xref: /freebsd/contrib/sendmail/src/srvrsmtp.c (revision 643ac419fafba89f5adda0e0ea75b538727453fb)
1 /*
2  * Copyright (c) 1998-2010, 2012-2014 Proofpoint, Inc. and its suppliers.
3  *	All rights reserved.
4  * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
5  * Copyright (c) 1988, 1993
6  *	The Regents of the University of California.  All rights reserved.
7  *
8  * By using this file, you agree to the terms and conditions set
9  * forth in the LICENSE file which can be found at the top level of
10  * the sendmail distribution.
11  *
12  */
13 
14 #include <sendmail.h>
15 #if MILTER
16 # include <libmilter/mfapi.h>
17 # include <libmilter/mfdef.h>
18 #endif
19 
20 SM_RCSID("@(#)$Id: srvrsmtp.c,v 8.1016 2013-11-22 20:51:56 ca Exp $")
21 
22 #include <sm/time.h>
23 #include <sm/fdset.h>
24 
25 #if SASL || STARTTLS
26 # include <tls.h>
27 # include "sfsasl.h"
28 #endif
29 #if SASL
30 # define ENC64LEN(l)	(((l) + 2) * 4 / 3 + 1)
31 static int saslmechs __P((sasl_conn_t *, char **));
32 #endif
33 #if STARTTLS
34 # include <openssl/err.h>
35 # include <sysexits.h>
36 
37 static SSL_CTX	*srv_ctx = NULL;	/* TLS server context */
38 static SSL	*srv_ssl = NULL;	/* per connection context */
39 static tlsi_ctx_T tlsi_ctx;		/* TLS information context */
40 
41 static bool	tls_ok_srv = false;
42 
43 # define TLS_VERIFY_CLIENT() tls_set_verify(srv_ctx, srv_ssl, \
44 				bitset(SRV_VRFY_CLT, features))
45 #endif /* STARTTLS */
46 
47 #if _FFR_DM_ONE
48 static bool	NotFirstDelivery = false;
49 #endif
50 
51 /* server features */
52 #define SRV_NONE	0x0000	/* none... */
53 #define SRV_OFFER_TLS	0x0001	/* offer STARTTLS */
54 #define SRV_VRFY_CLT	0x0002	/* request a cert */
55 #define SRV_OFFER_AUTH	0x0004	/* offer AUTH */
56 #define SRV_OFFER_ETRN	0x0008	/* offer ETRN */
57 #define SRV_OFFER_VRFY	0x0010	/* offer VRFY (not yet used) */
58 #define SRV_OFFER_EXPN	0x0020	/* offer EXPN */
59 #define SRV_OFFER_VERB	0x0040	/* offer VERB */
60 #define SRV_OFFER_DSN	0x0080	/* offer DSN */
61 #if PIPELINING
62 # define SRV_OFFER_PIPE	0x0100	/* offer PIPELINING */
63 # if _FFR_NO_PIPE
64 #  define SRV_NO_PIPE	0x0200	/* disable PIPELINING, sleep if used */
65 # endif
66 #endif /* PIPELINING */
67 #define SRV_REQ_AUTH	0x0400	/* require AUTH */
68 #define SRV_REQ_SEC	0x0800	/* require security - equiv to AuthOptions=p */
69 #define SRV_TMP_FAIL	0x1000	/* ruleset caused a temporary failure */
70 #if _FFR_EAI
71 # define SRV_OFFER_EAI	0x2000	/* offer SMTPUTF* */
72 #endif
73 
74 static unsigned int	srvfeatures __P((ENVELOPE *, char *, unsigned int));
75 
76 #define	STOP_ATTACK	((time_t) -1)
77 static time_t	checksmtpattack __P((volatile unsigned int *, unsigned int,
78 				     bool, char *, ENVELOPE *));
79 static void	printvrfyaddr __P((ADDRESS *, bool, bool));
80 static char	*skipword __P((char *volatile, char *));
81 static void	setup_smtpd_io __P((void));
82 
83 #if SASL
84 #  ifndef MAX_AUTH_USER_LEN
85 #   define MAX_AUTH_USER_LEN 256
86 #  endif
87 #  ifndef MAX_AUTH_LOG_LEN
88 #   define MAX_AUTH_LOG_LEN 64
89 #  endif
90 static void get_sasl_user __P((char *, unsigned int, const char *, char *out, size_t));
91 #  define RESET_AUTH_FAIL_LOG_USER	\
92 	do	\
93 	{	\
94 		(void) memset(auth_user, 0, sizeof(auth_user));	\
95 		(void) memset(auth_user_tmp, 0, sizeof(auth_user_tmp));	\
96 		auth_user_len = 0;	\
97 	} while (0)
98 #  define SET_AUTH_USER_TMP(s, len)	\
99 	do	\
100 	{	\
101 		auth_user_len = SM_MIN(len, MAX_AUTH_USER_LEN-1);	\
102 		(void) memcpy(auth_user_tmp, s, auth_user_len);	\
103 	} while (0)
104 #  define SET_AUTH_USER	\
105 	get_sasl_user(auth_user_tmp, auth_user_len, auth_type, auth_user, sizeof(auth_user))
106 #  define SET_AUTH_USER_CONDITIONALLY	\
107 		if ('\0' == auth_user[0])	\
108 			SET_AUTH_USER;
109 #  define LOG_AUTH_FAIL_USER ", user=", (int)MAX_AUTH_LOG_LEN, auth_user
110 # if SASL >= 20000
111 static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
112 				char *_remoteip, char *_localip,
113 				char *_auth_id, sasl_ssf_t *_ext_ssf));
114 
115 # define RESET_SASLCONN	\
116 	do							\
117 	{							\
118 		RESET_AUTH_FAIL_LOG_USER;			\
119 		result = reset_saslconn(&conn, AuthRealm, remoteip, \
120 					localip, auth_id, &ext_ssf); \
121 		if (result != SASL_OK)				\
122 			sasl_ok = false;			\
123 	} while (0)
124 
125 # else /* SASL >= 20000 */
126 static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
127 				struct sockaddr_in *_saddr_r,
128 				struct sockaddr_in *_saddr_l,
129 				sasl_external_properties_t *_ext_ssf));
130 # define RESET_SASLCONN	\
131 	do							\
132 	{							\
133 		RESET_AUTH_FAIL_LOG_USER;			\
134 		result = reset_saslconn(&conn, AuthRealm, &saddr_r, \
135 					&saddr_l, &ext_ssf);	\
136 		if (result != SASL_OK)				\
137 			sasl_ok = false;			\
138 	} while (0)
139 
140 # endif /* SASL >= 20000 */
141 #endif /* SASL */
142 
143 #if !defined(RESET_AUTH_FAIL_LOG_USER)
144 # define RESET_AUTH_FAIL_LOG_USER
145 #endif
146 
147 extern ENVELOPE	BlankEnvelope;
148 
149 #define NBADRCPTS						\
150 	do							\
151 	{							\
152 		char buf[16];					\
153 		(void) sm_snprintf(buf, sizeof(buf), "%d",	\
154 			BadRcptThrottle > 0 && n_badrcpts > BadRcptThrottle \
155 				? n_badrcpts - 1 : n_badrcpts);	\
156 		macdefine(&e->e_macro, A_TEMP, macid("{nbadrcpts}"), buf); \
157 	} while (0)
158 
159 #define SKIP_SPACE(s)	while (SM_ISSPACE(*s))	\
160 				(s)++
161 
162 #if _FFR_EAI
163 /*
164 **  ADDR_IS_ASCII -- check whether an address is 100% printable ASCII
165 **
166 **	Parameters:
167 **		a -- an address (or other string)
168 **
169 **	Returns:
170 **		TRUE if a is non-NULL and points to only printable ASCII
171 **		FALSE if a is NULL and points to printable ASCII
172 **		FALSE if a is non-NULL and points to something containing 8-bittery
173 */
174 
175 bool
176 addr_is_ascii(a)
177 	const char * a;
178 {
179 	while (a != NULL && *a != '\0' && *a >= ' ' && (unsigned char)*a < 127)
180 		a++;
181 	return (a != NULL && *a == '\0');
182 }
183 #endif
184 
185 /*
186 **  PARSE_ESMTP_ARGS -- parse ESMTP arguments (for MAIL, RCPT)
187 **
188 **	Parameters:
189 **		e -- the envelope
190 **		addr_st -- address (RCPT only)
191 **		p -- read buffer
192 **		delimptr -- current position in read buffer
193 **		which -- MAIL/RCPT
194 **		args -- arguments (output)
195 **		esmtp_args -- function to process a single ESMTP argument
196 **
197 **	Returns:
198 **		none
199 */
200 
201 void
202 parse_esmtp_args(e, addr_st, p, delimptr, which, args, esmtp_args)
203 	ENVELOPE *e;
204 	ADDRESS *addr_st;
205 	char *p;
206 	char *delimptr;
207 	char *which;
208 	char *args[];
209 	esmtp_args_F esmtp_args;
210 {
211 	int argno;
212 
213 	argno = 0;
214 	if (args != NULL)
215 		args[argno++] = p;
216 	p = delimptr;
217 	while (p != NULL && *p != '\0')
218 	{
219 		char *kp;
220 		char *vp = NULL;
221 		char *equal = NULL;
222 
223 		/* locate the beginning of the keyword */
224 		SKIP_SPACE(p);
225 		if (*p == '\0')
226 			break;
227 		kp = p;
228 
229 		/* skip to the value portion */
230 		while ((isascii(*p) && isalnum(*p)) || *p == '-')
231 			p++;
232 		if (*p == '=')
233 		{
234 			equal = p;
235 			*p++ = '\0';
236 			vp = p;
237 
238 			/* skip to the end of the value */
239 			while (*p != '\0' && *p != ' ' &&
240 			       !(isascii(*p) && iscntrl(*p)) &&
241 			       *p != '=')
242 				p++;
243 		}
244 
245 		if (*p != '\0')
246 			*p++ = '\0';
247 
248 		if (tTd(19, 1))
249 			sm_dprintf("%s: got arg %s=\"%s\"\n", which, kp,
250 				vp == NULL ? "<null>" : vp);
251 
252 		esmtp_args(addr_st, kp, vp, e);
253 		if (equal != NULL)
254 			*equal = '=';
255 		if (args != NULL)
256 			args[argno] = kp;
257 		argno++;
258 		if (argno >= MAXSMTPARGS - 1)
259 			usrerr("501 5.5.4 Too many parameters");
260 		if (Errors > 0)
261 			break;
262 	}
263 	if (args != NULL)
264 		args[argno] = NULL;
265 }
266 
267 #if _FFR_ADD_BCC
268 
269 /*
270 **  ADDRCPT -- Add a rcpt to sendq list
271 **
272 **	Parameters:
273 **		rcpt -- rcpt
274 **		sendq -- a pointer to the head of a queue to put
275 **			these people into.
276 **		e -- the envelope in which to add these recipients.
277 **
278 **	Returns:
279 **		The number of addresses added to the list.
280 */
281 
282 static int
283 addrcpt(rcpt, sendq, e)
284 	char *rcpt;
285 	ADDRESS **sendq;
286 	ENVELOPE *e;
287 {
288 	int r;
289 	char *oldto;
290 	ADDRESS *a;
291 
292 	SM_REQUIRE(rcpt != NULL);
293 	SM_REQUIRE(sendq != NULL);
294 	SM_REQUIRE(e != NULL);
295 	oldto = e->e_to;
296 	if (tTd(25, 1))
297 		sm_dprintf("addrcpt: rcpt=%s\n", rcpt);
298 	r = Errors;
299 	a = NULL;
300 	SM_TRY
301 	{
302 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), "e b");
303 		a = parseaddr(rcpt, NULLADDR, RF_COPYALL, ' ', NULL, e, true);
304 		if (a == NULL)
305 			return 0;
306 
307 		a->q_flags &= ~Q_PINGFLAGS;
308 		a->q_flags |= QINTBCC;
309 		a->q_owner = "<>";
310 
311 		/* disable alias expansion? */
312 		a = recipient(a, sendq, 0, e);
313 	}
314 	SM_FINALLY
315 	{
316 		e->e_to = oldto;
317 		macdefine(&e->e_macro, A_PERM, macid("{addr_type}"), NULL);
318 	}
319 	SM_END_TRY
320 	if (tTd(25, 1))
321 		sm_dprintf("addrcpt: rcpt=%s, flags=%#lx\n", rcpt,
322 			a != NULL ? a->q_flags : 0);
323 	Errors = r;
324 	return 1;
325 }
326 
327 /*
328 **  ADDBCC -- Maybe create a copy of an e-mail
329 **
330 **	Parameters:
331 **		a -- current RCPT
332 **		e -- the envelope.
333 **
334 **	Returns:
335 **		nothing
336 **
337 **	Side Effects:
338 **		rscheck() can trigger an "exception"
339 */
340 
341 static void
342 addbcc(a, e)
343 	ADDRESS *a;
344 	ENVELOPE *e;
345 {
346 	int nobcc;
347 	char *newrcpt, empty[1];
348 
349 	if (!AddBcc)
350 		return;
351 
352 	nobcc = false;
353 	empty[0] = '\0';
354 	newrcpt = empty;
355 
356 	nobcc = rscheck("bcc", a->q_paddr, NULL, e, RSF_ADDR, 12, NULL, NOQID,
357 			NULL, &newrcpt);
358 	if (tTd(25, 1))
359 		sm_dprintf("addbcc: nobcc=%d, Errors=%d, newrcpt=<%s>\n", nobcc, Errors, newrcpt);
360 	if (nobcc != EX_OK || Errors > 0 || *newrcpt == '\0')
361 		return;
362 
363 	(void) addrcpt(newrcpt, &e->e_sendqueue, e);
364 	return;
365 }
366 #else /* _FFR_ADD_BCC */
367 # define addbcc(a, e)
368 #endif /* _FFR_ADD_BCC */
369 
370 #if _FFR_RCPTFLAGS
371 /*
372 **  RCPTMODS -- Perform rcpt modifications if requested
373 **
374 **	Parameters:
375 **		rcpt -- current RCPT
376 **		e -- the envelope.
377 **
378 **	Returns:
379 **		nothing.
380 */
381 
382 void
383 rcptmods(rcpt, e)
384 	ADDRESS *rcpt;
385 	ENVELOPE *e;
386 {
387 	char *fl;
388 
389 	SM_REQUIRE(rcpt != NULL);
390 	SM_REQUIRE(e != NULL);
391 
392 	fl = macvalue(macid("{rcpt_flags}"), e);
393 	if (fl == NULL || *fl == '\0')
394 		return;
395 	if (tTd(25, 1))
396 		sm_dprintf("rcptmods: rcpt=%s, flags=%s\n", rcpt->q_paddr, fl);
397 
398 	/* parse flags */
399 	for ( ; *fl != '\0'; ++fl)
400 	{
401 		switch (*fl)
402 		{
403 		  case 'n':
404 			rcpt->q_flags &= ~Q_PINGFLAGS;
405 			rcpt->q_flags |= QINTBCC;
406 			rcpt->q_owner = "<>";
407 			break;
408 
409 		  case 'N':
410 			rcpt->q_flags &= ~Q_PINGFLAGS;
411 			rcpt->q_owner = "<>";
412 			break;
413 
414 		  case QDYNMAILFLG:
415 			rcpt->q_flags |= QDYNMAILER;
416 			newmodmailer(rcpt, *fl);
417 			break;
418 
419 		  default:
420 			sm_syslog(LOG_INFO, e->e_id,
421 				  "rcpt=%s, rcpt_flags=%s, status=unknown",
422 				  rcpt->q_paddr, fl);
423 			break;
424 		}
425 	}
426 
427 	/* reset macro to avoid confusion later on */
428 	macdefine(&e->e_macro, A_PERM, macid("{rcpt_flags}"), NULL);
429 
430 }
431 #else /* _FFR_RCPTFLAGS */
432 # define rcptmods(a, e)
433 #endif /* _FFR_RCPTFLAGS */
434 
435 /*
436 **  SMTP -- run the SMTP protocol.
437 **
438 **	Parameters:
439 **		nullserver -- if non-NULL, rejection message for
440 **			(almost) all SMTP commands.
441 **		d_flags -- daemon flags
442 **		e -- the envelope.
443 **
444 **	Returns:
445 **		never.
446 **
447 **	Side Effects:
448 **		Reads commands from the input channel and processes them.
449 */
450 
451 /*
452 **  Notice: The smtp server doesn't have a session context like the client
453 **	side has (mci). Therefore some data (session oriented) is allocated
454 **	or assigned to the "wrong" structure (esp. STARTTLS, AUTH).
455 **	This should be fixed in a successor version.
456 */
457 
458 struct cmd
459 {
460 	char	*cmd_name;	/* command name */
461 	int	cmd_code;	/* internal code, see below */
462 };
463 
464 /* values for cmd_code */
465 #define CMDERROR	0	/* bad command */
466 #define CMDMAIL	1	/* mail -- designate sender */
467 #define CMDRCPT	2	/* rcpt -- designate recipient */
468 #define CMDDATA	3	/* data -- send message text */
469 #define CMDRSET	4	/* rset -- reset state */
470 #define CMDVRFY	5	/* vrfy -- verify address */
471 #define CMDEXPN	6	/* expn -- expand address */
472 #define CMDNOOP	7	/* noop -- do nothing */
473 #define CMDQUIT	8	/* quit -- close connection and die */
474 #define CMDHELO	9	/* helo -- be polite */
475 #define CMDHELP	10	/* help -- give usage info */
476 #define CMDEHLO	11	/* ehlo -- extended helo (RFC 1425) */
477 #define CMDETRN	12	/* etrn -- flush queue */
478 #if SASL
479 # define CMDAUTH	13	/* auth -- SASL authenticate */
480 #endif
481 #if STARTTLS
482 # define CMDSTLS	14	/* STARTTLS -- start TLS session */
483 #endif
484 /* non-standard commands */
485 #define CMDVERB	17	/* verb -- go into verbose mode */
486 /* unimplemented commands from RFC 821 */
487 #define CMDUNIMPL	19	/* unimplemented rfc821 commands */
488 /* use this to catch and log "door handle" attempts on your system */
489 #define CMDLOGBOGUS	23	/* bogus command that should be logged */
490 /* debugging-only commands, only enabled if SMTPDEBUG is defined */
491 #define CMDDBGQSHOW	24	/* showq -- show send queue */
492 #define CMDDBGDEBUG	25	/* debug -- set debug mode */
493 
494 /*
495 **  Note: If you change this list, remember to update 'helpfile'
496 */
497 
498 static struct cmd	CmdTab[] =
499 {
500 	{ "mail",	CMDMAIL		},
501 	{ "rcpt",	CMDRCPT		},
502 	{ "data",	CMDDATA		},
503 	{ "rset",	CMDRSET		},
504 	{ "vrfy",	CMDVRFY		},
505 	{ "expn",	CMDEXPN		},
506 	{ "help",	CMDHELP		},
507 	{ "noop",	CMDNOOP		},
508 	{ "quit",	CMDQUIT		},
509 	{ "helo",	CMDHELO		},
510 	{ "ehlo",	CMDEHLO		},
511 	{ "etrn",	CMDETRN		},
512 	{ "verb",	CMDVERB		},
513 	{ "send",	CMDUNIMPL	},
514 	{ "saml",	CMDUNIMPL	},
515 	{ "soml",	CMDUNIMPL	},
516 	{ "turn",	CMDUNIMPL	},
517 #if SASL
518 	{ "auth",	CMDAUTH,	},
519 #endif
520 #if STARTTLS
521 	{ "starttls",	CMDSTLS,	},
522 #endif
523     /* remaining commands are here only to trap and log attempts to use them */
524 	{ "showq",	CMDDBGQSHOW	},
525 	{ "debug",	CMDDBGDEBUG	},
526 	{ "wiz",	CMDLOGBOGUS	},
527 
528 	{ NULL,		CMDERROR	}
529 };
530 
531 static char	*CurSmtpClient;		/* who's at the other end of channel */
532 
533 #ifndef MAXBADCOMMANDS
534 # define MAXBADCOMMANDS 25	/* maximum number of bad commands */
535 #endif
536 #ifndef MAXHELOCOMMANDS
537 # define MAXHELOCOMMANDS 3	/* max HELO/EHLO commands before slowdown */
538 #endif
539 #ifndef MAXVRFYCOMMANDS
540 # define MAXVRFYCOMMANDS 6	/* max VRFY/EXPN commands before slowdown */
541 #endif
542 #ifndef MAXETRNCOMMANDS
543 # define MAXETRNCOMMANDS 8	/* max ETRN commands before slowdown */
544 #endif
545 #ifndef MAXTIMEOUT
546 # define MAXTIMEOUT (4 * 60)	/* max timeout for bad commands */
547 #endif
548 
549 /*
550 **  Maximum shift value to compute timeout for bad commands.
551 **  This introduces an upper limit of 2^MAXSHIFT for the timeout.
552 */
553 
554 #ifndef MAXSHIFT
555 # define MAXSHIFT 8
556 #endif
557 #if MAXSHIFT > 31
558  ERROR _MAXSHIFT > 31 is invalid
559 #endif
560 
561 
562 #if MAXBADCOMMANDS > 0
563 # define STOP_IF_ATTACK(r)	do		\
564 	{					\
565 		if ((r) == STOP_ATTACK)		\
566 			goto stopattack;	\
567 	} while (0)
568 
569 #else /* MAXBADCOMMANDS > 0 */
570 # define STOP_IF_ATTACK(r)	r
571 #endif /* MAXBADCOMMANDS > 0 */
572 
573 
574 #if SM_HEAP_CHECK
575 static SM_DEBUG_T DebugLeakSmtp = SM_DEBUG_INITIALIZER("leak_smtp",
576 	"@(#)$Debug: leak_smtp - trace memory leaks during SMTP processing $");
577 #endif
578 
579 typedef struct
580 {
581 	bool		sm_gotmail;	/* mail command received */
582 	unsigned int	sm_nrcpts;	/* number of successful RCPT commands */
583 	bool		sm_discard;
584 #if MILTER
585 	bool		sm_milterize;
586 	bool		sm_milterlist;	/* any filters in the list? */
587 	milters_T	sm_milters;
588 
589 	/* e_nrcpts from envelope before recipient() call */
590 	unsigned int	sm_e_nrcpts_orig;
591 #endif /* MILTER */
592 	char		*sm_quarmsg;	/* carry quarantining across messages */
593 } SMTP_T;
594 
595 static bool	smtp_data __P((SMTP_T *, ENVELOPE *));
596 
597 #define MSG_TEMPFAIL "451 4.3.2 Please try again later"
598 
599 #if MILTER
600 # define MILTER_ABORT(e)	milter_abort((e))
601 
602 # define MILTER_REPLY(str)						\
603 	{								\
604 		int savelogusrerrs = LogUsrErrs;			\
605 									\
606 		milter_cmd_fail = true;					\
607 		switch (state)						\
608 		{							\
609 		  case SMFIR_SHUTDOWN:					\
610 			if (MilterLogLevel > 3)				\
611 			{						\
612 				sm_syslog(LOG_INFO, e->e_id,		\
613 					  "Milter: %s=%s, reject=421, errormode=4",	\
614 					  str, addr);			\
615 				LogUsrErrs = false;			\
616 			}						\
617 			{						\
618 				bool tsave = QuickAbort;		\
619 									\
620 				QuickAbort = false;			\
621 				usrerr("421 4.3.0 closing connection");	\
622 				QuickAbort = tsave;			\
623 				e->e_sendqueue = NULL;			\
624 				goto doquit;				\
625 			}						\
626 			break;						\
627 		  case SMFIR_REPLYCODE:					\
628 			if (MilterLogLevel > 3)				\
629 			{						\
630 				sm_syslog(LOG_INFO, e->e_id,		\
631 					  "Milter: %s=%s, reject=%s",	\
632 					  str, addr, response);		\
633 				LogUsrErrs = false;			\
634 			}						\
635 			if (strncmp(response, "421 ", 4) == 0		\
636 			    || strncmp(response, "421-", 4) == 0)	\
637 			{						\
638 				bool tsave = QuickAbort;		\
639 									\
640 				QuickAbort = false;			\
641 				usrerr(response);			\
642 				QuickAbort = tsave;			\
643 				e->e_sendqueue = NULL;			\
644 				goto doquit;				\
645 			}						\
646 			else						\
647 				usrerr(response);			\
648 			break;						\
649 									\
650 		  case SMFIR_REJECT:					\
651 			if (MilterLogLevel > 3)				\
652 			{						\
653 				sm_syslog(LOG_INFO, e->e_id,		\
654 					  "Milter: %s=%s, reject=550 5.7.1 Command rejected", \
655 					  str, addr);			\
656 				LogUsrErrs = false;			\
657 			}						\
658 			usrerr("550 5.7.1 Command rejected");		\
659 			break;						\
660 									\
661 		  case SMFIR_DISCARD:					\
662 			if (MilterLogLevel > 3)				\
663 				sm_syslog(LOG_INFO, e->e_id,		\
664 					  "Milter: %s=%s, discard",	\
665 					  str, addr);			\
666 			e->e_flags |= EF_DISCARD;			\
667 			milter_cmd_fail = false;			\
668 			break;						\
669 									\
670 		  case SMFIR_TEMPFAIL:					\
671 			if (MilterLogLevel > 3)				\
672 			{						\
673 				sm_syslog(LOG_INFO, e->e_id,		\
674 					  "Milter: %s=%s, reject=%s",	\
675 					  str, addr, MSG_TEMPFAIL);	\
676 				LogUsrErrs = false;			\
677 			}						\
678 			usrerr(MSG_TEMPFAIL);				\
679 			break;						\
680 		  default:						\
681 			milter_cmd_fail = false;			\
682 			break;						\
683 		}							\
684 		LogUsrErrs = savelogusrerrs;				\
685 		if (response != NULL)					\
686 			sm_free(response); /* XXX */			\
687 	}
688 
689 #else /* MILTER */
690 # define MILTER_ABORT(e)
691 #endif /* MILTER */
692 
693 /* clear all SMTP state (for HELO/EHLO/RSET) */
694 #define CLEAR_STATE(cmd)					\
695 do								\
696 {								\
697 	/* abort milter filters */				\
698 	MILTER_ABORT(e);					\
699 								\
700 	if (smtp.sm_nrcpts > 0)					\
701 	{							\
702 		logundelrcpts(e, cmd, 10, false);		\
703 		smtp.sm_nrcpts = 0;				\
704 		macdefine(&e->e_macro, A_PERM,			\
705 			  macid("{nrcpts}"), "0");		\
706 	}							\
707 								\
708 	e->e_sendqueue = NULL;					\
709 	e->e_flags |= EF_CLRQUEUE;				\
710 								\
711 	if (tTd(92, 2))						\
712 		sm_dprintf("CLEAR_STATE: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",\
713 			e->e_id, bitset(EF_LOGSENDER, e->e_flags), LogLevel);\
714 	if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))	\
715 		logsender(e, NULL);				\
716 	e->e_flags &= ~EF_LOGSENDER;				\
717 								\
718 	/* clean up a bit */					\
719 	smtp.sm_gotmail = false;				\
720 	SuprErrs = true;					\
721 	(void) dropenvelope(e, true, false);			\
722 	sm_rpool_free(e->e_rpool);				\
723 	e = newenvelope(e, CurEnv, sm_rpool_new_x(NULL));	\
724 	CurEnv = e;						\
725 	e->e_features = features;				\
726 								\
727 	/* put back discard bit */				\
728 	if (smtp.sm_discard)					\
729 		e->e_flags |= EF_DISCARD;			\
730 								\
731 	/* restore connection quarantining */			\
732 	if (smtp.sm_quarmsg == NULL)				\
733 	{							\
734 		e->e_quarmsg = NULL;				\
735 		macdefine(&e->e_macro, A_PERM,			\
736 			macid("{quarantine}"), "");		\
737 	}							\
738 	else							\
739 	{							\
740 		e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool,	\
741 						smtp.sm_quarmsg);	\
742 		macdefine(&e->e_macro, A_PERM, macid("{quarantine}"),	\
743 			  e->e_quarmsg);			\
744 	}							\
745 } while (0)
746 
747 /* sleep to flatten out connection load */
748 #define MIN_DELAY_LOG	15	/* wait before logging this again */
749 
750 /* is it worth setting the process title for 1s? */
751 #define DELAY_CONN(cmd)						\
752 	if (DelayLA > 0 && (CurrentLA = getla()) >= DelayLA)	\
753 	{							\
754 		time_t dnow;					\
755 								\
756 		sm_setproctitle(true, e,			\
757 				"%s: %s: delaying %s: load average: %d", \
758 				qid_printname(e), CurSmtpClient,	\
759 				cmd, DelayLA);	\
760 		if (LogLevel > 8 && (dnow = curtime()) > log_delay)	\
761 		{						\
762 			sm_syslog(LOG_INFO, e->e_id,		\
763 				  "delaying=%s, load average=%d >= %d",	\
764 				  cmd, CurrentLA, DelayLA);		\
765 			log_delay = dnow + MIN_DELAY_LOG;	\
766 		}						\
767 		(void) sleep(1);				\
768 		sm_setproctitle(true, e, "%s %s: %.80s",	\
769 				qid_printname(e), CurSmtpClient, inp);	\
770 	}
771 
772 /*
773 **  Determine the correct protocol keyword to use in the
774 **  Received: header, following RFC 3848.
775 */
776 
777 #if !STARTTLS
778 # define tls_active	false
779 #endif
780 #if SASL
781 # define auth_active	(authenticating == SASL_IS_AUTH)
782 #else
783 # define auth_active	false
784 #endif
785 #if _FFR_EAI
786 #define GET_PROTOCOL()					\
787 	(e->e_smtputf8					\
788 	    ? (auth_active				\
789 		? (tls_active ? "UTF8SMTPSA" : "UTF8SMTPA") \
790 		: (tls_active ? "UTF8SMTPS"  : "UTF8SMTP")) \
791 	    : (auth_active				\
792 		? (tls_active ? "ESMTPSA" : "ESMTPA")	\
793 		: (tls_active ? "ESMTPS"  : "ESMTP")))
794 #else /* _FFR_EAI */
795 #define GET_PROTOCOL()					\
796 	(auth_active					\
797 	    ? (tls_active ? "ESMTPSA" : "ESMTPA")	\
798 	    : (tls_active ? "ESMTPS"  : "ESMTP"))
799 #endif /* _FFR_EAI */
800 
801 static bool SevenBitInput_Saved;	/* saved version of SevenBitInput */
802 
803 void
804 smtp(nullserver, d_flags, e)
805 	char *volatile nullserver;
806 	BITMAP256 d_flags;
807 	register ENVELOPE *volatile e;
808 {
809 	register char *volatile p;
810 	register struct cmd *volatile c = NULL;
811 	char *cmd;
812 	auto ADDRESS *vrfyqueue;
813 	ADDRESS *a;
814 	volatile bool gothello;		/* helo command received */
815 	bool vrfy;			/* set if this is a vrfy command */
816 	char *volatile protocol;	/* sending protocol */
817 	char *volatile sendinghost;	/* sending hostname */
818 	char *volatile peerhostname;	/* name of SMTP peer or "localhost" */
819 	auto char *delimptr;
820 	char *id;
821 	volatile unsigned int n_badcmds = 0;	/* count of bad commands */
822 	volatile unsigned int n_badrcpts = 0;	/* number of rejected RCPT */
823 	volatile unsigned int n_verifies = 0;	/* count of VRFY/EXPN */
824 	volatile unsigned int n_etrn = 0;	/* count of ETRN */
825 	volatile unsigned int n_noop = 0;	/* count of NOOP/VERB/etc */
826 	volatile unsigned int n_helo = 0;	/* count of HELO/EHLO */
827 	bool ok;
828 	volatile bool first;
829 	volatile bool tempfail = false;
830 	volatile time_t wt;		/* timeout after too many commands */
831 	volatile time_t previous;	/* time after checksmtpattack() */
832 	volatile bool lognullconnection = true;
833 	register char *q;
834 	SMTP_T smtp;
835 	char *addr;
836 	char *greetcode = "220";
837 	const char *greetmsg = "not accepting messages";
838 	char *hostname;			/* my hostname ($j) */
839 	QUEUE_CHAR *new;
840 	char *args[MAXSMTPARGS];
841 	char inp[MAXINPLINE];
842 #if MAXINPLINE < MAXLINE
843  ERROR _MAXINPLINE must NOT be less than _MAXLINE: MAXINPLINE < MAXLINE
844 #endif
845 	char cmdbuf[MAXLINE];
846 #if SASL
847 	sasl_conn_t *conn;
848 	volatile bool sasl_ok;
849 	volatile unsigned int n_auth = 0;	/* count of AUTH commands */
850 	bool ismore;
851 	int result;
852 	volatile int authenticating;
853 	char *user;
854 	char *in, *out2;
855 	char auth_user[MAX_AUTH_USER_LEN], auth_user_tmp[MAX_AUTH_USER_LEN];
856 	unsigned int auth_user_len;
857 # if SASL >= 20000
858 	char *auth_id = NULL;
859 	const char *out;
860 	sasl_ssf_t ext_ssf;
861 	char localip[60], remoteip[60];
862 # else /* SASL >= 20000 */
863 	char *out;
864 	const char *errstr;
865 	sasl_external_properties_t ext_ssf;
866 	struct sockaddr_in saddr_l;
867 	struct sockaddr_in saddr_r;
868 # endif /* SASL >= 20000 */
869 	sasl_security_properties_t ssp;
870 	sasl_ssf_t *ssf;
871 	unsigned int inlen, out2len;
872 	unsigned int outlen;
873 	char *volatile auth_type;
874 	char *mechlist;
875 	volatile unsigned int n_mechs;
876 	unsigned int len;
877 #endif /* SASL */
878 	int r;
879 #if STARTTLS
880 	int rfd, wfd;
881 	volatile bool tls_active = false;
882 	volatile bool smtps = bitnset(D_SMTPS, d_flags);
883 	bool saveQuickAbort;
884 	bool saveSuprErrs;
885 	time_t tlsstart;
886 	int ssl_err, tlsret;
887 	int save_errno;
888 	extern int TLSsslidx;
889 #endif /* STARTTLS */
890 	volatile unsigned int features;
891 #if PIPELINING
892 # if _FFR_NO_PIPE
893 	int np_log = 0;
894 # endif
895 #endif /* PIPELINING */
896 	volatile time_t log_delay = (time_t) 0;
897 #if MILTER
898 	volatile bool milter_cmd_done, milter_cmd_safe;
899 	volatile bool milter_rcpt_added, milter_cmd_fail;
900 	ADDRESS addr_st;
901 # define p_addr_st	&addr_st
902 #else /* MILTER */
903 # define p_addr_st	NULL
904 #endif /* MILTER */
905 	size_t inplen;
906 #if _FFR_BADRCPT_SHUTDOWN
907 	int n_badrcpts_adj;
908 #endif
909 
910 	RESET_AUTH_FAIL_LOG_USER;
911 	SevenBitInput_Saved = SevenBitInput;
912 	smtp.sm_nrcpts = 0;
913 #if MILTER
914 	smtp.sm_milterize = (nullserver == NULL);
915 	smtp.sm_milterlist = false;
916 	addr = NULL;
917 #endif
918 
919 	/* setup I/O fd correctly for the SMTP server */
920 	setup_smtpd_io();
921 
922 #if SM_HEAP_CHECK
923 	if (sm_debug_active(&DebugLeakSmtp, 1))
924 	{
925 		sm_heap_newgroup();
926 		sm_dprintf("smtp() heap group #%d\n", sm_heap_group());
927 	}
928 #endif /* SM_HEAP_CHECK */
929 
930 	/* XXX the rpool should be set when e is initialized in main() */
931 	e->e_rpool = sm_rpool_new_x(NULL);
932 	e->e_macro.mac_rpool = e->e_rpool;
933 
934 	settime(e);
935 	sm_getla();
936 	peerhostname = RealHostName;
937 	if (peerhostname == NULL)
938 		peerhostname = "localhost";
939 	CurHostName = peerhostname;
940 	CurSmtpClient = macvalue('_', e);
941 	if (CurSmtpClient == NULL)
942 		CurSmtpClient = CurHostName;
943 
944 	/* check_relay may have set discard bit, save for later */
945 	smtp.sm_discard = bitset(EF_DISCARD, e->e_flags);
946 
947 #if PIPELINING
948 	/* auto-flush output when reading input */
949 	(void) sm_io_autoflush(InChannel, OutChannel);
950 #endif /* PIPELINING */
951 
952 	sm_setproctitle(true, e, "server %s startup", CurSmtpClient);
953 
954 	/* Set default features for server. */
955 	features = ((bitset(PRIV_NOETRN, PrivacyFlags) ||
956 		     bitnset(D_NOETRN, d_flags)) ? SRV_NONE : SRV_OFFER_ETRN)
957 		| (bitnset(D_AUTHREQ, d_flags) ? SRV_REQ_AUTH : SRV_NONE)
958 		| (bitset(PRIV_NOEXPN, PrivacyFlags) ? SRV_NONE
959 			: (SRV_OFFER_EXPN
960 			  | (bitset(PRIV_NOVERB, PrivacyFlags)
961 			     ? SRV_NONE : SRV_OFFER_VERB)))
962 		| ((bitset(PRIV_NORECEIPTS, PrivacyFlags) || !SendMIMEErrors)
963 			 ? SRV_NONE : SRV_OFFER_DSN)
964 #if SASL
965 		| (bitnset(D_NOAUTH, d_flags) ? SRV_NONE : SRV_OFFER_AUTH)
966 		| (bitset(SASL_SEC_NOPLAINTEXT, SASLOpts) ? SRV_REQ_SEC
967 							  : SRV_NONE)
968 #endif /* SASL */
969 #if PIPELINING
970 		| SRV_OFFER_PIPE
971 #endif
972 #if STARTTLS
973 		| (bitnset(D_NOTLS, d_flags) ? SRV_NONE : SRV_OFFER_TLS)
974 		| (bitset(TLS_I_NO_VRFY, TLS_Srv_Opts) ? SRV_NONE
975 						       : SRV_VRFY_CLT)
976 #endif
977 #if _FFR_EAI
978 		| SRV_OFFER_EAI
979 #endif /* _FFR_EAI */
980 		;
981 	if (nullserver == NULL)
982 	{
983 		features = srvfeatures(e, CurSmtpClient, features);
984 		if (bitset(SRV_TMP_FAIL, features))
985 		{
986 			if (LogLevel > 4)
987 				sm_syslog(LOG_ERR, NOQID,
988 					  "ERROR: srv_features=tempfail, relay=%.100s, access temporarily disabled",
989 					  CurSmtpClient);
990 			nullserver = "450 4.3.0 Please try again later.";
991 		}
992 		else
993 		{
994 #if PIPELINING
995 # if _FFR_NO_PIPE
996 			if (bitset(SRV_NO_PIPE, features))
997 			{
998 				/* for consistency */
999 				features &= ~SRV_OFFER_PIPE;
1000 			}
1001 # endif /* _FFR_NO_PIPE */
1002 #endif /* PIPELINING */
1003 #if SASL
1004 			if (bitset(SRV_REQ_SEC, features))
1005 				SASLOpts |= SASL_SEC_NOPLAINTEXT;
1006 			else
1007 				SASLOpts &= ~SASL_SEC_NOPLAINTEXT;
1008 #endif /* SASL */
1009 		}
1010 	}
1011 	else if (strncmp(nullserver, "421 ", 4) == 0)
1012 	{
1013 		/* Can't use ("%s", ...) due to message() requirements */
1014 		message(nullserver);
1015 		goto doquit;
1016 	}
1017 
1018 	e->e_features = features;
1019 	hostname = macvalue('j', e);
1020 #if SASL
1021 	if (AuthRealm == NULL)
1022 		AuthRealm = hostname;
1023 	sasl_ok = bitset(SRV_OFFER_AUTH, features);
1024 	n_mechs = 0;
1025 	authenticating = SASL_NOT_AUTH;
1026 
1027 	/* SASL server new connection */
1028 	if (sasl_ok)
1029 	{
1030 # if SASL >= 20000
1031 		result = sasl_server_new("smtp", AuthRealm, NULL, NULL, NULL,
1032 					 NULL, 0, &conn);
1033 # elif SASL > 10505
1034 		/* use empty realm: only works in SASL > 1.5.5 */
1035 		result = sasl_server_new("smtp", AuthRealm, "", NULL, 0, &conn);
1036 # else /* SASL >= 20000 */
1037 		/* use no realm -> realm is set to hostname by SASL lib */
1038 		result = sasl_server_new("smtp", AuthRealm, NULL, NULL, 0,
1039 					 &conn);
1040 # endif /* SASL >= 20000 */
1041 		sasl_ok = result == SASL_OK;
1042 		if (!sasl_ok)
1043 		{
1044 			if (LogLevel > 9)
1045 				sm_syslog(LOG_WARNING, NOQID,
1046 					  "AUTH error: sasl_server_new failed=%d",
1047 					  result);
1048 		}
1049 	}
1050 	if (sasl_ok)
1051 	{
1052 		/*
1053 		**  SASL set properties for sasl
1054 		**  set local/remote IP
1055 		**  XXX Cyrus SASL v1 only supports IPv4
1056 		**
1057 		**  XXX where exactly are these used/required?
1058 		**  Kerberos_v4
1059 		*/
1060 
1061 # if SASL >= 20000
1062 		localip[0] = remoteip[0] = '\0';
1063 #  if NETINET || NETINET6
1064 		in = macvalue(macid("{daemon_family}"), e);
1065 		if (in != NULL && (
1066 #   if NETINET6
1067 		    strcmp(in, "inet6") == 0 ||
1068 #   endif
1069 		    strcmp(in, "inet") == 0))
1070 		{
1071 			SOCKADDR_LEN_T addrsize;
1072 			SOCKADDR saddr_l;
1073 			SOCKADDR saddr_r;
1074 
1075 			addrsize = sizeof(saddr_r);
1076 			if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
1077 						      NULL),
1078 					(struct sockaddr *) &saddr_r,
1079 					&addrsize) == 0)
1080 			{
1081 				if (iptostring(&saddr_r, addrsize,
1082 					       remoteip, sizeof(remoteip)))
1083 				{
1084 					sasl_setprop(conn, SASL_IPREMOTEPORT,
1085 						     remoteip);
1086 				}
1087 				addrsize = sizeof(saddr_l);
1088 				if (getsockname(sm_io_getinfo(InChannel,
1089 							      SM_IO_WHAT_FD,
1090 							      NULL),
1091 						(struct sockaddr *) &saddr_l,
1092 						&addrsize) == 0)
1093 				{
1094 					if (iptostring(&saddr_l, addrsize,
1095 						       localip,
1096 						       sizeof(localip)))
1097 					{
1098 						sasl_setprop(conn,
1099 							     SASL_IPLOCALPORT,
1100 							     localip);
1101 					}
1102 				}
1103 			}
1104 		}
1105 #  endif /* NETINET || NETINET6 */
1106 # else /* SASL >= 20000 */
1107 #  if NETINET
1108 		in = macvalue(macid("{daemon_family}"), e);
1109 		if (in != NULL && strcmp(in, "inet") == 0)
1110 		{
1111 			SOCKADDR_LEN_T addrsize;
1112 
1113 			addrsize = sizeof(struct sockaddr_in);
1114 			if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
1115 						      NULL),
1116 					(struct sockaddr *)&saddr_r,
1117 					&addrsize) == 0)
1118 			{
1119 				sasl_setprop(conn, SASL_IP_REMOTE, &saddr_r);
1120 				addrsize = sizeof(struct sockaddr_in);
1121 				if (getsockname(sm_io_getinfo(InChannel,
1122 							      SM_IO_WHAT_FD,
1123 							      NULL),
1124 						(struct sockaddr *)&saddr_l,
1125 						&addrsize) == 0)
1126 					sasl_setprop(conn, SASL_IP_LOCAL,
1127 						     &saddr_l);
1128 			}
1129 		}
1130 #  endif /* NETINET */
1131 # endif /* SASL >= 20000 */
1132 
1133 		auth_type = NULL;
1134 		mechlist = NULL;
1135 		user = NULL;
1136 # if 0
1137 		macdefine(&BlankEnvelope.e_macro, A_PERM,
1138 			macid("{auth_author}"), NULL);
1139 # endif
1140 
1141 		/* set properties */
1142 		(void) memset(&ssp, '\0', sizeof(ssp));
1143 
1144 		/* XXX should these be options settable via .cf ? */
1145 		/* ssp.min_ssf = 0; is default due to memset() */
1146 		ssp.max_ssf = MaxSLBits;
1147 		ssp.maxbufsize = MAXOUTLEN;
1148 		ssp.security_flags = SASLOpts & SASL_SEC_MASK;
1149 		sasl_ok = sasl_setprop(conn, SASL_SEC_PROPS, &ssp) == SASL_OK;
1150 
1151 		if (sasl_ok)
1152 		{
1153 			/*
1154 			**  external security strength factor;
1155 			**	currently we have none so zero
1156 			*/
1157 
1158 # if SASL >= 20000
1159 			ext_ssf = 0;
1160 			auth_id = NULL;
1161 			sasl_ok = ((sasl_setprop(conn, SASL_SSF_EXTERNAL,
1162 						 &ext_ssf) == SASL_OK) &&
1163 				   (sasl_setprop(conn, SASL_AUTH_EXTERNAL,
1164 						 auth_id) == SASL_OK));
1165 # else /* SASL >= 20000 */
1166 			ext_ssf.ssf = 0;
1167 			ext_ssf.auth_id = NULL;
1168 			sasl_ok = sasl_setprop(conn, SASL_SSF_EXTERNAL,
1169 					       &ext_ssf) == SASL_OK;
1170 # endif /* SASL >= 20000 */
1171 		}
1172 		if (sasl_ok)
1173 			n_mechs = saslmechs(conn, &mechlist);
1174 	}
1175 #endif /* SASL */
1176 
1177 	(void) set_tls_rd_tmo(TimeOuts.to_nextcommand);
1178 
1179 #if MILTER
1180 	if (smtp.sm_milterize)
1181 	{
1182 		char state;
1183 
1184 		/* initialize mail filter connection */
1185 		smtp.sm_milterlist = milter_init(e, &state, &smtp.sm_milters);
1186 		switch (state)
1187 		{
1188 		  case SMFIR_REJECT:
1189 			if (MilterLogLevel > 3)
1190 				sm_syslog(LOG_INFO, e->e_id,
1191 					  "Milter: initialization failed, rejecting commands");
1192 			greetcode = "554";
1193 			nullserver = "Command rejected";
1194 			smtp.sm_milterize = false;
1195 			break;
1196 
1197 		  case SMFIR_TEMPFAIL:
1198 			if (MilterLogLevel > 3)
1199 				sm_syslog(LOG_INFO, e->e_id,
1200 					  "Milter: initialization failed, temp failing commands");
1201 			tempfail = true;
1202 			smtp.sm_milterize = false;
1203 			break;
1204 
1205 		  case SMFIR_SHUTDOWN:
1206 			if (MilterLogLevel > 3)
1207 				sm_syslog(LOG_INFO, e->e_id,
1208 					  "Milter: initialization failed, closing connection");
1209 			tempfail = true;
1210 			smtp.sm_milterize = false;
1211 			message("421 4.7.0 %s closing connection",
1212 					MyHostName);
1213 
1214 			/* arrange to ignore send list */
1215 			e->e_sendqueue = NULL;
1216 			lognullconnection = false;
1217 			goto doquit;
1218 		}
1219 	}
1220 
1221 	if (smtp.sm_milterlist && smtp.sm_milterize &&
1222 	    !bitset(EF_DISCARD, e->e_flags))
1223 	{
1224 		char state;
1225 		char *response;
1226 
1227 		q = macvalue(macid("{client_name}"), e);
1228 		SM_ASSERT(q != NULL || OpMode == MD_SMTP);
1229 		if (q == NULL)
1230 			q = "localhost";
1231 		response = milter_connect(q, RealHostAddr, e, &state);
1232 		switch (state)
1233 		{
1234 #if _FFR_MILTER_CONNECT_REPLYCODE
1235 		  case SMFIR_REPLYCODE:
1236 			if (*response == '5')
1237 			{
1238 				if (MilterLogLevel > 3)
1239 					sm_syslog(LOG_INFO, e->e_id,
1240 						  "Milter: connect: host=%s, addr=%s, reject=%s",
1241 						  peerhostname,
1242 						  anynet_ntoa(&RealHostAddr),
1243 						  response);
1244 				greetcode = "554"; /* Required by 2821 3.1 */
1245 				nullserver = newstr(response);
1246 				if (strlen(nullserver) > 4)
1247 				{
1248 					int skip;
1249 
1250 					greetmsg = nullserver + 4;
1251 
1252 					/* skip over enhanced status code */
1253 					skip = isenhsc(greetmsg, ' ');
1254 					if (skip > 0)
1255 						greetmsg += skip + 1;
1256 				}
1257 				smtp.sm_milterize = false;
1258 				break;
1259 			}
1260 			else if (strncmp(response, "421 ", 4) == 0)
1261 			{
1262 				int skip;
1263 				const char *msg = response + 4;
1264 
1265 				if (MilterLogLevel > 3)
1266 					sm_syslog(LOG_INFO, e->e_id,
1267 						  "Milter: connect: host=%s, addr=%s, shutdown=%s",
1268 						  peerhostname,
1269 						  anynet_ntoa(&RealHostAddr),
1270 						  response);
1271 				tempfail = true;
1272 				smtp.sm_milterize = false;
1273 
1274 				/* skip over enhanced status code */
1275 				skip = isenhsc(msg, ' ');
1276 				if (skip > 0)
1277 					msg += skip + 1;
1278 				message("421 %s %s", MyHostName, msg);
1279 
1280 				/* arrange to ignore send list */
1281 				e->e_sendqueue = NULL;
1282 				goto doquit;
1283 			}
1284 			else
1285 			{
1286 				if (MilterLogLevel > 3)
1287 					sm_syslog(LOG_INFO, e->e_id,
1288 						  "Milter: connect: host=%s, addr=%s, temp failing commands=%s",
1289 						  peerhostname,
1290 						  anynet_ntoa(&RealHostAddr),
1291 						  response);
1292 				/*tempfail = true;*/
1293 				smtp.sm_milterize = false;
1294 				nullserver = newstr(response);
1295 				break;
1296 			}
1297 
1298 #else /* _FFR_MILTER_CONNECT_REPLYCODE */
1299 		  case SMFIR_REPLYCODE:	/* REPLYCODE shouldn't happen */
1300 #endif /* _FFR_MILTER_CONNECT_REPLYCODE */
1301 		  case SMFIR_REJECT:
1302 			if (MilterLogLevel > 3)
1303 				sm_syslog(LOG_INFO, e->e_id,
1304 					  "Milter: connect: host=%s, addr=%s, rejecting commands",
1305 					  peerhostname,
1306 					  anynet_ntoa(&RealHostAddr));
1307 			greetcode = "554";
1308 			nullserver = "Command rejected";
1309 			smtp.sm_milterize = false;
1310 			break;
1311 
1312 		  case SMFIR_TEMPFAIL:
1313 			if (MilterLogLevel > 3)
1314 				sm_syslog(LOG_INFO, e->e_id,
1315 					  "Milter: connect: host=%s, addr=%s, temp failing commands",
1316 					  peerhostname,
1317 					  anynet_ntoa(&RealHostAddr));
1318 			tempfail = true;
1319 			smtp.sm_milterize = false;
1320 			break;
1321 
1322 		  case SMFIR_SHUTDOWN:
1323 			if (MilterLogLevel > 3)
1324 				sm_syslog(LOG_INFO, e->e_id,
1325 					  "Milter: connect: host=%s, addr=%s, shutdown",
1326 					  peerhostname,
1327 					  anynet_ntoa(&RealHostAddr));
1328 			tempfail = true;
1329 			smtp.sm_milterize = false;
1330 			message("421 4.7.0 %s closing connection",
1331 					MyHostName);
1332 
1333 			/* arrange to ignore send list */
1334 			e->e_sendqueue = NULL;
1335 			goto doquit;
1336 		}
1337 		if (response != NULL)
1338 			sm_free(response);
1339 	}
1340 #endif /* MILTER */
1341 
1342 	/*
1343 	**  Broken proxies and SMTP slammers
1344 	**  push data without waiting, catch them
1345 	*/
1346 
1347 	if (
1348 #if STARTTLS
1349 	    !smtps &&
1350 #endif
1351 	    *greetcode == '2' && nullserver == NULL)
1352 	{
1353 		time_t msecs = 0;
1354 		char **pvp;
1355 		char pvpbuf[PSBUFSIZE];
1356 
1357 		/* Ask the rulesets how long to pause */
1358 		pvp = NULL;
1359 		r = rscap("greet_pause", peerhostname,
1360 			  anynet_ntoa(&RealHostAddr), e,
1361 			  &pvp, pvpbuf, sizeof(pvpbuf));
1362 		if (r == EX_OK && pvp != NULL && pvp[0] != NULL &&
1363 		    (pvp[0][0] & 0377) == CANONNET && pvp[1] != NULL)
1364 		{
1365 			msecs = strtol(pvp[1], NULL, 10);
1366 		}
1367 
1368 		if (msecs > 0)
1369 		{
1370 			int fd;
1371 			fd_set readfds;
1372 			struct timeval timeout;
1373 			struct timeval bp, ep, tp; /* {begin,end,total}pause */
1374 			int eoftest;
1375 
1376 			/* pause for a moment */
1377 			timeout.tv_sec = msecs / 1000;
1378 			timeout.tv_usec = (msecs % 1000) * 1000;
1379 
1380 			/* Obey RFC 2821: 4.3.5.2: 220 timeout of 5 minutes */
1381 			if (timeout.tv_sec >= 300)
1382 			{
1383 				timeout.tv_sec = 300;
1384 				timeout.tv_usec = 0;
1385 			}
1386 
1387 			/* check if data is on the socket during the pause */
1388 			fd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
1389 			FD_ZERO(&readfds);
1390 			SM_FD_SET(fd, &readfds);
1391 			gettimeofday(&bp, NULL);
1392 			if (select(fd + 1, FDSET_CAST &readfds,
1393 			    NULL, NULL, &timeout) > 0 &&
1394 			    FD_ISSET(fd, &readfds) &&
1395 			    (eoftest = sm_io_getc(InChannel, SM_TIME_DEFAULT))
1396 			    != SM_IO_EOF)
1397 			{
1398 				sm_io_ungetc(InChannel, SM_TIME_DEFAULT,
1399 					     eoftest);
1400 				gettimeofday(&ep, NULL);
1401 				timersub(&ep, &bp, &tp);
1402 				greetcode = "554";
1403 				nullserver = "Command rejected";
1404 				sm_syslog(LOG_INFO, e->e_id,
1405 					  "rejecting commands from %s [%s] due to pre-greeting traffic after %d seconds",
1406 					  peerhostname,
1407 					  anynet_ntoa(&RealHostAddr),
1408 					  (int) tp.tv_sec +
1409 						(tp.tv_usec >= 500000 ? 1 : 0)
1410 					 );
1411 			}
1412 		}
1413 	}
1414 
1415 #if STARTTLS
1416 	/* If this an smtps connection, start TLS now */
1417 	if (smtps)
1418 	{
1419 		if (!tls_ok_srv || srv_ctx == NULL)
1420 		{
1421 			sm_syslog(LOG_ERR, e->e_id,
1422 				"smtps: TLS not available, exiting");
1423 			exit(EX_CONFIG);
1424 		}
1425 		Errors = 0;
1426 		first = true;
1427 		gothello = false;
1428 		smtp.sm_gotmail = false;
1429 		goto starttls;
1430 	}
1431 
1432   greeting:
1433 
1434 #endif /* STARTTLS */
1435 
1436 	/* output the first line, inserting "ESMTP" as second word */
1437 	if (*greetcode == '5')
1438 		(void) sm_snprintf(inp, sizeof(inp), "%s %s", hostname,
1439 				   greetmsg);
1440 	else
1441 		expand(SmtpGreeting, inp, sizeof(inp), e);
1442 
1443 	p = strchr(inp, '\n');
1444 	if (p != NULL)
1445 		*p++ = '\0';
1446 	id = strchr(inp, ' ');
1447 	if (id == NULL)
1448 		id = &inp[strlen(inp)];
1449 	if (p == NULL)
1450 		(void) sm_snprintf(cmdbuf, sizeof(cmdbuf),
1451 			 "%s %%.*s ESMTP%%s", greetcode);
1452 	else
1453 		(void) sm_snprintf(cmdbuf, sizeof(cmdbuf),
1454 			 "%s-%%.*s ESMTP%%s", greetcode);
1455 	message(cmdbuf, (int) (id - inp), inp, id);
1456 
1457 	/* output remaining lines */
1458 	while ((id = p) != NULL && (p = strchr(id, '\n')) != NULL)
1459 	{
1460 		*p++ = '\0';
1461 		if (SM_ISSPACE(*id))
1462 			id++;
1463 		(void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, "-%s");
1464 		message(cmdbuf, id);
1465 	}
1466 	if (id != NULL)
1467 	{
1468 		if (SM_ISSPACE(*id))
1469 			id++;
1470 		(void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, " %s");
1471 		message(cmdbuf, id);
1472 	}
1473 
1474 	protocol = NULL;
1475 	sendinghost = macvalue('s', e);
1476 
1477 	/* If quarantining by a connect/ehlo action, save between messages */
1478 	if (e->e_quarmsg == NULL)
1479 		smtp.sm_quarmsg = NULL;
1480 	else
1481 		smtp.sm_quarmsg = newstr(e->e_quarmsg);
1482 
1483 	/* sendinghost's storage must outlive the current envelope */
1484 	if (sendinghost != NULL)
1485 		sendinghost = sm_strdup_x(sendinghost);
1486 	first = true;
1487 	gothello = false;
1488 	smtp.sm_gotmail = false;
1489 	for (;;)
1490 	{
1491 	    SM_TRY
1492 	    {
1493 		QuickAbort = false;
1494 		HoldErrs = false;
1495 		SuprErrs = false;
1496 		LogUsrErrs = false;
1497 		OnlyOneError = true;
1498 		e->e_flags &= ~(EF_VRFYONLY|EF_GLOBALERRS);
1499 #if MILTER
1500 		milter_cmd_fail = false;
1501 #endif
1502 
1503 		/* setup for the read */
1504 		e->e_to = NULL;
1505 		Errors = 0;
1506 		FileName = NULL;
1507 		(void) sm_io_flush(smioout, SM_TIME_DEFAULT);
1508 
1509 		/* read the input line */
1510 		SmtpPhase = "server cmd read";
1511 		sm_setproctitle(true, e, "server %s cmd read", CurSmtpClient);
1512 
1513 		/* handle errors */
1514 		if (sm_io_error(OutChannel) ||
1515 		    (p = sfgets(inp, sizeof(inp), InChannel,
1516 				TimeOuts.to_nextcommand, SmtpPhase)) == NULL)
1517 		{
1518 			char *d;
1519 
1520 			d = macvalue(macid("{daemon_name}"), e);
1521 			if (d == NULL)
1522 				d = "stdin";
1523 			/* end of file, just die */
1524 			disconnect(1, e);
1525 
1526 #if MILTER
1527 			/* close out milter filters */
1528 			milter_quit(e);
1529 #endif
1530 
1531 			message("421 4.4.1 %s Lost input channel from %s",
1532 				MyHostName, CurSmtpClient);
1533 			if (LogLevel > (smtp.sm_gotmail ? 1 : 19))
1534 				sm_syslog(LOG_NOTICE, e->e_id,
1535 					  "lost input channel from %s to %s after %s",
1536 					  CurSmtpClient, d,
1537 					  (c == NULL || c->cmd_name == NULL) ? "startup" : c->cmd_name);
1538 			/*
1539 			**  If have not accepted mail (DATA), do not bounce
1540 			**  bad addresses back to sender.
1541 			*/
1542 
1543 			if (bitset(EF_CLRQUEUE, e->e_flags))
1544 				e->e_sendqueue = NULL;
1545 			goto doquit;
1546 		}
1547 
1548 		/* also used by "proxy" check below */
1549 		inplen = strlen(inp);
1550 #if SASL
1551 		/*
1552 		**  SMTP AUTH requires accepting any length,
1553 		**  at least for challenge/response. However, not imposing
1554 		**  a limit is a bad idea (denial of service).
1555 		*/
1556 
1557 		if (authenticating != SASL_PROC_AUTH
1558 		    && sm_strncasecmp(inp, "AUTH ", 5) != 0
1559 		    && inplen > MAXLINE)
1560 		{
1561 			message("421 4.7.0 %s Command too long, possible attack %s",
1562 				MyHostName, CurSmtpClient);
1563 			sm_syslog(LOG_INFO, e->e_id,
1564 				  "%s: SMTP violation, input too long: %lu",
1565 				  CurSmtpClient, (unsigned long) inplen);
1566 			goto doquit;
1567 		}
1568 #endif /* SASL */
1569 
1570 		if (first)
1571 		{
1572 			size_t cmdlen;
1573 			int idx;
1574 			char *http_cmd;
1575 			static char *http_cmds[] = { "GET", "POST",
1576 						     "CONNECT", "USER", NULL };
1577 
1578 			for (idx = 0; (http_cmd = http_cmds[idx]) != NULL;
1579 			     idx++)
1580 			{
1581 				cmdlen = strlen(http_cmd);
1582 				if (cmdlen < inplen &&
1583 				    sm_strncasecmp(inp, http_cmd, cmdlen) == 0 &&
1584 				    SM_ISSPACE(inp[cmdlen]))
1585 				{
1586 					/* Open proxy, drop it */
1587 					message("421 4.7.0 %s Rejecting open proxy %s",
1588 						MyHostName, CurSmtpClient);
1589 					sm_syslog(LOG_INFO, e->e_id,
1590 						  "%s: probable open proxy: command=%.40s",
1591 						  CurSmtpClient, inp);
1592 					goto doquit;
1593 				}
1594 			}
1595 			first = false;
1596 		}
1597 
1598 		/* clean up end of line */
1599 		fixcrlf(inp, true);
1600 
1601 #if PIPELINING
1602 # if _FFR_NO_PIPE
1603 		/*
1604 		**  if there is more input and pipelining is disabled:
1605 		**	delay ... (and maybe discard the input?)
1606 		**  XXX this doesn't really work, at least in tests using
1607 		**  telnet SM_IO_IS_READABLE only returns 1 if there were
1608 		**  more than 2 input lines available.
1609 		*/
1610 
1611 		if (bitset(SRV_NO_PIPE, features) &&
1612 		    sm_io_getinfo(InChannel, SM_IO_IS_READABLE, NULL) > 0)
1613 		{
1614 			if (++np_log < 3)
1615 				sm_syslog(LOG_INFO, NOQID,
1616 					  "unauthorized PIPELINING, sleeping, relay=%.100s",
1617 					   CurSmtpClient);
1618 			sleep(1);
1619 		}
1620 
1621 # endif /* _FFR_NO_PIPE */
1622 #endif /* PIPELINING */
1623 
1624 #if SASL
1625 		if (authenticating == SASL_PROC_AUTH)
1626 		{
1627 # if 0
1628 			if (*inp == '\0')
1629 			{
1630 				authenticating = SASL_NOT_AUTH;
1631 				message("501 5.5.2 missing input");
1632 				RESET_SASLCONN;
1633 				continue;
1634 			}
1635 # endif /* 0 */
1636 			if (*inp == '*' && *(inp + 1) == '\0')
1637 			{
1638 				authenticating = SASL_NOT_AUTH;
1639 
1640 				/* RFC 2554 4. */
1641 				message("501 5.0.0 AUTH aborted");
1642 				RESET_SASLCONN;
1643 				continue;
1644 			}
1645 
1646 			/* could this be shorter? XXX */
1647 # if SASL >= 20000
1648 			in = xalloc(strlen(inp) + 1);
1649 			result = sasl_decode64(inp, strlen(inp), in,
1650 					       strlen(inp), &inlen);
1651 # else /* SASL >= 20000 */
1652 			out = xalloc(strlen(inp));
1653 			result = sasl_decode64(inp, strlen(inp), out, &outlen);
1654 # endif /* SASL >= 20000 */
1655 			if (result != SASL_OK)
1656 			{
1657 				authenticating = SASL_NOT_AUTH;
1658 
1659 				/* RFC 2554 4. */
1660 				message("501 5.5.4 cannot decode AUTH parameter %s",
1661 					inp);
1662 # if SASL >= 20000
1663 				sm_free(in);
1664 # endif
1665 				RESET_SASLCONN;
1666 				continue;
1667 			}
1668 
1669 # if SASL >= 20000
1670 			SET_AUTH_USER_TMP(in, inlen);
1671 			result = sasl_server_step(conn,	in, inlen,
1672 						  &out, &outlen);
1673 			sm_free(in);
1674 # else /* SASL >= 20000 */
1675 			SET_AUTH_USER_TMP(out, outlen);
1676 			result = sasl_server_step(conn,	out, outlen,
1677 						  &out, &outlen, &errstr);
1678 # endif /* SASL >= 20000 */
1679 
1680 			/* get an OK if we're done */
1681 			if (result == SASL_OK)
1682 			{
1683   authenticated:
1684 				message("235 2.0.0 OK Authenticated");
1685 				authenticating = SASL_IS_AUTH;
1686 				macdefine(&BlankEnvelope.e_macro, A_TEMP,
1687 					macid("{auth_type}"), auth_type);
1688 
1689 # if SASL >= 20000
1690 				user = macvalue(macid("{auth_authen}"), e);
1691 
1692 				/* get security strength (features) */
1693 				result = sasl_getprop(conn, SASL_SSF,
1694 						      (const void **) &ssf);
1695 # else /* SASL >= 20000 */
1696 				result = sasl_getprop(conn, SASL_USERNAME,
1697 						      (void **)&user);
1698 				if (result != SASL_OK)
1699 				{
1700 					user = "";
1701 					macdefine(&BlankEnvelope.e_macro,
1702 						  A_PERM,
1703 						  macid("{auth_authen}"), NULL);
1704 				}
1705 				else
1706 				{
1707 					macdefine(&BlankEnvelope.e_macro,
1708 						  A_TEMP,
1709 						  macid("{auth_authen}"),
1710 						  xtextify(user, "<>\")"));
1711 				}
1712 
1713 # if 0
1714 				/* get realm? */
1715 				sasl_getprop(conn, SASL_REALM, (void **) &data);
1716 # endif
1717 
1718 				/* get security strength (features) */
1719 				result = sasl_getprop(conn, SASL_SSF,
1720 						      (void **) &ssf);
1721 # endif /* SASL >= 20000 */
1722 				if (result != SASL_OK)
1723 				{
1724 					macdefine(&BlankEnvelope.e_macro,
1725 						  A_PERM,
1726 						  macid("{auth_ssf}"), "0");
1727 					ssf = NULL;
1728 				}
1729 				else
1730 				{
1731 					char pbuf[8];
1732 
1733 					(void) sm_snprintf(pbuf, sizeof(pbuf),
1734 							   "%u", *ssf);
1735 					macdefine(&BlankEnvelope.e_macro,
1736 						  A_TEMP,
1737 						  macid("{auth_ssf}"), pbuf);
1738 					if (tTd(95, 8))
1739 						sm_dprintf("AUTH auth_ssf: %u\n",
1740 							   *ssf);
1741 				}
1742 
1743 				protocol = GET_PROTOCOL();
1744 
1745 				/*
1746 				**  Only switch to encrypted connection
1747 				**  if a security layer has been negotiated
1748 				*/
1749 
1750 				if (ssf != NULL && *ssf > 0)
1751 				{
1752 					int tmo;
1753 
1754 					/*
1755 					**  Convert I/O layer to use SASL.
1756 					**  If the call fails, the connection
1757 					**  is aborted.
1758 					*/
1759 
1760 					tmo = TimeOuts.to_datablock * 1000;
1761 					if (sfdcsasl(&InChannel, &OutChannel,
1762 						     conn, tmo) == 0)
1763 					{
1764 						/* restart dialogue */
1765 						n_helo = 0;
1766 # if PIPELINING
1767 						(void) sm_io_autoflush(InChannel,
1768 								       OutChannel);
1769 # endif /* PIPELINING */
1770 					}
1771 					else
1772 						syserr("503 5.3.3 SASL TLS failed");
1773 				}
1774 
1775 				/* NULL pointer ok since it's our function */
1776 				if (LogLevel > 8)
1777 					sm_syslog(LOG_INFO, NOQID,
1778 						  "AUTH=server, relay=%s, authid=%.128s, mech=%.16s, bits=%d",
1779 						  CurSmtpClient,
1780 						  shortenstring(user, 128),
1781 						  auth_type, *ssf);
1782 			}
1783 			else if (result == SASL_CONTINUE)
1784 			{
1785 				SET_AUTH_USER;
1786 
1787 				len = ENC64LEN(outlen);
1788 				out2 = xalloc(len);
1789 				result = sasl_encode64(out, outlen, out2, len,
1790 						       &out2len);
1791 				if (result != SASL_OK)
1792 				{
1793 					/* correct code? XXX */
1794 					/* 454 Temp. authentication failure */
1795 					message("454 4.5.4 Internal error: unable to encode64");
1796 					if (LogLevel > 5)
1797 						sm_syslog(LOG_WARNING, e->e_id,
1798 							  "AUTH encode64 error [%d for \"%s\"], relay=%.100s",
1799 							  result, out,
1800 							  CurSmtpClient);
1801 					/* start over? */
1802 					authenticating = SASL_NOT_AUTH;
1803 				}
1804 				else
1805 				{
1806 					message("334 %s", out2);
1807 					if (tTd(95, 2))
1808 						sm_dprintf("AUTH continue: msg='%s' len=%u\n",
1809 							   out2, out2len);
1810 				}
1811 # if SASL >= 20000
1812 				sm_free(out2);
1813 # endif
1814 			}
1815 			else
1816 			{
1817 
1818 # if SASL >= 20000
1819 #  define SASLERR sasl_errdetail(conn)
1820 # else
1821 #  define SASLERR errstr == NULL ? "" : errstr
1822 # endif
1823 #define LOGAUTHFAIL	\
1824 	do	\
1825 	{	\
1826 		SET_AUTH_USER_CONDITIONALLY	\
1827 		message("535 5.7.0 authentication failed");	\
1828 		if (LogLevel >= 9)	\
1829 			sm_syslog(LOG_WARNING, e->e_id,	\
1830 				  "AUTH failure (%s): %s (%d) %s%s%.*s, relay=%.100s",	\
1831 				  (auth_type != NULL) ? auth_type : "unknown", \
1832 				  sasl_errstring(result, NULL, NULL),	\
1833 				  result,	\
1834 				  SASLERR, \
1835 				  LOG_AUTH_FAIL_USER,	\
1836 				  CurSmtpClient);	\
1837 		RESET_SASLCONN;	\
1838 	} while (0)
1839 
1840 
1841 				LOGAUTHFAIL;
1842 				authenticating = SASL_NOT_AUTH;
1843 			}
1844 		}
1845 		else
1846 		{
1847 			/* don't want to do any of this if authenticating */
1848 #endif /* SASL */
1849 
1850 		/* echo command to transcript */
1851 		if (e->e_xfp != NULL)
1852 			(void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
1853 					     "<<< %s\n", inp);
1854 
1855 		if (LogLevel > 14)
1856 			sm_syslog(LOG_INFO, e->e_id, "<-- %s", inp);
1857 
1858 		/* break off command */
1859 		for (p = inp; SM_ISSPACE(*p); p++)
1860 			continue;
1861 		cmd = cmdbuf;
1862 		while (*p != '\0' &&
1863 		       !(SM_ISSPACE(*p)) &&
1864 		       cmd < &cmdbuf[sizeof(cmdbuf) - 2])
1865 			*cmd++ = *p++;
1866 		*cmd = '\0';
1867 
1868 		/* throw away leading whitespace */
1869 		SKIP_SPACE(p);
1870 
1871 		/* decode command */
1872 		for (c = CmdTab; c->cmd_name != NULL; c++)
1873 		{
1874 			if (sm_strcasecmp(c->cmd_name, cmdbuf) == 0)
1875 				break;
1876 		}
1877 
1878 		/* reset errors */
1879 		errno = 0;
1880 
1881 		/* check whether a "non-null" command has been used */
1882 		switch (c->cmd_code)
1883 		{
1884 #if SASL
1885 		  case CMDAUTH:
1886 			/* avoid information leak; take first two words? */
1887 			q = "AUTH";
1888 			break;
1889 #endif /* SASL */
1890 
1891 		  case CMDMAIL:
1892 		  case CMDEXPN:
1893 		  case CMDVRFY:
1894 		  case CMDETRN:
1895 			lognullconnection = false;
1896 			/* FALLTHROUGH */
1897 		  default:
1898 			q = inp;
1899 			break;
1900 		}
1901 
1902 		if (e->e_id == NULL)
1903 			sm_setproctitle(true, e, "%s: %.80s",
1904 					CurSmtpClient, q);
1905 		else
1906 			sm_setproctitle(true, e, "%s %s: %.80s",
1907 					qid_printname(e),
1908 					CurSmtpClient, q);
1909 
1910 		/*
1911 		**  Process command.
1912 		**
1913 		**	If we are running as a null server, return 550
1914 		**	to almost everything.
1915 		*/
1916 
1917 		if (nullserver != NULL || bitnset(D_ETRNONLY, d_flags))
1918 		{
1919 			switch (c->cmd_code)
1920 			{
1921 			  case CMDQUIT:
1922 			  case CMDHELO:
1923 			  case CMDEHLO:
1924 			  case CMDNOOP:
1925 			  case CMDRSET:
1926 			  case CMDERROR:
1927 				/* process normally */
1928 				break;
1929 
1930 			  case CMDETRN:
1931 				if (bitnset(D_ETRNONLY, d_flags) &&
1932 				    nullserver == NULL)
1933 					break;
1934 				DELAY_CONN("ETRN");
1935 				/* FALLTHROUGH */
1936 
1937 			  default:
1938 #if MAXBADCOMMANDS > 0
1939 				/* theoretically this could overflow */
1940 				if (nullserver != NULL &&
1941 				    ++n_badcmds > MAXBADCOMMANDS)
1942 				{
1943 					message("421 4.7.0 %s Too many bad commands; closing connection",
1944 						MyHostName);
1945 
1946 					/* arrange to ignore send list */
1947 					e->e_sendqueue = NULL;
1948 					goto doquit;
1949 				}
1950 #endif /* MAXBADCOMMANDS > 0 */
1951 				if (nullserver != NULL)
1952 				{
1953 					if (ISSMTPREPLY(nullserver))
1954 					{
1955 						/* Can't use ("%s", ...) due to usrerr() requirements */
1956 						usrerr(nullserver);
1957 					}
1958 					else
1959 					{
1960 						usrerr("550 5.0.0 %s",
1961 						       nullserver);
1962 					}
1963 				}
1964 				else
1965 					usrerr("452 4.4.5 Insufficient disk space; try again later");
1966 				continue;
1967 			}
1968 		}
1969 
1970 		switch (c->cmd_code)
1971 		{
1972 #if SASL
1973 		  case CMDAUTH: /* sasl */
1974 			DELAY_CONN("AUTH");
1975 			if (!sasl_ok || n_mechs <= 0)
1976 			{
1977 				message("503 5.3.3 AUTH not available");
1978 				break;
1979 			}
1980 			if (authenticating == SASL_IS_AUTH)
1981 			{
1982 				message("503 5.5.0 Already Authenticated");
1983 				break;
1984 			}
1985 			if (smtp.sm_gotmail)
1986 			{
1987 				message("503 5.5.0 AUTH not permitted during a mail transaction");
1988 				break;
1989 			}
1990 			if (tempfail)
1991 			{
1992 				if (LogLevel > 9)
1993 					sm_syslog(LOG_INFO, e->e_id,
1994 						  "SMTP AUTH command (%.100s) from %s tempfailed (due to previous checks)",
1995 						  p, CurSmtpClient);
1996 				usrerr("454 4.3.0 Please try again later");
1997 				break;
1998 			}
1999 
2000 			ismore = false;
2001 
2002 			/* crude way to avoid crack attempts */
2003 			STOP_IF_ATTACK(checksmtpattack(&n_auth, n_mechs + 1,
2004 							true, "AUTH", e));
2005 
2006 			/* make sure mechanism (p) is a valid string */
2007 			for (q = p; *q != '\0' && isascii(*q); q++)
2008 			{
2009 				if (isspace(*q))
2010 				{
2011 					*q = '\0';
2012 					while (*++q != '\0' && SM_ISSPACE(*q))
2013 						continue;
2014 					*(q - 1) = '\0';
2015 					ismore = (*q != '\0');
2016 					break;
2017 				}
2018 			}
2019 
2020 			if (*p == '\0')
2021 			{
2022 				message("501 5.5.2 AUTH mechanism must be specified");
2023 				break;
2024 			}
2025 
2026 			/* check whether mechanism is available */
2027 			if (iteminlist(p, mechlist, " ") == NULL)
2028 			{
2029 				message("504 5.3.3 AUTH mechanism %.32s not available",
2030 					p);
2031 				break;
2032 			}
2033 
2034 			/*
2035 			**  RFC 2554 4.
2036 			**  Unlike a zero-length client answer to a
2037 			**  334 reply, a zero- length initial response
2038 			**  is sent as a single equals sign ("=").
2039 			*/
2040 
2041 			if (ismore && *q == '=' && *(q + 1) == '\0')
2042 			{
2043 				/* will be free()d, don't use in=""; */
2044 				in = xalloc(1);
2045 				*in = '\0';
2046 				inlen = 0;
2047 			}
2048 			else if (ismore)
2049 			{
2050 				/* could this be shorter? XXX */
2051 # if SASL >= 20000
2052 				in = xalloc(strlen(q) + 1);
2053 				result = sasl_decode64(q, strlen(q), in,
2054 						       strlen(q), &inlen);
2055 # else /* SASL >= 20000 */
2056 				in = sm_rpool_malloc(e->e_rpool, strlen(q));
2057 				result = sasl_decode64(q, strlen(q), in,
2058 						       &inlen);
2059 # endif /* SASL >= 20000 */
2060 
2061 				if (result != SASL_OK)
2062 				{
2063 					message("501 5.5.4 cannot BASE64 decode '%s'",
2064 						q);
2065 					if (LogLevel > 5)
2066 						sm_syslog(LOG_WARNING, e->e_id,
2067 							  "AUTH decode64 error [%d for \"%s\"], relay=%.100s",
2068 							  result, q,
2069 							  CurSmtpClient);
2070 					/* start over? */
2071 					authenticating = SASL_NOT_AUTH;
2072 # if SASL >= 20000
2073 					sm_free(in);
2074 # endif
2075 					in = NULL;
2076 					inlen = 0;
2077 					break;
2078 				}
2079 				SET_AUTH_USER_TMP(in, inlen);
2080 			}
2081 			else
2082 			{
2083 				in = NULL;
2084 				inlen = 0;
2085 			}
2086 
2087 			/* see if that auth type exists */
2088 # if SASL >= 20000
2089 			result = sasl_server_start(conn, p, in, inlen,
2090 						   &out, &outlen);
2091 			SM_FREE(in);
2092 # else /* SASL >= 20000 */
2093 			result = sasl_server_start(conn, p, in, inlen,
2094 						   &out, &outlen, &errstr);
2095 # endif /* SASL >= 20000 */
2096 
2097 			if (p != NULL)
2098 				auth_type = newstr(p);
2099 			if (result != SASL_OK && result != SASL_CONTINUE)
2100 			{
2101 				LOGAUTHFAIL;
2102 				break;
2103 			}
2104 
2105 			if (result == SASL_OK)
2106 			{
2107 				/* ugly, but same code */
2108 				goto authenticated;
2109 				/* authenticated by the initial response */
2110 			}
2111 
2112 			SET_AUTH_USER;
2113 
2114 			/* len is at least 2 */
2115 			len = ENC64LEN(outlen);
2116 			out2 = xalloc(len);
2117 			result = sasl_encode64(out, outlen, out2, len,
2118 					       &out2len);
2119 
2120 			if (result != SASL_OK)
2121 			{
2122 				message("454 4.5.4 Temporary authentication failure");
2123 				if (LogLevel > 5)
2124 					sm_syslog(LOG_WARNING, e->e_id,
2125 						  "AUTH encode64 error [%d for \"%s\"]",
2126 						  result, out);
2127 
2128 				/* start over? */
2129 				authenticating = SASL_NOT_AUTH;
2130 				RESET_SASLCONN;
2131 			}
2132 			else
2133 			{
2134 				message("334 %s", out2);
2135 				authenticating = SASL_PROC_AUTH;
2136 			}
2137 # if SASL >= 20000
2138 			sm_free(out2);
2139 # endif
2140 			break;
2141 #endif /* SASL */
2142 
2143 #if STARTTLS
2144 		  case CMDSTLS: /* starttls */
2145 			DELAY_CONN("STARTTLS");
2146 			if (*p != '\0')
2147 			{
2148 				message("501 5.5.2 Syntax error (no parameters allowed)");
2149 				break;
2150 			}
2151 			if (!bitset(SRV_OFFER_TLS, features))
2152 			{
2153 				message("503 5.5.0 TLS not available");
2154 				break;
2155 			}
2156   starttls:
2157 			if (!tls_ok_srv)
2158 			{
2159 				message("454 4.3.3 TLS not available after start");
2160 				break;
2161 			}
2162 			if (smtp.sm_gotmail)
2163 			{
2164 				message("503 5.5.0 TLS not permitted during a mail transaction");
2165 				break;
2166 			}
2167 			if (tempfail)
2168 			{
2169 				if (LogLevel > 9)
2170 					sm_syslog(LOG_INFO, e->e_id,
2171 						  "SMTP STARTTLS command (%.100s) from %s tempfailed (due to previous checks)",
2172 						  p, CurSmtpClient);
2173 				usrerr("454 4.7.0 Please try again later");
2174 				break;
2175 			}
2176 			if (!TLS_set_engine(SSLEngine, false))
2177 			{
2178 				sm_syslog(LOG_ERR, NOQID,
2179 					  "STARTTLS=server, engine=%s, TLS_set_engine=failed",
2180 					  SSLEngine);
2181 				tls_ok_srv = false;
2182 				message("454 4.3.3 TLS not available right now");
2183 				break;
2184 			}
2185 # if TLS_NO_RSA
2186 			/*
2187 			**  XXX do we need a temp key ?
2188 			*/
2189 # endif
2190 
2191 # if TLS_VRFY_PER_CTX
2192 			/*
2193 			**  Note: this sets the verification globally
2194 			**  (per SSL_CTX)
2195 			**  it's ok since it applies only to one transaction
2196 			*/
2197 
2198 			TLS_VERIFY_CLIENT();
2199 # endif /* TLS_VRFY_PER_CTX */
2200 
2201 #define SMTLSFAILED				\
2202 	do {					\
2203 		SM_SSL_FREE(srv_ssl);		\
2204 		goto tls_done;			\
2205 	} while (0)
2206 
2207 			if (srv_ssl != NULL)
2208 				SSL_clear(srv_ssl);
2209 			else if ((srv_ssl = SSL_new(srv_ctx)) == NULL)
2210 			{
2211 				message("454 4.3.3 TLS not available: error generating SSL handle");
2212 				tlslogerr(LOG_WARNING, 8, "server");
2213 				goto tls_done;
2214 			}
2215 			if (get_tls_se_options(e, srv_ssl, &tlsi_ctx, true)
2216 			    != 0)
2217 			{
2218 				message("454 4.3.3 TLS not available: error setting options");
2219 				SMTLSFAILED;
2220 			}
2221 			r = SSL_set_ex_data(srv_ssl, TLSsslidx, &tlsi_ctx);
2222 			if (0 == r)
2223 			{
2224 				if (LogLevel > 5)
2225 				{
2226 					sm_syslog(LOG_ERR, NOQID,
2227 						"STARTTLS=server, error: SSL_set_ex_data failed=%d",
2228 						r);
2229 					tlslogerr(LOG_WARNING, 9, "server");
2230 				}
2231 				SMTLSFAILED;
2232 			}
2233 
2234 # if !TLS_VRFY_PER_CTX
2235 			/*
2236 			**  this could be used if it were possible to set
2237 			**  verification per SSL (connection)
2238 			**  not just per SSL_CTX (global)
2239 			*/
2240 
2241 			TLS_VERIFY_CLIENT();
2242 # endif /* !TLS_VRFY_PER_CTX */
2243 
2244 			rfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
2245 			wfd = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL);
2246 
2247 			if (rfd < 0 || wfd < 0 ||
2248 			    SSL_set_rfd(srv_ssl, rfd) <= 0 ||
2249 			    SSL_set_wfd(srv_ssl, wfd) <= 0)
2250 			{
2251 				message("454 4.3.3 TLS not available: error set fd");
2252 				SMTLSFAILED;
2253 			}
2254 			if (!smtps)
2255 				message("220 2.0.0 Ready to start TLS");
2256 # if PIPELINING
2257 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
2258 # endif
2259 
2260 			SSL_set_accept_state(srv_ssl);
2261 
2262 			tlsstart = curtime();
2263 
2264 			ssl_err = SSL_ERROR_WANT_READ;
2265 			save_errno = 0;
2266 			do
2267 			{
2268 				tlsret = tls_retry(srv_ssl, rfd, wfd, tlsstart,
2269 						TimeOuts.to_starttls, ssl_err,
2270 						"server");
2271 				if (tlsret <= 0)
2272 				{
2273 					if (LogLevel > 5)
2274 					{
2275 						unsigned long l;
2276 						const char *sr;
2277 
2278 						l = ERR_peek_error();
2279 						sr = ERR_reason_error_string(l);
2280 
2281 						sm_syslog(LOG_WARNING, NOQID,
2282 							  "STARTTLS=server, error: accept failed=%d, reason=%s, SSL_error=%d, errno=%d, retry=%d, relay=%.100s",
2283 							  r, sr == NULL ? "unknown"
2284 									: sr,
2285 							  ssl_err, save_errno,
2286 							  tlsret, CurSmtpClient);
2287 						tlslogerr(LOG_WARNING, 9, "server");
2288 					}
2289 					tls_ok_srv = false;
2290 					SM_SSL_FREE(srv_ssl);
2291 
2292 					/*
2293 					**  according to the next draft of
2294 					**  RFC 2487 the connection should
2295 					**  be dropped
2296 					**
2297 					**  arrange to ignore any current
2298 					**  send list
2299 					*/
2300 
2301 					e->e_sendqueue = NULL;
2302 					goto doquit;
2303 				}
2304 
2305 				r = SSL_accept(srv_ssl);
2306 				save_errno = 0;
2307 				if (r <= 0)
2308 					ssl_err = SSL_get_error(srv_ssl, r);
2309 			} while (r <= 0);
2310 
2311 			/* ignore return code for now, it's in {verify} */
2312 			(void) tls_get_info(srv_ssl, true,
2313 					    CurSmtpClient,
2314 					    &BlankEnvelope.e_macro,
2315 					    bitset(SRV_VRFY_CLT, features));
2316 
2317 			/*
2318 			**  call Stls_client to find out whether
2319 			**  to accept the connection from the client
2320 			*/
2321 
2322 			saveQuickAbort = QuickAbort;
2323 			saveSuprErrs = SuprErrs;
2324 			SuprErrs = true;
2325 			QuickAbort = false;
2326 			if (rscheck("tls_client",
2327 				     macvalue(macid("{verify}"), e),
2328 				     "STARTTLS", e,
2329 				     RSF_RMCOMM|RSF_COUNT,
2330 				     5, NULL, NOQID, NULL, NULL) != EX_OK ||
2331 			    Errors > 0)
2332 			{
2333 				extern char MsgBuf[];
2334 
2335 				if (MsgBuf[0] != '\0' && ISSMTPREPLY(MsgBuf))
2336 					nullserver = newstr(MsgBuf);
2337 				else
2338 					nullserver = "503 5.7.0 Authentication required.";
2339 			}
2340 			QuickAbort = saveQuickAbort;
2341 			SuprErrs = saveSuprErrs;
2342 
2343 			tls_ok_srv = false;	/* don't offer STARTTLS again */
2344 			n_helo = 0;
2345 # if SASL
2346 			if (sasl_ok)
2347 			{
2348 				int cipher_bits;
2349 				bool verified;
2350 				char *s, *v, *c;
2351 
2352 				s = macvalue(macid("{cipher_bits}"), e);
2353 				v = macvalue(macid("{verify}"), e);
2354 				c = macvalue(macid("{cert_subject}"), e);
2355 				verified = (v != NULL && strcmp(v, "OK") == 0);
2356 				if (s != NULL && (cipher_bits = atoi(s)) > 0)
2357 				{
2358 #  if SASL >= 20000
2359 					ext_ssf = cipher_bits;
2360 					auth_id = verified ? c : NULL;
2361 					sasl_ok = ((sasl_setprop(conn,
2362 							SASL_SSF_EXTERNAL,
2363 							&ext_ssf) == SASL_OK) &&
2364 						   (sasl_setprop(conn,
2365 							SASL_AUTH_EXTERNAL,
2366 							auth_id) == SASL_OK));
2367 #  else /* SASL >= 20000 */
2368 					ext_ssf.ssf = cipher_bits;
2369 					ext_ssf.auth_id = verified ? c : NULL;
2370 					sasl_ok = sasl_setprop(conn,
2371 							SASL_SSF_EXTERNAL,
2372 							&ext_ssf) == SASL_OK;
2373 #  endif /* SASL >= 20000 */
2374 					mechlist = NULL;
2375 					if (sasl_ok)
2376 						n_mechs = saslmechs(conn,
2377 								    &mechlist);
2378 				}
2379 			}
2380 # endif /* SASL */
2381 
2382 			/* switch to secure connection */
2383 			if (sfdctls(&InChannel, &OutChannel, srv_ssl) == 0)
2384 			{
2385 				tls_active = true;
2386 # if PIPELINING
2387 				(void) sm_io_autoflush(InChannel, OutChannel);
2388 # endif
2389 			}
2390 			else
2391 			{
2392 				/*
2393 				**  XXX this is an internal error
2394 				**  how to deal with it?
2395 				**  we can't generate an error message
2396 				**  since the other side switched to an
2397 				**  encrypted layer, but we could not...
2398 				**  just "hang up"?
2399 				*/
2400 
2401 				nullserver = "454 4.3.3 TLS not available: can't switch to encrypted layer";
2402 				syserr("STARTTLS: can't switch to encrypted layer");
2403 			}
2404 		  tls_done:
2405 			if (smtps)
2406 			{
2407 				if (tls_active)
2408 					goto greeting;
2409 				else
2410 					goto doquit;
2411 			}
2412 			break;
2413 #endif /* STARTTLS */
2414 
2415 		  case CMDHELO:		/* hello -- introduce yourself */
2416 		  case CMDEHLO:		/* extended hello */
2417 			DELAY_CONN("EHLO");
2418 			if (c->cmd_code == CMDEHLO)
2419 			{
2420 				protocol = GET_PROTOCOL();
2421 				SmtpPhase = "server EHLO";
2422 			}
2423 			else
2424 			{
2425 				protocol = "SMTP";
2426 				SmtpPhase = "server HELO";
2427 			}
2428 
2429 			/* avoid denial-of-service */
2430 			STOP_IF_ATTACK(checksmtpattack(&n_helo, MAXHELOCOMMANDS,
2431 							true, "HELO/EHLO", e));
2432 
2433 #if 0
2434 			/* RFC2821 4.1.4 allows duplicate HELO/EHLO */
2435 			/* check for duplicate HELO/EHLO per RFC 1651 4.2 */
2436 			if (gothello)
2437 			{
2438 				usrerr("503 %s Duplicate HELO/EHLO",
2439 				       MyHostName);
2440 				break;
2441 			}
2442 #endif /* 0 */
2443 
2444 			/* check for valid domain name (re 1123 5.2.5) */
2445 			if (*p == '\0' && !AllowBogusHELO)
2446 			{
2447 				usrerr("501 %s requires domain address",
2448 					cmdbuf);
2449 				break;
2450 			}
2451 
2452 			/* check for long domain name (hides Received: info) */
2453 			if (strlen(p) > MAXNAME)
2454 			{
2455 				usrerr("501 Invalid domain name");
2456 				if (LogLevel > 9)
2457 					sm_syslog(LOG_INFO, CurEnv->e_id,
2458 						  "invalid domain name (too long) from %s",
2459 						  CurSmtpClient);
2460 				break;
2461 			}
2462 
2463 			ok = true;
2464 			for (q = p; *q != '\0'; q++)
2465 			{
2466 				if (!isascii(*q))
2467 					break;
2468 				if (isalnum(*q))
2469 					continue;
2470 				if (isspace(*q))
2471 				{
2472 					*q = '\0';
2473 
2474 					/* only complain if strict check */
2475 					ok = AllowBogusHELO;
2476 
2477 					/* allow trailing whitespace */
2478 					while (!ok && *++q != '\0' &&
2479 					       isspace(*q))
2480 						;
2481 					if (*q == '\0')
2482 						ok = true;
2483 					break;
2484 				}
2485 				if (strchr("[].-_#:", *q) == NULL)
2486 					break;
2487 			}
2488 
2489 			if (*q == '\0' && ok)
2490 			{
2491 				q = "pleased to meet you";
2492 				sendinghost = sm_strdup_x(p);
2493 			}
2494 			else if (!AllowBogusHELO)
2495 			{
2496 				usrerr("501 Invalid domain name");
2497 				if (LogLevel > 9)
2498 					sm_syslog(LOG_INFO, CurEnv->e_id,
2499 						  "invalid domain name (%s) from %.100s",
2500 						  p, CurSmtpClient);
2501 				break;
2502 			}
2503 			else
2504 			{
2505 				q = "accepting invalid domain name";
2506 			}
2507 
2508 			if (gothello || smtp.sm_gotmail)
2509 				CLEAR_STATE(cmdbuf);
2510 
2511 #if MILTER
2512 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2513 			    !bitset(EF_DISCARD, e->e_flags))
2514 			{
2515 				char state;
2516 				char *response;
2517 
2518 				response = milter_helo(p, e, &state);
2519 				switch (state)
2520 				{
2521 				  case SMFIR_REJECT:
2522 					if (MilterLogLevel > 3)
2523 						sm_syslog(LOG_INFO, e->e_id,
2524 							  "Milter: helo=%s, reject=Command rejected",
2525 							  p);
2526 					nullserver = "Command rejected";
2527 					smtp.sm_milterize = false;
2528 					break;
2529 
2530 				  case SMFIR_TEMPFAIL:
2531 					if (MilterLogLevel > 3)
2532 						sm_syslog(LOG_INFO, e->e_id,
2533 							  "Milter: helo=%s, reject=%s",
2534 							  p, MSG_TEMPFAIL);
2535 					tempfail = true;
2536 					smtp.sm_milterize = false;
2537 					break;
2538 
2539 				  case SMFIR_REPLYCODE:
2540 					if (MilterLogLevel > 3)
2541 						sm_syslog(LOG_INFO, e->e_id,
2542 							  "Milter: helo=%s, reject=%s",
2543 							  p, response);
2544 					if (strncmp(response, "421 ", 4) != 0
2545 					    && strncmp(response, "421-", 4) != 0)
2546 					{
2547 						nullserver = newstr(response);
2548 						smtp.sm_milterize = false;
2549 						break;
2550 					}
2551 					/* FALLTHROUGH */
2552 
2553 				  case SMFIR_SHUTDOWN:
2554 					if (MilterLogLevel > 3 &&
2555 					    response == NULL)
2556 						sm_syslog(LOG_INFO, e->e_id,
2557 							  "Milter: helo=%s, reject=421 4.7.0 %s closing connection",
2558 							  p, MyHostName);
2559 					tempfail = true;
2560 					smtp.sm_milterize = false;
2561 					if (response != NULL)
2562 					{
2563 						/* Can't use ("%s", ...) due to usrerr() requirements */
2564 						usrerr(response);
2565 					}
2566 					else
2567 					{
2568 						message("421 4.7.0 %s closing connection",
2569 							MyHostName);
2570 					}
2571 					/* arrange to ignore send list */
2572 					e->e_sendqueue = NULL;
2573 					lognullconnection = false;
2574 					goto doquit;
2575 				}
2576 				if (response != NULL)
2577 					sm_free(response);
2578 
2579 				/*
2580 				**  If quarantining by a connect/ehlo action,
2581 				**  save between messages
2582 				*/
2583 
2584 				if (smtp.sm_quarmsg == NULL &&
2585 				    e->e_quarmsg != NULL)
2586 					smtp.sm_quarmsg = newstr(e->e_quarmsg);
2587 			}
2588 #endif /* MILTER */
2589 			gothello = true;
2590 
2591 			/* print HELO response message */
2592 			if (c->cmd_code != CMDEHLO)
2593 			{
2594 				message("250 %s Hello %s, %s",
2595 					MyHostName, CurSmtpClient, q);
2596 				break;
2597 			}
2598 
2599 			message("250-%s Hello %s, %s",
2600 				MyHostName, CurSmtpClient, q);
2601 
2602 			/* offer ENHSC even for nullserver */
2603 			if (nullserver != NULL)
2604 			{
2605 				message("250 ENHANCEDSTATUSCODES");
2606 				break;
2607 			}
2608 
2609 			/*
2610 			**  print EHLO features list
2611 			**
2612 			**  Note: If you change this list,
2613 			**	  remember to update 'helpfile'
2614 			*/
2615 
2616 			message("250-ENHANCEDSTATUSCODES");
2617 #if PIPELINING
2618 			if (bitset(SRV_OFFER_PIPE, features))
2619 				message("250-PIPELINING");
2620 #endif
2621 			if (bitset(SRV_OFFER_EXPN, features))
2622 			{
2623 				message("250-EXPN");
2624 				if (bitset(SRV_OFFER_VERB, features))
2625 					message("250-VERB");
2626 			}
2627 #if MIME8TO7
2628 			message("250-8BITMIME");
2629 #endif
2630 			if (MaxMessageSize > 0)
2631 				message("250-SIZE %ld", MaxMessageSize);
2632 			else
2633 				message("250-SIZE");
2634 #if DSN
2635 			if (SendMIMEErrors && bitset(SRV_OFFER_DSN, features))
2636 				message("250-DSN");
2637 #endif
2638 #if _FFR_EAI
2639 			if (bitset(SRV_OFFER_EAI, features))
2640 				message("250-SMTPUTF8");
2641 #endif /* _FFR_EAI */
2642 			if (bitset(SRV_OFFER_ETRN, features))
2643 				message("250-ETRN");
2644 #if SASL
2645 			if (sasl_ok && mechlist != NULL && *mechlist != '\0')
2646 				message("250-AUTH %s", mechlist);
2647 #endif
2648 #if STARTTLS
2649 			if (tls_ok_srv && bitset(SRV_OFFER_TLS, features))
2650 				message("250-STARTTLS");
2651 #endif
2652 			if (DeliverByMin > 0)
2653 				message("250-DELIVERBY %ld",
2654 					(long) DeliverByMin);
2655 			else if (DeliverByMin == 0)
2656 				message("250-DELIVERBY");
2657 
2658 			/* < 0: no deliver-by */
2659 
2660 			message("250 HELP");
2661 			break;
2662 
2663 		  case CMDMAIL:		/* mail -- designate sender */
2664 			SmtpPhase = "server MAIL";
2665 			DELAY_CONN("MAIL");
2666 
2667 			/* check for validity of this command */
2668 			if (!gothello && bitset(PRIV_NEEDMAILHELO, PrivacyFlags))
2669 			{
2670 				usrerr("503 5.0.0 Polite people say HELO first");
2671 				break;
2672 			}
2673 			if (smtp.sm_gotmail)
2674 			{
2675 				usrerr("503 5.5.0 Sender already specified");
2676 				break;
2677 			}
2678 #if SASL
2679 			if (bitset(SRV_REQ_AUTH, features) &&
2680 			    authenticating != SASL_IS_AUTH)
2681 			{
2682 				usrerr("530 5.7.0 Authentication required");
2683 				break;
2684 			}
2685 #endif /* SASL */
2686 
2687 			p = skipword(p, "from");
2688 			if (p == NULL)
2689 				break;
2690 			if (tempfail)
2691 			{
2692 				if (LogLevel > 9)
2693 					sm_syslog(LOG_INFO, e->e_id,
2694 						  "SMTP MAIL command (%.100s) from %s tempfailed (due to previous checks)",
2695 						  p, CurSmtpClient);
2696 				/* Can't use ("%s", ...) due to usrerr() requirements */
2697 				usrerr(MSG_TEMPFAIL);
2698 				break;
2699 			}
2700 
2701 			/* make sure we know who the sending host is */
2702 			if (sendinghost == NULL)
2703 				sendinghost = peerhostname;
2704 
2705 
2706 #if SM_HEAP_CHECK
2707 			if (sm_debug_active(&DebugLeakSmtp, 1))
2708 			{
2709 				sm_heap_newgroup();
2710 				sm_dprintf("smtp() heap group #%d\n",
2711 					sm_heap_group());
2712 			}
2713 #endif /* SM_HEAP_CHECK */
2714 
2715 			if (Errors > 0)
2716 				goto undo_no_pm;
2717 			if (!gothello)
2718 			{
2719 				auth_warning(e, "%s didn't use HELO protocol",
2720 					     CurSmtpClient);
2721 			}
2722 #ifdef PICKY_HELO_CHECK
2723 			if (sm_strcasecmp(sendinghost, peerhostname) != 0 &&
2724 			    (sm_strcasecmp(peerhostname, "localhost") != 0 ||
2725 			     sm_strcasecmp(sendinghost, MyHostName) != 0))
2726 			{
2727 				auth_warning(e, "Host %s claimed to be %s",
2728 					     CurSmtpClient, sendinghost);
2729 			}
2730 #endif /* PICKY_HELO_CHECK */
2731 
2732 			if (protocol == NULL)
2733 				protocol = "SMTP";
2734 			macdefine(&e->e_macro, A_PERM, 'r', protocol);
2735 			macdefine(&e->e_macro, A_PERM, 's', sendinghost);
2736 
2737 			if (Errors > 0)
2738 				goto undo_no_pm;
2739 			smtp.sm_nrcpts = 0;
2740 			n_badrcpts = 0;
2741 			macdefine(&e->e_macro, A_PERM, macid("{ntries}"), "0");
2742 			macdefine(&e->e_macro, A_PERM, macid("{nrcpts}"), "0");
2743 			macdefine(&e->e_macro, A_PERM, macid("{nbadrcpts}"),
2744 				"0");
2745 			e->e_flags |= EF_CLRQUEUE;
2746 			sm_setproctitle(true, e, "%s %s: %.80s",
2747 					qid_printname(e),
2748 					CurSmtpClient, inp);
2749 
2750 			/* do the processing */
2751 		    SM_TRY
2752 		    {
2753 			extern char *FullName;
2754 
2755 			QuickAbort = true;
2756 			SM_FREE(FullName);
2757 
2758 			/* must parse sender first */
2759 			delimptr = NULL;
2760 			setsender(p, e, &delimptr, ' ', false);
2761 			if (delimptr != NULL && *delimptr != '\0')
2762 				*delimptr++ = '\0';
2763 			if (Errors > 0)
2764 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2765 
2766 			/* Successfully set e_from, allow logging */
2767 			e->e_flags |= EF_LOGSENDER;
2768 
2769 			/* put resulting triple from parseaddr() into macros */
2770 			if (e->e_from.q_mailer != NULL)
2771 				 macdefine(&e->e_macro, A_PERM,
2772 					macid("{mail_mailer}"),
2773 					e->e_from.q_mailer->m_name);
2774 			else
2775 				 macdefine(&e->e_macro, A_PERM,
2776 					macid("{mail_mailer}"), NULL);
2777 			if (e->e_from.q_host != NULL)
2778 				macdefine(&e->e_macro, A_PERM,
2779 					macid("{mail_host}"),
2780 					e->e_from.q_host);
2781 			else
2782 				macdefine(&e->e_macro, A_PERM,
2783 					macid("{mail_host}"), "localhost");
2784 			if (e->e_from.q_user != NULL)
2785 				macdefine(&e->e_macro, A_PERM,
2786 					macid("{mail_addr}"),
2787 					e->e_from.q_user);
2788 			else
2789 				macdefine(&e->e_macro, A_PERM,
2790 					macid("{mail_addr}"), NULL);
2791 			if (Errors > 0)
2792 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2793 
2794 			/* check for possible spoofing */
2795 			if (RealUid != 0 && OpMode == MD_SMTP &&
2796 			    !wordinclass(RealUserName, 't') &&
2797 			    (!bitnset(M_LOCALMAILER,
2798 				      e->e_from.q_mailer->m_flags) ||
2799 			     strcmp(e->e_from.q_user, RealUserName) != 0))
2800 			{
2801 				auth_warning(e, "%s owned process doing -bs",
2802 					RealUserName);
2803 			}
2804 
2805 			/* reset to default value */
2806 			SevenBitInput = SevenBitInput_Saved;
2807 
2808 			/* now parse ESMTP arguments */
2809 			e->e_msgsize = 0;
2810 			addr = p;
2811 			parse_esmtp_args(e, NULL, p, delimptr, "MAIL", args,
2812 					mail_esmtp_args);
2813 			if (Errors > 0)
2814 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2815 
2816 #if _FFR_EAI
2817 			if (e->e_smtputf8)
2818 			{
2819 				protocol = GET_PROTOCOL();
2820 				macdefine(&e->e_macro, A_PERM, 'r', protocol);
2821 			}
2822 
2823 			/* UTF8 addresses are only legal with SMTPUTF8 */
2824 			if (!e->e_smtputf8 && !addr_is_ascii(e->e_from.q_paddr))
2825 			{
2826 				usrerr("553 5.6.7 That address requires SMTPUTF8");
2827 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2828 			}
2829 #endif
2830 
2831 #if SASL
2832 # if _FFR_AUTH_PASSING
2833 			/* set the default AUTH= if the sender didn't */
2834 			if (e->e_auth_param == NULL)
2835 			{
2836 				/* XXX only do this for an MSA? */
2837 				e->e_auth_param = macvalue(macid("{auth_authen}"),
2838 							   e);
2839 				if (e->e_auth_param == NULL)
2840 					e->e_auth_param = "<>";
2841 
2842 				/*
2843 				**  XXX should we invoke Strust_auth now?
2844 				**  authorizing as the client that just
2845 				**  authenticated, so we'll trust implicitly
2846 				*/
2847 			}
2848 # endif /* _FFR_AUTH_PASSING */
2849 #endif /* SASL */
2850 
2851 			/* do config file checking of the sender */
2852 			macdefine(&e->e_macro, A_PERM,
2853 				macid("{addr_type}"), "e s");
2854 #if _FFR_MAIL_MACRO
2855 			/* make the "real" sender address available */
2856 			macdefine(&e->e_macro, A_TEMP, macid("{mail_from}"),
2857 				  e->e_from.q_paddr);
2858 #endif
2859 			if (rscheck("check_mail", addr,
2860 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
2861 				    NULL, e->e_id, NULL, NULL) != EX_OK ||
2862 			    Errors > 0)
2863 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2864 			macdefine(&e->e_macro, A_PERM,
2865 				  macid("{addr_type}"), NULL);
2866 
2867 			if (MaxMessageSize > 0 &&
2868 			    (e->e_msgsize > MaxMessageSize ||
2869 			     e->e_msgsize < 0))
2870 			{
2871 				usrerr("552 5.2.3 Message size exceeds fixed maximum message size (%ld)",
2872 					MaxMessageSize);
2873 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2874 			}
2875 
2876 			/*
2877 			**  XXX always check whether there is at least one fs
2878 			**  with enough space?
2879 			**  However, this may not help much: the queue group
2880 			**  selection may later on select a FS that hasn't
2881 			**  enough space.
2882 			*/
2883 
2884 			if ((NumFileSys == 1 || NumQueue == 1) &&
2885 			    !enoughdiskspace(e->e_msgsize, e)
2886 #if _FFR_ANY_FREE_FS
2887 			    && !filesys_free(e->e_msgsize)
2888 #endif
2889 			   )
2890 			{
2891 				/*
2892 				**  We perform this test again when the
2893 				**  queue directory is selected, in collect.
2894 				*/
2895 
2896 				usrerr("452 4.4.5 Insufficient disk space; try again later");
2897 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2898 			}
2899 			if (Errors > 0)
2900 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2901 
2902 			LogUsrErrs = true;
2903 #if MILTER
2904 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2905 			    !bitset(EF_DISCARD, e->e_flags))
2906 			{
2907 				char state;
2908 				char *response;
2909 
2910 				response = milter_envfrom(args, e, &state);
2911 				MILTER_REPLY("from");
2912 			}
2913 #endif /* MILTER */
2914 			if (Errors > 0)
2915 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2916 
2917 			message("250 2.1.0 Sender ok");
2918 			smtp.sm_gotmail = true;
2919 		    }
2920 		    SM_EXCEPT(exc, "[!F]*")
2921 		    {
2922 			/*
2923 			**  An error occurred while processing a MAIL command.
2924 			**  Jump to the common error handling code.
2925 			*/
2926 
2927 			sm_exc_free(exc);
2928 			goto undo_no_pm;
2929 		    }
2930 		    SM_END_TRY
2931 			break;
2932 
2933 		  undo_no_pm:
2934 			e->e_flags &= ~EF_PM_NOTIFY;
2935 		  undo:
2936 			break;
2937 
2938 		  case CMDRCPT:		/* rcpt -- designate recipient */
2939 			DELAY_CONN("RCPT");
2940 			macdefine(&e->e_macro, A_PERM,
2941 				macid("{rcpt_mailer}"), NULL);
2942 			macdefine(&e->e_macro, A_PERM,
2943 				macid("{rcpt_host}"), NULL);
2944 			macdefine(&e->e_macro, A_PERM,
2945 				macid("{rcpt_addr}"), NULL);
2946 #if MILTER
2947 			(void) memset(&addr_st, '\0', sizeof(addr_st));
2948 			a = NULL;
2949 			milter_rcpt_added = false;
2950 			smtp.sm_e_nrcpts_orig = e->e_nrcpts;
2951 #endif
2952 #if _FFR_BADRCPT_SHUTDOWN
2953 			/*
2954 			**  hack to deal with hack, see below:
2955 			**  n_badrcpts is increased if limit is reached.
2956 			*/
2957 
2958 			n_badrcpts_adj = (BadRcptThrottle > 0 &&
2959 					  n_badrcpts > BadRcptThrottle &&
2960 					  LogLevel > 5)
2961 					  ? n_badrcpts - 1 : n_badrcpts;
2962 			if (BadRcptShutdown > 0 &&
2963 			    n_badrcpts_adj >= BadRcptShutdown &&
2964 			    (BadRcptShutdownGood == 0 ||
2965 			     smtp.sm_nrcpts == 0 ||
2966 			     (n_badrcpts_adj * 100 /
2967 			      (smtp.sm_nrcpts + n_badrcpts) >=
2968 			      BadRcptShutdownGood)))
2969 			{
2970 				if (LogLevel > 5)
2971 					sm_syslog(LOG_INFO, e->e_id,
2972 						  "%s: Possible SMTP RCPT flood, shutting down connection.",
2973 						  CurSmtpClient);
2974 				message("421 4.7.0 %s Too many bad recipients; closing connection",
2975 				MyHostName);
2976 
2977 				/* arrange to ignore any current send list */
2978 				e->e_sendqueue = NULL;
2979 				goto doquit;
2980 			}
2981 #endif /* _FFR_BADRCPT_SHUTDOWN */
2982 			if (BadRcptThrottle > 0 &&
2983 			    n_badrcpts >= BadRcptThrottle)
2984 			{
2985 				if (LogLevel > 5 &&
2986 				    n_badrcpts == BadRcptThrottle)
2987 				{
2988 					sm_syslog(LOG_INFO, e->e_id,
2989 						  "%s: Possible SMTP RCPT flood, throttling.",
2990 						  CurSmtpClient);
2991 
2992 					/* To avoid duplicated message */
2993 					n_badrcpts++;
2994 				}
2995 				NBADRCPTS;
2996 
2997 				/*
2998 				**  Don't use exponential backoff for now.
2999 				**  Some systems will open more connections
3000 				**  and actually overload the receiver even
3001 				**  more.
3002 				*/
3003 
3004 				(void) sleep(BadRcptThrottleDelay);
3005 			}
3006 			if (!smtp.sm_gotmail)
3007 			{
3008 				usrerr("503 5.0.0 Need MAIL before RCPT");
3009 				break;
3010 			}
3011 			SmtpPhase = "server RCPT";
3012 		    SM_TRY
3013 		    {
3014 			QuickAbort = true;
3015 			LogUsrErrs = true;
3016 
3017 			/* limit flooding of our machine */
3018 			if (MaxRcptPerMsg > 0 &&
3019 			    smtp.sm_nrcpts >= MaxRcptPerMsg)
3020 			{
3021 				/* sleep(1); / * slow down? */
3022 				usrerr("452 4.5.3 Too many recipients");
3023 				goto rcpt_done;
3024 			}
3025 
3026 			if (!SM_IS_INTERACTIVE(e->e_sendmode)
3027 #if _FFR_DM_ONE
3028 			    && (NotFirstDelivery || SM_DM_ONE != e->e_sendmode)
3029 #endif
3030 			   )
3031 				e->e_flags |= EF_VRFYONLY;
3032 
3033 #if MILTER
3034 			/*
3035 			**  Do not expand recipients at RCPT time (in the call
3036 			**  to recipient()) if a milter can delete or reject
3037 			**  a RCPT.  If they are expanded, it is impossible
3038 			**  for removefromlist() to figure out the expanded
3039 			**  members of the original recipient and mark them
3040 			**  as QS_DONTSEND.
3041 			*/
3042 
3043 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3044 			      !bitset(EF_DISCARD, e->e_flags) &&
3045 			    (smtp.sm_milters.mis_flags &
3046 			     (MIS_FL_DEL_RCPT|MIS_FL_REJ_RCPT)) != 0)
3047 				e->e_flags |= EF_VRFYONLY;
3048 			milter_cmd_done = false;
3049 			milter_cmd_safe = false;
3050 #endif /* MILTER */
3051 
3052 			p = skipword(p, "to");
3053 			if (p == NULL)
3054 				goto rcpt_done;
3055 			macdefine(&e->e_macro, A_PERM,
3056 				macid("{addr_type}"), "e r");
3057 			a = parseaddr(p, NULLADDR, RF_COPYALL, ' ', &delimptr,
3058 				      e, true);
3059 			macdefine(&e->e_macro, A_PERM,
3060 				macid("{addr_type}"), NULL);
3061 			if (Errors > 0)
3062 				goto rcpt_done;
3063 			if (a == NULL)
3064 			{
3065 				usrerr("501 5.0.0 Missing recipient");
3066 				goto rcpt_done;
3067 			}
3068 #if _FFR_EAI
3069 			if (!e->e_smtputf8 && !addr_is_ascii(a->q_paddr))
3070 			{
3071 				usrerr("553 5.6.7 Address requires SMTPUTF8");
3072 				goto rcpt_done;
3073 			}
3074 #endif
3075 
3076 			if (delimptr != NULL && *delimptr != '\0')
3077 				*delimptr++ = '\0';
3078 
3079 			/* put resulting triple from parseaddr() into macros */
3080 			if (a->q_mailer != NULL)
3081 				macdefine(&e->e_macro, A_PERM,
3082 					macid("{rcpt_mailer}"),
3083 					a->q_mailer->m_name);
3084 			else
3085 				macdefine(&e->e_macro, A_PERM,
3086 					macid("{rcpt_mailer}"), NULL);
3087 			if (a->q_host != NULL)
3088 				macdefine(&e->e_macro, A_PERM,
3089 					macid("{rcpt_host}"), a->q_host);
3090 			else
3091 				macdefine(&e->e_macro, A_PERM,
3092 					macid("{rcpt_host}"), "localhost");
3093 			if (a->q_user != NULL)
3094 				macdefine(&e->e_macro, A_PERM,
3095 					macid("{rcpt_addr}"), a->q_user);
3096 			else
3097 				macdefine(&e->e_macro, A_PERM,
3098 					macid("{rcpt_addr}"), NULL);
3099 			if (Errors > 0)
3100 				goto rcpt_done;
3101 
3102 			/* now parse ESMTP arguments */
3103 			addr = p;
3104 			parse_esmtp_args(e, a, p, delimptr, "RCPT", args,
3105 					rcpt_esmtp_args);
3106 			if (Errors > 0)
3107 				goto rcpt_done;
3108 
3109 #if MILTER
3110 			/*
3111 			**  rscheck() can trigger an "exception"
3112 			**  in which case the execution continues at
3113 			**  SM_EXCEPT(exc, "[!F]*")
3114 			**  This means milter_cmd_safe is not set
3115 			**  and hence milter is not invoked.
3116 			**  Would it be "safe" to change that, i.e., use
3117 			**  milter_cmd_safe = true;
3118 			**  here so a milter is informed (if requested)
3119 			**  about RCPTs that are rejected by check_rcpt?
3120 			*/
3121 # if _FFR_MILTER_CHECK_REJECTIONS_TOO
3122 			milter_cmd_safe = true;
3123 # endif
3124 #endif
3125 
3126 			/* do config file checking of the recipient */
3127 			macdefine(&e->e_macro, A_PERM,
3128 				macid("{addr_type}"), "e r");
3129 			if (rscheck("check_rcpt", addr,
3130 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
3131 				    NULL, e->e_id, p_addr_st, NULL) != EX_OK ||
3132 			    Errors > 0)
3133 				goto rcpt_done;
3134 			macdefine(&e->e_macro, A_PERM,
3135 				macid("{addr_type}"), NULL);
3136 
3137 			/* If discarding, don't bother to verify user */
3138 			if (bitset(EF_DISCARD, e->e_flags))
3139 				a->q_state = QS_VERIFIED;
3140 #if MILTER
3141 			milter_cmd_safe = true;
3142 #endif
3143 
3144 			addbcc(a, e);
3145 			rcptmods(a, e);
3146 
3147 			/* save in recipient list after ESMTP mods */
3148 			a = recipient(a, &e->e_sendqueue, 0, e);
3149 			/* may trigger exception... */
3150 
3151 #if MILTER
3152 			milter_rcpt_added = true;
3153 #endif
3154 
3155 			if(!(Errors > 0) && QS_IS_BADADDR(a->q_state))
3156 			{
3157 				/* punt -- should keep message in ADDRESS.... */
3158 				usrerr("550 5.1.1 Addressee unknown");
3159 			}
3160 
3161 #if MILTER
3162 		rcpt_done:
3163 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3164 			    !bitset(EF_DISCARD, e->e_flags))
3165 			{
3166 				char state;
3167 				char *response;
3168 
3169 				/* how to get the error codes? */
3170 				if (Errors > 0)
3171 				{
3172 					macdefine(&e->e_macro, A_PERM,
3173 						macid("{rcpt_mailer}"),
3174 						"error");
3175 					if (a != NULL &&
3176 					    a->q_status != NULL &&
3177 					    a->q_rstatus != NULL)
3178 					{
3179 						macdefine(&e->e_macro, A_PERM,
3180 							macid("{rcpt_host}"),
3181 							a->q_status);
3182 						macdefine(&e->e_macro, A_PERM,
3183 							macid("{rcpt_addr}"),
3184 							a->q_rstatus);
3185 					}
3186 					else
3187 					{
3188 						if (addr_st.q_host != NULL)
3189 							macdefine(&e->e_macro,
3190 								A_PERM,
3191 								macid("{rcpt_host}"),
3192 								addr_st.q_host);
3193 						if (addr_st.q_user != NULL)
3194 							macdefine(&e->e_macro,
3195 								A_PERM,
3196 								macid("{rcpt_addr}"),
3197 								addr_st.q_user);
3198 					}
3199 				}
3200 
3201 				response = milter_envrcpt(args, e, &state,
3202 							Errors > 0);
3203 				milter_cmd_done = true;
3204 				MILTER_REPLY("to");
3205 			}
3206 #endif /* MILTER */
3207 
3208 			/* no errors during parsing, but might be a duplicate */
3209 			e->e_to = a->q_paddr;
3210 			if (!(Errors > 0) && !QS_IS_BADADDR(a->q_state))
3211 			{
3212 				if (smtp.sm_nrcpts == 0)
3213 					initsys(e);
3214 				message("250 2.1.5 Recipient ok%s",
3215 					QS_IS_QUEUEUP(a->q_state) ?
3216 						" (will queue)" : "");
3217 				smtp.sm_nrcpts++;
3218 			}
3219 
3220 			/* Is this needed? */
3221 #if !MILTER
3222 		rcpt_done:
3223 #endif
3224 
3225 			macdefine(&e->e_macro, A_PERM,
3226 				macid("{rcpt_mailer}"), NULL);
3227 			macdefine(&e->e_macro, A_PERM,
3228 				macid("{rcpt_host}"), NULL);
3229 			macdefine(&e->e_macro, A_PERM,
3230 				macid("{rcpt_addr}"), NULL);
3231 			macdefine(&e->e_macro, A_PERM,
3232 				macid("{dsn_notify}"), NULL);
3233 
3234 			if (Errors > 0)
3235 			{
3236 				++n_badrcpts;
3237 				NBADRCPTS;
3238 			}
3239 		    }
3240 		    SM_EXCEPT(exc, "[!F]*")
3241 		    {
3242 			/* An exception occurred while processing RCPT */
3243 			e->e_flags &= ~(EF_FATALERRS|EF_PM_NOTIFY);
3244 			++n_badrcpts;
3245 			NBADRCPTS;
3246 #if MILTER
3247 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3248 			    !bitset(EF_DISCARD, e->e_flags) &&
3249 			    !milter_cmd_done && milter_cmd_safe)
3250 			{
3251 				char state;
3252 				char *response;
3253 
3254 				macdefine(&e->e_macro, A_PERM,
3255 					macid("{rcpt_mailer}"), "error");
3256 
3257 				/* how to get the error codes? */
3258 				if (addr_st.q_host != NULL)
3259 					macdefine(&e->e_macro, A_PERM,
3260 						macid("{rcpt_host}"),
3261 						addr_st.q_host);
3262 				else if (a != NULL && a->q_status != NULL)
3263 					macdefine(&e->e_macro, A_PERM,
3264 						macid("{rcpt_host}"),
3265 						a->q_status);
3266 
3267 				if (addr_st.q_user != NULL)
3268 					macdefine(&e->e_macro, A_PERM,
3269 						macid("{rcpt_addr}"),
3270 						addr_st.q_user);
3271 				else if (a != NULL && a->q_rstatus != NULL)
3272 					macdefine(&e->e_macro, A_PERM,
3273 						macid("{rcpt_addr}"),
3274 						a->q_rstatus);
3275 
3276 				response = milter_envrcpt(args, e, &state,
3277 							true);
3278 				milter_cmd_done = true;
3279 				MILTER_REPLY("to");
3280 				macdefine(&e->e_macro, A_PERM,
3281 					macid("{rcpt_mailer}"), NULL);
3282 				macdefine(&e->e_macro, A_PERM,
3283 					macid("{rcpt_host}"), NULL);
3284 				macdefine(&e->e_macro, A_PERM,
3285 					macid("{rcpt_addr}"), NULL);
3286 			}
3287 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3288 			    milter_rcpt_added && milter_cmd_done &&
3289 			    milter_cmd_fail)
3290 			{
3291 				(void) removefromlist(addr, &e->e_sendqueue, e);
3292 				milter_cmd_fail = false;
3293 				if (smtp.sm_e_nrcpts_orig < e->e_nrcpts)
3294 					e->e_nrcpts = smtp.sm_e_nrcpts_orig;
3295 			}
3296 #endif /* MILTER */
3297 		    }
3298 		    SM_END_TRY
3299 			break;
3300 
3301 		  case CMDDATA:		/* data -- text of mail */
3302 			DELAY_CONN("DATA");
3303 			if (!smtp_data(&smtp, e))
3304 				goto doquit;
3305 			break;
3306 
3307 		  case CMDRSET:		/* rset -- reset state */
3308 			if (tTd(94, 100))
3309 				message("451 4.0.0 Test failure");
3310 			else
3311 				message("250 2.0.0 Reset state");
3312 			CLEAR_STATE(cmdbuf);
3313 			break;
3314 
3315 		  case CMDVRFY:		/* vrfy -- verify address */
3316 		  case CMDEXPN:		/* expn -- expand address */
3317 			vrfy = c->cmd_code == CMDVRFY;
3318 			DELAY_CONN(vrfy ? "VRFY" : "EXPN");
3319 			if (tempfail)
3320 			{
3321 				if (LogLevel > 9)
3322 					sm_syslog(LOG_INFO, e->e_id,
3323 						  "SMTP %s command (%.100s) from %s tempfailed (due to previous checks)",
3324 						  vrfy ? "VRFY" : "EXPN",
3325 						  p, CurSmtpClient);
3326 
3327 				/* RFC 821 doesn't allow 4xy reply code */
3328 				usrerr("550 5.7.1 Please try again later");
3329 				break;
3330 			}
3331 			wt = checksmtpattack(&n_verifies, MAXVRFYCOMMANDS,
3332 					     false, vrfy ? "VRFY" : "EXPN", e);
3333 			STOP_IF_ATTACK(wt);
3334 			previous = curtime();
3335 			if ((vrfy && bitset(PRIV_NOVRFY, PrivacyFlags)) ||
3336 			    (!vrfy && !bitset(SRV_OFFER_EXPN, features)))
3337 			{
3338 				if (vrfy)
3339 					message("252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)");
3340 				else
3341 					message("502 5.7.0 Sorry, we do not allow this operation");
3342 				if (LogLevel > 5)
3343 					sm_syslog(LOG_INFO, e->e_id,
3344 						  "%s: %s [rejected]",
3345 						  CurSmtpClient,
3346 						  shortenstring(inp, MAXSHORTSTR));
3347 				break;
3348 			}
3349 			else if (!gothello &&
3350 				 bitset(vrfy ? PRIV_NEEDVRFYHELO : PRIV_NEEDEXPNHELO,
3351 						PrivacyFlags))
3352 			{
3353 				usrerr("503 5.0.0 I demand that you introduce yourself first");
3354 				break;
3355 			}
3356 			if (Errors > 0)
3357 				break;
3358 			if (LogLevel > 5)
3359 				sm_syslog(LOG_INFO, e->e_id, "%s: %s",
3360 					  CurSmtpClient,
3361 					  shortenstring(inp, MAXSHORTSTR));
3362 		    SM_TRY
3363 		    {
3364 			QuickAbort = true;
3365 			vrfyqueue = NULL;
3366 			if (vrfy)
3367 				e->e_flags |= EF_VRFYONLY;
3368 			while (*p != '\0' && SM_ISSPACE(*p))
3369 				p++;
3370 			if (*p == '\0')
3371 			{
3372 				usrerr("501 5.5.2 Argument required");
3373 			}
3374 			else
3375 			{
3376 				/* do config file checking of the address */
3377 				if (rscheck(vrfy ? "check_vrfy" : "check_expn",
3378 					    p, NULL, e, RSF_RMCOMM, 3, NULL,
3379 					    NOQID, NULL, NULL) != EX_OK ||
3380 				    Errors > 0)
3381 					sm_exc_raisenew_x(&EtypeQuickAbort, 1);
3382 				(void) sendtolist(p, NULLADDR, &vrfyqueue, 0, e);
3383 			}
3384 			if (wt > 0)
3385 			{
3386 				time_t t;
3387 
3388 				t = wt - (curtime() - previous);
3389 				if (t > 0)
3390 					(void) sleep(t);
3391 			}
3392 			if (Errors > 0)
3393 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
3394 			if (vrfyqueue == NULL)
3395 			{
3396 				usrerr("554 5.5.2 Nothing to %s", vrfy ? "VRFY" : "EXPN");
3397 			}
3398 			while (vrfyqueue != NULL)
3399 			{
3400 				if (!QS_IS_UNDELIVERED(vrfyqueue->q_state))
3401 				{
3402 					vrfyqueue = vrfyqueue->q_next;
3403 					continue;
3404 				}
3405 
3406 				/* see if there is more in the vrfy list */
3407 				a = vrfyqueue;
3408 				while ((a = a->q_next) != NULL &&
3409 				       (!QS_IS_UNDELIVERED(a->q_state)))
3410 					continue;
3411 				printvrfyaddr(vrfyqueue, a == NULL, vrfy);
3412 				vrfyqueue = a;
3413 			}
3414 		    }
3415 		    SM_EXCEPT(exc, "[!F]*")
3416 		    {
3417 			/*
3418 			**  An exception occurred while processing VRFY/EXPN
3419 			*/
3420 
3421 			sm_exc_free(exc);
3422 			goto undo;
3423 		    }
3424 		    SM_END_TRY
3425 			break;
3426 
3427 		  case CMDETRN:		/* etrn -- force queue flush */
3428 			DELAY_CONN("ETRN");
3429 
3430 			/* Don't leak queue information via debug flags */
3431 			if (!bitset(SRV_OFFER_ETRN, features) || UseMSP ||
3432 			    (RealUid != 0 && RealUid != TrustedUid &&
3433 			     OpMode == MD_SMTP))
3434 			{
3435 				/* different message for MSA ? */
3436 				message("502 5.7.0 Sorry, we do not allow this operation");
3437 				if (LogLevel > 5)
3438 					sm_syslog(LOG_INFO, e->e_id,
3439 						  "%s: %s [rejected]",
3440 						  CurSmtpClient,
3441 						  shortenstring(inp, MAXSHORTSTR));
3442 				break;
3443 			}
3444 			if (tempfail)
3445 			{
3446 				if (LogLevel > 9)
3447 					sm_syslog(LOG_INFO, e->e_id,
3448 						  "SMTP ETRN command (%.100s) from %s tempfailed (due to previous checks)",
3449 						  p, CurSmtpClient);
3450 				/* Can't use ("%s", ...) due to usrerr() requirements */
3451 				usrerr(MSG_TEMPFAIL);
3452 				break;
3453 			}
3454 
3455 			if (strlen(p) <= 0)
3456 			{
3457 				usrerr("500 5.5.2 Parameter required");
3458 				break;
3459 			}
3460 
3461 			/* crude way to avoid denial-of-service attacks */
3462 			STOP_IF_ATTACK(checksmtpattack(&n_etrn, MAXETRNCOMMANDS,
3463 							true, "ETRN", e));
3464 
3465 			/*
3466 			**  Do config file checking of the parameter.
3467 			**  Even though we have srv_features now, we still
3468 			**  need this ruleset because the former is called
3469 			**  when the connection has been established, while
3470 			**  this ruleset is called when the command is
3471 			**  actually issued and therefore has all information
3472 			**  available to make a decision.
3473 			*/
3474 
3475 			if (rscheck("check_etrn", p, NULL, e, RSF_RMCOMM, 3,
3476 				    NULL, NOQID, NULL, NULL) != EX_OK ||
3477 			    Errors > 0)
3478 				break;
3479 
3480 			if (LogLevel > 5)
3481 				sm_syslog(LOG_INFO, e->e_id,
3482 					  "%s: ETRN %s", CurSmtpClient,
3483 					  shortenstring(p, MAXSHORTSTR));
3484 
3485 			id = p;
3486 			if (*id == '#')
3487 			{
3488 				int i, qgrp;
3489 
3490 				id++;
3491 				qgrp = name2qid(id);
3492 				if (!ISVALIDQGRP(qgrp))
3493 				{
3494 					usrerr("459 4.5.4 Queue %s unknown",
3495 					       id);
3496 					break;
3497 				}
3498 				for (i = 0; i < NumQueue && Queue[i] != NULL;
3499 				     i++)
3500 					Queue[i]->qg_nextrun = (time_t) -1;
3501 				Queue[qgrp]->qg_nextrun = 0;
3502 				ok = run_work_group(Queue[qgrp]->qg_wgrp,
3503 						    RWG_FORK|RWG_FORCE);
3504 				if (ok && Errors == 0)
3505 					message("250 2.0.0 Queuing for queue group %s started", id);
3506 				break;
3507 			}
3508 
3509 			if (*id == '@')
3510 				id++;
3511 			else
3512 				*--id = '@';
3513 
3514 			new = (QUEUE_CHAR *) sm_malloc(sizeof(QUEUE_CHAR));
3515 			if (new == NULL)
3516 			{
3517 				syserr("500 5.5.0 ETRN out of memory");
3518 				break;
3519 			}
3520 			new->queue_match = id;
3521 			new->queue_negate = false;
3522 			new->queue_next = NULL;
3523 			QueueLimitRecipient = new;
3524 			ok = runqueue(true, false, false, true);
3525 			sm_free(QueueLimitRecipient); /* XXX */
3526 			QueueLimitRecipient = NULL;
3527 			if (ok && Errors == 0)
3528 				message("250 2.0.0 Queuing for node %s started", p);
3529 			break;
3530 
3531 		  case CMDHELP:		/* help -- give user info */
3532 			DELAY_CONN("HELP");
3533 			help(p, e);
3534 			break;
3535 
3536 		  case CMDNOOP:		/* noop -- do nothing */
3537 			DELAY_CONN("NOOP");
3538 			STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands,
3539 							true, "NOOP", e));
3540 			message("250 2.0.0 OK");
3541 			break;
3542 
3543 		  case CMDQUIT:		/* quit -- leave mail */
3544 			message("221 2.0.0 %s closing connection", MyHostName);
3545 #if PIPELINING
3546 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
3547 #endif
3548 
3549 			if (smtp.sm_nrcpts > 0)
3550 				logundelrcpts(e, "aborted by sender", 9, false);
3551 
3552 			/* arrange to ignore any current send list */
3553 			e->e_sendqueue = NULL;
3554 
3555 #if STARTTLS
3556 			/* shutdown TLS connection */
3557 			if (tls_active)
3558 			{
3559 				(void) endtls(&srv_ssl, "server");
3560 				tls_active = false;
3561 			}
3562 #endif /* STARTTLS */
3563 #if SASL
3564 			if (authenticating == SASL_IS_AUTH)
3565 			{
3566 				sasl_dispose(&conn);
3567 				authenticating = SASL_NOT_AUTH;
3568 				/* XXX sasl_done(); this is a child */
3569 			}
3570 #endif /* SASL */
3571 
3572 doquit:
3573 			/* avoid future 050 messages */
3574 			disconnect(1, e);
3575 
3576 #if MILTER
3577 			/* close out milter filters */
3578 			milter_quit(e);
3579 #endif
3580 
3581 			if (tTd(92, 2))
3582 				sm_dprintf("QUIT: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",
3583 					e->e_id,
3584 					bitset(EF_LOGSENDER, e->e_flags),
3585 					LogLevel);
3586 			if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))
3587 				logsender(e, NULL);
3588 			e->e_flags &= ~EF_LOGSENDER;
3589 
3590 			if (lognullconnection && LogLevel > 5 &&
3591 			    nullserver == NULL)
3592 			{
3593 				char *d;
3594 
3595 				d = macvalue(macid("{daemon_name}"), e);
3596 				if (d == NULL)
3597 					d = "stdin";
3598 
3599 				/*
3600 				**  even though this id is "bogus", it makes
3601 				**  it simpler to "grep" related events, e.g.,
3602 				**  timeouts for the same connection.
3603 				*/
3604 
3605 				sm_syslog(LOG_INFO, e->e_id,
3606 					  "%s did not issue MAIL/EXPN/VRFY/ETRN during connection to %s",
3607 					  CurSmtpClient, d);
3608 			}
3609 			if (tTd(93, 100))
3610 			{
3611 				/* return to handle next connection */
3612 				return;
3613 			}
3614 			finis(true, true, ExitStat);
3615 			/* NOTREACHED */
3616 
3617 			/* just to avoid bogus warning from some compilers */
3618 			exit(EX_OSERR);
3619 
3620 		  case CMDVERB:		/* set verbose mode */
3621 			DELAY_CONN("VERB");
3622 			if (!bitset(SRV_OFFER_EXPN, features) ||
3623 			    !bitset(SRV_OFFER_VERB, features))
3624 			{
3625 				/* this would give out the same info */
3626 				message("502 5.7.0 Verbose unavailable");
3627 				break;
3628 			}
3629 			STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands,
3630 							true, "VERB", e));
3631 			Verbose = 1;
3632 			set_delivery_mode(SM_DELIVER, e);
3633 			message("250 2.0.0 Verbose mode");
3634 			break;
3635 
3636 #if SMTPDEBUG
3637 		  case CMDDBGQSHOW:	/* show queues */
3638 			(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
3639 					     "Send Queue=");
3640 			printaddr(smioout, e->e_sendqueue, true);
3641 			break;
3642 
3643 		  case CMDDBGDEBUG:	/* set debug mode */
3644 			tTsetup(tTdvect, sizeof(tTdvect), "0-99.1");
3645 			tTflag(p);
3646 			message("200 2.0.0 Debug set");
3647 			break;
3648 
3649 #else /* SMTPDEBUG */
3650 		  case CMDDBGQSHOW:	/* show queues */
3651 		  case CMDDBGDEBUG:	/* set debug mode */
3652 #endif /* SMTPDEBUG */
3653 		  case CMDLOGBOGUS:	/* bogus command */
3654 			DELAY_CONN("Bogus");
3655 			if (LogLevel > 0)
3656 				sm_syslog(LOG_CRIT, e->e_id,
3657 					  "\"%s\" command from %s (%.100s)",
3658 					  c->cmd_name, CurSmtpClient,
3659 					  anynet_ntoa(&RealHostAddr));
3660 			/* FALLTHROUGH */
3661 
3662 		  case CMDERROR:	/* unknown command */
3663 #if MAXBADCOMMANDS > 0
3664 			if (++n_badcmds > MAXBADCOMMANDS)
3665 			{
3666   stopattack:
3667 				message("421 4.7.0 %s Too many bad commands; closing connection",
3668 					MyHostName);
3669 
3670 				/* arrange to ignore any current send list */
3671 				e->e_sendqueue = NULL;
3672 				goto doquit;
3673 			}
3674 #endif /* MAXBADCOMMANDS > 0 */
3675 
3676 #if MILTER && SMFI_VERSION > 2
3677 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3678 			    !bitset(EF_DISCARD, e->e_flags))
3679 			{
3680 				char state;
3681 				char *response;
3682 
3683 				if (MilterLogLevel > 9)
3684 					sm_syslog(LOG_INFO, e->e_id,
3685 						"Sending \"%s\" to Milter", inp);
3686 				response = milter_unknown(inp, e, &state);
3687 				MILTER_REPLY("unknown");
3688 				if (state == SMFIR_REPLYCODE ||
3689 				    state == SMFIR_REJECT ||
3690 				    state == SMFIR_TEMPFAIL ||
3691 				    state == SMFIR_SHUTDOWN)
3692 				{
3693 					/* MILTER_REPLY already gave an error */
3694 					break;
3695 				}
3696 			}
3697 #endif /* MILTER && SMFI_VERSION > 2 */
3698 
3699 			usrerr("500 5.5.1 Command unrecognized: \"%s\"",
3700 			       shortenstring(inp, MAXSHORTSTR));
3701 			break;
3702 
3703 		  case CMDUNIMPL:
3704 			DELAY_CONN("Unimpl");
3705 			usrerr("502 5.5.1 Command not implemented: \"%s\"",
3706 			       shortenstring(inp, MAXSHORTSTR));
3707 			break;
3708 
3709 		  default:
3710 			DELAY_CONN("default");
3711 			errno = 0;
3712 			syserr("500 5.5.0 smtp: unknown code %d", c->cmd_code);
3713 			break;
3714 		}
3715 #if SASL
3716 		}
3717 #endif
3718 	    }
3719 	    SM_EXCEPT(exc, "[!F]*")
3720 	    {
3721 		/*
3722 		**  The only possible exception is "E:mta.quickabort".
3723 		**  There is nothing to do except fall through and loop.
3724 		*/
3725 	    }
3726 	    SM_END_TRY
3727 	}
3728 }
3729 /*
3730 **  SMTP_DATA -- implement the SMTP DATA command.
3731 **
3732 **	Parameters:
3733 **		smtp -- status of SMTP connection.
3734 **		e -- envelope.
3735 **
3736 **	Returns:
3737 **		true iff SMTP session can continue.
3738 **
3739 **	Side Effects:
3740 **		possibly sends message.
3741 */
3742 
3743 static bool
3744 smtp_data(smtp, e)
3745 	SMTP_T *smtp;
3746 	ENVELOPE *e;
3747 {
3748 #if MILTER
3749 	bool milteraccept;
3750 #endif
3751 	bool aborting;
3752 	bool doublequeue;
3753 	bool rv = true;
3754 	ADDRESS *a;
3755 	ENVELOPE *ee;
3756 	char *id;
3757 	char *oldid;
3758 	unsigned int features;
3759 	char buf[32];
3760 
3761 	SmtpPhase = "server DATA";
3762 	if (!smtp->sm_gotmail)
3763 	{
3764 		usrerr("503 5.0.0 Need MAIL command");
3765 		return true;
3766 	}
3767 	else if (smtp->sm_nrcpts <= 0)
3768 	{
3769 		usrerr("503 5.0.0 Need RCPT (recipient)");
3770 		return true;
3771 	}
3772 	(void) sm_snprintf(buf, sizeof(buf), "%u", smtp->sm_nrcpts);
3773 	if (rscheck("check_data", buf, NULL, e,
3774 		    RSF_RMCOMM|RSF_UNSTRUCTURED|RSF_COUNT, 3, NULL,
3775 		    e->e_id, NULL, NULL) != EX_OK)
3776 		return true;
3777 
3778 #if MILTER && SMFI_VERSION > 3
3779 	if (smtp->sm_milterlist && smtp->sm_milterize &&
3780 	    !bitset(EF_DISCARD, e->e_flags))
3781 	{
3782 		char state;
3783 		char *response;
3784 		int savelogusrerrs = LogUsrErrs;
3785 
3786 		response = milter_data_cmd(e, &state);
3787 		switch (state)
3788 		{
3789 		  case SMFIR_REPLYCODE:
3790 			if (MilterLogLevel > 3)
3791 			{
3792 				sm_syslog(LOG_INFO, e->e_id,
3793 					  "Milter: cmd=data, reject=%s",
3794 					  response);
3795 				LogUsrErrs = false;
3796 			}
3797 #if _FFR_MILTER_ENHSC
3798 			if (ISSMTPCODE(response))
3799 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
3800 #endif
3801 
3802 			/* Can't use ("%s", ...) due to usrerr() requirements */
3803 			usrerr(response);
3804 			if (strncmp(response, "421 ", 4) == 0
3805 			    || strncmp(response, "421-", 4) == 0)
3806 			{
3807 				e->e_sendqueue = NULL;
3808 				return false;
3809 			}
3810 			return true;
3811 
3812 		  case SMFIR_REJECT:
3813 			if (MilterLogLevel > 3)
3814 			{
3815 				sm_syslog(LOG_INFO, e->e_id,
3816 					  "Milter: cmd=data, reject=550 5.7.1 Command rejected");
3817 				LogUsrErrs = false;
3818 			}
3819 #if _FFR_MILTER_ENHSC
3820 			(void) sm_strlcpy(e->e_enhsc, "5.7.1",
3821 					 sizeof(e->e_enhsc));
3822 #endif
3823 			usrerr("550 5.7.1 Command rejected");
3824 			return true;
3825 
3826 		  case SMFIR_DISCARD:
3827 			if (MilterLogLevel > 3)
3828 				sm_syslog(LOG_INFO, e->e_id,
3829 					  "Milter: cmd=data, discard");
3830 			e->e_flags |= EF_DISCARD;
3831 			break;
3832 
3833 		  case SMFIR_TEMPFAIL:
3834 			if (MilterLogLevel > 3)
3835 			{
3836 				sm_syslog(LOG_INFO, e->e_id,
3837 					  "Milter: cmd=data, reject=%s",
3838 					  MSG_TEMPFAIL);
3839 				LogUsrErrs = false;
3840 			}
3841 #if _FFR_MILTER_ENHSC
3842 			(void) extenhsc(MSG_TEMPFAIL + 4, ' ', e->e_enhsc);
3843 #endif
3844 			/* Can't use ("%s", ...) due to usrerr() requirements */
3845 			usrerr(MSG_TEMPFAIL);
3846 			return true;
3847 
3848 		  case SMFIR_SHUTDOWN:
3849 			if (MilterLogLevel > 3)
3850 			{
3851 				sm_syslog(LOG_INFO, e->e_id,
3852 					  "Milter: cmd=data, reject=421 4.7.0 %s closing connection",
3853 					  MyHostName);
3854 				LogUsrErrs = false;
3855 			}
3856 			usrerr("421 4.7.0 %s closing connection", MyHostName);
3857 			e->e_sendqueue = NULL;
3858 			return false;
3859 		}
3860 		LogUsrErrs = savelogusrerrs;
3861 		if (response != NULL)
3862 			sm_free(response); /* XXX */
3863 	}
3864 #endif /* MILTER && SMFI_VERSION > 3 */
3865 
3866 	/* put back discard bit */
3867 	if (smtp->sm_discard)
3868 		e->e_flags |= EF_DISCARD;
3869 
3870 	/* check to see if we need to re-expand aliases */
3871 	/* also reset QS_BADADDR on already-diagnosted addrs */
3872 	doublequeue = false;
3873 	for (a = e->e_sendqueue; a != NULL; a = a->q_next)
3874 	{
3875 		if (QS_IS_VERIFIED(a->q_state) &&
3876 		    !bitset(EF_DISCARD, e->e_flags))
3877 		{
3878 			/* need to re-expand aliases */
3879 			doublequeue = true;
3880 		}
3881 		if (QS_IS_BADADDR(a->q_state))
3882 		{
3883 			/* make this "go away" */
3884 			a->q_state = QS_DONTSEND;
3885 		}
3886 	}
3887 
3888 	/* collect the text of the message */
3889 	SmtpPhase = "collect";
3890 	buffer_errors();
3891 
3892 	collect(InChannel, true, NULL, e, true);
3893 
3894 	/* redefine message size */
3895 	(void) sm_snprintf(buf, sizeof(buf), "%ld", PRT_NONNEGL(e->e_msgsize));
3896 	macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf);
3897 
3898 	/* rscheck() will set Errors or EF_DISCARD if it trips */
3899 	(void) rscheck("check_eom", buf, NULL, e, RSF_UNSTRUCTURED|RSF_COUNT,
3900 		       3, NULL, e->e_id, NULL, NULL);
3901 
3902 #if MILTER
3903 	milteraccept = true;
3904 	if (smtp->sm_milterlist && smtp->sm_milterize &&
3905 	    Errors <= 0 &&
3906 	    !bitset(EF_DISCARD, e->e_flags))
3907 	{
3908 		char state;
3909 		char *response;
3910 
3911 		response = milter_data(e, &state);
3912 		switch (state)
3913 		{
3914 		  case SMFIR_REPLYCODE:
3915 			if (MilterLogLevel > 3)
3916 				sm_syslog(LOG_INFO, e->e_id,
3917 					  "Milter: data, reject=%s",
3918 					  response);
3919 			milteraccept = false;
3920 #if _FFR_MILTER_ENHSC
3921 			if (ISSMTPCODE(response))
3922 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
3923 #endif
3924 			/* Can't use ("%s", ...) due to usrerr() requirements */
3925 			usrerr(response);
3926 			if (strncmp(response, "421 ", 4) == 0
3927 			    || strncmp(response, "421-", 4) == 0)
3928 				rv = false;
3929 			break;
3930 
3931 		  case SMFIR_REJECT:
3932 			milteraccept = false;
3933 			if (MilterLogLevel > 3)
3934 				sm_syslog(LOG_INFO, e->e_id,
3935 					  "Milter: data, reject=554 5.7.1 Command rejected");
3936 			usrerr("554 5.7.1 Command rejected");
3937 			break;
3938 
3939 		  case SMFIR_DISCARD:
3940 			if (MilterLogLevel > 3)
3941 				sm_syslog(LOG_INFO, e->e_id,
3942 					  "Milter: data, discard");
3943 			milteraccept = false;
3944 			e->e_flags |= EF_DISCARD;
3945 			break;
3946 
3947 		  case SMFIR_TEMPFAIL:
3948 			if (MilterLogLevel > 3)
3949 				sm_syslog(LOG_INFO, e->e_id,
3950 					  "Milter: data, reject=%s",
3951 					  MSG_TEMPFAIL);
3952 			milteraccept = false;
3953 #if _FFR_MILTER_ENHSC
3954 			(void) extenhsc(MSG_TEMPFAIL + 4, ' ', e->e_enhsc);
3955 #endif
3956 			/* Can't use ("%s", ...) due to usrerr() requirements */
3957 			usrerr(MSG_TEMPFAIL);
3958 			break;
3959 
3960 		  case SMFIR_SHUTDOWN:
3961 			if (MilterLogLevel > 3)
3962 				sm_syslog(LOG_INFO, e->e_id,
3963 					  "Milter: data, reject=421 4.7.0 %s closing connection",
3964 					  MyHostName);
3965 			milteraccept = false;
3966 			usrerr("421 4.7.0 %s closing connection", MyHostName);
3967 			rv = false;
3968 			break;
3969 		}
3970 		if (response != NULL)
3971 			sm_free(response);
3972 	}
3973 
3974 	/* Milter may have changed message size */
3975 	(void) sm_snprintf(buf, sizeof(buf), "%ld", PRT_NONNEGL(e->e_msgsize));
3976 	macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf);
3977 
3978 	/* abort message filters that didn't get the body & log msg is OK */
3979 	if (smtp->sm_milterlist && smtp->sm_milterize)
3980 	{
3981 		milter_abort(e);
3982 		if (milteraccept && MilterLogLevel > 9)
3983 			sm_syslog(LOG_INFO, e->e_id, "Milter accept: message");
3984 	}
3985 
3986 	/*
3987 	**  If SuperSafe is SAFE_REALLY_POSTMILTER, and we don't have milter or
3988 	**  milter accepted message, sync it now
3989 	**
3990 	**  XXX This is almost a copy of the code in collect(): put it into
3991 	**	a function that is called from both places?
3992 	*/
3993 
3994 	if (milteraccept && SuperSafe == SAFE_REALLY_POSTMILTER)
3995 	{
3996 		int afd;
3997 		SM_FILE_T *volatile df;
3998 		char *dfname;
3999 
4000 		df = e->e_dfp;
4001 		dfname = queuename(e, DATAFL_LETTER);
4002 		if (sm_io_setinfo(df, SM_BF_COMMIT, NULL) < 0
4003 		    && errno != EINVAL)
4004 		{
4005 			int save_errno;
4006 
4007 			save_errno = errno;
4008 			if (save_errno == EEXIST)
4009 			{
4010 				struct stat st;
4011 				int dfd;
4012 
4013 				if (stat(dfname, &st) < 0)
4014 					st.st_size = -1;
4015 				errno = EEXIST;
4016 				syserr("@collect: bfcommit(%s): already on disk, size=%ld",
4017 				       dfname, (long) st.st_size);
4018 				dfd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL);
4019 				if (dfd >= 0)
4020 					dumpfd(dfd, true, true);
4021 			}
4022 			errno = save_errno;
4023 			dferror(df, "bfcommit", e);
4024 			flush_errors(true);
4025 			finis(save_errno != EEXIST, true, ExitStat);
4026 		}
4027 		else if ((afd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL)) < 0)
4028 		{
4029 			dferror(df, "sm_io_getinfo", e);
4030 			flush_errors(true);
4031 			finis(true, true, ExitStat);
4032 			/* NOTREACHED */
4033 		}
4034 		else if (fsync(afd) < 0)
4035 		{
4036 			dferror(df, "fsync", e);
4037 			flush_errors(true);
4038 			finis(true, true, ExitStat);
4039 			/* NOTREACHED */
4040 		}
4041 		else if (sm_io_close(df, SM_TIME_DEFAULT) < 0)
4042 		{
4043 			dferror(df, "sm_io_close", e);
4044 			flush_errors(true);
4045 			finis(true, true, ExitStat);
4046 			/* NOTREACHED */
4047 		}
4048 
4049 		/* Now reopen the df file */
4050 		e->e_dfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, dfname,
4051 					SM_IO_RDONLY, NULL);
4052 		if (e->e_dfp == NULL)
4053 		{
4054 			/* we haven't acked receipt yet, so just chuck this */
4055 			syserr("@Cannot reopen %s", dfname);
4056 			finis(true, true, ExitStat);
4057 			/* NOTREACHED */
4058 		}
4059 	}
4060 #endif /* MILTER */
4061 
4062 	/* Check if quarantining stats should be updated */
4063 	if (e->e_quarmsg != NULL)
4064 		markstats(e, NULL, STATS_QUARANTINE);
4065 
4066 	/*
4067 	**  If a header/body check (header checks or milter)
4068 	**  set EF_DISCARD, don't queueup the message --
4069 	**  that would lose the EF_DISCARD bit and deliver
4070 	**  the message.
4071 	*/
4072 
4073 	if (bitset(EF_DISCARD, e->e_flags))
4074 		doublequeue = false;
4075 
4076 	aborting = Errors > 0;
4077 	if (!(aborting || bitset(EF_DISCARD, e->e_flags)) &&
4078 	    (QueueMode == QM_QUARANTINE || e->e_quarmsg == NULL) &&
4079 	    !split_by_recipient(e))
4080 		aborting = bitset(EF_FATALERRS, e->e_flags);
4081 
4082 	if (aborting)
4083 	{
4084 		ADDRESS *q;
4085 
4086 		/* Log who the mail would have gone to */
4087 		logundelrcpts(e, e->e_message, 8, false);
4088 
4089 		/*
4090 		**  If something above refused the message, we still haven't
4091 		**  accepted responsibility for it.  Don't send DSNs.
4092 		*/
4093 
4094 		for (q = e->e_sendqueue; q != NULL; q = q->q_next)
4095 			q->q_flags &= ~Q_PINGFLAGS;
4096 
4097 		flush_errors(true);
4098 		buffer_errors();
4099 		goto abortmessage;
4100 	}
4101 
4102 	/* from now on, we have to operate silently */
4103 	buffer_errors();
4104 
4105 #if 0
4106 	/*
4107 	**  Clear message, it may contain an error from the SMTP dialogue.
4108 	**  This error must not show up in the queue.
4109 	**	Some error message should show up, e.g., alias database
4110 	**	not available, but others shouldn't, e.g., from check_rcpt.
4111 	*/
4112 
4113 	e->e_message = NULL;
4114 #endif /* 0 */
4115 
4116 	/*
4117 	**  Arrange to send to everyone.
4118 	**	If sending to multiple people, mail back
4119 	**		errors rather than reporting directly.
4120 	**	In any case, don't mail back errors for
4121 	**		anything that has happened up to
4122 	**		now (the other end will do this).
4123 	**	Truncate our transcript -- the mail has gotten
4124 	**		to us successfully, and if we have
4125 	**		to mail this back, it will be easier
4126 	**		on the reader.
4127 	**	Then send to everyone.
4128 	**	Finally give a reply code.  If an error has
4129 	**		already been given, don't mail a
4130 	**		message back.
4131 	**	We goose error returns by clearing error bit.
4132 	*/
4133 
4134 	SmtpPhase = "delivery";
4135 	(void) sm_io_setinfo(e->e_xfp, SM_BF_TRUNCATE, NULL);
4136 	id = e->e_id;
4137 
4138 #if NAMED_BIND
4139 	_res.retry = TimeOuts.res_retry[RES_TO_FIRST];
4140 	_res.retrans = TimeOuts.res_retrans[RES_TO_FIRST];
4141 #endif
4142 
4143 #if _FFR_PROXY
4144 	if (SM_PROXY_REQ == e->e_sendmode)
4145 	{
4146 		/* is proxy mode possible? */
4147 		if (e->e_sibling == NULL && e->e_nrcpts == 1
4148 		    && smtp->sm_nrcpts == 1
4149 		    && (a = e->e_sendqueue) != NULL && a->q_next == NULL)
4150 		{
4151 			a->q_flags &= ~(QPINGONFAILURE|QPINGONSUCCESS|
4152 					QPINGONDELAY);
4153 			e->e_errormode = EM_QUIET;
4154 			e->e_sendmode = SM_PROXY;
4155 		}
4156 		else
4157 		{
4158 			if (tTd(87, 2))
4159 			{
4160 				a = e->e_sendqueue;
4161 				sm_dprintf("srv: mode=%c, e=%p, sibling=%p, nrcpts=%d, sm_nrcpts=%d, sendqueue=%p, next=%p\n",
4162 				e->e_sendmode, e, e->e_sibling, e->e_nrcpts,
4163 				smtp->sm_nrcpts, a,
4164 				(a == NULL) ? (void *)0 : a->q_next);
4165 			}
4166 
4167 			/* switch to interactive mode */
4168 			e->e_sendmode = SM_DELIVER;
4169 			if (LogLevel > 9)
4170 				sm_syslog(LOG_DEBUG, e->e_id,
4171 					  "proxy mode requested but not possible");
4172 		}
4173 	}
4174 #endif /* _FFR_PROXY */
4175 
4176 	for (ee = e; ee != NULL; ee = ee->e_sibling)
4177 	{
4178 		/* make sure we actually do delivery */
4179 		ee->e_flags &= ~EF_CLRQUEUE;
4180 
4181 		/* from now on, operate silently */
4182 		ee->e_errormode = EM_MAIL;
4183 
4184 		if (doublequeue)
4185 		{
4186 			/* make sure it is in the queue */
4187 			queueup(ee, false, true);
4188 		}
4189 		else
4190 		{
4191 			int mode;
4192 
4193 			/* send to all recipients */
4194 			mode = SM_DEFAULT;
4195 #if _FFR_DM_ONE
4196 			if (SM_DM_ONE == e->e_sendmode)
4197 			{
4198 				if (NotFirstDelivery)
4199 				{
4200 					mode = SM_QUEUE;
4201 					e->e_sendmode = SM_QUEUE;
4202 				}
4203 				else
4204 				{
4205 					mode = SM_FORK;
4206 					NotFirstDelivery = true;
4207 				}
4208 			}
4209 #endif /* _FFR_DM_ONE */
4210 			sendall(ee, mode);
4211 		}
4212 		ee->e_to = NULL;
4213 	}
4214 
4215 	/* put back id for SMTP logging in putoutmsg() */
4216 	oldid = CurEnv->e_id;
4217 	CurEnv->e_id = id;
4218 
4219 #if _FFR_PROXY
4220 	a = e->e_sendqueue;
4221 	if (tTd(87, 1))
4222 	{
4223 		sm_dprintf("srv: mode=%c, e=%p, sibling=%p, nrcpts=%d, msg=%s, sendqueue=%p, next=%p, state=%d, SmtpError=%s, rcode=%d, renhsc=%s, text=%s\n",
4224 		e->e_sendmode, e, e->e_sibling, e->e_nrcpts, e->e_message, a,
4225 		(a == NULL) ? (void *)0 : a->q_next,
4226 		(a == NULL) ? -1 : a->q_state, SmtpError, e->e_rcode,
4227 		e->e_renhsc, e->e_text);
4228 	}
4229 
4230 	if (SM_PROXY == e->e_sendmode && a->q_state != QS_SENT &&
4231 	    a->q_state != QS_VERIFIED) /* discarded! */
4232 	{
4233 		char *m, *errtext;
4234 		char replycode[4];
4235 		char enhsc[10];
4236 		int offset;
4237 
4238 #define NN_MSG(e)	(((e)->e_message != NULL) ? (e)->e_message : "")
4239 		m = e->e_message;
4240 #define SM_MSG_DEFERRED "Deferred: "
4241 		if (m != NULL && strncmp(SM_MSG_DEFERRED, m,
4242 					 sizeof(SM_MSG_DEFERRED) - 1) == 0)
4243 			m += sizeof(SM_MSG_DEFERRED) - 1;
4244 		offset = extsc(m, ' ', replycode, enhsc);
4245 
4246 		if (tTd(87, 2))
4247 		{
4248 			sm_dprintf("srv: SmtpError=%s, rcode=%d, renhsc=%s, replycode=%s, enhsc=%s, offset=%d\n",
4249 				SmtpError, e->e_rcode, e->e_renhsc,
4250 				replycode, enhsc, offset);
4251 		}
4252 
4253 #define DIG2CHAR(d)	((d) + '0')
4254 		if (e->e_rcode != 0 && (replycode[0] == '\0' ||
4255 		    replycode[0] == DIG2CHAR(REPLYTYPE(e->e_rcode))))
4256 		{
4257 			replycode[0] = DIG2CHAR(REPLYTYPE(e->e_rcode));
4258 			replycode[1] = DIG2CHAR(REPLYCLASS(e->e_rcode));
4259 			replycode[2] = DIG2CHAR(REPLYMINOR(e->e_rcode));
4260 			replycode[3] = '\0';
4261 			if (e->e_renhsc[0] == replycode[0])
4262 				sm_strlcpy(enhsc, e->e_renhsc, sizeof(enhsc));
4263 			if (offset < 0)
4264 				offset = 0;
4265 		}
4266 		if (e->e_text != NULL)
4267 		{
4268 			(void) strreplnonprt(e->e_text, '_');
4269 			errtext = e->e_text;
4270 		}
4271 		else
4272 			errtext = m + offset;
4273 
4274 		if (replycode[0] != '\0' && enhsc[0] != '\0')
4275 			emessage(replycode, enhsc, "%s", errtext);
4276 		else if (replycode[0] != '\0')
4277 			emessage(replycode, smtptodsn(atoi(replycode)),
4278 				 "%s", errtext);
4279 		else if (QS_IS_TEMPFAIL(a->q_state))
4280 		{
4281 			if (m != NULL)
4282 				message("450 4.5.1 %s", m);
4283 			else
4284 				message("450 4.5.1 Temporary error");
4285 		}
4286 		else
4287 		{
4288 			if (m != NULL)
4289 				message("550 5.5.1 %s", m);
4290 			else
4291 				message("550 5.0.0 Permanent error");
4292 		}
4293 	}
4294 	else
4295 	{
4296 #endif /* _FFR_PROXY */
4297 		/* issue success message */
4298 #if _FFR_MSG_ACCEPT
4299 		if (MessageAccept != NULL && *MessageAccept != '\0')
4300 		{
4301 			char msg[MAXLINE];
4302 
4303 			expand(MessageAccept, msg, sizeof(msg), e);
4304 			message("250 2.0.0 %s", msg);
4305 		}
4306 		else
4307 #endif /* _FFR_MSG_ACCEPT */
4308 		message("250 2.0.0 %s Message accepted for delivery", id);
4309 #if _FFR_PROXY
4310 	}
4311 #endif
4312 	CurEnv->e_id = oldid;
4313 
4314 	/* if we just queued, poke it */
4315 	if (doublequeue)
4316 	{
4317 		bool anything_to_send = false;
4318 
4319 		sm_getla();
4320 		for (ee = e; ee != NULL; ee = ee->e_sibling)
4321 		{
4322 			if (WILL_BE_QUEUED(ee->e_sendmode))
4323 				continue;
4324 			if (shouldqueue(ee->e_msgpriority, ee->e_ctime))
4325 			{
4326 				ee->e_sendmode = SM_QUEUE;
4327 				continue;
4328 			}
4329 			else if (QueueMode != QM_QUARANTINE &&
4330 				 ee->e_quarmsg != NULL)
4331 			{
4332 				ee->e_sendmode = SM_QUEUE;
4333 				continue;
4334 			}
4335 			anything_to_send = true;
4336 
4337 			/* close all the queue files */
4338 			closexscript(ee);
4339 			if (ee->e_dfp != NULL)
4340 			{
4341 				(void) sm_io_close(ee->e_dfp, SM_TIME_DEFAULT);
4342 				ee->e_dfp = NULL;
4343 			}
4344 			unlockqueue(ee);
4345 		}
4346 		if (anything_to_send)
4347 		{
4348 #if PIPELINING
4349 			/*
4350 			**  XXX if we don't do this, we get 250 twice
4351 			**	because it is also flushed in the child.
4352 			*/
4353 
4354 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
4355 #endif /* PIPELINING */
4356 			(void) doworklist(e, true, true);
4357 		}
4358 	}
4359 
4360   abortmessage:
4361 	if (tTd(92, 2))
4362 		sm_dprintf("abortmessage: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",
4363 			e->e_id, bitset(EF_LOGSENDER, e->e_flags), LogLevel);
4364 	if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))
4365 		logsender(e, NULL);
4366 	e->e_flags &= ~EF_LOGSENDER;
4367 
4368 	/* clean up a bit */
4369 	smtp->sm_gotmail = false;
4370 
4371 	/*
4372 	**  Call dropenvelope if and only if the envelope is *not*
4373 	**  being processed by the child process forked by doworklist().
4374 	*/
4375 
4376 	if (aborting || bitset(EF_DISCARD, e->e_flags))
4377 		(void) dropenvelope(e, true, false);
4378 	else
4379 	{
4380 		for (ee = e; ee != NULL; ee = ee->e_sibling)
4381 		{
4382 			if (!doublequeue &&
4383 			    QueueMode != QM_QUARANTINE &&
4384 			    ee->e_quarmsg != NULL)
4385 			{
4386 				(void) dropenvelope(ee, true, false);
4387 				continue;
4388 			}
4389 			if (WILL_BE_QUEUED(ee->e_sendmode))
4390 				(void) dropenvelope(ee, true, false);
4391 		}
4392 	}
4393 
4394 	CurEnv = e;
4395 	features = e->e_features;
4396 	sm_rpool_free(e->e_rpool);
4397 	newenvelope(e, e, sm_rpool_new_x(NULL));
4398 	e->e_flags = BlankEnvelope.e_flags;
4399 	e->e_features = features;
4400 
4401 	/* restore connection quarantining */
4402 	if (smtp->sm_quarmsg == NULL)
4403 	{
4404 		e->e_quarmsg = NULL;
4405 		macdefine(&e->e_macro, A_PERM, macid("{quarantine}"), "");
4406 	}
4407 	else
4408 	{
4409 		e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool, smtp->sm_quarmsg);
4410 		macdefine(&e->e_macro, A_PERM,
4411 			  macid("{quarantine}"), e->e_quarmsg);
4412 	}
4413 	return rv;
4414 }
4415 /*
4416 **  LOGUNDELRCPTS -- log undelivered (or all) recipients.
4417 **
4418 **	Parameters:
4419 **		e -- envelope.
4420 **		msg -- message for Stat=
4421 **		level -- log level.
4422 **		all -- log all recipients.
4423 **
4424 **	Returns:
4425 **		none.
4426 **
4427 **	Side Effects:
4428 **		logs undelivered (or all) recipients
4429 */
4430 
4431 void
4432 logundelrcpts(e, msg, level, all)
4433 	ENVELOPE *e;
4434 	char *msg;
4435 	int level;
4436 	bool all;
4437 {
4438 	ADDRESS *a;
4439 
4440 	if (LogLevel <= level || msg == NULL || *msg == '\0')
4441 		return;
4442 
4443 	/* Clear $h so relay= doesn't get mislogged by logdelivery() */
4444 	macdefine(&e->e_macro, A_PERM, 'h', NULL);
4445 
4446 	/* Log who the mail would have gone to */
4447 	for (a = e->e_sendqueue; a != NULL; a = a->q_next)
4448 	{
4449 		if (!QS_IS_UNDELIVERED(a->q_state) && !all)
4450 			continue;
4451 		e->e_to = a->q_paddr;
4452 		logdelivery(NULL, NULL,
4453 #if _FFR_MILTER_ENHSC
4454 			    (a->q_status == NULL && e->e_enhsc[0] != '\0')
4455 			    ? e->e_enhsc :
4456 #endif
4457 			    a->q_status,
4458 			    msg, NULL, (time_t) 0, e, a, EX_OK /* ??? */);
4459 	}
4460 	e->e_to = NULL;
4461 }
4462 /*
4463 **  CHECKSMTPATTACK -- check for denial-of-service attack by repetition
4464 **
4465 **	Parameters:
4466 **		pcounter -- pointer to a counter for this command.
4467 **		maxcount -- maximum value for this counter before we
4468 **			slow down.
4469 **		waitnow -- sleep now (in this routine)?
4470 **		cname -- command name for logging.
4471 **		e -- the current envelope.
4472 **
4473 **	Returns:
4474 **		time to wait,
4475 **		STOP_ATTACK if twice as many commands as allowed and
4476 **			MaxChildren > 0.
4477 **
4478 **	Side Effects:
4479 **		Slows down if we seem to be under attack.
4480 */
4481 
4482 static time_t
4483 checksmtpattack(pcounter, maxcount, waitnow, cname, e)
4484 	volatile unsigned int *pcounter;
4485 	unsigned int maxcount;
4486 	bool waitnow;
4487 	char *cname;
4488 	ENVELOPE *e;
4489 {
4490 	if (maxcount <= 0)	/* no limit */
4491 		return (time_t) 0;
4492 
4493 	if (++(*pcounter) >= maxcount)
4494 	{
4495 		unsigned int shift;
4496 		time_t s;
4497 
4498 		if (*pcounter == maxcount && LogLevel > 5)
4499 		{
4500 			sm_syslog(LOG_INFO, e->e_id,
4501 				  "%s: possible SMTP attack: command=%.40s, count=%u",
4502 				  CurSmtpClient, cname, *pcounter);
4503 		}
4504 		shift = *pcounter - maxcount;
4505 		s = 1 << shift;
4506 		if (shift > MAXSHIFT || s >= MAXTIMEOUT || s <= 0)
4507 			s = MAXTIMEOUT;
4508 
4509 #define IS_ATTACK(s)	((MaxChildren > 0 && *pcounter >= maxcount * 2)	\
4510 				? STOP_ATTACK : (time_t) s)
4511 
4512 		/* sleep at least 1 second before returning */
4513 		(void) sleep(*pcounter / maxcount);
4514 		s -= *pcounter / maxcount;
4515 		if (s >= MAXTIMEOUT || s < 0)
4516 			s = MAXTIMEOUT;
4517 		if (waitnow && s > 0)
4518 		{
4519 			(void) sleep(s);
4520 			return IS_ATTACK(0);
4521 		}
4522 		return IS_ATTACK(s);
4523 	}
4524 	return (time_t) 0;
4525 }
4526 /*
4527 **  SETUP_SMTPD_IO -- setup I/O fd correctly for the SMTP server
4528 **
4529 **	Parameters:
4530 **		none.
4531 **
4532 **	Returns:
4533 **		nothing.
4534 **
4535 **	Side Effects:
4536 **		may change I/O fd.
4537 */
4538 
4539 static void
4540 setup_smtpd_io()
4541 {
4542 	int inchfd, outchfd, outfd;
4543 
4544 	inchfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
4545 	outchfd  = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL);
4546 	outfd = sm_io_getinfo(smioout, SM_IO_WHAT_FD, NULL);
4547 	if (outchfd != outfd)
4548 	{
4549 		/* arrange for debugging output to go to remote host */
4550 		(void) dup2(outchfd, outfd);
4551 	}
4552 
4553 	/*
4554 	**  if InChannel and OutChannel are stdin/stdout
4555 	**  and connected to ttys
4556 	**  and fcntl(STDIN, F_SETFL, O_NONBLOCKING) also changes STDOUT,
4557 	**  then "chain" them together.
4558 	*/
4559 
4560 	if (inchfd == STDIN_FILENO && outchfd == STDOUT_FILENO &&
4561 	    isatty(inchfd) && isatty(outchfd))
4562 	{
4563 		int inmode, outmode;
4564 
4565 		inmode = fcntl(inchfd, F_GETFL, 0);
4566 		if (inmode == -1)
4567 		{
4568 			if (LogLevel > 11)
4569 				sm_syslog(LOG_INFO, NOQID,
4570 					"fcntl(inchfd, F_GETFL) failed: %s",
4571 					sm_errstring(errno));
4572 			return;
4573 		}
4574 		outmode = fcntl(outchfd, F_GETFL, 0);
4575 		if (outmode == -1)
4576 		{
4577 			if (LogLevel > 11)
4578 				sm_syslog(LOG_INFO, NOQID,
4579 					"fcntl(outchfd, F_GETFL) failed: %s",
4580 					sm_errstring(errno));
4581 			return;
4582 		}
4583 		if (bitset(O_NONBLOCK, inmode) ||
4584 		    bitset(O_NONBLOCK, outmode) ||
4585 		    fcntl(inchfd, F_SETFL, inmode | O_NONBLOCK) == -1)
4586 			return;
4587 		outmode = fcntl(outchfd, F_GETFL, 0);
4588 		if (outmode != -1 && bitset(O_NONBLOCK, outmode))
4589 		{
4590 			/* changing InChannel also changes OutChannel */
4591 			sm_io_automode(OutChannel, InChannel);
4592 			if (tTd(97, 4) && LogLevel > 9)
4593 				sm_syslog(LOG_INFO, NOQID,
4594 					  "set automode for I (%d)/O (%d) in SMTP server",
4595 					  inchfd, outchfd);
4596 		}
4597 
4598 		/* undo change of inchfd */
4599 		(void) fcntl(inchfd, F_SETFL, inmode);
4600 	}
4601 }
4602 /*
4603 **  SKIPWORD -- skip a fixed word.
4604 **
4605 **	Parameters:
4606 **		p -- place to start looking.
4607 **		w -- word to skip.
4608 **
4609 **	Returns:
4610 **		p following w.
4611 **		NULL on error.
4612 **
4613 **	Side Effects:
4614 **		clobbers the p data area.
4615 */
4616 
4617 static char *
4618 skipword(p, w)
4619 	register char *volatile p;
4620 	char *w;
4621 {
4622 	register char *q;
4623 	char *firstp = p;
4624 
4625 	/* find beginning of word */
4626 	SKIP_SPACE(p);
4627 	q = p;
4628 
4629 	/* find end of word */
4630 	while (*p != '\0' && *p != ':' && !(SM_ISSPACE(*p)))
4631 		p++;
4632 	while (SM_ISSPACE(*p))
4633 		*p++ = '\0';
4634 	if (*p != ':')
4635 	{
4636 	  syntax:
4637 		usrerr("501 5.5.2 Syntax error in parameters scanning \"%s\"",
4638 			shortenstring(firstp, MAXSHORTSTR));
4639 		return NULL;
4640 	}
4641 	*p++ = '\0';
4642 	SKIP_SPACE(p);
4643 
4644 	if (*p == '\0')
4645 		goto syntax;
4646 
4647 	/* see if the input word matches desired word */
4648 	if (sm_strcasecmp(q, w))
4649 		goto syntax;
4650 
4651 	return p;
4652 }
4653 
4654 /*
4655 **  RESET_MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line
4656 **
4657 **	Parameters:
4658 **		e -- the envelope.
4659 **
4660 **	Returns:
4661 **		none.
4662 */
4663 
4664 void
4665 reset_mail_esmtp_args(e)
4666 	ENVELOPE *e;
4667 {
4668 	/* "size": no reset */
4669 
4670 	/* "body" */
4671 	SevenBitInput = SevenBitInput_Saved;
4672 	e->e_bodytype = NULL;
4673 
4674 	/* "envid" */
4675 	e->e_envid = NULL;
4676 	macdefine(&e->e_macro, A_PERM, macid("{dsn_envid}"), NULL);
4677 
4678 	/* "ret" */
4679 	e->e_flags &= ~(EF_RET_PARAM|EF_NO_BODY_RETN);
4680 	macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), NULL);
4681 
4682 #if SASL
4683 	/* "auth" */
4684 	macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"), NULL);
4685 	e->e_auth_param = "";
4686 # if _FFR_AUTH_PASSING
4687 	macdefine(&BlankEnvelope.e_macro, A_PERM,
4688 				  macid("{auth_author}"), NULL);
4689 # endif
4690 #endif /* SASL */
4691 
4692 	/* "by" */
4693 	e->e_deliver_by = 0;
4694 	e->e_dlvr_flag = 0;
4695 }
4696 
4697 /*
4698 **  MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line
4699 **
4700 **	Parameters:
4701 **		a -- address (unused, for compatibility with rcpt_esmtp_args)
4702 **		kp -- the parameter key.
4703 **		vp -- the value of that parameter.
4704 **		e -- the envelope.
4705 **
4706 **	Returns:
4707 **		none.
4708 */
4709 
4710 void
4711 mail_esmtp_args(a, kp, vp, e)
4712 	ADDRESS *a;
4713 	char *kp;
4714 	char *vp;
4715 	ENVELOPE *e;
4716 {
4717 	if (sm_strcasecmp(kp, "size") == 0)
4718 	{
4719 		if (vp == NULL)
4720 		{
4721 			usrerr("501 5.5.2 SIZE requires a value");
4722 			/* NOTREACHED */
4723 		}
4724 		macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), vp);
4725 		errno = 0;
4726 		e->e_msgsize = strtol(vp, (char **) NULL, 10);
4727 		if (e->e_msgsize == LONG_MAX && errno == ERANGE)
4728 		{
4729 			usrerr("552 5.2.3 Message size exceeds maximum value");
4730 			/* NOTREACHED */
4731 		}
4732 		if (e->e_msgsize < 0)
4733 		{
4734 			usrerr("552 5.2.3 Message size invalid");
4735 			/* NOTREACHED */
4736 		}
4737 	}
4738 	else if (sm_strcasecmp(kp, "body") == 0)
4739 	{
4740 		if (vp == NULL)
4741 		{
4742 			usrerr("501 5.5.2 BODY requires a value");
4743 			/* NOTREACHED */
4744 		}
4745 		else if (sm_strcasecmp(vp, "8bitmime") == 0)
4746 		{
4747 			SevenBitInput = false;
4748 		}
4749 		else if (sm_strcasecmp(vp, "7bit") == 0)
4750 		{
4751 			SevenBitInput = true;
4752 		}
4753 		else
4754 		{
4755 			usrerr("501 5.5.4 Unknown BODY type %s", vp);
4756 			/* NOTREACHED */
4757 		}
4758 		e->e_bodytype = sm_rpool_strdup_x(e->e_rpool, vp);
4759 	}
4760 	else if (sm_strcasecmp(kp, "envid") == 0)
4761 	{
4762 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4763 		{
4764 			usrerr("504 5.7.0 Sorry, ENVID not supported, we do not allow DSN");
4765 			/* NOTREACHED */
4766 		}
4767 		if (vp == NULL)
4768 		{
4769 			usrerr("501 5.5.2 ENVID requires a value");
4770 			/* NOTREACHED */
4771 		}
4772 		if (!xtextok(vp))
4773 		{
4774 			usrerr("501 5.5.4 Syntax error in ENVID parameter value");
4775 			/* NOTREACHED */
4776 		}
4777 		if (e->e_envid != NULL)
4778 		{
4779 			usrerr("501 5.5.0 Duplicate ENVID parameter");
4780 			/* NOTREACHED */
4781 		}
4782 		e->e_envid = sm_rpool_strdup_x(e->e_rpool, vp);
4783 		macdefine(&e->e_macro, A_PERM,
4784 			macid("{dsn_envid}"), e->e_envid);
4785 	}
4786 	else if (sm_strcasecmp(kp, "ret") == 0)
4787 	{
4788 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4789 		{
4790 			usrerr("504 5.7.0 Sorry, RET not supported, we do not allow DSN");
4791 			/* NOTREACHED */
4792 		}
4793 		if (vp == NULL)
4794 		{
4795 			usrerr("501 5.5.2 RET requires a value");
4796 			/* NOTREACHED */
4797 		}
4798 		if (bitset(EF_RET_PARAM, e->e_flags))
4799 		{
4800 			usrerr("501 5.5.0 Duplicate RET parameter");
4801 			/* NOTREACHED */
4802 		}
4803 		e->e_flags |= EF_RET_PARAM;
4804 		if (sm_strcasecmp(vp, "hdrs") == 0)
4805 			e->e_flags |= EF_NO_BODY_RETN;
4806 		else if (sm_strcasecmp(vp, "full") != 0)
4807 		{
4808 			usrerr("501 5.5.2 Bad argument \"%s\" to RET", vp);
4809 			/* NOTREACHED */
4810 		}
4811 		macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), vp);
4812 	}
4813 #if SASL
4814 	else if (sm_strcasecmp(kp, "auth") == 0)
4815 	{
4816 		int len;
4817 		char *q;
4818 		char *auth_param;	/* the value of the AUTH=x */
4819 		bool saveQuickAbort = QuickAbort;
4820 		bool saveSuprErrs = SuprErrs;
4821 		bool saveExitStat = ExitStat;
4822 
4823 		if (vp == NULL)
4824 		{
4825 			usrerr("501 5.5.2 AUTH= requires a value");
4826 			/* NOTREACHED */
4827 		}
4828 		if (e->e_auth_param != NULL)
4829 		{
4830 			usrerr("501 5.5.0 Duplicate AUTH parameter");
4831 			/* NOTREACHED */
4832 		}
4833 		if ((q = strchr(vp, ' ')) != NULL)
4834 			len = q - vp + 1;
4835 		else
4836 			len = strlen(vp) + 1;
4837 		auth_param = xalloc(len);
4838 		(void) sm_strlcpy(auth_param, vp, len);
4839 		if (!xtextok(auth_param))
4840 		{
4841 			usrerr("501 5.5.4 Syntax error in AUTH parameter value");
4842 			/* just a warning? */
4843 			/* NOTREACHED */
4844 		}
4845 
4846 		/* XXX define this always or only if trusted? */
4847 		macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"),
4848 			  auth_param);
4849 
4850 		/*
4851 		**  call Strust_auth to find out whether
4852 		**  auth_param is acceptable (trusted)
4853 		**  we shouldn't trust it if not authenticated
4854 		**  (required by RFC, leave it to ruleset?)
4855 		*/
4856 
4857 		SuprErrs = true;
4858 		QuickAbort = false;
4859 		if (strcmp(auth_param, "<>") != 0 &&
4860 		     (rscheck("trust_auth", auth_param, NULL, e, RSF_RMCOMM, 9,
4861 			      NULL, NOQID, NULL, NULL) != EX_OK || Errors > 0))
4862 		{
4863 			if (tTd(95, 8))
4864 			{
4865 				q = e->e_auth_param;
4866 				sm_dprintf("auth=\"%.100s\" not trusted user=\"%.100s\"\n",
4867 					auth_param, (q == NULL) ? "" : q);
4868 			}
4869 
4870 			/* not trusted */
4871 			e->e_auth_param = "<>";
4872 # if _FFR_AUTH_PASSING
4873 			macdefine(&BlankEnvelope.e_macro, A_PERM,
4874 				  macid("{auth_author}"), NULL);
4875 # endif
4876 		}
4877 		else
4878 		{
4879 			if (tTd(95, 8))
4880 				sm_dprintf("auth=\"%.100s\" trusted\n", auth_param);
4881 			e->e_auth_param = sm_rpool_strdup_x(e->e_rpool,
4882 							    auth_param);
4883 		}
4884 		sm_free(auth_param); /* XXX */
4885 
4886 		/* reset values */
4887 		Errors = 0;
4888 		QuickAbort = saveQuickAbort;
4889 		SuprErrs = saveSuprErrs;
4890 		ExitStat = saveExitStat;
4891 	}
4892 #endif /* SASL */
4893 #define PRTCHAR(c)	((isascii(c) && isprint(c)) ? (c) : '?')
4894 
4895 	/*
4896 	**  "by" is only accepted if DeliverByMin >= 0.
4897 	**  We maybe could add this to the list of server_features.
4898 	*/
4899 
4900 	else if (sm_strcasecmp(kp, "by") == 0 && DeliverByMin >= 0)
4901 	{
4902 		char *s;
4903 
4904 		if (vp == NULL)
4905 		{
4906 			usrerr("501 5.5.2 BY= requires a value");
4907 			/* NOTREACHED */
4908 		}
4909 		errno = 0;
4910 		e->e_deliver_by = strtol(vp, &s, 10);
4911 		if (e->e_deliver_by == LONG_MIN ||
4912 		    e->e_deliver_by == LONG_MAX ||
4913 		    e->e_deliver_by > 999999999l ||
4914 		    e->e_deliver_by < -999999999l)
4915 		{
4916 			usrerr("501 5.5.2 BY=%s out of range", vp);
4917 			/* NOTREACHED */
4918 		}
4919 		if (s == NULL || *s != ';')
4920 		{
4921 			usrerr("501 5.5.2 BY= missing ';'");
4922 			/* NOTREACHED */
4923 		}
4924 		e->e_dlvr_flag = 0;
4925 		++s;	/* XXX: spaces allowed? */
4926 		SKIP_SPACE(s);
4927 		switch (tolower(*s))
4928 		{
4929 		  case 'n':
4930 			e->e_dlvr_flag = DLVR_NOTIFY;
4931 			break;
4932 		  case 'r':
4933 			e->e_dlvr_flag = DLVR_RETURN;
4934 			if (e->e_deliver_by <= 0)
4935 			{
4936 				usrerr("501 5.5.4 mode R requires BY time > 0");
4937 				/* NOTREACHED */
4938 			}
4939 			if (DeliverByMin > 0 && e->e_deliver_by > 0 &&
4940 			    e->e_deliver_by < DeliverByMin)
4941 			{
4942 				usrerr("555 5.5.2 time %ld less than %ld",
4943 					e->e_deliver_by, (long) DeliverByMin);
4944 				/* NOTREACHED */
4945 			}
4946 			break;
4947 		  default:
4948 			usrerr("501 5.5.2 illegal by-mode '%c'", PRTCHAR(*s));
4949 			/* NOTREACHED */
4950 		}
4951 		++s;	/* XXX: spaces allowed? */
4952 		SKIP_SPACE(s);
4953 		switch (tolower(*s))
4954 		{
4955 		  case 't':
4956 			e->e_dlvr_flag |= DLVR_TRACE;
4957 			break;
4958 		  case '\0':
4959 			break;
4960 		  default:
4961 			usrerr("501 5.5.2 illegal by-trace '%c'", PRTCHAR(*s));
4962 			/* NOTREACHED */
4963 		}
4964 
4965 		/* XXX: check whether more characters follow? */
4966 	}
4967 #if _FFR_EAI
4968 	else if (sm_strcasecmp(kp, "smtputf8") == 0)
4969 	{
4970 		if (!bitset(SRV_OFFER_EAI, e->e_features))
4971 		{
4972 			usrerr("504 5.7.0 Sorry, SMTPUTF8 not supported/enabled");
4973 			/* NOTREACHED */
4974 		}
4975 		e->e_smtputf8 = true;
4976 	}
4977 #endif
4978 	else
4979 	{
4980 		usrerr("555 5.5.4 %s parameter unrecognized", kp);
4981 		/* NOTREACHED */
4982 	}
4983 }
4984 
4985 /*
4986 **  RCPT_ESMTP_ARGS -- process ESMTP arguments from RCPT line
4987 **
4988 **	Parameters:
4989 **		a -- the address corresponding to the To: parameter.
4990 **		kp -- the parameter key.
4991 **		vp -- the value of that parameter.
4992 **		e -- the envelope.
4993 **
4994 **	Returns:
4995 **		none.
4996 */
4997 
4998 void
4999 rcpt_esmtp_args(a, kp, vp, e)
5000 	ADDRESS *a;
5001 	char *kp;
5002 	char *vp;
5003 	ENVELOPE *e;
5004 {
5005 	if (sm_strcasecmp(kp, "notify") == 0)
5006 	{
5007 		char *p;
5008 
5009 		if (!bitset(SRV_OFFER_DSN, e->e_features))
5010 		{
5011 			usrerr("504 5.7.0 Sorry, NOTIFY not supported, we do not allow DSN");
5012 			/* NOTREACHED */
5013 		}
5014 		if (vp == NULL)
5015 		{
5016 			usrerr("501 5.5.2 NOTIFY requires a value");
5017 			/* NOTREACHED */
5018 		}
5019 		a->q_flags &= ~(QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY);
5020 		a->q_flags |= QHASNOTIFY;
5021 		macdefine(&e->e_macro, A_TEMP, macid("{dsn_notify}"), vp);
5022 
5023 		if (sm_strcasecmp(vp, "never") == 0)
5024 			return;
5025 		for (p = vp; p != NULL; vp = p)
5026 		{
5027 			char *s;
5028 
5029 			s = p = strchr(p, ',');
5030 			if (p != NULL)
5031 				*p++ = '\0';
5032 			if (sm_strcasecmp(vp, "success") == 0)
5033 				a->q_flags |= QPINGONSUCCESS;
5034 			else if (sm_strcasecmp(vp, "failure") == 0)
5035 				a->q_flags |= QPINGONFAILURE;
5036 			else if (sm_strcasecmp(vp, "delay") == 0)
5037 				a->q_flags |= QPINGONDELAY;
5038 			else
5039 			{
5040 				usrerr("501 5.5.4 Bad argument \"%s\"  to NOTIFY",
5041 					vp);
5042 				/* NOTREACHED */
5043 			}
5044 			if (s != NULL)
5045 				*s = ',';
5046 		}
5047 	}
5048 	else if (sm_strcasecmp(kp, "orcpt") == 0)
5049 	{
5050 		char *p;
5051 
5052 		if (!bitset(SRV_OFFER_DSN, e->e_features))
5053 		{
5054 			usrerr("504 5.7.0 Sorry, ORCPT not supported, we do not allow DSN");
5055 			/* NOTREACHED */
5056 		}
5057 		if (vp == NULL)
5058 		{
5059 			usrerr("501 5.5.2 ORCPT requires a value");
5060 			/* NOTREACHED */
5061 		}
5062 		if (a->q_orcpt != NULL)
5063 		{
5064 			usrerr("501 5.5.0 Duplicate ORCPT parameter");
5065 			/* NOTREACHED */
5066 		}
5067 		p = strchr(vp, ';');
5068 		if (p == NULL)
5069 		{
5070 			usrerr("501 5.5.4 Syntax error in ORCPT parameter value");
5071 			/* NOTREACHED */
5072 		}
5073 		*p = '\0';
5074 		if (!isatom(vp) || !xtextok(p + 1))
5075 		{
5076 			*p = ';';
5077 			usrerr("501 5.5.4 Syntax error in ORCPT parameter value");
5078 			/* NOTREACHED */
5079 		}
5080 		*p = ';';
5081 		a->q_orcpt = sm_rpool_strdup_x(e->e_rpool, vp);
5082 	}
5083 	else
5084 	{
5085 		usrerr("555 5.5.4 %s parameter unrecognized", kp);
5086 		/* NOTREACHED */
5087 	}
5088 }
5089 /*
5090 **  PRINTVRFYADDR -- print an entry in the verify queue
5091 **
5092 **	Parameters:
5093 **		a -- the address to print.
5094 **		last -- set if this is the last one.
5095 **		vrfy -- set if this is a VRFY command.
5096 **
5097 **	Returns:
5098 **		none.
5099 **
5100 **	Side Effects:
5101 **		Prints the appropriate 250 codes.
5102 */
5103 #define OFFF	(3 + 1 + 5 + 1)	/* offset in fmt: SMTP reply + enh. code */
5104 
5105 static void
5106 printvrfyaddr(a, last, vrfy)
5107 	register ADDRESS *a;
5108 	bool last;
5109 	bool vrfy;
5110 {
5111 	char fmtbuf[30];
5112 
5113 	if (vrfy && a->q_mailer != NULL &&
5114 	    !bitnset(M_VRFY250, a->q_mailer->m_flags))
5115 		(void) sm_strlcpy(fmtbuf, "252", sizeof(fmtbuf));
5116 	else
5117 		(void) sm_strlcpy(fmtbuf, "250", sizeof(fmtbuf));
5118 	fmtbuf[3] = last ? ' ' : '-';
5119 	(void) sm_strlcpy(&fmtbuf[4], "2.1.5 ", sizeof(fmtbuf) - 4);
5120 	if (a->q_fullname == NULL)
5121 	{
5122 		if ((a->q_mailer == NULL ||
5123 		     a->q_mailer->m_addrtype == NULL ||
5124 		     sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) &&
5125 		    strchr(a->q_user, '@') == NULL)
5126 			(void) sm_strlcpy(&fmtbuf[OFFF], "<%s@%s>",
5127 				       sizeof(fmtbuf) - OFFF);
5128 		else
5129 			(void) sm_strlcpy(&fmtbuf[OFFF], "<%s>",
5130 				       sizeof(fmtbuf) - OFFF);
5131 		message(fmtbuf, a->q_user, MyHostName);
5132 	}
5133 	else
5134 	{
5135 		if ((a->q_mailer == NULL ||
5136 		     a->q_mailer->m_addrtype == NULL ||
5137 		     sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) &&
5138 		    strchr(a->q_user, '@') == NULL)
5139 			(void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s@%s>",
5140 				       sizeof(fmtbuf) - OFFF);
5141 		else
5142 			(void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s>",
5143 				       sizeof(fmtbuf) - OFFF);
5144 		message(fmtbuf, a->q_fullname, a->q_user, MyHostName);
5145 	}
5146 }
5147 
5148 #if SASL
5149 /*
5150 **  SASLMECHS -- get list of possible AUTH mechanisms
5151 **
5152 **	Parameters:
5153 **		conn -- SASL connection info.
5154 **		mechlist -- output parameter for list of mechanisms.
5155 **
5156 **	Returns:
5157 **		number of mechs.
5158 */
5159 
5160 static int
5161 saslmechs(conn, mechlist)
5162 	sasl_conn_t *conn;
5163 	char **mechlist;
5164 {
5165 	int len, num, result;
5166 
5167 	/* "user" is currently unused */
5168 # if SASL >= 20000
5169 	result = sasl_listmech(conn, NULL,
5170 			       "", " ", "", (const char **) mechlist,
5171 			       (unsigned int *)&len, &num);
5172 # else /* SASL >= 20000 */
5173 	result = sasl_listmech(conn, "user", /* XXX */
5174 			       "", " ", "", mechlist,
5175 			       (unsigned int *)&len, (unsigned int *)&num);
5176 # endif /* SASL >= 20000 */
5177 	if (result != SASL_OK)
5178 	{
5179 		if (LogLevel > 9)
5180 			sm_syslog(LOG_WARNING, NOQID,
5181 				  "AUTH error: listmech=%d, num=%d",
5182 				  result, num);
5183 		num = 0;
5184 	}
5185 	if (num > 0)
5186 	{
5187 		if (LogLevel > 11)
5188 			sm_syslog(LOG_INFO, NOQID,
5189 				  "AUTH: available mech=%s, allowed mech=%s",
5190 				  *mechlist, AuthMechanisms);
5191 		*mechlist = intersect(AuthMechanisms, *mechlist, NULL);
5192 	}
5193 	else
5194 	{
5195 		*mechlist = NULL;	/* be paranoid... */
5196 		if (result == SASL_OK && LogLevel > 9)
5197 			sm_syslog(LOG_WARNING, NOQID,
5198 				  "AUTH warning: no mechanisms");
5199 	}
5200 	return num;
5201 }
5202 
5203 # if SASL >= 20000
5204 /*
5205 **  PROXY_POLICY -- define proxy policy for AUTH
5206 **
5207 **	Parameters:
5208 **		conn -- unused.
5209 **		context -- unused.
5210 **		requested_user -- authorization identity.
5211 **		rlen -- authorization identity length.
5212 **		auth_identity -- authentication identity.
5213 **		alen -- authentication identity length.
5214 **		def_realm -- default user realm.
5215 **		urlen -- user realm length.
5216 **		propctx -- unused.
5217 **
5218 **	Returns:
5219 **		ok?
5220 **
5221 **	Side Effects:
5222 **		sets {auth_authen} macro.
5223 */
5224 
5225 int
5226 proxy_policy(conn, context, requested_user, rlen, auth_identity, alen,
5227 	     def_realm, urlen, propctx)
5228 	sasl_conn_t *conn;
5229 	void *context;
5230 	const char *requested_user;
5231 	unsigned rlen;
5232 	const char *auth_identity;
5233 	unsigned alen;
5234 	const char *def_realm;
5235 	unsigned urlen;
5236 	struct propctx *propctx;
5237 {
5238 	if (auth_identity == NULL)
5239 		return SASL_FAIL;
5240 
5241 	macdefine(&BlankEnvelope.e_macro, A_TEMP,
5242 		  macid("{auth_authen}"),
5243 		  xtextify((char *) auth_identity, "=<>\")"));
5244 
5245 	return SASL_OK;
5246 }
5247 # else /* SASL >= 20000 */
5248 
5249 /*
5250 **  PROXY_POLICY -- define proxy policy for AUTH
5251 **
5252 **	Parameters:
5253 **		context -- unused.
5254 **		auth_identity -- authentication identity.
5255 **		requested_user -- authorization identity.
5256 **		user -- allowed user (output).
5257 **		errstr -- possible error string (output).
5258 **
5259 **	Returns:
5260 **		ok?
5261 */
5262 
5263 int
5264 proxy_policy(context, auth_identity, requested_user, user, errstr)
5265 	void *context;
5266 	const char *auth_identity;
5267 	const char *requested_user;
5268 	const char **user;
5269 	const char **errstr;
5270 {
5271 	if (user == NULL || auth_identity == NULL)
5272 		return SASL_FAIL;
5273 	*user = newstr(auth_identity);
5274 	return SASL_OK;
5275 }
5276 # endif /* SASL >= 20000 */
5277 #endif /* SASL */
5278 
5279 #if STARTTLS
5280 /*
5281 **  INITSRVTLS -- initialize server side TLS
5282 **
5283 **	Parameters:
5284 **		tls_ok -- should tls initialization be done?
5285 **
5286 **	Returns:
5287 **		succeeded?
5288 **
5289 **	Side Effects:
5290 **		sets tls_ok_srv which is a static variable in this module.
5291 **		Do NOT remove assignments to it!
5292 */
5293 
5294 bool
5295 initsrvtls(tls_ok)
5296 	bool tls_ok;
5297 {
5298 	if (!tls_ok)
5299 		return false;
5300 
5301 	/* do NOT remove assignment */
5302 	tls_ok_srv = inittls(&srv_ctx, TLS_Srv_Opts, Srv_SSL_Options, true,
5303 			     SrvCertFile, SrvKeyFile,
5304 			     CACertPath, CACertFile, DHParams);
5305 	return tls_ok_srv;
5306 }
5307 #endif /* STARTTLS */
5308 /*
5309 **  SRVFEATURES -- get features for SMTP server
5310 **
5311 **	Parameters:
5312 **		e -- envelope (should be session context).
5313 **		clientname -- name of client.
5314 **		features -- default features for this invocation.
5315 **
5316 **	Returns:
5317 **		server features.
5318 */
5319 
5320 /* table with options: it uses just one character, how about strings? */
5321 static struct
5322 {
5323 	char		srvf_opt;
5324 	unsigned int	srvf_flag;
5325 } srv_feat_table[] =
5326 {
5327 	{ 'A',	SRV_OFFER_AUTH	},
5328 	{ 'B',	SRV_OFFER_VERB	},
5329 	{ 'C',	SRV_REQ_SEC	},
5330 	{ 'D',	SRV_OFFER_DSN	},
5331 	{ 'E',	SRV_OFFER_ETRN	},
5332 #if _FFR_EAI
5333 	{ 'I',	SRV_OFFER_EAI	},
5334 #endif
5335 	{ 'L',	SRV_REQ_AUTH	},
5336 #if PIPELINING
5337 # if _FFR_NO_PIPE
5338 	{ 'N',	SRV_NO_PIPE	},
5339 # endif
5340 	{ 'P',	SRV_OFFER_PIPE	},
5341 #endif /* PIPELINING */
5342 	{ 'R',	SRV_VRFY_CLT	},	/* same as V; not documented */
5343 	{ 'S',	SRV_OFFER_TLS	},
5344 /*	{ 'T',	SRV_TMP_FAIL	},	*/
5345 	{ 'V',	SRV_VRFY_CLT	},
5346 	{ 'X',	SRV_OFFER_EXPN	},
5347 /*	{ 'Y',	SRV_OFFER_VRFY	},	*/
5348 	{ '\0',	SRV_NONE	}
5349 };
5350 
5351 static unsigned int
5352 srvfeatures(e, clientname, features)
5353 	ENVELOPE *e;
5354 	char *clientname;
5355 	unsigned int features;
5356 {
5357 	int r, i, j;
5358 	char **pvp, c, opt;
5359 	char pvpbuf[PSBUFSIZE];
5360 
5361 	pvp = NULL;
5362 	r = rscap("srv_features", clientname, "", e, &pvp, pvpbuf,
5363 		  sizeof(pvpbuf));
5364 	if (r != EX_OK)
5365 		return features;
5366 	if (pvp == NULL || pvp[0] == NULL || (pvp[0][0] & 0377) != CANONNET)
5367 		return features;
5368 	if (pvp[1] != NULL && sm_strncasecmp(pvp[1], "temp", 4) == 0)
5369 		return SRV_TMP_FAIL;
5370 
5371 	/*
5372 	**  General rule (see sendmail.h, d_flags):
5373 	**  lower case: required/offered, upper case: Not required/available
5374 	**
5375 	**  Since we can change some features per daemon, we have both
5376 	**  cases here: turn on/off a feature.
5377 	*/
5378 
5379 	for (i = 1; pvp[i] != NULL; i++)
5380 	{
5381 		c = pvp[i][0];
5382 		j = 0;
5383 		for (;;)
5384 		{
5385 			if ((opt = srv_feat_table[j].srvf_opt) == '\0')
5386 			{
5387 				if (LogLevel > 9)
5388 					sm_syslog(LOG_WARNING, e->e_id,
5389 						  "srvfeatures: unknown feature %s",
5390 						  pvp[i]);
5391 				break;
5392 			}
5393 			if (c == opt)
5394 			{
5395 				features &= ~(srv_feat_table[j].srvf_flag);
5396 				break;
5397 			}
5398 			if (c == tolower(opt))
5399 			{
5400 				features |= srv_feat_table[j].srvf_flag;
5401 				break;
5402 			}
5403 			++j;
5404 		}
5405 	}
5406 	return features;
5407 }
5408 
5409 /*
5410 **  HELP -- implement the HELP command.
5411 **
5412 **	Parameters:
5413 **		topic -- the topic we want help for.
5414 **		e -- envelope.
5415 **
5416 **	Returns:
5417 **		none.
5418 **
5419 **	Side Effects:
5420 **		outputs the help file to message output.
5421 */
5422 #define HELPVSTR	"#vers	"
5423 #define HELPVERSION	2
5424 
5425 void
5426 help(topic, e)
5427 	char *topic;
5428 	ENVELOPE *e;
5429 {
5430 	register SM_FILE_T *hf;
5431 	register char *p;
5432 	int len;
5433 	bool noinfo;
5434 	bool first = true;
5435 	long sff = SFF_OPENASROOT|SFF_REGONLY;
5436 	char buf[MAXLINE];
5437 	char inp[MAXLINE];
5438 	static int foundvers = -1;
5439 	extern char Version[];
5440 
5441 	if (DontLockReadFiles)
5442 		sff |= SFF_NOLOCK;
5443 	if (!bitnset(DBS_HELPFILEINUNSAFEDIRPATH, DontBlameSendmail))
5444 		sff |= SFF_SAFEDIRPATH;
5445 
5446 	if (HelpFile == NULL ||
5447 	    (hf = safefopen(HelpFile, O_RDONLY, 0444, sff)) == NULL)
5448 	{
5449 		/* no help */
5450 		errno = 0;
5451 		message("502 5.3.0 Sendmail %s -- HELP not implemented",
5452 			Version);
5453 		return;
5454 	}
5455 
5456 	if (topic == NULL || *topic == '\0')
5457 	{
5458 		topic = "smtp";
5459 		noinfo = false;
5460 	}
5461 	else
5462 	{
5463 		makelower(topic);
5464 		noinfo = true;
5465 	}
5466 
5467 	len = strlen(topic);
5468 
5469 	while (sm_io_fgets(hf, SM_TIME_DEFAULT, buf, sizeof(buf)) >= 0)
5470 	{
5471 		if (buf[0] == '#')
5472 		{
5473 			if (foundvers < 0 &&
5474 			    strncmp(buf, HELPVSTR, strlen(HELPVSTR)) == 0)
5475 			{
5476 				int h;
5477 
5478 				if (sm_io_sscanf(buf + strlen(HELPVSTR), "%d",
5479 						 &h) == 1)
5480 					foundvers = h;
5481 			}
5482 			continue;
5483 		}
5484 		if (strncmp(buf, topic, len) == 0)
5485 		{
5486 			if (first)
5487 			{
5488 				first = false;
5489 
5490 				/* print version if no/old vers# in file */
5491 				if (foundvers < 2 && !noinfo)
5492 					message("214-2.0.0 This is Sendmail version %s", Version);
5493 			}
5494 			p = strpbrk(buf, " \t");
5495 			if (p == NULL)
5496 				p = buf + strlen(buf) - 1;
5497 			else
5498 				p++;
5499 			fixcrlf(p, true);
5500 			if (foundvers >= 2)
5501 			{
5502 				char *lbp;
5503 				int lbs = sizeof(buf) - (p - buf);
5504 
5505 				lbp = translate_dollars(p, p, &lbs);
5506 				expand(lbp, inp, sizeof(inp), e);
5507 				if (p != lbp)
5508 					sm_free(lbp);
5509 				p = inp;
5510 			}
5511 			message("214-2.0.0 %s", p);
5512 			noinfo = false;
5513 		}
5514 	}
5515 
5516 	if (noinfo)
5517 		message("504 5.3.0 HELP topic \"%.10s\" unknown", topic);
5518 	else
5519 		message("214 2.0.0 End of HELP info");
5520 
5521 	if (foundvers != 0 && foundvers < HELPVERSION)
5522 	{
5523 		if (LogLevel > 1)
5524 			sm_syslog(LOG_WARNING, e->e_id,
5525 				  "%s too old (require version %d)",
5526 				  HelpFile, HELPVERSION);
5527 
5528 		/* avoid log next time */
5529 		foundvers = 0;
5530 	}
5531 
5532 	(void) sm_io_close(hf, SM_TIME_DEFAULT);
5533 }
5534 
5535 #if SASL
5536 /*
5537 **  RESET_SASLCONN -- reset SASL connection data
5538 **
5539 **	Parameters:
5540 **		conn -- SASL connection context
5541 **		hostname -- host name
5542 **		various connection data
5543 **
5544 **	Returns:
5545 **		SASL result
5546 */
5547 
5548 static int
5549 reset_saslconn(sasl_conn_t **conn, char *hostname,
5550 # if SASL >= 20000
5551 	       char *remoteip, char *localip,
5552 	       char *auth_id, sasl_ssf_t * ext_ssf)
5553 # else /* SASL >= 20000 */
5554 	       struct sockaddr_in *saddr_r, struct sockaddr_in *saddr_l,
5555 	       sasl_external_properties_t * ext_ssf)
5556 # endif /* SASL >= 20000 */
5557 {
5558 	int result;
5559 
5560 	sasl_dispose(conn);
5561 # if SASL >= 20000
5562 	result = sasl_server_new("smtp", hostname, NULL, NULL, NULL,
5563 				 NULL, 0, conn);
5564 # elif SASL > 10505
5565 	/* use empty realm: only works in SASL > 1.5.5 */
5566 	result = sasl_server_new("smtp", hostname, "", NULL, 0, conn);
5567 # else /* SASL >= 20000 */
5568 	/* use no realm -> realm is set to hostname by SASL lib */
5569 	result = sasl_server_new("smtp", hostname, NULL, NULL, 0,
5570 				 conn);
5571 # endif /* SASL >= 20000 */
5572 	if (result != SASL_OK)
5573 		return result;
5574 
5575 # if SASL >= 20000
5576 #  if NETINET || NETINET6
5577 	if (remoteip != NULL && *remoteip != '\0')
5578 		result = sasl_setprop(*conn, SASL_IPREMOTEPORT, remoteip);
5579 	if (result != SASL_OK)
5580 		return result;
5581 
5582 	if (localip != NULL && *localip != '\0')
5583 		result = sasl_setprop(*conn, SASL_IPLOCALPORT, localip);
5584 	if (result != SASL_OK)
5585 		return result;
5586 #  endif /* NETINET || NETINET6 */
5587 
5588 	result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf);
5589 	if (result != SASL_OK)
5590 		return result;
5591 
5592 	result = sasl_setprop(*conn, SASL_AUTH_EXTERNAL, auth_id);
5593 	if (result != SASL_OK)
5594 		return result;
5595 # else /* SASL >= 20000 */
5596 #  if NETINET
5597 	if (saddr_r != NULL)
5598 		result = sasl_setprop(*conn, SASL_IP_REMOTE, saddr_r);
5599 	if (result != SASL_OK)
5600 		return result;
5601 
5602 	if (saddr_l != NULL)
5603 		result = sasl_setprop(*conn, SASL_IP_LOCAL, saddr_l);
5604 	if (result != SASL_OK)
5605 		return result;
5606 #  endif /* NETINET */
5607 
5608 	result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf);
5609 	if (result != SASL_OK)
5610 		return result;
5611 # endif /* SASL >= 20000 */
5612 	return SASL_OK;
5613 }
5614 
5615 /*
5616 **  GET_SASL_USER -- extract user part from SASL reply
5617 **
5618 **	Parameters:
5619 **		val -- sasl reply (may contain NUL)
5620 **		len -- length of val
5621 **		auth_type -- auth_type (can be NULL)
5622 **		user -- output buffer for extract user
5623 **		user_len -- length of output buffer (user)
5624 **
5625 **	Returns:
5626 **		none.
5627 **
5628 **	Note: val is supplied by the client and hence may contain "bad"
5629 **		(non-printable) characters, but the returned value (user)
5630 **		is only used for logging which converts those characters.
5631 */
5632 
5633 static void
5634 get_sasl_user(val, len, auth_type, user, user_len)
5635 	char *val;
5636 	unsigned int len;
5637 	const char *auth_type;
5638 	char *user;
5639 	size_t user_len;
5640 {
5641 	unsigned int u;
5642 
5643 	SM_ASSERT(val != NULL);
5644 	SM_ASSERT(user != NULL);
5645 	SM_ASSERT(user_len > 0);
5646 
5647 	*user = '\0';
5648 	if (NULL == auth_type || '\0' == *auth_type)
5649 		return;
5650 	if (0 == len)
5651 		return;
5652 
5653 # define DIGMD5U	"username=\""
5654 # define DIGMD5U_L	(sizeof(DIGMD5U) - 1)
5655 	if (sm_strcasecmp(auth_type, "digest-md5") == 0 &&
5656 	    strncmp(val, DIGMD5U, DIGMD5U_L) == 0)
5657 	{
5658 		char *s;
5659 
5660 		val += DIGMD5U_L;
5661 		if (len <= DIGMD5U_L)
5662 			return;
5663 		len -= DIGMD5U_L;
5664 
5665 		/* format? could there be a quoted '"'? */
5666 		for (s = val, u = 0; *s != '\0' && u < len; s++)
5667 		{
5668 			if ('"' == *s)
5669 			{
5670 				*s = '\0';
5671 				break;
5672 			}
5673 			if ('\\' == *s)
5674 			{
5675 				++s;
5676 				if ('\0' == *s)
5677 					break;
5678 			}
5679 		}
5680 	}
5681 	else if (sm_strcasecmp(auth_type, "cram-md5") == 0)
5682 	{
5683 		char *s;
5684 
5685 		for (s = val, u = 0; *s != '\0' && u < len; s++)
5686 		{
5687 			if (' ' == *s)
5688 			{
5689 				*s = '\0';
5690 				break;
5691 			}
5692 		}
5693 	}
5694 
5695 	else if (sm_strcasecmp(auth_type, "plain") == 0 ||
5696 		 sm_strcasecmp(auth_type, "login") == 0)
5697 	{
5698 		/*
5699 		**  RFC 4616: The PLAIN Simple Authentication and
5700 		**	Security Layer (SASL) Mechanism
5701 		**    message   = [authzid] UTF8NUL authcid UTF8NUL passwd
5702 		**  each part: 1*SAFE ; MUST accept up to 255 octets
5703 		**  UTF8NUL   = %x00 ; UTF-8 encoded NUL character
5704 		**
5705 		**  draft-murchison-sasl-login: it's just username by its own
5706 		*/
5707 
5708 		for (u = 0; u < len; u++)
5709 		{
5710 			if (val[u] == '\0')
5711 			{
5712 				val[u] = '/';
5713 				(void) sm_strlcpy(user,
5714 						val + ((0 == u) ? 1 : 0),
5715 						user_len);
5716 				return;
5717 			}
5718 		}
5719 	}
5720 	else
5721 	{
5722 		/*
5723 		**  Extracting the "user" from other mechanisms
5724 		**  is currently not supported.
5725 		*/
5726 
5727 		return;
5728 	}
5729 
5730 	/*
5731 	**  Does the input buffer has an NUL in it so it can be treated
5732 	**  as a C string?
5733 	*/
5734 
5735 	/* SM_ASSERT(len > 0); see above */
5736 	u = len - 1;
5737 	if (val[u] != '\0')
5738 	{
5739 		for (u = 0; u < len; u++)
5740 		{
5741 			if (val[u] == '\0')
5742 				break;
5743 		}
5744 	}
5745 	if (val[u] != '\0')
5746 		user_len = SM_MIN(len, user_len);
5747 
5748 	(void) sm_strlcpy(user, val, user_len);
5749 }
5750 #endif /* SASL */
5751