author | Jeremy Harris <jgh146exb@wizmail.org> | 2022-12-10 10:47:05 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2022-12-10 15:53:02 +0000 |
commit | 4243a209fd9499f30bebd58ceaa2d0d9845407ae (patch) | |
tree | b41720cfb1bb6ed0089d6096835587df8d0f5bdd /src | |
parent | f31b1cd64dfcc7e6a8860ee418543949effd517e (diff) | |
download | exim4-4243a209fd9499f30bebd58ceaa2d0d9845407ae.tar.gz |
Move connect ACL before TLS-on-connect
Diffstat (limited to 'src')
-rw-r--r-- | src/src/EDITME | 2 | ||||
-rw-r--r-- | src/src/smtp_in.c | 52 |
2 files changed, 39 insertions, 15 deletions
diff --git a/src/src/EDITME b/src/src/EDITME
index 625df18f5..4fcaeda5b 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -401,7 +401,7 @@ TRANSPORT_SMTP=yes
 # For Redis you need to have hiredis installed on your system
 # (https://github.com/redis/hiredis).
 # Depending on where it is installed you may have to edit the CFLAGS
-# (often += -I/usr/local/include) and LDFLAGS (-lhiredis) lines.
+# (often += -I/usr/local/include) and LOOKUP_LIBS (-lhiredis) lines.
 # If your system has pkg-config then the _INCLUDE/_LIBS setting can be
 # handled for you automatically by also defining the _PC variable to reference
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 9b60702c1..b161f362d 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2505,6 +2505,22 @@ else DEBUG(D_receive)
 #endif
+static void
+log_connect_tls_drop(const uschar * what, const uschar * log_msg)
+{
+gstring * g = s_tlslog(NULL);
+uschar * tls = string_from_gstring(g);
+
+log_write(L_connection_reject,
+  log_reject_target, "%s%s%s dropped by %s%s%s",
+  LOGGING(dnssec) && sender_host_dnssec ? US" DS" : US"",
+  host_and_ident(TRUE),
+  tls ? tls : US"",
+  what,
+  log_msg ? US": " : US"", log_msg);
+}
+
+
 /*************************************************
 * Start an SMTP session *
 *************************************************/
@@ -2857,7 +2873,10 @@ if (!f.sender_host_unknown)
   {
   log_write(L_connection_reject, LOG_MAIN|LOG_REJECT, "refused connection "
     "from %s (host_reject_connection)", host_and_ident(FALSE));
-  smtp_printf("554 SMTP service not available\r\n", FALSE);
+#ifndef DISABLE_TLS
+  if (!tls_in.on_connect)
+#endif
+  smtp_printf("554 SMTP service not available\r\n", FALSE);
   return FALSE;
   }
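Review bot: In the new log_connect_tls_drop the argument order of the `"%s%s%s dropped by %s%s%s"` call places the DNSSEC marker before the host, so a DNSSEC-verified peer is logged as ` DS` immediately followed by the host text with no separator; the leading space in `US" DS"` suggests it was meant to follow `host_and_ident(TRUE)`, i.e. swap those two arguments. The final `%s` receives `log_msg` unguarded even though the separator argument just before it tests `log_msg` for NULL; unless exim's formatter substitutes for a NULL `%s`, pass `log_msg ? log_msg : US""`. A header comment in the file's block style would also help, stating that this path only logs and never writes to the peer, and that `s_tlslog(NULL)` can only describe a session already negotiated — which, now that the connect ACL runs before tls_server_start, may be nothing for the on-connect caller.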
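Review bot: The guarded `smtp_printf("554 SMTP service not available\r\n", FALSE);` now silently closes the connection on TLS-on-connect ports, and nothing in the hunk records why, so a comment above the `#ifndef DISABLE_TLS` would help: `/* With TLS-on-connect the peer expects a handshake, not a plaintext reply, so log and close without answering */`. The reason is inferred from the commit title and the parallel change at the connect-ACL failure; confirm that is the intent. The `if` body that spans `#ifndef`/`#endif` is unbraced, which is this file's style, but it is worth a glance since the `smtp_printf` line is conditional in one build and unconditional in the other. This is inside smtp_start_session, whose body begins and ends outside the hunk.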
@@ -2983,18 +3002,6 @@ if (check_proxy_protocol_host())
   setup_proxy_protocol_host();
 #endif
-/* Start up TLS if tls_on_connect is set. This is for supporting the legacy
-smtps port for use with older style SSL MTAs. */
-
-#ifndef DISABLE_TLS
-if (tls_in.on_connect)
-  {
-  if (tls_server_start(&user_msg) != OK)
-    return smtp_log_tls_fail(user_msg);
-  cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
-  }
-#endif
-
 /* Run the connect ACL if it exists */
 user_msg = NULL;
@@ -3004,11 +3011,28 @@ if (acl_smtp_connect)
   if ((rc = acl_check(ACL_WHERE_CONNECT, NULL, acl_smtp_connect, &user_msg,
     &log_msg)) != OK)
     {
-    (void) smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
+#ifndef DISABLE_TLS
+    if (tls_in.on_connect)
+      log_connect_tls_drop(US"'connect' ACL", log_msg);
+    else
+#endif
+    (void) smtp_handle_acl_fail(ACL_WHERE_CONNECT, rc, user_msg, log_msg);
     return FALSE;
     }
   }
+/* Start up TLS if tls_on_connect is set. This is for supporting the legacy
+smtps port for use with older style SSL MTAs. */
+
+#ifndef DISABLE_TLS
+if (tls_in.on_connect)
+  {
+  if (tls_server_start(&user_msg) != OK)
+    return smtp_log_tls_fail(user_msg);
+  cmd_list[CMD_LIST_TLS_AUTH].is_mail_cmd = TRUE;
+  }
+#endif
+
 /* Output the initial message for a two-way SMTP connection. It may contain
 newlines, which then cause a multi-line response to be given. */
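Review bot: In the on-connect branch of the connect-ACL failure, `rc` and `user_msg` are discarded, so the entry written by `log_connect_tls_drop(US"'connect' ACL", log_msg)` reads the same whether the ACL returned DENY or a temporary DEFER, while the non-TLS path through `smtp_handle_acl_fail` still distinguishes them; consider encoding rc in the `what` text, e.g. `log_connect_tls_drop(rc == DEFER ? US"'connect' ACL (defer)" : US"'connect' ACL", log_msg);`. Moving `tls_server_start` after the ACL also means that, on TLS-on-connect ports, connect-ACL conditions that examine TLS state now run against a session that is not yet encrypted; that is a configuration-visible change worth a comment at the ACL call, such as `/* On tls_on_connect ports this ACL runs before TLS is negotiated; TLS-dependent conditions see no session here */`, plus a ChangeLog/spec note. The `else` followed by `#endif` leaves the `(void) smtp_handle_acl_fail` line as the else-body in TLS builds and a bare statement otherwise, which is correct but easy to misread. The enclosing smtp_start_session begins and ends outside this hunk.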