xref: /freebsd/contrib/sendmail/src/srvrsmtp.c (revision 4928135658a9d0eaee37003df6137ab363fcb0b4)
1 /*
2  * Copyright (c) 1998-2010, 2012-2014 Proofpoint, Inc. and its suppliers.
3  *	All rights reserved.
4  * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
5  * Copyright (c) 1988, 1993
6  *	The Regents of the University of California.  All rights reserved.
7  *
8  * By using this file, you agree to the terms and conditions set
9  * forth in the LICENSE file which can be found at the top level of
10  * the sendmail distribution.
11  *
12  */
13 
14 #include <sendmail.h>
15 #if MILTER
16 # include <libmilter/mfapi.h>
17 # include <libmilter/mfdef.h>
18 #endif /* MILTER */
19 
20 SM_RCSID("@(#)$Id: srvrsmtp.c,v 8.1016 2013-11-22 20:51:56 ca Exp $")
21 
22 #include <sm/time.h>
23 #include <sm/fdset.h>
24 
25 #if SASL || STARTTLS
26 # include "sfsasl.h"
27 #endif /* SASL || STARTTLS */
28 #if SASL
29 # define ENC64LEN(l)	(((l) + 2) * 4 / 3 + 1)
30 static int saslmechs __P((sasl_conn_t *, char **));
31 #endif /* SASL */
32 #if STARTTLS
33 # include <openssl/err.h>
34 # include <sysexits.h>
35 
36 static SSL_CTX	*srv_ctx = NULL;	/* TLS server context */
37 static SSL	*srv_ssl = NULL;	/* per connection context */
38 
39 static bool	tls_ok_srv = false;
40 
41 # define TLS_VERIFY_CLIENT() tls_set_verify(srv_ctx, srv_ssl, \
42 				bitset(SRV_VRFY_CLT, features))
43 #endif /* STARTTLS */
44 
45 #if _FFR_DM_ONE
46 static bool	NotFirstDelivery = false;
47 #endif /* _FFR_DM_ONE */
48 
49 /* server features */
50 #define SRV_NONE	0x0000	/* none... */
51 #define SRV_OFFER_TLS	0x0001	/* offer STARTTLS */
52 #define SRV_VRFY_CLT	0x0002	/* request a cert */
53 #define SRV_OFFER_AUTH	0x0004	/* offer AUTH */
54 #define SRV_OFFER_ETRN	0x0008	/* offer ETRN */
55 #define SRV_OFFER_VRFY	0x0010	/* offer VRFY (not yet used) */
56 #define SRV_OFFER_EXPN	0x0020	/* offer EXPN */
57 #define SRV_OFFER_VERB	0x0040	/* offer VERB */
58 #define SRV_OFFER_DSN	0x0080	/* offer DSN */
59 #if PIPELINING
60 # define SRV_OFFER_PIPE	0x0100	/* offer PIPELINING */
61 # if _FFR_NO_PIPE
62 #  define SRV_NO_PIPE	0x0200	/* disable PIPELINING, sleep if used */
63 # endif /* _FFR_NO_PIPE */
64 #endif /* PIPELINING */
65 #define SRV_REQ_AUTH	0x0400	/* require AUTH */
66 #define SRV_REQ_SEC	0x0800	/* require security - equiv to AuthOptions=p */
67 #define SRV_TMP_FAIL	0x1000	/* ruleset caused a temporary failure */
68 
69 static unsigned int	srvfeatures __P((ENVELOPE *, char *, unsigned int));
70 
71 #define	STOP_ATTACK	((time_t) -1)
72 static time_t	checksmtpattack __P((volatile unsigned int *, unsigned int,
73 				     bool, char *, ENVELOPE *));
74 static void	printvrfyaddr __P((ADDRESS *, bool, bool));
75 static char	*skipword __P((char *volatile, char *));
76 static void	setup_smtpd_io __P((void));
77 
78 #if SASL
79 # if SASL >= 20000
80 static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
81 				char *_remoteip, char *_localip,
82 				char *_auth_id, sasl_ssf_t *_ext_ssf));
83 
84 # define RESET_SASLCONN	\
85 	do							\
86 	{							\
87 		result = reset_saslconn(&conn, AuthRealm, remoteip, \
88 					localip, auth_id, &ext_ssf); \
89 		if (result != SASL_OK)				\
90 			sasl_ok = false;			\
91 	} while (0)
92 
93 # else /* SASL >= 20000 */
94 static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
95 				struct sockaddr_in *_saddr_r,
96 				struct sockaddr_in *_saddr_l,
97 				sasl_external_properties_t *_ext_ssf));
98 # define RESET_SASLCONN	\
99 	do							\
100 	{							\
101 		result = reset_saslconn(&conn, AuthRealm, &saddr_r, \
102 					&saddr_l, &ext_ssf);	\
103 		if (result != SASL_OK)				\
104 			sasl_ok = false;			\
105 	} while (0)
106 
107 # endif /* SASL >= 20000 */
108 #endif /* SASL */
109 
110 extern ENVELOPE	BlankEnvelope;
111 
112 #define NBADRCPTS						\
113 	do							\
114 	{							\
115 		char buf[16];					\
116 		(void) sm_snprintf(buf, sizeof(buf), "%d",	\
117 			BadRcptThrottle > 0 && n_badrcpts > BadRcptThrottle \
118 				? n_badrcpts - 1 : n_badrcpts);	\
119 		macdefine(&e->e_macro, A_TEMP, macid("{nbadrcpts}"), buf); \
120 	} while (0)
121 
122 #define SKIP_SPACE(s)	while (isascii(*s) && isspace(*s))	\
123 				(s)++
124 
125 /*
126 **  PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT)
127 **
128 **	Parameters:
129 **		e -- the envelope
130 **		addr_st -- address (RCPT only)
131 **		p -- read buffer
132 **		delimptr -- current position in read buffer
133 **		which -- MAIL/RCPT
134 **		args -- arguments (output)
135 **		esmtp_args -- function to process a single ESMTP argument
136 **
137 **	Returns:
138 **		none
139 */
140 
141 void
142 parse_esmtp_args(e, addr_st, p, delimptr, which, args, esmtp_args)
143 	ENVELOPE *e;
144 	ADDRESS *addr_st;
145 	char *p;
146 	char *delimptr;
147 	char *which;
148 	char *args[];
149 	esmtp_args_F esmtp_args;
150 {
151 	int argno;
152 
153 	argno = 0;
154 	if (args != NULL)
155 		args[argno++] = p;
156 	p = delimptr;
157 	while (p != NULL && *p != '\0')
158 	{
159 		char *kp;
160 		char *vp = NULL;
161 		char *equal = NULL;
162 
163 		/* locate the beginning of the keyword */
164 		SKIP_SPACE(p);
165 		if (*p == '\0')
166 			break;
167 		kp = p;
168 
169 		/* skip to the value portion */
170 		while ((isascii(*p) && isalnum(*p)) || *p == '-')
171 			p++;
172 		if (*p == '=')
173 		{
174 			equal = p;
175 			*p++ = '\0';
176 			vp = p;
177 
178 			/* skip to the end of the value */
179 			while (*p != '\0' && *p != ' ' &&
180 			       !(isascii(*p) && iscntrl(*p)) &&
181 			       *p != '=')
182 				p++;
183 		}
184 
185 		if (*p != '\0')
186 			*p++ = '\0';
187 
188 		if (tTd(19, 1))
189 			sm_dprintf("%s: got arg %s=\"%s\"\n", which, kp,
190 				vp == NULL ? "<null>" : vp);
191 
192 		esmtp_args(addr_st, kp, vp, e);
193 		if (equal != NULL)
194 			*equal = '=';
195 		if (args != NULL)
196 			args[argno] = kp;
197 		argno++;
198 		if (argno >= MAXSMTPARGS - 1)
199 			usrerr("501 5.5.4 Too many parameters");
200 		if (Errors > 0)
201 			break;
202 	}
203 	if (args != NULL)
204 		args[argno] = NULL;
205 }
206 
207 #if _FFR_ADD_BCC
208 
209 /*
210 **  ADDRCPT -- Add a rcpt to sendq list
211 **
212 **	Parameters:
213 **		rcpt -- rcpt
214 **		sendq -- a pointer to the head of a queue to put
215 **			these people into.
216 **		e -- the envelope in which to add these recipients.
217 **
218 **	Returns:
219 **		The number of addresses added to the list.
220 */
221 
222 static int
223 addrcpt(rcpt, sendq, e)
224 	char *rcpt;
225 	ADDRESS **sendq;
226 	ENVELOPE *e;
227 {
228 	int r;
229 	char *oldto;
230 	ADDRESS *a;
231 
232 	SM_REQUIRE(rcpt != NULL);
233 	SM_REQUIRE(sendq != NULL);
234 	SM_REQUIRE(e != NULL);
235 	oldto = e->e_to;
236 	if (tTd(25, 1))
237 		sm_dprintf("addrcpt: rcpt=%s\n", rcpt);
238 	r = Errors;
239 	a = NULL;
240 	SM_TRY
241 	{
242 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e b");
243 		a = parseaddr(rcpt, NULLADDR, RF_COPYALL, ' ', NULL, e, true);
244 		if (a == NULL)
245 			return 0;
246 
247 		a->q_flags &= ~Q_PINGFLAGS;
248 		a->q_flags |= QINTBCC;
249 		a->q_owner = "<>";
250 
251 		/* disable alias expansion? */
252 		a = recipient(a, sendq, 0, e);
253 	}
254 	SM_FINALLY
255 	{
256 		e->e_to = oldto;
257 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
258 	}
259 	SM_END_TRY
260 	if (tTd(25, 1))
261 		sm_dprintf("addrcpt: rcpt=%s, flags=%#lx\n", rcpt,
262 			a != NULL ? a->q_flags : 0);
263 	Errors = r;
264 	return 1;
265 }
266 
267 /*
268 **  ADDBCC -- Maybe create a copy of an e-mail
269 **
270 **	Parameters:
271 **		a -- current RCPT
272 **		e -- the envelope.
273 **
274 **	Returns:
275 **		nothing
276 **
277 **	Side Effects:
278 **		rscheck() can trigger an "exception"
279 */
280 
281 static void
282 addbcc(a, e)
283 	ADDRESS *a;
284 	ENVELOPE *e;
285 {
286 	int nobcc;
287 	char *newrcpt, empty[1];
288 
289 	if (!AddBcc)
290 		return;
291 
292 	nobcc = false;
293 	empty[0] = '\0';
294 	newrcpt = empty;
295 
296 	nobcc = rscheck("bcc", a->q_paddr, NULL, e, RSF_ADDR, 12, NULL, NOQID,
297 			NULL, &newrcpt);
298 	if (tTd(25, 1))
299 		sm_dprintf("addbcc: nobcc=%d, Errors=%d, newrcpt=<%s>\n", nobcc, Errors, newrcpt);
300 	if (nobcc != EX_OK || Errors > 0 || *newrcpt == '\0')
301 		return;
302 
303 	(void) addrcpt(newrcpt, &e->e_sendqueue, e);
304 	return;
305 }
306 #else /* _FFR_ADD_BCC */
307 # define addbcc(a, e)
308 #endif /* _FFR_ADD_BCC */
309 
310 #if _FFR_RCPTFLAGS
311 /*
312 **  RCPTMODS -- Perform rcpt modifications if requested
313 **
314 **	Parameters:
315 **		rcpt -- current RCPT
316 **		e -- the envelope.
317 **
318 **	Returns:
319 **		nothing.
320 */
321 
322 void
323 rcptmods(rcpt, e)
324 	ADDRESS *rcpt;
325 	ENVELOPE *e;
326 {
327 	char *fl;
328 
329 	SM_REQUIRE(rcpt != NULL);
330 	SM_REQUIRE(e != NULL);
331 
332 	fl = macvalue(macid("{rcpt_flags}"), e);
333 	if (fl == NULL || *fl == '\0')
334 		return;
335 	if (tTd(25, 1))
336 		sm_dprintf("rcptmods: rcpt=%s, flags=%s\n", rcpt->q_paddr, fl);
337 
338 	/* parse flags */
339 	for ( ; *fl != '\0'; ++fl)
340 	{
341 		switch (*fl)
342 		{
343 		  case 'n':
344 			rcpt->q_flags &= ~Q_PINGFLAGS;
345 			rcpt->q_flags |= QINTBCC;
346 			rcpt->q_owner = "<>";
347 			break;
348 
349 		  case 'N':
350 			rcpt->q_flags &= ~Q_PINGFLAGS;
351 			rcpt->q_owner = "<>";
352 			break;
353 
354 		  case QDYNMAILFLG:
355 			rcpt->q_flags |= QDYNMAILER;
356 			newmodmailer(rcpt, *fl);
357 			break;
358 
359 		  default:
360 			sm_syslog(LOG_INFO, e->e_id,
361 				  "rcpt=%s, rcpt_flags=%s, status=unknown",
362 				  rcpt->q_paddr, fl);
363 			break;
364 		}
365 	}
366 
367 	/* reset macro to avoid confusion later on */
368 	macdefine(&e->e_macro, A_PERM, macid("{rcpt_flags}"), NULL);
369 
370 }
371 #else /* _FFR_RCPTFLAGS */
372 # define rcptmods(a, e)
373 #endif /* _FFR_RCPTFLAGS */
374 
375 /*
376 **  SMTP -- run the SMTP protocol.
377 **
378 **	Parameters:
379 **		nullserver -- if non-NULL, rejection message for
380 **			(almost) all SMTP commands.
381 **		d_flags -- daemon flags
382 **		e -- the envelope.
383 **
384 **	Returns:
385 **		never.
386 **
387 **	Side Effects:
388 **		Reads commands from the input channel and processes them.
389 */
390 
391 /*
392 **  Notice: The smtp server doesn't have a session context like the client
393 **	side has (mci). Therefore some data (session oriented) is allocated
394 **	or assigned to the "wrong" structure (esp. STARTTLS, AUTH).
395 **	This should be fixed in a successor version.
396 */
397 
398 struct cmd
399 {
400 	char	*cmd_name;	/* command name */
401 	int	cmd_code;	/* internal code, see below */
402 };
403 
404 /* values for cmd_code */
405 #define CMDERROR	0	/* bad command */
406 #define CMDMAIL	1	/* mail -- designate sender */
407 #define CMDRCPT	2	/* rcpt -- designate recipient */
408 #define CMDDATA	3	/* data -- send message text */
409 #define CMDRSET	4	/* rset -- reset state */
410 #define CMDVRFY	5	/* vrfy -- verify address */
411 #define CMDEXPN	6	/* expn -- expand address */
412 #define CMDNOOP	7	/* noop -- do nothing */
413 #define CMDQUIT	8	/* quit -- close connection and die */
414 #define CMDHELO	9	/* helo -- be polite */
415 #define CMDHELP	10	/* help -- give usage info */
416 #define CMDEHLO	11	/* ehlo -- extended helo (RFC 1425) */
417 #define CMDETRN	12	/* etrn -- flush queue */
418 #if SASL
419 # define CMDAUTH	13	/* auth -- SASL authenticate */
420 #endif /* SASL */
421 #if STARTTLS
422 # define CMDSTLS	14	/* STARTTLS -- start TLS session */
423 #endif /* STARTTLS */
424 /* non-standard commands */
425 #define CMDVERB	17	/* verb -- go into verbose mode */
426 /* unimplemented commands from RFC 821 */
427 #define CMDUNIMPL	19	/* unimplemented rfc821 commands */
428 /* use this to catch and log "door handle" attempts on your system */
429 #define CMDLOGBOGUS	23	/* bogus command that should be logged */
430 /* debugging-only commands, only enabled if SMTPDEBUG is defined */
431 #define CMDDBGQSHOW	24	/* showq -- show send queue */
432 #define CMDDBGDEBUG	25	/* debug -- set debug mode */
433 
434 /*
435 **  Note: If you change this list, remember to update 'helpfile'
436 */
437 
438 static struct cmd	CmdTab[] =
439 {
440 	{ "mail",	CMDMAIL		},
441 	{ "rcpt",	CMDRCPT		},
442 	{ "data",	CMDDATA		},
443 	{ "rset",	CMDRSET		},
444 	{ "vrfy",	CMDVRFY		},
445 	{ "expn",	CMDEXPN		},
446 	{ "help",	CMDHELP		},
447 	{ "noop",	CMDNOOP		},
448 	{ "quit",	CMDQUIT		},
449 	{ "helo",	CMDHELO		},
450 	{ "ehlo",	CMDEHLO		},
451 	{ "etrn",	CMDETRN		},
452 	{ "verb",	CMDVERB		},
453 	{ "send",	CMDUNIMPL	},
454 	{ "saml",	CMDUNIMPL	},
455 	{ "soml",	CMDUNIMPL	},
456 	{ "turn",	CMDUNIMPL	},
457 #if SASL
458 	{ "auth",	CMDAUTH,	},
459 #endif /* SASL */
460 #if STARTTLS
461 	{ "starttls",	CMDSTLS,	},
462 #endif /* STARTTLS */
463     /* remaining commands are here only to trap and log attempts to use them */
464 	{ "showq",	CMDDBGQSHOW	},
465 	{ "debug",	CMDDBGDEBUG	},
466 	{ "wiz",	CMDLOGBOGUS	},
467 
468 	{ NULL,		CMDERROR	}
469 };
470 
471 static char	*CurSmtpClient;		/* who's at the other end of channel */
472 
473 #ifndef MAXBADCOMMANDS
474 # define MAXBADCOMMANDS 25	/* maximum number of bad commands */
475 #endif /* ! MAXBADCOMMANDS */
476 #ifndef MAXHELOCOMMANDS
477 # define MAXHELOCOMMANDS 3	/* max HELO/EHLO commands before slowdown */
478 #endif /* ! MAXHELOCOMMANDS */
479 #ifndef MAXVRFYCOMMANDS
480 # define MAXVRFYCOMMANDS 6	/* max VRFY/EXPN commands before slowdown */
481 #endif /* ! MAXVRFYCOMMANDS */
482 #ifndef MAXETRNCOMMANDS
483 # define MAXETRNCOMMANDS 8	/* max ETRN commands before slowdown */
484 #endif /* ! MAXETRNCOMMANDS */
485 #ifndef MAXTIMEOUT
486 # define MAXTIMEOUT (4 * 60)	/* max timeout for bad commands */
487 #endif /* ! MAXTIMEOUT */
488 
489 /*
490 **  Maximum shift value to compute timeout for bad commands.
491 **  This introduces an upper limit of 2^MAXSHIFT for the timeout.
492 */
493 
494 #ifndef MAXSHIFT
495 # define MAXSHIFT 8
496 #endif /* ! MAXSHIFT */
497 #if MAXSHIFT > 31
498  ERROR _MAXSHIFT > 31 is invalid
499 #endif /* MAXSHIFT */
500 
501 
502 #if MAXBADCOMMANDS > 0
503 # define STOP_IF_ATTACK(r)	do		\
504 	{					\
505 		if ((r) == STOP_ATTACK)		\
506 			goto stopattack;	\
507 	} while (0)
508 
509 #else /* MAXBADCOMMANDS > 0 */
510 # define STOP_IF_ATTACK(r)	r
511 #endif /* MAXBADCOMMANDS > 0 */
512 
513 
514 #if SM_HEAP_CHECK
515 static SM_DEBUG_T DebugLeakSmtp = SM_DEBUG_INITIALIZER("leak_smtp",
516 	"@(#)$Debug: leak_smtp - trace memory leaks during SMTP processing $");
517 #endif /* SM_HEAP_CHECK */
518 
519 typedef struct
520 {
521 	bool		sm_gotmail;	/* mail command received */
522 	unsigned int	sm_nrcpts;	/* number of successful RCPT commands */
523 	bool		sm_discard;
524 #if MILTER
525 	bool		sm_milterize;
526 	bool		sm_milterlist;	/* any filters in the list? */
527 	milters_T	sm_milters;
528 
529 	/* e_nrcpts from envelope before recipient() call */
530 	unsigned int	sm_e_nrcpts_orig;
531 #endif /* MILTER */
532 	char		*sm_quarmsg;	/* carry quarantining across messages */
533 } SMTP_T;
534 
535 static bool	smtp_data __P((SMTP_T *, ENVELOPE *));
536 
537 #define MSG_TEMPFAIL "451 4.3.2 Please try again later"
538 
539 #if MILTER
540 # define MILTER_ABORT(e)	milter_abort((e))
541 
542 # define MILTER_REPLY(str)						\
543 	{								\
544 		int savelogusrerrs = LogUsrErrs;			\
545 									\
546 		milter_cmd_fail = true;					\
547 		switch (state)						\
548 		{							\
549 		  case SMFIR_SHUTDOWN:					\
550 			if (MilterLogLevel > 3)				\
551 			{						\
552 				sm_syslog(LOG_INFO, e->e_id,		\
553 					  "Milter: %s=%s, reject=421, errormode=4",	\
554 					  str, addr);			\
555 				LogUsrErrs = false;			\
556 			}						\
557 			{						\
558 				bool tsave = QuickAbort;		\
559 									\
560 				QuickAbort = false;			\
561 				usrerr("421 4.3.0 closing connection");	\
562 				QuickAbort = tsave;			\
563 				e->e_sendqueue = NULL;			\
564 				goto doquit;				\
565 			}						\
566 			break;						\
567 		  case SMFIR_REPLYCODE:					\
568 			if (MilterLogLevel > 3)				\
569 			{						\
570 				sm_syslog(LOG_INFO, e->e_id,		\
571 					  "Milter: %s=%s, reject=%s",	\
572 					  str, addr, response);		\
573 				LogUsrErrs = false;			\
574 			}						\
575 			if (strncmp(response, "421 ", 4) == 0		\
576 			    || strncmp(response, "421-", 4) == 0)	\
577 			{						\
578 				bool tsave = QuickAbort;		\
579 									\
580 				QuickAbort = false;			\
581 				usrerr(response);			\
582 				QuickAbort = tsave;			\
583 				e->e_sendqueue = NULL;			\
584 				goto doquit;				\
585 			}						\
586 			else						\
587 				usrerr(response);			\
588 			break;						\
589 									\
590 		  case SMFIR_REJECT:					\
591 			if (MilterLogLevel > 3)				\
592 			{						\
593 				sm_syslog(LOG_INFO, e->e_id,		\
594 					  "Milter: %s=%s, reject=550 5.7.1 Command rejected", \
595 					  str, addr);			\
596 				LogUsrErrs = false;			\
597 			}						\
598 			usrerr("550 5.7.1 Command rejected");		\
599 			break;						\
600 									\
601 		  case SMFIR_DISCARD:					\
602 			if (MilterLogLevel > 3)				\
603 				sm_syslog(LOG_INFO, e->e_id,		\
604 					  "Milter: %s=%s, discard",	\
605 					  str, addr);			\
606 			e->e_flags |= EF_DISCARD;			\
607 			milter_cmd_fail = false;			\
608 			break;						\
609 									\
610 		  case SMFIR_TEMPFAIL:					\
611 			if (MilterLogLevel > 3)				\
612 			{						\
613 				sm_syslog(LOG_INFO, e->e_id,		\
614 					  "Milter: %s=%s, reject=%s",	\
615 					  str, addr, MSG_TEMPFAIL);	\
616 				LogUsrErrs = false;			\
617 			}						\
618 			usrerr(MSG_TEMPFAIL);				\
619 			break;						\
620 		  default:						\
621 			milter_cmd_fail = false;			\
622 			break;						\
623 		}							\
624 		LogUsrErrs = savelogusrerrs;				\
625 		if (response != NULL)					\
626 			sm_free(response); /* XXX */			\
627 	}
628 
629 #else /* MILTER */
630 # define MILTER_ABORT(e)
631 #endif /* MILTER */
632 
633 /* clear all SMTP state (for HELO/EHLO/RSET) */
634 #define CLEAR_STATE(cmd)					\
635 do								\
636 {								\
637 	/* abort milter filters */				\
638 	MILTER_ABORT(e);					\
639 								\
640 	if (smtp.sm_nrcpts > 0)					\
641 	{							\
642 		logundelrcpts(e, cmd, 10, false);		\
643 		smtp.sm_nrcpts = 0;				\
644 		macdefine(&e->e_macro, A_PERM,			\
645 			  macid("{nrcpts}"), "0");		\
646 	}							\
647 								\
648 	e->e_sendqueue = NULL;					\
649 	e->e_flags |= EF_CLRQUEUE;				\
650 								\
651 	if (tTd(92, 2))						\
652 		sm_dprintf("CLEAR_STATE: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",\
653 			e->e_id, bitset(EF_LOGSENDER, e->e_flags), LogLevel);\
654 	if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))	\
655 		logsender(e, NULL);				\
656 	e->e_flags &= ~EF_LOGSENDER;				\
657 								\
658 	/* clean up a bit */					\
659 	smtp.sm_gotmail = false;				\
660 	SuprErrs = true;					\
661 	(void) dropenvelope(e, true, false);			\
662 	sm_rpool_free(e->e_rpool);				\
663 	e = newenvelope(e, CurEnv, sm_rpool_new_x(NULL));	\
664 	CurEnv = e;						\
665 	e->e_features = features;				\
666 								\
667 	/* put back discard bit */				\
668 	if (smtp.sm_discard)					\
669 		e->e_flags |= EF_DISCARD;			\
670 								\
671 	/* restore connection quarantining */			\
672 	if (smtp.sm_quarmsg == NULL)				\
673 	{							\
674 		e->e_quarmsg = NULL;				\
675 		macdefine(&e->e_macro, A_PERM,			\
676 			macid("{quarantine}"), "");		\
677 	}							\
678 	else							\
679 	{							\
680 		e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool,	\
681 						smtp.sm_quarmsg);	\
682 		macdefine(&e->e_macro, A_PERM, macid("{quarantine}"),	\
683 			  e->e_quarmsg);			\
684 	}							\
685 } while (0)
686 
687 /* sleep to flatten out connection load */
688 #define MIN_DELAY_LOG	15	/* wait before logging this again */
689 
690 /* is it worth setting the process title for 1s? */
691 #define DELAY_CONN(cmd)						\
692 	if (DelayLA > 0 && (CurrentLA = getla()) >= DelayLA)	\
693 	{							\
694 		time_t dnow;					\
695 								\
696 		sm_setproctitle(true, e,			\
697 				"%s: %s: delaying %s: load average: %d", \
698 				qid_printname(e), CurSmtpClient,	\
699 				cmd, DelayLA);	\
700 		if (LogLevel > 8 && (dnow = curtime()) > log_delay)	\
701 		{						\
702 			sm_syslog(LOG_INFO, e->e_id,		\
703 				  "delaying=%s, load average=%d >= %d",	\
704 				  cmd, CurrentLA, DelayLA);		\
705 			log_delay = dnow + MIN_DELAY_LOG;	\
706 		}						\
707 		(void) sleep(1);				\
708 		sm_setproctitle(true, e, "%s %s: %.80s",	\
709 				qid_printname(e), CurSmtpClient, inp);	\
710 	}
711 
712 /*
713 **  Determine the correct protocol keyword to use in the
714 **  Received: header, following RFC 3848.
715 */
716 
717 #if !STARTTLS
718 # define tls_active	false
719 #endif
720 #if SASL
721 # define auth_active	(authenticating == SASL_IS_AUTH)
722 #else
723 # define auth_active	false
724 #endif
725 #define GET_PROTOCOL()					\
726 	(auth_active					\
727 	    ? (tls_active ? "ESMTPSA" : "ESMTPA")	\
728 	    : (tls_active ? "ESMTPS"  : "ESMTP"))
729 
730 static bool SevenBitInput_Saved;	/* saved version of SevenBitInput */
731 
732 void
733 smtp(nullserver, d_flags, e)
734 	char *volatile nullserver;
735 	BITMAP256 d_flags;
736 	register ENVELOPE *volatile e;
737 {
738 	register char *volatile p;
739 	register struct cmd *volatile c = NULL;
740 	char *cmd;
741 	auto ADDRESS *vrfyqueue;
742 	ADDRESS *a;
743 	volatile bool gothello;		/* helo command received */
744 	bool vrfy;			/* set if this is a vrfy command */
745 	char *volatile protocol;	/* sending protocol */
746 	char *volatile sendinghost;	/* sending hostname */
747 	char *volatile peerhostname;	/* name of SMTP peer or "localhost" */
748 	auto char *delimptr;
749 	char *id;
750 	volatile unsigned int n_badcmds = 0;	/* count of bad commands */
751 	volatile unsigned int n_badrcpts = 0;	/* number of rejected RCPT */
752 	volatile unsigned int n_verifies = 0;	/* count of VRFY/EXPN */
753 	volatile unsigned int n_etrn = 0;	/* count of ETRN */
754 	volatile unsigned int n_noop = 0;	/* count of NOOP/VERB/etc */
755 	volatile unsigned int n_helo = 0;	/* count of HELO/EHLO */
756 	bool ok;
757 	volatile bool first;
758 	volatile bool tempfail = false;
759 	volatile time_t wt;		/* timeout after too many commands */
760 	volatile time_t previous;	/* time after checksmtpattack() */
761 	volatile bool lognullconnection = true;
762 	register char *q;
763 	SMTP_T smtp;
764 	char *addr;
765 	char *greetcode = "220";
766 	const char *greetmsg = "not accepting messages";
767 	char *hostname;			/* my hostname ($j) */
768 	QUEUE_CHAR *new;
769 	char *args[MAXSMTPARGS];
770 	char inp[MAXINPLINE];
771 #if MAXINPLINE < MAXLINE
772  ERROR _MAXINPLINE must NOT be less than _MAXLINE: MAXINPLINE < MAXLINE
773 #endif /* MAXINPLINE < MAXLINE */
774 	char cmdbuf[MAXLINE];
775 #if SASL
776 	sasl_conn_t *conn;
777 	volatile bool sasl_ok;
778 	volatile unsigned int n_auth = 0;	/* count of AUTH commands */
779 	bool ismore;
780 	int result;
781 	volatile int authenticating;
782 	char *user;
783 	char *in, *out2;
784 # if SASL >= 20000
785 	char *auth_id = NULL;
786 	const char *out;
787 	sasl_ssf_t ext_ssf;
788 	char localip[60], remoteip[60];
789 # else /* SASL >= 20000 */
790 	char *out;
791 	const char *errstr;
792 	sasl_external_properties_t ext_ssf;
793 	struct sockaddr_in saddr_l;
794 	struct sockaddr_in saddr_r;
795 # endif /* SASL >= 20000 */
796 	sasl_security_properties_t ssp;
797 	sasl_ssf_t *ssf;
798 	unsigned int inlen, out2len;
799 	unsigned int outlen;
800 	char *volatile auth_type;
801 	char *mechlist;
802 	volatile unsigned int n_mechs;
803 	unsigned int len;
804 #else /* SASL */
805 #endif /* SASL */
806 	int r;
807 #if STARTTLS
808 	int rfd, wfd;
809 	volatile bool tls_active = false;
810 	volatile bool smtps = bitnset(D_SMTPS, d_flags);
811 	bool saveQuickAbort;
812 	bool saveSuprErrs;
813 	time_t tlsstart;
814 #endif /* STARTTLS */
815 	volatile unsigned int features;
816 #if PIPELINING
817 # if _FFR_NO_PIPE
818 	int np_log = 0;
819 # endif /* _FFR_NO_PIPE */
820 #endif /* PIPELINING */
821 	volatile time_t log_delay = (time_t) 0;
822 #if MILTER
823 	volatile bool milter_cmd_done, milter_cmd_safe;
824 	volatile bool milter_rcpt_added, milter_cmd_fail;
825 	ADDRESS addr_st;
826 # define p_addr_st	&addr_st
827 #else /* MILTER */
828 # define p_addr_st	NULL
829 #endif /* MILTER */
830 	size_t inplen;
831 #if _FFR_BADRCPT_SHUTDOWN
832 	int n_badrcpts_adj;
833 #endif /* _FFR_BADRCPT_SHUTDOWN */
834 
835 	SevenBitInput_Saved = SevenBitInput;
836 	smtp.sm_nrcpts = 0;
837 #if MILTER
838 	smtp.sm_milterize = (nullserver == NULL);
839 	smtp.sm_milterlist = false;
840 	addr = NULL;
841 #endif /* MILTER */
842 
843 	/* setup I/O fd correctly for the SMTP server */
844 	setup_smtpd_io();
845 
846 #if SM_HEAP_CHECK
847 	if (sm_debug_active(&DebugLeakSmtp, 1))
848 	{
849 		sm_heap_newgroup();
850 		sm_dprintf("smtp() heap group #%d\n", sm_heap_group());
851 	}
852 #endif /* SM_HEAP_CHECK */
853 
854 	/* XXX the rpool should be set when e is initialized in main() */
855 	e->e_rpool = sm_rpool_new_x(NULL);
856 	e->e_macro.mac_rpool = e->e_rpool;
857 
858 	settime(e);
859 	sm_getla();
860 	peerhostname = RealHostName;
861 	if (peerhostname == NULL)
862 		peerhostname = "localhost";
863 	CurHostName = peerhostname;
864 	CurSmtpClient = macvalue('_', e);
865 	if (CurSmtpClient == NULL)
866 		CurSmtpClient = CurHostName;
867 
868 	/* check_relay may have set discard bit, save for later */
869 	smtp.sm_discard = bitset(EF_DISCARD, e->e_flags);
870 
871 #if PIPELINING
872 	/* auto-flush output when reading input */
873 	(void) sm_io_autoflush(InChannel, OutChannel);
874 #endif /* PIPELINING */
875 
876 	sm_setproctitle(true, e, "server %s startup", CurSmtpClient);
877 
878 	/* Set default features for server. */
879 	features = ((bitset(PRIV_NOETRN, PrivacyFlags) ||
880 		     bitnset(D_NOETRN, d_flags)) ? SRV_NONE : SRV_OFFER_ETRN)
881 		| (bitnset(D_AUTHREQ, d_flags) ? SRV_REQ_AUTH : SRV_NONE)
882 		| (bitset(PRIV_NOEXPN, PrivacyFlags) ? SRV_NONE
883 			: (SRV_OFFER_EXPN
884 			  | (bitset(PRIV_NOVERB, PrivacyFlags)
885 			     ? SRV_NONE : SRV_OFFER_VERB)))
886 		| ((bitset(PRIV_NORECEIPTS, PrivacyFlags) || !SendMIMEErrors)
887 			 ? SRV_NONE : SRV_OFFER_DSN)
888 #if SASL
889 		| (bitnset(D_NOAUTH, d_flags) ? SRV_NONE : SRV_OFFER_AUTH)
890 		| (bitset(SASL_SEC_NOPLAINTEXT, SASLOpts) ? SRV_REQ_SEC
891 							  : SRV_NONE)
892 #endif /* SASL */
893 #if PIPELINING
894 		| SRV_OFFER_PIPE
895 #endif /* PIPELINING */
896 #if STARTTLS
897 		| (bitnset(D_NOTLS, d_flags) ? SRV_NONE : SRV_OFFER_TLS)
898 		| (bitset(TLS_I_NO_VRFY, TLS_Srv_Opts) ? SRV_NONE
899 						       : SRV_VRFY_CLT)
900 #endif /* STARTTLS */
901 		;
902 	if (nullserver == NULL)
903 	{
904 		features = srvfeatures(e, CurSmtpClient, features);
905 		if (bitset(SRV_TMP_FAIL, features))
906 		{
907 			if (LogLevel > 4)
908 				sm_syslog(LOG_ERR, NOQID,
909 					  "ERROR: srv_features=tempfail, relay=%.100s, access temporarily disabled",
910 					  CurSmtpClient);
911 			nullserver = "450 4.3.0 Please try again later.";
912 		}
913 		else
914 		{
915 #if PIPELINING
916 # if _FFR_NO_PIPE
917 			if (bitset(SRV_NO_PIPE, features))
918 			{
919 				/* for consistency */
920 				features &= ~SRV_OFFER_PIPE;
921 			}
922 # endif /* _FFR_NO_PIPE */
923 #endif /* PIPELINING */
924 #if SASL
925 			if (bitset(SRV_REQ_SEC, features))
926 				SASLOpts |= SASL_SEC_NOPLAINTEXT;
927 			else
928 				SASLOpts &= ~SASL_SEC_NOPLAINTEXT;
929 #endif /* SASL */
930 		}
931 	}
932 	else if (strncmp(nullserver, "421 ", 4) == 0)
933 	{
934 		message(nullserver);
935 		goto doquit;
936 	}
937 
938 	e->e_features = features;
939 	hostname = macvalue('j', e);
940 #if SASL
941 	if (AuthRealm == NULL)
942 		AuthRealm = hostname;
943 	sasl_ok = bitset(SRV_OFFER_AUTH, features);
944 	n_mechs = 0;
945 	authenticating = SASL_NOT_AUTH;
946 
947 	/* SASL server new connection */
948 	if (sasl_ok)
949 	{
950 # if SASL >= 20000
951 		result = sasl_server_new("smtp", AuthRealm, NULL, NULL, NULL,
952 					 NULL, 0, &conn);
953 # elif SASL > 10505
954 		/* use empty realm: only works in SASL > 1.5.5 */
955 		result = sasl_server_new("smtp", AuthRealm, "", NULL, 0, &conn);
956 # else /* SASL >= 20000 */
957 		/* use no realm -> realm is set to hostname by SASL lib */
958 		result = sasl_server_new("smtp", AuthRealm, NULL, NULL, 0,
959 					 &conn);
960 # endif /* SASL >= 20000 */
961 		sasl_ok = result == SASL_OK;
962 		if (!sasl_ok)
963 		{
964 			if (LogLevel > 9)
965 				sm_syslog(LOG_WARNING, NOQID,
966 					  "AUTH error: sasl_server_new failed=%d",
967 					  result);
968 		}
969 	}
970 	if (sasl_ok)
971 	{
972 		/*
973 		**  SASL set properties for sasl
974 		**  set local/remote IP
975 		**  XXX Cyrus SASL v1 only supports IPv4
976 		**
977 		**  XXX where exactly are these used/required?
978 		**  Kerberos_v4
979 		*/
980 
981 # if SASL >= 20000
982 		localip[0] = remoteip[0] = '\0';
983 #  if NETINET || NETINET6
984 		in = macvalue(macid("{daemon_family}"), e);
985 		if (in != NULL && (
986 #   if NETINET6
987 		    strcmp(in, "inet6") == 0 ||
988 #   endif /* NETINET6 */
989 		    strcmp(in, "inet") == 0))
990 		{
991 			SOCKADDR_LEN_T addrsize;
992 			SOCKADDR saddr_l;
993 			SOCKADDR saddr_r;
994 
995 			addrsize = sizeof(saddr_r);
996 			if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
997 						      NULL),
998 					(struct sockaddr *) &saddr_r,
999 					&addrsize) == 0)
1000 			{
1001 				if (iptostring(&saddr_r, addrsize,
1002 					       remoteip, sizeof(remoteip)))
1003 				{
1004 					sasl_setprop(conn, SASL_IPREMOTEPORT,
1005 						     remoteip);
1006 				}
1007 				addrsize = sizeof(saddr_l);
1008 				if (getsockname(sm_io_getinfo(InChannel,
1009 							      SM_IO_WHAT_FD,
1010 							      NULL),
1011 						(struct sockaddr *) &saddr_l,
1012 						&addrsize) == 0)
1013 				{
1014 					if (iptostring(&saddr_l, addrsize,
1015 						       localip,
1016 						       sizeof(localip)))
1017 					{
1018 						sasl_setprop(conn,
1019 							     SASL_IPLOCALPORT,
1020 							     localip);
1021 					}
1022 				}
1023 			}
1024 		}
1025 #  endif /* NETINET || NETINET6 */
1026 # else /* SASL >= 20000 */
1027 #  if NETINET
1028 		in = macvalue(macid("{daemon_family}"), e);
1029 		if (in != NULL && strcmp(in, "inet") == 0)
1030 		{
1031 			SOCKADDR_LEN_T addrsize;
1032 
1033 			addrsize = sizeof(struct sockaddr_in);
1034 			if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
1035 						      NULL),
1036 					(struct sockaddr *)&saddr_r,
1037 					&addrsize) == 0)
1038 			{
1039 				sasl_setprop(conn, SASL_IP_REMOTE, &saddr_r);
1040 				addrsize = sizeof(struct sockaddr_in);
1041 				if (getsockname(sm_io_getinfo(InChannel,
1042 							      SM_IO_WHAT_FD,
1043 							      NULL),
1044 						(struct sockaddr *)&saddr_l,
1045 						&addrsize) == 0)
1046 					sasl_setprop(conn, SASL_IP_LOCAL,
1047 						     &saddr_l);
1048 			}
1049 		}
1050 #  endif /* NETINET */
1051 # endif /* SASL >= 20000 */
1052 
1053 		auth_type = NULL;
1054 		mechlist = NULL;
1055 		user = NULL;
1056 # if 0
1057 		macdefine(&BlankEnvelope.e_macro, A_PERM,
1058 			macid("{auth_author}"), NULL);
1059 # endif /* 0 */
1060 
1061 		/* set properties */
1062 		(void) memset(&ssp, '\0', sizeof(ssp));
1063 
1064 		/* XXX should these be options settable via .cf ? */
1065 		/* ssp.min_ssf = 0; is default due to memset() */
1066 		ssp.max_ssf = MaxSLBits;
1067 		ssp.maxbufsize = MAXOUTLEN;
1068 		ssp.security_flags = SASLOpts & SASL_SEC_MASK;
1069 		sasl_ok = sasl_setprop(conn, SASL_SEC_PROPS, &ssp) == SASL_OK;
1070 
1071 		if (sasl_ok)
1072 		{
1073 			/*
1074 			**  external security strength factor;
1075 			**	currently we have none so zero
1076 			*/
1077 
1078 # if SASL >= 20000
1079 			ext_ssf = 0;
1080 			auth_id = NULL;
1081 			sasl_ok = ((sasl_setprop(conn, SASL_SSF_EXTERNAL,
1082 						 &ext_ssf) == SASL_OK) &&
1083 				   (sasl_setprop(conn, SASL_AUTH_EXTERNAL,
1084 						 auth_id) == SASL_OK));
1085 # else /* SASL >= 20000 */
1086 			ext_ssf.ssf = 0;
1087 			ext_ssf.auth_id = NULL;
1088 			sasl_ok = sasl_setprop(conn, SASL_SSF_EXTERNAL,
1089 					       &ext_ssf) == SASL_OK;
1090 # endif /* SASL >= 20000 */
1091 		}
1092 		if (sasl_ok)
1093 			n_mechs = saslmechs(conn, &mechlist);
1094 	}
1095 #endif /* SASL */
1096 
1097 	(void) set_tls_rd_tmo(TimeOuts.to_nextcommand);
1098 
1099 #if MILTER
1100 	if (smtp.sm_milterize)
1101 	{
1102 		char state;
1103 
1104 		/* initialize mail filter connection */
1105 		smtp.sm_milterlist = milter_init(e, &state, &smtp.sm_milters);
1106 		switch (state)
1107 		{
1108 		  case SMFIR_REJECT:
1109 			if (MilterLogLevel > 3)
1110 				sm_syslog(LOG_INFO, e->e_id,
1111 					  "Milter: initialization failed, rejecting commands");
1112 			greetcode = "554";
1113 			nullserver = "Command rejected";
1114 			smtp.sm_milterize = false;
1115 			break;
1116 
1117 		  case SMFIR_TEMPFAIL:
1118 			if (MilterLogLevel > 3)
1119 				sm_syslog(LOG_INFO, e->e_id,
1120 					  "Milter: initialization failed, temp failing commands");
1121 			tempfail = true;
1122 			smtp.sm_milterize = false;
1123 			break;
1124 
1125 		  case SMFIR_SHUTDOWN:
1126 			if (MilterLogLevel > 3)
1127 				sm_syslog(LOG_INFO, e->e_id,
1128 					  "Milter: initialization failed, closing connection");
1129 			tempfail = true;
1130 			smtp.sm_milterize = false;
1131 			message("421 4.7.0 %s closing connection",
1132 					MyHostName);
1133 
1134 			/* arrange to ignore send list */
1135 			e->e_sendqueue = NULL;
1136 			lognullconnection = false;
1137 			goto doquit;
1138 		}
1139 	}
1140 
1141 	if (smtp.sm_milterlist && smtp.sm_milterize &&
1142 	    !bitset(EF_DISCARD, e->e_flags))
1143 	{
1144 		char state;
1145 		char *response;
1146 
1147 		q = macvalue(macid("{client_name}"), e);
1148 		SM_ASSERT(q != NULL || OpMode == MD_SMTP);
1149 		if (q == NULL)
1150 			q = "localhost";
1151 		response = milter_connect(q, RealHostAddr, e, &state);
1152 		switch (state)
1153 		{
1154 #if _FFR_MILTER_CONNECT_REPLYCODE
1155 		  case SMFIR_REPLYCODE:
1156 			if (*response == '5')
1157 			{
1158 				if (MilterLogLevel > 3)
1159 					sm_syslog(LOG_INFO, e->e_id,
1160 						  "Milter: connect: host=%s, addr=%s, reject=%s",
1161 						  peerhostname,
1162 						  anynet_ntoa(&RealHostAddr),
1163 						  response);
1164 				greetcode = "554"; /* Required by 2821 3.1 */
1165 				nullserver = newstr(response);
1166 				if (strlen(nullserver) > 4)
1167 				{
1168 					int skip;
1169 
1170 					greetmsg = nullserver + 4;
1171 
1172 					/* skip over enhanced status code */
1173 					skip = isenhsc(greetmsg, ' ');
1174 					if (skip > 0)
1175 						greetmsg += skip + 1;
1176 				}
1177 				smtp.sm_milterize = false;
1178 				break;
1179 			}
1180 			else if (strncmp(response, "421 ", 4) == 0)
1181 			{
1182 				int skip;
1183 				const char *msg = response + 4;
1184 
1185 				if (MilterLogLevel > 3)
1186 					sm_syslog(LOG_INFO, e->e_id,
1187 						  "Milter: connect: host=%s, addr=%s, shutdown=%s",
1188 						  peerhostname,
1189 						  anynet_ntoa(&RealHostAddr),
1190 						  response);
1191 				tempfail = true;
1192 				smtp.sm_milterize = false;
1193 
1194 				/* skip over enhanced status code */
1195 				skip = isenhsc(msg, ' ');
1196 				if (skip > 0)
1197 					msg += skip + 1;
1198 				message("421 %s %s", MyHostName, msg);
1199 
1200 				/* arrange to ignore send list */
1201 				e->e_sendqueue = NULL;
1202 				goto doquit;
1203 			}
1204 			else
1205 			{
1206 				if (MilterLogLevel > 3)
1207 					sm_syslog(LOG_INFO, e->e_id,
1208 						  "Milter: connect: host=%s, addr=%s, temp failing commands=%s",
1209 						  peerhostname,
1210 						  anynet_ntoa(&RealHostAddr),
1211 						  response);
1212 				/*tempfail = true;*/
1213 				smtp.sm_milterize = false;
1214 				nullserver = newstr(response);
1215 				break;
1216 			}
1217 
1218 #else /* _FFR_MILTER_CONNECT_REPLYCODE */
1219 		  case SMFIR_REPLYCODE:	/* REPLYCODE shouldn't happen */
1220 #endif /* _FFR_MILTER_CONNECT_REPLYCODE */
1221 		  case SMFIR_REJECT:
1222 			if (MilterLogLevel > 3)
1223 				sm_syslog(LOG_INFO, e->e_id,
1224 					  "Milter: connect: host=%s, addr=%s, rejecting commands",
1225 					  peerhostname,
1226 					  anynet_ntoa(&RealHostAddr));
1227 			greetcode = "554";
1228 			nullserver = "Command rejected";
1229 			smtp.sm_milterize = false;
1230 			break;
1231 
1232 		  case SMFIR_TEMPFAIL:
1233 			if (MilterLogLevel > 3)
1234 				sm_syslog(LOG_INFO, e->e_id,
1235 					  "Milter: connect: host=%s, addr=%s, temp failing commands",
1236 					  peerhostname,
1237 					  anynet_ntoa(&RealHostAddr));
1238 			tempfail = true;
1239 			smtp.sm_milterize = false;
1240 			break;
1241 
1242 		  case SMFIR_SHUTDOWN:
1243 			if (MilterLogLevel > 3)
1244 				sm_syslog(LOG_INFO, e->e_id,
1245 					  "Milter: connect: host=%s, addr=%s, shutdown",
1246 					  peerhostname,
1247 					  anynet_ntoa(&RealHostAddr));
1248 			tempfail = true;
1249 			smtp.sm_milterize = false;
1250 			message("421 4.7.0 %s closing connection",
1251 					MyHostName);
1252 
1253 			/* arrange to ignore send list */
1254 			e->e_sendqueue = NULL;
1255 			goto doquit;
1256 		}
1257 		if (response != NULL)
1258 			sm_free(response);
1259 	}
1260 #endif /* MILTER */
1261 
1262 	/*
1263 	**  Broken proxies and SMTP slammers
1264 	**  push data without waiting, catch them
1265 	*/
1266 
1267 	if (
1268 #if STARTTLS
1269 	    !smtps &&
1270 #endif /* STARTTLS */
1271 	    *greetcode == '2' && nullserver == NULL)
1272 	{
1273 		time_t msecs = 0;
1274 		char **pvp;
1275 		char pvpbuf[PSBUFSIZE];
1276 
1277 		/* Ask the rulesets how long to pause */
1278 		pvp = NULL;
1279 		r = rscap("greet_pause", peerhostname,
1280 			  anynet_ntoa(&RealHostAddr), e,
1281 			  &pvp, pvpbuf, sizeof(pvpbuf));
1282 		if (r == EX_OK && pvp != NULL && pvp[0] != NULL &&
1283 		    (pvp[0][0] & 0377) == CANONNET && pvp[1] != NULL)
1284 		{
1285 			msecs = strtol(pvp[1], NULL, 10);
1286 		}
1287 
1288 		if (msecs > 0)
1289 		{
1290 			int fd;
1291 			fd_set readfds;
1292 			struct timeval timeout;
1293 			struct timeval bp, ep, tp; /* {begin,end,total}pause */
1294 			int eoftest;
1295 
1296 			/* pause for a moment */
1297 			timeout.tv_sec = msecs / 1000;
1298 			timeout.tv_usec = (msecs % 1000) * 1000;
1299 
1300 			/* Obey RFC 2821: 4.3.5.2: 220 timeout of 5 minutes */
1301 			if (timeout.tv_sec >= 300)
1302 			{
1303 				timeout.tv_sec = 300;
1304 				timeout.tv_usec = 0;
1305 			}
1306 
1307 			/* check if data is on the socket during the pause */
1308 			fd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
1309 			FD_ZERO(&readfds);
1310 			SM_FD_SET(fd, &readfds);
1311 			gettimeofday(&bp, NULL);
1312 			if (select(fd + 1, FDSET_CAST &readfds,
1313 			    NULL, NULL, &timeout) > 0 &&
1314 			    FD_ISSET(fd, &readfds) &&
1315 			    (eoftest = sm_io_getc(InChannel, SM_TIME_DEFAULT))
1316 			    != SM_IO_EOF)
1317 			{
1318 				sm_io_ungetc(InChannel, SM_TIME_DEFAULT,
1319 					     eoftest);
1320 				gettimeofday(&ep, NULL);
1321 				timersub(&ep, &bp, &tp);
1322 				greetcode = "554";
1323 				nullserver = "Command rejected";
1324 				sm_syslog(LOG_INFO, e->e_id,
1325 					  "rejecting commands from %s [%s] due to pre-greeting traffic after %d seconds",
1326 					  peerhostname,
1327 					  anynet_ntoa(&RealHostAddr),
1328 					  (int) tp.tv_sec +
1329 						(tp.tv_usec >= 500000 ? 1 : 0)
1330 					 );
1331 			}
1332 		}
1333 	}
1334 
1335 #if STARTTLS
1336 	/* If this an smtps connection, start TLS now */
1337 	if (smtps)
1338 	{
1339 		Errors = 0;
1340 		goto starttls;
1341 	}
1342 
1343   greeting:
1344 
1345 #endif /* STARTTLS */
1346 
1347 	/* output the first line, inserting "ESMTP" as second word */
1348 	if (*greetcode == '5')
1349 		(void) sm_snprintf(inp, sizeof(inp), "%s %s", hostname,
1350 				   greetmsg);
1351 	else
1352 		expand(SmtpGreeting, inp, sizeof(inp), e);
1353 
1354 	p = strchr(inp, '\n');
1355 	if (p != NULL)
1356 		*p++ = '\0';
1357 	id = strchr(inp, ' ');
1358 	if (id == NULL)
1359 		id = &inp[strlen(inp)];
1360 	if (p == NULL)
1361 		(void) sm_snprintf(cmdbuf, sizeof(cmdbuf),
1362 			 "%s %%.*s ESMTP%%s", greetcode);
1363 	else
1364 		(void) sm_snprintf(cmdbuf, sizeof(cmdbuf),
1365 			 "%s-%%.*s ESMTP%%s", greetcode);
1366 	message(cmdbuf, (int) (id - inp), inp, id);
1367 
1368 	/* output remaining lines */
1369 	while ((id = p) != NULL && (p = strchr(id, '\n')) != NULL)
1370 	{
1371 		*p++ = '\0';
1372 		if (isascii(*id) && isspace(*id))
1373 			id++;
1374 		(void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, "-%s");
1375 		message(cmdbuf, id);
1376 	}
1377 	if (id != NULL)
1378 	{
1379 		if (isascii(*id) && isspace(*id))
1380 			id++;
1381 		(void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, " %s");
1382 		message(cmdbuf, id);
1383 	}
1384 
1385 	protocol = NULL;
1386 	sendinghost = macvalue('s', e);
1387 
1388 	/* If quarantining by a connect/ehlo action, save between messages */
1389 	if (e->e_quarmsg == NULL)
1390 		smtp.sm_quarmsg = NULL;
1391 	else
1392 		smtp.sm_quarmsg = newstr(e->e_quarmsg);
1393 
1394 	/* sendinghost's storage must outlive the current envelope */
1395 	if (sendinghost != NULL)
1396 		sendinghost = sm_strdup_x(sendinghost);
1397 	first = true;
1398 	gothello = false;
1399 	smtp.sm_gotmail = false;
1400 	for (;;)
1401 	{
1402 	    SM_TRY
1403 	    {
1404 		QuickAbort = false;
1405 		HoldErrs = false;
1406 		SuprErrs = false;
1407 		LogUsrErrs = false;
1408 		OnlyOneError = true;
1409 		e->e_flags &= ~(EF_VRFYONLY|EF_GLOBALERRS);
1410 #if MILTER
1411 		milter_cmd_fail = false;
1412 #endif /* MILTER */
1413 
1414 		/* setup for the read */
1415 		e->e_to = NULL;
1416 		Errors = 0;
1417 		FileName = NULL;
1418 		(void) sm_io_flush(smioout, SM_TIME_DEFAULT);
1419 
1420 		/* read the input line */
1421 		SmtpPhase = "server cmd read";
1422 		sm_setproctitle(true, e, "server %s cmd read", CurSmtpClient);
1423 
1424 		/* handle errors */
1425 		if (sm_io_error(OutChannel) ||
1426 		    (p = sfgets(inp, sizeof(inp), InChannel,
1427 				TimeOuts.to_nextcommand, SmtpPhase)) == NULL)
1428 		{
1429 			char *d;
1430 
1431 			d = macvalue(macid("{daemon_name}"), e);
1432 			if (d == NULL)
1433 				d = "stdin";
1434 			/* end of file, just die */
1435 			disconnect(1, e);
1436 
1437 #if MILTER
1438 			/* close out milter filters */
1439 			milter_quit(e);
1440 #endif /* MILTER */
1441 
1442 			message("421 4.4.1 %s Lost input channel from %s",
1443 				MyHostName, CurSmtpClient);
1444 			if (LogLevel > (smtp.sm_gotmail ? 1 : 19))
1445 				sm_syslog(LOG_NOTICE, e->e_id,
1446 					  "lost input channel from %s to %s after %s",
1447 					  CurSmtpClient, d,
1448 					  (c == NULL || c->cmd_name == NULL) ? "startup" : c->cmd_name);
1449 			/*
1450 			**  If have not accepted mail (DATA), do not bounce
1451 			**  bad addresses back to sender.
1452 			*/
1453 
1454 			if (bitset(EF_CLRQUEUE, e->e_flags))
1455 				e->e_sendqueue = NULL;
1456 			goto doquit;
1457 		}
1458 
1459 		/* also used by "proxy" check below */
1460 		inplen = strlen(inp);
1461 #if SASL
1462 		/*
1463 		**  SMTP AUTH requires accepting any length,
1464 		**  at least for challenge/response. However, not imposing
1465 		**  a limit is a bad idea (denial of service).
1466 		*/
1467 
1468 		if (authenticating != SASL_PROC_AUTH
1469 		    && sm_strncasecmp(inp, "AUTH ", 5) != 0
1470 		    && inplen > MAXLINE)
1471 		{
1472 			message("421 4.7.0 %s Command too long, possible attack %s",
1473 				MyHostName, CurSmtpClient);
1474 			sm_syslog(LOG_INFO, e->e_id,
1475 				  "%s: SMTP violation, input too long: %lu",
1476 				  CurSmtpClient, (unsigned long) inplen);
1477 			goto doquit;
1478 		}
1479 #endif /* SASL */
1480 
1481 		if (first)
1482 		{
1483 			size_t cmdlen;
1484 			int idx;
1485 			char *http_cmd;
1486 			static char *http_cmds[] = { "GET", "POST",
1487 						     "CONNECT", "USER", NULL };
1488 
1489 			for (idx = 0; (http_cmd = http_cmds[idx]) != NULL;
1490 			     idx++)
1491 			{
1492 				cmdlen = strlen(http_cmd);
1493 				if (cmdlen < inplen &&
1494 				    sm_strncasecmp(inp, http_cmd, cmdlen) == 0 &&
1495 				    isascii(inp[cmdlen]) && isspace(inp[cmdlen]))
1496 				{
1497 					/* Open proxy, drop it */
1498 					message("421 4.7.0 %s Rejecting open proxy %s",
1499 						MyHostName, CurSmtpClient);
1500 					sm_syslog(LOG_INFO, e->e_id,
1501 						  "%s: probable open proxy: command=%.40s",
1502 						  CurSmtpClient, inp);
1503 					goto doquit;
1504 				}
1505 			}
1506 			first = false;
1507 		}
1508 
1509 		/* clean up end of line */
1510 		fixcrlf(inp, true);
1511 
1512 #if PIPELINING
1513 # if _FFR_NO_PIPE
1514 		/*
1515 		**  if there is more input and pipelining is disabled:
1516 		**	delay ... (and maybe discard the input?)
1517 		**  XXX this doesn't really work, at least in tests using
1518 		**  telnet SM_IO_IS_READABLE only returns 1 if there were
1519 		**  more than 2 input lines available.
1520 		*/
1521 
1522 		if (bitset(SRV_NO_PIPE, features) &&
1523 		    sm_io_getinfo(InChannel, SM_IO_IS_READABLE, NULL) > 0)
1524 		{
1525 			if (++np_log < 3)
1526 				sm_syslog(LOG_INFO, NOQID,
1527 					  "unauthorized PIPELINING, sleeping, relay=%.100s",
1528 					   CurSmtpClient);
1529 			sleep(1);
1530 		}
1531 
1532 # endif /* _FFR_NO_PIPE */
1533 #endif /* PIPELINING */
1534 
1535 #if SASL
1536 		if (authenticating == SASL_PROC_AUTH)
1537 		{
1538 # if 0
1539 			if (*inp == '\0')
1540 			{
1541 				authenticating = SASL_NOT_AUTH;
1542 				message("501 5.5.2 missing input");
1543 				RESET_SASLCONN;
1544 				continue;
1545 			}
1546 # endif /* 0 */
1547 			if (*inp == '*' && *(inp + 1) == '\0')
1548 			{
1549 				authenticating = SASL_NOT_AUTH;
1550 
1551 				/* RFC 2554 4. */
1552 				message("501 5.0.0 AUTH aborted");
1553 				RESET_SASLCONN;
1554 				continue;
1555 			}
1556 
1557 			/* could this be shorter? XXX */
1558 # if SASL >= 20000
1559 			in = xalloc(strlen(inp) + 1);
1560 			result = sasl_decode64(inp, strlen(inp), in,
1561 					       strlen(inp), &inlen);
1562 # else /* SASL >= 20000 */
1563 			out = xalloc(strlen(inp));
1564 			result = sasl_decode64(inp, strlen(inp), out, &outlen);
1565 # endif /* SASL >= 20000 */
1566 			if (result != SASL_OK)
1567 			{
1568 				authenticating = SASL_NOT_AUTH;
1569 
1570 				/* RFC 2554 4. */
1571 				message("501 5.5.4 cannot decode AUTH parameter %s",
1572 					inp);
1573 # if SASL >= 20000
1574 				sm_free(in);
1575 # endif /* SASL >= 20000 */
1576 				RESET_SASLCONN;
1577 				continue;
1578 			}
1579 
1580 # if SASL >= 20000
1581 			result = sasl_server_step(conn,	in, inlen,
1582 						  &out, &outlen);
1583 			sm_free(in);
1584 # else /* SASL >= 20000 */
1585 			result = sasl_server_step(conn,	out, outlen,
1586 						  &out, &outlen, &errstr);
1587 # endif /* SASL >= 20000 */
1588 
1589 			/* get an OK if we're done */
1590 			if (result == SASL_OK)
1591 			{
1592   authenticated:
1593 				message("235 2.0.0 OK Authenticated");
1594 				authenticating = SASL_IS_AUTH;
1595 				macdefine(&BlankEnvelope.e_macro, A_TEMP,
1596 					macid("{auth_type}"), auth_type);
1597 
1598 # if SASL >= 20000
1599 				user = macvalue(macid("{auth_authen}"), e);
1600 
1601 				/* get security strength (features) */
1602 				result = sasl_getprop(conn, SASL_SSF,
1603 						      (const void **) &ssf);
1604 # else /* SASL >= 20000 */
1605 				result = sasl_getprop(conn, SASL_USERNAME,
1606 						      (void **)&user);
1607 				if (result != SASL_OK)
1608 				{
1609 					user = "";
1610 					macdefine(&BlankEnvelope.e_macro,
1611 						  A_PERM,
1612 						  macid("{auth_authen}"), NULL);
1613 				}
1614 				else
1615 				{
1616 					macdefine(&BlankEnvelope.e_macro,
1617 						  A_TEMP,
1618 						  macid("{auth_authen}"),
1619 						  xtextify(user, "<>\")"));
1620 				}
1621 
1622 # if 0
1623 				/* get realm? */
1624 				sasl_getprop(conn, SASL_REALM, (void **) &data);
1625 # endif /* 0 */
1626 
1627 				/* get security strength (features) */
1628 				result = sasl_getprop(conn, SASL_SSF,
1629 						      (void **) &ssf);
1630 # endif /* SASL >= 20000 */
1631 				if (result != SASL_OK)
1632 				{
1633 					macdefine(&BlankEnvelope.e_macro,
1634 						  A_PERM,
1635 						  macid("{auth_ssf}"), "0");
1636 					ssf = NULL;
1637 				}
1638 				else
1639 				{
1640 					char pbuf[8];
1641 
1642 					(void) sm_snprintf(pbuf, sizeof(pbuf),
1643 							   "%u", *ssf);
1644 					macdefine(&BlankEnvelope.e_macro,
1645 						  A_TEMP,
1646 						  macid("{auth_ssf}"), pbuf);
1647 					if (tTd(95, 8))
1648 						sm_dprintf("AUTH auth_ssf: %u\n",
1649 							   *ssf);
1650 				}
1651 
1652 				protocol = GET_PROTOCOL();
1653 
1654 				/*
1655 				**  Only switch to encrypted connection
1656 				**  if a security layer has been negotiated
1657 				*/
1658 
1659 				if (ssf != NULL && *ssf > 0)
1660 				{
1661 					int tmo;
1662 
1663 					/*
1664 					**  Convert I/O layer to use SASL.
1665 					**  If the call fails, the connection
1666 					**  is aborted.
1667 					*/
1668 
1669 					tmo = TimeOuts.to_datablock * 1000;
1670 					if (sfdcsasl(&InChannel, &OutChannel,
1671 						     conn, tmo) == 0)
1672 					{
1673 						/* restart dialogue */
1674 						n_helo = 0;
1675 # if PIPELINING
1676 						(void) sm_io_autoflush(InChannel,
1677 								       OutChannel);
1678 # endif /* PIPELINING */
1679 					}
1680 					else
1681 						syserr("503 5.3.3 SASL TLS failed");
1682 				}
1683 
1684 				/* NULL pointer ok since it's our function */
1685 				if (LogLevel > 8)
1686 					sm_syslog(LOG_INFO, NOQID,
1687 						  "AUTH=server, relay=%s, authid=%.128s, mech=%.16s, bits=%d",
1688 						  CurSmtpClient,
1689 						  shortenstring(user, 128),
1690 						  auth_type, *ssf);
1691 			}
1692 			else if (result == SASL_CONTINUE)
1693 			{
1694 				len = ENC64LEN(outlen);
1695 				out2 = xalloc(len);
1696 				result = sasl_encode64(out, outlen, out2, len,
1697 						       &out2len);
1698 				if (result != SASL_OK)
1699 				{
1700 					/* correct code? XXX */
1701 					/* 454 Temp. authentication failure */
1702 					message("454 4.5.4 Internal error: unable to encode64");
1703 					if (LogLevel > 5)
1704 						sm_syslog(LOG_WARNING, e->e_id,
1705 							  "AUTH encode64 error [%d for \"%s\"], relay=%.100s",
1706 							  result, out,
1707 							  CurSmtpClient);
1708 					/* start over? */
1709 					authenticating = SASL_NOT_AUTH;
1710 				}
1711 				else
1712 				{
1713 					message("334 %s", out2);
1714 					if (tTd(95, 2))
1715 						sm_dprintf("AUTH continue: msg='%s' len=%u\n",
1716 							   out2, out2len);
1717 				}
1718 # if SASL >= 20000
1719 				sm_free(out2);
1720 # endif /* SASL >= 20000 */
1721 			}
1722 			else
1723 			{
1724 				/* not SASL_OK or SASL_CONT */
1725 				message("535 5.7.0 authentication failed");
1726 				if (LogLevel > 9)
1727 					sm_syslog(LOG_WARNING, e->e_id,
1728 						  "AUTH failure (%s): %s (%d) %s, relay=%.100s",
1729 						  auth_type,
1730 						  sasl_errstring(result, NULL,
1731 								 NULL),
1732 						  result,
1733 # if SASL >= 20000
1734 						  sasl_errdetail(conn),
1735 # else /* SASL >= 20000 */
1736 						  errstr == NULL ? "" : errstr,
1737 # endif /* SASL >= 20000 */
1738 						  CurSmtpClient);
1739 				RESET_SASLCONN;
1740 				authenticating = SASL_NOT_AUTH;
1741 			}
1742 		}
1743 		else
1744 		{
1745 			/* don't want to do any of this if authenticating */
1746 #endif /* SASL */
1747 
1748 		/* echo command to transcript */
1749 		if (e->e_xfp != NULL)
1750 			(void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
1751 					     "<<< %s\n", inp);
1752 
1753 		if (LogLevel > 14)
1754 			sm_syslog(LOG_INFO, e->e_id, "<-- %s", inp);
1755 
1756 		/* break off command */
1757 		for (p = inp; isascii(*p) && isspace(*p); p++)
1758 			continue;
1759 		cmd = cmdbuf;
1760 		while (*p != '\0' &&
1761 		       !(isascii(*p) && isspace(*p)) &&
1762 		       cmd < &cmdbuf[sizeof(cmdbuf) - 2])
1763 			*cmd++ = *p++;
1764 		*cmd = '\0';
1765 
1766 		/* throw away leading whitespace */
1767 		SKIP_SPACE(p);
1768 
1769 		/* decode command */
1770 		for (c = CmdTab; c->cmd_name != NULL; c++)
1771 		{
1772 			if (sm_strcasecmp(c->cmd_name, cmdbuf) == 0)
1773 				break;
1774 		}
1775 
1776 		/* reset errors */
1777 		errno = 0;
1778 
1779 		/* check whether a "non-null" command has been used */
1780 		switch (c->cmd_code)
1781 		{
1782 #if SASL
1783 		  case CMDAUTH:
1784 			/* avoid information leak; take first two words? */
1785 			q = "AUTH";
1786 			break;
1787 #endif /* SASL */
1788 
1789 		  case CMDMAIL:
1790 		  case CMDEXPN:
1791 		  case CMDVRFY:
1792 		  case CMDETRN:
1793 			lognullconnection = false;
1794 			/* FALLTHROUGH */
1795 		  default:
1796 			q = inp;
1797 			break;
1798 		}
1799 
1800 		if (e->e_id == NULL)
1801 			sm_setproctitle(true, e, "%s: %.80s",
1802 					CurSmtpClient, q);
1803 		else
1804 			sm_setproctitle(true, e, "%s %s: %.80s",
1805 					qid_printname(e),
1806 					CurSmtpClient, q);
1807 
1808 		/*
1809 		**  Process command.
1810 		**
1811 		**	If we are running as a null server, return 550
1812 		**	to almost everything.
1813 		*/
1814 
1815 		if (nullserver != NULL || bitnset(D_ETRNONLY, d_flags))
1816 		{
1817 			switch (c->cmd_code)
1818 			{
1819 			  case CMDQUIT:
1820 			  case CMDHELO:
1821 			  case CMDEHLO:
1822 			  case CMDNOOP:
1823 			  case CMDRSET:
1824 			  case CMDERROR:
1825 				/* process normally */
1826 				break;
1827 
1828 			  case CMDETRN:
1829 				if (bitnset(D_ETRNONLY, d_flags) &&
1830 				    nullserver == NULL)
1831 					break;
1832 				DELAY_CONN("ETRN");
1833 				/* FALLTHROUGH */
1834 
1835 			  default:
1836 #if MAXBADCOMMANDS > 0
1837 				/* theoretically this could overflow */
1838 				if (nullserver != NULL &&
1839 				    ++n_badcmds > MAXBADCOMMANDS)
1840 				{
1841 					message("421 4.7.0 %s Too many bad commands; closing connection",
1842 						MyHostName);
1843 
1844 					/* arrange to ignore send list */
1845 					e->e_sendqueue = NULL;
1846 					goto doquit;
1847 				}
1848 #endif /* MAXBADCOMMANDS > 0 */
1849 				if (nullserver != NULL)
1850 				{
1851 					if (ISSMTPREPLY(nullserver))
1852 						usrerr(nullserver);
1853 					else
1854 						usrerr("550 5.0.0 %s",
1855 						       nullserver);
1856 				}
1857 				else
1858 					usrerr("452 4.4.5 Insufficient disk space; try again later");
1859 				continue;
1860 			}
1861 		}
1862 
1863 		switch (c->cmd_code)
1864 		{
1865 #if SASL
1866 		  case CMDAUTH: /* sasl */
1867 			DELAY_CONN("AUTH");
1868 			if (!sasl_ok || n_mechs <= 0)
1869 			{
1870 				message("503 5.3.3 AUTH not available");
1871 				break;
1872 			}
1873 			if (authenticating == SASL_IS_AUTH)
1874 			{
1875 				message("503 5.5.0 Already Authenticated");
1876 				break;
1877 			}
1878 			if (smtp.sm_gotmail)
1879 			{
1880 				message("503 5.5.0 AUTH not permitted during a mail transaction");
1881 				break;
1882 			}
1883 			if (tempfail)
1884 			{
1885 				if (LogLevel > 9)
1886 					sm_syslog(LOG_INFO, e->e_id,
1887 						  "SMTP AUTH command (%.100s) from %s tempfailed (due to previous checks)",
1888 						  p, CurSmtpClient);
1889 				usrerr("454 4.3.0 Please try again later");
1890 				break;
1891 			}
1892 
1893 			ismore = false;
1894 
1895 			/* crude way to avoid crack attempts */
1896 			STOP_IF_ATTACK(checksmtpattack(&n_auth, n_mechs + 1,
1897 							true, "AUTH", e));
1898 
1899 			/* make sure mechanism (p) is a valid string */
1900 			for (q = p; *q != '\0' && isascii(*q); q++)
1901 			{
1902 				if (isspace(*q))
1903 				{
1904 					*q = '\0';
1905 					while (*++q != '\0' &&
1906 					       isascii(*q) && isspace(*q))
1907 						continue;
1908 					*(q - 1) = '\0';
1909 					ismore = (*q != '\0');
1910 					break;
1911 				}
1912 			}
1913 
1914 			if (*p == '\0')
1915 			{
1916 				message("501 5.5.2 AUTH mechanism must be specified");
1917 				break;
1918 			}
1919 
1920 			/* check whether mechanism is available */
1921 			if (iteminlist(p, mechlist, " ") == NULL)
1922 			{
1923 				message("504 5.3.3 AUTH mechanism %.32s not available",
1924 					p);
1925 				break;
1926 			}
1927 
1928 			/*
1929 			**  RFC 2554 4.
1930 			**  Unlike a zero-length client answer to a
1931 			**  334 reply, a zero- length initial response
1932 			**  is sent as a single equals sign ("=").
1933 			*/
1934 
1935 			if (ismore && *q == '=' && *(q + 1) == '\0')
1936 			{
1937 				/* will be free()d, don't use in=""; */
1938 				in = xalloc(1);
1939 				*in = '\0';
1940 				inlen = 0;
1941 			}
1942 			else if (ismore)
1943 			{
1944 				/* could this be shorter? XXX */
1945 # if SASL >= 20000
1946 				in = xalloc(strlen(q) + 1);
1947 				result = sasl_decode64(q, strlen(q), in,
1948 						       strlen(q), &inlen);
1949 # else /* SASL >= 20000 */
1950 				in = sm_rpool_malloc(e->e_rpool, strlen(q));
1951 				result = sasl_decode64(q, strlen(q), in,
1952 						       &inlen);
1953 # endif /* SASL >= 20000 */
1954 				if (result != SASL_OK)
1955 				{
1956 					message("501 5.5.4 cannot BASE64 decode '%s'",
1957 						q);
1958 					if (LogLevel > 5)
1959 						sm_syslog(LOG_WARNING, e->e_id,
1960 							  "AUTH decode64 error [%d for \"%s\"], relay=%.100s",
1961 							  result, q,
1962 							  CurSmtpClient);
1963 					/* start over? */
1964 					authenticating = SASL_NOT_AUTH;
1965 # if SASL >= 20000
1966 					sm_free(in);
1967 # endif /* SASL >= 20000 */
1968 					in = NULL;
1969 					inlen = 0;
1970 					break;
1971 				}
1972 			}
1973 			else
1974 			{
1975 				in = NULL;
1976 				inlen = 0;
1977 			}
1978 
1979 			/* see if that auth type exists */
1980 # if SASL >= 20000
1981 			result = sasl_server_start(conn, p, in, inlen,
1982 						   &out, &outlen);
1983 			if (in != NULL)
1984 				sm_free(in);
1985 # else /* SASL >= 20000 */
1986 			result = sasl_server_start(conn, p, in, inlen,
1987 						   &out, &outlen, &errstr);
1988 # endif /* SASL >= 20000 */
1989 
1990 			if (result != SASL_OK && result != SASL_CONTINUE)
1991 			{
1992 				message("535 5.7.0 authentication failed");
1993 				if (LogLevel > 9)
1994 					sm_syslog(LOG_ERR, e->e_id,
1995 						  "AUTH failure (%s): %s (%d) %s, relay=%.100s",
1996 						  p,
1997 						  sasl_errstring(result, NULL,
1998 								 NULL),
1999 						  result,
2000 # if SASL >= 20000
2001 						  sasl_errdetail(conn),
2002 # else /* SASL >= 20000 */
2003 						  errstr,
2004 # endif /* SASL >= 20000 */
2005 						  CurSmtpClient);
2006 				RESET_SASLCONN;
2007 				break;
2008 			}
2009 			auth_type = newstr(p);
2010 
2011 			if (result == SASL_OK)
2012 			{
2013 				/* ugly, but same code */
2014 				goto authenticated;
2015 				/* authenticated by the initial response */
2016 			}
2017 
2018 			/* len is at least 2 */
2019 			len = ENC64LEN(outlen);
2020 			out2 = xalloc(len);
2021 			result = sasl_encode64(out, outlen, out2, len,
2022 					       &out2len);
2023 
2024 			if (result != SASL_OK)
2025 			{
2026 				message("454 4.5.4 Temporary authentication failure");
2027 				if (LogLevel > 5)
2028 					sm_syslog(LOG_WARNING, e->e_id,
2029 						  "AUTH encode64 error [%d for \"%s\"]",
2030 						  result, out);
2031 
2032 				/* start over? */
2033 				authenticating = SASL_NOT_AUTH;
2034 				RESET_SASLCONN;
2035 			}
2036 			else
2037 			{
2038 				message("334 %s", out2);
2039 				authenticating = SASL_PROC_AUTH;
2040 			}
2041 # if SASL >= 20000
2042 			sm_free(out2);
2043 # endif /* SASL >= 20000 */
2044 			break;
2045 #endif /* SASL */
2046 
2047 #if STARTTLS
2048 		  case CMDSTLS: /* starttls */
2049 			DELAY_CONN("STARTTLS");
2050 			if (*p != '\0')
2051 			{
2052 				message("501 5.5.2 Syntax error (no parameters allowed)");
2053 				break;
2054 			}
2055 			if (!bitset(SRV_OFFER_TLS, features))
2056 			{
2057 				message("503 5.5.0 TLS not available");
2058 				break;
2059 			}
2060 			if (!tls_ok_srv)
2061 			{
2062 				message("454 4.3.3 TLS not available after start");
2063 				break;
2064 			}
2065 			if (smtp.sm_gotmail)
2066 			{
2067 				message("503 5.5.0 TLS not permitted during a mail transaction");
2068 				break;
2069 			}
2070 			if (tempfail)
2071 			{
2072 				if (LogLevel > 9)
2073 					sm_syslog(LOG_INFO, e->e_id,
2074 						  "SMTP STARTTLS command (%.100s) from %s tempfailed (due to previous checks)",
2075 						  p, CurSmtpClient);
2076 				usrerr("454 4.7.0 Please try again later");
2077 				break;
2078 			}
2079   starttls:
2080 # if USE_OPENSSL_ENGINE
2081 			if (!SSLEngineInitialized)
2082 			{
2083 				if (!SSL_set_engine(NULL))
2084 				{
2085 					sm_syslog(LOG_ERR, NOQID,
2086 						  "STARTTLS=server, SSL_set_engine=failed");
2087 					tls_ok_srv = false;
2088 					message("454 4.3.3 TLS not available right now");
2089 					break;
2090 				}
2091 				else
2092 					SSLEngineInitialized = true;
2093 			}
2094 # endif /* USE_OPENSSL_ENGINE */
2095 # if TLS_NO_RSA
2096 			/*
2097 			**  XXX do we need a temp key ?
2098 			*/
2099 # else /* TLS_NO_RSA */
2100 # endif /* TLS_NO_RSA */
2101 
2102 # if TLS_VRFY_PER_CTX
2103 			/*
2104 			**  Note: this sets the verification globally
2105 			**  (per SSL_CTX)
2106 			**  it's ok since it applies only to one transaction
2107 			*/
2108 
2109 			TLS_VERIFY_CLIENT();
2110 # endif /* TLS_VRFY_PER_CTX */
2111 
2112 			if (srv_ssl != NULL)
2113 				SSL_clear(srv_ssl);
2114 			else if ((srv_ssl = SSL_new(srv_ctx)) == NULL)
2115 			{
2116 				message("454 4.3.3 TLS not available: error generating SSL handle");
2117 				if (LogLevel > 8)
2118 					tlslogerr(LOG_WARNING, "server");
2119 				goto tls_done;
2120 			}
2121 
2122 			if (get_tls_se_options(e, srv_ssl, true) != 0)
2123 			{
2124 				message("454 4.3.3 TLS not available: error setting options");
2125 				SSL_free(srv_ssl);
2126 				srv_ssl = NULL;
2127 				goto tls_done;
2128 			}
2129 
2130 # if !TLS_VRFY_PER_CTX
2131 			/*
2132 			**  this could be used if it were possible to set
2133 			**  verification per SSL (connection)
2134 			**  not just per SSL_CTX (global)
2135 			*/
2136 
2137 			TLS_VERIFY_CLIENT();
2138 # endif /* !TLS_VRFY_PER_CTX */
2139 
2140 			rfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
2141 			wfd = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL);
2142 
2143 			if (rfd < 0 || wfd < 0 ||
2144 			    SSL_set_rfd(srv_ssl, rfd) <= 0 ||
2145 			    SSL_set_wfd(srv_ssl, wfd) <= 0)
2146 			{
2147 				message("454 4.3.3 TLS not available: error set fd");
2148 				SSL_free(srv_ssl);
2149 				srv_ssl = NULL;
2150 				goto tls_done;
2151 			}
2152 			if (!smtps)
2153 				message("220 2.0.0 Ready to start TLS");
2154 # if PIPELINING
2155 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
2156 # endif /* PIPELINING */
2157 
2158 			SSL_set_accept_state(srv_ssl);
2159 
2160 			tlsstart = curtime();
2161   ssl_retry:
2162 			if ((r = SSL_accept(srv_ssl)) <= 0)
2163 			{
2164 				int i, ssl_err;
2165 				int save_errno = errno;
2166 
2167 				ssl_err = SSL_get_error(srv_ssl, r);
2168 				i = tls_retry(srv_ssl, rfd, wfd, tlsstart,
2169 						TimeOuts.to_starttls, ssl_err,
2170 						"server");
2171 				if (i > 0)
2172 					goto ssl_retry;
2173 
2174 				if (LogLevel > 5)
2175 				{
2176 					unsigned long l;
2177 					const char *sr;
2178 
2179 					l = ERR_peek_error();
2180 					sr = ERR_reason_error_string(l);
2181 					sm_syslog(LOG_WARNING, NOQID,
2182 						  "STARTTLS=server, error: accept failed=%d, reason=%s, SSL_error=%d, errno=%d, retry=%d, relay=%.100s",
2183 						  r, sr == NULL ? "unknown"
2184 								: sr,
2185 						  ssl_err, save_errno, i,
2186 						  CurSmtpClient);
2187 					if (LogLevel > 9)
2188 						tlslogerr(LOG_WARNING, "server");
2189 				}
2190 				tls_ok_srv = false;
2191 				SSL_free(srv_ssl);
2192 				srv_ssl = NULL;
2193 
2194 				/*
2195 				**  according to the next draft of
2196 				**  RFC 2487 the connection should be dropped
2197 				*/
2198 
2199 				/* arrange to ignore any current send list */
2200 				e->e_sendqueue = NULL;
2201 				goto doquit;
2202 			}
2203 
2204 			/* ignore return code for now, it's in {verify} */
2205 			(void) tls_get_info(srv_ssl, true,
2206 					    CurSmtpClient,
2207 					    &BlankEnvelope.e_macro,
2208 					    bitset(SRV_VRFY_CLT, features));
2209 
2210 			/*
2211 			**  call Stls_client to find out whether
2212 			**  to accept the connection from the client
2213 			*/
2214 
2215 			saveQuickAbort = QuickAbort;
2216 			saveSuprErrs = SuprErrs;
2217 			SuprErrs = true;
2218 			QuickAbort = false;
2219 			if (rscheck("tls_client",
2220 				     macvalue(macid("{verify}"), e),
2221 				     "STARTTLS", e,
2222 				     RSF_RMCOMM|RSF_COUNT,
2223 				     5, NULL, NOQID, NULL, NULL) != EX_OK ||
2224 			    Errors > 0)
2225 			{
2226 				extern char MsgBuf[];
2227 
2228 				if (MsgBuf[0] != '\0' && ISSMTPREPLY(MsgBuf))
2229 					nullserver = newstr(MsgBuf);
2230 				else
2231 					nullserver = "503 5.7.0 Authentication required.";
2232 			}
2233 			QuickAbort = saveQuickAbort;
2234 			SuprErrs = saveSuprErrs;
2235 
2236 			tls_ok_srv = false;	/* don't offer STARTTLS again */
2237 			n_helo = 0;
2238 # if SASL
2239 			if (sasl_ok)
2240 			{
2241 				int cipher_bits;
2242 				bool verified;
2243 				char *s, *v, *c;
2244 
2245 				s = macvalue(macid("{cipher_bits}"), e);
2246 				v = macvalue(macid("{verify}"), e);
2247 				c = macvalue(macid("{cert_subject}"), e);
2248 				verified = (v != NULL && strcmp(v, "OK") == 0);
2249 				if (s != NULL && (cipher_bits = atoi(s)) > 0)
2250 				{
2251 #  if SASL >= 20000
2252 					ext_ssf = cipher_bits;
2253 					auth_id = verified ? c : NULL;
2254 					sasl_ok = ((sasl_setprop(conn,
2255 							SASL_SSF_EXTERNAL,
2256 							&ext_ssf) == SASL_OK) &&
2257 						   (sasl_setprop(conn,
2258 							SASL_AUTH_EXTERNAL,
2259 							auth_id) == SASL_OK));
2260 #  else /* SASL >= 20000 */
2261 					ext_ssf.ssf = cipher_bits;
2262 					ext_ssf.auth_id = verified ? c : NULL;
2263 					sasl_ok = sasl_setprop(conn,
2264 							SASL_SSF_EXTERNAL,
2265 							&ext_ssf) == SASL_OK;
2266 #  endif /* SASL >= 20000 */
2267 					mechlist = NULL;
2268 					if (sasl_ok)
2269 						n_mechs = saslmechs(conn,
2270 								    &mechlist);
2271 				}
2272 			}
2273 # endif /* SASL */
2274 
2275 			/* switch to secure connection */
2276 			if (sfdctls(&InChannel, &OutChannel, srv_ssl) == 0)
2277 			{
2278 				tls_active = true;
2279 # if PIPELINING
2280 				(void) sm_io_autoflush(InChannel, OutChannel);
2281 # endif /* PIPELINING */
2282 			}
2283 			else
2284 			{
2285 				/*
2286 				**  XXX this is an internal error
2287 				**  how to deal with it?
2288 				**  we can't generate an error message
2289 				**  since the other side switched to an
2290 				**  encrypted layer, but we could not...
2291 				**  just "hang up"?
2292 				*/
2293 
2294 				nullserver = "454 4.3.3 TLS not available: can't switch to encrypted layer";
2295 				syserr("STARTTLS: can't switch to encrypted layer");
2296 			}
2297 		  tls_done:
2298 			if (smtps)
2299 			{
2300 				if (tls_active)
2301 					goto greeting;
2302 				else
2303 					goto doquit;
2304 			}
2305 			break;
2306 #endif /* STARTTLS */
2307 
2308 		  case CMDHELO:		/* hello -- introduce yourself */
2309 		  case CMDEHLO:		/* extended hello */
2310 			DELAY_CONN("EHLO");
2311 			if (c->cmd_code == CMDEHLO)
2312 			{
2313 				protocol = GET_PROTOCOL();
2314 				SmtpPhase = "server EHLO";
2315 			}
2316 			else
2317 			{
2318 				protocol = "SMTP";
2319 				SmtpPhase = "server HELO";
2320 			}
2321 
2322 			/* avoid denial-of-service */
2323 			STOP_IF_ATTACK(checksmtpattack(&n_helo, MAXHELOCOMMANDS,
2324 							true, "HELO/EHLO", e));
2325 
2326 #if 0
2327 			/* RFC2821 4.1.4 allows duplicate HELO/EHLO */
2328 			/* check for duplicate HELO/EHLO per RFC 1651 4.2 */
2329 			if (gothello)
2330 			{
2331 				usrerr("503 %s Duplicate HELO/EHLO",
2332 				       MyHostName);
2333 				break;
2334 			}
2335 #endif /* 0 */
2336 
2337 			/* check for valid domain name (re 1123 5.2.5) */
2338 			if (*p == '\0' && !AllowBogusHELO)
2339 			{
2340 				usrerr("501 %s requires domain address",
2341 					cmdbuf);
2342 				break;
2343 			}
2344 
2345 			/* check for long domain name (hides Received: info) */
2346 			if (strlen(p) > MAXNAME)
2347 			{
2348 				usrerr("501 Invalid domain name");
2349 				if (LogLevel > 9)
2350 					sm_syslog(LOG_INFO, CurEnv->e_id,
2351 						  "invalid domain name (too long) from %s",
2352 						  CurSmtpClient);
2353 				break;
2354 			}
2355 
2356 			ok = true;
2357 			for (q = p; *q != '\0'; q++)
2358 			{
2359 				if (!isascii(*q))
2360 					break;
2361 				if (isalnum(*q))
2362 					continue;
2363 				if (isspace(*q))
2364 				{
2365 					*q = '\0';
2366 
2367 					/* only complain if strict check */
2368 					ok = AllowBogusHELO;
2369 
2370 					/* allow trailing whitespace */
2371 					while (!ok && *++q != '\0' &&
2372 					       isspace(*q))
2373 						;
2374 					if (*q == '\0')
2375 						ok = true;
2376 					break;
2377 				}
2378 				if (strchr("[].-_#:", *q) == NULL)
2379 					break;
2380 			}
2381 
2382 			if (*q == '\0' && ok)
2383 			{
2384 				q = "pleased to meet you";
2385 				sendinghost = sm_strdup_x(p);
2386 			}
2387 			else if (!AllowBogusHELO)
2388 			{
2389 				usrerr("501 Invalid domain name");
2390 				if (LogLevel > 9)
2391 					sm_syslog(LOG_INFO, CurEnv->e_id,
2392 						  "invalid domain name (%s) from %.100s",
2393 						  p, CurSmtpClient);
2394 				break;
2395 			}
2396 			else
2397 			{
2398 				q = "accepting invalid domain name";
2399 			}
2400 
2401 			if (gothello || smtp.sm_gotmail)
2402 				CLEAR_STATE(cmdbuf);
2403 
2404 #if MILTER
2405 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2406 			    !bitset(EF_DISCARD, e->e_flags))
2407 			{
2408 				char state;
2409 				char *response;
2410 
2411 				response = milter_helo(p, e, &state);
2412 				switch (state)
2413 				{
2414 				  case SMFIR_REJECT:
2415 					if (MilterLogLevel > 3)
2416 						sm_syslog(LOG_INFO, e->e_id,
2417 							  "Milter: helo=%s, reject=Command rejected",
2418 							  p);
2419 					nullserver = "Command rejected";
2420 					smtp.sm_milterize = false;
2421 					break;
2422 
2423 				  case SMFIR_TEMPFAIL:
2424 					if (MilterLogLevel > 3)
2425 						sm_syslog(LOG_INFO, e->e_id,
2426 							  "Milter: helo=%s, reject=%s",
2427 							  p, MSG_TEMPFAIL);
2428 					tempfail = true;
2429 					smtp.sm_milterize = false;
2430 					break;
2431 
2432 				  case SMFIR_REPLYCODE:
2433 					if (MilterLogLevel > 3)
2434 						sm_syslog(LOG_INFO, e->e_id,
2435 							  "Milter: helo=%s, reject=%s",
2436 							  p, response);
2437 					if (strncmp(response, "421 ", 4) != 0
2438 					    && strncmp(response, "421-", 4) != 0)
2439 					{
2440 						nullserver = newstr(response);
2441 						smtp.sm_milterize = false;
2442 						break;
2443 					}
2444 					/* FALLTHROUGH */
2445 
2446 				  case SMFIR_SHUTDOWN:
2447 					if (MilterLogLevel > 3 &&
2448 					    response == NULL)
2449 						sm_syslog(LOG_INFO, e->e_id,
2450 							  "Milter: helo=%s, reject=421 4.7.0 %s closing connection",
2451 							  p, MyHostName);
2452 					tempfail = true;
2453 					smtp.sm_milterize = false;
2454 					if (response != NULL)
2455 						usrerr(response);
2456 					else
2457 						message("421 4.7.0 %s closing connection",
2458 							MyHostName);
2459 					/* arrange to ignore send list */
2460 					e->e_sendqueue = NULL;
2461 					lognullconnection = false;
2462 					goto doquit;
2463 				}
2464 				if (response != NULL)
2465 					sm_free(response);
2466 
2467 				/*
2468 				**  If quarantining by a connect/ehlo action,
2469 				**  save between messages
2470 				*/
2471 
2472 				if (smtp.sm_quarmsg == NULL &&
2473 				    e->e_quarmsg != NULL)
2474 					smtp.sm_quarmsg = newstr(e->e_quarmsg);
2475 			}
2476 #endif /* MILTER */
2477 			gothello = true;
2478 
2479 			/* print HELO response message */
2480 			if (c->cmd_code != CMDEHLO)
2481 			{
2482 				message("250 %s Hello %s, %s",
2483 					MyHostName, CurSmtpClient, q);
2484 				break;
2485 			}
2486 
2487 			message("250-%s Hello %s, %s",
2488 				MyHostName, CurSmtpClient, q);
2489 
2490 			/* offer ENHSC even for nullserver */
2491 			if (nullserver != NULL)
2492 			{
2493 				message("250 ENHANCEDSTATUSCODES");
2494 				break;
2495 			}
2496 
2497 			/*
2498 			**  print EHLO features list
2499 			**
2500 			**  Note: If you change this list,
2501 			**	  remember to update 'helpfile'
2502 			*/
2503 
2504 			message("250-ENHANCEDSTATUSCODES");
2505 #if PIPELINING
2506 			if (bitset(SRV_OFFER_PIPE, features))
2507 				message("250-PIPELINING");
2508 #endif /* PIPELINING */
2509 			if (bitset(SRV_OFFER_EXPN, features))
2510 			{
2511 				message("250-EXPN");
2512 				if (bitset(SRV_OFFER_VERB, features))
2513 					message("250-VERB");
2514 			}
2515 #if MIME8TO7
2516 			message("250-8BITMIME");
2517 #endif /* MIME8TO7 */
2518 			if (MaxMessageSize > 0)
2519 				message("250-SIZE %ld", MaxMessageSize);
2520 			else
2521 				message("250-SIZE");
2522 #if DSN
2523 			if (SendMIMEErrors && bitset(SRV_OFFER_DSN, features))
2524 				message("250-DSN");
2525 #endif /* DSN */
2526 			if (bitset(SRV_OFFER_ETRN, features))
2527 				message("250-ETRN");
2528 #if SASL
2529 			if (sasl_ok && mechlist != NULL && *mechlist != '\0')
2530 				message("250-AUTH %s", mechlist);
2531 #endif /* SASL */
2532 #if STARTTLS
2533 			if (tls_ok_srv && bitset(SRV_OFFER_TLS, features))
2534 				message("250-STARTTLS");
2535 #endif /* STARTTLS */
2536 			if (DeliverByMin > 0)
2537 				message("250-DELIVERBY %ld",
2538 					(long) DeliverByMin);
2539 			else if (DeliverByMin == 0)
2540 				message("250-DELIVERBY");
2541 
2542 			/* < 0: no deliver-by */
2543 
2544 			message("250 HELP");
2545 			break;
2546 
2547 		  case CMDMAIL:		/* mail -- designate sender */
2548 			SmtpPhase = "server MAIL";
2549 			DELAY_CONN("MAIL");
2550 
2551 			/* check for validity of this command */
2552 			if (!gothello && bitset(PRIV_NEEDMAILHELO, PrivacyFlags))
2553 			{
2554 				usrerr("503 5.0.0 Polite people say HELO first");
2555 				break;
2556 			}
2557 			if (smtp.sm_gotmail)
2558 			{
2559 				usrerr("503 5.5.0 Sender already specified");
2560 				break;
2561 			}
2562 #if SASL
2563 			if (bitset(SRV_REQ_AUTH, features) &&
2564 			    authenticating != SASL_IS_AUTH)
2565 			{
2566 				usrerr("530 5.7.0 Authentication required");
2567 				break;
2568 			}
2569 #endif /* SASL */
2570 
2571 			p = skipword(p, "from");
2572 			if (p == NULL)
2573 				break;
2574 			if (tempfail)
2575 			{
2576 				if (LogLevel > 9)
2577 					sm_syslog(LOG_INFO, e->e_id,
2578 						  "SMTP MAIL command (%.100s) from %s tempfailed (due to previous checks)",
2579 						  p, CurSmtpClient);
2580 				usrerr(MSG_TEMPFAIL);
2581 				break;
2582 			}
2583 
2584 			/* make sure we know who the sending host is */
2585 			if (sendinghost == NULL)
2586 				sendinghost = peerhostname;
2587 
2588 
2589 #if SM_HEAP_CHECK
2590 			if (sm_debug_active(&DebugLeakSmtp, 1))
2591 			{
2592 				sm_heap_newgroup();
2593 				sm_dprintf("smtp() heap group #%d\n",
2594 					sm_heap_group());
2595 			}
2596 #endif /* SM_HEAP_CHECK */
2597 
2598 			if (Errors > 0)
2599 				goto undo_no_pm;
2600 			if (!gothello)
2601 			{
2602 				auth_warning(e, "%s didn't use HELO protocol",
2603 					     CurSmtpClient);
2604 			}
2605 #ifdef PICKY_HELO_CHECK
2606 			if (sm_strcasecmp(sendinghost, peerhostname) != 0 &&
2607 			    (sm_strcasecmp(peerhostname, "localhost") != 0 ||
2608 			     sm_strcasecmp(sendinghost, MyHostName) != 0))
2609 			{
2610 				auth_warning(e, "Host %s claimed to be %s",
2611 					     CurSmtpClient, sendinghost);
2612 			}
2613 #endif /* PICKY_HELO_CHECK */
2614 
2615 			if (protocol == NULL)
2616 				protocol = "SMTP";
2617 			macdefine(&e->e_macro, A_PERM, 'r', protocol);
2618 			macdefine(&e->e_macro, A_PERM, 's', sendinghost);
2619 
2620 			if (Errors > 0)
2621 				goto undo_no_pm;
2622 			smtp.sm_nrcpts = 0;
2623 			n_badrcpts = 0;
2624 			macdefine(&e->e_macro, A_PERM, macid("{ntries}"), "0");
2625 			macdefine(&e->e_macro, A_PERM, macid("{nrcpts}"), "0");
2626 			macdefine(&e->e_macro, A_PERM, macid("{nbadrcpts}"),
2627 				"0");
2628 			e->e_flags |= EF_CLRQUEUE;
2629 			sm_setproctitle(true, e, "%s %s: %.80s",
2630 					qid_printname(e),
2631 					CurSmtpClient, inp);
2632 
2633 			/* do the processing */
2634 		    SM_TRY
2635 		    {
2636 			extern char *FullName;
2637 
2638 			QuickAbort = true;
2639 			SM_FREE_CLR(FullName);
2640 
2641 			/* must parse sender first */
2642 			delimptr = NULL;
2643 			setsender(p, e, &delimptr, ' ', false);
2644 			if (delimptr != NULL && *delimptr != '\0')
2645 				*delimptr++ = '\0';
2646 			if (Errors > 0)
2647 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2648 
2649 			/* Successfully set e_from, allow logging */
2650 			e->e_flags |= EF_LOGSENDER;
2651 
2652 			/* put resulting triple from parseaddr() into macros */
2653 			if (e->e_from.q_mailer != NULL)
2654 				 macdefine(&e->e_macro, A_PERM,
2655 					macid("{mail_mailer}"),
2656 					e->e_from.q_mailer->m_name);
2657 			else
2658 				 macdefine(&e->e_macro, A_PERM,
2659 					macid("{mail_mailer}"), NULL);
2660 			if (e->e_from.q_host != NULL)
2661 				macdefine(&e->e_macro, A_PERM,
2662 					macid("{mail_host}"),
2663 					e->e_from.q_host);
2664 			else
2665 				macdefine(&e->e_macro, A_PERM,
2666 					macid("{mail_host}"), "localhost");
2667 			if (e->e_from.q_user != NULL)
2668 				macdefine(&e->e_macro, A_PERM,
2669 					macid("{mail_addr}"),
2670 					e->e_from.q_user);
2671 			else
2672 				macdefine(&e->e_macro, A_PERM,
2673 					macid("{mail_addr}"), NULL);
2674 			if (Errors > 0)
2675 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2676 
2677 			/* check for possible spoofing */
2678 			if (RealUid != 0 && OpMode == MD_SMTP &&
2679 			    !wordinclass(RealUserName, 't') &&
2680 			    (!bitnset(M_LOCALMAILER,
2681 				      e->e_from.q_mailer->m_flags) ||
2682 			     strcmp(e->e_from.q_user, RealUserName) != 0))
2683 			{
2684 				auth_warning(e, "%s owned process doing -bs",
2685 					RealUserName);
2686 			}
2687 
2688 			/* reset to default value */
2689 			SevenBitInput = SevenBitInput_Saved;
2690 
2691 			/* now parse ESMTP arguments */
2692 			e->e_msgsize = 0;
2693 			addr = p;
2694 			parse_esmtp_args(e, NULL, p, delimptr, "MAIL", args,
2695 					mail_esmtp_args);
2696 			if (Errors > 0)
2697 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2698 
2699 #if SASL
2700 # if _FFR_AUTH_PASSING
2701 			/* set the default AUTH= if the sender didn't */
2702 			if (e->e_auth_param == NULL)
2703 			{
2704 				/* XXX only do this for an MSA? */
2705 				e->e_auth_param = macvalue(macid("{auth_authen}"),
2706 							   e);
2707 				if (e->e_auth_param == NULL)
2708 					e->e_auth_param = "<>";
2709 
2710 				/*
2711 				**  XXX should we invoke Strust_auth now?
2712 				**  authorizing as the client that just
2713 				**  authenticated, so we'll trust implicitly
2714 				*/
2715 			}
2716 # endif /* _FFR_AUTH_PASSING */
2717 #endif /* SASL */
2718 
2719 			/* do config file checking of the sender */
2720 			macdefine(&e->e_macro, A_PERM,
2721 				macid("{addr_type}"), "e s");
2722 #if _FFR_MAIL_MACRO
2723 			/* make the "real" sender address available */
2724 			macdefine(&e->e_macro, A_TEMP, macid("{mail_from}"),
2725 				  e->e_from.q_paddr);
2726 #endif /* _FFR_MAIL_MACRO */
2727 			if (rscheck("check_mail", addr,
2728 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
2729 				    NULL, e->e_id, NULL, NULL) != EX_OK ||
2730 			    Errors > 0)
2731 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2732 			macdefine(&e->e_macro, A_PERM,
2733 				  macid("{addr_type}"), NULL);
2734 
2735 			if (MaxMessageSize > 0 &&
2736 			    (e->e_msgsize > MaxMessageSize ||
2737 			     e->e_msgsize < 0))
2738 			{
2739 				usrerr("552 5.2.3 Message size exceeds fixed maximum message size (%ld)",
2740 					MaxMessageSize);
2741 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2742 			}
2743 
2744 			/*
2745 			**  XXX always check whether there is at least one fs
2746 			**  with enough space?
2747 			**  However, this may not help much: the queue group
2748 			**  selection may later on select a FS that hasn't
2749 			**  enough space.
2750 			*/
2751 
2752 			if ((NumFileSys == 1 || NumQueue == 1) &&
2753 			    !enoughdiskspace(e->e_msgsize, e)
2754 #if _FFR_ANY_FREE_FS
2755 			    && !filesys_free(e->e_msgsize)
2756 #endif /* _FFR_ANY_FREE_FS */
2757 			   )
2758 			{
2759 				/*
2760 				**  We perform this test again when the
2761 				**  queue directory is selected, in collect.
2762 				*/
2763 
2764 				usrerr("452 4.4.5 Insufficient disk space; try again later");
2765 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2766 			}
2767 			if (Errors > 0)
2768 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2769 
2770 			LogUsrErrs = true;
2771 #if MILTER
2772 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2773 			    !bitset(EF_DISCARD, e->e_flags))
2774 			{
2775 				char state;
2776 				char *response;
2777 
2778 				response = milter_envfrom(args, e, &state);
2779 				MILTER_REPLY("from");
2780 			}
2781 #endif /* MILTER */
2782 			if (Errors > 0)
2783 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2784 
2785 			message("250 2.1.0 Sender ok");
2786 			smtp.sm_gotmail = true;
2787 		    }
2788 		    SM_EXCEPT(exc, "[!F]*")
2789 		    {
2790 			/*
2791 			**  An error occurred while processing a MAIL command.
2792 			**  Jump to the common error handling code.
2793 			*/
2794 
2795 			sm_exc_free(exc);
2796 			goto undo_no_pm;
2797 		    }
2798 		    SM_END_TRY
2799 			break;
2800 
2801 		  undo_no_pm:
2802 			e->e_flags &= ~EF_PM_NOTIFY;
2803 		  undo:
2804 			break;
2805 
2806 		  case CMDRCPT:		/* rcpt -- designate recipient */
2807 			DELAY_CONN("RCPT");
2808 			macdefine(&e->e_macro, A_PERM,
2809 				macid("{rcpt_mailer}"), NULL);
2810 			macdefine(&e->e_macro, A_PERM,
2811 				macid("{rcpt_host}"), NULL);
2812 			macdefine(&e->e_macro, A_PERM,
2813 				macid("{rcpt_addr}"), NULL);
2814 #if MILTER
2815 			(void) memset(&addr_st, '\0', sizeof(addr_st));
2816 			a = NULL;
2817 			milter_rcpt_added = false;
2818 			smtp.sm_e_nrcpts_orig = e->e_nrcpts;
2819 #endif
2820 #if _FFR_BADRCPT_SHUTDOWN
2821 			/*
2822 			**  hack to deal with hack, see below:
2823 			**  n_badrcpts is increased if limit is reached.
2824 			*/
2825 
2826 			n_badrcpts_adj = (BadRcptThrottle > 0 &&
2827 					  n_badrcpts > BadRcptThrottle &&
2828 					  LogLevel > 5)
2829 					  ? n_badrcpts - 1 : n_badrcpts;
2830 			if (BadRcptShutdown > 0 &&
2831 			    n_badrcpts_adj >= BadRcptShutdown &&
2832 			    (BadRcptShutdownGood == 0 ||
2833 			     smtp.sm_nrcpts == 0 ||
2834 			     (n_badrcpts_adj * 100 /
2835 			      (smtp.sm_nrcpts + n_badrcpts) >=
2836 			      BadRcptShutdownGood)))
2837 			{
2838 				if (LogLevel > 5)
2839 					sm_syslog(LOG_INFO, e->e_id,
2840 						  "%s: Possible SMTP RCPT flood, shutting down connection.",
2841 						  CurSmtpClient);
2842 				message("421 4.7.0 %s Too many bad recipients; closing connection",
2843 				MyHostName);
2844 
2845 				/* arrange to ignore any current send list */
2846 				e->e_sendqueue = NULL;
2847 				goto doquit;
2848 			}
2849 #endif /* _FFR_BADRCPT_SHUTDOWN */
2850 			if (BadRcptThrottle > 0 &&
2851 			    n_badrcpts >= BadRcptThrottle)
2852 			{
2853 				if (LogLevel > 5 &&
2854 				    n_badrcpts == BadRcptThrottle)
2855 				{
2856 					sm_syslog(LOG_INFO, e->e_id,
2857 						  "%s: Possible SMTP RCPT flood, throttling.",
2858 						  CurSmtpClient);
2859 
2860 					/* To avoid duplicated message */
2861 					n_badrcpts++;
2862 				}
2863 				NBADRCPTS;
2864 
2865 				/*
2866 				**  Don't use exponential backoff for now.
2867 				**  Some systems will open more connections
2868 				**  and actually overload the receiver even
2869 				**  more.
2870 				*/
2871 
2872 				(void) sleep(BadRcptThrottleDelay);
2873 			}
2874 			if (!smtp.sm_gotmail)
2875 			{
2876 				usrerr("503 5.0.0 Need MAIL before RCPT");
2877 				break;
2878 			}
2879 			SmtpPhase = "server RCPT";
2880 		    SM_TRY
2881 		    {
2882 			QuickAbort = true;
2883 			LogUsrErrs = true;
2884 
2885 			/* limit flooding of our machine */
2886 			if (MaxRcptPerMsg > 0 &&
2887 			    smtp.sm_nrcpts >= MaxRcptPerMsg)
2888 			{
2889 				/* sleep(1); / * slow down? */
2890 				usrerr("452 4.5.3 Too many recipients");
2891 				goto rcpt_done;
2892 			}
2893 
2894 			if (!SM_IS_INTERACTIVE(e->e_sendmode)
2895 #if _FFR_DM_ONE
2896 			    && (NotFirstDelivery || SM_DM_ONE != e->e_sendmode)
2897 #endif /* _FFR_DM_ONE */
2898 			   )
2899 				e->e_flags |= EF_VRFYONLY;
2900 
2901 #if MILTER
2902 			/*
2903 			**  Do not expand recipients at RCPT time (in the call
2904 			**  to recipient()) if a milter can delete or reject
2905 			**  a RCPT.  If they are expanded, it is impossible
2906 			**  for removefromlist() to figure out the expanded
2907 			**  members of the original recipient and mark them
2908 			**  as QS_DONTSEND.
2909 			*/
2910 
2911 			if (!(smtp.sm_milterlist && smtp.sm_milterize &&
2912 			      !bitset(EF_DISCARD, e->e_flags)) &&
2913 			    (smtp.sm_milters.mis_flags &
2914 			     (MIS_FL_DEL_RCPT|MIS_FL_REJ_RCPT)) != 0)
2915 				e->e_flags |= EF_VRFYONLY;
2916 			milter_cmd_done = false;
2917 			milter_cmd_safe = false;
2918 #endif /* MILTER */
2919 
2920 			p = skipword(p, "to");
2921 			if (p == NULL)
2922 				goto rcpt_done;
2923 			macdefine(&e->e_macro, A_PERM,
2924 				macid("{addr_type}"), "e r");
2925 			a = parseaddr(p, NULLADDR, RF_COPYALL, ' ', &delimptr,
2926 				      e, true);
2927 			macdefine(&e->e_macro, A_PERM,
2928 				macid("{addr_type}"), NULL);
2929 			if (Errors > 0)
2930 				goto rcpt_done;
2931 			if (a == NULL)
2932 			{
2933 				usrerr("501 5.0.0 Missing recipient");
2934 				goto rcpt_done;
2935 			}
2936 
2937 			if (delimptr != NULL && *delimptr != '\0')
2938 				*delimptr++ = '\0';
2939 
2940 			/* put resulting triple from parseaddr() into macros */
2941 			if (a->q_mailer != NULL)
2942 				macdefine(&e->e_macro, A_PERM,
2943 					macid("{rcpt_mailer}"),
2944 					a->q_mailer->m_name);
2945 			else
2946 				macdefine(&e->e_macro, A_PERM,
2947 					macid("{rcpt_mailer}"), NULL);
2948 			if (a->q_host != NULL)
2949 				macdefine(&e->e_macro, A_PERM,
2950 					macid("{rcpt_host}"), a->q_host);
2951 			else
2952 				macdefine(&e->e_macro, A_PERM,
2953 					macid("{rcpt_host}"), "localhost");
2954 			if (a->q_user != NULL)
2955 				macdefine(&e->e_macro, A_PERM,
2956 					macid("{rcpt_addr}"), a->q_user);
2957 			else
2958 				macdefine(&e->e_macro, A_PERM,
2959 					macid("{rcpt_addr}"), NULL);
2960 			if (Errors > 0)
2961 				goto rcpt_done;
2962 
2963 			/* now parse ESMTP arguments */
2964 			addr = p;
2965 			parse_esmtp_args(e, a, p, delimptr, "RCPT", args,
2966 					rcpt_esmtp_args);
2967 			if (Errors > 0)
2968 				goto rcpt_done;
2969 
2970 #if MILTER
2971 			/*
2972 			**  rscheck() can trigger an "exception"
2973 			**  in which case the execution continues at
2974 			**  SM_EXCEPT(exc, "[!F]*")
2975 			**  This means milter_cmd_safe is not set
2976 			**  and hence milter is not invoked.
2977 			**  Would it be "safe" to change that, i.e., use
2978 			**  milter_cmd_safe = true;
2979 			**  here so a milter is informed (if requested)
2980 			**  about RCPTs that are rejected by check_rcpt?
2981 			*/
2982 # if _FFR_MILTER_CHECK_REJECTIONS_TOO
2983 			milter_cmd_safe = true;
2984 # endif
2985 #endif
2986 
2987 			/* do config file checking of the recipient */
2988 			macdefine(&e->e_macro, A_PERM,
2989 				macid("{addr_type}"), "e r");
2990 			if (rscheck("check_rcpt", addr,
2991 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
2992 				    NULL, e->e_id, p_addr_st, NULL) != EX_OK ||
2993 			    Errors > 0)
2994 				goto rcpt_done;
2995 			macdefine(&e->e_macro, A_PERM,
2996 				macid("{addr_type}"), NULL);
2997 
2998 			/* If discarding, don't bother to verify user */
2999 			if (bitset(EF_DISCARD, e->e_flags))
3000 				a->q_state = QS_VERIFIED;
3001 #if MILTER
3002 			milter_cmd_safe = true;
3003 #endif
3004 
3005 			addbcc(a, e);
3006 			rcptmods(a, e);
3007 
3008 			/* save in recipient list after ESMTP mods */
3009 			a = recipient(a, &e->e_sendqueue, 0, e);
3010 			/* may trigger exception... */
3011 
3012 #if MILTER
3013 			milter_rcpt_added = true;
3014 #endif
3015 
3016 			if(!(Errors > 0) && QS_IS_BADADDR(a->q_state))
3017 			{
3018 				/* punt -- should keep message in ADDRESS.... */
3019 				usrerr("550 5.1.1 Addressee unknown");
3020 			}
3021 
3022 #if MILTER
3023 		rcpt_done:
3024 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3025 			    !bitset(EF_DISCARD, e->e_flags))
3026 			{
3027 				char state;
3028 				char *response;
3029 
3030 				/* how to get the error codes? */
3031 				if (Errors > 0)
3032 				{
3033 					macdefine(&e->e_macro, A_PERM,
3034 						macid("{rcpt_mailer}"),
3035 						"error");
3036 					if (a != NULL &&
3037 					    a->q_status != NULL &&
3038 					    a->q_rstatus != NULL)
3039 					{
3040 						macdefine(&e->e_macro, A_PERM,
3041 							macid("{rcpt_host}"),
3042 							a->q_status);
3043 						macdefine(&e->e_macro, A_PERM,
3044 							macid("{rcpt_addr}"),
3045 							a->q_rstatus);
3046 					}
3047 					else
3048 					{
3049 						if (addr_st.q_host != NULL)
3050 							macdefine(&e->e_macro,
3051 								A_PERM,
3052 								macid("{rcpt_host}"),
3053 								addr_st.q_host);
3054 						if (addr_st.q_user != NULL)
3055 							macdefine(&e->e_macro,
3056 								A_PERM,
3057 								macid("{rcpt_addr}"),
3058 								addr_st.q_user);
3059 					}
3060 				}
3061 
3062 				response = milter_envrcpt(args, e, &state,
3063 							Errors > 0);
3064 				milter_cmd_done = true;
3065 				MILTER_REPLY("to");
3066 			}
3067 #endif /* MILTER */
3068 
3069 			/* no errors during parsing, but might be a duplicate */
3070 			e->e_to = a->q_paddr;
3071 			if (!(Errors > 0) && !QS_IS_BADADDR(a->q_state))
3072 			{
3073 				if (smtp.sm_nrcpts == 0)
3074 					initsys(e);
3075 				message("250 2.1.5 Recipient ok%s",
3076 					QS_IS_QUEUEUP(a->q_state) ?
3077 						" (will queue)" : "");
3078 				smtp.sm_nrcpts++;
3079 			}
3080 
3081 			/* Is this needed? */
3082 #if !MILTER
3083 		rcpt_done:
3084 #endif /* !MILTER */
3085 
3086 			macdefine(&e->e_macro, A_PERM,
3087 				macid("{rcpt_mailer}"), NULL);
3088 			macdefine(&e->e_macro, A_PERM,
3089 				macid("{rcpt_host}"), NULL);
3090 			macdefine(&e->e_macro, A_PERM,
3091 				macid("{rcpt_addr}"), NULL);
3092 			macdefine(&e->e_macro, A_PERM,
3093 				macid("{dsn_notify}"), NULL);
3094 
3095 			if (Errors > 0)
3096 			{
3097 				++n_badrcpts;
3098 				NBADRCPTS;
3099 			}
3100 		    }
3101 		    SM_EXCEPT(exc, "[!F]*")
3102 		    {
3103 			/* An exception occurred while processing RCPT */
3104 			e->e_flags &= ~(EF_FATALERRS|EF_PM_NOTIFY);
3105 			++n_badrcpts;
3106 			NBADRCPTS;
3107 #if MILTER
3108 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3109 			    !bitset(EF_DISCARD, e->e_flags) &&
3110 			    !milter_cmd_done && milter_cmd_safe)
3111 			{
3112 				char state;
3113 				char *response;
3114 
3115 				macdefine(&e->e_macro, A_PERM,
3116 					macid("{rcpt_mailer}"), "error");
3117 
3118 				/* how to get the error codes? */
3119 				if (addr_st.q_host != NULL)
3120 					macdefine(&e->e_macro, A_PERM,
3121 						macid("{rcpt_host}"),
3122 						addr_st.q_host);
3123 				else if (a != NULL && a->q_status != NULL)
3124 					macdefine(&e->e_macro, A_PERM,
3125 						macid("{rcpt_host}"),
3126 						a->q_status);
3127 
3128 				if (addr_st.q_user != NULL)
3129 					macdefine(&e->e_macro, A_PERM,
3130 						macid("{rcpt_addr}"),
3131 						addr_st.q_user);
3132 				else if (a != NULL && a->q_rstatus != NULL)
3133 					macdefine(&e->e_macro, A_PERM,
3134 						macid("{rcpt_addr}"),
3135 						a->q_rstatus);
3136 
3137 				response = milter_envrcpt(args, e, &state,
3138 							true);
3139 				milter_cmd_done = true;
3140 				MILTER_REPLY("to");
3141 				macdefine(&e->e_macro, A_PERM,
3142 					macid("{rcpt_mailer}"), NULL);
3143 				macdefine(&e->e_macro, A_PERM,
3144 					macid("{rcpt_host}"), NULL);
3145 				macdefine(&e->e_macro, A_PERM,
3146 					macid("{rcpt_addr}"), NULL);
3147 			}
3148 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3149 			    milter_rcpt_added && milter_cmd_done &&
3150 			    milter_cmd_fail)
3151 			{
3152 				(void) removefromlist(addr, &e->e_sendqueue, e);
3153 				milter_cmd_fail = false;
3154 				if (smtp.sm_e_nrcpts_orig < e->e_nrcpts)
3155 					e->e_nrcpts = smtp.sm_e_nrcpts_orig;
3156 			}
3157 #endif /* MILTER */
3158 		    }
3159 		    SM_END_TRY
3160 			break;
3161 
3162 		  case CMDDATA:		/* data -- text of mail */
3163 			DELAY_CONN("DATA");
3164 			if (!smtp_data(&smtp, e))
3165 				goto doquit;
3166 			break;
3167 
3168 		  case CMDRSET:		/* rset -- reset state */
3169 			if (tTd(94, 100))
3170 				message("451 4.0.0 Test failure");
3171 			else
3172 				message("250 2.0.0 Reset state");
3173 			CLEAR_STATE(cmdbuf);
3174 			break;
3175 
3176 		  case CMDVRFY:		/* vrfy -- verify address */
3177 		  case CMDEXPN:		/* expn -- expand address */
3178 			vrfy = c->cmd_code == CMDVRFY;
3179 			DELAY_CONN(vrfy ? "VRFY" : "EXPN");
3180 			if (tempfail)
3181 			{
3182 				if (LogLevel > 9)
3183 					sm_syslog(LOG_INFO, e->e_id,
3184 						  "SMTP %s command (%.100s) from %s tempfailed (due to previous checks)",
3185 						  vrfy ? "VRFY" : "EXPN",
3186 						  p, CurSmtpClient);
3187 
3188 				/* RFC 821 doesn't allow 4xy reply code */
3189 				usrerr("550 5.7.1 Please try again later");
3190 				break;
3191 			}
3192 			wt = checksmtpattack(&n_verifies, MAXVRFYCOMMANDS,
3193 					     false, vrfy ? "VRFY" : "EXPN", e);
3194 			STOP_IF_ATTACK(wt);
3195 			previous = curtime();
3196 			if ((vrfy && bitset(PRIV_NOVRFY, PrivacyFlags)) ||
3197 			    (!vrfy && !bitset(SRV_OFFER_EXPN, features)))
3198 			{
3199 				if (vrfy)
3200 					message("252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)");
3201 				else
3202 					message("502 5.7.0 Sorry, we do not allow this operation");
3203 				if (LogLevel > 5)
3204 					sm_syslog(LOG_INFO, e->e_id,
3205 						  "%s: %s [rejected]",
3206 						  CurSmtpClient,
3207 						  shortenstring(inp, MAXSHORTSTR));
3208 				break;
3209 			}
3210 			else if (!gothello &&
3211 				 bitset(vrfy ? PRIV_NEEDVRFYHELO : PRIV_NEEDEXPNHELO,
3212 						PrivacyFlags))
3213 			{
3214 				usrerr("503 5.0.0 I demand that you introduce yourself first");
3215 				break;
3216 			}
3217 			if (Errors > 0)
3218 				break;
3219 			if (LogLevel > 5)
3220 				sm_syslog(LOG_INFO, e->e_id, "%s: %s",
3221 					  CurSmtpClient,
3222 					  shortenstring(inp, MAXSHORTSTR));
3223 		    SM_TRY
3224 		    {
3225 			QuickAbort = true;
3226 			vrfyqueue = NULL;
3227 			if (vrfy)
3228 				e->e_flags |= EF_VRFYONLY;
3229 			while (*p != '\0' && isascii(*p) && isspace(*p))
3230 				p++;
3231 			if (*p == '\0')
3232 			{
3233 				usrerr("501 5.5.2 Argument required");
3234 			}
3235 			else
3236 			{
3237 				/* do config file checking of the address */
3238 				if (rscheck(vrfy ? "check_vrfy" : "check_expn",
3239 					    p, NULL, e, RSF_RMCOMM, 3, NULL,
3240 					    NOQID, NULL, NULL) != EX_OK ||
3241 				    Errors > 0)
3242 					sm_exc_raisenew_x(&EtypeQuickAbort, 1);
3243 				(void) sendtolist(p, NULLADDR, &vrfyqueue, 0, e);
3244 			}
3245 			if (wt > 0)
3246 			{
3247 				time_t t;
3248 
3249 				t = wt - (curtime() - previous);
3250 				if (t > 0)
3251 					(void) sleep(t);
3252 			}
3253 			if (Errors > 0)
3254 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
3255 			if (vrfyqueue == NULL)
3256 			{
3257 				usrerr("554 5.5.2 Nothing to %s", vrfy ? "VRFY" : "EXPN");
3258 			}
3259 			while (vrfyqueue != NULL)
3260 			{
3261 				if (!QS_IS_UNDELIVERED(vrfyqueue->q_state))
3262 				{
3263 					vrfyqueue = vrfyqueue->q_next;
3264 					continue;
3265 				}
3266 
3267 				/* see if there is more in the vrfy list */
3268 				a = vrfyqueue;
3269 				while ((a = a->q_next) != NULL &&
3270 				       (!QS_IS_UNDELIVERED(a->q_state)))
3271 					continue;
3272 				printvrfyaddr(vrfyqueue, a == NULL, vrfy);
3273 				vrfyqueue = a;
3274 			}
3275 		    }
3276 		    SM_EXCEPT(exc, "[!F]*")
3277 		    {
3278 			/*
3279 			**  An exception occurred while processing VRFY/EXPN
3280 			*/
3281 
3282 			sm_exc_free(exc);
3283 			goto undo;
3284 		    }
3285 		    SM_END_TRY
3286 			break;
3287 
3288 		  case CMDETRN:		/* etrn -- force queue flush */
3289 			DELAY_CONN("ETRN");
3290 
3291 			/* Don't leak queue information via debug flags */
3292 			if (!bitset(SRV_OFFER_ETRN, features) || UseMSP ||
3293 			    (RealUid != 0 && RealUid != TrustedUid &&
3294 			     OpMode == MD_SMTP))
3295 			{
3296 				/* different message for MSA ? */
3297 				message("502 5.7.0 Sorry, we do not allow this operation");
3298 				if (LogLevel > 5)
3299 					sm_syslog(LOG_INFO, e->e_id,
3300 						  "%s: %s [rejected]",
3301 						  CurSmtpClient,
3302 						  shortenstring(inp, MAXSHORTSTR));
3303 				break;
3304 			}
3305 			if (tempfail)
3306 			{
3307 				if (LogLevel > 9)
3308 					sm_syslog(LOG_INFO, e->e_id,
3309 						  "SMTP ETRN command (%.100s) from %s tempfailed (due to previous checks)",
3310 						  p, CurSmtpClient);
3311 				usrerr(MSG_TEMPFAIL);
3312 				break;
3313 			}
3314 
3315 			if (strlen(p) <= 0)
3316 			{
3317 				usrerr("500 5.5.2 Parameter required");
3318 				break;
3319 			}
3320 
3321 			/* crude way to avoid denial-of-service attacks */
3322 			STOP_IF_ATTACK(checksmtpattack(&n_etrn, MAXETRNCOMMANDS,
3323 							true, "ETRN", e));
3324 
3325 			/*
3326 			**  Do config file checking of the parameter.
3327 			**  Even though we have srv_features now, we still
3328 			**  need this ruleset because the former is called
3329 			**  when the connection has been established, while
3330 			**  this ruleset is called when the command is
3331 			**  actually issued and therefore has all information
3332 			**  available to make a decision.
3333 			*/
3334 
3335 			if (rscheck("check_etrn", p, NULL, e, RSF_RMCOMM, 3,
3336 				    NULL, NOQID, NULL, NULL) != EX_OK ||
3337 			    Errors > 0)
3338 				break;
3339 
3340 			if (LogLevel > 5)
3341 				sm_syslog(LOG_INFO, e->e_id,
3342 					  "%s: ETRN %s", CurSmtpClient,
3343 					  shortenstring(p, MAXSHORTSTR));
3344 
3345 			id = p;
3346 			if (*id == '#')
3347 			{
3348 				int i, qgrp;
3349 
3350 				id++;
3351 				qgrp = name2qid(id);
3352 				if (!ISVALIDQGRP(qgrp))
3353 				{
3354 					usrerr("459 4.5.4 Queue %s unknown",
3355 					       id);
3356 					break;
3357 				}
3358 				for (i = 0; i < NumQueue && Queue[i] != NULL;
3359 				     i++)
3360 					Queue[i]->qg_nextrun = (time_t) -1;
3361 				Queue[qgrp]->qg_nextrun = 0;
3362 				ok = run_work_group(Queue[qgrp]->qg_wgrp,
3363 						    RWG_FORK|RWG_FORCE);
3364 				if (ok && Errors == 0)
3365 					message("250 2.0.0 Queuing for queue group %s started", id);
3366 				break;
3367 			}
3368 
3369 			if (*id == '@')
3370 				id++;
3371 			else
3372 				*--id = '@';
3373 
3374 			new = (QUEUE_CHAR *) sm_malloc(sizeof(QUEUE_CHAR));
3375 			if (new == NULL)
3376 			{
3377 				syserr("500 5.5.0 ETRN out of memory");
3378 				break;
3379 			}
3380 			new->queue_match = id;
3381 			new->queue_negate = false;
3382 			new->queue_next = NULL;
3383 			QueueLimitRecipient = new;
3384 			ok = runqueue(true, false, false, true);
3385 			sm_free(QueueLimitRecipient); /* XXX */
3386 			QueueLimitRecipient = NULL;
3387 			if (ok && Errors == 0)
3388 				message("250 2.0.0 Queuing for node %s started", p);
3389 			break;
3390 
3391 		  case CMDHELP:		/* help -- give user info */
3392 			DELAY_CONN("HELP");
3393 			help(p, e);
3394 			break;
3395 
3396 		  case CMDNOOP:		/* noop -- do nothing */
3397 			DELAY_CONN("NOOP");
3398 			STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands,
3399 							true, "NOOP", e));
3400 			message("250 2.0.0 OK");
3401 			break;
3402 
3403 		  case CMDQUIT:		/* quit -- leave mail */
3404 			message("221 2.0.0 %s closing connection", MyHostName);
3405 #if PIPELINING
3406 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
3407 #endif /* PIPELINING */
3408 
3409 			if (smtp.sm_nrcpts > 0)
3410 				logundelrcpts(e, "aborted by sender", 9, false);
3411 
3412 			/* arrange to ignore any current send list */
3413 			e->e_sendqueue = NULL;
3414 
3415 #if STARTTLS
3416 			/* shutdown TLS connection */
3417 			if (tls_active)
3418 			{
3419 				(void) endtls(srv_ssl, "server");
3420 				tls_active = false;
3421 			}
3422 #endif /* STARTTLS */
3423 #if SASL
3424 			if (authenticating == SASL_IS_AUTH)
3425 			{
3426 				sasl_dispose(&conn);
3427 				authenticating = SASL_NOT_AUTH;
3428 				/* XXX sasl_done(); this is a child */
3429 			}
3430 #endif /* SASL */
3431 
3432 doquit:
3433 			/* avoid future 050 messages */
3434 			disconnect(1, e);
3435 
3436 #if MILTER
3437 			/* close out milter filters */
3438 			milter_quit(e);
3439 #endif /* MILTER */
3440 
3441 			if (tTd(92, 2))
3442 				sm_dprintf("QUIT: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",
3443 					e->e_id,
3444 					bitset(EF_LOGSENDER, e->e_flags),
3445 					LogLevel);
3446 			if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))
3447 				logsender(e, NULL);
3448 			e->e_flags &= ~EF_LOGSENDER;
3449 
3450 			if (lognullconnection && LogLevel > 5 &&
3451 			    nullserver == NULL)
3452 			{
3453 				char *d;
3454 
3455 				d = macvalue(macid("{daemon_name}"), e);
3456 				if (d == NULL)
3457 					d = "stdin";
3458 
3459 				/*
3460 				**  even though this id is "bogus", it makes
3461 				**  it simpler to "grep" related events, e.g.,
3462 				**  timeouts for the same connection.
3463 				*/
3464 
3465 				sm_syslog(LOG_INFO, e->e_id,
3466 					  "%s did not issue MAIL/EXPN/VRFY/ETRN during connection to %s",
3467 					  CurSmtpClient, d);
3468 			}
3469 			if (tTd(93, 100))
3470 			{
3471 				/* return to handle next connection */
3472 				return;
3473 			}
3474 			finis(true, true, ExitStat);
3475 			/* NOTREACHED */
3476 
3477 			/* just to avoid bogus warning from some compilers */
3478 			exit(EX_OSERR);
3479 
3480 		  case CMDVERB:		/* set verbose mode */
3481 			DELAY_CONN("VERB");
3482 			if (!bitset(SRV_OFFER_EXPN, features) ||
3483 			    !bitset(SRV_OFFER_VERB, features))
3484 			{
3485 				/* this would give out the same info */
3486 				message("502 5.7.0 Verbose unavailable");
3487 				break;
3488 			}
3489 			STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands,
3490 							true, "VERB", e));
3491 			Verbose = 1;
3492 			set_delivery_mode(SM_DELIVER, e);
3493 			message("250 2.0.0 Verbose mode");
3494 			break;
3495 
3496 #if SMTPDEBUG
3497 		  case CMDDBGQSHOW:	/* show queues */
3498 			(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
3499 					     "Send Queue=");
3500 			printaddr(smioout, e->e_sendqueue, true);
3501 			break;
3502 
3503 		  case CMDDBGDEBUG:	/* set debug mode */
3504 			tTsetup(tTdvect, sizeof(tTdvect), "0-99.1");
3505 			tTflag(p);
3506 			message("200 2.0.0 Debug set");
3507 			break;
3508 
3509 #else /* SMTPDEBUG */
3510 		  case CMDDBGQSHOW:	/* show queues */
3511 		  case CMDDBGDEBUG:	/* set debug mode */
3512 #endif /* SMTPDEBUG */
3513 		  case CMDLOGBOGUS:	/* bogus command */
3514 			DELAY_CONN("Bogus");
3515 			if (LogLevel > 0)
3516 				sm_syslog(LOG_CRIT, e->e_id,
3517 					  "\"%s\" command from %s (%.100s)",
3518 					  c->cmd_name, CurSmtpClient,
3519 					  anynet_ntoa(&RealHostAddr));
3520 			/* FALLTHROUGH */
3521 
3522 		  case CMDERROR:	/* unknown command */
3523 #if MAXBADCOMMANDS > 0
3524 			if (++n_badcmds > MAXBADCOMMANDS)
3525 			{
3526   stopattack:
3527 				message("421 4.7.0 %s Too many bad commands; closing connection",
3528 					MyHostName);
3529 
3530 				/* arrange to ignore any current send list */
3531 				e->e_sendqueue = NULL;
3532 				goto doquit;
3533 			}
3534 #endif /* MAXBADCOMMANDS > 0 */
3535 
3536 #if MILTER && SMFI_VERSION > 2
3537 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3538 			    !bitset(EF_DISCARD, e->e_flags))
3539 			{
3540 				char state;
3541 				char *response;
3542 
3543 				if (MilterLogLevel > 9)
3544 					sm_syslog(LOG_INFO, e->e_id,
3545 						"Sending \"%s\" to Milter", inp);
3546 				response = milter_unknown(inp, e, &state);
3547 				MILTER_REPLY("unknown");
3548 				if (state == SMFIR_REPLYCODE ||
3549 				    state == SMFIR_REJECT ||
3550 				    state == SMFIR_TEMPFAIL ||
3551 				    state == SMFIR_SHUTDOWN)
3552 				{
3553 					/* MILTER_REPLY already gave an error */
3554 					break;
3555 				}
3556 			}
3557 #endif /* MILTER && SMFI_VERSION > 2 */
3558 
3559 			usrerr("500 5.5.1 Command unrecognized: \"%s\"",
3560 			       shortenstring(inp, MAXSHORTSTR));
3561 			break;
3562 
3563 		  case CMDUNIMPL:
3564 			DELAY_CONN("Unimpl");
3565 			usrerr("502 5.5.1 Command not implemented: \"%s\"",
3566 			       shortenstring(inp, MAXSHORTSTR));
3567 			break;
3568 
3569 		  default:
3570 			DELAY_CONN("default");
3571 			errno = 0;
3572 			syserr("500 5.5.0 smtp: unknown code %d", c->cmd_code);
3573 			break;
3574 		}
3575 #if SASL
3576 		}
3577 #endif /* SASL */
3578 	    }
3579 	    SM_EXCEPT(exc, "[!F]*")
3580 	    {
3581 		/*
3582 		**  The only possible exception is "E:mta.quickabort".
3583 		**  There is nothing to do except fall through and loop.
3584 		*/
3585 	    }
3586 	    SM_END_TRY
3587 	}
3588 }
3589 /*
3590 **  SMTP_DATA -- implement the SMTP DATA command.
3591 **
3592 **	Parameters:
3593 **		smtp -- status of SMTP connection.
3594 **		e -- envelope.
3595 **
3596 **	Returns:
3597 **		true iff SMTP session can continue.
3598 **
3599 **	Side Effects:
3600 **		possibly sends message.
3601 */
3602 
3603 static bool
3604 smtp_data(smtp, e)
3605 	SMTP_T *smtp;
3606 	ENVELOPE *e;
3607 {
3608 #if MILTER
3609 	bool milteraccept;
3610 #endif /* MILTER */
3611 	bool aborting;
3612 	bool doublequeue;
3613 	bool rv = true;
3614 	ADDRESS *a;
3615 	ENVELOPE *ee;
3616 	char *id;
3617 	char *oldid;
3618 	unsigned int features;
3619 	char buf[32];
3620 
3621 	SmtpPhase = "server DATA";
3622 	if (!smtp->sm_gotmail)
3623 	{
3624 		usrerr("503 5.0.0 Need MAIL command");
3625 		return true;
3626 	}
3627 	else if (smtp->sm_nrcpts <= 0)
3628 	{
3629 		usrerr("503 5.0.0 Need RCPT (recipient)");
3630 		return true;
3631 	}
3632 	(void) sm_snprintf(buf, sizeof(buf), "%u", smtp->sm_nrcpts);
3633 	if (rscheck("check_data", buf, NULL, e,
3634 		    RSF_RMCOMM|RSF_UNSTRUCTURED|RSF_COUNT, 3, NULL,
3635 		    e->e_id, NULL, NULL) != EX_OK)
3636 		return true;
3637 
3638 #if MILTER && SMFI_VERSION > 3
3639 	if (smtp->sm_milterlist && smtp->sm_milterize &&
3640 	    !bitset(EF_DISCARD, e->e_flags))
3641 	{
3642 		char state;
3643 		char *response;
3644 		int savelogusrerrs = LogUsrErrs;
3645 
3646 		response = milter_data_cmd(e, &state);
3647 		switch (state)
3648 		{
3649 		  case SMFIR_REPLYCODE:
3650 			if (MilterLogLevel > 3)
3651 			{
3652 				sm_syslog(LOG_INFO, e->e_id,
3653 					  "Milter: cmd=data, reject=%s",
3654 					  response);
3655 				LogUsrErrs = false;
3656 			}
3657 #if _FFR_MILTER_ENHSC
3658 			if (ISSMTPCODE(response))
3659 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
3660 #endif /* _FFR_MILTER_ENHSC */
3661 
3662 			usrerr(response);
3663 			if (strncmp(response, "421 ", 4) == 0
3664 			    || strncmp(response, "421-", 4) == 0)
3665 			{
3666 				e->e_sendqueue = NULL;
3667 				return false;
3668 			}
3669 			return true;
3670 
3671 		  case SMFIR_REJECT:
3672 			if (MilterLogLevel > 3)
3673 			{
3674 				sm_syslog(LOG_INFO, e->e_id,
3675 					  "Milter: cmd=data, reject=550 5.7.1 Command rejected");
3676 				LogUsrErrs = false;
3677 			}
3678 #if _FFR_MILTER_ENHSC
3679 			(void) sm_strlcpy(e->e_enhsc, "5.7.1",
3680 					 sizeof(e->e_enhsc));
3681 #endif /* _FFR_MILTER_ENHSC */
3682 			usrerr("550 5.7.1 Command rejected");
3683 			return true;
3684 
3685 		  case SMFIR_DISCARD:
3686 			if (MilterLogLevel > 3)
3687 				sm_syslog(LOG_INFO, e->e_id,
3688 					  "Milter: cmd=data, discard");
3689 			e->e_flags |= EF_DISCARD;
3690 			break;
3691 
3692 		  case SMFIR_TEMPFAIL:
3693 			if (MilterLogLevel > 3)
3694 			{
3695 				sm_syslog(LOG_INFO, e->e_id,
3696 					  "Milter: cmd=data, reject=%s",
3697 					  MSG_TEMPFAIL);
3698 				LogUsrErrs = false;
3699 			}
3700 #if _FFR_MILTER_ENHSC
3701 			(void) extenhsc(MSG_TEMPFAIL + 4, ' ', e->e_enhsc);
3702 #endif /* _FFR_MILTER_ENHSC */
3703 			usrerr(MSG_TEMPFAIL);
3704 			return true;
3705 
3706 		  case SMFIR_SHUTDOWN:
3707 			if (MilterLogLevel > 3)
3708 			{
3709 				sm_syslog(LOG_INFO, e->e_id,
3710 					  "Milter: cmd=data, reject=421 4.7.0 %s closing connection",
3711 					  MyHostName);
3712 				LogUsrErrs = false;
3713 			}
3714 			usrerr("421 4.7.0 %s closing connection", MyHostName);
3715 			e->e_sendqueue = NULL;
3716 			return false;
3717 		}
3718 		LogUsrErrs = savelogusrerrs;
3719 		if (response != NULL)
3720 			sm_free(response); /* XXX */
3721 	}
3722 #endif /* MILTER && SMFI_VERSION > 3 */
3723 
3724 	/* put back discard bit */
3725 	if (smtp->sm_discard)
3726 		e->e_flags |= EF_DISCARD;
3727 
3728 	/* check to see if we need to re-expand aliases */
3729 	/* also reset QS_BADADDR on already-diagnosted addrs */
3730 	doublequeue = false;
3731 	for (a = e->e_sendqueue; a != NULL; a = a->q_next)
3732 	{
3733 		if (QS_IS_VERIFIED(a->q_state) &&
3734 		    !bitset(EF_DISCARD, e->e_flags))
3735 		{
3736 			/* need to re-expand aliases */
3737 			doublequeue = true;
3738 		}
3739 		if (QS_IS_BADADDR(a->q_state))
3740 		{
3741 			/* make this "go away" */
3742 			a->q_state = QS_DONTSEND;
3743 		}
3744 	}
3745 
3746 	/* collect the text of the message */
3747 	SmtpPhase = "collect";
3748 	buffer_errors();
3749 
3750 	collect(InChannel, true, NULL, e, true);
3751 
3752 	/* redefine message size */
3753 	(void) sm_snprintf(buf, sizeof(buf), "%ld", PRT_NONNEGL(e->e_msgsize));
3754 	macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf);
3755 
3756 	/* rscheck() will set Errors or EF_DISCARD if it trips */
3757 	(void) rscheck("check_eom", buf, NULL, e, RSF_UNSTRUCTURED|RSF_COUNT,
3758 		       3, NULL, e->e_id, NULL, NULL);
3759 
3760 #if MILTER
3761 	milteraccept = true;
3762 	if (smtp->sm_milterlist && smtp->sm_milterize &&
3763 	    Errors <= 0 &&
3764 	    !bitset(EF_DISCARD, e->e_flags))
3765 	{
3766 		char state;
3767 		char *response;
3768 
3769 		response = milter_data(e, &state);
3770 		switch (state)
3771 		{
3772 		  case SMFIR_REPLYCODE:
3773 			if (MilterLogLevel > 3)
3774 				sm_syslog(LOG_INFO, e->e_id,
3775 					  "Milter: data, reject=%s",
3776 					  response);
3777 			milteraccept = false;
3778 #if _FFR_MILTER_ENHSC
3779 			if (ISSMTPCODE(response))
3780 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
3781 #endif /* _FFR_MILTER_ENHSC */
3782 			usrerr(response);
3783 			if (strncmp(response, "421 ", 4) == 0
3784 			    || strncmp(response, "421-", 4) == 0)
3785 				rv = false;
3786 			break;
3787 
3788 		  case SMFIR_REJECT:
3789 			milteraccept = false;
3790 			if (MilterLogLevel > 3)
3791 				sm_syslog(LOG_INFO, e->e_id,
3792 					  "Milter: data, reject=554 5.7.1 Command rejected");
3793 			usrerr("554 5.7.1 Command rejected");
3794 			break;
3795 
3796 		  case SMFIR_DISCARD:
3797 			if (MilterLogLevel > 3)
3798 				sm_syslog(LOG_INFO, e->e_id,
3799 					  "Milter: data, discard");
3800 			milteraccept = false;
3801 			e->e_flags |= EF_DISCARD;
3802 			break;
3803 
3804 		  case SMFIR_TEMPFAIL:
3805 			if (MilterLogLevel > 3)
3806 				sm_syslog(LOG_INFO, e->e_id,
3807 					  "Milter: data, reject=%s",
3808 					  MSG_TEMPFAIL);
3809 			milteraccept = false;
3810 #if _FFR_MILTER_ENHSC
3811 			(void) extenhsc(MSG_TEMPFAIL + 4, ' ', e->e_enhsc);
3812 #endif /* _FFR_MILTER_ENHSC */
3813 			usrerr(MSG_TEMPFAIL);
3814 			break;
3815 
3816 		  case SMFIR_SHUTDOWN:
3817 			if (MilterLogLevel > 3)
3818 				sm_syslog(LOG_INFO, e->e_id,
3819 					  "Milter: data, reject=421 4.7.0 %s closing connection",
3820 					  MyHostName);
3821 			milteraccept = false;
3822 			usrerr("421 4.7.0 %s closing connection", MyHostName);
3823 			rv = false;
3824 			break;
3825 		}
3826 		if (response != NULL)
3827 			sm_free(response);
3828 	}
3829 
3830 	/* Milter may have changed message size */
3831 	(void) sm_snprintf(buf, sizeof(buf), "%ld", PRT_NONNEGL(e->e_msgsize));
3832 	macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf);
3833 
3834 	/* abort message filters that didn't get the body & log msg is OK */
3835 	if (smtp->sm_milterlist && smtp->sm_milterize)
3836 	{
3837 		milter_abort(e);
3838 		if (milteraccept && MilterLogLevel > 9)
3839 			sm_syslog(LOG_INFO, e->e_id, "Milter accept: message");
3840 	}
3841 
3842 	/*
3843 	**  If SuperSafe is SAFE_REALLY_POSTMILTER, and we don't have milter or
3844 	**  milter accepted message, sync it now
3845 	**
3846 	**  XXX This is almost a copy of the code in collect(): put it into
3847 	**	a function that is called from both places?
3848 	*/
3849 
3850 	if (milteraccept && SuperSafe == SAFE_REALLY_POSTMILTER)
3851 	{
3852 		int afd;
3853 		SM_FILE_T *volatile df;
3854 		char *dfname;
3855 
3856 		df = e->e_dfp;
3857 		dfname = queuename(e, DATAFL_LETTER);
3858 		if (sm_io_setinfo(df, SM_BF_COMMIT, NULL) < 0
3859 		    && errno != EINVAL)
3860 		{
3861 			int save_errno;
3862 
3863 			save_errno = errno;
3864 			if (save_errno == EEXIST)
3865 			{
3866 				struct stat st;
3867 				int dfd;
3868 
3869 				if (stat(dfname, &st) < 0)
3870 					st.st_size = -1;
3871 				errno = EEXIST;
3872 				syserr("@collect: bfcommit(%s): already on disk, size=%ld",
3873 				       dfname, (long) st.st_size);
3874 				dfd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL);
3875 				if (dfd >= 0)
3876 					dumpfd(dfd, true, true);
3877 			}
3878 			errno = save_errno;
3879 			dferror(df, "bfcommit", e);
3880 			flush_errors(true);
3881 			finis(save_errno != EEXIST, true, ExitStat);
3882 		}
3883 		else if ((afd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL)) < 0)
3884 		{
3885 			dferror(df, "sm_io_getinfo", e);
3886 			flush_errors(true);
3887 			finis(true, true, ExitStat);
3888 			/* NOTREACHED */
3889 		}
3890 		else if (fsync(afd) < 0)
3891 		{
3892 			dferror(df, "fsync", e);
3893 			flush_errors(true);
3894 			finis(true, true, ExitStat);
3895 			/* NOTREACHED */
3896 		}
3897 		else if (sm_io_close(df, SM_TIME_DEFAULT) < 0)
3898 		{
3899 			dferror(df, "sm_io_close", e);
3900 			flush_errors(true);
3901 			finis(true, true, ExitStat);
3902 			/* NOTREACHED */
3903 		}
3904 
3905 		/* Now reopen the df file */
3906 		e->e_dfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, dfname,
3907 					SM_IO_RDONLY, NULL);
3908 		if (e->e_dfp == NULL)
3909 		{
3910 			/* we haven't acked receipt yet, so just chuck this */
3911 			syserr("@Cannot reopen %s", dfname);
3912 			finis(true, true, ExitStat);
3913 			/* NOTREACHED */
3914 		}
3915 	}
3916 #endif /* MILTER */
3917 
3918 	/* Check if quarantining stats should be updated */
3919 	if (e->e_quarmsg != NULL)
3920 		markstats(e, NULL, STATS_QUARANTINE);
3921 
3922 	/*
3923 	**  If a header/body check (header checks or milter)
3924 	**  set EF_DISCARD, don't queueup the message --
3925 	**  that would lose the EF_DISCARD bit and deliver
3926 	**  the message.
3927 	*/
3928 
3929 	if (bitset(EF_DISCARD, e->e_flags))
3930 		doublequeue = false;
3931 
3932 	aborting = Errors > 0;
3933 	if (!(aborting || bitset(EF_DISCARD, e->e_flags)) &&
3934 	    (QueueMode == QM_QUARANTINE || e->e_quarmsg == NULL) &&
3935 	    !split_by_recipient(e))
3936 		aborting = bitset(EF_FATALERRS, e->e_flags);
3937 
3938 	if (aborting)
3939 	{
3940 		ADDRESS *q;
3941 
3942 		/* Log who the mail would have gone to */
3943 		logundelrcpts(e, e->e_message, 8, false);
3944 
3945 		/*
3946 		**  If something above refused the message, we still haven't
3947 		**  accepted responsibility for it.  Don't send DSNs.
3948 		*/
3949 
3950 		for (q = e->e_sendqueue; q != NULL; q = q->q_next)
3951 			q->q_flags &= ~Q_PINGFLAGS;
3952 
3953 		flush_errors(true);
3954 		buffer_errors();
3955 		goto abortmessage;
3956 	}
3957 
3958 	/* from now on, we have to operate silently */
3959 	buffer_errors();
3960 
3961 #if 0
3962 	/*
3963 	**  Clear message, it may contain an error from the SMTP dialogue.
3964 	**  This error must not show up in the queue.
3965 	**	Some error message should show up, e.g., alias database
3966 	**	not available, but others shouldn't, e.g., from check_rcpt.
3967 	*/
3968 
3969 	e->e_message = NULL;
3970 #endif /* 0 */
3971 
3972 	/*
3973 	**  Arrange to send to everyone.
3974 	**	If sending to multiple people, mail back
3975 	**		errors rather than reporting directly.
3976 	**	In any case, don't mail back errors for
3977 	**		anything that has happened up to
3978 	**		now (the other end will do this).
3979 	**	Truncate our transcript -- the mail has gotten
3980 	**		to us successfully, and if we have
3981 	**		to mail this back, it will be easier
3982 	**		on the reader.
3983 	**	Then send to everyone.
3984 	**	Finally give a reply code.  If an error has
3985 	**		already been given, don't mail a
3986 	**		message back.
3987 	**	We goose error returns by clearing error bit.
3988 	*/
3989 
3990 	SmtpPhase = "delivery";
3991 	(void) sm_io_setinfo(e->e_xfp, SM_BF_TRUNCATE, NULL);
3992 	id = e->e_id;
3993 
3994 #if NAMED_BIND
3995 	_res.retry = TimeOuts.res_retry[RES_TO_FIRST];
3996 	_res.retrans = TimeOuts.res_retrans[RES_TO_FIRST];
3997 #endif /* NAMED_BIND */
3998 
3999 #if _FFR_PROXY
4000 	if (SM_PROXY_REQ == e->e_sendmode)
4001 	{
4002 		/* is proxy mode possible? */
4003 		if (e->e_sibling == NULL && e->e_nrcpts == 1
4004 		    && smtp->sm_nrcpts == 1
4005 		    && (a = e->e_sendqueue) != NULL && a->q_next == NULL)
4006 		{
4007 			a->q_flags &= ~(QPINGONFAILURE|QPINGONSUCCESS|
4008 					QPINGONDELAY);
4009 			e->e_errormode = EM_QUIET;
4010 			e->e_sendmode = SM_PROXY;
4011 		}
4012 		else
4013 		{
4014 			if (tTd(87, 2))
4015 			{
4016 				a = e->e_sendqueue;
4017 				sm_dprintf("srv: mode=%c, e=%p, sibling=%p, nrcpts=%d, sm_nrcpts=%d, sendqueue=%p, next=%p\n",
4018 				e->e_sendmode, e, e->e_sibling, e->e_nrcpts,
4019 				smtp->sm_nrcpts, a,
4020 				(a == NULL) ? (void *)0 : a->q_next);
4021 			}
4022 
4023 			/* switch to interactive mode */
4024 			e->e_sendmode = SM_DELIVER;
4025 			if (LogLevel > 9)
4026 				sm_syslog(LOG_DEBUG, e->e_id,
4027 					  "proxy mode requested but not possible");
4028 		}
4029 	}
4030 #endif /* _FFR_PROXY */
4031 
4032 	for (ee = e; ee != NULL; ee = ee->e_sibling)
4033 	{
4034 		/* make sure we actually do delivery */
4035 		ee->e_flags &= ~EF_CLRQUEUE;
4036 
4037 		/* from now on, operate silently */
4038 		ee->e_errormode = EM_MAIL;
4039 
4040 		if (doublequeue)
4041 		{
4042 			/* make sure it is in the queue */
4043 			queueup(ee, false, true);
4044 		}
4045 		else
4046 		{
4047 			int mode;
4048 
4049 			/* send to all recipients */
4050 			mode = SM_DEFAULT;
4051 #if _FFR_DM_ONE
4052 			if (SM_DM_ONE == e->e_sendmode)
4053 			{
4054 				if (NotFirstDelivery)
4055 				{
4056 					mode = SM_QUEUE;
4057 					e->e_sendmode = SM_QUEUE;
4058 				}
4059 				else
4060 				{
4061 					mode = SM_FORK;
4062 					NotFirstDelivery = true;
4063 				}
4064 			}
4065 #endif /* _FFR_DM_ONE */
4066 			sendall(ee, mode);
4067 		}
4068 		ee->e_to = NULL;
4069 	}
4070 
4071 	/* put back id for SMTP logging in putoutmsg() */
4072 	oldid = CurEnv->e_id;
4073 	CurEnv->e_id = id;
4074 
4075 #if _FFR_PROXY
4076 	a = e->e_sendqueue;
4077 	if (tTd(87, 1))
4078 	{
4079 		sm_dprintf("srv: mode=%c, e=%p, sibling=%p, nrcpts=%d, msg=%s, sendqueue=%p, next=%p, state=%d, SmtpError=%s, rcode=%d, renhsc=%s, text=%s\n",
4080 		e->e_sendmode, e, e->e_sibling, e->e_nrcpts, e->e_message, a,
4081 		(a == NULL) ? (void *)0 : a->q_next,
4082 		(a == NULL) ? -1 : a->q_state, SmtpError, e->e_rcode,
4083 		e->e_renhsc, e->e_text);
4084 	}
4085 
4086 	if (SM_PROXY == e->e_sendmode && a->q_state != QS_SENT &&
4087 	    a->q_state != QS_VERIFIED) /* discarded! */
4088 	{
4089 		char *m, *errtext;
4090 		char replycode[4];
4091 		char enhsc[10];
4092 		int offset;
4093 
4094 #define NN_MSG(e)	(((e)->e_message != NULL) ? (e)->e_message : "")
4095 		m = e->e_message;
4096 #define SM_MSG_DEFERRED "Deferred: "
4097 		if (m != NULL && strncmp(SM_MSG_DEFERRED, m,
4098 					 sizeof(SM_MSG_DEFERRED) - 1) == 0)
4099 			m += sizeof(SM_MSG_DEFERRED) - 1;
4100 		offset = extsc(m, ' ', replycode, enhsc);
4101 
4102 		if (tTd(87, 2))
4103 		{
4104 			sm_dprintf("srv: SmtpError=%s, rcode=%d, renhsc=%s, replycode=%s, enhsc=%s, offset=%d\n",
4105 				SmtpError, e->e_rcode, e->e_renhsc,
4106 				replycode, enhsc, offset);
4107 		}
4108 
4109 #define DIG2CHAR(d)	((d) + '0')
4110 		if (e->e_rcode != 0 && (replycode[0] == '\0' ||
4111 		    replycode[0] == DIG2CHAR(REPLYTYPE(e->e_rcode))))
4112 		{
4113 			replycode[0] = DIG2CHAR(REPLYTYPE(e->e_rcode));
4114 			replycode[1] = DIG2CHAR(REPLYCLASS(e->e_rcode));
4115 			replycode[2] = DIG2CHAR(REPLYMINOR(e->e_rcode));
4116 			replycode[3] = '\0';
4117 			if (e->e_renhsc[0] == replycode[0])
4118 				sm_strlcpy(enhsc, e->e_renhsc, sizeof(enhsc));
4119 			if (offset < 0)
4120 				offset = 0;
4121 		}
4122 		if (e->e_text != NULL)
4123 		{
4124 			(void) strreplnonprt(e->e_text, '_');
4125 			errtext = e->e_text;
4126 		}
4127 		else
4128 			errtext = m + offset;
4129 
4130 		if (replycode[0] != '\0' && enhsc[0] != '\0')
4131 			emessage(replycode, enhsc, "%s", errtext);
4132 		else if (replycode[0] != '\0')
4133 			emessage(replycode, smtptodsn(atoi(replycode)),
4134 				 "%s", errtext);
4135 		else if (QS_IS_TEMPFAIL(a->q_state))
4136 		{
4137 			if (m != NULL)
4138 				message("450 4.5.1 %s", m);
4139 			else
4140 				message("450 4.5.1 Temporary error");
4141 		}
4142 		else
4143 		{
4144 			if (m != NULL)
4145 				message("550 5.5.1 %s", m);
4146 			else
4147 				message("550 5.0.0 Permanent error");
4148 		}
4149 	}
4150 	else
4151 	{
4152 #endif /* _FFR_PROXY */
4153 		/* issue success message */
4154 #if _FFR_MSG_ACCEPT
4155 		if (MessageAccept != NULL && *MessageAccept != '\0')
4156 		{
4157 			char msg[MAXLINE];
4158 
4159 			expand(MessageAccept, msg, sizeof(msg), e);
4160 			message("250 2.0.0 %s", msg);
4161 		}
4162 		else
4163 #endif /* _FFR_MSG_ACCEPT */
4164 		message("250 2.0.0 %s Message accepted for delivery", id);
4165 #if _FFR_PROXY
4166 	}
4167 #endif /* _FFR_PROXY */
4168 	CurEnv->e_id = oldid;
4169 
4170 	/* if we just queued, poke it */
4171 	if (doublequeue)
4172 	{
4173 		bool anything_to_send = false;
4174 
4175 		sm_getla();
4176 		for (ee = e; ee != NULL; ee = ee->e_sibling)
4177 		{
4178 			if (WILL_BE_QUEUED(ee->e_sendmode))
4179 				continue;
4180 			if (shouldqueue(ee->e_msgpriority, ee->e_ctime))
4181 			{
4182 				ee->e_sendmode = SM_QUEUE;
4183 				continue;
4184 			}
4185 			else if (QueueMode != QM_QUARANTINE &&
4186 				 ee->e_quarmsg != NULL)
4187 			{
4188 				ee->e_sendmode = SM_QUEUE;
4189 				continue;
4190 			}
4191 			anything_to_send = true;
4192 
4193 			/* close all the queue files */
4194 			closexscript(ee);
4195 			if (ee->e_dfp != NULL)
4196 			{
4197 				(void) sm_io_close(ee->e_dfp, SM_TIME_DEFAULT);
4198 				ee->e_dfp = NULL;
4199 			}
4200 			unlockqueue(ee);
4201 		}
4202 		if (anything_to_send)
4203 		{
4204 #if PIPELINING
4205 			/*
4206 			**  XXX if we don't do this, we get 250 twice
4207 			**	because it is also flushed in the child.
4208 			*/
4209 
4210 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
4211 #endif /* PIPELINING */
4212 			(void) doworklist(e, true, true);
4213 		}
4214 	}
4215 
4216   abortmessage:
4217 	if (tTd(92, 2))
4218 		sm_dprintf("abortmessage: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",
4219 			e->e_id, bitset(EF_LOGSENDER, e->e_flags), LogLevel);
4220 	if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))
4221 		logsender(e, NULL);
4222 	e->e_flags &= ~EF_LOGSENDER;
4223 
4224 	/* clean up a bit */
4225 	smtp->sm_gotmail = false;
4226 
4227 	/*
4228 	**  Call dropenvelope if and only if the envelope is *not*
4229 	**  being processed by the child process forked by doworklist().
4230 	*/
4231 
4232 	if (aborting || bitset(EF_DISCARD, e->e_flags))
4233 		(void) dropenvelope(e, true, false);
4234 	else
4235 	{
4236 		for (ee = e; ee != NULL; ee = ee->e_sibling)
4237 		{
4238 			if (!doublequeue &&
4239 			    QueueMode != QM_QUARANTINE &&
4240 			    ee->e_quarmsg != NULL)
4241 			{
4242 				(void) dropenvelope(ee, true, false);
4243 				continue;
4244 			}
4245 			if (WILL_BE_QUEUED(ee->e_sendmode))
4246 				(void) dropenvelope(ee, true, false);
4247 		}
4248 	}
4249 
4250 	CurEnv = e;
4251 	features = e->e_features;
4252 	sm_rpool_free(e->e_rpool);
4253 	newenvelope(e, e, sm_rpool_new_x(NULL));
4254 	e->e_flags = BlankEnvelope.e_flags;
4255 	e->e_features = features;
4256 
4257 	/* restore connection quarantining */
4258 	if (smtp->sm_quarmsg == NULL)
4259 	{
4260 		e->e_quarmsg = NULL;
4261 		macdefine(&e->e_macro, A_PERM, macid("{quarantine}"), "");
4262 	}
4263 	else
4264 	{
4265 		e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool, smtp->sm_quarmsg);
4266 		macdefine(&e->e_macro, A_PERM,
4267 			  macid("{quarantine}"), e->e_quarmsg);
4268 	}
4269 	return rv;
4270 }
4271 /*
4272 **  LOGUNDELRCPTS -- log undelivered (or all) recipients.
4273 **
4274 **	Parameters:
4275 **		e -- envelope.
4276 **		msg -- message for Stat=
4277 **		level -- log level.
4278 **		all -- log all recipients.
4279 **
4280 **	Returns:
4281 **		none.
4282 **
4283 **	Side Effects:
4284 **		logs undelivered (or all) recipients
4285 */
4286 
4287 void
4288 logundelrcpts(e, msg, level, all)
4289 	ENVELOPE *e;
4290 	char *msg;
4291 	int level;
4292 	bool all;
4293 {
4294 	ADDRESS *a;
4295 
4296 	if (LogLevel <= level || msg == NULL || *msg == '\0')
4297 		return;
4298 
4299 	/* Clear $h so relay= doesn't get mislogged by logdelivery() */
4300 	macdefine(&e->e_macro, A_PERM, 'h', NULL);
4301 
4302 	/* Log who the mail would have gone to */
4303 	for (a = e->e_sendqueue; a != NULL; a = a->q_next)
4304 	{
4305 		if (!QS_IS_UNDELIVERED(a->q_state) && !all)
4306 			continue;
4307 		e->e_to = a->q_paddr;
4308 		logdelivery(NULL, NULL,
4309 #if _FFR_MILTER_ENHSC
4310 			    (a->q_status == NULL && e->e_enhsc[0] != '\0')
4311 			    ? e->e_enhsc :
4312 #endif /* _FFR_MILTER_ENHSC */
4313 			    a->q_status,
4314 			    msg, NULL, (time_t) 0, e, a, EX_OK /* ??? */);
4315 	}
4316 	e->e_to = NULL;
4317 }
4318 /*
4319 **  CHECKSMTPATTACK -- check for denial-of-service attack by repetition
4320 **
4321 **	Parameters:
4322 **		pcounter -- pointer to a counter for this command.
4323 **		maxcount -- maximum value for this counter before we
4324 **			slow down.
4325 **		waitnow -- sleep now (in this routine)?
4326 **		cname -- command name for logging.
4327 **		e -- the current envelope.
4328 **
4329 **	Returns:
4330 **		time to wait,
4331 **		STOP_ATTACK if twice as many commands as allowed and
4332 **			MaxChildren > 0.
4333 **
4334 **	Side Effects:
4335 **		Slows down if we seem to be under attack.
4336 */
4337 
4338 static time_t
4339 checksmtpattack(pcounter, maxcount, waitnow, cname, e)
4340 	volatile unsigned int *pcounter;
4341 	unsigned int maxcount;
4342 	bool waitnow;
4343 	char *cname;
4344 	ENVELOPE *e;
4345 {
4346 	if (maxcount <= 0)	/* no limit */
4347 		return (time_t) 0;
4348 
4349 	if (++(*pcounter) >= maxcount)
4350 	{
4351 		unsigned int shift;
4352 		time_t s;
4353 
4354 		if (*pcounter == maxcount && LogLevel > 5)
4355 		{
4356 			sm_syslog(LOG_INFO, e->e_id,
4357 				  "%s: possible SMTP attack: command=%.40s, count=%u",
4358 				  CurSmtpClient, cname, *pcounter);
4359 		}
4360 		shift = *pcounter - maxcount;
4361 		s = 1 << shift;
4362 		if (shift > MAXSHIFT || s >= MAXTIMEOUT || s <= 0)
4363 			s = MAXTIMEOUT;
4364 
4365 #define IS_ATTACK(s)	((MaxChildren > 0 && *pcounter >= maxcount * 2)	\
4366 				? STOP_ATTACK : (time_t) s)
4367 
4368 		/* sleep at least 1 second before returning */
4369 		(void) sleep(*pcounter / maxcount);
4370 		s -= *pcounter / maxcount;
4371 		if (s >= MAXTIMEOUT || s < 0)
4372 			s = MAXTIMEOUT;
4373 		if (waitnow && s > 0)
4374 		{
4375 			(void) sleep(s);
4376 			return IS_ATTACK(0);
4377 		}
4378 		return IS_ATTACK(s);
4379 	}
4380 	return (time_t) 0;
4381 }
4382 /*
4383 **  SETUP_SMTPD_IO -- setup I/O fd correctly for the SMTP server
4384 **
4385 **	Parameters:
4386 **		none.
4387 **
4388 **	Returns:
4389 **		nothing.
4390 **
4391 **	Side Effects:
4392 **		may change I/O fd.
4393 */
4394 
4395 static void
4396 setup_smtpd_io()
4397 {
4398 	int inchfd, outchfd, outfd;
4399 
4400 	inchfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
4401 	outchfd  = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL);
4402 	outfd = sm_io_getinfo(smioout, SM_IO_WHAT_FD, NULL);
4403 	if (outchfd != outfd)
4404 	{
4405 		/* arrange for debugging output to go to remote host */
4406 		(void) dup2(outchfd, outfd);
4407 	}
4408 
4409 	/*
4410 	**  if InChannel and OutChannel are stdin/stdout
4411 	**  and connected to ttys
4412 	**  and fcntl(STDIN, F_SETFL, O_NONBLOCKING) also changes STDOUT,
4413 	**  then "chain" them together.
4414 	*/
4415 
4416 	if (inchfd == STDIN_FILENO && outchfd == STDOUT_FILENO &&
4417 	    isatty(inchfd) && isatty(outchfd))
4418 	{
4419 		int inmode, outmode;
4420 
4421 		inmode = fcntl(inchfd, F_GETFL, 0);
4422 		if (inmode == -1)
4423 		{
4424 			if (LogLevel > 11)
4425 				sm_syslog(LOG_INFO, NOQID,
4426 					"fcntl(inchfd, F_GETFL) failed: %s",
4427 					sm_errstring(errno));
4428 			return;
4429 		}
4430 		outmode = fcntl(outchfd, F_GETFL, 0);
4431 		if (outmode == -1)
4432 		{
4433 			if (LogLevel > 11)
4434 				sm_syslog(LOG_INFO, NOQID,
4435 					"fcntl(outchfd, F_GETFL) failed: %s",
4436 					sm_errstring(errno));
4437 			return;
4438 		}
4439 		if (bitset(O_NONBLOCK, inmode) ||
4440 		    bitset(O_NONBLOCK, outmode) ||
4441 		    fcntl(inchfd, F_SETFL, inmode | O_NONBLOCK) == -1)
4442 			return;
4443 		outmode = fcntl(outchfd, F_GETFL, 0);
4444 		if (outmode != -1 && bitset(O_NONBLOCK, outmode))
4445 		{
4446 			/* changing InChannel also changes OutChannel */
4447 			sm_io_automode(OutChannel, InChannel);
4448 			if (tTd(97, 4) && LogLevel > 9)
4449 				sm_syslog(LOG_INFO, NOQID,
4450 					  "set automode for I (%d)/O (%d) in SMTP server",
4451 					  inchfd, outchfd);
4452 		}
4453 
4454 		/* undo change of inchfd */
4455 		(void) fcntl(inchfd, F_SETFL, inmode);
4456 	}
4457 }
4458 /*
4459 **  SKIPWORD -- skip a fixed word.
4460 **
4461 **	Parameters:
4462 **		p -- place to start looking.
4463 **		w -- word to skip.
4464 **
4465 **	Returns:
4466 **		p following w.
4467 **		NULL on error.
4468 **
4469 **	Side Effects:
4470 **		clobbers the p data area.
4471 */
4472 
4473 static char *
4474 skipword(p, w)
4475 	register char *volatile p;
4476 	char *w;
4477 {
4478 	register char *q;
4479 	char *firstp = p;
4480 
4481 	/* find beginning of word */
4482 	SKIP_SPACE(p);
4483 	q = p;
4484 
4485 	/* find end of word */
4486 	while (*p != '\0' && *p != ':' && !(isascii(*p) && isspace(*p)))
4487 		p++;
4488 	while (isascii(*p) && isspace(*p))
4489 		*p++ = '\0';
4490 	if (*p != ':')
4491 	{
4492 	  syntax:
4493 		usrerr("501 5.5.2 Syntax error in parameters scanning \"%s\"",
4494 			shortenstring(firstp, MAXSHORTSTR));
4495 		return NULL;
4496 	}
4497 	*p++ = '\0';
4498 	SKIP_SPACE(p);
4499 
4500 	if (*p == '\0')
4501 		goto syntax;
4502 
4503 	/* see if the input word matches desired word */
4504 	if (sm_strcasecmp(q, w))
4505 		goto syntax;
4506 
4507 	return p;
4508 }
4509 
4510 /*
4511 **  RESET_MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line
4512 **
4513 **	Parameters:
4514 **		e -- the envelope.
4515 **
4516 **	Returns:
4517 **		none.
4518 */
4519 
4520 void
4521 reset_mail_esmtp_args(e)
4522 	ENVELOPE *e;
4523 {
4524 	/* "size": no reset */
4525 
4526 	/* "body" */
4527 	SevenBitInput = SevenBitInput_Saved;
4528 	e->e_bodytype = NULL;
4529 
4530 	/* "envid" */
4531 	e->e_envid = NULL;
4532 	macdefine(&e->e_macro, A_PERM, macid("{dsn_envid}"), NULL);
4533 
4534 	/* "ret" */
4535 	e->e_flags &= ~(EF_RET_PARAM|EF_NO_BODY_RETN);
4536 	macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), NULL);
4537 
4538 #if SASL
4539 	/* "auth" */
4540 	macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"), NULL);
4541 	e->e_auth_param = "";
4542 # if _FFR_AUTH_PASSING
4543 	macdefine(&BlankEnvelope.e_macro, A_PERM,
4544 				  macid("{auth_author}"), NULL);
4545 # endif /* _FFR_AUTH_PASSING */
4546 #endif /* SASL */
4547 
4548 	/* "by" */
4549 	e->e_deliver_by = 0;
4550 	e->e_dlvr_flag = 0;
4551 }
4552 
4553 /*
4554 **  MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line
4555 **
4556 **	Parameters:
4557 **		a -- address (unused, for compatibility with rcpt_esmtp_args)
4558 **		kp -- the parameter key.
4559 **		vp -- the value of that parameter.
4560 **		e -- the envelope.
4561 **
4562 **	Returns:
4563 **		none.
4564 */
4565 
4566 void
4567 mail_esmtp_args(a, kp, vp, e)
4568 	ADDRESS *a;
4569 	char *kp;
4570 	char *vp;
4571 	ENVELOPE *e;
4572 {
4573 	if (sm_strcasecmp(kp, "size") == 0)
4574 	{
4575 		if (vp == NULL)
4576 		{
4577 			usrerr("501 5.5.2 SIZE requires a value");
4578 			/* NOTREACHED */
4579 		}
4580 		macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), vp);
4581 		errno = 0;
4582 		e->e_msgsize = strtol(vp, (char **) NULL, 10);
4583 		if (e->e_msgsize == LONG_MAX && errno == ERANGE)
4584 		{
4585 			usrerr("552 5.2.3 Message size exceeds maximum value");
4586 			/* NOTREACHED */
4587 		}
4588 		if (e->e_msgsize < 0)
4589 		{
4590 			usrerr("552 5.2.3 Message size invalid");
4591 			/* NOTREACHED */
4592 		}
4593 	}
4594 	else if (sm_strcasecmp(kp, "body") == 0)
4595 	{
4596 		if (vp == NULL)
4597 		{
4598 			usrerr("501 5.5.2 BODY requires a value");
4599 			/* NOTREACHED */
4600 		}
4601 		else if (sm_strcasecmp(vp, "8bitmime") == 0)
4602 		{
4603 			SevenBitInput = false;
4604 		}
4605 		else if (sm_strcasecmp(vp, "7bit") == 0)
4606 		{
4607 			SevenBitInput = true;
4608 		}
4609 		else
4610 		{
4611 			usrerr("501 5.5.4 Unknown BODY type %s", vp);
4612 			/* NOTREACHED */
4613 		}
4614 		e->e_bodytype = sm_rpool_strdup_x(e->e_rpool, vp);
4615 	}
4616 	else if (sm_strcasecmp(kp, "envid") == 0)
4617 	{
4618 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4619 		{
4620 			usrerr("504 5.7.0 Sorry, ENVID not supported, we do not allow DSN");
4621 			/* NOTREACHED */
4622 		}
4623 		if (vp == NULL)
4624 		{
4625 			usrerr("501 5.5.2 ENVID requires a value");
4626 			/* NOTREACHED */
4627 		}
4628 		if (!xtextok(vp))
4629 		{
4630 			usrerr("501 5.5.4 Syntax error in ENVID parameter value");
4631 			/* NOTREACHED */
4632 		}
4633 		if (e->e_envid != NULL)
4634 		{
4635 			usrerr("501 5.5.0 Duplicate ENVID parameter");
4636 			/* NOTREACHED */
4637 		}
4638 		e->e_envid = sm_rpool_strdup_x(e->e_rpool, vp);
4639 		macdefine(&e->e_macro, A_PERM,
4640 			macid("{dsn_envid}"), e->e_envid);
4641 	}
4642 	else if (sm_strcasecmp(kp, "ret") == 0)
4643 	{
4644 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4645 		{
4646 			usrerr("504 5.7.0 Sorry, RET not supported, we do not allow DSN");
4647 			/* NOTREACHED */
4648 		}
4649 		if (vp == NULL)
4650 		{
4651 			usrerr("501 5.5.2 RET requires a value");
4652 			/* NOTREACHED */
4653 		}
4654 		if (bitset(EF_RET_PARAM, e->e_flags))
4655 		{
4656 			usrerr("501 5.5.0 Duplicate RET parameter");
4657 			/* NOTREACHED */
4658 		}
4659 		e->e_flags |= EF_RET_PARAM;
4660 		if (sm_strcasecmp(vp, "hdrs") == 0)
4661 			e->e_flags |= EF_NO_BODY_RETN;
4662 		else if (sm_strcasecmp(vp, "full") != 0)
4663 		{
4664 			usrerr("501 5.5.2 Bad argument \"%s\" to RET", vp);
4665 			/* NOTREACHED */
4666 		}
4667 		macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), vp);
4668 	}
4669 #if SASL
4670 	else if (sm_strcasecmp(kp, "auth") == 0)
4671 	{
4672 		int len;
4673 		char *q;
4674 		char *auth_param;	/* the value of the AUTH=x */
4675 		bool saveQuickAbort = QuickAbort;
4676 		bool saveSuprErrs = SuprErrs;
4677 		bool saveExitStat = ExitStat;
4678 
4679 		if (vp == NULL)
4680 		{
4681 			usrerr("501 5.5.2 AUTH= requires a value");
4682 			/* NOTREACHED */
4683 		}
4684 		if (e->e_auth_param != NULL)
4685 		{
4686 			usrerr("501 5.5.0 Duplicate AUTH parameter");
4687 			/* NOTREACHED */
4688 		}
4689 		if ((q = strchr(vp, ' ')) != NULL)
4690 			len = q - vp + 1;
4691 		else
4692 			len = strlen(vp) + 1;
4693 		auth_param = xalloc(len);
4694 		(void) sm_strlcpy(auth_param, vp, len);
4695 		if (!xtextok(auth_param))
4696 		{
4697 			usrerr("501 5.5.4 Syntax error in AUTH parameter value");
4698 			/* just a warning? */
4699 			/* NOTREACHED */
4700 		}
4701 
4702 		/* XXX define this always or only if trusted? */
4703 		macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"),
4704 			  auth_param);
4705 
4706 		/*
4707 		**  call Strust_auth to find out whether
4708 		**  auth_param is acceptable (trusted)
4709 		**  we shouldn't trust it if not authenticated
4710 		**  (required by RFC, leave it to ruleset?)
4711 		*/
4712 
4713 		SuprErrs = true;
4714 		QuickAbort = false;
4715 		if (strcmp(auth_param, "<>") != 0 &&
4716 		     (rscheck("trust_auth", auth_param, NULL, e, RSF_RMCOMM, 9,
4717 			      NULL, NOQID, NULL, NULL) != EX_OK || Errors > 0))
4718 		{
4719 			if (tTd(95, 8))
4720 			{
4721 				q = e->e_auth_param;
4722 				sm_dprintf("auth=\"%.100s\" not trusted user=\"%.100s\"\n",
4723 					auth_param, (q == NULL) ? "" : q);
4724 			}
4725 
4726 			/* not trusted */
4727 			e->e_auth_param = "<>";
4728 # if _FFR_AUTH_PASSING
4729 			macdefine(&BlankEnvelope.e_macro, A_PERM,
4730 				  macid("{auth_author}"), NULL);
4731 # endif /* _FFR_AUTH_PASSING */
4732 		}
4733 		else
4734 		{
4735 			if (tTd(95, 8))
4736 				sm_dprintf("auth=\"%.100s\" trusted\n", auth_param);
4737 			e->e_auth_param = sm_rpool_strdup_x(e->e_rpool,
4738 							    auth_param);
4739 		}
4740 		sm_free(auth_param); /* XXX */
4741 
4742 		/* reset values */
4743 		Errors = 0;
4744 		QuickAbort = saveQuickAbort;
4745 		SuprErrs = saveSuprErrs;
4746 		ExitStat = saveExitStat;
4747 	}
4748 #endif /* SASL */
4749 #define PRTCHAR(c)	((isascii(c) && isprint(c)) ? (c) : '?')
4750 
4751 	/*
4752 	**  "by" is only accepted if DeliverByMin >= 0.
4753 	**  We maybe could add this to the list of server_features.
4754 	*/
4755 
4756 	else if (sm_strcasecmp(kp, "by") == 0 && DeliverByMin >= 0)
4757 	{
4758 		char *s;
4759 
4760 		if (vp == NULL)
4761 		{
4762 			usrerr("501 5.5.2 BY= requires a value");
4763 			/* NOTREACHED */
4764 		}
4765 		errno = 0;
4766 		e->e_deliver_by = strtol(vp, &s, 10);
4767 		if (e->e_deliver_by == LONG_MIN ||
4768 		    e->e_deliver_by == LONG_MAX ||
4769 		    e->e_deliver_by > 999999999l ||
4770 		    e->e_deliver_by < -999999999l)
4771 		{
4772 			usrerr("501 5.5.2 BY=%s out of range", vp);
4773 			/* NOTREACHED */
4774 		}
4775 		if (s == NULL || *s != ';')
4776 		{
4777 			usrerr("501 5.5.2 BY= missing ';'");
4778 			/* NOTREACHED */
4779 		}
4780 		e->e_dlvr_flag = 0;
4781 		++s;	/* XXX: spaces allowed? */
4782 		SKIP_SPACE(s);
4783 		switch (tolower(*s))
4784 		{
4785 		  case 'n':
4786 			e->e_dlvr_flag = DLVR_NOTIFY;
4787 			break;
4788 		  case 'r':
4789 			e->e_dlvr_flag = DLVR_RETURN;
4790 			if (e->e_deliver_by <= 0)
4791 			{
4792 				usrerr("501 5.5.4 mode R requires BY time > 0");
4793 				/* NOTREACHED */
4794 			}
4795 			if (DeliverByMin > 0 && e->e_deliver_by > 0 &&
4796 			    e->e_deliver_by < DeliverByMin)
4797 			{
4798 				usrerr("555 5.5.2 time %ld less than %ld",
4799 					e->e_deliver_by, (long) DeliverByMin);
4800 				/* NOTREACHED */
4801 			}
4802 			break;
4803 		  default:
4804 			usrerr("501 5.5.2 illegal by-mode '%c'", PRTCHAR(*s));
4805 			/* NOTREACHED */
4806 		}
4807 		++s;	/* XXX: spaces allowed? */
4808 		SKIP_SPACE(s);
4809 		switch (tolower(*s))
4810 		{
4811 		  case 't':
4812 			e->e_dlvr_flag |= DLVR_TRACE;
4813 			break;
4814 		  case '\0':
4815 			break;
4816 		  default:
4817 			usrerr("501 5.5.2 illegal by-trace '%c'", PRTCHAR(*s));
4818 			/* NOTREACHED */
4819 		}
4820 
4821 		/* XXX: check whether more characters follow? */
4822 	}
4823 	else
4824 	{
4825 		usrerr("555 5.5.4 %s parameter unrecognized", kp);
4826 		/* NOTREACHED */
4827 	}
4828 }
4829 
4830 /*
4831 **  RCPT_ESMTP_ARGS -- process ESMTP arguments from RCPT line
4832 **
4833 **	Parameters:
4834 **		a -- the address corresponding to the To: parameter.
4835 **		kp -- the parameter key.
4836 **		vp -- the value of that parameter.
4837 **		e -- the envelope.
4838 **
4839 **	Returns:
4840 **		none.
4841 */
4842 
4843 void
4844 rcpt_esmtp_args(a, kp, vp, e)
4845 	ADDRESS *a;
4846 	char *kp;
4847 	char *vp;
4848 	ENVELOPE *e;
4849 {
4850 	if (sm_strcasecmp(kp, "notify") == 0)
4851 	{
4852 		char *p;
4853 
4854 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4855 		{
4856 			usrerr("504 5.7.0 Sorry, NOTIFY not supported, we do not allow DSN");
4857 			/* NOTREACHED */
4858 		}
4859 		if (vp == NULL)
4860 		{
4861 			usrerr("501 5.5.2 NOTIFY requires a value");
4862 			/* NOTREACHED */
4863 		}
4864 		a->q_flags &= ~(QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY);
4865 		a->q_flags |= QHASNOTIFY;
4866 		macdefine(&e->e_macro, A_TEMP, macid("{dsn_notify}"), vp);
4867 
4868 		if (sm_strcasecmp(vp, "never") == 0)
4869 			return;
4870 		for (p = vp; p != NULL; vp = p)
4871 		{
4872 			char *s;
4873 
4874 			s = p = strchr(p, ',');
4875 			if (p != NULL)
4876 				*p++ = '\0';
4877 			if (sm_strcasecmp(vp, "success") == 0)
4878 				a->q_flags |= QPINGONSUCCESS;
4879 			else if (sm_strcasecmp(vp, "failure") == 0)
4880 				a->q_flags |= QPINGONFAILURE;
4881 			else if (sm_strcasecmp(vp, "delay") == 0)
4882 				a->q_flags |= QPINGONDELAY;
4883 			else
4884 			{
4885 				usrerr("501 5.5.4 Bad argument \"%s\"  to NOTIFY",
4886 					vp);
4887 				/* NOTREACHED */
4888 			}
4889 			if (s != NULL)
4890 				*s = ',';
4891 		}
4892 	}
4893 	else if (sm_strcasecmp(kp, "orcpt") == 0)
4894 	{
4895 		char *p;
4896 
4897 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4898 		{
4899 			usrerr("504 5.7.0 Sorry, ORCPT not supported, we do not allow DSN");
4900 			/* NOTREACHED */
4901 		}
4902 		if (vp == NULL)
4903 		{
4904 			usrerr("501 5.5.2 ORCPT requires a value");
4905 			/* NOTREACHED */
4906 		}
4907 		if (a->q_orcpt != NULL)
4908 		{
4909 			usrerr("501 5.5.0 Duplicate ORCPT parameter");
4910 			/* NOTREACHED */
4911 		}
4912 		p = strchr(vp, ';');
4913 		if (p == NULL)
4914 		{
4915 			usrerr("501 5.5.4 Syntax error in ORCPT parameter value");
4916 			/* NOTREACHED */
4917 		}
4918 		*p = '\0';
4919 		if (!isatom(vp) || !xtextok(p + 1))
4920 		{
4921 			*p = ';';
4922 			usrerr("501 5.5.4 Syntax error in ORCPT parameter value");
4923 			/* NOTREACHED */
4924 		}
4925 		*p = ';';
4926 		a->q_orcpt = sm_rpool_strdup_x(e->e_rpool, vp);
4927 	}
4928 	else
4929 	{
4930 		usrerr("555 5.5.4 %s parameter unrecognized", kp);
4931 		/* NOTREACHED */
4932 	}
4933 }
4934 /*
4935 **  PRINTVRFYADDR -- print an entry in the verify queue
4936 **
4937 **	Parameters:
4938 **		a -- the address to print.
4939 **		last -- set if this is the last one.
4940 **		vrfy -- set if this is a VRFY command.
4941 **
4942 **	Returns:
4943 **		none.
4944 **
4945 **	Side Effects:
4946 **		Prints the appropriate 250 codes.
4947 */
4948 #define OFFF	(3 + 1 + 5 + 1)	/* offset in fmt: SMTP reply + enh. code */
4949 
4950 static void
4951 printvrfyaddr(a, last, vrfy)
4952 	register ADDRESS *a;
4953 	bool last;
4954 	bool vrfy;
4955 {
4956 	char fmtbuf[30];
4957 
4958 	if (vrfy && a->q_mailer != NULL &&
4959 	    !bitnset(M_VRFY250, a->q_mailer->m_flags))
4960 		(void) sm_strlcpy(fmtbuf, "252", sizeof(fmtbuf));
4961 	else
4962 		(void) sm_strlcpy(fmtbuf, "250", sizeof(fmtbuf));
4963 	fmtbuf[3] = last ? ' ' : '-';
4964 	(void) sm_strlcpy(&fmtbuf[4], "2.1.5 ", sizeof(fmtbuf) - 4);
4965 	if (a->q_fullname == NULL)
4966 	{
4967 		if ((a->q_mailer == NULL ||
4968 		     a->q_mailer->m_addrtype == NULL ||
4969 		     sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) &&
4970 		    strchr(a->q_user, '@') == NULL)
4971 			(void) sm_strlcpy(&fmtbuf[OFFF], "<%s@%s>",
4972 				       sizeof(fmtbuf) - OFFF);
4973 		else
4974 			(void) sm_strlcpy(&fmtbuf[OFFF], "<%s>",
4975 				       sizeof(fmtbuf) - OFFF);
4976 		message(fmtbuf, a->q_user, MyHostName);
4977 	}
4978 	else
4979 	{
4980 		if ((a->q_mailer == NULL ||
4981 		     a->q_mailer->m_addrtype == NULL ||
4982 		     sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) &&
4983 		    strchr(a->q_user, '@') == NULL)
4984 			(void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s@%s>",
4985 				       sizeof(fmtbuf) - OFFF);
4986 		else
4987 			(void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s>",
4988 				       sizeof(fmtbuf) - OFFF);
4989 		message(fmtbuf, a->q_fullname, a->q_user, MyHostName);
4990 	}
4991 }
4992 
4993 #if SASL
4994 /*
4995 **  SASLMECHS -- get list of possible AUTH mechanisms
4996 **
4997 **	Parameters:
4998 **		conn -- SASL connection info.
4999 **		mechlist -- output parameter for list of mechanisms.
5000 **
5001 **	Returns:
5002 **		number of mechs.
5003 */
5004 
5005 static int
5006 saslmechs(conn, mechlist)
5007 	sasl_conn_t *conn;
5008 	char **mechlist;
5009 {
5010 	int len, num, result;
5011 
5012 	/* "user" is currently unused */
5013 # if SASL >= 20000
5014 	result = sasl_listmech(conn, NULL,
5015 			       "", " ", "", (const char **) mechlist,
5016 			       (unsigned int *)&len, &num);
5017 # else /* SASL >= 20000 */
5018 	result = sasl_listmech(conn, "user", /* XXX */
5019 			       "", " ", "", mechlist,
5020 			       (unsigned int *)&len, (unsigned int *)&num);
5021 # endif /* SASL >= 20000 */
5022 	if (result != SASL_OK)
5023 	{
5024 		if (LogLevel > 9)
5025 			sm_syslog(LOG_WARNING, NOQID,
5026 				  "AUTH error: listmech=%d, num=%d",
5027 				  result, num);
5028 		num = 0;
5029 	}
5030 	if (num > 0)
5031 	{
5032 		if (LogLevel > 11)
5033 			sm_syslog(LOG_INFO, NOQID,
5034 				  "AUTH: available mech=%s, allowed mech=%s",
5035 				  *mechlist, AuthMechanisms);
5036 		*mechlist = intersect(AuthMechanisms, *mechlist, NULL);
5037 	}
5038 	else
5039 	{
5040 		*mechlist = NULL;	/* be paranoid... */
5041 		if (result == SASL_OK && LogLevel > 9)
5042 			sm_syslog(LOG_WARNING, NOQID,
5043 				  "AUTH warning: no mechanisms");
5044 	}
5045 	return num;
5046 }
5047 
5048 # if SASL >= 20000
5049 /*
5050 **  PROXY_POLICY -- define proxy policy for AUTH
5051 **
5052 **	Parameters:
5053 **		conn -- unused.
5054 **		context -- unused.
5055 **		requested_user -- authorization identity.
5056 **		rlen -- authorization identity length.
5057 **		auth_identity -- authentication identity.
5058 **		alen -- authentication identity length.
5059 **		def_realm -- default user realm.
5060 **		urlen -- user realm length.
5061 **		propctx -- unused.
5062 **
5063 **	Returns:
5064 **		ok?
5065 **
5066 **	Side Effects:
5067 **		sets {auth_authen} macro.
5068 */
5069 
5070 int
5071 proxy_policy(conn, context, requested_user, rlen, auth_identity, alen,
5072 	     def_realm, urlen, propctx)
5073 	sasl_conn_t *conn;
5074 	void *context;
5075 	const char *requested_user;
5076 	unsigned rlen;
5077 	const char *auth_identity;
5078 	unsigned alen;
5079 	const char *def_realm;
5080 	unsigned urlen;
5081 	struct propctx *propctx;
5082 {
5083 	if (auth_identity == NULL)
5084 		return SASL_FAIL;
5085 
5086 	macdefine(&BlankEnvelope.e_macro, A_TEMP,
5087 		  macid("{auth_authen}"),
5088 		  xtextify((char *) auth_identity, "=<>\")"));
5089 
5090 	return SASL_OK;
5091 }
5092 # else /* SASL >= 20000 */
5093 
5094 /*
5095 **  PROXY_POLICY -- define proxy policy for AUTH
5096 **
5097 **	Parameters:
5098 **		context -- unused.
5099 **		auth_identity -- authentication identity.
5100 **		requested_user -- authorization identity.
5101 **		user -- allowed user (output).
5102 **		errstr -- possible error string (output).
5103 **
5104 **	Returns:
5105 **		ok?
5106 */
5107 
5108 int
5109 proxy_policy(context, auth_identity, requested_user, user, errstr)
5110 	void *context;
5111 	const char *auth_identity;
5112 	const char *requested_user;
5113 	const char **user;
5114 	const char **errstr;
5115 {
5116 	if (user == NULL || auth_identity == NULL)
5117 		return SASL_FAIL;
5118 	*user = newstr(auth_identity);
5119 	return SASL_OK;
5120 }
5121 # endif /* SASL >= 20000 */
5122 #endif /* SASL */
5123 
5124 #if STARTTLS
5125 /*
5126 **  INITSRVTLS -- initialize server side TLS
5127 **
5128 **	Parameters:
5129 **		tls_ok -- should tls initialization be done?
5130 **
5131 **	Returns:
5132 **		succeeded?
5133 **
5134 **	Side Effects:
5135 **		sets tls_ok_srv which is a static variable in this module.
5136 **		Do NOT remove assignments to it!
5137 */
5138 
5139 bool
5140 initsrvtls(tls_ok)
5141 	bool tls_ok;
5142 {
5143 	if (!tls_ok)
5144 		return false;
5145 
5146 	/* do NOT remove assignment */
5147 	tls_ok_srv = inittls(&srv_ctx, TLS_Srv_Opts, Srv_SSL_Options, true,
5148 			     SrvCertFile, SrvKeyFile,
5149 			     CACertPath, CACertFile, DHParams);
5150 	return tls_ok_srv;
5151 }
5152 #endif /* STARTTLS */
5153 /*
5154 **  SRVFEATURES -- get features for SMTP server
5155 **
5156 **	Parameters:
5157 **		e -- envelope (should be session context).
5158 **		clientname -- name of client.
5159 **		features -- default features for this invocation.
5160 **
5161 **	Returns:
5162 **		server features.
5163 */
5164 
5165 /* table with options: it uses just one character, how about strings? */
5166 static struct
5167 {
5168 	char		srvf_opt;
5169 	unsigned int	srvf_flag;
5170 } srv_feat_table[] =
5171 {
5172 	{ 'A',	SRV_OFFER_AUTH	},
5173 	{ 'B',	SRV_OFFER_VERB	},
5174 	{ 'C',	SRV_REQ_SEC	},
5175 	{ 'D',	SRV_OFFER_DSN	},
5176 	{ 'E',	SRV_OFFER_ETRN	},
5177 	{ 'L',	SRV_REQ_AUTH	},
5178 #if PIPELINING
5179 # if _FFR_NO_PIPE
5180 	{ 'N',	SRV_NO_PIPE	},
5181 # endif /* _FFR_NO_PIPE */
5182 	{ 'P',	SRV_OFFER_PIPE	},
5183 #endif /* PIPELINING */
5184 	{ 'R',	SRV_VRFY_CLT	},	/* same as V; not documented */
5185 	{ 'S',	SRV_OFFER_TLS	},
5186 /*	{ 'T',	SRV_TMP_FAIL	},	*/
5187 	{ 'V',	SRV_VRFY_CLT	},
5188 	{ 'X',	SRV_OFFER_EXPN	},
5189 /*	{ 'Y',	SRV_OFFER_VRFY	},	*/
5190 	{ '\0',	SRV_NONE	}
5191 };
5192 
5193 static unsigned int
5194 srvfeatures(e, clientname, features)
5195 	ENVELOPE *e;
5196 	char *clientname;
5197 	unsigned int features;
5198 {
5199 	int r, i, j;
5200 	char **pvp, c, opt;
5201 	char pvpbuf[PSBUFSIZE];
5202 
5203 	pvp = NULL;
5204 	r = rscap("srv_features", clientname, "", e, &pvp, pvpbuf,
5205 		  sizeof(pvpbuf));
5206 	if (r != EX_OK)
5207 		return features;
5208 	if (pvp == NULL || pvp[0] == NULL || (pvp[0][0] & 0377) != CANONNET)
5209 		return features;
5210 	if (pvp[1] != NULL && sm_strncasecmp(pvp[1], "temp", 4) == 0)
5211 		return SRV_TMP_FAIL;
5212 
5213 	/*
5214 	**  General rule (see sendmail.h, d_flags):
5215 	**  lower case: required/offered, upper case: Not required/available
5216 	**
5217 	**  Since we can change some features per daemon, we have both
5218 	**  cases here: turn on/off a feature.
5219 	*/
5220 
5221 	for (i = 1; pvp[i] != NULL; i++)
5222 	{
5223 		c = pvp[i][0];
5224 		j = 0;
5225 		for (;;)
5226 		{
5227 			if ((opt = srv_feat_table[j].srvf_opt) == '\0')
5228 			{
5229 				if (LogLevel > 9)
5230 					sm_syslog(LOG_WARNING, e->e_id,
5231 						  "srvfeatures: unknown feature %s",
5232 						  pvp[i]);
5233 				break;
5234 			}
5235 			if (c == opt)
5236 			{
5237 				features &= ~(srv_feat_table[j].srvf_flag);
5238 				break;
5239 			}
5240 			if (c == tolower(opt))
5241 			{
5242 				features |= srv_feat_table[j].srvf_flag;
5243 				break;
5244 			}
5245 			++j;
5246 		}
5247 	}
5248 	return features;
5249 }
5250 
5251 /*
5252 **  HELP -- implement the HELP command.
5253 **
5254 **	Parameters:
5255 **		topic -- the topic we want help for.
5256 **		e -- envelope.
5257 **
5258 **	Returns:
5259 **		none.
5260 **
5261 **	Side Effects:
5262 **		outputs the help file to message output.
5263 */
5264 #define HELPVSTR	"#vers	"
5265 #define HELPVERSION	2
5266 
5267 void
5268 help(topic, e)
5269 	char *topic;
5270 	ENVELOPE *e;
5271 {
5272 	register SM_FILE_T *hf;
5273 	register char *p;
5274 	int len;
5275 	bool noinfo;
5276 	bool first = true;
5277 	long sff = SFF_OPENASROOT|SFF_REGONLY;
5278 	char buf[MAXLINE];
5279 	char inp[MAXLINE];
5280 	static int foundvers = -1;
5281 	extern char Version[];
5282 
5283 	if (DontLockReadFiles)
5284 		sff |= SFF_NOLOCK;
5285 	if (!bitnset(DBS_HELPFILEINUNSAFEDIRPATH, DontBlameSendmail))
5286 		sff |= SFF_SAFEDIRPATH;
5287 
5288 	if (HelpFile == NULL ||
5289 	    (hf = safefopen(HelpFile, O_RDONLY, 0444, sff)) == NULL)
5290 	{
5291 		/* no help */
5292 		errno = 0;
5293 		message("502 5.3.0 Sendmail %s -- HELP not implemented",
5294 			Version);
5295 		return;
5296 	}
5297 
5298 	if (topic == NULL || *topic == '\0')
5299 	{
5300 		topic = "smtp";
5301 		noinfo = false;
5302 	}
5303 	else
5304 	{
5305 		makelower(topic);
5306 		noinfo = true;
5307 	}
5308 
5309 	len = strlen(topic);
5310 
5311 	while (sm_io_fgets(hf, SM_TIME_DEFAULT, buf, sizeof(buf)) >= 0)
5312 	{
5313 		if (buf[0] == '#')
5314 		{
5315 			if (foundvers < 0 &&
5316 			    strncmp(buf, HELPVSTR, strlen(HELPVSTR)) == 0)
5317 			{
5318 				int h;
5319 
5320 				if (sm_io_sscanf(buf + strlen(HELPVSTR), "%d",
5321 						 &h) == 1)
5322 					foundvers = h;
5323 			}
5324 			continue;
5325 		}
5326 		if (strncmp(buf, topic, len) == 0)
5327 		{
5328 			if (first)
5329 			{
5330 				first = false;
5331 
5332 				/* print version if no/old vers# in file */
5333 				if (foundvers < 2 && !noinfo)
5334 					message("214-2.0.0 This is Sendmail version %s", Version);
5335 			}
5336 			p = strpbrk(buf, " \t");
5337 			if (p == NULL)
5338 				p = buf + strlen(buf) - 1;
5339 			else
5340 				p++;
5341 			fixcrlf(p, true);
5342 			if (foundvers >= 2)
5343 			{
5344 				char *lbp;
5345 				int lbs = sizeof(buf) - (p - buf);
5346 
5347 				lbp = translate_dollars(p, p, &lbs);
5348 				expand(lbp, inp, sizeof(inp), e);
5349 				if (p != lbp)
5350 					sm_free(lbp);
5351 				p = inp;
5352 			}
5353 			message("214-2.0.0 %s", p);
5354 			noinfo = false;
5355 		}
5356 	}
5357 
5358 	if (noinfo)
5359 		message("504 5.3.0 HELP topic \"%.10s\" unknown", topic);
5360 	else
5361 		message("214 2.0.0 End of HELP info");
5362 
5363 	if (foundvers != 0 && foundvers < HELPVERSION)
5364 	{
5365 		if (LogLevel > 1)
5366 			sm_syslog(LOG_WARNING, e->e_id,
5367 				  "%s too old (require version %d)",
5368 				  HelpFile, HELPVERSION);
5369 
5370 		/* avoid log next time */
5371 		foundvers = 0;
5372 	}
5373 
5374 	(void) sm_io_close(hf, SM_TIME_DEFAULT);
5375 }
5376 
5377 #if SASL
5378 /*
5379 **  RESET_SASLCONN -- reset SASL connection data
5380 **
5381 **	Parameters:
5382 **		conn -- SASL connection context
5383 **		hostname -- host name
5384 **		various connection data
5385 **
5386 **	Returns:
5387 **		SASL result
5388 */
5389 
5390 static int
5391 reset_saslconn(sasl_conn_t **conn, char *hostname,
5392 # if SASL >= 20000
5393 	       char *remoteip, char *localip,
5394 	       char *auth_id, sasl_ssf_t * ext_ssf)
5395 # else /* SASL >= 20000 */
5396 	       struct sockaddr_in *saddr_r, struct sockaddr_in *saddr_l,
5397 	       sasl_external_properties_t * ext_ssf)
5398 # endif /* SASL >= 20000 */
5399 {
5400 	int result;
5401 
5402 	sasl_dispose(conn);
5403 # if SASL >= 20000
5404 	result = sasl_server_new("smtp", hostname, NULL, NULL, NULL,
5405 				 NULL, 0, conn);
5406 # elif SASL > 10505
5407 	/* use empty realm: only works in SASL > 1.5.5 */
5408 	result = sasl_server_new("smtp", hostname, "", NULL, 0, conn);
5409 # else /* SASL >= 20000 */
5410 	/* use no realm -> realm is set to hostname by SASL lib */
5411 	result = sasl_server_new("smtp", hostname, NULL, NULL, 0,
5412 				 conn);
5413 # endif /* SASL >= 20000 */
5414 	if (result != SASL_OK)
5415 		return result;
5416 
5417 # if SASL >= 20000
5418 #  if NETINET || NETINET6
5419 	if (remoteip != NULL && *remoteip != '\0')
5420 		result = sasl_setprop(*conn, SASL_IPREMOTEPORT, remoteip);
5421 	if (result != SASL_OK)
5422 		return result;
5423 
5424 	if (localip != NULL && *localip != '\0')
5425 		result = sasl_setprop(*conn, SASL_IPLOCALPORT, localip);
5426 	if (result != SASL_OK)
5427 		return result;
5428 #  endif /* NETINET || NETINET6 */
5429 
5430 	result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf);
5431 	if (result != SASL_OK)
5432 		return result;
5433 
5434 	result = sasl_setprop(*conn, SASL_AUTH_EXTERNAL, auth_id);
5435 	if (result != SASL_OK)
5436 		return result;
5437 # else /* SASL >= 20000 */
5438 #  if NETINET
5439 	if (saddr_r != NULL)
5440 		result = sasl_setprop(*conn, SASL_IP_REMOTE, saddr_r);
5441 	if (result != SASL_OK)
5442 		return result;
5443 
5444 	if (saddr_l != NULL)
5445 		result = sasl_setprop(*conn, SASL_IP_LOCAL, saddr_l);
5446 	if (result != SASL_OK)
5447 		return result;
5448 #  endif /* NETINET */
5449 
5450 	result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf);
5451 	if (result != SASL_OK)
5452 		return result;
5453 # endif /* SASL >= 20000 */
5454 	return SASL_OK;
5455 }
5456 #endif /* SASL */
5457