xref: /freebsd/contrib/sendmail/src/srvrsmtp.c (revision bc96366c864c07ef352edb92017357917c75b36c)
1 /*
2  * Copyright (c) 1998-2010, 2012, 2013 Proofpoint, Inc. and its suppliers.
3  *	All rights reserved.
4  * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
5  * Copyright (c) 1988, 1993
6  *	The Regents of the University of California.  All rights reserved.
7  *
8  * By using this file, you agree to the terms and conditions set
9  * forth in the LICENSE file which can be found at the top level of
10  * the sendmail distribution.
11  *
12  */
13 
14 #include <sendmail.h>
15 #if MILTER
16 # include <libmilter/mfapi.h>
17 # include <libmilter/mfdef.h>
18 #endif /* MILTER */
19 
20 SM_RCSID("@(#)$Id: srvrsmtp.c,v 8.1016 2013-11-22 20:51:56 ca Exp $")
21 
22 #include <sm/time.h>
23 #include <sm/fdset.h>
24 
25 #if SASL || STARTTLS
26 # include "sfsasl.h"
27 #endif /* SASL || STARTTLS */
28 #if SASL
29 # define ENC64LEN(l)	(((l) + 2) * 4 / 3 + 1)
30 static int saslmechs __P((sasl_conn_t *, char **));
31 #endif /* SASL */
32 #if STARTTLS
33 #  include <openssl/err.h>
34 # include <sysexits.h>
35 
36 static SSL_CTX	*srv_ctx = NULL;	/* TLS server context */
37 static SSL	*srv_ssl = NULL;	/* per connection context */
38 
39 static bool	tls_ok_srv = false;
40 
41 # define TLS_VERIFY_CLIENT() tls_set_verify(srv_ctx, srv_ssl, \
42 				bitset(SRV_VRFY_CLT, features))
43 #endif /* STARTTLS */
44 
45 #if _FFR_DM_ONE
46 static bool	NotFirstDelivery = false;
47 #endif /* _FFR_DM_ONE */
48 
49 /* server features */
50 #define SRV_NONE	0x0000	/* none... */
51 #define SRV_OFFER_TLS	0x0001	/* offer STARTTLS */
52 #define SRV_VRFY_CLT	0x0002	/* request a cert */
53 #define SRV_OFFER_AUTH	0x0004	/* offer AUTH */
54 #define SRV_OFFER_ETRN	0x0008	/* offer ETRN */
55 #define SRV_OFFER_VRFY	0x0010	/* offer VRFY (not yet used) */
56 #define SRV_OFFER_EXPN	0x0020	/* offer EXPN */
57 #define SRV_OFFER_VERB	0x0040	/* offer VERB */
58 #define SRV_OFFER_DSN	0x0080	/* offer DSN */
59 #if PIPELINING
60 # define SRV_OFFER_PIPE	0x0100	/* offer PIPELINING */
61 # if _FFR_NO_PIPE
62 #  define SRV_NO_PIPE	0x0200	/* disable PIPELINING, sleep if used */
63 # endif /* _FFR_NO_PIPE */
64 #endif /* PIPELINING */
65 #define SRV_REQ_AUTH	0x0400	/* require AUTH */
66 #define SRV_REQ_SEC	0x0800	/* require security - equiv to AuthOptions=p */
67 #define SRV_TMP_FAIL	0x1000	/* ruleset caused a temporary failure */
68 
69 static unsigned int	srvfeatures __P((ENVELOPE *, char *, unsigned int));
70 
71 #define	STOP_ATTACK	((time_t) -1)
72 static time_t	checksmtpattack __P((volatile unsigned int *, unsigned int,
73 				     bool, char *, ENVELOPE *));
74 static void	printvrfyaddr __P((ADDRESS *, bool, bool));
75 static char	*skipword __P((char *volatile, char *));
76 static void	setup_smtpd_io __P((void));
77 
78 #if SASL
79 # if SASL >= 20000
80 static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
81 				char *_remoteip, char *_localip,
82 				char *_auth_id, sasl_ssf_t *_ext_ssf));
83 
84 # define RESET_SASLCONN	\
85 	do							\
86 	{							\
87 		result = reset_saslconn(&conn, AuthRealm, remoteip, \
88 					localip, auth_id, &ext_ssf); \
89 		if (result != SASL_OK)				\
90 			sasl_ok = false;			\
91 	} while (0)
92 
93 # else /* SASL >= 20000 */
94 static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
95 				struct sockaddr_in *_saddr_r,
96 				struct sockaddr_in *_saddr_l,
97 				sasl_external_properties_t *_ext_ssf));
98 # define RESET_SASLCONN	\
99 	do							\
100 	{							\
101 		result = reset_saslconn(&conn, AuthRealm, &saddr_r, \
102 					&saddr_l, &ext_ssf);	\
103 		if (result != SASL_OK)				\
104 			sasl_ok = false;			\
105 	} while (0)
106 
107 # endif /* SASL >= 20000 */
108 #endif /* SASL */
109 
110 extern ENVELOPE	BlankEnvelope;
111 
112 #define NBADRCPTS						\
113 	do							\
114 	{							\
115 		char buf[16];					\
116 		(void) sm_snprintf(buf, sizeof(buf), "%d",	\
117 			BadRcptThrottle > 0 && n_badrcpts > BadRcptThrottle \
118 				? n_badrcpts - 1 : n_badrcpts);	\
119 		macdefine(&e->e_macro, A_TEMP, macid("{nbadrcpts}"), buf); \
120 	} while (0)
121 
122 #define SKIP_SPACE(s)	while (isascii(*s) && isspace(*s))	\
123 				(s)++
124 
125 /*
126 **  PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT)
127 **
128 **	Parameters:
129 **		e -- the envelope
130 **		addr_st -- address (RCPT only)
131 **		p -- read buffer
132 **		delimptr -- current position in read buffer
133 **		which -- MAIL/RCPT
134 **		args -- arguments (output)
135 **		esmtp_args -- function to process a single ESMTP argument
136 **
137 **	Returns:
138 **		none
139 */
140 
141 void
142 parse_esmtp_args(e, addr_st, p, delimptr, which, args, esmtp_args)
143 	ENVELOPE *e;
144 	ADDRESS *addr_st;
145 	char *p;
146 	char *delimptr;
147 	char *which;
148 	char *args[];
149 	esmtp_args_F esmtp_args;
150 {
151 	int argno;
152 
153 	argno = 0;
154 	if (args != NULL)
155 		args[argno++] = p;
156 	p = delimptr;
157 	while (p != NULL && *p != '\0')
158 	{
159 		char *kp;
160 		char *vp = NULL;
161 		char *equal = NULL;
162 
163 		/* locate the beginning of the keyword */
164 		SKIP_SPACE(p);
165 		if (*p == '\0')
166 			break;
167 		kp = p;
168 
169 		/* skip to the value portion */
170 		while ((isascii(*p) && isalnum(*p)) || *p == '-')
171 			p++;
172 		if (*p == '=')
173 		{
174 			equal = p;
175 			*p++ = '\0';
176 			vp = p;
177 
178 			/* skip to the end of the value */
179 			while (*p != '\0' && *p != ' ' &&
180 			       !(isascii(*p) && iscntrl(*p)) &&
181 			       *p != '=')
182 				p++;
183 		}
184 
185 		if (*p != '\0')
186 			*p++ = '\0';
187 
188 		if (tTd(19, 1))
189 			sm_dprintf("%s: got arg %s=\"%s\"\n", which, kp,
190 				vp == NULL ? "<null>" : vp);
191 
192 		esmtp_args(addr_st, kp, vp, e);
193 		if (equal != NULL)
194 			*equal = '=';
195 		if (args != NULL)
196 			args[argno] = kp;
197 		argno++;
198 		if (argno >= MAXSMTPARGS - 1)
199 			usrerr("501 5.5.4 Too many parameters");
200 		if (Errors > 0)
201 			break;
202 	}
203 	if (args != NULL)
204 		args[argno] = NULL;
205 }
206 
207 /*
208 **  SMTP -- run the SMTP protocol.
209 **
210 **	Parameters:
211 **		nullserver -- if non-NULL, rejection message for
212 **			(almost) all SMTP commands.
213 **		d_flags -- daemon flags
214 **		e -- the envelope.
215 **
216 **	Returns:
217 **		never.
218 **
219 **	Side Effects:
220 **		Reads commands from the input channel and processes them.
221 */
222 
223 /*
224 **  Notice: The smtp server doesn't have a session context like the client
225 **	side has (mci). Therefore some data (session oriented) is allocated
226 **	or assigned to the "wrong" structure (esp. STARTTLS, AUTH).
227 **	This should be fixed in a successor version.
228 */
229 
230 struct cmd
231 {
232 	char	*cmd_name;	/* command name */
233 	int	cmd_code;	/* internal code, see below */
234 };
235 
236 /* values for cmd_code */
237 #define CMDERROR	0	/* bad command */
238 #define CMDMAIL	1	/* mail -- designate sender */
239 #define CMDRCPT	2	/* rcpt -- designate recipient */
240 #define CMDDATA	3	/* data -- send message text */
241 #define CMDRSET	4	/* rset -- reset state */
242 #define CMDVRFY	5	/* vrfy -- verify address */
243 #define CMDEXPN	6	/* expn -- expand address */
244 #define CMDNOOP	7	/* noop -- do nothing */
245 #define CMDQUIT	8	/* quit -- close connection and die */
246 #define CMDHELO	9	/* helo -- be polite */
247 #define CMDHELP	10	/* help -- give usage info */
248 #define CMDEHLO	11	/* ehlo -- extended helo (RFC 1425) */
249 #define CMDETRN	12	/* etrn -- flush queue */
250 #if SASL
251 # define CMDAUTH	13	/* auth -- SASL authenticate */
252 #endif /* SASL */
253 #if STARTTLS
254 # define CMDSTLS	14	/* STARTTLS -- start TLS session */
255 #endif /* STARTTLS */
256 /* non-standard commands */
257 #define CMDVERB	17	/* verb -- go into verbose mode */
258 /* unimplemented commands from RFC 821 */
259 #define CMDUNIMPL	19	/* unimplemented rfc821 commands */
260 /* use this to catch and log "door handle" attempts on your system */
261 #define CMDLOGBOGUS	23	/* bogus command that should be logged */
262 /* debugging-only commands, only enabled if SMTPDEBUG is defined */
263 #define CMDDBGQSHOW	24	/* showq -- show send queue */
264 #define CMDDBGDEBUG	25	/* debug -- set debug mode */
265 
266 /*
267 **  Note: If you change this list, remember to update 'helpfile'
268 */
269 
270 static struct cmd	CmdTab[] =
271 {
272 	{ "mail",	CMDMAIL		},
273 	{ "rcpt",	CMDRCPT		},
274 	{ "data",	CMDDATA		},
275 	{ "rset",	CMDRSET		},
276 	{ "vrfy",	CMDVRFY		},
277 	{ "expn",	CMDEXPN		},
278 	{ "help",	CMDHELP		},
279 	{ "noop",	CMDNOOP		},
280 	{ "quit",	CMDQUIT		},
281 	{ "helo",	CMDHELO		},
282 	{ "ehlo",	CMDEHLO		},
283 	{ "etrn",	CMDETRN		},
284 	{ "verb",	CMDVERB		},
285 	{ "send",	CMDUNIMPL	},
286 	{ "saml",	CMDUNIMPL	},
287 	{ "soml",	CMDUNIMPL	},
288 	{ "turn",	CMDUNIMPL	},
289 #if SASL
290 	{ "auth",	CMDAUTH,	},
291 #endif /* SASL */
292 #if STARTTLS
293 	{ "starttls",	CMDSTLS,	},
294 #endif /* STARTTLS */
295     /* remaining commands are here only to trap and log attempts to use them */
296 	{ "showq",	CMDDBGQSHOW	},
297 	{ "debug",	CMDDBGDEBUG	},
298 	{ "wiz",	CMDLOGBOGUS	},
299 
300 	{ NULL,		CMDERROR	}
301 };
302 
303 static char	*CurSmtpClient;		/* who's at the other end of channel */
304 
305 #ifndef MAXBADCOMMANDS
306 # define MAXBADCOMMANDS 25	/* maximum number of bad commands */
307 #endif /* ! MAXBADCOMMANDS */
308 #ifndef MAXHELOCOMMANDS
309 # define MAXHELOCOMMANDS 3	/* max HELO/EHLO commands before slowdown */
310 #endif /* ! MAXHELOCOMMANDS */
311 #ifndef MAXVRFYCOMMANDS
312 # define MAXVRFYCOMMANDS 6	/* max VRFY/EXPN commands before slowdown */
313 #endif /* ! MAXVRFYCOMMANDS */
314 #ifndef MAXETRNCOMMANDS
315 # define MAXETRNCOMMANDS 8	/* max ETRN commands before slowdown */
316 #endif /* ! MAXETRNCOMMANDS */
317 #ifndef MAXTIMEOUT
318 # define MAXTIMEOUT (4 * 60)	/* max timeout for bad commands */
319 #endif /* ! MAXTIMEOUT */
320 
321 /*
322 **  Maximum shift value to compute timeout for bad commands.
323 **  This introduces an upper limit of 2^MAXSHIFT for the timeout.
324 */
325 
326 #ifndef MAXSHIFT
327 # define MAXSHIFT 8
328 #endif /* ! MAXSHIFT */
329 #if MAXSHIFT > 31
330  ERROR _MAXSHIFT > 31 is invalid
331 #endif /* MAXSHIFT */
332 
333 
334 #if MAXBADCOMMANDS > 0
335 # define STOP_IF_ATTACK(r)	do		\
336 	{					\
337 		if ((r) == STOP_ATTACK)		\
338 			goto stopattack;	\
339 	} while (0)
340 
341 #else /* MAXBADCOMMANDS > 0 */
342 # define STOP_IF_ATTACK(r)	r
343 #endif /* MAXBADCOMMANDS > 0 */
344 
345 
346 #if SM_HEAP_CHECK
347 static SM_DEBUG_T DebugLeakSmtp = SM_DEBUG_INITIALIZER("leak_smtp",
348 	"@(#)$Debug: leak_smtp - trace memory leaks during SMTP processing $");
349 #endif /* SM_HEAP_CHECK */
350 
351 typedef struct
352 {
353 	bool		sm_gotmail;	/* mail command received */
354 	unsigned int	sm_nrcpts;	/* number of successful RCPT commands */
355 	bool		sm_discard;
356 #if MILTER
357 	bool		sm_milterize;
358 	bool		sm_milterlist;	/* any filters in the list? */
359 	milters_T	sm_milters;
360 
361 	/* e_nrcpts from envelope before recipient() call */
362 	unsigned int	sm_e_nrcpts_orig;
363 #endif /* MILTER */
364 	char		*sm_quarmsg;	/* carry quarantining across messages */
365 } SMTP_T;
366 
367 static bool	smtp_data __P((SMTP_T *, ENVELOPE *));
368 
369 #define MSG_TEMPFAIL "451 4.3.2 Please try again later"
370 
371 #if MILTER
372 # define MILTER_ABORT(e)	milter_abort((e))
373 
374 # define MILTER_REPLY(str)						\
375 	{								\
376 		int savelogusrerrs = LogUsrErrs;			\
377 									\
378 		milter_cmd_fail = true;					\
379 		switch (state)						\
380 		{							\
381 		  case SMFIR_SHUTDOWN:					\
382 			if (MilterLogLevel > 3)				\
383 			{						\
384 				sm_syslog(LOG_INFO, e->e_id,		\
385 					  "Milter: %s=%s, reject=421, errormode=4",	\
386 					  str, addr);			\
387 				LogUsrErrs = false;			\
388 			}						\
389 			{						\
390 				bool tsave = QuickAbort;		\
391 									\
392 				QuickAbort = false;			\
393 				usrerr("421 4.3.0 closing connection");	\
394 				QuickAbort = tsave;			\
395 				e->e_sendqueue = NULL;			\
396 				goto doquit;				\
397 			}						\
398 			break;						\
399 		  case SMFIR_REPLYCODE:					\
400 			if (MilterLogLevel > 3)				\
401 			{						\
402 				sm_syslog(LOG_INFO, e->e_id,		\
403 					  "Milter: %s=%s, reject=%s",	\
404 					  str, addr, response);		\
405 				LogUsrErrs = false;			\
406 			}						\
407 			if (strncmp(response, "421 ", 4) == 0		\
408 			    || strncmp(response, "421-", 4) == 0)	\
409 			{						\
410 				bool tsave = QuickAbort;		\
411 									\
412 				QuickAbort = false;			\
413 				usrerr(response);			\
414 				QuickAbort = tsave;			\
415 				e->e_sendqueue = NULL;			\
416 				goto doquit;				\
417 			}						\
418 			else						\
419 				usrerr(response);			\
420 			break;						\
421 									\
422 		  case SMFIR_REJECT:					\
423 			if (MilterLogLevel > 3)				\
424 			{						\
425 				sm_syslog(LOG_INFO, e->e_id,		\
426 					  "Milter: %s=%s, reject=550 5.7.1 Command rejected", \
427 					  str, addr);			\
428 				LogUsrErrs = false;			\
429 			}						\
430 			usrerr("550 5.7.1 Command rejected");		\
431 			break;						\
432 									\
433 		  case SMFIR_DISCARD:					\
434 			if (MilterLogLevel > 3)				\
435 				sm_syslog(LOG_INFO, e->e_id,		\
436 					  "Milter: %s=%s, discard",	\
437 					  str, addr);			\
438 			e->e_flags |= EF_DISCARD;			\
439 			milter_cmd_fail = false;			\
440 			break;						\
441 									\
442 		  case SMFIR_TEMPFAIL:					\
443 			if (MilterLogLevel > 3)				\
444 			{						\
445 				sm_syslog(LOG_INFO, e->e_id,		\
446 					  "Milter: %s=%s, reject=%s",	\
447 					  str, addr, MSG_TEMPFAIL);	\
448 				LogUsrErrs = false;			\
449 			}						\
450 			usrerr(MSG_TEMPFAIL);				\
451 			break;						\
452 		  default:						\
453 			milter_cmd_fail = false;			\
454 			break;						\
455 		}							\
456 		LogUsrErrs = savelogusrerrs;				\
457 		if (response != NULL)					\
458 			sm_free(response); /* XXX */			\
459 	}
460 
461 #else /* MILTER */
462 # define MILTER_ABORT(e)
463 #endif /* MILTER */
464 
465 /* clear all SMTP state (for HELO/EHLO/RSET) */
466 #define CLEAR_STATE(cmd)					\
467 do								\
468 {								\
469 	/* abort milter filters */				\
470 	MILTER_ABORT(e);					\
471 								\
472 	if (smtp.sm_nrcpts > 0)					\
473 	{							\
474 		logundelrcpts(e, cmd, 10, false);		\
475 		smtp.sm_nrcpts = 0;				\
476 		macdefine(&e->e_macro, A_PERM,			\
477 			  macid("{nrcpts}"), "0");		\
478 	}							\
479 								\
480 	e->e_sendqueue = NULL;					\
481 	e->e_flags |= EF_CLRQUEUE;				\
482 								\
483 	if (tTd(92, 2))						\
484 		sm_dprintf("CLEAR_STATE: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",\
485 			e->e_id, bitset(EF_LOGSENDER, e->e_flags), LogLevel);\
486 	if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))	\
487 		logsender(e, NULL);				\
488 	e->e_flags &= ~EF_LOGSENDER;				\
489 								\
490 	/* clean up a bit */					\
491 	smtp.sm_gotmail = false;				\
492 	SuprErrs = true;					\
493 	(void) dropenvelope(e, true, false);			\
494 	sm_rpool_free(e->e_rpool);				\
495 	e = newenvelope(e, CurEnv, sm_rpool_new_x(NULL));	\
496 	CurEnv = e;						\
497 	e->e_features = features;				\
498 								\
499 	/* put back discard bit */				\
500 	if (smtp.sm_discard)					\
501 		e->e_flags |= EF_DISCARD;			\
502 								\
503 	/* restore connection quarantining */			\
504 	if (smtp.sm_quarmsg == NULL)				\
505 	{							\
506 		e->e_quarmsg = NULL;				\
507 		macdefine(&e->e_macro, A_PERM,			\
508 			macid("{quarantine}"), "");		\
509 	}							\
510 	else							\
511 	{							\
512 		e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool,	\
513 						smtp.sm_quarmsg);	\
514 		macdefine(&e->e_macro, A_PERM, macid("{quarantine}"),	\
515 			  e->e_quarmsg);			\
516 	}							\
517 } while (0)
518 
519 /* sleep to flatten out connection load */
520 #define MIN_DELAY_LOG	15	/* wait before logging this again */
521 
522 /* is it worth setting the process title for 1s? */
523 #define DELAY_CONN(cmd)						\
524 	if (DelayLA > 0 && (CurrentLA = getla()) >= DelayLA)	\
525 	{							\
526 		time_t dnow;					\
527 								\
528 		sm_setproctitle(true, e,			\
529 				"%s: %s: delaying %s: load average: %d", \
530 				qid_printname(e), CurSmtpClient,	\
531 				cmd, DelayLA);	\
532 		if (LogLevel > 8 && (dnow = curtime()) > log_delay)	\
533 		{						\
534 			sm_syslog(LOG_INFO, e->e_id,		\
535 				  "delaying=%s, load average=%d >= %d",	\
536 				  cmd, CurrentLA, DelayLA);		\
537 			log_delay = dnow + MIN_DELAY_LOG;	\
538 		}						\
539 		(void) sleep(1);				\
540 		sm_setproctitle(true, e, "%s %s: %.80s",	\
541 				qid_printname(e), CurSmtpClient, inp);	\
542 	}
543 
544 static bool SevenBitInput_Saved;	/* saved version of SevenBitInput */
545 
546 void
547 smtp(nullserver, d_flags, e)
548 	char *volatile nullserver;
549 	BITMAP256 d_flags;
550 	register ENVELOPE *volatile e;
551 {
552 	register char *volatile p;
553 	register struct cmd *volatile c = NULL;
554 	char *cmd;
555 	auto ADDRESS *vrfyqueue;
556 	ADDRESS *a;
557 	volatile bool gothello;		/* helo command received */
558 	bool vrfy;			/* set if this is a vrfy command */
559 	char *volatile protocol;	/* sending protocol */
560 	char *volatile sendinghost;	/* sending hostname */
561 	char *volatile peerhostname;	/* name of SMTP peer or "localhost" */
562 	auto char *delimptr;
563 	char *id;
564 	volatile unsigned int n_badcmds = 0;	/* count of bad commands */
565 	volatile unsigned int n_badrcpts = 0;	/* number of rejected RCPT */
566 	volatile unsigned int n_verifies = 0;	/* count of VRFY/EXPN */
567 	volatile unsigned int n_etrn = 0;	/* count of ETRN */
568 	volatile unsigned int n_noop = 0;	/* count of NOOP/VERB/etc */
569 	volatile unsigned int n_helo = 0;	/* count of HELO/EHLO */
570 	bool ok;
571 	volatile bool first;
572 	volatile bool tempfail = false;
573 	volatile time_t wt;		/* timeout after too many commands */
574 	volatile time_t previous;	/* time after checksmtpattack() */
575 	volatile bool lognullconnection = true;
576 	register char *q;
577 	SMTP_T smtp;
578 	char *addr;
579 	char *greetcode = "220";
580 	char *hostname;			/* my hostname ($j) */
581 	QUEUE_CHAR *new;
582 	char *args[MAXSMTPARGS];
583 	char inp[MAXINPLINE];
584 #if MAXINPLINE < MAXLINE
585  ERROR _MAXINPLINE must NOT be less than _MAXLINE: MAXINPLINE < MAXLINE
586 #endif /* MAXINPLINE < MAXLINE */
587 	char cmdbuf[MAXLINE];
588 #if SASL
589 	sasl_conn_t *conn;
590 	volatile bool sasl_ok;
591 	volatile unsigned int n_auth = 0;	/* count of AUTH commands */
592 	bool ismore;
593 	int result;
594 	volatile int authenticating;
595 	char *user;
596 	char *in, *out2;
597 # if SASL >= 20000
598 	char *auth_id = NULL;
599 	const char *out;
600 	sasl_ssf_t ext_ssf;
601 	char localip[60], remoteip[60];
602 # else /* SASL >= 20000 */
603 	char *out;
604 	const char *errstr;
605 	sasl_external_properties_t ext_ssf;
606 	struct sockaddr_in saddr_l;
607 	struct sockaddr_in saddr_r;
608 # endif /* SASL >= 20000 */
609 	sasl_security_properties_t ssp;
610 	sasl_ssf_t *ssf;
611 	unsigned int inlen, out2len;
612 	unsigned int outlen;
613 	char *volatile auth_type;
614 	char *mechlist;
615 	volatile unsigned int n_mechs;
616 	unsigned int len;
617 #else /* SASL */
618 #endif /* SASL */
619 	int r;
620 #if STARTTLS
621 	int rfd, wfd;
622 	volatile bool tls_active = false;
623 	volatile bool smtps = bitnset(D_SMTPS, d_flags);
624 	bool saveQuickAbort;
625 	bool saveSuprErrs;
626 	time_t tlsstart;
627 #endif /* STARTTLS */
628 	volatile unsigned int features;
629 #if PIPELINING
630 # if _FFR_NO_PIPE
631 	int np_log = 0;
632 # endif /* _FFR_NO_PIPE */
633 #endif /* PIPELINING */
634 	volatile time_t log_delay = (time_t) 0;
635 #if MILTER
636 	volatile bool milter_cmd_done, milter_cmd_safe;
637 	volatile bool milter_rcpt_added, milter_cmd_fail;
638 	ADDRESS addr_st;
639 # define p_addr_st	&addr_st
640 #else /* MILTER */
641 # define p_addr_st	NULL
642 #endif /* MILTER */
643 	size_t inplen;
644 #if _FFR_BADRCPT_SHUTDOWN
645 	int n_badrcpts_adj;
646 #endif /* _FFR_BADRCPT_SHUTDOWN */
647 
648 	SevenBitInput_Saved = SevenBitInput;
649 	smtp.sm_nrcpts = 0;
650 #if MILTER
651 	smtp.sm_milterize = (nullserver == NULL);
652 	smtp.sm_milterlist = false;
653 	addr = NULL;
654 #endif /* MILTER */
655 
656 	/* setup I/O fd correctly for the SMTP server */
657 	setup_smtpd_io();
658 
659 #if SM_HEAP_CHECK
660 	if (sm_debug_active(&DebugLeakSmtp, 1))
661 	{
662 		sm_heap_newgroup();
663 		sm_dprintf("smtp() heap group #%d\n", sm_heap_group());
664 	}
665 #endif /* SM_HEAP_CHECK */
666 
667 	/* XXX the rpool should be set when e is initialized in main() */
668 	e->e_rpool = sm_rpool_new_x(NULL);
669 	e->e_macro.mac_rpool = e->e_rpool;
670 
671 	settime(e);
672 	sm_getla();
673 	peerhostname = RealHostName;
674 	if (peerhostname == NULL)
675 		peerhostname = "localhost";
676 	CurHostName = peerhostname;
677 	CurSmtpClient = macvalue('_', e);
678 	if (CurSmtpClient == NULL)
679 		CurSmtpClient = CurHostName;
680 
681 	/* check_relay may have set discard bit, save for later */
682 	smtp.sm_discard = bitset(EF_DISCARD, e->e_flags);
683 
684 #if PIPELINING
685 	/* auto-flush output when reading input */
686 	(void) sm_io_autoflush(InChannel, OutChannel);
687 #endif /* PIPELINING */
688 
689 	sm_setproctitle(true, e, "server %s startup", CurSmtpClient);
690 
691 	/* Set default features for server. */
692 	features = ((bitset(PRIV_NOETRN, PrivacyFlags) ||
693 		     bitnset(D_NOETRN, d_flags)) ? SRV_NONE : SRV_OFFER_ETRN)
694 		| (bitnset(D_AUTHREQ, d_flags) ? SRV_REQ_AUTH : SRV_NONE)
695 		| (bitset(PRIV_NOEXPN, PrivacyFlags) ? SRV_NONE
696 			: (SRV_OFFER_EXPN
697 			  | (bitset(PRIV_NOVERB, PrivacyFlags)
698 			     ? SRV_NONE : SRV_OFFER_VERB)))
699 		| ((bitset(PRIV_NORECEIPTS, PrivacyFlags) || !SendMIMEErrors)
700 			 ? SRV_NONE : SRV_OFFER_DSN)
701 #if SASL
702 		| (bitnset(D_NOAUTH, d_flags) ? SRV_NONE : SRV_OFFER_AUTH)
703 		| (bitset(SASL_SEC_NOPLAINTEXT, SASLOpts) ? SRV_REQ_SEC
704 							  : SRV_NONE)
705 #endif /* SASL */
706 #if PIPELINING
707 		| SRV_OFFER_PIPE
708 #endif /* PIPELINING */
709 #if STARTTLS
710 		| (bitnset(D_NOTLS, d_flags) ? SRV_NONE : SRV_OFFER_TLS)
711 		| (bitset(TLS_I_NO_VRFY, TLS_Srv_Opts) ? SRV_NONE
712 						       : SRV_VRFY_CLT)
713 #endif /* STARTTLS */
714 		;
715 	if (nullserver == NULL)
716 	{
717 		features = srvfeatures(e, CurSmtpClient, features);
718 		if (bitset(SRV_TMP_FAIL, features))
719 		{
720 			if (LogLevel > 4)
721 				sm_syslog(LOG_ERR, NOQID,
722 					  "ERROR: srv_features=tempfail, relay=%.100s, access temporarily disabled",
723 					  CurSmtpClient);
724 			nullserver = "450 4.3.0 Please try again later.";
725 		}
726 		else
727 		{
728 #if PIPELINING
729 # if _FFR_NO_PIPE
730 			if (bitset(SRV_NO_PIPE, features))
731 			{
732 				/* for consistency */
733 				features &= ~SRV_OFFER_PIPE;
734 			}
735 # endif /* _FFR_NO_PIPE */
736 #endif /* PIPELINING */
737 #if SASL
738 			if (bitset(SRV_REQ_SEC, features))
739 				SASLOpts |= SASL_SEC_NOPLAINTEXT;
740 			else
741 				SASLOpts &= ~SASL_SEC_NOPLAINTEXT;
742 #endif /* SASL */
743 		}
744 	}
745 	else if (strncmp(nullserver, "421 ", 4) == 0)
746 	{
747 		message(nullserver);
748 		goto doquit;
749 	}
750 
751 	e->e_features = features;
752 	hostname = macvalue('j', e);
753 #if SASL
754 	if (AuthRealm == NULL)
755 		AuthRealm = hostname;
756 	sasl_ok = bitset(SRV_OFFER_AUTH, features);
757 	n_mechs = 0;
758 	authenticating = SASL_NOT_AUTH;
759 
760 	/* SASL server new connection */
761 	if (sasl_ok)
762 	{
763 # if SASL >= 20000
764 		result = sasl_server_new("smtp", AuthRealm, NULL, NULL, NULL,
765 					 NULL, 0, &conn);
766 # elif SASL > 10505
767 		/* use empty realm: only works in SASL > 1.5.5 */
768 		result = sasl_server_new("smtp", AuthRealm, "", NULL, 0, &conn);
769 # else /* SASL >= 20000 */
770 		/* use no realm -> realm is set to hostname by SASL lib */
771 		result = sasl_server_new("smtp", AuthRealm, NULL, NULL, 0,
772 					 &conn);
773 # endif /* SASL >= 20000 */
774 		sasl_ok = result == SASL_OK;
775 		if (!sasl_ok)
776 		{
777 			if (LogLevel > 9)
778 				sm_syslog(LOG_WARNING, NOQID,
779 					  "AUTH error: sasl_server_new failed=%d",
780 					  result);
781 		}
782 	}
783 	if (sasl_ok)
784 	{
785 		/*
786 		**  SASL set properties for sasl
787 		**  set local/remote IP
788 		**  XXX Cyrus SASL v1 only supports IPv4
789 		**
790 		**  XXX where exactly are these used/required?
791 		**  Kerberos_v4
792 		*/
793 
794 # if SASL >= 20000
795 		localip[0] = remoteip[0] = '\0';
796 #  if NETINET || NETINET6
797 		in = macvalue(macid("{daemon_family}"), e);
798 		if (in != NULL && (
799 #   if NETINET6
800 		    strcmp(in, "inet6") == 0 ||
801 #   endif /* NETINET6 */
802 		    strcmp(in, "inet") == 0))
803 		{
804 			SOCKADDR_LEN_T addrsize;
805 			SOCKADDR saddr_l;
806 			SOCKADDR saddr_r;
807 
808 			addrsize = sizeof(saddr_r);
809 			if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
810 						      NULL),
811 					(struct sockaddr *) &saddr_r,
812 					&addrsize) == 0)
813 			{
814 				if (iptostring(&saddr_r, addrsize,
815 					       remoteip, sizeof(remoteip)))
816 				{
817 					sasl_setprop(conn, SASL_IPREMOTEPORT,
818 						     remoteip);
819 				}
820 				addrsize = sizeof(saddr_l);
821 				if (getsockname(sm_io_getinfo(InChannel,
822 							      SM_IO_WHAT_FD,
823 							      NULL),
824 						(struct sockaddr *) &saddr_l,
825 						&addrsize) == 0)
826 				{
827 					if (iptostring(&saddr_l, addrsize,
828 						       localip,
829 						       sizeof(localip)))
830 					{
831 						sasl_setprop(conn,
832 							     SASL_IPLOCALPORT,
833 							     localip);
834 					}
835 				}
836 			}
837 		}
838 #  endif /* NETINET || NETINET6 */
839 # else /* SASL >= 20000 */
840 #  if NETINET
841 		in = macvalue(macid("{daemon_family}"), e);
842 		if (in != NULL && strcmp(in, "inet") == 0)
843 		{
844 			SOCKADDR_LEN_T addrsize;
845 
846 			addrsize = sizeof(struct sockaddr_in);
847 			if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
848 						      NULL),
849 					(struct sockaddr *)&saddr_r,
850 					&addrsize) == 0)
851 			{
852 				sasl_setprop(conn, SASL_IP_REMOTE, &saddr_r);
853 				addrsize = sizeof(struct sockaddr_in);
854 				if (getsockname(sm_io_getinfo(InChannel,
855 							      SM_IO_WHAT_FD,
856 							      NULL),
857 						(struct sockaddr *)&saddr_l,
858 						&addrsize) == 0)
859 					sasl_setprop(conn, SASL_IP_LOCAL,
860 						     &saddr_l);
861 			}
862 		}
863 #  endif /* NETINET */
864 # endif /* SASL >= 20000 */
865 
866 		auth_type = NULL;
867 		mechlist = NULL;
868 		user = NULL;
869 # if 0
870 		macdefine(&BlankEnvelope.e_macro, A_PERM,
871 			macid("{auth_author}"), NULL);
872 # endif /* 0 */
873 
874 		/* set properties */
875 		(void) memset(&ssp, '\0', sizeof(ssp));
876 
877 		/* XXX should these be options settable via .cf ? */
878 		/* ssp.min_ssf = 0; is default due to memset() */
879 		ssp.max_ssf = MaxSLBits;
880 		ssp.maxbufsize = MAXOUTLEN;
881 		ssp.security_flags = SASLOpts & SASL_SEC_MASK;
882 		sasl_ok = sasl_setprop(conn, SASL_SEC_PROPS, &ssp) == SASL_OK;
883 
884 		if (sasl_ok)
885 		{
886 			/*
887 			**  external security strength factor;
888 			**	currently we have none so zero
889 			*/
890 
891 # if SASL >= 20000
892 			ext_ssf = 0;
893 			auth_id = NULL;
894 			sasl_ok = ((sasl_setprop(conn, SASL_SSF_EXTERNAL,
895 						 &ext_ssf) == SASL_OK) &&
896 				   (sasl_setprop(conn, SASL_AUTH_EXTERNAL,
897 						 auth_id) == SASL_OK));
898 # else /* SASL >= 20000 */
899 			ext_ssf.ssf = 0;
900 			ext_ssf.auth_id = NULL;
901 			sasl_ok = sasl_setprop(conn, SASL_SSF_EXTERNAL,
902 					       &ext_ssf) == SASL_OK;
903 # endif /* SASL >= 20000 */
904 		}
905 		if (sasl_ok)
906 			n_mechs = saslmechs(conn, &mechlist);
907 	}
908 #endif /* SASL */
909 
910 #if STARTTLS
911 
912 
913 	set_tls_rd_tmo(TimeOuts.to_nextcommand);
914 #endif /* STARTTLS */
915 
916 #if MILTER
917 	if (smtp.sm_milterize)
918 	{
919 		char state;
920 
921 		/* initialize mail filter connection */
922 		smtp.sm_milterlist = milter_init(e, &state, &smtp.sm_milters);
923 		switch (state)
924 		{
925 		  case SMFIR_REJECT:
926 			if (MilterLogLevel > 3)
927 				sm_syslog(LOG_INFO, e->e_id,
928 					  "Milter: initialization failed, rejecting commands");
929 			greetcode = "554";
930 			nullserver = "Command rejected";
931 			smtp.sm_milterize = false;
932 			break;
933 
934 		  case SMFIR_TEMPFAIL:
935 			if (MilterLogLevel > 3)
936 				sm_syslog(LOG_INFO, e->e_id,
937 					  "Milter: initialization failed, temp failing commands");
938 			tempfail = true;
939 			smtp.sm_milterize = false;
940 			break;
941 
942 		  case SMFIR_SHUTDOWN:
943 			if (MilterLogLevel > 3)
944 				sm_syslog(LOG_INFO, e->e_id,
945 					  "Milter: initialization failed, closing connection");
946 			tempfail = true;
947 			smtp.sm_milterize = false;
948 			message("421 4.7.0 %s closing connection",
949 					MyHostName);
950 
951 			/* arrange to ignore send list */
952 			e->e_sendqueue = NULL;
953 			lognullconnection = false;
954 			goto doquit;
955 		}
956 	}
957 
958 	if (smtp.sm_milterlist && smtp.sm_milterize &&
959 	    !bitset(EF_DISCARD, e->e_flags))
960 	{
961 		char state;
962 		char *response;
963 
964 		q = macvalue(macid("{client_name}"), e);
965 		SM_ASSERT(q != NULL || OpMode == MD_SMTP);
966 		if (q == NULL)
967 			q = "localhost";
968 		response = milter_connect(q, RealHostAddr, e, &state);
969 		switch (state)
970 		{
971 		  case SMFIR_REPLYCODE:	/* REPLYCODE shouldn't happen */
972 		  case SMFIR_REJECT:
973 			if (MilterLogLevel > 3)
974 				sm_syslog(LOG_INFO, e->e_id,
975 					  "Milter: connect: host=%s, addr=%s, rejecting commands",
976 					  peerhostname,
977 					  anynet_ntoa(&RealHostAddr));
978 			greetcode = "554";
979 			nullserver = "Command rejected";
980 			smtp.sm_milterize = false;
981 			break;
982 
983 		  case SMFIR_TEMPFAIL:
984 			if (MilterLogLevel > 3)
985 				sm_syslog(LOG_INFO, e->e_id,
986 					  "Milter: connect: host=%s, addr=%s, temp failing commands",
987 					  peerhostname,
988 					  anynet_ntoa(&RealHostAddr));
989 			tempfail = true;
990 			smtp.sm_milterize = false;
991 			break;
992 
993 		  case SMFIR_SHUTDOWN:
994 			if (MilterLogLevel > 3)
995 				sm_syslog(LOG_INFO, e->e_id,
996 					  "Milter: connect: host=%s, addr=%s, shutdown",
997 					  peerhostname,
998 					  anynet_ntoa(&RealHostAddr));
999 			tempfail = true;
1000 			smtp.sm_milterize = false;
1001 			message("421 4.7.0 %s closing connection",
1002 					MyHostName);
1003 
1004 			/* arrange to ignore send list */
1005 			e->e_sendqueue = NULL;
1006 			goto doquit;
1007 		}
1008 		if (response != NULL)
1009 			sm_free(response); /* XXX */
1010 	}
1011 #endif /* MILTER */
1012 
1013 	/*
1014 	**  Broken proxies and SMTP slammers
1015 	**  push data without waiting, catch them
1016 	*/
1017 
1018 	if (
1019 #if STARTTLS
1020 	    !smtps &&
1021 #endif /* STARTTLS */
1022 	    *greetcode == '2' && nullserver == NULL)
1023 	{
1024 		time_t msecs = 0;
1025 		char **pvp;
1026 		char pvpbuf[PSBUFSIZE];
1027 
1028 		/* Ask the rulesets how long to pause */
1029 		pvp = NULL;
1030 		r = rscap("greet_pause", peerhostname,
1031 			  anynet_ntoa(&RealHostAddr), e,
1032 			  &pvp, pvpbuf, sizeof(pvpbuf));
1033 		if (r == EX_OK && pvp != NULL && pvp[0] != NULL &&
1034 		    (pvp[0][0] & 0377) == CANONNET && pvp[1] != NULL)
1035 		{
1036 			msecs = strtol(pvp[1], NULL, 10);
1037 		}
1038 
1039 		if (msecs > 0)
1040 		{
1041 			int fd;
1042 			fd_set readfds;
1043 			struct timeval timeout;
1044 			struct timeval bp, ep, tp; /* {begin,end,total}pause */
1045 			int eoftest;
1046 
1047 			/* pause for a moment */
1048 			timeout.tv_sec = msecs / 1000;
1049 			timeout.tv_usec = (msecs % 1000) * 1000;
1050 
1051 			/* Obey RFC 2821: 4.3.5.2: 220 timeout of 5 minutes */
1052 			if (timeout.tv_sec >= 300)
1053 			{
1054 				timeout.tv_sec = 300;
1055 				timeout.tv_usec = 0;
1056 			}
1057 
1058 			/* check if data is on the socket during the pause */
1059 			fd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
1060 			FD_ZERO(&readfds);
1061 			SM_FD_SET(fd, &readfds);
1062 			gettimeofday(&bp, NULL);
1063 			if (select(fd + 1, FDSET_CAST &readfds,
1064 			    NULL, NULL, &timeout) > 0 &&
1065 			    FD_ISSET(fd, &readfds) &&
1066 			    (eoftest = sm_io_getc(InChannel, SM_TIME_DEFAULT))
1067 			    != SM_IO_EOF)
1068 			{
1069 				sm_io_ungetc(InChannel, SM_TIME_DEFAULT,
1070 					     eoftest);
1071 				gettimeofday(&ep, NULL);
1072 				timersub(&ep, &bp, &tp);
1073 				greetcode = "554";
1074 				nullserver = "Command rejected";
1075 				sm_syslog(LOG_INFO, e->e_id,
1076 					  "rejecting commands from %s [%s] due to pre-greeting traffic after %d seconds",
1077 					  peerhostname,
1078 					  anynet_ntoa(&RealHostAddr),
1079 					  (int) tp.tv_sec +
1080 						(tp.tv_usec >= 500000 ? 1 : 0)
1081 					 );
1082 			}
1083 		}
1084 	}
1085 
1086 #if STARTTLS
1087 	/* If this an smtps connection, start TLS now */
1088 	if (smtps)
1089 	{
1090 		Errors = 0;
1091 		goto starttls;
1092 	}
1093 
1094   greeting:
1095 
1096 #endif /* STARTTLS */
1097 
1098 	/* output the first line, inserting "ESMTP" as second word */
1099 	if (*greetcode == '5')
1100 		(void) sm_snprintf(inp, sizeof(inp),
1101 				"%s not accepting messages", hostname);
1102 	else
1103 		expand(SmtpGreeting, inp, sizeof(inp), e);
1104 
1105 	p = strchr(inp, '\n');
1106 	if (p != NULL)
1107 		*p++ = '\0';
1108 	id = strchr(inp, ' ');
1109 	if (id == NULL)
1110 		id = &inp[strlen(inp)];
1111 	if (p == NULL)
1112 		(void) sm_snprintf(cmdbuf, sizeof(cmdbuf),
1113 			 "%s %%.*s ESMTP%%s", greetcode);
1114 	else
1115 		(void) sm_snprintf(cmdbuf, sizeof(cmdbuf),
1116 			 "%s-%%.*s ESMTP%%s", greetcode);
1117 	message(cmdbuf, (int) (id - inp), inp, id);
1118 
1119 	/* output remaining lines */
1120 	while ((id = p) != NULL && (p = strchr(id, '\n')) != NULL)
1121 	{
1122 		*p++ = '\0';
1123 		if (isascii(*id) && isspace(*id))
1124 			id++;
1125 		(void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, "-%s");
1126 		message(cmdbuf, id);
1127 	}
1128 	if (id != NULL)
1129 	{
1130 		if (isascii(*id) && isspace(*id))
1131 			id++;
1132 		(void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, " %s");
1133 		message(cmdbuf, id);
1134 	}
1135 
1136 	protocol = NULL;
1137 	sendinghost = macvalue('s', e);
1138 
1139 	/* If quarantining by a connect/ehlo action, save between messages */
1140 	if (e->e_quarmsg == NULL)
1141 		smtp.sm_quarmsg = NULL;
1142 	else
1143 		smtp.sm_quarmsg = newstr(e->e_quarmsg);
1144 
1145 	/* sendinghost's storage must outlive the current envelope */
1146 	if (sendinghost != NULL)
1147 		sendinghost = sm_strdup_x(sendinghost);
1148 	first = true;
1149 	gothello = false;
1150 	smtp.sm_gotmail = false;
1151 	for (;;)
1152 	{
1153 	    SM_TRY
1154 	    {
1155 		QuickAbort = false;
1156 		HoldErrs = false;
1157 		SuprErrs = false;
1158 		LogUsrErrs = false;
1159 		OnlyOneError = true;
1160 		e->e_flags &= ~(EF_VRFYONLY|EF_GLOBALERRS);
1161 #if MILTER
1162 		milter_cmd_fail = false;
1163 #endif /* MILTER */
1164 
1165 		/* setup for the read */
1166 		e->e_to = NULL;
1167 		Errors = 0;
1168 		FileName = NULL;
1169 		(void) sm_io_flush(smioout, SM_TIME_DEFAULT);
1170 
1171 		/* read the input line */
1172 		SmtpPhase = "server cmd read";
1173 		sm_setproctitle(true, e, "server %s cmd read", CurSmtpClient);
1174 
1175 		/* handle errors */
1176 		if (sm_io_error(OutChannel) ||
1177 		    (p = sfgets(inp, sizeof(inp), InChannel,
1178 				TimeOuts.to_nextcommand, SmtpPhase)) == NULL)
1179 		{
1180 			char *d;
1181 
1182 			d = macvalue(macid("{daemon_name}"), e);
1183 			if (d == NULL)
1184 				d = "stdin";
1185 			/* end of file, just die */
1186 			disconnect(1, e);
1187 
1188 #if MILTER
1189 			/* close out milter filters */
1190 			milter_quit(e);
1191 #endif /* MILTER */
1192 
1193 			message("421 4.4.1 %s Lost input channel from %s",
1194 				MyHostName, CurSmtpClient);
1195 			if (LogLevel > (smtp.sm_gotmail ? 1 : 19))
1196 				sm_syslog(LOG_NOTICE, e->e_id,
1197 					  "lost input channel from %s to %s after %s",
1198 					  CurSmtpClient, d,
1199 					  (c == NULL || c->cmd_name == NULL) ? "startup" : c->cmd_name);
1200 			/*
1201 			**  If have not accepted mail (DATA), do not bounce
1202 			**  bad addresses back to sender.
1203 			*/
1204 
1205 			if (bitset(EF_CLRQUEUE, e->e_flags))
1206 				e->e_sendqueue = NULL;
1207 			goto doquit;
1208 		}
1209 
1210 		/* also used by "proxy" check below */
1211 		inplen = strlen(inp);
1212 #if SASL
1213 		/*
1214 		**  SMTP AUTH requires accepting any length,
1215 		**  at least for challenge/response. However, not imposing
1216 		**  a limit is a bad idea (denial of service).
1217 		*/
1218 
1219 		if (authenticating != SASL_PROC_AUTH
1220 		    && sm_strncasecmp(inp, "AUTH ", 5) != 0
1221 		    && inplen > MAXLINE)
1222 		{
1223 			message("421 4.7.0 %s Command too long, possible attack %s",
1224 				MyHostName, CurSmtpClient);
1225 			sm_syslog(LOG_INFO, e->e_id,
1226 				  "%s: SMTP violation, input too long: %lu",
1227 				  CurSmtpClient, (unsigned long) inplen);
1228 			goto doquit;
1229 		}
1230 #endif /* SASL */
1231 
1232 		if (first)
1233 		{
1234 			size_t cmdlen;
1235 			int idx;
1236 			char *http_cmd;
1237 			static char *http_cmds[] = { "GET", "POST",
1238 						     "CONNECT", "USER", NULL };
1239 
1240 			for (idx = 0; (http_cmd = http_cmds[idx]) != NULL;
1241 			     idx++)
1242 			{
1243 				cmdlen = strlen(http_cmd);
1244 				if (cmdlen < inplen &&
1245 				    sm_strncasecmp(inp, http_cmd, cmdlen) == 0 &&
1246 				    isascii(inp[cmdlen]) && isspace(inp[cmdlen]))
1247 				{
1248 					/* Open proxy, drop it */
1249 					message("421 4.7.0 %s Rejecting open proxy %s",
1250 						MyHostName, CurSmtpClient);
1251 					sm_syslog(LOG_INFO, e->e_id,
1252 						  "%s: probable open proxy: command=%.40s",
1253 						  CurSmtpClient, inp);
1254 					goto doquit;
1255 				}
1256 			}
1257 			first = false;
1258 		}
1259 
1260 		/* clean up end of line */
1261 		fixcrlf(inp, true);
1262 
1263 #if PIPELINING
1264 # if _FFR_NO_PIPE
1265 		/*
1266 		**  if there is more input and pipelining is disabled:
1267 		**	delay ... (and maybe discard the input?)
1268 		**  XXX this doesn't really work, at least in tests using
1269 		**  telnet SM_IO_IS_READABLE only returns 1 if there were
1270 		**  more than 2 input lines available.
1271 		*/
1272 
1273 		if (bitset(SRV_NO_PIPE, features) &&
1274 		    sm_io_getinfo(InChannel, SM_IO_IS_READABLE, NULL) > 0)
1275 		{
1276 			if (++np_log < 3)
1277 				sm_syslog(LOG_INFO, NOQID,
1278 					  "unauthorized PIPELINING, sleeping, relay=%.100s",
1279 					   CurSmtpClient);
1280 			sleep(1);
1281 		}
1282 
1283 # endif /* _FFR_NO_PIPE */
1284 #endif /* PIPELINING */
1285 
1286 #if SASL
1287 		if (authenticating == SASL_PROC_AUTH)
1288 		{
1289 # if 0
1290 			if (*inp == '\0')
1291 			{
1292 				authenticating = SASL_NOT_AUTH;
1293 				message("501 5.5.2 missing input");
1294 				RESET_SASLCONN;
1295 				continue;
1296 			}
1297 # endif /* 0 */
1298 			if (*inp == '*' && *(inp + 1) == '\0')
1299 			{
1300 				authenticating = SASL_NOT_AUTH;
1301 
1302 				/* RFC 2554 4. */
1303 				message("501 5.0.0 AUTH aborted");
1304 				RESET_SASLCONN;
1305 				continue;
1306 			}
1307 
1308 			/* could this be shorter? XXX */
1309 # if SASL >= 20000
1310 			in = xalloc(strlen(inp) + 1);
1311 			result = sasl_decode64(inp, strlen(inp), in,
1312 					       strlen(inp), &inlen);
1313 # else /* SASL >= 20000 */
1314 			out = xalloc(strlen(inp));
1315 			result = sasl_decode64(inp, strlen(inp), out, &outlen);
1316 # endif /* SASL >= 20000 */
1317 			if (result != SASL_OK)
1318 			{
1319 				authenticating = SASL_NOT_AUTH;
1320 
1321 				/* RFC 2554 4. */
1322 				message("501 5.5.4 cannot decode AUTH parameter %s",
1323 					inp);
1324 # if SASL >= 20000
1325 				sm_free(in);
1326 # endif /* SASL >= 20000 */
1327 				RESET_SASLCONN;
1328 				continue;
1329 			}
1330 
1331 # if SASL >= 20000
1332 			result = sasl_server_step(conn,	in, inlen,
1333 						  &out, &outlen);
1334 			sm_free(in);
1335 # else /* SASL >= 20000 */
1336 			result = sasl_server_step(conn,	out, outlen,
1337 						  &out, &outlen, &errstr);
1338 # endif /* SASL >= 20000 */
1339 
1340 			/* get an OK if we're done */
1341 			if (result == SASL_OK)
1342 			{
1343   authenticated:
1344 				message("235 2.0.0 OK Authenticated");
1345 				authenticating = SASL_IS_AUTH;
1346 				macdefine(&BlankEnvelope.e_macro, A_TEMP,
1347 					macid("{auth_type}"), auth_type);
1348 
1349 # if SASL >= 20000
1350 				user = macvalue(macid("{auth_authen}"), e);
1351 
1352 				/* get security strength (features) */
1353 				result = sasl_getprop(conn, SASL_SSF,
1354 						      (const void **) &ssf);
1355 # else /* SASL >= 20000 */
1356 				result = sasl_getprop(conn, SASL_USERNAME,
1357 						      (void **)&user);
1358 				if (result != SASL_OK)
1359 				{
1360 					user = "";
1361 					macdefine(&BlankEnvelope.e_macro,
1362 						  A_PERM,
1363 						  macid("{auth_authen}"), NULL);
1364 				}
1365 				else
1366 				{
1367 					macdefine(&BlankEnvelope.e_macro,
1368 						  A_TEMP,
1369 						  macid("{auth_authen}"),
1370 						  xtextify(user, "<>\")"));
1371 				}
1372 
1373 # if 0
1374 				/* get realm? */
1375 				sasl_getprop(conn, SASL_REALM, (void **) &data);
1376 # endif /* 0 */
1377 
1378 				/* get security strength (features) */
1379 				result = sasl_getprop(conn, SASL_SSF,
1380 						      (void **) &ssf);
1381 # endif /* SASL >= 20000 */
1382 				if (result != SASL_OK)
1383 				{
1384 					macdefine(&BlankEnvelope.e_macro,
1385 						  A_PERM,
1386 						  macid("{auth_ssf}"), "0");
1387 					ssf = NULL;
1388 				}
1389 				else
1390 				{
1391 					char pbuf[8];
1392 
1393 					(void) sm_snprintf(pbuf, sizeof(pbuf),
1394 							   "%u", *ssf);
1395 					macdefine(&BlankEnvelope.e_macro,
1396 						  A_TEMP,
1397 						  macid("{auth_ssf}"), pbuf);
1398 					if (tTd(95, 8))
1399 						sm_dprintf("AUTH auth_ssf: %u\n",
1400 							   *ssf);
1401 				}
1402 
1403 				/*
1404 				**  Only switch to encrypted connection
1405 				**  if a security layer has been negotiated
1406 				*/
1407 
1408 				if (ssf != NULL && *ssf > 0)
1409 				{
1410 					int tmo;
1411 
1412 					/*
1413 					**  Convert I/O layer to use SASL.
1414 					**  If the call fails, the connection
1415 					**  is aborted.
1416 					*/
1417 
1418 					tmo = TimeOuts.to_datablock * 1000;
1419 					if (sfdcsasl(&InChannel, &OutChannel,
1420 						     conn, tmo) == 0)
1421 					{
1422 						/* restart dialogue */
1423 						n_helo = 0;
1424 # if PIPELINING
1425 						(void) sm_io_autoflush(InChannel,
1426 								       OutChannel);
1427 # endif /* PIPELINING */
1428 					}
1429 					else
1430 						syserr("503 5.3.3 SASL TLS failed");
1431 				}
1432 
1433 				/* NULL pointer ok since it's our function */
1434 				if (LogLevel > 8)
1435 					sm_syslog(LOG_INFO, NOQID,
1436 						  "AUTH=server, relay=%s, authid=%.128s, mech=%.16s, bits=%d",
1437 						  CurSmtpClient,
1438 						  shortenstring(user, 128),
1439 						  auth_type, *ssf);
1440 			}
1441 			else if (result == SASL_CONTINUE)
1442 			{
1443 				len = ENC64LEN(outlen);
1444 				out2 = xalloc(len);
1445 				result = sasl_encode64(out, outlen, out2, len,
1446 						       &out2len);
1447 				if (result != SASL_OK)
1448 				{
1449 					/* correct code? XXX */
1450 					/* 454 Temp. authentication failure */
1451 					message("454 4.5.4 Internal error: unable to encode64");
1452 					if (LogLevel > 5)
1453 						sm_syslog(LOG_WARNING, e->e_id,
1454 							  "AUTH encode64 error [%d for \"%s\"], relay=%.100s",
1455 							  result, out,
1456 							  CurSmtpClient);
1457 					/* start over? */
1458 					authenticating = SASL_NOT_AUTH;
1459 				}
1460 				else
1461 				{
1462 					message("334 %s", out2);
1463 					if (tTd(95, 2))
1464 						sm_dprintf("AUTH continue: msg='%s' len=%u\n",
1465 							   out2, out2len);
1466 				}
1467 # if SASL >= 20000
1468 				sm_free(out2);
1469 # endif /* SASL >= 20000 */
1470 			}
1471 			else
1472 			{
1473 				/* not SASL_OK or SASL_CONT */
1474 				message("535 5.7.0 authentication failed");
1475 				if (LogLevel > 9)
1476 					sm_syslog(LOG_WARNING, e->e_id,
1477 						  "AUTH failure (%s): %s (%d) %s, relay=%.100s",
1478 						  auth_type,
1479 						  sasl_errstring(result, NULL,
1480 								 NULL),
1481 						  result,
1482 # if SASL >= 20000
1483 						  sasl_errdetail(conn),
1484 # else /* SASL >= 20000 */
1485 						  errstr == NULL ? "" : errstr,
1486 # endif /* SASL >= 20000 */
1487 						  CurSmtpClient);
1488 				RESET_SASLCONN;
1489 				authenticating = SASL_NOT_AUTH;
1490 			}
1491 		}
1492 		else
1493 		{
1494 			/* don't want to do any of this if authenticating */
1495 #endif /* SASL */
1496 
1497 		/* echo command to transcript */
1498 		if (e->e_xfp != NULL)
1499 			(void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
1500 					     "<<< %s\n", inp);
1501 
1502 		if (LogLevel > 14)
1503 			sm_syslog(LOG_INFO, e->e_id, "<-- %s", inp);
1504 
1505 		/* break off command */
1506 		for (p = inp; isascii(*p) && isspace(*p); p++)
1507 			continue;
1508 		cmd = cmdbuf;
1509 		while (*p != '\0' &&
1510 		       !(isascii(*p) && isspace(*p)) &&
1511 		       cmd < &cmdbuf[sizeof(cmdbuf) - 2])
1512 			*cmd++ = *p++;
1513 		*cmd = '\0';
1514 
1515 		/* throw away leading whitespace */
1516 		SKIP_SPACE(p);
1517 
1518 		/* decode command */
1519 		for (c = CmdTab; c->cmd_name != NULL; c++)
1520 		{
1521 			if (sm_strcasecmp(c->cmd_name, cmdbuf) == 0)
1522 				break;
1523 		}
1524 
1525 		/* reset errors */
1526 		errno = 0;
1527 
1528 		/* check whether a "non-null" command has been used */
1529 		switch (c->cmd_code)
1530 		{
1531 #if SASL
1532 		  case CMDAUTH:
1533 			/* avoid information leak; take first two words? */
1534 			q = "AUTH";
1535 			break;
1536 #endif /* SASL */
1537 
1538 		  case CMDMAIL:
1539 		  case CMDEXPN:
1540 		  case CMDVRFY:
1541 		  case CMDETRN:
1542 			lognullconnection = false;
1543 			/* FALLTHROUGH */
1544 		  default:
1545 			q = inp;
1546 			break;
1547 		}
1548 
1549 		if (e->e_id == NULL)
1550 			sm_setproctitle(true, e, "%s: %.80s",
1551 					CurSmtpClient, q);
1552 		else
1553 			sm_setproctitle(true, e, "%s %s: %.80s",
1554 					qid_printname(e),
1555 					CurSmtpClient, q);
1556 
1557 		/*
1558 		**  Process command.
1559 		**
1560 		**	If we are running as a null server, return 550
1561 		**	to almost everything.
1562 		*/
1563 
1564 		if (nullserver != NULL || bitnset(D_ETRNONLY, d_flags))
1565 		{
1566 			switch (c->cmd_code)
1567 			{
1568 			  case CMDQUIT:
1569 			  case CMDHELO:
1570 			  case CMDEHLO:
1571 			  case CMDNOOP:
1572 			  case CMDRSET:
1573 			  case CMDERROR:
1574 				/* process normally */
1575 				break;
1576 
1577 			  case CMDETRN:
1578 				if (bitnset(D_ETRNONLY, d_flags) &&
1579 				    nullserver == NULL)
1580 					break;
1581 				DELAY_CONN("ETRN");
1582 				/* FALLTHROUGH */
1583 
1584 			  default:
1585 #if MAXBADCOMMANDS > 0
1586 				/* theoretically this could overflow */
1587 				if (nullserver != NULL &&
1588 				    ++n_badcmds > MAXBADCOMMANDS)
1589 				{
1590 					message("421 4.7.0 %s Too many bad commands; closing connection",
1591 						MyHostName);
1592 
1593 					/* arrange to ignore send list */
1594 					e->e_sendqueue = NULL;
1595 					goto doquit;
1596 				}
1597 #endif /* MAXBADCOMMANDS > 0 */
1598 				if (nullserver != NULL)
1599 				{
1600 					if (ISSMTPREPLY(nullserver))
1601 						usrerr(nullserver);
1602 					else
1603 						usrerr("550 5.0.0 %s",
1604 						       nullserver);
1605 				}
1606 				else
1607 					usrerr("452 4.4.5 Insufficient disk space; try again later");
1608 				continue;
1609 			}
1610 		}
1611 
1612 		switch (c->cmd_code)
1613 		{
1614 #if SASL
1615 		  case CMDAUTH: /* sasl */
1616 			DELAY_CONN("AUTH");
1617 			if (!sasl_ok || n_mechs <= 0)
1618 			{
1619 				message("503 5.3.3 AUTH not available");
1620 				break;
1621 			}
1622 			if (authenticating == SASL_IS_AUTH)
1623 			{
1624 				message("503 5.5.0 Already Authenticated");
1625 				break;
1626 			}
1627 			if (smtp.sm_gotmail)
1628 			{
1629 				message("503 5.5.0 AUTH not permitted during a mail transaction");
1630 				break;
1631 			}
1632 			if (tempfail)
1633 			{
1634 				if (LogLevel > 9)
1635 					sm_syslog(LOG_INFO, e->e_id,
1636 						  "SMTP AUTH command (%.100s) from %s tempfailed (due to previous checks)",
1637 						  p, CurSmtpClient);
1638 				usrerr("454 4.3.0 Please try again later");
1639 				break;
1640 			}
1641 
1642 			ismore = false;
1643 
1644 			/* crude way to avoid crack attempts */
1645 			STOP_IF_ATTACK(checksmtpattack(&n_auth, n_mechs + 1,
1646 							true, "AUTH", e));
1647 
1648 			/* make sure mechanism (p) is a valid string */
1649 			for (q = p; *q != '\0' && isascii(*q); q++)
1650 			{
1651 				if (isspace(*q))
1652 				{
1653 					*q = '\0';
1654 					while (*++q != '\0' &&
1655 					       isascii(*q) && isspace(*q))
1656 						continue;
1657 					*(q - 1) = '\0';
1658 					ismore = (*q != '\0');
1659 					break;
1660 				}
1661 			}
1662 
1663 			if (*p == '\0')
1664 			{
1665 				message("501 5.5.2 AUTH mechanism must be specified");
1666 				break;
1667 			}
1668 
1669 			/* check whether mechanism is available */
1670 			if (iteminlist(p, mechlist, " ") == NULL)
1671 			{
1672 				message("504 5.3.3 AUTH mechanism %.32s not available",
1673 					p);
1674 				break;
1675 			}
1676 
1677 			/*
1678 			**  RFC 2554 4.
1679 			**  Unlike a zero-length client answer to a
1680 			**  334 reply, a zero- length initial response
1681 			**  is sent as a single equals sign ("=").
1682 			*/
1683 
1684 			if (ismore && *q == '=' && *(q + 1) == '\0')
1685 			{
1686 				/* will be free()d, don't use in=""; */
1687 				in = xalloc(1);
1688 				*in = '\0';
1689 				inlen = 0;
1690 			}
1691 			else if (ismore)
1692 			{
1693 				/* could this be shorter? XXX */
1694 # if SASL >= 20000
1695 				in = xalloc(strlen(q) + 1);
1696 				result = sasl_decode64(q, strlen(q), in,
1697 						       strlen(q), &inlen);
1698 # else /* SASL >= 20000 */
1699 				in = sm_rpool_malloc(e->e_rpool, strlen(q));
1700 				result = sasl_decode64(q, strlen(q), in,
1701 						       &inlen);
1702 # endif /* SASL >= 20000 */
1703 				if (result != SASL_OK)
1704 				{
1705 					message("501 5.5.4 cannot BASE64 decode '%s'",
1706 						q);
1707 					if (LogLevel > 5)
1708 						sm_syslog(LOG_WARNING, e->e_id,
1709 							  "AUTH decode64 error [%d for \"%s\"], relay=%.100s",
1710 							  result, q,
1711 							  CurSmtpClient);
1712 					/* start over? */
1713 					authenticating = SASL_NOT_AUTH;
1714 # if SASL >= 20000
1715 					sm_free(in);
1716 # endif /* SASL >= 20000 */
1717 					in = NULL;
1718 					inlen = 0;
1719 					break;
1720 				}
1721 			}
1722 			else
1723 			{
1724 				in = NULL;
1725 				inlen = 0;
1726 			}
1727 
1728 			/* see if that auth type exists */
1729 # if SASL >= 20000
1730 			result = sasl_server_start(conn, p, in, inlen,
1731 						   &out, &outlen);
1732 			if (in != NULL)
1733 				sm_free(in);
1734 # else /* SASL >= 20000 */
1735 			result = sasl_server_start(conn, p, in, inlen,
1736 						   &out, &outlen, &errstr);
1737 # endif /* SASL >= 20000 */
1738 
1739 			if (result != SASL_OK && result != SASL_CONTINUE)
1740 			{
1741 				message("535 5.7.0 authentication failed");
1742 				if (LogLevel > 9)
1743 					sm_syslog(LOG_ERR, e->e_id,
1744 						  "AUTH failure (%s): %s (%d) %s, relay=%.100s",
1745 						  p,
1746 						  sasl_errstring(result, NULL,
1747 								 NULL),
1748 						  result,
1749 # if SASL >= 20000
1750 						  sasl_errdetail(conn),
1751 # else /* SASL >= 20000 */
1752 						  errstr,
1753 # endif /* SASL >= 20000 */
1754 						  CurSmtpClient);
1755 				RESET_SASLCONN;
1756 				break;
1757 			}
1758 			auth_type = newstr(p);
1759 
1760 			if (result == SASL_OK)
1761 			{
1762 				/* ugly, but same code */
1763 				goto authenticated;
1764 				/* authenticated by the initial response */
1765 			}
1766 
1767 			/* len is at least 2 */
1768 			len = ENC64LEN(outlen);
1769 			out2 = xalloc(len);
1770 			result = sasl_encode64(out, outlen, out2, len,
1771 					       &out2len);
1772 
1773 			if (result != SASL_OK)
1774 			{
1775 				message("454 4.5.4 Temporary authentication failure");
1776 				if (LogLevel > 5)
1777 					sm_syslog(LOG_WARNING, e->e_id,
1778 						  "AUTH encode64 error [%d for \"%s\"]",
1779 						  result, out);
1780 
1781 				/* start over? */
1782 				authenticating = SASL_NOT_AUTH;
1783 				RESET_SASLCONN;
1784 			}
1785 			else
1786 			{
1787 				message("334 %s", out2);
1788 				authenticating = SASL_PROC_AUTH;
1789 			}
1790 # if SASL >= 20000
1791 			sm_free(out2);
1792 # endif /* SASL >= 20000 */
1793 			break;
1794 #endif /* SASL */
1795 
1796 #if STARTTLS
1797 		  case CMDSTLS: /* starttls */
1798 			DELAY_CONN("STARTTLS");
1799 			if (*p != '\0')
1800 			{
1801 				message("501 5.5.2 Syntax error (no parameters allowed)");
1802 				break;
1803 			}
1804 			if (!bitset(SRV_OFFER_TLS, features))
1805 			{
1806 				message("503 5.5.0 TLS not available");
1807 				break;
1808 			}
1809 			if (!tls_ok_srv)
1810 			{
1811 				message("454 4.3.3 TLS not available after start");
1812 				break;
1813 			}
1814 			if (smtp.sm_gotmail)
1815 			{
1816 				message("503 5.5.0 TLS not permitted during a mail transaction");
1817 				break;
1818 			}
1819 			if (tempfail)
1820 			{
1821 				if (LogLevel > 9)
1822 					sm_syslog(LOG_INFO, e->e_id,
1823 						  "SMTP STARTTLS command (%.100s) from %s tempfailed (due to previous checks)",
1824 						  p, CurSmtpClient);
1825 				usrerr("454 4.7.0 Please try again later");
1826 				break;
1827 			}
1828   starttls:
1829 # if USE_OPENSSL_ENGINE
1830 			if (!SSLEngineInitialized)
1831 			{
1832 				if (!SSL_set_engine(NULL))
1833 				{
1834 					sm_syslog(LOG_ERR, NOQID,
1835 						  "STARTTLS=server, SSL_set_engine=failed");
1836 					tls_ok_srv = false;
1837 					message("454 4.3.3 TLS not available right now");
1838 					break;
1839 				}
1840 				else
1841 					SSLEngineInitialized = true;
1842 			}
1843 # endif /* USE_OPENSSL_ENGINE */
1844 # if TLS_NO_RSA
1845 			/*
1846 			**  XXX do we need a temp key ?
1847 			*/
1848 # else /* TLS_NO_RSA */
1849 # endif /* TLS_NO_RSA */
1850 
1851 # if TLS_VRFY_PER_CTX
1852 			/*
1853 			**  Note: this sets the verification globally
1854 			**  (per SSL_CTX)
1855 			**  it's ok since it applies only to one transaction
1856 			*/
1857 
1858 			TLS_VERIFY_CLIENT();
1859 # endif /* TLS_VRFY_PER_CTX */
1860 
1861 			if (srv_ssl != NULL)
1862 				SSL_clear(srv_ssl);
1863 			else if ((srv_ssl = SSL_new(srv_ctx)) == NULL)
1864 			{
1865 				message("454 4.3.3 TLS not available: error generating SSL handle");
1866 				if (LogLevel > 8)
1867 					tlslogerr(LOG_WARNING, "server");
1868 				goto tls_done;
1869 			}
1870 
1871 # if !TLS_VRFY_PER_CTX
1872 			/*
1873 			**  this could be used if it were possible to set
1874 			**  verification per SSL (connection)
1875 			**  not just per SSL_CTX (global)
1876 			*/
1877 
1878 			TLS_VERIFY_CLIENT();
1879 # endif /* !TLS_VRFY_PER_CTX */
1880 
1881 			rfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
1882 			wfd = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL);
1883 
1884 			if (rfd < 0 || wfd < 0 ||
1885 			    SSL_set_rfd(srv_ssl, rfd) <= 0 ||
1886 			    SSL_set_wfd(srv_ssl, wfd) <= 0)
1887 			{
1888 				message("454 4.3.3 TLS not available: error set fd");
1889 				SSL_free(srv_ssl);
1890 				srv_ssl = NULL;
1891 				goto tls_done;
1892 			}
1893 			if (!smtps)
1894 				message("220 2.0.0 Ready to start TLS");
1895 # if PIPELINING
1896 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
1897 # endif /* PIPELINING */
1898 
1899 			SSL_set_accept_state(srv_ssl);
1900 
1901 #  define SSL_ACC(s)	SSL_accept(s)
1902 
1903 			tlsstart = curtime();
1904   ssl_retry:
1905 			if ((r = SSL_ACC(srv_ssl)) <= 0)
1906 			{
1907 				int i, ssl_err;
1908 
1909 				ssl_err = SSL_get_error(srv_ssl, r);
1910 				i = tls_retry(srv_ssl, rfd, wfd, tlsstart,
1911 						TimeOuts.to_starttls, ssl_err,
1912 						"server");
1913 				if (i > 0)
1914 					goto ssl_retry;
1915 
1916 				if (LogLevel > 5)
1917 				{
1918 					unsigned long l;
1919 					const char *sr;
1920 
1921 					l = ERR_peek_error();
1922 					sr = ERR_reason_error_string(l);
1923 					sm_syslog(LOG_WARNING, NOQID,
1924 						  "STARTTLS=server, error: accept failed=%d, reason=%s, SSL_error=%d, errno=%d, retry=%d, relay=%.100s",
1925 						  r, sr == NULL ? "unknown"
1926 								: sr,
1927 						  ssl_err, errno, i,
1928 						  CurSmtpClient);
1929 					if (LogLevel > 9)
1930 						tlslogerr(LOG_WARNING, "server");
1931 				}
1932 				tls_ok_srv = false;
1933 				SSL_free(srv_ssl);
1934 				srv_ssl = NULL;
1935 
1936 				/*
1937 				**  according to the next draft of
1938 				**  RFC 2487 the connection should be dropped
1939 				*/
1940 
1941 				/* arrange to ignore any current send list */
1942 				e->e_sendqueue = NULL;
1943 				goto doquit;
1944 			}
1945 
1946 			/* ignore return code for now, it's in {verify} */
1947 			(void) tls_get_info(srv_ssl, true,
1948 					    CurSmtpClient,
1949 					    &BlankEnvelope.e_macro,
1950 					    bitset(SRV_VRFY_CLT, features));
1951 
1952 			/*
1953 			**  call Stls_client to find out whether
1954 			**  to accept the connection from the client
1955 			*/
1956 
1957 			saveQuickAbort = QuickAbort;
1958 			saveSuprErrs = SuprErrs;
1959 			SuprErrs = true;
1960 			QuickAbort = false;
1961 			if (rscheck("tls_client",
1962 				     macvalue(macid("{verify}"), e),
1963 				     "STARTTLS", e,
1964 				     RSF_RMCOMM|RSF_COUNT,
1965 				     5, NULL, NOQID, NULL) != EX_OK ||
1966 			    Errors > 0)
1967 			{
1968 				extern char MsgBuf[];
1969 
1970 				if (MsgBuf[0] != '\0' && ISSMTPREPLY(MsgBuf))
1971 					nullserver = newstr(MsgBuf);
1972 				else
1973 					nullserver = "503 5.7.0 Authentication required.";
1974 			}
1975 			QuickAbort = saveQuickAbort;
1976 			SuprErrs = saveSuprErrs;
1977 
1978 			tls_ok_srv = false;	/* don't offer STARTTLS again */
1979 			n_helo = 0;
1980 # if SASL
1981 			if (sasl_ok)
1982 			{
1983 				int cipher_bits;
1984 				bool verified;
1985 				char *s, *v, *c;
1986 
1987 				s = macvalue(macid("{cipher_bits}"), e);
1988 				v = macvalue(macid("{verify}"), e);
1989 				c = macvalue(macid("{cert_subject}"), e);
1990 				verified = (v != NULL && strcmp(v, "OK") == 0);
1991 				if (s != NULL && (cipher_bits = atoi(s)) > 0)
1992 				{
1993 #  if SASL >= 20000
1994 					ext_ssf = cipher_bits;
1995 					auth_id = verified ? c : NULL;
1996 					sasl_ok = ((sasl_setprop(conn,
1997 							SASL_SSF_EXTERNAL,
1998 							&ext_ssf) == SASL_OK) &&
1999 						   (sasl_setprop(conn,
2000 							SASL_AUTH_EXTERNAL,
2001 							auth_id) == SASL_OK));
2002 #  else /* SASL >= 20000 */
2003 					ext_ssf.ssf = cipher_bits;
2004 					ext_ssf.auth_id = verified ? c : NULL;
2005 					sasl_ok = sasl_setprop(conn,
2006 							SASL_SSF_EXTERNAL,
2007 							&ext_ssf) == SASL_OK;
2008 #  endif /* SASL >= 20000 */
2009 					mechlist = NULL;
2010 					if (sasl_ok)
2011 						n_mechs = saslmechs(conn,
2012 								    &mechlist);
2013 				}
2014 			}
2015 # endif /* SASL */
2016 
2017 			/* switch to secure connection */
2018 			if (sfdctls(&InChannel, &OutChannel, srv_ssl) == 0)
2019 			{
2020 				tls_active = true;
2021 # if PIPELINING
2022 				(void) sm_io_autoflush(InChannel, OutChannel);
2023 # endif /* PIPELINING */
2024 			}
2025 			else
2026 			{
2027 				/*
2028 				**  XXX this is an internal error
2029 				**  how to deal with it?
2030 				**  we can't generate an error message
2031 				**  since the other side switched to an
2032 				**  encrypted layer, but we could not...
2033 				**  just "hang up"?
2034 				*/
2035 
2036 				nullserver = "454 4.3.3 TLS not available: can't switch to encrypted layer";
2037 				syserr("STARTTLS: can't switch to encrypted layer");
2038 			}
2039 		  tls_done:
2040 			if (smtps)
2041 			{
2042 				if (tls_active)
2043 					goto greeting;
2044 				else
2045 					goto doquit;
2046 			}
2047 			break;
2048 #endif /* STARTTLS */
2049 
2050 		  case CMDHELO:		/* hello -- introduce yourself */
2051 		  case CMDEHLO:		/* extended hello */
2052 			DELAY_CONN("EHLO");
2053 			if (c->cmd_code == CMDEHLO)
2054 			{
2055 				protocol = "ESMTP";
2056 				SmtpPhase = "server EHLO";
2057 			}
2058 			else
2059 			{
2060 				protocol = "SMTP";
2061 				SmtpPhase = "server HELO";
2062 			}
2063 
2064 			/* avoid denial-of-service */
2065 			STOP_IF_ATTACK(checksmtpattack(&n_helo, MAXHELOCOMMANDS,
2066 							true, "HELO/EHLO", e));
2067 
2068 #if 0
2069 			/* RFC2821 4.1.4 allows duplicate HELO/EHLO */
2070 			/* check for duplicate HELO/EHLO per RFC 1651 4.2 */
2071 			if (gothello)
2072 			{
2073 				usrerr("503 %s Duplicate HELO/EHLO",
2074 				       MyHostName);
2075 				break;
2076 			}
2077 #endif /* 0 */
2078 
2079 			/* check for valid domain name (re 1123 5.2.5) */
2080 			if (*p == '\0' && !AllowBogusHELO)
2081 			{
2082 				usrerr("501 %s requires domain address",
2083 					cmdbuf);
2084 				break;
2085 			}
2086 
2087 			/* check for long domain name (hides Received: info) */
2088 			if (strlen(p) > MAXNAME)
2089 			{
2090 				usrerr("501 Invalid domain name");
2091 				if (LogLevel > 9)
2092 					sm_syslog(LOG_INFO, CurEnv->e_id,
2093 						  "invalid domain name (too long) from %s",
2094 						  CurSmtpClient);
2095 				break;
2096 			}
2097 
2098 			ok = true;
2099 			for (q = p; *q != '\0'; q++)
2100 			{
2101 				if (!isascii(*q))
2102 					break;
2103 				if (isalnum(*q))
2104 					continue;
2105 				if (isspace(*q))
2106 				{
2107 					*q = '\0';
2108 
2109 					/* only complain if strict check */
2110 					ok = AllowBogusHELO;
2111 
2112 					/* allow trailing whitespace */
2113 					while (!ok && *++q != '\0' &&
2114 					       isspace(*q))
2115 						;
2116 					if (*q == '\0')
2117 						ok = true;
2118 					break;
2119 				}
2120 				if (strchr("[].-_#:", *q) == NULL)
2121 					break;
2122 			}
2123 
2124 			if (*q == '\0' && ok)
2125 			{
2126 				q = "pleased to meet you";
2127 				sendinghost = sm_strdup_x(p);
2128 			}
2129 			else if (!AllowBogusHELO)
2130 			{
2131 				usrerr("501 Invalid domain name");
2132 				if (LogLevel > 9)
2133 					sm_syslog(LOG_INFO, CurEnv->e_id,
2134 						  "invalid domain name (%s) from %.100s",
2135 						  p, CurSmtpClient);
2136 				break;
2137 			}
2138 			else
2139 			{
2140 				q = "accepting invalid domain name";
2141 			}
2142 
2143 			if (gothello || smtp.sm_gotmail)
2144 				CLEAR_STATE(cmdbuf);
2145 
2146 #if MILTER
2147 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2148 			    !bitset(EF_DISCARD, e->e_flags))
2149 			{
2150 				char state;
2151 				char *response;
2152 
2153 				response = milter_helo(p, e, &state);
2154 				switch (state)
2155 				{
2156 				  case SMFIR_REJECT:
2157 					if (MilterLogLevel > 3)
2158 						sm_syslog(LOG_INFO, e->e_id,
2159 							  "Milter: helo=%s, reject=Command rejected",
2160 							  p);
2161 					nullserver = "Command rejected";
2162 					smtp.sm_milterize = false;
2163 					break;
2164 
2165 				  case SMFIR_TEMPFAIL:
2166 					if (MilterLogLevel > 3)
2167 						sm_syslog(LOG_INFO, e->e_id,
2168 							  "Milter: helo=%s, reject=%s",
2169 							  p, MSG_TEMPFAIL);
2170 					tempfail = true;
2171 					smtp.sm_milterize = false;
2172 					break;
2173 
2174 				  case SMFIR_REPLYCODE:
2175 					if (MilterLogLevel > 3)
2176 						sm_syslog(LOG_INFO, e->e_id,
2177 							  "Milter: helo=%s, reject=%s",
2178 							  p, response);
2179 					if (strncmp(response, "421 ", 4) != 0
2180 					    && strncmp(response, "421-", 4) != 0)
2181 					{
2182 						nullserver = newstr(response);
2183 						smtp.sm_milterize = false;
2184 						break;
2185 					}
2186 					/* FALLTHROUGH */
2187 
2188 				  case SMFIR_SHUTDOWN:
2189 					if (MilterLogLevel > 3 &&
2190 					    response == NULL)
2191 						sm_syslog(LOG_INFO, e->e_id,
2192 							  "Milter: helo=%s, reject=421 4.7.0 %s closing connection",
2193 							  p, MyHostName);
2194 					tempfail = true;
2195 					smtp.sm_milterize = false;
2196 					if (response != NULL)
2197 						usrerr(response);
2198 					else
2199 						message("421 4.7.0 %s closing connection",
2200 							MyHostName);
2201 					/* arrange to ignore send list */
2202 					e->e_sendqueue = NULL;
2203 					lognullconnection = false;
2204 					goto doquit;
2205 				}
2206 				if (response != NULL)
2207 					sm_free(response);
2208 
2209 				/*
2210 				**  If quarantining by a connect/ehlo action,
2211 				**  save between messages
2212 				*/
2213 
2214 				if (smtp.sm_quarmsg == NULL &&
2215 				    e->e_quarmsg != NULL)
2216 					smtp.sm_quarmsg = newstr(e->e_quarmsg);
2217 			}
2218 #endif /* MILTER */
2219 			gothello = true;
2220 
2221 			/* print HELO response message */
2222 			if (c->cmd_code != CMDEHLO)
2223 			{
2224 				message("250 %s Hello %s, %s",
2225 					MyHostName, CurSmtpClient, q);
2226 				break;
2227 			}
2228 
2229 			message("250-%s Hello %s, %s",
2230 				MyHostName, CurSmtpClient, q);
2231 
2232 			/* offer ENHSC even for nullserver */
2233 			if (nullserver != NULL)
2234 			{
2235 				message("250 ENHANCEDSTATUSCODES");
2236 				break;
2237 			}
2238 
2239 			/*
2240 			**  print EHLO features list
2241 			**
2242 			**  Note: If you change this list,
2243 			**	  remember to update 'helpfile'
2244 			*/
2245 
2246 			message("250-ENHANCEDSTATUSCODES");
2247 #if PIPELINING
2248 			if (bitset(SRV_OFFER_PIPE, features))
2249 				message("250-PIPELINING");
2250 #endif /* PIPELINING */
2251 			if (bitset(SRV_OFFER_EXPN, features))
2252 			{
2253 				message("250-EXPN");
2254 				if (bitset(SRV_OFFER_VERB, features))
2255 					message("250-VERB");
2256 			}
2257 #if MIME8TO7
2258 			message("250-8BITMIME");
2259 #endif /* MIME8TO7 */
2260 			if (MaxMessageSize > 0)
2261 				message("250-SIZE %ld", MaxMessageSize);
2262 			else
2263 				message("250-SIZE");
2264 #if DSN
2265 			if (SendMIMEErrors && bitset(SRV_OFFER_DSN, features))
2266 				message("250-DSN");
2267 #endif /* DSN */
2268 			if (bitset(SRV_OFFER_ETRN, features))
2269 				message("250-ETRN");
2270 #if SASL
2271 			if (sasl_ok && mechlist != NULL && *mechlist != '\0')
2272 				message("250-AUTH %s", mechlist);
2273 #endif /* SASL */
2274 #if STARTTLS
2275 			if (tls_ok_srv && bitset(SRV_OFFER_TLS, features))
2276 				message("250-STARTTLS");
2277 #endif /* STARTTLS */
2278 			if (DeliverByMin > 0)
2279 				message("250-DELIVERBY %ld",
2280 					(long) DeliverByMin);
2281 			else if (DeliverByMin == 0)
2282 				message("250-DELIVERBY");
2283 
2284 			/* < 0: no deliver-by */
2285 
2286 			message("250 HELP");
2287 			break;
2288 
2289 		  case CMDMAIL:		/* mail -- designate sender */
2290 			SmtpPhase = "server MAIL";
2291 			DELAY_CONN("MAIL");
2292 
2293 			/* check for validity of this command */
2294 			if (!gothello && bitset(PRIV_NEEDMAILHELO, PrivacyFlags))
2295 			{
2296 				usrerr("503 5.0.0 Polite people say HELO first");
2297 				break;
2298 			}
2299 			if (smtp.sm_gotmail)
2300 			{
2301 				usrerr("503 5.5.0 Sender already specified");
2302 				break;
2303 			}
2304 #if SASL
2305 			if (bitset(SRV_REQ_AUTH, features) &&
2306 			    authenticating != SASL_IS_AUTH)
2307 			{
2308 				usrerr("530 5.7.0 Authentication required");
2309 				break;
2310 			}
2311 #endif /* SASL */
2312 
2313 			p = skipword(p, "from");
2314 			if (p == NULL)
2315 				break;
2316 			if (tempfail)
2317 			{
2318 				if (LogLevel > 9)
2319 					sm_syslog(LOG_INFO, e->e_id,
2320 						  "SMTP MAIL command (%.100s) from %s tempfailed (due to previous checks)",
2321 						  p, CurSmtpClient);
2322 				usrerr(MSG_TEMPFAIL);
2323 				break;
2324 			}
2325 
2326 			/* make sure we know who the sending host is */
2327 			if (sendinghost == NULL)
2328 				sendinghost = peerhostname;
2329 
2330 
2331 #if SM_HEAP_CHECK
2332 			if (sm_debug_active(&DebugLeakSmtp, 1))
2333 			{
2334 				sm_heap_newgroup();
2335 				sm_dprintf("smtp() heap group #%d\n",
2336 					sm_heap_group());
2337 			}
2338 #endif /* SM_HEAP_CHECK */
2339 
2340 			if (Errors > 0)
2341 				goto undo_no_pm;
2342 			if (!gothello)
2343 			{
2344 				auth_warning(e, "%s didn't use HELO protocol",
2345 					     CurSmtpClient);
2346 			}
2347 #ifdef PICKY_HELO_CHECK
2348 			if (sm_strcasecmp(sendinghost, peerhostname) != 0 &&
2349 			    (sm_strcasecmp(peerhostname, "localhost") != 0 ||
2350 			     sm_strcasecmp(sendinghost, MyHostName) != 0))
2351 			{
2352 				auth_warning(e, "Host %s claimed to be %s",
2353 					     CurSmtpClient, sendinghost);
2354 			}
2355 #endif /* PICKY_HELO_CHECK */
2356 
2357 			if (protocol == NULL)
2358 				protocol = "SMTP";
2359 			macdefine(&e->e_macro, A_PERM, 'r', protocol);
2360 			macdefine(&e->e_macro, A_PERM, 's', sendinghost);
2361 
2362 			if (Errors > 0)
2363 				goto undo_no_pm;
2364 			smtp.sm_nrcpts = 0;
2365 			n_badrcpts = 0;
2366 			macdefine(&e->e_macro, A_PERM, macid("{ntries}"), "0");
2367 			macdefine(&e->e_macro, A_PERM, macid("{nrcpts}"), "0");
2368 			macdefine(&e->e_macro, A_PERM, macid("{nbadrcpts}"),
2369 				"0");
2370 			e->e_flags |= EF_CLRQUEUE;
2371 			sm_setproctitle(true, e, "%s %s: %.80s",
2372 					qid_printname(e),
2373 					CurSmtpClient, inp);
2374 
2375 			/* do the processing */
2376 		    SM_TRY
2377 		    {
2378 			extern char *FullName;
2379 
2380 			QuickAbort = true;
2381 			SM_FREE_CLR(FullName);
2382 
2383 			/* must parse sender first */
2384 			delimptr = NULL;
2385 			setsender(p, e, &delimptr, ' ', false);
2386 			if (delimptr != NULL && *delimptr != '\0')
2387 				*delimptr++ = '\0';
2388 			if (Errors > 0)
2389 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2390 
2391 			/* Successfully set e_from, allow logging */
2392 			e->e_flags |= EF_LOGSENDER;
2393 
2394 			/* put resulting triple from parseaddr() into macros */
2395 			if (e->e_from.q_mailer != NULL)
2396 				 macdefine(&e->e_macro, A_PERM,
2397 					macid("{mail_mailer}"),
2398 					e->e_from.q_mailer->m_name);
2399 			else
2400 				 macdefine(&e->e_macro, A_PERM,
2401 					macid("{mail_mailer}"), NULL);
2402 			if (e->e_from.q_host != NULL)
2403 				macdefine(&e->e_macro, A_PERM,
2404 					macid("{mail_host}"),
2405 					e->e_from.q_host);
2406 			else
2407 				macdefine(&e->e_macro, A_PERM,
2408 					macid("{mail_host}"), "localhost");
2409 			if (e->e_from.q_user != NULL)
2410 				macdefine(&e->e_macro, A_PERM,
2411 					macid("{mail_addr}"),
2412 					e->e_from.q_user);
2413 			else
2414 				macdefine(&e->e_macro, A_PERM,
2415 					macid("{mail_addr}"), NULL);
2416 			if (Errors > 0)
2417 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2418 
2419 			/* check for possible spoofing */
2420 			if (RealUid != 0 && OpMode == MD_SMTP &&
2421 			    !wordinclass(RealUserName, 't') &&
2422 			    (!bitnset(M_LOCALMAILER,
2423 				      e->e_from.q_mailer->m_flags) ||
2424 			     strcmp(e->e_from.q_user, RealUserName) != 0))
2425 			{
2426 				auth_warning(e, "%s owned process doing -bs",
2427 					RealUserName);
2428 			}
2429 
2430 			/* reset to default value */
2431 			SevenBitInput = SevenBitInput_Saved;
2432 
2433 			/* now parse ESMTP arguments */
2434 			e->e_msgsize = 0;
2435 			addr = p;
2436 			parse_esmtp_args(e, NULL, p, delimptr, "MAIL", args,
2437 					mail_esmtp_args);
2438 			if (Errors > 0)
2439 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2440 
2441 #if SASL
2442 # if _FFR_AUTH_PASSING
2443 			/* set the default AUTH= if the sender didn't */
2444 			if (e->e_auth_param == NULL)
2445 			{
2446 				/* XXX only do this for an MSA? */
2447 				e->e_auth_param = macvalue(macid("{auth_authen}"),
2448 							   e);
2449 				if (e->e_auth_param == NULL)
2450 					e->e_auth_param = "<>";
2451 
2452 				/*
2453 				**  XXX should we invoke Strust_auth now?
2454 				**  authorizing as the client that just
2455 				**  authenticated, so we'll trust implicitly
2456 				*/
2457 			}
2458 # endif /* _FFR_AUTH_PASSING */
2459 #endif /* SASL */
2460 
2461 			/* do config file checking of the sender */
2462 			macdefine(&e->e_macro, A_PERM,
2463 				macid("{addr_type}"), "e s");
2464 #if _FFR_MAIL_MACRO
2465 			/* make the "real" sender address available */
2466 			macdefine(&e->e_macro, A_TEMP, macid("{mail_from}"),
2467 				  e->e_from.q_paddr);
2468 #endif /* _FFR_MAIL_MACRO */
2469 			if (rscheck("check_mail", addr,
2470 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
2471 				    NULL, e->e_id, NULL) != EX_OK ||
2472 			    Errors > 0)
2473 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2474 			macdefine(&e->e_macro, A_PERM,
2475 				  macid("{addr_type}"), NULL);
2476 
2477 			if (MaxMessageSize > 0 &&
2478 			    (e->e_msgsize > MaxMessageSize ||
2479 			     e->e_msgsize < 0))
2480 			{
2481 				usrerr("552 5.2.3 Message size exceeds fixed maximum message size (%ld)",
2482 					MaxMessageSize);
2483 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2484 			}
2485 
2486 			/*
2487 			**  XXX always check whether there is at least one fs
2488 			**  with enough space?
2489 			**  However, this may not help much: the queue group
2490 			**  selection may later on select a FS that hasn't
2491 			**  enough space.
2492 			*/
2493 
2494 			if ((NumFileSys == 1 || NumQueue == 1) &&
2495 			    !enoughdiskspace(e->e_msgsize, e)
2496 #if _FFR_ANY_FREE_FS
2497 			    && !filesys_free(e->e_msgsize)
2498 #endif /* _FFR_ANY_FREE_FS */
2499 			   )
2500 			{
2501 				/*
2502 				**  We perform this test again when the
2503 				**  queue directory is selected, in collect.
2504 				*/
2505 
2506 				usrerr("452 4.4.5 Insufficient disk space; try again later");
2507 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2508 			}
2509 			if (Errors > 0)
2510 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2511 
2512 			LogUsrErrs = true;
2513 #if MILTER
2514 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2515 			    !bitset(EF_DISCARD, e->e_flags))
2516 			{
2517 				char state;
2518 				char *response;
2519 
2520 				response = milter_envfrom(args, e, &state);
2521 				MILTER_REPLY("from");
2522 			}
2523 #endif /* MILTER */
2524 			if (Errors > 0)
2525 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2526 
2527 			message("250 2.1.0 Sender ok");
2528 			smtp.sm_gotmail = true;
2529 		    }
2530 		    SM_EXCEPT(exc, "[!F]*")
2531 		    {
2532 			/*
2533 			**  An error occurred while processing a MAIL command.
2534 			**  Jump to the common error handling code.
2535 			*/
2536 
2537 			sm_exc_free(exc);
2538 			goto undo_no_pm;
2539 		    }
2540 		    SM_END_TRY
2541 			break;
2542 
2543 		  undo_no_pm:
2544 			e->e_flags &= ~EF_PM_NOTIFY;
2545 		  undo:
2546 			break;
2547 
2548 		  case CMDRCPT:		/* rcpt -- designate recipient */
2549 			DELAY_CONN("RCPT");
2550 			macdefine(&e->e_macro, A_PERM,
2551 				macid("{rcpt_mailer}"), NULL);
2552 			macdefine(&e->e_macro, A_PERM,
2553 				macid("{rcpt_host}"), NULL);
2554 			macdefine(&e->e_macro, A_PERM,
2555 				macid("{rcpt_addr}"), NULL);
2556 #if MILTER
2557 			(void) memset(&addr_st, '\0', sizeof(addr_st));
2558 			a = NULL;
2559 			milter_rcpt_added = false;
2560 			smtp.sm_e_nrcpts_orig = e->e_nrcpts;
2561 #endif
2562 #if _FFR_BADRCPT_SHUTDOWN
2563 			/*
2564 			**  hack to deal with hack, see below:
2565 			**  n_badrcpts is increased if limit is reached.
2566 			*/
2567 
2568 			n_badrcpts_adj = (BadRcptThrottle > 0 &&
2569 					  n_badrcpts > BadRcptThrottle &&
2570 					  LogLevel > 5)
2571 					  ? n_badrcpts - 1 : n_badrcpts;
2572 			if (BadRcptShutdown > 0 &&
2573 			    n_badrcpts_adj >= BadRcptShutdown &&
2574 			    (BadRcptShutdownGood == 0 ||
2575 			     smtp.sm_nrcpts == 0 ||
2576 			     (n_badrcpts_adj * 100 /
2577 			      (smtp.sm_nrcpts + n_badrcpts) >=
2578 			      BadRcptShutdownGood)))
2579 			{
2580 				if (LogLevel > 5)
2581 					sm_syslog(LOG_INFO, e->e_id,
2582 						  "%s: Possible SMTP RCPT flood, shutting down connection.",
2583 						  CurSmtpClient);
2584 				message("421 4.7.0 %s Too many bad recipients; closing connection",
2585 				MyHostName);
2586 
2587 				/* arrange to ignore any current send list */
2588 				e->e_sendqueue = NULL;
2589 				goto doquit;
2590 			}
2591 #endif /* _FFR_BADRCPT_SHUTDOWN */
2592 			if (BadRcptThrottle > 0 &&
2593 			    n_badrcpts >= BadRcptThrottle)
2594 			{
2595 				if (LogLevel > 5 &&
2596 				    n_badrcpts == BadRcptThrottle)
2597 				{
2598 					sm_syslog(LOG_INFO, e->e_id,
2599 						  "%s: Possible SMTP RCPT flood, throttling.",
2600 						  CurSmtpClient);
2601 
2602 					/* To avoid duplicated message */
2603 					n_badrcpts++;
2604 				}
2605 				NBADRCPTS;
2606 
2607 				/*
2608 				**  Don't use exponential backoff for now.
2609 				**  Some systems will open more connections
2610 				**  and actually overload the receiver even
2611 				**  more.
2612 				*/
2613 
2614 				(void) sleep(BadRcptThrottleDelay);
2615 			}
2616 			if (!smtp.sm_gotmail)
2617 			{
2618 				usrerr("503 5.0.0 Need MAIL before RCPT");
2619 				break;
2620 			}
2621 			SmtpPhase = "server RCPT";
2622 		    SM_TRY
2623 		    {
2624 			QuickAbort = true;
2625 			LogUsrErrs = true;
2626 
2627 			/* limit flooding of our machine */
2628 			if (MaxRcptPerMsg > 0 &&
2629 			    smtp.sm_nrcpts >= MaxRcptPerMsg)
2630 			{
2631 				/* sleep(1); / * slow down? */
2632 				usrerr("452 4.5.3 Too many recipients");
2633 				goto rcpt_done;
2634 			}
2635 
2636 			if (!SM_IS_INTERACTIVE(e->e_sendmode)
2637 #if _FFR_DM_ONE
2638 			    && (NotFirstDelivery || SM_DM_ONE != e->e_sendmode)
2639 #endif /* _FFR_DM_ONE */
2640 			   )
2641 				e->e_flags |= EF_VRFYONLY;
2642 
2643 #if MILTER
2644 			/*
2645 			**  Do not expand recipients at RCPT time (in the call
2646 			**  to recipient()) if a milter can delete or reject
2647 			**  a RCPT.  If they are expanded, it is impossible
2648 			**  for removefromlist() to figure out the expanded
2649 			**  members of the original recipient and mark them
2650 			**  as QS_DONTSEND.
2651 			*/
2652 
2653 			if (!(smtp.sm_milterlist && smtp.sm_milterize &&
2654 			      !bitset(EF_DISCARD, e->e_flags)) &&
2655 			    (smtp.sm_milters.mis_flags &
2656 			     (MIS_FL_DEL_RCPT|MIS_FL_REJ_RCPT)) != 0)
2657 				e->e_flags |= EF_VRFYONLY;
2658 			milter_cmd_done = false;
2659 			milter_cmd_safe = false;
2660 #endif /* MILTER */
2661 
2662 			p = skipword(p, "to");
2663 			if (p == NULL)
2664 				goto rcpt_done;
2665 			macdefine(&e->e_macro, A_PERM,
2666 				macid("{addr_type}"), "e r");
2667 			a = parseaddr(p, NULLADDR, RF_COPYALL, ' ', &delimptr,
2668 				      e, true);
2669 			macdefine(&e->e_macro, A_PERM,
2670 				macid("{addr_type}"), NULL);
2671 			if (Errors > 0)
2672 				goto rcpt_done;
2673 			if (a == NULL)
2674 			{
2675 				usrerr("501 5.0.0 Missing recipient");
2676 				goto rcpt_done;
2677 			}
2678 
2679 			if (delimptr != NULL && *delimptr != '\0')
2680 				*delimptr++ = '\0';
2681 
2682 			/* put resulting triple from parseaddr() into macros */
2683 			if (a->q_mailer != NULL)
2684 				macdefine(&e->e_macro, A_PERM,
2685 					macid("{rcpt_mailer}"),
2686 					a->q_mailer->m_name);
2687 			else
2688 				macdefine(&e->e_macro, A_PERM,
2689 					macid("{rcpt_mailer}"), NULL);
2690 			if (a->q_host != NULL)
2691 				macdefine(&e->e_macro, A_PERM,
2692 					macid("{rcpt_host}"), a->q_host);
2693 			else
2694 				macdefine(&e->e_macro, A_PERM,
2695 					macid("{rcpt_host}"), "localhost");
2696 			if (a->q_user != NULL)
2697 				macdefine(&e->e_macro, A_PERM,
2698 					macid("{rcpt_addr}"), a->q_user);
2699 			else
2700 				macdefine(&e->e_macro, A_PERM,
2701 					macid("{rcpt_addr}"), NULL);
2702 			if (Errors > 0)
2703 				goto rcpt_done;
2704 
2705 			/* now parse ESMTP arguments */
2706 			addr = p;
2707 			parse_esmtp_args(e, a, p, delimptr, "RCPT", args,
2708 					rcpt_esmtp_args);
2709 			if (Errors > 0)
2710 				goto rcpt_done;
2711 
2712 #if MILTER
2713 			/*
2714 			**  rscheck() can trigger an "exception"
2715 			**  in which case the execution continues at
2716 			**  SM_EXCEPT(exc, "[!F]*")
2717 			**  This means milter_cmd_safe is not set
2718 			**  and hence milter is not invoked.
2719 			**  Would it be "safe" to change that, i.e., use
2720 			**  milter_cmd_safe = true;
2721 			**  here so a milter is informed (if requested)
2722 			**  about RCPTs that are rejected by check_rcpt?
2723 			*/
2724 # if _FFR_MILTER_CHECK_REJECTIONS_TOO
2725 			milter_cmd_safe = true;
2726 # endif
2727 #endif
2728 
2729 			/* do config file checking of the recipient */
2730 			macdefine(&e->e_macro, A_PERM,
2731 				macid("{addr_type}"), "e r");
2732 			if (rscheck("check_rcpt", addr,
2733 				    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
2734 				    NULL, e->e_id, p_addr_st) != EX_OK ||
2735 			    Errors > 0)
2736 				goto rcpt_done;
2737 			macdefine(&e->e_macro, A_PERM,
2738 				macid("{addr_type}"), NULL);
2739 
2740 			/* If discarding, don't bother to verify user */
2741 			if (bitset(EF_DISCARD, e->e_flags))
2742 				a->q_state = QS_VERIFIED;
2743 #if MILTER
2744 			milter_cmd_safe = true;
2745 #endif
2746 
2747 			/* save in recipient list after ESMTP mods */
2748 			a = recipient(a, &e->e_sendqueue, 0, e);
2749 			/* may trigger exception... */
2750 
2751 #if MILTER
2752 			milter_rcpt_added = true;
2753 #endif
2754 
2755 			if(!(Errors > 0) && QS_IS_BADADDR(a->q_state))
2756 			{
2757 				/* punt -- should keep message in ADDRESS.... */
2758 				usrerr("550 5.1.1 Addressee unknown");
2759 			}
2760 
2761 #if MILTER
2762 		rcpt_done:
2763 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2764 			    !bitset(EF_DISCARD, e->e_flags))
2765 			{
2766 				char state;
2767 				char *response;
2768 
2769 				/* how to get the error codes? */
2770 				if (Errors > 0)
2771 				{
2772 					macdefine(&e->e_macro, A_PERM,
2773 						macid("{rcpt_mailer}"),
2774 						"error");
2775 					if (a != NULL &&
2776 					    a->q_status != NULL &&
2777 					    a->q_rstatus != NULL)
2778 					{
2779 						macdefine(&e->e_macro, A_PERM,
2780 							macid("{rcpt_host}"),
2781 							a->q_status);
2782 						macdefine(&e->e_macro, A_PERM,
2783 							macid("{rcpt_addr}"),
2784 							a->q_rstatus);
2785 					}
2786 					else
2787 					{
2788 						if (addr_st.q_host != NULL)
2789 							macdefine(&e->e_macro,
2790 								A_PERM,
2791 								macid("{rcpt_host}"),
2792 								addr_st.q_host);
2793 						if (addr_st.q_user != NULL)
2794 							macdefine(&e->e_macro,
2795 								A_PERM,
2796 								macid("{rcpt_addr}"),
2797 								addr_st.q_user);
2798 					}
2799 				}
2800 
2801 				response = milter_envrcpt(args, e, &state,
2802 							Errors > 0);
2803 				milter_cmd_done = true;
2804 				MILTER_REPLY("to");
2805 			}
2806 #endif /* MILTER */
2807 
2808 			/* no errors during parsing, but might be a duplicate */
2809 			e->e_to = a->q_paddr;
2810 			if (!(Errors > 0) && !QS_IS_BADADDR(a->q_state))
2811 			{
2812 				if (smtp.sm_nrcpts == 0)
2813 					initsys(e);
2814 				message("250 2.1.5 Recipient ok%s",
2815 					QS_IS_QUEUEUP(a->q_state) ?
2816 						" (will queue)" : "");
2817 				smtp.sm_nrcpts++;
2818 			}
2819 
2820 			/* Is this needed? */
2821 #if !MILTER
2822 		rcpt_done:
2823 #endif /* !MILTER */
2824 			macdefine(&e->e_macro, A_PERM,
2825 				macid("{rcpt_mailer}"), NULL);
2826 			macdefine(&e->e_macro, A_PERM,
2827 				macid("{rcpt_host}"), NULL);
2828 			macdefine(&e->e_macro, A_PERM,
2829 				macid("{rcpt_addr}"), NULL);
2830 			macdefine(&e->e_macro, A_PERM,
2831 				macid("{dsn_notify}"), NULL);
2832 
2833 			if (Errors > 0)
2834 			{
2835 				++n_badrcpts;
2836 				NBADRCPTS;
2837 			}
2838 		    }
2839 		    SM_EXCEPT(exc, "[!F]*")
2840 		    {
2841 			/* An exception occurred while processing RCPT */
2842 			e->e_flags &= ~(EF_FATALERRS|EF_PM_NOTIFY);
2843 			++n_badrcpts;
2844 			NBADRCPTS;
2845 #if MILTER
2846 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2847 			    !bitset(EF_DISCARD, e->e_flags) &&
2848 			    !milter_cmd_done && milter_cmd_safe)
2849 			{
2850 				char state;
2851 				char *response;
2852 
2853 				macdefine(&e->e_macro, A_PERM,
2854 					macid("{rcpt_mailer}"), "error");
2855 
2856 				/* how to get the error codes? */
2857 				if (addr_st.q_host != NULL)
2858 					macdefine(&e->e_macro, A_PERM,
2859 						macid("{rcpt_host}"),
2860 						addr_st.q_host);
2861 				else if (a != NULL && a->q_status != NULL)
2862 					macdefine(&e->e_macro, A_PERM,
2863 						macid("{rcpt_host}"),
2864 						a->q_status);
2865 
2866 				if (addr_st.q_user != NULL)
2867 					macdefine(&e->e_macro, A_PERM,
2868 						macid("{rcpt_addr}"),
2869 						addr_st.q_user);
2870 				else if (a != NULL && a->q_rstatus != NULL)
2871 					macdefine(&e->e_macro, A_PERM,
2872 						macid("{rcpt_addr}"),
2873 						a->q_rstatus);
2874 
2875 				response = milter_envrcpt(args, e, &state,
2876 							true);
2877 				milter_cmd_done = true;
2878 				MILTER_REPLY("to");
2879 				macdefine(&e->e_macro, A_PERM,
2880 					macid("{rcpt_mailer}"), NULL);
2881 				macdefine(&e->e_macro, A_PERM,
2882 					macid("{rcpt_host}"), NULL);
2883 				macdefine(&e->e_macro, A_PERM,
2884 					macid("{rcpt_addr}"), NULL);
2885 			}
2886 			if (smtp.sm_milterlist && smtp.sm_milterize &&
2887 			    milter_rcpt_added && milter_cmd_done &&
2888 			    milter_cmd_fail)
2889 			{
2890 				(void) removefromlist(addr, &e->e_sendqueue, e);
2891 				milter_cmd_fail = false;
2892 				if (smtp.sm_e_nrcpts_orig < e->e_nrcpts)
2893 					e->e_nrcpts = smtp.sm_e_nrcpts_orig;
2894 			}
2895 #endif /* MILTER */
2896 		    }
2897 		    SM_END_TRY
2898 			break;
2899 
2900 		  case CMDDATA:		/* data -- text of mail */
2901 			DELAY_CONN("DATA");
2902 			if (!smtp_data(&smtp, e))
2903 				goto doquit;
2904 			break;
2905 
2906 		  case CMDRSET:		/* rset -- reset state */
2907 			if (tTd(94, 100))
2908 				message("451 4.0.0 Test failure");
2909 			else
2910 				message("250 2.0.0 Reset state");
2911 			CLEAR_STATE(cmdbuf);
2912 			break;
2913 
2914 		  case CMDVRFY:		/* vrfy -- verify address */
2915 		  case CMDEXPN:		/* expn -- expand address */
2916 			vrfy = c->cmd_code == CMDVRFY;
2917 			DELAY_CONN(vrfy ? "VRFY" : "EXPN");
2918 			if (tempfail)
2919 			{
2920 				if (LogLevel > 9)
2921 					sm_syslog(LOG_INFO, e->e_id,
2922 						  "SMTP %s command (%.100s) from %s tempfailed (due to previous checks)",
2923 						  vrfy ? "VRFY" : "EXPN",
2924 						  p, CurSmtpClient);
2925 
2926 				/* RFC 821 doesn't allow 4xy reply code */
2927 				usrerr("550 5.7.1 Please try again later");
2928 				break;
2929 			}
2930 			wt = checksmtpattack(&n_verifies, MAXVRFYCOMMANDS,
2931 					     false, vrfy ? "VRFY" : "EXPN", e);
2932 			STOP_IF_ATTACK(wt);
2933 			previous = curtime();
2934 			if ((vrfy && bitset(PRIV_NOVRFY, PrivacyFlags)) ||
2935 			    (!vrfy && !bitset(SRV_OFFER_EXPN, features)))
2936 			{
2937 				if (vrfy)
2938 					message("252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)");
2939 				else
2940 					message("502 5.7.0 Sorry, we do not allow this operation");
2941 				if (LogLevel > 5)
2942 					sm_syslog(LOG_INFO, e->e_id,
2943 						  "%s: %s [rejected]",
2944 						  CurSmtpClient,
2945 						  shortenstring(inp, MAXSHORTSTR));
2946 				break;
2947 			}
2948 			else if (!gothello &&
2949 				 bitset(vrfy ? PRIV_NEEDVRFYHELO : PRIV_NEEDEXPNHELO,
2950 						PrivacyFlags))
2951 			{
2952 				usrerr("503 5.0.0 I demand that you introduce yourself first");
2953 				break;
2954 			}
2955 			if (Errors > 0)
2956 				break;
2957 			if (LogLevel > 5)
2958 				sm_syslog(LOG_INFO, e->e_id, "%s: %s",
2959 					  CurSmtpClient,
2960 					  shortenstring(inp, MAXSHORTSTR));
2961 		    SM_TRY
2962 		    {
2963 			QuickAbort = true;
2964 			vrfyqueue = NULL;
2965 			if (vrfy)
2966 				e->e_flags |= EF_VRFYONLY;
2967 			while (*p != '\0' && isascii(*p) && isspace(*p))
2968 				p++;
2969 			if (*p == '\0')
2970 			{
2971 				usrerr("501 5.5.2 Argument required");
2972 			}
2973 			else
2974 			{
2975 				/* do config file checking of the address */
2976 				if (rscheck(vrfy ? "check_vrfy" : "check_expn",
2977 					    p, NULL, e, RSF_RMCOMM,
2978 					    3, NULL, NOQID, NULL) != EX_OK ||
2979 				    Errors > 0)
2980 					sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2981 				(void) sendtolist(p, NULLADDR, &vrfyqueue, 0, e);
2982 			}
2983 			if (wt > 0)
2984 			{
2985 				time_t t;
2986 
2987 				t = wt - (curtime() - previous);
2988 				if (t > 0)
2989 					(void) sleep(t);
2990 			}
2991 			if (Errors > 0)
2992 				sm_exc_raisenew_x(&EtypeQuickAbort, 1);
2993 			if (vrfyqueue == NULL)
2994 			{
2995 				usrerr("554 5.5.2 Nothing to %s", vrfy ? "VRFY" : "EXPN");
2996 			}
2997 			while (vrfyqueue != NULL)
2998 			{
2999 				if (!QS_IS_UNDELIVERED(vrfyqueue->q_state))
3000 				{
3001 					vrfyqueue = vrfyqueue->q_next;
3002 					continue;
3003 				}
3004 
3005 				/* see if there is more in the vrfy list */
3006 				a = vrfyqueue;
3007 				while ((a = a->q_next) != NULL &&
3008 				       (!QS_IS_UNDELIVERED(a->q_state)))
3009 					continue;
3010 				printvrfyaddr(vrfyqueue, a == NULL, vrfy);
3011 				vrfyqueue = a;
3012 			}
3013 		    }
3014 		    SM_EXCEPT(exc, "[!F]*")
3015 		    {
3016 			/*
3017 			**  An exception occurred while processing VRFY/EXPN
3018 			*/
3019 
3020 			sm_exc_free(exc);
3021 			goto undo;
3022 		    }
3023 		    SM_END_TRY
3024 			break;
3025 
3026 		  case CMDETRN:		/* etrn -- force queue flush */
3027 			DELAY_CONN("ETRN");
3028 
3029 			/* Don't leak queue information via debug flags */
3030 			if (!bitset(SRV_OFFER_ETRN, features) || UseMSP ||
3031 			    (RealUid != 0 && RealUid != TrustedUid &&
3032 			     OpMode == MD_SMTP))
3033 			{
3034 				/* different message for MSA ? */
3035 				message("502 5.7.0 Sorry, we do not allow this operation");
3036 				if (LogLevel > 5)
3037 					sm_syslog(LOG_INFO, e->e_id,
3038 						  "%s: %s [rejected]",
3039 						  CurSmtpClient,
3040 						  shortenstring(inp, MAXSHORTSTR));
3041 				break;
3042 			}
3043 			if (tempfail)
3044 			{
3045 				if (LogLevel > 9)
3046 					sm_syslog(LOG_INFO, e->e_id,
3047 						  "SMTP ETRN command (%.100s) from %s tempfailed (due to previous checks)",
3048 						  p, CurSmtpClient);
3049 				usrerr(MSG_TEMPFAIL);
3050 				break;
3051 			}
3052 
3053 			if (strlen(p) <= 0)
3054 			{
3055 				usrerr("500 5.5.2 Parameter required");
3056 				break;
3057 			}
3058 
3059 			/* crude way to avoid denial-of-service attacks */
3060 			STOP_IF_ATTACK(checksmtpattack(&n_etrn, MAXETRNCOMMANDS,
3061 							true, "ETRN", e));
3062 
3063 			/*
3064 			**  Do config file checking of the parameter.
3065 			**  Even though we have srv_features now, we still
3066 			**  need this ruleset because the former is called
3067 			**  when the connection has been established, while
3068 			**  this ruleset is called when the command is
3069 			**  actually issued and therefore has all information
3070 			**  available to make a decision.
3071 			*/
3072 
3073 			if (rscheck("check_etrn", p, NULL, e,
3074 				    RSF_RMCOMM, 3, NULL, NOQID, NULL)
3075 								!= EX_OK ||
3076 			    Errors > 0)
3077 				break;
3078 
3079 			if (LogLevel > 5)
3080 				sm_syslog(LOG_INFO, e->e_id,
3081 					  "%s: ETRN %s", CurSmtpClient,
3082 					  shortenstring(p, MAXSHORTSTR));
3083 
3084 			id = p;
3085 			if (*id == '#')
3086 			{
3087 				int i, qgrp;
3088 
3089 				id++;
3090 				qgrp = name2qid(id);
3091 				if (!ISVALIDQGRP(qgrp))
3092 				{
3093 					usrerr("459 4.5.4 Queue %s unknown",
3094 					       id);
3095 					break;
3096 				}
3097 				for (i = 0; i < NumQueue && Queue[i] != NULL;
3098 				     i++)
3099 					Queue[i]->qg_nextrun = (time_t) -1;
3100 				Queue[qgrp]->qg_nextrun = 0;
3101 				ok = run_work_group(Queue[qgrp]->qg_wgrp,
3102 						    RWG_FORK|RWG_FORCE);
3103 				if (ok && Errors == 0)
3104 					message("250 2.0.0 Queuing for queue group %s started", id);
3105 				break;
3106 			}
3107 
3108 			if (*id == '@')
3109 				id++;
3110 			else
3111 				*--id = '@';
3112 
3113 			new = (QUEUE_CHAR *) sm_malloc(sizeof(QUEUE_CHAR));
3114 			if (new == NULL)
3115 			{
3116 				syserr("500 5.5.0 ETRN out of memory");
3117 				break;
3118 			}
3119 			new->queue_match = id;
3120 			new->queue_negate = false;
3121 			new->queue_next = NULL;
3122 			QueueLimitRecipient = new;
3123 			ok = runqueue(true, false, false, true);
3124 			sm_free(QueueLimitRecipient); /* XXX */
3125 			QueueLimitRecipient = NULL;
3126 			if (ok && Errors == 0)
3127 				message("250 2.0.0 Queuing for node %s started", p);
3128 			break;
3129 
3130 		  case CMDHELP:		/* help -- give user info */
3131 			DELAY_CONN("HELP");
3132 			help(p, e);
3133 			break;
3134 
3135 		  case CMDNOOP:		/* noop -- do nothing */
3136 			DELAY_CONN("NOOP");
3137 			STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands,
3138 							true, "NOOP", e));
3139 			message("250 2.0.0 OK");
3140 			break;
3141 
3142 		  case CMDQUIT:		/* quit -- leave mail */
3143 			message("221 2.0.0 %s closing connection", MyHostName);
3144 #if PIPELINING
3145 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
3146 #endif /* PIPELINING */
3147 
3148 			if (smtp.sm_nrcpts > 0)
3149 				logundelrcpts(e, "aborted by sender", 9, false);
3150 
3151 			/* arrange to ignore any current send list */
3152 			e->e_sendqueue = NULL;
3153 
3154 #if STARTTLS
3155 			/* shutdown TLS connection */
3156 			if (tls_active)
3157 			{
3158 				(void) endtls(srv_ssl, "server");
3159 				tls_active = false;
3160 			}
3161 #endif /* STARTTLS */
3162 #if SASL
3163 			if (authenticating == SASL_IS_AUTH)
3164 			{
3165 				sasl_dispose(&conn);
3166 				authenticating = SASL_NOT_AUTH;
3167 				/* XXX sasl_done(); this is a child */
3168 			}
3169 #endif /* SASL */
3170 
3171 doquit:
3172 			/* avoid future 050 messages */
3173 			disconnect(1, e);
3174 
3175 #if MILTER
3176 			/* close out milter filters */
3177 			milter_quit(e);
3178 #endif /* MILTER */
3179 
3180 			if (tTd(92, 2))
3181 				sm_dprintf("QUIT: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",
3182 					e->e_id,
3183 					bitset(EF_LOGSENDER, e->e_flags),
3184 					LogLevel);
3185 			if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))
3186 				logsender(e, NULL);
3187 			e->e_flags &= ~EF_LOGSENDER;
3188 
3189 			if (lognullconnection && LogLevel > 5 &&
3190 			    nullserver == NULL)
3191 			{
3192 				char *d;
3193 
3194 				d = macvalue(macid("{daemon_name}"), e);
3195 				if (d == NULL)
3196 					d = "stdin";
3197 
3198 				/*
3199 				**  even though this id is "bogus", it makes
3200 				**  it simpler to "grep" related events, e.g.,
3201 				**  timeouts for the same connection.
3202 				*/
3203 
3204 				sm_syslog(LOG_INFO, e->e_id,
3205 					  "%s did not issue MAIL/EXPN/VRFY/ETRN during connection to %s",
3206 					  CurSmtpClient, d);
3207 			}
3208 			if (tTd(93, 100))
3209 			{
3210 				/* return to handle next connection */
3211 				return;
3212 			}
3213 			finis(true, true, ExitStat);
3214 			/* NOTREACHED */
3215 
3216 			/* just to avoid bogus warning from some compilers */
3217 			exit(EX_OSERR);
3218 
3219 		  case CMDVERB:		/* set verbose mode */
3220 			DELAY_CONN("VERB");
3221 			if (!bitset(SRV_OFFER_EXPN, features) ||
3222 			    !bitset(SRV_OFFER_VERB, features))
3223 			{
3224 				/* this would give out the same info */
3225 				message("502 5.7.0 Verbose unavailable");
3226 				break;
3227 			}
3228 			STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands,
3229 							true, "VERB", e));
3230 			Verbose = 1;
3231 			set_delivery_mode(SM_DELIVER, e);
3232 			message("250 2.0.0 Verbose mode");
3233 			break;
3234 
3235 #if SMTPDEBUG
3236 		  case CMDDBGQSHOW:	/* show queues */
3237 			(void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
3238 					     "Send Queue=");
3239 			printaddr(smioout, e->e_sendqueue, true);
3240 			break;
3241 
3242 		  case CMDDBGDEBUG:	/* set debug mode */
3243 			tTsetup(tTdvect, sizeof(tTdvect), "0-99.1");
3244 			tTflag(p);
3245 			message("200 2.0.0 Debug set");
3246 			break;
3247 
3248 #else /* SMTPDEBUG */
3249 		  case CMDDBGQSHOW:	/* show queues */
3250 		  case CMDDBGDEBUG:	/* set debug mode */
3251 #endif /* SMTPDEBUG */
3252 		  case CMDLOGBOGUS:	/* bogus command */
3253 			DELAY_CONN("Bogus");
3254 			if (LogLevel > 0)
3255 				sm_syslog(LOG_CRIT, e->e_id,
3256 					  "\"%s\" command from %s (%.100s)",
3257 					  c->cmd_name, CurSmtpClient,
3258 					  anynet_ntoa(&RealHostAddr));
3259 			/* FALLTHROUGH */
3260 
3261 		  case CMDERROR:	/* unknown command */
3262 #if MAXBADCOMMANDS > 0
3263 			if (++n_badcmds > MAXBADCOMMANDS)
3264 			{
3265   stopattack:
3266 				message("421 4.7.0 %s Too many bad commands; closing connection",
3267 					MyHostName);
3268 
3269 				/* arrange to ignore any current send list */
3270 				e->e_sendqueue = NULL;
3271 				goto doquit;
3272 			}
3273 #endif /* MAXBADCOMMANDS > 0 */
3274 
3275 #if MILTER && SMFI_VERSION > 2
3276 			if (smtp.sm_milterlist && smtp.sm_milterize &&
3277 			    !bitset(EF_DISCARD, e->e_flags))
3278 			{
3279 				char state;
3280 				char *response;
3281 
3282 				if (MilterLogLevel > 9)
3283 					sm_syslog(LOG_INFO, e->e_id,
3284 						"Sending \"%s\" to Milter", inp);
3285 				response = milter_unknown(inp, e, &state);
3286 				MILTER_REPLY("unknown");
3287 				if (state == SMFIR_REPLYCODE ||
3288 				    state == SMFIR_REJECT ||
3289 				    state == SMFIR_TEMPFAIL ||
3290 				    state == SMFIR_SHUTDOWN)
3291 				{
3292 					/* MILTER_REPLY already gave an error */
3293 					break;
3294 				}
3295 			}
3296 #endif /* MILTER && SMFI_VERSION > 2 */
3297 
3298 			usrerr("500 5.5.1 Command unrecognized: \"%s\"",
3299 			       shortenstring(inp, MAXSHORTSTR));
3300 			break;
3301 
3302 		  case CMDUNIMPL:
3303 			DELAY_CONN("Unimpl");
3304 			usrerr("502 5.5.1 Command not implemented: \"%s\"",
3305 			       shortenstring(inp, MAXSHORTSTR));
3306 			break;
3307 
3308 		  default:
3309 			DELAY_CONN("default");
3310 			errno = 0;
3311 			syserr("500 5.5.0 smtp: unknown code %d", c->cmd_code);
3312 			break;
3313 		}
3314 #if SASL
3315 		}
3316 #endif /* SASL */
3317 	    }
3318 	    SM_EXCEPT(exc, "[!F]*")
3319 	    {
3320 		/*
3321 		**  The only possible exception is "E:mta.quickabort".
3322 		**  There is nothing to do except fall through and loop.
3323 		*/
3324 	    }
3325 	    SM_END_TRY
3326 	}
3327 }
3328 /*
3329 **  SMTP_DATA -- implement the SMTP DATA command.
3330 **
3331 **	Parameters:
3332 **		smtp -- status of SMTP connection.
3333 **		e -- envelope.
3334 **
3335 **	Returns:
3336 **		true iff SMTP session can continue.
3337 **
3338 **	Side Effects:
3339 **		possibly sends message.
3340 */
3341 
3342 static bool
3343 smtp_data(smtp, e)
3344 	SMTP_T *smtp;
3345 	ENVELOPE *e;
3346 {
3347 #if MILTER
3348 	bool milteraccept;
3349 #endif /* MILTER */
3350 	bool aborting;
3351 	bool doublequeue;
3352 	bool rv = true;
3353 	ADDRESS *a;
3354 	ENVELOPE *ee;
3355 	char *id;
3356 	char *oldid;
3357 	unsigned int features;
3358 	char buf[32];
3359 
3360 	SmtpPhase = "server DATA";
3361 	if (!smtp->sm_gotmail)
3362 	{
3363 		usrerr("503 5.0.0 Need MAIL command");
3364 		return true;
3365 	}
3366 	else if (smtp->sm_nrcpts <= 0)
3367 	{
3368 		usrerr("503 5.0.0 Need RCPT (recipient)");
3369 		return true;
3370 	}
3371 	(void) sm_snprintf(buf, sizeof(buf), "%u", smtp->sm_nrcpts);
3372 	if (rscheck("check_data", buf, NULL, e,
3373 		    RSF_RMCOMM|RSF_UNSTRUCTURED|RSF_COUNT, 3, NULL,
3374 		    e->e_id, NULL) != EX_OK)
3375 		return true;
3376 
3377 #if MILTER && SMFI_VERSION > 3
3378 	if (smtp->sm_milterlist && smtp->sm_milterize &&
3379 	    !bitset(EF_DISCARD, e->e_flags))
3380 	{
3381 		char state;
3382 		char *response;
3383 		int savelogusrerrs = LogUsrErrs;
3384 
3385 		response = milter_data_cmd(e, &state);
3386 		switch (state)
3387 		{
3388 		  case SMFIR_REPLYCODE:
3389 			if (MilterLogLevel > 3)
3390 			{
3391 				sm_syslog(LOG_INFO, e->e_id,
3392 					  "Milter: cmd=data, reject=%s",
3393 					  response);
3394 				LogUsrErrs = false;
3395 			}
3396 #if _FFR_MILTER_ENHSC
3397 			if (ISSMTPCODE(response))
3398 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
3399 #endif /* _FFR_MILTER_ENHSC */
3400 
3401 			usrerr(response);
3402 			if (strncmp(response, "421 ", 4) == 0
3403 			    || strncmp(response, "421-", 4) == 0)
3404 			{
3405 				e->e_sendqueue = NULL;
3406 				return false;
3407 			}
3408 			return true;
3409 
3410 		  case SMFIR_REJECT:
3411 			if (MilterLogLevel > 3)
3412 			{
3413 				sm_syslog(LOG_INFO, e->e_id,
3414 					  "Milter: cmd=data, reject=550 5.7.1 Command rejected");
3415 				LogUsrErrs = false;
3416 			}
3417 #if _FFR_MILTER_ENHSC
3418 			(void) sm_strlcpy(e->e_enhsc, "5.7.1",
3419 					 sizeof(e->e_enhsc));
3420 #endif /* _FFR_MILTER_ENHSC */
3421 			usrerr("550 5.7.1 Command rejected");
3422 			return true;
3423 
3424 		  case SMFIR_DISCARD:
3425 			if (MilterLogLevel > 3)
3426 				sm_syslog(LOG_INFO, e->e_id,
3427 					  "Milter: cmd=data, discard");
3428 			e->e_flags |= EF_DISCARD;
3429 			break;
3430 
3431 		  case SMFIR_TEMPFAIL:
3432 			if (MilterLogLevel > 3)
3433 			{
3434 				sm_syslog(LOG_INFO, e->e_id,
3435 					  "Milter: cmd=data, reject=%s",
3436 					  MSG_TEMPFAIL);
3437 				LogUsrErrs = false;
3438 			}
3439 #if _FFR_MILTER_ENHSC
3440 			(void) extenhsc(MSG_TEMPFAIL + 4, ' ', e->e_enhsc);
3441 #endif /* _FFR_MILTER_ENHSC */
3442 			usrerr(MSG_TEMPFAIL);
3443 			return true;
3444 
3445 		  case SMFIR_SHUTDOWN:
3446 			if (MilterLogLevel > 3)
3447 			{
3448 				sm_syslog(LOG_INFO, e->e_id,
3449 					  "Milter: cmd=data, reject=421 4.7.0 %s closing connection",
3450 					  MyHostName);
3451 				LogUsrErrs = false;
3452 			}
3453 			usrerr("421 4.7.0 %s closing connection", MyHostName);
3454 			e->e_sendqueue = NULL;
3455 			return false;
3456 		}
3457 		LogUsrErrs = savelogusrerrs;
3458 		if (response != NULL)
3459 			sm_free(response); /* XXX */
3460 	}
3461 #endif /* MILTER && SMFI_VERSION > 3 */
3462 
3463 	/* put back discard bit */
3464 	if (smtp->sm_discard)
3465 		e->e_flags |= EF_DISCARD;
3466 
3467 	/* check to see if we need to re-expand aliases */
3468 	/* also reset QS_BADADDR on already-diagnosted addrs */
3469 	doublequeue = false;
3470 	for (a = e->e_sendqueue; a != NULL; a = a->q_next)
3471 	{
3472 		if (QS_IS_VERIFIED(a->q_state) &&
3473 		    !bitset(EF_DISCARD, e->e_flags))
3474 		{
3475 			/* need to re-expand aliases */
3476 			doublequeue = true;
3477 		}
3478 		if (QS_IS_BADADDR(a->q_state))
3479 		{
3480 			/* make this "go away" */
3481 			a->q_state = QS_DONTSEND;
3482 		}
3483 	}
3484 
3485 	/* collect the text of the message */
3486 	SmtpPhase = "collect";
3487 	buffer_errors();
3488 
3489 	collect(InChannel, true, NULL, e, true);
3490 
3491 	/* redefine message size */
3492 	(void) sm_snprintf(buf, sizeof(buf), "%ld", PRT_NONNEGL(e->e_msgsize));
3493 	macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf);
3494 
3495 	/* rscheck() will set Errors or EF_DISCARD if it trips */
3496 	(void) rscheck("check_eom", buf, NULL, e, RSF_UNSTRUCTURED|RSF_COUNT,
3497 		       3, NULL, e->e_id, NULL);
3498 
3499 #if MILTER
3500 	milteraccept = true;
3501 	if (smtp->sm_milterlist && smtp->sm_milterize &&
3502 	    Errors <= 0 &&
3503 	    !bitset(EF_DISCARD, e->e_flags))
3504 	{
3505 		char state;
3506 		char *response;
3507 
3508 		response = milter_data(e, &state);
3509 		switch (state)
3510 		{
3511 		  case SMFIR_REPLYCODE:
3512 			if (MilterLogLevel > 3)
3513 				sm_syslog(LOG_INFO, e->e_id,
3514 					  "Milter: data, reject=%s",
3515 					  response);
3516 			milteraccept = false;
3517 #if _FFR_MILTER_ENHSC
3518 			if (ISSMTPCODE(response))
3519 				(void) extenhsc(response + 4, ' ', e->e_enhsc);
3520 #endif /* _FFR_MILTER_ENHSC */
3521 			usrerr(response);
3522 			if (strncmp(response, "421 ", 4) == 0
3523 			    || strncmp(response, "421-", 4) == 0)
3524 				rv = false;
3525 			break;
3526 
3527 		  case SMFIR_REJECT:
3528 			milteraccept = false;
3529 			if (MilterLogLevel > 3)
3530 				sm_syslog(LOG_INFO, e->e_id,
3531 					  "Milter: data, reject=554 5.7.1 Command rejected");
3532 			usrerr("554 5.7.1 Command rejected");
3533 			break;
3534 
3535 		  case SMFIR_DISCARD:
3536 			if (MilterLogLevel > 3)
3537 				sm_syslog(LOG_INFO, e->e_id,
3538 					  "Milter: data, discard");
3539 			milteraccept = false;
3540 			e->e_flags |= EF_DISCARD;
3541 			break;
3542 
3543 		  case SMFIR_TEMPFAIL:
3544 			if (MilterLogLevel > 3)
3545 				sm_syslog(LOG_INFO, e->e_id,
3546 					  "Milter: data, reject=%s",
3547 					  MSG_TEMPFAIL);
3548 			milteraccept = false;
3549 #if _FFR_MILTER_ENHSC
3550 			(void) extenhsc(MSG_TEMPFAIL + 4, ' ', e->e_enhsc);
3551 #endif /* _FFR_MILTER_ENHSC */
3552 			usrerr(MSG_TEMPFAIL);
3553 			break;
3554 
3555 		  case SMFIR_SHUTDOWN:
3556 			if (MilterLogLevel > 3)
3557 				sm_syslog(LOG_INFO, e->e_id,
3558 					  "Milter: data, reject=421 4.7.0 %s closing connection",
3559 					  MyHostName);
3560 			milteraccept = false;
3561 			usrerr("421 4.7.0 %s closing connection", MyHostName);
3562 			rv = false;
3563 			break;
3564 		}
3565 		if (response != NULL)
3566 			sm_free(response);
3567 	}
3568 
3569 	/* Milter may have changed message size */
3570 	(void) sm_snprintf(buf, sizeof(buf), "%ld", PRT_NONNEGL(e->e_msgsize));
3571 	macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf);
3572 
3573 	/* abort message filters that didn't get the body & log msg is OK */
3574 	if (smtp->sm_milterlist && smtp->sm_milterize)
3575 	{
3576 		milter_abort(e);
3577 		if (milteraccept && MilterLogLevel > 9)
3578 			sm_syslog(LOG_INFO, e->e_id, "Milter accept: message");
3579 	}
3580 
3581 	/*
3582 	**  If SuperSafe is SAFE_REALLY_POSTMILTER, and we don't have milter or
3583 	**  milter accepted message, sync it now
3584 	**
3585 	**  XXX This is almost a copy of the code in collect(): put it into
3586 	**	a function that is called from both places?
3587 	*/
3588 
3589 	if (milteraccept && SuperSafe == SAFE_REALLY_POSTMILTER)
3590 	{
3591 		int afd;
3592 		SM_FILE_T *volatile df;
3593 		char *dfname;
3594 
3595 		df = e->e_dfp;
3596 		dfname = queuename(e, DATAFL_LETTER);
3597 		if (sm_io_setinfo(df, SM_BF_COMMIT, NULL) < 0
3598 		    && errno != EINVAL)
3599 		{
3600 			int save_errno;
3601 
3602 			save_errno = errno;
3603 			if (save_errno == EEXIST)
3604 			{
3605 				struct stat st;
3606 				int dfd;
3607 
3608 				if (stat(dfname, &st) < 0)
3609 					st.st_size = -1;
3610 				errno = EEXIST;
3611 				syserr("@collect: bfcommit(%s): already on disk, size=%ld",
3612 				       dfname, (long) st.st_size);
3613 				dfd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL);
3614 				if (dfd >= 0)
3615 					dumpfd(dfd, true, true);
3616 			}
3617 			errno = save_errno;
3618 			dferror(df, "bfcommit", e);
3619 			flush_errors(true);
3620 			finis(save_errno != EEXIST, true, ExitStat);
3621 		}
3622 		else if ((afd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL)) < 0)
3623 		{
3624 			dferror(df, "sm_io_getinfo", e);
3625 			flush_errors(true);
3626 			finis(true, true, ExitStat);
3627 			/* NOTREACHED */
3628 		}
3629 		else if (fsync(afd) < 0)
3630 		{
3631 			dferror(df, "fsync", e);
3632 			flush_errors(true);
3633 			finis(true, true, ExitStat);
3634 			/* NOTREACHED */
3635 		}
3636 		else if (sm_io_close(df, SM_TIME_DEFAULT) < 0)
3637 		{
3638 			dferror(df, "sm_io_close", e);
3639 			flush_errors(true);
3640 			finis(true, true, ExitStat);
3641 			/* NOTREACHED */
3642 		}
3643 
3644 		/* Now reopen the df file */
3645 		e->e_dfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, dfname,
3646 					SM_IO_RDONLY, NULL);
3647 		if (e->e_dfp == NULL)
3648 		{
3649 			/* we haven't acked receipt yet, so just chuck this */
3650 			syserr("@Cannot reopen %s", dfname);
3651 			finis(true, true, ExitStat);
3652 			/* NOTREACHED */
3653 		}
3654 	}
3655 #endif /* MILTER */
3656 
3657 	/* Check if quarantining stats should be updated */
3658 	if (e->e_quarmsg != NULL)
3659 		markstats(e, NULL, STATS_QUARANTINE);
3660 
3661 	/*
3662 	**  If a header/body check (header checks or milter)
3663 	**  set EF_DISCARD, don't queueup the message --
3664 	**  that would lose the EF_DISCARD bit and deliver
3665 	**  the message.
3666 	*/
3667 
3668 	if (bitset(EF_DISCARD, e->e_flags))
3669 		doublequeue = false;
3670 
3671 	aborting = Errors > 0;
3672 	if (!(aborting || bitset(EF_DISCARD, e->e_flags)) &&
3673 	    (QueueMode == QM_QUARANTINE || e->e_quarmsg == NULL) &&
3674 	    !split_by_recipient(e))
3675 		aborting = bitset(EF_FATALERRS, e->e_flags);
3676 
3677 	if (aborting)
3678 	{
3679 		ADDRESS *q;
3680 
3681 		/* Log who the mail would have gone to */
3682 		logundelrcpts(e, e->e_message, 8, false);
3683 
3684 		/*
3685 		**  If something above refused the message, we still haven't
3686 		**  accepted responsibility for it.  Don't send DSNs.
3687 		*/
3688 
3689 		for (q = e->e_sendqueue; q != NULL; q = q->q_next)
3690 			q->q_flags &= ~Q_PINGFLAGS;
3691 
3692 		flush_errors(true);
3693 		buffer_errors();
3694 		goto abortmessage;
3695 	}
3696 
3697 	/* from now on, we have to operate silently */
3698 	buffer_errors();
3699 
3700 #if 0
3701 	/*
3702 	**  Clear message, it may contain an error from the SMTP dialogue.
3703 	**  This error must not show up in the queue.
3704 	**	Some error message should show up, e.g., alias database
3705 	**	not available, but others shouldn't, e.g., from check_rcpt.
3706 	*/
3707 
3708 	e->e_message = NULL;
3709 #endif /* 0 */
3710 
3711 	/*
3712 	**  Arrange to send to everyone.
3713 	**	If sending to multiple people, mail back
3714 	**		errors rather than reporting directly.
3715 	**	In any case, don't mail back errors for
3716 	**		anything that has happened up to
3717 	**		now (the other end will do this).
3718 	**	Truncate our transcript -- the mail has gotten
3719 	**		to us successfully, and if we have
3720 	**		to mail this back, it will be easier
3721 	**		on the reader.
3722 	**	Then send to everyone.
3723 	**	Finally give a reply code.  If an error has
3724 	**		already been given, don't mail a
3725 	**		message back.
3726 	**	We goose error returns by clearing error bit.
3727 	*/
3728 
3729 	SmtpPhase = "delivery";
3730 	(void) sm_io_setinfo(e->e_xfp, SM_BF_TRUNCATE, NULL);
3731 	id = e->e_id;
3732 
3733 #if NAMED_BIND
3734 	_res.retry = TimeOuts.res_retry[RES_TO_FIRST];
3735 	_res.retrans = TimeOuts.res_retrans[RES_TO_FIRST];
3736 #endif /* NAMED_BIND */
3737 
3738 
3739 	for (ee = e; ee != NULL; ee = ee->e_sibling)
3740 	{
3741 		/* make sure we actually do delivery */
3742 		ee->e_flags &= ~EF_CLRQUEUE;
3743 
3744 		/* from now on, operate silently */
3745 		ee->e_errormode = EM_MAIL;
3746 
3747 		if (doublequeue)
3748 		{
3749 			/* make sure it is in the queue */
3750 			queueup(ee, false, true);
3751 		}
3752 		else
3753 		{
3754 			int mode;
3755 
3756 			/* send to all recipients */
3757 			mode = SM_DEFAULT;
3758 #if _FFR_DM_ONE
3759 			if (SM_DM_ONE == e->e_sendmode)
3760 			{
3761 				if (NotFirstDelivery)
3762 				{
3763 					mode = SM_QUEUE;
3764 					e->e_sendmode = SM_QUEUE;
3765 				}
3766 				else
3767 				{
3768 					mode = SM_FORK;
3769 					NotFirstDelivery = true;
3770 				}
3771 			}
3772 #endif /* _FFR_DM_ONE */
3773 			sendall(ee, mode);
3774 		}
3775 		ee->e_to = NULL;
3776 	}
3777 
3778 	/* put back id for SMTP logging in putoutmsg() */
3779 	oldid = CurEnv->e_id;
3780 	CurEnv->e_id = id;
3781 
3782 		/* issue success message */
3783 #if _FFR_MSG_ACCEPT
3784 		if (MessageAccept != NULL && *MessageAccept != '\0')
3785 		{
3786 			char msg[MAXLINE];
3787 
3788 			expand(MessageAccept, msg, sizeof(msg), e);
3789 			message("250 2.0.0 %s", msg);
3790 		}
3791 		else
3792 #endif /* _FFR_MSG_ACCEPT */
3793 		message("250 2.0.0 %s Message accepted for delivery", id);
3794 	CurEnv->e_id = oldid;
3795 
3796 	/* if we just queued, poke it */
3797 	if (doublequeue)
3798 	{
3799 		bool anything_to_send = false;
3800 
3801 		sm_getla();
3802 		for (ee = e; ee != NULL; ee = ee->e_sibling)
3803 		{
3804 			if (WILL_BE_QUEUED(ee->e_sendmode))
3805 				continue;
3806 			if (shouldqueue(ee->e_msgpriority, ee->e_ctime))
3807 			{
3808 				ee->e_sendmode = SM_QUEUE;
3809 				continue;
3810 			}
3811 			else if (QueueMode != QM_QUARANTINE &&
3812 				 ee->e_quarmsg != NULL)
3813 			{
3814 				ee->e_sendmode = SM_QUEUE;
3815 				continue;
3816 			}
3817 			anything_to_send = true;
3818 
3819 			/* close all the queue files */
3820 			closexscript(ee);
3821 			if (ee->e_dfp != NULL)
3822 			{
3823 				(void) sm_io_close(ee->e_dfp, SM_TIME_DEFAULT);
3824 				ee->e_dfp = NULL;
3825 			}
3826 			unlockqueue(ee);
3827 		}
3828 		if (anything_to_send)
3829 		{
3830 #if PIPELINING
3831 			/*
3832 			**  XXX if we don't do this, we get 250 twice
3833 			**	because it is also flushed in the child.
3834 			*/
3835 
3836 			(void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
3837 #endif /* PIPELINING */
3838 			(void) doworklist(e, true, true);
3839 		}
3840 	}
3841 
3842   abortmessage:
3843 	if (tTd(92, 2))
3844 		sm_dprintf("abortmessage: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",
3845 			e->e_id, bitset(EF_LOGSENDER, e->e_flags), LogLevel);
3846 	if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))
3847 		logsender(e, NULL);
3848 	e->e_flags &= ~EF_LOGSENDER;
3849 
3850 	/* clean up a bit */
3851 	smtp->sm_gotmail = false;
3852 
3853 	/*
3854 	**  Call dropenvelope if and only if the envelope is *not*
3855 	**  being processed by the child process forked by doworklist().
3856 	*/
3857 
3858 	if (aborting || bitset(EF_DISCARD, e->e_flags))
3859 		(void) dropenvelope(e, true, false);
3860 	else
3861 	{
3862 		for (ee = e; ee != NULL; ee = ee->e_sibling)
3863 		{
3864 			if (!doublequeue &&
3865 			    QueueMode != QM_QUARANTINE &&
3866 			    ee->e_quarmsg != NULL)
3867 			{
3868 				(void) dropenvelope(ee, true, false);
3869 				continue;
3870 			}
3871 			if (WILL_BE_QUEUED(ee->e_sendmode))
3872 				(void) dropenvelope(ee, true, false);
3873 		}
3874 	}
3875 
3876 	CurEnv = e;
3877 	features = e->e_features;
3878 	sm_rpool_free(e->e_rpool);
3879 	newenvelope(e, e, sm_rpool_new_x(NULL));
3880 	e->e_flags = BlankEnvelope.e_flags;
3881 	e->e_features = features;
3882 
3883 	/* restore connection quarantining */
3884 	if (smtp->sm_quarmsg == NULL)
3885 	{
3886 		e->e_quarmsg = NULL;
3887 		macdefine(&e->e_macro, A_PERM, macid("{quarantine}"), "");
3888 	}
3889 	else
3890 	{
3891 		e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool, smtp->sm_quarmsg);
3892 		macdefine(&e->e_macro, A_PERM,
3893 			  macid("{quarantine}"), e->e_quarmsg);
3894 	}
3895 	return rv;
3896 }
3897 /*
3898 **  LOGUNDELRCPTS -- log undelivered (or all) recipients.
3899 **
3900 **	Parameters:
3901 **		e -- envelope.
3902 **		msg -- message for Stat=
3903 **		level -- log level.
3904 **		all -- log all recipients.
3905 **
3906 **	Returns:
3907 **		none.
3908 **
3909 **	Side Effects:
3910 **		logs undelivered (or all) recipients
3911 */
3912 
3913 void
3914 logundelrcpts(e, msg, level, all)
3915 	ENVELOPE *e;
3916 	char *msg;
3917 	int level;
3918 	bool all;
3919 {
3920 	ADDRESS *a;
3921 
3922 	if (LogLevel <= level || msg == NULL || *msg == '\0')
3923 		return;
3924 
3925 	/* Clear $h so relay= doesn't get mislogged by logdelivery() */
3926 	macdefine(&e->e_macro, A_PERM, 'h', NULL);
3927 
3928 	/* Log who the mail would have gone to */
3929 	for (a = e->e_sendqueue; a != NULL; a = a->q_next)
3930 	{
3931 		if (!QS_IS_UNDELIVERED(a->q_state) && !all)
3932 			continue;
3933 		e->e_to = a->q_paddr;
3934 		logdelivery(NULL, NULL,
3935 #if _FFR_MILTER_ENHSC
3936 			    (a->q_status == NULL && e->e_enhsc[0] != '\0')
3937 			    ? e->e_enhsc :
3938 #endif /* _FFR_MILTER_ENHSC */
3939 			    a->q_status,
3940 			    msg, NULL, (time_t) 0, e);
3941 	}
3942 	e->e_to = NULL;
3943 }
3944 /*
3945 **  CHECKSMTPATTACK -- check for denial-of-service attack by repetition
3946 **
3947 **	Parameters:
3948 **		pcounter -- pointer to a counter for this command.
3949 **		maxcount -- maximum value for this counter before we
3950 **			slow down.
3951 **		waitnow -- sleep now (in this routine)?
3952 **		cname -- command name for logging.
3953 **		e -- the current envelope.
3954 **
3955 **	Returns:
3956 **		time to wait,
3957 **		STOP_ATTACK if twice as many commands as allowed and
3958 **			MaxChildren > 0.
3959 **
3960 **	Side Effects:
3961 **		Slows down if we seem to be under attack.
3962 */
3963 
3964 static time_t
3965 checksmtpattack(pcounter, maxcount, waitnow, cname, e)
3966 	volatile unsigned int *pcounter;
3967 	unsigned int maxcount;
3968 	bool waitnow;
3969 	char *cname;
3970 	ENVELOPE *e;
3971 {
3972 	if (maxcount <= 0)	/* no limit */
3973 		return (time_t) 0;
3974 
3975 	if (++(*pcounter) >= maxcount)
3976 	{
3977 		unsigned int shift;
3978 		time_t s;
3979 
3980 		if (*pcounter == maxcount && LogLevel > 5)
3981 		{
3982 			sm_syslog(LOG_INFO, e->e_id,
3983 				  "%s: possible SMTP attack: command=%.40s, count=%u",
3984 				  CurSmtpClient, cname, *pcounter);
3985 		}
3986 		shift = *pcounter - maxcount;
3987 		s = 1 << shift;
3988 		if (shift > MAXSHIFT || s >= MAXTIMEOUT || s <= 0)
3989 			s = MAXTIMEOUT;
3990 
3991 #define IS_ATTACK(s)	((MaxChildren > 0 && *pcounter >= maxcount * 2)	\
3992 				? STOP_ATTACK : (time_t) s)
3993 
3994 		/* sleep at least 1 second before returning */
3995 		(void) sleep(*pcounter / maxcount);
3996 		s -= *pcounter / maxcount;
3997 		if (s >= MAXTIMEOUT || s < 0)
3998 			s = MAXTIMEOUT;
3999 		if (waitnow && s > 0)
4000 		{
4001 			(void) sleep(s);
4002 			return IS_ATTACK(0);
4003 		}
4004 		return IS_ATTACK(s);
4005 	}
4006 	return (time_t) 0;
4007 }
4008 /*
4009 **  SETUP_SMTPD_IO -- setup I/O fd correctly for the SMTP server
4010 **
4011 **	Parameters:
4012 **		none.
4013 **
4014 **	Returns:
4015 **		nothing.
4016 **
4017 **	Side Effects:
4018 **		may change I/O fd.
4019 */
4020 
4021 static void
4022 setup_smtpd_io()
4023 {
4024 	int inchfd, outchfd, outfd;
4025 
4026 	inchfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
4027 	outchfd  = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL);
4028 	outfd = sm_io_getinfo(smioout, SM_IO_WHAT_FD, NULL);
4029 	if (outchfd != outfd)
4030 	{
4031 		/* arrange for debugging output to go to remote host */
4032 		(void) dup2(outchfd, outfd);
4033 	}
4034 
4035 	/*
4036 	**  if InChannel and OutChannel are stdin/stdout
4037 	**  and connected to ttys
4038 	**  and fcntl(STDIN, F_SETFL, O_NONBLOCKING) also changes STDOUT,
4039 	**  then "chain" them together.
4040 	*/
4041 
4042 	if (inchfd == STDIN_FILENO && outchfd == STDOUT_FILENO &&
4043 	    isatty(inchfd) && isatty(outchfd))
4044 	{
4045 		int inmode, outmode;
4046 
4047 		inmode = fcntl(inchfd, F_GETFL, 0);
4048 		if (inmode == -1)
4049 		{
4050 			if (LogLevel > 11)
4051 				sm_syslog(LOG_INFO, NOQID,
4052 					"fcntl(inchfd, F_GETFL) failed: %s",
4053 					sm_errstring(errno));
4054 			return;
4055 		}
4056 		outmode = fcntl(outchfd, F_GETFL, 0);
4057 		if (outmode == -1)
4058 		{
4059 			if (LogLevel > 11)
4060 				sm_syslog(LOG_INFO, NOQID,
4061 					"fcntl(outchfd, F_GETFL) failed: %s",
4062 					sm_errstring(errno));
4063 			return;
4064 		}
4065 		if (bitset(O_NONBLOCK, inmode) ||
4066 		    bitset(O_NONBLOCK, outmode) ||
4067 		    fcntl(inchfd, F_SETFL, inmode | O_NONBLOCK) == -1)
4068 			return;
4069 		outmode = fcntl(outchfd, F_GETFL, 0);
4070 		if (outmode != -1 && bitset(O_NONBLOCK, outmode))
4071 		{
4072 			/* changing InChannel also changes OutChannel */
4073 			sm_io_automode(OutChannel, InChannel);
4074 			if (tTd(97, 4) && LogLevel > 9)
4075 				sm_syslog(LOG_INFO, NOQID,
4076 					  "set automode for I (%d)/O (%d) in SMTP server",
4077 					  inchfd, outchfd);
4078 		}
4079 
4080 		/* undo change of inchfd */
4081 		(void) fcntl(inchfd, F_SETFL, inmode);
4082 	}
4083 }
4084 /*
4085 **  SKIPWORD -- skip a fixed word.
4086 **
4087 **	Parameters:
4088 **		p -- place to start looking.
4089 **		w -- word to skip.
4090 **
4091 **	Returns:
4092 **		p following w.
4093 **		NULL on error.
4094 **
4095 **	Side Effects:
4096 **		clobbers the p data area.
4097 */
4098 
4099 static char *
4100 skipword(p, w)
4101 	register char *volatile p;
4102 	char *w;
4103 {
4104 	register char *q;
4105 	char *firstp = p;
4106 
4107 	/* find beginning of word */
4108 	SKIP_SPACE(p);
4109 	q = p;
4110 
4111 	/* find end of word */
4112 	while (*p != '\0' && *p != ':' && !(isascii(*p) && isspace(*p)))
4113 		p++;
4114 	while (isascii(*p) && isspace(*p))
4115 		*p++ = '\0';
4116 	if (*p != ':')
4117 	{
4118 	  syntax:
4119 		usrerr("501 5.5.2 Syntax error in parameters scanning \"%s\"",
4120 			shortenstring(firstp, MAXSHORTSTR));
4121 		return NULL;
4122 	}
4123 	*p++ = '\0';
4124 	SKIP_SPACE(p);
4125 
4126 	if (*p == '\0')
4127 		goto syntax;
4128 
4129 	/* see if the input word matches desired word */
4130 	if (sm_strcasecmp(q, w))
4131 		goto syntax;
4132 
4133 	return p;
4134 }
4135 
4136 /*
4137 **  RESET_MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line
4138 **
4139 **	Parameters:
4140 **		e -- the envelope.
4141 **
4142 **	Returns:
4143 **		none.
4144 */
4145 
4146 void
4147 reset_mail_esmtp_args(e)
4148 	ENVELOPE *e;
4149 {
4150 	/* "size": no reset */
4151 
4152 	/* "body" */
4153 	SevenBitInput = SevenBitInput_Saved;
4154 	e->e_bodytype = NULL;
4155 
4156 	/* "envid" */
4157 	e->e_envid = NULL;
4158 	macdefine(&e->e_macro, A_PERM, macid("{dsn_envid}"), NULL);
4159 
4160 	/* "ret" */
4161 	e->e_flags &= ~(EF_RET_PARAM|EF_NO_BODY_RETN);
4162 	macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), NULL);
4163 
4164 #if SASL
4165 	/* "auth" */
4166 	macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"), NULL);
4167 	e->e_auth_param = "";
4168 # if _FFR_AUTH_PASSING
4169 	macdefine(&BlankEnvelope.e_macro, A_PERM,
4170 				  macid("{auth_author}"), NULL);
4171 # endif /* _FFR_AUTH_PASSING */
4172 #endif /* SASL */
4173 
4174 	/* "by" */
4175 	e->e_deliver_by = 0;
4176 	e->e_dlvr_flag = 0;
4177 }
4178 
4179 /*
4180 **  MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line
4181 **
4182 **	Parameters:
4183 **		a -- address (unused, for compatibility with rcpt_esmtp_args)
4184 **		kp -- the parameter key.
4185 **		vp -- the value of that parameter.
4186 **		e -- the envelope.
4187 **
4188 **	Returns:
4189 **		none.
4190 */
4191 
4192 void
4193 mail_esmtp_args(a, kp, vp, e)
4194 	ADDRESS *a;
4195 	char *kp;
4196 	char *vp;
4197 	ENVELOPE *e;
4198 {
4199 	if (sm_strcasecmp(kp, "size") == 0)
4200 	{
4201 		if (vp == NULL)
4202 		{
4203 			usrerr("501 5.5.2 SIZE requires a value");
4204 			/* NOTREACHED */
4205 		}
4206 		macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), vp);
4207 		errno = 0;
4208 		e->e_msgsize = strtol(vp, (char **) NULL, 10);
4209 		if (e->e_msgsize == LONG_MAX && errno == ERANGE)
4210 		{
4211 			usrerr("552 5.2.3 Message size exceeds maximum value");
4212 			/* NOTREACHED */
4213 		}
4214 		if (e->e_msgsize < 0)
4215 		{
4216 			usrerr("552 5.2.3 Message size invalid");
4217 			/* NOTREACHED */
4218 		}
4219 	}
4220 	else if (sm_strcasecmp(kp, "body") == 0)
4221 	{
4222 		if (vp == NULL)
4223 		{
4224 			usrerr("501 5.5.2 BODY requires a value");
4225 			/* NOTREACHED */
4226 		}
4227 		else if (sm_strcasecmp(vp, "8bitmime") == 0)
4228 		{
4229 			SevenBitInput = false;
4230 		}
4231 		else if (sm_strcasecmp(vp, "7bit") == 0)
4232 		{
4233 			SevenBitInput = true;
4234 		}
4235 		else
4236 		{
4237 			usrerr("501 5.5.4 Unknown BODY type %s", vp);
4238 			/* NOTREACHED */
4239 		}
4240 		e->e_bodytype = sm_rpool_strdup_x(e->e_rpool, vp);
4241 	}
4242 	else if (sm_strcasecmp(kp, "envid") == 0)
4243 	{
4244 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4245 		{
4246 			usrerr("504 5.7.0 Sorry, ENVID not supported, we do not allow DSN");
4247 			/* NOTREACHED */
4248 		}
4249 		if (vp == NULL)
4250 		{
4251 			usrerr("501 5.5.2 ENVID requires a value");
4252 			/* NOTREACHED */
4253 		}
4254 		if (!xtextok(vp))
4255 		{
4256 			usrerr("501 5.5.4 Syntax error in ENVID parameter value");
4257 			/* NOTREACHED */
4258 		}
4259 		if (e->e_envid != NULL)
4260 		{
4261 			usrerr("501 5.5.0 Duplicate ENVID parameter");
4262 			/* NOTREACHED */
4263 		}
4264 		e->e_envid = sm_rpool_strdup_x(e->e_rpool, vp);
4265 		macdefine(&e->e_macro, A_PERM,
4266 			macid("{dsn_envid}"), e->e_envid);
4267 	}
4268 	else if (sm_strcasecmp(kp, "ret") == 0)
4269 	{
4270 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4271 		{
4272 			usrerr("504 5.7.0 Sorry, RET not supported, we do not allow DSN");
4273 			/* NOTREACHED */
4274 		}
4275 		if (vp == NULL)
4276 		{
4277 			usrerr("501 5.5.2 RET requires a value");
4278 			/* NOTREACHED */
4279 		}
4280 		if (bitset(EF_RET_PARAM, e->e_flags))
4281 		{
4282 			usrerr("501 5.5.0 Duplicate RET parameter");
4283 			/* NOTREACHED */
4284 		}
4285 		e->e_flags |= EF_RET_PARAM;
4286 		if (sm_strcasecmp(vp, "hdrs") == 0)
4287 			e->e_flags |= EF_NO_BODY_RETN;
4288 		else if (sm_strcasecmp(vp, "full") != 0)
4289 		{
4290 			usrerr("501 5.5.2 Bad argument \"%s\" to RET", vp);
4291 			/* NOTREACHED */
4292 		}
4293 		macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), vp);
4294 	}
4295 #if SASL
4296 	else if (sm_strcasecmp(kp, "auth") == 0)
4297 	{
4298 		int len;
4299 		char *q;
4300 		char *auth_param;	/* the value of the AUTH=x */
4301 		bool saveQuickAbort = QuickAbort;
4302 		bool saveSuprErrs = SuprErrs;
4303 		bool saveExitStat = ExitStat;
4304 
4305 		if (vp == NULL)
4306 		{
4307 			usrerr("501 5.5.2 AUTH= requires a value");
4308 			/* NOTREACHED */
4309 		}
4310 		if (e->e_auth_param != NULL)
4311 		{
4312 			usrerr("501 5.5.0 Duplicate AUTH parameter");
4313 			/* NOTREACHED */
4314 		}
4315 		if ((q = strchr(vp, ' ')) != NULL)
4316 			len = q - vp + 1;
4317 		else
4318 			len = strlen(vp) + 1;
4319 		auth_param = xalloc(len);
4320 		(void) sm_strlcpy(auth_param, vp, len);
4321 		if (!xtextok(auth_param))
4322 		{
4323 			usrerr("501 5.5.4 Syntax error in AUTH parameter value");
4324 			/* just a warning? */
4325 			/* NOTREACHED */
4326 		}
4327 
4328 		/* XXX define this always or only if trusted? */
4329 		macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"),
4330 			  auth_param);
4331 
4332 		/*
4333 		**  call Strust_auth to find out whether
4334 		**  auth_param is acceptable (trusted)
4335 		**  we shouldn't trust it if not authenticated
4336 		**  (required by RFC, leave it to ruleset?)
4337 		*/
4338 
4339 		SuprErrs = true;
4340 		QuickAbort = false;
4341 		if (strcmp(auth_param, "<>") != 0 &&
4342 		     (rscheck("trust_auth", auth_param, NULL, e, RSF_RMCOMM,
4343 			      9, NULL, NOQID, NULL) != EX_OK || Errors > 0))
4344 		{
4345 			if (tTd(95, 8))
4346 			{
4347 				q = e->e_auth_param;
4348 				sm_dprintf("auth=\"%.100s\" not trusted user=\"%.100s\"\n",
4349 					auth_param, (q == NULL) ? "" : q);
4350 			}
4351 
4352 			/* not trusted */
4353 			e->e_auth_param = "<>";
4354 # if _FFR_AUTH_PASSING
4355 			macdefine(&BlankEnvelope.e_macro, A_PERM,
4356 				  macid("{auth_author}"), NULL);
4357 # endif /* _FFR_AUTH_PASSING */
4358 		}
4359 		else
4360 		{
4361 			if (tTd(95, 8))
4362 				sm_dprintf("auth=\"%.100s\" trusted\n", auth_param);
4363 			e->e_auth_param = sm_rpool_strdup_x(e->e_rpool,
4364 							    auth_param);
4365 		}
4366 		sm_free(auth_param); /* XXX */
4367 
4368 		/* reset values */
4369 		Errors = 0;
4370 		QuickAbort = saveQuickAbort;
4371 		SuprErrs = saveSuprErrs;
4372 		ExitStat = saveExitStat;
4373 	}
4374 #endif /* SASL */
4375 #define PRTCHAR(c)	((isascii(c) && isprint(c)) ? (c) : '?')
4376 
4377 	/*
4378 	**  "by" is only accepted if DeliverByMin >= 0.
4379 	**  We maybe could add this to the list of server_features.
4380 	*/
4381 
4382 	else if (sm_strcasecmp(kp, "by") == 0 && DeliverByMin >= 0)
4383 	{
4384 		char *s;
4385 
4386 		if (vp == NULL)
4387 		{
4388 			usrerr("501 5.5.2 BY= requires a value");
4389 			/* NOTREACHED */
4390 		}
4391 		errno = 0;
4392 		e->e_deliver_by = strtol(vp, &s, 10);
4393 		if (e->e_deliver_by == LONG_MIN ||
4394 		    e->e_deliver_by == LONG_MAX ||
4395 		    e->e_deliver_by > 999999999l ||
4396 		    e->e_deliver_by < -999999999l)
4397 		{
4398 			usrerr("501 5.5.2 BY=%s out of range", vp);
4399 			/* NOTREACHED */
4400 		}
4401 		if (s == NULL || *s != ';')
4402 		{
4403 			usrerr("501 5.5.2 BY= missing ';'");
4404 			/* NOTREACHED */
4405 		}
4406 		e->e_dlvr_flag = 0;
4407 		++s;	/* XXX: spaces allowed? */
4408 		SKIP_SPACE(s);
4409 		switch (tolower(*s))
4410 		{
4411 		  case 'n':
4412 			e->e_dlvr_flag = DLVR_NOTIFY;
4413 			break;
4414 		  case 'r':
4415 			e->e_dlvr_flag = DLVR_RETURN;
4416 			if (e->e_deliver_by <= 0)
4417 			{
4418 				usrerr("501 5.5.4 mode R requires BY time > 0");
4419 				/* NOTREACHED */
4420 			}
4421 			if (DeliverByMin > 0 && e->e_deliver_by > 0 &&
4422 			    e->e_deliver_by < DeliverByMin)
4423 			{
4424 				usrerr("555 5.5.2 time %ld less than %ld",
4425 					e->e_deliver_by, (long) DeliverByMin);
4426 				/* NOTREACHED */
4427 			}
4428 			break;
4429 		  default:
4430 			usrerr("501 5.5.2 illegal by-mode '%c'", PRTCHAR(*s));
4431 			/* NOTREACHED */
4432 		}
4433 		++s;	/* XXX: spaces allowed? */
4434 		SKIP_SPACE(s);
4435 		switch (tolower(*s))
4436 		{
4437 		  case 't':
4438 			e->e_dlvr_flag |= DLVR_TRACE;
4439 			break;
4440 		  case '\0':
4441 			break;
4442 		  default:
4443 			usrerr("501 5.5.2 illegal by-trace '%c'", PRTCHAR(*s));
4444 			/* NOTREACHED */
4445 		}
4446 
4447 		/* XXX: check whether more characters follow? */
4448 	}
4449 	else
4450 	{
4451 		usrerr("555 5.5.4 %s parameter unrecognized", kp);
4452 		/* NOTREACHED */
4453 	}
4454 }
4455 
4456 /*
4457 **  RCPT_ESMTP_ARGS -- process ESMTP arguments from RCPT line
4458 **
4459 **	Parameters:
4460 **		a -- the address corresponding to the To: parameter.
4461 **		kp -- the parameter key.
4462 **		vp -- the value of that parameter.
4463 **		e -- the envelope.
4464 **
4465 **	Returns:
4466 **		none.
4467 */
4468 
4469 void
4470 rcpt_esmtp_args(a, kp, vp, e)
4471 	ADDRESS *a;
4472 	char *kp;
4473 	char *vp;
4474 	ENVELOPE *e;
4475 {
4476 	if (sm_strcasecmp(kp, "notify") == 0)
4477 	{
4478 		char *p;
4479 
4480 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4481 		{
4482 			usrerr("504 5.7.0 Sorry, NOTIFY not supported, we do not allow DSN");
4483 			/* NOTREACHED */
4484 		}
4485 		if (vp == NULL)
4486 		{
4487 			usrerr("501 5.5.2 NOTIFY requires a value");
4488 			/* NOTREACHED */
4489 		}
4490 		a->q_flags &= ~(QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY);
4491 		a->q_flags |= QHASNOTIFY;
4492 		macdefine(&e->e_macro, A_TEMP, macid("{dsn_notify}"), vp);
4493 
4494 		if (sm_strcasecmp(vp, "never") == 0)
4495 			return;
4496 		for (p = vp; p != NULL; vp = p)
4497 		{
4498 			char *s;
4499 
4500 			s = p = strchr(p, ',');
4501 			if (p != NULL)
4502 				*p++ = '\0';
4503 			if (sm_strcasecmp(vp, "success") == 0)
4504 				a->q_flags |= QPINGONSUCCESS;
4505 			else if (sm_strcasecmp(vp, "failure") == 0)
4506 				a->q_flags |= QPINGONFAILURE;
4507 			else if (sm_strcasecmp(vp, "delay") == 0)
4508 				a->q_flags |= QPINGONDELAY;
4509 			else
4510 			{
4511 				usrerr("501 5.5.4 Bad argument \"%s\"  to NOTIFY",
4512 					vp);
4513 				/* NOTREACHED */
4514 			}
4515 			if (s != NULL)
4516 				*s = ',';
4517 		}
4518 	}
4519 	else if (sm_strcasecmp(kp, "orcpt") == 0)
4520 	{
4521 		char *p;
4522 
4523 		if (!bitset(SRV_OFFER_DSN, e->e_features))
4524 		{
4525 			usrerr("504 5.7.0 Sorry, ORCPT not supported, we do not allow DSN");
4526 			/* NOTREACHED */
4527 		}
4528 		if (vp == NULL)
4529 		{
4530 			usrerr("501 5.5.2 ORCPT requires a value");
4531 			/* NOTREACHED */
4532 		}
4533 		if (a->q_orcpt != NULL)
4534 		{
4535 			usrerr("501 5.5.0 Duplicate ORCPT parameter");
4536 			/* NOTREACHED */
4537 		}
4538 		p = strchr(vp, ';');
4539 		if (p == NULL)
4540 		{
4541 			usrerr("501 5.5.4 Syntax error in ORCPT parameter value");
4542 			/* NOTREACHED */
4543 		}
4544 		*p = '\0';
4545 		if (!isatom(vp) || !xtextok(p + 1))
4546 		{
4547 			*p = ';';
4548 			usrerr("501 5.5.4 Syntax error in ORCPT parameter value");
4549 			/* NOTREACHED */
4550 		}
4551 		*p = ';';
4552 		a->q_orcpt = sm_rpool_strdup_x(e->e_rpool, vp);
4553 	}
4554 	else
4555 	{
4556 		usrerr("555 5.5.4 %s parameter unrecognized", kp);
4557 		/* NOTREACHED */
4558 	}
4559 }
4560 /*
4561 **  PRINTVRFYADDR -- print an entry in the verify queue
4562 **
4563 **	Parameters:
4564 **		a -- the address to print.
4565 **		last -- set if this is the last one.
4566 **		vrfy -- set if this is a VRFY command.
4567 **
4568 **	Returns:
4569 **		none.
4570 **
4571 **	Side Effects:
4572 **		Prints the appropriate 250 codes.
4573 */
4574 #define OFFF	(3 + 1 + 5 + 1)	/* offset in fmt: SMTP reply + enh. code */
4575 
4576 static void
4577 printvrfyaddr(a, last, vrfy)
4578 	register ADDRESS *a;
4579 	bool last;
4580 	bool vrfy;
4581 {
4582 	char fmtbuf[30];
4583 
4584 	if (vrfy && a->q_mailer != NULL &&
4585 	    !bitnset(M_VRFY250, a->q_mailer->m_flags))
4586 		(void) sm_strlcpy(fmtbuf, "252", sizeof(fmtbuf));
4587 	else
4588 		(void) sm_strlcpy(fmtbuf, "250", sizeof(fmtbuf));
4589 	fmtbuf[3] = last ? ' ' : '-';
4590 	(void) sm_strlcpy(&fmtbuf[4], "2.1.5 ", sizeof(fmtbuf) - 4);
4591 	if (a->q_fullname == NULL)
4592 	{
4593 		if ((a->q_mailer == NULL ||
4594 		     a->q_mailer->m_addrtype == NULL ||
4595 		     sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) &&
4596 		    strchr(a->q_user, '@') == NULL)
4597 			(void) sm_strlcpy(&fmtbuf[OFFF], "<%s@%s>",
4598 				       sizeof(fmtbuf) - OFFF);
4599 		else
4600 			(void) sm_strlcpy(&fmtbuf[OFFF], "<%s>",
4601 				       sizeof(fmtbuf) - OFFF);
4602 		message(fmtbuf, a->q_user, MyHostName);
4603 	}
4604 	else
4605 	{
4606 		if ((a->q_mailer == NULL ||
4607 		     a->q_mailer->m_addrtype == NULL ||
4608 		     sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) &&
4609 		    strchr(a->q_user, '@') == NULL)
4610 			(void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s@%s>",
4611 				       sizeof(fmtbuf) - OFFF);
4612 		else
4613 			(void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s>",
4614 				       sizeof(fmtbuf) - OFFF);
4615 		message(fmtbuf, a->q_fullname, a->q_user, MyHostName);
4616 	}
4617 }
4618 
4619 #if SASL
4620 /*
4621 **  SASLMECHS -- get list of possible AUTH mechanisms
4622 **
4623 **	Parameters:
4624 **		conn -- SASL connection info.
4625 **		mechlist -- output parameter for list of mechanisms.
4626 **
4627 **	Returns:
4628 **		number of mechs.
4629 */
4630 
4631 static int
4632 saslmechs(conn, mechlist)
4633 	sasl_conn_t *conn;
4634 	char **mechlist;
4635 {
4636 	int len, num, result;
4637 
4638 	/* "user" is currently unused */
4639 # if SASL >= 20000
4640 	result = sasl_listmech(conn, NULL,
4641 			       "", " ", "", (const char **) mechlist,
4642 			       (unsigned int *)&len, &num);
4643 # else /* SASL >= 20000 */
4644 	result = sasl_listmech(conn, "user", /* XXX */
4645 			       "", " ", "", mechlist,
4646 			       (unsigned int *)&len, (unsigned int *)&num);
4647 # endif /* SASL >= 20000 */
4648 	if (result != SASL_OK)
4649 	{
4650 		if (LogLevel > 9)
4651 			sm_syslog(LOG_WARNING, NOQID,
4652 				  "AUTH error: listmech=%d, num=%d",
4653 				  result, num);
4654 		num = 0;
4655 	}
4656 	if (num > 0)
4657 	{
4658 		if (LogLevel > 11)
4659 			sm_syslog(LOG_INFO, NOQID,
4660 				  "AUTH: available mech=%s, allowed mech=%s",
4661 				  *mechlist, AuthMechanisms);
4662 		*mechlist = intersect(AuthMechanisms, *mechlist, NULL);
4663 	}
4664 	else
4665 	{
4666 		*mechlist = NULL;	/* be paranoid... */
4667 		if (result == SASL_OK && LogLevel > 9)
4668 			sm_syslog(LOG_WARNING, NOQID,
4669 				  "AUTH warning: no mechanisms");
4670 	}
4671 	return num;
4672 }
4673 
4674 # if SASL >= 20000
4675 /*
4676 **  PROXY_POLICY -- define proxy policy for AUTH
4677 **
4678 **	Parameters:
4679 **		conn -- unused.
4680 **		context -- unused.
4681 **		requested_user -- authorization identity.
4682 **		rlen -- authorization identity length.
4683 **		auth_identity -- authentication identity.
4684 **		alen -- authentication identity length.
4685 **		def_realm -- default user realm.
4686 **		urlen -- user realm length.
4687 **		propctx -- unused.
4688 **
4689 **	Returns:
4690 **		ok?
4691 **
4692 **	Side Effects:
4693 **		sets {auth_authen} macro.
4694 */
4695 
4696 int
4697 proxy_policy(conn, context, requested_user, rlen, auth_identity, alen,
4698 	     def_realm, urlen, propctx)
4699 	sasl_conn_t *conn;
4700 	void *context;
4701 	const char *requested_user;
4702 	unsigned rlen;
4703 	const char *auth_identity;
4704 	unsigned alen;
4705 	const char *def_realm;
4706 	unsigned urlen;
4707 	struct propctx *propctx;
4708 {
4709 	if (auth_identity == NULL)
4710 		return SASL_FAIL;
4711 
4712 	macdefine(&BlankEnvelope.e_macro, A_TEMP,
4713 		  macid("{auth_authen}"),
4714 		  xtextify((char *) auth_identity, "=<>\")"));
4715 
4716 	return SASL_OK;
4717 }
4718 # else /* SASL >= 20000 */
4719 
4720 /*
4721 **  PROXY_POLICY -- define proxy policy for AUTH
4722 **
4723 **	Parameters:
4724 **		context -- unused.
4725 **		auth_identity -- authentication identity.
4726 **		requested_user -- authorization identity.
4727 **		user -- allowed user (output).
4728 **		errstr -- possible error string (output).
4729 **
4730 **	Returns:
4731 **		ok?
4732 */
4733 
4734 int
4735 proxy_policy(context, auth_identity, requested_user, user, errstr)
4736 	void *context;
4737 	const char *auth_identity;
4738 	const char *requested_user;
4739 	const char **user;
4740 	const char **errstr;
4741 {
4742 	if (user == NULL || auth_identity == NULL)
4743 		return SASL_FAIL;
4744 	*user = newstr(auth_identity);
4745 	return SASL_OK;
4746 }
4747 # endif /* SASL >= 20000 */
4748 #endif /* SASL */
4749 
4750 #if STARTTLS
4751 /*
4752 **  INITSRVTLS -- initialize server side TLS
4753 **
4754 **	Parameters:
4755 **		tls_ok -- should tls initialization be done?
4756 **
4757 **	Returns:
4758 **		succeeded?
4759 **
4760 **	Side Effects:
4761 **		sets tls_ok_srv which is a static variable in this module.
4762 **		Do NOT remove assignments to it!
4763 */
4764 
4765 bool
4766 initsrvtls(tls_ok)
4767 	bool tls_ok;
4768 {
4769 	if (!tls_ok)
4770 		return false;
4771 
4772 	/* do NOT remove assignment */
4773 	tls_ok_srv = inittls(&srv_ctx, TLS_Srv_Opts, Srv_SSL_Options, true,
4774 			     SrvCertFile, SrvKeyFile,
4775 			     CACertPath, CACertFile, DHParams);
4776 	return tls_ok_srv;
4777 }
4778 #endif /* STARTTLS */
4779 /*
4780 **  SRVFEATURES -- get features for SMTP server
4781 **
4782 **	Parameters:
4783 **		e -- envelope (should be session context).
4784 **		clientname -- name of client.
4785 **		features -- default features for this invocation.
4786 **
4787 **	Returns:
4788 **		server features.
4789 */
4790 
4791 /* table with options: it uses just one character, how about strings? */
4792 static struct
4793 {
4794 	char		srvf_opt;
4795 	unsigned int	srvf_flag;
4796 } srv_feat_table[] =
4797 {
4798 	{ 'A',	SRV_OFFER_AUTH	},
4799 	{ 'B',	SRV_OFFER_VERB	},
4800 	{ 'C',	SRV_REQ_SEC	},
4801 	{ 'D',	SRV_OFFER_DSN	},
4802 	{ 'E',	SRV_OFFER_ETRN	},
4803 	{ 'L',	SRV_REQ_AUTH	},
4804 #if PIPELINING
4805 # if _FFR_NO_PIPE
4806 	{ 'N',	SRV_NO_PIPE	},
4807 # endif /* _FFR_NO_PIPE */
4808 	{ 'P',	SRV_OFFER_PIPE	},
4809 #endif /* PIPELINING */
4810 	{ 'R',	SRV_VRFY_CLT	},	/* same as V; not documented */
4811 	{ 'S',	SRV_OFFER_TLS	},
4812 /*	{ 'T',	SRV_TMP_FAIL	},	*/
4813 	{ 'V',	SRV_VRFY_CLT	},
4814 	{ 'X',	SRV_OFFER_EXPN	},
4815 /*	{ 'Y',	SRV_OFFER_VRFY	},	*/
4816 	{ '\0',	SRV_NONE	}
4817 };
4818 
4819 static unsigned int
4820 srvfeatures(e, clientname, features)
4821 	ENVELOPE *e;
4822 	char *clientname;
4823 	unsigned int features;
4824 {
4825 	int r, i, j;
4826 	char **pvp, c, opt;
4827 	char pvpbuf[PSBUFSIZE];
4828 
4829 	pvp = NULL;
4830 	r = rscap("srv_features", clientname, "", e, &pvp, pvpbuf,
4831 		  sizeof(pvpbuf));
4832 	if (r != EX_OK)
4833 		return features;
4834 	if (pvp == NULL || pvp[0] == NULL || (pvp[0][0] & 0377) != CANONNET)
4835 		return features;
4836 	if (pvp[1] != NULL && sm_strncasecmp(pvp[1], "temp", 4) == 0)
4837 		return SRV_TMP_FAIL;
4838 
4839 	/*
4840 	**  General rule (see sendmail.h, d_flags):
4841 	**  lower case: required/offered, upper case: Not required/available
4842 	**
4843 	**  Since we can change some features per daemon, we have both
4844 	**  cases here: turn on/off a feature.
4845 	*/
4846 
4847 	for (i = 1; pvp[i] != NULL; i++)
4848 	{
4849 		c = pvp[i][0];
4850 		j = 0;
4851 		for (;;)
4852 		{
4853 			if ((opt = srv_feat_table[j].srvf_opt) == '\0')
4854 			{
4855 				if (LogLevel > 9)
4856 					sm_syslog(LOG_WARNING, e->e_id,
4857 						  "srvfeatures: unknown feature %s",
4858 						  pvp[i]);
4859 				break;
4860 			}
4861 			if (c == opt)
4862 			{
4863 				features &= ~(srv_feat_table[j].srvf_flag);
4864 				break;
4865 			}
4866 			if (c == tolower(opt))
4867 			{
4868 				features |= srv_feat_table[j].srvf_flag;
4869 				break;
4870 			}
4871 			++j;
4872 		}
4873 	}
4874 	return features;
4875 }
4876 
4877 /*
4878 **  HELP -- implement the HELP command.
4879 **
4880 **	Parameters:
4881 **		topic -- the topic we want help for.
4882 **		e -- envelope.
4883 **
4884 **	Returns:
4885 **		none.
4886 **
4887 **	Side Effects:
4888 **		outputs the help file to message output.
4889 */
4890 #define HELPVSTR	"#vers	"
4891 #define HELPVERSION	2
4892 
4893 void
4894 help(topic, e)
4895 	char *topic;
4896 	ENVELOPE *e;
4897 {
4898 	register SM_FILE_T *hf;
4899 	register char *p;
4900 	int len;
4901 	bool noinfo;
4902 	bool first = true;
4903 	long sff = SFF_OPENASROOT|SFF_REGONLY;
4904 	char buf[MAXLINE];
4905 	char inp[MAXLINE];
4906 	static int foundvers = -1;
4907 	extern char Version[];
4908 
4909 	if (DontLockReadFiles)
4910 		sff |= SFF_NOLOCK;
4911 	if (!bitnset(DBS_HELPFILEINUNSAFEDIRPATH, DontBlameSendmail))
4912 		sff |= SFF_SAFEDIRPATH;
4913 
4914 	if (HelpFile == NULL ||
4915 	    (hf = safefopen(HelpFile, O_RDONLY, 0444, sff)) == NULL)
4916 	{
4917 		/* no help */
4918 		errno = 0;
4919 		message("502 5.3.0 Sendmail %s -- HELP not implemented",
4920 			Version);
4921 		return;
4922 	}
4923 
4924 	if (topic == NULL || *topic == '\0')
4925 	{
4926 		topic = "smtp";
4927 		noinfo = false;
4928 	}
4929 	else
4930 	{
4931 		makelower(topic);
4932 		noinfo = true;
4933 	}
4934 
4935 	len = strlen(topic);
4936 
4937 	while (sm_io_fgets(hf, SM_TIME_DEFAULT, buf, sizeof(buf)) >= 0)
4938 	{
4939 		if (buf[0] == '#')
4940 		{
4941 			if (foundvers < 0 &&
4942 			    strncmp(buf, HELPVSTR, strlen(HELPVSTR)) == 0)
4943 			{
4944 				int h;
4945 
4946 				if (sm_io_sscanf(buf + strlen(HELPVSTR), "%d",
4947 						 &h) == 1)
4948 					foundvers = h;
4949 			}
4950 			continue;
4951 		}
4952 		if (strncmp(buf, topic, len) == 0)
4953 		{
4954 			if (first)
4955 			{
4956 				first = false;
4957 
4958 				/* print version if no/old vers# in file */
4959 				if (foundvers < 2 && !noinfo)
4960 					message("214-2.0.0 This is Sendmail version %s", Version);
4961 			}
4962 			p = strpbrk(buf, " \t");
4963 			if (p == NULL)
4964 				p = buf + strlen(buf) - 1;
4965 			else
4966 				p++;
4967 			fixcrlf(p, true);
4968 			if (foundvers >= 2)
4969 			{
4970 				char *lbp;
4971 				int lbs = sizeof(buf) - (p - buf);
4972 
4973 				lbp = translate_dollars(p, p, &lbs);
4974 				expand(lbp, inp, sizeof(inp), e);
4975 				if (p != lbp)
4976 					sm_free(lbp);
4977 				p = inp;
4978 			}
4979 			message("214-2.0.0 %s", p);
4980 			noinfo = false;
4981 		}
4982 	}
4983 
4984 	if (noinfo)
4985 		message("504 5.3.0 HELP topic \"%.10s\" unknown", topic);
4986 	else
4987 		message("214 2.0.0 End of HELP info");
4988 
4989 	if (foundvers != 0 && foundvers < HELPVERSION)
4990 	{
4991 		if (LogLevel > 1)
4992 			sm_syslog(LOG_WARNING, e->e_id,
4993 				  "%s too old (require version %d)",
4994 				  HelpFile, HELPVERSION);
4995 
4996 		/* avoid log next time */
4997 		foundvers = 0;
4998 	}
4999 
5000 	(void) sm_io_close(hf, SM_TIME_DEFAULT);
5001 }
5002 
5003 #if SASL
5004 /*
5005 **  RESET_SASLCONN -- reset SASL connection data
5006 **
5007 **	Parameters:
5008 **		conn -- SASL connection context
5009 **		hostname -- host name
5010 **		various connection data
5011 **
5012 **	Returns:
5013 **		SASL result
5014 */
5015 
5016 static int
5017 reset_saslconn(sasl_conn_t **conn, char *hostname,
5018 # if SASL >= 20000
5019 	       char *remoteip, char *localip,
5020 	       char *auth_id, sasl_ssf_t * ext_ssf)
5021 # else /* SASL >= 20000 */
5022 	       struct sockaddr_in *saddr_r, struct sockaddr_in *saddr_l,
5023 	       sasl_external_properties_t * ext_ssf)
5024 # endif /* SASL >= 20000 */
5025 {
5026 	int result;
5027 
5028 	sasl_dispose(conn);
5029 # if SASL >= 20000
5030 	result = sasl_server_new("smtp", hostname, NULL, NULL, NULL,
5031 				 NULL, 0, conn);
5032 # elif SASL > 10505
5033 	/* use empty realm: only works in SASL > 1.5.5 */
5034 	result = sasl_server_new("smtp", hostname, "", NULL, 0, conn);
5035 # else /* SASL >= 20000 */
5036 	/* use no realm -> realm is set to hostname by SASL lib */
5037 	result = sasl_server_new("smtp", hostname, NULL, NULL, 0,
5038 				 conn);
5039 # endif /* SASL >= 20000 */
5040 	if (result != SASL_OK)
5041 		return result;
5042 
5043 # if SASL >= 20000
5044 #  if NETINET || NETINET6
5045 	if (remoteip != NULL && *remoteip != '\0')
5046 		result = sasl_setprop(*conn, SASL_IPREMOTEPORT, remoteip);
5047 	if (result != SASL_OK)
5048 		return result;
5049 
5050 	if (localip != NULL && *localip != '\0')
5051 		result = sasl_setprop(*conn, SASL_IPLOCALPORT, localip);
5052 	if (result != SASL_OK)
5053 		return result;
5054 #  endif /* NETINET || NETINET6 */
5055 
5056 	result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf);
5057 	if (result != SASL_OK)
5058 		return result;
5059 
5060 	result = sasl_setprop(*conn, SASL_AUTH_EXTERNAL, auth_id);
5061 	if (result != SASL_OK)
5062 		return result;
5063 # else /* SASL >= 20000 */
5064 #  if NETINET
5065 	if (saddr_r != NULL)
5066 		result = sasl_setprop(*conn, SASL_IP_REMOTE, saddr_r);
5067 	if (result != SASL_OK)
5068 		return result;
5069 
5070 	if (saddr_l != NULL)
5071 		result = sasl_setprop(*conn, SASL_IP_LOCAL, saddr_l);
5072 	if (result != SASL_OK)
5073 		return result;
5074 #  endif /* NETINET */
5075 
5076 	result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf);
5077 	if (result != SASL_OK)
5078 		return result;
5079 # endif /* SASL >= 20000 */
5080 	return SASL_OK;
5081 }
5082 #endif /* SASL */
5083