| blob | cd4d099ae822e5928834509e61905fa08ee4e98b |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* smtp_connect 3
6 /* SUMMARY
7 /* connect to SMTP/LMTP server and deliver
8 /* SYNOPSIS
9 /* #include "smtp.h"
10 /*
11 /* int smtp_connect(state)
12 /* SMTP_STATE *state;
13 /* DESCRIPTION
14 /* This module implements SMTP/LMTP connection management and controls
15 /* mail delivery.
16 /*
17 /* smtp_connect() attempts to establish an SMTP/LMTP session with a host
18 /* that represents the destination domain, or with an optional fallback
19 /* relay when {the destination cannot be found, or when all the
20 /* destination servers are unavailable}. It skips over IP addresses
21 /* that fail to complete the SMTP/LMTP handshake and tries to find
22 /* an alternate server when an SMTP/LMTP session fails to deliver.
23 /*
24 /* This layer also controls what connections are retrieved from
25 /* the connection cache, and what connections are saved to the cache.
26 /*
27 /* The destination is either a host (or domain) name or a numeric
28 /* address. Symbolic or numeric service port information may be
29 /* appended, separated by a colon (":"). In the case of LMTP,
30 /* destinations may be specified as "unix:pathname", "inet:host"
31 /* or "inet:host:port".
32 /*
33 /* With SMTP, the Internet domain name service is queried for mail
34 /* exchanger hosts. Quote the domain name with `[' and `]' to
35 /* suppress mail exchanger lookups.
36 /*
37 /* Numerical address information should always be quoted with `[]'.
38 /* DIAGNOSTICS
39 /* The delivery status is the result value.
40 /* SEE ALSO
41 /* smtp_proto(3) SMTP client protocol
42 /* LICENSE
43 /* .ad
44 /* .fi
45 /* The Secure Mailer license must be distributed with this software.
46 /* AUTHOR(S)
47 /* Wietse Venema
48 /* IBM T.J. Watson Research
49 /* P.O. Box 704
50 /* Yorktown Heights, NY 10598, USA
51 /*
52 /* Connection caching in cooperation with:
53 /* Victor Duchovni
54 /* Morgan Stanley
55 /*--*/
57 /* System library. */
59 #include <sys_defs.h>
60 #include <stdlib.h>
61 #include <sys/socket.h>
62 #include <sys/un.h>
63 #include <netinet/in.h>
64 #include <arpa/inet.h>
65 #include <errno.h>
66 #include <netdb.h>
67 #include <stdlib.h>
68 #include <string.h>
69 #include <unistd.h>
70 #include <fcntl.h>
71 #include <ctype.h>
73 #ifndef IPPORT_SMTP
74 #define IPPORT_SMTP 25
75 #endif
77 /* Utility library. */
79 #include <msg.h>
80 #include <vstream.h>
81 #include <vstring.h>
82 #include <split_at.h>
83 #include <mymalloc.h>
84 #include <inet_addr_list.h>
85 #include <iostuff.h>
86 #include <timed_connect.h>
87 #include <stringops.h>
88 #include <host_port.h>
89 #include <sane_connect.h>
90 #include <myaddrinfo.h>
91 #include <sock_addr.h>
93 /* Global library. */
95 #include <mail_params.h>
96 #include <own_inet_addr.h>
97 #include <deliver_pass.h>
98 #include <mail_error.h>
99 #include <dsn_buf.h>
101 /* DNS library. */
103 #include <dns.h>
105 /* Application-specific. */
107 #include <smtp.h>
108 #include <smtp_addr.h>
109 #include <smtp_reuse.h>
111 /*
112 * Forward declaration.
113 */
120 /* smtp_connect_unix - connect to UNIX-domain address */
125 {
133 /*
134 * Sanity checks.
135 */
140 }
142 /*
143 * Initialize.
144 */
147 #ifdef HAS_SUN_LEN
149 #endif
152 /*
153 * Create a client socket.
154 */
158 /*
159 * Connect to the server.
160 */
167 }
169 /* smtp_connect_addr - connect to explicit address */
174 {
179 MAI_HOSTADDR_STR hostaddr;
186 /*
187 * Sanity checks.
188 */
194 }
196 /*
197 * Initialize.
198 */
205 /*
206 * Allow the sysadmin to specify the source address, for example, as "-o
207 * smtp_bind_address=x.x.x.x" in the master.cf file.
208 */
209 #ifdef HAS_IPV6
214 #endif
232 }
234 /*
235 * When running as a virtual host, bind to the virtual interface so that
236 * the mail appears to come from the "right" machine address.
237 *
238 * XXX The IPv6 patch expands the null host (as client endpoint) and uses
239 * the result as the loopback address list.
240 */
252 }
253 }
263 }
264 }
265 }
267 /*
268 * Connect to the server.
269 */
277 }
279 /* smtp_connect_sock - connect a socket over some transport */
288 {
303 }
308 else
312 }
315 /*
316 * Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE.
317 */
319 #ifdef AF_INET6
321 #endif
322 )
325 /*
326 * Bundle up what we have into a nice SMTP_SESSION object.
327 */
330 }
332 /* smtp_parse_destination - parse host/port destination */
336 {
347 /*
348 * Parse the host/port information. We're working with a copy of the
349 * destination argument so the parsing can be destructive.
350 */
354 /*
355 * Convert service to port number, network byte order.
356 */
365 }
367 }
369 /* smtp_cleanup_session - clean up after using a session */
372 {
377 /*
378 * Inform the postmaster of trouble.
379 */
382 mail_error_masks,
386 /*
387 * When session caching is enabled, cache the first good session for this
388 * delivery request under the next-hop destination, and cache all good
389 * sessions under their server network address (destroying the session in
390 * the process).
391 *
392 * Caching under the next-hop destination name (rather than the fall-back
393 * destination) allows us to skip over non-responding primary or backup
394 * hosts. In fact, this is the only benefit of caching logical to
395 * physical bindings; caching a session under its own hostname provides
396 * no performance benefit, given the way smtp_connect() works.
397 */
402 /* Redundant tests for safety... */
408 }
411 /*
412 * If this session was good, reset the logical next-hop state, so that we
413 * won't cache connections to alternate servers under the logical
414 * next-hop destination. Otherwise we could end up skipping over the
415 * available and more preferred servers.
416 */
420 /*
421 * Clean up the lists with todo and dropped recipients.
422 */
425 /*
426 * Reset profiling info.
427 *
428 * XXX When one delivery request results in multiple sessions, the set-up
429 * and transmission latencies of the earlier sessions will count as
430 * connection set-up time for the later sessions.
431 *
432 * XXX On the other hand, when we first try to connect to one or more dead
433 * hosts before we reach a good host, then all that time must be counted
434 * as connection set-up time for the session with the good host.
435 *
436 * XXX So this set-up attribution problem exists only when we actually
437 * engage in a session, spend a lot of time delivering a message, find
438 * that it fails, and then connect to an alternate host.
439 */
445 }
448 {
453 /*
454 * XXX Disable connection caching when sender-dependent authentication is
455 * enabled. We must not send someone elses mail over an authenticated
456 * connection, and we must not send mail that requires authentication
457 * over a connection that wasn't authenticated.
458 */
469 }
470 }
472 /* smtp_connect_local - connect to local server */
475 {
480 /*
481 * It's too painful to weave this code into the SMTP connection
482 * management routine.
483 *
484 * Connection cache management is based on the UNIX-domain pathname, without
485 * the "unix:" prefix.
486 */
489 /*
490 * XXX We assume that the session->addr member refers to a copy of the
491 * UNIX-domain pathname, so that smtp_save_session() will cache the
492 * connection using the pathname as the physical endpoint name.
493 */
494 #define NO_PORT 0
496 /*
497 * Opportunistic TLS for unix domain sockets does not make much sense,
498 * since the channel is private, mere encryption without authentication
499 * is just wasted cycles and opportunity for breakage. Since we are not
500 * willing to retry after TLS handshake failures here, we downgrade "may"
501 * no "none". Nothing is lost, and much waste is avoided.
502 *
503 * We don't know who is authenticating whom, so if a client cert is
504 * available, "encrypt" may be a sensible policy. Otherwise, we also
505 * downgrade "encrypt" to "none", this time just to avoid waste.
506 */
512 #ifdef USE_TLS
518 }
519 #endif
520 /* All delivery errors bounce or defer. */
523 /*
524 * When a TLS handshake fails, the stream is marked "dead" to avoid
525 * further I/O over a broken channel.
526 */
535 }
537 /*
538 * With opportunistic TLS disabled we don't expect to be asked to
539 * retry connections without TLS, and so we expect the final server
540 * flag to stay on.
541 */
545 }
546 }
548 /* smtp_scrub_address_list - delete all cached addresses from list */
551 {
552 MAI_HOSTADDR_STR hostaddr;
556 /*
557 * XXX Extend the DNS_RR structure with fields for the printable address
558 * and/or binary sockaddr representations, so that we can avoid repeated
559 * binary->string transformations for the same address.
560 */
567 }
570 }
571 }
573 /* smtp_update_addr_list - common address list update */
577 {
586 /*
587 * Truncate the address list if we are not going to use it anyway.
588 */
594 }
596 /*
597 * Convert server address to internal form, and look it up in the address
598 * list.
599 *
600 * XXX smtp_reuse_session() breaks if we remove two or more adjacent list
601 * elements but do not truncate the list to zero length.
602 *
603 * XXX Extend the SMTP_SESSION structure with sockaddr information so that
604 * we can avoid repeated string->binary transformations for the same
605 * address.
606 */
616 }
617 }
619 }
620 }
622 /* smtp_reuse_session - try to use existing connection, return session count */
627 {
631 MAI_HOSTADDR_STR hostaddr;
634 /*
635 * First, search the cache by logical destination. We truncate the server
636 * address list when all the sessions for this destination are used up,
637 * to reduce the number of variables that need to be checked later.
638 *
639 * Note: lookup by logical destination restores the "best MX" bit.
640 */
650 }
652 /*
653 * Second, search the cache by primary MX address. Again, we use address
654 * list truncation so that we have to check fewer variables later.
655 *
656 * XXX This loop is safe because smtp_update_addr_list() either truncates
657 * the list to zero length, or removes at most one list element.
658 */
675 }
676 }
678 }
680 /* smtp_connect_remote - establish remote connection */
684 {
693 /*
694 * First try to deliver to the indicated destination, then try to deliver
695 * to the optional fall-back relays.
696 *
697 * Future proofing: do a null destination sanity check in case we allow the
698 * primary destination to be a list (it could be just separators).
699 */
708 /*
709 * Don't give up after a hard host lookup error until we have tried the
710 * fallback relay servers.
711 *
712 * Don't bounce mail after a host lookup problem with a relayhost or with a
713 * fallback relay.
714 *
715 * Don't give up after a qualifying soft error until we have tried all
716 * qualifying backup mail servers.
717 *
718 * All this means that error handling and error reporting depends on whether
719 * the error qualifies for trying to deliver to a backup mail server, or
720 * whether we're looking up a relayhost or fallback relay. The challenge
721 * then is to build this into the pre-existing SMTP client without
722 * getting lost in the complexity.
723 */
724 #define IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites) \
725 (*(cpp) && (cpp) >= (sites)->argv + (non_fallback_sites))
741 MAI_HOSTADDR_STR hostaddr;
746 /*
747 * Parse the destination. Default is to use the SMTP port. Look up
748 * the address instead of the mail exchanger when a quoted host is
749 * specified, or when DNS lookups are disabled.
750 */
753 /*
754 * Resolve an SMTP server. Skip mail exchanger lookups when a quoted
755 * host is specified, or when DNS lookups are disabled.
756 */
762 else
769 /* XXX We could be an MX host for this destination... */
775 /* If we're MX host, don't connect to non-MX backups. */
778 }
780 /*
781 * Don't try fall-back hosts if mail loops to myself. That would just
782 * make the problem worse.
783 */
787 /*
788 * No early loop exit or we have a memory leak with dest_buf.
789 */
793 /*
794 * When session caching is enabled, store the first good session for
795 * this delivery request under the next-hop destination name. All
796 * good sessions will be stored under their specific server IP
797 * address.
798 *
799 * XXX Replace sites->argv by (lookup_mx, domain, port) triples so we
800 * don't have to make clumsy ad-hoc copies and keep track of who
801 * free()s the memory.
802 *
803 * XXX smtp_session_cache_destinations specifies domain names without
804 * :port, because : is already used for maptype:mapname. Because of
805 * this limitation we use the bare domain without the optional [] or
806 * non-default TCP port.
807 *
808 * Opportunistic (a.k.a. on-demand) session caching on request by the
809 * queue manager. This is turned temporarily when a destination has a
810 * high volume of mail in the active queue.
811 *
812 * XXX Disable connection caching when sender-dependent authentication
813 * is enabled. We must not send someone elses mail over an
814 * authenticated connection, and we must not send mail that requires
815 * authentication over a connection that wasn't authenticated.
816 */
821 }
823 /*
824 * Delete visited cached hosts from the address list.
825 *
826 * Optionally search the connection cache by domain name or by primary
827 * MX address before we try to create new connections.
828 *
829 * Enforce the MX session and MX address counts per next-hop or
830 * fall-back destination. smtp_reuse_session() will truncate the
831 * address list when either limit is reached.
832 */
842 /*
843 * Connect to an SMTP server: create primary MX connections, and
844 * reuse or create backup MX connections.
845 *
846 * At the start of an SMTP session, all recipients are unmarked. In the
847 * course of an SMTP session, recipients are marked as KEEP (deliver
848 * to alternate mail server) or DROP (remove from recipient list). At
849 * the end of an SMTP session, weed out the recipient list. Unmark
850 * any left-over recipients and try to deliver them to a backup mail
851 * server.
852 *
853 * Cache the first good session under the next-hop destination name.
854 * Cache all good sessions under their physical endpoint.
855 *
856 * Don't query the session cache for primary MX hosts. We already did
857 * that in smtp_reuse_session(), and if any were found in the cache,
858 * they were already deleted from the address list.
859 */
874 /* Don't count handshake errors towards the session limit. */
878 #ifdef USE_TLS
879 /* Disable TLS when retrying after a handshake failure */
885 }
887 #endif
890 #ifdef USE_TLS
892 /*
893 * When an opportunistic TLS handshake fails, try the
894 * same address again, with TLS disabled. See also the
895 * RETRY_AS_PLAINTEXT macro.
896 */
900 }
901 #endif
903 /*
904 * When a TLS handshake fails, the stream is marked
905 * "dead" to avoid further I/O over a broken channel.
906 */
912 /* Do count delivery errors towards the session limit. */
919 }
922 /* The reason already includes the IP address and TCP port. */
924 }
925 /* Insert: test if we must skip the remaining MX hosts. */
926 }
931 }
933 /*
934 * We still need to deliver, bounce or defer some left-over recipients:
935 * either mail loops or some backup mail server was unavailable.
936 */
939 /*
940 * In case of a "no error" indication we make up an excuse: we did
941 * find the host address, but we did not attempt to connect to it.
942 * This can happen when the fall-back relay was already tried via a
943 * cached connection, so that the address list scrubber left behind
944 * an empty list.
945 */
949 }
951 /*
952 * Pay attention to what could be configuration problems, and pretend
953 * that these are recoverable rather than bouncing the mail.
954 */
958 /*
959 * The fall-back destination did not resolve as expected, or it
960 * is refusing to talk to us, or mail for it loops back to us.
961 */
965 /* XXX Keep the diagnostic code and MTA. */
966 }
968 /*
969 * The next-hop relayhost did not resolve as expected, or it is
970 * refusing to talk to us, or mail for it loops back to us.
971 */
975 /* XXX Keep the diagnostic code and MTA. */
976 }
978 /*
979 * Mail for the next-hop destination loops back to myself. Pass
980 * the mail to the best_mx_transport or bounce it.
981 */
985 var_bestmx_transp,
986 request);
988 }
989 }
990 }
992 /*
993 * Cleanup.
994 */
998 }
1000 /* smtp_connect - establish SMTP connection */
1003 {
1007 /*
1008 * All deliveries proceed along the same lines, whether they are over TCP
1009 * or UNIX-domain sockets, and whether they use SMTP or LMTP: get a
1010 * connection from the cache or create a new connection; deliver mail;
1011 * update the connection cache or disconnect.
1012 *
1013 * The major differences appear at a higher level: the expansion from
1014 * destination to address list, and whether to stop before we reach the
1015 * end of that list.
1016 */
1017 #define DEF_LMTP_SERVICE var_lmtp_tcp_port
1020 /*
1021 * With LMTP we have direct-to-host delivery only. The destination may
1022 * have multiple IP addresses.
1023 */
1031 }
1032 }
1034 /*
1035 * With SMTP we can have indirection via MX host lookup, as well as an
1036 * optional fall-back relayhost that we must avoid when we are MX host.
1037 *
1038 * XXX We don't add support for "unix:" or "inet:" prefixes in SMTP
1039 * destinations, because that would break compatibility with existing
1040 * Postfix configurations that have a host with such a name.
1041 */
1044 }
1046 /*
1047 * We still need to bounce or defer some left-over recipients: either
1048 * (SMTP) mail loops or some server was unavailable.
1049 *
1050 * We could avoid this (and the "final server" complexity) by keeping one
1051 * DSN structure per recipient in memory, by updating those in-memory
1052 * structures with each delivery attempt, and by always flushing all
1053 * deferred recipients at the end. We'd probably still want to bounce
1054 * recipients immediately, so we'd end up with another chunk of code for
1055 * defer logging only.
1056 */
1061 /*
1062 * Sanity check. Don't silently lose recipients.
1063 */
1067 }
1069 }