG(D_exec) debug_print_argv(argv);
5228 exim_nullstd(); /* Ensure std{in,out,err} exist */
5229 execv(CS argv[0], (char *const *)argv);
5230 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "exec of \"%s\" (ETRN) failed: %s",
5231 etrn_command, strerror(errno));
5232 _exit(EXIT_FAILURE); /* paranoia */
5235 /* Obey this if smtp_serialize and the 2nd fork yielded non-zero. That
5236 is, we are in the first subprocess, after forking again. All we can do
5237 for a failing fork is to log it. Otherwise, wait for the 2nd process to
5238 complete, before removing the serialization. */
5241 log_write(0, LOG_MAIN|LOG_PANIC, "2nd fork for serialized ETRN "
5242 "failed: %s", strerror(errno));
5246 DEBUG(D_any) debug_printf("waiting for serialized ETRN process %d\n",
5248 (void)wait(&status);
5249 DEBUG(D_any) debug_printf("serialized ETRN process %d ended\n",
5253 enq_end(etrn_serialize_key);
5254 _exit(EXIT_SUCCESS);
5257 /* Back in the top level SMTP process. Check that we started a subprocess
5258 and restore the signal state. */
5262 log_write(0, LOG_MAIN|LOG_PANIC, "fork of process for ETRN failed: %s",
5264 smtp_printf("458 Unable to fork process\r\n");
5265 if (smtp_etrn_serialize) enq_end(etrn_serialize_key);
5269 if (user_msg == NULL) smtp_printf("250 OK\r\n");
5270 else smtp_user_msg(US"250", user_msg);
5273 signal(SIGCHLD, oldsignal);
5278 done = synprot_error(L_smtp_syntax_error, 501, NULL,
5279 US"unexpected argument data");
5283 /* This currently happens only for NULLs, but could be extended. */
5286 done = synprot_error(L_smtp_syntax_error, 0, NULL, /* Just logs */
5287 US"NULL character(s) present (shown as '?')");
5288 smtp_printf("501 NULL characters are not allowed in SMTP commands\r\n");
5294 if (smtp_inend >= smtp_inbuffer + in_buffer_size)
5295 smtp_inend = smtp_inbuffer + in_buffer_size - 1;
5296 c = smtp_inend - smtp_inptr;
5297 if (c > 150) c = 150;
5299 incomplete_transaction_log(US"sync failure");
5300 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol synchronization error "
5301 "(next input sent too soon: pipelining was%s advertised): "
5302 "rejected \"%s\" %s next input=\"%s\"",
5303 pipelining_advertised? "" : " not",
5304 smtp_cmd_buffer, host_and_ident(TRUE),
5305 string_printing(smtp_inptr));
5306 smtp_notquit_exit(US"synchronization-error", US"554",
5307 US"SMTP synchronization error");
5308 done = 1; /* Pretend eof - drops connection */
5312 case TOO_MANY_NONMAIL_CMD:
5313 s = smtp_cmd_buffer;
5314 while (*s != 0 && !isspace(*s)) s++;
5315 incomplete_transaction_log(US"too many non-mail commands");
5316 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
5317 "nonmail commands (last was \"%.*s\")", host_and_ident(FALSE),
5318 (int)(s - smtp_cmd_buffer), smtp_cmd_buffer);
5319 smtp_notquit_exit(US"bad-commands", US"554", US"Too many nonmail commands");
5320 done = 1; /* Pretend eof - drops connection */
5323 #ifdef SUPPORT_PROXY
5324 case PROXY_FAIL_IGNORE_CMD:
5325 smtp_printf("503 Command refused, required Proxy negotiation failed\r\n");
5330 if (unknown_command_count++ >= smtp_max_unknown_commands)
5332 log_write(L_smtp_syntax_error, LOG_MAIN,
5333 "SMTP syntax error in \"%s\" %s %s",
5334 string_printing(smtp_cmd_buffer), host_and_ident(TRUE),
5335 US"unrecognized command");
5336 incomplete_transaction_log(US"unrecognized command");
5337 smtp_notquit_exit(US"bad-commands", US"500",
5338 US"Too many unrecognized commands");
5340 log_write(0, LOG_MAIN|LOG_REJECT, "SMTP call from %s dropped: too many "
5341 "unrecognized commands (last was \"%s\")", host_and_ident(FALSE),
5342 string_printing(smtp_cmd_buffer));
5345 done = synprot_error(L_smtp_syntax_error, 500, NULL,
5346 US"unrecognized command");
5350 /* This label is used by goto's inside loops that want to break out to
5351 the end of the command-processing loop. */
5354 last_was_rej_mail = was_rej_mail; /* Remember some last commands for */
5355 last_was_rcpt = was_rcpt; /* protocol error handling */
5359 return done - 2; /* Convert yield values */
5364 /* End of smtp_in.c */