/*
 * Copyright (c) 1998-2008 Sendmail, Inc. and its suppliers.
 *      All rights reserved.
 * Copyright (c) 1983, 1995-1997 Eric P. Allman.  All rights reserved.
 * Copyright (c) 1988, 1993
 *      The Regents of the University of California.  All rights reserved.
 *
 * By using this file, you agree to the terms and conditions set
 * forth in the LICENSE file which can be found at the top level of
 * the sendmail distribution.
 *
 */

#include <sendmail.h>
#if MILTER
# include <libmilter/mfapi.h>
# include <libmilter/mfdef.h>
#endif /* MILTER */

SM_RCSID("@(#)$Id: srvrsmtp.c,v 8.989 2009/12/18 17:08:01 ca Exp $")

#include <sm/time.h>
#include <sm/fdset.h>

#if SASL || STARTTLS
# include "sfsasl.h"
#endif /* SASL || STARTTLS */
#if SASL
# define ENC64LEN(l)    (((l) + 2) * 4 / 3 + 1)
static int saslmechs __P((sasl_conn_t *, char **));
#endif /* SASL */
#if STARTTLS
# include <sysexits.h>

static SSL_CTX  *srv_ctx = NULL;        /* TLS server context */
static SSL      *srv_ssl = NULL;        /* per connection context */

static bool     tls_ok_srv = false;

# define TLS_VERIFY_CLIENT() tls_set_verify(srv_ctx, srv_ssl, \
                                bitset(SRV_VRFY_CLT, features))
#endif /* STARTTLS */

#if _FFR_DM_ONE
static bool     NotFirstDelivery = false;
#endif /* _FFR_DM_ONE */

/* server features */
#define SRV_NONE        0x0000  /* none... */
#define SRV_OFFER_TLS   0x0001  /* offer STARTTLS */
#define SRV_VRFY_CLT    0x0002  /* request a cert */
#define SRV_OFFER_AUTH  0x0004  /* offer AUTH */
#define SRV_OFFER_ETRN  0x0008  /* offer ETRN */
#define SRV_OFFER_VRFY  0x0010  /* offer VRFY (not yet used) */
#define SRV_OFFER_EXPN  0x0020  /* offer EXPN */
#define SRV_OFFER_VERB  0x0040  /* offer VERB */
#define SRV_OFFER_DSN   0x0080  /* offer DSN */
#if PIPELINING
# define SRV_OFFER_PIPE 0x0100  /* offer PIPELINING */
# if _FFR_NO_PIPE
#  define SRV_NO_PIPE   0x0200  /* disable PIPELINING, sleep if used */
# endif /* _FFR_NO_PIPE */
#endif /* PIPELINING */
#define SRV_REQ_AUTH    0x0400  /* require AUTH */
#define SRV_REQ_SEC     0x0800  /* require security - equiv to AuthOptions=p */
#define SRV_TMP_FAIL    0x1000  /* ruleset caused a temporary failure */

static unsigned int     srvfeatures __P((ENVELOPE *, char *, unsigned int));

#define STOP_ATTACK     ((time_t) -1)
static time_t   checksmtpattack __P((volatile unsigned int *, unsigned int,
                                     bool, char *, ENVELOPE *));
static void     printvrfyaddr __P((ADDRESS *, bool, bool));
static char     *skipword __P((char *volatile, char *));
static void     setup_smtpd_io __P((void));

#if SASL
# if SASL >= 20000
static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
                                char *_remoteip, char *_localip,
                                char *_auth_id, sasl_ssf_t *_ext_ssf));

# define RESET_SASLCONN \
        do                                                      \
        {                                                       \
                result = reset_saslconn(&conn, AuthRealm, remoteip, \
                                        localip, auth_id, &ext_ssf); \
                if (result != SASL_OK)                          \
                        sasl_ok = false;                        \
        } while (0)

# else /* SASL >= 20000 */
static int reset_saslconn __P((sasl_conn_t **_conn, char *_hostname,
                                struct sockaddr_in *_saddr_r,
                                struct sockaddr_in *_saddr_l,
                                sasl_external_properties_t *_ext_ssf));
# define RESET_SASLCONN \
        do                                                      \
        {                                                       \
                result = reset_saslconn(&conn, AuthRealm, &saddr_r, \
                                        &saddr_l, &ext_ssf);    \
                if (result != SASL_OK)                          \
                        sasl_ok = false;                        \
        } while (0)

# endif /* SASL >= 20000 */
#endif /* SASL */

extern ENVELOPE BlankEnvelope;

#define NBADRCPTS                                               \
        do                                                      \
        {                                                       \
                char buf[16];                                   \
                (void) sm_snprintf(buf, sizeof(buf), "%d",      \
                        BadRcptThrottle > 0 && n_badrcpts > BadRcptThrottle \
                                ? n_badrcpts - 1 : n_badrcpts); \
                macdefine(&e->e_macro, A_TEMP, macid("{nbadrcpts}"), buf); \
        } while (0)

#define SKIP_SPACE(s)   while (isascii(*s) && isspace(*s))      \
                                (s)++

/*
**  PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT)
**
**      Parameters:
**              e -- the envelope
**              addr_st -- address (RCPT only)
**              p -- read buffer
**              delimptr -- current position in read buffer
**              which -- MAIL/RCPT
**              args -- arguments (output)
**              esmtp_args -- function to process a single ESMTP argument
**
**      Returns:
**              none
*/

void
parse_esmtp_args(e, addr_st, p, delimptr, which, args, esmtp_args)
        ENVELOPE *e;
        ADDRESS *addr_st;
        char *p;
        char *delimptr;
        char *which;
        char *args[];
        esmtp_args_F esmtp_args;
{
        int argno;

        argno = 0;
        if (args != NULL)
                args[argno++] = p;
        p = delimptr;
        while (p != NULL && *p != '\0')
        {
                char *kp;
                char *vp = NULL;
                char *equal = NULL;

                /* locate the beginning of the keyword */
                SKIP_SPACE(p);
                if (*p == '\0')
                        break;
                kp = p;

                /* skip to the value portion */
                while ((isascii(*p) && isalnum(*p)) || *p == '-')
                        p++;
                if (*p == '=')
                {
                        equal = p;
                        *p++ = '\0';
                        vp = p;

                        /* skip to the end of the value */
                        while (*p != '\0' && *p != ' ' &&
                               !(isascii(*p) && iscntrl(*p)) &&
                               *p != '=')
                                p++;
                }

                if (*p != '\0')
                        *p++ = '\0';

                if (tTd(19, 1))
                        sm_dprintf("%s: got arg %s=\"%s\"\n", which, kp,
                                vp == NULL ? "<null>" : vp);

                esmtp_args(addr_st, kp, vp, e);
                if (equal != NULL)
                        *equal = '=';
                if (args != NULL)
                        args[argno] = kp;
                argno++;
                if (argno >= MAXSMTPARGS - 1)
                        usrerr("501 5.5.4 Too many parameters");
                if (Errors > 0)
                        break;
        }
        if (args != NULL)
                args[argno] = NULL;
}

/*
**  SMTP -- run the SMTP protocol.
**
**      Parameters:
**              nullserver -- if non-NULL, rejection message for
**                      (almost) all SMTP commands.
**              d_flags -- daemon flags
**              e -- the envelope.
**
**      Returns:
**              never.
**
**      Side Effects:
**              Reads commands from the input channel and processes them.
*/

/*
**  Notice: The smtp server doesn't have a session context like the client
**      side has (mci). Therefore some data (session oriented) is allocated
**      or assigned to the "wrong" structure (esp. STARTTLS, AUTH).
**      This should be fixed in a successor version.
*/

struct cmd
{
        char    *cmd_name;      /* command name */
        int     cmd_code;       /* internal code, see below */
};

/* values for cmd_code */
#define CMDERROR        0       /* bad command */
#define CMDMAIL 1       /* mail -- designate sender */
#define CMDRCPT 2       /* rcpt -- designate recipient */
#define CMDDATA 3       /* data -- send message text */
#define CMDRSET 4       /* rset -- reset state */
#define CMDVRFY 5       /* vrfy -- verify address */
#define CMDEXPN 6       /* expn -- expand address */
#define CMDNOOP 7       /* noop -- do nothing */
#define CMDQUIT 8       /* quit -- close connection and die */
#define CMDHELO 9       /* helo -- be polite */
#define CMDHELP 10      /* help -- give usage info */
#define CMDEHLO 11      /* ehlo -- extended helo (RFC 1425) */
#define CMDETRN 12      /* etrn -- flush queue */
#if SASL
# define CMDAUTH        13      /* auth -- SASL authenticate */
#endif /* SASL */
#if STARTTLS
# define CMDSTLS        14      /* STARTTLS -- start TLS session */
#endif /* STARTTLS */
/* non-standard commands */
#define CMDVERB 17      /* verb -- go into verbose mode */
/* unimplemented commands from RFC 821 */
#define CMDUNIMPL       19      /* unimplemented rfc821 commands */
/* use this to catch and log "door handle" attempts on your system */
#define CMDLOGBOGUS     23      /* bogus command that should be logged */
/* debugging-only commands, only enabled if SMTPDEBUG is defined */
#define CMDDBGQSHOW     24      /* showq -- show send queue */
#define CMDDBGDEBUG     25      /* debug -- set debug mode */

/*
**  Note: If you change this list, remember to update 'helpfile'
*/

static struct cmd       CmdTab[] =
{
        { "mail",       CMDMAIL         },
        { "rcpt",       CMDRCPT         },
        { "data",       CMDDATA         },
        { "rset",       CMDRSET         },
        { "vrfy",       CMDVRFY         },
        { "expn",       CMDEXPN         },
        { "help",       CMDHELP         },
        { "noop",       CMDNOOP         },
        { "quit",       CMDQUIT         },
        { "helo",       CMDHELO         },
        { "ehlo",       CMDEHLO         },
        { "etrn",       CMDETRN         },
        { "verb",       CMDVERB         },
        { "send",       CMDUNIMPL       },
        { "saml",       CMDUNIMPL       },
        { "soml",       CMDUNIMPL       },
        { "turn",       CMDUNIMPL       },
#if SASL
        { "auth",       CMDAUTH,        },
#endif /* SASL */
#if STARTTLS
        { "starttls",   CMDSTLS,        },
#endif /* STARTTLS */
    /* remaining commands are here only to trap and log attempts to use them */
        { "showq",      CMDDBGQSHOW     },
        { "debug",      CMDDBGDEBUG     },
        { "wiz",        CMDLOGBOGUS     },

        { NULL,         CMDERROR        }
};

static char     *CurSmtpClient;         /* who's at the other end of channel */

#ifndef MAXBADCOMMANDS
# define MAXBADCOMMANDS 25      /* maximum number of bad commands */
#endif /* ! MAXBADCOMMANDS */
#ifndef MAXHELOCOMMANDS
# define MAXHELOCOMMANDS 3      /* max HELO/EHLO commands before slowdown */
#endif /* ! MAXHELOCOMMANDS */
#ifndef MAXVRFYCOMMANDS
# define MAXVRFYCOMMANDS 6      /* max VRFY/EXPN commands before slowdown */
#endif /* ! MAXVRFYCOMMANDS */
#ifndef MAXETRNCOMMANDS
# define MAXETRNCOMMANDS 8      /* max ETRN commands before slowdown */
#endif /* ! MAXETRNCOMMANDS */
#ifndef MAXTIMEOUT
# define MAXTIMEOUT (4 * 60)    /* max timeout for bad commands */
#endif /* ! MAXTIMEOUT */

/*
**  Maximum shift value to compute timeout for bad commands.
**  This introduces an upper limit of 2^MAXSHIFT for the timeout.
*/

#ifndef MAXSHIFT
# define MAXSHIFT 8
#endif /* ! MAXSHIFT */
#if MAXSHIFT > 31
 ERROR _MAXSHIFT > 31 is invalid
#endif /* MAXSHIFT */


#if MAXBADCOMMANDS > 0
# define STOP_IF_ATTACK(r)      do              \
        {                                       \
                if ((r) == STOP_ATTACK)         \
                        goto stopattack;        \
        } while (0)

#else /* MAXBADCOMMANDS > 0 */
# define STOP_IF_ATTACK(r)      r
#endif /* MAXBADCOMMANDS > 0 */


#if SM_HEAP_CHECK
static SM_DEBUG_T DebugLeakSmtp = SM_DEBUG_INITIALIZER("leak_smtp",
        "@(#)$Debug: leak_smtp - trace memory leaks during SMTP processing $");
#endif /* SM_HEAP_CHECK */

typedef struct
{
        bool            sm_gotmail;     /* mail command received */
        unsigned int    sm_nrcpts;      /* number of successful RCPT commands */
        bool            sm_discard;
#if MILTER
        bool            sm_milterize;
        bool            sm_milterlist;  /* any filters in the list? */
        milters_T       sm_milters;

        /* e_nrcpts from envelope before recipient() call */
        unsigned int    sm_e_nrcpts_orig;
#endif /* MILTER */
        char            *sm_quarmsg;    /* carry quarantining across messages */
} SMTP_T;

static bool     smtp_data __P((SMTP_T *, ENVELOPE *));

#define MSG_TEMPFAIL "451 4.3.2 Please try again later"

#if MILTER
# define MILTER_ABORT(e)        milter_abort((e))

# define MILTER_REPLY(str)                                              \
        {                                                               \
                int savelogusrerrs = LogUsrErrs;                        \
                                                                        \
                milter_cmd_fail = true;                                 \
                switch (state)                                          \
                {                                                       \
                  case SMFIR_SHUTDOWN:                                  \
                        if (MilterLogLevel > 3)                         \
                        {                                               \
                                sm_syslog(LOG_INFO, e->e_id,            \
                                          "Milter: %s=%s, reject=421, errormode=4",     \
                                          str, addr);                   \
                                LogUsrErrs = false;                     \
                        }                                               \
                        {                                               \
                                bool tsave = QuickAbort;                \
                                                                        \
                                QuickAbort = false;                     \
                                usrerr("421 4.3.0 closing connection"); \
                                QuickAbort = tsave;                     \
                                e->e_sendqueue = NULL;                  \
                                goto doquit;                            \
                        }                                               \
                        break;                                          \
                  case SMFIR_REPLYCODE:                                 \
                        if (MilterLogLevel > 3)                         \
                        {                                               \
                                sm_syslog(LOG_INFO, e->e_id,            \
                                          "Milter: %s=%s, reject=%s",   \
                                          str, addr, response);         \
                                LogUsrErrs = false;                     \
                        }                                               \
                        if (strncmp(response, "421 ", 4) == 0           \
                            || strncmp(response, "421-", 4) == 0)       \
                        {                                               \
                                bool tsave = QuickAbort;                \
                                                                        \
                                QuickAbort = false;                     \
                                usrerr(response);                       \
                                QuickAbort = tsave;                     \
                                e->e_sendqueue = NULL;                  \
                                goto doquit;                            \
                        }                                               \
                        else                                            \
                                usrerr(response);                       \
                        break;                                          \
                                                                        \
                  case SMFIR_REJECT:                                    \
                        if (MilterLogLevel > 3)                         \
                        {                                               \
                                sm_syslog(LOG_INFO, e->e_id,            \
                                          "Milter: %s=%s, reject=550 5.7.1 Command rejected", \
                                          str, addr);                   \
                                LogUsrErrs = false;                     \
                        }                                               \
                        usrerr("550 5.7.1 Command rejected");           \
                        break;                                          \
                                                                        \
                  case SMFIR_DISCARD:                                   \
                        if (MilterLogLevel > 3)                         \
                                sm_syslog(LOG_INFO, e->e_id,            \
                                          "Milter: %s=%s, discard",     \
                                          str, addr);                   \
                        e->e_flags |= EF_DISCARD;                       \
                        milter_cmd_fail = false;                        \
                        break;                                          \
                                                                        \
                  case SMFIR_TEMPFAIL:                                  \
                        if (MilterLogLevel > 3)                         \
                        {                                               \
                                sm_syslog(LOG_INFO, e->e_id,            \
                                          "Milter: %s=%s, reject=%s",   \
                                          str, addr, MSG_TEMPFAIL);     \
                                LogUsrErrs = false;                     \
                        }                                               \
                        usrerr(MSG_TEMPFAIL);                           \
                        break;                                          \
                  default:                                              \
                        milter_cmd_fail = false;                        \
                        break;                                          \
                }                                                       \
                LogUsrErrs = savelogusrerrs;                            \
                if (response != NULL)                                   \
                        sm_free(response); /* XXX */                    \
        }

#else /* MILTER */
# define MILTER_ABORT(e)
#endif /* MILTER */

/* clear all SMTP state (for HELO/EHLO/RSET) */
#define CLEAR_STATE(cmd)                                        \
do                                                              \
{                                                               \
        /* abort milter filters */                              \
        MILTER_ABORT(e);                                        \
                                                                \
        if (smtp.sm_nrcpts > 0)                                 \
        {                                                       \
                logundelrcpts(e, cmd, 10, false);               \
                smtp.sm_nrcpts = 0;                             \
                macdefine(&e->e_macro, A_PERM,                  \
                          macid("{nrcpts}"), "0");              \
        }                                                       \
                                                                \
        e->e_sendqueue = NULL;                                  \
        e->e_flags |= EF_CLRQUEUE;                              \
                                                                \
        if (tTd(92, 2))                                         \
                sm_dprintf("CLEAR_STATE: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",\
                        e->e_id, bitset(EF_LOGSENDER, e->e_flags), LogLevel);\
        if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))   \
                logsender(e, NULL);                             \
        e->e_flags &= ~EF_LOGSENDER;                            \
                                                                \
        /* clean up a bit */                                    \
        smtp.sm_gotmail = false;                                \
        SuprErrs = true;                                        \
        (void) dropenvelope(e, true, false);                    \
        sm_rpool_free(e->e_rpool);                              \
        e = newenvelope(e, CurEnv, sm_rpool_new_x(NULL));       \
        CurEnv = e;                                             \
        e->e_features = features;                               \
                                                                \
        /* put back discard bit */                              \
        if (smtp.sm_discard)                                    \
                e->e_flags |= EF_DISCARD;                       \
                                                                \
        /* restore connection quarantining */                   \
        if (smtp.sm_quarmsg == NULL)                            \
        {                                                       \
                e->e_quarmsg = NULL;                            \
                macdefine(&e->e_macro, A_PERM,                  \
                        macid("{quarantine}"), "");             \
        }                                                       \
        else                                                    \
        {                                                       \
                e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool,    \
                                                smtp.sm_quarmsg);       \
                macdefine(&e->e_macro, A_PERM, macid("{quarantine}"),   \
                          e->e_quarmsg);                        \
        }                                                       \
} while (0)

/* sleep to flatten out connection load */
#define MIN_DELAY_LOG   15      /* wait before logging this again */

/* is it worth setting the process title for 1s? */
#define DELAY_CONN(cmd)                                         \
        if (DelayLA > 0 && (CurrentLA = getla()) >= DelayLA)    \
        {                                                       \
                time_t dnow;                                    \
                                                                \
                sm_setproctitle(true, e,                        \
                                "%s: %s: delaying %s: load average: %d", \
                                qid_printname(e), CurSmtpClient,        \
                                cmd, DelayLA);  \
                if (LogLevel > 8 && (dnow = curtime()) > log_delay)     \
                {                                               \
                        sm_syslog(LOG_INFO, e->e_id,            \
                                  "delaying=%s, load average=%d >= %d", \
                                  cmd, CurrentLA, DelayLA);             \
                        log_delay = dnow + MIN_DELAY_LOG;       \
                }                                               \
                (void) sleep(1);                                \
                sm_setproctitle(true, e, "%s %s: %.80s",        \
                                qid_printname(e), CurSmtpClient, inp);  \
        }

static bool SevenBitInput_Saved;        /* saved version of SevenBitInput */

void
smtp(nullserver, d_flags, e)
        char *volatile nullserver;
        BITMAP256 d_flags;
        register ENVELOPE *volatile e;
{
        register char *volatile p;
        register struct cmd *volatile c = NULL;
        char *cmd;
        auto ADDRESS *vrfyqueue;
        ADDRESS *a;
        volatile bool gothello;         /* helo command received */
        bool vrfy;                      /* set if this is a vrfy command */
        char *volatile protocol;        /* sending protocol */
        char *volatile sendinghost;     /* sending hostname */
        char *volatile peerhostname;    /* name of SMTP peer or "localhost" */
        auto char *delimptr;
        char *id;
        volatile unsigned int n_badcmds = 0;    /* count of bad commands */
        volatile unsigned int n_badrcpts = 0;   /* number of rejected RCPT */
        volatile unsigned int n_verifies = 0;   /* count of VRFY/EXPN */
        volatile unsigned int n_etrn = 0;       /* count of ETRN */
        volatile unsigned int n_noop = 0;       /* count of NOOP/VERB/etc */
        volatile unsigned int n_helo = 0;       /* count of HELO/EHLO */
        bool ok;
        volatile bool first;
        volatile bool tempfail = false;
        volatile time_t wt;             /* timeout after too many commands */
        volatile time_t previous;       /* time after checksmtpattack() */
        volatile bool lognullconnection = true;
        register char *q;
        SMTP_T smtp;
        char *addr;
        char *greetcode = "220";
        char *hostname;                 /* my hostname ($j) */
        QUEUE_CHAR *new;
        char *args[MAXSMTPARGS];
        char inp[MAXINPLINE];
#if MAXINPLINE < MAXLINE
 ERROR _MAXINPLINE must NOT be less than _MAXLINE: MAXINPLINE < MAXLINE
#endif /* MAXINPLINE < MAXLINE */
        char cmdbuf[MAXLINE];
#if SASL
        sasl_conn_t *conn;
        volatile bool sasl_ok;
        volatile unsigned int n_auth = 0;       /* count of AUTH commands */
        bool ismore;
        int result;
        volatile int authenticating;
        char *user;
        char *in, *out2;
# if SASL >= 20000
        char *auth_id = NULL;
        const char *out;
        sasl_ssf_t ext_ssf;
        char localip[60], remoteip[60];
# else /* SASL >= 20000 */
        char *out;
        const char *errstr;
        sasl_external_properties_t ext_ssf;
        struct sockaddr_in saddr_l;
        struct sockaddr_in saddr_r;
# endif /* SASL >= 20000 */
        sasl_security_properties_t ssp;
        sasl_ssf_t *ssf;
        unsigned int inlen, out2len;
        unsigned int outlen;
        char *volatile auth_type;
        char *mechlist;
        volatile unsigned int n_mechs;
        unsigned int len;
#else /* SASL */
#endif /* SASL */
        int r;
#if STARTTLS
        int rfd, wfd;
        volatile bool tls_active = false;
        volatile bool smtps = bitnset(D_SMTPS, d_flags);
        bool saveQuickAbort;
        bool saveSuprErrs;
        time_t tlsstart;
#endif /* STARTTLS */
        volatile unsigned int features;
#if PIPELINING
# if _FFR_NO_PIPE
        int np_log = 0;
# endif /* _FFR_NO_PIPE */
#endif /* PIPELINING */
        volatile time_t log_delay = (time_t) 0;
#if MILTER
        volatile bool milter_cmd_done, milter_cmd_safe;
        volatile bool milter_rcpt_added, milter_cmd_fail;
        ADDRESS addr_st;
# define p_addr_st      &addr_st
#else /* MILTER */
# define p_addr_st      NULL
#endif /* MILTER */
        size_t inplen;
#if _FFR_BADRCPT_SHUTDOWN
        int n_badrcpts_adj;
#endif /* _FFR_BADRCPT_SHUTDOWN */

        SevenBitInput_Saved = SevenBitInput;
        smtp.sm_nrcpts = 0;
#if MILTER
        smtp.sm_milterize = (nullserver == NULL);
        smtp.sm_milterlist = false;
        addr = NULL;
#endif /* MILTER */

        /* setup I/O fd correctly for the SMTP server */
        setup_smtpd_io();

#if SM_HEAP_CHECK
        if (sm_debug_active(&DebugLeakSmtp, 1))
        {
                sm_heap_newgroup();
                sm_dprintf("smtp() heap group #%d\n", sm_heap_group());
        }
#endif /* SM_HEAP_CHECK */

        /* XXX the rpool should be set when e is initialized in main() */
        e->e_rpool = sm_rpool_new_x(NULL);
        e->e_macro.mac_rpool = e->e_rpool;

        settime(e);
        sm_getla();
        peerhostname = RealHostName;
        if (peerhostname == NULL)
                peerhostname = "localhost";
        CurHostName = peerhostname;
        CurSmtpClient = macvalue('_', e);
        if (CurSmtpClient == NULL)
                CurSmtpClient = CurHostName;

        /* check_relay may have set discard bit, save for later */
        smtp.sm_discard = bitset(EF_DISCARD, e->e_flags);

#if PIPELINING
        /* auto-flush output when reading input */
        (void) sm_io_autoflush(InChannel, OutChannel);
#endif /* PIPELINING */

        sm_setproctitle(true, e, "server %s startup", CurSmtpClient);

        /* Set default features for server. */
        features = ((bitset(PRIV_NOETRN, PrivacyFlags) ||
                     bitnset(D_NOETRN, d_flags)) ? SRV_NONE : SRV_OFFER_ETRN)
                | (bitnset(D_AUTHREQ, d_flags) ? SRV_REQ_AUTH : SRV_NONE)
                | (bitset(PRIV_NOEXPN, PrivacyFlags) ? SRV_NONE
                        : (SRV_OFFER_EXPN
                          | (bitset(PRIV_NOVERB, PrivacyFlags)
                             ? SRV_NONE : SRV_OFFER_VERB)))
                | ((bitset(PRIV_NORECEIPTS, PrivacyFlags) || !SendMIMEErrors)
                         ? SRV_NONE : SRV_OFFER_DSN)
#if SASL
                | (bitnset(D_NOAUTH, d_flags) ? SRV_NONE : SRV_OFFER_AUTH)
                | (bitset(SASL_SEC_NOPLAINTEXT, SASLOpts) ? SRV_REQ_SEC
                                                          : SRV_NONE)
#endif /* SASL */
#if PIPELINING
                | SRV_OFFER_PIPE
#endif /* PIPELINING */
#if STARTTLS
                | (bitnset(D_NOTLS, d_flags) ? SRV_NONE : SRV_OFFER_TLS)
                | (bitset(TLS_I_NO_VRFY, TLS_Srv_Opts) ? SRV_NONE
                                                       : SRV_VRFY_CLT)
#endif /* STARTTLS */
                ;
        if (nullserver == NULL)
        {
                features = srvfeatures(e, CurSmtpClient, features);
                if (bitset(SRV_TMP_FAIL, features))
                {
                        if (LogLevel > 4)
                                sm_syslog(LOG_ERR, NOQID,
                                          "ERROR: srv_features=tempfail, relay=%.100s, access temporarily disabled",
                                          CurSmtpClient);
                        nullserver = "450 4.3.0 Please try again later.";
                }
                else
                {
#if PIPELINING
# if _FFR_NO_PIPE
                        if (bitset(SRV_NO_PIPE, features))
                        {
                                /* for consistency */
                                features &= ~SRV_OFFER_PIPE;
                        }
# endif /* _FFR_NO_PIPE */
#endif /* PIPELINING */
#if SASL
                        if (bitset(SRV_REQ_SEC, features))
                                SASLOpts |= SASL_SEC_NOPLAINTEXT;
                        else
                                SASLOpts &= ~SASL_SEC_NOPLAINTEXT;
#endif /* SASL */
                }
        }
        else if (strncmp(nullserver, "421 ", 4) == 0)
        {
                message(nullserver);
                goto doquit;
        }

        e->e_features = features;
        hostname = macvalue('j', e);
#if SASL
        if (AuthRealm == NULL)
                AuthRealm = hostname;
        sasl_ok = bitset(SRV_OFFER_AUTH, features);
        n_mechs = 0;
        authenticating = SASL_NOT_AUTH;

        /* SASL server new connection */
        if (sasl_ok)
        {
# if SASL >= 20000
                result = sasl_server_new("smtp", AuthRealm, NULL, NULL, NULL,
                                         NULL, 0, &conn);
# elif SASL > 10505
                /* use empty realm: only works in SASL > 1.5.5 */
                result = sasl_server_new("smtp", AuthRealm, "", NULL, 0, &conn);
# else /* SASL >= 20000 */
                /* use no realm -> realm is set to hostname by SASL lib */
                result = sasl_server_new("smtp", AuthRealm, NULL, NULL, 0,
                                         &conn);
# endif /* SASL >= 20000 */
                sasl_ok = result == SASL_OK;
                if (!sasl_ok)
                {
                        if (LogLevel > 9)
                                sm_syslog(LOG_WARNING, NOQID,
                                          "AUTH error: sasl_server_new failed=%d",
                                          result);
                }
        }
        if (sasl_ok)
        {
                /*
                **  SASL set properties for sasl
                **  set local/remote IP
                **  XXX Cyrus SASL v1 only supports IPv4
                **
                **  XXX where exactly are these used/required?
                **  Kerberos_v4
                */

# if SASL >= 20000
                localip[0] = remoteip[0] = '\0';
#  if NETINET || NETINET6
                in = macvalue(macid("{daemon_family}"), e);
                if (in != NULL && (
#   if NETINET6
                    strcmp(in, "inet6") == 0 ||
#   endif /* NETINET6 */
                    strcmp(in, "inet") == 0))
                {
                        SOCKADDR_LEN_T addrsize;
                        SOCKADDR saddr_l;
                        SOCKADDR saddr_r;

                        addrsize = sizeof(saddr_r);
                        if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
                                                      NULL),
                                        (struct sockaddr *) &saddr_r,
                                        &addrsize) == 0)
                        {
                                if (iptostring(&saddr_r, addrsize,
                                               remoteip, sizeof(remoteip)))
                                {
                                        sasl_setprop(conn, SASL_IPREMOTEPORT,
                                                     remoteip);
                                }
                                addrsize = sizeof(saddr_l);
                                if (getsockname(sm_io_getinfo(InChannel,
                                                              SM_IO_WHAT_FD,
                                                              NULL),
                                                (struct sockaddr *) &saddr_l,
                                                &addrsize) == 0)
                                {
                                        if (iptostring(&saddr_l, addrsize,
                                                       localip,
                                                       sizeof(localip)))
                                        {
                                                sasl_setprop(conn,
                                                             SASL_IPLOCALPORT,
                                                             localip);
                                        }
                                }
                        }
                }
#  endif /* NETINET || NETINET6 */
# else /* SASL >= 20000 */
#  if NETINET
                in = macvalue(macid("{daemon_family}"), e);
                if (in != NULL && strcmp(in, "inet") == 0)
                {
                        SOCKADDR_LEN_T addrsize;

                        addrsize = sizeof(struct sockaddr_in);
                        if (getpeername(sm_io_getinfo(InChannel, SM_IO_WHAT_FD,
                                                      NULL),
                                        (struct sockaddr *)&saddr_r,
                                        &addrsize) == 0)
                        {
                                sasl_setprop(conn, SASL_IP_REMOTE, &saddr_r);
                                addrsize = sizeof(struct sockaddr_in);
                                if (getsockname(sm_io_getinfo(InChannel,
                                                              SM_IO_WHAT_FD,
                                                              NULL),
                                                (struct sockaddr *)&saddr_l,
                                                &addrsize) == 0)
                                        sasl_setprop(conn, SASL_IP_LOCAL,
                                                     &saddr_l);
                        }
                }
#  endif /* NETINET */
# endif /* SASL >= 20000 */

                auth_type = NULL;
                mechlist = NULL;
                user = NULL;
# if 0
                macdefine(&BlankEnvelope.e_macro, A_PERM,
                        macid("{auth_author}"), NULL);
# endif /* 0 */

                /* set properties */
                (void) memset(&ssp, '\0', sizeof(ssp));

                /* XXX should these be options settable via .cf ? */
                /* ssp.min_ssf = 0; is default due to memset() */
                {
                        ssp.max_ssf = MaxSLBits;
                        ssp.maxbufsize = MAXOUTLEN;
                }
                ssp.security_flags = SASLOpts & SASL_SEC_MASK;
                sasl_ok = sasl_setprop(conn, SASL_SEC_PROPS, &ssp) == SASL_OK;

                if (sasl_ok)
                {
                        /*
                        **  external security strength factor;
                        **      currently we have none so zero
                        */

# if SASL >= 20000
                        ext_ssf = 0;
                        auth_id = NULL;
                        sasl_ok = ((sasl_setprop(conn, SASL_SSF_EXTERNAL,
                                                 &ext_ssf) == SASL_OK) &&
                                   (sasl_setprop(conn, SASL_AUTH_EXTERNAL,
                                                 auth_id) == SASL_OK));
# else /* SASL >= 20000 */
                        ext_ssf.ssf = 0;
                        ext_ssf.auth_id = NULL;
                        sasl_ok = sasl_setprop(conn, SASL_SSF_EXTERNAL,
                                               &ext_ssf) == SASL_OK;
# endif /* SASL >= 20000 */
                }
                if (sasl_ok)
                        n_mechs = saslmechs(conn, &mechlist);
        }
#endif /* SASL */

#if STARTTLS
# if USE_OPENSSL_ENGINE
        if (tls_ok_srv && bitset(SRV_OFFER_TLS, features) &&
            !SSL_set_engine(NULL))
        {
                sm_syslog(LOG_ERR, NOQID,
                          "STARTTLS=server, SSL_set_engine=failed");
                tls_ok_srv = false;
        }
# endif /* USE_OPENSSL_ENGINE */


        set_tls_rd_tmo(TimeOuts.to_nextcommand);
#endif /* STARTTLS */

#if MILTER
        if (smtp.sm_milterize)
        {
                char state;

                /* initialize mail filter connection */
                smtp.sm_milterlist = milter_init(e, &state, &smtp.sm_milters);
                switch (state)
                {
                  case SMFIR_REJECT:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: initialization failed, rejecting commands");
                        greetcode = "554";
                        nullserver = "Command rejected";
                        smtp.sm_milterize = false;
                        break;

                  case SMFIR_TEMPFAIL:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: initialization failed, temp failing commands");
                        tempfail = true;
                        smtp.sm_milterize = false;
                        break;

                  case SMFIR_SHUTDOWN:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: initialization failed, closing connection");
                        tempfail = true;
                        smtp.sm_milterize = false;
                        message("421 4.7.0 %s closing connection",
                                        MyHostName);

                        /* arrange to ignore send list */
                        e->e_sendqueue = NULL;
                        lognullconnection = false;
                        goto doquit;
                }
        }

        if (smtp.sm_milterlist && smtp.sm_milterize &&
            !bitset(EF_DISCARD, e->e_flags))
        {
                char state;
                char *response;

                q = macvalue(macid("{client_name}"), e);
                SM_ASSERT(q != NULL || OpMode == MD_SMTP);
                if (q == NULL)
                        q = "localhost";
                response = milter_connect(q, RealHostAddr, e, &state);
                switch (state)
                {
                  case SMFIR_REPLYCODE: /* REPLYCODE shouldn't happen */
                  case SMFIR_REJECT:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: connect: host=%s, addr=%s, rejecting commands",
                                          peerhostname,
                                          anynet_ntoa(&RealHostAddr));
                        greetcode = "554";
                        nullserver = "Command rejected";
                        smtp.sm_milterize = false;
                        break;

                  case SMFIR_TEMPFAIL:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: connect: host=%s, addr=%s, temp failing commands",
                                          peerhostname,
                                          anynet_ntoa(&RealHostAddr));
                        tempfail = true;
                        smtp.sm_milterize = false;
                        break;

                  case SMFIR_SHUTDOWN:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: connect: host=%s, addr=%s, shutdown",
                                          peerhostname,
                                          anynet_ntoa(&RealHostAddr));
                        tempfail = true;
                        smtp.sm_milterize = false;
                        message("421 4.7.0 %s closing connection",
                                        MyHostName);

                        /* arrange to ignore send list */
                        e->e_sendqueue = NULL;
                        goto doquit;
                }
                if (response != NULL)
                        sm_free(response); /* XXX */
        }
#endif /* MILTER */

        /*
        **  Broken proxies and SMTP slammers
        **  push data without waiting, catch them
        */

        if (
#if STARTTLS
            !smtps &&
#endif /* STARTTLS */
            *greetcode == '2' && nullserver == NULL)
        {
                time_t msecs = 0;
                char **pvp;
                char pvpbuf[PSBUFSIZE];

                /* Ask the rulesets how long to pause */
                pvp = NULL;
                r = rscap("greet_pause", peerhostname,
                          anynet_ntoa(&RealHostAddr), e,
                          &pvp, pvpbuf, sizeof(pvpbuf));
                if (r == EX_OK && pvp != NULL && pvp[0] != NULL &&
                    (pvp[0][0] & 0377) == CANONNET && pvp[1] != NULL)
                {
                        msecs = strtol(pvp[1], NULL, 10);
                }

                if (msecs > 0)
                {
                        int fd;
                        fd_set readfds;
                        struct timeval timeout;
                        struct timeval bp, ep, tp; /* {begin,end,total}pause */
                        int eoftest;

                        /* pause for a moment */
                        timeout.tv_sec = msecs / 1000;
                        timeout.tv_usec = (msecs % 1000) * 1000;

                        /* Obey RFC 2821: 4.3.5.2: 220 timeout of 5 minutes */
                        if (timeout.tv_sec >= 300)
                        {
                                timeout.tv_sec = 300;
                                timeout.tv_usec = 0;
                        }

                        /* check if data is on the socket during the pause */
                        fd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
                        FD_ZERO(&readfds);
                        SM_FD_SET(fd, &readfds);
                        gettimeofday(&bp, NULL);
                        if (select(fd + 1, FDSET_CAST &readfds,
                            NULL, NULL, &timeout) > 0 &&
                            FD_ISSET(fd, &readfds) &&
                            (eoftest = sm_io_getc(InChannel, SM_TIME_DEFAULT))
                            != SM_IO_EOF)
                        {
                                sm_io_ungetc(InChannel, SM_TIME_DEFAULT,
                                             eoftest);
                                gettimeofday(&ep, NULL);
                                timersub(&ep, &bp, &tp);
                                greetcode = "554";
                                nullserver = "Command rejected";
                                sm_syslog(LOG_INFO, e->e_id,
                                          "rejecting commands from %s [%s] due to pre-greeting traffic after %d seconds",
                                          peerhostname,
                                          anynet_ntoa(&RealHostAddr),
                                          (int) tp.tv_sec +
                                                (tp.tv_usec >= 500000 ? 1 : 0)
                                         );
                        }
                }
        }

#if STARTTLS
        /* If this an smtps connection, start TLS now */
        if (smtps)
        {
                Errors = 0;
                goto starttls;
        }

  greeting:

#endif /* STARTTLS */

        /* output the first line, inserting "ESMTP" as second word */
        if (*greetcode == '5')
                (void) sm_snprintf(inp, sizeof(inp),
                                "%s not accepting messages", hostname);
        else
                expand(SmtpGreeting, inp, sizeof(inp), e);

        p = strchr(inp, '\n');
        if (p != NULL)
                *p++ = '\0';
        id = strchr(inp, ' ');
        if (id == NULL)
                id = &inp[strlen(inp)];
        if (p == NULL)
                (void) sm_snprintf(cmdbuf, sizeof(cmdbuf),
                         "%s %%.*s ESMTP%%s", greetcode);
        else
                (void) sm_snprintf(cmdbuf, sizeof(cmdbuf),
                         "%s-%%.*s ESMTP%%s", greetcode);
        message(cmdbuf, (int) (id - inp), inp, id);

        /* output remaining lines */
        while ((id = p) != NULL && (p = strchr(id, '\n')) != NULL)
        {
                *p++ = '\0';
                if (isascii(*id) && isspace(*id))
                        id++;
                (void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, "-%s");
                message(cmdbuf, id);
        }
        if (id != NULL)
        {
                if (isascii(*id) && isspace(*id))
                        id++;
                (void) sm_strlcpyn(cmdbuf, sizeof(cmdbuf), 2, greetcode, " %s");
                message(cmdbuf, id);
        }

        protocol = NULL;
        sendinghost = macvalue('s', e);

        /* If quarantining by a connect/ehlo action, save between messages */
        if (e->e_quarmsg == NULL)
                smtp.sm_quarmsg = NULL;
        else
                smtp.sm_quarmsg = newstr(e->e_quarmsg);

        /* sendinghost's storage must outlive the current envelope */
        if (sendinghost != NULL)
                sendinghost = sm_strdup_x(sendinghost);
        first = true;
        gothello = false;
        smtp.sm_gotmail = false;
        for (;;)
        {
            SM_TRY
            {
                QuickAbort = false;
                HoldErrs = false;
                SuprErrs = false;
                LogUsrErrs = false;
                OnlyOneError = true;
                e->e_flags &= ~(EF_VRFYONLY|EF_GLOBALERRS);
#if MILTER
                milter_cmd_fail = false;
#endif /* MILTER */

                /* setup for the read */
                e->e_to = NULL;
                Errors = 0;
                FileName = NULL;
                (void) sm_io_flush(smioout, SM_TIME_DEFAULT);

                /* read the input line */
                SmtpPhase = "server cmd read";
                sm_setproctitle(true, e, "server %s cmd read", CurSmtpClient);

                /* handle errors */
                if (sm_io_error(OutChannel) ||
                    (p = sfgets(inp, sizeof(inp), InChannel,
                                TimeOuts.to_nextcommand, SmtpPhase)) == NULL)
                {
                        char *d;

                        d = macvalue(macid("{daemon_name}"), e);
                        if (d == NULL)
                                d = "stdin";
                        /* end of file, just die */
                        disconnect(1, e);

#if MILTER
                        /* close out milter filters */
                        milter_quit(e);
#endif /* MILTER */

                        message("421 4.4.1 %s Lost input channel from %s",
                                MyHostName, CurSmtpClient);
                        if (LogLevel > (smtp.sm_gotmail ? 1 : 19))
                                sm_syslog(LOG_NOTICE, e->e_id,
                                          "lost input channel from %s to %s after %s",
                                          CurSmtpClient, d,
                                          (c == NULL || c->cmd_name == NULL) ? "startup" : c->cmd_name);
                        /*
                        **  If have not accepted mail (DATA), do not bounce
                        **  bad addresses back to sender.
                        */

                        if (bitset(EF_CLRQUEUE, e->e_flags))
                                e->e_sendqueue = NULL;
                        goto doquit;
                }

                /* also used by "proxy" check below */
                inplen = strlen(inp);
#if SASL
                /*
                **  SMTP AUTH requires accepting any length,
                **  at least for challenge/response. However, not imposing
                **  a limit is a bad idea (denial of service).
                */

                if (authenticating != SASL_PROC_AUTH
                    && sm_strncasecmp(inp, "AUTH ", 5) != 0
                    && inplen > MAXLINE)
                {
                        message("421 4.7.0 %s Command too long, possible attack %s",
                                MyHostName, CurSmtpClient);
                        sm_syslog(LOG_INFO, e->e_id,
                                  "%s: SMTP violation, input too long: %lu",
                                  CurSmtpClient, (unsigned long) inplen);
                        goto doquit;
                }
#endif /* SASL */

                if (first)
                {
                        size_t cmdlen;
                        int idx;
                        char *http_cmd;
                        static char *http_cmds[] = { "GET", "POST",
                                                     "CONNECT", "USER", NULL };

                        for (idx = 0; (http_cmd = http_cmds[idx]) != NULL;
                             idx++)
                        {
                                cmdlen = strlen(http_cmd);
                                if (cmdlen < inplen &&
                                    sm_strncasecmp(inp, http_cmd, cmdlen) == 0 &&
                                    isascii(inp[cmdlen]) && isspace(inp[cmdlen]))
                                {
                                        /* Open proxy, drop it */
                                        message("421 4.7.0 %s Rejecting open proxy %s",
                                                MyHostName, CurSmtpClient);
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "%s: probable open proxy: command=%.40s",
                                                  CurSmtpClient, inp);
                                        goto doquit;
                                }
                        }
                        first = false;
                }

                /* clean up end of line */
                fixcrlf(inp, true);

#if PIPELINING
# if _FFR_NO_PIPE
                /*
                **  if there is more input and pipelining is disabled:
                **      delay ... (and maybe discard the input?)
                **  XXX this doesn't really work, at least in tests using
                **  telnet SM_IO_IS_READABLE only returns 1 if there were
                **  more than 2 input lines available.
                */

                if (bitset(SRV_NO_PIPE, features) &&
                    sm_io_getinfo(InChannel, SM_IO_IS_READABLE, NULL) > 0)
                {
                        if (++np_log < 3)
                                sm_syslog(LOG_INFO, NOQID,
                                          "unauthorized PIPELINING, sleeping, relay=%.100s",
                                           CurSmtpClient);
                        sleep(1);
                }

# endif /* _FFR_NO_PIPE */
#endif /* PIPELINING */

#if SASL
                if (authenticating == SASL_PROC_AUTH)
                {
# if 0
                        if (*inp == '\0')
                        {
                                authenticating = SASL_NOT_AUTH;
                                message("501 5.5.2 missing input");
                                RESET_SASLCONN;
                                continue;
                        }
# endif /* 0 */
                        if (*inp == '*' && *(inp + 1) == '\0')
                        {
                                authenticating = SASL_NOT_AUTH;

                                /* RFC 2554 4. */
                                message("501 5.0.0 AUTH aborted");
                                RESET_SASLCONN;
                                continue;
                        }

                        /* could this be shorter? XXX */
# if SASL >= 20000
                        in = xalloc(strlen(inp) + 1);
                        result = sasl_decode64(inp, strlen(inp), in,
                                               strlen(inp), &inlen);
# else /* SASL >= 20000 */
                        out = xalloc(strlen(inp));
                        result = sasl_decode64(inp, strlen(inp), out, &outlen);
# endif /* SASL >= 20000 */
                        if (result != SASL_OK)
                        {
                                authenticating = SASL_NOT_AUTH;

                                /* RFC 2554 4. */
                                message("501 5.5.4 cannot decode AUTH parameter %s",
                                        inp);
# if SASL >= 20000
                                sm_free(in);
# endif /* SASL >= 20000 */
                                RESET_SASLCONN;
                                continue;
                        }

# if SASL >= 20000
                        result = sasl_server_step(conn, in, inlen,
                                                  &out, &outlen);
                        sm_free(in);
# else /* SASL >= 20000 */
                        result = sasl_server_step(conn, out, outlen,
                                                  &out, &outlen, &errstr);
# endif /* SASL >= 20000 */

                        /* get an OK if we're done */
                        if (result == SASL_OK)
                        {
  authenticated:
                                message("235 2.0.0 OK Authenticated");
                                authenticating = SASL_IS_AUTH;
                                macdefine(&BlankEnvelope.e_macro, A_TEMP,
                                        macid("{auth_type}"), auth_type);

# if SASL >= 20000
                                user = macvalue(macid("{auth_authen}"), e);

                                /* get security strength (features) */
                                result = sasl_getprop(conn, SASL_SSF,
                                                      (const void **) &ssf);
# else /* SASL >= 20000 */
                                result = sasl_getprop(conn, SASL_USERNAME,
                                                      (void **)&user);
                                if (result != SASL_OK)
                                {
                                        user = "";
                                        macdefine(&BlankEnvelope.e_macro,
                                                  A_PERM,
                                                  macid("{auth_authen}"), NULL);
                                }
                                else
                                {
                                        macdefine(&BlankEnvelope.e_macro,
                                                  A_TEMP,
                                                  macid("{auth_authen}"),
                                                  xtextify(user, "<>\")"));
                                }

# if 0
                                /* get realm? */
                                sasl_getprop(conn, SASL_REALM, (void **) &data);
# endif /* 0 */

                                /* get security strength (features) */
                                result = sasl_getprop(conn, SASL_SSF,
                                                      (void **) &ssf);
# endif /* SASL >= 20000 */
                                if (result != SASL_OK)
                                {
                                        macdefine(&BlankEnvelope.e_macro,
                                                  A_PERM,
                                                  macid("{auth_ssf}"), "0");
                                        ssf = NULL;
                                }
                                else
                                {
                                        char pbuf[8];

                                        (void) sm_snprintf(pbuf, sizeof(pbuf),
                                                           "%u", *ssf);
                                        macdefine(&BlankEnvelope.e_macro,
                                                  A_TEMP,
                                                  macid("{auth_ssf}"), pbuf);
                                        if (tTd(95, 8))
                                                sm_dprintf("AUTH auth_ssf: %u\n",
                                                           *ssf);
                                }

                                /*
                                **  Only switch to encrypted connection
                                **  if a security layer has been negotiated
                                */

                                if (ssf != NULL && *ssf > 0)
                                {
                                        int tmo;

                                        /*
                                        **  Convert I/O layer to use SASL.
                                        **  If the call fails, the connection
                                        **  is aborted.
                                        */

                                        tmo = TimeOuts.to_datablock * 1000;
                                        if (sfdcsasl(&InChannel, &OutChannel,
                                                     conn, tmo) == 0)
                                        {
                                                /* restart dialogue */
                                                n_helo = 0;
# if PIPELINING
                                                (void) sm_io_autoflush(InChannel,
                                                                       OutChannel);
# endif /* PIPELINING */
                                        }
                                        else
                                                syserr("503 5.3.3 SASL TLS failed");
                                }

                                /* NULL pointer ok since it's our function */
                                if (LogLevel > 8)
                                        sm_syslog(LOG_INFO, NOQID,
                                                  "AUTH=server, relay=%s, authid=%.128s, mech=%.16s, bits=%d",
                                                  CurSmtpClient,
                                                  shortenstring(user, 128),
                                                  auth_type, *ssf);
                        }
                        else if (result == SASL_CONTINUE)
                        {
                                len = ENC64LEN(outlen);
                                out2 = xalloc(len);
                                result = sasl_encode64(out, outlen, out2, len,
                                                       &out2len);
                                if (result != SASL_OK)
                                {
                                        /* correct code? XXX */
                                        /* 454 Temp. authentication failure */
                                        message("454 4.5.4 Internal error: unable to encode64");
                                        if (LogLevel > 5)
                                                sm_syslog(LOG_WARNING, e->e_id,
                                                          "AUTH encode64 error [%d for \"%s\"], relay=%.100s",
                                                          result, out,
                                                          CurSmtpClient);
                                        /* start over? */
                                        authenticating = SASL_NOT_AUTH;
                                }
                                else
                                {
                                        message("334 %s", out2);
                                        if (tTd(95, 2))
                                                sm_dprintf("AUTH continue: msg='%s' len=%u\n",
                                                           out2, out2len);
                                }
# if SASL >= 20000
                                sm_free(out2);
# endif /* SASL >= 20000 */
                        }
                        else
                        {
                                /* not SASL_OK or SASL_CONT */
                                message("535 5.7.0 authentication failed");
                                if (LogLevel > 9)
                                        sm_syslog(LOG_WARNING, e->e_id,
                                                  "AUTH failure (%s): %s (%d) %s, relay=%.100s",
                                                  auth_type,
                                                  sasl_errstring(result, NULL,
                                                                 NULL),
                                                  result,
# if SASL >= 20000
                                                  sasl_errdetail(conn),
# else /* SASL >= 20000 */
                                                  errstr == NULL ? "" : errstr,
# endif /* SASL >= 20000 */
                                                  CurSmtpClient);
                                RESET_SASLCONN;
                                authenticating = SASL_NOT_AUTH;
                        }
                }
                else
                {
                        /* don't want to do any of this if authenticating */
#endif /* SASL */

                /* echo command to transcript */
                if (e->e_xfp != NULL)
                        (void) sm_io_fprintf(e->e_xfp, SM_TIME_DEFAULT,
                                             "<<< %s\n", inp);

                if (LogLevel > 14)
                        sm_syslog(LOG_INFO, e->e_id, "<-- %s", inp);

                /* break off command */
                for (p = inp; isascii(*p) && isspace(*p); p++)
                        continue;
                cmd = cmdbuf;
                while (*p != '\0' &&
                       !(isascii(*p) && isspace(*p)) &&
                       cmd < &cmdbuf[sizeof(cmdbuf) - 2])
                        *cmd++ = *p++;
                *cmd = '\0';

                /* throw away leading whitespace */
                SKIP_SPACE(p);

                /* decode command */
                for (c = CmdTab; c->cmd_name != NULL; c++)
                {
                        if (sm_strcasecmp(c->cmd_name, cmdbuf) == 0)
                                break;
                }

                /* reset errors */
                errno = 0;

                /* check whether a "non-null" command has been used */
                switch (c->cmd_code)
                {
#if SASL
                  case CMDAUTH:
                        /* avoid information leak; take first two words? */
                        q = "AUTH";
                        break;
#endif /* SASL */

                  case CMDMAIL:
                  case CMDEXPN:
                  case CMDVRFY:
                  case CMDETRN:
                        lognullconnection = false;
                        /* FALLTHROUGH */
                  default:
                        q = inp;
                        break;
                }

                if (e->e_id == NULL)
                        sm_setproctitle(true, e, "%s: %.80s",
                                        CurSmtpClient, q);
                else
                        sm_setproctitle(true, e, "%s %s: %.80s",
                                        qid_printname(e),
                                        CurSmtpClient, q);

                /*
                **  Process command.
                **
                **      If we are running as a null server, return 550
                **      to almost everything.
                */

                if (nullserver != NULL || bitnset(D_ETRNONLY, d_flags))
                {
                        switch (c->cmd_code)
                        {
                          case CMDQUIT:
                          case CMDHELO:
                          case CMDEHLO:
                          case CMDNOOP:
                          case CMDRSET:
                          case CMDERROR:
                                /* process normally */
                                break;

                          case CMDETRN:
                                if (bitnset(D_ETRNONLY, d_flags) &&
                                    nullserver == NULL)
                                        break;
                                DELAY_CONN("ETRN");
                                /* FALLTHROUGH */

                          default:
#if MAXBADCOMMANDS > 0
                                /* theoretically this could overflow */
                                if (nullserver != NULL &&
                                    ++n_badcmds > MAXBADCOMMANDS)
                                {
                                        message("421 4.7.0 %s Too many bad commands; closing connection",
                                                MyHostName);

                                        /* arrange to ignore send list */
                                        e->e_sendqueue = NULL;
                                        goto doquit;
                                }
#endif /* MAXBADCOMMANDS > 0 */
                                if (nullserver != NULL)
                                {
                                        if (ISSMTPREPLY(nullserver))
                                                usrerr(nullserver);
                                        else
                                                usrerr("550 5.0.0 %s",
                                                       nullserver);
                                }
                                else
                                        usrerr("452 4.4.5 Insufficient disk space; try again later");
                                continue;
                        }
                }

                switch (c->cmd_code)
                {
#if SASL
                  case CMDAUTH: /* sasl */
                        DELAY_CONN("AUTH");
                        if (!sasl_ok || n_mechs <= 0)
                        {
                                message("503 5.3.3 AUTH not available");
                                break;
                        }
                        if (authenticating == SASL_IS_AUTH)
                        {
                                message("503 5.5.0 Already Authenticated");
                                break;
                        }
                        if (smtp.sm_gotmail)
                        {
                                message("503 5.5.0 AUTH not permitted during a mail transaction");
                                break;
                        }
                        if (tempfail)
                        {
                                if (LogLevel > 9)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "SMTP AUTH command (%.100s) from %s tempfailed (due to previous checks)",
                                                  p, CurSmtpClient);
                                usrerr("454 4.3.0 Please try again later");
                                break;
                        }

                        ismore = false;

                        /* crude way to avoid crack attempts */
                        STOP_IF_ATTACK(checksmtpattack(&n_auth, n_mechs + 1,
                                                        true, "AUTH", e));

                        /* make sure mechanism (p) is a valid string */
                        for (q = p; *q != '\0' && isascii(*q); q++)
                        {
                                if (isspace(*q))
                                {
                                        *q = '\0';
                                        while (*++q != '\0' &&
                                               isascii(*q) && isspace(*q))
                                                continue;
                                        *(q - 1) = '\0';
                                        ismore = (*q != '\0');
                                        break;
                                }
                        }

                        if (*p == '\0')
                        {
                                message("501 5.5.2 AUTH mechanism must be specified");
                                break;
                        }

                        /* check whether mechanism is available */
                        if (iteminlist(p, mechlist, " ") == NULL)
                        {
                                message("504 5.3.3 AUTH mechanism %.32s not available",
                                        p);
                                break;
                        }

                        /*
                        **  RFC 2554 4.
                        **  Unlike a zero-length client answer to a
                        **  334 reply, a zero- length initial response
                        **  is sent as a single equals sign ("=").
                        */

                        if (ismore && *q == '=' && *(q + 1) == '\0')
                        {
                                /* will be free()d, don't use in=""; */
                                in = xalloc(1);
                                *in = '\0';
                                inlen = 0;
                        }
                        else if (ismore)
                        {
                                /* could this be shorter? XXX */
# if SASL >= 20000
                                in = xalloc(strlen(q) + 1);
                                result = sasl_decode64(q, strlen(q), in,
                                                       strlen(q), &inlen);
# else /* SASL >= 20000 */
                                in = sm_rpool_malloc(e->e_rpool, strlen(q));
                                result = sasl_decode64(q, strlen(q), in,
                                                       &inlen);
# endif /* SASL >= 20000 */
                                if (result != SASL_OK)
                                {
                                        message("501 5.5.4 cannot BASE64 decode '%s'",
                                                q);
                                        if (LogLevel > 5)
                                                sm_syslog(LOG_WARNING, e->e_id,
                                                          "AUTH decode64 error [%d for \"%s\"], relay=%.100s",
                                                          result, q,
                                                          CurSmtpClient);
                                        /* start over? */
                                        authenticating = SASL_NOT_AUTH;
# if SASL >= 20000
                                        sm_free(in);
# endif /* SASL >= 20000 */
                                        in = NULL;
                                        inlen = 0;
                                        break;
                                }
                        }
                        else
                        {
                                in = NULL;
                                inlen = 0;
                        }

                        /* see if that auth type exists */
# if SASL >= 20000
                        result = sasl_server_start(conn, p, in, inlen,
                                                   &out, &outlen);
                        if (in != NULL)
                                sm_free(in);
# else /* SASL >= 20000 */
                        result = sasl_server_start(conn, p, in, inlen,
                                                   &out, &outlen, &errstr);
# endif /* SASL >= 20000 */

                        if (result != SASL_OK && result != SASL_CONTINUE)
                        {
                                message("535 5.7.0 authentication failed");
                                if (LogLevel > 9)
                                        sm_syslog(LOG_ERR, e->e_id,
                                                  "AUTH failure (%s): %s (%d) %s, relay=%.100s",
                                                  p,
                                                  sasl_errstring(result, NULL,
                                                                 NULL),
                                                  result,
# if SASL >= 20000
                                                  sasl_errdetail(conn),
# else /* SASL >= 20000 */
                                                  errstr,
# endif /* SASL >= 20000 */
                                                  CurSmtpClient);
                                RESET_SASLCONN;
                                break;
                        }
                        auth_type = newstr(p);

                        if (result == SASL_OK)
                        {
                                /* ugly, but same code */
                                goto authenticated;
                                /* authenticated by the initial response */
                        }

                        /* len is at least 2 */
                        len = ENC64LEN(outlen);
                        out2 = xalloc(len);
                        result = sasl_encode64(out, outlen, out2, len,
                                               &out2len);

                        if (result != SASL_OK)
                        {
                                message("454 4.5.4 Temporary authentication failure");
                                if (LogLevel > 5)
                                        sm_syslog(LOG_WARNING, e->e_id,
                                                  "AUTH encode64 error [%d for \"%s\"]",
                                                  result, out);

                                /* start over? */
                                authenticating = SASL_NOT_AUTH;
                                RESET_SASLCONN;
                        }
                        else
                        {
                                message("334 %s", out2);
                                authenticating = SASL_PROC_AUTH;
                        }
# if SASL >= 20000
                        sm_free(out2);
# endif /* SASL >= 20000 */
                        break;
#endif /* SASL */

#if STARTTLS
                  case CMDSTLS: /* starttls */
                        DELAY_CONN("STARTTLS");
                        if (*p != '\0')
                        {
                                message("501 5.5.2 Syntax error (no parameters allowed)");
                                break;
                        }
                        if (!bitset(SRV_OFFER_TLS, features))
                        {
                                message("503 5.5.0 TLS not available");
                                break;
                        }
                        if (!tls_ok_srv)
                        {
                                message("454 4.3.3 TLS not available after start");
                                break;
                        }
                        if (smtp.sm_gotmail)
                        {
                                message("503 5.5.0 TLS not permitted during a mail transaction");
                                break;
                        }
                        if (tempfail)
                        {
                                if (LogLevel > 9)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "SMTP STARTTLS command (%.100s) from %s tempfailed (due to previous checks)",
                                                  p, CurSmtpClient);
                                usrerr("454 4.7.0 Please try again later");
                                break;
                        }
  starttls:
# if TLS_NO_RSA
                        /*
                        **  XXX do we need a temp key ?
                        */
# else /* TLS_NO_RSA */
# endif /* TLS_NO_RSA */

# if TLS_VRFY_PER_CTX
                        /*
                        **  Note: this sets the verification globally
                        **  (per SSL_CTX)
                        **  it's ok since it applies only to one transaction
                        */

                        TLS_VERIFY_CLIENT();
# endif /* TLS_VRFY_PER_CTX */

                        if (srv_ssl != NULL)
                                SSL_clear(srv_ssl);
                        else if ((srv_ssl = SSL_new(srv_ctx)) == NULL)
                        {
                                message("454 4.3.3 TLS not available: error generating SSL handle");
                                if (LogLevel > 8)
                                        tlslogerr("server");
                                goto tls_done;
                        }

# if !TLS_VRFY_PER_CTX
                        /*
                        **  this could be used if it were possible to set
                        **  verification per SSL (connection)
                        **  not just per SSL_CTX (global)
                        */

                        TLS_VERIFY_CLIENT();
# endif /* !TLS_VRFY_PER_CTX */

                        rfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
                        wfd = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL);

                        if (rfd < 0 || wfd < 0 ||
                            SSL_set_rfd(srv_ssl, rfd) <= 0 ||
                            SSL_set_wfd(srv_ssl, wfd) <= 0)
                        {
                                message("454 4.3.3 TLS not available: error set fd");
                                SSL_free(srv_ssl);
                                srv_ssl = NULL;
                                goto tls_done;
                        }
                        if (!smtps)
                                message("220 2.0.0 Ready to start TLS");
# if PIPELINING
                        (void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
# endif /* PIPELINING */

                        SSL_set_accept_state(srv_ssl);

#  define SSL_ACC(s)    SSL_accept(s)

                        tlsstart = curtime();
  ssl_retry:
                        if ((r = SSL_ACC(srv_ssl)) <= 0)
                        {
                                int i, ssl_err;

                                ssl_err = SSL_get_error(srv_ssl, r);
                                i = tls_retry(srv_ssl, rfd, wfd, tlsstart,
                                                TimeOuts.to_starttls, ssl_err,
                                                "server");
                                if (i > 0)
                                        goto ssl_retry;

                                if (LogLevel > 5)
                                {
                                        sm_syslog(LOG_WARNING, NOQID,
                                                  "STARTTLS=server, error: accept failed=%d, SSL_error=%d, errno=%d, retry=%d, relay=%.100s",
                                                  r, ssl_err, errno, i,
                                                  CurSmtpClient);
                                        if (LogLevel > 8)
                                                tlslogerr("server");
                                }
                                tls_ok_srv = false;
                                SSL_free(srv_ssl);
                                srv_ssl = NULL;

                                /*
                                **  according to the next draft of
                                **  RFC 2487 the connection should be dropped
                                */

                                /* arrange to ignore any current send list */
                                e->e_sendqueue = NULL;
                                goto doquit;
                        }

                        /* ignore return code for now, it's in {verify} */
                        (void) tls_get_info(srv_ssl, true,
                                            CurSmtpClient,
                                            &BlankEnvelope.e_macro,
                                            bitset(SRV_VRFY_CLT, features));

                        /*
                        **  call Stls_client to find out whether
                        **  to accept the connection from the client
                        */

                        saveQuickAbort = QuickAbort;
                        saveSuprErrs = SuprErrs;
                        SuprErrs = true;
                        QuickAbort = false;
                        if (rscheck("tls_client",
                                     macvalue(macid("{verify}"), e),
                                     "STARTTLS", e,
                                     RSF_RMCOMM|RSF_COUNT,
                                     5, NULL, NOQID, NULL) != EX_OK ||
                            Errors > 0)
                        {
                                extern char MsgBuf[];

                                if (MsgBuf[0] != '\0' && ISSMTPREPLY(MsgBuf))
                                        nullserver = newstr(MsgBuf);
                                else
                                        nullserver = "503 5.7.0 Authentication required.";
                        }
                        QuickAbort = saveQuickAbort;
                        SuprErrs = saveSuprErrs;

                        tls_ok_srv = false;     /* don't offer STARTTLS again */
                        n_helo = 0;
# if SASL
                        if (sasl_ok)
                        {
                                int cipher_bits;
                                bool verified;
                                char *s, *v, *c;

                                s = macvalue(macid("{cipher_bits}"), e);
                                v = macvalue(macid("{verify}"), e);
                                c = macvalue(macid("{cert_subject}"), e);
                                verified = (v != NULL && strcmp(v, "OK") == 0);
                                if (s != NULL && (cipher_bits = atoi(s)) > 0)
                                {
#  if SASL >= 20000
                                        ext_ssf = cipher_bits;
                                        auth_id = verified ? c : NULL;
                                        sasl_ok = ((sasl_setprop(conn,
                                                        SASL_SSF_EXTERNAL,
                                                        &ext_ssf) == SASL_OK) &&
                                                   (sasl_setprop(conn,
                                                        SASL_AUTH_EXTERNAL,
                                                        auth_id) == SASL_OK));
#  else /* SASL >= 20000 */
                                        ext_ssf.ssf = cipher_bits;
                                        ext_ssf.auth_id = verified ? c : NULL;
                                        sasl_ok = sasl_setprop(conn,
                                                        SASL_SSF_EXTERNAL,
                                                        &ext_ssf) == SASL_OK;
#  endif /* SASL >= 20000 */
                                        mechlist = NULL;
                                        if (sasl_ok)
                                                n_mechs = saslmechs(conn,
                                                                    &mechlist);
                                }
                        }
# endif /* SASL */

                        /* switch to secure connection */
                        if (sfdctls(&InChannel, &OutChannel, srv_ssl) == 0)
                        {
                                tls_active = true;
# if PIPELINING
                                (void) sm_io_autoflush(InChannel, OutChannel);
# endif /* PIPELINING */
                        }
                        else
                        {
                                /*
                                **  XXX this is an internal error
                                **  how to deal with it?
                                **  we can't generate an error message
                                **  since the other side switched to an
                                **  encrypted layer, but we could not...
                                **  just "hang up"?
                                */

                                nullserver = "454 4.3.3 TLS not available: can't switch to encrypted layer";
                                syserr("STARTTLS: can't switch to encrypted layer");
                        }
                  tls_done:
                        if (smtps)
                        {
                                if (tls_active)
                                        goto greeting;
                                else
                                        goto doquit;
                        }
                        break;
#endif /* STARTTLS */

                  case CMDHELO:         /* hello -- introduce yourself */
                  case CMDEHLO:         /* extended hello */
                        DELAY_CONN("EHLO");
                        if (c->cmd_code == CMDEHLO)
                        {
                                protocol = "ESMTP";
                                SmtpPhase = "server EHLO";
                        }
                        else
                        {
                                protocol = "SMTP";
                                SmtpPhase = "server HELO";
                        }

                        /* avoid denial-of-service */
                        STOP_IF_ATTACK(checksmtpattack(&n_helo, MAXHELOCOMMANDS,
                                                        true, "HELO/EHLO", e));

#if 0
                        /* RFC2821 4.1.4 allows duplicate HELO/EHLO */
                        /* check for duplicate HELO/EHLO per RFC 1651 4.2 */
                        if (gothello)
                        {
                                usrerr("503 %s Duplicate HELO/EHLO",
                                       MyHostName);
                                break;
                        }
#endif /* 0 */

                        /* check for valid domain name (re 1123 5.2.5) */
                        if (*p == '\0' && !AllowBogusHELO)
                        {
                                usrerr("501 %s requires domain address",
                                        cmdbuf);
                                break;
                        }

                        /* check for long domain name (hides Received: info) */
                        if (strlen(p) > MAXNAME)
                        {
                                usrerr("501 Invalid domain name");
                                if (LogLevel > 9)
                                        sm_syslog(LOG_INFO, CurEnv->e_id,
                                                  "invalid domain name (too long) from %s",
                                                  CurSmtpClient);
                                break;
                        }

                        ok = true;
                        for (q = p; *q != '\0'; q++)
                        {
                                if (!isascii(*q))
                                        break;
                                if (isalnum(*q))
                                        continue;
                                if (isspace(*q))
                                {
                                        *q = '\0';

                                        /* only complain if strict check */
                                        ok = AllowBogusHELO;

                                        /* allow trailing whitespace */
                                        while (!ok && *++q != '\0' &&
                                               isspace(*q))
                                                ;
                                        if (*q == '\0')
                                                ok = true;
                                        break;
                                }
                                if (strchr("[].-_#:", *q) == NULL)
                                        break;
                        }

                        if (*q == '\0' && ok)
                        {
                                q = "pleased to meet you";
                                sendinghost = sm_strdup_x(p);
                        }
                        else if (!AllowBogusHELO)
                        {
                                usrerr("501 Invalid domain name");
                                if (LogLevel > 9)
                                        sm_syslog(LOG_INFO, CurEnv->e_id,
                                                  "invalid domain name (%s) from %.100s",
                                                  p, CurSmtpClient);
                                break;
                        }
                        else
                        {
                                q = "accepting invalid domain name";
                        }

                        if (gothello || smtp.sm_gotmail)
                                CLEAR_STATE(cmdbuf);

#if MILTER
                        if (smtp.sm_milterlist && smtp.sm_milterize &&
                            !bitset(EF_DISCARD, e->e_flags))
                        {
                                char state;
                                char *response;

                                response = milter_helo(p, e, &state);
                                switch (state)
                                {
                                  case SMFIR_REJECT:
                                        if (MilterLogLevel > 3)
                                                sm_syslog(LOG_INFO, e->e_id,
                                                          "Milter: helo=%s, reject=Command rejected",
                                                          p);
                                        nullserver = "Command rejected";
                                        smtp.sm_milterize = false;
                                        break;

                                  case SMFIR_TEMPFAIL:
                                        if (MilterLogLevel > 3)
                                                sm_syslog(LOG_INFO, e->e_id,
                                                          "Milter: helo=%s, reject=%s",
                                                          p, MSG_TEMPFAIL);
                                        tempfail = true;
                                        smtp.sm_milterize = false;
                                        break;

                                  case SMFIR_REPLYCODE:
                                        if (MilterLogLevel > 3)
                                                sm_syslog(LOG_INFO, e->e_id,
                                                          "Milter: helo=%s, reject=%s",
                                                          p, response);
                                        if (strncmp(response, "421 ", 4) != 0
                                            && strncmp(response, "421-", 4) != 0)
                                        {
                                                nullserver = newstr(response);
                                                smtp.sm_milterize = false;
                                                break;
                                        }
                                        /* FALLTHROUGH */

                                  case SMFIR_SHUTDOWN:
                                        if (MilterLogLevel > 3 &&
                                            response == NULL)
                                                sm_syslog(LOG_INFO, e->e_id,
                                                          "Milter: helo=%s, reject=421 4.7.0 %s closing connection",
                                                          p, MyHostName);
                                        tempfail = true;
                                        smtp.sm_milterize = false;
                                        if (response != NULL)
                                                usrerr(response);
                                        else
                                                message("421 4.7.0 %s closing connection",
                                                        MyHostName);
                                        /* arrange to ignore send list */
                                        e->e_sendqueue = NULL;
                                        lognullconnection = false;
                                        goto doquit;
                                }
                                if (response != NULL)
                                        sm_free(response);

                                /*
                                **  If quarantining by a connect/ehlo action,
                                **  save between messages
                                */

                                if (smtp.sm_quarmsg == NULL &&
                                    e->e_quarmsg != NULL)
                                        smtp.sm_quarmsg = newstr(e->e_quarmsg);
                        }
#endif /* MILTER */
                        gothello = true;

                        /* print HELO response message */
                        if (c->cmd_code != CMDEHLO)
                        {
                                message("250 %s Hello %s, %s",
                                        MyHostName, CurSmtpClient, q);
                                break;
                        }

                        message("250-%s Hello %s, %s",
                                MyHostName, CurSmtpClient, q);

                        /* offer ENHSC even for nullserver */
                        if (nullserver != NULL)
                        {
                                message("250 ENHANCEDSTATUSCODES");
                                break;
                        }

                        /*
                        **  print EHLO features list
                        **
                        **  Note: If you change this list,
                        **        remember to update 'helpfile'
                        */

                        message("250-ENHANCEDSTATUSCODES");
#if PIPELINING
                        if (bitset(SRV_OFFER_PIPE, features))
                                message("250-PIPELINING");
#endif /* PIPELINING */
                        if (bitset(SRV_OFFER_EXPN, features))
                        {
                                message("250-EXPN");
                                if (bitset(SRV_OFFER_VERB, features))
                                        message("250-VERB");
                        }
#if MIME8TO7
                        message("250-8BITMIME");
#endif /* MIME8TO7 */
                        if (MaxMessageSize > 0)
                                message("250-SIZE %ld", MaxMessageSize);
                        else
                                message("250-SIZE");
#if DSN
                        if (SendMIMEErrors && bitset(SRV_OFFER_DSN, features))
                                message("250-DSN");
#endif /* DSN */
                        if (bitset(SRV_OFFER_ETRN, features))
                                message("250-ETRN");
#if SASL
                        if (sasl_ok && mechlist != NULL && *mechlist != '\0')
                                message("250-AUTH %s", mechlist);
#endif /* SASL */
#if STARTTLS
                        if (tls_ok_srv &&
                            bitset(SRV_OFFER_TLS, features))
                                message("250-STARTTLS");
#endif /* STARTTLS */
                        if (DeliverByMin > 0)
                                message("250-DELIVERBY %ld",
                                        (long) DeliverByMin);
                        else if (DeliverByMin == 0)
                                message("250-DELIVERBY");

                        /* < 0: no deliver-by */

                        message("250 HELP");
                        break;

                  case CMDMAIL:         /* mail -- designate sender */
                        SmtpPhase = "server MAIL";
                        DELAY_CONN("MAIL");

                        /* check for validity of this command */
                        if (!gothello && bitset(PRIV_NEEDMAILHELO, PrivacyFlags))
                        {
                                usrerr("503 5.0.0 Polite people say HELO first");
                                break;
                        }
                        if (smtp.sm_gotmail)
                        {
                                usrerr("503 5.5.0 Sender already specified");
                                break;
                        }
#if SASL
                        if (bitset(SRV_REQ_AUTH, features) &&
                            authenticating != SASL_IS_AUTH)
                        {
                                usrerr("530 5.7.0 Authentication required");
                                break;
                        }
#endif /* SASL */

                        p = skipword(p, "from");
                        if (p == NULL)
                                break;
                        if (tempfail)
                        {
                                if (LogLevel > 9)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "SMTP MAIL command (%.100s) from %s tempfailed (due to previous checks)",
                                                  p, CurSmtpClient);
                                usrerr(MSG_TEMPFAIL);
                                break;
                        }

                        /* make sure we know who the sending host is */
                        if (sendinghost == NULL)
                                sendinghost = peerhostname;


#if SM_HEAP_CHECK
                        if (sm_debug_active(&DebugLeakSmtp, 1))
                        {
                                sm_heap_newgroup();
                                sm_dprintf("smtp() heap group #%d\n",
                                        sm_heap_group());
                        }
#endif /* SM_HEAP_CHECK */

                        if (Errors > 0)
                                goto undo_no_pm;
                        if (!gothello)
                        {
                                auth_warning(e, "%s didn't use HELO protocol",
                                             CurSmtpClient);
                        }
#ifdef PICKY_HELO_CHECK
                        if (sm_strcasecmp(sendinghost, peerhostname) != 0 &&
                            (sm_strcasecmp(peerhostname, "localhost") != 0 ||
                             sm_strcasecmp(sendinghost, MyHostName) != 0))
                        {
                                auth_warning(e, "Host %s claimed to be %s",
                                             CurSmtpClient, sendinghost);
                        }
#endif /* PICKY_HELO_CHECK */

                        if (protocol == NULL)
                                protocol = "SMTP";
                        macdefine(&e->e_macro, A_PERM, 'r', protocol);
                        macdefine(&e->e_macro, A_PERM, 's', sendinghost);

                        if (Errors > 0)
                                goto undo_no_pm;
                        smtp.sm_nrcpts = 0;
                        n_badrcpts = 0;
                        macdefine(&e->e_macro, A_PERM, macid("{ntries}"), "0");
                        macdefine(&e->e_macro, A_PERM, macid("{nrcpts}"), "0");
                        macdefine(&e->e_macro, A_PERM, macid("{nbadrcpts}"),
                                "0");
                        e->e_flags |= EF_CLRQUEUE;
                        sm_setproctitle(true, e, "%s %s: %.80s",
                                        qid_printname(e),
                                        CurSmtpClient, inp);

                        /* do the processing */
                    SM_TRY
                    {
                        extern char *FullName;

                        QuickAbort = true;
                        SM_FREE_CLR(FullName);

                        /* must parse sender first */
                        delimptr = NULL;
                        setsender(p, e, &delimptr, ' ', false);
                        if (delimptr != NULL && *delimptr != '\0')
                                *delimptr++ = '\0';
                        if (Errors > 0)
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);

                        /* Successfully set e_from, allow logging */
                        e->e_flags |= EF_LOGSENDER;

                        /* put resulting triple from parseaddr() into macros */
                        if (e->e_from.q_mailer != NULL)
                                 macdefine(&e->e_macro, A_PERM,
                                        macid("{mail_mailer}"),
                                        e->e_from.q_mailer->m_name);
                        else
                                 macdefine(&e->e_macro, A_PERM,
                                        macid("{mail_mailer}"), NULL);
                        if (e->e_from.q_host != NULL)
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{mail_host}"),
                                        e->e_from.q_host);
                        else
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{mail_host}"), "localhost");
                        if (e->e_from.q_user != NULL)
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{mail_addr}"),
                                        e->e_from.q_user);
                        else
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{mail_addr}"), NULL);
                        if (Errors > 0)
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);

                        /* check for possible spoofing */
                        if (RealUid != 0 && OpMode == MD_SMTP &&
                            !wordinclass(RealUserName, 't') &&
                            (!bitnset(M_LOCALMAILER,
                                      e->e_from.q_mailer->m_flags) ||
                             strcmp(e->e_from.q_user, RealUserName) != 0))
                        {
                                auth_warning(e, "%s owned process doing -bs",
                                        RealUserName);
                        }

                        /* reset to default value */
                        SevenBitInput = SevenBitInput_Saved;

                        /* now parse ESMTP arguments */
                        e->e_msgsize = 0;
                        addr = p;
                        parse_esmtp_args(e, NULL, p, delimptr, "MAIL", args,
                                        mail_esmtp_args);
                        if (Errors > 0)
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);

#if SASL
# if _FFR_AUTH_PASSING
                        /* set the default AUTH= if the sender didn't */
                        if (e->e_auth_param == NULL)
                        {
                                /* XXX only do this for an MSA? */
                                e->e_auth_param = macvalue(macid("{auth_authen}"),
                                                           e);
                                if (e->e_auth_param == NULL)
                                        e->e_auth_param = "<>";

                                /*
                                **  XXX should we invoke Strust_auth now?
                                **  authorizing as the client that just
                                **  authenticated, so we'll trust implicitly
                                */
                        }
# endif /* _FFR_AUTH_PASSING */
#endif /* SASL */

                        /* do config file checking of the sender */
                        macdefine(&e->e_macro, A_PERM,
                                macid("{addr_type}"), "e s");
#if _FFR_MAIL_MACRO
                        /* make the "real" sender address available */
                        macdefine(&e->e_macro, A_TEMP, macid("{mail_from}"),
                                  e->e_from.q_paddr);
#endif /* _FFR_MAIL_MACRO */
                        if (rscheck("check_mail", addr,
                                    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
                                    NULL, e->e_id, NULL) != EX_OK ||
                            Errors > 0)
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);
                        macdefine(&e->e_macro, A_PERM,
                                  macid("{addr_type}"), NULL);

                        if (MaxMessageSize > 0 &&
                            (e->e_msgsize > MaxMessageSize ||
                             e->e_msgsize < 0))
                        {
                                usrerr("552 5.2.3 Message size exceeds fixed maximum message size (%ld)",
                                        MaxMessageSize);
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);
                        }

                        /*
                        **  XXX always check whether there is at least one fs
                        **  with enough space?
                        **  However, this may not help much: the queue group
                        **  selection may later on select a FS that hasn't
                        **  enough space.
                        */

                        if ((NumFileSys == 1 || NumQueue == 1) &&
                            !enoughdiskspace(e->e_msgsize, e)
#if _FFR_ANY_FREE_FS
                            && !filesys_free(e->e_msgsize)
#endif /* _FFR_ANY_FREE_FS */
                           )
                        {
                                /*
                                **  We perform this test again when the
                                **  queue directory is selected, in collect.
                                */

                                usrerr("452 4.4.5 Insufficient disk space; try again later");
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);
                        }
                        if (Errors > 0)
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);

                        LogUsrErrs = true;
#if MILTER
                        if (smtp.sm_milterlist && smtp.sm_milterize &&
                            !bitset(EF_DISCARD, e->e_flags))
                        {
                                char state;
                                char *response;

                                response = milter_envfrom(args, e, &state);
                                MILTER_REPLY("from");
                        }
#endif /* MILTER */
                        if (Errors > 0)
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);

                        message("250 2.1.0 Sender ok");
                        smtp.sm_gotmail = true;
                    }
                    SM_EXCEPT(exc, "[!F]*")
                    {
                        /*
                        **  An error occurred while processing a MAIL command.
                        **  Jump to the common error handling code.
                        */

                        sm_exc_free(exc);
                        goto undo_no_pm;
                    }
                    SM_END_TRY
                        break;

                  undo_no_pm:
                        e->e_flags &= ~EF_PM_NOTIFY;
                  undo:
                        break;

                  case CMDRCPT:         /* rcpt -- designate recipient */
                        DELAY_CONN("RCPT");
                        macdefine(&e->e_macro, A_PERM,
                                macid("{rcpt_mailer}"), NULL);
                        macdefine(&e->e_macro, A_PERM,
                                macid("{rcpt_host}"), NULL);
                        macdefine(&e->e_macro, A_PERM,
                                macid("{rcpt_addr}"), NULL);
#if MILTER
                        (void) memset(&addr_st, '\0', sizeof(addr_st));
                        a = NULL;
                        milter_rcpt_added = false;
                        smtp.sm_e_nrcpts_orig = e->e_nrcpts;
#endif
#if _FFR_BADRCPT_SHUTDOWN
                        /*
                        **  hack to deal with hack, see below:
                        **  n_badrcpts is increased if limit is reached.
                        */

                        n_badrcpts_adj = (BadRcptThrottle > 0 &&
                                          n_badrcpts > BadRcptThrottle &&
                                          LogLevel > 5)
                                          ? n_badrcpts - 1 : n_badrcpts;
                        if (BadRcptShutdown > 0 &&
                            n_badrcpts_adj >= BadRcptShutdown &&
                            (BadRcptShutdownGood == 0 ||
                             smtp.sm_nrcpts == 0 ||
                             (n_badrcpts_adj * 100 /
                              (smtp.sm_nrcpts + n_badrcpts) >=
                              BadRcptShutdownGood)))
                        {
                                if (LogLevel > 5)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "%s: Possible SMTP RCPT flood, shutting down connection.",
                                                  CurSmtpClient);
                                message("421 4.7.0 %s Too many bad recipients; closing connection",
                                MyHostName);

                                /* arrange to ignore any current send list */
                                e->e_sendqueue = NULL;
                                goto doquit;
                        }
#endif /* _FFR_BADRCPT_SHUTDOWN */
                        if (BadRcptThrottle > 0 &&
                            n_badrcpts >= BadRcptThrottle)
                        {
                                if (LogLevel > 5 &&
                                    n_badrcpts == BadRcptThrottle)
                                {
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "%s: Possible SMTP RCPT flood, throttling.",
                                                  CurSmtpClient);

                                        /* To avoid duplicated message */
                                        n_badrcpts++;
                                }
                                NBADRCPTS;

                                /*
                                **  Don't use exponential backoff for now.
                                **  Some systems will open more connections
                                **  and actually overload the receiver even
                                **  more.
                                */

                                (void) sleep(BadRcptThrottleDelay);
                        }
                        if (!smtp.sm_gotmail)
                        {
                                usrerr("503 5.0.0 Need MAIL before RCPT");
                                break;
                        }
                        SmtpPhase = "server RCPT";
                    SM_TRY
                    {
                        QuickAbort = true;
                        LogUsrErrs = true;

                        /* limit flooding of our machine */
                        if (MaxRcptPerMsg > 0 &&
                            smtp.sm_nrcpts >= MaxRcptPerMsg)
                        {
                                /* sleep(1); / * slow down? */
                                usrerr("452 4.5.3 Too many recipients");
                                goto rcpt_done;
                        }

                        if (e->e_sendmode != SM_DELIVER
#if _FFR_DM_ONE
                            && (NotFirstDelivery || SM_DM_ONE != e->e_sendmode)
#endif /* _FFR_DM_ONE */
                           )
                                e->e_flags |= EF_VRFYONLY;

#if MILTER
                        /*
                        **  Do not expand recipients at RCPT time (in the call
                        **  to recipient()) if a milter can delete or reject
                        **  a RCPT.  If they are expanded, it is impossible
                        **  for removefromlist() to figure out the expanded
                        **  members of the original recipient and mark them
                        **  as QS_DONTSEND.
                        */

                        if (!(smtp.sm_milterlist && smtp.sm_milterize &&
                              !bitset(EF_DISCARD, e->e_flags)) &&
                            (smtp.sm_milters.mis_flags &
                             (MIS_FL_DEL_RCPT|MIS_FL_REJ_RCPT)) != 0)
                                e->e_flags |= EF_VRFYONLY;
                        milter_cmd_done = false;
                        milter_cmd_safe = false;
#endif /* MILTER */

                        p = skipword(p, "to");
                        if (p == NULL)
                                goto rcpt_done;
                        macdefine(&e->e_macro, A_PERM,
                                macid("{addr_type}"), "e r");
                        a = parseaddr(p, NULLADDR, RF_COPYALL, ' ', &delimptr,
                                      e, true);
                        macdefine(&e->e_macro, A_PERM,
                                macid("{addr_type}"), NULL);
                        if (Errors > 0)
                                goto rcpt_done;
                        if (a == NULL)
                        {
                                usrerr("501 5.0.0 Missing recipient");
                                goto rcpt_done;
                        }

                        if (delimptr != NULL && *delimptr != '\0')
                                *delimptr++ = '\0';

                        /* put resulting triple from parseaddr() into macros */
                        if (a->q_mailer != NULL)
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_mailer}"),
                                        a->q_mailer->m_name);
                        else
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_mailer}"), NULL);
                        if (a->q_host != NULL)
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_host}"), a->q_host);
                        else
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_host}"), "localhost");
                        if (a->q_user != NULL)
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_addr}"), a->q_user);
                        else
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_addr}"), NULL);
                        if (Errors > 0)
                                goto rcpt_done;

                        /* now parse ESMTP arguments */
                        addr = p;
                        parse_esmtp_args(e, a, p, delimptr, "RCPT", args,
                                        rcpt_esmtp_args);
                        if (Errors > 0)
                                goto rcpt_done;

#if MILTER
                        /*
                        **  rscheck() can trigger an "exception"
                        **  in which case the execution continues at
                        **  SM_EXCEPT(exc, "[!F]*")
                        **  This means milter_cmd_safe is not set
                        **  and hence milter is not invoked.
                        **  Would it be "safe" to change that, i.e., use
                        **  milter_cmd_safe = true;
                        **  here so a milter is informed (if requested)
                        **  about RCPTs that are rejected by check_rcpt?
                        */
# if _FFR_MILTER_CHECK_REJECTIONS_TOO
                        milter_cmd_safe = true;
# endif
#endif

                        /* do config file checking of the recipient */
                        macdefine(&e->e_macro, A_PERM,
                                macid("{addr_type}"), "e r");
                        if (rscheck("check_rcpt", addr,
                                    NULL, e, RSF_RMCOMM|RSF_COUNT, 3,
                                    NULL, e->e_id, p_addr_st) != EX_OK ||
                            Errors > 0)
                                goto rcpt_done;
                        macdefine(&e->e_macro, A_PERM,
                                macid("{addr_type}"), NULL);

                        /* If discarding, don't bother to verify user */
                        if (bitset(EF_DISCARD, e->e_flags))
                                a->q_state = QS_VERIFIED;
#if MILTER
                        milter_cmd_safe = true;
#endif

                        /* save in recipient list after ESMTP mods */
                        a = recipient(a, &e->e_sendqueue, 0, e);
                        /* may trigger exception... */

#if MILTER
                        milter_rcpt_added = true;
#endif

                        if(!(Errors > 0) && QS_IS_BADADDR(a->q_state))
                        {
                                /* punt -- should keep message in ADDRESS.... */
                                usrerr("550 5.1.1 Addressee unknown");
                        }

#if MILTER
                rcpt_done:
                        if (smtp.sm_milterlist && smtp.sm_milterize &&
                            !bitset(EF_DISCARD, e->e_flags))
                        {
                                char state;
                                char *response;

                                /* how to get the error codes? */
                                if (Errors > 0)
                                {
                                        macdefine(&e->e_macro, A_PERM,
                                                macid("{rcpt_mailer}"),
                                                "error");
                                        if (a != NULL &&
                                            a->q_status != NULL &&
                                            a->q_rstatus != NULL)
                                        {
                                                macdefine(&e->e_macro, A_PERM,
                                                        macid("{rcpt_host}"),
                                                        a->q_status);
                                                macdefine(&e->e_macro, A_PERM,
                                                        macid("{rcpt_addr}"),
                                                        a->q_rstatus);
                                        }
                                        else
                                        {
                                                if (addr_st.q_host != NULL)
                                                        macdefine(&e->e_macro,
                                                                A_PERM,
                                                                macid("{rcpt_host}"),
                                                                addr_st.q_host);
                                                if (addr_st.q_user != NULL)
                                                        macdefine(&e->e_macro,
                                                                A_PERM,
                                                                macid("{rcpt_addr}"),
                                                                addr_st.q_user);
                                        }
                                }

                                response = milter_envrcpt(args, e, &state,
                                                        Errors > 0);
                                milter_cmd_done = true;
                                MILTER_REPLY("to");
                        }
#endif /* MILTER */

                        /* no errors during parsing, but might be a duplicate */
                        e->e_to = a->q_paddr;
                        if (!(Errors > 0) && !QS_IS_BADADDR(a->q_state))
                        {
                                if (smtp.sm_nrcpts == 0)
                                        initsys(e);
                                message("250 2.1.5 Recipient ok%s",
                                        QS_IS_QUEUEUP(a->q_state) ?
                                                " (will queue)" : "");
                                smtp.sm_nrcpts++;
                        }

                        /* Is this needed? */
#if !MILTER
                rcpt_done:
#endif /* !MILTER */
                        macdefine(&e->e_macro, A_PERM,
                                macid("{rcpt_mailer}"), NULL);
                        macdefine(&e->e_macro, A_PERM,
                                macid("{rcpt_host}"), NULL);
                        macdefine(&e->e_macro, A_PERM,
                                macid("{rcpt_addr}"), NULL);
                        macdefine(&e->e_macro, A_PERM,
                                macid("{dsn_notify}"), NULL);

                        if (Errors > 0)
                        {
                                ++n_badrcpts;
                                NBADRCPTS;
                        }
                    }
                    SM_EXCEPT(exc, "[!F]*")
                    {
                        /* An exception occurred while processing RCPT */
                        e->e_flags &= ~(EF_FATALERRS|EF_PM_NOTIFY);
                        ++n_badrcpts;
                        NBADRCPTS;
#if MILTER
                        if (smtp.sm_milterlist && smtp.sm_milterize &&
                            !bitset(EF_DISCARD, e->e_flags) &&
                            !milter_cmd_done && milter_cmd_safe)
                        {
                                char state;
                                char *response;

                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_mailer}"), "error");

                                /* how to get the error codes? */
                                if (addr_st.q_host != NULL)
                                        macdefine(&e->e_macro, A_PERM,
                                                macid("{rcpt_host}"),
                                                addr_st.q_host);
                                else if (a != NULL && a->q_status != NULL)
                                        macdefine(&e->e_macro, A_PERM,
                                                macid("{rcpt_host}"),
                                                a->q_status);

                                if (addr_st.q_user != NULL)
                                        macdefine(&e->e_macro, A_PERM,
                                                macid("{rcpt_addr}"),
                                                addr_st.q_user);
                                else if (a != NULL && a->q_rstatus != NULL)
                                        macdefine(&e->e_macro, A_PERM,
                                                macid("{rcpt_addr}"),
                                                a->q_rstatus);

                                response = milter_envrcpt(args, e, &state,
                                                        true);
                                milter_cmd_done = true;
                                MILTER_REPLY("to");
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_mailer}"), NULL);
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_host}"), NULL);
                                macdefine(&e->e_macro, A_PERM,
                                        macid("{rcpt_addr}"), NULL);
                        }
                        if (smtp.sm_milterlist && smtp.sm_milterize &&
                            milter_rcpt_added && milter_cmd_done &&
                            milter_cmd_fail)
                        {
                                (void) removefromlist(addr, &e->e_sendqueue, e);
                                milter_cmd_fail = false;
                                if (smtp.sm_e_nrcpts_orig < e->e_nrcpts)
                                        e->e_nrcpts = smtp.sm_e_nrcpts_orig;
                        }
#endif /* MILTER */
                    }
                    SM_END_TRY
                        break;

                  case CMDDATA:         /* data -- text of mail */
                        DELAY_CONN("DATA");
                        if (!smtp_data(&smtp, e))
                                goto doquit;
                        break;

                  case CMDRSET:         /* rset -- reset state */
                        if (tTd(94, 100))
                                message("451 4.0.0 Test failure");
                        else
                                message("250 2.0.0 Reset state");
                        CLEAR_STATE(cmdbuf);
                        break;

                  case CMDVRFY:         /* vrfy -- verify address */
                  case CMDEXPN:         /* expn -- expand address */
                        vrfy = c->cmd_code == CMDVRFY;
                        DELAY_CONN(vrfy ? "VRFY" : "EXPN");
                        if (tempfail)
                        {
                                if (LogLevel > 9)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "SMTP %s command (%.100s) from %s tempfailed (due to previous checks)",
                                                  vrfy ? "VRFY" : "EXPN",
                                                  p, CurSmtpClient);

                                /* RFC 821 doesn't allow 4xy reply code */
                                usrerr("550 5.7.1 Please try again later");
                                break;
                        }
                        wt = checksmtpattack(&n_verifies, MAXVRFYCOMMANDS,
                                             false, vrfy ? "VRFY" : "EXPN", e);
                        STOP_IF_ATTACK(wt);
                        previous = curtime();
                        if ((vrfy && bitset(PRIV_NOVRFY, PrivacyFlags)) ||
                            (!vrfy && !bitset(SRV_OFFER_EXPN, features)))
                        {
                                if (vrfy)
                                        message("252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)");
                                else
                                        message("502 5.7.0 Sorry, we do not allow this operation");
                                if (LogLevel > 5)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "%s: %s [rejected]",
                                                  CurSmtpClient,
                                                  shortenstring(inp, MAXSHORTSTR));
                                break;
                        }
                        else if (!gothello &&
                                 bitset(vrfy ? PRIV_NEEDVRFYHELO : PRIV_NEEDEXPNHELO,
                                                PrivacyFlags))
                        {
                                usrerr("503 5.0.0 I demand that you introduce yourself first");
                                break;
                        }
                        if (Errors > 0)
                                break;
                        if (LogLevel > 5)
                                sm_syslog(LOG_INFO, e->e_id, "%s: %s",
                                          CurSmtpClient,
                                          shortenstring(inp, MAXSHORTSTR));
                    SM_TRY
                    {
                        QuickAbort = true;
                        vrfyqueue = NULL;
                        if (vrfy)
                                e->e_flags |= EF_VRFYONLY;
                        while (*p != '\0' && isascii(*p) && isspace(*p))
                                p++;
                        if (*p == '\0')
                        {
                                usrerr("501 5.5.2 Argument required");
                        }
                        else
                        {
                                /* do config file checking of the address */
                                if (rscheck(vrfy ? "check_vrfy" : "check_expn",
                                            p, NULL, e, RSF_RMCOMM,
                                            3, NULL, NOQID, NULL) != EX_OK ||
                                    Errors > 0)
                                        sm_exc_raisenew_x(&EtypeQuickAbort, 1);
                                (void) sendtolist(p, NULLADDR, &vrfyqueue, 0, e);
                        }
                        if (wt > 0)
                        {
                                time_t t;

                                t = wt - (curtime() - previous);
                                if (t > 0)
                                        (void) sleep(t);
                        }
                        if (Errors > 0)
                                sm_exc_raisenew_x(&EtypeQuickAbort, 1);
                        if (vrfyqueue == NULL)
                        {
                                usrerr("554 5.5.2 Nothing to %s", vrfy ? "VRFY" : "EXPN");
                        }
                        while (vrfyqueue != NULL)
                        {
                                if (!QS_IS_UNDELIVERED(vrfyqueue->q_state))
                                {
                                        vrfyqueue = vrfyqueue->q_next;
                                        continue;
                                }

                                /* see if there is more in the vrfy list */
                                a = vrfyqueue;
                                while ((a = a->q_next) != NULL &&
                                       (!QS_IS_UNDELIVERED(a->q_state)))
                                        continue;
                                printvrfyaddr(vrfyqueue, a == NULL, vrfy);
                                vrfyqueue = a;
                        }
                    }
                    SM_EXCEPT(exc, "[!F]*")
                    {
                        /*
                        **  An exception occurred while processing VRFY/EXPN
                        */

                        sm_exc_free(exc);
                        goto undo;
                    }
                    SM_END_TRY
                        break;

                  case CMDETRN:         /* etrn -- force queue flush */
                        DELAY_CONN("ETRN");

                        /* Don't leak queue information via debug flags */
                        if (!bitset(SRV_OFFER_ETRN, features) || UseMSP ||
                            (RealUid != 0 && RealUid != TrustedUid &&
                             OpMode == MD_SMTP))
                        {
                                /* different message for MSA ? */
                                message("502 5.7.0 Sorry, we do not allow this operation");
                                if (LogLevel > 5)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "%s: %s [rejected]",
                                                  CurSmtpClient,
                                                  shortenstring(inp, MAXSHORTSTR));
                                break;
                        }
                        if (tempfail)
                        {
                                if (LogLevel > 9)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                  "SMTP ETRN command (%.100s) from %s tempfailed (due to previous checks)",
                                                  p, CurSmtpClient);
                                usrerr(MSG_TEMPFAIL);
                                break;
                        }

                        if (strlen(p) <= 0)
                        {
                                usrerr("500 5.5.2 Parameter required");
                                break;
                        }

                        /* crude way to avoid denial-of-service attacks */
                        STOP_IF_ATTACK(checksmtpattack(&n_etrn, MAXETRNCOMMANDS,
                                                        true, "ETRN", e));

                        /*
                        **  Do config file checking of the parameter.
                        **  Even though we have srv_features now, we still
                        **  need this ruleset because the former is called
                        **  when the connection has been established, while
                        **  this ruleset is called when the command is
                        **  actually issued and therefore has all information
                        **  available to make a decision.
                        */

                        if (rscheck("check_etrn", p, NULL, e,
                                    RSF_RMCOMM, 3, NULL, NOQID, NULL)
                                                                != EX_OK ||
                            Errors > 0)
                                break;

                        if (LogLevel > 5)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "%s: ETRN %s", CurSmtpClient,
                                          shortenstring(p, MAXSHORTSTR));

                        id = p;
                        if (*id == '#')
                        {
                                int i, qgrp;

                                id++;
                                qgrp = name2qid(id);
                                if (!ISVALIDQGRP(qgrp))
                                {
                                        usrerr("459 4.5.4 Queue %s unknown",
                                               id);
                                        break;
                                }
                                for (i = 0; i < NumQueue && Queue[i] != NULL;
                                     i++)
                                        Queue[i]->qg_nextrun = (time_t) -1;
                                Queue[qgrp]->qg_nextrun = 0;
                                ok = run_work_group(Queue[qgrp]->qg_wgrp,
                                                    RWG_FORK|RWG_FORCE);
                                if (ok && Errors == 0)
                                        message("250 2.0.0 Queuing for queue group %s started", id);
                                break;
                        }

                        if (*id == '@')
                                id++;
                        else
                                *--id = '@';

                        new = (QUEUE_CHAR *) sm_malloc(sizeof(QUEUE_CHAR));
                        if (new == NULL)
                        {
                                syserr("500 5.5.0 ETRN out of memory");
                                break;
                        }
                        new->queue_match = id;
                        new->queue_negate = false;
                        new->queue_next = NULL;
                        QueueLimitRecipient = new;
                        ok = runqueue(true, false, false, true);
                        sm_free(QueueLimitRecipient); /* XXX */
                        QueueLimitRecipient = NULL;
                        if (ok && Errors == 0)
                                message("250 2.0.0 Queuing for node %s started", p);
                        break;

                  case CMDHELP:         /* help -- give user info */
                        DELAY_CONN("HELP");
                        help(p, e);
                        break;

                  case CMDNOOP:         /* noop -- do nothing */
                        DELAY_CONN("NOOP");
                        STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands,
                                                        true, "NOOP", e));
                        message("250 2.0.0 OK");
                        break;

                  case CMDQUIT:         /* quit -- leave mail */
                        message("221 2.0.0 %s closing connection", MyHostName);
#if PIPELINING
                        (void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
#endif /* PIPELINING */

                        if (smtp.sm_nrcpts > 0)
                                logundelrcpts(e, "aborted by sender", 9, false);

                        /* arrange to ignore any current send list */
                        e->e_sendqueue = NULL;

#if STARTTLS
                        /* shutdown TLS connection */
                        if (tls_active)
                        {
                                (void) endtls(srv_ssl, "server");
                                tls_active = false;
                        }
#endif /* STARTTLS */
#if SASL
                        if (authenticating == SASL_IS_AUTH)
                        {
                                sasl_dispose(&conn);
                                authenticating = SASL_NOT_AUTH;
                                /* XXX sasl_done(); this is a child */
                        }
#endif /* SASL */

doquit:
                        /* avoid future 050 messages */
                        disconnect(1, e);

#if MILTER
                        /* close out milter filters */
                        milter_quit(e);
#endif /* MILTER */

                        if (tTd(92, 2))
                                sm_dprintf("QUIT: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",
                                        e->e_id,
                                        bitset(EF_LOGSENDER, e->e_flags),
                                        LogLevel);
                        if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))
                                logsender(e, NULL);
                        e->e_flags &= ~EF_LOGSENDER;

                        if (lognullconnection && LogLevel > 5 &&
                            nullserver == NULL)
                        {
                                char *d;

                                d = macvalue(macid("{daemon_name}"), e);
                                if (d == NULL)
                                        d = "stdin";

                                /*
                                **  even though this id is "bogus", it makes
                                **  it simpler to "grep" related events, e.g.,
                                **  timeouts for the same connection.
                                */

                                sm_syslog(LOG_INFO, e->e_id,
                                          "%s did not issue MAIL/EXPN/VRFY/ETRN during connection to %s",
                                          CurSmtpClient, d);
                        }
                        if (tTd(93, 100))
                        {
                                /* return to handle next connection */
                                return;
                        }
                        finis(true, true, ExitStat);
                        /* NOTREACHED */

                        /* just to avoid bogus warning from some compilers */
                        exit(EX_OSERR);

                  case CMDVERB:         /* set verbose mode */
                        DELAY_CONN("VERB");
                        if (!bitset(SRV_OFFER_EXPN, features) ||
                            !bitset(SRV_OFFER_VERB, features))
                        {
                                /* this would give out the same info */
                                message("502 5.7.0 Verbose unavailable");
                                break;
                        }
                        STOP_IF_ATTACK(checksmtpattack(&n_noop, MaxNOOPCommands,
                                                        true, "VERB", e));
                        Verbose = 1;
                        set_delivery_mode(SM_DELIVER, e);
                        message("250 2.0.0 Verbose mode");
                        break;

#if SMTPDEBUG
                  case CMDDBGQSHOW:     /* show queues */
                        (void) sm_io_fprintf(smioout, SM_TIME_DEFAULT,
                                             "Send Queue=");
                        printaddr(smioout, e->e_sendqueue, true);
                        break;

                  case CMDDBGDEBUG:     /* set debug mode */
                        tTsetup(tTdvect, sizeof(tTdvect), "0-99.1");
                        tTflag(p);
                        message("200 2.0.0 Debug set");
                        break;

#else /* SMTPDEBUG */
                  case CMDDBGQSHOW:     /* show queues */
                  case CMDDBGDEBUG:     /* set debug mode */
#endif /* SMTPDEBUG */
                  case CMDLOGBOGUS:     /* bogus command */
                        DELAY_CONN("Bogus");
                        if (LogLevel > 0)
                                sm_syslog(LOG_CRIT, e->e_id,
                                          "\"%s\" command from %s (%.100s)",
                                          c->cmd_name, CurSmtpClient,
                                          anynet_ntoa(&RealHostAddr));
                        /* FALLTHROUGH */

                  case CMDERROR:        /* unknown command */
#if MAXBADCOMMANDS > 0
                        if (++n_badcmds > MAXBADCOMMANDS)
                        {
  stopattack:
                                message("421 4.7.0 %s Too many bad commands; closing connection",
                                        MyHostName);

                                /* arrange to ignore any current send list */
                                e->e_sendqueue = NULL;
                                goto doquit;
                        }
#endif /* MAXBADCOMMANDS > 0 */

#if MILTER && SMFI_VERSION > 2
                        if (smtp.sm_milterlist && smtp.sm_milterize &&
                            !bitset(EF_DISCARD, e->e_flags))
                        {
                                char state;
                                char *response;

                                if (MilterLogLevel > 9)
                                        sm_syslog(LOG_INFO, e->e_id,
                                                "Sending \"%s\" to Milter", inp);
                                response = milter_unknown(inp, e, &state);
                                MILTER_REPLY("unknown");
                                if (state == SMFIR_REPLYCODE ||
                                    state == SMFIR_REJECT ||
                                    state == SMFIR_TEMPFAIL ||
                                    state == SMFIR_SHUTDOWN)
                                {
                                        /* MILTER_REPLY already gave an error */
                                        break;
                                }
                        }
#endif /* MILTER && SMFI_VERSION > 2 */

                        usrerr("500 5.5.1 Command unrecognized: \"%s\"",
                               shortenstring(inp, MAXSHORTSTR));
                        break;

                  case CMDUNIMPL:
                        DELAY_CONN("Unimpl");
                        usrerr("502 5.5.1 Command not implemented: \"%s\"",
                               shortenstring(inp, MAXSHORTSTR));
                        break;

                  default:
                        DELAY_CONN("default");
                        errno = 0;
                        syserr("500 5.5.0 smtp: unknown code %d", c->cmd_code);
                        break;
                }
#if SASL
                }
#endif /* SASL */
            }
            SM_EXCEPT(exc, "[!F]*")
            {
                /*
                **  The only possible exception is "E:mta.quickabort".
                **  There is nothing to do except fall through and loop.
                */
            }
            SM_END_TRY
        }
}
/*
**  SMTP_DATA -- implement the SMTP DATA command.
**
**      Parameters:
**              smtp -- status of SMTP connection.
**              e -- envelope.
**
**      Returns:
**              true iff SMTP session can continue.
**
**      Side Effects:
**              possibly sends message.
*/

static bool
smtp_data(smtp, e)
        SMTP_T *smtp;
        ENVELOPE *e;
{
#if MILTER
        bool milteraccept;
#endif /* MILTER */
        bool aborting;
        bool doublequeue;
        bool rv = true;
        ADDRESS *a;
        ENVELOPE *ee;
        char *id;
        char *oldid;
        unsigned int features;
        char buf[32];

        SmtpPhase = "server DATA";
        if (!smtp->sm_gotmail)
        {
                usrerr("503 5.0.0 Need MAIL command");
                return true;
        }
        else if (smtp->sm_nrcpts <= 0)
        {
                usrerr("503 5.0.0 Need RCPT (recipient)");
                return true;
        }
        (void) sm_snprintf(buf, sizeof(buf), "%u", smtp->sm_nrcpts);
        if (rscheck("check_data", buf, NULL, e,
                    RSF_RMCOMM|RSF_UNSTRUCTURED|RSF_COUNT, 3, NULL,
                    e->e_id, NULL) != EX_OK)
                return true;

#if MILTER && SMFI_VERSION > 3
        if (smtp->sm_milterlist && smtp->sm_milterize &&
            !bitset(EF_DISCARD, e->e_flags))
        {
                char state;
                char *response;
                int savelogusrerrs = LogUsrErrs;

                response = milter_data_cmd(e, &state);
                switch (state)
                {
                  case SMFIR_REPLYCODE:
                        if (MilterLogLevel > 3)
                        {
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: cmd=data, reject=%s",
                                          response);
                                LogUsrErrs = false;
                        }
#if _FFR_MILTER_ENHSC
                        if (ISSMTPCODE(response))
                                (void) extenhsc(response + 4, ' ', e->e_enhsc);
#endif /* _FFR_MILTER_ENHSC */

                        usrerr(response);
                        if (strncmp(response, "421 ", 4) == 0
                            || strncmp(response, "421-", 4) == 0)
                        {
                                e->e_sendqueue = NULL;
                                return false;
                        }
                        return true;

                  case SMFIR_REJECT:
                        if (MilterLogLevel > 3)
                        {
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: cmd=data, reject=550 5.7.1 Command rejected");
                                LogUsrErrs = false;
                        }
#if _FFR_MILTER_ENHSC
                        (void) sm_strlcpy(e->e_enhsc, "5.7.1",
                                         sizeof(e->e_enhsc));
#endif /* _FFR_MILTER_ENHSC */
                        usrerr("550 5.7.1 Command rejected");
                        return true;

                  case SMFIR_DISCARD:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: cmd=data, discard");
                        e->e_flags |= EF_DISCARD;
                        break;

                  case SMFIR_TEMPFAIL:
                        if (MilterLogLevel > 3)
                        {
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: cmd=data, reject=%s",
                                          MSG_TEMPFAIL);
                                LogUsrErrs = false;
                        }
#if _FFR_MILTER_ENHSC
                        (void) extenhsc(MSG_TEMPFAIL + 4, ' ', e->e_enhsc);
#endif /* _FFR_MILTER_ENHSC */
                        usrerr(MSG_TEMPFAIL);
                        return true;

                  case SMFIR_SHUTDOWN:
                        if (MilterLogLevel > 3)
                        {
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: cmd=data, reject=421 4.7.0 %s closing connection",
                                          MyHostName);
                                LogUsrErrs = false;
                        }
                        usrerr("421 4.7.0 %s closing connection", MyHostName);
                        e->e_sendqueue = NULL;
                        return false;
                }
                LogUsrErrs = savelogusrerrs;
                if (response != NULL)
                        sm_free(response); /* XXX */
        }
#endif /* MILTER && SMFI_VERSION > 3 */

        /* put back discard bit */
        if (smtp->sm_discard)
                e->e_flags |= EF_DISCARD;

        /* check to see if we need to re-expand aliases */
        /* also reset QS_BADADDR on already-diagnosted addrs */
        doublequeue = false;
        for (a = e->e_sendqueue; a != NULL; a = a->q_next)
        {
                if (QS_IS_VERIFIED(a->q_state) &&
                    !bitset(EF_DISCARD, e->e_flags))
                {
                        /* need to re-expand aliases */
                        doublequeue = true;
                }
                if (QS_IS_BADADDR(a->q_state))
                {
                        /* make this "go away" */
                        a->q_state = QS_DONTSEND;
                }
        }

        /* collect the text of the message */
        SmtpPhase = "collect";
        buffer_errors();

        collect(InChannel, true, NULL, e, true);

        /* redefine message size */
        (void) sm_snprintf(buf, sizeof(buf), "%ld", e->e_msgsize);
        macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf);

        /* rscheck() will set Errors or EF_DISCARD if it trips */
        (void) rscheck("check_eom", buf, NULL, e, RSF_UNSTRUCTURED|RSF_COUNT,
                       3, NULL, e->e_id, NULL);

#if MILTER
        milteraccept = true;
        if (smtp->sm_milterlist && smtp->sm_milterize &&
            Errors <= 0 &&
            !bitset(EF_DISCARD, e->e_flags))
        {
                char state;
                char *response;

                response = milter_data(e, &state);
                switch (state)
                {
                  case SMFIR_REPLYCODE:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: data, reject=%s",
                                          response);
                        milteraccept = false;
#if _FFR_MILTER_ENHSC
                        if (ISSMTPCODE(response))
                                (void) extenhsc(response + 4, ' ', e->e_enhsc);
#endif /* _FFR_MILTER_ENHSC */
                        usrerr(response);
                        if (strncmp(response, "421 ", 4) == 0
                            || strncmp(response, "421-", 4) == 0)
                                rv = false;
                        break;

                  case SMFIR_REJECT:
                        milteraccept = false;
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: data, reject=554 5.7.1 Command rejected");
                        usrerr("554 5.7.1 Command rejected");
                        break;

                  case SMFIR_DISCARD:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: data, discard");
                        milteraccept = false;
                        e->e_flags |= EF_DISCARD;
                        break;

                  case SMFIR_TEMPFAIL:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: data, reject=%s",
                                          MSG_TEMPFAIL);
                        milteraccept = false;
#if _FFR_MILTER_ENHSC
                        (void) extenhsc(MSG_TEMPFAIL + 4, ' ', e->e_enhsc);
#endif /* _FFR_MILTER_ENHSC */
                        usrerr(MSG_TEMPFAIL);
                        break;

                  case SMFIR_SHUTDOWN:
                        if (MilterLogLevel > 3)
                                sm_syslog(LOG_INFO, e->e_id,
                                          "Milter: data, reject=421 4.7.0 %s closing connection",
                                          MyHostName);
                        milteraccept = false;
                        usrerr("421 4.7.0 %s closing connection", MyHostName);
                        rv = false;
                        break;
                }
                if (response != NULL)
                        sm_free(response);
        }

        /* Milter may have changed message size */
        (void) sm_snprintf(buf, sizeof(buf), "%ld", e->e_msgsize);
        macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), buf);

        /* abort message filters that didn't get the body & log msg is OK */
        if (smtp->sm_milterlist && smtp->sm_milterize)
        {
                milter_abort(e);
                if (milteraccept && MilterLogLevel > 9)
                        sm_syslog(LOG_INFO, e->e_id, "Milter accept: message");
        }

        /*
        **  If SuperSafe is SAFE_REALLY_POSTMILTER, and we don't have milter or
        **  milter accepted message, sync it now
        **
        **  XXX This is almost a copy of the code in collect(): put it into
        **      a function that is called from both places?
        */

        if (milteraccept && SuperSafe == SAFE_REALLY_POSTMILTER)
        {
                int afd;
                SM_FILE_T *volatile df;
                char *dfname;

                df = e->e_dfp;
                dfname = queuename(e, DATAFL_LETTER);
                if (sm_io_setinfo(df, SM_BF_COMMIT, NULL) < 0
                    && errno != EINVAL)
                {
                        int save_errno;

                        save_errno = errno;
                        if (save_errno == EEXIST)
                        {
                                struct stat st;
                                int dfd;

                                if (stat(dfname, &st) < 0)
                                        st.st_size = -1;
                                errno = EEXIST;
                                syserr("@collect: bfcommit(%s): already on disk, size=%ld",
                                       dfname, (long) st.st_size);
                                dfd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL);
                                if (dfd >= 0)
                                        dumpfd(dfd, true, true);
                        }
                        errno = save_errno;
                        dferror(df, "bfcommit", e);
                        flush_errors(true);
                        finis(save_errno != EEXIST, true, ExitStat);
                }
                else if ((afd = sm_io_getinfo(df, SM_IO_WHAT_FD, NULL)) < 0)
                {
                        dferror(df, "sm_io_getinfo", e);
                        flush_errors(true);
                        finis(true, true, ExitStat);
                        /* NOTREACHED */
                }
                else if (fsync(afd) < 0)
                {
                        dferror(df, "fsync", e);
                        flush_errors(true);
                        finis(true, true, ExitStat);
                        /* NOTREACHED */
                }
                else if (sm_io_close(df, SM_TIME_DEFAULT) < 0)
                {
                        dferror(df, "sm_io_close", e);
                        flush_errors(true);
                        finis(true, true, ExitStat);
                        /* NOTREACHED */
                }

                /* Now reopen the df file */
                e->e_dfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, dfname,
                                        SM_IO_RDONLY, NULL);
                if (e->e_dfp == NULL)
                {
                        /* we haven't acked receipt yet, so just chuck this */
                        syserr("@Cannot reopen %s", dfname);
                        finis(true, true, ExitStat);
                        /* NOTREACHED */
                }
        }
#endif /* MILTER */

        /* Check if quarantining stats should be updated */
        if (e->e_quarmsg != NULL)
                markstats(e, NULL, STATS_QUARANTINE);

        /*
        **  If a header/body check (header checks or milter)
        **  set EF_DISCARD, don't queueup the message --
        **  that would lose the EF_DISCARD bit and deliver
        **  the message.
        */

        if (bitset(EF_DISCARD, e->e_flags))
                doublequeue = false;

        aborting = Errors > 0;
        if (!(aborting || bitset(EF_DISCARD, e->e_flags)) &&
            (QueueMode == QM_QUARANTINE || e->e_quarmsg == NULL) &&
            !split_by_recipient(e))
                aborting = bitset(EF_FATALERRS, e->e_flags);

        if (aborting)
        {
                ADDRESS *q;

                /* Log who the mail would have gone to */
                logundelrcpts(e, e->e_message, 8, false);

                /*
                **  If something above refused the message, we still haven't
                **  accepted responsibility for it.  Don't send DSNs.
                */

                for (q = e->e_sendqueue; q != NULL; q = q->q_next)
                        q->q_flags &= ~Q_PINGFLAGS;

                flush_errors(true);
                buffer_errors();
                goto abortmessage;
        }

        /* from now on, we have to operate silently */
        buffer_errors();

#if 0
        /*
        **  Clear message, it may contain an error from the SMTP dialogue.
        **  This error must not show up in the queue.
        **      Some error message should show up, e.g., alias database
        **      not available, but others shouldn't, e.g., from check_rcpt.
        */

        e->e_message = NULL;
#endif /* 0 */

        /*
        **  Arrange to send to everyone.
        **      If sending to multiple people, mail back
        **              errors rather than reporting directly.
        **      In any case, don't mail back errors for
        **              anything that has happened up to
        **              now (the other end will do this).
        **      Truncate our transcript -- the mail has gotten
        **              to us successfully, and if we have
        **              to mail this back, it will be easier
        **              on the reader.
        **      Then send to everyone.
        **      Finally give a reply code.  If an error has
        **              already been given, don't mail a
        **              message back.
        **      We goose error returns by clearing error bit.
        */

        SmtpPhase = "delivery";
        (void) sm_io_setinfo(e->e_xfp, SM_BF_TRUNCATE, NULL);
        id = e->e_id;

#if NAMED_BIND
        _res.retry = TimeOuts.res_retry[RES_TO_FIRST];
        _res.retrans = TimeOuts.res_retrans[RES_TO_FIRST];
#endif /* NAMED_BIND */

        for (ee = e; ee != NULL; ee = ee->e_sibling)
        {
                /* make sure we actually do delivery */
                ee->e_flags &= ~EF_CLRQUEUE;

                /* from now on, operate silently */
                ee->e_errormode = EM_MAIL;

                if (doublequeue)
                {
                        /* make sure it is in the queue */
                        queueup(ee, false, true);
                }
                else
                {
                        int mode;

                        /* send to all recipients */
                        mode = SM_DEFAULT;
#if _FFR_DM_ONE
                        if (SM_DM_ONE == e->e_sendmode)
                        {
                                if (NotFirstDelivery)
                                {
                                        mode = SM_QUEUE;
                                        e->e_sendmode = SM_QUEUE;
                                }
                                else
                                {
                                        mode = SM_FORK;
                                        NotFirstDelivery = true;
                                }
                        }
#endif /* _FFR_DM_ONE */
                        sendall(ee, mode);
                }
                ee->e_to = NULL;
        }

        /* put back id for SMTP logging in putoutmsg() */
        oldid = CurEnv->e_id;
        CurEnv->e_id = id;

        /* issue success message */
#if _FFR_MSG_ACCEPT
        if (MessageAccept != NULL && *MessageAccept != '\0')
        {
                char msg[MAXLINE];

                expand(MessageAccept, msg, sizeof(msg), e);
                message("250 2.0.0 %s", msg);
        }
        else
#endif /* _FFR_MSG_ACCEPT */
        message("250 2.0.0 %s Message accepted for delivery", id);
        CurEnv->e_id = oldid;

        /* if we just queued, poke it */
        if (doublequeue)
        {
                bool anything_to_send = false;

                sm_getla();
                for (ee = e; ee != NULL; ee = ee->e_sibling)
                {
                        if (WILL_BE_QUEUED(ee->e_sendmode))
                                continue;
                        if (shouldqueue(ee->e_msgpriority, ee->e_ctime))
                        {
                                ee->e_sendmode = SM_QUEUE;
                                continue;
                        }
                        else if (QueueMode != QM_QUARANTINE &&
                                 ee->e_quarmsg != NULL)
                        {
                                ee->e_sendmode = SM_QUEUE;
                                continue;
                        }
                        anything_to_send = true;

                        /* close all the queue files */
                        closexscript(ee);
                        if (ee->e_dfp != NULL)
                        {
                                (void) sm_io_close(ee->e_dfp, SM_TIME_DEFAULT);
                                ee->e_dfp = NULL;
                        }
                        unlockqueue(ee);
                }
                if (anything_to_send)
                {
#if PIPELINING
                        /*
                        **  XXX if we don't do this, we get 250 twice
                        **      because it is also flushed in the child.
                        */

                        (void) sm_io_flush(OutChannel, SM_TIME_DEFAULT);
#endif /* PIPELINING */
                        (void) doworklist(e, true, true);
                }
        }

  abortmessage:
        if (tTd(92, 2))
                sm_dprintf("abortmessage: e_id=%s, EF_LOGSENDER=%d, LogLevel=%d\n",
                        e->e_id, bitset(EF_LOGSENDER, e->e_flags), LogLevel);
        if (LogLevel > 4 && bitset(EF_LOGSENDER, e->e_flags))
                logsender(e, NULL);
        e->e_flags &= ~EF_LOGSENDER;

        /* clean up a bit */
        smtp->sm_gotmail = false;

        /*
        **  Call dropenvelope if and only if the envelope is *not*
        **  being processed by the child process forked by doworklist().
        */

        if (aborting || bitset(EF_DISCARD, e->e_flags))
                (void) dropenvelope(e, true, false);
        else
        {
                for (ee = e; ee != NULL; ee = ee->e_sibling)
                {
                        if (!doublequeue &&
                            QueueMode != QM_QUARANTINE &&
                            ee->e_quarmsg != NULL)
                        {
                                (void) dropenvelope(ee, true, false);
                                continue;
                        }
                        if (WILL_BE_QUEUED(ee->e_sendmode))
                                (void) dropenvelope(ee, true, false);
                }
        }

        CurEnv = e;
        features = e->e_features;
        sm_rpool_free(e->e_rpool);
        newenvelope(e, e, sm_rpool_new_x(NULL));
        e->e_flags = BlankEnvelope.e_flags;
        e->e_features = features;

        /* restore connection quarantining */
        if (smtp->sm_quarmsg == NULL)
        {
                e->e_quarmsg = NULL;
                macdefine(&e->e_macro, A_PERM, macid("{quarantine}"), "");
        }
        else
        {
                e->e_quarmsg = sm_rpool_strdup_x(e->e_rpool, smtp->sm_quarmsg);
                macdefine(&e->e_macro, A_PERM,
                          macid("{quarantine}"), e->e_quarmsg);
        }
        return rv;
}
/*
**  LOGUNDELRCPTS -- log undelivered (or all) recipients.
**
**      Parameters:
**              e -- envelope.
**              msg -- message for Stat=
**              level -- log level.
**              all -- log all recipients.
**
**      Returns:
**              none.
**
**      Side Effects:
**              logs undelivered (or all) recipients
*/

void
logundelrcpts(e, msg, level, all)
        ENVELOPE *e;
        char *msg;
        int level;
        bool all;
{
        ADDRESS *a;

        if (LogLevel <= level || msg == NULL || *msg == '\0')
                return;

        /* Clear $h so relay= doesn't get mislogged by logdelivery() */
        macdefine(&e->e_macro, A_PERM, 'h', NULL);

        /* Log who the mail would have gone to */
        for (a = e->e_sendqueue; a != NULL; a = a->q_next)
        {
                if (!QS_IS_UNDELIVERED(a->q_state) && !all)
                        continue;
                e->e_to = a->q_paddr;
                logdelivery(NULL, NULL,
#if _FFR_MILTER_ENHSC
                            (a->q_status == NULL && e->e_enhsc[0] != '\0')
                            ? e->e_enhsc :
#endif /* _FFR_MILTER_ENHSC */
                            a->q_status,
                            msg, NULL, (time_t) 0, e);
        }
        e->e_to = NULL;
}
/*
**  CHECKSMTPATTACK -- check for denial-of-service attack by repetition
**
**      Parameters:
**              pcounter -- pointer to a counter for this command.
**              maxcount -- maximum value for this counter before we
**                      slow down.
**              waitnow -- sleep now (in this routine)?
**              cname -- command name for logging.
**              e -- the current envelope.
**
**      Returns:
**              time to wait,
**              STOP_ATTACK if twice as many commands as allowed and
**                      MaxChildren > 0.
**
**      Side Effects:
**              Slows down if we seem to be under attack.
*/

static time_t
checksmtpattack(pcounter, maxcount, waitnow, cname, e)
        volatile unsigned int *pcounter;
        unsigned int maxcount;
        bool waitnow;
        char *cname;
        ENVELOPE *e;
{
        if (maxcount <= 0)      /* no limit */
                return (time_t) 0;

        if (++(*pcounter) >= maxcount)
        {
                unsigned int shift;
                time_t s;

                if (*pcounter == maxcount && LogLevel > 5)
                {
                        sm_syslog(LOG_INFO, e->e_id,
                                  "%s: possible SMTP attack: command=%.40s, count=%u",
                                  CurSmtpClient, cname, *pcounter);
                }
                shift = *pcounter - maxcount;
                s = 1 << shift;
                if (shift > MAXSHIFT || s >= MAXTIMEOUT || s <= 0)
                        s = MAXTIMEOUT;

#define IS_ATTACK(s)    ((MaxChildren > 0 && *pcounter >= maxcount * 2) \
                                ? STOP_ATTACK : (time_t) s)

                /* sleep at least 1 second before returning */
                (void) sleep(*pcounter / maxcount);
                s -= *pcounter / maxcount;
                if (s >= MAXTIMEOUT || s < 0)
                        s = MAXTIMEOUT;
                if (waitnow && s > 0)
                {
                        (void) sleep(s);
                        return IS_ATTACK(0);
                }
                return IS_ATTACK(s);
        }
        return (time_t) 0;
}
/*
**  SETUP_SMTPD_IO -- setup I/O fd correctly for the SMTP server
**
**      Parameters:
**              none.
**
**      Returns:
**              nothing.
**
**      Side Effects:
**              may change I/O fd.
*/

static void
setup_smtpd_io()
{
        int inchfd, outchfd, outfd;

        inchfd = sm_io_getinfo(InChannel, SM_IO_WHAT_FD, NULL);
        outchfd  = sm_io_getinfo(OutChannel, SM_IO_WHAT_FD, NULL);
        outfd = sm_io_getinfo(smioout, SM_IO_WHAT_FD, NULL);
        if (outchfd != outfd)
        {
                /* arrange for debugging output to go to remote host */
                (void) dup2(outchfd, outfd);
        }

        /*
        **  if InChannel and OutChannel are stdin/stdout
        **  and connected to ttys
        **  and fcntl(STDIN, F_SETFL, O_NONBLOCKING) also changes STDOUT,
        **  then "chain" them together.
        */

        if (inchfd == STDIN_FILENO && outchfd == STDOUT_FILENO &&
            isatty(inchfd) && isatty(outchfd))
        {
                int inmode, outmode;

                inmode = fcntl(inchfd, F_GETFL, 0);
                if (inmode == -1)
                {
                        if (LogLevel > 11)
                                sm_syslog(LOG_INFO, NOQID,
                                        "fcntl(inchfd, F_GETFL) failed: %s",
                                        sm_errstring(errno));
                        return;
                }
                outmode = fcntl(outchfd, F_GETFL, 0);
                if (outmode == -1)
                {
                        if (LogLevel > 11)
                                sm_syslog(LOG_INFO, NOQID,
                                        "fcntl(outchfd, F_GETFL) failed: %s",
                                        sm_errstring(errno));
                        return;
                }
                if (bitset(O_NONBLOCK, inmode) ||
                    bitset(O_NONBLOCK, outmode) ||
                    fcntl(inchfd, F_SETFL, inmode | O_NONBLOCK) == -1)
                        return;
                outmode = fcntl(outchfd, F_GETFL, 0);
                if (outmode != -1 && bitset(O_NONBLOCK, outmode))
                {
                        /* changing InChannel also changes OutChannel */
                        sm_io_automode(OutChannel, InChannel);
                        if (tTd(97, 4) && LogLevel > 9)
                                sm_syslog(LOG_INFO, NOQID,
                                          "set automode for I (%d)/O (%d) in SMTP server",
                                          inchfd, outchfd);
                }

                /* undo change of inchfd */
                (void) fcntl(inchfd, F_SETFL, inmode);
        }
}
/*
**  SKIPWORD -- skip a fixed word.
**
**      Parameters:
**              p -- place to start looking.
**              w -- word to skip.
**
**      Returns:
**              p following w.
**              NULL on error.
**
**      Side Effects:
**              clobbers the p data area.
*/

static char *
skipword(p, w)
        register char *volatile p;
        char *w;
{
        register char *q;
        char *firstp = p;

        /* find beginning of word */
        SKIP_SPACE(p);
        q = p;

        /* find end of word */
        while (*p != '\0' && *p != ':' && !(isascii(*p) && isspace(*p)))
                p++;
        while (isascii(*p) && isspace(*p))
                *p++ = '\0';
        if (*p != ':')
        {
          syntax:
                usrerr("501 5.5.2 Syntax error in parameters scanning \"%s\"",
                        shortenstring(firstp, MAXSHORTSTR));
                return NULL;
        }
        *p++ = '\0';
        SKIP_SPACE(p);

        if (*p == '\0')
                goto syntax;

        /* see if the input word matches desired word */
        if (sm_strcasecmp(q, w))
                goto syntax;

        return p;
}

/*
**  RESET_MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line
**
**      Parameters:
**              e -- the envelope.
**
**      Returns:
**              none.
*/

void
reset_mail_esmtp_args(e)
        ENVELOPE *e;
{
        /* "size": no reset */

        /* "body" */
        SevenBitInput = SevenBitInput_Saved;
        e->e_bodytype = NULL;

        /* "envid" */
        e->e_envid = NULL;
        macdefine(&e->e_macro, A_PERM, macid("{dsn_envid}"), NULL);

        /* "ret" */
        e->e_flags &= ~(EF_RET_PARAM|EF_NO_BODY_RETN);
        macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), NULL);

#if SASL
        /* "auth" */
        macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"), NULL);
        e->e_auth_param = "";
# if _FFR_AUTH_PASSING
        macdefine(&BlankEnvelope.e_macro, A_PERM,
                                  macid("{auth_author}"), NULL);
# endif /* _FFR_AUTH_PASSING */
#endif /* SASL */

        /* "by" */
        e->e_deliver_by = 0;
        e->e_dlvr_flag = 0;
}

/*
**  MAIL_ESMTP_ARGS -- process ESMTP arguments from MAIL line
**
**      Parameters:
**              a -- address (unused, for compatibility with rcpt_esmtp_args)
**              kp -- the parameter key.
**              vp -- the value of that parameter.
**              e -- the envelope.
**
**      Returns:
**              none.
*/

void
mail_esmtp_args(a, kp, vp, e)
        ADDRESS *a;
        char *kp;
        char *vp;
        ENVELOPE *e;
{
        if (sm_strcasecmp(kp, "size") == 0)
        {
                if (vp == NULL)
                {
                        usrerr("501 5.5.2 SIZE requires a value");
                        /* NOTREACHED */
                }
                macdefine(&e->e_macro, A_TEMP, macid("{msg_size}"), vp);
                errno = 0;
                e->e_msgsize = strtol(vp, (char **) NULL, 10);
                if (e->e_msgsize == LONG_MAX && errno == ERANGE)
                {
                        usrerr("552 5.2.3 Message size exceeds maximum value");
                        /* NOTREACHED */
                }
                if (e->e_msgsize < 0)
                {
                        usrerr("552 5.2.3 Message size invalid");
                        /* NOTREACHED */
                }
        }
        else if (sm_strcasecmp(kp, "body") == 0)
        {
                if (vp == NULL)
                {
                        usrerr("501 5.5.2 BODY requires a value");
                        /* NOTREACHED */
                }
                else if (sm_strcasecmp(vp, "8bitmime") == 0)
                {
                        SevenBitInput = false;
                }
                else if (sm_strcasecmp(vp, "7bit") == 0)
                {
                        SevenBitInput = true;
                }
                else
                {
                        usrerr("501 5.5.4 Unknown BODY type %s", vp);
                        /* NOTREACHED */
                }
                e->e_bodytype = sm_rpool_strdup_x(e->e_rpool, vp);
        }
        else if (sm_strcasecmp(kp, "envid") == 0)
        {
                if (!bitset(SRV_OFFER_DSN, e->e_features))
                {
                        usrerr("504 5.7.0 Sorry, ENVID not supported, we do not allow DSN");
                        /* NOTREACHED */
                }
                if (vp == NULL)
                {
                        usrerr("501 5.5.2 ENVID requires a value");
                        /* NOTREACHED */
                }
                if (!xtextok(vp))
                {
                        usrerr("501 5.5.4 Syntax error in ENVID parameter value");
                        /* NOTREACHED */
                }
                if (e->e_envid != NULL)
                {
                        usrerr("501 5.5.0 Duplicate ENVID parameter");
                        /* NOTREACHED */
                }
                e->e_envid = sm_rpool_strdup_x(e->e_rpool, vp);
                macdefine(&e->e_macro, A_PERM,
                        macid("{dsn_envid}"), e->e_envid);
        }
        else if (sm_strcasecmp(kp, "ret") == 0)
        {
                if (!bitset(SRV_OFFER_DSN, e->e_features))
                {
                        usrerr("504 5.7.0 Sorry, RET not supported, we do not allow DSN");
                        /* NOTREACHED */
                }
                if (vp == NULL)
                {
                        usrerr("501 5.5.2 RET requires a value");
                        /* NOTREACHED */
                }
                if (bitset(EF_RET_PARAM, e->e_flags))
                {
                        usrerr("501 5.5.0 Duplicate RET parameter");
                        /* NOTREACHED */
                }
                e->e_flags |= EF_RET_PARAM;
                if (sm_strcasecmp(vp, "hdrs") == 0)
                        e->e_flags |= EF_NO_BODY_RETN;
                else if (sm_strcasecmp(vp, "full") != 0)
                {
                        usrerr("501 5.5.2 Bad argument \"%s\" to RET", vp);
                        /* NOTREACHED */
                }
                macdefine(&e->e_macro, A_TEMP, macid("{dsn_ret}"), vp);
        }
#if SASL
        else if (sm_strcasecmp(kp, "auth") == 0)
        {
                int len;
                char *q;
                char *auth_param;       /* the value of the AUTH=x */
                bool saveQuickAbort = QuickAbort;
                bool saveSuprErrs = SuprErrs;
                bool saveExitStat = ExitStat;

                if (vp == NULL)
                {
                        usrerr("501 5.5.2 AUTH= requires a value");
                        /* NOTREACHED */
                }
                if (e->e_auth_param != NULL)
                {
                        usrerr("501 5.5.0 Duplicate AUTH parameter");
                        /* NOTREACHED */
                }
                if ((q = strchr(vp, ' ')) != NULL)
                        len = q - vp + 1;
                else
                        len = strlen(vp) + 1;
                auth_param = xalloc(len);
                (void) sm_strlcpy(auth_param, vp, len);
                if (!xtextok(auth_param))
                {
                        usrerr("501 5.5.4 Syntax error in AUTH parameter value");
                        /* just a warning? */
                        /* NOTREACHED */
                }

                /* XXX define this always or only if trusted? */
                macdefine(&e->e_macro, A_TEMP, macid("{auth_author}"),
                          auth_param);

                /*
                **  call Strust_auth to find out whether
                **  auth_param is acceptable (trusted)
                **  we shouldn't trust it if not authenticated
                **  (required by RFC, leave it to ruleset?)
                */

                SuprErrs = true;
                QuickAbort = false;
                if (strcmp(auth_param, "<>") != 0 &&
                     (rscheck("trust_auth", auth_param, NULL, e, RSF_RMCOMM,
                              9, NULL, NOQID, NULL) != EX_OK || Errors > 0))
                {
                        if (tTd(95, 8))
                        {
                                q = e->e_auth_param;
                                sm_dprintf("auth=\"%.100s\" not trusted user=\"%.100s\"\n",
                                        auth_param, (q == NULL) ? "" : q);
                        }

                        /* not trusted */
                        e->e_auth_param = "<>";
# if _FFR_AUTH_PASSING
                        macdefine(&BlankEnvelope.e_macro, A_PERM,
                                  macid("{auth_author}"), NULL);
# endif /* _FFR_AUTH_PASSING */
                }
                else
                {
                        if (tTd(95, 8))
                                sm_dprintf("auth=\"%.100s\" trusted\n", auth_param);
                        e->e_auth_param = sm_rpool_strdup_x(e->e_rpool,
                                                            auth_param);
                }
                sm_free(auth_param); /* XXX */

                /* reset values */
                Errors = 0;
                QuickAbort = saveQuickAbort;
                SuprErrs = saveSuprErrs;
                ExitStat = saveExitStat;
        }
#endif /* SASL */
#define PRTCHAR(c)      ((isascii(c) && isprint(c)) ? (c) : '?')

        /*
        **  "by" is only accepted if DeliverByMin >= 0.
        **  We maybe could add this to the list of server_features.
        */

        else if (sm_strcasecmp(kp, "by") == 0 && DeliverByMin >= 0)
        {
                char *s;

                if (vp == NULL)
                {
                        usrerr("501 5.5.2 BY= requires a value");
                        /* NOTREACHED */
                }
                errno = 0;
                e->e_deliver_by = strtol(vp, &s, 10);
                if (e->e_deliver_by == LONG_MIN ||
                    e->e_deliver_by == LONG_MAX ||
                    e->e_deliver_by > 999999999l ||
                    e->e_deliver_by < -999999999l)
                {
                        usrerr("501 5.5.2 BY=%s out of range", vp);
                        /* NOTREACHED */
                }
                if (s == NULL || *s != ';')
                {
                        usrerr("501 5.5.2 BY= missing ';'");
                        /* NOTREACHED */
                }
                e->e_dlvr_flag = 0;
                ++s;    /* XXX: spaces allowed? */
                SKIP_SPACE(s);
                switch (tolower(*s))
                {
                  case 'n':
                        e->e_dlvr_flag = DLVR_NOTIFY;
                        break;
                  case 'r':
                        e->e_dlvr_flag = DLVR_RETURN;
                        if (e->e_deliver_by <= 0)
                        {
                                usrerr("501 5.5.4 mode R requires BY time > 0");
                                /* NOTREACHED */
                        }
                        if (DeliverByMin > 0 && e->e_deliver_by > 0 &&
                            e->e_deliver_by < DeliverByMin)
                        {
                                usrerr("555 5.5.2 time %ld less than %ld",
                                        e->e_deliver_by, (long) DeliverByMin);
                                /* NOTREACHED */
                        }
                        break;
                  default:
                        usrerr("501 5.5.2 illegal by-mode '%c'", PRTCHAR(*s));
                        /* NOTREACHED */
                }
                ++s;    /* XXX: spaces allowed? */
                SKIP_SPACE(s);
                switch (tolower(*s))
                {
                  case 't':
                        e->e_dlvr_flag |= DLVR_TRACE;
                        break;
                  case '\0':
                        break;
                  default:
                        usrerr("501 5.5.2 illegal by-trace '%c'", PRTCHAR(*s));
                        /* NOTREACHED */
                }

                /* XXX: check whether more characters follow? */
        }
        else
        {
                usrerr("555 5.5.4 %s parameter unrecognized", kp);
                /* NOTREACHED */
        }
}

/*
**  RCPT_ESMTP_ARGS -- process ESMTP arguments from RCPT line
**
**      Parameters:
**              a -- the address corresponding to the To: parameter.
**              kp -- the parameter key.
**              vp -- the value of that parameter.
**              e -- the envelope.
**
**      Returns:
**              none.
*/

void
rcpt_esmtp_args(a, kp, vp, e)
        ADDRESS *a;
        char *kp;
        char *vp;
        ENVELOPE *e;
{
        if (sm_strcasecmp(kp, "notify") == 0)
        {
                char *p;

                if (!bitset(SRV_OFFER_DSN, e->e_features))
                {
                        usrerr("504 5.7.0 Sorry, NOTIFY not supported, we do not allow DSN");
                        /* NOTREACHED */
                }
                if (vp == NULL)
                {
                        usrerr("501 5.5.2 NOTIFY requires a value");
                        /* NOTREACHED */
                }
                a->q_flags &= ~(QPINGONSUCCESS|QPINGONFAILURE|QPINGONDELAY);
                a->q_flags |= QHASNOTIFY;
                macdefine(&e->e_macro, A_TEMP, macid("{dsn_notify}"), vp);

                if (sm_strcasecmp(vp, "never") == 0)
                        return;
                for (p = vp; p != NULL; vp = p)
                {
                        char *s;

                        s = p = strchr(p, ',');
                        if (p != NULL)
                                *p++ = '\0';
                        if (sm_strcasecmp(vp, "success") == 0)
                                a->q_flags |= QPINGONSUCCESS;
                        else if (sm_strcasecmp(vp, "failure") == 0)
                                a->q_flags |= QPINGONFAILURE;
                        else if (sm_strcasecmp(vp, "delay") == 0)
                                a->q_flags |= QPINGONDELAY;
                        else
                        {
                                usrerr("501 5.5.4 Bad argument \"%s\"  to NOTIFY",
                                        vp);
                                /* NOTREACHED */
                        }
                        if (s != NULL)
                                *s = ',';
                }
        }
        else if (sm_strcasecmp(kp, "orcpt") == 0)
        {
                if (!bitset(SRV_OFFER_DSN, e->e_features))
                {
                        usrerr("504 5.7.0 Sorry, ORCPT not supported, we do not allow DSN");
                        /* NOTREACHED */
                }
                if (vp == NULL)
                {
                        usrerr("501 5.5.2 ORCPT requires a value");
                        /* NOTREACHED */
                }
                if (strchr(vp, ';') == NULL || !xtextok(vp))
                {
                        usrerr("501 5.5.4 Syntax error in ORCPT parameter value");
                        /* NOTREACHED */
                }
                if (a->q_orcpt != NULL)
                {
                        usrerr("501 5.5.0 Duplicate ORCPT parameter");
                        /* NOTREACHED */
                }
                a->q_orcpt = sm_rpool_strdup_x(e->e_rpool, vp);
        }
        else
        {
                usrerr("555 5.5.4 %s parameter unrecognized", kp);
                /* NOTREACHED */
        }
}
/*
**  PRINTVRFYADDR -- print an entry in the verify queue
**
**      Parameters:
**              a -- the address to print.
**              last -- set if this is the last one.
**              vrfy -- set if this is a VRFY command.
**
**      Returns:
**              none.
**
**      Side Effects:
**              Prints the appropriate 250 codes.
*/
#define OFFF    (3 + 1 + 5 + 1) /* offset in fmt: SMTP reply + enh. code */

static void
printvrfyaddr(a, last, vrfy)
        register ADDRESS *a;
        bool last;
        bool vrfy;
{
        char fmtbuf[30];

        if (vrfy && a->q_mailer != NULL &&
            !bitnset(M_VRFY250, a->q_mailer->m_flags))
                (void) sm_strlcpy(fmtbuf, "252", sizeof(fmtbuf));
        else
                (void) sm_strlcpy(fmtbuf, "250", sizeof(fmtbuf));
        fmtbuf[3] = last ? ' ' : '-';
        (void) sm_strlcpy(&fmtbuf[4], "2.1.5 ", sizeof(fmtbuf) - 4);
        if (a->q_fullname == NULL)
        {
                if ((a->q_mailer == NULL ||
                     a->q_mailer->m_addrtype == NULL ||
                     sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) &&
                    strchr(a->q_user, '@') == NULL)
                        (void) sm_strlcpy(&fmtbuf[OFFF], "<%s@%s>",
                                       sizeof(fmtbuf) - OFFF);
                else
                        (void) sm_strlcpy(&fmtbuf[OFFF], "<%s>",
                                       sizeof(fmtbuf) - OFFF);
                message(fmtbuf, a->q_user, MyHostName);
        }
        else
        {
                if ((a->q_mailer == NULL ||
                     a->q_mailer->m_addrtype == NULL ||
                     sm_strcasecmp(a->q_mailer->m_addrtype, "rfc822") == 0) &&
                    strchr(a->q_user, '@') == NULL)
                        (void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s@%s>",
                                       sizeof(fmtbuf) - OFFF);
                else
                        (void) sm_strlcpy(&fmtbuf[OFFF], "%s <%s>",
                                       sizeof(fmtbuf) - OFFF);
                message(fmtbuf, a->q_fullname, a->q_user, MyHostName);
        }
}

#if SASL
/*
**  SASLMECHS -- get list of possible AUTH mechanisms
**
**      Parameters:
**              conn -- SASL connection info.
**              mechlist -- output parameter for list of mechanisms.
**
**      Returns:
**              number of mechs.
*/

static int
saslmechs(conn, mechlist)
        sasl_conn_t *conn;
        char **mechlist;
{
        int len, num, result;

        /* "user" is currently unused */
# if SASL >= 20000
        result = sasl_listmech(conn, NULL,
                               "", " ", "", (const char **) mechlist,
                               (unsigned int *)&len, &num);
# else /* SASL >= 20000 */
        result = sasl_listmech(conn, "user", /* XXX */
                               "", " ", "", mechlist,
                               (unsigned int *)&len, (unsigned int *)&num);
# endif /* SASL >= 20000 */
        if (result != SASL_OK)
        {
                if (LogLevel > 9)
                        sm_syslog(LOG_WARNING, NOQID,
                                  "AUTH error: listmech=%d, num=%d",
                                  result, num);
                num = 0;
        }
        if (num > 0)
        {
                if (LogLevel > 11)
                        sm_syslog(LOG_INFO, NOQID,
                                  "AUTH: available mech=%s, allowed mech=%s",
                                  *mechlist, AuthMechanisms);
                *mechlist = intersect(AuthMechanisms, *mechlist, NULL);
        }
        else
        {
                *mechlist = NULL;       /* be paranoid... */
                if (result == SASL_OK && LogLevel > 9)
                        sm_syslog(LOG_WARNING, NOQID,
                                  "AUTH warning: no mechanisms");
        }
        return num;
}

# if SASL >= 20000
/*
**  PROXY_POLICY -- define proxy policy for AUTH
**
**      Parameters:
**              conn -- unused.
**              context -- unused.
**              requested_user -- authorization identity.
**              rlen -- authorization identity length.
**              auth_identity -- authentication identity.
**              alen -- authentication identity length.
**              def_realm -- default user realm.
**              urlen -- user realm length.
**              propctx -- unused.
**
**      Returns:
**              ok?
**
**      Side Effects:
**              sets {auth_authen} macro.
*/

int
proxy_policy(conn, context, requested_user, rlen, auth_identity, alen,
             def_realm, urlen, propctx)
        sasl_conn_t *conn;
        void *context;
        const char *requested_user;
        unsigned rlen;
        const char *auth_identity;
        unsigned alen;
        const char *def_realm;
        unsigned urlen;
        struct propctx *propctx;
{
        if (auth_identity == NULL)
                return SASL_FAIL;

        macdefine(&BlankEnvelope.e_macro, A_TEMP,
                  macid("{auth_authen}"), (char *) auth_identity);

        return SASL_OK;
}
# else /* SASL >= 20000 */

/*
**  PROXY_POLICY -- define proxy policy for AUTH
**
**      Parameters:
**              context -- unused.
**              auth_identity -- authentication identity.
**              requested_user -- authorization identity.
**              user -- allowed user (output).
**              errstr -- possible error string (output).
**
**      Returns:
**              ok?
*/

int
proxy_policy(context, auth_identity, requested_user, user, errstr)
        void *context;
        const char *auth_identity;
        const char *requested_user;
        const char **user;
        const char **errstr;
{
        if (user == NULL || auth_identity == NULL)
                return SASL_FAIL;
        *user = newstr(auth_identity);
        return SASL_OK;
}
# endif /* SASL >= 20000 */
#endif /* SASL */

#if STARTTLS
/*
**  INITSRVTLS -- initialize server side TLS
**
**      Parameters:
**              tls_ok -- should tls initialization be done?
**
**      Returns:
**              succeeded?
**
**      Side Effects:
**              sets tls_ok_srv which is a static variable in this module.
**              Do NOT remove assignments to it!
*/

bool
initsrvtls(tls_ok)
        bool tls_ok;
{
        if (!tls_ok)
                return false;

        /* do NOT remove assignment */
        tls_ok_srv = inittls(&srv_ctx, TLS_Srv_Opts, Srv_SSL_Options, true,
                             SrvCertFile, SrvKeyFile,
                             CACertPath, CACertFile, DHParams);
        return tls_ok_srv;
}
#endif /* STARTTLS */
/*
**  SRVFEATURES -- get features for SMTP server
**
**      Parameters:
**              e -- envelope (should be session context).
**              clientname -- name of client.
**              features -- default features for this invocation.
**
**      Returns:
**              server features.
*/

/* table with options: it uses just one character, how about strings? */
static struct
{
        char            srvf_opt;
        unsigned int    srvf_flag;
} srv_feat_table[] =
{
        { 'A',  SRV_OFFER_AUTH  },
        { 'B',  SRV_OFFER_VERB  },
        { 'C',  SRV_REQ_SEC     },
        { 'D',  SRV_OFFER_DSN   },
        { 'E',  SRV_OFFER_ETRN  },
        { 'L',  SRV_REQ_AUTH    },
#if PIPELINING
# if _FFR_NO_PIPE
        { 'N',  SRV_NO_PIPE     },
# endif /* _FFR_NO_PIPE */
        { 'P',  SRV_OFFER_PIPE  },
#endif /* PIPELINING */
        { 'R',  SRV_VRFY_CLT    },      /* same as V; not documented */
        { 'S',  SRV_OFFER_TLS   },
/*      { 'T',  SRV_TMP_FAIL    },      */
        { 'V',  SRV_VRFY_CLT    },
        { 'X',  SRV_OFFER_EXPN  },
/*      { 'Y',  SRV_OFFER_VRFY  },      */
        { '\0', SRV_NONE        }
};

static unsigned int
srvfeatures(e, clientname, features)
        ENVELOPE *e;
        char *clientname;
        unsigned int features;
{
        int r, i, j;
        char **pvp, c, opt;
        char pvpbuf[PSBUFSIZE];

        pvp = NULL;
        r = rscap("srv_features", clientname, "", e, &pvp, pvpbuf,
                  sizeof(pvpbuf));
        if (r != EX_OK)
                return features;
        if (pvp == NULL || pvp[0] == NULL || (pvp[0][0] & 0377) != CANONNET)
                return features;
        if (pvp[1] != NULL && sm_strncasecmp(pvp[1], "temp", 4) == 0)
                return SRV_TMP_FAIL;

        /*
        **  General rule (see sendmail.h, d_flags):
        **  lower case: required/offered, upper case: Not required/available
        **
        **  Since we can change some features per daemon, we have both
        **  cases here: turn on/off a feature.
        */

        for (i = 1; pvp[i] != NULL; i++)
        {
                c = pvp[i][0];
                j = 0;
                for (;;)
                {
                        if ((opt = srv_feat_table[j].srvf_opt) == '\0')
                        {
                                if (LogLevel > 9)
                                        sm_syslog(LOG_WARNING, e->e_id,
                                                  "srvfeatures: unknown feature %s",
                                                  pvp[i]);
                                break;
                        }
                        if (c == opt)
                        {
                                features &= ~(srv_feat_table[j].srvf_flag);
                                break;
                        }
                        if (c == tolower(opt))
                        {
                                features |= srv_feat_table[j].srvf_flag;
                                break;
                        }
                        ++j;
                }
        }
        return features;
}

/*
**  HELP -- implement the HELP command.
**
**      Parameters:
**              topic -- the topic we want help for.
**              e -- envelope.
**
**      Returns:
**              none.
**
**      Side Effects:
**              outputs the help file to message output.
*/
#define HELPVSTR        "#vers  "
#define HELPVERSION     2

void
help(topic, e)
        char *topic;
        ENVELOPE *e;
{
        register SM_FILE_T *hf;
        register char *p;
        int len;
        bool noinfo;
        bool first = true;
        long sff = SFF_OPENASROOT|SFF_REGONLY;
        char buf[MAXLINE];
        char inp[MAXLINE];
        static int foundvers = -1;
        extern char Version[];

        if (DontLockReadFiles)
                sff |= SFF_NOLOCK;
        if (!bitnset(DBS_HELPFILEINUNSAFEDIRPATH, DontBlameSendmail))
                sff |= SFF_SAFEDIRPATH;

        if (HelpFile == NULL ||
            (hf = safefopen(HelpFile, O_RDONLY, 0444, sff)) == NULL)
        {
                /* no help */
                errno = 0;
                message("502 5.3.0 Sendmail %s -- HELP not implemented",
                        Version);
                return;
        }

        if (topic == NULL || *topic == '\0')
        {
                topic = "smtp";
                noinfo = false;
        }
        else
        {
                makelower(topic);
                noinfo = true;
        }

        len = strlen(topic);

        while (sm_io_fgets(hf, SM_TIME_DEFAULT, buf, sizeof(buf)) != NULL)
        {
                if (buf[0] == '#')
                {
                        if (foundvers < 0 &&
                            strncmp(buf, HELPVSTR, strlen(HELPVSTR)) == 0)
                        {
                                int h;

                                if (sm_io_sscanf(buf + strlen(HELPVSTR), "%d",
                                                 &h) == 1)
                                        foundvers = h;
                        }
                        continue;
                }
                if (strncmp(buf, topic, len) == 0)
                {
                        if (first)
                        {
                                first = false;

                                /* print version if no/old vers# in file */
                                if (foundvers < 2 && !noinfo)
                                        message("214-2.0.0 This is Sendmail version %s", Version);
                        }
                        p = strpbrk(buf, " \t");
                        if (p == NULL)
                                p = buf + strlen(buf) - 1;
                        else
                                p++;
                        fixcrlf(p, true);
                        if (foundvers >= 2)
                        {
                                char *lbp;
                                int lbs = sizeof(buf) - (p - buf);

                                lbp = translate_dollars(p, p, &lbs);
                                expand(lbp, inp, sizeof(inp), e);
                                if (p != lbp)
                                        sm_free(lbp);
                                p = inp;
                        }
                        message("214-2.0.0 %s", p);
                        noinfo = false;
                }
        }

        if (noinfo)
                message("504 5.3.0 HELP topic \"%.10s\" unknown", topic);
        else
                message("214 2.0.0 End of HELP info");

        if (foundvers != 0 && foundvers < HELPVERSION)
        {
                if (LogLevel > 1)
                        sm_syslog(LOG_WARNING, e->e_id,
                                  "%s too old (require version %d)",
                                  HelpFile, HELPVERSION);

                /* avoid log next time */
                foundvers = 0;
        }

        (void) sm_io_close(hf, SM_TIME_DEFAULT);
}

#if SASL
/*
**  RESET_SASLCONN -- reset SASL connection data
**
**      Parameters:
**              conn -- SASL connection context
**              hostname -- host name
**              various connection data
**
**      Returns:
**              SASL result
*/

static int
reset_saslconn(sasl_conn_t **conn, char *hostname,
# if SASL >= 20000
               char *remoteip, char *localip,
               char *auth_id, sasl_ssf_t * ext_ssf)
# else /* SASL >= 20000 */
               struct sockaddr_in *saddr_r, struct sockaddr_in *saddr_l,
               sasl_external_properties_t * ext_ssf)
# endif /* SASL >= 20000 */
{
        int result;

        sasl_dispose(conn);
# if SASL >= 20000
        result = sasl_server_new("smtp", hostname, NULL, NULL, NULL,
                                 NULL, 0, conn);
# elif SASL > 10505
        /* use empty realm: only works in SASL > 1.5.5 */
        result = sasl_server_new("smtp", hostname, "", NULL, 0, conn);
# else /* SASL >= 20000 */
        /* use no realm -> realm is set to hostname by SASL lib */
        result = sasl_server_new("smtp", hostname, NULL, NULL, 0,
                                 conn);
# endif /* SASL >= 20000 */
        if (result != SASL_OK)
                return result;

# if SASL >= 20000
#  if NETINET || NETINET6
        if (remoteip != NULL && *remoteip != '\0')
                result = sasl_setprop(*conn, SASL_IPREMOTEPORT, remoteip);
        if (result != SASL_OK)
                return result;

        if (localip != NULL && *localip != '\0')
                result = sasl_setprop(*conn, SASL_IPLOCALPORT, localip);
        if (result != SASL_OK)
                return result;
#  endif /* NETINET || NETINET6 */

        result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf);
        if (result != SASL_OK)
                return result;

        result = sasl_setprop(*conn, SASL_AUTH_EXTERNAL, auth_id);
        if (result != SASL_OK)
                return result;
# else /* SASL >= 20000 */
#  if NETINET
        if (saddr_r != NULL)
                result = sasl_setprop(*conn, SASL_IP_REMOTE, saddr_r);
        if (result != SASL_OK)
                return result;

        if (saddr_l != NULL)
                result = sasl_setprop(*conn, SASL_IP_LOCAL, saddr_l);
        if (result != SASL_OK)
                return result;
#  endif /* NETINET */

        result = sasl_setprop(*conn, SASL_SSF_EXTERNAL, ext_ssf);
        if (result != SASL_OK)
                return result;
# endif /* SASL >= 20000 */
        return SASL_OK;
}
#endif /* SASL */