Commit Message
All of the dma patches in src/patches/ were merged into its upstream
repository by now, thus becoming obsolete and deleted by this patch.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
lfs/dma | 9 +-
src/patches/dma-0.10-better-authentication.patch | 373 -----------------------
src/patches/dma-0.10-better-tls.patch | 26 --
src/patches/dma-0.11-compile-fixes.patch | 29 --
4 files changed, 3 insertions(+), 434 deletions(-)
delete mode 100644 src/patches/dma-0.10-better-authentication.patch
delete mode 100644 src/patches/dma-0.10-better-tls.patch
delete mode 100644 src/patches/dma-0.11-compile-fixes.patch
Comments
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> On 1 Feb 2020, at 20:26, Peter Müller <peter.mueller@ipfire.org> wrote:
>
> All of the dma patches in src/patches/ were merged into its upstream
> repository by now, thus becoming obsolete and deleted by this patch.
>
> Cc: Michael Tremer <michael.tremer@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> lfs/dma | 9 +-
> src/patches/dma-0.10-better-authentication.patch | 373 -----------------------
> src/patches/dma-0.10-better-tls.patch | 26 --
> src/patches/dma-0.11-compile-fixes.patch | 29 --
> 4 files changed, 3 insertions(+), 434 deletions(-)
> delete mode 100644 src/patches/dma-0.10-better-authentication.patch
> delete mode 100644 src/patches/dma-0.10-better-tls.patch
> delete mode 100644 src/patches/dma-0.11-compile-fixes.patch
>
> diff --git a/lfs/dma b/lfs/dma
> index 2b89bcc6e..aceb2704e 100644
> --- a/lfs/dma
> +++ b/lfs/dma
> @@ -1,7 +1,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
> +# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -24,7 +24,7 @@
>
> include Config
>
> -VER = 0.11
> +VER = 0.12
>
> THISAPP = dma-$(VER)
> DL_FILE = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = 4090572921fc33be0977f4010881b501
> +$(DL_FILE)_MD5 = 58cb2a286995381c92dc557e639622d6
>
> install : $(TARGET)
>
> @@ -73,9 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
> mkdir -pv /var/ipfire/dma
> touch /var/ipfire/dma/mail.conf
> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-authentication.patch
> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-tls.patch
> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.11-compile-fixes.patch
> cd $(DIR_APP) && sed -i '/PREFIX/s/usr\/local/usr/g' Makefile
> cd $(DIR_APP) && sed -i '/CONFDIR/s/etc\/dma/var\/ipfire\/dma/g' Makefile
> cd $(DIR_APP) && make
> diff --git a/src/patches/dma-0.10-better-authentication.patch b/src/patches/dma-0.10-better-authentication.patch
> deleted file mode 100644
> index 596168d2a..000000000
> --- a/src/patches/dma-0.10-better-authentication.patch
> +++ /dev/null
> @@ -1,373 +0,0 @@
> -From 1fa7a882dd22d5f619b3645c6597a419034e9b4e Mon Sep 17 00:00:00 2001
> -From: Michael Tremer <michael.tremer@ipfire.org>
> -Date: Mon, 9 Nov 2015 21:52:08 +0000
> -Subject: [PATCH] Implement better authentication
> -
> -DMA tries to authenticate by simply trying various authentication
> -mechanisms. This is obviously not conforming to RFC and some mail
> -providers detect this is spam and reject all emails.
> -
> -This patch parses the EHLO response and reads various keywords
> -from it that can then later in the program be used to jump into
> -certain code paths.
> -
> -Currently this is used to only authenticate with CRAM-MD5 and/or
> -LOGIN if the server supports one or both of these. The
> -implementation can be easily be extended though.
> -
> -Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ----
> - crypto.c | 6 +-
> - dma.h | 13 +++-
> - net.c | 219 +++++++++++++++++++++++++++++++++++++++++++++++----------------
> - 3 files changed, 181 insertions(+), 57 deletions(-)
> -
> -diff --git a/crypto.c b/crypto.c
> -index 897b55b..8048f20 100644
> ---- a/crypto.c
> -+++ b/crypto.c
> -@@ -77,7 +77,7 @@ init_cert_file(SSL_CTX *ctx, const char *path)
> - }
> -
> - int
> --smtp_init_crypto(int fd, int feature)
> -+smtp_init_crypto(int fd, int feature, struct smtp_features* features)
> - {
> - SSL_CTX *ctx = NULL;
> - #if (OPENSSL_VERSION_NUMBER >= 0x00909000L)
> -@@ -118,8 +118,7 @@ smtp_init_crypto(int fd, int feature)
> - /* TLS init phase, disable SSL_write */
> - config.features |= NOSSL;
> -
> -- send_remote_command(fd, "EHLO %s", hostname());
> -- if (read_remote(fd, 0, NULL) == 2) {
> -+ if (perform_server_greeting(fd, features) == 0) {
> - send_remote_command(fd, "STARTTLS");
> - if (read_remote(fd, 0, NULL) != 2) {
> - if ((feature & TLS_OPP) == 0) {
> -@@ -131,6 +130,7 @@ smtp_init_crypto(int fd, int feature)
> - }
> - }
> - }
> -+
> - /* End of TLS init phase, enable SSL_write/read */
> - config.features &= ~NOSSL;
> - }
> -diff --git a/dma.h b/dma.h
> -index acf5e44..ee749d8 100644
> ---- a/dma.h
> -+++ b/dma.h
> -@@ -51,6 +51,7 @@
> - #define BUF_SIZE 2048
> - #define ERRMSG_SIZE 200
> - #define USERNAME_SIZE 50
> -+#define EHLO_RESPONSE_SIZE BUF_SIZE
> - #define MIN_RETRY 300 /* 5 minutes */
> - #define MAX_RETRY (3*60*60) /* retry at least every 3 hours */
> - #define MAX_TIMEOUT (5*24*60*60) /* give up after 5 days */
> -@@ -160,6 +161,15 @@ struct mx_hostentry {
> - struct sockaddr_storage sa;
> - };
> -
> -+struct smtp_auth_mechanisms {
> -+ int cram_md5;
> -+ int login;
> -+};
> -+
> -+struct smtp_features {
> -+ struct smtp_auth_mechanisms auth;
> -+ int starttls;
> -+};
> -
> - /* global variables */
> - extern struct aliases aliases;
> -@@ -187,7 +197,7 @@ void parse_authfile(const char *);
> - /* crypto.c */
> - void hmac_md5(unsigned char *, int, unsigned char *, int, unsigned char *);
> - int smtp_auth_md5(int, char *, char *);
> --int smtp_init_crypto(int, int);
> -+int smtp_init_crypto(int, int, struct smtp_features*);
> -
> - /* dns.c */
> - int dns_get_mx_list(const char *, int, struct mx_hostentry **, int);
> -@@ -196,6 +206,7 @@ int dns_get_mx_list(const char *, int, struct mx_hostentry **, int);
> - char *ssl_errstr(void);
> - int read_remote(int, int, char *);
> - ssize_t send_remote_command(int, const char*, ...) __attribute__((__nonnull__(2), __format__ (__printf__, 2, 3)));
> -+int perform_server_greeting(int, struct smtp_features*);
> - int deliver_remote(struct qitem *);
> -
> - /* base64.c */
> -diff --git a/net.c b/net.c
> -index 26935a8..33ff8f5 100644
> ---- a/net.c
> -+++ b/net.c
> -@@ -247,64 +247,70 @@ read_remote(int fd, int extbufsize, char *extbuf)
> - * Handle SMTP authentication
> - */
> - static int
> --smtp_login(int fd, char *login, char* password)
> -+smtp_login(int fd, char *login, char* password, const struct smtp_features* features)
> - {
> - char *temp;
> - int len, res = 0;
> -
> -- res = smtp_auth_md5(fd, login, password);
> -- if (res == 0) {
> -- return (0);
> -- } else if (res == -2) {
> -- /*
> -- * If the return code is -2, then then the login attempt failed,
> -- * do not try other login mechanisms
> -- */
> -- return (1);
> -- }
> --
> -- if ((config.features & INSECURE) != 0 ||
> -- (config.features & SECURETRANS) != 0) {
> -- /* Send AUTH command according to RFC 2554 */
> -- send_remote_command(fd, "AUTH LOGIN");
> -- if (read_remote(fd, 0, NULL) != 3) {
> -- syslog(LOG_NOTICE, "remote delivery deferred:"
> -- " AUTH login not available: %s",
> -- neterr);
> -+ // CRAM-MD5
> -+ if (features->auth.cram_md5) {
> -+ res = smtp_auth_md5(fd, login, password);
> -+ if (res == 0) {
> -+ return (0);
> -+ } else if (res == -2) {
> -+ /*
> -+ * If the return code is -2, then then the login attempt failed,
> -+ * do not try other login mechanisms
> -+ */
> - return (1);
> - }
> -+ }
> -
> -- len = base64_encode(login, strlen(login), &temp);
> -- if (len < 0) {
> -+ // LOGIN
> -+ if (features->auth.login) {
> -+ if ((config.features & INSECURE) != 0 ||
> -+ (config.features & SECURETRANS) != 0) {
> -+ /* Send AUTH command according to RFC 2554 */
> -+ send_remote_command(fd, "AUTH LOGIN");
> -+ if (read_remote(fd, 0, NULL) != 3) {
> -+ syslog(LOG_NOTICE, "remote delivery deferred:"
> -+ " AUTH login not available: %s",
> -+ neterr);
> -+ return (1);
> -+ }
> -+
> -+ len = base64_encode(login, strlen(login), &temp);
> -+ if (len < 0) {
> - encerr:
> -- syslog(LOG_ERR, "can not encode auth reply: %m");
> -- return (1);
> -- }
> -+ syslog(LOG_ERR, "can not encode auth reply: %m");
> -+ return (1);
> -+ }
> -
> -- send_remote_command(fd, "%s", temp);
> -- free(temp);
> -- res = read_remote(fd, 0, NULL);
> -- if (res != 3) {
> -- syslog(LOG_NOTICE, "remote delivery %s: AUTH login failed: %s",
> -- res == 5 ? "failed" : "deferred", neterr);
> -- return (res == 5 ? -1 : 1);
> -- }
> -+ send_remote_command(fd, "%s", temp);
> -+ free(temp);
> -+ res = read_remote(fd, 0, NULL);
> -+ if (res != 3) {
> -+ syslog(LOG_NOTICE, "remote delivery %s: AUTH login failed: %s",
> -+ res == 5 ? "failed" : "deferred", neterr);
> -+ return (res == 5 ? -1 : 1);
> -+ }
> -
> -- len = base64_encode(password, strlen(password), &temp);
> -- if (len < 0)
> -- goto encerr;
> --
> -- send_remote_command(fd, "%s", temp);
> -- free(temp);
> -- res = read_remote(fd, 0, NULL);
> -- if (res != 2) {
> -- syslog(LOG_NOTICE, "remote delivery %s: Authentication failed: %s",
> -- res == 5 ? "failed" : "deferred", neterr);
> -- return (res == 5 ? -1 : 1);
> -+ len = base64_encode(password, strlen(password), &temp);
> -+ if (len < 0)
> -+ goto encerr;
> -+
> -+ send_remote_command(fd, "%s", temp);
> -+ free(temp);
> -+ res = read_remote(fd, 0, NULL);
> -+ if (res != 2) {
> -+ syslog(LOG_NOTICE, "remote delivery %s: Authentication failed: %s",
> -+ res == 5 ? "failed" : "deferred", neterr);
> -+ return (res == 5 ? -1 : 1);
> -+ }
> -+ } else {
> -+ syslog(LOG_WARNING, "non-encrypted SMTP login is disabled in config, so skipping it. ");
> -+ return (1);
> - }
> -- } else {
> -- syslog(LOG_WARNING, "non-encrypted SMTP login is disabled in config, so skipping it. ");
> -- return (1);
> - }
> -
> - return (0);
> -@@ -348,10 +354,115 @@ close_connection(int fd)
> - close(fd);
> - }
> -
> -+static void parse_auth_line(char* line, struct smtp_auth_mechanisms* auth) {
> -+ // Skip the auth prefix
> -+ line += strlen("AUTH ");
> -+
> -+ char* method = strtok(line, " ");
> -+ while (method) {
> -+ if (strcmp(method, "CRAM-MD5") == 0)
> -+ auth->cram_md5 = 1;
> -+
> -+ else if (strcmp(method, "LOGIN") == 0)
> -+ auth->login = 1;
> -+
> -+ method = strtok(NULL, " ");
> -+ }
> -+}
> -+
> -+int perform_server_greeting(int fd, struct smtp_features* features) {
> -+ /*
> -+ Send EHLO
> -+ XXX allow HELO fallback
> -+ */
> -+ send_remote_command(fd, "EHLO %s", hostname());
> -+
> -+ char buffer[EHLO_RESPONSE_SIZE];
> -+ memset(buffer, 0, sizeof(buffer));
> -+
> -+ int res = read_remote(fd, sizeof(buffer) - 1, buffer);
> -+
> -+ // Got an unexpected response
> -+ if (res != 2)
> -+ return -1;
> -+
> -+ // Reset all features
> -+ memset(features, 0, sizeof(*features));
> -+
> -+ // Run through the buffer line by line
> -+ char linebuffer[EHLO_RESPONSE_SIZE];
> -+ char* p = buffer;
> -+
> -+ while (*p) {
> -+ char* line = linebuffer;
> -+ while (*p && *p != '\n') {
> -+ *line++ = *p++;
> -+ }
> -+
> -+ // p should never point to NULL after the loop
> -+ // above unless we reached the end of the buffer.
> -+ // In that case we will raise an error.
> -+ if (!*p) {
> -+ return -1;
> -+ }
> -+
> -+ // Otherwise p points to the newline character which
> -+ // we will skip.
> -+ p++;
> -+
> -+ // Terminte the string (and remove the carriage-return character)
> -+ *--line = '\0';
> -+ line = linebuffer;
> -+
> -+ // End main loop for empty lines
> -+ if (*line == '\0')
> -+ break;
> -+
> -+ // Process the line
> -+ // - Must start with 250, followed by dash or space
> -+ // - We won't check for the correct usage of space and dash because
> -+ // that is already done in read_remote().
> -+ if ((strncmp(line, "250-", 4) != 0) && (strncmp(line, "250 ", 4) != 0)) {
> -+ syslog(LOG_ERR, "Invalid line: %s\n", line);
> -+ return -1;
> -+ }
> -+
> -+ // Skip the prefix
> -+ line += 4;
> -+
> -+ // Check for STARTTLS
> -+ if (strcmp(line, "STARTTLS") == 0)
> -+ features->starttls = 1;
> -+
> -+ // Parse authentication mechanisms
> -+ else if (strncmp(line, "AUTH ", 5) == 0)
> -+ parse_auth_line(line, &features->auth);
> -+ }
> -+
> -+ syslog(LOG_DEBUG, "Server greeting successfully completed");
> -+
> -+ // STARTTLS
> -+ if (features->starttls)
> -+ syslog(LOG_DEBUG, " Server supports STARTTLS");
> -+ else
> -+ syslog(LOG_DEBUG, " Server does not support STARTTLS");
> -+
> -+ // Authentication
> -+ if (features->auth.cram_md5) {
> -+ syslog(LOG_DEBUG, " Server supports CRAM-MD5 authentication");
> -+ }
> -+ if (features->auth.login) {
> -+ syslog(LOG_DEBUG, " Server supports LOGIN authentication");
> -+ }
> -+
> -+ return 0;
> -+}
> -+
> - static int
> - deliver_to_host(struct qitem *it, struct mx_hostentry *host)
> - {
> - struct authuser *a;
> -+ struct smtp_features features;
> - char line[1000];
> - size_t linelen;
> - int fd, error = 0, do_auth = 0, res = 0;
> -@@ -389,7 +500,7 @@ deliver_to_host(struct qitem *it, struct mx_hostentry *host)
> - }
> -
> - if ((config.features & SECURETRANS) != 0) {
> -- error = smtp_init_crypto(fd, config.features);
> -+ error = smtp_init_crypto(fd, config.features, &features);
> - if (error == 0)
> - syslog(LOG_DEBUG, "SSL initialization successful");
> - else
> -@@ -399,10 +510,12 @@ deliver_to_host(struct qitem *it, struct mx_hostentry *host)
> - READ_REMOTE_CHECK("connect", 2);
> - }
> -
> -- /* XXX allow HELO fallback */
> -- /* XXX record ESMTP keywords */
> -- send_remote_command(fd, "EHLO %s", hostname());
> -- READ_REMOTE_CHECK("EHLO", 2);
> -+ // Say EHLO
> -+ if (perform_server_greeting(fd, &features) != 0) {
> -+ syslog(LOG_ERR, "Could not perform server greeting at %s [%s]: %s",
> -+ host->host, host->addr, neterr);
> -+ return -1;
> -+ }
> -
> - /*
> - * Use SMTP authentication if the user defined an entry for the remote
> -@@ -421,7 +534,7 @@ deliver_to_host(struct qitem *it, struct mx_hostentry *host)
> - * encryption.
> - */
> - syslog(LOG_INFO, "using SMTP authentication for user %s", a->login);
> -- error = smtp_login(fd, a->login, a->password);
> -+ error = smtp_login(fd, a->login, a->password, &features);
> - if (error < 0) {
> - syslog(LOG_ERR, "remote delivery failed:"
> - " SMTP login failed: %m");
> diff --git a/src/patches/dma-0.10-better-tls.patch b/src/patches/dma-0.10-better-tls.patch
> deleted file mode 100644
> index 8f60fdd04..000000000
> --- a/src/patches/dma-0.10-better-tls.patch
> +++ /dev/null
> @@ -1,26 +0,0 @@
> -commit e94f50bbbe7318eec5b6b165ff73d94bbc9d20b0
> -Author: Michael Tremer <michael.tremer@ipfire.org>
> -Date: Sun Feb 11 11:05:43 2018 +0000
> -
> - crypto: Don't limit to TLSv1 only
> -
> - Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> -
> -diff --git a/crypto.c b/crypto.c
> -index 897b55bfdcfc..440c882880b5 100644
> ---- a/crypto.c
> -+++ b/crypto.c
> -@@ -93,7 +93,12 @@ smtp_init_crypto(int fd, int feature)
> - SSL_library_init();
> - SSL_load_error_strings();
> -
> -- meth = TLSv1_client_method();
> -+ // Allow any possible version
> -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
> -+ meth = TLS_client_method();
> -+#else
> -+ meth = SSLv23_client_method();
> -+#endif
> -
> - ctx = SSL_CTX_new(meth);
> - if (ctx == NULL) {
> diff --git a/src/patches/dma-0.11-compile-fixes.patch b/src/patches/dma-0.11-compile-fixes.patch
> deleted file mode 100644
> index a6e5165c9..000000000
> --- a/src/patches/dma-0.11-compile-fixes.patch
> +++ /dev/null
> @@ -1,29 +0,0 @@
> -From 60cf6f03a4b13ec0e491a282ab5233a1619a7a66 Mon Sep 17 00:00:00 2001
> -From: Michael Tremer <michael.tremer@ipfire.org>
> -Date: Tue, 24 Apr 2018 12:30:13 +0100
> -Subject: [PATCH] net.c: Include string.h
> -
> -Various functions that have been used come from string.h. GCC compiled
> -dma without this header, but unfortunately the binary segfaulted at random
> -times.
> -
> -Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ----
> - net.c | 1 +
> - 1 file changed, 1 insertion(+)
> -
> -diff --git a/net.c b/net.c
> -index a1cc3e3bfd79..221dda131a23 100644
> ---- a/net.c
> -+++ b/net.c
> -@@ -53,6 +53,7 @@
> - #include <netdb.h>
> - #include <setjmp.h>
> - #include <signal.h>
> -+#include <string.h>
> - #include <syslog.h>
> - #include <unistd.h>
> -
> ---
> -2.14.3
> -
> --
> 2.16.4
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 0.11
+VER = 0.12
THISAPP = dma-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4090572921fc33be0977f4010881b501
+$(DL_FILE)_MD5 = 58cb2a286995381c92dc557e639622d6
install : $(TARGET)
@@ -73,9 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
mkdir -pv /var/ipfire/dma
touch /var/ipfire/dma/mail.conf
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-authentication.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-tls.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.11-compile-fixes.patch
cd $(DIR_APP) && sed -i '/PREFIX/s/usr\/local/usr/g' Makefile
cd $(DIR_APP) && sed -i '/CONFDIR/s/etc\/dma/var\/ipfire\/dma/g' Makefile
cd $(DIR_APP) && make
deleted file mode 100644
@@ -1,373 +0,0 @@
-From 1fa7a882dd22d5f619b3645c6597a419034e9b4e Mon Sep 17 00:00:00 2001
-From: Michael Tremer <michael.tremer@ipfire.org>
-Date: Mon, 9 Nov 2015 21:52:08 +0000
-Subject: [PATCH] Implement better authentication
-
-DMA tries to authenticate by simply trying various authentication
-mechanisms. This is obviously not conforming to RFC and some mail
-providers detect this is spam and reject all emails.
-
-This patch parses the EHLO response and reads various keywords
-from it that can then later in the program be used to jump into
-certain code paths.
-
-Currently this is used to only authenticate with CRAM-MD5 and/or
-LOGIN if the server supports one or both of these. The
-implementation can be easily be extended though.
-
-Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
----
- crypto.c | 6 +-
- dma.h | 13 +++-
- net.c | 219 +++++++++++++++++++++++++++++++++++++++++++++++----------------
- 3 files changed, 181 insertions(+), 57 deletions(-)
-
-diff --git a/crypto.c b/crypto.c
-index 897b55b..8048f20 100644
---- a/crypto.c
-+++ b/crypto.c
-@@ -77,7 +77,7 @@ init_cert_file(SSL_CTX *ctx, const char *path)
- }
-
- int
--smtp_init_crypto(int fd, int feature)
-+smtp_init_crypto(int fd, int feature, struct smtp_features* features)
- {
- SSL_CTX *ctx = NULL;
- #if (OPENSSL_VERSION_NUMBER >= 0x00909000L)
-@@ -118,8 +118,7 @@ smtp_init_crypto(int fd, int feature)
- /* TLS init phase, disable SSL_write */
- config.features |= NOSSL;
-
-- send_remote_command(fd, "EHLO %s", hostname());
-- if (read_remote(fd, 0, NULL) == 2) {
-+ if (perform_server_greeting(fd, features) == 0) {
- send_remote_command(fd, "STARTTLS");
- if (read_remote(fd, 0, NULL) != 2) {
- if ((feature & TLS_OPP) == 0) {
-@@ -131,6 +130,7 @@ smtp_init_crypto(int fd, int feature)
- }
- }
- }
-+
- /* End of TLS init phase, enable SSL_write/read */
- config.features &= ~NOSSL;
- }
-diff --git a/dma.h b/dma.h
-index acf5e44..ee749d8 100644
---- a/dma.h
-+++ b/dma.h
-@@ -51,6 +51,7 @@
- #define BUF_SIZE 2048
- #define ERRMSG_SIZE 200
- #define USERNAME_SIZE 50
-+#define EHLO_RESPONSE_SIZE BUF_SIZE
- #define MIN_RETRY 300 /* 5 minutes */
- #define MAX_RETRY (3*60*60) /* retry at least every 3 hours */
- #define MAX_TIMEOUT (5*24*60*60) /* give up after 5 days */
-@@ -160,6 +161,15 @@ struct mx_hostentry {
- struct sockaddr_storage sa;
- };
-
-+struct smtp_auth_mechanisms {
-+ int cram_md5;
-+ int login;
-+};
-+
-+struct smtp_features {
-+ struct smtp_auth_mechanisms auth;
-+ int starttls;
-+};
-
- /* global variables */
- extern struct aliases aliases;
-@@ -187,7 +197,7 @@ void parse_authfile(const char *);
- /* crypto.c */
- void hmac_md5(unsigned char *, int, unsigned char *, int, unsigned char *);
- int smtp_auth_md5(int, char *, char *);
--int smtp_init_crypto(int, int);
-+int smtp_init_crypto(int, int, struct smtp_features*);
-
- /* dns.c */
- int dns_get_mx_list(const char *, int, struct mx_hostentry **, int);
-@@ -196,6 +206,7 @@ int dns_get_mx_list(const char *, int, struct mx_hostentry **, int);
- char *ssl_errstr(void);
- int read_remote(int, int, char *);
- ssize_t send_remote_command(int, const char*, ...) __attribute__((__nonnull__(2), __format__ (__printf__, 2, 3)));
-+int perform_server_greeting(int, struct smtp_features*);
- int deliver_remote(struct qitem *);
-
- /* base64.c */
-diff --git a/net.c b/net.c
-index 26935a8..33ff8f5 100644
---- a/net.c
-+++ b/net.c
-@@ -247,64 +247,70 @@ read_remote(int fd, int extbufsize, char *extbuf)
- * Handle SMTP authentication
- */
- static int
--smtp_login(int fd, char *login, char* password)
-+smtp_login(int fd, char *login, char* password, const struct smtp_features* features)
- {
- char *temp;
- int len, res = 0;
-
-- res = smtp_auth_md5(fd, login, password);
-- if (res == 0) {
-- return (0);
-- } else if (res == -2) {
-- /*
-- * If the return code is -2, then then the login attempt failed,
-- * do not try other login mechanisms
-- */
-- return (1);
-- }
--
-- if ((config.features & INSECURE) != 0 ||
-- (config.features & SECURETRANS) != 0) {
-- /* Send AUTH command according to RFC 2554 */
-- send_remote_command(fd, "AUTH LOGIN");
-- if (read_remote(fd, 0, NULL) != 3) {
-- syslog(LOG_NOTICE, "remote delivery deferred:"
-- " AUTH login not available: %s",
-- neterr);
-+ // CRAM-MD5
-+ if (features->auth.cram_md5) {
-+ res = smtp_auth_md5(fd, login, password);
-+ if (res == 0) {
-+ return (0);
-+ } else if (res == -2) {
-+ /*
-+ * If the return code is -2, then then the login attempt failed,
-+ * do not try other login mechanisms
-+ */
- return (1);
- }
-+ }
-
-- len = base64_encode(login, strlen(login), &temp);
-- if (len < 0) {
-+ // LOGIN
-+ if (features->auth.login) {
-+ if ((config.features & INSECURE) != 0 ||
-+ (config.features & SECURETRANS) != 0) {
-+ /* Send AUTH command according to RFC 2554 */
-+ send_remote_command(fd, "AUTH LOGIN");
-+ if (read_remote(fd, 0, NULL) != 3) {
-+ syslog(LOG_NOTICE, "remote delivery deferred:"
-+ " AUTH login not available: %s",
-+ neterr);
-+ return (1);
-+ }
-+
-+ len = base64_encode(login, strlen(login), &temp);
-+ if (len < 0) {
- encerr:
-- syslog(LOG_ERR, "can not encode auth reply: %m");
-- return (1);
-- }
-+ syslog(LOG_ERR, "can not encode auth reply: %m");
-+ return (1);
-+ }
-
-- send_remote_command(fd, "%s", temp);
-- free(temp);
-- res = read_remote(fd, 0, NULL);
-- if (res != 3) {
-- syslog(LOG_NOTICE, "remote delivery %s: AUTH login failed: %s",
-- res == 5 ? "failed" : "deferred", neterr);
-- return (res == 5 ? -1 : 1);
-- }
-+ send_remote_command(fd, "%s", temp);
-+ free(temp);
-+ res = read_remote(fd, 0, NULL);
-+ if (res != 3) {
-+ syslog(LOG_NOTICE, "remote delivery %s: AUTH login failed: %s",
-+ res == 5 ? "failed" : "deferred", neterr);
-+ return (res == 5 ? -1 : 1);
-+ }
-
-- len = base64_encode(password, strlen(password), &temp);
-- if (len < 0)
-- goto encerr;
--
-- send_remote_command(fd, "%s", temp);
-- free(temp);
-- res = read_remote(fd, 0, NULL);
-- if (res != 2) {
-- syslog(LOG_NOTICE, "remote delivery %s: Authentication failed: %s",
-- res == 5 ? "failed" : "deferred", neterr);
-- return (res == 5 ? -1 : 1);
-+ len = base64_encode(password, strlen(password), &temp);
-+ if (len < 0)
-+ goto encerr;
-+
-+ send_remote_command(fd, "%s", temp);
-+ free(temp);
-+ res = read_remote(fd, 0, NULL);
-+ if (res != 2) {
-+ syslog(LOG_NOTICE, "remote delivery %s: Authentication failed: %s",
-+ res == 5 ? "failed" : "deferred", neterr);
-+ return (res == 5 ? -1 : 1);
-+ }
-+ } else {
-+ syslog(LOG_WARNING, "non-encrypted SMTP login is disabled in config, so skipping it. ");
-+ return (1);
- }
-- } else {
-- syslog(LOG_WARNING, "non-encrypted SMTP login is disabled in config, so skipping it. ");
-- return (1);
- }
-
- return (0);
-@@ -348,10 +354,115 @@ close_connection(int fd)
- close(fd);
- }
-
-+static void parse_auth_line(char* line, struct smtp_auth_mechanisms* auth) {
-+ // Skip the auth prefix
-+ line += strlen("AUTH ");
-+
-+ char* method = strtok(line, " ");
-+ while (method) {
-+ if (strcmp(method, "CRAM-MD5") == 0)
-+ auth->cram_md5 = 1;
-+
-+ else if (strcmp(method, "LOGIN") == 0)
-+ auth->login = 1;
-+
-+ method = strtok(NULL, " ");
-+ }
-+}
-+
-+int perform_server_greeting(int fd, struct smtp_features* features) {
-+ /*
-+ Send EHLO
-+ XXX allow HELO fallback
-+ */
-+ send_remote_command(fd, "EHLO %s", hostname());
-+
-+ char buffer[EHLO_RESPONSE_SIZE];
-+ memset(buffer, 0, sizeof(buffer));
-+
-+ int res = read_remote(fd, sizeof(buffer) - 1, buffer);
-+
-+ // Got an unexpected response
-+ if (res != 2)
-+ return -1;
-+
-+ // Reset all features
-+ memset(features, 0, sizeof(*features));
-+
-+ // Run through the buffer line by line
-+ char linebuffer[EHLO_RESPONSE_SIZE];
-+ char* p = buffer;
-+
-+ while (*p) {
-+ char* line = linebuffer;
-+ while (*p && *p != '\n') {
-+ *line++ = *p++;
-+ }
-+
-+ // p should never point to NULL after the loop
-+ // above unless we reached the end of the buffer.
-+ // In that case we will raise an error.
-+ if (!*p) {
-+ return -1;
-+ }
-+
-+ // Otherwise p points to the newline character which
-+ // we will skip.
-+ p++;
-+
-+ // Terminte the string (and remove the carriage-return character)
-+ *--line = '\0';
-+ line = linebuffer;
-+
-+ // End main loop for empty lines
-+ if (*line == '\0')
-+ break;
-+
-+ // Process the line
-+ // - Must start with 250, followed by dash or space
-+ // - We won't check for the correct usage of space and dash because
-+ // that is already done in read_remote().
-+ if ((strncmp(line, "250-", 4) != 0) && (strncmp(line, "250 ", 4) != 0)) {
-+ syslog(LOG_ERR, "Invalid line: %s\n", line);
-+ return -1;
-+ }
-+
-+ // Skip the prefix
-+ line += 4;
-+
-+ // Check for STARTTLS
-+ if (strcmp(line, "STARTTLS") == 0)
-+ features->starttls = 1;
-+
-+ // Parse authentication mechanisms
-+ else if (strncmp(line, "AUTH ", 5) == 0)
-+ parse_auth_line(line, &features->auth);
-+ }
-+
-+ syslog(LOG_DEBUG, "Server greeting successfully completed");
-+
-+ // STARTTLS
-+ if (features->starttls)
-+ syslog(LOG_DEBUG, " Server supports STARTTLS");
-+ else
-+ syslog(LOG_DEBUG, " Server does not support STARTTLS");
-+
-+ // Authentication
-+ if (features->auth.cram_md5) {
-+ syslog(LOG_DEBUG, " Server supports CRAM-MD5 authentication");
-+ }
-+ if (features->auth.login) {
-+ syslog(LOG_DEBUG, " Server supports LOGIN authentication");
-+ }
-+
-+ return 0;
-+}
-+
- static int
- deliver_to_host(struct qitem *it, struct mx_hostentry *host)
- {
- struct authuser *a;
-+ struct smtp_features features;
- char line[1000];
- size_t linelen;
- int fd, error = 0, do_auth = 0, res = 0;
-@@ -389,7 +500,7 @@ deliver_to_host(struct qitem *it, struct mx_hostentry *host)
- }
-
- if ((config.features & SECURETRANS) != 0) {
-- error = smtp_init_crypto(fd, config.features);
-+ error = smtp_init_crypto(fd, config.features, &features);
- if (error == 0)
- syslog(LOG_DEBUG, "SSL initialization successful");
- else
-@@ -399,10 +510,12 @@ deliver_to_host(struct qitem *it, struct mx_hostentry *host)
- READ_REMOTE_CHECK("connect", 2);
- }
-
-- /* XXX allow HELO fallback */
-- /* XXX record ESMTP keywords */
-- send_remote_command(fd, "EHLO %s", hostname());
-- READ_REMOTE_CHECK("EHLO", 2);
-+ // Say EHLO
-+ if (perform_server_greeting(fd, &features) != 0) {
-+ syslog(LOG_ERR, "Could not perform server greeting at %s [%s]: %s",
-+ host->host, host->addr, neterr);
-+ return -1;
-+ }
-
- /*
- * Use SMTP authentication if the user defined an entry for the remote
-@@ -421,7 +534,7 @@ deliver_to_host(struct qitem *it, struct mx_hostentry *host)
- * encryption.
- */
- syslog(LOG_INFO, "using SMTP authentication for user %s", a->login);
-- error = smtp_login(fd, a->login, a->password);
-+ error = smtp_login(fd, a->login, a->password, &features);
- if (error < 0) {
- syslog(LOG_ERR, "remote delivery failed:"
- " SMTP login failed: %m");
deleted file mode 100644
@@ -1,26 +0,0 @@
-commit e94f50bbbe7318eec5b6b165ff73d94bbc9d20b0
-Author: Michael Tremer <michael.tremer@ipfire.org>
-Date: Sun Feb 11 11:05:43 2018 +0000
-
- crypto: Don't limit to TLSv1 only
-
- Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-
-diff --git a/crypto.c b/crypto.c
-index 897b55bfdcfc..440c882880b5 100644
---- a/crypto.c
-+++ b/crypto.c
-@@ -93,7 +93,12 @@ smtp_init_crypto(int fd, int feature)
- SSL_library_init();
- SSL_load_error_strings();
-
-- meth = TLSv1_client_method();
-+ // Allow any possible version
-+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
-+ meth = TLS_client_method();
-+#else
-+ meth = SSLv23_client_method();
-+#endif
-
- ctx = SSL_CTX_new(meth);
- if (ctx == NULL) {
deleted file mode 100644
@@ -1,29 +0,0 @@
-From 60cf6f03a4b13ec0e491a282ab5233a1619a7a66 Mon Sep 17 00:00:00 2001
-From: Michael Tremer <michael.tremer@ipfire.org>
-Date: Tue, 24 Apr 2018 12:30:13 +0100
-Subject: [PATCH] net.c: Include string.h
-
-Various functions that have been used come from string.h. GCC compiled
-dma without this header, but unfortunately the binary segfaulted at random
-times.
-
-Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
----
- net.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/net.c b/net.c
-index a1cc3e3bfd79..221dda131a23 100644
---- a/net.c
-+++ b/net.c
-@@ -53,6 +53,7 @@
- #include <netdb.h>
- #include <setjmp.h>
- #include <signal.h>
-+#include <string.h>
- #include <syslog.h>
- #include <unistd.h>
-
-2.14.3
-