X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fsmtp_in.c;h=1e478a6ac7a99b77ea75730911997a05a7bd719a;hb=7a9e0ae14e5544e8377d1f91298d0ec9a482bf12;hp=b071298c73d6e79f5601a9b641f7db32caa5b6c7;hpb=2aaa3cdd22a987cbf7c8343d3e6103ee521296dc;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index b071298c7..1e478a6ac 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -133,11 +133,8 @@ to the circular buffer that holds a list of the last n received. */ static struct { BOOL auth_advertised :1; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS BOOL tls_advertised :1; -# ifdef EXPERIMENTAL_REQUIRETLS - BOOL requiretls_advertised :1; -# endif #endif BOOL dsn_advertised :1; BOOL esmtp :1; @@ -145,7 +142,7 @@ static struct { BOOL helo_verify :1; BOOL helo_seen :1; BOOL helo_accept_junk :1; -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT BOOL pipe_connect_acceptable :1; #endif BOOL rcpt_smtp_response_same :1; @@ -197,7 +194,7 @@ static smtp_cmd_list cmd_list[] = { { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE }, { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE }, { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE }, { "tls_auth", 0, TLS_AUTH_CMD, FALSE, FALSE }, #endif @@ -267,9 +264,6 @@ enum { ENV_MAIL_OPT_RET, ENV_MAIL_OPT_ENVID, #ifdef SUPPORT_I18N ENV_MAIL_OPT_UTF8, -#endif -#ifdef EXPERIMENTAL_REQUIRETLS - ENV_MAIL_OPT_REQTLS, #endif }; typedef struct { @@ -289,10 +283,6 @@ static env_mail_type_t env_mail_type_list[] = { { US"ENVID", ENV_MAIL_OPT_ENVID, TRUE }, #ifdef SUPPORT_I18N { US"SMTPUTF8",ENV_MAIL_OPT_UTF8, FALSE }, /* rfc6531 */ -#endif -#ifdef EXPERIMENTAL_REQUIRETLS - /* https://tools.ietf.org/html/draft-ietf-uta-smtp-require-tls-03 */ - { US"REQUIRETLS",ENV_MAIL_OPT_REQTLS, FALSE }, #endif /* keep this the last entry */ { US"NULL", ENV_MAIL_OPT_NULL, FALSE }, @@ -358,7 +348,7 @@ int fd, rc; fd_set fds; struct timeval tzero; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.active.sock >= 0) return !tls_could_read(); #endif @@ -407,7 +397,7 @@ return TRUE; } -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT static BOOL pipeline_connect_sends(void) { @@ -955,7 +945,7 @@ if (fl.rcpt_in_progress) /* Now write the string */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.active.sock >= 0) { if (tls_write(NULL, gs.s, gs.ptr, more) < 0) @@ -1784,7 +1774,7 @@ return string_sprintf("SMTP connection from %s", hostname); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS /* Append TLS-related information to a log line Arguments: @@ -1796,7 +1786,13 @@ static gstring * s_tlslog(gstring * g) { if (LOGGING(tls_cipher) && tls_in.cipher) + { g = string_append(g, 2, US" X=", tls_in.cipher); +#ifdef EXPERIMENTAL_TLS_RESUME + if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED) + g = string_catn(g, US"*", 1); +#endif + } if (LOGGING(tls_certificate_verified) && tls_in.cipher) g = string_append(g, 2, US" CV=", tls_in.certificate_verified? "yes":"no"); if (LOGGING(tls_peerdn) && tls_in.peerdn) @@ -1834,7 +1830,7 @@ if (sender_host_authenticated) if (authenticated_id) g = string_append(g, 2, US":", authenticated_id); } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS g = s_tlslog(g); #endif @@ -2379,7 +2375,7 @@ return done - 2; /* Convert yield values */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS static BOOL smtp_log_tls_fail(uschar * errstr) { @@ -2470,15 +2466,12 @@ if (!host_checking && !f.sender_host_notsocket) sender_host_auth_pubname = sender_host_authenticated = NULL; authenticated_by = NULL; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_in.cipher = tls_in.peerdn = NULL; tls_in.ourcert = tls_in.peercert = NULL; tls_in.sni = NULL; tls_in.ocsp = OCSP_NOT_REQ; fl.tls_advertised = FALSE; -# ifdef EXPERIMENTAL_REQUIRETLS -fl.requiretls_advertised = FALSE; -# endif #endif fl.dsn_advertised = FALSE; #ifdef SUPPORT_I18N @@ -2910,7 +2903,7 @@ if (check_proxy_protocol_host()) /* Start up TLS if tls_on_connect is set. This is for supporting the legacy smtps port for use with older style SSL MTAs. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.on_connect) { if (tls_server_start(tls_require_ciphers, &user_msg) != OK) @@ -3002,7 +2995,7 @@ while (*p); /* Before we write the banner, check that there is no input pending, unless this synchronisation check is disabled. */ -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT fl.pipe_connect_acceptable = sender_host_address && verify_check_host(&pipe_connect_advertise_hosts) == OK; @@ -3029,7 +3022,7 @@ if (!check_sync()) /*XXX the ehlo-resp code does its own tls/nontls bit. Maybe subroutine that? */ smtp_printf("%s", -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT fl.pipe_connect_acceptable && pipeline_connect_sends(), #else FALSE, @@ -3411,7 +3404,7 @@ is closing if required and return 2. */ if (log_reject_target != 0) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS gstring * g = s_tlslog(NULL); uschar * tls = string_from_gstring(g); if (!tls) tls = US""; @@ -3832,7 +3825,7 @@ if (*user_msgp) else smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_close(NULL, TLS_SHUTDOWN_NOWAIT); #endif @@ -3903,7 +3896,7 @@ chunking_state = f.chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED; cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE; cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE; cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE; #endif @@ -3980,7 +3973,7 @@ while (done <= 0) #endif switch(smtp_read_command( -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT !fl.pipe_connect_acceptable, #else TRUE, @@ -4220,7 +4213,7 @@ while (done <= 0) host_build_sender_fullhost(); /* Rebuild */ break; } -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT else if (!fl.pipe_connect_acceptable && !check_sync()) #else else if (!check_sync()) @@ -4235,11 +4228,8 @@ while (done <= 0) fl.auth_advertised = FALSE; f.smtp_in_pipelining_advertised = FALSE; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS fl.tls_advertised = FALSE; -# ifdef EXPERIMENTAL_REQUIRETLS - fl.requiretls_advertised = FALSE; -# endif #endif fl.dsn_advertised = FALSE; #ifdef SUPPORT_I18N @@ -4354,7 +4344,7 @@ while (done <= 0) sync_cmd_limit = NON_SYNC_CMD_PIPELINING; f.smtp_in_pipelining_advertised = TRUE; -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT if (fl.pipe_connect_acceptable) { f.smtp_in_early_pipe_advertised = TRUE; @@ -4431,7 +4421,7 @@ while (done <= 0) tls_advertise_hosts. We must *not* advertise if we are already in a secure connection. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.active.sock < 0 && verify_check_host(&tls_advertise_hosts) != FAIL) { @@ -4439,17 +4429,6 @@ while (done <= 0) g = string_catn(g, US"-STARTTLS\r\n", 11); fl.tls_advertised = TRUE; } - -# ifdef EXPERIMENTAL_REQUIRETLS - /* Advertise REQUIRETLS only once we are in a secure connection */ - if ( tls_in.active.sock >= 0 - && verify_check_host(&tls_advertise_requiretls) != FAIL) - { - g = string_catn(g, smtp_code, 3); - g = string_catn(g, US"-REQUIRETLS\r\n", 13); - fl.requiretls_advertised = TRUE; - } -# endif #endif #ifndef DISABLE_PRDR @@ -4480,10 +4459,10 @@ while (done <= 0) /* Terminate the string (for debug), write it, and note that HELO/EHLO has been seen. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.active.sock >= 0) (void)tls_write(NULL, g->s, g->ptr, -# ifdef EXPERIMENTAL_PIPE_CONNECT +# ifdef SUPPORT_PIPE_CONNECT fl.pipe_connect_acceptable && pipeline_connect_sends()); # else FALSE); @@ -4774,28 +4753,6 @@ while (done <= 0) break; #endif -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - case ENV_MAIL_OPT_REQTLS: - { - uschar * r, * t; - - if (!fl.requiretls_advertised) - { - done = synprot_error(L_smtp_syntax_error, 555, NULL, - US"unadvertised MAIL option: REQUIRETLS"); - goto COMMAND_LOOP; - } - - DEBUG(D_receive) debug_printf("requiretls requested\n"); - tls_requiretls = REQUIRETLS_MSG; - - r = string_copy_malloc(received_protocol); - if ((t = Ustrrchr(r, 's'))) *t = 'S'; - received_protocol = r; - } - break; -#endif - /* No valid option. Stick back the terminator characters and break the loop. Do the name-terminator second as extract_option sets value==name when it found no equal-sign. @@ -4813,17 +4770,6 @@ while (done <= 0) if (arg_error) break; } -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS) - if (tls_requiretls & REQUIRETLS_MSG) - { - /* Ensure headers-only bounces whether a RET option was given or not. */ - - DEBUG(D_receive) if (dsn_ret == dsn_ret_full) - debug_printf("requiretls override: dsn_ret_full -> dsn_ret_hdrs\n"); - dsn_ret = dsn_ret_hdrs; - } -#endif - /* If we have passed the threshold for rate limiting, apply the current delay, and update it for next time, provided this is a limited host. */ @@ -5294,7 +5240,7 @@ while (done <= 0) f.dot_ends = TRUE; DATA_BDAT: /* Common code for DATA and BDAT */ -#ifdef EXPERIMENTAL_PIPE_CONNECT +#ifdef SUPPORT_PIPE_CONNECT fl.pipe_connect_acceptable = FALSE; #endif if (!discarded && recipients_count <= 0) @@ -5449,7 +5395,7 @@ while (done <= 0) break; - #ifdef SUPPORT_TLS + #ifndef DISABLE_TLS case STARTTLS_CMD: HAD(SCH_STARTTLS); @@ -5640,7 +5586,7 @@ while (done <= 0) uschar buffer[256]; buffer[0] = 0; Ustrcat(buffer, " AUTH"); - #ifdef SUPPORT_TLS + #ifndef DISABLE_TLS if (tls_in.active.sock < 0 && verify_check_host(&tls_advertise_hosts) != FAIL) Ustrcat(buffer, " STARTTLS");