static struct mta_session *
mta_tree_pop(struct tree *wait, uint64_t reqid)
{
struct mta_session *s;
s = tree_xpop(wait, reqid);
if (s->flags & MTA_FREE) {
log_debug("debug: mta: %p: zombie session", s);
mta_free(s);
return (NULL);
}
s->flags &= ~MTA_WAIT;
return (s);
}
static void
mta_connect(struct mta_session *s)
{
struct sockaddr_storage ss;
struct sockaddr *sa;
int portno;
const char *schema = "smtp+tls://";
if (s->helo == NULL) {
if (s->relay->helotable && s->route->src->sa) {
m_create(p_lka, IMSG_LKA_HELO, 0, 0, -1);
m_add_id(p_lka, s->id);
m_add_string(p_lka, s->relay->helotable);
m_add_sockaddr(p_lka, s->route->src->sa);
m_close(p_lka);
tree_xset(&wait_helo, s->id, s);
s->flags |= MTA_WAIT;
return;
}
else if (s->relay->heloname)
s->helo = xstrdup(s->relay->heloname, "mta_connect");
else
s->helo = xstrdup(env->sc_hostname, "mta_connect");
}
io_clear(&s->io);
iobuf_clear(&s->iobuf);
s->use_smtps = s->use_starttls = s->use_smtp_tls = 0;
switch (s->attempt) {
case 0:
if (s->flags & MTA_FORCE_SMTPS)
s->use_smtps = 1; /* smtps */
else if (s->flags & (MTA_FORCE_TLS|MTA_FORCE_ANYSSL))
s->use_starttls = 1; /* tls, tls+smtps */
else if (!(s->flags & MTA_FORCE_PLAIN))
s->use_smtp_tls = 1;
break;
case 1:
if (s->flags & MTA_FORCE_ANYSSL) {
s->use_smtps = 1; /* tls+smtps */
break;
}
default:
mta_free(s);
return;
}
portno = s->use_smtps ? 465 : 25;
/* Override with relay-specified port */
if (s->relay->port)
portno = s->relay->port;
memmove(&ss, s->route->dst->sa, s->route->dst->sa->sa_len);
sa = (struct sockaddr *)&ss;
if (sa->sa_family == AF_INET)
((struct sockaddr_in *)sa)->sin_port = htons(portno);
else if (sa->sa_family == AF_INET6)
((struct sockaddr_in6 *)sa)->sin6_port = htons(portno);
s->attempt += 1;
if (s->use_smtp_tls)
schema = "smtp+tls://";
else if (s->use_starttls)
schema = "tls://";
else if (s->use_smtps)
schema = "smtps://";
else if (s->flags & MTA_LMTP)
schema = "lmtp://";
else
schema = "smtp://";
log_info("smtp-out: Connecting to %s%s:%d (%s) on session"
" %016"PRIx64"...", schema, sa_to_text(s->route->dst->sa),
portno, s->route->dst->ptrname, s->id);
mta_enter_state(s, MTA_INIT);
iobuf_xinit(&s->iobuf, 0, 0, "mta_connect");
io_init(&s->io, -1, s, mta_io, &s->iobuf);
io_set_timeout(&s->io, 300000);
if (io_connect(&s->io, sa, s->route->src->sa) == -1) {
/*
* This error is most likely a "no route",
* so there is no need to try again.
*/
log_debug("debug: mta: io_connect failed: %s", s->io.error);
if (errno == EADDRNOTAVAIL)
mta_source_error(s->relay, s->route, s->io.error);
else
mta_error(s, "Connection failed: %s", s->io.error);
mta_free(s);
}
}
static void
mta_io(struct io *io, int evt)
{
struct mta_session *s = io->arg;
char *line, *msg, *p;
size_t len;
const char *error;
int cont;
X509 *x;
log_trace(TRACE_IO, "mta: %p: %s %s", s, io_strevent(evt),
io_strio(io));
switch (evt) {
case IO_CONNECTED:
log_info("smtp-out: Connected on session %016"PRIx64, s->id);
if (s->use_smtps) {
io_set_write(io);
mta_start_tls(s);
}
else {
mta_enter_state(s, MTA_BANNER);
io_set_read(io);
}
break;
case IO_TLSREADY:
log_info("smtp-out: Started TLS on session %016"PRIx64": %s",
s->id, ssl_to_text(s->io.ssl));
s->flags |= MTA_TLS;
if (mta_verify_certificate(s)) {
io_pause(&s->io, IO_PAUSE_IN);
break;
}
case IO_TLSVERIFIED:
x = SSL_get_peer_certificate(s->io.ssl);
if (x) {
log_info("smtp-out: Server certificate verification %s "
"on session %016"PRIx64,
(s->flags & MTA_VERIFIED) ? "succeeded" : "failed",
s->id);
X509_free(x);
}
if (s->use_smtps) {
mta_enter_state(s, MTA_BANNER);
io_set_read(io);
}
else
mta_enter_state(s, MTA_EHLO);
break;
case IO_DATAIN:
nextline:
line = iobuf_getline(&s->iobuf, &len);
if (line == NULL) {
if (iobuf_len(&s->iobuf) >= SMTPD_MAXLINESIZE) {
mta_error(s, "Input too long");
mta_free(s);
return;
}
iobuf_normalize(&s->iobuf);
break;
}
log_trace(TRACE_MTA, "mta: %p: <<< %s", s, line);
if ((error = parse_smtp_response(line, len, &msg, &cont))) {
mta_error(s, "Bad response: %s", error);
mta_free(s);
return;
}
/* read extensions */
if (s->state == MTA_EHLO) {
if (strcmp(msg, "STARTTLS") == 0)
s->ext |= MTA_EXT_STARTTLS;
else if (strncmp(msg, "AUTH ", 5) == 0) {
s->ext |= MTA_EXT_AUTH;
if ((p = strstr(msg, " PLAIN")) &&
(*(p+6) == '\0' || *(p+6) == ' '))
s->ext |= MTA_EXT_AUTH_PLAIN;
if ((p = strstr(msg, " LOGIN")) &&
(*(p+6) == '\0' || *(p+6) == ' '))
s->ext |= MTA_EXT_AUTH_LOGIN;
}
else if (strcmp(msg, "PIPELINING") == 0)
s->ext |= MTA_EXT_PIPELINING;
else if (strcmp(msg, "DSN") == 0)
s->ext |= MTA_EXT_DSN;
}
if (cont)
goto nextline;
if (s->state == MTA_QUIT) {
log_info("smtp-out: Closing session %016"PRIx64
": %zu message%s sent.", s->id, s->msgcount,
(s->msgcount > 1) ? "s" : "");
mta_free(s);
return;
}
io_set_write(io);
mta_response(s, line);
if (s->flags & MTA_FREE) {
mta_free(s);
return;
}
iobuf_normalize(&s->iobuf);
if (iobuf_len(&s->iobuf)) {
log_debug("debug: mta: remaining data in input buffer");
mta_error(s, "Remote host sent too much data");
if (s->flags & MTA_WAIT)
s->flags |= MTA_FREE;
else
mta_free(s);
}
break;
case IO_LOWAT:
if (s->state == MTA_BODY) {
mta_enter_state(s, MTA_BODY);
if (s->flags & MTA_FREE) {
mta_free(s);
return;
}
}
if (iobuf_queued(&s->iobuf) == 0)
io_set_read(io);
break;
case IO_TIMEOUT:
log_debug("debug: mta: %p: connection timeout", s);
mta_error(s, "Connection timeout");
if (!s->ready)
mta_connect(s);
else
mta_free(s);
break;
case IO_ERROR:
log_debug("debug: mta: %p: IO error: %s", s, io->error);
mta_error(s, "IO Error: %s", io->error);
if (!s->ready)
mta_connect(s);
else
mta_free(s);
break;
case IO_DISCONNECTED:
log_debug("debug: mta: %p: disconnected in state %s",
s, mta_strstate(s->state));
mta_error(s, "Connection closed unexpectedly");
if (!s->ready)
mta_connect(s);
else
mta_free(s);
break;
default:
fatalx("mta_io() bad event");
}
}
void
mta_session_imsg(struct mproc *p, struct imsg *imsg)
{
struct ca_vrfy_resp_msg *resp_ca_vrfy;
struct ca_cert_resp_msg *resp_ca_cert;
struct mta_session *s;
struct mta_host *h;
struct msg m;
uint64_t reqid;
const char *name;
void *ssl;
int dnserror, status;
switch (imsg->hdr.type) {
case IMSG_QUEUE_MESSAGE_FD:
m_msg(&m, imsg);
m_get_id(&m, &reqid);
m_end(&m);
s = mta_tree_pop(&wait_fd, reqid);
if (s == NULL) {
if (imsg->fd != -1)
close(imsg->fd);
return;
}
if (imsg->fd == -1) {
log_debug("debug: mta: failed to obtain msg fd");
mta_flush_task(s, IMSG_DELIVERY_TEMPFAIL,
"Could not get message fd", 0, 0);
mta_enter_state(s, MTA_READY);
io_reload(&s->io);
return;
}
s->datafp = fdopen(imsg->fd, "r");
if (s->datafp == NULL)
fatal("mta: fdopen");
if (mta_check_loop(s->datafp)) {
log_debug("debug: mta: loop detected");
fclose(s->datafp);
s->datafp = NULL;
mta_flush_task(s, IMSG_DELIVERY_LOOP,
"Loop detected", 0, 0);
mta_enter_state(s, MTA_READY);
} else {
mta_enter_state(s, MTA_MAIL);
}
io_reload(&s->io);
return;
case IMSG_DNS_PTR:
m_msg(&m, imsg);
m_get_id(&m, &reqid);
m_get_int(&m, &dnserror);
if (dnserror)
name = NULL;
else
m_get_string(&m, &name);
m_end(&m);
s = mta_tree_pop(&wait_ptr, reqid);
if (s == NULL)
return;
h = s->route->dst;
h->lastptrquery = time(NULL);
if (name)
h->ptrname = xstrdup(name, "mta: ptr");
waitq_run(&h->ptrname, h->ptrname);
return;
case IMSG_LKA_SSL_INIT:
resp_ca_cert = imsg->data;
s = mta_tree_pop(&wait_ssl_init, resp_ca_cert->reqid);
if (s == NULL)
return;
if (resp_ca_cert->status == CA_FAIL) {
if (s->relay->pki_name) {
log_info("smtp-out: Disconnecting session %016"PRIx64
": CA failure", s->id);
mta_free(s);
return;
}
else {
ssl = ssl_mta_init(NULL, 0, NULL, 0);
if (ssl == NULL)
fatal("mta: ssl_mta_init");
io_start_tls(&s->io, ssl);
return;
}
}
resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert, "mta:ca_cert");
resp_ca_cert->cert = xstrdup((char *)imsg->data +
sizeof *resp_ca_cert, "mta:ca_cert");
resp_ca_cert->key = xstrdup((char *)imsg->data +
sizeof *resp_ca_cert + resp_ca_cert->cert_len,
"mta:ca_key");
ssl = ssl_mta_init(resp_ca_cert->cert, resp_ca_cert->cert_len,
resp_ca_cert->key, resp_ca_cert->key_len);
if (ssl == NULL)
fatal("mta: ssl_mta_init");
io_start_tls(&s->io, ssl);
memset(resp_ca_cert->cert, 0, resp_ca_cert->cert_len);
memset(resp_ca_cert->key, 0, resp_ca_cert->key_len);
free(resp_ca_cert->cert);
free(resp_ca_cert->key);
free(resp_ca_cert);
return;
case IMSG_LKA_SSL_VERIFY:
resp_ca_vrfy = imsg->data;
s = mta_tree_pop(&wait_ssl_verify, resp_ca_vrfy->reqid);
if (s == NULL)
return;
if (resp_ca_vrfy->status == CA_OK)
s->flags |= MTA_VERIFIED;
else if (s->relay->flags & F_TLS_VERIFY) {
errno = 0;
mta_error(s, "SSL certificate check failed");
mta_free(s);
return;
}
mta_io(&s->io, IO_TLSVERIFIED);
io_resume(&s->io, IO_PAUSE_IN);
io_reload(&s->io);
return;
case IMSG_LKA_HELO:
m_msg(&m, imsg);
m_get_id(&m, &reqid);
m_get_int(&m, &status);
if (status == LKA_OK)
m_get_string(&m, &name);
m_end(&m);
s = mta_tree_pop(&wait_helo, reqid);
if (s == NULL)
return;
if (status == LKA_OK) {
s->helo = xstrdup(name, "mta_session_imsg");
mta_connect(s);
} else {
mta_source_error(s->relay, s->route,
"Failed to retrieve helo string");
mta_free(s);
}
return;
default:
errx(1, "mta_session_imsg: unexpected %s imsg",
imsg_to_str(imsg->hdr.type));
}
}
static void
mta_io(struct io *io, int evt)
{
struct mta_session *s = io->arg;
char *line, *msg, *p;
size_t len;
const char *error;
int cont;
X509 *x;
log_trace(TRACE_IO, "mta: %p: %s %s", s, io_strevent(evt),
io_strio(io));
switch (evt) {
case IO_CONNECTED:
log_info("smtp-out: Connected on session %016"PRIx64, s->id);
if (s->use_smtps) {
io_set_write(io);
mta_start_tls(s);
}
else {
mta_enter_state(s, MTA_BANNER);
io_set_read(io);
}
break;
case IO_TLSREADY:
log_info("smtp-out: Started TLS on session %016"PRIx64": %s",
s->id, ssl_to_text(s->io.ssl));
s->flags |= MTA_TLS;
if (mta_verify_certificate(s)) {
io_pause(&s->io, IO_PAUSE_IN);
break;
}
case IO_TLSVERIFIED:
x = SSL_get_peer_certificate(s->io.ssl);
if (x) {
log_info("smtp-out: Server certificate verification %s "
"on session %016"PRIx64,
(s->flags & MTA_VERIFIED) ? "succeeded" : "failed",
s->id);
X509_free(x);
}
if (s->use_smtps) {
mta_enter_state(s, MTA_BANNER);
io_set_read(io);
}
else
mta_enter_state(s, MTA_EHLO);
break;
case IO_DATAIN:
nextline:
line = iobuf_getline(&s->iobuf, &len);
if (line == NULL) {
if (iobuf_len(&s->iobuf) >= LINE_MAX) {
mta_error(s, "Input too long");
mta_free(s);
return;
}
iobuf_normalize(&s->iobuf);
break;
}
log_trace(TRACE_MTA, "mta: %p: <<< %s", s, line);
if ((error = parse_smtp_response(line, len, &msg, &cont))) {
mta_error(s, "Bad response: %s", error);
mta_free(s);
return;
}
/* read extensions */
if (s->state == MTA_EHLO) {
if (strcmp(msg, "STARTTLS") == 0)
s->ext |= MTA_EXT_STARTTLS;
else if (strncmp(msg, "AUTH ", 5) == 0) {
s->ext |= MTA_EXT_AUTH;
if ((p = strstr(msg, " PLAIN")) &&
(*(p+6) == '\0' || *(p+6) == ' '))
s->ext |= MTA_EXT_AUTH_PLAIN;
if ((p = strstr(msg, " LOGIN")) &&
(*(p+6) == '\0' || *(p+6) == ' '))
s->ext |= MTA_EXT_AUTH_LOGIN;
}
else if (strcmp(msg, "PIPELINING") == 0)
s->ext |= MTA_EXT_PIPELINING;
else if (strcmp(msg, "DSN") == 0)
s->ext |= MTA_EXT_DSN;
}
/* continuation reply, we parse out the repeating statuses and ESC */
if (cont) {
if (s->replybuf[0] == '\0')
(void)strlcat(s->replybuf, line, sizeof s->replybuf);
else {
line = line + 4;
if (isdigit((int)*line) && *(line + 1) == '.' &&
isdigit((int)*line+2) && *(line + 3) == '.' &&
isdigit((int)*line+4) && isspace((int)*(line + 5)))
(void)strlcat(s->replybuf, line+5, sizeof s->replybuf);
else
(void)strlcat(s->replybuf, line, sizeof s->replybuf);
}
goto nextline;
}
/* last line of a reply, check if we're on a continuation to parse out status and ESC.
* if we overflow reply buffer or are not on continuation, log entire last line.
*/
if (s->replybuf[0] != '\0') {
p = line + 4;
if (isdigit((int)*p) && *(p + 1) == '.' &&
isdigit((int)*p+2) && *(p + 3) == '.' &&
isdigit((int)*p+4) && isspace((int)*(p + 5)))
p += 5;
if (strlcat(s->replybuf, p, sizeof s->replybuf) >= sizeof s->replybuf)
(void)strlcpy(s->replybuf, line, sizeof s->replybuf);
}
else
(void)strlcpy(s->replybuf, line, sizeof s->replybuf);
if (s->state == MTA_QUIT) {
log_info("smtp-out: Closing session %016"PRIx64
": %zu message%s sent.", s->id, s->msgcount,
(s->msgcount > 1) ? "s" : "");
mta_free(s);
return;
}
io_set_write(io);
mta_response(s, s->replybuf);
if (s->flags & MTA_FREE) {
mta_free(s);
return;
}
if (s->flags & MTA_RECONN) {
s->flags &= ~MTA_RECONN;
mta_connect(s);
return;
}
iobuf_normalize(&s->iobuf);
if (iobuf_len(&s->iobuf)) {
log_debug("debug: mta: remaining data in input buffer");
mta_error(s, "Remote host sent too much data");
if (s->flags & MTA_WAIT)
s->flags |= MTA_FREE;
else
mta_free(s);
}
break;
case IO_LOWAT:
if (s->state == MTA_BODY) {
mta_enter_state(s, MTA_BODY);
if (s->flags & MTA_FREE) {
mta_free(s);
return;
}
}
if (iobuf_queued(&s->iobuf) == 0)
io_set_read(io);
break;
case IO_TIMEOUT:
log_debug("debug: mta: %p: connection timeout", s);
mta_error(s, "Connection timeout");
if (!s->ready)
mta_connect(s);
else
mta_free(s);
break;
case IO_ERROR:
log_debug("debug: mta: %p: IO error: %s", s, io->error);
if (!s->ready) {
mta_error(s, "IO Error: %s", io->error);
mta_connect(s);
break;
}
else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_ANYSSL))) {
/* error in non-strict SSL negotiation, downgrade to plain */
if (s->flags & MTA_TLS) {
log_info("smtp-out: Error on session %016"PRIx64
": opportunistic TLS failed, "
"downgrading to plain", s->id);
s->flags &= ~MTA_TLS;
s->flags |= MTA_DOWNGRADE_PLAIN;
mta_connect(s);
break;
}
}
mta_error(s, "IO Error: %s", io->error);
mta_free(s);
break;
case IO_TLSERROR:
log_debug("debug: mta: %p: TLS IO error: %s", s, io->error);
if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_ANYSSL))) {
/* error in non-strict SSL negotiation, downgrade to plain */
log_info("smtp-out: TLS Error on session %016"PRIx64
": TLS failed, "
"downgrading to plain", s->id);
s->flags &= ~MTA_TLS;
s->flags |= MTA_DOWNGRADE_PLAIN;
mta_connect(s);
break;
}
mta_error(s, "IO Error: %s", io->error);
mta_free(s);
break;
case IO_DISCONNECTED:
log_debug("debug: mta: %p: disconnected in state %s",
s, mta_strstate(s->state));
mta_error(s, "Connection closed unexpectedly");
if (!s->ready)
mta_connect(s);
else
mta_free(s);
break;
default:
fatalx("mta_io() bad event");
}
}
