172
176
/* .IP "\fBsmtpd_milters (empty)\fR"
173
177
/* A list of Milter (mail filter) applications for new mail that
174
178
/* arrives via the Postfix \fBsmtpd\fR(8) server.
175
/* .IP "\fBmilter_protocol (2)\fR"
179
/* .IP "\fBmilter_protocol (6)\fR"
176
180
/* The mail filter protocol version and optional protocol extensions
177
/* for communication with a Milter (mail filter) application.
181
/* for communication with a Milter application; prior to Postfix 2.6
182
/* the default protocol is 2.
178
183
/* .IP "\fBmilter_default_action (tempfail)\fR"
179
184
/* The default action when a Milter (mail filter) application is
180
185
/* unavailable or mis-configured.
191
196
/* .IP "\fBmilter_content_timeout (300s)\fR"
192
197
/* The time limit for sending message content to a Milter (mail
193
198
/* filter) application, and for receiving the response.
194
/* .IP "\fBmilter_connect_macros (see postconf -n output)\fR"
199
/* .IP "\fBmilter_connect_macros (see 'postconf -d' output)\fR"
195
200
/* The macros that are sent to Milter (mail filter) applications
196
201
/* after completion of an SMTP connection.
197
/* .IP "\fBmilter_helo_macros (see postconf -n output)\fR"
202
/* .IP "\fBmilter_helo_macros (see 'postconf -d' output)\fR"
198
203
/* The macros that are sent to Milter (mail filter) applications
199
204
/* after the SMTP HELO or EHLO command.
200
/* .IP "\fBmilter_mail_macros (see postconf -n output)\fR"
205
/* .IP "\fBmilter_mail_macros (see 'postconf -d' output)\fR"
201
206
/* The macros that are sent to Milter (mail filter) applications
202
207
/* after the SMTP MAIL FROM command.
203
/* .IP "\fBmilter_rcpt_macros (see postconf -n output)\fR"
208
/* .IP "\fBmilter_rcpt_macros (see 'postconf -d' output)\fR"
204
209
/* The macros that are sent to Milter (mail filter) applications
205
210
/* after the SMTP RCPT TO command.
206
/* .IP "\fBmilter_data_macros (see postconf -n output)\fR"
211
/* .IP "\fBmilter_data_macros (see 'postconf -d' output)\fR"
207
212
/* The macros that are sent to version 4 or higher Milter (mail
208
213
/* filter) applications after the SMTP DATA command.
209
/* .IP "\fBmilter_unknown_command_macros (see postconf -n output)\fR"
214
/* .IP "\fBmilter_unknown_command_macros (see 'postconf -d' output)\fR"
210
215
/* The macros that are sent to version 3 or higher Milter (mail
211
216
/* filter) applications after an unknown SMTP command.
212
/* .IP "\fBmilter_end_of_header_macros (see postconf -n output)\fR"
217
/* .IP "\fBmilter_end_of_header_macros (see 'postconf -d' output)\fR"
213
218
/* The macros that are sent to Milter (mail filter) applications
214
219
/* after the end of the message header.
215
/* .IP "\fBmilter_end_of_data_macros (see postconf -n output)\fR"
220
/* .IP "\fBmilter_end_of_data_macros (see 'postconf -d' output)\fR"
216
221
/* The macros that are sent to Milter (mail filter) applications
217
222
/* after the message end-of-data.
218
223
/* GENERAL CONTENT INSPECTION CONTROLS
301
306
/* The time limit for Postfix SMTP server write and read operations
302
307
/* during TLS startup and shutdown handshake procedures.
303
308
/* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
304
/* The file with the certificate of the certification authority
305
/* (CA) that issued the Postfix SMTP server certificate.
306
/* .IP "\fBsmtpd_tls_CAfile (empty)\fR"
307
/* The file with the certificate of the certification authority
308
/* (CA) that issued the Postfix SMTP server certificate.
309
/* A file containing (PEM format) CA certificates of root CAs trusted
310
/* to sign either remote SMTP client certificates or intermediate CA
312
/* .IP "\fBsmtpd_tls_CApath (empty)\fR"
313
/* A directory containing (PEM format) CA certificates of root CAs
314
/* trusted to sign either remote SMTP client certificates or intermediate CA
309
316
/* .IP "\fBsmtpd_tls_always_issue_session_ids (yes)\fR"
310
317
/* Force the Postfix SMTP server to issue a TLS session id, even
311
318
/* when TLS session caching is turned off (smtpd_tls_session_cache_database
385
391
/* The message digest algorithm used to construct client-certificate
386
392
/* fingerprints for \fBcheck_ccert_access\fR and
387
393
/* \fBpermit_tls_clientcerts\fR.
395
/* Available in Postfix version 2.6 and later:
396
/* .IP "\fBsmtpd_tls_protocols (empty)\fR"
397
/* List of TLS protocols that the Postfix SMTP server will exclude
398
/* or include with opportunistic TLS encryption.
399
/* .IP "\fBsmtpd_tls_ciphers (export)\fR"
400
/* The minimum TLS cipher grade that the Postfix SMTP server
401
/* will use with opportunistic TLS encryption.
402
/* .IP "\fBsmtpd_tls_eccert_file (empty)\fR"
403
/* File with the Postfix SMTP server ECDSA certificate in PEM format.
404
/* .IP "\fBsmtpd_tls_eckey_file ($smtpd_tls_eccert_file)\fR"
405
/* File with the Postfix SMTP server ECDSA private key in PEM format.
406
/* .IP "\fBsmtpd_tls_eecdh_grade (see 'postconf -d' output)\fR"
407
/* The Postfix SMTP server security grade for ephemeral elliptic-curve
408
/* Diffie-Hellman (EECDH) key exchange.
409
/* .IP "\fBtls_eecdh_strong_curve (prime256v1)\fR"
410
/* The elliptic curve used by the SMTP server for sensibly strong
411
/* ephemeral ECDH key exchange.
412
/* .IP "\fBtls_eecdh_ultra_curve (secp384r1)\fR"
413
/* The elliptic curve used by the SMTP server for maximally strong
414
/* ephemeral ECDH key exchange.
388
415
/* OBSOLETE STARTTLS CONTROLS
603
630
/* The number of errors a remote SMTP client is allowed to make without
604
631
/* delivering mail before the Postfix SMTP server slows down all its
606
/* .IP "\fBsmtpd_hard_error_limit (20)\fR"
633
/* .IP "\fBsmtpd_hard_error_limit (normal: 20, stress: 1)\fR"
607
634
/* The maximal number of errors a remote SMTP client is allowed to
608
635
/* make without delivering mail.
609
/* .IP "\fBsmtpd_junk_command_limit (100)\fR"
636
/* .IP "\fBsmtpd_junk_command_limit (normal: 100, stress: 1)\fR"
610
637
/* The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote
611
638
/* SMTP client can send before the Postfix SMTP server starts to
612
639
/* increment the error counter with each junk command.
719
746
/* The sender address to use in address verification probes; prior
720
747
/* to Postfix 2.5 the default was "postmaster".
721
748
/* .IP "\fBunverified_sender_reject_code (450)\fR"
722
/* The numerical Postfix SMTP server response code when a sender
749
/* The numerical Postfix SMTP server response code when a recipient
723
750
/* address is rejected by the reject_unverified_sender restriction.
724
751
/* .IP "\fBunverified_recipient_reject_code (450)\fR"
725
752
/* The numerical Postfix SMTP server response when a recipient address
726
753
/* is rejected by the reject_unverified_recipient restriction.
755
/* Available in Postfix version 2.6 and later:
756
/* .IP "\fBunverified_sender_defer_code (450)\fR"
757
/* The numerical Postfix SMTP server response code when a sender address
758
/* probe fails due to a temporary error condition.
759
/* .IP "\fBunverified_recipient_defer_code (450)\fR"
760
/* The numerical Postfix SMTP server response when a recipient address
761
/* probe fails due to a temporary error condition.
762
/* .IP "\fBunverified_sender_reject_reason (empty)\fR"
763
/* The Postfix SMTP server's reply when rejecting mail with
764
/* reject_unverified_sender.
765
/* .IP "\fBunverified_recipient_reject_reason (empty)\fR"
766
/* The Postfix SMTP server's reply when rejecting mail with
767
/* reject_unverified_recipient.
768
/* .IP "\fBunverified_sender_tempfail_action ($reject_tempfail_action)\fR"
769
/* The Postfix SMTP server's action when reject_unverified_sender
770
/* fails due to a temporary error condition.
771
/* .IP "\fBunverified_recipient_tempfail_action ($reject_tempfail_action)\fR"
772
/* The Postfix SMTP server's action when reject_unverified_recipient
773
/* fails due to a temporary error condition.
727
774
/* ACCESS CONTROL RESPONSES
730
777
/* The following parameters control numerical SMTP reply codes
731
778
/* and/or text responses.
732
779
/* .IP "\fBaccess_map_reject_code (554)\fR"
733
/* The numerical Postfix SMTP server response code when a client
734
/* is rejected by an \fBaccess\fR(5) map restriction.
780
/* The numerical Postfix SMTP server response code for
781
/* an \fBaccess\fR(5) map "reject" action.
735
782
/* .IP "\fBdefer_code (450)\fR"
736
783
/* The numerical Postfix SMTP server response code when a remote SMTP
737
784
/* client request is rejected by the "defer" restriction.
781
828
/* .IP "\fBrbl_reply_maps (empty)\fR"
782
829
/* Optional lookup tables with RBL response templates.
831
/* Available in Postfix version 2.6 and later:
832
/* .IP "\fBaccess_map_defer_code (450)\fR"
833
/* The numerical Postfix SMTP server response code for
834
/* an \fBaccess\fR(5) map "defer" action, including "defer_if_permit"
835
/* or "defer_if_reject".
836
/* .IP "\fBreject_tempfail_action (defer_if_permit)\fR"
837
/* The Postfix SMTP server's action when a reject-type restriction
838
/* fails due to a temporary error condition.
839
/* .IP "\fBunknown_helo_hostname_tempfail_action ($reject_tempfail_action)\fR"
840
/* The Postfix SMTP server's action when reject_unknown_helo_hostname
841
/* fails due to an temporary error condition.
842
/* .IP "\fBunknown_address_tempfail_action ($reject_tempfail_action)\fR"
843
/* The Postfix SMTP server's action when reject_unknown_sender_domain
844
/* or reject_unknown_recipient_domain fail due to a temporary error
783
846
/* MISCELLANEOUS CONTROLS
1741
1816
* Attributes for logging, also used for XFORWARD.
1818
* We store all client attributes, including ones with unknown
1819
* values. Otherwise, an unknown client hostname would be treated
1820
* as a non-existent hostname (i.e. local submission).
1743
if (IS_AVAIL_CLIENT_NAME(FORWARD_NAME(state)))
1744
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1745
MAIL_ATTR_LOG_CLIENT_NAME, FORWARD_NAME(state));
1746
if (IS_AVAIL_CLIENT_ADDR(FORWARD_ADDR(state)))
1747
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1748
MAIL_ATTR_LOG_CLIENT_ADDR, FORWARD_ADDR(state));
1749
if (IS_AVAIL_CLIENT_PORT(FORWARD_PORT(state)))
1750
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1751
MAIL_ATTR_LOG_CLIENT_PORT, FORWARD_PORT(state));
1752
if (IS_AVAIL_CLIENT_NAMADDR(FORWARD_NAMADDR(state)))
1753
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1754
MAIL_ATTR_LOG_ORIGIN, FORWARD_NAMADDR(state));
1755
if (IS_AVAIL_CLIENT_HELO(FORWARD_HELO(state)))
1822
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1823
MAIL_ATTR_LOG_CLIENT_NAME, FORWARD_NAME(state));
1824
/* XXX Note: state->rfc_addr, not state->addr. */
1825
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1826
MAIL_ATTR_LOG_CLIENT_ADDR, FORWARD_ADDR(state));
1827
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1828
MAIL_ATTR_LOG_CLIENT_PORT, FORWARD_PORT(state));
1829
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1830
MAIL_ATTR_LOG_ORIGIN, FORWARD_NAMADDR(state));
1831
if (FORWARD_HELO(state))
1756
1832
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1757
1833
MAIL_ATTR_LOG_HELO_NAME, FORWARD_HELO(state));
1758
if (IS_AVAIL_CLIENT_PROTO(FORWARD_PROTO(state)))
1759
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1760
MAIL_ATTR_LOG_PROTO_NAME, FORWARD_PROTO(state));
1834
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1835
MAIL_ATTR_LOG_PROTO_NAME, FORWARD_PROTO(state));
1763
1838
* Attributes with actual client information. These are used by
1764
* Milters in case mail is re-injected with "postsuper -R".
1839
* the smtpd Milter client for policy decisions. Mail that is
1840
* requeued with "postsuper -r" is not subject to processing by
1841
* the cleanup Milter client, because a) it has already been
1842
* filtered, and b) we don't have sufficient information to
1843
* reproduce the exact same SMTP events and Sendmail macros that
1844
* the smtpd Milter client received when the message originally
1845
* arrived in Postfix.
1766
1847
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1767
1848
MAIL_ATTR_ACT_CLIENT_NAME, state->name);
1768
1849
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1769
1850
MAIL_ATTR_ACT_REVERSE_CLIENT_NAME, state->reverse_name);
1851
/* XXX Note: state->addr, not state->rfc_addr. */
1770
1852
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
1771
1853
MAIL_ATTR_ACT_CLIENT_ADDR, state->addr);
1772
1854
rec_fprintf(state->cleanup, REC_TYPE_ATTR, "%s=%s",
2358
2445
if (SMTPD_STAND_ALONE(state) == 0) {
2359
if ((err = smtpd_check_rcpt(state, STR(state->addr_buf))) != 0) {
2360
smtpd_chat_reply(state, "%s", err);
2446
err = smtpd_check_rcpt(state, STR(state->addr_buf));
2363
2447
if (smtpd_milters != 0
2364
2448
&& (state->saved_flags & MILTER_SKIP_FLAGS) == 0) {
2365
2449
PUSH_STRING(saved_rcpt, state->recipient, STR(state->addr_buf));
2366
err = milter_rcpt_event(smtpd_milters,
2450
state->milter_reject_text = err;
2451
milter_err = milter_rcpt_event(smtpd_milters,
2452
err == 0 ? MILTER_FLAG_NONE :
2453
MILTER_FLAG_WANT_RCPT_REJ,
2367
2454
milter_argv(state, argc - 2, argv + 2));
2455
if (err == 0 && milter_err != 0) {
2369
2456
/* Log reject etc. with correct recipient information. */
2370
err = check_milter_reply(state, err);
2457
err = check_milter_reply(state, milter_err);
2372
2459
POP_STRING(saved_rcpt, state->recipient);
2374
smtpd_chat_reply(state, "%s", err);
2462
smtpd_chat_reply(state, "%s", err);
2476
2563
state->rcpt_overshoot = 0;
2568
/* rfc2047_comment_encode - encode comment string */
2570
static VSTRING *rfc2047_comment_encode(const char *str, const char *charset)
2572
VSTRING *buf = vstring_alloc(30);
2573
const unsigned char *cp;
2577
* XXX This is problematic code.
2579
* XXX Most of the RFC 2047 "especials" are not special in RFC*822 comments,
2580
* but we encode them anyway to avoid complaints.
2582
* XXX In Received: header comments we enclose peer and issuer common names
2583
* with "" quotes (inherited from the Lutz Jaenicke patch). This is the
2584
* cause of several quirks.
2586
* 1) We encode text that contains the " character, even though that
2587
* character is not special for RFC*822 comments.
2589
* 2) We ignore the recommended limit of 75 characters per encoded word,
2590
* because long comments look ugly when folded in-between quotes.
2592
* 3) We encode the enclosing quotes, to avoid producing invalid encoded
2593
* words. Microsoft abuses RFC 2047 encoding with attachment names, but
2594
* we have no information on what decoders do with malformed encoding in
2595
* comments. This means the comments are Jaenicke-compatible only after
2598
#define ESPECIALS "()<>@,;:\"/[]?.=" /* Special in RFC 2047 */
2599
#define QSPECIALS "_" ESPECIALS /* Special in RFC 2047 'Q' */
2600
#define CSPECIALS "\\\"()" /* Special in our comments */
2602
/* Don't encode if not needed. */
2603
for (cp = (unsigned char *) str; /* see below */ ; ++cp) {
2604
if ((ch = *cp) == 0) {
2605
vstring_sprintf(buf, "\"%s\"", str);
2608
if (!ISPRINT(ch) || strchr(CSPECIALS, ch))
2613
* Use quoted-printable (like) encoding with spaces mapped to underscore.
2615
vstring_sprintf(buf, "=?%s?Q?=%02X", charset, '"');
2616
for (cp = (unsigned char *) str; (ch = *cp) != 0; ++cp) {
2617
if (!ISPRINT(ch) || strchr(QSPECIALS CSPECIALS, ch)) {
2618
vstring_sprintf_append(buf, "=%02X", ch);
2619
} else if (ch == ' ') {
2620
VSTRING_ADDCH(buf, '_');
2622
VSTRING_ADDCH(buf, ch);
2625
vstring_sprintf_append(buf, "=%02X?=", '"');
2479
2631
/* comment_sanitize - clean up comment string */
2481
2633
static void comment_sanitize(VSTRING *comment_string)
3831
3987
* offered within a plain-text session.
3833
3989
#ifdef USE_SASL_AUTH
3834
if (var_smtpd_sasl_enable
3835
&& strcmp(var_smtpd_sasl_tls_opts, var_smtpd_sasl_opts) != 0) {
3836
smtpd_sasl_auth_reset(state);
3837
smtpd_sasl_disconnect(state);
3838
smtpd_sasl_connect(state, VAR_SMTPD_SASL_TLS_OPTS,
3839
var_smtpd_sasl_tls_opts);
3990
if (var_smtpd_sasl_enable) {
3991
/* Non-wrappermode, presumably. */
3992
if (smtpd_sasl_is_active(state)
3993
&& strcmp(var_smtpd_sasl_opts, var_smtpd_sasl_tls_opts) != 0) {
3994
smtpd_sasl_auth_reset(state);
3995
smtpd_sasl_deactivate(state);
3997
/* Wrappermode and non-wrappermode. */
3998
if (smtpd_sasl_is_active(state) == 0)
3999
smtpd_sasl_activate(state, VAR_SMTPD_SASL_TLS_OPTS,
4000
var_smtpd_sasl_tls_opts);
3977
4139
SMTPD_CMD_MAIL, mail_cmd, 0,
3978
4140
SMTPD_CMD_RCPT, rcpt_cmd, 0,
3979
SMTPD_CMD_DATA, data_cmd, 0,
4141
SMTPD_CMD_DATA, data_cmd, SMTPD_CMD_FLAG_LAST,
3980
4142
SMTPD_CMD_RSET, rset_cmd, SMTPD_CMD_FLAG_LIMIT,
3981
4143
SMTPD_CMD_NOOP, noop_cmd, SMTPD_CMD_FLAG_LIMIT | SMTPD_CMD_FLAG_PRE_TLS,
3982
4144
SMTPD_CMD_VRFY, vrfy_cmd, SMTPD_CMD_FLAG_LIMIT,
3983
4145
SMTPD_CMD_ETRN, etrn_cmd, SMTPD_CMD_FLAG_LIMIT,
3984
4146
SMTPD_CMD_QUIT, quit_cmd, SMTPD_CMD_FLAG_PRE_TLS,
3985
SMTPD_CMD_XCLIENT, xclient_cmd, SMTPD_CMD_FLAG_LIMIT,
3986
SMTPD_CMD_XFORWARD, xforward_cmd, SMTPD_CMD_FLAG_LIMIT,
4147
SMTPD_CMD_XCLIENT, xclient_cmd, 0,
4148
SMTPD_CMD_XFORWARD, xforward_cmd, 0,
4166
4328
smtpd_chat_reply(state, "421 %s Service unavailable - try again later",
4167
4329
var_myhostname);
4168
4330
/* Not: state->error_count++; */
4332
} else if (strcmp(state->name, "unknown") == 0) {
4333
static char *greet_chunks[] = {
4334
"220 ", 0, " ESMTP ", 0, 0,
4339
greet_chunks[1] = var_myhostname;
4340
greet_chunks[3] = var_mail_name;
4341
for (cpp = greet_chunks; *cpp; cpp++) {
4342
for (cp = *cpp; *cp; cp++)
4343
smtp_fputc(*(unsigned char *) cp, state->client);
4344
smtp_flush(state->client);
4345
if (read_wait(vstream_fileno(state->client), 2) == 0) {
4346
smtpd_chat_query(state);
4347
msg_info("PREGREET from %s: %s",
4348
state->namaddr, vstring_str(state->buffer));
4349
state->error_mask |= MAIL_ERROR_POLICY;
4350
smtpd_chat_reply(state,
4351
"521 %s ESMTP not accepting connections",
4353
/* Not: state->error_count++; */
4357
smtp_fputs("", 0, state->client);
4358
smtp_flush(state->client);
4362
if (*var_stress == 0 && strcmp(state->name, "unknown") == 0) {
4363
smtpd_chat_reply(state, "220-%s", var_smtpd_banner);
4364
smtp_flush(state->client);
4365
if (read_wait(vstream_fileno(state->client), 1) == 0) {
4366
int n = peekfd(vstream_fileno(state->client));
4368
smtpd_chat_query(state);
4369
msg_info("PREGREET %d from %s: %s",
4370
n, state->namaddr, vstring_str(state->buffer));
4371
state->error_mask |= MAIL_ERROR_POLICY;
4372
smtpd_chat_reply(state,
4373
"521 %s ESMTP not accepting connections",
4375
/* Not: state->error_count++; */
4170
4380
smtpd_chat_reply(state, "220 %s", var_smtpd_banner);
4253
4484
state->where = cmdp->name;
4485
if (SMTPD_STAND_ALONE(state) == 0
4486
&& (strcasecmp(state->protocol, MAIL_PROTO_ESMTP) != 0
4487
|| (cmdp->flags & SMTPD_CMD_FLAG_LAST))
4488
&& (state->flags & SMTPD_FLAG_ILL_PIPELINING) == 0
4489
&& (vstream_peek(state->client) > 0
4490
|| peekfd(vstream_fileno(state->client)) > 0)) {
4491
msg_info("improper command pipelining after %s from %s",
4492
cmdp->name, state->namaddr);
4493
state->flags |= SMTPD_FLAG_ILL_PIPELINING;
4254
4495
if (cmdp->action(state, argc, argv) != 0)
4255
4496
state->error_count++;
4256
4497
if ((cmdp->flags & SMTPD_CMD_FLAG_LIMIT)
4289
4530
if (state->reason && state->where) {
4290
if (strcmp(state->where, SMTPD_CMD_DATA) == 0) {
4291
msg_info("%s after %s (%lu bytes) from %s",
4292
state->reason, state->where, (long) state->act_size,
4531
if (strcmp(state->where, SMTPD_AFTER_DATA) == 0) {
4532
msg_info("%s after %s (%lu bytes) from %s", /* 2.5 compat */
4533
state->reason, SMTPD_CMD_DATA, /* 2.5 compat */
4534
(long) (state->act_size + vstream_peek(state->client)),
4293
4535
state->namaddr);
4294
4536
} else if (strcmp(state->where, SMTPD_AFTER_DOT)
4295
4537
|| strcmp(state->reason, REASON_LOST_CONNECTION)) {
4507
4752
* XXX: Ugh! Too many booleans!
4509
wantcert = (var_smtpd_tls_ask_ccert
4510
|| (enforce_tls && var_smtpd_tls_req_ccert));
4754
ask_client_cert = require_server_cert =
4755
(var_smtpd_tls_ask_ccert
4756
|| (enforce_tls && var_smtpd_tls_req_ccert));
4511
4757
if (strcasecmp(var_smtpd_tls_cert_file, "none") == 0) {
4758
no_server_cert_ok = 1;
4513
4759
cert_file = "";
4761
no_server_cert_ok = 0;
4516
4762
cert_file = var_smtpd_tls_cert_file;
4519
(*cert_file || *var_smtpd_tls_dcert_file);
4765
(*cert_file || *var_smtpd_tls_dcert_file || *var_smtpd_tls_eccert_file);
4521
4767
/* Some TLS configuration errors are not show stoppers. */
4522
if (!havecert && wantcert)
4768
if (!have_server_cert && require_server_cert)
4523
4769
msg_warn("Need a server cert to request client certs");
4524
4770
if (!enforce_tls && var_smtpd_tls_req_ccert)
4525
4771
msg_warn("Can't require client certs unless TLS is required");
4526
4772
/* After a show-stopper error, reply with 454 to STARTTLS. */
4527
if (havecert || (oknocert && !wantcert))
4773
if (have_server_cert || (no_server_cert_ok && !require_server_cert))
4530
4776
* Large parameter lists are error-prone, so we emulate a
4543
4789
key_file = var_smtpd_tls_key_file,
4544
4790
dcert_file = var_smtpd_tls_dcert_file,
4545
4791
dkey_file = var_smtpd_tls_dkey_file,
4792
eccert_file = var_smtpd_tls_eccert_file,
4793
eckey_file = var_smtpd_tls_eckey_file,
4546
4794
CAfile = var_smtpd_tls_CAfile,
4547
4795
CApath = var_smtpd_tls_CApath,
4548
4796
dh1024_param_file
4549
4797
= var_smtpd_tls_dh1024_param_file,
4550
4798
dh512_param_file
4551
4799
= var_smtpd_tls_dh512_param_file,
4800
eecdh_grade = var_smtpd_tls_eecdh,
4552
4801
protocols = enforce_tls ?
4553
var_smtpd_tls_mand_proto : "",
4554
ask_ccert = var_smtpd_tls_ask_ccert,
4802
var_smtpd_tls_mand_proto :
4803
var_smtpd_tls_proto,
4804
ask_ccert = ask_client_cert,
4555
4805
fpt_dgst = var_smtpd_tls_fpt_dgst);
4557
4807
msg_warn("No server certs available. TLS won't be enabled");
4644
4894
int main(int argc, char **argv)
4896
static const CONFIG_NINT_TABLE nint_table[] = {
4897
VAR_SMTPD_SOFT_ERLIM, DEF_SMTPD_SOFT_ERLIM, &var_smtpd_soft_erlim, 1, 0,
4898
VAR_SMTPD_HARD_ERLIM, DEF_SMTPD_HARD_ERLIM, &var_smtpd_hard_erlim, 1, 0,
4899
VAR_SMTPD_JUNK_CMD, DEF_SMTPD_JUNK_CMD, &var_smtpd_junk_cmd_limit, 1, 0,
4646
4902
static const CONFIG_INT_TABLE int_table[] = {
4647
4903
VAR_SMTPD_RCPT_LIMIT, DEF_SMTPD_RCPT_LIMIT, &var_smtpd_rcpt_limit, 1, 0,
4648
VAR_SMTPD_SOFT_ERLIM, DEF_SMTPD_SOFT_ERLIM, &var_smtpd_soft_erlim, 1, 0,
4649
VAR_SMTPD_HARD_ERLIM, DEF_SMTPD_HARD_ERLIM, &var_smtpd_hard_erlim, 1, 0,
4650
4904
VAR_QUEUE_MINFREE, DEF_QUEUE_MINFREE, &var_queue_minfree, 0, 0,
4651
4905
VAR_UNK_CLIENT_CODE, DEF_UNK_CLIENT_CODE, &var_unk_client_code, 0, 0,
4652
4906
VAR_BAD_NAME_CODE, DEF_BAD_NAME_CODE, &var_bad_name_code, 0, 0,
4654
4908
VAR_UNK_ADDR_CODE, DEF_UNK_ADDR_CODE, &var_unk_addr_code, 0, 0,
4655
4909
VAR_RELAY_CODE, DEF_RELAY_CODE, &var_relay_code, 0, 0,
4656
4910
VAR_MAPS_RBL_CODE, DEF_MAPS_RBL_CODE, &var_maps_rbl_code, 0, 0,
4657
VAR_ACCESS_MAP_CODE, DEF_ACCESS_MAP_CODE, &var_access_map_code, 0, 0,
4911
VAR_MAP_REJECT_CODE, DEF_MAP_REJECT_CODE, &var_map_reject_code, 0, 0,
4912
VAR_MAP_DEFER_CODE, DEF_MAP_DEFER_CODE, &var_map_defer_code, 0, 0,
4658
4913
VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code, 0, 0,
4659
4914
VAR_DEFER_CODE, DEF_DEFER_CODE, &var_defer_code, 0, 0,
4660
4915
VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, 0, 0,
4661
VAR_SMTPD_JUNK_CMD, DEF_SMTPD_JUNK_CMD, &var_smtpd_junk_cmd_limit, 1, 0,
4662
4916
VAR_SMTPD_RCPT_OVERLIM, DEF_SMTPD_RCPT_OVERLIM, &var_smtpd_rcpt_overlim, 1, 0,
4663
4917
VAR_SMTPD_HIST_THRSH, DEF_SMTPD_HIST_THRSH, &var_smtpd_hist_thrsh, 1, 0,
4664
VAR_UNV_FROM_CODE, DEF_UNV_FROM_CODE, &var_unv_from_code, 0, 0,
4665
VAR_UNV_RCPT_CODE, DEF_UNV_RCPT_CODE, &var_unv_rcpt_code, 0, 0,
4918
VAR_UNV_FROM_RCODE, DEF_UNV_FROM_RCODE, &var_unv_from_rcode, 200, 599,
4919
VAR_UNV_RCPT_RCODE, DEF_UNV_RCPT_RCODE, &var_unv_rcpt_rcode, 200, 599,
4920
VAR_UNV_FROM_DCODE, DEF_UNV_FROM_DCODE, &var_unv_from_dcode, 200, 499,
4921
VAR_UNV_RCPT_DCODE, DEF_UNV_RCPT_DCODE, &var_unv_rcpt_dcode, 200, 499,
4666
4922
VAR_MUL_RCPT_CODE, DEF_MUL_RCPT_CODE, &var_mul_rcpt_code, 0, 0,
4667
4923
VAR_LOCAL_RCPT_CODE, DEF_LOCAL_RCPT_CODE, &var_local_rcpt_code, 0, 0,
4668
4924
VAR_VIRT_ALIAS_CODE, DEF_VIRT_ALIAS_CODE, &var_virt_alias_code, 0, 0,
4713
4969
VAR_SMTPD_USE_TLS, DEF_SMTPD_USE_TLS, &var_smtpd_use_tls,
4714
4970
VAR_SMTPD_ENFORCE_TLS, DEF_SMTPD_ENFORCE_TLS, &var_smtpd_enforce_tls,
4715
4971
VAR_SMTPD_TLS_WRAPPER, DEF_SMTPD_TLS_WRAPPER, &var_smtpd_tls_wrappermode,
4717
4972
VAR_SMTPD_TLS_AUTH_ONLY, DEF_SMTPD_TLS_AUTH_ONLY, &var_smtpd_tls_auth_only,
4718
4974
VAR_SMTPD_TLS_ACERT, DEF_SMTPD_TLS_ACERT, &var_smtpd_tls_ask_ccert,
4719
4975
VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert,
4720
4976
VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header,
4775
5031
VAR_SMTPD_TLS_KEY_FILE, DEF_SMTPD_TLS_KEY_FILE, &var_smtpd_tls_key_file, 0, 0,
4776
5032
VAR_SMTPD_TLS_DCERT_FILE, DEF_SMTPD_TLS_DCERT_FILE, &var_smtpd_tls_dcert_file, 0, 0,
4777
5033
VAR_SMTPD_TLS_DKEY_FILE, DEF_SMTPD_TLS_DKEY_FILE, &var_smtpd_tls_dkey_file, 0, 0,
5034
VAR_SMTPD_TLS_ECCERT_FILE, DEF_SMTPD_TLS_ECCERT_FILE, &var_smtpd_tls_eccert_file, 0, 0,
5035
VAR_SMTPD_TLS_ECKEY_FILE, DEF_SMTPD_TLS_ECKEY_FILE, &var_smtpd_tls_eckey_file, 0, 0,
4778
5036
VAR_SMTPD_TLS_CA_FILE, DEF_SMTPD_TLS_CA_FILE, &var_smtpd_tls_CAfile, 0, 0,
4779
5037
VAR_SMTPD_TLS_CA_PATH, DEF_SMTPD_TLS_CA_PATH, &var_smtpd_tls_CApath, 0, 0,
5038
VAR_SMTPD_TLS_CIPH, DEF_SMTPD_TLS_CIPH, &var_smtpd_tls_ciph, 1, 0,
4780
5039
VAR_SMTPD_TLS_MAND_CIPH, DEF_SMTPD_TLS_MAND_CIPH, &var_smtpd_tls_mand_ciph, 1, 0,
4781
5040
VAR_SMTPD_TLS_EXCL_CIPH, DEF_SMTPD_TLS_EXCL_CIPH, &var_smtpd_tls_excl_ciph, 0, 0,
4782
5041
VAR_SMTPD_TLS_MAND_EXCL, DEF_SMTPD_TLS_MAND_EXCL, &var_smtpd_tls_mand_excl, 0, 0,
5042
VAR_SMTPD_TLS_PROTO, DEF_SMTPD_TLS_PROTO, &var_smtpd_tls_proto, 0, 0,
4783
5043
VAR_SMTPD_TLS_MAND_PROTO, DEF_SMTPD_TLS_MAND_PROTO, &var_smtpd_tls_mand_proto, 0, 0,
4784
5044
VAR_SMTPD_TLS_512_FILE, DEF_SMTPD_TLS_512_FILE, &var_smtpd_tls_dh512_param_file, 0, 0,
4785
5045
VAR_SMTPD_TLS_1024_FILE, DEF_SMTPD_TLS_1024_FILE, &var_smtpd_tls_dh1024_param_file, 0, 0,
5046
VAR_SMTPD_TLS_EECDH, DEF_SMTPD_TLS_EECDH, &var_smtpd_tls_eecdh, 1, 0,
4786
5047
VAR_SMTPD_TLS_FPT_DGST, DEF_SMTPD_TLS_FPT_DGST, &var_smtpd_tls_fpt_dgst, 1, 0,
4788
5049
VAR_SMTPD_TLS_LEVEL, DEF_SMTPD_TLS_LEVEL, &var_smtpd_tls_level, 0, 0,
4801
5062
VAR_MILT_DAEMON_NAME, DEF_MILT_DAEMON_NAME, &var_milt_daemon_name, 1, 0,
4802
5063
VAR_MILT_V, DEF_MILT_V, &var_milt_v, 1, 0,
4803
5064
VAR_STRESS, DEF_STRESS, &var_stress, 0, 0,
5065
VAR_UNV_FROM_WHY, DEF_UNV_FROM_WHY, &var_unv_from_why, 0, 0,
5066
VAR_UNV_RCPT_WHY, DEF_UNV_RCPT_WHY, &var_unv_rcpt_why, 0, 0,
5067
VAR_REJECT_TMPF_ACT, DEF_REJECT_TMPF_ACT, &var_reject_tmpf_act, 1, 0,
5068
VAR_UNK_NAME_TF_ACT, DEF_UNK_NAME_TF_ACT, &var_unk_name_tf_act, 1, 0,
5069
VAR_UNK_ADDR_TF_ACT, DEF_UNK_ADDR_TF_ACT, &var_unk_addr_tf_act, 1, 0,
5070
VAR_UNV_RCPT_TF_ACT, DEF_UNV_RCPT_TF_ACT, &var_unv_rcpt_tf_act, 1, 0,
5071
VAR_UNV_FROM_TF_ACT, DEF_UNV_FROM_TF_ACT, &var_unv_from_tf_act, 1, 0,
4806
5074
static const CONFIG_RAW_TABLE raw_table[] = {