MATCH_LIST *match_list_init(int flags, const char *patterns, int match_count,...)
{
MATCH_LIST *list;
char *saved_patterns;
va_list ap;
int i;
if (flags & ~MATCH_FLAG_ALL)
msg_panic("match_list_init: bad flags 0x%x", flags);
list = (MATCH_LIST *) mymalloc(sizeof(*list));
list->flags = flags;
list->match_count = match_count;
list->match_func =
(MATCH_LIST_FN *) mymalloc(match_count * sizeof(MATCH_LIST_FN));
list->match_args =
(const char **) mymalloc(match_count * sizeof(const char *));
va_start(ap, match_count);
for (i = 0; i < match_count; i++)
list->match_func[i] = va_arg(ap, MATCH_LIST_FN);
va_end(ap);
list->error = 0;
#define DO_MATCH 1
saved_patterns = mystrdup(patterns);
list->patterns = match_list_parse(argv_alloc(1), saved_patterns, DO_MATCH);
argv_terminate(list->patterns);
myfree(saved_patterns);
return (list);
}
ARGV *dict_mapnames()
{
HTABLE_INFO **ht_info;
HTABLE_INFO **ht;
DICT_OPEN_INFO *dp;
ARGV *mapnames;
#ifndef NO_DYNAMIC_MAPS
DLINFO *dlp;
#endif
if (dict_open_hash == 0)
dict_open_init();
mapnames = argv_alloc(dict_open_hash->used + 1);
for (ht_info = ht = htable_list(dict_open_hash); *ht; ht++) {
dp = (DICT_OPEN_INFO *) ht[0]->value;
argv_add(mapnames, dp->type, ARGV_END);
}
#ifndef NO_DYNAMIC_MAPS
if (!dict_dlinfo)
msg_fatal("dlinfo==NULL");
for (dlp=dict_dlinfo; dlp->pattern; dlp++) {
argv_add(mapnames, dlp->pattern, ARGV_END);
}
#endif
qsort((void *) mapnames->argv, mapnames->argc, sizeof(mapnames->argv[0]),
dict_sort_alpha_cpp);
myfree((char *) ht_info);
argv_terminate(mapnames);
return mapnames;
}
ARGV *xsasl_client_types(void)
{
const XSASL_CLIENT_IMPL_INFO *xp;
ARGV *argv = argv_alloc(1);
for (xp = client_impl_info; xp->client_type; xp++)
argv_add(argv, xp->client_type, ARGV_END);
return (argv);
}
ARGV *mbox_lock_names(void)
{
const NAME_MASK *np;
ARGV *argv;
argv = argv_alloc(2);
for (np = mbox_mask; np->name != 0; np++)
argv_add(argv, np->name, ARGV_END);
argv_terminate(argv);
return (argv);
}
ARGV *match_service_init_argv(char **patterns)
{
ARGV *list = argv_alloc(1);
char **cpp;
for (cpp = patterns; *cpp; cpp++)
argv_add(list, *cpp, (char *) 0);
argv_terminate(list);
match_service_compat(list);
return (list);
}
static void smtp_chat_append(SMTP_SESSION *session, const char *direction,
const char *data)
{
char *line;
if (session->history == 0)
session->history = argv_alloc(10);
line = concatenate(direction, data, (char *) 0);
argv_add(session->history, line, (char *) 0);
myfree(line);
}
ARGV *argv_split(const char *string, const char *delim)
{
ARGV *argvp = argv_alloc(1);
char *saved_string = mystrdup(string);
char *bp = saved_string;
char *arg;
while ((arg = mystrtok(&bp, delim)) != 0)
argv_add(argvp, arg, (char *) 0);
argv_terminate(argvp);
myfree(saved_string);
return (argvp);
}
static void smtp_chat_append(SMTPD_STATE *state, char *direction)
{
char *line;
if (state->notify_mask == 0)
return;
if (state->history == 0)
state->history = argv_alloc(10);
line = concatenate(direction, STR(state->buffer), (char *) 0);
argv_add(state->history, line, (char *) 0);
myfree(line);
}
ARGV *mail_addr_crunch(const char *string, const char *extension)
{
VSTRING *extern_addr = vstring_alloc(100);
VSTRING *canon_addr = vstring_alloc(100);
ARGV *argv = argv_alloc(1);
TOK822 *tree;
TOK822 **addr_list;
TOK822 **tpp;
char *ratsign;
ssize_t extlen;
if (extension)
extlen = strlen(extension);
#define STR(x) vstring_str(x)
/*
* Parse the string, rewrite each address to canonical form, and convert
* the result to external (quoted) form. Optionally apply the extension
* to each address found.
*
* XXX Workaround for the null address. This works for envelopes but
* produces ugly results for message headers.
*/
if (*string == 0 || strcmp(string, "<>") == 0)
string = "\"\"";
tree = tok822_parse(string);
addr_list = tok822_grep(tree, TOK822_ADDR);
for (tpp = addr_list; *tpp; tpp++) {
tok822_externalize(extern_addr, tpp[0]->head, TOK822_STR_DEFL);
canon_addr_external(canon_addr, STR(extern_addr));
if (extension) {
VSTRING_SPACE(canon_addr, extlen + 1);
if ((ratsign = strrchr(STR(canon_addr), '@')) == 0) {
vstring_strcat(canon_addr, extension);
} else {
memmove(ratsign + extlen, ratsign, strlen(ratsign) + 1);
memcpy(ratsign, extension, extlen);
VSTRING_SKIP(canon_addr);
}
}
argv_add(argv, STR(canon_addr), ARGV_END);
}
argv_terminate(argv);
myfree((char *) addr_list);
tok822_free_tree(tree);
vstring_free(canon_addr);
vstring_free(extern_addr);
return (argv);
}
ARGV *match_service_init(const char *patterns)
{
const char *delim = " ,\t\r\n";
ARGV *list = argv_alloc(1);
char *saved_patterns = mystrdup(patterns);
char *bp = saved_patterns;
const char *item;
while ((item = mystrtok(&bp, delim)) != 0)
argv_add(list, item, (char *) 0);
argv_terminate(list);
myfree(saved_patterns);
return (list);
}
MAPS *maps_create(const char *title, const char *map_names, int dict_flags)
{
const char *myname = "maps_create";
char *temp;
char *bufp;
static char sep[] = CHARS_COMMA_SP;
static char parens[] = CHARS_BRACE;
MAPS *maps;
char *map_type_name;
VSTRING *map_type_name_flags;
DICT *dict;
/*
* Initialize.
*/
maps = (MAPS *) mymalloc(sizeof(*maps));
maps->title = mystrdup(title);
maps->argv = argv_alloc(2);
maps->error = 0;
/*
* For each specified type:name pair, either register a new dictionary,
* or increment the reference count of an existing one.
*/
if (*map_names) {
bufp = temp = mystrdup(map_names);
map_type_name_flags = vstring_alloc(10);
#define OPEN_FLAGS O_RDONLY
while ((map_type_name = mystrtokq(&bufp, sep, parens)) != 0) {
vstring_sprintf(map_type_name_flags, "%s(%o,%s)",
map_type_name, OPEN_FLAGS,
dict_flags_str(dict_flags));
if ((dict = dict_handle(vstring_str(map_type_name_flags))) == 0)
dict = dict_open(map_type_name, OPEN_FLAGS, dict_flags);
if ((dict->flags & dict_flags) != dict_flags)
msg_panic("%s: map %s has flags 0%o, want flags 0%o",
myname, map_type_name, dict->flags, dict_flags);
dict_register(vstring_str(map_type_name_flags), dict);
argv_add(maps->argv, vstring_str(map_type_name_flags), ARGV_END);
}
myfree(temp);
vstring_free(map_type_name_flags);
}
return (maps);
}
static const char *xsasl_dovecot_server_get_mechanism_list(XSASL_SERVER *xp)
{
XSASL_DOVECOT_SERVER *server = (XSASL_DOVECOT_SERVER *) xp;
if (!server->impl->sasl_stream) {
if (xsasl_dovecot_server_connect(server->impl) < 0)
return (0);
}
if (server->mechanism_list == 0) {
server->mechanism_argv = argv_alloc(2);
server->mechanism_list =
xsasl_dovecot_server_mech_filter(server->mechanism_argv,
server->impl->mechanism_list,
server->sec_props);
}
return (server->mechanism_list[0] ? server->mechanism_list : 0);
}
ARGV *argv_split_count(const char *string, const char *delim, ssize_t count)
{
ARGV *argvp = argv_alloc(1);
char *saved_string = mystrdup(string);
char *bp = saved_string;
char *arg;
if (count < 1)
msg_panic("argv_split_count: bad count: %ld", (long) count);
while (count-- > 1 && (arg = mystrtok(&bp, delim)) != 0)
argv_add(argvp, arg, (char *) 0);
if (*bp)
bp += strspn(bp, delim);
if (*bp)
argv_add(argvp, bp, (char *) 0);
argv_terminate(argvp);
myfree(saved_string);
return (argvp);
}
ARGV *dict_mapnames()
{
HTABLE_INFO **ht_info;
HTABLE_INFO **ht;
DICT_OPEN_INFO *dp;
ARGV *mapnames;
if (dict_open_hash == 0)
dict_open_init();
mapnames = argv_alloc(dict_open_hash->used + 1);
for (ht_info = ht = htable_list(dict_open_hash); *ht; ht++) {
dp = (DICT_OPEN_INFO *) ht[0]->value;
argv_add(mapnames, dp->type, ARGV_END);
}
qsort((void *) mapnames->argv, mapnames->argc, sizeof(mapnames->argv[0]),
dict_sort_alpha_cpp);
myfree((char *) ht_info);
argv_terminate(mapnames);
return mapnames;
}
static void pcf_show_master_any_param(VSTREAM *fp, int mode,
PCF_MASTER_ENT *masterp)
{
const char *myname = "pcf_show_master_any_param";
ARGV *argv = argv_alloc(10);
DICT *dict = masterp->all_params;
const char *param_name;
const char *param_value;
int param_count = 0;
int how;
char **cpp;
/*
* Print parameters in sorted order. The number of parameters per
* master.cf entry is small, so we optmiize for code simplicity and don't
* worry about the cost of double lookup.
*/
/* Look up the parameter names and ignore the values. */
for (how = DICT_SEQ_FUN_FIRST;
dict->sequence(dict, how, ¶m_name, ¶m_value) == 0;
how = DICT_SEQ_FUN_NEXT) {
argv_add(argv, param_name, ARGV_END);
param_count++;
}
/* Print the parameters in sorted order. */
qsort(argv->argv, param_count, sizeof(argv->argv[0]), pcf_sort_argv_cb);
for (cpp = argv->argv; (param_name = *cpp) != 0; cpp++) {
if ((param_value = dict_get(dict, param_name)) == 0)
msg_panic("%s: parameter name not found: %s", myname, param_name);
pcf_print_master_param(fp, mode, masterp, param_name, param_value);
}
/*
* Clean up.
*/
argv_free(argv);
}
static ARGV *milter_macro_lookup(MILTERS *milters, const char *macro_names)
{
const char *myname = "milter_macro_lookup";
char *saved_names = mystrdup(macro_names);
char *cp = saved_names;
ARGV *argv = argv_alloc(10);
const char *value;
const char *name;
while ((name = mystrtok(&cp, ", \t\r\n")) != 0) {
if (msg_verbose)
msg_info("%s: \"%s\"", myname, name);
if ((value = milters->mac_lookup(name, milters->mac_context)) != 0) {
if (msg_verbose)
msg_info("%s: result \"%s\"", myname, value);
argv_add(argv, name, value, (char *) 0);
}
}
myfree(saved_names);
return (argv);
}
SERVER_ACL *server_acl_parse(const char *extern_acl, const char *origin)
{
char *saved_acl = mystrdup(extern_acl);
SERVER_ACL *intern_acl = argv_alloc(1);
char *bp = saved_acl;
char *acl;
#define STREQ(x,y) ((*x) == (*y) && strcasecmp((x), (y)) == 0)
#define STRNE(x,y) ((*x) != (*y) || strcasecmp((x), (y)) != 0)
/*
* Nested tables are not allowed. Tables are opened before entering the
* chroot jail, while access lists are evaluated after entering the
* chroot jail.
*/
while ((acl = mystrtok(&bp, SERVER_ACL_SEPARATORS)) != 0) {
if (strchr(acl, ':') != 0) {
if (strchr(origin, ':') != 0) {
msg_warn("table %s: lookup result \"%s\" is not allowed"
" -- ignoring remainder of access list",
origin, acl);
argv_add(intern_acl, SERVER_ACL_NAME_DUNNO, (char *) 0);
break;
} else {
if (dict_handle(acl) == 0)
dict_register(acl, dict_open(acl, O_RDONLY, DICT_FLAG_LOCK
| DICT_FLAG_FOLD_FIX));
}
}
argv_add(intern_acl, acl, (char *) 0);
}
argv_terminate(intern_acl);
/*
* Cleanup.
*/
myfree(saved_acl);
return (intern_acl);
}
CLEANUP_STATE *cleanup_state_alloc(VSTREAM *src)
{
CLEANUP_STATE *state = (CLEANUP_STATE *) mymalloc(sizeof(*state));
state->attr_buf = vstring_alloc(10);
state->temp1 = vstring_alloc(10);
state->temp2 = vstring_alloc(10);
if (cleanup_strip_chars)
state->stripped_buf = vstring_alloc(10);
state->src = src;
state->dst = 0;
state->handle = 0;
state->queue_name = 0;
state->queue_id = 0;
state->arrival_time.tv_sec = state->arrival_time.tv_usec = 0;
state->fullname = 0;
state->sender = 0;
state->recip = 0;
state->orig_rcpt = 0;
state->return_receipt = 0;
state->errors_to = 0;
state->auto_hdrs = argv_alloc(1);
state->hbc_rcpt = 0;
state->flags = 0;
state->qmgr_opts = 0;
state->errs = 0;
state->err_mask = 0;
state->headers_seen = 0;
state->hop_count = 0;
state->resent = "";
state->dups = been_here_init(var_dup_filter_limit, BH_FLAG_FOLD);
state->action = cleanup_envelope;
state->data_offset = -1;
state->body_offset = -1;
state->xtra_offset = -1;
state->cont_length = 0;
state->sender_pt_offset = -1;
state->sender_pt_target = -1;
state->append_rcpt_pt_offset = -1;
state->append_rcpt_pt_target = -1;
state->append_hdr_pt_offset = -1;
state->append_hdr_pt_target = -1;
state->append_meta_pt_offset = -1;
state->append_meta_pt_target = -1;
state->milter_hbc_checks = 0;
state->milter_hbc_reply = 0;
state->rcpt_count = 0;
state->reason = 0;
state->smtp_reply = 0;
state->attr = nvtable_create(10);
nvtable_update(state->attr, MAIL_ATTR_LOG_ORIGIN, MAIL_ATTR_ORG_LOCAL);
state->mime_state = 0;
state->mime_errs = 0;
state->hdr_rewrite_context = MAIL_ATTR_RWR_LOCAL;
state->filter = 0;
state->redirect = 0;
state->dsn_envid = 0;
state->dsn_ret = 0;
state->dsn_notify = 0;
state->dsn_orcpt = 0;
state->verp_delims = 0;
state->milters = 0;
state->client_name = 0;
state->reverse_name = 0;
state->client_addr = 0;
state->client_af = 0;
state->client_port = 0;
state->milter_ext_from = 0;
state->milter_ext_rcpt = 0;
state->milter_err_text = 0;
state->free_regions = state->body_regions = state->curr_body_region = 0;
state->smtputf8 = 0;
return (state);
}
static void show_queue(void)
{
const char *errstr;
char buf[VSTREAM_BUFSIZE];
VSTREAM *showq;
int n;
uid_t uid = getuid();
if (uid != 0 && uid != var_owner_uid
&& (errstr = check_user_acl_byuid(VAR_SHOWQ_ACL, var_showq_acl,
uid)) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to view the mail queue",
errstr, (long) uid);
/*
* Connect to the show queue service. Terminate silently when piping into
* a program that terminates early.
*/
if ((showq = mail_connect(MAIL_CLASS_PUBLIC, var_showq_service, BLOCKING)) != 0) {
while ((n = vstream_fread(showq, buf, sizeof(buf))) > 0) {
if (vstream_fwrite(VSTREAM_OUT, buf, n) != n
|| vstream_fflush(VSTREAM_OUT) != 0) {
if (errno == EPIPE)
break;
msg_fatal("write error: %m");
}
}
if (vstream_fclose(showq) && errno != EPIPE)
msg_warn("close: %m");
}
/*
* Don't assume that the mail system is down when the user has
* insufficient permission to access the showq socket.
*/
else if (errno == EACCES) {
msg_fatal_status(EX_SOFTWARE,
"Connect to the %s %s service: %m",
var_mail_name, var_showq_service);
}
/*
* When the mail system is down, the superuser can still access the queue
* directly. Just run the showq program in stand-alone mode.
*/
else if (geteuid() == 0) {
ARGV *argv;
int stat;
msg_warn("Mail system is down -- accessing queue directly");
argv = argv_alloc(6);
argv_add(argv, var_showq_service, "-u", "-S", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(argv, "-v", (char *) 0);
argv_terminate(argv);
stat = mail_run_foreground(var_daemon_dir, argv->argv);
argv_free(argv);
if (stat != 0)
msg_fatal_status(stat < 0 ? EX_OSERR : EX_SOFTWARE,
"Error running %s/%s",
var_daemon_dir, argv->argv[0]);
}
/*
* When the mail system is down, unprivileged users are stuck, because by
* design the mail system contains no set_uid programs. The only way for
* an unprivileged user to cross protection boundaries is to talk to the
* showq daemon.
*/
else {
msg_fatal_status(EX_UNAVAILABLE,
"Queue report unavailable - mail system is down");
}
}
int deliver_command(LOCAL_STATE state, USER_ATTR usr_attr, const char *command)
{
const char *myname = "deliver_command";
DSN_BUF *why = state.msg_attr.why;
int cmd_status;
int deliver_status;
ARGV *env;
int copy_flags;
char **cpp;
char *cp;
ARGV *export_env;
VSTRING *exec_dir;
int expand_status;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* DUPLICATE ELIMINATION
*
* Skip this command if it was already delivered to as this user.
*/
if (been_here(state.dup_filter, "command %s:%ld %s",
state.msg_attr.user, (long) usr_attr.uid, command))
return (0);
/*
* Don't deliver a trace-only request.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to command: %s", command);
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* DELIVERY RIGHTS
*
* Choose a default uid and gid when none have been selected (i.e. values
* are still zero).
*/
if (usr_attr.uid == 0 && (usr_attr.uid = var_default_uid) == 0)
msg_panic("privileged default user id");
if (usr_attr.gid == 0 && (usr_attr.gid = var_default_gid) == 0)
msg_panic("privileged default group id");
/*
* Deliver.
*/
copy_flags = MAIL_COPY_FROM | MAIL_COPY_RETURN_PATH
| MAIL_COPY_ORIG_RCPT;
if (local_deliver_hdr_mask & DELIVER_HDR_CMD)
copy_flags |= MAIL_COPY_DELIVERED;
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("%s: seek queue file %s: %m",
myname, VSTREAM_PATH(state.msg_attr.fp));
/*
* Pass additional environment information. XXX This should be
* configurable. However, passing untrusted information via environment
* parameters opens up a whole can of worms. Lesson from web servers:
* don't let any network data even near a shell. It causes trouble.
*/
env = argv_alloc(1);
if (usr_attr.home)
argv_add(env, "HOME", usr_attr.home, ARGV_END);
argv_add(env,
"LOGNAME", state.msg_attr.user,
"USER", state.msg_attr.user,
"SENDER", state.msg_attr.sender,
"RECIPIENT", state.msg_attr.rcpt.address,
"LOCAL", state.msg_attr.local,
ARGV_END);
if (usr_attr.shell)
argv_add(env, "SHELL", usr_attr.shell, ARGV_END);
if (state.msg_attr.domain)
argv_add(env, "DOMAIN", state.msg_attr.domain, ARGV_END);
if (state.msg_attr.extension)
argv_add(env, "EXTENSION", state.msg_attr.extension, ARGV_END);
if (state.msg_attr.rcpt.orig_addr && state.msg_attr.rcpt.orig_addr[0])
argv_add(env, "ORIGINAL_RECIPIENT", state.msg_attr.rcpt.orig_addr,
ARGV_END);
#define EXPORT_REQUEST(name, value) \
if ((value)[0]) argv_add(env, (name), (value), ARGV_END);
EXPORT_REQUEST("CLIENT_HOSTNAME", state.msg_attr.request->client_name);
EXPORT_REQUEST("CLIENT_ADDRESS", state.msg_attr.request->client_addr);
EXPORT_REQUEST("CLIENT_HELO", state.msg_attr.request->client_helo);
EXPORT_REQUEST("CLIENT_PROTOCOL", state.msg_attr.request->client_proto);
EXPORT_REQUEST("SASL_METHOD", state.msg_attr.request->sasl_method);
EXPORT_REQUEST("SASL_SENDER", state.msg_attr.request->sasl_sender);
EXPORT_REQUEST("SASL_USERNAME", state.msg_attr.request->sasl_username);
argv_terminate(env);
/*
* Censor out undesirable characters from exported data.
*/
for (cpp = env->argv; *cpp; cpp += 2)
for (cp = cpp[1]; *(cp += strspn(cp, var_cmd_exp_filter)) != 0;)
*cp++ = '_';
/*
* Evaluate the command execution directory. Defer delivery if expansion
* fails.
*/
export_env = mail_parm_split(VAR_EXPORT_ENVIRON, var_export_environ);
exec_dir = vstring_alloc(10);
expand_status = local_expand(exec_dir, var_exec_directory,
&state, &usr_attr, var_exec_exp_filter);
if (expand_status & MAC_PARSE_ERROR) {
cmd_status = PIPE_STAT_DEFER;
dsb_simple(why, "4.3.5", "mail system configuration error");
msg_warn("bad parameter value syntax for %s: %s",
VAR_EXEC_DIRECTORY, var_exec_directory);
} else {
cmd_status = pipe_command(state.msg_attr.fp, why,
PIPE_CMD_UID, usr_attr.uid,
PIPE_CMD_GID, usr_attr.gid,
PIPE_CMD_COMMAND, command,
PIPE_CMD_COPY_FLAGS, copy_flags,
PIPE_CMD_SENDER, state.msg_attr.sender,
PIPE_CMD_ORIG_RCPT, state.msg_attr.rcpt.orig_addr,
PIPE_CMD_DELIVERED, state.msg_attr.delivered,
PIPE_CMD_TIME_LIMIT, var_command_maxtime,
PIPE_CMD_ENV, env->argv,
PIPE_CMD_EXPORT, export_env->argv,
PIPE_CMD_SHELL, var_local_cmd_shell,
PIPE_CMD_CWD, *STR(exec_dir) ?
STR(exec_dir) : (char *) 0,
PIPE_CMD_END);
}
vstring_free(exec_dir);
argv_free(export_env);
argv_free(env);
/*
* Depending on the result, bounce or defer the message.
*/
switch (cmd_status) {
case PIPE_STAT_OK:
dsb_simple(why, "2.0.0", "delivered to command: %s", command);
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
break;
case PIPE_STAT_BOUNCE:
case PIPE_STAT_DEFER:
/* Account for possible owner- sender address override. */
deliver_status = bounce_workaround(state);
break;
case PIPE_STAT_CORRUPT:
deliver_status = DEL_STAT_DEFER;
break;
default:
msg_panic("%s: bad status %d", myname, cmd_status);
/* NOTREACHED */
}
return (deliver_status);
}
ARGV *cleanup_map1n_internal(CLEANUP_STATE *state, const char *addr,
MAPS *maps, int propagate)
{
ARGV *argv;
ARGV *lookup;
int count;
int i;
int arg;
BH_TABLE *been_here;
char *saved_lhs;
/*
* Initialize.
*/
argv = argv_alloc(1);
argv_add(argv, addr, ARGV_END);
argv_terminate(argv);
been_here = been_here_init(0, BH_FLAG_FOLD);
/*
* Rewrite the address vector in place. With each map lookup result,
* split it into separate addresses, then rewrite and flatten each
* address, and repeat the process. Beware: argv is being changed, so we
* must index the array explicitly, instead of running along it with a
* pointer.
*/
#define UPDATE(ptr,new) do { \
if (ptr) myfree(ptr); ptr = mystrdup(new); \
} while (0)
#define STR vstring_str
#define RETURN(x) do { \
been_here_free(been_here); return (x); \
} while (0)
#define UNEXPAND(argv, addr) do { \
argv_truncate((argv), 0); argv_add((argv), (addr), (char *) 0); \
} while (0)
for (arg = 0; arg < argv->argc; arg++) {
if (argv->argc > var_virt_expan_limit) {
msg_warn("%s: unreasonable %s map expansion size for %s -- "
"message not accepted, try again later",
state->queue_id, maps->title, addr);
state->errs |= CLEANUP_STAT_DEFER;
UPDATE(state->reason, "4.6.0 Alias expansion error");
UNEXPAND(argv, addr);
RETURN(argv);
}
for (count = 0; /* void */ ; count++) {
/*
* Don't expand an address that already expanded into itself.
*/
if (been_here_check_fixed(been_here, argv->argv[arg]) != 0)
break;
if (count >= var_virt_recur_limit) {
msg_warn("%s: unreasonable %s map nesting for %s -- "
"message not accepted, try again later",
state->queue_id, maps->title, addr);
state->errs |= CLEANUP_STAT_DEFER;
UPDATE(state->reason, "4.6.0 Alias expansion error");
UNEXPAND(argv, addr);
RETURN(argv);
}
quote_822_local(state->temp1, argv->argv[arg]);
if ((lookup = mail_addr_map(maps, STR(state->temp1), propagate)) != 0) {
saved_lhs = mystrdup(argv->argv[arg]);
for (i = 0; i < lookup->argc; i++) {
unquote_822_local(state->temp1, lookup->argv[i]);
if (i == 0) {
UPDATE(argv->argv[arg], STR(state->temp1));
} else {
argv_add(argv, STR(state->temp1), ARGV_END);
argv_terminate(argv);
}
/*
* Allow an address to expand into itself once.
*/
if (strcasecmp(saved_lhs, STR(state->temp1)) == 0)
been_here_fixed(been_here, saved_lhs);
}
myfree(saved_lhs);
argv_free(lookup);
} else if (maps->error != 0) {
msg_warn("%s: %s map lookup problem for %s -- "
"message not accepted, try again later",
state->queue_id, maps->title, addr);
state->errs |= CLEANUP_STAT_WRITE;
UPDATE(state->reason, "4.6.0 Alias expansion error");
UNEXPAND(argv, addr);
RETURN(argv);
} else {
break;
}
}
}
RETURN(argv);
}
int main(int argc, char **argv)
{
int ch;
int fd;
struct stat st;
int junk;
ARGV *ext_argv = 0;
int param_class = PC_PARAM_MASK_CLASS;
static const NAME_MASK param_class_table[] = {
"builtin", PC_PARAM_FLAG_BUILTIN,
"service", PC_PARAM_FLAG_SERVICE,
"user", PC_PARAM_FLAG_USER,
"all", PC_PARAM_MASK_CLASS,
0,
};
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal("open /dev/null: %m");
/*
* Set up logging.
*/
msg_vstream_init(argv[0], VSTREAM_ERR);
/*
* Parse JCL.
*/
while ((ch = GETOPT(argc, argv, "aAbc:C:deEf#hlmMntv")) > 0) {
switch (ch) {
case 'a':
cmd_mode |= SHOW_SASL_SERV;
break;
case 'A':
cmd_mode |= SHOW_SASL_CLNT;
break;
case 'b':
if (ext_argv)
msg_fatal("specify one of -b and -t");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "bounce", "-SVnexpand_templates", (char *) 0);
break;
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'C':
param_class = name_mask_opt("-C option", param_class_table,
optarg, NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
break;
case 'd':
cmd_mode |= SHOW_DEFS;
break;
case 'e':
cmd_mode |= EDIT_MAIN;
break;
case 'f':
cmd_mode |= FOLD_LINE;
break;
/*
* People, this does not work unless you properly handle default
* settings. For example, fast_flush_domains = $relay_domains
* must not evaluate to the empty string when relay_domains is
* left at its default setting of $mydestination.
*/
#if 0
case 'E':
cmd_mode |= SHOW_EVAL;
break;
#endif
case '#':
cmd_mode = COMMENT_OUT;
break;
case 'h':
cmd_mode &= ~SHOW_NAME;
break;
case 'l':
cmd_mode |= SHOW_LOCKS;
break;
case 'm':
cmd_mode |= SHOW_MAPS;
break;
case 'M':
cmd_mode |= SHOW_MASTER;
break;
case 'n':
cmd_mode |= SHOW_NONDEF;
break;
case 't':
if (ext_argv)
msg_fatal("specify one of -b and -t");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "bounce", "-SVndump_templates", (char *) 0);
break;
case 'v':
msg_verbose++;
break;
default:
msg_fatal("usage: %s [-a (server SASL types)] [-A (client SASL types)] [-b (bounce templates)] [-c config_dir] [-C param_class] [-d (defaults)] [-e (edit)] [-f (fold lines)] [-# (comment-out)] [-h (no names)] [-l (lock types)] [-m (map types)] [-M (master.cf)] [-n (non-defaults)] [-v] [name...]", argv[0]);
}
}
/*
* Sanity check.
*/
junk = (cmd_mode & (SHOW_DEFS | SHOW_NONDEF | SHOW_MAPS | SHOW_LOCKS | EDIT_MAIN | SHOW_SASL_SERV | SHOW_SASL_CLNT | COMMENT_OUT | SHOW_MASTER));
if (junk != 0 && ((junk != SHOW_DEFS && junk != SHOW_NONDEF
&& junk != SHOW_MAPS && junk != SHOW_LOCKS && junk != EDIT_MAIN
&& junk != SHOW_SASL_SERV && junk != SHOW_SASL_CLNT
&& junk != COMMENT_OUT && junk != SHOW_MASTER)
|| ext_argv != 0))
msg_fatal("specify one of -a, -A, -b, -d, -e, -#, -l, -m, -M and -n");
/*
* Display bounce template information and exit.
*/
if (ext_argv) {
if (argv[optind]) {
if (argv[optind + 1])
msg_fatal("options -b and -t require at most one template file");
argv_add(ext_argv, "-o",
concatenate(VAR_BOUNCE_TMPL, "=",
argv[optind], (char *) 0),
(char *) 0);
}
/* Grr... */
argv_add(ext_argv, "-o",
concatenate(VAR_QUEUE_DIR, "=", ".", (char *) 0),
(char *) 0);
mail_conf_read();
mail_run_replace(var_daemon_dir, ext_argv->argv);
/* NOTREACHED */
}
/*
* If showing map types, show them and exit
*/
if (cmd_mode & SHOW_MAPS) {
mail_dict_init();
show_maps();
}
/*
* If showing locking methods, show them and exit
*/
else if (cmd_mode & SHOW_LOCKS) {
show_locks();
}
/*
* If showing master.cf entries, show them and exit
*/
else if (cmd_mode & SHOW_MASTER) {
read_master(FAIL_ON_OPEN_ERROR);
show_master(cmd_mode, argv + optind);
}
/*
* If showing SASL plug-in types, show them and exit
*/
else if (cmd_mode & SHOW_SASL_SERV) {
show_sasl(SHOW_SASL_SERV);
} else if (cmd_mode & SHOW_SASL_CLNT) {
show_sasl(SHOW_SASL_CLNT);
}
/*
* Edit main.cf.
*/
else if (cmd_mode & (EDIT_MAIN | COMMENT_OUT)) {
edit_parameters(cmd_mode, argc - optind, argv + optind);
} else if (cmd_mode == DEF_MODE
&& argv[optind] && strchr(argv[optind], '=')) {
edit_parameters(cmd_mode | EDIT_MAIN, argc - optind, argv + optind);
}
/*
* If showing non-default values, read main.cf.
*/
else {
if ((cmd_mode & SHOW_DEFS) == 0) {
read_parameters();
set_parameters();
}
register_builtin_parameters();
/*
* Add service-dependent parameters (service names from master.cf)
* and user-defined parameters ($name macros in parameter values in
* main.cf and master.cf, but only if those names have a name=value
* in main.cf or master.cf).
*/
read_master(WARN_ON_OPEN_ERROR);
register_service_parameters();
if ((cmd_mode & SHOW_DEFS) == 0)
register_user_parameters();
/*
* Show the requested values.
*/
show_parameters(cmd_mode, param_class, argv + optind);
/*
* Flag unused parameters. This makes no sense with "postconf -d",
* because that ignores all the user-specified parameters and
* user-specified macro expansions in main.cf.
*/
if ((cmd_mode & SHOW_DEFS) == 0) {
flag_unused_main_parameters();
flag_unused_master_parameters();
}
}
vstream_fflush(VSTREAM_OUT);
exit(0);
}
int main(int argc, char **argv)
{
static char *full_name = 0; /* sendmail -F */
struct stat st;
char *slash;
char *sender = 0; /* sendmail -f */
int c;
int fd;
int mode;
ARGV *ext_argv;
int debug_me = 0;
int err;
int n;
int flags = SM_FLAG_DEFAULT;
char *site_to_flush = 0;
char *id_to_flush = 0;
char *encoding = 0;
char *qtime = 0;
const char *errstr;
uid_t uid;
const char *rewrite_context = MAIL_ATTR_RWR_LOCAL;
int dsn_notify = 0;
int dsn_ret = 0;
const char *dsn_envid = 0;
int saved_optind;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal_status(EX_OSERR, "open /dev/null: %m");
/*
* The CDE desktop calendar manager leaks a parent file descriptor into
* the child process. For the sake of sendmail compatibility we have to
* close the file descriptor otherwise mail notification will hang.
*/
for ( /* void */ ; fd < 100; fd++)
(void) close(fd);
/*
* Process environment options as early as we can. We might be called
* from a set-uid (set-gid) program, so be careful with importing
* environment variables.
*/
if (safe_getenv(CONF_ENV_VERB))
msg_verbose = 1;
if (safe_getenv(CONF_ENV_DEBUG))
debug_me = 1;
/*
* Initialize. Set up logging, read the global configuration file and
* extract configuration information. Set up signal handlers so that we
* can clean up incomplete output.
*/
if ((slash = strrchr(argv[0], '/')) != 0 && slash[1])
argv[0] = slash + 1;
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_cleanup(tempfail);
msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Some sites mistakenly install Postfix sendmail as set-uid root. Drop
* set-uid privileges only when root, otherwise some systems will not
* reset the saved set-userid, which would be a security vulnerability.
*/
if (geteuid() == 0 && getuid() != 0) {
msg_warn("the Postfix sendmail command has set-uid root file permissions");
msg_warn("or the command is run from a set-uid root process");
msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions");
set_ugid(getuid(), getgid());
}
/*
* Further initialization. Load main.cf first, so that command-line
* options can override main.cf settings. Pre-scan the argument list so
* that we load the right main.cf file.
*/
#define GETOPT_LIST "A:B:C:F:GIL:N:O:R:UV:X:b:ce:f:h:imno:p:r:q:tvx"
saved_optind = optind;
while (argv[OPTIND] != 0) {
if (strcmp(argv[OPTIND], "-q") == 0) { /* not getopt compatible */
optind++;
continue;
}
if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0)
break;
if (c == 'C') {
VSTRING *buf = vstring_alloc(1);
if (setenv(CONF_ENV_PATH,
strcmp(sane_basename(buf, optarg), MAIN_CONF_FILE) == 0 ?
sane_dirname(buf, optarg) : optarg, 1) < 0)
msg_fatal_status(EX_UNAVAILABLE, "out of memory");
vstring_free(buf);
}
}
optind = saved_optind;
mail_conf_read();
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
get_mail_conf_str_table(str_table);
if (chdir(var_queue_dir))
msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
signal(SIGPIPE, SIG_IGN);
/*
* Optionally start the debugger on ourself. This must be done after
* reading the global configuration file, because that file specifies
* what debugger command to execute.
*/
if (debug_me)
debug_process();
/*
* The default mode of operation is determined by the process name. It
* can, however, be changed via command-line options (for example,
* "newaliases -bp" will show the mail queue).
*/
if (strcmp(argv[0], "mailq") == 0) {
mode = SM_MODE_MAILQ;
} else if (strcmp(argv[0], "newaliases") == 0) {
mode = SM_MODE_NEWALIAS;
} else if (strcmp(argv[0], "smtpd") == 0) {
mode = SM_MODE_DAEMON;
} else {
mode = SM_MODE_ENQUEUE;
}
/*
* Parse JCL. Sendmail has been around for a long time, and has acquired
* a large number of options in the course of time. Some options such as
* -q are not parsable with GETOPT() and get special treatment.
*/
#define OPTIND (optind > 0 ? optind : 1)
while (argv[OPTIND] != 0) {
if (strcmp(argv[OPTIND], "-q") == 0) {
if (mode == SM_MODE_DAEMON)
msg_warn("ignoring -q option in daemon mode");
else
mode = SM_MODE_FLUSHQ;
optind++;
continue;
}
if (strcmp(argv[OPTIND], "-V") == 0
&& argv[OPTIND + 1] != 0 && strlen(argv[OPTIND + 1]) == 2) {
msg_warn("option -V is deprecated with Postfix 2.3; "
"specify -XV instead");
argv[OPTIND] = "-XV";
}
if (strncmp(argv[OPTIND], "-V", 2) == 0 && strlen(argv[OPTIND]) == 4) {
msg_warn("option %s is deprecated with Postfix 2.3; "
"specify -X%s instead",
argv[OPTIND], argv[OPTIND] + 1);
argv[OPTIND] = concatenate("-X", argv[OPTIND] + 1, (char *) 0);
}
if (strcmp(argv[OPTIND], "-XV") == 0) {
verp_delims = var_verp_delims;
optind++;
continue;
}
if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0)
break;
switch (c) {
default:
if (msg_verbose)
msg_info("-%c option ignored", c);
break;
case 'n':
msg_fatal_status(EX_USAGE, "-%c option not supported", c);
case 'B':
if (strcmp(optarg, "8BITMIME") == 0)/* RFC 1652 */
encoding = MAIL_ATTR_ENC_8BIT;
else if (strcmp(optarg, "7BIT") == 0) /* RFC 1652 */
encoding = MAIL_ATTR_ENC_7BIT;
else
msg_fatal_status(EX_USAGE, "-B option needs 8BITMIME or 7BIT");
break;
case 'F': /* full name */
full_name = optarg;
break;
case 'G': /* gateway submission */
rewrite_context = MAIL_ATTR_RWR_REMOTE;
break;
case 'I': /* newaliases */
mode = SM_MODE_NEWALIAS;
break;
case 'N':
if ((dsn_notify = dsn_notify_mask(optarg)) == 0)
msg_warn("bad -N option value -- ignored");
break;
case 'R':
if ((dsn_ret = dsn_ret_code(optarg)) == 0)
msg_warn("bad -R option value -- ignored");
break;
case 'V': /* DSN, was: VERP */
if (strlen(optarg) > 100)
msg_warn("too long -V option value -- ignored");
else if (!allprint(optarg))
msg_warn("bad syntax in -V option value -- ignored");
else
dsn_envid = optarg;
break;
case 'X':
switch (*optarg) {
default:
msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg);
case 'V': /* VERP */
if (verp_delims_verify(optarg + 1) != 0)
msg_fatal_status(EX_USAGE, "-V requires two characters from %s",
var_verp_filter);
verp_delims = optarg + 1;
break;
}
break;
case 'b':
switch (*optarg) {
default:
msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg);
case 'd': /* daemon mode */
case 'l': /* daemon mode */
if (mode == SM_MODE_FLUSHQ)
msg_warn("ignoring -q option in daemon mode");
mode = SM_MODE_DAEMON;
break;
case 'h': /* print host status */
case 'H': /* flush host status */
mode = SM_MODE_IGNORE;
break;
case 'i': /* newaliases */
mode = SM_MODE_NEWALIAS;
break;
case 'm': /* deliver mail */
mode = SM_MODE_ENQUEUE;
break;
case 'p': /* mailq */
mode = SM_MODE_MAILQ;
break;
case 's': /* stand-alone mode */
mode = SM_MODE_USER;
break;
case 'v': /* expand recipients */
flags |= DEL_REQ_FLAG_USR_VRFY;
break;
}
break;
case 'f':
sender = optarg;
break;
case 'i':
flags &= ~SM_FLAG_AEOF;
break;
case 'o':
switch (*optarg) {
default:
if (msg_verbose)
msg_info("-%c%c option ignored", c, *optarg);
break;
case 'A':
if (optarg[1] == 0)
msg_fatal_status(EX_USAGE, "-oA requires pathname");
myfree(var_alias_db_map);
var_alias_db_map = mystrdup(optarg + 1);
set_mail_conf_str(VAR_ALIAS_DB_MAP, var_alias_db_map);
break;
case '7':
case '8':
break;
case 'i':
flags &= ~SM_FLAG_AEOF;
break;
case 'm':
break;
}
break;
case 'r': /* obsoleted by -f */
sender = optarg;
break;
case 'q':
if (ISDIGIT(optarg[0])) {
qtime = optarg;
} else if (optarg[0] == 'R') {
site_to_flush = optarg + 1;
if (*site_to_flush == 0)
msg_fatal_status(EX_USAGE, "specify: -qRsitename");
} else if (optarg[0] == 'I') {
id_to_flush = optarg + 1;
if (*id_to_flush == 0)
msg_fatal_status(EX_USAGE, "specify: -qIqueueid");
} else {
msg_fatal_status(EX_USAGE, "-q%c is not implemented",
optarg[0]);
}
break;
case 't':
flags |= SM_FLAG_XRCPT;
break;
case 'v':
msg_verbose++;
break;
case '?':
msg_fatal_status(EX_USAGE, "usage: %s [options]", argv[0]);
}
}
/*
* Look for conflicting options and arguments.
*/
if ((flags & SM_FLAG_XRCPT) && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-t can be used only in delivery mode");
if (site_to_flush && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-qR can be used only in delivery mode");
if (id_to_flush && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-qI can be used only in delivery mode");
if (flags & DEL_REQ_FLAG_USR_VRFY) {
if (flags & SM_FLAG_XRCPT)
msg_fatal_status(EX_USAGE, "-t option cannot be used with -bv");
if (dsn_notify)
msg_fatal_status(EX_USAGE, "-N option cannot be used with -bv");
if (dsn_ret)
msg_fatal_status(EX_USAGE, "-R option cannot be used with -bv");
if (msg_verbose == 1)
msg_fatal_status(EX_USAGE, "-v option cannot be used with -bv");
}
/*
* The -v option plays double duty. One requests verbose delivery, more
* than one requests verbose logging.
*/
if (msg_verbose == 1 && mode == SM_MODE_ENQUEUE) {
msg_verbose = 0;
flags |= DEL_REQ_FLAG_RECORD;
}
/*
* Start processing. Everything is delegated to external commands.
*/
if (qtime && mode != SM_MODE_DAEMON)
exit(0);
switch (mode) {
default:
msg_panic("unknown operation mode: %d", mode);
/* NOTREACHED */
case SM_MODE_ENQUEUE:
if (site_to_flush) {
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "flush site requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-s", site_to_flush, (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
} else if (id_to_flush) {
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "flush queue_id requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-i", id_to_flush, (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
} else {
enqueue(flags, encoding, dsn_envid, dsn_ret, dsn_notify,
rewrite_context, sender, full_name, argv + OPTIND);
exit(0);
/* NOTREACHED */
}
break;
case SM_MODE_MAILQ:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"display queue mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-p", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_FLUSHQ:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"flush queue mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-f", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_DAEMON:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "daemon mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postfix", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_add(ext_argv, "start", (char *) 0);
argv_terminate(ext_argv);
err = (mail_run_background(var_command_dir, ext_argv->argv) < 0);
argv_free(ext_argv);
exit(err);
break;
case SM_MODE_NEWALIAS:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"alias initialization mode requires no recipient");
if (*var_alias_db_map == 0)
return (0);
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postalias", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_split_append(ext_argv, var_alias_db_map, CHARS_COMMA_SP);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_USER:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"stand-alone mode requires no recipient");
/* The actual enforcement happens in the postdrop command. */
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl,
uid = getuid())) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to submit mail",
errstr, (long) uid);
ext_argv = argv_alloc(2);
argv_add(ext_argv, "smtpd", "-S", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_daemon_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_IGNORE:
exit(0);
/* NOTREACHED */
}
}
int main(int argc, char **argv)
{
int ch;
int fd;
struct stat st;
ARGV *ext_argv = 0;
int param_class = PCF_PARAM_MASK_CLASS;
static const NAME_MASK param_class_table[] = {
"builtin", PCF_PARAM_FLAG_BUILTIN,
"service", PCF_PARAM_FLAG_SERVICE,
"user", PCF_PARAM_FLAG_USER,
"all", PCF_PARAM_MASK_CLASS,
0,
};
ARGV *override_params = 0;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal("open /dev/null: %m");
/*
* Set up logging.
*/
msg_vstream_init(argv[0], VSTREAM_ERR);
/*
* Parse JCL.
*/
while ((ch = GETOPT(argc, argv, "aAbc:C:deEfFhlmMno:pPtvxX#")) > 0) {
switch (ch) {
case 'a':
pcf_cmd_mode |= PCF_SHOW_SASL_SERV;
break;
case 'A':
pcf_cmd_mode |= PCF_SHOW_SASL_CLNT;
break;
case 'b':
pcf_cmd_mode |= PCF_EXP_DSN_TEMPL;
if (ext_argv)
msg_fatal("specify one of -b and -t");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "bounce", "-SVnexpand_templates", (char *) 0);
break;
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'C':
param_class = name_mask_opt("-C option", param_class_table,
optarg, NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
break;
case 'd':
pcf_cmd_mode |= PCF_SHOW_DEFS;
break;
case 'e':
pcf_cmd_mode |= PCF_EDIT_CONF;
break;
case 'f':
pcf_cmd_mode |= PCF_FOLD_LINE;
break;
case 'F':
pcf_cmd_mode |= PCF_MASTER_FLD;
break;
case '#':
pcf_cmd_mode |= PCF_COMMENT_OUT;
break;
case 'h':
pcf_cmd_mode |= PCF_HIDE_NAME;
break;
case 'l':
pcf_cmd_mode |= PCF_SHOW_LOCKS;
break;
case 'm':
pcf_cmd_mode |= PCF_SHOW_MAPS;
break;
case 'M':
pcf_cmd_mode |= PCF_MASTER_ENTRY;
break;
case 'n':
pcf_cmd_mode |= PCF_SHOW_NONDEF;
break;
case 'o':
pcf_cmd_mode |= PCF_MAIN_OVER;
if (override_params == 0)
override_params = argv_alloc(2);
argv_add(override_params, optarg, (char *) 0);
break;
case 'p':
pcf_cmd_mode |= PCF_MAIN_PARAM;
break;
case 'P':
pcf_cmd_mode |= PCF_MASTER_PARAM;
break;
case 't':
pcf_cmd_mode |= PCF_DUMP_DSN_TEMPL;
if (ext_argv)
msg_fatal("specify one of -b and -t");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "bounce", "-SVndump_templates", (char *) 0);
break;
case 'x':
pcf_cmd_mode |= PCF_SHOW_EVAL;
break;
case 'X':
/* This is irreversible, therefore require two-finger action. */
pcf_cmd_mode |= PCF_EDIT_EXCL;
break;
case 'v':
msg_verbose++;
break;
default:
usage(argv[0]);
}
}
/*
* Make all options explicit, before checking their compatibility.
*/
#define PCF_MAIN_OR_MASTER \
(PCF_MAIN_PARAM | PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM)
if ((pcf_cmd_mode & pcf_incompat_options[0]) == 0)
pcf_cmd_mode |= PCF_MAIN_PARAM;
if ((pcf_cmd_mode & PCF_MAIN_OR_MASTER)
&& argv[optind] && strchr(argv[optind], '='))
pcf_cmd_mode |= PCF_EDIT_CONF;
/*
* Sanity check.
*/
pcf_check_exclusive_options(pcf_cmd_mode);
pcf_check_compat_options(pcf_cmd_mode);
if ((pcf_cmd_mode & PCF_EDIT_CONF) && argc == optind)
msg_fatal("-e requires name=value argument");
/*
* Display bounce template information and exit.
*/
if (ext_argv) {
if (argv[optind]) {
if (argv[optind + 1])
msg_fatal("options -b and -t require at most one template file");
argv_add(ext_argv, "-o",
concatenate(VAR_BOUNCE_TMPL, "=",
argv[optind], (char *) 0),
(char *) 0);
}
/* Grr... */
argv_add(ext_argv, "-o",
concatenate(VAR_QUEUE_DIR, "=", ".", (char *) 0),
(char *) 0);
mail_conf_read();
mail_run_replace(var_daemon_dir, ext_argv->argv);
/* NOTREACHED */
}
/*
* If showing map types, show them and exit
*/
if (pcf_cmd_mode & PCF_SHOW_MAPS) {
mail_dict_init();
pcf_show_maps();
}
/*
* If showing locking methods, show them and exit
*/
else if (pcf_cmd_mode & PCF_SHOW_LOCKS) {
pcf_show_locks();
}
/*
* If showing master.cf entries, show them and exit
*/
else if ((pcf_cmd_mode & (PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM))
&& !(pcf_cmd_mode & (PCF_EDIT_CONF | PCF_EDIT_EXCL | PCF_COMMENT_OUT))) {
pcf_read_master(PCF_FAIL_ON_OPEN_ERROR);
pcf_read_parameters();
if (override_params)
pcf_set_parameters(override_params->argv);
pcf_register_builtin_parameters(basename(argv[0]), getpid());
pcf_register_service_parameters();
pcf_register_user_parameters();
if (pcf_cmd_mode & PCF_MASTER_FLD)
pcf_show_master_fields(VSTREAM_OUT, pcf_cmd_mode, argc - optind,
argv + optind);
else if (pcf_cmd_mode & PCF_MASTER_PARAM)
pcf_show_master_params(VSTREAM_OUT, pcf_cmd_mode, argc - optind,
argv + optind);
else
pcf_show_master_entries(VSTREAM_OUT, pcf_cmd_mode, argc - optind,
argv + optind);
}
/*
* If showing SASL plug-in types, show them and exit
*/
else if (pcf_cmd_mode & PCF_SHOW_SASL_SERV) {
pcf_show_sasl(PCF_SHOW_SASL_SERV);
} else if (pcf_cmd_mode & PCF_SHOW_SASL_CLNT) {
pcf_show_sasl(PCF_SHOW_SASL_CLNT);
}
/*
* Edit main.cf or master.cf.
*/
else if (pcf_cmd_mode & (PCF_EDIT_CONF | PCF_COMMENT_OUT | PCF_EDIT_EXCL)) {
if (optind == argc)
msg_fatal("missing service argument");
if (pcf_cmd_mode & (PCF_MASTER_ENTRY | PCF_MASTER_FLD | PCF_MASTER_PARAM)) {
pcf_edit_master(pcf_cmd_mode, argc - optind, argv + optind);
} else {
pcf_edit_main(pcf_cmd_mode, argc - optind, argv + optind);
}
}
/*
* If showing non-default values, read main.cf.
*/
else {
if ((pcf_cmd_mode & PCF_SHOW_DEFS) == 0) {
pcf_read_parameters();
if (override_params)
pcf_set_parameters(override_params->argv);
}
pcf_register_builtin_parameters(basename(argv[0]), getpid());
/*
* Add service-dependent parameters (service names from master.cf)
* and user-defined parameters ($name macros in parameter values in
* main.cf and master.cf, but only if those names have a name=value
* in main.cf or master.cf).
*/
pcf_read_master(PCF_WARN_ON_OPEN_ERROR);
pcf_register_service_parameters();
if ((pcf_cmd_mode & PCF_SHOW_DEFS) == 0)
pcf_register_user_parameters();
/*
* Show the requested values.
*/
pcf_show_parameters(VSTREAM_OUT, pcf_cmd_mode, param_class,
argv + optind);
/*
* Flag unused parameters. This makes no sense with "postconf -d",
* because that ignores all the user-specified parameters and
* user-specified macro expansions in main.cf.
*/
if ((pcf_cmd_mode & PCF_SHOW_DEFS) == 0) {
pcf_flag_unused_main_parameters();
pcf_flag_unused_master_parameters();
}
}
vstream_fflush(VSTREAM_OUT);
exit(0);
}
static void dane_init(SMTP_TLS_POLICY *tls, SMTP_ITERATOR *iter)
{
TLS_DANE *dane;
if (!iter->port) {
msg_warn("%s: the \"dane\" security level is invalid for delivery via"
" unix-domain sockets", STR(iter->dest));
MARK_INVALID(tls->why, &tls->level);
return;
}
if (!tls_dane_avail()) {
dane_incompat(tls, iter, NONDANE_CONFIG,
"%s: %s configured, but no requisite library support",
STR(iter->dest), policy_name(tls->level));
return;
}
if (!(smtp_host_lookup_mask & SMTP_HOST_FLAG_DNS)
|| smtp_dns_support != SMTP_DNS_DNSSEC) {
dane_incompat(tls, iter, NONDANE_CONFIG,
"%s: %s configured with dnssec lookups disabled",
STR(iter->dest), policy_name(tls->level));
return;
}
/*
* If we ignore MX lookup errors, we also ignore DNSSEC security problems
* and thus avoid any reasonable expectation that we get the right DANE
* key material.
*/
if (smtp_mode && var_ign_mx_lookup_err) {
dane_incompat(tls, iter, NONDANE_CONFIG,
"%s: %s configured with MX lookup errors ignored",
STR(iter->dest), policy_name(tls->level));
return;
}
/*
* This is not optional, code in tls_dane.c assumes that the nexthop
* qname is already an fqdn. If we're using these flags to go from qname
* to rname, the assumption is invalid. Likewise we cannot add the qname
* to certificate name checks, ...
*/
if (smtp_dns_res_opt & (RES_DEFNAMES | RES_DNSRCH)) {
dane_incompat(tls, iter, NONDANE_CONFIG,
"%s: dns resolver options incompatible with %s TLS",
STR(iter->dest), policy_name(tls->level));
return;
}
/* When the MX name is present and insecure, DANE does not apply. */
if (iter->mx && !iter->mx->dnssec_valid) {
dane_incompat(tls, iter, NONDANE_DEST, "non DNSSEC destination");
return;
}
/* When TLSA lookups fail, we defer the message */
if ((dane = tls_dane_resolve(iter->port, "tcp", iter->rr,
var_smtp_tls_force_tlsa)) == 0) {
tls->level = TLS_LEV_INVALID;
dsb_simple(tls->why, "4.7.5", "TLSA lookup error for %s:%u",
STR(iter->host), ntohs(iter->port));
return;
}
if (tls_dane_notfound(dane)) {
dane_incompat(tls, iter, NONDANE_DEST, "no TLSA records found");
tls_dane_free(dane);
return;
}
/*
* Some TLSA records found, but none usable, per
*
* https://tools.ietf.org/html/draft-ietf-dane-srv-02#section-4
*
* we MUST use TLS, and SHALL use full PKIX certificate checks. The latter
* would be unwise for SMTP: no human present to "click ok" and risk of
* non-delivery in most cases exceeds risk of interception.
*
* We also have a form of Goedel's incompleteness theorem in play: any list
* of public root CA certs is either incomplete or inconsistent (for any
* given verifier some of the CAs are surely not trustworthy).
*/
if (tls_dane_unusable(dane)) {
dane_incompat(tls, iter, DANE_UNUSABLE, "TLSA records unusable");
tls_dane_free(dane);
return;
}
/*
* With DANE trust anchors, peername matching is not configurable.
*/
if (TLS_DANE_HASTA(dane)) {
tls->matchargv = argv_alloc(2);
argv_add(tls->matchargv, dane->base_domain, ARGV_END);
if (iter->mx) {
if (strcmp(iter->mx->qname, iter->mx->rname) == 0)
argv_add(tls->matchargv, iter->mx->qname, ARGV_END);
else
argv_add(tls->matchargv, iter->mx->rname,
iter->mx->qname, ARGV_END);
}
} else if (!TLS_DANE_HASEE(dane))
msg_panic("empty DANE match list");
tls->dane = dane;
tls->level = TLS_LEV_DANE;
return;
}
static ARGV *expand_argv(const char *service, char **argv,
RECIPIENT_LIST *rcpt_list, int flags)
{
VSTRING *buf = vstring_alloc(100);
ARGV *result;
char **cpp;
PIPE_STATE state;
int i;
char *ext;
char *dom;
/*
* This appears to be simple operation (replace $name by its expansion).
* However, it becomes complex because a command-line argument that
* references $recipient must expand to as many command-line arguments as
* there are recipients (that's wat programs called by sendmail expect).
* So we parse each command-line argument, and depending on what we find,
* we either expand the argument just once, or we expand it once for each
* recipient. In either case we end up parsing the command-line argument
* twice. The amount of CPU time wasted will be negligible.
*
* Note: we can't use recursive macro expansion here, because recursion
* would screw up mail addresses that contain $ characters.
*/
#define NO 0
#define EARLY_RETURN(x) { argv_free(result); vstring_free(buf); return (x); }
result = argv_alloc(1);
for (cpp = argv; *cpp; cpp++) {
state.service = service;
state.expand_flag = 0;
if (mac_parse(*cpp, parse_callback, (char *) &state) & MAC_PARSE_ERROR)
EARLY_RETURN(0);
if (state.expand_flag == 0) { /* no $recipient etc. */
argv_add(result, dict_eval(PIPE_DICT_TABLE, *cpp, NO), ARGV_END);
} else { /* contains $recipient etc. */
for (i = 0; i < rcpt_list->len; i++) {
/*
* This argument contains $recipient.
*/
if (state.expand_flag & PIPE_FLAG_RCPT) {
morph_recipient(buf, rcpt_list->info[i].address, flags);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_RCPT, STR(buf));
}
/*
* This argument contains $original_recipient.
*/
if (state.expand_flag & PIPE_FLAG_ORIG_RCPT) {
morph_recipient(buf, rcpt_list->info[i].orig_addr, flags);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_ORIG_RCPT, STR(buf));
}
/*
* This argument contains $user. Extract the plain user name.
* Either anything to the left of the extension delimiter or,
* in absence of the latter, anything to the left of the
* rightmost @.
*
* Beware: if the user name is blank (e.g. +user@host), the
* argument is suppressed. This is necessary to allow for
* cyrus bulletin-board (global mailbox) delivery. XXX But,
* skipping empty user parts will also prevent other
* expansions of this specific command-line argument.
*/
if (state.expand_flag & PIPE_FLAG_USER) {
morph_recipient(buf, rcpt_list->info[i].address,
flags & PIPE_OPT_FOLD_ALL);
if (split_at_right(STR(buf), '@') == 0)
msg_warn("no @ in recipient address: %s",
rcpt_list->info[i].address);
if (*var_rcpt_delim)
split_addr(STR(buf), var_rcpt_delim);
if (*STR(buf) == 0)
continue;
dict_update(PIPE_DICT_TABLE, PIPE_DICT_USER, STR(buf));
}
/*
* This argument contains $extension. Extract the recipient
* extension: anything between the leftmost extension
* delimiter and the rightmost @. The extension may be blank.
*/
if (state.expand_flag & PIPE_FLAG_EXTENSION) {
morph_recipient(buf, rcpt_list->info[i].address,
flags & PIPE_OPT_FOLD_ALL);
if (split_at_right(STR(buf), '@') == 0)
msg_warn("no @ in recipient address: %s",
rcpt_list->info[i].address);
if (*var_rcpt_delim == 0
|| (ext = split_addr(STR(buf), var_rcpt_delim)) == 0)
ext = ""; /* insert null arg */
dict_update(PIPE_DICT_TABLE, PIPE_DICT_EXTENSION, ext);
}
/*
* This argument contains $mailbox. Extract the mailbox name:
* anything to the left of the rightmost @.
*/
if (state.expand_flag & PIPE_FLAG_MAILBOX) {
morph_recipient(buf, rcpt_list->info[i].address,
flags & PIPE_OPT_FOLD_ALL);
if (split_at_right(STR(buf), '@') == 0)
msg_warn("no @ in recipient address: %s",
rcpt_list->info[i].address);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_MAILBOX, STR(buf));
}
/*
* This argument contains $domain. Extract the domain name:
* anything to the right of the rightmost @.
*/
if (state.expand_flag & PIPE_FLAG_DOMAIN) {
morph_recipient(buf, rcpt_list->info[i].address,
flags & PIPE_OPT_FOLD_ALL);
dom = split_at_right(STR(buf), '@');
if (dom == 0) {
msg_warn("no @ in recipient address: %s",
rcpt_list->info[i].address);
dom = ""; /* insert null arg */
}
dict_update(PIPE_DICT_TABLE, PIPE_DICT_DOMAIN, dom);
}
/*
* Done.
*/
argv_add(result, dict_eval(PIPE_DICT_TABLE, *cpp, NO), ARGV_END);
}
}
}
argv_terminate(result);
vstring_free(buf);
return (result);
}
static void smtp_connect_inet(SMTP_STATE *state, const char *nexthop,
char *def_service)
{
DELIVER_REQUEST *request = state->request;
SMTP_ITERATOR *iter = state->iterator;
ARGV *sites;
char *dest;
char **cpp;
int non_fallback_sites;
int retry_plain = 0;
DSN_BUF *why = state->why;
/*
* For sanity, require that at least one of INET or INET6 is enabled.
* Otherwise, we can't look up interface information, and we can't
* convert names or addresses.
*/
if (inet_proto_info()->ai_family_list[0] == 0) {
dsb_simple(why, "4.4.4", "all network protocols are disabled");
return;
}
/*
* Future proofing: do a null destination sanity check in case we allow
* the primary destination to be a list (it could be just separators).
*/
sites = argv_alloc(1);
argv_add(sites, nexthop, (char *) 0);
if (sites->argc == 0)
msg_panic("null destination: \"%s\"", nexthop);
non_fallback_sites = sites->argc;
argv_split_append(sites, var_fallback_relay, CHARS_COMMA_SP);
/*
* Don't give up after a hard host lookup error until we have tried the
* fallback relay servers.
*
* Don't bounce mail after a host lookup problem with a relayhost or with a
* fallback relay.
*
* Don't give up after a qualifying soft error until we have tried all
* qualifying backup mail servers.
*
* All this means that error handling and error reporting depends on whether
* the error qualifies for trying to deliver to a backup mail server, or
* whether we're looking up a relayhost or fallback relay. The challenge
* then is to build this into the pre-existing SMTP client without
* getting lost in the complexity.
*/
#define IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites) \
(*(cpp) && (cpp) >= (sites)->argv + (non_fallback_sites))
for (cpp = sites->argv, (state->misc_flags |= SMTP_MISC_FLAG_FIRST_NEXTHOP);
SMTP_RCPT_LEFT(state) > 0 && (dest = *cpp) != 0;
cpp++, (state->misc_flags &= ~SMTP_MISC_FLAG_FIRST_NEXTHOP)) {
char *dest_buf;
char *domain;
unsigned port;
DNS_RR *addr_list;
DNS_RR *addr;
DNS_RR *next;
int addr_count;
int sess_count;
SMTP_SESSION *session;
int lookup_mx;
unsigned domain_best_pref;
MAI_HOSTADDR_STR hostaddr;
if (cpp[1] == 0)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP;
/*
* Parse the destination. If no TCP port is specified, use the port
* that is reserved for the protocol (SMTP or LMTP).
*/
dest_buf = smtp_parse_destination(dest, def_service, &domain, &port);
if (var_helpful_warnings && var_smtp_tls_wrappermode == 0
&& ntohs(port) == 465) {
msg_info("SMTPS wrappermode (TCP port 465) requires setting "
"\"%s = yes\", and \"%s = encrypt\" (or stronger)",
VAR_LMTP_SMTP(TLS_WRAPPER), VAR_LMTP_SMTP(TLS_LEVEL));
}
#define NO_HOST "" /* safety */
#define NO_ADDR "" /* safety */
SMTP_ITER_INIT(iter, dest, NO_HOST, NO_ADDR, port, state);
/*
* Resolve an SMTP or LMTP server. In the case of SMTP, skip mail
* exchanger lookups when a quoted host is specified or when DNS
* lookups are disabled.
*/
if (msg_verbose)
msg_info("connecting to %s port %d", domain, ntohs(port));
if (smtp_mode) {
if (ntohs(port) == IPPORT_SMTP)
state->misc_flags |= SMTP_MISC_FLAG_LOOP_DETECT;
else
state->misc_flags &= ~SMTP_MISC_FLAG_LOOP_DETECT;
lookup_mx = (smtp_dns_support != SMTP_DNS_DISABLED && *dest != '[');
} else
lookup_mx = 0;
if (!lookup_mx) {
addr_list = smtp_host_addr(domain, state->misc_flags, why);
/* XXX We could be an MX host for this destination... */
} else {
int i_am_mx = 0;
addr_list = smtp_domain_addr(domain, &iter->mx, state->misc_flags,
why, &i_am_mx);
/* If we're MX host, don't connect to non-MX backups. */
if (i_am_mx)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP;
}
/*
* Don't try fall-back hosts if mail loops to myself. That would just
* make the problem worse.
*/
if (addr_list == 0 && SMTP_HAS_LOOP_DSN(why))
state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP;
/*
* No early loop exit or we have a memory leak with dest_buf.
*/
if (addr_list)
domain_best_pref = addr_list->pref;
/*
* When session caching is enabled, store the first good session for
* this delivery request under the next-hop destination name. All
* good sessions will be stored under their specific server IP
* address.
*
* XXX smtp_session_cache_destinations specifies domain names without
* :port, because : is already used for maptype:mapname. Because of
* this limitation we use the bare domain without the optional [] or
* non-default TCP port.
*
* Opportunistic (a.k.a. on-demand) session caching on request by the
* queue manager. This is turned temporarily when a destination has a
* high volume of mail in the active queue. When the surge reaches
* its end, the queue manager requests that connections be retrieved
* but not stored.
*/
if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_FIRST_NEXTHOP)) {
smtp_cache_policy(state, domain);
if (state->misc_flags & SMTP_MISC_FLAG_CONN_CACHE_MASK)
SET_NEXTHOP_STATE(state, dest);
}
/*
* Delete visited cached hosts from the address list.
*
* Optionally search the connection cache by domain name or by primary
* MX address before we try to create new connections.
*
* Enforce the MX session and MX address counts per next-hop or
* fall-back destination. smtp_reuse_session() will truncate the
* address list when either limit is reached.
*/
if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD)) {
if (state->cache_used->used > 0)
smtp_scrub_addr_list(state->cache_used, &addr_list);
sess_count = addr_count =
smtp_reuse_session(state, &addr_list, domain_best_pref);
} else
sess_count = addr_count = 0;
/*
* Connect to an SMTP server: create primary MX connections, and
* reuse or create backup MX connections.
*
* At the start of an SMTP session, all recipients are unmarked. In the
* course of an SMTP session, recipients are marked as KEEP (deliver
* to alternate mail server) or DROP (remove from recipient list). At
* the end of an SMTP session, weed out the recipient list. Unmark
* any left-over recipients and try to deliver them to a backup mail
* server.
*
* Cache the first good session under the next-hop destination name.
* Cache all good sessions under their physical endpoint.
*
* Don't query the session cache for primary MX hosts. We already did
* that in smtp_reuse_session(), and if any were found in the cache,
* they were already deleted from the address list.
*
* Currently, we use smtp_reuse_addr() only for SASL-unauthenticated
* connections. Furthermore, we rely on smtp_reuse_addr() to look up
* an existing SASL-unauthenticated connection only when a new
* connection would be guaranteed not to require SASL authentication.
*
* In addition, we rely on smtp_reuse_addr() to look up an existing
* plaintext connection only when a new connection would be
* guaranteed not to use TLS.
*/
for (addr = addr_list; SMTP_RCPT_LEFT(state) > 0 && addr; addr = next) {
next = addr->next;
if (++addr_count == var_smtp_mxaddr_limit)
next = 0;
if (dns_rr_to_pa(addr, &hostaddr) == 0) {
msg_warn("cannot convert type %s record to printable address",
dns_strtype(addr->type));
/* XXX Assume there is no code at the end of this loop. */
continue;
}
vstring_strcpy(iter->addr, hostaddr.buf);
vstring_strcpy(iter->host, SMTP_HNAME(addr));
iter->rr = addr;
#ifdef USE_TLS
if (!smtp_tls_policy_cache_query(why, state->tls, iter)) {
msg_warn("TLS policy lookup for %s/%s: %s",
STR(iter->dest), STR(iter->host), STR(why->reason));
continue;
/* XXX Assume there is no code at the end of this loop. */
}
if (var_smtp_tls_wrappermode
&& state->tls->level < TLS_LEV_ENCRYPT) {
msg_warn("%s requires \"%s = encrypt\" (or stronger)",
VAR_LMTP_SMTP(TLS_WRAPPER), VAR_LMTP_SMTP(TLS_LEVEL));
continue;
/* XXX Assume there is no code at the end of this loop. */
}
/* Disable TLS when retrying after a handshake failure */
if (retry_plain) {
state->tls->level = TLS_LEV_NONE;
retry_plain = 0;
}
#endif
if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0
|| addr->pref == domain_best_pref
|| !(session = smtp_reuse_addr(state,
SMTP_KEY_MASK_SCACHE_ENDP_LABEL)))
session = smtp_connect_addr(iter, why, state->misc_flags);
if ((state->session = session) != 0) {
session->state = state;
#ifdef USE_TLS
session->tls_nexthop = domain;
#endif
if (addr->pref == domain_best_pref)
session->features |= SMTP_FEATURE_BEST_MX;
/* Don't count handshake errors towards the session limit. */
if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP)
&& next == 0)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER;
if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0
&& smtp_helo(state) != 0) {
#ifdef USE_TLS
/*
* When an opportunistic TLS handshake fails, try the
* same address again, with TLS disabled. See also the
* RETRY_AS_PLAINTEXT macro.
*/
if ((retry_plain = session->tls_retry_plain) != 0) {
--addr_count;
next = addr;
}
#endif
/*
* When a TLS handshake fails, the stream is marked
* "dead" to avoid further I/O over a broken channel.
*/
if (!THIS_SESSION_IS_FORBIDDEN
&& vstream_ferror(session->stream) == 0
&& vstream_feof(session->stream) == 0)
smtp_quit(state);
} else {
/* Do count delivery errors towards the session limit. */
if (++sess_count == var_smtp_mxsess_limit)
next = 0;
if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP)
&& next == 0)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER;
smtp_xfer(state);
#ifdef USE_TLS
/*
* When opportunistic TLS fails after the STARTTLS
* handshake, try the same address again, with TLS
* disabled. See also the RETRY_AS_PLAINTEXT macro.
*/
if ((retry_plain = session->tls_retry_plain) != 0) {
--sess_count;
--addr_count;
next = addr;
}
#endif
}
smtp_cleanup_session(state);
} else {
/* The reason already includes the IP address and TCP port. */
msg_info("%s", STR(why->reason));
}
/* XXX Code above assumes there is no code at this loop ending. */
}
dns_rr_free(addr_list);
if (iter->mx) {
dns_rr_free(iter->mx);
iter->mx = 0; /* Just in case */
}
myfree(dest_buf);
if (state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP)
break;
}
/*
* We still need to deliver, bounce or defer some left-over recipients:
* either mail loops or some backup mail server was unavailable.
*/
if (SMTP_RCPT_LEFT(state) > 0) {
/*
* In case of a "no error" indication we make up an excuse: we did
* find the host address, but we did not attempt to connect to it.
* This can happen when the fall-back relay was already tried via a
* cached connection, so that the address list scrubber left behind
* an empty list.
*/
if (!SMTP_HAS_DSN(why)) {
dsb_simple(why, "4.3.0",
"server unavailable or unable to receive mail");
}
/*
* Pay attention to what could be configuration problems, and pretend
* that these are recoverable rather than bouncing the mail.
*/
else if (!SMTP_HAS_SOFT_DSN(why)) {
/*
* The fall-back destination did not resolve as expected, or it
* is refusing to talk to us, or mail for it loops back to us.
*/
if (IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites)) {
msg_warn("%s configuration problem", VAR_SMTP_FALLBACK);
vstring_strcpy(why->status, "4.3.5");
/* XXX Keep the diagnostic code and MTA. */
}
/*
* The next-hop relayhost did not resolve as expected, or it is
* refusing to talk to us, or mail for it loops back to us.
*
* XXX There is no equivalent safety net for mis-configured
* sender-dependent relay hosts. The trivial-rewrite resolver
* would have to flag the result, and the queue manager would
* have to provide that information to delivery agents.
*/
else if (smtp_mode && strcmp(sites->argv[0], var_relayhost) == 0) {
msg_warn("%s configuration problem", VAR_RELAYHOST);
vstring_strcpy(why->status, "4.3.5");
/* XXX Keep the diagnostic code and MTA. */
}
/*
* Mail for the next-hop destination loops back to myself. Pass
* the mail to the best_mx_transport or bounce it.
*/
else if (smtp_mode && SMTP_HAS_LOOP_DSN(why) && *var_bestmx_transp) {
dsb_reset(why); /* XXX */
state->status = deliver_pass_all(MAIL_CLASS_PRIVATE,
var_bestmx_transp,
request);
SMTP_RCPT_LEFT(state) = 0; /* XXX */
}
}
}
/*
* Cleanup.
*/
if (HAVE_NEXTHOP_STATE(state))
FREE_NEXTHOP_STATE(state);
argv_free(sites);
}
static void smtp_connect_remote(SMTP_STATE *state, const char *nexthop,
char *def_service)
{
DELIVER_REQUEST *request = state->request;
ARGV *sites;
char *dest;
char **cpp;
int non_fallback_sites;
int retry_plain = 0;
DSN_BUF *why = state->why;
/*
* First try to deliver to the indicated destination, then try to deliver
* to the optional fall-back relays.
*
* Future proofing: do a null destination sanity check in case we allow the
* primary destination to be a list (it could be just separators).
*/
sites = argv_alloc(1);
argv_add(sites, nexthop, (char *) 0);
if (sites->argc == 0)
msg_panic("null destination: \"%s\"", nexthop);
non_fallback_sites = sites->argc;
if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0)
argv_split_append(sites, var_fallback_relay, ", \t\r\n");
/*
* Don't give up after a hard host lookup error until we have tried the
* fallback relay servers.
*
* Don't bounce mail after a host lookup problem with a relayhost or with a
* fallback relay.
*
* Don't give up after a qualifying soft error until we have tried all
* qualifying backup mail servers.
*
* All this means that error handling and error reporting depends on whether
* the error qualifies for trying to deliver to a backup mail server, or
* whether we're looking up a relayhost or fallback relay. The challenge
* then is to build this into the pre-existing SMTP client without
* getting lost in the complexity.
*/
#define IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites) \
(*(cpp) && (cpp) >= (sites)->argv + (non_fallback_sites))
for (cpp = sites->argv, (state->misc_flags |= SMTP_MISC_FLAG_FIRST_NEXTHOP);
SMTP_RCPT_LEFT(state) > 0 && (dest = *cpp) != 0;
cpp++, (state->misc_flags &= ~SMTP_MISC_FLAG_FIRST_NEXTHOP)) {
char *dest_buf;
char *domain;
unsigned port;
DNS_RR *addr_list;
DNS_RR *addr;
DNS_RR *next;
int addr_count;
int sess_count;
SMTP_SESSION *session;
int lookup_mx;
unsigned domain_best_pref;
MAI_HOSTADDR_STR hostaddr;
if (cpp[1] == 0)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP;
/*
* Parse the destination. Default is to use the SMTP port. Look up
* the address instead of the mail exchanger when a quoted host is
* specified, or when DNS lookups are disabled.
*/
dest_buf = smtp_parse_destination(dest, def_service, &domain, &port);
if (var_helpful_warnings && ntohs(port) == 465) {
msg_info("CLIENT wrappermode (port smtps/465) is unimplemented");
msg_info("instead, send to (port submission/587) with STARTTLS");
}
/*
* Resolve an SMTP server. Skip mail exchanger lookups when a quoted
* host is specified, or when DNS lookups are disabled.
*/
if (msg_verbose)
msg_info("connecting to %s port %d", domain, ntohs(port));
if ((state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) {
if (ntohs(port) == IPPORT_SMTP)
state->misc_flags |= SMTP_MISC_FLAG_LOOP_DETECT;
else
state->misc_flags &= ~SMTP_MISC_FLAG_LOOP_DETECT;
lookup_mx = (var_disable_dns == 0 && *dest != '[');
} else
lookup_mx = 0;
if (!lookup_mx) {
addr_list = smtp_host_addr(domain, state->misc_flags, why);
/* XXX We could be an MX host for this destination... */
} else {
int i_am_mx = 0;
addr_list = smtp_domain_addr(domain, state->misc_flags,
why, &i_am_mx);
/* If we're MX host, don't connect to non-MX backups. */
if (i_am_mx)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP;
}
/*
* Don't try fall-back hosts if mail loops to myself. That would just
* make the problem worse.
*/
if (addr_list == 0 && SMTP_HAS_LOOP_DSN(why))
state->misc_flags |= SMTP_MISC_FLAG_FINAL_NEXTHOP;
/*
* No early loop exit or we have a memory leak with dest_buf.
*/
if (addr_list)
domain_best_pref = addr_list->pref;
/*
* When session caching is enabled, store the first good session for
* this delivery request under the next-hop destination name. All
* good sessions will be stored under their specific server IP
* address.
*
* XXX Replace sites->argv by (lookup_mx, domain, port) triples so we
* don't have to make clumsy ad-hoc copies and keep track of who
* free()s the memory.
*
* XXX smtp_session_cache_destinations specifies domain names without
* :port, because : is already used for maptype:mapname. Because of
* this limitation we use the bare domain without the optional [] or
* non-default TCP port.
*
* Opportunistic (a.k.a. on-demand) session caching on request by the
* queue manager. This is turned temporarily when a destination has a
* high volume of mail in the active queue.
*
* XXX Disable connection caching when sender-dependent authentication
* is enabled. We must not send someone elses mail over an
* authenticated connection, and we must not send mail that requires
* authentication over a connection that wasn't authenticated.
*/
if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_FIRST_NEXTHOP)) {
smtp_cache_policy(state, domain);
if (state->misc_flags & SMTP_MISC_FLAG_CONN_STORE)
SET_NEXTHOP_STATE(state, lookup_mx, domain, port);
}
/*
* Delete visited cached hosts from the address list.
*
* Optionally search the connection cache by domain name or by primary
* MX address before we try to create new connections.
*
* Enforce the MX session and MX address counts per next-hop or
* fall-back destination. smtp_reuse_session() will truncate the
* address list when either limit is reached.
*/
if (addr_list && (state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD)) {
if (state->cache_used->used > 0)
smtp_scrub_addr_list(state->cache_used, &addr_list);
sess_count = addr_count =
smtp_reuse_session(state, lookup_mx, domain, port,
&addr_list, domain_best_pref);
} else
sess_count = addr_count = 0;
/*
* Connect to an SMTP server: create primary MX connections, and
* reuse or create backup MX connections.
*
* At the start of an SMTP session, all recipients are unmarked. In the
* course of an SMTP session, recipients are marked as KEEP (deliver
* to alternate mail server) or DROP (remove from recipient list). At
* the end of an SMTP session, weed out the recipient list. Unmark
* any left-over recipients and try to deliver them to a backup mail
* server.
*
* Cache the first good session under the next-hop destination name.
* Cache all good sessions under their physical endpoint.
*
* Don't query the session cache for primary MX hosts. We already did
* that in smtp_reuse_session(), and if any were found in the cache,
* they were already deleted from the address list.
*/
for (addr = addr_list; SMTP_RCPT_LEFT(state) > 0 && addr; addr = next) {
next = addr->next;
if (++addr_count == var_smtp_mxaddr_limit)
next = 0;
if ((state->misc_flags & SMTP_MISC_FLAG_CONN_LOAD) == 0
|| addr->pref == domain_best_pref
|| dns_rr_to_pa(addr, &hostaddr) == 0
|| !(session = smtp_reuse_addr(state, hostaddr.buf, port)))
session = smtp_connect_addr(dest, addr, port, why,
state->misc_flags);
if ((state->session = session) != 0) {
session->state = state;
if (addr->pref == domain_best_pref)
session->features |= SMTP_FEATURE_BEST_MX;
/* Don't count handshake errors towards the session limit. */
if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP)
&& next == 0)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER;
#ifdef USE_TLS
/* Disable TLS when retrying after a handshake failure */
if (retry_plain) {
if (session->tls_level >= TLS_LEV_ENCRYPT)
msg_panic("Plain-text retry wrong for mandatory TLS");
session->tls_level = TLS_LEV_NONE;
retry_plain = 0;
}
session->tls_nexthop = domain; /* for TLS_LEV_SECURE */
#endif
if ((session->features & SMTP_FEATURE_FROM_CACHE) == 0
&& smtp_helo(state) != 0) {
#ifdef USE_TLS
/*
* When an opportunistic TLS handshake fails, try the
* same address again, with TLS disabled. See also the
* RETRY_AS_PLAINTEXT macro.
*/
if ((retry_plain = session->tls_retry_plain) != 0) {
--addr_count;
next = addr;
}
#endif
/*
* When a TLS handshake fails, the stream is marked
* "dead" to avoid further I/O over a broken channel.
*/
if (!THIS_SESSION_IS_DEAD
&& vstream_ferror(session->stream) == 0
&& vstream_feof(session->stream) == 0)
smtp_quit(state);
} else {
/* Do count delivery errors towards the session limit. */
if (++sess_count == var_smtp_mxsess_limit)
next = 0;
if ((state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP)
&& next == 0)
state->misc_flags |= SMTP_MISC_FLAG_FINAL_SERVER;
smtp_xfer(state);
}
smtp_cleanup_session(state);
} else {
/* The reason already includes the IP address and TCP port. */
msg_info("%s", STR(why->reason));
}
/* Insert: test if we must skip the remaining MX hosts. */
}
dns_rr_free(addr_list);
myfree(dest_buf);
if (state->misc_flags & SMTP_MISC_FLAG_FINAL_NEXTHOP)
break;
}
/*
* We still need to deliver, bounce or defer some left-over recipients:
* either mail loops or some backup mail server was unavailable.
*/
if (SMTP_RCPT_LEFT(state) > 0) {
/*
* In case of a "no error" indication we make up an excuse: we did
* find the host address, but we did not attempt to connect to it.
* This can happen when the fall-back relay was already tried via a
* cached connection, so that the address list scrubber left behind
* an empty list.
*/
if (!SMTP_HAS_DSN(why)) {
dsb_simple(why, "4.3.0",
"server unavailable or unable to receive mail");
}
/*
* Pay attention to what could be configuration problems, and pretend
* that these are recoverable rather than bouncing the mail.
*/
else if (!SMTP_HAS_SOFT_DSN(why)
&& (state->misc_flags & SMTP_MISC_FLAG_USE_LMTP) == 0) {
/*
* The fall-back destination did not resolve as expected, or it
* is refusing to talk to us, or mail for it loops back to us.
*/
if (IS_FALLBACK_RELAY(cpp, sites, non_fallback_sites)) {
msg_warn("%s configuration problem", VAR_SMTP_FALLBACK);
vstring_strcpy(why->status, "4.3.5");
/* XXX Keep the diagnostic code and MTA. */
}
/*
* The next-hop relayhost did not resolve as expected, or it is
* refusing to talk to us, or mail for it loops back to us.
*/
else if (strcmp(sites->argv[0], var_relayhost) == 0) {
msg_warn("%s configuration problem", VAR_RELAYHOST);
vstring_strcpy(why->status, "4.3.5");
/* XXX Keep the diagnostic code and MTA. */
}
/*
* Mail for the next-hop destination loops back to myself. Pass
* the mail to the best_mx_transport or bounce it.
*/
else if (SMTP_HAS_LOOP_DSN(why) && *var_bestmx_transp) {
dsb_reset(why); /* XXX */
state->status = deliver_pass_all(MAIL_CLASS_PRIVATE,
var_bestmx_transp,
request);
SMTP_RCPT_LEFT(state) = 0; /* XXX */
}
}
}
/*
* Cleanup.
*/
if (HAVE_NEXTHOP_STATE(state))
FREE_NEXTHOP_STATE(state);
argv_free(sites);
}
static void enqueue(const int flags, const char *encoding,
const char *dsn_envid, int dsn_ret, int dsn_notify,
const char *rewrite_context, const char *sender,
const char *full_name, char **recipients)
{
VSTRING *buf;
VSTREAM *dst;
char *saved_sender;
char **cpp;
int type;
char *start;
int skip_from_;
TOK822 *tree;
TOK822 *tp;
int rcpt_count = 0;
enum {
STRIP_CR_DUNNO, STRIP_CR_DO, STRIP_CR_DONT, STRIP_CR_ERROR
} strip_cr;
MAIL_STREAM *handle;
VSTRING *postdrop_command;
uid_t uid = getuid();
int status;
int naddr;
int prev_type;
MIME_STATE *mime_state = 0;
SM_STATE state;
int mime_errs;
const char *errstr;
int addr_count;
int level;
static NAME_CODE sm_fix_eol_table[] = {
SM_FIX_EOL_ALWAYS, STRIP_CR_DO,
SM_FIX_EOL_STRICT, STRIP_CR_DUNNO,
SM_FIX_EOL_NEVER, STRIP_CR_DONT,
0, STRIP_CR_ERROR,
};
/*
* Access control is enforced in the postdrop command. The code here
* merely produces a more user-friendly interface.
*/
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL,
var_submit_acl, uid)) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to submit mail", errstr, (long) uid);
/*
* Initialize.
*/
buf = vstring_alloc(100);
/*
* Stop run-away process accidents by limiting the queue file size. This
* is not a defense against DOS attack.
*/
if (var_message_limit > 0 && get_file_limit() > var_message_limit)
set_file_limit((off_t) var_message_limit);
/*
* The sender name is provided by the user. In principle, the mail pickup
* service could deduce the sender name from queue file ownership, but:
* pickup would not be able to run chrooted, and it may not be desirable
* to use login names at all.
*/
if (sender != 0) {
VSTRING_RESET(buf);
VSTRING_TERMINATE(buf);
tree = tok822_parse(sender);
for (naddr = 0, tp = tree; tp != 0; tp = tp->next)
if (tp->type == TOK822_ADDR && naddr++ == 0)
tok822_internalize(buf, tp->head, TOK822_STR_DEFL);
tok822_free_tree(tree);
saved_sender = mystrdup(STR(buf));
if (naddr > 1)
msg_warn("-f option specified malformed sender: %s", sender);
} else {
if ((sender = username()) == 0)
msg_fatal_status(EX_OSERR, "no login name found for user ID %lu",
(unsigned long) uid);
saved_sender = mystrdup(sender);
}
/*
* Let the postdrop command open the queue file for us, and sanity check
* the content. XXX Make postdrop a manifest constant.
*/
errno = 0;
postdrop_command = vstring_alloc(1000);
vstring_sprintf(postdrop_command, "%s/postdrop -r", var_command_dir);
for (level = 0; level < msg_verbose; level++)
vstring_strcat(postdrop_command, " -v");
if ((handle = mail_stream_command(STR(postdrop_command))) == 0)
msg_fatal_status(EX_UNAVAILABLE, "%s(%ld): unable to execute %s: %m",
saved_sender, (long) uid, STR(postdrop_command));
vstring_free(postdrop_command);
dst = handle->stream;
/*
* First, write envelope information to the output stream.
*
* For sendmail compatibility, parse each command-line recipient as if it
* were an RFC 822 message header; some MUAs specify comma-separated
* recipient lists; and some MUAs even specify "word word <address>".
*
* Sort-uniq-ing the recipient list is done after address canonicalization,
* before recipients are written to queue file. That's cleaner than
* having the queue manager nuke duplicate recipient status records.
*
* XXX Should limit the size of envelope records.
*
* With "sendmail -N", instead of a per-message NOTIFY record we store one
* per recipient so that we can simplify the implementation somewhat.
*/
if (dsn_envid)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_DSN_ENVID, dsn_envid);
if (dsn_ret)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d",
MAIL_ATTR_DSN_RET, dsn_ret);
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_RWR_CONTEXT, rewrite_context);
if (full_name || (full_name = fullname()) != 0)
rec_fputs(dst, REC_TYPE_FULL, full_name);
rec_fputs(dst, REC_TYPE_FROM, saved_sender);
if (verp_delims && *saved_sender == 0)
msg_fatal_status(EX_USAGE,
"%s(%ld): -V option requires non-null sender address",
saved_sender, (long) uid);
if (encoding)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", MAIL_ATTR_ENCODING, encoding);
if (DEL_REQ_TRACE_FLAGS(flags))
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", MAIL_ATTR_TRACE_FLAGS,
DEL_REQ_TRACE_FLAGS(flags));
if (verp_delims)
rec_fputs(dst, REC_TYPE_VERP, verp_delims);
if (recipients) {
for (cpp = recipients; *cpp != 0; cpp++) {
tree = tok822_parse(*cpp);
for (addr_count = 0, tp = tree; tp != 0; tp = tp->next) {
if (tp->type == TOK822_ADDR) {
tok822_internalize(buf, tp->head, TOK822_STR_DEFL);
if (dsn_notify)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d",
MAIL_ATTR_DSN_NOTIFY, dsn_notify);
if (REC_PUT_BUF(dst, REC_TYPE_RCPT, buf) < 0)
msg_fatal_status(EX_TEMPFAIL,
"%s(%ld): error writing queue file: %m",
saved_sender, (long) uid);
++rcpt_count;
++addr_count;
}
}
tok822_free_tree(tree);
if (addr_count == 0) {
if (rec_put(dst, REC_TYPE_RCPT, "", 0) < 0)
msg_fatal_status(EX_TEMPFAIL,
"%s(%ld): error writing queue file: %m",
saved_sender, (long) uid);
++rcpt_count;
}
}
}
/*
* Append the message contents to the queue file. Write chunks of at most
* 1kbyte. Internally, we use different record types for data ending in
* LF and for data that doesn't, so we can actually be binary transparent
* for local mail. Unfortunately, SMTP has no record continuation
* convention, so there is no guarantee that arbitrary data will be
* delivered intact via SMTP. Strip leading From_ lines. For the benefit
* of UUCP environments, also get rid of leading >>>From_ lines.
*/
rec_fputs(dst, REC_TYPE_MESG, "");
if (DEL_REQ_TRACE_ONLY(flags) != 0) {
if (flags & SM_FLAG_XRCPT)
msg_fatal_status(EX_USAGE, "%s(%ld): -t option cannot be used with -bv",
saved_sender, (long) uid);
if (*saved_sender)
rec_fprintf(dst, REC_TYPE_NORM, "From: %s", saved_sender);
rec_fprintf(dst, REC_TYPE_NORM, "Subject: probe");
if (recipients) {
rec_fprintf(dst, REC_TYPE_CONT, "To:");
for (cpp = recipients; *cpp != 0; cpp++) {
rec_fprintf(dst, REC_TYPE_NORM, " %s%s",
*cpp, cpp[1] ? "," : "");
}
}
} else {
/*
* Initialize the MIME processor and set up the callback context.
*/
if (flags & SM_FLAG_XRCPT) {
state.dst = dst;
state.recipients = argv_alloc(2);
state.resent_recip = argv_alloc(2);
state.resent = 0;
state.saved_sender = saved_sender;
state.uid = uid;
state.temp = vstring_alloc(10);
mime_state = mime_state_alloc(MIME_OPT_DISABLE_MIME
| MIME_OPT_REPORT_TRUNC_HEADER,
output_header,
(MIME_STATE_ANY_END) 0,
output_text,
(MIME_STATE_ANY_END) 0,
(MIME_STATE_ERR_PRINT) 0,
(void *) &state);
}
/*
* Process header/body lines.
*/
skip_from_ = 1;
strip_cr = name_code(sm_fix_eol_table, NAME_CODE_FLAG_STRICT_CASE,
var_sm_fix_eol);
if (strip_cr == STRIP_CR_ERROR)
msg_fatal_status(EX_USAGE,
"invalid %s value: %s", VAR_SM_FIX_EOL, var_sm_fix_eol);
for (prev_type = 0; (type = rec_streamlf_get(VSTREAM_IN, buf, var_line_limit))
!= REC_TYPE_EOF; prev_type = type) {
if (strip_cr == STRIP_CR_DUNNO && type == REC_TYPE_NORM) {
if (VSTRING_LEN(buf) > 0 && vstring_end(buf)[-1] == '\r')
strip_cr = STRIP_CR_DO;
else
strip_cr = STRIP_CR_DONT;
}
if (skip_from_) {
if (type == REC_TYPE_NORM) {
start = STR(buf);
if (strncmp(start + strspn(start, ">"), "From ", 5) == 0)
continue;
}
skip_from_ = 0;
}
if (strip_cr == STRIP_CR_DO && type == REC_TYPE_NORM)
while (VSTRING_LEN(buf) > 0 && vstring_end(buf)[-1] == '\r')
vstring_truncate(buf, VSTRING_LEN(buf) - 1);
if ((flags & SM_FLAG_AEOF) && prev_type != REC_TYPE_CONT
&& VSTRING_LEN(buf) == 1 && *STR(buf) == '.')
break;
if (mime_state) {
mime_errs = mime_state_update(mime_state, type, STR(buf),
VSTRING_LEN(buf));
if (mime_errs)
msg_fatal_status(EX_DATAERR,
"%s(%ld): unable to extract recipients: %s",
saved_sender, (long) uid,
mime_state_error(mime_errs));
} else {
if (REC_PUT_BUF(dst, type, buf) < 0)
msg_fatal_status(EX_TEMPFAIL,
"%s(%ld): error writing queue file: %m",
saved_sender, (long) uid);
}
}
}
/*
* Finish MIME processing. We need a final mime_state_update() call in
* order to flush text that is still buffered. That can happen when the
* last line did not end in newline.
*/
if (mime_state) {
mime_errs = mime_state_update(mime_state, REC_TYPE_EOF, "", 0);
if (mime_errs)
msg_fatal_status(EX_DATAERR,
"%s(%ld): unable to extract recipients: %s",
saved_sender, (long) uid,
mime_state_error(mime_errs));
mime_state = mime_state_free(mime_state);
}
/*
* Append recipient addresses that were extracted from message headers.
*/
rec_fputs(dst, REC_TYPE_XTRA, "");
if (flags & SM_FLAG_XRCPT) {
for (cpp = state.resent ? state.resent_recip->argv :
state.recipients->argv; *cpp; cpp++) {
if (dsn_notify)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d",
MAIL_ATTR_DSN_NOTIFY, dsn_notify);
if (rec_put(dst, REC_TYPE_RCPT, *cpp, strlen(*cpp)) < 0)
msg_fatal_status(EX_TEMPFAIL,
"%s(%ld): error writing queue file: %m",
saved_sender, (long) uid);
++rcpt_count;
}
argv_free(state.recipients);
argv_free(state.resent_recip);
vstring_free(state.temp);
}
if (rcpt_count == 0)
msg_fatal_status(EX_USAGE, (flags & SM_FLAG_XRCPT) ?
"%s(%ld): No recipient addresses found in message header" :
"%s(%ld): Recipient addresses must be specified on"
" the command line or via the -t option",
saved_sender, (long) uid);
/*
* Identify the end of the queue file.
*/
rec_fputs(dst, REC_TYPE_END, "");
/*
* Make sure that the message makes it to the file system. Once we have
* terminated with successful exit status we cannot lose the message due
* to "frivolous reasons". If all goes well, prevent the run-time error
* handler from removing the file.
*/
if (vstream_ferror(VSTREAM_IN))
msg_fatal_status(EX_DATAERR, "%s(%ld): error reading input: %m",
saved_sender, (long) uid);
if ((status = mail_stream_finish(handle, (VSTRING *) 0)) != 0)
msg_fatal_status((status & CLEANUP_STAT_BAD) ? EX_SOFTWARE :
(status & CLEANUP_STAT_WRITE) ? EX_TEMPFAIL :
EX_UNAVAILABLE, "%s(%ld): %s", saved_sender,
(long) uid, cleanup_strerror(status));
/*
* Don't leave them in the dark.
*/
if (DEL_REQ_TRACE_FLAGS(flags)) {
vstream_printf("Mail Delivery Status Report will be mailed to <%s>.\n",
saved_sender);
vstream_fflush(VSTREAM_OUT);
}
/*
* Cleanup. Not really necessary as we're about to exit, but good for
* debugging purposes.
*/
vstring_free(buf);
myfree(saved_sender);
}
static int get_next_inet_entry( int fd, pset_h sconfs,
struct service_config *defaults)
{
char *p;
str_h strp;
char *line = next_line(fd);
struct service_config *scp;
unsigned u, i;
const char *func = "get_next_inet_entry";
char *name = NULL, *rpcvers = NULL, *rpcproto = NULL;
char *group, *proto, *stype;
const struct name_value *nvp;
struct protoent *pep ;
struct passwd *pw ;
struct group *grp ;
const char *dot = ".";
const char *slash = "/";
pset_h args;
if( line == CHAR_NULL )
return -2;
strp = str_parse( line, " \t", STR_RETURN_ERROR, INT_NULL ) ;
if( strp == NULL )
{
parsemsg( LOG_CRIT, func, "inetd.conf - str_parse failed" ) ;
return( -1 ) ;
}
if( (args = pset_create(10,10)) == NULL )
{
out_of_memory(func);
return -1;
}
/* Break the line into components, based on spaces */
while( (p = str_component( strp )) )
{
if( pset_add(args, p) == NULL )
{
parsemsg( LOG_CRIT, func, ES_NOMEM );
pset_destroy(args);
return -1;
}
}
str_endparse( strp );
/* get the service name */
name = new_string((char *)pset_pointer( args, 0 ));
if( name == NULL ) {
parsemsg( LOG_ERR, func, "inetd.conf - Invalid service name" );
pset_destroy(args);
return -1;
}
/* Check to find the '/' for specifying RPC version numbers */
if( (rpcvers = strstr(name, slash)) != NULL ) {
*rpcvers = '\0';
rpcvers++;
}
scp = sc_alloc( name );
if( scp == NULL )
{
pset_destroy(args);
free( name );
return -1;
}
/*
* sc_alloc makes its own copy of name. At this point, sc_alloc worked
* so we will free our copy to avoid leaks.
*/
free( name );
/* Replicate inetd behavior in this regard. Also makes sure the
* service actually works on system where setgroups(0,NULL) doesn't
* work.
*/
SC_GROUPS(scp) = YES;
SC_SPECIFY( scp, A_GROUPS );
/* Get the socket type (stream dgram) */
stype = (char *)pset_pointer(args, 1);
if( stype == NULL ) {
parsemsg( LOG_ERR, func, "inetd.conf - Invalid socket type" );
pset_destroy(args);
sc_free(scp);
return -1;
}
nvp = nv_find_value( socket_types, stype );
if( nvp == NULL )
{
parsemsg( LOG_ERR, func, "inetd.conf - Bad socket type: %s", p);
pset_destroy(args);
sc_free(scp);
return -1;
}
SC_SOCKET_TYPE(scp) = nvp->value;
/* Get the protocol type */
proto = (char *)pset_pointer(args,2);
if( strstr(proto, "rpc") != NULL )
{
int rpcmin, rpcmax;
struct rpc_data *rdp = SC_RPCDATA( scp ) ;
if( rpcvers == NULL ) {
pset_destroy(args);
sc_free(scp);
return -1;
/* uh oh */
}
p = strchr(rpcvers, '-');
if( p && parse_int(rpcvers, 10, '-', &rpcmin) == 0 ) {
if( parse_base10(p + 1, &rpcmax) || rpcmin > rpcmax ) {
pset_destroy(args);
sc_free(scp);
return -1;
}
} else {
if( parse_base10(rpcvers, &rpcmin) ) {
pset_destroy(args);
sc_free(scp);
return -1;
}
rpcmax = rpcmin;
}
/* now have min and max rpc versions */
rdp->rd_min_version = rpcmin;
rdp->rd_max_version = rpcmax;
rpcproto = strstr(proto, slash);
if( rpcproto == NULL ) {
parsemsg( LOG_ERR, func, "inetd.conf - bad rpc version numbers" );
pset_destroy(args);
sc_free(scp);
return -1;
}
*rpcproto = '\0';
rpcproto++;
proto = rpcproto;
/* Set the RPC type field */
nvp = nv_find_value( service_types, "RPC" );
if ( nvp == NULL )
{
parsemsg( LOG_WARNING, func, "inetd.conf - Bad foo %s", name ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
M_SET(SC_TYPE(scp), nvp->value);
}
if ( ( pep = getprotobyname( proto ) ) == NULL )
{
parsemsg( LOG_ERR, func, "inetd.conf - Protocol %s not in /etc/protocols",
proto ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
SC_PROTONAME(scp) = new_string( proto ) ;
if ( SC_PROTONAME(scp) == NULL )
{
out_of_memory( func ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
SC_PROTOVAL(scp) = pep->p_proto;
SC_SPECIFY(scp, A_PROTOCOL);
/* Get the wait attribute */
p = (char *)pset_pointer(args, 3);
if ( p == NULL ) {
parsemsg( LOG_ERR, func, "inetd.conf - No value specified for wait" );
sc_free(scp);
return -1;
}
if ( EQ( p, "wait" ) )
SC_WAIT(scp) = YES ;
else if ( EQ( p, "nowait" ) )
SC_WAIT(scp) = NO ;
else
parsemsg( LOG_ERR, func, "inetd.conf - Bad value for wait: %s", p ) ;
/* Get the user to run as */
p = (char *)pset_pointer(args, 4);
if ( p == NULL ) {
parsemsg( LOG_ERR, func, "inetd.conf - No value specified for user" );
sc_free(scp);
return -1;
}
if( (group = strstr(p, dot)) )
{
*group = '\0';
group++;
grp = (struct group *)getgrnam( (char *)group ) ;
if ( grp == NULL )
{
parsemsg( LOG_ERR, func, "inetd.conf - Unknown group: %s", group ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
SC_GID(scp) = ((struct group *)grp)->gr_gid;
SC_SPECIFY( scp, A_GROUP );
}
pw = getpwnam( p );
if ( pw == NULL )
{
parsemsg( LOG_ERR, func, "inetd.conf - Unknown user: %s", p ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
str_fill( pw->pw_passwd, ' ' );
SC_UID(scp) = pw->pw_uid;
SC_USER_GID(scp) = pw->pw_gid;
/* Get server name, or flag as internal */
p = (char *)pset_pointer(args, 5);
if ( p == NULL ) {
parsemsg( LOG_ERR, func, "inetd.conf - No value specified for user" );
sc_free(scp);
return -1;
}
if( EQ( p, "internal" ) )
{
nvp = nv_find_value( service_types, "INTERNAL" );
if ( nvp == NULL )
{
parsemsg( LOG_WARNING, func, "inetd.conf - Bad foo %s", name ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
M_SET(SC_TYPE(scp), nvp->value);
if( EQ( SC_NAME(scp), "time" ) ) {
if( EQ( proto, "stream" ) )
SC_ID(scp) = new_string("time-stream");
else
SC_ID(scp) = new_string("time-dgram");
}
if( EQ( SC_NAME(scp), "daytime" ) ) {
if( EQ( proto, "stream" ) )
SC_ID(scp) = new_string("daytime-stream");
else
SC_ID(scp) = new_string("daytime-dgram");
}
if( EQ( SC_NAME(scp), "chargen" ) ) {
if( EQ( proto, "stream" ) )
SC_ID(scp) = new_string("chargen-stream");
else
SC_ID(scp) = new_string("chargen-dgram");
}
if( EQ( SC_NAME(scp), "echo" ) ) {
if( EQ( proto, "stream" ) )
SC_ID(scp) = new_string("echo-stream");
else
SC_ID(scp) = new_string("echo-dgram");
}
if( EQ( SC_NAME(scp), "discard" ) )
{
parsemsg(LOG_WARNING, func,
"inetd.conf - service discard not supported");
pset_destroy(args);
sc_free(scp);
return -1;
}
}
else
{
SC_SERVER(scp) = new_string( p );
if ( SC_SERVER(scp) == NULL )
{
out_of_memory( func ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
SC_SPECIFY( scp, A_SERVER);
/* Get argv */
SC_SERVER_ARGV(scp) = (char **)argv_alloc(pset_count(args)+1);
for( u = 0; u < pset_count(args)-6 ; u++ )
{
p = new_string((char *)pset_pointer(args, u+6));
if( p == NULL )
{
for ( i = 1 ; i < u ; i++ )
free( SC_SERVER_ARGV(scp)[i] );
free( SC_SERVER_ARGV(scp) );
pset_destroy(args);
sc_free(scp);
return -1;
}
SC_SERVER_ARGV(scp)[u] = p;
}
/* Set the reuse flag, as this is the default for inetd */
nvp = nv_find_value( service_flags, "REUSE" );
if ( nvp == NULL )
{
parsemsg( LOG_WARNING, func, "inetd.conf - Bad foo %s", name ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
M_SET(SC_XFLAGS(scp), nvp->value);
/* Set the NOLIBWRAP flag, since inetd doesn't have libwrap built in */
nvp = nv_find_value( service_flags, "NOLIBWRAP" );
if ( nvp == NULL )
{
parsemsg( LOG_WARNING, func, "inetd.conf - Bad foo %s", name ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
M_SET(SC_XFLAGS(scp), nvp->value);
/* Set the NAMEINARGS flag, as that's the default for inetd */
nvp = nv_find_value( service_flags, "NAMEINARGS" );
if ( nvp == NULL )
{
parsemsg( LOG_WARNING, func, "inetd.conf - Bad foo %s", name ) ;
pset_destroy(args);
sc_free(scp);
return (-1);
}
M_SET(SC_XFLAGS(scp), nvp->value);
SC_SPECIFY( scp, A_SERVER_ARGS );
if ( (SC_ID(scp) = new_string( SC_NAME(scp) )) )
SC_PRESENT( scp, A_ID ) ;
else
{
out_of_memory( func ) ;
pset_destroy(args);
sc_free(scp);
return -1;
}
}
SC_SPECIFY( scp, A_PROTOCOL );
SC_SPECIFY( scp, A_USER );
SC_SPECIFY( scp, A_SOCKET_TYPE );
SC_SPECIFY( scp, A_WAIT );
if( ! pset_add(sconfs, scp) )
{
out_of_memory( func );
pset_destroy(args);
sc_free(scp);
return -1;
}
pset_destroy(args);
parsemsg( LOG_DEBUG, func, "added service %s", SC_NAME(scp));
return 0;
}