| blob | 4710cc509c548033b30a2fe6f4b414e6850efc85 |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* smtp_chat 3
6 /* SUMMARY
7 /* SMTP client request/response support
8 /* SYNOPSIS
9 /* #include "smtp.h"
10 /*
11 /* typedef struct {
12 /* .in +4
13 /* int code; /* SMTP code, not sanitized */
14 /* char *dsn; /* enhanced status, sanitized */
15 /* char *str; /* unmodified SMTP reply */
16 /* VSTRING *dsn_buf;
17 /* VSTRING *str_buf;
18 /* .in -4
19 /* } SMTP_RESP;
20 /*
21 /* void smtp_chat_cmd(session, format, ...)
22 /* SMTP_SESSION *session;
23 /* char *format;
24 /*
25 /* SMTP_RESP *smtp_chat_resp(session)
26 /* SMTP_SESSION *session;
27 /*
28 /* void smtp_chat_notify(session)
29 /* SMTP_SESSION *session;
30 /*
31 /* void smtp_chat_init(session)
32 /* SMTP_SESSION *session;
33 /*
34 /* void smtp_chat_reset(session)
35 /* SMTP_SESSION *session;
36 /* DESCRIPTION
37 /* This module implements SMTP client support for request/reply
38 /* conversations, and maintains a limited SMTP transaction log.
39 /*
40 /* smtp_chat_cmd() formats a command and sends it to an SMTP server.
41 /* Optionally, the command is logged.
42 /*
43 /* smtp_chat_resp() reads one SMTP server response. It extracts
44 /* the SMTP reply code and enhanced status code from the text,
45 /* and concatenates multi-line responses to one string, using
46 /* a newline as separator. Optionally, the server response
47 /* is logged.
48 /* .IP \(bu
49 /* Postfix never sanitizes the extracted SMTP reply code except
50 /* to ensure that it is a three-digit code. A malformed reply
51 /* results in a null extracted SMTP reply code value.
52 /* .IP \(bu
53 /* Postfix always sanitizes the extracted enhanced status code.
54 /* When the server's SMTP status code is 2xx, 4xx or 5xx,
55 /* Postfix requires that the first digit of the server's
56 /* enhanced status code matches the first digit of the server's
57 /* SMTP status code. In case of a mis-match, or when the
58 /* server specified no status code, the extracted enhanced
59 /* status code is set to 2.0.0, 4.0.0 or 5.0.0 instead. With
60 /* SMTP reply codes other than 2xx, 4xx or 5xx, the extracted
61 /* enhanced status code is set to a default value of 5.5.0
62 /* (protocol error) for reasons outlined under the next bullet.
63 /* .IP \(bu
64 /* Since the SMTP reply code may violate the protocol even
65 /* when it is correctly formatted, Postfix uses the sanitized
66 /* extracted enhanced status code to decide whether an error
67 /* condition is permanent or transient. This means that the
68 /* caller may have to update the enhanced status code when it
69 /* discovers that a server reply violates the SMTP protocol,
70 /* even though it was correctly formatted. This happens when
71 /* the client and server get out of step due to a broken proxy
72 /* agent.
73 /* .PP
74 /* smtp_chat_notify() sends a copy of the SMTP transaction log
75 /* to the postmaster for review. The postmaster notice is sent only
76 /* when delivery is possible immediately. It is an error to call
77 /* smtp_chat_notify() when no SMTP transaction log exists.
78 /*
79 /* smtp_chat_init() initializes the per-session transaction log.
80 /* This must be done at the beginning of a new SMTP session.
81 /*
82 /* smtp_chat_reset() resets the transaction log. This is
83 /* typically done at the beginning or end of an SMTP session,
84 /* or within a session to discard non-error information.
85 /* DIAGNOSTICS
86 /* Fatal errors: memory allocation problem, server response exceeds
87 /* configurable limit.
88 /* All other exceptions are handled by long jumps (see smtp_stream(3)).
89 /* SEE ALSO
90 /* smtp_stream(3) SMTP session I/O support
91 /* msg(3) generic logging interface
92 /* LICENSE
93 /* .ad
94 /* .fi
95 /* The Secure Mailer license must be distributed with this software.
96 /* AUTHOR(S)
97 /* Wietse Venema
98 /* IBM T.J. Watson Research
99 /* P.O. Box 704
100 /* Yorktown Heights, NY 10598, USA
101 /*--*/
103 /* System library. */
105 #include <sys_defs.h>
107 #include <stdarg.h>
108 #include <ctype.h>
109 #include <stdlib.h>
110 #include <setjmp.h>
111 #include <string.h>
113 /* Utility library. */
115 #include <msg.h>
116 #include <vstring.h>
117 #include <vstream.h>
118 #include <argv.h>
119 #include <stringops.h>
120 #include <line_wrap.h>
121 #include <mymalloc.h>
123 /* Global library. */
125 #include <recipient_list.h>
126 #include <deliver_request.h>
127 #include <smtp_stream.h>
128 #include <mail_params.h>
129 #include <mail_addr.h>
130 #include <post_mail.h>
131 #include <mail_error.h>
132 #include <dsn_util.h>
134 /* Application-specific. */
138 /* smtp_chat_init - initialize SMTP transaction log */
141 {
143 }
145 /* smtp_chat_reset - reset SMTP transaction log */
148 {
152 }
153 }
155 /* smtp_chat_append - append record to SMTP transaction log */
158 {
166 }
168 /* smtp_chat_cmd - send an SMTP command */
171 {
174 /*
175 * Format the command, and update the transaction log.
176 */
182 /*
183 * Optionally log the command first, so we can see in the log what the
184 * program is trying to do.
185 */
189 /*
190 * Send the command to the SMTP server.
191 */
194 /*
195 * Force flushing of output does not belong here. It is done in the
196 * smtp_loop() main protocol loop when reading the server response, and
197 * in smtp_helo() when reading the EHLO response after sending the EHLO
198 * command.
199 *
200 * If we do forced flush here, then we must longjmp() on error, and a
201 * matching "prepare for disaster" error handler must be set up before
202 * every smtp_chat_cmd() call.
203 */
204 #if 0
206 /*
207 * Flush unsent data to avoid timeouts after slow DNS lookups.
208 */
212 /*
213 * Abort immediately if the connection is broken.
214 */
219 #endif
220 }
222 /* smtp_chat_resp - read and process SMTP server response */
225 {
232 /*
233 * Initialize the response data buffer.
234 */
238 }
240 /*
241 * Censor out non-printable characters in server responses. Concatenate
242 * multi-line server responses. Separate the status code from the text.
243 * Leave further parsing up to the application.
244 */
255 /*
256 * Defend against a denial of service attack by limiting the amount
257 * of multi-line text that we are willing to store.
258 */
264 }
266 /*
267 * Parse into code and text. Ignore unrecognized garbage. This means
268 * that any character except space (or end of line) will have the
269 * same effect as the '-' line continuation character.
270 */
278 }
280 /*
281 * XXX Do not simply ignore garbage in the server reply when ESMTP
282 * command pipelining is turned on. For example, after sending
283 * ".<CR><LF>QUIT<CR><LF>" and receiving garbage followed by a
284 * legitimate 2XX reply, Postfix recognizes the server's QUIT reply
285 * as the END-OF-DATA reply after garbage, causing mail to be lost.
286 *
287 * Without the ability to store per-domain status information in queue
288 * files, automatic workarounds are problematic:
289 *
290 * - Automatically deferring delivery creates a "repeated delivery"
291 * problem when garbage arrives after the DATA stage. Without the
292 * workaround, Postfix delivers only once.
293 *
294 * - Automatically deferring delivery creates a "no delivery" problem
295 * when the garbage arrives before the DATA stage. Without the
296 * workaround, mail might still get through.
297 *
298 * - Automatically turning off pipelining for delayed mail affects
299 * deliveries to correctly implemented servers, and may also affect
300 * delivery of large mailing lists.
301 *
302 * So we leave the decision with the administrator, but we don't force
303 * them to take action, like we would with automatic deferral. If
304 * loss of mail is not acceptable then they can turn off pipelining
305 * for specific sites, or they can turn off pipelining globally when
306 * they find that there are just too many broken sites.
307 */
320 }
321 }
323 /*
324 * Extract RFC 821 reply code and RFC 2034 detail. Use a default detail
325 * code if none was given.
326 *
327 * Ignore out-of-protocol enhanced status codes: codes that accompany 3XX
328 * replies, or codes whose initial digit is out of sync with the reply
329 * code.
330 *
331 * XXX Potential stability problem. In order to save memory, the queue
332 * manager stores DSNs in a compact manner:
333 *
334 * - empty strings are represented by null pointers,
335 *
336 * - the status and reason are required to be non-empty.
337 *
338 * Other Postfix daemons inherit this behavior, because they use the same
339 * DSN support code. This means that everything that receives DSNs must
340 * cope with null pointers for the optional DSN attributes, and that
341 * everything that provides DSN information must provide a non-empty
342 * status and reason, otherwise the DSN support code wil panic().
343 *
344 * Thus, when the remote server sends a malformed reply (or 3XX out of
345 * context) we should not panic() in DSN_COPY() just because we don't
346 * have a status. Robustness suggests that we supply a status here, and
347 * that we leave it up to the down-stream code to override the
348 * server-supplied status in case of an error we can't detect here, such
349 * as an out-of-order server reply.
350 */
363 }
364 }
367 }
371 }
373 /* print_line - line_wrap callback */
376 {
380 }
382 /* smtp_chat_notify - notify postmaster */
385 {
390 /*
391 * Sanity checks.
392 */
398 /*
399 * Construct a message for the postmaster, explaining what this is all
400 * about. This is junk mail: don't send it when the mail posting service
401 * is unavailable, and use the double bounce sender address, to prevent
402 * mail bounce wars. Always prepend one space to message content that we
403 * generate from untrusted data.
404 */
405 #define NULL_TRACE_FLAGS 0
406 #define NO_QUEUE_ID ((VSTRING *) 0)
407 #define LENGTH 78
408 #define INDENT 4
411 var_error_rcpt,
412 INT_FILT_MASK_NOTIFY,
417 }
422 var_mail_name,
439 }