1 /* $NetBSD: smtpd.c,v 1.1.1.1 2009/06/23 10:08:55 tron Exp $ */
3 /*++
4 /* NAME
5 /* smtpd 8
6 /* SUMMARY
7 /* Postfix SMTP server
8 /* SYNOPSIS
9 /* \fBsmtpd\fR [generic Postfix daemon options]
11 /* \fBsendmail -bs\fR
12 /* DESCRIPTION
13 /* The SMTP server accepts network connection requests
14 /* and performs zero or more SMTP transactions per connection.
15 /* Each received message is piped through the \fBcleanup\fR(8)
16 /* daemon, and is placed into the \fBincoming\fR queue as one
17 /* single queue file. For this mode of operation, the program
18 /* expects to be run from the \fBmaster\fR(8) process manager.
20 /* Alternatively, the SMTP server can be run in stand-alone
21 /* mode; this is traditionally obtained with "\fBsendmail
22 /* -bs\fR". When the SMTP server runs stand-alone with non
23 /* $\fBmail_owner\fR privileges, it receives mail even while
24 /* the mail system is not running, deposits messages directly
25 /* into the \fBmaildrop\fR queue, and disables the SMTP server's
26 /* access policies. As of Postfix version 2.3, the SMTP server
27 /* refuses to receive mail from the network when it runs with
28 /* non $\fBmail_owner\fR privileges.
30 /* The SMTP server implements a variety of policies for connection
31 /* requests, and for parameters given to \fBHELO, ETRN, MAIL FROM, VRFY\fR
32 /* and \fBRCPT TO\fR commands. They are detailed below and in the
33 /* \fBmain.cf\fR configuration file.
34 /* SECURITY
35 /* .ad
36 /* .fi
37 /* The SMTP server is moderately security-sensitive. It talks to SMTP
38 /* clients and to DNS servers on the network. The SMTP server can be
39 /* run chrooted at fixed low privilege.
40 /* STANDARDS
41 /* RFC 821 (SMTP protocol)
42 /* RFC 1123 (Host requirements)
43 /* RFC 1652 (8bit-MIME transport)
44 /* RFC 1869 (SMTP service extensions)
45 /* RFC 1870 (Message Size Declaration)
46 /* RFC 1985 (ETRN command)
47 /* RFC 2034 (SMTP Enhanced Error Codes)
48 /* RFC 2554 (AUTH command)
49 /* RFC 2821 (SMTP protocol)
50 /* RFC 2920 (SMTP Pipelining)
51 /* RFC 3207 (STARTTLS command)
52 /* RFC 3461 (SMTP DSN Extension)
53 /* RFC 3463 (Enhanced Status Codes)
54 /* RFC 3848 (ESMTP Transmission Types)
55 /* RFC 4954 (AUTH command)
56 /* DIAGNOSTICS
57 /* Problems and transactions are logged to \fBsyslogd\fR(8).
59 /* Depending on the setting of the \fBnotify_classes\fR parameter,
60 /* the postmaster is notified of bounces, protocol problems,
61 /* policy violations, and of other trouble.
62 /* CONFIGURATION PARAMETERS
63 /* .ad
64 /* .fi
65 /* Changes to \fBmain.cf\fR are picked up automatically, as \fBsmtpd\fR(8)
66 /* processes run for only a limited amount of time. Use the command
67 /* "\fBpostfix reload\fR" to speed up a change.
69 /* The text below provides only a parameter summary. See
70 /* \fBpostconf\fR(5) for more details including examples.
71 /* COMPATIBILITY CONTROLS
72 /* .ad
73 /* .fi
74 /* The following parameters work around implementation errors in other
75 /* software, and/or allow you to override standards in order to prevent
76 /* undesirable use.
77 /* .ad
78 /* .fi
79 /* .IP "\fBbroken_sasl_auth_clients (no)\fR"
80 /* Enable inter-operability with SMTP clients that implement an obsolete
81 /* version of the AUTH command (RFC 4954).
82 /* .IP "\fBdisable_vrfy_command (no)\fR"
83 /* Disable the SMTP VRFY command.
84 /* .IP "\fBsmtpd_noop_commands (empty)\fR"
85 /* List of commands that the Postfix SMTP server replies to with "250
86 /* Ok", without doing any syntax checks and without changing state.
87 /* .IP "\fBstrict_rfc821_envelopes (no)\fR"
88 /* Require that addresses received in SMTP MAIL FROM and RCPT TO
89 /* commands are enclosed with <>, and that those addresses do
90 /* not contain RFC 822 style comments or phrases.
91 /* .PP
92 /* Available in Postfix version 2.1 and later:
93 /* .IP "\fBresolve_null_domain (no)\fR"
94 /* Resolve an address that ends in the "@" null domain as if the
95 /* local hostname were specified, instead of rejecting the address as
96 /* invalid.
97 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
98 /* Request that the Postfix SMTP server rejects mail from unknown
99 /* sender addresses, even when no explicit reject_unlisted_sender
100 /* access restriction is specified.
101 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
102 /* What remote SMTP clients the Postfix SMTP server will not offer
103 /* AUTH support to.
104 /* .PP
105 /* Available in Postfix version 2.2 and later:
106 /* .IP "\fBsmtpd_discard_ehlo_keyword_address_maps (empty)\fR"
107 /* Lookup tables, indexed by the remote SMTP client address, with
108 /* case insensitive lists of EHLO keywords (pipelining, starttls, auth,
109 /* etc.) that the SMTP server will not send in the EHLO response to a
110 /* remote SMTP client.
111 /* .IP "\fBsmtpd_discard_ehlo_keywords (empty)\fR"
112 /* A case insensitive list of EHLO keywords (pipelining, starttls,
113 /* auth, etc.) that the SMTP server will not send in the EHLO response
114 /* to a remote SMTP client.
115 /* .IP "\fBsmtpd_delay_open_until_valid_rcpt (yes)\fR"
116 /* Postpone the start of an SMTP mail transaction until a valid
117 /* RCPT TO command is received.
118 /* .PP
119 /* Available in Postfix version 2.3 and later:
120 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
121 /* Force the Postfix SMTP server to issue a TLS session id, even
122 /* when TLS session caching is turned off (smtpd_tls_session_cache_database
123 /* is empty).
124 /* .PP
125 /* Available in Postfix version 2.6 and later:
126 /* .IP "\fBtcp_windowsize (0)\fR"
127 /* An optional workaround for routers that break TCP window scaling.
128 /* ADDRESS REWRITING CONTROLS
129 /* .ad
130 /* .fi
131 /* See the ADDRESS_REWRITING_README document for a detailed
132 /* discussion of Postfix address rewriting.
133 /* .IP "\fBreceive_override_options (empty)\fR"
134 /* Enable or disable recipient validation, built-in content
135 /* filtering, or address mapping.
136 /* .PP
137 /* Available in Postfix version 2.2 and later:
138 /* .IP "\fBlocal_header_rewrite_clients (permit_inet_interfaces)\fR"
139 /* Rewrite message header addresses in mail from these clients and
140 /* update incomplete addresses with the domain name in $myorigin or
141 /* $mydomain; either don't rewrite message headers from other clients
142 /* at all, or rewrite message headers and update incomplete addresses
143 /* with the domain specified in the remote_header_rewrite_domain
144 /* parameter.
145 /* AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
146 /* .ad
147 /* .fi
148 /* As of version 1.0, Postfix can be configured to send new mail to
149 /* an external content filter AFTER the mail is queued. This content
150 /* filter is expected to inject mail back into a (Postfix or other)
151 /* MTA for further delivery. See the FILTER_README document for details.
152 /* .IP "\fBcontent_filter (empty)\fR"
153 /* The name of a mail delivery transport that filters mail after
154 /* it is queued.
155 /* BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
156 /* .ad
157 /* .fi
158 /* As of version 2.1, the Postfix SMTP server can be configured
159 /* to send incoming mail to a real-time SMTP-based content filter
160 /* BEFORE mail is queued. This content filter is expected to inject
161 /* mail back into Postfix. See the SMTPD_PROXY_README document for
162 /* details on how to configure and operate this feature.
163 /* .IP "\fBsmtpd_proxy_filter (empty)\fR"
164 /* The hostname and TCP port of the mail filtering proxy server.
165 /* .IP "\fBsmtpd_proxy_ehlo ($myhostname)\fR"
166 /* How the Postfix SMTP server announces itself to the proxy filter.
167 /* .IP "\fBsmtpd_proxy_timeout (100s)\fR"
168 /* The time limit for connecting to a proxy filter and for sending or
169 /* receiving information.
170 /* BEFORE QUEUE MILTER CONTROLS
171 /* .ad
172 /* .fi
173 /* As of version 2.3, Postfix supports the Sendmail version 8
174 /* Milter (mail filter) protocol. These content filters run
175 /* outside Postfix. They can inspect the SMTP command stream
176 /* and the message content, and can request modifications before
177 /* mail is queued. For details see the MILTER_README document.
178 /* .IP "\fBsmtpd_milters (empty)\fR"
179 /* A list of Milter (mail filter) applications for new mail that
180 /* arrives via the Postfix \fBsmtpd\fR(8) server.
181 /* .IP "\fBmilter_protocol (6)\fR"
182 /* The mail filter protocol version and optional protocol extensions
183 /* for communication with a Milter application; prior to Postfix 2.6
184 /* the default protocol is 2.
185 /* .IP "\fBmilter_default_action (tempfail)\fR"
186 /* The default action when a Milter (mail filter) application is
187 /* unavailable or mis-configured.
188 /* .IP "\fBmilter_macro_daemon_name ($myhostname)\fR"
189 /* The {daemon_name} macro value for Milter (mail filter) applications.
190 /* .IP "\fBmilter_macro_v ($mail_name $mail_version)\fR"
191 /* The {v} macro value for Milter (mail filter) applications.
192 /* .IP "\fBmilter_connect_timeout (30s)\fR"
193 /* The time limit for connecting to a Milter (mail filter)
194 /* application, and for negotiating protocol options.
195 /* .IP "\fBmilter_command_timeout (30s)\fR"
196 /* The time limit for sending an SMTP command to a Milter (mail
197 /* filter) application, and for receiving the response.
198 /* .IP "\fBmilter_content_timeout (300s)\fR"
199 /* The time limit for sending message content to a Milter (mail
200 /* filter) application, and for receiving the response.
201 /* .IP "\fBmilter_connect_macros (see 'postconf -d' output)\fR"
202 /* The macros that are sent to Milter (mail filter) applications
203 /* after completion of an SMTP connection.
204 /* .IP "\fBmilter_helo_macros (see 'postconf -d' output)\fR"
205 /* The macros that are sent to Milter (mail filter) applications
206 /* after the SMTP HELO or EHLO command.
207 /* .IP "\fBmilter_mail_macros (see 'postconf -d' output)\fR"
208 /* The macros that are sent to Milter (mail filter) applications
209 /* after the SMTP MAIL FROM command.
210 /* .IP "\fBmilter_rcpt_macros (see 'postconf -d' output)\fR"
211 /* The macros that are sent to Milter (mail filter) applications
212 /* after the SMTP RCPT TO command.
213 /* .IP "\fBmilter_data_macros (see 'postconf -d' output)\fR"
214 /* The macros that are sent to version 4 or higher Milter (mail
215 /* filter) applications after the SMTP DATA command.
216 /* .IP "\fBmilter_unknown_command_macros (see 'postconf -d' output)\fR"
217 /* The macros that are sent to version 3 or higher Milter (mail
218 /* filter) applications after an unknown SMTP command.
219 /* .IP "\fBmilter_end_of_header_macros (see 'postconf -d' output)\fR"
220 /* The macros that are sent to Milter (mail filter) applications
221 /* after the end of the message header.
222 /* .IP "\fBmilter_end_of_data_macros (see 'postconf -d' output)\fR"
223 /* The macros that are sent to Milter (mail filter) applications
224 /* after the message end-of-data.
225 /* GENERAL CONTENT INSPECTION CONTROLS
226 /* .ad
227 /* .fi
228 /* The following parameters are applicable for both built-in
229 /* and external content filters.
230 /* .PP
231 /* Available in Postfix version 2.1 and later:
232 /* .IP "\fBreceive_override_options (empty)\fR"
233 /* Enable or disable recipient validation, built-in content
234 /* filtering, or address mapping.
235 /* EXTERNAL CONTENT INSPECTION CONTROLS
236 /* .ad
237 /* .fi
238 /* The following parameters are applicable for both before-queue
239 /* and after-queue content filtering.
240 /* .PP
241 /* Available in Postfix version 2.1 and later:
242 /* .IP "\fBsmtpd_authorized_xforward_hosts (empty)\fR"
243 /* What SMTP clients are allowed to use the XFORWARD feature.
244 /* SASL AUTHENTICATION CONTROLS
245 /* .ad
246 /* .fi
247 /* Postfix SASL support (RFC 4954) can be used to authenticate remote
248 /* SMTP clients to the Postfix SMTP server, and to authenticate the
249 /* Postfix SMTP client to a remote SMTP server.
250 /* See the SASL_README document for details.
251 /* .IP "\fBbroken_sasl_auth_clients (no)\fR"
252 /* Enable inter-operability with SMTP clients that implement an obsolete
253 /* version of the AUTH command (RFC 4954).
254 /* .IP "\fBsmtpd_sasl_auth_enable (no)\fR"
255 /* Enable SASL authentication in the Postfix SMTP server.
256 /* .IP "\fBsmtpd_sasl_local_domain (empty)\fR"
257 /* The name of the Postfix SMTP server's local SASL authentication
258 /* realm.
259 /* .IP "\fBsmtpd_sasl_security_options (noanonymous)\fR"
260 /* Postfix SMTP server SASL security options; as of Postfix 2.3
261 /* the list of available
262 /* features depends on the SASL server implementation that is selected
263 /* with \fBsmtpd_sasl_type\fR.
264 /* .IP "\fBsmtpd_sender_login_maps (empty)\fR"
265 /* Optional lookup table with the SASL login names that own sender
266 /* (MAIL FROM) addresses.
267 /* .PP
268 /* Available in Postfix version 2.1 and later:
269 /* .IP "\fBsmtpd_sasl_exceptions_networks (empty)\fR"
270 /* What remote SMTP clients the Postfix SMTP server will not offer
271 /* AUTH support to.
272 /* .PP
273 /* Available in Postfix version 2.1 and 2.2:
274 /* .IP "\fBsmtpd_sasl_application_name (smtpd)\fR"
275 /* The application name that the Postfix SMTP server uses for SASL
276 /* server initialization.
277 /* .PP
278 /* Available in Postfix version 2.3 and later:
279 /* .IP "\fBsmtpd_sasl_authenticated_header (no)\fR"
280 /* Report the SASL authenticated user name in the \fBsmtpd\fR(8) Received
281 /* message header.
282 /* .IP "\fBsmtpd_sasl_path (smtpd)\fR"
283 /* Implementation-specific information that the Postfix SMTP server
284 /* passes through to
285 /* the SASL plug-in implementation that is selected with
286 /* \fBsmtpd_sasl_type\fR.
287 /* .IP "\fBsmtpd_sasl_type (cyrus)\fR"
288 /* The SASL plug-in type that the Postfix SMTP server should use
289 /* for authentication.
290 /* .PP
291 /* Available in Postfix version 2.5 and later:
292 /* .IP "\fBcyrus_sasl_config_path (empty)\fR"
293 /* Search path for Cyrus SASL application configuration files,
294 /* currently used only to locate the $smtpd_sasl_path.conf file.
295 /* STARTTLS SUPPORT CONTROLS
296 /* .ad
297 /* .fi
298 /* Detailed information about STARTTLS configuration may be
299 /* found in the TLS_README document.
300 /* .IP "\fBsmtpd_tls_security_level (empty)\fR"
301 /* The SMTP TLS security level for the Postfix SMTP server; when
302 /* a non-empty value is specified, this overrides the obsolete parameters
303 /* smtpd_use_tls and smtpd_enforce_tls.
304 /* .IP "\fBsmtpd_sasl_tls_security_options ($smtpd_sasl_security_options)\fR"
305 /* The SASL authentication security options that the Postfix SMTP
306 /* server uses for TLS encrypted SMTP sessions.
307 /* .IP "\fBsmtpd_starttls_timeout (300s)\fR"
308 /* The time limit for Postfix SMTP server write and read operations
309 /* during TLS startup and shutdown handshake procedures.
310 /* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
311 /* A file containing (PEM format) CA certificates of root CAs trusted
312 /* to sign either remote SMTP client certificates or intermediate CA
313 /* certificates.
314 /* .IP "\fBsmtpd_tls_CApath (empty)\fR"
315 /* A directory containing (PEM format) CA certificates of root CAs
316 /* trusted to sign either remote SMTP client certificates or intermediate CA
317 /* certificates.
318 /* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
319 /* Force the Postfix SMTP server to issue a TLS session id, even
320 /* when TLS session caching is turned off (smtpd_tls_session_cache_database
321 /* is empty).
322 /* .IP "\fBsmtpd_tls_ask_ccert (no)\fR"
323 /* Ask a remote SMTP client for a client certificate.
324 /* .IP "\fBsmtpd_tls_auth_only (no)\fR"
325 /* When TLS encryption is optional in the Postfix SMTP server, do
326 /* not announce or accept SASL authentication over unencrypted
327 /* connections.
328 /* .IP "\fBsmtpd_tls_ccert_verifydepth (9)\fR"
329 /* The verification depth for remote SMTP client certificates.
330 /* .IP "\fBsmtpd_tls_cert_file (empty)\fR"
331 /* File with the Postfix SMTP server RSA certificate in PEM format.
332 /* .IP "\fBsmtpd_tls_exclude_ciphers (empty)\fR"
333 /* List of ciphers or cipher types to exclude from the SMTP server
334 /* cipher list at all TLS security levels.
335 /* .IP "\fBsmtpd_tls_dcert_file (empty)\fR"
336 /* File with the Postfix SMTP server DSA certificate in PEM format.
337 /* .IP "\fBsmtpd_tls_dh1024_param_file (empty)\fR"
338 /* File with DH parameters that the Postfix SMTP server should
339 /* use with EDH ciphers.
340 /* .IP "\fBsmtpd_tls_dh512_param_file (empty)\fR"
341 /* File with DH parameters that the Postfix SMTP server should
342 /* use with EDH ciphers.
343 /* .IP "\fBsmtpd_tls_dkey_file ($smtpd_tls_dcert_file)\fR"
344 /* File with the Postfix SMTP server DSA private key in PEM format.
345 /* .IP "\fBsmtpd_tls_key_file ($smtpd_tls_cert_file)\fR"
346 /* File with the Postfix SMTP server RSA private key in PEM format.
347 /* .IP "\fBsmtpd_tls_loglevel (0)\fR"
348 /* Enable additional Postfix SMTP server logging of TLS activity.
349 /* .IP "\fBsmtpd_tls_mandatory_ciphers (medium)\fR"
350 /* The minimum TLS cipher grade that the Postfix SMTP server
351 /* will use with mandatory TLS encryption.
352 /* .IP "\fBsmtpd_tls_mandatory_exclude_ciphers (empty)\fR"
353 /* Additional list of ciphers or cipher types to exclude from the
354 /* SMTP server cipher list at mandatory TLS security levels.
355 /* .IP "\fBsmtpd_tls_mandatory_protocols (SSLv3, TLSv1)\fR"
356 /* The SSL/TLS protocols accepted by the Postfix SMTP server with
357 /* mandatory TLS encryption.
358 /* .IP "\fBsmtpd_tls_received_header (no)\fR"
359 /* Request that the Postfix SMTP server produces Received: message
360 /* headers that include information about the protocol and cipher used,
361 /* as well as the client CommonName and client certificate issuer
362 /* CommonName.
363 /* .IP "\fBsmtpd_tls_req_ccert (no)\fR"
364 /* With mandatory TLS encryption, require a trusted remote SMTP client
365 /* certificate in order to allow TLS connections to proceed.
366 /* .IP "\fBsmtpd_tls_session_cache_database (empty)\fR"
367 /* Name of the file containing the optional Postfix SMTP server
368 /* TLS session cache.
369 /* .IP "\fBsmtpd_tls_session_cache_timeout (3600s)\fR"
370 /* The expiration time of Postfix SMTP server TLS session cache
371 /* information.
372 /* .IP "\fBsmtpd_tls_wrappermode (no)\fR"
373 /* Run the Postfix SMTP server in the non-standard "wrapper" mode,
374 /* instead of using the STARTTLS command.
375 /* .IP "\fBtls_daemon_random_bytes (32)\fR"
376 /* The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8)
377 /* process requests from the \fBtlsmgr\fR(8) server in order to seed its
378 /* internal pseudo random number generator (PRNG).
379 /* .IP "\fBtls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)\fR"
380 /* The OpenSSL cipherlist for "HIGH" grade ciphers.
381 /* .IP "\fBtls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)\fR"
382 /* The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
383 /* .IP "\fBtls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)\fR"
384 /* The OpenSSL cipherlist for "LOW" or higher grade ciphers.
385 /* .IP "\fBtls_export_cipherlist (ALL:+RC4:@STRENGTH)\fR"
386 /* The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
387 /* .IP "\fBtls_null_cipherlist (eNULL:!aNULL)\fR"
388 /* The OpenSSL cipherlist for "NULL" grade ciphers that provide
389 /* authentication without encryption.
390 /* .PP
391 /* Available in Postfix version 2.5 and later:
392 /* .IP "\fBsmtpd_tls_fingerprint_digest (md5)\fR"
393 /* The message digest algorithm used to construct client-certificate
394 /* fingerprints for \fBcheck_ccert_access\fR and
395 /* \fBpermit_tls_clientcerts\fR.
396 /* .PP
397 /* Available in Postfix version 2.6 and later:
398 /* .IP "\fBsmtpd_tls_protocols (empty)\fR"
399 /* List of TLS protocols that the Postfix SMTP server will exclude
400 /* or include with opportunistic TLS encryption.
401 /* .IP "\fBsmtpd_tls_ciphers (export)\fR"
402 /* The minimum TLS cipher grade that the Postfix SMTP server
403 /* will use with opportunistic TLS encryption.
404 /* .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
405 /* File with the Postfix SMTP server ECDSA certificate in PEM format.
406 /* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
407 /* File with the Postfix SMTP server ECDSA private key in PEM format.
408 /* .IP "\fBsmtpd_tls_eecdh_grade (see 'postconf -d' output)\fR"
409 /* The Postfix SMTP server security grade for ephemeral elliptic-curve
410 /* Diffie-Hellman (EECDH) key exchange.
411 /* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
412 /* The elliptic curve used by the SMTP server for sensibly strong
413 /* ephemeral ECDH key exchange.
414 /* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
415 /* The elliptic curve used by the SMTP server for maximally strong
416 /* ephemeral ECDH key exchange.
417 /* OBSOLETE STARTTLS CONTROLS
418 /* .ad
419 /* .fi
420 /* The following configuration parameters exist for compatibility
421 /* with Postfix versions before 2.3. Support for these will
422 /* be removed in a future release.
423 /* .IP "\fBsmtpd_use_tls (no)\fR"
424 /* Opportunistic TLS: announce STARTTLS support to SMTP clients,
425 /* but do not require that clients use TLS encryption.
426 /* .IP "\fBsmtpd_enforce_tls (no)\fR"
427 /* Mandatory TLS: announce STARTTLS support to SMTP clients,
428 /* and require that clients use TLS encryption.
429 /* .IP "\fBsmtpd_tls_cipherlist (empty)\fR"
430 /* Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS
431 /* cipher list.
432 /* VERP SUPPORT CONTROLS
433 /* .ad
434 /* .fi
435 /* With VERP style delivery, each recipient of a message receives a
436 /* customized copy of the message with his/her own recipient address
437 /* encoded in the envelope sender address. The VERP_README file
438 /* describes configuration and operation details of Postfix support
439 /* for variable envelope return path addresses. VERP style delivery
440 /* is requested with the SMTP XVERP command or with the "sendmail
441 /* -V" command-line option and is available in Postfix version 1.1
442 /* and later.
443 /* .IP "\fBdefault_verp_delimiters (+=)\fR"
444 /* The two default VERP delimiter characters.
445 /* .IP "\fBverp_delimiter_filter (-=+)\fR"
446 /* The characters Postfix accepts as VERP delimiter characters on the
447 /* Postfix \fBsendmail\fR(1) command line and in SMTP commands.
448 /* .PP
449 /* Available in Postfix version 1.1 and 2.0:
450 /* .IP "\fBauthorized_verp_clients ($mynetworks)\fR"
451 /* What SMTP clients are allowed to specify the XVERP command.
452 /* .PP
453 /* Available in Postfix version 2.1 and later:
454 /* .IP "\fBsmtpd_authorized_verp_clients ($authorized_verp_clients)\fR"
455 /* What SMTP clients are allowed to specify the XVERP command.
456 /* TROUBLE SHOOTING CONTROLS
457 /* .ad
458 /* .fi
459 /* The DEBUG_README document describes how to debug parts of the
460 /* Postfix mail system. The methods vary from making the software log
461 /* a lot of detail, to running some daemon processes under control of
462 /* a call tracer or debugger.
463 /* .IP "\fBdebug_peer_level (2)\fR"
464 /* The increment in verbose logging level when a remote client or
465 /* server matches a pattern in the debug_peer_list parameter.
466 /* .IP "\fBdebug_peer_list (empty)\fR"
467 /* Optional list of remote client or server hostname or network
468 /* address patterns that cause the verbose logging level to increase
469 /* by the amount specified in $debug_peer_level.
470 /* .IP "\fBerror_notice_recipient (postmaster)\fR"
471 /* The recipient of postmaster notifications about mail delivery
472 /* problems that are caused by policy, resource, software or protocol
473 /* errors.
474 /* .IP "\fBinternal_mail_filter_classes (empty)\fR"
475 /* What categories of Postfix-generated mail are subject to
476 /* before-queue content inspection by non_smtpd_milters, header_checks
477 /* and body_checks.
478 /* .IP "\fBnotify_classes (resource, software)\fR"
479 /* The list of error classes that are reported to the postmaster.
480 /* .IP "\fBsoft_bounce (no)\fR"
481 /* Safety net to keep mail queued that would otherwise be returned to
482 /* the sender.
483 /* .PP
484 /* Available in Postfix version 2.1 and later:
485 /* .IP "\fBsmtpd_authorized_xclient_hosts (empty)\fR"
486 /* What SMTP clients are allowed to use the XCLIENT feature.
487 /* KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS
488 /* .ad
489 /* .fi
490 /* As of Postfix version 2.0, the SMTP server rejects mail for
491 /* unknown recipients. This prevents the mail queue from clogging up
492 /* with undeliverable MAILER-DAEMON messages. Additional information
493 /* on this topic is in the LOCAL_RECIPIENT_README and ADDRESS_CLASS_README
494 /* documents.
495 /* .IP "\fBshow_user_unknown_table_name (yes)\fR"
496 /* Display the name of the recipient table in the "User unknown"
497 /* responses.
498 /* .IP "\fBcanonical_maps (empty)\fR"
499 /* Optional address mapping lookup tables for message headers and
500 /* envelopes.
501 /* .IP "\fBrecipient_canonical_maps (empty)\fR"
502 /* Optional address mapping lookup tables for envelope and header
503 /* recipient addresses.
504 /* .PP
505 /* Parameters concerning known/unknown local recipients:
506 /* .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
507 /* The list of domains that are delivered via the $local_transport
508 /* mail delivery transport.
509 /* .IP "\fBinet_interfaces (all)\fR"
510 /* The network interface addresses that this mail system receives
511 /* mail on.
512 /* .IP "\fBproxy_interfaces (empty)\fR"
513 /* The network interface addresses that this mail system receives mail
514 /* on by way of a proxy or network address translation unit.
515 /* .IP "\fBinet_protocols (ipv4)\fR"
516 /* The Internet protocols Postfix will attempt to use when making
517 /* or accepting connections.
518 /* .IP "\fBlocal_recipient_maps (proxy:unix:passwd.byname $alias_maps)\fR"
519 /* Lookup tables with all names or addresses of local recipients:
520 /* a recipient address is local when its domain matches $mydestination,
521 /* $inet_interfaces or $proxy_interfaces.
522 /* .IP "\fBunknown_local_recipient_reject_code (550)\fR"
523 /* The numerical Postfix SMTP server response code when a recipient
524 /* address is local, and $local_recipient_maps specifies a list of
525 /* lookup tables that does not match the recipient.
526 /* .PP
527 /* Parameters concerning known/unknown recipients of relay destinations:
528 /* .IP "\fBrelay_domains ($mydestination)\fR"
529 /* What destination domains (and subdomains thereof) this system
530 /* will relay mail to.
531 /* .IP "\fBrelay_recipient_maps (empty)\fR"
532 /* Optional lookup tables with all valid addresses in the domains
533 /* that match $relay_domains.
534 /* .IP "\fBunknown_relay_recipient_reject_code (550)\fR"
535 /* The numerical Postfix SMTP server reply code when a recipient
536 /* address matches $relay_domains, and relay_recipient_maps specifies
537 /* a list of lookup tables that does not match the recipient address.
538 /* .PP
539 /* Parameters concerning known/unknown recipients in virtual alias
540 /* domains:
541 /* .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR"
542 /* Postfix is final destination for the specified list of virtual
543 /* alias domains, that is, domains for which all addresses are aliased
544 /* to addresses in other local or remote domains.
545 /* .IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
546 /* Optional lookup tables that alias specific mail addresses or domains
547 /* to other local or remote addresses.
548 /* .IP "\fBunknown_virtual_alias_reject_code (550)\fR"
549 /* The SMTP server reply code when a recipient address matches
550 /* $virtual_alias_domains, and $virtual_alias_maps specifies a list
551 /* of lookup tables that does not match the recipient address.
552 /* .PP
553 /* Parameters concerning known/unknown recipients in virtual mailbox
554 /* domains:
555 /* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR"
556 /* Postfix is final destination for the specified list of domains;
557 /* mail is delivered via the $virtual_transport mail delivery transport.
558 /* .IP "\fBvirtual_mailbox_maps (empty)\fR"
559 /* Optional lookup tables with all valid addresses in the domains that
560 /* match $virtual_mailbox_domains.
561 /* .IP "\fBunknown_virtual_mailbox_reject_code (550)\fR"
562 /* The SMTP server reply code when a recipient address matches
563 /* $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list
564 /* of lookup tables that does not match the recipient address.
565 /* RESOURCE AND RATE CONTROLS
566 /* .ad
567 /* .fi
568 /* The following parameters limit resource usage by the SMTP
569 /* server and/or control client request rates.
570 /* .IP "\fBline_length_limit (2048)\fR"
571 /* Upon input, long lines are chopped up into pieces of at most
572 /* this length; upon delivery, long lines are reconstructed.
573 /* .IP "\fBqueue_minfree (0)\fR"
574 /* The minimal amount of free space in bytes in the queue file system
575 /* that is needed to receive mail.
576 /* .IP "\fBmessage_size_limit (10240000)\fR"
577 /* The maximal size in bytes of a message, including envelope information.
578 /* .IP "\fBsmtpd_recipient_limit (1000)\fR"
579 /* The maximal number of recipients that the Postfix SMTP server
580 /* accepts per message delivery request.
581 /* .IP "\fBsmtpd_timeout (normal: 300s, stress: 10s)\fR"
582 /* The time limit for sending a Postfix SMTP server response and for
583 /* receiving a remote SMTP client request.
584 /* .IP "\fBsmtpd_history_flush_threshold (100)\fR"
585 /* The maximal number of lines in the Postfix SMTP server command history
586 /* before it is flushed upon receipt of EHLO, RSET, or end of DATA.
587 /* .PP
588 /* Available in Postfix version 2.3 and later:
589 /* .IP "\fBsmtpd_peername_lookup (yes)\fR"
590 /* Attempt to look up the remote SMTP client hostname, and verify that
591 /* the name matches the client IP address.
592 /* .PP
593 /* The per SMTP client connection count and request rate limits are
594 /* implemented in co-operation with the \fBanvil\fR(8) service, and
595 /* are available in Postfix version 2.2 and later.
596 /* .IP "\fBsmtpd_client_connection_count_limit (50)\fR"
597 /* How many simultaneous connections any client is allowed to
598 /* make to this service.
599 /* .IP "\fBsmtpd_client_connection_rate_limit (0)\fR"
600 /* The maximal number of connection attempts any client is allowed to
601 /* make to this service per time unit.
602 /* .IP "\fBsmtpd_client_message_rate_limit (0)\fR"
603 /* The maximal number of message delivery requests that any client is
604 /* allowed to make to this service per time unit, regardless of whether
605 /* or not Postfix actually accepts those messages.
606 /* .IP "\fBsmtpd_client_recipient_rate_limit (0)\fR"
607 /* The maximal number of recipient addresses that any client is allowed
608 /* to send to this service per time unit, regardless of whether or not
609 /* Postfix actually accepts those recipients.
610 /* .IP "\fBsmtpd_client_event_limit_exceptions ($mynetworks)\fR"
611 /* Clients that are excluded from connection count, connection rate,
612 /* or SMTP request rate restrictions.
613 /* .PP
614 /* Available in Postfix version 2.3 and later:
615 /* .IP "\fBsmtpd_client_new_tls_session_rate_limit (0)\fR"
616 /* The maximal number of new (i.e., uncached) TLS sessions that a
617 /* remote SMTP client is allowed to negotiate with this service per
618 /* time unit.
619 /* TARPIT CONTROLS
620 /* .ad
621 /* .fi
622 /* When a remote SMTP client makes errors, the Postfix SMTP server
623 /* can insert delays before responding. This can help to slow down
624 /* run-away software. The behavior is controlled by an error counter
625 /* that counts the number of errors within an SMTP session that a
626 /* client makes without delivering mail.
627 /* .IP "\fBsmtpd_error_sleep_time (1s)\fR"
628 /* With Postfix version 2.1 and later: the SMTP server response delay after
629 /* a client has made more than $smtpd_soft_error_limit errors, and
630 /* fewer than $smtpd_hard_error_limit errors, without delivering mail.
631 /* .IP "\fBsmtpd_soft_error_limit (10)\fR"
632 /* The number of errors a remote SMTP client is allowed to make without
633 /* delivering mail before the Postfix SMTP server slows down all its
634 /* responses.
635 /* .IP "\fBsmtpd_hard_error_limit (normal: 20, stress: 1)\fR"
636 /* The maximal number of errors a remote SMTP client is allowed to
637 /* make without delivering mail.
638 /* .IP "\fBsmtpd_junk_command_limit (normal: 100, stress: 1)\fR"
639 /* The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
640 /* SMTP client can send before the Postfix SMTP server starts to
641 /* increment the error counter with each junk command.
642 /* .PP
643 /* Available in Postfix version 2.1 and later:
644 /* .IP "\fBsmtpd_recipient_overshoot_limit (1000)\fR"
645 /* The number of recipients that a remote SMTP client can send in
646 /* excess of the limit specified with $smtpd_recipient_limit, before
647 /* the Postfix SMTP server increments the per-session error count
648 /* for each excess recipient.
649 /* ACCESS POLICY DELEGATION CONTROLS
650 /* .ad
651 /* .fi
652 /* As of version 2.1, Postfix can be configured to delegate access
653 /* policy decisions to an external server that runs outside Postfix.
654 /* See the file SMTPD_POLICY_README for more information.
655 /* .IP "\fBsmtpd_policy_service_max_idle (300s)\fR"
656 /* The time after which an idle SMTPD policy service connection is
657 /* closed.
658 /* .IP "\fBsmtpd_policy_service_max_ttl (1000s)\fR"
659 /* The time after which an active SMTPD policy service connection is
660 /* closed.
661 /* .IP "\fBsmtpd_policy_service_timeout (100s)\fR"
662 /* The time limit for connecting to, writing to or receiving from a
663 /* delegated SMTPD policy server.
664 /* ACCESS CONTROLS
665 /* .ad
666 /* .fi
667 /* The SMTPD_ACCESS_README document gives an introduction to all the
668 /* SMTP server access control features.
669 /* .IP "\fBsmtpd_delay_reject (yes)\fR"
670 /* Wait until the RCPT TO command before evaluating
671 /* $smtpd_client_restrictions, $smtpd_helo_restrictions and
672 /* $smtpd_sender_restrictions, or wait until the ETRN command before
673 /* evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions.
674 /* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
675 /* What Postfix features match subdomains of "domain.tld" automatically,
676 /* instead of requiring an explicit ".domain.tld" pattern.
677 /* .IP "\fBsmtpd_client_restrictions (empty)\fR"
678 /* Optional SMTP server access restrictions in the context of a client
679 /* SMTP connection request.
680 /* .IP "\fBsmtpd_helo_required (no)\fR"
681 /* Require that a remote SMTP client introduces itself at the beginning
682 /* of an SMTP session with the HELO or EHLO command.
683 /* .IP "\fBsmtpd_helo_restrictions (empty)\fR"
684 /* Optional restrictions that the Postfix SMTP server applies in the
685 /* context of the SMTP HELO command.
686 /* .IP "\fBsmtpd_sender_restrictions (empty)\fR"
687 /* Optional restrictions that the Postfix SMTP server applies in the
688 /* context of the MAIL FROM command.
689 /* .IP "\fBsmtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination)\fR"
690 /* The access restrictions that the Postfix SMTP server applies in
691 /* the context of the RCPT TO command.
692 /* .IP "\fBsmtpd_etrn_restrictions (empty)\fR"
693 /* Optional SMTP server access restrictions in the context of a client
694 /* ETRN request.
695 /* .IP "\fBallow_untrusted_routing (no)\fR"
696 /* Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
697 /* from untrusted clients to destinations matching $relay_domains.
698 /* .IP "\fBsmtpd_restriction_classes (empty)\fR"
699 /* User-defined aliases for groups of access restrictions.
700 /* .IP "\fBsmtpd_null_access_lookup_key (<>)\fR"
701 /* The lookup key to be used in SMTP \fBaccess\fR(5) tables instead of the
702 /* null sender address.
703 /* .IP "\fBpermit_mx_backup_networks (empty)\fR"
704 /* Restrict the use of the permit_mx_backup SMTP access feature to
705 /* only domains whose primary MX hosts match the listed networks.
706 /* .PP
707 /* Available in Postfix version 2.0 and later:
708 /* .IP "\fBsmtpd_data_restrictions (empty)\fR"
709 /* Optional access restrictions that the Postfix SMTP server applies
710 /* in the context of the SMTP DATA command.
711 /* .IP "\fBsmtpd_expansion_filter (see 'postconf -d' output)\fR"
712 /* What characters are allowed in $name expansions of RBL reply
713 /* templates.
714 /* .PP
715 /* Available in Postfix version 2.1 and later:
716 /* .IP "\fBsmtpd_reject_unlisted_sender (no)\fR"
717 /* Request that the Postfix SMTP server rejects mail from unknown
718 /* sender addresses, even when no explicit reject_unlisted_sender
719 /* access restriction is specified.
720 /* .IP "\fBsmtpd_reject_unlisted_recipient (yes)\fR"
721 /* Request that the Postfix SMTP server rejects mail for unknown
722 /* recipient addresses, even when no explicit reject_unlisted_recipient
723 /* access restriction is specified.
724 /* .PP
725 /* Available in Postfix version 2.2 and later:
726 /* .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR"
727 /* Optional access restrictions that the Postfix SMTP server
728 /* applies in the context of the SMTP END-OF-DATA command.
729 /* SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS
730 /* .ad
731 /* .fi
732 /* Postfix version 2.1 introduces sender and recipient address verification.
733 /* This feature is implemented by sending probe email messages that
734 /* are not actually delivered.
735 /* This feature is requested via the reject_unverified_sender and
736 /* reject_unverified_recipient access restrictions. The status of
737 /* verification probes is maintained by the \fBverify\fR(8) server.
738 /* See the file ADDRESS_VERIFICATION_README for information
739 /* about how to configure and operate the Postfix sender/recipient
740 /* address verification service.
741 /* .IP "\fBaddress_verify_poll_count (3)\fR"
742 /* How many times to query the \fBverify\fR(8) service for the completion
743 /* of an address verification request in progress.
744 /* .IP "\fBaddress_verify_poll_delay (3s)\fR"
745 /* The delay between queries for the completion of an address
746 /* verification request in progress.
747 /* .IP "\fBaddress_verify_sender ($double_bounce_sender)\fR"
748 /* The sender address to use in address verification probes; prior
749 /* to Postfix 2.5 the default was "postmaster".
750 /* .IP "\fBunverified_sender_reject_code (450)\fR"
751 /* The numerical Postfix SMTP server response code when a recipient
752 /* address is rejected by the reject_unverified_sender restriction.
753 /* .IP "\fBunverified_recipient_reject_code (450)\fR"
754 /* The numerical Postfix SMTP server response when a recipient address
755 /* is rejected by the reject_unverified_recipient restriction.
756 /* .PP
757 /* Available in Postfix version 2.6 and later:
758 /* .IP "\fBunverified_sender_defer_code (450)\fR"
759 /* The numerical Postfix SMTP server response code when a sender address
760 /* probe fails due to a temporary error condition.
761 /* .IP "\fBunverified_recipient_defer_code (450)\fR"
762 /* The numerical Postfix SMTP server response when a recipient address
763 /* probe fails due to a temporary error condition.
764 /* .IP "\fBunverified_sender_reject_reason (empty)\fR"
765 /* The Postfix SMTP server's reply when rejecting mail with
766 /* reject_unverified_sender.
767 /* .IP "\fBunverified_recipient_reject_reason (empty)\fR"
768 /* The Postfix SMTP server's reply when rejecting mail with
769 /* reject_unverified_recipient.
770 /* .IP "\fBunverified_sender_tempfail_action ($reject_tempfail_action)\fR"
771 /* The Postfix SMTP server's action when reject_unverified_sender
772 /* fails due to a temporary error condition.
773 /* .IP "\fBunverified_recipient_tempfail_action ($reject_tempfail_action)\fR"
774 /* The Postfix SMTP server's action when reject_unverified_recipient
775 /* fails due to a temporary error condition.
776 /* ACCESS CONTROL RESPONSES
777 /* .ad
778 /* .fi
779 /* The following parameters control numerical SMTP reply codes
780 /* and/or text responses.
781 /* .IP "\fBaccess_map_reject_code (554)\fR"
782 /* The numerical Postfix SMTP server response code for
783 /* an \fBaccess\fR(5) map "reject" action.
784 /* .IP "\fBdefer_code (450)\fR"
785 /* The numerical Postfix SMTP server response code when a remote SMTP
786 /* client request is rejected by the "defer" restriction.
787 /* .IP "\fBinvalid_hostname_reject_code (501)\fR"
788 /* The numerical Postfix SMTP server response code when the client
789 /* HELO or EHLO command parameter is rejected by the reject_invalid_helo_hostname
790 /* restriction.
791 /* .IP "\fBmaps_rbl_reject_code (554)\fR"
792 /* The numerical Postfix SMTP server response code when a remote SMTP
793 /* client request is blocked by the reject_rbl_client, reject_rhsbl_client,
794 /* reject_rhsbl_sender or reject_rhsbl_recipient restriction.
795 /* .IP "\fBnon_fqdn_reject_code (504)\fR"
796 /* The numerical Postfix SMTP server reply code when a client request
797 /* is rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender
798 /* or reject_non_fqdn_recipient restriction.
799 /* .IP "\fBplaintext_reject_code (450)\fR"
800 /* The numerical Postfix SMTP server response code when a request
801 /* is rejected by the \fBreject_plaintext_session\fR restriction.
802 /* .IP "\fBreject_code (554)\fR"
803 /* The numerical Postfix SMTP server response code when a remote SMTP
804 /* client request is rejected by the "reject" restriction.
805 /* .IP "\fBrelay_domains_reject_code (554)\fR"
806 /* The numerical Postfix SMTP server response code when a client
807 /* request is rejected by the reject_unauth_destination recipient
808 /* restriction.
809 /* .IP "\fBunknown_address_reject_code (450)\fR"
810 /* The numerical Postfix SMTP server response code when a sender or
811 /* recipient address is rejected by the reject_unknown_sender_domain
812 /* or reject_unknown_recipient_domain restriction.
813 /* .IP "\fBunknown_client_reject_code (450)\fR"
814 /* The numerical Postfix SMTP server response code when a client
815 /* without valid address <=> name mapping is rejected by the
816 /* reject_unknown_client_hostname restriction.
817 /* .IP "\fBunknown_hostname_reject_code (450)\fR"
818 /* The numerical Postfix SMTP server response code when the hostname
819 /* specified with the HELO or EHLO command is rejected by the
820 /* reject_unknown_helo_hostname restriction.
821 /* .PP
822 /* Available in Postfix version 2.0 and later:
823 /* .IP "\fBdefault_rbl_reply (see 'postconf -d' output)\fR"
824 /* The default SMTP server response template for a request that is
825 /* rejected by an RBL-based restriction.
826 /* .IP "\fBmulti_recipient_bounce_reject_code (550)\fR"
827 /* The numerical Postfix SMTP server response code when a remote SMTP
828 /* client request is blocked by the reject_multi_recipient_bounce
829 /* restriction.
830 /* .IP "\fBrbl_reply_maps (empty)\fR"
831 /* Optional lookup tables with RBL response templates.
832 /* .PP
833 /* Available in Postfix version 2.6 and later:
834 /* .IP "\fBaccess_map_defer_code (450)\fR"
835 /* The numerical Postfix SMTP server response code for
836 /* an \fBaccess\fR(5) map "defer" action, including "defer_if_permit"
837 /* or "defer_if_reject".
838 /* .IP "\fBreject_tempfail_action (defer_if_permit)\fR"
839 /* The Postfix SMTP server's action when a reject-type restriction
840 /* fails due to a temporary error condition.
841 /* .IP "\fBunknown_helo_hostname_tempfail_action ($reject_tempfail_action)\fR"
842 /* The Postfix SMTP server's action when reject_unknown_helo_hostname
843 /* fails due to a temporary error condition.
844 /* .IP "\fBunknown_address_tempfail_action ($reject_tempfail_action)\fR"
845 /* The Postfix SMTP server's action when reject_unknown_sender_domain
846 /* or reject_unknown_recipient_domain fail due to a temporary error
847 /* condition.
848 /* MISCELLANEOUS CONTROLS
849 /* .ad
850 /* .fi
851 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
852 /* The default location of the Postfix main.cf and master.cf
853 /* configuration files.
854 /* .IP "\fBdaemon_timeout (18000s)\fR"
855 /* How much time a Postfix daemon process may take to handle a
856 /* request before it is terminated by a built-in watchdog timer.
857 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
858 /* The location of all Postfix administrative commands.
859 /* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
860 /* The sender address of postmaster notifications that are generated
861 /* by the mail system.
862 /* .IP "\fBipc_timeout (3600s)\fR"
863 /* The time limit for sending or receiving information over an internal
864 /* communication channel.
865 /* .IP "\fBmail_name (Postfix)\fR"
866 /* The mail system name that is displayed in Received: headers, in
867 /* the SMTP greeting banner, and in bounced mail.
868 /* .IP "\fBmail_owner (postfix)\fR"
869 /* The UNIX system account that owns the Postfix queue and most Postfix
870 /* daemon processes.
871 /* .IP "\fBmax_idle (100s)\fR"
872 /* The maximum amount of time that an idle Postfix daemon process waits
873 /* for an incoming connection before terminating voluntarily.
874 /* .IP "\fBmax_use (100)\fR"
875 /* The maximal number of incoming connections that a Postfix daemon
876 /* process will service before terminating voluntarily.
877 /* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
878 /* The internet hostname of this mail system.
879 /* .IP "\fBmynetworks (see 'postconf -d' output)\fR"
880 /* The list of "trusted" SMTP clients that have more privileges than
881 /* "strangers".
882 /* .IP "\fBmyorigin ($myhostname)\fR"
883 /* The domain name that locally-posted mail appears to come
884 /* from, and that locally posted mail is delivered to.
885 /* .IP "\fBprocess_id (read-only)\fR"
886 /* The process ID of a Postfix command or daemon process.
887 /* .IP "\fBprocess_name (read-only)\fR"
888 /* The process name of a Postfix command or daemon process.
889 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
890 /* The location of the Postfix top-level queue directory.
891 /* .IP "\fBrecipient_delimiter (empty)\fR"
892 /* The separator between user names and address extensions (user+foo).
893 /* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR"
894 /* The text that follows the 220 status code in the SMTP greeting
895 /* banner.
896 /* .IP "\fBsyslog_facility (mail)\fR"
897 /* The syslog facility of Postfix logging.
898 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
899 /* The mail system name that is prepended to the process name in syslog
900 /* records, so that "smtpd" becomes, for example, "postfix/smtpd".
901 /* .PP
902 /* Available in Postfix version 2.2 and later:
903 /* .IP "\fBsmtpd_forbidden_commands (CONNECT, GET, POST)\fR"
904 /* List of commands that cause the Postfix SMTP server to immediately
905 /* terminate the session with a 221 code.
906 /* .PP
907 /* Available in Postfix version 2.5 and later:
908 /* .IP "\fBsmtpd_client_port_logging (no)\fR"
909 /* Enable logging of the remote SMTP client port in addition to
910 /* the hostname and IP address.
911 /* SEE ALSO
912 /* anvil(8), connection/rate limiting
913 /* cleanup(8), message canonicalization
914 /* tlsmgr(8), TLS session and PRNG management
915 /* trivial-rewrite(8), address resolver
916 /* verify(8), address verification service
917 /* postconf(5), configuration parameters
918 /* master(5), generic daemon options
919 /* master(8), process manager
920 /* syslogd(8), system logging
921 /* README FILES
922 /* .ad
923 /* .fi
924 /* Use "\fBpostconf readme_directory\fR" or
925 /* "\fBpostconf html_directory\fR" to locate this information.
926 /* .na
927 /* .nf
928 /* ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
929 /* ADDRESS_REWRITING_README, Postfix address manipulation
930 /* FILTER_README, external after-queue content filter
931 /* LOCAL_RECIPIENT_README, blocking unknown local recipients
932 /* MILTER_README, before-queue mail filter applications
933 /* SMTPD_ACCESS_README, built-in access policies
934 /* SMTPD_POLICY_README, external policy server
935 /* SMTPD_PROXY_README, external before-queue content filter
936 /* SASL_README, Postfix SASL howto
937 /* TLS_README, Postfix STARTTLS howto
938 /* VERP_README, Postfix XVERP extension
939 /* XCLIENT_README, Postfix XCLIENT extension
940 /* XFORWARD_README, Postfix XFORWARD extension
941 /* LICENSE
942 /* .ad
943 /* .fi
944 /* The Secure Mailer license must be distributed with this software.
945 /* AUTHOR(S)
946 /* Wietse Venema
947 /* IBM T.J. Watson Research
948 /* P.O. Box 704
949 /* Yorktown Heights, NY 10598, USA
951 /* SASL support originally by:
952 /* Till Franke
953 /* SuSE Rhein/Main AG
954 /* 65760 Eschborn, Germany
956 /* TLS support originally by:
957 /* Lutz Jaenicke
958 /* BTU Cottbus
959 /* Allgemeine Elektrotechnik
960 /* Universitaetsplatz 3-4
961 /* D-03044 Cottbus, Germany
963 /* Revised TLS support by:
964 /* Victor Duchovni
965 /* Morgan Stanley
966 /*--*/
968 /* System library. */
970 #include <sys_defs.h>
971 #include <sys/socket.h>
972 #include <sys/stat.h>
973 #include <netinet/in.h>
974 #include <arpa/inet.h>
975 #include <netdb.h>
976 #include <string.h>
977 #include <stdio.h> /* remove() */
978 #include <unistd.h>
979 #include <stdlib.h>
980 #include <errno.h>
981 #include <ctype.h>
982 #include <signal.h>
983 #include <stddef.h> /* offsetof() */
985 #ifdef STRCASECMP_IN_STRINGS_H
986 #include <strings.h>
987 #endif
989 /* Utility library. */
991 #include <msg.h>
992 #include <mymalloc.h>
993 #include <vstring.h>
994 #include <vstream.h>
995 #include <vstring_vstream.h>
996 #include <stringops.h>
997 #include <events.h>
998 #include <smtp_stream.h>
999 #include <valid_hostname.h>
1000 #include <dict.h>
1001 #include <watchdog.h>
1002 #include <iostuff.h>
1003 #include <split_at.h>
1004 #include <name_code.h>
1006 /* Global library. */
1008 #include <mail_params.h>
1009 #include <mail_version.h> /* milter_macro_v */
1010 #include <record.h>
1011 #include <rec_type.h>
1012 #include <mail_proto.h>
1013 #include <cleanup_user.h>
1014 #include <mail_date.h>
1015 #include <mail_conf.h>
1016 #include <off_cvt.h>
1017 #include <debug_peer.h>
1018 #include <mail_error.h>
1019 #include <flush_clnt.h>
1020 #include <mail_stream.h>
1021 #include <mail_queue.h>
1022 #include <tok822.h>
1023 #include <verp_sender.h>
1024 #include <string_list.h>
1025 #include <quote_822_local.h>
1026 #include <lex_822.h>
1027 #include <namadr_list.h>
1028 #include <input_transp.h>
1029 #include <is_header.h>
1030 #include <anvil_clnt.h>
1031 #include <flush_clnt.h>
1032 #include <ehlo_mask.h> /* ehlo filter */
1033 #include <maps.h> /* ehlo filter */
1034 #include <valid_mailhost_addr.h>
1035 #include <dsn_mask.h>
1036 #include <xtext.h>
1038 /* Single-threaded server skeleton. */
1040 #include <mail_server.h>
1042 /* Mail filter library. */
1044 #include <milter.h>
1046 /* Application-specific */
1048 #include <smtpd_token.h>
1049 #include <smtpd.h>
1050 #include <smtpd_check.h>
1051 #include <smtpd_chat.h>
1052 #include <smtpd_sasl_proto.h>
1053 #include <smtpd_sasl_glue.h>
1054 #include <smtpd_proxy.h>
1055 #include <smtpd_milter.h>
/*
 * Tunable parameters.
 *
 * Two bounds matter for staying in control of a hostile client: a bound on
 * the length of an SMTP command (qmail-dos-1), and a bound on the number of
 * recipients (qmail-dos-2).
 *
 * Only the storage is defined here. Where these objects get their values is
 * not visible in this part of the file (presumably the configuration tables
 * further down -- confirm before relying on any default).
 */
int var_smtpd_rcpt_limit;
int var_smtpd_tmout;
int var_smtpd_soft_erlim;
int var_smtpd_hard_erlim;
int var_queue_minfree;			/* XXX use off_t */
char *var_smtpd_banner;
char *var_notify_classes;
char *var_client_checks;
char *var_helo_checks;
char *var_mail_checks;
char *var_rcpt_checks;
char *var_etrn_checks;
char *var_data_checks;
char *var_eod_checks;
int var_unk_client_code;
int var_bad_name_code;
int var_unk_name_code;
int var_unk_addr_code;
int var_relay_code;
int var_maps_rbl_code;
int var_map_reject_code;
int var_map_defer_code;
char *var_maps_rbl_domains;
char *var_rbl_reply_maps;
int var_helo_required;
int var_reject_code;
int var_defer_code;
int var_smtpd_err_sleep;
int var_non_fqdn_code;
char *var_error_rcpt;
int var_smtpd_delay_reject;
char *var_rest_classes;
int var_strict_rfc821_env;
bool var_disable_vrfy_cmd;
char *var_canonical_maps;
char *var_rcpt_canon_maps;
char *var_virt_alias_maps;
char *var_virt_mailbox_maps;
char *var_alias_maps;
char *var_local_rcpt_maps;
bool var_allow_untrust_route;
int var_smtpd_junk_cmd_limit;
int var_smtpd_rcpt_overlim;
bool var_smtpd_sasl_enable;
bool var_smtpd_sasl_auth_hdr;
char *var_smtpd_sasl_opts;
char *var_smtpd_sasl_path;
char *var_cyrus_conf_path;
char *var_smtpd_sasl_realm;
char *var_smtpd_sasl_exceptions_networks;
char *var_smtpd_sasl_type;
char *var_filter_xport;
bool var_broken_auth_clients;
char *var_perm_mx_networks;
char *var_smtpd_snd_auth_maps;
char *var_smtpd_noop_cmds;
char *var_smtpd_null_key;
int var_smtpd_hist_thrsh;
char *var_smtpd_exp_filter;
char *var_def_rbl_reply;
int var_unv_from_rcode;
int var_unv_rcpt_rcode;
int var_unv_from_dcode;
int var_unv_rcpt_dcode;
char *var_unv_from_why;
char *var_unv_rcpt_why;
int var_mul_rcpt_code;
char *var_relay_rcpt_maps;
char *var_verify_sender;
int var_local_rcpt_code;
int var_virt_alias_code;
int var_virt_mailbox_code;
int var_relay_rcpt_code;
char *var_verp_clients;
int var_show_unk_rcpt_table;
int var_verify_poll_count;
int var_verify_poll_delay;
char *var_smtpd_proxy_filt;
int var_smtpd_proxy_tmout;
char *var_smtpd_proxy_ehlo;
char *var_input_transp;
int var_smtpd_policy_tmout;
int var_smtpd_policy_idle;
int var_smtpd_policy_ttl;
char *var_xclient_hosts;
char *var_xforward_hosts;
bool var_smtpd_rej_unl_from;
bool var_smtpd_rej_unl_rcpt;
char *var_smtpd_forbid_cmds;
int var_smtpd_crate_limit;
int var_smtpd_cconn_limit;
int var_smtpd_cmail_limit;
int var_smtpd_crcpt_limit;
int var_smtpd_cntls_limit;
char *var_smtpd_hoggers;
char *var_local_rwr_clients;
char *var_smtpd_ehlo_dis_words;
char *var_smtpd_ehlo_dis_maps;

/* TLS settings that exist whether or not TLS support is compiled in. */
char *var_smtpd_tls_level;
bool var_smtpd_use_tls;
bool var_smtpd_enforce_tls;
bool var_smtpd_tls_wrappermode;
bool var_smtpd_tls_auth_only;

#ifdef USE_TLS
/* TLS settings that exist only in a build with USE_TLS defined. */
char *var_smtpd_relay_ccerts;
char *var_smtpd_sasl_tls_opts;
int var_smtpd_starttls_tmout;
char *var_smtpd_tls_CAfile;
char *var_smtpd_tls_CApath;
bool var_smtpd_tls_ask_ccert;
int var_smtpd_tls_ccert_vd;
char *var_smtpd_tls_cert_file;
char *var_smtpd_tls_mand_ciph;
char *var_smtpd_tls_excl_ciph;
char *var_smtpd_tls_mand_excl;
char *var_smtpd_tls_dcert_file;
char *var_smtpd_tls_dh1024_param_file;
char *var_smtpd_tls_dh512_param_file;
char *var_smtpd_tls_dkey_file;
char *var_smtpd_tls_key_file;
int var_smtpd_tls_loglevel;
char *var_smtpd_tls_mand_proto;
bool var_smtpd_tls_received_header;
bool var_smtpd_tls_req_ccert;
int var_smtpd_tls_scache_timeout;
bool var_smtpd_tls_set_sessid;
char *var_smtpd_tls_fpt_dgst;
char *var_smtpd_tls_ciph;
char *var_smtpd_tls_proto;
char *var_smtpd_tls_eecdh;
char *var_smtpd_tls_eccert_file;
char *var_smtpd_tls_eckey_file;

#endif

bool var_smtpd_peername_lookup;
int var_plaintext_code;
bool var_smtpd_delay_open;
char *var_smtpd_milters;
int var_milt_conn_time;
int var_milt_cmd_time;
int var_milt_msg_time;
char *var_milt_protocol;
char *var_milt_def_action;
char *var_milt_daemon_name;
char *var_milt_v;
char *var_milt_conn_macros;
char *var_milt_helo_macros;
char *var_milt_mail_macros;
char *var_milt_rcpt_macros;
char *var_milt_data_macros;
char *var_milt_eoh_macros;
char *var_milt_eod_macros;
char *var_milt_unk_macros;
bool var_smtpd_client_port_log;
char *var_stress;

char *var_reject_tmpf_act;
char *var_unk_name_tf_act;
char *var_unk_addr_tf_act;
char *var_unv_rcpt_tf_act;
char *var_unv_from_tf_act;
/*
 * Shorthand accessors: STR() expands to vstring_str() and LEN() to
 * VSTRING_LEN().
 */
#define STR(x)	vstring_str(x)
#define LEN(x)	VSTRING_LEN(x)

/*
 * EHLO keyword filter.
 */
static MAPS *ehlo_discard_maps;

/*
 * VERP command name, and its length in characters (kept in step by hand).
 */
#define VERP_CMD	"XVERP"
#define VERP_CMD_LEN	5

static NAMADR_LIST *verp_clients;

/*
 * XCLIENT command. The permission decision is cached, so that an XCLIENT
 * command cannot override the access control that governs XCLIENT itself.
 */
static NAMADR_LIST *xclient_hosts;
static int xclient_allowed;		/* XXX should be SMTPD_STATE member */

/*
 * XFORWARD command. The permission decision is cached as well.
 */
static NAMADR_LIST *xforward_hosts;
static int xforward_allowed;		/* XXX should be SMTPD_STATE member */

/*
 * Client connection and rate limiting.
 */
ANVIL_CLNT *anvil_clnt;
static NAMADR_LIST *hogger_list;

/*
 * Other application-specific globals.
 */
int smtpd_input_transp_mask;

/*
 * Forward declarations.
 */
static void helo_reset(SMTPD_STATE *);
static void mail_reset(SMTPD_STATE *);
static void rcpt_reset(SMTPD_STATE *);
static void tls_reset(SMTPD_STATE *);
static void chat_reset(SMTPD_STATE *, int);

/*
 * This filter is applied after printable(). helo_cmd() passes it to
 * neuter() with '?' as the replacement when it stores the client's HELO
 * name.
 */
#define NEUTER_CHARACTERS " <>()\\\";@"

/*
 * Reasons for losing the client.
 */
#define REASON_TIMEOUT		"timeout"
#define REASON_LOST_CONNECTION	"lost connection"
#define REASON_ERROR_LIMIT	"too many errors"

/*
 * Mail filter initialization status.
 */
MILTERS *smtpd_milters;

#ifdef USE_TLS

/*
 * TLS initialization status.
 */
static TLS_APPL_STATE *smtpd_tls_ctx;
static int ask_client_cert;

#endif

static int enforce_tls;
#ifdef USE_SASL_AUTH

/*
 * SASL exceptions.
 */
static NAMADR_LIST *sasl_exceptions_networks;

/* sasl_client_exception - can we offer AUTH for this client */

static int sasl_client_exception(SMTPD_STATE *state)
{
    int     listed = 0;

    /*
     * Work-around for a Netscape mail client bug: that client tries to use
     * AUTH whenever it is available, even if the user has not configured
     * it.
     * 
     * The result is 0 when no exceptions list exists; otherwise it is the
     * outcome of matching the client name and address against the list.
     * 
     * NOTE(review): the comment that used to sit here said TRUE means AUTH
     * should be offered in the EHLO, but a non-zero result is a match
     * against the exceptions list, which reads as the opposite. Confirm
     * against the caller before depending on either reading.
     */
    if (sasl_exceptions_networks != 0) {
	listed = namadr_list_match(sasl_exceptions_networks,
				   state->name, state->addr);
	if (msg_verbose)
	    msg_info("sasl_exceptions: %s, match=%d",
		     state->namaddr, listed);
    }
    return (listed);
}

#endif
/* collapse_args - put arguments together again */

static void collapse_args(int argc, SMTPD_TOKEN *argv)
{
    SMTPD_TOKEN *head = argv;
    int     n;

    /*
     * Append every token after the first to the first token's VSTRING,
     * with a single space before each. The caller must supply at least one
     * token, because argv[0] is used unconditionally.
     */
    for (n = 1; n < argc; n++) {
	vstring_strcat(head->vstrval, " ");
	vstring_strcat(head->vstrval, argv[n].strval);
    }

    /*
     * Re-derive the plain string pointer from the VSTRING (presumably
     * because appending may have moved the underlying buffer).
     */
    head->strval = STR(head->vstrval);
}
/* check_milter_reply - process reply from Milter */

static const char *check_milter_reply(SMTPD_STATE *state, const char *reply)
{
    const char *log_id;
    VSTRING *context = vstring_alloc(100);
    const char *action;
    const char *text = 0;
    const char *shown;

    /*
     * Translates a Milter reply into session state, logs it once, and
     * returns the SMTP reply to use, or 0 for the hold and discard actions.
     * The caller must pass a non-null reply, since reply[0] is read below.
     */
    log_id = (state->queue_id != 0) ? state->queue_id : "NOQUEUE";

    /*
     * XXX Copied from log_whatsup(). Needs to be changed into a reusable
     * function.
     * 
     * The sender, recipient and HELO name originate from the remote client.
     * helo_cmd() temporarily points state->helo_name at the client's raw
     * HELO argument, before printable()/neuter() have been applied, while
     * this function runs. Whether msg_info() sanitizes its output cannot be
     * seen from here, so readers of these log lines should treat the
     * fields as untrusted text.
     */
    if (state->sender)
	vstring_sprintf_append(context, " from=<%s>", state->sender);
    if (state->recipient)
	vstring_sprintf_append(context, " to=<%s>", state->recipient);
    if (state->protocol)
	vstring_sprintf_append(context, " proto=%s", state->protocol);
    if (state->helo_name)
	vstring_sprintf_append(context, " helo=<%s>", state->helo_name);

    /*
     * The syntax of user-specified SMTP replies is checked by the Milter
     * module, because the replies are also used in the cleanup server.
     * Automatically disconnect after 421 (shutdown) reply. The Sendmail 8
     * Milter quarantine action is not final, so it is not included in
     * MILTER_SKIP_FLAGS.
     */
#define MILTER_SKIP_FLAGS (CLEANUP_FLAG_DISCARD)

    switch (reply[0]) {
    case 'H':					/* hold: no SMTP reply */
	state->saved_flags |= CLEANUP_FLAG_HOLD;
	action = "milter-hold";
	text = "milter triggers HOLD action";
	reply = 0;
	break;
    case 'D':					/* discard: no SMTP reply */
	state->saved_flags |= CLEANUP_FLAG_DISCARD;
	action = "milter-discard";
	text = "milter triggers DISCARD action";
	reply = 0;
	break;
    case 'S':					/* shutdown: fixed 421 */
	state->error_mask |= MAIL_ERROR_POLICY;
	action = "milter-reject";
	reply = "421 4.7.0 Server closing connection";
	break;
    case '4':					/* pass the reply through */
    case '5':
	state->error_mask |= MAIL_ERROR_POLICY;
	action = "milter-reject";
	break;
    default:					/* unrecognized reply */
	state->error_mask |= MAIL_ERROR_SOFTWARE;
	action = "reject";
	reply = "421 4.3.5 Server configuration error";
	break;
    }

    /* Log the SMTP reply when there is one, else the explanatory text. */
    shown = (reply != 0) ? reply : text;
    msg_info("%s: %s: %s from %s: %s;%s", log_id, action, state->where,
	     state->namaddr, shown, STR(context));
    vstring_free(context);
    return (reply);
}
/* helo_cmd - process HELO command */

static int helo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;
    char   *helo_arg;

    /*
     * Returns 0 after a "250" reply, and -1 after a syntax error, a HELO
     * access restriction failure, or a Milter reply that starts with 421.
     * 
     * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other
     * than the initial greeting and any response to HELO or EHLO are
     * prefaced with a status code as defined in RFC 3463.
     */
    if (argc < 2) {
	state->error_mask |= MAIL_ERROR_PROTOCOL;
	smtpd_chat_reply(state, "501 Syntax: HELO hostname");
	return (-1);
    }
    /* Everything after the command word becomes one hostname argument. */
    if (argc > 2)
	collapse_args(argc - 1, argv + 1);
    helo_arg = argv[1].strval;

    /* Immediate HELO restrictions apply only without delayed reject. */
    if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_delay_reject == 0) {
	err = smtpd_check_helo(state, helo_arg);
	if (err != 0) {
	    smtpd_chat_reply(state, "%s", err);
	    return (-1);
	}
    }

    /*
     * XXX Sendmail compatibility: if a Milter rejects CONNECT, EHLO, or
     * HELO, reply with 250 except in case of 421 (disconnect). The reply
     * persists so it will apply to MAIL FROM and to other commands such as
     * AUTH, STARTTLS, and VRFY.
     * 
     * PUSH_STRING opens a brace scope that POP_STRING closes, so the two
     * must always be used as a pair within one block.
     */
#define PUSH_STRING(old, curr, new)	{ char *old = (curr); (curr) = (new);
#define POP_STRING(old, curr)		(curr) = old; }

    if (smtpd_milters != 0
	&& SMTPD_STAND_ALONE(state) == 0
	&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
	err = milter_helo_event(smtpd_milters, helo_arg, 0);
	if (err != 0) {

	    /*
	     * Log reject etc. with correct HELO information. While pushed,
	     * state->helo_name is the raw client argument; printable() and
	     * neuter() are applied only to the copy stored further down.
	     */
	    PUSH_STRING(saved_helo, state->helo_name, helo_arg);
	    err = check_milter_reply(state, err);
	    POP_STRING(saved_helo, state->helo_name);
	    if (err != 0 && strncmp(err, "421", 3) == 0) {
		smtpd_chat_reply(state, "%s", err);
		return (-1);
	    }
	}
    }

    /* Accepted: drop state left over from earlier commands. */
    if (state->helo_name != 0)
	helo_reset(state);
    chat_reset(state, var_smtpd_hist_thrsh);
    mail_reset(state);
    rcpt_reset(state);

    /*
     * The HELO name is client-controlled. Keep a copy that has been passed
     * through printable(), with the NEUTER_CHARACTERS set replaced by '?'.
     */
    state->helo_name = mystrdup(printable(helo_arg, '?'));
    neuter(state->helo_name, NEUTER_CHARACTERS, '?');

    /* Downgrading the protocol name breaks the unauthorized pipelining test. */
    if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
	&& strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) {
	myfree(state->protocol);
	state->protocol = mystrdup(MAIL_PROTO_SMTP);
    }
    smtpd_chat_reply(state, "250 %s", var_myhostname);
    return (0);
}
/* ehlo_cmd - process EHLO command */

/*
 * Validates the EHLO argument, runs the HELO access and Milter checks,
 * resets the session, and sends the multi-line "250" capability list.
 * Returns 0 after the capability list has been sent, -1 after a rejection.
 */
static int ehlo_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;
    int     discard_mask;
    VSTRING *reply_buf;

    /*
     * XXX 2821 new feature: Section 4.1.4 specifies that a server must clear
     * all buffers and reset the state exactly as if a RSET command had been
     * issued.
     * 
     * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses other
     * than the initial greeting and any response to HELO or EHLO are
     * prefaced with a status code as defined in RFC 3463.
     */
    if (argc < 2) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 Syntax: EHLO hostname");
        return (-1);
    }
    if (argc > 2)
        collapse_args(argc - 1, argv + 1);
    if (SMTPD_STAND_ALONE(state) == 0
        && var_smtpd_delay_reject == 0
        && (err = smtpd_check_helo(state, argv[1].strval)) != 0) {
        /* The reply text goes through "%s"; it is never the format string. */
        smtpd_chat_reply(state, "%s", err);
        return (-1);
    }

    /*
     * XXX Sendmail compatibility: if a Milter 5xx rejects CONNECT, EHLO, or
     * HELO, reply with ENHANCEDSTATUSCODES except in case of immediate
     * disconnect. The reply persists so it will apply to MAIL FROM and to
     * other commands such as AUTH, STARTTLS, and VRFY.
     */
    /* Cleared here because err is examined again when discard_mask is built. */
    err = 0;
    if (smtpd_milters != 0
        && SMTPD_STAND_ALONE(state) == 0
        && (state->saved_flags & MILTER_SKIP_FLAGS) == 0
        && (err = milter_helo_event(smtpd_milters, argv[1].strval, 1)) != 0) {
        /* Log reject etc. with correct HELO information. */
        PUSH_STRING(saved_helo, state->helo_name, argv[1].strval);
        err = check_milter_reply(state, err);
        POP_STRING(saved_helo, state->helo_name);
        if (err != 0 && strncmp(err, "421", 3) == 0) {
            smtpd_chat_reply(state, "%s", err);
            return (-1);
        }
    }
    if (state->helo_name != 0)
        helo_reset(state);
    chat_reset(state, var_smtpd_hist_thrsh);
    mail_reset(state);
    rcpt_reset(state);

    /*
     * The stored name is a private copy of the client-supplied text, passed
     * through printable() and neuter() with '?' as the replacement character.
     */
    state->helo_name = mystrdup(printable(argv[1].strval, '?'));
    neuter(state->helo_name, NEUTER_CHARACTERS, '?');

    /*
     * XXX reject_unauth_pipelining depends on the following. If the user
     * sends EHLO then we announce PIPELINING and we can't accuse them of
     * using pipelining in places where it is allowed.
     * 
     * XXX The reject_unauth_pipelining test needs to change and also account
     * for mechanisms that disable PIPELINING selectively.
     */
    if (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0) {
        myfree(state->protocol);
        state->protocol = mystrdup(MAIL_PROTO_ESMTP);
    }

    /*
     * Build the EHLO response, suppressing features as requested. We store
     * each output line in a one-element output queue, where it sits until we
     * know if we need to prepend "250-" or "250 " to it. Each time we
     * enqueue a reply line we flush the one that sits in the queue. We use a
     * couple ugly macros to avoid making mistakes in code that repeats a
     * lot.
     */
#define ENQUEUE_FIX_REPLY(state, reply_buf, cmd) \
    do { \
        smtpd_chat_reply((state), "250-%s", STR(reply_buf)); \
        vstring_strcpy((reply_buf), (cmd)); \
    } while (0)

#define ENQUEUE_FMT_REPLY(state, reply_buf, fmt, arg) \
    do { \
        smtpd_chat_reply((state), "250-%s", STR(reply_buf)); \
        vstring_sprintf((reply_buf), (fmt), (arg)); \
    } while (0)

    /*
     * XXX Sendmail compatibility: if a Milter 5XX rejects CONNECT, EHLO, or
     * HELO, reply with ENHANCEDSTATUSCODES only. The reply persists so it
     * will apply to MAIL FROM, but we currently don't have a proper
     * mechanism to apply Milter rejects to AUTH, STARTTLS, VRFY, and other
     * commands while still allowing HELO/EHLO.
     */
    discard_mask = state->ehlo_discard_mask;
    /* Sets every mask bit except the ENHANCEDSTATUSCODES one. */
    if (err != 0 && err[0] == '5')
        discard_mask |= ~EHLO_MASK_ENHANCEDSTATUSCODES;
    if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
        if (discard_mask && !(discard_mask & EHLO_MASK_SILENT))
            msg_info("discarding EHLO keywords: %s", str_ehlo_mask(discard_mask));

    /* The first queued line is the server's own hostname. */
    reply_buf = vstring_alloc(10);
    vstring_strcpy(reply_buf, var_myhostname);
    if ((discard_mask & EHLO_MASK_PIPELINING) == 0)
        ENQUEUE_FIX_REPLY(state, reply_buf, "PIPELINING");
    if ((discard_mask & EHLO_MASK_SIZE) == 0) {
        if (var_message_limit)
            ENQUEUE_FMT_REPLY(state, reply_buf, "SIZE %lu",
                              (unsigned long) var_message_limit);    /* XXX */
        else
            ENQUEUE_FIX_REPLY(state, reply_buf, "SIZE");
    }
    if ((discard_mask & EHLO_MASK_VRFY) == 0)
        if (var_disable_vrfy_cmd == 0)
            ENQUEUE_FIX_REPLY(state, reply_buf, SMTPD_CMD_VRFY);
    if ((discard_mask & EHLO_MASK_ETRN) == 0)
        ENQUEUE_FIX_REPLY(state, reply_buf, SMTPD_CMD_ETRN);
#ifdef USE_TLS
    /*
     * STARTTLS is offered only when TLS is enabled or enforced and the
     * session has no tls_context yet. NOTE(review): presumably a non-null
     * tls_context means TLS is already active on this session -- confirm.
     */
    if ((discard_mask & EHLO_MASK_STARTTLS) == 0)
        if ((state->tls_use_tls || state->tls_enforce_tls) && (!state->tls_context))
            ENQUEUE_FIX_REPLY(state, reply_buf, SMTPD_CMD_STARTTLS);
#endif
#ifdef USE_SASL_AUTH
    /*
     * AUTH is offered only when SASL is active for this session and
     * sasl_client_exception() does not match the client.
     */
    if ((discard_mask & EHLO_MASK_AUTH) == 0) {
        if (smtpd_sasl_is_active(state) && !sasl_client_exception(state)) {
            ENQUEUE_FMT_REPLY(state, reply_buf, "AUTH %s",
                              state->sasl_mechanism_list);
            if (var_broken_auth_clients)
                ENQUEUE_FMT_REPLY(state, reply_buf, "AUTH=%s",
                                  state->sasl_mechanism_list);
        }
    }
#endif
    /* VERP is offered only to clients that match the verp_clients list. */
    if ((discard_mask & EHLO_MASK_VERP) == 0)
        if (namadr_list_match(verp_clients, state->name, state->addr))
            ENQUEUE_FIX_REPLY(state, reply_buf, VERP_CMD);
    /* XCLIENT must not override its own access control. */
    if ((discard_mask & EHLO_MASK_XCLIENT) == 0)
        if (xclient_allowed)
            ENQUEUE_FIX_REPLY(state, reply_buf, XCLIENT_CMD
                              " " XCLIENT_NAME " " XCLIENT_ADDR
                              " " XCLIENT_PROTO " " XCLIENT_HELO
                              " " XCLIENT_REVERSE_NAME " " XCLIENT_PORT);
    /* XFORWARD is offered only when xforward_allowed is set. */
    if ((discard_mask & EHLO_MASK_XFORWARD) == 0)
        if (xforward_allowed)
            ENQUEUE_FIX_REPLY(state, reply_buf, XFORWARD_CMD
                              " " XFORWARD_NAME " " XFORWARD_ADDR
                              " " XFORWARD_PROTO " " XFORWARD_HELO
                              " " XFORWARD_DOMAIN " " XFORWARD_PORT);
    if ((discard_mask & EHLO_MASK_ENHANCEDSTATUSCODES) == 0)
        ENQUEUE_FIX_REPLY(state, reply_buf, "ENHANCEDSTATUSCODES");
    if ((discard_mask & EHLO_MASK_8BITMIME) == 0)
        ENQUEUE_FIX_REPLY(state, reply_buf, "8BITMIME");
    if ((discard_mask & EHLO_MASK_DSN) == 0)
        ENQUEUE_FIX_REPLY(state, reply_buf, "DSN");
    /* Flush the last queued line with "250 " to end the multi-line reply. */
    smtpd_chat_reply(state, "250 %s", STR(reply_buf));

    /*
     * Clean up.
     */
    vstring_free(reply_buf);

    return (0);
}
/* helo_reset - reset HELO/EHLO command stuff */

static void helo_reset(SMTPD_STATE *state)
{
    /* Nothing to undo when no HELO/EHLO name has been stored. */
    if (!state->helo_name)
        return;

    /* Free the stored copy and clear the pointer so it cannot be reused. */
    myfree(state->helo_name);
    state->helo_name = 0;

    /* Milters are only told to abort when not running stand-alone. */
    if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0)
        milter_abort(smtpd_milters);
}
/* mail_open_stream - open mail queue file or IPC stream */

/*
 * Opens the destination for the current mail transaction (before-queue
 * proxy, cleanup service, or postdrop command) and, when state->dest was
 * set, writes the envelope and session records to it. Returns -1 when the
 * proxy connection cannot be opened (after sending the proxy's reply to the
 * client), 0 otherwise. The other two failure paths call msg_fatal().
 */
static int mail_open_stream(SMTPD_STATE *state)
{

    /*
     * Connect to the before-queue filter when one is configured. The MAIL
     * FROM and RCPT TO commands are forwarded as received (including DSN
     * attributes), with the exception that the before-filter smtpd process
     * handles all authentication, encryption, access control and relay
     * control, and that the before-filter smtpd process does not forward
     * blocked commands. If the after-filter smtp server does not support
     * some of Postfix's ESMTP features, then they must be turned off in the
     * before-filter smtpd process with the smtpd_discard_ehlo_keywords
     * feature.
     */
    if (state->proxy_mail) {
        smtpd_check_rewrite(state);
        if (smtpd_proxy_open(state, var_smtpd_proxy_filt,
                             var_smtpd_proxy_tmout, var_smtpd_proxy_ehlo,
                             state->proxy_mail) != 0) {
            smtpd_chat_reply(state, "%s", STR(state->proxy_buffer));
            return (-1);
        }
    }

    /*
     * If running from the master or from inetd, connect to the cleanup
     * service.
     * 
     * XXX 2821: An SMTP server is not allowed to "clean up" mail except in the
     * case of original submissions.
     * 
     * We implement this by distinguishing between mail that we are willing to
     * rewrite (the local rewrite context) and mail from elsewhere.
     */
    else if (SMTPD_STAND_ALONE(state) == 0) {
        int     cleanup_flags;

        smtpd_check_rewrite(state);
        cleanup_flags = input_transp_cleanup(CLEANUP_FLAG_MASK_EXTERNAL,
                                             smtpd_input_transp_mask)
            | CLEANUP_FLAG_SMTP_REPLY;
        state->dest = mail_stream_service(MAIL_CLASS_PUBLIC,
                                          var_cleanup_service);
        if (state->dest == 0
            || attr_print(state->dest->stream, ATTR_FLAG_NONE,
                          ATTR_TYPE_INT, MAIL_ATTR_FLAGS, cleanup_flags,
                          ATTR_TYPE_END) != 0)
            msg_fatal("unable to connect to the %s %s service",
                      MAIL_CLASS_PUBLIC, var_cleanup_service);
    }

    /*
     * Otherwise, pipe the message through the privileged postdrop helper.
     * XXX Make postdrop a manifest constant.
     *
     * The command string is assembled only from var_command_dir and fixed
     * strings; no client-supplied data is part of it.
     */
    else {
        char   *postdrop_command;

        postdrop_command = concatenate(var_command_dir, "/postdrop",
                              msg_verbose ? " -v" : (char *) 0, (char *) 0);
        state->dest = mail_stream_command(postdrop_command);
        if (state->dest == 0)
            msg_fatal("unable to execute %s", postdrop_command);
        myfree(postdrop_command);
    }

    /*
     * Record the time of arrival, the SASL-related stuff if applicable, the
     * sender envelope address, some session information, and some additional
     * attributes.
     * 
     * XXX Send Milter information first, because this will hang when cleanup
     * goes into "throw away" mode. Also, cleanup needs to know early on
     * whether or not it has to do its own SMTP event emulation.
     * 
     * XXX At this point we send only dummy information to keep the cleanup
     * server from using its non_smtpd_milters settings. We have to send
     * up-to-date Milter information after DATA so that the cleanup server
     * knows the actual Milter state.
     */
    /* state->dest is not assigned by the proxy branch above. */
    if (state->dest) {
        state->cleanup = state->dest->stream;
        state->queue_id = mystrdup(state->dest->id);
        if (SMTPD_STAND_ALONE(state) == 0) {
            if (smtpd_milters != 0
                && (state->saved_flags & MILTER_SKIP_FLAGS) == 0)
                /* Send place-holder smtpd_milters list. */
                (void) milter_dummy(smtpd_milters, state->cleanup);
            rec_fprintf(state->cleanup, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
                        REC_TYPE_TIME_ARG(state->arrival_time));
            if (*var_filter_xport)
                rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s", var_filter_xport);
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_RWR_CONTEXT, FORWARD_DOMAIN(state));
#ifdef USE_SASL_AUTH
            /* Each SASL attribute is recorded only when its value is set. */
            if (smtpd_sasl_is_active(state)) {
                if (state->sasl_method)
                    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                                MAIL_ATTR_SASL_METHOD, state->sasl_method);
                if (state->sasl_username)
                    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                             MAIL_ATTR_SASL_USERNAME, state->sasl_username);
                if (state->sasl_sender)
                    rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                                MAIL_ATTR_SASL_SENDER, state->sasl_sender);
            }

#endif

            /*
             * Record DSN related information that was received with the MAIL
             * FROM command.
             * 
             * RFC 3461 Section 5.2.1. If no ENVID parameter was included in the
             * MAIL command when the message was received, the ENVID
             * parameter MUST NOT be supplied when the message is relayed.
             * Ditto for the RET parameter.
             * 
             * In other words, we can't simply make up our default ENVID or RET
             * values. We have to remember whether the client sent any.
             * 
             * We store DSN information as named attribute records so that we
             * don't have to pollute the queue file with records that are
             * incompatible with past Postfix versions. Preferably, people
             * should be able to back out from an upgrade without losing
             * mail.
             */
            if (state->dsn_envid)
                rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                            MAIL_ATTR_DSN_ENVID, state->dsn_envid);
            if (state->dsn_ret)
                rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
                            MAIL_ATTR_DSN_RET, state->dsn_ret);
        }
        rec_fputs(state->cleanup, REC_TYPE_FROM, state->sender);
        if (state->encoding != 0)
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_ENCODING, state->encoding);

        /*
         * Store client attributes.
         */
        if (SMTPD_STAND_ALONE(state) == 0) {

            /*
             * Attributes for logging, also used for XFORWARD.
             * 
             * We store all client attributes, including ones with unknown
             * values. Otherwise, an unknown client hostname would be treated
             * as a non-existent hostname (i.e. local submission).
             */
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_LOG_CLIENT_NAME, FORWARD_NAME(state));
            /* XXX Note: state->rfc_addr, not state->addr. */
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_LOG_CLIENT_ADDR, FORWARD_ADDR(state));
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_LOG_CLIENT_PORT, FORWARD_PORT(state));
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_LOG_ORIGIN, FORWARD_NAMADDR(state));
            if (FORWARD_HELO(state))
                rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                            MAIL_ATTR_LOG_HELO_NAME, FORWARD_HELO(state));
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_LOG_PROTO_NAME, FORWARD_PROTO(state));

            /*
             * Attributes with actual client information. These are used by
             * the smtpd Milter client for policy decisions. Mail that is
             * requeued with "postsuper -r" is not subject to processing by
             * the cleanup Milter client, because a) it has already been
             * filtered, and b) we don't have sufficient information to
             * reproduce the exact same SMTP events and Sendmail macros that
             * the smtpd Milter client received when the message originally
             * arrived in Postfix.
             *
             * Unlike the FORWARD_xxx values above, these are read directly
             * from the session state.
             */
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_ACT_CLIENT_NAME, state->name);
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                    MAIL_ATTR_ACT_REVERSE_CLIENT_NAME, state->reverse_name);
            /* XXX Note: state->addr, not state->rfc_addr. */
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_ACT_CLIENT_ADDR, state->addr);
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_ACT_CLIENT_PORT, state->port);
            if (state->helo_name)
                rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                            MAIL_ATTR_ACT_HELO_NAME, state->helo_name);
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
                        MAIL_ATTR_ACT_PROTO_NAME, state->protocol);
            rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%u",
                        MAIL_ATTR_ACT_CLIENT_AF, state->addr_family);

            /*
             * Don't send client certificate down the pipeline unless it is
             * a) verified or b) just a fingerprint.
             *
             * No certificate record is written at this point in the code.
             */
        }
        if (state->verp_delims)
            rec_fputs(state->cleanup, REC_TYPE_VERP, state->verp_delims);
    }

    /*
     * Log the queue ID with the message origin.
     */
#ifdef USE_SASL_AUTH
    if (smtpd_sasl_is_active(state))
        smtpd_sasl_mail_log(state);
    else
#endif
        msg_info("%s: client=%s", state->queue_id ?
                 state->queue_id : "NOQUEUE", FORWARD_NAMADDR(state));
    return (0);
}
/* extract_addr - extract address from rubble */

static int extract_addr(SMTPD_STATE *state, SMTPD_TOKEN *arg,
                        int allow_empty_addr, int strict_rfc821)
{
    const char *myname = "extract_addr";
    TOK822 *tree;
    TOK822 *node;
    TOK822 *found = 0;
    int     addr_count = 0;
    int     other_count = 0;
    int     bad = 0;
    char   *stripped = 0;
    char   *text;
    char   *colon;

    /*
     * Special case.
     */
#define PERMIT_EMPTY_ADDR       1
#define REJECT_EMPTY_ADDR       0

    /*
     * Some mailers send RFC822-style address forms (with comments and such)
     * in SMTP envelopes. We cannot blame users for this: the blame is with
     * programmers violating the RFC, and with sendmail for being permissive.
     * 
     * XXX The SMTP command tokenizer must leave the address in externalized
     * (quoted) form, so that the address parser can correctly extract the
     * address from surrounding junk.
     * 
     * XXX We have only one address parser, written according to the rules of
     * RFC 822. That standard differs subtly from RFC 821.
     *
     * The internal form of the address is left in state->addr_buf. The
     * result is 0 when the address is acceptable, 1 after a warning has
     * been logged.
     */
    if (msg_verbose)
        msg_info("%s: input: %s", myname, STR(arg->vstrval));

    /*
     * Strip one pair of enclosing angle brackets into a private copy. The
     * '<' test comes first, so the LEN - 1 index is only evaluated for a
     * non-empty argument (assuming the buffer is null-terminated), and a
     * lone "<" fails the '>' test, so LEN - 2 is never negative here.
     */
    if (STR(arg->vstrval)[0] == '<'
        && STR(arg->vstrval)[LEN(arg->vstrval) - 1] == '>') {
        stripped = mystrndup(STR(arg->vstrval) + 1, LEN(arg->vstrval) - 2);
        text = stripped;
    } else {
        text = STR(arg->vstrval);
    }

    /*
     * Truncate deprecated route address form.
     */
    if (*text == '@') {
        colon = strchr(text, ':');
        if (colon != 0)
            text = colon + 1;
    }
    tree = tok822_parse(text);

    /* The private copy is released as soon as parsing is done. */
    if (stripped)
        myfree(stripped);

    /*
     * Find trouble.
     */
    node = tree;
    while (node != 0) {
        if (node->type == TOK822_ADDR) {
            found = node;
            addr_count++;                       /* count address forms */
        } else if (node->type != '<' && node->type != '>') {
            other_count++;                      /* count non-address forms */
        }                                       /* brackets are ignored */
        node = node->next;
    }

    /*
     * Report trouble. XXX Should log a warning only if we are going to
     * sleep+reject so that attackers can't flood our logfiles.
     * 
     * XXX Unfortunately, the sleep-before-reject feature had to be abandoned
     * (at least for small error counts) because servers were DOS-ing
     * themselves when flooded by backscatter traffic.
     */
    if (addr_count > 1
        || (strict_rfc821
            && (other_count != 0 || *STR(arg->vstrval) != '<'))) {
        msg_warn("Illegal address syntax from %s in %s command: %s",
                 state->namaddr, state->where,
                 printable(STR(arg->vstrval), '?'));
        bad = 1;
    }

    /*
     * Don't overwrite the input with the extracted address. We need the
     * original (external) form in case the client does not send ORCPT
     * information; and error messages are more accurate if we log the
     * unmodified form. We need the internal form for all other purposes.
     */
    if (found != 0)
        tok822_internalize(state->addr_buf, found->head, TOK822_STR_DEFL);
    else
        vstring_strcpy(state->addr_buf, "");

    /*
     * Report trouble. XXX Should log a warning only if we are going to
     * sleep+reject so that attackers can't flood our logfiles. Log the
     * original address.
     */
    if (bad == 0
        && ((STR(state->addr_buf)[0] == 0 && !allow_empty_addr)
            || (strict_rfc821 && STR(state->addr_buf)[0] == '@')
            || (SMTPD_STAND_ALONE(state) == 0
                && smtpd_check_addr(STR(state->addr_buf)) != 0))) {
        msg_warn("Illegal address syntax from %s in %s command: %s",
                 state->namaddr, state->where,
                 printable(STR(arg->vstrval), '?'));
        bad = 1;
    }

    /*
     * Cleanup.
     */
    tok822_free_tree(tree);
    if (msg_verbose)
        msg_info("%s: in: %s, result: %s",
                 myname, STR(arg->vstrval), STR(state->addr_buf));
    return (bad);
}
/* milter_argv - impedance adapter */

static const char **milter_argv(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    ssize_t slots = argc + 1;           /* one extra for the terminator */
    int     i = 0;

    /*
     * Grow the per-session pointer vector when it has fewer than argc + 1
     * slots. The vector is kept in the session state and reused by later
     * calls.
     */
    if (state->milter_argc < slots) {
        if (state->milter_argc <= 0)
            state->milter_argv = (const char **)
                mymalloc(sizeof(const char *) * slots);
        else
            state->milter_argv = (const char **)
                myrealloc((char *) state->milter_argv,
                          sizeof(const char *) * slots);
        state->milter_argc = slots;
    }

    /*
     * The vector borrows the token strings; nothing is copied. NOTE(review):
     * the result is presumably only valid while the argv tokens are -- confirm
     * against the callers.
     */
    while (i < argc) {
        state->milter_argv[i] = argv[i].strval;
        i++;
    }
    state->milter_argv[i] = 0;
    return (state->milter_argv);
}
/* mail_cmd - process MAIL command */

/*
 * Validates "MAIL FROM:<address>" and its ESMTP parameters, applies rate
 * limiting, access, Milter and queue space checks, and starts the mail
 * transaction. Returns 0 after a "250 2.1.0 Ok" reply, -1 after a rejection.
 */
static int mail_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *err;
    int     narg;
    char   *arg;
    char   *verp_delims = 0;
    int     rate;
    int     dsn_envid = 0;

    state->encoding = 0;
    state->dsn_ret = 0;

    /*
     * Sanity checks.
     * 
     * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a
     * command in which invalid character codes have been employed, and for
     * which there are no other reasons for rejection, MUST reject that
     * command with a 501 response. Postfix attempts to be 8-bit clean.
     */
    if (var_helo_required && state->helo_name == 0) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "503 5.5.1 Error: send HELO/EHLO first");
        return (-1);
    }
    /* A transaction is in progress once a sender has been stored. */
#define IN_MAIL_TRANSACTION(state) ((state)->sender != 0)

    if (IN_MAIL_TRANSACTION(state)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "503 5.5.1 Error: nested MAIL command");
        return (-1);
    }
    /* argv[2] is only read after argc has been checked here. */
    if (argc < 3
        || strcasecmp(argv[1].strval, "from:") != 0) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: MAIL FROM:<address>");
        return (-1);
    }

    /*
     * XXX The client event count/rate control must be consistent in its use
     * of client address information in connect and disconnect events. For
     * now we exclude xclient authorized hosts from event count/rate control.
     *
     * The limit is enforced only when the anvil query returns ANVIL_STAT_OK;
     * any other status lets the command proceed.
     */
    if (SMTPD_STAND_ALONE(state) == 0
        && !xclient_allowed
        && anvil_clnt
        && var_smtpd_cmail_limit > 0
        && !namadr_list_match(hogger_list, state->name, state->addr)
        && anvil_clnt_mail(anvil_clnt, state->service, state->addr,
                           &rate) == ANVIL_STAT_OK
        && rate > var_smtpd_cmail_limit) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "450 4.7.1 Error: too much mail from %s",
                         state->addr);
        msg_warn("Message delivery request rate limit exceeded: %d from %s for service %s",
                 rate, state->namaddr, state->service);
        return (-1);
    }
    if (argv[2].tokval == SMTPD_TOK_ERROR) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax");
        return (-1);
    }
    /* An empty sender address is accepted here (PERMIT_EMPTY_ADDR). */
    if (extract_addr(state, argv + 2, PERMIT_EMPTY_ADDR, var_strict_rfc821_env) != 0) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.1.7 Bad sender address syntax");
        return (-1);
    }
    /* Parse the ESMTP parameters that follow the address. */
    for (narg = 3; narg < argc; narg++) {
        arg = argv[narg].strval;
        if (strcasecmp(arg, "BODY=8BITMIME") == 0) {    /* RFC 1652 */
            state->encoding = MAIL_ATTR_ENC_8BIT;
        } else if (strcasecmp(arg, "BODY=7BIT") == 0) { /* RFC 1652 */
            state->encoding = MAIL_ATTR_ENC_7BIT;
        } else if (strncasecmp(arg, "SIZE=", 5) == 0) { /* RFC 1870 */
            /* Reject non-numeric size. */
            if (!alldig(arg + 5)) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad message size syntax");
                return (-1);
            }
            /* Reject size overflow. */
            if ((state->msg_size = off_cvt_string(arg + 5)) < 0) {
                state->error_mask |= MAIL_ERROR_POLICY;
                smtpd_chat_reply(state, "552 5.3.4 Message size exceeds file system imposed limit");
                return (-1);
            }
#ifdef USE_SASL_AUTH
        } else if (smtpd_sasl_is_active(state)
                   && strncasecmp(arg, "AUTH=", 5) == 0) {
            if ((err = smtpd_sasl_mail_opt(state, arg + 5)) != 0) {
                smtpd_chat_reply(state, "%s", err);
                return (-1);
            }
#endif
        /* VERP is recognized only for clients that match verp_clients. */
        } else if (namadr_list_match(verp_clients, state->name, state->addr)
                   && strncasecmp(arg, VERP_CMD, VERP_CMD_LEN) == 0
                   && (arg[VERP_CMD_LEN] == '=' || arg[VERP_CMD_LEN] == 0)) {
            if (arg[VERP_CMD_LEN] == 0) {
                verp_delims = var_verp_delims;
            } else {
                verp_delims = arg + VERP_CMD_LEN + 1;
                if (verp_delims_verify(verp_delims) != 0) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state,
                         "501 5.5.4 Error: %s needs two characters from %s",
                                     VERP_CMD, var_verp_filter);
                    return (-1);
                }
            }
        } else if (strncasecmp(arg, "RET=", 4) == 0) {  /* RFC 3461 */
            /* Sanitized on input. */
            if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
                return (-1);
            }
            /* A second RET=, or a value dsn_ret_code() maps to 0, is rejected. */
            if (state->dsn_ret
                || (state->dsn_ret = dsn_ret_code(arg + 4)) == 0) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state,
                                 "501 5.5.4 Bad RET parameter syntax");
                return (-1);
            }
        } else if (strncasecmp(arg, "ENVID=", 6) == 0) {        /* RFC 3461 */
            /* Sanitized by bounce server. */
            if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
                return (-1);
            }
            /*
             * A second ENVID=, a value that xtext_unquote() cannot decode,
             * or a decoded value that fails allprint() is rejected.
             */
            if (dsn_envid
                || xtext_unquote(state->dsn_buf, arg + 6) == 0
                || !allprint(STR(state->dsn_buf))) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad ENVID parameter syntax");
                return (-1);
            }
            dsn_envid = 1;
        } else {
            /* The client's text is echoed as a "%s" argument only. */
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg);
            return (-1);
        }
    }
    if ((err = smtpd_check_size(state, state->msg_size)) != 0) {
        smtpd_chat_reply(state, "%s", err);
        return (-1);
    }
    /*
     * NOTE(review): unlike the other literal rejections in this function,
     * this path does not set a bit in state->error_mask -- confirm that is
     * intentional.
     */
    if (verp_delims && STR(state->addr_buf)[0] == 0) {
        smtpd_chat_reply(state, "503 5.5.4 Error: %s requires non-null sender",
                         VERP_CMD);
        return (-1);
    }
    if (SMTPD_STAND_ALONE(state) == 0
        && var_smtpd_delay_reject == 0
        && (err = smtpd_check_mail(state, STR(state->addr_buf))) != 0) {
        /* XXX Reset access map side effects. */
        mail_reset(state);
        smtpd_chat_reply(state, "%s", err);
        return (-1);
    }
    if (smtpd_milters != 0
        && SMTPD_STAND_ALONE(state) == 0
        && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
        /* state->sender points at addr_buf only between PUSH and POP. */
        PUSH_STRING(saved_sender, state->sender, STR(state->addr_buf));
        err = milter_mail_event(smtpd_milters,
                                milter_argv(state, argc - 2, argv + 2));
        if (err != 0) {
            /* Log reject etc. with correct sender information. */
            err = check_milter_reply(state, err);
        }
        POP_STRING(saved_sender, state->sender);
        if (err != 0) {
            /* XXX Reset access map side effects. */
            mail_reset(state);
            smtpd_chat_reply(state, "%s", err);
            return (-1);
        }
    }

    /*
     * Check the queue file space, if applicable.
     */
    if (!USE_SMTPD_PROXY(state)) {
        if (SMTPD_STAND_ALONE(state) == 0
            && (err = smtpd_check_queue(state)) != 0) {
            /* XXX Reset access map side effects. */
            mail_reset(state);
            smtpd_chat_reply(state, "%s", err);
            return (-1);
        }
    }

    /*
     * No more early returns. The mail transaction is in progress.
     */
    GETTIMEOFDAY(&state->arrival_time);
    state->sender = mystrdup(STR(state->addr_buf));
    /* Instance id: process id, arrival time and a per-session counter. */
    vstring_sprintf(state->instance, "%x.%lx.%lx.%x",
                    var_pid, (unsigned long) state->arrival_time.tv_sec,
               (unsigned long) state->arrival_time.tv_usec, state->seqno++);
    /* Private copies: the source buffers are reused by later commands. */
    if (verp_delims)
        state->verp_delims = mystrdup(verp_delims);
    if (dsn_envid)
        state->dsn_envid = mystrdup(STR(state->dsn_buf));
    if (USE_SMTPD_PROXY(state))
        state->proxy_mail = mystrdup(STR(state->buffer));
    /* On failure no reply is sent from here before returning. */
    if (var_smtpd_delay_open == 0 && mail_open_stream(state) < 0) {
        /* XXX Reset access map side effects. */
        mail_reset(state);
        return (-1);
    }
    smtpd_chat_reply(state, "250 2.1.0 Ok");
    return (0);
}
/* mail_reset - reset MAIL command stuff */

static void mail_reset(SMTPD_STATE *state)
{

    /*
     * Free a session-owned string when it is set, and clear the pointer so
     * that the next reset finds nothing to free.
     */
#define MAIL_RESET_FREE(ptr) \
    do { \
        if (ptr) { \
            myfree(ptr); \
            (ptr) = 0; \
        } \
    } while (0)

    state->msg_size = 0;
    state->act_size = 0;
    state->flags &= SMTPD_MASK_MAIL_KEEP;

    /*
     * Unceremoniously close the pipe to the cleanup service. The cleanup
     * service will delete the queue file when it detects a premature
     * end-of-file condition on input.
     */
    if (state->cleanup) {
        mail_stream_cleanup(state->dest);
        state->dest = 0;
        state->cleanup = 0;
    }
    state->err = 0;
    MAIL_RESET_FREE(state->queue_id);

    /* Milters are told to abort before the sender string is released. */
    if (state->sender != 0) {
        if (SMTPD_STAND_ALONE(state) == 0 && smtpd_milters != 0)
            milter_abort(smtpd_milters);
        myfree(state->sender);
        state->sender = 0;
    }
    MAIL_RESET_FREE(state->verp_delims);
    MAIL_RESET_FREE(state->proxy_mail);
    MAIL_RESET_FREE(state->saved_filter);
    MAIL_RESET_FREE(state->saved_redirect);
    MAIL_RESET_FREE(state->saved_bcc);
    state->saved_flags = 0;
#ifdef DELAY_ACTION
    state->saved_delay = 0;
#endif
#ifdef USE_SASL_AUTH
    if (smtpd_sasl_is_active(state))
        smtpd_sasl_mail_reset(state);
#endif
    state->discard = 0;
    VSTRING_RESET(state->instance);
    VSTRING_TERMINATE(state->instance);

    /*
     * Try to be nice. Don't bother when we lost the connection. Don't bother
     * waiting for a reply, it just increases latency.
     */
    if (state->proxy != 0) {
        (void) smtpd_proxy_cmd(state, SMTPD_PROX_WANT_NONE, SMTPD_CMD_QUIT);
        smtpd_proxy_close(state);
    }
    if (state->xforward.flags)
        smtpd_xforward_reset(state);
    if (state->prepend)
        state->prepend = argv_free(state->prepend);
    MAIL_RESET_FREE(state->dsn_envid);

    /* The Milter argument vector and its slot count are cleared together. */
    if (state->milter_argv != 0) {
        myfree((char *) state->milter_argv);
        state->milter_argv = 0;
        state->milter_argc = 0;
    }
#undef MAIL_RESET_FREE
}
2334 /* rcpt_cmd - process RCPT TO command */
2336 static int rcpt_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
2338 const char *err;
2339 int narg;
2340 char *arg;
2341 int rate;
2342 const char *dsn_orcpt_addr = 0;
2343 ssize_t dsn_orcpt_addr_len = 0;
2344 const char *dsn_orcpt_type = 0;
2345 int dsn_notify = 0;
2346 const char *coded_addr;
2347 const char *milter_err;
2350 * Sanity checks.
2352 * XXX 2821 pedantism: Section 4.1.2 says that SMTP servers that receive a
2353 * command in which invalid character codes have been employed, and for
2354 * which there are no other reasons for rejection, MUST reject that
2355 * command with a 501 response. So much for the principle of "be liberal
2356 * in what you accept, be strict in what you send".
2358 if (!IN_MAIL_TRANSACTION(state)) {
2359 state->error_mask |= MAIL_ERROR_PROTOCOL;
2360 smtpd_chat_reply(state, "503 5.5.1 Error: need MAIL command");
2361 return (-1);
2363 if (argc < 3
2364 || strcasecmp(argv[1].strval, "to:") != 0) {
2365 state->error_mask |= MAIL_ERROR_PROTOCOL;
2366 smtpd_chat_reply(state, "501 5.5.4 Syntax: RCPT TO:<address>");
2367 return (-1);
2371 * XXX The client event count/rate control must be consistent in its use
2372 * of client address information in connect and disconnect events. For
2373 * now we exclude xclient authorized hosts from event count/rate control.
2375 if (SMTPD_STAND_ALONE(state) == 0
2376 && !xclient_allowed
2377 && anvil_clnt
2378 && var_smtpd_crcpt_limit > 0
2379 && !namadr_list_match(hogger_list, state->name, state->addr)
2380 && anvil_clnt_rcpt(anvil_clnt, state->service, state->addr,
2381 &rate) == ANVIL_STAT_OK
2382 && rate > var_smtpd_crcpt_limit) {
2383 state->error_mask |= MAIL_ERROR_POLICY;
2384 msg_warn("Recipient address rate limit exceeded: %d from %s for service %s",
2385 rate, state->namaddr, state->service);
2386 smtpd_chat_reply(state, "450 4.7.1 Error: too many recipients from %s",
2387 state->addr);
2388 return (-1);
2390 if (argv[2].tokval == SMTPD_TOK_ERROR) {
2391 state->error_mask |= MAIL_ERROR_PROTOCOL;
2392 smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
2393 return (-1);
2395 if (extract_addr(state, argv + 2, REJECT_EMPTY_ADDR, var_strict_rfc821_env) != 0) {
2396 state->error_mask |= MAIL_ERROR_PROTOCOL;
2397 smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
2398 return (-1);
2400 for (narg = 3; narg < argc; narg++) {
2401 arg = argv[narg].strval;
2402 if (strncasecmp(arg, "NOTIFY=", 7) == 0) { /* RFC 3461 */
2403 /* Sanitized on input. */
2404 if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
2405 state->error_mask |= MAIL_ERROR_PROTOCOL;
2406 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
2407 return (-1);
2409 if (dsn_notify || (dsn_notify = dsn_notify_mask(arg + 7)) == 0) {
2410 state->error_mask |= MAIL_ERROR_PROTOCOL;
2411 smtpd_chat_reply(state,
2412 "501 5.5.4 Error: Bad NOTIFY parameter syntax");
2413 return (-1);
2415 } else if (strncasecmp(arg, "ORCPT=", 6) == 0) { /* RFC 3461 */
2416 /* Sanitized by bounce server. */
2417 if (state->ehlo_discard_mask & EHLO_MASK_DSN) {
2418 state->error_mask |= MAIL_ERROR_PROTOCOL;
2419 smtpd_chat_reply(state, "501 5.7.1 DSN support is disabled");
2420 return (-1);
2422 vstring_strcpy(state->dsn_orcpt_buf, arg + 6);
2423 if (dsn_orcpt_addr
2424 || (coded_addr = split_at(STR(state->dsn_orcpt_buf), ';')) == 0
2425 || xtext_unquote(state->dsn_buf, coded_addr) == 0
2426 || *(dsn_orcpt_type = STR(state->dsn_orcpt_buf)) == 0) {
2427 state->error_mask |= MAIL_ERROR_PROTOCOL;
2428 smtpd_chat_reply(state,
2429 "501 5.5.4 Error: Bad ORCPT parameter syntax");
2430 return (-1);
2432 dsn_orcpt_addr = STR(state->dsn_buf);
2433 dsn_orcpt_addr_len = LEN(state->dsn_buf);
2434 } else {
2435 state->error_mask |= MAIL_ERROR_PROTOCOL;
2436 smtpd_chat_reply(state, "555 5.5.4 Unsupported option: %s", arg);
2437 return (-1);
2440 if (var_smtpd_rcpt_limit && state->rcpt_count >= var_smtpd_rcpt_limit) {
2441 smtpd_chat_reply(state, "452 4.5.3 Error: too many recipients");
2442 if (state->rcpt_overshoot++ < var_smtpd_rcpt_overlim)
2443 return (0);
2444 state->error_mask |= MAIL_ERROR_POLICY;
2445 return (-1);
2447 if (SMTPD_STAND_ALONE(state) == 0) {
2448 err = smtpd_check_rcpt(state, STR(state->addr_buf));
2449 if (smtpd_milters != 0
2450 && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
2451 PUSH_STRING(saved_rcpt, state->recipient, STR(state->addr_buf));
2452 state->milter_reject_text = err;
2453 milter_err = milter_rcpt_event(smtpd_milters,
2454 err == 0 ? MILTER_FLAG_NONE :
2455 MILTER_FLAG_WANT_RCPT_REJ,
2456 milter_argv(state, argc - 2, argv + 2));
2457 if (err == 0 && milter_err != 0) {
2458 /* Log reject etc. with correct recipient information. */
2459 err = check_milter_reply(state, milter_err);
2461 POP_STRING(saved_rcpt, state->recipient);
2463 if (err != 0) {
2464 smtpd_chat_reply(state, "%s", err);
2465 return (-1);
2470 * Don't access the proxy, queue file, or queue file writer process until
2471 * we have a valid recipient address.
2473 if (state->proxy == 0 && state->cleanup == 0 && mail_open_stream(state) < 0)
2474 return (-1);
2477 * Proxy the recipient. OK, so we lied. If the real-time proxy rejects
2478 * the recipient then we can have a proxy connection without having
2479 * accepted a recipient.
2481 if (state->proxy && smtpd_proxy_cmd(state, SMTPD_PROX_WANT_OK,
2482 "%s", STR(state->buffer)) != 0) {
2483 smtpd_chat_reply(state, "%s", STR(state->proxy_buffer));
2484 return (-1);
2488 * Store the recipient. Remember the first one.
2490 * Flush recipients to maintain a stiffer coupling with the next stage and
2491 * to better utilize parallelism.
2493 * RFC 3461 Section 5.2.1: If the NOTIFY parameter was not supplied for a
2494 * recipient when the message was received, the NOTIFY parameter MUST NOT
2495 * be supplied for that recipient when the message is relayed.
2497 * In other words, we can't simply make up our default NOTIFY value. We have
2498 * to remember whether the client sent any.
2500 * RFC 3461 Section 5.2.1: If no ORCPT parameter was present when the
2501 * message was received, an ORCPT parameter MAY be added to the RCPT
2502 * command when the message is relayed. If an ORCPT parameter is added
2503 * by the relaying MTA, it MUST contain the recipient address from the
2504 * RCPT command used when the message was received by that MTA.
2506 * In other words, it is OK to make up our own DSN original recipient when
2507 * the client didn't send one. Although the RFC mentions mail relaying
2508 * only, we also make up our own original recipient for the purpose of
2509 * final delivery. For now, we do this here, rather than on the fly.
2511 * XXX We use REC_TYPE_ATTR for DSN-related recipient attributes even though
2512 * 1) REC_TYPE_ATTR is not meant for multiple instances of the same named
2513 * attribute, and 2) mixing REC_TYPE_ATTR with REC_TYPE_(not attr)
2514 * requires that we map attributes with rec_attr_map() in order to
2515 * simplify the recipient record processing loops in the cleanup and qmgr
2516 * servers.
2518 * Another possibility, yet to be explored, is to leave the additional
2519 * recipient information in the queue file and just pass queue file
2520 * offsets along with the delivery request. This is a trade off between
2521 * memory allocation versus numeric conversion overhead.
2523 * Since we have no record grouping mechanism, all recipient-specific
2524 * parameters must be sent to the cleanup server before the actual
2525 * recipient address.
2527 state->rcpt_count++;
2528 if (state->recipient == 0)
2529 state->recipient = mystrdup(STR(state->addr_buf));
2530 if (state->cleanup) {
2531 /* Note: RFC(2)821 externalized address! */
2532 if (dsn_orcpt_addr == 0) {
2533 dsn_orcpt_type = "rfc822";
2534 dsn_orcpt_addr = argv[2].strval;
2535 dsn_orcpt_addr_len = strlen(argv[2].strval);
2536 if (dsn_orcpt_addr[0] == '<'
2537 && dsn_orcpt_addr[dsn_orcpt_addr_len - 1] == '>') {
2538 dsn_orcpt_addr += 1;
2539 dsn_orcpt_addr_len -= 2;
2542 if (dsn_notify)
2543 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
2544 MAIL_ATTR_DSN_NOTIFY, dsn_notify);
2545 rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s;%.*s",
2546 MAIL_ATTR_DSN_ORCPT, dsn_orcpt_type,
2547 (int) dsn_orcpt_addr_len, dsn_orcpt_addr);
2548 rec_fputs(state->cleanup, REC_TYPE_RCPT, STR(state->addr_buf));
2549 vstream_fflush(state->cleanup);
2551 smtpd_chat_reply(state, "250 2.1.5 Ok");
2552 return (0);
/* rcpt_reset - reset RCPT stuff */

static void rcpt_reset(SMTPD_STATE *state)
{

    /*
     * Drop the per-transaction recipient bookkeeping: the remembered first
     * recipient, the accepted-recipient counter, and the counter of RCPT
     * commands that exceeded the recipient limit.
     */
    if (state->recipient != 0) {
        myfree(state->recipient);
        state->recipient = 0;
    }
    /* XXX Must flush the command history. */
    state->rcpt_overshoot = 0;
    state->rcpt_count = 0;
}
#if 0

/* rfc2047_comment_encode - encode comment string */

static VSTRING *rfc2047_comment_encode(const char *str, const char *charset)
{
    VSTRING *result = vstring_alloc(30);
    const unsigned char *scan;
    int     c;

    /*
     * NOTE: this function is compiled out (#if 0); comment_sanitize() is
     * what data_cmd() calls in this file.
     * 
     * XXX This is problematic code.
     * 
     * XXX Most of the RFC 2047 "especials" are not special in RFC*822
     * comments, but we encode them anyway to avoid complaints.
     * 
     * XXX In Received: header comments we enclose peer and issuer common
     * names with "" quotes (inherited from the Lutz Jaenicke patch). This is
     * the cause of several quirks.
     * 
     * 1) We encode text that contains the " character, even though that
     * character is not special for RFC*822 comments.
     * 
     * 2) We ignore the recommended limit of 75 characters per encoded word,
     * because long comments look ugly when folded in-between quotes.
     * 
     * 3) We encode the enclosing quotes, to avoid producing invalid encoded
     * words. Microsoft abuses RFC 2047 encoding with attachment names, but
     * we have no information on what decoders do with malformed encoding in
     * comments. This means the comments are Jaenicke-compatible only after
     * decoding.
     * 
     * The caller receives a newly allocated VSTRING in both return paths.
     */
#define ESPECIALS "()<>@,;:\"/[]?.="    /* Special in RFC 2047 */
#define QSPECIALS "_" ESPECIALS         /* Special in RFC 2047 'Q' */
#define CSPECIALS "\\\"()"              /* Special in our comments */

    /*
     * Don't encode if not needed: skip ahead while the text is printable
     * and free of comment specials. Reaching the terminator means the
     * input can be emitted as-is between quotes.
     */
    scan = (const unsigned char *) str;
    while ((c = *scan) != 0 && ISPRINT(c) && strchr(CSPECIALS, c) == 0)
        scan++;
    if (c == 0) {
        vstring_sprintf(result, "\"%s\"", str);
        return (result);
    }

    /*
     * Use quoted-printable (like) encoding with spaces mapped to underscore.
     * The opening and closing quote are emitted in encoded form as well.
     */
    vstring_sprintf(result, "=?%s?Q?=%02X", charset, '"');
    for (scan = (const unsigned char *) str; (c = *scan) != 0; scan++) {
        if (!ISPRINT(c) || strchr(QSPECIALS CSPECIALS, c)) {
            vstring_sprintf_append(result, "=%02X", c);
            continue;
        }
        if (c == ' ') {
            VSTRING_ADDCH(result, '_');
            continue;
        }
        VSTRING_ADDCH(result, c);
    }
    vstring_sprintf_append(result, "=%02X?=", '"');
    return (result);
}

#endif
/* comment_sanitize - clean up comment string */

static void comment_sanitize(VSTRING *comment_string)
{
    unsigned char *scan;
    int     c;
    int     depth = 0;

    /*
     * Postfix Received: headers can be configured to include a comment with
     * the CN (CommonName) of the peer and its issuer, or the login name of a
     * SASL authenticated user. These values originate with the remote
     * party, so they must not be able to alter the structure of the header
     * they are embedded in. To avoid problems with RFC 822 etc. syntax, we
     * limit this information to printable ASCII text, and neutralize
     * characters that affect comment parsing: the backslash and unbalanced
     * parentheses.
     * 
     * The string is edited in place. Anything that fails ISASCII()/ISPRINT()
     * becomes '?' (presumably this covers CR and LF, if ISPRINT() follows
     * isprint() - confirm against the macro definition). A ')' without a
     * matching '(' becomes '?'; every '(' still open at end of string gets
     * a ')' appended.
     */
    for (scan = (unsigned char *) STR(comment_string); (c = *scan) != 0; scan++) {
        if (!ISASCII(c) || !ISPRINT(c) || c == '\\') {
            *scan = '?';
            continue;
        }
        if (c == '(') {
            depth++;
        } else if (c == ')') {
            if (depth == 0)
                *scan = '?';
            else
                depth--;
        }
    }

    /* Close whatever is still open; "scan" is not used past this point. */
    for ( /* void */ ; depth > 0; depth--)
        VSTRING_ADDCH(comment_string, ')');
    VSTRING_TERMINATE(comment_string);
}
/* data_cmd - process DATA command */

static int data_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    const char *reject;
    char   *line;
    int     line_len;
    int     rec_type;
    int     last_rec_type;
    int     at_start = 1;
    VSTRING *why = 0;
    int     result;
    int     (*put_record) (VSTREAM *, int, const char *, ssize_t);
    int     (*put_fprintf) (VSTREAM *, int, const char *,...);
    VSTREAM *dst;
    int     dst_error;
    char  **hdr;
    const CLEANUP_STAT_DETAIL *detail;
    const char *rfc3848_sess;
    const char *rfc3848_auth;

#ifdef USE_TLS
    VSTRING *peer_CN;
    VSTRING *issuer_CN;

#endif
#ifdef USE_SASL_AUTH
    VSTRING *username;

#endif

    /*
     * Returns -1 when the command is refused before or right after the
     * message content is read; otherwise returns the final state->err value
     * of the transaction.
     * 
     * Every reply string that comes from an access check, a Milter or the
     * proxy is passed to smtpd_chat_reply() as a "%s" argument, never as the
     * format string itself.
     */

    /*
     * Sanity checks. With ESMTP command pipelining the client can send DATA
     * before all recipients are rejected, so don't report that as a protocol
     * error.
     */
    if (state->rcpt_count == 0) {
        if (IN_MAIL_TRANSACTION(state)) {
            smtpd_chat_reply(state, "554 5.5.1 Error: no valid recipients");
        } else {
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "503 5.5.1 Error: need RCPT command");
        }
        return (-1);
    }
    if (argc != 1) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: DATA");
        return (-1);
    }
    if (SMTPD_STAND_ALONE(state) == 0) {
        reject = smtpd_check_data(state);
        if (reject != 0) {
            smtpd_chat_reply(state, "%s", reject);
            return (-1);
        }
    }
    if (smtpd_milters != 0
        && SMTPD_STAND_ALONE(state) == 0
        && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
        reject = milter_data_event(smtpd_milters);
        if (reject != 0)
            reject = check_milter_reply(state, reject);
        if (reject != 0) {
            smtpd_chat_reply(state, "%s", reject);
            return (-1);
        }
    }
    if (state->proxy && smtpd_proxy_cmd(state, SMTPD_PROX_WANT_MORE,
                                        "%s", STR(state->buffer)) != 0) {
        smtpd_chat_reply(state, "%s", STR(state->proxy_buffer));
        return (-1);
    }

    /*
     * One level of indirection to choose between normal or proxied
     * operation. We want to avoid massive code duplication within tons of
     * if-else clauses.
     */
    if (state->proxy == 0) {
        dst = state->cleanup;
        put_record = rec_put;
        put_fprintf = rec_fprintf;
        dst_error = CLEANUP_STAT_WRITE;
    } else {
        dst = state->proxy;
        put_record = smtpd_proxy_rec_put;
        put_fprintf = smtpd_proxy_rec_fprintf;
        dst_error = CLEANUP_STAT_PROXY;
    }

    /*
     * Flush out a first batch of access table actions that are delegated to
     * the cleanup server, and that may trigger before we accept the first
     * valid recipient. There will be more after end-of-data.
     * 
     * Terminate the message envelope segment. Start the message content
     * segment, and prepend our own Received: header. If there is only one
     * recipient, list the recipient address.
     */
    if (state->cleanup) {
        if (SMTPD_STAND_ALONE(state) == 0) {
            if (smtpd_milters != 0
                && (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
                /* Send actual smtpd_milters list. */
                (void) milter_send(smtpd_milters, state->cleanup);
            }
            if (state->saved_flags) {
                rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
                            state->saved_flags);
            }
        }
        rec_fputs(state->cleanup, REC_TYPE_MESG, "");
    }

    /*
     * PREPEND message headers.
     */
    if (state->prepend) {
        for (hdr = state->prepend->argv; *hdr; hdr++)
            put_fprintf(dst, REC_TYPE_NORM, "%s", *hdr);
    }

    /*
     * Suppress our own Received: header in the unlikely case that we are an
     * intermediate proxy.
     */
    if (!state->proxy || state->xforward.flags == 0) {
        put_fprintf(dst, REC_TYPE_NORM,
                    "Received: from %s (%s [%s])",
                    state->helo_name ? state->helo_name : state->name,
                    state->name, state->rfc_addr);

#define VSTRING_STRDUP(s) vstring_strcpy(vstring_alloc(strlen(s) + 1), (s))

        /*
         * The RFC 3848 "S" and "A" protocol suffixes stay empty unless the
         * TLS or SASL sections below are compiled in and apply to this
         * session.
         */
        rfc3848_sess = "";
        rfc3848_auth = "";

#ifdef USE_TLS
        if (var_smtpd_tls_received_header && state->tls_context) {
            put_fprintf(dst, REC_TYPE_NORM,
                        "\t(using %s with cipher %s (%d/%d bits))",
                        state->tls_context->protocol,
                        state->tls_context->cipher_name,
                        state->tls_context->cipher_usebits,
                        state->tls_context->cipher_algbits);
            if (TLS_CERT_IS_PRESENT(state->tls_context)) {

                /*
                 * Certificate names are supplied by the peer; work on
                 * private copies and sanitize them before they go into the
                 * header comment.
                 */
                peer_CN = VSTRING_STRDUP(state->tls_context->peer_CN);
                comment_sanitize(peer_CN);
                issuer_CN = VSTRING_STRDUP(state->tls_context->issuer_CN ?
                                        state->tls_context->issuer_CN : "");
                comment_sanitize(issuer_CN);
                put_fprintf(dst, REC_TYPE_NORM,
                            "\t(Client CN \"%s\", Issuer \"%s\" (%s))",
                            STR(peer_CN), STR(issuer_CN),
                            TLS_CERT_IS_TRUSTED(state->tls_context) ?
                            "verified OK" : "not verified");
                vstring_free(issuer_CN);
                vstring_free(peer_CN);
            } else if (var_smtpd_tls_ask_ccert) {
                put_fprintf(dst, REC_TYPE_NORM,
                            "\t(Client did not present a certificate)");
            } else {
                put_fprintf(dst, REC_TYPE_NORM,
                            "\t(No client certificate requested)");
            }
        }
        /* RFC 3848 is defined for ESMTP only. */
        if (state->tls_context != 0
            && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
            rfc3848_sess = "S";
#endif
#ifdef USE_SASL_AUTH
        if (smtpd_sasl_is_active(state) && var_smtpd_sasl_auth_hdr
            && state->sasl_username) {
            /* The login name is client input too: sanitize a copy. */
            username = VSTRING_STRDUP(state->sasl_username);
            comment_sanitize(username);
            put_fprintf(dst, REC_TYPE_NORM,
                        "\t(Authenticated sender: %s)", STR(username));
            vstring_free(username);
        }
        /* RFC 3848 is defined for ESMTP only. */
        if (smtpd_sasl_is_active(state) && state->sasl_username
            && strcmp(state->protocol, MAIL_PROTO_ESMTP) == 0)
            rfc3848_auth = "A";
#endif
        if (state->rcpt_count == 1 && state->recipient) {
            put_fprintf(dst, REC_TYPE_NORM,
                        state->cleanup ? "\tby %s (%s) with %s%s%s id %s" :
                        "\tby %s (%s) with %s%s%s",
                        var_myhostname, var_mail_name,
                        state->protocol, rfc3848_sess,
                        rfc3848_auth, state->queue_id);
            quote_822_local(state->buffer, state->recipient);
            put_fprintf(dst, REC_TYPE_NORM,
                        "\tfor <%s>; %s", STR(state->buffer),
                        mail_date(state->arrival_time.tv_sec));
        } else {
            put_fprintf(dst, REC_TYPE_NORM,
                        state->cleanup ? "\tby %s (%s) with %s%s%s id %s;" :
                        "\tby %s (%s) with %s%s%s;",
                        var_myhostname, var_mail_name,
                        state->protocol, rfc3848_sess,
                        rfc3848_auth, state->queue_id);
            put_fprintf(dst, REC_TYPE_NORM,
                        "\t%s", mail_date(state->arrival_time.tv_sec));
        }
#ifdef RECEIVED_ENVELOPE_FROM
        quote_822_local(state->buffer, state->sender);
        put_fprintf(dst, REC_TYPE_NORM,
                    "\t(envelope-from %s)", STR(state->buffer));
#endif
    }
    smtpd_chat_reply(state, "354 End data with <CR><LF>.<CR><LF>");
    state->where = SMTPD_AFTER_DATA;

    /*
     * Copy the message content. If the cleanup process has a problem, keep
     * reading until the remote stops sending, then complain. Produce typed
     * records from the SMTP stream so we can handle data that spans buffers.
     * 
     * XXX Force an empty record when the queue file content begins with
     * whitespace, so that it won't be considered as being part of our own
     * Received: header. What an ugly Kluge.
     * 
     * XXX Deal with UNIX-style From_ lines at the start of message content
     * because sendmail permits it.
     */
    for (last_rec_type = 0; /* void */ ; last_rec_type = rec_type) {
        rec_type =
            (smtp_get(state->buffer, state->client, var_line_limit) == '\n' ?
             REC_TYPE_NORM : REC_TYPE_CONT);
        line = vstring_str(state->buffer);
        line_len = VSTRING_LEN(state->buffer);
        if (at_start) {
            if (strncmp(line + strspn(line, ">"), "From ", 5) == 0) {
                put_fprintf(dst, rec_type, "X-Mailbox-Line: %s", line);
                continue;
            }
            at_start = 0;
            if (line_len > 0 && IS_SPACE_TAB(line[0]))
                put_record(dst, REC_TYPE_NORM, "", 0);
        }

        /*
         * A leading dot at the start of a logical line is either the
         * end-of-data marker or dot-stuffing. Without a proxy the dot is
         * stripped here and an empty remainder ends the loop; with a proxy
         * the line is passed on unchanged and only a lone dot ends the loop.
         */
        if (last_rec_type != REC_TYPE_CONT && *line == '.') {
            if (state->proxy == 0) {
                ++line;
                --line_len;
                if (line_len == 0)
                    break;
            } else if (line_len == 1) {
                break;
            }
        }
        if (state->err != CLEANUP_STAT_OK)
            continue;

        /*
         * The size test compares the remaining budget with the size of this
         * record (plus 2, presumably for the line terminator - confirm)
         * before act_size is updated.
         */
        if (var_message_limit > 0
            && var_message_limit - state->act_size < line_len + 2) {
            state->err = CLEANUP_STAT_SIZE;
            msg_warn("%s: queue file size limit exceeded",
                     state->queue_id ? state->queue_id : "NOQUEUE");
        } else {
            state->act_size += line_len + 2;
            if (put_record(dst, rec_type, line, line_len) < 0)
                state->err = dst_error;
        }
    }
    state->where = SMTPD_AFTER_DOT;
    if (state->err == CLEANUP_STAT_OK
        && SMTPD_STAND_ALONE(state) == 0
        && (reject = smtpd_check_eod(state)) != 0) {
        smtpd_chat_reply(state, "%s", reject);
        if (state->proxy) {
            smtpd_proxy_close(state);
        } else {
            mail_stream_cleanup(state->dest);
            state->dest = 0;
            state->cleanup = 0;
        }
        return (-1);
    }

    /*
     * Send the end of DATA and finish the proxy connection. Set the
     * CLEANUP_STAT_PROXY error flag in case of trouble.
     * 
     * XXX The low-level proxy output routines should set "state" error
     * attributes. This requires making "state" a context attribute of the
     * VSTREAM.
     */
    if (state->proxy) {
        if (state->err == CLEANUP_STAT_OK) {
            (void) smtpd_proxy_cmd(state, SMTPD_PROX_WANT_ANY, ".");
            if (state->err == CLEANUP_STAT_OK &&
                *STR(state->proxy_buffer) != '2')
                state->err = CLEANUP_STAT_CONT;
        } else if (state->err != CLEANUP_STAT_SIZE) {
            state->err |= CLEANUP_STAT_PROXY;
            detail = cleanup_stat_detail(CLEANUP_STAT_PROXY);
            vstring_sprintf(state->proxy_buffer,
                            "%d %s Error: %s",
                            detail->smtp, detail->dsn, detail->text);
        }
    }

    /*
     * Flush out access table actions that are delegated to the cleanup
     * server. There is similar code at the beginning of the DATA command.
     * 
     * Send the end-of-segment markers and finish the queue file record stream.
     */
    else {
        if (state->err == CLEANUP_STAT_OK) {
            rec_fputs(state->cleanup, REC_TYPE_XTRA, "");
            if (state->saved_filter) {
                rec_fprintf(state->cleanup, REC_TYPE_FILT, "%s",
                            state->saved_filter);
            }
            if (state->saved_redirect) {
                rec_fprintf(state->cleanup, REC_TYPE_RDR, "%s",
                            state->saved_redirect);
            }
            if (state->saved_bcc) {
                rec_fprintf(state->cleanup, REC_TYPE_RCPT, "%s",
                            state->saved_bcc);
                rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%d",
                            MAIL_ATTR_DSN_NOTIFY, DSN_NOTIFY_NEVER);
            }
            if (state->saved_flags) {
                rec_fprintf(state->cleanup, REC_TYPE_FLGS, "%d",
                            state->saved_flags);
            }
#ifdef DELAY_ACTION
            if (state->saved_delay) {
                rec_fprintf(state->cleanup, REC_TYPE_DELAY, "%d",
                            state->saved_delay);
            }
#endif
            if (vstream_ferror(state->cleanup))
                state->err = CLEANUP_STAT_WRITE;
        }
        if (state->err == CLEANUP_STAT_OK) {
            if (rec_fputs(state->cleanup, REC_TYPE_END, "") < 0
                || vstream_fflush(state->cleanup))
                state->err = CLEANUP_STAT_WRITE;
        }
        if (state->err == 0) {
            why = vstring_alloc(10);
            state->err = mail_stream_finish(state->dest, why);
        } else {
            mail_stream_cleanup(state->dest);
        }
        state->dest = 0;
        state->cleanup = 0;
    }

    /*
     * XXX If we lose the cleanup server while it is editing a queue file,
     * the Postfix SMTP server will be out of sync with Milter applications.
     * Sending an ABORT to the Milters is not sufficient to restore
     * synchronization, because there may be any number of Milter replies
     * already in flight. Destroying and recreating the Milters (and faking
     * the connect and ehlo events) is too much trouble for testing and
     * maintenance. Workaround: force the Postfix SMTP server to hang up with
     * a 421 response in the rare case that the cleanup server breaks AND
     * that the remote SMTP client continues the session after end-of-data.
     * 
     * XXX Should use something other than CLEANUP_STAT_WRITE when we lose
     * contact with the cleanup server. This requires changes to the
     * mail_stream module and its users (smtpd, qmqpd, perhaps sendmail).
     */
    if (smtpd_milters != 0 && (state->err & CLEANUP_STAT_WRITE) != 0)
        state->access_denied = mystrdup("421 4.3.0 Mail system error");

    /*
     * Handle any errors. One message may suffer from multiple errors, so
     * complain only about the most severe error. Forgive any previous client
     * errors when a message was received successfully.
     * 
     * See also: qmqpd.c
     */
#define IS_SMTP_REJECT(s) \
        (((s)[0] == '4' || (s)[0] == '5') \
         && ISDIGIT((s)[1]) && ISDIGIT((s)[2]) \
         && ((s)[3] == '\0' || (s)[3] == ' ' || (s)[3] == '-'))

    if (state->err == CLEANUP_STAT_OK) {
        state->error_count = 0;
        state->error_mask = 0;
        state->junk_cmds = 0;
        if (state->queue_id) {
            smtpd_chat_reply(state,
                             "250 2.0.0 Ok: queued as %s", state->queue_id);
        } else {
            smtpd_chat_reply(state, "%s", STR(state->proxy_buffer));
        }
    } else if (why && IS_SMTP_REJECT(STR(why))) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "%s", STR(why));
    } else if ((state->err & CLEANUP_STAT_DEFER) != 0) {
        state->error_mask |= MAIL_ERROR_POLICY;
        detail = cleanup_stat_detail(CLEANUP_STAT_DEFER);
        if (why && LEN(why) > 0) {
            /* Allow address-specific DSN status in header/body_checks. */
            smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
        } else {
            smtpd_chat_reply(state, "%d %s Error: %s",
                             detail->smtp, detail->dsn, detail->text);
        }
    } else if ((state->err & CLEANUP_STAT_BAD) != 0) {
        state->error_mask |= MAIL_ERROR_SOFTWARE;
        detail = cleanup_stat_detail(CLEANUP_STAT_BAD);
        smtpd_chat_reply(state, "%d %s Error: internal error %d",
                         detail->smtp, detail->dsn, state->err);
    } else if ((state->err & CLEANUP_STAT_SIZE) != 0) {
        state->error_mask |= MAIL_ERROR_BOUNCE;
        detail = cleanup_stat_detail(CLEANUP_STAT_SIZE);
        smtpd_chat_reply(state, "%d %s Error: %s",
                         detail->smtp, detail->dsn, detail->text);
    } else if ((state->err & CLEANUP_STAT_HOPS) != 0) {
        state->error_mask |= MAIL_ERROR_BOUNCE;
        detail = cleanup_stat_detail(CLEANUP_STAT_HOPS);
        smtpd_chat_reply(state, "%d %s Error: %s",
                         detail->smtp, detail->dsn, detail->text);
    } else if ((state->err & CLEANUP_STAT_CONT) != 0) {
        state->error_mask |= MAIL_ERROR_POLICY;
        detail = cleanup_stat_detail(CLEANUP_STAT_CONT);
        if (state->proxy_buffer) {
            smtpd_chat_reply(state, "%s", STR(state->proxy_buffer));
        } else if (why && LEN(why) > 0) {
            /* Allow address-specific DSN status in header/body_checks. */
            smtpd_chat_reply(state, "%d %s", detail->smtp, STR(why));
        } else {
            smtpd_chat_reply(state, "%d %s Error: %s",
                             detail->smtp, detail->dsn, detail->text);
        }
    } else if ((state->err & CLEANUP_STAT_WRITE) != 0) {
        state->error_mask |= MAIL_ERROR_RESOURCE;
        detail = cleanup_stat_detail(CLEANUP_STAT_WRITE);
        smtpd_chat_reply(state, "%d %s Error: %s",
                         detail->smtp, detail->dsn, detail->text);
    } else if ((state->err & CLEANUP_STAT_PROXY) != 0) {
        state->error_mask |= MAIL_ERROR_SOFTWARE;
        smtpd_chat_reply(state, "%s", STR(state->proxy_buffer));
    } else {
        state->error_mask |= MAIL_ERROR_SOFTWARE;
        detail = cleanup_stat_detail(CLEANUP_STAT_BAD);
        smtpd_chat_reply(state, "%d %s Error: internal error %d",
                         detail->smtp, detail->dsn, state->err);
    }

    /*
     * Cleanup. The client may send another MAIL command. Take a copy of the
     * error status before the reset calls, and return that copy.
     */
    result = state->err;
    chat_reset(state, var_smtpd_hist_thrsh);
    mail_reset(state);
    rcpt_reset(state);
    if (why != 0)
        vstring_free(why);
    return (result);
}
/* rset_cmd - process RSET */

static int rset_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{

    /*
     * RSET takes no arguments; with the bare command, restore state to
     * right after the HELO/EHLO command and confirm.
     */
    if (argc == 1) {
        chat_reset(state, var_smtpd_hist_thrsh);
        mail_reset(state);
        rcpt_reset(state);
        smtpd_chat_reply(state, "250 2.0.0 Ok");
        return (0);
    }

    /*
     * Anything else is a syntax error and is recorded as a protocol error.
     */
    state->error_mask |= MAIL_ERROR_PROTOCOL;
    smtpd_chat_reply(state, "501 5.5.4 Syntax: RSET");
    return (-1);
}
/* noop_cmd - process NOOP */

static int noop_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{

    /*
     * XXX 2821 incompatibility: Section 4.1.1.9 says that NOOP can have a
     * parameter string which is to be ignored. NOOP instructions with
     * parameters? Go figure.
     * 
     * RFC 2821 violates RFC 821, which says that NOOP takes no parameters.
     * 
     * The argument count is therefore enforced only when the code is built
     * with RFC821_SYNTAX defined; otherwise any arguments are ignored.
     */
#ifdef RFC821_SYNTAX
    if (argc > 1 || argc < 1) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: NOOP");
        return (-1);
    }
#endif

    smtpd_chat_reply(state, "250 2.0.0 Ok");
    return (0);
}
/* vrfy_cmd - process VRFY */

static int vrfy_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *reject = 0;

    /*
     * The SMTP standard (RFC 821) disallows unquoted special characters in
     * the VRFY argument. Common practice violates the standard, however.
     * Postfix accommodates common practice where it violates the standard.
     * 
     * XXX Impedance mismatch! The SMTP command tokenizer preserves quoting,
     * whereas the recipient restrictions checks expect unquoted (internal)
     * address forms. Therefore we must parse out the address, or we must
     * stop doing recipient restriction checks and lose the opportunity to
     * say "user unknown" at the SMTP port.
     * 
     * XXX 2821 incompatibility and brain damage: Section 4.5.1 requires that
     * VRFY is implemented. RFC 821 specifies that VRFY is optional. It gets
     * even worse: section 3.5.3 says that a 502 (command recognized but not
     * implemented) reply is not fully compliant.
     * 
     * Thus, an RFC 2821 compliant implementation cannot refuse to supply
     * information in reply to VRFY queries. That is simply bogus. The only
     * reply we could supply is a generic 252 reply. This causes spammers to
     * add tons of bogus addresses to their mailing lists (spam harvesting by
     * trying out large lists of potential recipient names with VRFY).
     * 
     * Note that an address rejected by the recipient restrictions gets the
     * reply text from smtpd_check_rcpt() instead of the generic 252 reply,
     * so those restrictions decide how much a rejection tells the client.
     */
#define SLOPPY  0

    if (var_disable_vrfy_cmd) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "502 5.5.1 VRFY command is disabled");
        return (-1);
    }

    /* Only a 4xx or 5xx Milter reply stops the command. */
    if (smtpd_milters != 0) {
        reject = milter_other_event(smtpd_milters);
        if (reject != 0 && (reject[0] == '5' || reject[0] == '4')) {
            state->error_mask |= MAIL_ERROR_POLICY;
            smtpd_chat_reply(state, "%s", reject);
            return (-1);
        }
    }
    if (argc < 2) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: VRFY address");
        return (-1);
    }
    if (argc > 2)
        collapse_args(argc - 1, argv + 1);
    if (extract_addr(state, argv + 1, REJECT_EMPTY_ADDR, SLOPPY) != 0) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.1.3 Bad recipient address syntax");
        return (-1);
    }
    /* Not: state->addr_buf */
    if (SMTPD_STAND_ALONE(state) == 0) {
        reject = smtpd_check_rcpt(state, argv[1].strval);
        if (reject != 0) {
            smtpd_chat_reply(state, "%s", reject);
            return (-1);
        }
    }

    /*
     * XXX 2821 new feature: Section 3.5.1 requires that the VRFY response is
     * either "full name <user@domain>" or "user@domain". Postfix replies
     * with the address that was provided by the client, whether or not it is
     * in fully qualified domain form or not.
     * 
     * Reply code 250 is reserved for the case where the address is verified;
     * reply code 252 should be used when no definitive certainty exists.
     */
    smtpd_chat_reply(state, "252 2.0.0 %s", argv[1].strval);
    return (0);
}
/* etrn_cmd - process ETRN command */

static int etrn_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    const char *reject;
    char   *site;

    /*
     * Sanity checks.
     */
    if (var_helo_required && state->helo_name == 0) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "503 Error: send HELO/EHLO first");
        return (-1);
    }

    /* Only a 4xx or 5xx Milter reply stops the command. */
    if (smtpd_milters != 0) {
        reject = milter_other_event(smtpd_milters);
        if (reject != 0 && (reject[0] == '5' || reject[0] == '4')) {
            state->error_mask |= MAIL_ERROR_POLICY;
            smtpd_chat_reply(state, "%s", reject);
            return (-1);
        }
    }
    if (IN_MAIL_TRANSACTION(state)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "503 Error: MAIL transaction in progress");
        return (-1);
    }
    if (argc != 2) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "500 Syntax: ETRN domain");
        return (-1);
    }

    /*
     * Skip one leading '@' or '#'. The token itself is advanced, so the
     * shortened string is what the rest of this function works with.
     */
    if (argv[1].strval[0] == '@' || argv[1].strval[0] == '#')
        argv[1].strval++;
    site = argv[1].strval;

    /*
     * As an extension to RFC 1985 we also allow an RFC 2821 address literal
     * enclosed in []. The client-supplied name is validated here, before it
     * reaches the access checks or the flush service.
     */
    if (!valid_hostname(site, DONT_GRIPE)
        && !valid_mailhost_literal(site, DONT_GRIPE)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 Error: invalid parameter syntax");
        return (-1);
    }

    /*
     * XXX The implementation borrows heavily from the code that implements
     * UCE restrictions. These typically return 450 or 550 when a request is
     * rejected. RFC 1985 requires that 459 be sent when the server refuses
     * to perform the request.
     */
    if (SMTPD_STAND_ALONE(state)) {
        msg_warn("do not use ETRN in \"sendmail -bs\" mode");
        smtpd_chat_reply(state, "458 Unable to queue messages");
        return (-1);
    }
    reject = smtpd_check_etrn(state, site);
    if (reject != 0) {
        smtpd_chat_reply(state, "%s", reject);
        return (-1);
    }

    /*
     * Ask the flush service to deliver mail for the site. Warnings log at
     * most 100 characters of the client-supplied name.
     */
    switch (flush_send_site(site)) {
    case FLUSH_STAT_OK:
        smtpd_chat_reply(state, "250 Queuing started");
        return (0);
    case FLUSH_STAT_DENY:
        msg_warn("reject: ETRN %.100s... from %s", site, state->namaddr);
        smtpd_chat_reply(state, "459 <%s>: service unavailable", site);
        break;
    case FLUSH_STAT_BAD:
        msg_warn("bad ETRN %.100s... from %s", site, state->namaddr);
        smtpd_chat_reply(state, "458 Unable to queue messages");
        break;
    default:
        msg_warn("unable to talk to fast flush service");
        smtpd_chat_reply(state, "458 Unable to queue messages");
        break;
    }
    return (-1);
}
/* quit_cmd - process QUIT command */

static int quit_cmd(SMTPD_STATE *state, int unused_argc, SMTPD_TOKEN *unused_argv)
{
    int     unsent;

    /*
     * Sample the amount of pending output before the reply below is added
     * to the client stream.
     */
    unsent = vstream_bufstat(state->client, VSTREAM_BST_OUT_PEND);

    /*
     * Don't bother checking the syntax.
     */
    smtpd_chat_reply(state, "221 2.0.0 Bye");

    /*
     * When the "." and quit replies are pipelined, make sure they are
     * flushed now, to avoid repeated mail deliveries in case of a crash in
     * the "clean up before disconnect" code.
     * 
     * XXX When this was added in Postfix 2.1 we used vstream_fflush(). As of
     * Postfix 2.3 we use smtp_flush() for better error reporting.
     */
    if (unsent > 0)
        smtp_flush(state->client);
    return (0);
}
/* xclient_cmd - override SMTP client attributes */

static int xclient_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    SMTPD_TOKEN *tokp;
    char   *raw_value;
    char   *attr_value;
    const char *bare_value;
    char   *attr_name;
    int     namaddr_changed = 0;
    int     name_status;

    /*
     * Hostname lookup status by attribute value. The last row has no name;
     * presumably name_code() returns its code for any value that is not one
     * of the two reserved words (confirm against name_code()).
     */
    static const NAME_CODE peer_codes[] = {
        XCLIENT_UNAVAILABLE, SMTPD_PEER_CODE_PERM,
        XCLIENT_TEMPORARY, SMTPD_PEER_CODE_TEMP,
        0, SMTPD_PEER_CODE_OK,
    };

    /* Protocol names that PROTO= accepts; anything else maps to -1. */
    static const NAME_CODE proto_names[] = {
        MAIL_PROTO_SMTP, 1,
        MAIL_PROTO_ESMTP, 2,
        0, -1,
    };
    int     got_helo = 0;
    int     got_proto = 0;

    /*
     * Sanity checks.
     * 
     * XXX The XCLIENT command will override its own access control, so that
     * connection count/rate restrictions can be correctly simulated.
     * 
     * NOTE(review): xclient_allowed is the only authorization test in this
     * function. Once it passes, every attribute below is taken on the peer's
     * word and replaces the client identity stored in the session state, so
     * the xclient_hosts list is the whole trust boundary for this command.
     */
    if (IN_MAIL_TRANSACTION(state)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
        return (-1);
    }
    if (argc < 2) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...",
                         XCLIENT_CMD);
        return (-1);
    }
    if (!xclient_allowed) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
        return (-1);
    }

    /*
     * Helper macros. They remain defined after this function, for code later
     * in the file. UPDATE_STR() evaluates its value argument once, releases
     * the old string, and stores a private copy (or a null pointer).
     */
#define STREQ(x,y) (strcasecmp((x), (y)) == 0)
#define UPDATE_STR(s, v) do { \
        const char *_v = (v); \
        if (s) myfree(s); \
        s = (_v) ? mystrdup(_v) : 0; \
    } while(0)

    /*
     * Initialize the scratch buffer that receives decoded attribute values.
     */
    if (state->expand_buf == 0) {
        state->expand_buf = vstring_alloc(100);
    }

    /*
     * Iterate over all attribute=value elements. argv[0] is the command
     * verb itself.
     */
    for (tokp = argv + 1; tokp < argv + argc; tokp++) {
        attr_name = tokp->strval;

        /* Split in place at the first '='; an empty value is an error. */
        raw_value = split_at(attr_name, '=');
        if (raw_value == 0 || *raw_value == 0) {
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected");
            return (-1);
        }
        /* The limit applies to the encoded form, before xtext decoding. */
        if (strlen(raw_value) > 255) {
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long");
            return (-1);
        }

        /*
         * Backwards compatibility: Postfix prior to version 2.3 does not
         * xtext encode attribute values. When decoding fails, the raw text
         * is used as is.
         */
        if (xtext_unquote(state->expand_buf, raw_value)) {
            attr_value = STR(state->expand_buf);
        } else {
            attr_value = raw_value;
        }

        /*
         * For safety's sake mask non-printable characters. More specific
         * censoring follows per attribute. The masked value is also what
         * the "Bad ... syntax" replies below echo back.
         */
        printable(attr_value, '?');

        /*
         * NAME=substitute SMTP client hostname (and reverse/forward name, in
         * case of success). Also updates the client hostname lookup status
         * code.
         */
        if (STREQ(attr_name, XCLIENT_NAME)) {
            name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value);
            if (name_status != SMTPD_PEER_CODE_OK) {
                attr_value = CLIENT_NAME_UNKNOWN;
            } else if (!valid_hostname(attr_value, DONT_GRIPE)) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                 XCLIENT_NAME, attr_value);
                return (-1);
            }
            state->name_status = name_status;
            UPDATE_STR(state->name, attr_value);
            namaddr_changed = 1;
            if (name_status == SMTPD_PEER_CODE_OK) {
                UPDATE_STR(state->reverse_name, attr_value);
                state->reverse_name_status = name_status;
            }
        }

        /*
         * REVERSE_NAME=substitute SMTP client reverse hostname. Also updates
         * the client reverse hostname lookup status code.
         */
        else if (STREQ(attr_name, XCLIENT_REVERSE_NAME)) {
            name_status = name_code(peer_codes, NAME_CODE_FLAG_NONE, attr_value);
            if (name_status != SMTPD_PEER_CODE_OK) {
                attr_value = CLIENT_NAME_UNKNOWN;
            } else if (!valid_hostname(attr_value, DONT_GRIPE)) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                 XCLIENT_REVERSE_NAME, attr_value);
                return (-1);
            }
            state->reverse_name_status = name_status;
            UPDATE_STR(state->reverse_name, attr_value);
        }

        /*
         * ADDR=substitute SMTP client network address. The validator returns
         * the bare address, which is stored next to the form the client
         * sent.
         */
        else if (STREQ(attr_name, XCLIENT_ADDR)) {
            if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
                attr_value = CLIENT_ADDR_UNKNOWN;
                bare_value = attr_value;
            } else {
                bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE);
                if (bare_value == 0) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XCLIENT_ADDR, attr_value);
                    return (-1);
                }
            }
            UPDATE_STR(state->addr, bare_value);
            UPDATE_STR(state->rfc_addr, attr_value);

            /* IPv4 unless the value carries the IPv6 protocol prefix. */
            state->addr_family = AF_INET;
#ifdef HAS_IPV6
            if (strncasecmp(attr_value, INET_PROTO_NAME_IPV6 ":",
                            sizeof(INET_PROTO_NAME_IPV6 ":") - 1) == 0) {
                state->addr_family = AF_INET6;
            }
#endif
            namaddr_changed = 1;
        }

        /*
         * PORT=substitute SMTP client port number. Only the shape is
         * checked: all digits, and no longer than "65535".
         */
        else if (STREQ(attr_name, XCLIENT_PORT)) {
            if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
                attr_value = CLIENT_PORT_UNKNOWN;
            } else if (!alldig(attr_value)
                       || strlen(attr_value) > sizeof("65535") - 1) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                 XCLIENT_PORT, attr_value);
                return (-1);
            }
            UPDATE_STR(state->port, attr_value);
            namaddr_changed = 1;
        }

        /*
         * HELO=substitute SMTP client HELO parameter. Censor special
         * characters that could mess up message headers.
         */
        else if (STREQ(attr_name, XCLIENT_HELO)) {
            if (STREQ(attr_value, XCLIENT_UNAVAILABLE)) {
                attr_value = CLIENT_HELO_UNKNOWN;
            } else {
                if (strlen(attr_value) > VALID_HOSTNAME_LEN) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XCLIENT_HELO, attr_value);
                    return (-1);
                }
                neuter(attr_value, NEUTER_CHARACTERS, '?');
            }
            UPDATE_STR(state->helo_name, attr_value);
            got_helo = 1;
        }

        /*
         * PROTO=SMTP protocol name.
         */
        else if (STREQ(attr_name, XCLIENT_PROTO)) {
            if (name_code(proto_names, NAME_CODE_FLAG_NONE, attr_value) < 0) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                 XCLIENT_PROTO, attr_value);
                return (-1);
            }
            UPDATE_STR(state->protocol, uppercase(attr_value));
            got_proto = 1;
        }

        /*
         * Unknown attribute name. Complain.
         */
        else {
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s",
                             XCLIENT_CMD, attr_name);
            return (-1);
        }
    }

    /*
     * Update the combined name and address when either has changed.
     */
    if (namaddr_changed) {
        if (state->namaddr) {
            myfree(state->namaddr);
        }
        state->namaddr =
            SMTPD_BUILD_NAMADDRPORT(state->name, state->addr, state->port);
    }

    /*
     * XXX Compatibility: when the client issues XCLIENT then we have to go
     * back to initial server greeting stage, otherwise we can't correctly
     * simulate smtpd_client_restrictions (with smtpd_delay_reject=0) and
     * Milter connect restrictions.
     * 
     * XXX Compatibility: for accurate simulation we must also reset the HELO
     * information. We keep the information if it was specified in the
     * XCLIENT command.
     * 
     * XXX The client connection count/rate control must be consistent in its
     * use of client address information in connect and disconnect events. We
     * re-evaluate xclient so that we correctly simulate connection
     * concurrency and connection rate restrictions.
     * 
     * XXX Duplicated from smtpd_proto().
     */

    /* Authorization is re-evaluated against the substituted identity. */
    xclient_allowed =
        namadr_list_match(xclient_hosts, state->name, state->addr);
    /* NOT: tls_reset() */
    if (got_helo == 0) {
        helo_reset(state);
    }
    if (got_proto == 0 && strcasecmp(state->protocol, MAIL_PROTO_SMTP) != 0) {
        myfree(state->protocol);
        state->protocol = mystrdup(MAIL_PROTO_SMTP);
    }
#ifdef USE_SASL_AUTH
    if (smtpd_sasl_is_active(state)) {
        smtpd_sasl_auth_reset(state);
    }
#endif
    chat_reset(state, 0);
    mail_reset(state);
    rcpt_reset(state);
    if (smtpd_milters) {
        milter_disc_event(smtpd_milters);
    }

    /*
     * Jump back to the protocol loop with SMTP_ERR_NONE. Going by the
     * compatibility notes above, that restarts the session at the greeting
     * stage; the return below is presumably never reached.
     */
    vstream_longjmp(state->client, SMTP_ERR_NONE);
    return (0);
}
/* xforward_cmd - forward logging attributes */

static int xforward_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *argv)
{
    SMTPD_TOKEN *tokp;
    char   *raw_value;
    char   *attr_value;
    const char *bare_value;
    char   *attr_name;
    int     seen_flags = 0;

    /*
     * Attribute name to state flag. The last row maps an unknown name to 0,
     * which the switch below handles in its default case.
     */
    static const NAME_CODE xforward_flags[] = {
        XFORWARD_NAME, SMTPD_STATE_XFORWARD_NAME,
        XFORWARD_ADDR, SMTPD_STATE_XFORWARD_ADDR,
        XFORWARD_PORT, SMTPD_STATE_XFORWARD_PORT,
        XFORWARD_PROTO, SMTPD_STATE_XFORWARD_PROTO,
        XFORWARD_HELO, SMTPD_STATE_XFORWARD_HELO,
        XFORWARD_DOMAIN, SMTPD_STATE_XFORWARD_DOMAIN,
        0, 0,
    };

    /* Indexed by the codes in xforward_to_context[]. */
    static const char *context_name[] = {
        MAIL_ATTR_RWR_LOCAL,            /* Postfix internal form */
        MAIL_ATTR_RWR_REMOTE,           /* Postfix internal form */
    };
    static const NAME_CODE xforward_to_context[] = {
        XFORWARD_DOM_LOCAL, 0,          /* XFORWARD representation */
        XFORWARD_DOM_REMOTE, 1,         /* XFORWARD representation */
        0, -1,
    };
    int     flag;
    int     context_code;

    /*
     * Sanity checks. As with XCLIENT, the xforward_allowed test is the only
     * authorization check in this function.
     */
    if (IN_MAIL_TRANSACTION(state)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "503 5.5.1 Error: MAIL transaction in progress");
        return (-1);
    }
    if (argc < 2) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: %s attribute=value...",
                         XFORWARD_CMD);
        return (-1);
    }
    if (!xforward_allowed) {
        state->error_mask |= MAIL_ERROR_POLICY;
        smtpd_chat_reply(state, "550 5.7.0 Error: insufficient authorization");
        return (-1);
    }

    /*
     * Initialize. The forwarded attributes are preset the first time any of
     * them is supplied.
     */
    if (state->xforward.flags == 0) {
        smtpd_xforward_preset(state);
    }
    if (state->expand_buf == 0) {
        state->expand_buf = vstring_alloc(100);
    }

    /*
     * Iterate over all attribute=value elements.
     * 
     * NOTE(review): an error return inside this loop leaves the attributes
     * that were already stored by this command in place, while their flag
     * bits are only recorded after the loop completes.
     */
    for (tokp = argv + 1; tokp < argv + argc; tokp++) {
        attr_name = tokp->strval;

        raw_value = split_at(attr_name, '=');
        if (raw_value == 0 || *raw_value == 0) {
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Error: attribute=value expected");
            return (-1);
        }
        /* The limit applies to the encoded form, before xtext decoding. */
        if (strlen(raw_value) > 255) {
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Error: attribute value too long");
            return (-1);
        }

        /*
         * Backwards compatibility: Postfix prior to version 2.3 does not
         * xtext encode attribute values. When decoding fails, the raw text
         * is used as is.
         */
        if (xtext_unquote(state->expand_buf, raw_value)) {
            attr_value = STR(state->expand_buf);
        } else {
            attr_value = raw_value;
        }

        /*
         * For safety's sake mask non-printable characters. More specific
         * censoring follows per attribute.
         */
        printable(attr_value, '?');

        flag = name_code(xforward_flags, NAME_CODE_FLAG_NONE, attr_name);
        switch (flag) {

            /*
             * NAME=up-stream host name, not necessarily in the DNS. Censor
             * special characters that could mess up message headers.
             */
        case SMTPD_STATE_XFORWARD_NAME:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_NAME_UNKNOWN;
            } else {
                neuter(attr_value, NEUTER_CHARACTERS, '?');
                if (!valid_hostname(attr_value, DONT_GRIPE)) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XFORWARD_NAME, attr_value);
                    return (-1);
                }
            }
            UPDATE_STR(state->xforward.name, attr_value);
            break;

            /*
             * ADDR=up-stream host network address, not necessarily on the
             * Internet. Censor special characters that could mess up message
             * headers.
             */
        case SMTPD_STATE_XFORWARD_ADDR:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_ADDR_UNKNOWN;
                bare_value = attr_value;
            } else {
                neuter(attr_value, NEUTER_CHARACTERS, '?');
                bare_value = valid_mailhost_addr(attr_value, DONT_GRIPE);
                if (bare_value == 0) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XFORWARD_ADDR, attr_value);
                    return (-1);
                }
            }
            UPDATE_STR(state->xforward.addr, bare_value);
            UPDATE_STR(state->xforward.rfc_addr, attr_value);
            break;

            /*
             * PORT=up-stream port number. Only the shape is checked: all
             * digits, and no longer than "65535".
             */
        case SMTPD_STATE_XFORWARD_PORT:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_PORT_UNKNOWN;
            } else if (!alldig(attr_value)
                       || strlen(attr_value) > sizeof("65535") - 1) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                 XFORWARD_PORT, attr_value);
                return (-1);
            }
            UPDATE_STR(state->xforward.port, attr_value);
            break;

            /*
             * HELO=hostname that the up-stream MTA introduced itself with
             * (not necessarily SMTP HELO). Censor special characters that
             * could mess up message headers.
             */
        case SMTPD_STATE_XFORWARD_HELO:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_HELO_UNKNOWN;
            } else {
                neuter(attr_value, NEUTER_CHARACTERS, '?');
            }
            UPDATE_STR(state->xforward.helo_name, attr_value);
            break;

            /*
             * PROTO=up-stream protocol, not necessarily SMTP or ESMTP.
             * Censor special characters that could mess up message headers.
             */
        case SMTPD_STATE_XFORWARD_PROTO:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = CLIENT_PROTO_UNKNOWN;
            } else {
                if (strlen(attr_value) > 64) {
                    state->error_mask |= MAIL_ERROR_PROTOCOL;
                    smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                     XFORWARD_PROTO, attr_value);
                    return (-1);
                }
                neuter(attr_value, NEUTER_CHARACTERS, '?');
            }
            UPDATE_STR(state->xforward.protocol, attr_value);
            break;

            /*
             * DOMAIN=local or remote. An unavailable value is treated as
             * local; the stored string is the Postfix internal form.
             */
        case SMTPD_STATE_XFORWARD_DOMAIN:
            if (STREQ(attr_value, XFORWARD_UNAVAILABLE)) {
                attr_value = XFORWARD_DOM_LOCAL;
            }
            context_code = name_code(xforward_to_context,
                                     NAME_CODE_FLAG_NONE, attr_value);
            if (context_code < 0) {
                state->error_mask |= MAIL_ERROR_PROTOCOL;
                smtpd_chat_reply(state, "501 5.5.4 Bad %s syntax: %s",
                                 XFORWARD_DOMAIN, attr_value);
                return (-1);
            }
            UPDATE_STR(state->xforward.domain, context_name[context_code]);
            break;

            /*
             * Unknown attribute name. Complain.
             */
        default:
            state->error_mask |= MAIL_ERROR_PROTOCOL;
            smtpd_chat_reply(state, "501 5.5.4 Bad %s attribute name: %s",
                             XFORWARD_CMD, attr_name);
            return (-1);
        }
        seen_flags |= flag;
    }
    state->xforward.flags |= seen_flags;

    /*
     * Update the combined name and address when either has changed. Use only
     * the name when no address is available.
     */
    if (seen_flags & (SMTPD_STATE_XFORWARD_NAME | SMTPD_STATE_XFORWARD_ADDR)) {
        if (state->xforward.namaddr) {
            myfree(state->xforward.namaddr);
        }
        if (IS_AVAIL_CLIENT_ADDR(state->xforward.addr)) {
            state->xforward.namaddr =
                SMTPD_BUILD_NAMADDRPORT(state->xforward.name,
                                        state->xforward.addr,
                                        state->xforward.port);
        } else {
            state->xforward.namaddr = mystrdup(state->xforward.name);
        }
    }
    smtpd_chat_reply(state, "250 2.0.0 Ok");
    return (0);
}
/* chat_reset - notify postmaster and reset conversation log */

static void chat_reset(SMTPD_STATE *state, int threshold)
{

    /*
     * Nothing to do while there is no conversation log, or while it holds no
     * more than "threshold" entries.
     */
    if (state->history == 0 || state->history->argc <= threshold) {
        return;
    }

    /*
     * Notify the postmaster if there were errors of a class that is selected
     * by notify_mask. This usually indicates a client configuration problem,
     * or that someone is trying nasty things. Either is significant enough
     * to bother the postmaster. XXX Can't report problems when running in
     * stand-alone mode: postmaster notices require availability of the
     * cleanup service.
     */
    if (SMTPD_STAND_ALONE(state) == 0
        && (state->error_mask & state->notify_mask) != 0) {
        smtpd_chat_notify(state);
    }

    /* The error classes are cleared together with the transcript. */
    state->error_mask = 0;
    smtpd_chat_reset(state);
}
3862 #ifdef USE_TLS
/* smtpd_start_tls - turn on TLS or force disconnect */

static void smtpd_start_tls(SMTPD_STATE *state)
{
    int     rate;
    TLS_SERVER_START_PROPS props;
    static char *cipher_grade;
    static VSTRING *cipher_exclusions;
    int     cert_present;
    const char *cert_problem;

    /*
     * Wrapper mode uses a dedicated port and always requires TLS.
     * 
     * XXX In non-wrapper mode, it is possible to require client certificate
     * verification without requiring TLS. Since certificates can be verified
     * only while TLS is turned on, this means that Postfix will happily
     * perform SMTP transactions when the client does not use the STARTTLS
     * command. For this reason, Postfix does not require client certificate
     * verification unless TLS is required.
     * 
     * The cipher grade and exclusions don't change between sessions. Compute
     * just once and cache.
     */
#define ADD_EXCLUDE(vstr, str) \
    do { \
        if (*(str)) \
            vstring_sprintf_append((vstr), "%s%s", \
                                   VSTRING_LEN(vstr) ? " " : "", (str)); \
    } while (0)

    if (cipher_grade == 0) {
        if (enforce_tls) {
            cipher_grade = var_smtpd_tls_mand_ciph;
        } else {
            cipher_grade = var_smtpd_tls_ciph;
        }
        cipher_exclusions = vstring_alloc(10);
        ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_excl_ciph);
        if (enforce_tls) {
            ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_mand_excl);
        }
        /* "aNULL" is excluded whenever a client certificate is asked for. */
        if (ask_client_cert) {
            ADD_EXCLUDE(cipher_exclusions, "aNULL");
        }
    }

    /*
     * Perform the TLS handshake now. Check the client certificate
     * requirements later, if necessary. A certificate is required only when
     * it is configured and this session enforces TLS.
     */
    state->tls_context =
        TLS_SERVER_START(&props,
                         ctx = smtpd_tls_ctx,
                         stream = state->client,
                         log_level = var_smtpd_tls_loglevel,
                         timeout = var_smtpd_starttls_tmout,
                         requirecert = (var_smtpd_tls_req_ccert
                                        && state->tls_enforce_tls),
                         serverid = state->service,
                         namaddr = state->namaddr,
                         cipher_grade = cipher_grade,
                         cipher_exclusions = STR(cipher_exclusions),
                         fpt_dgst = var_smtpd_tls_fpt_dgst);

    /*
     * For new (i.e. not re-used) TLS sessions, increment the client's new
     * TLS session rate counter. We enforce the limit here only for human
     * factors reasons (reduce the WTF factor), even though it is too late to
     * save the CPU that was already burnt on PKI ops. The real safety
     * mechanism applies with future STARTTLS commands (or wrappermode
     * connections), prior to the SSL handshake.
     * 
     * XXX The client event count/rate control must be consistent in its use of
     * client address information in connect and disconnect events. For now
     * we exclude xclient authorized hosts from event count/rate control.
     * 
     * The order of the tests matters: the anvil_clnt_newtls() request is only
     * made when all the tests before it pass. A failed handshake (no TLS
     * context) is counted like a new session.
     */
    if (var_smtpd_cntls_limit > 0
        && (state->tls_context == 0 || state->tls_context->session_reused == 0)
        && SMTPD_STAND_ALONE(state) == 0
        && !xclient_allowed
        && anvil_clnt
        && !namadr_list_match(hogger_list, state->name, state->addr)
        && anvil_clnt_newtls(anvil_clnt, state->service, state->addr,
                             &rate) == ANVIL_STAT_OK
        && rate > var_smtpd_cntls_limit) {
        state->error_mask |= MAIL_ERROR_POLICY;
        msg_warn("New TLS session rate limit exceeded: %d from %s for service %s",
                 rate, state->namaddr, state->service);
        /* A reply can only be sent when the handshake succeeded. */
        if (state->tls_context) {
            smtpd_chat_reply(state,
                    "421 4.7.0 %s Error: too many new TLS sessions from %s",
                             var_myhostname, state->namaddr);
        }
        /* XXX Use regular return to signal end of session. */
        vstream_longjmp(state->client, SMTP_ERR_QUIET);
    }

    /*
     * When the TLS handshake fails, the conversation is in an unknown state.
     * There is nothing we can do except to disconnect from the client.
     */
    if (state->tls_context == 0) {
        vstream_longjmp(state->client, SMTP_ERR_EOF);
    }

    /*
     * If we are requiring verified client certs, enforce the constraint
     * here. We have a usable TLS session with the client, so no need to
     * disable I/O, ... we can even be polite and send "421 ...".
     */
    if (props.requirecert && TLS_CERT_IS_TRUSTED(state->tls_context) == 0) {

        /*
         * Fetch and reject the next command (should be EHLO), then
         * disconnect (side-effect of returning "421 ..."). The same reason
         * text goes to the log and to the client.
         */
        cert_present = TLS_CERT_IS_PRESENT(state->tls_context);
        if (cert_present) {
            cert_problem = "Client certificate not trusted";
        } else {
            cert_problem = "No client certificate presented";
        }
        msg_info("NOQUEUE: abort: TLS from %s: %s",
                 state->namaddr, cert_problem);
        smtpd_chat_query(state);
        smtpd_chat_reply(state, "421 4.7.1 %s Error: %s",
                         var_myhostname, cert_problem);
        state->error_mask |= MAIL_ERROR_POLICY;
        return;
    }

    /*
     * When TLS is turned on, we may offer AUTH methods that would not be
     * offered within a plain-text session.
     */
#ifdef USE_SASL_AUTH
    if (var_smtpd_sasl_enable) {
        /* Non-wrappermode, presumably. */
        if (smtpd_sasl_is_active(state)
            && strcmp(var_smtpd_sasl_opts, var_smtpd_sasl_tls_opts) != 0) {
            smtpd_sasl_auth_reset(state);
            smtpd_sasl_deactivate(state);
        }
        /* Wrappermode and non-wrappermode. */
        if (smtpd_sasl_is_active(state) == 0) {
            smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
                                var_smtpd_sasl_tls_opts);
        }
    }
#endif
}
/* starttls_cmd - respond to STARTTLS */

static int starttls_cmd(SMTPD_STATE *state, int argc, SMTPD_TOKEN *unused_argv)
{
    const char *err;
    int     rate;

    /* STARTTLS takes no arguments. */
    if (argc != 1) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "501 5.5.4 Syntax: STARTTLS");
        return (-1);
    }

    /*
     * Give the Milters a say. Only replies that start with '5' or '4' stop
     * the command here; any other reply falls through to the checks below.
     */
    if (smtpd_milters != 0 && (err = milter_other_event(smtpd_milters)) != 0) {
        switch (err[0]) {
        case '5':
            state->error_mask |= MAIL_ERROR_POLICY;
            smtpd_chat_reply(state, "%s", err);
            return (-1);
        case '4':
            /* Sendmail compatibility: map 4xx into 454. */
            state->error_mask |= MAIL_ERROR_POLICY;
            smtpd_chat_reply(state, "454 4.3.0 Try again later");
            return (-1);
        default:
            break;
        }
    }
    if (state->tls_context != 0) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "554 5.5.1 Error: TLS already active");
        return (-1);
    }
    /* TLS is not offered to this session, or STARTTLS was suppressed. */
    if (state->tls_use_tls == 0
        || (state->ehlo_discard_mask & EHLO_MASK_STARTTLS)) {
        state->error_mask |= MAIL_ERROR_PROTOCOL;
        smtpd_chat_reply(state, "502 5.5.1 Error: command not implemented");
        return (-1);
    }
    if (smtpd_tls_ctx == 0) {
        state->error_mask |= MAIL_ERROR_SOFTWARE;
        /* RFC 4954 Section 6. */
        smtpd_chat_reply(state, "454 4.7.0 TLS not available due to local problem");
        return (-1);
    }

    /*
     * Enforce TLS handshake rate limit when this client negotiated too many
     * new TLS sessions in the recent past. This test runs before any
     * handshake work is done.
     * 
     * XXX The client event count/rate control must be consistent in its use of
     * client address information in connect and disconnect events. For now
     * we exclude xclient authorized hosts from event count/rate control.
     */
    if (var_smtpd_cntls_limit > 0
        && SMTPD_STAND_ALONE(state) == 0
        && !xclient_allowed
        && anvil_clnt
        && !namadr_list_match(hogger_list, state->name, state->addr)
        && anvil_clnt_newtls_stat(anvil_clnt, state->service, state->addr,
                                  &rate) == ANVIL_STAT_OK
        && rate > var_smtpd_cntls_limit) {
        state->error_mask |= MAIL_ERROR_POLICY;
        msg_warn("Refusing STARTTLS request from %s for service %s",
                 state->namaddr, state->service);
        smtpd_chat_reply(state,
                         "454 4.7.0 Error: too many new TLS sessions from %s",
                         state->namaddr);
        return (-1);
    }
    smtpd_chat_reply(state, "220 2.0.0 Ready to start TLS");
    /* Flush before we switch the stream's read/write routines. */
    smtp_flush(state->client);

    /*
     * NOTE(review): nothing in this function discards input that the client
     * may have sent in plaintext right behind the STARTTLS line. If such
     * input stays in the stream's read buffer, it would later be handled as
     * if it had arrived inside the TLS session. Confirm that the read buffer
     * is emptied before the handshake, here or in the code that this
     * function calls.
     */

    /*
     * Reset all inputs to the initial state.
     * 
     * XXX RFC 2487 does not forbid the use of STARTTLS while mail transfer is
     * in progress, so we have to allow it even when it makes no sense.
     */
    helo_reset(state);
    mail_reset(state);
    rcpt_reset(state);

    /*
     * Turn on TLS, using code that is shared with TLS wrapper mode. This
     * code does not return when the handshake fails.
     */
    smtpd_start_tls(state);
    return (0);
}
/* tls_reset - undo STARTTLS */

static void tls_reset(SMTPD_STATE *state)
{
    int     failure;

    /* Nothing to undo when TLS was never turned on. */
    if (state->tls_context == 0) {
        return;
    }

    /*
     * Don't waste time when we lost contact: a stream that is at EOF or in
     * error is reported to tls_server_stop() as a failure.
     */
    failure = (vstream_feof(state->client) || vstream_ferror(state->client));
    vstream_fflush(state->client);      /* NOT: smtp_flush() */
    tls_server_stop(smtpd_tls_ctx, state->client, var_smtpd_starttls_tmout,
                    failure, state->tls_context);

    /* Clear the pointer, so that later code sees that TLS is off. */
    state->tls_context = 0;
}
4115 #endif
/*
 * The table of all SMTP commands that we know. Set the junk limit flag on
 * any command that can be repeated an arbitrary number of times without
 * triggering a tarpit delay of some sort.
 * 
 * Only HELO, EHLO, STARTTLS, NOOP and QUIT carry the "allow before STARTTLS"
 * flag. The code that enforces this is not part of this table; presumably
 * the command dispatcher refuses the other commands while TLS is required
 * but not yet active (confirm in the dispatcher).
 */
typedef struct SMTPD_CMD {
    char   *name;                       /* command verb */
    int     (*action) (SMTPD_STATE *, int, SMTPD_TOKEN *);      /* handler */
    int     flags;                      /* SMTPD_CMD_FLAG_XXX bits */
} SMTPD_CMD;

#define SMTPD_CMD_FLAG_LIMIT    (1<<0)  /* limit usage */
#define SMTPD_CMD_FLAG_PRE_TLS  (1<<1)  /* allow before STARTTLS */
#define SMTPD_CMD_FLAG_LAST     (1<<2)  /* last in PIPELINING command group */

static SMTPD_CMD smtpd_cmd_table[] = {
    {SMTPD_CMD_HELO, helo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS},
    {SMTPD_CMD_EHLO, ehlo_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS},
#ifdef USE_TLS
    {SMTPD_CMD_STARTTLS, starttls_cmd, SMTPD_CMD_FLAG_PRE_TLS},
#endif
#ifdef USE_SASL_AUTH
    {SMTPD_CMD_AUTH, smtpd_sasl_auth_cmd, 0},
#endif
    {SMTPD_CMD_MAIL, mail_cmd, 0},
    {SMTPD_CMD_RCPT, rcpt_cmd, 0},
    {SMTPD_CMD_DATA, data_cmd, SMTPD_CMD_FLAG_LAST},
    {SMTPD_CMD_RSET, rset_cmd, SMTPD_CMD_FLAG_LIMIT},
    {SMTPD_CMD_NOOP, noop_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS},
    {SMTPD_CMD_VRFY, vrfy_cmd, SMTPD_CMD_FLAG_LIMIT},
    {SMTPD_CMD_ETRN, etrn_cmd, SMTPD_CMD_FLAG_LIMIT},
    {SMTPD_CMD_QUIT, quit_cmd, SMTPD_CMD_FLAG_PRE_TLS},
    {SMTPD_CMD_XCLIENT, xclient_cmd, 0},
    {SMTPD_CMD_XFORWARD, xforward_cmd, 0},

    /*
     * All-zero terminator row. This listing has lost the lines that close
     * the table, so the row is restored on the assumption that lookups stop
     * at a null name; confirm against the lookup loop.
     */
    {0, 0, 0},
};

/* Command name lists; they are filled in and consulted elsewhere. */
static STRING_LIST *smtpd_noop_cmds;
static STRING_LIST *smtpd_forbid_cmds;
4157 /* smtpd_proto - talk the SMTP protocol */
4159 static void smtpd_proto(SMTPD_STATE *state)
4161 int argc;
4162 SMTPD_TOKEN *argv;
4163 SMTPD_CMD *cmdp;
4164 int tls_rate;
4165 const char *ehlo_words;
4166 const char *err;
4167 int status;
4170 * Print a greeting banner and run the state machine. Read SMTP commands
4171 * one line at a time. According to the standard, a sender or recipient
4172 * address could contain an escaped newline. I think this is perverse,
4173 * and anyone depending on this is really asking for trouble.
4175 * In case of mail protocol trouble, the program jumps back to this place,
4176 * so that it can perform the necessary cleanup before talking to the
4177 * next client. The setjmp/longjmp primitives are like a sharp tool: use
4178 * with care. I would certainly recommend against the use of
4179 * setjmp/longjmp in programs that change privilege levels.
4181 * In case of file system trouble the program terminates after logging the
4182 * error and after informing the client. In all other cases (out of
4183 * memory, panic) the error is logged, and the msg_cleanup() exit handler
4184 * cleans up, but no attempt is made to inform the client of the nature
4185 * of the problem.
4187 smtp_timeout_setup(state->client, var_smtpd_tmout);
4189 while ((status = vstream_setjmp(state->client)) == SMTP_ERR_NONE)
4190 /* void */ ;
4191 switch (status) {
4193 default:
4194 msg_panic("smtpd_proto: unknown error reading from %s",
4195 state->namaddr);
4196 break;
4198 case SMTP_ERR_TIME:
4199 state->reason = REASON_TIMEOUT;
4200 if (vstream_setjmp(state->client) == 0)
4201 smtpd_chat_reply(state, "421 4.4.2 %s Error: timeout exceeded",
4202 var_myhostname);
4203 break;
4205 case SMTP_ERR_EOF:
4206 state->reason = REASON_LOST_CONNECTION;
4207 break;
4209 case SMTP_ERR_QUIET:
4210 break;
4212 case 0:
4215 * In TLS wrapper mode, turn on TLS using code that is shared with
4216 * the STARTTLS command. This code does not return when the handshake
4217 * fails.
4219 * Enforce TLS handshake rate limit when this client negotiated too many
4220 * new TLS sessions in the recent past.
4222 * XXX This means we don't complete a TLS handshake just to tell the
4223 * client that we don't provide service. TLS wrapper mode is
4224 * obsolete, so we don't have to provide perfect support.
4226 #ifdef USE_TLS
4227 if (SMTPD_STAND_ALONE(state) == 0 && var_smtpd_tls_wrappermode) {
4228 if (smtpd_tls_ctx == 0) {
4229 msg_warn("Wrapper-mode request dropped from %s for service %s."
4230 " TLS context initialization failed. For details see"
4231 " earlier warnings in your logs.",
4232 state->namaddr, state->service);
4233 break;
4235 if (var_smtpd_cntls_limit > 0
4236 && !xclient_allowed
4237 && anvil_clnt
4238 && !namadr_list_match(hogger_list, state->name, state->addr)
4239 && anvil_clnt_newtls_stat(anvil_clnt, state->service,
4240 state->addr, &tls_rate) == ANVIL_STAT_OK
4241 && tls_rate > var_smtpd_cntls_limit) {
4242 state->error_mask |= MAIL_ERROR_POLICY;
4243 msg_warn("Refusing TLS service request from %s for service %s",
4244 state->namaddr, state->service);
4245 break;
4247 smtpd_start_tls(state);
4249 #endif
4252 * XXX The client connection count/rate control must be consistent in
4253 * its use of client address information in connect and disconnect
4254 * events. For now we exclude xclient authorized hosts from
4255 * connection count/rate control.
4257 * XXX Must send connect/disconnect events to the anvil server even when
4258 * this service is not connection count or rate limited, otherwise it
4259 * will discard client message or recipient rate information too
4260 * early or too late.
4262 if (SMTPD_STAND_ALONE(state) == 0
4263 && !xclient_allowed
4264 && anvil_clnt
4265 && !namadr_list_match(hogger_list, state->name, state->addr)
4266 && anvil_clnt_connect(anvil_clnt, state->service, state->addr,
4267 &state->conn_count, &state->conn_rate)
4268 == ANVIL_STAT_OK) {
4269 if (var_smtpd_cconn_limit > 0
4270 && state->conn_count > var_smtpd_cconn_limit) {
4271 state->error_mask |= MAIL_ERROR_POLICY;
4272 msg_warn("Connection concurrency limit exceeded: %d from %s for service %s",
4273 state->conn_count, state->namaddr, state->service);
4274 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
4275 var_myhostname, state->addr);
4276 break;
4278 if (var_smtpd_crate_limit > 0
4279 && state->conn_rate > var_smtpd_crate_limit) {
4280 msg_warn("Connection rate limit exceeded: %d from %s for service %s",
4281 state->conn_rate, state->namaddr, state->service);
4282 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many connections from %s",
4283 var_myhostname, state->addr);
4284 break;
4287 /* XXX We use the real client for connect access control. */
4288 if (SMTPD_STAND_ALONE(state) == 0
4289 && var_smtpd_delay_reject == 0
4290 && (err = smtpd_check_client(state)) != 0) {
4291 state->error_mask |= MAIL_ERROR_POLICY;
4292 state->access_denied = mystrdup(err);
4293 smtpd_chat_reply(state, "%s", state->access_denied);
4294 state->error_count++;
4298 * RFC 2034: the text part of all 2xx, 4xx, and 5xx SMTP responses
4299 * other than the initial greeting and any response to HELO or EHLO
4300 * are prefaced with a status code as defined in RFC 3463.
4304 * XXX If a Milter rejects CONNECT, reply with 220 except in case of
4305 * hard reject or 421 (disconnect). The reply persists so it will
4306 * apply to MAIL FROM and to other commands such as AUTH, STARTTLS,
4307 * and VRFY. Note: after a Milter CONNECT reject, we must not reject
4308 * HELO or EHLO, but we do change the feature list that is announced
4309 * in the EHLO response.
4311 else {
4312 err = 0;
4313 if (smtpd_milters != 0 && SMTPD_STAND_ALONE(state) == 0) {
4314 milter_macro_callback(smtpd_milters, smtpd_milter_eval,
4315 (void *) state);
4316 if ((err = milter_conn_event(smtpd_milters, state->name,
4317 state->addr,
4318 strcmp(state->port, CLIENT_PORT_UNKNOWN) ?
4319 state->port : "0",
4320 state->addr_family)) != 0)
4321 err = check_milter_reply(state, err);
4323 if (err && err[0] == '5') {
4324 state->error_mask |= MAIL_ERROR_POLICY;
4325 smtpd_chat_reply(state, "554 %s ESMTP not accepting connections",
4326 var_myhostname);
4327 state->error_count++;
4328 } else if (err && strncmp(err, "421", 3) == 0) {
4329 state->error_mask |= MAIL_ERROR_POLICY;
4330 smtpd_chat_reply(state, "421 %s Service unavailable - try again later",
4331 var_myhostname);
4332 /* Not: state->error_count++; */
4333 #ifdef notdef
4334 } else if (strcmp(state->name, "unknown") == 0) {
4335 static char *greet_chunks[] = {
4336 "220 ", 0, " ESMTP ", 0, 0,
4338 char **cpp;
4339 char *cp;
4341 greet_chunks[1] = var_myhostname;
4342 greet_chunks[3] = var_mail_name;
4343 for (cpp = greet_chunks; *cpp; cpp++) {
4344 for (cp = *cpp; *cp; cp++)
4345 smtp_fputc(*(unsigned char *) cp, state->client);
4346 smtp_flush(state->client);
4347 if (read_wait(vstream_fileno(state->client), 2) == 0) {
4348 smtpd_chat_query(state);
4349 msg_info("PREGREET from %s: %s",
4350 state->namaddr, vstring_str(state->buffer));
4351 state->error_mask |= MAIL_ERROR_POLICY;
4352 smtpd_chat_reply(state,
4353 "521 %s ESMTP not accepting connections",
4354 var_myhostname);
4355 /* Not: state->error_count++; */
4356 break;
4359 smtp_fputs("", 0, state->client);
4360 smtp_flush(state->client);
4361 #endif
4362 } else {
4363 #ifdef PREGREET
4364 if (*var_stress == 0 && strcmp(state->name, "unknown") == 0) {
4365 smtpd_chat_reply(state, "220-%s", var_smtpd_banner);
4366 smtp_flush(state->client);
4367 if (read_wait(vstream_fileno(state->client), 1) == 0) {
4368 int n = peekfd(vstream_fileno(state->client));
4370 smtpd_chat_query(state);
4371 msg_info("PREGREET %d from %s: %s",
4372 n, state->namaddr, vstring_str(state->buffer));
4373 state->error_mask |= MAIL_ERROR_POLICY;
4374 smtpd_chat_reply(state,
4375 "521 %s ESMTP not accepting connections",
4376 var_myhostname);
4377 /* Not: state->error_count++; */
4378 break;
4381 #endif
4382 smtpd_chat_reply(state, "220 %s", var_smtpd_banner);
4387 * Determine what server ESMTP features to suppress, typically to
4388 * avoid inter-operability problems.
4390 if (ehlo_discard_maps == 0
4391 || (ehlo_words = maps_find(ehlo_discard_maps, state->addr, 0)) == 0)
4392 ehlo_words = var_smtpd_ehlo_dis_words;
4393 state->ehlo_discard_mask = ehlo_mask(ehlo_words);
4396 * SASL initialization for plaintext mode.
4398 * XXX Backwards compatibility: allow AUTH commands when the AUTH
4399 * announcement is suppressed via smtpd_sasl_exceptions_networks.
4401 * XXX Safety: don't enable SASL with "smtpd_tls_auth_only = yes" and
4402 * non-TLS build.
4404 #ifdef USE_SASL_AUTH
4405 if (var_smtpd_sasl_enable && smtpd_sasl_is_active(state) == 0
4406 #ifdef USE_TLS
4407 && state->tls_context == 0 && !state->tls_auth_only
4408 #else
4409 && var_smtpd_tls_auth_only == 0
4410 #endif
4412 smtpd_sasl_activate(state, VAR_SMTPD_SASL_OPTS,
4413 var_smtpd_sasl_opts);
4414 #endif
4416 for (;;) {
4417 if (state->flags & SMTPD_FLAG_HANGUP)
4418 break;
4419 if (state->error_count >= var_smtpd_hard_erlim) {
4420 state->reason = REASON_ERROR_LIMIT;
4421 state->error_mask |= MAIL_ERROR_PROTOCOL;
4422 smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors",
4423 var_myhostname);
4424 break;
4426 watchdog_pat();
4427 smtpd_chat_query(state);
4428 if ((argc = smtpd_token(vstring_str(state->buffer), &argv)) == 0) {
4429 state->error_mask |= MAIL_ERROR_PROTOCOL;
4430 smtpd_chat_reply(state, "500 5.5.2 Error: bad syntax");
4431 state->error_count++;
4432 continue;
4434 if (*var_smtpd_noop_cmds
4435 && string_list_match(smtpd_noop_cmds, argv[0].strval)) {
4436 smtpd_chat_reply(state, "250 2.0.0 Ok");
4437 if (state->junk_cmds++ > var_smtpd_junk_cmd_limit)
4438 state->error_count++;
4439 continue;
4441 for (cmdp = smtpd_cmd_table; cmdp->name != 0; cmdp++)
4442 if (strcasecmp(argv[0].strval, cmdp->name) == 0)
4443 break;
4444 if (cmdp->name == 0) {
4445 state->where = SMTPD_CMD_UNKNOWN;
4446 if (is_header(argv[0].strval)
4447 || (*var_smtpd_forbid_cmds
4448 && string_list_match(smtpd_forbid_cmds, argv[0].strval))) {
4449 msg_warn("non-SMTP command from %s: %.100s",
4450 state->namaddr, vstring_str(state->buffer));
4451 smtpd_chat_reply(state, "221 2.7.0 Error: I can break rules, too. Goodbye.");
4452 break;
4455 /* XXX We use the real client for connect access control. */
4456 if (state->access_denied && cmdp->action != quit_cmd) {
4457 smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s",
4458 state->namaddr); /* RFC 2821 Sec 3.1 */
4459 state->error_count++;
4460 continue;
4462 /* state->access_denied == 0 || cmdp->action == quit_cmd */
4463 if (cmdp->name == 0) {
4464 if (smtpd_milters != 0
4465 && SMTPD_STAND_ALONE(state) == 0
4466 && (err = milter_unknown_event(smtpd_milters,
4467 argv[0].strval)) != 0
4468 && (err = check_milter_reply(state, err)) != 0) {
4469 smtpd_chat_reply(state, err);
4470 } else
4471 smtpd_chat_reply(state, "502 5.5.2 Error: command not recognized");
4472 state->error_mask |= MAIL_ERROR_PROTOCOL;
4473 state->error_count++;
4474 continue;
4476 #ifdef USE_TLS
4477 if (state->tls_enforce_tls &&
4478 !state->tls_context &&
4479 (cmdp->flags & SMTPD_CMD_FLAG_PRE_TLS) == 0) {
4480 smtpd_chat_reply(state,
4481 "530 5.7.0 Must issue a STARTTLS command first");
4482 state->error_count++;
4483 continue;
4485 #endif
4486 state->where = cmdp->name;
4487 if (SMTPD_STAND_ALONE(state) == 0
4488 && (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
4489 || (cmdp->flags & SMTPD_CMD_FLAG_LAST))
4490 && (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
4491 && (vstream_peek(state->client) > 0
4492 || peekfd(vstream_fileno(state->client)) > 0)) {
4493 msg_info("improper command pipelining after %s from %s",
4494 cmdp->name, state->namaddr);
4495 state->flags |= SMTPD_FLAG_ILL_PIPELINING;
4497 if (cmdp->action(state, argc, argv) != 0)
4498 state->error_count++;
4499 if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
4500 && state->junk_cmds++ > var_smtpd_junk_cmd_limit)
4501 state->error_count++;
4502 if (cmdp->action == quit_cmd)
4503 break;
4505 break;
4509 * XXX The client connection count/rate control must be consistent in its
4510 * use of client address information in connect and disconnect events.
4511 * For now we exclude xclient authorized hosts from connection count/rate
4512 * control.
4514 * XXX Must send connect/disconnect events to the anvil server even when
4515 * this service is not connection count or rate limited, otherwise it
4516 * will discard client message or recipient rate information too early or
4517 * too late.
4519 if (SMTPD_STAND_ALONE(state) == 0
4520 && !xclient_allowed
4521 && anvil_clnt
4522 && !namadr_list_match(hogger_list, state->name, state->addr))
4523 anvil_clnt_disconnect(anvil_clnt, state->service, state->addr);
4526 * Log abnormal session termination, in case postmaster notification has
4527 * been turned off. In the log, indicate the last recognized state before
4528 * things went wrong. Don't complain about clients that go away without
4529 * sending QUIT. Log the byte count after DATA to help diagnose MTU
4530 * troubles.
4532 if (state->reason && state->where) {
4533 if (strcmp(state->where, SMTPD_AFTER_DATA) == 0) {
4534 msg_info("%s after %s (%lu bytes) from %s", /* 2.5 compat */
4535 state->reason, SMTPD_CMD_DATA, /* 2.5 compat */
4536 (long) (state->act_size + vstream_peek(state->client)),
4537 state->namaddr);
4538 } else if (strcmp(state->where, SMTPD_AFTER_DOT)
4539 || strcmp(state->reason, REASON_LOST_CONNECTION)) {
4540 msg_info("%s after %s from %s",
4541 state->reason, state->where, state->namaddr);
4546 * Cleanup whatever information the client gave us during the SMTP
4547 * dialog.
4549 * XXX Duplicated in xclient_cmd().
4551 #ifdef USE_TLS
4552 tls_reset(state);
4553 #endif
4554 helo_reset(state);
4555 #ifdef USE_SASL_AUTH
4556 if (smtpd_sasl_is_active(state)) {
4557 smtpd_sasl_auth_reset(state);
4558 smtpd_sasl_deactivate(state);
4560 #endif
4561 chat_reset(state, 0);
4562 mail_reset(state);
4563 rcpt_reset(state);
4564 if (smtpd_milters)
4565 milter_disc_event(smtpd_milters);
/* smtpd_service - run one complete client session, connect to disconnect */

static void smtpd_service(VSTREAM *stream, char *service, char **argv)
{
    SMTPD_STATE session;

    /*
     * This service takes no command-line arguments; anything left in argv
     * is reported as a fatal error.
     */
    if (argv[0] != 0) {
        msg_fatal("unexpected command-line argument: %s", argv[0]);
    }

    /*
     * We get here when a client has connected to our network port, or when
     * the SMTP server runs in stand-alone mode (input from a pipe).
     *
     * Look up and sanitize the peer name, then set up the per-connection
     * state. Hostname lookup can take a while when the name service is
     * unhealthy, which is why a local name server is recommended on
     * critical machines.
     */
    smtpd_state_init(&session, stream, service);
    msg_info("connect from %s", session.namaddr);

    /*
     * TLS wrapper mode runs on a dedicated port and turns on TLS before any
     * SMTP is spoken, so it implies TLS enforce mode.
     *
     * Outside wrapper mode, TLS enforce mode implies that AUTH is not
     * advertised before the client issues STARTTLS; that is why enforce
     * mode also sets tls_auth_only below. Stand-alone sessions skip this
     * block entirely.
     */
#ifdef USE_TLS
    if (!SMTPD_STAND_ALONE((&session))) {
        session.tls_use_tls = var_smtpd_tls_wrappermode ?
            1 : (var_smtpd_use_tls | var_smtpd_enforce_tls);
        session.tls_enforce_tls = var_smtpd_tls_wrappermode ?
            1 : var_smtpd_enforce_tls;
        if (var_smtpd_tls_auth_only || session.tls_enforce_tls) {
            session.tls_auth_only = 1;
        }
    }
#endif

    /*
     * Decide XCLIENT eligibility from the real peer name and address,
     * before the protocol engine runs: XCLIENT must not override its own
     * access control.
     */
    xclient_allowed =
        namadr_list_match(xclient_hosts, session.name, session.addr);

    /*
     * The same holds for XFORWARD: overriding its access control makes no
     * sense either.
     */
    xforward_allowed =
        namadr_list_match(xforward_hosts, session.name, session.addr);

    /*
     * See whether verbose logging must be turned on for this client.
     */
    debug_peer_check(session.name, session.addr);

    /*
     * Provide the SMTP service.
     */
    smtpd_proto(&session);

    /*
     * The client has gone away: release whatever was set up at connection
     * time and restore the logging level.
     */
    msg_info("disconnect from %s", session.namaddr);
    smtpd_state_reset(&session);
    debug_peer_restore();
}
/* pre_accept - restart the process when a lookup table has changed */

static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *changed = dict_changed_name();

    /* Nothing changed: carry on and accept the next connection. */
    if (changed == 0) {
        return;
    }

    /*
     * Exit with status 0 rather than continue serving with a stale copy
     * of the table.
     */
    msg_info("table %s has changed -- restarting", changed);
    exit(0);
}
/* pre_jail_init - pre-jail initialization */

/*
 * Registered in main() as the MAIL_SERVER_PRE_INIT hook. Sets up everything
 * that needs file or key access: command/client match lists, access maps,
 * SASL, the TLS server context, the flush client and the EHLO keyword
 * filter. Both arguments are unused.
 */
static void pre_jail_init(char *unused_name, char **unused_argv)
{
    int use_tls;

    /*
     * Initialize blacklist/etc. patterns before entering the chroot jail, in
     * case they specify a filename pattern.
     */
    smtpd_noop_cmds = string_list_init(MATCH_FLAG_NONE, var_smtpd_noop_cmds);
    smtpd_forbid_cmds = string_list_init(MATCH_FLAG_NONE, var_smtpd_forbid_cmds);
    verp_clients = namadr_list_init(MATCH_FLAG_NONE, var_verp_clients);
    xclient_hosts = namadr_list_init(MATCH_FLAG_NONE, var_xclient_hosts);
    xforward_hosts = namadr_list_init(MATCH_FLAG_NONE, var_xforward_hosts);
    hogger_list = namadr_list_init(MATCH_FLAG_NONE, var_smtpd_hoggers);

    /*
     * Open maps before dropping privileges so we can read passwords etc.
     *
     * XXX We should not do this in stand-alone (sendmail -bs) mode, but we
     * can't use SMTPD_STAND_ALONE(state) here. This means "sendmail -bs"
     * will try to connect to proxymap when invoked by root for mail
     * submission. To fix, we would have to pass stand-alone mode information
     * via different means. For now we have to tell people not to run mail
     * clients as root.
     */
    if (getuid() == 0 || getuid() == var_owner_uid)
        smtpd_check_init();
    debug_peer_init();

    /*
     * The brace-less "if" below governs exactly one statement: the call to
     * smtpd_sasl_initialize() in a SASL build, or the warning in a non-SASL
     * build. The exceptions-network list is a separate statement, so in a
     * SASL build it is created whenever the parameter is non-empty, whether
     * or not SASL is enabled.
     */
    if (var_smtpd_sasl_enable)
#ifdef USE_SASL_AUTH
        smtpd_sasl_initialize();

    if (*var_smtpd_sasl_exceptions_networks)
        sasl_exceptions_networks =
            namadr_list_init(MATCH_FLAG_NONE,
                             var_smtpd_sasl_exceptions_networks);
#else
        msg_warn("%s is true, but SASL support is not compiled in",
                 VAR_SMTPD_SASL_ENABLE);
#endif

#ifdef USE_TLS

    /*
     * XXX Temporary fix to pretend that we consistently implement TLS
     * security levels. We implement only a subset for now. If we implement
     * more levels, wrappermode should override only weaker TLS security
     * levels.
     *
     * Note: tls_level_lookup() logs no warning.
     *
     * Operator caveat: the SECURE, VERIFY and FPRINT levels are not
     * implemented here. They are logged as unsupported and then handled as
     * "encrypt", i.e. TLS becomes mandatory but this switch adds no
     * certificate requirement of its own. An unrecognized level is fatal.
     */
    if (!var_smtpd_tls_wrappermode && *var_smtpd_tls_level) {
        switch (tls_level_lookup(var_smtpd_tls_level)) {
        default:
            msg_fatal("Invalid TLS level \"%s\"", var_smtpd_tls_level);
            /* NOTREACHED */
            break;
        case TLS_LEV_SECURE:
        case TLS_LEV_VERIFY:
        case TLS_LEV_FPRINT:
            msg_warn("%s: unsupported TLS level \"%s\", using \"encrypt\"",
                     VAR_SMTPD_TLS_LEVEL, var_smtpd_tls_level);
            /* FALLTHROUGH */
        case TLS_LEV_ENCRYPT:
            var_smtpd_enforce_tls = var_smtpd_use_tls = 1;
            break;
        case TLS_LEV_MAY:
            var_smtpd_enforce_tls = 0;
            var_smtpd_use_tls = 1;
            break;
        case TLS_LEV_NONE:
            var_smtpd_enforce_tls = var_smtpd_use_tls = 0;
            break;
        }
    }
    /* Wrapper mode always enforces TLS; enforcing TLS implies using it. */
    enforce_tls = var_smtpd_tls_wrappermode || var_smtpd_enforce_tls;
    use_tls = var_smtpd_use_tls || enforce_tls;
#else
    /* Non-TLS build: never use or enforce TLS, whatever the configuration. */
    enforce_tls = use_tls = 0;
#endif

    /*
     * Keys can only be loaded when running with suitable permissions. When
     * called from "sendmail -bs" this is not the case, so we must not
     * announce STARTTLS support.
     */
    if (getuid() == 0 || getuid() == var_owner_uid) {
        if (use_tls) {
#ifdef USE_TLS
            TLS_SERVER_INIT_PROPS props;
            const char *cert_file;
            int have_server_cert;
            int no_server_cert_ok;
            int require_server_cert;

            /*
             * Can't use anonymous ciphers if we want client certificates.
             * Must use anonymous ciphers if we have no certificates.
             *
             * XXX: Ugh! Too many booleans!
             *
             * Client certificates are asked for when the ask-ccert setting
             * is on, or when TLS is enforced and client certificates are
             * required; either case also requires a server certificate.
             */
            ask_client_cert = require_server_cert =
                (var_smtpd_tls_ask_ccert
                 || (enforce_tls && var_smtpd_tls_req_ccert));
            /* The literal value "none" opts in to running without a cert. */
            if (strcasecmp(var_smtpd_tls_cert_file, "none") == 0) {
                no_server_cert_ok = 1;
                cert_file = "";
            } else {
                no_server_cert_ok = 0;
                cert_file = var_smtpd_tls_cert_file;
            }
            /* Any one of the three certificate file settings is enough. */
            have_server_cert =
                (*cert_file || *var_smtpd_tls_dcert_file || *var_smtpd_tls_eccert_file);

            /* Some TLS configuration errors are not show stoppers. */
            if (!have_server_cert && require_server_cert)
                msg_warn("Need a server cert to request client certs");
            if (!enforce_tls && var_smtpd_tls_req_ccert)
                msg_warn("Can't require client certs unless TLS is required");
            /* After a show-stopper error, reply with 454 to STARTTLS. */
            if (have_server_cert || (no_server_cert_ok && !require_server_cert))

                /*
                 * Large parameter lists are error-prone, so we emulate a
                 * language feature that C does not have natively: named
                 * parameter lists.
                 *
                 * The mandatory protocol list is used only when TLS is
                 * enforced; otherwise the opportunistic list applies.
                 *
                 * NOTE(review): dh512_param_file presumably carries 512-bit
                 * DH parameters, which are too weak for current use --
                 * confirm whether this setting is still needed.
                 */
                smtpd_tls_ctx =
                    TLS_SERVER_INIT(&props,
                                    log_level = var_smtpd_tls_loglevel,
                                    verifydepth = var_smtpd_tls_ccert_vd,
                                    cache_type = TLS_MGR_SCACHE_SMTPD,
                                    scache_timeout
                                    = var_smtpd_tls_scache_timeout,
                                    set_sessid = var_smtpd_tls_set_sessid,
                                    cert_file = cert_file,
                                    key_file = var_smtpd_tls_key_file,
                                    dcert_file = var_smtpd_tls_dcert_file,
                                    dkey_file = var_smtpd_tls_dkey_file,
                                    eccert_file = var_smtpd_tls_eccert_file,
                                    eckey_file = var_smtpd_tls_eckey_file,
                                    CAfile = var_smtpd_tls_CAfile,
                                    CApath = var_smtpd_tls_CApath,
                                    dh1024_param_file
                                    = var_smtpd_tls_dh1024_param_file,
                                    dh512_param_file
                                    = var_smtpd_tls_dh512_param_file,
                                    eecdh_grade = var_smtpd_tls_eecdh,
                                    protocols = enforce_tls ?
                                    var_smtpd_tls_mand_proto :
                                    var_smtpd_tls_proto,
                                    ask_ccert = ask_client_cert,
                                    fpt_dgst = var_smtpd_tls_fpt_dgst);
            else
                msg_warn("No server certs available. TLS won't be enabled");
#else
            msg_warn("TLS has been selected, but TLS support is not compiled in");
#endif
        }
    }

    /*
     * flush client.
     */
    flush_init();

    /*
     * EHLO keyword filter.
     */
    if (*var_smtpd_ehlo_dis_maps)
        ehlo_discard_maps = maps_create(VAR_SMTPD_EHLO_DIS_MAPS,
                                        var_smtpd_ehlo_dis_maps,
                                        DICT_FLAG_LOCK);
}
/* post_jail_init - initialization that runs after entering the jail */

static void post_jail_init(char *unused_name, char **unused_argv)
{

    /*
     * Receive transparency options: decide whether unknown recipient
     * checks, address mapping and header_body_checks are wanted.
     */
    smtpd_input_transp_mask =
        input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);

    /*
     * Sendmail mail filters.
     *
     * XXX This should be skipped in stand-alone mode, but that test looks at
     * VSTREAM_IN, which is not available at this point.
     *
     * XXX Disable non_smtpd_milters when we do not send our own mail filter
     * list: with no SMTP server Milters configured, the MILTER bit is set
     * in the transparency mask instead of creating Milter clients.
     */
    if ((smtpd_input_transp_mask & INPUT_TRANSP_MILTER) == 0) {
        if (*var_smtpd_milters == 0) {
            smtpd_input_transp_mask |= INPUT_TRANSP_MILTER;
        } else {
            smtpd_milters = milter_create(var_smtpd_milters,
                                          var_milt_conn_time,
                                          var_milt_cmd_time,
                                          var_milt_msg_time,
                                          var_milt_protocol,
                                          var_milt_def_action,
                                          var_milt_conn_macros,
                                          var_milt_helo_macros,
                                          var_milt_mail_macros,
                                          var_milt_rcpt_macros,
                                          var_milt_data_macros,
                                          var_milt_eoh_macros,
                                          var_milt_eod_macros,
                                          var_milt_unk_macros);
        }
    }

    /*
     * Sanity check. queue_minfree should really be at least
     * (process_limit * message_size_limit), but that is impractical, so a
     * small multiple of the per-message size limit is used instead. This
     * avoids many unneeded (re)transmissions. The check only warns.
     */
    if (var_queue_minfree > 0 && var_message_limit > 0) {
        if (var_queue_minfree / 1.5 < var_message_limit) {
            msg_warn("%s(%lu) should be at least 1.5*%s(%lu)",
                     VAR_QUEUE_MINFREE, (unsigned long) var_queue_minfree,
                     VAR_MESSAGE_LIMIT, (unsigned long) var_message_limit);
        }
    }

    /*
     * Connection rate management: no anvil client is created when every
     * per-client limit is zero.
     */
    if (var_smtpd_crate_limit == 0 && var_smtpd_cconn_limit == 0
        && var_smtpd_cmail_limit == 0 && var_smtpd_crcpt_limit == 0
        && var_smtpd_cntls_limit == 0) {
        return;
    }
    anvil_clnt = anvil_clnt_create();
}
/*
 * Version stamp; main() pairs this with MAIL_VERSION_STAMP_ALLOCATE, which
 * it describes as fingerprinting executables and core dumps.
 */
MAIL_VERSION_STAMP_DECLARE;
4898 /* main - the main program */
4900 int main(int argc, char **argv)
4902 static const CONFIG_NINT_TABLE nint_table[] = {
4903 VAR_SMTPD_SOFT_ERLIM, DEF_SMTPD_SOFT_ERLIM, &var_smtpd_soft_erlim, 1, 0,
4904 VAR_SMTPD_HARD_ERLIM, DEF_SMTPD_HARD_ERLIM, &var_smtpd_hard_erlim, 1, 0,
4905 VAR_SMTPD_JUNK_CMD, DEF_SMTPD_JUNK_CMD, &var_smtpd_junk_cmd_limit, 1, 0,
4908 static const CONFIG_INT_TABLE int_table[] = {
4909 VAR_SMTPD_RCPT_LIMIT, DEF_SMTPD_RCPT_LIMIT, &var_smtpd_rcpt_limit, 1, 0,
4910 VAR_QUEUE_MINFREE, DEF_QUEUE_MINFREE, &var_queue_minfree, 0, 0,
4911 VAR_UNK_CLIENT_CODE, DEF_UNK_CLIENT_CODE, &var_unk_client_code, 0, 0,
4912 VAR_BAD_NAME_CODE, DEF_BAD_NAME_CODE, &var_bad_name_code, 0, 0,
4913 VAR_UNK_NAME_CODE, DEF_UNK_NAME_CODE, &var_unk_name_code, 0, 0,
4914 VAR_UNK_ADDR_CODE, DEF_UNK_ADDR_CODE, &var_unk_addr_code, 0, 0,
4915 VAR_RELAY_CODE, DEF_RELAY_CODE, &var_relay_code, 0, 0,
4916 VAR_MAPS_RBL_CODE, DEF_MAPS_RBL_CODE, &var_maps_rbl_code, 0, 0,
4917 VAR_MAP_REJECT_CODE, DEF_MAP_REJECT_CODE, &var_map_reject_code, 0, 0,
4918 VAR_MAP_DEFER_CODE, DEF_MAP_DEFER_CODE, &var_map_defer_code, 0, 0,
4919 VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code, 0, 0,
4920 VAR_DEFER_CODE, DEF_DEFER_CODE, &var_defer_code, 0, 0,
4921 VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, 0, 0,
4922 VAR_SMTPD_RCPT_OVERLIM, DEF_SMTPD_RCPT_OVERLIM, &var_smtpd_rcpt_overlim, 1, 0,
4923 VAR_SMTPD_HIST_THRSH, DEF_SMTPD_HIST_THRSH, &var_smtpd_hist_thrsh, 1, 0,
4924 VAR_UNV_FROM_RCODE, DEF_UNV_FROM_RCODE, &var_unv_from_rcode, 200, 599,
4925 VAR_UNV_RCPT_RCODE, DEF_UNV_RCPT_RCODE, &var_unv_rcpt_rcode, 200, 599,
4926 VAR_UNV_FROM_DCODE, DEF_UNV_FROM_DCODE, &var_unv_from_dcode, 200, 499,
4927 VAR_UNV_RCPT_DCODE, DEF_UNV_RCPT_DCODE, &var_unv_rcpt_dcode, 200, 499,
4928 VAR_MUL_RCPT_CODE, DEF_MUL_RCPT_CODE, &var_mul_rcpt_code, 0, 0,
4929 VAR_LOCAL_RCPT_CODE, DEF_LOCAL_RCPT_CODE, &var_local_rcpt_code, 0, 0,
4930 VAR_VIRT_ALIAS_CODE, DEF_VIRT_ALIAS_CODE, &var_virt_alias_code, 0, 0,
4931 VAR_VIRT_MAILBOX_CODE, DEF_VIRT_MAILBOX_CODE, &var_virt_mailbox_code, 0, 0,
4932 VAR_RELAY_RCPT_CODE, DEF_RELAY_RCPT_CODE, &var_relay_rcpt_code, 0, 0,
4933 VAR_PLAINTEXT_CODE, DEF_PLAINTEXT_CODE, &var_plaintext_code, 0, 0,
4934 VAR_VERIFY_POLL_COUNT, DEF_VERIFY_POLL_COUNT, &var_verify_poll_count, 1, 0,
4935 VAR_SMTPD_CRATE_LIMIT, DEF_SMTPD_CRATE_LIMIT, &var_smtpd_crate_limit, 0, 0,
4936 VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit, 0, 0,
4937 VAR_SMTPD_CMAIL_LIMIT, DEF_SMTPD_CMAIL_LIMIT, &var_smtpd_cmail_limit, 0, 0,
4938 VAR_SMTPD_CRCPT_LIMIT, DEF_SMTPD_CRCPT_LIMIT, &var_smtpd_crcpt_limit, 0, 0,
4939 VAR_SMTPD_CNTLS_LIMIT, DEF_SMTPD_CNTLS_LIMIT, &var_smtpd_cntls_limit, 0, 0,
4940 #ifdef USE_TLS
4941 VAR_SMTPD_TLS_CCERT_VD, DEF_SMTPD_TLS_CCERT_VD, &var_smtpd_tls_ccert_vd, 0, 0,
4942 VAR_SMTPD_TLS_LOGLEVEL, DEF_SMTPD_TLS_LOGLEVEL, &var_smtpd_tls_loglevel, 0, 0,
4943 #endif
4946 static const CONFIG_TIME_TABLE time_table[] = {
4947 VAR_SMTPD_TMOUT, DEF_SMTPD_TMOUT, &var_smtpd_tmout, 1, 0,
4948 VAR_SMTPD_ERR_SLEEP, DEF_SMTPD_ERR_SLEEP, &var_smtpd_err_sleep, 0, 0,
4949 VAR_SMTPD_PROXY_TMOUT, DEF_SMTPD_PROXY_TMOUT, &var_smtpd_proxy_tmout, 1, 0,
4950 VAR_VERIFY_POLL_DELAY, DEF_VERIFY_POLL_DELAY, &var_verify_poll_delay, 1, 0,
4951 VAR_SMTPD_POLICY_TMOUT, DEF_SMTPD_POLICY_TMOUT, &var_smtpd_policy_tmout, 1, 0,
4952 VAR_SMTPD_POLICY_IDLE, DEF_SMTPD_POLICY_IDLE, &var_smtpd_policy_idle, 1, 0,
4953 VAR_SMTPD_POLICY_TTL, DEF_SMTPD_POLICY_TTL, &var_smtpd_policy_ttl, 1, 0,
4954 #ifdef USE_TLS
4955 VAR_SMTPD_STARTTLS_TMOUT, DEF_SMTPD_STARTTLS_TMOUT, &var_smtpd_starttls_tmout, 1, 0,
4956 VAR_SMTPD_TLS_SCACHTIME, DEF_SMTPD_TLS_SCACHTIME, &var_smtpd_tls_scache_timeout, 0, 0,
4957 #endif
4958 VAR_MILT_CONN_TIME, DEF_MILT_CONN_TIME, &var_milt_conn_time, 1, 0,
4959 VAR_MILT_CMD_TIME, DEF_MILT_CMD_TIME, &var_milt_cmd_time, 1, 0,
4960 VAR_MILT_MSG_TIME, DEF_MILT_MSG_TIME, &var_milt_msg_time, 1, 0,
4963 static const CONFIG_BOOL_TABLE bool_table[] = {
4964 VAR_HELO_REQUIRED, DEF_HELO_REQUIRED, &var_helo_required,
4965 VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject,
4966 VAR_STRICT_RFC821_ENV, DEF_STRICT_RFC821_ENV, &var_strict_rfc821_env,
4967 VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd,
4968 VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route,
4969 VAR_SMTPD_SASL_ENABLE, DEF_SMTPD_SASL_ENABLE, &var_smtpd_sasl_enable,
4970 VAR_SMTPD_SASL_AUTH_HDR, DEF_SMTPD_SASL_AUTH_HDR, &var_smtpd_sasl_auth_hdr,
4971 VAR_BROKEN_AUTH_CLNTS, DEF_BROKEN_AUTH_CLNTS, &var_broken_auth_clients,
4972 VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
4973 VAR_SMTPD_REJ_UNL_FROM, DEF_SMTPD_REJ_UNL_FROM, &var_smtpd_rej_unl_from,
4974 VAR_SMTPD_REJ_UNL_RCPT, DEF_SMTPD_REJ_UNL_RCPT, &var_smtpd_rej_unl_rcpt,
4975 VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
4976 VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
4977 VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
4978 VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
4979 #ifdef USE_TLS
4980 VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
4981 VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
4982 VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
4983 VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid,
4984 #endif
4985 VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup,
4986 VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open,
4987 VAR_SMTPD_CLIENT_PORT_LOG, DEF_SMTPD_CLIENT_PORT_LOG, &var_smtpd_client_port_log,
4990 static const CONFIG_STR_TABLE str_table[] = {
4991 VAR_SMTPD_BANNER, DEF_SMTPD_BANNER, &var_smtpd_banner, 1, 0,
4992 VAR_NOTIFY_CLASSES, DEF_NOTIFY_CLASSES, &var_notify_classes, 0, 0,
4993 VAR_CLIENT_CHECKS, DEF_CLIENT_CHECKS, &var_client_checks, 0, 0,
4994 VAR_HELO_CHECKS, DEF_HELO_CHECKS, &var_helo_checks, 0, 0,
4995 VAR_MAIL_CHECKS, DEF_MAIL_CHECKS, &var_mail_checks, 0, 0,
4996 VAR_RCPT_CHECKS, DEF_RCPT_CHECKS, &var_rcpt_checks, 0, 0,
4997 VAR_ETRN_CHECKS, DEF_ETRN_CHECKS, &var_etrn_checks, 0, 0,
4998 VAR_DATA_CHECKS, DEF_DATA_CHECKS, &var_data_checks, 0, 0,
4999 VAR_EOD_CHECKS, DEF_EOD_CHECKS, &var_eod_checks, 0, 0,
5000 VAR_MAPS_RBL_DOMAINS, DEF_MAPS_RBL_DOMAINS, &var_maps_rbl_domains, 0, 0,
5001 VAR_RBL_REPLY_MAPS, DEF_RBL_REPLY_MAPS, &var_rbl_reply_maps, 0, 0,
5002 VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
5003 VAR_REST_CLASSES, DEF_REST_CLASSES, &var_rest_classes, 0, 0,
5004 VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0,
5005 VAR_RCPT_CANON_MAPS, DEF_RCPT_CANON_MAPS, &var_rcpt_canon_maps, 0, 0,
5006 VAR_VIRT_ALIAS_MAPS, DEF_VIRT_ALIAS_MAPS, &var_virt_alias_maps, 0, 0,
5007 VAR_VIRT_MAILBOX_MAPS, DEF_VIRT_MAILBOX_MAPS, &var_virt_mailbox_maps, 0, 0,
5008 VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0,
5009 VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0,
5010 VAR_SMTPD_SASL_OPTS, DEF_SMTPD_SASL_OPTS, &var_smtpd_sasl_opts, 0, 0,
5011 VAR_SMTPD_SASL_PATH, DEF_SMTPD_SASL_PATH, &var_smtpd_sasl_path, 1, 0,
5012 VAR_CYRUS_CONF_PATH, DEF_CYRUS_CONF_PATH, &var_cyrus_conf_path, 0, 0,
5013 VAR_SMTPD_SASL_REALM, DEF_SMTPD_SASL_REALM, &var_smtpd_sasl_realm, 0, 0,
5014 VAR_SMTPD_SASL_EXCEPTIONS_NETWORKS, DEF_SMTPD_SASL_EXCEPTIONS_NETWORKS, &var_smtpd_sasl_exceptions_networks, 0, 0,
5015 VAR_FILTER_XPORT, DEF_FILTER_XPORT, &var_filter_xport, 0, 0,
5016 VAR_PERM_MX_NETWORKS, DEF_PERM_MX_NETWORKS, &var_perm_mx_networks, 0, 0,
5017 VAR_SMTPD_SND_AUTH_MAPS, DEF_SMTPD_SND_AUTH_MAPS, &var_smtpd_snd_auth_maps, 0, 0,
5018 VAR_SMTPD_NOOP_CMDS, DEF_SMTPD_NOOP_CMDS, &var_smtpd_noop_cmds, 0, 0,
5019 VAR_SMTPD_FORBID_CMDS, DEF_SMTPD_FORBID_CMDS, &var_smtpd_forbid_cmds, 0, 0,
5020 VAR_SMTPD_NULL_KEY, DEF_SMTPD_NULL_KEY, &var_smtpd_null_key, 0, 0,
5021 VAR_RELAY_RCPT_MAPS, DEF_RELAY_RCPT_MAPS, &var_relay_rcpt_maps, 0, 0,
5022 VAR_VERIFY_SENDER, DEF_VERIFY_SENDER, &var_verify_sender, 0, 0,
5023 VAR_VERP_CLIENTS, DEF_VERP_CLIENTS, &var_verp_clients, 0, 0,
5024 VAR_SMTPD_PROXY_FILT, DEF_SMTPD_PROXY_FILT, &var_smtpd_proxy_filt, 0, 0,
5025 VAR_SMTPD_PROXY_EHLO, DEF_SMTPD_PROXY_EHLO, &var_smtpd_proxy_ehlo, 0, 0,
5026 VAR_INPUT_TRANSP, DEF_INPUT_TRANSP, &var_input_transp, 0, 0,
5027 VAR_XCLIENT_HOSTS, DEF_XCLIENT_HOSTS, &var_xclient_hosts, 0, 0,
5028 VAR_XFORWARD_HOSTS, DEF_XFORWARD_HOSTS, &var_xforward_hosts, 0, 0,
5029 VAR_SMTPD_HOGGERS, DEF_SMTPD_HOGGERS, &var_smtpd_hoggers, 0, 0,
5030 VAR_LOC_RWR_CLIENTS, DEF_LOC_RWR_CLIENTS, &var_local_rwr_clients, 0, 0,
5031 VAR_SMTPD_EHLO_DIS_WORDS, DEF_SMTPD_EHLO_DIS_WORDS, &var_smtpd_ehlo_dis_words, 0, 0,
5032 VAR_SMTPD_EHLO_DIS_MAPS, DEF_SMTPD_EHLO_DIS_MAPS, &var_smtpd_ehlo_dis_maps, 0, 0,
5033 #ifdef USE_TLS
5034 VAR_RELAY_CCERTS, DEF_RELAY_CCERTS, &var_smtpd_relay_ccerts, 0, 0,
5035 VAR_SMTPD_SASL_TLS_OPTS, DEF_SMTPD_SASL_TLS_OPTS, &var_smtpd_sasl_tls_opts, 0, 0,
5036 VAR_SMTPD_TLS_CERT_FILE, DEF_SMTPD_TLS_CERT_FILE, &var_smtpd_tls_cert_file, 0, 0,
5037 VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
5038 VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
5039 VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
5040 VAR_SMTPD_TLS_ECCERT_FILE, DEF_SMTPD_TLS_ECCERT_FILE, &var_smtpd_tls_eccert_file, 0, 0,
5041 VAR_SMTPD_TLS_ECKEY_FILE, DEF_SMTPD_TLS_ECKEY_FILE, &var_smtpd_tls_eckey_file, 0, 0,
5042 VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
5043 VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
5044 VAR_SMTPD_TLS_CIPH, DEF_SMTPD_TLS_CIPH, &var_smtpd_tls_ciph, 1, 0,
5045 VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0,
5046 VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0,
5047 VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0,
5048 VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_proto, 0, 0,
5049 VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0,
5050 VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
5051 VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
5052 VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0,
5053 VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0,
5054 #endif
5055 VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
5056 VAR_SMTPD_SASL_TYPE, DEF_SMTPD_SASL_TYPE, &var_smtpd_sasl_type, 1, 0,
5057 VAR_SMTPD_MILTERS, DEF_SMTPD_MILTERS, &var_smtpd_milters, 0, 0,
5058 VAR_MILT_CONN_MACROS, DEF_MILT_CONN_MACROS, &var_milt_conn_macros, 0, 0,
5059 VAR_MILT_HELO_MACROS, DEF_MILT_HELO_MACROS, &var_milt_helo_macros, 0, 0,
5060 VAR_MILT_MAIL_MACROS, DEF_MILT_MAIL_MACROS, &var_milt_mail_macros, 0, 0,
5061 VAR_MILT_RCPT_MACROS, DEF_MILT_RCPT_MACROS, &var_milt_rcpt_macros, 0, 0,
5062 VAR_MILT_DATA_MACROS, DEF_MILT_DATA_MACROS, &var_milt_data_macros, 0, 0,
5063 VAR_MILT_EOH_MACROS, DEF_MILT_EOH_MACROS, &var_milt_eoh_macros, 0, 0,
5064 VAR_MILT_EOD_MACROS, DEF_MILT_EOD_MACROS, &var_milt_eod_macros, 0, 0,
5065 VAR_MILT_UNK_MACROS, DEF_MILT_UNK_MACROS, &var_milt_unk_macros, 0, 0,
5066 VAR_MILT_PROTOCOL, DEF_MILT_PROTOCOL, &var_milt_protocol, 1, 0,
5067 VAR_MILT_DEF_ACTION, DEF_MILT_DEF_ACTION, &var_milt_def_action, 1, 0,
5068 VAR_MILT_DAEMON_NAME, DEF_MILT_DAEMON_NAME, &var_milt_daemon_name, 1, 0,
5069 VAR_MILT_V, DEF_MILT_V, &var_milt_v, 1, 0,
5070 VAR_STRESS, DEF_STRESS, &var_stress, 0, 0,
5071 VAR_UNV_FROM_WHY, DEF_UNV_FROM_WHY, &var_unv_from_why, 0, 0,
5072 VAR_UNV_RCPT_WHY, DEF_UNV_RCPT_WHY, &var_unv_rcpt_why, 0, 0,
5073 VAR_REJECT_TMPF_ACT, DEF_REJECT_TMPF_ACT, &var_reject_tmpf_act, 1, 0,
5074 VAR_UNK_NAME_TF_ACT, DEF_UNK_NAME_TF_ACT, &var_unk_name_tf_act, 1, 0,
5075 VAR_UNK_ADDR_TF_ACT, DEF_UNK_ADDR_TF_ACT, &var_unk_addr_tf_act, 1, 0,
5076 VAR_UNV_RCPT_TF_ACT, DEF_UNV_RCPT_TF_ACT, &var_unv_rcpt_tf_act, 1, 0,
5077 VAR_UNV_FROM_TF_ACT, DEF_UNV_FROM_TF_ACT, &var_unv_from_tf_act, 1, 0,
5080 static const CONFIG_RAW_TABLE raw_table[] = {
5081 VAR_SMTPD_EXP_FILTER, DEF_SMTPD_EXP_FILTER, &var_smtpd_exp_filter, 1, 0,
5082 VAR_DEF_RBL_REPLY, DEF_DEF_RBL_REPLY, &var_def_rbl_reply, 1, 0,
5087 * Fingerprint executables and core dumps.
5089 MAIL_VERSION_STAMP_ALLOCATE;
5092 * Pass control to the single-threaded service skeleton.
5094 single_server_main(argc, argv, smtpd_service,
5095 MAIL_SERVER_NINT_TABLE, nint_table,
5096 MAIL_SERVER_INT_TABLE, int_table,
5097 MAIL_SERVER_STR_TABLE, str_table,
5098 MAIL_SERVER_RAW_TABLE, raw_table,
5099 MAIL_SERVER_BOOL_TABLE, bool_table,
5100 MAIL_SERVER_TIME_TABLE, time_table,
5101 MAIL_SERVER_PRE_INIT, pre_jail_init,
5102 MAIL_SERVER_PRE_ACCEPT, pre_accept,
5103 MAIL_SERVER_POST_INIT, post_jail_init,