Workaround: report a {client_connections} Milter macro value
of zero instead of garbage, when the remote SMTP client is
- excluded from connection count limits. Problem reported by
- Christian Roessner. File: smtpd/smtpd_state,c,
+ not subject to any smtpd_client_* limits. Problem reported
+ by Christian Roessner. Files: smtpd/smtpd_state.c,
+ proto/MILTER_README.html.
+
+20110817
+
+ Cleanup: avoid misleading error messages after future code
+ change. The tls_bio_ops(3) module now returns non-zero errno
+ values only when requests fail due to a system-call error.
+ File: tls/tls_bio_ops.c.
+
+ Cleanup: TLS handshake error messages. The SMTP client and
+ server now report STARTTLS network errors as "connection
+ timed out", "connection reset by peer", etc., instead of
+ reporting TLS error number 0. Files: tls/tls_bio_ops.c,
+ tls/tls_server.c, tls/tls_client.c.
+
+20110818
+
+ Cleanup: VSTREAM-over-TLS error return values, for robustness
+ against future change. For consistency with VSTREAM internal
+ interfaces, the tls_stream(3) read/write routines now return
+ -1 instead of unspecified negative OpenSSL results. File:
+ tls/tls_stream.c.
+
+20110819
+
+ Cleanup: further TLS code cleanups, for robustness against
+ future change. Unexpected TLS errors are no longer silently
+ treated as ordinary errors, and one corner-case error in TLS
+ timeout handling was fixed before it could cause trouble.
+ File: tls/tls_bio_ops.c.
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
|{client_addr} |Always |Client IP address |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |{client_connections}|CONNECT |Connection concurrency for|
- | | |this client |
+ | | |Connection concurrency for|
+ | | |this client (zero if the |
+ |{client_connections}|CONNECT |client is excluded from |
+ | | |all smtpd_client_* |
+ | | |limits). |
|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
| | |Client hostname |
| | |When address -> name |
address </td> </tr>
<tr> <td> {client_connections} </td> <td> CONNECT </td> <td>
-Connection concurrency for this client </td> </tr>
+Connection concurrency for this client (zero if the client is
+excluded from all smtpd_client_* limits). </td> </tr>
<tr> <td> {client_name} </td> <td> Always </td> <td> Client hostname
<br> When address → name lookup or name → address
<a href="http://tools.ietf.org/html/rfc1123">RFC 1123</a> (Host requirements)
<a href="http://tools.ietf.org/html/rfc1652">RFC 1652</a> (8bit-MIME transport)
<a href="http://tools.ietf.org/html/rfc1869">RFC 1869</a> (SMTP service extensions)
- <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message Size Declaration)
+ <a href="http://tools.ietf.org/html/rfc1870">RFC 1870</a> (Message size declaration)
<a href="http://tools.ietf.org/html/rfc1985">RFC 1985</a> (ETRN command)
- <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP Enhanced Status Codes)
+ <a href="http://tools.ietf.org/html/rfc2034">RFC 2034</a> (SMTP enhanced status codes)
<a href="http://tools.ietf.org/html/rfc2554">RFC 2554</a> (AUTH command)
<a href="http://tools.ietf.org/html/rfc2821">RFC 2821</a> (SMTP protocol)
- <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP Pipelining)
+ <a href="http://tools.ietf.org/html/rfc2920">RFC 2920</a> (SMTP pipelining)
<a href="http://tools.ietf.org/html/rfc3207">RFC 3207</a> (STARTTLS command)
- <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN Extension)
- <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced Status Codes)
- <a href="http://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP Transmission Types)
+ <a href="http://tools.ietf.org/html/rfc3461">RFC 3461</a> (SMTP DSN extension)
+ <a href="http://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
+ <a href="http://tools.ietf.org/html/rfc3848">RFC 3848</a> (ESMTP transmission types)
+ <a href="http://tools.ietf.org/html/rfc4409">RFC 4409</a> (Message submission)
<a href="http://tools.ietf.org/html/rfc4954">RFC 4954</a> (AUTH command)
<b>DIAGNOSTICS</b>
<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time
limit, from a time limit per read or write system
- call, to a time limit to read or write a complete
+ call, to a time limit to send or receive a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
<b><a href="postconf.5.html#smtpd_per_record_deadline">smtpd_per_record_deadline</a> (normal: no, overload: yes)</b>
Change the behavior of the <a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> time
limit, from a time limit per read or write system
- call, to a time limit to read or write a complete
+ call, to a time limit to send or receive a complete
record (an SMTP command line, SMTP response line,
SMTP message content line, or TLS protocol mes-
sage).
RFC 1123 (Host requirements)
RFC 1652 (8bit-MIME transport)
RFC 1869 (SMTP service extensions)
-RFC 1870 (Message Size Declaration)
+RFC 1870 (Message size declaration)
RFC 1985 (ETRN command)
-RFC 2034 (SMTP Enhanced Status Codes)
+RFC 2034 (SMTP enhanced status codes)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
-RFC 2920 (SMTP Pipelining)
+RFC 2920 (SMTP pipelining)
RFC 3207 (STARTTLS command)
-RFC 3461 (SMTP DSN Extension)
-RFC 3463 (Enhanced Status Codes)
-RFC 3848 (ESMTP Transmission Types)
+RFC 3461 (SMTP DSN extension)
+RFC 3463 (Enhanced status codes)
+RFC 3848 (ESMTP transmission types)
+RFC 4409 (Message submission)
RFC 4954 (AUTH command)
.SH DIAGNOSTICS
.ad
address </td> </tr>
<tr> <td> {client_connections} </td> <td> CONNECT </td> <td>
-Connection concurrency for this client </td> </tr>
+Connection concurrency for this client (zero if the client is
+excluded from all smtpd_client_* limits). </td> </tr>
<tr> <td> {client_name} </td> <td> Always </td> <td> Client hostname
<br> When address → name lookup or name → address
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20110814"
+#define MAIL_RELEASE_DATE "20110820"
#define MAIL_VERSION_NUMBER "2.9"
#ifdef SNAPSHOT
/* RFC 1123 (Host requirements)
/* RFC 1652 (8bit-MIME transport)
/* RFC 1869 (SMTP service extensions)
-/* RFC 1870 (Message Size Declaration)
+/* RFC 1870 (Message size declaration)
/* RFC 1985 (ETRN command)
-/* RFC 2034 (SMTP Enhanced Status Codes)
+/* RFC 2034 (SMTP enhanced status codes)
/* RFC 2554 (AUTH command)
/* RFC 2821 (SMTP protocol)
-/* RFC 2920 (SMTP Pipelining)
+/* RFC 2920 (SMTP pipelining)
/* RFC 3207 (STARTTLS command)
-/* RFC 3461 (SMTP DSN Extension)
-/* RFC 3463 (Enhanced Status Codes)
-/* RFC 3848 (ESMTP Transmission Types)
+/* RFC 3461 (SMTP DSN extension)
+/* RFC 3463 (Enhanced status codes)
+/* RFC 3848 (ESMTP transmission types)
+/* RFC 4409 (Message submission)
/* RFC 4954 (AUTH command)
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
/* Change the behavior of the smtpd_timeout time limit, from a
-/* time limit per read or write system call, to a time limit to read
-/* or write a complete record (an SMTP command line, SMTP response
+/* time limit per read or write system call, to a time limit to send
+/* or receive a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* ADDRESS REWRITING CONTROLS
/* .ad
/* Available in Postfix version 2.9 and later:
/* .IP "\fBsmtpd_per_record_deadline (normal: no, overload: yes)\fR"
/* Change the behavior of the smtpd_timeout time limit, from a
-/* time limit per read or write system call, to a time limit to read
-/* or write a complete record (an SMTP command line, SMTP response
+/* time limit per read or write system call, to a time limit to send
+/* or receive a complete record (an SMTP command line, SMTP response
/* line, SMTP message content line, or TLS protocol message).
/* TARPIT CONTROLS
/* .ad
/* int timeout;
/* TLS_SESS_STATE *context;
/* DESCRIPTION
-/* This module enforces timeouts on non-blocking I/O while
-/* performing TLS handshake or input/output operations.
+/* This module enforces VSTREAM-style timeouts on non-blocking
+/* I/O while performing TLS handshake or input/output operations.
/*
/* The Postfix VSTREAM read/write routines invoke the
/* tls_bio_read/write routines to send and receive plain-text
/* .IP TLScontext
/* TLS session state.
/* DIAGNOSTICS
-/* The result value is -1 in case of a network read/write
-/* error, otherwise it is the result value of the TLS operation.
+/* A result value > 0 means successful completion.
+/*
+/* A result value < 0 means that the requested operation did
+/* not complete due to TLS protocol failure, system call
+/* failure, or for any reason described under "in addition"
+/* below.
+/*
+/* A result value of 0 from tls_bio_shutdown() means that the
+/* operation is in progress. A result value of 0 from other
+/* tls_bio_ops(3) operations means that the remote party either
+/* closed the network connection or that it sent a TLS shutdown
+/* request.
+/*
+/* Upon return from the tls_bio_ops(3) routines the global
+/* errno value is non-zero when the requested operation did not
+/* complete due to system call failure.
+/*
+/* In addition, the result value is set to -1, and the global
+/* errno value is set to ETIMEDOUT, when some network read/write
+/* operation did not complete within the time limit.
/* LICENSE
/* .ad
/* .fi
const char *myname = "tls_bio";
int status;
int err;
- int retval = 0;
- int done;
int enable_deadline;
struct timeval time_limit; /* initial time limit */
struct timeval time_left; /* amount of time left */
struct timeval time_now; /* time after SSL_mumble() call */
struct timeval time_elapsed; /* total elapsed time */
+ /*
+ * Compensation for interface mis-match: With VSTREAMs, timeout <= 0
+ * means wait forever; with the read/write_wait() calls below, we need
+ * to specify timeout < 0 instead.
+ *
+ * Safety: no time limit means no deadline.
+ */
+ if (timeout <= 0) {
+ timeout = -1;
+ enable_deadline = 0;
+ }
+
/*
* Deadline management is simpler than with VSTREAMs, because we don't
* need to decrement a per-stream time limit. We just work within the
* budget that is available for this tls_bio() call.
*/
- enable_deadline = vstream_fstat(TLScontext->stream, VSTREAM_FLAG_DEADLINE);
- if (enable_deadline) {
- time_limit.tv_sec = timeout;
- time_limit.tv_usec = 0;
- GETTIMEOFDAY(&time_entry);
+ else {
+ enable_deadline =
+ vstream_fstat(TLScontext->stream, VSTREAM_FLAG_DEADLINE);
+ if (enable_deadline) {
+ time_limit.tv_sec = timeout;
+ time_limit.tv_usec = 0;
+ GETTIMEOFDAY(&time_entry);
+ }
}
/*
* If necessary, retry the SSL handshake or read/write operation after
* handling any pending network I/O.
*/
- for (done = 0; done == 0; /* void */ ) {
+ for (;;) {
if (hsfunc)
status = hsfunc(TLScontext->con);
else if (rfunc)
#endif
/*
+ * Correspondence between SSL_ERROR_* error codes and tls_bio_(read,
+ * write, accept, connect, shutdown) return values (for brevity:
+ * retval).
+ *
+ * SSL_ERROR_NONE corresponds with retval > 0. With SSL_(read, write)
+ * this is the number of plaintext bytes sent or received. With
+ * SSL_(accept, connect, shutdown) this means that the operation was
+ * completed successfully.
+ *
+ * SSL_ERROR_WANT_(WRITE, READ) start a new loop iteration, or force
+ * (retval = -1, errno = ETIMEDOUT) when the time limit is exceeded.
+ *
+ * All other SSL_ERROR_* cases correspond with retval <= 0. With
+ * SSL_(read, write, accept, connect) retval == 0 means that the
+ * remote party either closed the network connection or that it
+ * requested TLS shutdown; with SSL_shutdown() retval == 0 means that
+ * our own shutdown request is in progress. With all operations
+ * retval < 0 means that there was an error. In the latter case,
+ * SSL_ERROR_SYSCALL means that error details are returned via the
+ * errno value.
+ *
* Find out if we must retry the operation and/or if there is pending
* network I/O.
*
* anomaly here and repeat the call.
*/
switch (err) {
- case SSL_ERROR_NONE: /* success */
- retval = status;
- done = 1;
- break;
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_READ:
if (enable_deadline) {
}
break;
+ /*
+ * Unhandled cases: SSL_ERROR_WANT_(ACCEPT, CONNECT, X509_LOOKUP)
+ * etc. Historically, Postfix silently treated these as ordinary
+ * I/O errors so we don't really know how common they are. For
+ * now, we just log a warning.
+ */
+ default:
+ msg_warn("%s: unexpected SSL_ERROR code %d", myname, err);
+ /* FALLTHROUGH */
+
/*
* With tls_timed_read() and tls_timed_write() the caller is the
* VSTREAM library module which is unaware of TLS, so we log the
if (rfunc || wfunc)
tls_print_errors();
/* FALLTHROUGH */
- default:
- retval = status;
- done = 1;
- break;
+ case SSL_ERROR_ZERO_RETURN:
+ case SSL_ERROR_NONE:
+ errno = 0; /* avoid bogus warnings */
+ /* FALLTHROUGH */
+ case SSL_ERROR_SYSCALL:
+ return (status);
}
}
- return (retval);
}
#endif
sts = tls_bio_connect(vstream_fileno(props->stream), props->timeout,
TLScontext);
if (sts <= 0) {
- msg_info("SSL_connect error to %s: %d", props->namaddr, sts);
- tls_print_errors();
+ if (ERR_peek_error() != 0) {
+ msg_info("SSL_connect error to %s: %d", props->namaddr, sts);
+ tls_print_errors();
+ } else if (errno != 0) {
+ msg_info("SSL_connect error to %s: %m", props->namaddr);
+ } else {
+ msg_info("SSL_connect error to %s: lost connection",
+ props->namaddr);
+ }
uncache_session(app_ctx->ssl_ctx, TLScontext);
tls_free_context(TLScontext);
return (0);
sts = tls_bio_accept(vstream_fileno(props->stream), props->timeout,
TLScontext);
if (sts <= 0) {
- msg_info("SSL_accept error from %s: %d", props->namaddr, sts);
- tls_print_errors();
+ if (ERR_peek_error() != 0) {
+ msg_info("SSL_accept error from %s: %d", props->namaddr, sts);
+ tls_print_errors();
+ } else if (errno != 0) {
+ msg_info("SSL_accept error from %s: %m", props->namaddr);
+ } else {
+ msg_info("SSL_accept error from %s: lost connection",
+ props->namaddr);
+ }
tls_free_context(TLScontext);
return (0);
}
/* tls_stream_stop() replaces the VSTREAM read/write routines
/* by dummies that have no side effects, and deletes the
/* VSTREAM's reference to the TLS context.
+/* DIAGNOSTICS
+/* The tls_stream(3) read/write routines return the non-zero
+/* number of plaintext bytes read/written if successful; -1
+/* after TLS protocol failure, system-call failure, or for any
+/* reason described under "in addition" below; and zero when
+/* the remote party closed the connection or sent a TLS shutdown
+/* request.
+/*
+/* Upon return from the tls_stream(3) read/write routines the
+/* global errno value is non-zero when the requested operation
+/* did not complete due to system call failure.
+/*
+/* In addition, the result value is set to -1, and the global
+/* errno value is set to ETIMEDOUT, when a network read/write
+/* request did not complete within the time limit.
/* SEE ALSO
/* dummy_read(3), placebo read routine
/* dummy_write(3), placebo write routine
#define TLS_INTERNAL
#include <tls.h>
+ /*
+ * Interface mis-match compensation. The OpenSSL read/write routines return
+ * unspecified negative values when an operation fails, while the vstream(3)
+ * plaintext timed_read/write() functions follow the convention of UNIX
+ * system calls, and return -1 upon error. The macro below makes OpenSSL
+ * read/write results consistent with the UNIX system-call convention.
+ */
+#define NORMALIZED_VSTREAM_RETURN(retval) ((retval) < 0 ? -1 : (retval))
+
/* tls_timed_read - read content from stream, then TLS decapsulate */
static ssize_t tls_timed_read(int fd, void *buf, size_t len, int timeout,
if (ret > 0 && TLScontext->log_level >= 4)
msg_info("Read %ld chars: %.*s",
(long) ret, (int) (ret > 40 ? 40 : ret), (char *) buf);
- return (ret);
+ return (NORMALIZED_VSTREAM_RETURN(ret));
}
/* tls_timed_write - TLS encapsulate content, then write to stream */
void *context)
{
const char *myname = "tls_timed_write";
+ ssize_t ret;
TLS_SESS_STATE *TLScontext;
TLScontext = (TLS_SESS_STATE *) context;
if (TLScontext->log_level >= 4)
msg_info("Write %ld chars: %.*s",
(long) len, (int) (len > 40 ? 40 : len), (char *) buf);
- return (tls_bio_write(fd, buf, len, timeout, TLScontext));
+ ret = tls_bio_write(fd, buf, len, timeout, TLScontext);
+ return (NORMALIZED_VSTREAM_RETURN(ret));
}
/* tls_stream_start - start VSTREAM over TLS */
/* .IP "VSTREAM_CTL_READ_FN (ssize_t (*)(int, void *, size_t, int, void *))"
/* The argument specifies an alternative for the timed_read(3) function,
/* for example, a read function that performs decryption.
+/* This function receives as arguments a file descriptor, buffer pointer,
+/* buffer length, timeout value, and the VSTREAM's context value.
+/* A timeout value <= 0 disables the time limit.
+/* This function should return the positive number of bytes transferred,
+/* 0 upon EOF, and -1 upon error with errno set appropriately.
/* .IP "VSTREAM_CTL_WRITE_FN (ssize_t (*)(int, void *, size_t, int, void *))"
/* The argument specifies an alternative for the timed_write(3) function,
/* for example, a write function that performs encryption.
+/* This function receives as arguments a file descriptor, buffer pointer,
+/* buffer length, timeout value, and the VSTREAM's context value.
+/* A timeout value <= 0 disables the time limit.
+/* This function should return the positive number of bytes transferred,
+/* and -1 upon error with errno set appropriately. Instead of -1 it may
+/* also return 0, e.g., upon remote party-initiated protocol shutdown.
/* .IP "VSTREAM_CTL_CONTEXT (char *)"
/* The argument specifies application context that is passed on to
/* the application-specified read/write routines. No copy is made.
projects / thirdparty / postfix.git / commitdiff
