const char *str_long_name_mask_opt(VSTRING *buf, const char *context,
const LONG_NAME_MASK * table,
long mask, int flags)
{
const char *myname = "name_mask";
int len;
static VSTRING *my_buf = 0;
int delim = (flags & NAME_MASK_COMMA ? ',' :
(flags & NAME_MASK_PIPE ? '|' : ' '));
const LONG_NAME_MASK *np;
if ((flags & STR_NAME_MASK_REQUIRED) == 0)
msg_panic("%s: missing NAME_MASK_NUMBER/FATAL/RETURN/WARN/IGNORE flag",
myname);
if (buf == 0) {
if (my_buf == 0)
my_buf = vstring_alloc(1);
buf = my_buf;
}
VSTRING_RESET(buf);
for (np = table; mask != 0; np++) {
if (np->name == 0) {
if (flags & NAME_MASK_NUMBER) {
vstring_sprintf_append(buf, "0x%lx%c", mask, delim);
} else if (flags & NAME_MASK_FATAL) {
msg_fatal("%s: unknown %s bit in mask: 0x%lx",
myname, context, mask);
} else if (flags & NAME_MASK_RETURN) {
msg_warn("%s: unknown %s bit in mask: 0x%lx",
myname, context, mask);
return (0);
} else if (flags & NAME_MASK_WARN) {
msg_warn("%s: unknown %s bit in mask: 0x%lx",
myname, context, mask);
}
break;
}
if (mask & np->mask) {
mask &= ~np->mask;
vstring_sprintf_append(buf, "%s%c", np->name, delim);
}
}
if ((len = VSTRING_LEN(buf)) > 0)
vstring_truncate(buf, len - 1);
VSTRING_TERMINATE(buf);
return (STR(buf));
}
VSTRING *format_tv(VSTRING *buf, int sec, int usec,
int sig_dig, int max_dig)
{
static int pow10[] = {1, 10, 100, 1000, 10000, 100000, 1000000};
int n;
int rem;
int wid;
int ures;
/*
* Sanity check.
*/
if (max_dig < 0 || max_dig > 6)
msg_panic("format_tv: bad maximum decimal count %d", max_dig);
if (sec < 0 || usec < 0 || usec > MILLION)
msg_panic("format_tv: bad time %ds %dus", sec, usec);
if (sig_dig < 1 || sig_dig > 6)
msg_panic("format_tv: bad significant decimal count %d", sig_dig);
ures = MILLION / pow10[max_dig];
wid = pow10[sig_dig];
/*
* Adjust the resolution to suppress irrelevant digits.
*/
if (ures < MILLION) {
if (sec > 0) {
for (n = 1; sec >= n && n <= wid / 10; n *= 10)
/* void */ ;
ures = (MILLION / wid) * n;
} else {
while (usec >= wid * ures)
ures *= 10;
}
}
/*
* Round up the number if necessary. Leave thrash below the resolution.
*/
if (ures > 1) {
usec += ures / 2;
if (usec >= MILLION) {
sec += 1;
usec -= MILLION;
}
}
/*
* Format the number. Truncate trailing null and thrash below resolution.
*/
vstring_sprintf_append(buf, "%d", sec);
if (usec >= ures) {
VSTRING_ADDCH(buf, '.');
for (rem = usec, n = MILLION / 10; rem >= ures && n > 0; n /= 10) {
VSTRING_ADDCH(buf, "0123456789"[rem / n]);
rem %= n;
}
}
VSTRING_TERMINATE(buf);
return (buf);
}
const char *cleanup_strflags(unsigned flags)
{
static VSTRING *result;
unsigned i;
if (flags == 0)
return ("none");
if (result == 0)
result = vstring_alloc(20);
else
VSTRING_RESET(result);
for (i = 0; i < sizeof(cleanup_flag_map) / sizeof(cleanup_flag_map[0]); i++) {
if (cleanup_flag_map[i].flag & flags) {
vstring_sprintf_append(result, "%s ", cleanup_flag_map[i].text);
flags &= ~cleanup_flag_map[i].flag;
}
}
if (flags != 0 || VSTRING_LEN(result) == 0)
msg_panic("cleanup_strflags: unrecognized flag value(s) 0x%x", flags);
vstring_truncate(result, VSTRING_LEN(result) - 1);
VSTRING_TERMINATE(result);
return (vstring_str(result));
}
static void smtp_key_append_str(VSTRING *buffer, const char *str,
const char *delim_na)
{
if (str == 0 || str[0] == 0) {
smtp_key_append_na(buffer, delim_na);
} else if (str[strcspn(str, delim_na)] != 0) {
base64_encode_opt(buffer, str, strlen(str), BASE64_FLAG_APPEND);
VSTRING_ADDCH(buffer, delim_na[0]);
} else {
vstring_sprintf_append(buffer, "%s%c", str, delim_na[0]);
}
}
VSTRING *hex_quote(VSTRING *hex, const char *raw)
{
const char *cp;
int ch;
VSTRING_RESET(hex);
for (cp = raw; (ch = *(unsigned const char *) cp) != 0; cp++) {
if (ch != '%' && !ISSPACE(ch) && ISPRINT(ch)) {
VSTRING_ADDCH(hex, ch);
} else {
vstring_sprintf_append(hex, "%%%02X", ch);
}
}
VSTRING_TERMINATE(hex);
return (hex);
}
VSTRING *xtext_quote_append(VSTRING *quoted, const char *unquoted,
const char *special)
{
const char *cp;
int ch;
for (cp = unquoted; (ch = *(unsigned const char *) cp) != 0; cp++) {
if (ch != '+' && ch > 32 && ch < 127
&& (*special == 0 || strchr(special, ch) == 0)) {
VSTRING_ADDCH(quoted, ch);
} else {
vstring_sprintf_append(quoted, "+%02X", ch);
}
}
VSTRING_TERMINATE(quoted);
return (quoted);
}
static int smtpd_proxy_xforward_send(SMTPD_STATE *state, VSTRING *buf,
const char *name,
int value_available,
const char *value)
{
size_t new_len;
int ret;
#define CONSTR_LEN(s) (sizeof(s) - 1)
#define PAYLOAD_LIMIT (512 - CONSTR_LEN("250 " XFORWARD_CMD "\r\n"))
if (!value_available)
value = XFORWARD_UNAVAILABLE;
/*
* Encode the attribute value.
*/
if (state->expand_buf == 0)
state->expand_buf = vstring_alloc(100);
xtext_quote(state->expand_buf, value, "");
/*
* How much space does this attribute need? SPACE name = value.
*/
new_len = strlen(name) + strlen(STR(state->expand_buf)) + 2;
if (new_len > PAYLOAD_LIMIT)
msg_warn("%s command payload %s=%.10s... exceeds SMTP protocol limit",
XFORWARD_CMD, name, value);
/*
* Flush the buffer if we need to, and store the attribute.
*/
if (VSTRING_LEN(buf) > 0 && VSTRING_LEN(buf) + new_len > PAYLOAD_LIMIT)
if ((ret = smtpd_proxy_xforward_flush(state, buf)) < 0)
return (ret);
vstring_sprintf_append(buf, " %s=%s", name, STR(state->expand_buf));
return (0);
}
char *format_line_number(VSTRING *result, ssize_t first, ssize_t last)
{
static VSTRING *buf;
/*
* Your buffer or mine?
*/
if (result == 0) {
if (buf == 0)
buf = vstring_alloc(10);
result = buf;
}
/*
* Print a range only when the numbers differ.
*/
vstring_sprintf(result, "%ld", (long) first);
if (first != last)
vstring_sprintf_append(result, "-%ld", (long) last);
return (vstring_str(result));
}
const char *mynetworks(void)
{
static VSTRING *result;
if (result == 0) {
char *myname = "mynetworks";
INET_ADDR_LIST *my_addr_list;
INET_ADDR_LIST *my_mask_list;
unsigned long addr;
unsigned long mask;
struct in_addr net;
int shift;
int junk;
int i;
int mask_style;
mask_style = name_mask("mynetworks mask style", mask_styles,
var_mynetworks_style);
/*
* XXX Workaround: name_mask() needs a flags argument so that we can
* require exactly one value, or we need to provide an API that is
* dedicated for single-valued flags.
*/
for (i = 0, junk = mask_style; junk != 0; junk >>= 1)
i += (junk & 1);
if (i != 1)
msg_fatal("bad %s value: %s; specify exactly one value",
VAR_MYNETWORKS_STYLE, var_mynetworks_style);
result = vstring_alloc(20);
my_addr_list = own_inet_addr_list();
my_mask_list = own_inet_mask_list();
for (i = 0; i < my_addr_list->used; i++) {
addr = ntohl(my_addr_list->addrs[i].s_addr);
mask = ntohl(my_mask_list->addrs[i].s_addr);
switch (mask_style) {
/*
* Natural mask. This is dangerous if you're customer of an
* ISP who gave you a small portion of their network.
*/
case MASK_STYLE_CLASS:
if (IN_CLASSA(addr)) {
mask = IN_CLASSA_NET;
shift = IN_CLASSA_NSHIFT;
} else if (IN_CLASSB(addr)) {
mask = IN_CLASSB_NET;
shift = IN_CLASSB_NSHIFT;
} else if (IN_CLASSC(addr)) {
mask = IN_CLASSC_NET;
shift = IN_CLASSC_NSHIFT;
} else if (IN_CLASSD(addr)) {
mask = IN_CLASSD_NET;
shift = IN_CLASSD_NSHIFT;
} else {
msg_fatal("%s: bad address class: %s",
myname, inet_ntoa(my_addr_list->addrs[i]));
}
break;
/*
* Subnet mask. This is safe, but breaks backwards
* compatibility when used as default setting.
*/
case MASK_STYLE_SUBNET:
for (junk = mask, shift = BITS_PER_ADDR; junk != 0; shift--, (junk <<= 1))
/* void */ ;
break;
/*
* Host only. Do not relay authorize other hosts.
*/
case MASK_STYLE_HOST:
mask = ~0;
shift = 0;
break;
default:
msg_panic("unknown mynetworks mask style: %s",
var_mynetworks_style);
}
net.s_addr = htonl(addr & mask);
vstring_sprintf_append(result, "%s/%d ",
inet_ntoa(net), BITS_PER_ADDR - shift);
}
if (msg_verbose)
msg_info("%s: %s", myname, vstring_str(result));
}
static void qmgr_message_resolve(QMGR_MESSAGE *message)
{
static ARGV *defer_xport_argv;
RECIPIENT_LIST list = message->rcpt_list;
RECIPIENT *recipient;
QMGR_TRANSPORT *transport = 0;
QMGR_QUEUE *queue = 0;
RESOLVE_REPLY reply;
VSTRING *queue_name;
char *at;
char **cpp;
char *nexthop;
ssize_t len;
int status;
DSN dsn;
MSG_STATS stats;
DSN *saved_dsn;
#define STREQ(x,y) (strcmp(x,y) == 0)
#define STR vstring_str
#define LEN VSTRING_LEN
resolve_clnt_init(&reply);
queue_name = vstring_alloc(1);
for (recipient = list.info; recipient < list.info + list.len; recipient++) {
/*
* Redirect overrides all else. But only once (per entire message).
* For consistency with the remainder of Postfix, rewrite the address
* to canonical form before resolving it.
*/
if (message->redirect_addr) {
if (recipient > list.info) {
recipient->u.queue = 0;
continue;
}
message->rcpt_offset = 0;
message->rcpt_unread = 0;
rewrite_clnt_internal(REWRITE_CANON, message->redirect_addr,
reply.recipient);
RECIPIENT_UPDATE(recipient->address, STR(reply.recipient));
if (qmgr_resolve_one(message, recipient,
recipient->address, &reply) < 0)
continue;
if (!STREQ(recipient->address, STR(reply.recipient)))
RECIPIENT_UPDATE(recipient->address, STR(reply.recipient));
}
/*
* Content filtering overrides the address resolver.
*
* XXX Bypass content_filter inspection for user-generated probes
* (sendmail -bv). MTA-generated probes never have the "please filter
* me" bits turned on, but we handle them here anyway for the sake of
* future proofing.
*/
#define FILTER_WITHOUT_NEXTHOP(filter, next) \
(((next) = split_at((filter), ':')) == 0 || *(next) == 0)
#define RCPT_WITHOUT_DOMAIN(rcpt, next) \
((next = strrchr(rcpt, '@')) == 0 || *++(next) == 0)
else if (message->filter_xport
&& (message->tflags & DEL_REQ_TRACE_ONLY_MASK) == 0) {
reply.flags = 0;
vstring_strcpy(reply.transport, message->filter_xport);
if (FILTER_WITHOUT_NEXTHOP(STR(reply.transport), nexthop)
&& *(nexthop = var_def_filter_nexthop) == 0
&& RCPT_WITHOUT_DOMAIN(recipient->address, nexthop))
nexthop = var_myhostname;
vstring_strcpy(reply.nexthop, nexthop);
vstring_strcpy(reply.recipient, recipient->address);
}
/*
* Resolve the destination to (transport, nexthop, address). The
* result address may differ from the one specified by the sender.
*/
else {
if (qmgr_resolve_one(message, recipient,
recipient->address, &reply) < 0)
continue;
if (!STREQ(recipient->address, STR(reply.recipient)))
RECIPIENT_UPDATE(recipient->address, STR(reply.recipient));
}
/*
* Bounce null recipients. This should never happen, but is most
* likely the result of a fault in a different program, so aborting
* the queue manager process does not help.
*/
if (recipient->address[0] == 0) {
QMGR_REDIRECT(&reply, MAIL_SERVICE_ERROR,
"5.1.3 null recipient address");
}
/*
* Discard mail to the local double bounce address here, so this
* system can run without a local delivery agent. They'd still have
* to configure something for mail directed to the local postmaster,
* though, but that is an RFC requirement anyway.
*
* XXX This lookup should be done in the resolver, and the mail should
* be directed to a general-purpose null delivery agent.
*/
if (reply.flags & RESOLVE_CLASS_LOCAL) {
at = strrchr(STR(reply.recipient), '@');
len = (at ? (at - STR(reply.recipient))
: strlen(STR(reply.recipient)));
if (strncasecmp(STR(reply.recipient), var_double_bounce_sender,
len) == 0
&& !var_double_bounce_sender[len]) {
status = sent(message->tflags, message->queue_id,
QMGR_MSG_STATS(&stats, message), recipient,
"none", DSN_SIMPLE(&dsn, "2.0.0",
"undeliverable postmaster notification discarded"));
if (status == 0) {
deliver_completed(message->fp, recipient->offset);
#if 0
/* It's the default verification probe sender address. */
msg_warn("%s: undeliverable postmaster notification discarded",
message->queue_id);
#endif
} else
message->flags |= status;
continue;
}
}
/*
* Optionally defer deliveries over specific transports, unless the
* restriction is lifted temporarily.
*/
if (*var_defer_xports && (message->qflags & QMGR_FLUSH_DFXP) == 0) {
if (defer_xport_argv == 0)
defer_xport_argv = argv_split(var_defer_xports, CHARS_COMMA_SP);
for (cpp = defer_xport_argv->argv; *cpp; cpp++)
if (strcmp(*cpp, STR(reply.transport)) == 0)
break;
if (*cpp) {
QMGR_REDIRECT(&reply, MAIL_SERVICE_RETRY,
"4.3.2 deferred transport");
}
}
/*
* Look up or instantiate the proper transport.
*/
if (transport == 0 || !STREQ(transport->name, STR(reply.transport))) {
if ((transport = qmgr_transport_find(STR(reply.transport))) == 0)
transport = qmgr_transport_create(STR(reply.transport));
queue = 0;
}
/*
* This message is being flushed. If need-be unthrottle the
* transport.
*/
if ((message->qflags & QMGR_FLUSH_EACH) != 0
&& QMGR_TRANSPORT_THROTTLED(transport))
qmgr_transport_unthrottle(transport);
/*
* This transport is dead. Defer delivery to this recipient.
*/
if (QMGR_TRANSPORT_THROTTLED(transport)) {
saved_dsn = transport->dsn;
if ((transport = qmgr_error_transport(MAIL_SERVICE_RETRY)) != 0) {
nexthop = qmgr_error_nexthop(saved_dsn);
vstring_strcpy(reply.nexthop, nexthop);
myfree(nexthop);
queue = 0;
} else {
qmgr_defer_recipient(message, recipient, saved_dsn);
continue;
}
}
/*
* The nexthop destination provides the default name for the
* per-destination queue. When the delivery agent accepts only one
* recipient per delivery, give each recipient its own queue, so that
* deliveries to different recipients of the same message can happen
* in parallel, and so that we can enforce per-recipient concurrency
* limits and prevent one recipient from tying up all the delivery
* agent resources. We use recipient@nexthop as queue name rather
* than the actual recipient domain name, so that one recipient in
* multiple equivalent domains cannot evade the per-recipient
* concurrency limit. Split the address on the recipient delimiter if
* one is defined, so that extended addresses don't get extra
* delivery slots.
*
* Fold the result to lower case so that we don't have multiple queues
* for the same name.
*
* Important! All recipients in a queue must have the same nexthop
* value. It is OK to have multiple queues with the same nexthop
* value, but only when those queues are named after recipients.
*
* The single-recipient code below was written for local(8) like
* delivery agents, and assumes that all domains that deliver to the
* same (transport + nexthop) are aliases for $nexthop. Delivery
* concurrency is changed from per-domain into per-recipient, by
* changing the queue name from nexthop into localpart@nexthop.
*
* XXX This assumption is incorrect when different destinations share
* the same (transport + nexthop). In reality, such transports are
* rarely configured to use single-recipient deliveries. The fix is
* to decouple the per-destination recipient limit from the
* per-destination concurrency.
*/
vstring_strcpy(queue_name, STR(reply.nexthop));
if (strcmp(transport->name, MAIL_SERVICE_ERROR) != 0
&& strcmp(transport->name, MAIL_SERVICE_RETRY) != 0
&& transport->recipient_limit == 1) {
/* Copy the recipient localpart. */
at = strrchr(STR(reply.recipient), '@');
len = (at ? (at - STR(reply.recipient))
: strlen(STR(reply.recipient)));
vstring_strncpy(queue_name, STR(reply.recipient), len);
/* Remove the address extension from the recipient localpart. */
if (*var_rcpt_delim && split_addr(STR(queue_name), var_rcpt_delim))
vstring_truncate(queue_name, strlen(STR(queue_name)));
/* Assume the recipient domain is equivalent to nexthop. */
vstring_sprintf_append(queue_name, "@%s", STR(reply.nexthop));
}
lowercase(STR(queue_name));
/*
* This transport is alive. Find or instantiate a queue for this
* recipient.
*/
if (queue == 0 || !STREQ(queue->name, STR(queue_name))) {
if ((queue = qmgr_queue_find(transport, STR(queue_name))) == 0)
queue = qmgr_queue_create(transport, STR(queue_name),
STR(reply.nexthop));
}
/*
* This message is being flushed. If need-be unthrottle the queue.
*/
if ((message->qflags & QMGR_FLUSH_EACH) != 0
&& QMGR_QUEUE_THROTTLED(queue))
qmgr_queue_unthrottle(queue);
/*
* This queue is dead. Defer delivery to this recipient.
*/
if (QMGR_QUEUE_THROTTLED(queue)) {
saved_dsn = queue->dsn;
if ((queue = qmgr_error_queue(MAIL_SERVICE_RETRY, saved_dsn)) == 0) {
qmgr_defer_recipient(message, recipient, saved_dsn);
continue;
}
}
/*
* This queue is alive. Bind this recipient to this queue instance.
*/
recipient->u.queue = queue;
}
resolve_clnt_free(&reply);
vstring_free(queue_name);
}
/*
* This is the actual startup routine for the connection. We expect that the
* buffers are flushed and the "220 Ready to start TLS" was received by us,
* so that we can immediately start the TLS handshake process.
*/
TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
{
int sts;
int protomask;
const char *cipher_list;
SSL_SESSION *session;
const SSL_CIPHER *cipher;
X509 *peercert;
TLS_SESS_STATE *TLScontext;
TLS_APPL_STATE *app_ctx = props->ctx;
VSTRING *myserverid;
int log_mask = app_ctx->log_mask;
/*
* When certificate verification is required, log trust chain validation
* errors even when disabled by default for opportunistic sessions.
*/
if (props->tls_level >= TLS_LEV_VERIFY)
log_mask |= TLS_LOG_UNTRUSTED;
if (log_mask & TLS_LOG_VERBOSE)
msg_info("setting up TLS connection to %s", props->namaddr);
/*
* First make sure we have valid protocol and cipher parameters
*
* The cipherlist will be applied to the global SSL context, where it can be
* repeatedly reset if necessary, but the protocol restrictions will be
* is applied to the SSL connection, because protocol restrictions in the
* global context cannot be cleared.
*/
/*
* OpenSSL will ignore cached sessions that use the wrong protocol. So we
* do not need to filter out cached sessions with the "wrong" protocol,
* rather OpenSSL will simply negotiate a new session.
*
* Still, we salt the session lookup key with the protocol list, so that
* sessions found in the cache are always acceptable.
*/
protomask = tls_protocol_mask(props->protocols);
if (protomask == TLS_PROTOCOL_INVALID) {
/* tls_protocol_mask() logs no warning. */
msg_warn("%s: Invalid TLS protocol list \"%s\": aborting TLS session",
props->namaddr, props->protocols);
return (0);
}
myserverid = vstring_alloc(100);
vstring_sprintf_append(myserverid, "%s&p=%d", props->serverid, protomask);
/*
* Per session cipher selection for sessions with mandatory encryption
*
* By the time a TLS client is negotiating ciphers it has already offered to
* re-use a session, it is too late to renege on the offer. So we must
* not attempt to re-use sessions whose ciphers are too weak. We salt the
* session lookup key with the cipher list, so that sessions found in the
* cache are always acceptable.
*/
cipher_list = tls_set_ciphers(app_ctx, "TLS", props->cipher_grade,
props->cipher_exclusions);
if (cipher_list == 0) {
msg_warn("%s: %s: aborting TLS session",
props->namaddr, vstring_str(app_ctx->why));
vstring_free(myserverid);
return (0);
}
if (log_mask & TLS_LOG_VERBOSE)
msg_info("%s: TLS cipher list \"%s\"", props->namaddr, cipher_list);
vstring_sprintf_append(myserverid, "&c=%s", cipher_list);
/*
* Finally, salt the session key with the OpenSSL library version,
* (run-time, rather than compile-time, just in case that matters).
*/
vstring_sprintf_append(myserverid, "&l=%ld", (long) SSLeay());
/*
* Allocate a new TLScontext for the new connection and get an SSL
* structure. Add the location of TLScontext to the SSL to later retrieve
* the information inside the tls_verify_certificate_callback().
*
* If session caching was enabled when TLS was initialized, the cache type
* is stored in the client SSL context.
*/
TLScontext = tls_alloc_sess_context(log_mask, props->namaddr);
TLScontext->cache_type = app_ctx->cache_type;
TLScontext->serverid = vstring_export(myserverid);
TLScontext->stream = props->stream;
if ((TLScontext->con = SSL_new(app_ctx->ssl_ctx)) == NULL) {
msg_warn("Could not allocate 'TLScontext->con' with SSL_new()");
tls_print_errors();
tls_free_context(TLScontext);
return (0);
}
if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
msg_warn("Could not set application data for 'TLScontext->con'");
tls_print_errors();
tls_free_context(TLScontext);
return (0);
}
/*
* Apply session protocol restrictions.
*/
if (protomask != 0)
SSL_set_options(TLScontext->con,
((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
| ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
| ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
/*
* XXX To avoid memory leaks we must always call SSL_SESSION_free() after
* calling SSL_set_session(), regardless of whether or not the session
* will be reused.
*/
if (TLScontext->cache_type) {
session = load_clnt_session(TLScontext);
if (session) {
SSL_set_session(TLScontext->con, session);
SSL_SESSION_free(session); /* 200411 */
#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
/*
* Ugly Hack: OpenSSL before 0.9.6a does not store the verify
* result in sessions for the client side. We modify the session
* directly which is version specific, but this bug is version
* specific, too.
*
* READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before beta1
* have this bug, it has been fixed during development of 0.9.6a.
* The development version of 0.9.7 can have this bug, too. It
* has been fixed on 2000/11/29.
*/
SSL_set_verify_result(TLScontext->con, session->verify_result);
#endif
}
}
/*
* Before really starting anything, try to seed the PRNG a little bit
* more.
*/
tls_int_seed();
(void) tls_ext_seed(var_tls_daemon_rand_bytes);
/*
* Initialize the SSL connection to connect state. This should not be
* necessary anymore since 0.9.3, but the call is still in the library
* and maintaining compatibility never hurts.
*/
SSL_set_connect_state(TLScontext->con);
/*
* Connect the SSL connection with the network socket.
*/
if (SSL_set_fd(TLScontext->con, vstream_fileno(props->stream)) != 1) {
msg_info("SSL_set_fd error to %s", props->namaddr);
tls_print_errors();
uncache_session(app_ctx->ssl_ctx, TLScontext);
tls_free_context(TLScontext);
return (0);
}
/*
* Turn on non-blocking I/O so that we can enforce timeouts on network
* I/O.
*/
non_blocking(vstream_fileno(props->stream), NON_BLOCKING);
/*
* If the debug level selected is high enough, all of the data is dumped:
* TLS_LOG_TLSPKTS will dump the SSL negotiation, TLS_LOG_ALLPKTS will
* dump everything.
*
* We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
* Well there is a BIO below the SSL routines that is automatically
* created for us, so we can use it for debugging purposes.
*/
if (log_mask & TLS_LOG_TLSPKTS)
BIO_set_callback(SSL_get_rbio(TLScontext->con), tls_bio_dump_cb);
/*
* Start TLS negotiations. This process is a black box that invokes our
* call-backs for certificate verification.
*
* Error handling: If the SSL handhake fails, we print out an error message
* and remove all TLS state concerning this session.
*/
sts = tls_bio_connect(vstream_fileno(props->stream), props->timeout,
TLScontext);
if (sts <= 0) {
if (ERR_peek_error() != 0) {
msg_info("SSL_connect error to %s: %d", props->namaddr, sts);
tls_print_errors();
} else if (errno != 0) {
msg_info("SSL_connect error to %s: %m", props->namaddr);
} else {
msg_info("SSL_connect error to %s: lost connection",
props->namaddr);
}
uncache_session(app_ctx->ssl_ctx, TLScontext);
tls_free_context(TLScontext);
return (0);
}
/* Turn off packet dump if only dumping the handshake */
if ((log_mask & TLS_LOG_ALLPKTS) == 0)
BIO_set_callback(SSL_get_rbio(TLScontext->con), 0);
/*
* The caller may want to know if this session was reused or if a new
* session was negotiated.
*/
TLScontext->session_reused = SSL_session_reused(TLScontext->con);
if ((log_mask & TLS_LOG_CACHE) && TLScontext->session_reused)
msg_info("%s: Reusing old session", TLScontext->namaddr);
/*
* Do peername verification if requested and extract useful information
* from the certificate for later use.
*/
if ((peercert = SSL_get_peer_certificate(TLScontext->con)) != 0) {
TLScontext->peer_status |= TLS_CERT_FLAG_PRESENT;
/*
* Peer name or fingerprint verification as requested.
* Unconditionally set peer_CN, issuer_CN and peer_fingerprint.
*/
verify_extract_name(TLScontext, peercert, props);
verify_extract_print(TLScontext, peercert, props);
if (TLScontext->log_mask &
(TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT))
msg_info("%s: subject_CN=%s, issuer_CN=%s, "
"fingerprint %s, pkey_fingerprint=%s", props->namaddr,
TLScontext->peer_CN, TLScontext->issuer_CN,
TLScontext->peer_fingerprint,
TLScontext->peer_pkey_fprint);
X509_free(peercert);
} else {
TLScontext->issuer_CN = mystrdup("");
TLScontext->peer_CN = mystrdup("");
TLScontext->peer_fingerprint = mystrdup("");
TLScontext->peer_pkey_fprint = mystrdup("");
}
/*
* Finally, collect information about protocol and cipher for logging
*/
TLScontext->protocol = SSL_get_version(TLScontext->con);
cipher = SSL_get_current_cipher(TLScontext->con);
TLScontext->cipher_name = SSL_CIPHER_get_name(cipher);
TLScontext->cipher_usebits = SSL_CIPHER_get_bits(cipher,
&(TLScontext->cipher_algbits));
/*
* The TLS engine is active. Switch to the tls_timed_read/write()
* functions and make the TLScontext available to those functions.
*/
tls_stream_start(props->stream, TLScontext);
/*
* All the key facts in a single log entry.
*/
if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s "
"(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits);
tls_int_seed();
return (TLScontext);
}
DICT *dict_ldap_open(const char *ldapsource, int dummy, int dict_flags)
{
char *myname = "dict_ldap_open";
DICT_LDAP *dict_ldap;
VSTRING *url_list;
char *s;
char *h;
char *server_host;
char *domainlist;
char *scope;
char *attr;
int tmp;
if (msg_verbose)
msg_info("%s: Using LDAP source %s", myname, ldapsource);
dict_ldap = (DICT_LDAP *) dict_alloc(DICT_TYPE_LDAP, ldapsource,
sizeof(*dict_ldap));
dict_ldap->dict.lookup = dict_ldap_lookup;
dict_ldap->dict.close = dict_ldap_close;
dict_ldap->dict.flags = dict_flags | DICT_FLAG_FIXED;
dict_ldap->ld = NULL;
dict_ldap->parser = cfg_parser_alloc(ldapsource);
dict_ldap->ldapsource = mystrdup(ldapsource);
server_host = cfg_get_str(dict_ldap->parser, "server_host",
"localhost", 1, 0);
/*
* get configured value of "server_port"; default to LDAP_PORT (389)
*/
dict_ldap->server_port =
cfg_get_int(dict_ldap->parser, "server_port", LDAP_PORT, 0, 0);
/*
* Define LDAP Version.
*/
dict_ldap->version = cfg_get_int(dict_ldap->parser, "version", 2, 2, 0);
switch (dict_ldap->version) {
case 2:
dict_ldap->version = LDAP_VERSION2;
break;
case 3:
dict_ldap->version = LDAP_VERSION3;
break;
default:
msg_warn("%s: %s Unknown version %d.", myname, ldapsource,
dict_ldap->version);
dict_ldap->version = LDAP_VERSION2;
}
#if defined(LDAP_API_FEATURE_X_OPENLDAP)
dict_ldap->ldap_ssl = 0;
#endif
url_list = vstring_alloc(32);
s = server_host;
while ((h = mystrtok(&s, " \t\n\r,")) != NULL) {
#if defined(LDAP_API_FEATURE_X_OPENLDAP)
/*
* Convert (host, port) pairs to LDAP URLs
*/
if (ldap_is_ldap_url(h)) {
LDAPURLDesc *url_desc;
int rc;
if ((rc = ldap_url_parse(h, &url_desc)) != 0) {
msg_error("%s: error parsing URL %s: %d: %s; skipping", myname,
h, rc, ldap_err2string(rc));
continue;
}
if (strcasecmp(url_desc->lud_scheme, "ldap") != 0 &&
dict_ldap->version != LDAP_VERSION3) {
msg_warn("%s: URL scheme %s requires protocol version 3", myname,
url_desc->lud_scheme);
dict_ldap->version = LDAP_VERSION3;
}
if (strcasecmp(url_desc->lud_scheme, "ldaps") == 0)
dict_ldap->ldap_ssl = 1;
ldap_free_urldesc(url_desc);
vstring_sprintf_append(url_list, " %s", h);
} else {
if (strrchr(h, ':'))
vstring_sprintf_append(url_list, " ldap://%s", h);
else
vstring_sprintf_append(url_list, " ldap://%s:%d", h,
dict_ldap->server_port);
}
#else
vstring_sprintf_append(url_list, " %s", h);
#endif
}
dict_ldap->server_host =
mystrdup(VSTRING_LEN(url_list) > 0 ? vstring_str(url_list) + 1 : "");
#if defined(LDAP_API_FEATURE_X_OPENLDAP)
/*
* With URL scheme, clear port to normalize connection cache key
*/
dict_ldap->server_port = LDAP_PORT;
if (msg_verbose)
msg_info("%s: %s server_host URL is %s", myname, ldapsource,
dict_ldap->server_host);
#endif
myfree(server_host);
vstring_free(url_list);
/*
* Scope handling thanks to Carsten Hoeger of SuSE.
*/
scope = cfg_get_str(dict_ldap->parser, "scope", "sub", 1, 0);
if (strcasecmp(scope, "one") == 0) {
dict_ldap->scope = LDAP_SCOPE_ONELEVEL;
} else if (strcasecmp(scope, "base") == 0) {
dict_ldap->scope = LDAP_SCOPE_BASE;
} else if (strcasecmp(scope, "sub") == 0) {
dict_ldap->scope = LDAP_SCOPE_SUBTREE;
} else {
msg_warn("%s: %s: Unrecognized value %s specified for scope; using sub",
myname, ldapsource, scope);
dict_ldap->scope = LDAP_SCOPE_SUBTREE;
}
myfree(scope);
dict_ldap->search_base = cfg_get_str(dict_ldap->parser, "search_base",
"", 0, 0);
domainlist = cfg_get_str(dict_ldap->parser, "domain", "", 0, 0);
if (*domainlist) {
#ifdef MATCH_FLAG_NONE
dict_ldap->domain = match_list_init(MATCH_FLAG_NONE,
domainlist, 1, match_string);
#else
dict_ldap->domain = match_list_init(domainlist, 1, match_string);
#endif
if (dict_ldap->domain == NULL)
msg_warn("%s: domain match list creation using \"%s\" failed, will continue without it",
myname, domainlist);
if (msg_verbose)
msg_info("%s: domain list created using \"%s\"", myname,
domainlist);
} else {
dict_ldap->domain = NULL;
}
myfree(domainlist);
/*
* get configured value of "timeout"; default to 10 seconds
*
* Thanks to Manuel Guesdon for spotting that this wasn't really getting
* set.
*/
dict_ldap->timeout = cfg_get_int(dict_ldap->parser, "timeout",
10, 0, 0);
dict_ldap->query_filter =
cfg_get_str(dict_ldap->parser, "query_filter",
"(mailacceptinggeneralid=%s)", 0, 0);
dict_ldap->result_filter =
cfg_get_str(dict_ldap->parser, "result_filter", "%s", 0, 0);
if (strcmp(dict_ldap->result_filter, "%s") == 0) {
myfree(dict_ldap->result_filter);
dict_ldap->result_filter = NULL;
}
attr = cfg_get_str(dict_ldap->parser, "result_attribute",
"maildrop", 0, 0);
dict_ldap->result_attributes = argv_split(attr, " ,\t\r\n");
dict_ldap->num_attributes = dict_ldap->result_attributes->argc;
myfree(attr);
attr = cfg_get_str(dict_ldap->parser, "special_result_attribute",
"", 0, 0);
if (*attr) {
argv_split_append(dict_ldap->result_attributes, attr, " ,\t\r\n");
}
myfree(attr);
/*
* get configured value of "bind"; default to true
*/
dict_ldap->bind = cfg_get_bool(dict_ldap->parser, "bind", 1);
/*
* get configured value of "bind_dn"; default to ""
*/
dict_ldap->bind_dn = cfg_get_str(dict_ldap->parser, "bind_dn", "", 0, 0);
/*
* get configured value of "bind_pw"; default to ""
*/
dict_ldap->bind_pw = cfg_get_str(dict_ldap->parser, "bind_pw", "", 0, 0);
/*
* get configured value of "cache"; default to false
*/
tmp = cfg_get_bool(dict_ldap->parser, "cache", 0);
if (tmp)
msg_warn("%s: %s ignoring cache", myname, ldapsource);
/*
* get configured value of "cache_expiry"; default to 30 seconds
*/
tmp = cfg_get_int(dict_ldap->parser, "cache_expiry", -1, 0, 0);
if (tmp >= 0)
msg_warn("%s: %s ignoring cache_expiry", myname, ldapsource);
/*
* get configured value of "cache_size"; default to 32k
*/
tmp = cfg_get_int(dict_ldap->parser, "cache_size", -1, 0, 0);
if (tmp >= 0)
msg_warn("%s: %s ignoring cache_size", myname, ldapsource);
/*
* get configured value of "recursion_limit"; default to 1000
*/
dict_ldap->recursion_limit = cfg_get_int(dict_ldap->parser,
"recursion_limit", 1000, 1, 0);
/*
* get configured value of "expansion_limit"; default to 0
*/
dict_ldap->expansion_limit = cfg_get_int(dict_ldap->parser,
"expansion_limit", 0, 0, 0);
/*
* get configured value of "size_limit"; default to expansion_limit
*/
dict_ldap->size_limit = cfg_get_int(dict_ldap->parser, "size_limit",
dict_ldap->expansion_limit,
0, 0);
/*
* Alias dereferencing suggested by Mike Mattice.
*/
dict_ldap->dereference = cfg_get_int(dict_ldap->parser, "dereference",
0, 0, 0);
if (dict_ldap->dereference < 0 || dict_ldap->dereference > 3) {
msg_warn("%s: %s Unrecognized value %d specified for dereference; using 0",
myname, ldapsource, dict_ldap->dereference);
dict_ldap->dereference = 0;
}
/* Referral chasing */
dict_ldap->chase_referrals = cfg_get_bool(dict_ldap->parser,
"chase_referrals", 0);
#ifdef LDAP_API_FEATURE_X_OPENLDAP
/*
* TLS options
*/
/* get configured value of "start_tls"; default to no */
dict_ldap->start_tls = cfg_get_bool(dict_ldap->parser, "start_tls", 0);
if (dict_ldap->start_tls && dict_ldap->version < LDAP_VERSION3) {
msg_warn("%s: %s start_tls requires protocol version 3",
myname, ldapsource);
dict_ldap->version = LDAP_VERSION3;
}
/* get configured value of "tls_require_cert"; default to no */
dict_ldap->tls_require_cert = cfg_get_bool(dict_ldap->parser,
"tls_require_cert", 0);
/* get configured value of "tls_ca_cert_file"; default "" */
dict_ldap->tls_ca_cert_file = cfg_get_str(dict_ldap->parser,
"tls_ca_cert_file", "", 0, 0);
/* get configured value of "tls_ca_cert_dir"; default "" */
dict_ldap->tls_ca_cert_dir = cfg_get_str(dict_ldap->parser,
"tls_ca_cert_dir", "", 0, 0);
/* get configured value of "tls_cert"; default "" */
dict_ldap->tls_cert = cfg_get_str(dict_ldap->parser, "tls_cert",
"", 0, 0);
/* get configured value of "tls_key"; default "" */
dict_ldap->tls_key = cfg_get_str(dict_ldap->parser, "tls_key",
"", 0, 0);
/* get configured value of "tls_random_file"; default "" */
dict_ldap->tls_random_file = cfg_get_str(dict_ldap->parser,
"tls_random_file", "", 0, 0);
/* get configured value of "tls_cipher_suite"; default "" */
dict_ldap->tls_cipher_suite = cfg_get_str(dict_ldap->parser,
"tls_cipher_suite", "", 0, 0);
#endif
/*
* Debug level.
*/
#if defined(LDAP_OPT_DEBUG_LEVEL) && defined(LBER_OPT_LOG_PRINT_FN)
dict_ldap->debuglevel = cfg_get_int(dict_ldap->parser, "debuglevel",
0, 0, 0);
#endif
/*
* Find or allocate shared LDAP connection container.
*/
dict_ldap_conn_find(dict_ldap);
/*
* Return the new dict_ldap structure.
*/
return (DICT_DEBUG (&dict_ldap->dict));
}
const char *make_verify_sender_addr(void)
{
static VSTRING *verify_sender_buf; /* the complete sender address */
static VSTRING *my_epoch_buf; /* scratch space */
char *my_at_domain;
/*
* The null sender is always time-independent.
*/
if (*var_verify_sender == 0 || strcmp(var_verify_sender, "<>") == 0)
return ("");
/*
* Sanity check.
*/
if (*var_verify_sender == '@')
msg_fatal("parameter %s: value \"%s\" must not start with '@'",
VAR_VERIFY_SENDER, var_verify_sender);
if ((my_at_domain = strchr(var_verify_sender, '@')) != 0 && my_at_domain[1] == 0)
msg_fatal("parameter %s: value \"%s\" must not end with '@'",
VAR_VERIFY_SENDER, var_verify_sender);
/*
* One-time initialization.
*/
if (verify_sender_buf == 0) {
verify_sender_buf = vstring_alloc(10);
my_epoch_buf = vstring_alloc(10);
}
/*
* Start with the bare sender address.
*/
vstring_strcpy(verify_sender_buf, var_verify_sender);
/*
* Append the time stamp to the address localpart, encoded in some
* non-decimal form for obscurity.
*
* XXX It would be nice to have safe_ultostr() append-only support.
*/
if (var_verify_sender_ttl > 0) {
/* Strip the @domain portion, if applicable. */
if (my_at_domain != 0)
vstring_truncate(verify_sender_buf,
(ssize_t) (my_at_domain - var_verify_sender));
/* Append the time stamp to the address localpart. */
vstring_sprintf_append(verify_sender_buf, "%s",
safe_ultostr(my_epoch_buf,
VERIFY_SENDER_ADDR_EPOCH(),
VERIFY_BASE, 0, 0));
/* Add back the @domain, if applicable. */
if (my_at_domain != 0)
vstring_sprintf_append(verify_sender_buf, "%s", my_at_domain);
}
/*
* Rewrite the address to canonical form.
*/
rewrite_clnt_internal(MAIL_ATTR_RWR_LOCAL, STR(verify_sender_buf),
verify_sender_buf);
return (STR(verify_sender_buf));
}
static void smtp_key_append_uint(VSTRING *buffer, unsigned num,
const char *delim_na)
{
vstring_sprintf_append(buffer, "%u%c", num, delim_na[0]);
}
const char *mail_date(time_t when)
{
static VSTRING *vp;
struct tm *lt;
struct tm gmt;
int gmtoff;
/*
* As if strftime() isn't expensive enough, we're dynamically adjusting
* the size for the result, so we won't be surprised by long names etc.
*/
if (vp == 0)
vp = vstring_alloc(100);
else
VSTRING_RESET(vp);
/*
* POSIX does not require that struct tm has a tm_gmtoff field, so we
* must compute the time offset from UTC by hand.
*
* Starting with the difference in hours/minutes between 24-hour clocks,
* adjust for differences in years, in yeardays, and in (leap) seconds.
*
* Assume 0..23 hours in a day, 0..59 minutes in an hour. The library spec
* has changed: we can no longer assume that there are 0..59 seconds in a
* minute.
*/
gmt = *gmtime(&when);
lt = localtime(&when);
gmtoff = (lt->tm_hour - gmt.tm_hour) * HOUR_MIN + lt->tm_min - gmt.tm_min;
if (lt->tm_year < gmt.tm_year)
gmtoff -= DAY_MIN;
else if (lt->tm_year > gmt.tm_year)
gmtoff += DAY_MIN;
else if (lt->tm_yday < gmt.tm_yday)
gmtoff -= DAY_MIN;
else if (lt->tm_yday > gmt.tm_yday)
gmtoff += DAY_MIN;
if (lt->tm_sec <= gmt.tm_sec - MIN_SEC)
gmtoff -= 1;
else if (lt->tm_sec >= gmt.tm_sec + MIN_SEC)
gmtoff += 1;
/*
* First, format the date and wall-clock time. XXX The %e format (day of
* month, leading zero replaced by blank) isn't in my POSIX book, but
* many vendors seem to support it.
*/
#ifdef MISSING_STRFTIME_E
#define STRFTIME_FMT "%a, %d %b %Y %H:%M:%S "
#else
#define STRFTIME_FMT "%a, %e %b %Y %H:%M:%S "
#endif
while (strftime(vstring_end(vp), vstring_avail(vp), STRFTIME_FMT, lt) == 0)
VSTRING_SPACE(vp, 100);
VSTRING_SKIP(vp);
/*
* Then, add the UTC offset.
*/
if (gmtoff < -DAY_MIN || gmtoff > DAY_MIN)
msg_panic("UTC time offset %d is larger than one day", gmtoff);
vstring_sprintf_append(vp, "%+03d%02d", (int) (gmtoff / HOUR_MIN),
(int) (abs(gmtoff) % HOUR_MIN));
/*
* Finally, add the time zone name.
*/
while (strftime(vstring_end(vp), vstring_avail(vp), " (%Z)", lt) == 0)
VSTRING_SPACE(vp, vstring_avail(vp) + 100);
VSTRING_SKIP(vp);
return (vstring_str(vp));
}
