int main(int argc, char **argv)
{
struct stat st;
char *slash;
int c;
int fd;
int mode = PQ_MODE_DEFAULT;
char *site_to_flush = 0;
char *id_to_flush = 0;
ARGV *import_env;
int bad_site;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal_status(EX_UNAVAILABLE, "open /dev/null: %m");
/*
* Initialize. Set up logging, read the global configuration file and
* extract configuration information. Set up signal handlers so that we
* can clean up incomplete output.
*/
if ((slash = strrchr(argv[0], '/')) != 0 && slash[1])
argv[0] = slash + 1;
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_cleanup(unavailable);
msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Parse JCL. This program is set-gid and must sanitize all command-line
* parameters. The configuration directory argument is validated by the
* mail configuration read routine. Don't do complex things until we have
* completed initializations.
*/
while ((c = GETOPT(argc, argv, "c:fi:ps:v")) > 0) {
switch (c) {
case 'c': /* non-default configuration */
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal_status(EX_UNAVAILABLE, "out of memory");
break;
case 'f': /* flush queue */
if (mode != PQ_MODE_DEFAULT)
usage();
mode = PQ_MODE_FLUSH_QUEUE;
break;
case 'i': /* flush queue file */
if (mode != PQ_MODE_DEFAULT)
usage();
mode = PQ_MODE_FLUSH_FILE;
id_to_flush = optarg;
break;
case 'p': /* traditional mailq */
if (mode != PQ_MODE_DEFAULT)
usage();
mode = PQ_MODE_MAILQ_LIST;
break;
case 's': /* flush site */
if (mode != PQ_MODE_DEFAULT)
usage();
mode = PQ_MODE_FLUSH_SITE;
site_to_flush = optarg;
break;
case 'v':
if (geteuid() == 0)
msg_verbose++;
break;
default:
usage();
}
}
if (argc > optind)
usage();
/*
* Further initialization...
*/
mail_conf_read();
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY);
mail_dict_init(); /* proxy, sql, ldap */
get_mail_conf_str_table(str_table);
/*
* This program is designed to be set-gid, which makes it a potential
* target for attack. If not running as root, strip the environment so we
* don't have to trust the C library. If running as root, don't strip the
* environment so that showq can receive non-default configuration
* directory info when the mail system is down.
*/
if (geteuid() != 0) {
import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
clean_env(import_env->argv);
argv_free(import_env);
}
if (chdir(var_queue_dir))
msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
signal(SIGPIPE, SIG_IGN);
/* End of initializations. */
/*
* Further input validation.
*/
if (site_to_flush != 0) {
bad_site = 0;
if (*site_to_flush == '[') {
bad_site = !valid_mailhost_literal(site_to_flush, DONT_GRIPE);
} else {
bad_site = !valid_hostname(site_to_flush, DONT_GRIPE);
}
if (bad_site)
msg_fatal_status(EX_USAGE,
"Cannot flush mail queue - invalid destination: \"%.100s%s\"",
site_to_flush, strlen(site_to_flush) > 100 ? "..." : "");
}
if (id_to_flush != 0) {
if (!mail_queue_id_ok(id_to_flush))
msg_fatal_status(EX_USAGE,
"Cannot flush queue ID - invalid name: \"%.100s%s\"",
id_to_flush, strlen(id_to_flush) > 100 ? "..." : "");
}
/*
* Start processing.
*/
switch (mode) {
default:
msg_panic("unknown operation mode: %d", mode);
/* NOTREACHED */
case PQ_MODE_MAILQ_LIST:
show_queue();
exit(0);
break;
case PQ_MODE_FLUSH_SITE:
flush_site(site_to_flush);
exit(0);
break;
case PQ_MODE_FLUSH_FILE:
flush_file(id_to_flush);
exit(0);
break;
case PQ_MODE_FLUSH_QUEUE:
flush_queue();
exit(0);
break;
case PQ_MODE_DEFAULT:
usage();
/* NOTREACHED */
}
}
void mail_params_init()
{
static const CONFIG_STR_TABLE first_str_defaults[] = {
VAR_SYSLOG_FACILITY, DEF_SYSLOG_FACILITY, &var_syslog_facility, 1, 0,
VAR_INET_PROTOCOLS, DEF_INET_PROTOCOLS, &var_inet_protocols, 0, 0,
VAR_MULTI_CONF_DIRS, DEF_MULTI_CONF_DIRS, &var_multi_conf_dirs, 0, 0,
/* multi_instance_wrapper may have dependencies but not dependents. */
VAR_MULTI_GROUP, DEF_MULTI_GROUP, &var_multi_group, 0, 0,
VAR_MULTI_NAME, DEF_MULTI_NAME, &var_multi_name, 0, 0,
0,
};
static const CONFIG_BOOL_TABLE first_bool_defaults[] = {
/* read and process the following before opening tables. */
VAR_DAEMON_OPEN_FATAL, DEF_DAEMON_OPEN_FATAL, &var_daemon_open_fatal,
0,
};
static const CONFIG_STR_FN_TABLE function_str_defaults[] = {
VAR_MYHOSTNAME, check_myhostname, &var_myhostname, 1, 0,
VAR_MYDOMAIN, check_mydomainname, &var_mydomain, 1, 0,
0,
};
static const CONFIG_STR_TABLE other_str_defaults[] = {
VAR_MAIL_NAME, DEF_MAIL_NAME, &var_mail_name, 1, 0,
VAR_SYSLOG_NAME, DEF_SYSLOG_NAME, &var_syslog_name, 1, 0,
VAR_MAIL_OWNER, DEF_MAIL_OWNER, &var_mail_owner, 1, 0,
VAR_SGID_GROUP, DEF_SGID_GROUP, &var_sgid_group, 1, 0,
VAR_MYDEST, DEF_MYDEST, &var_mydest, 0, 0,
VAR_MYORIGIN, DEF_MYORIGIN, &var_myorigin, 1, 0,
VAR_RELAYHOST, DEF_RELAYHOST, &var_relayhost, 0, 0,
VAR_DAEMON_DIR, DEF_DAEMON_DIR, &var_daemon_dir, 1, 0,
VAR_DATA_DIR, DEF_DATA_DIR, &var_data_dir, 1, 0,
VAR_COMMAND_DIR, DEF_COMMAND_DIR, &var_command_dir, 1, 0,
VAR_QUEUE_DIR, DEF_QUEUE_DIR, &var_queue_dir, 1, 0,
VAR_PID_DIR, DEF_PID_DIR, &var_pid_dir, 1, 0,
VAR_INET_INTERFACES, DEF_INET_INTERFACES, &var_inet_interfaces, 0, 0,
VAR_PROXY_INTERFACES, DEF_PROXY_INTERFACES, &var_proxy_interfaces, 0, 0,
VAR_DOUBLE_BOUNCE, DEF_DOUBLE_BOUNCE, &var_double_bounce_sender, 1, 0,
VAR_DEFAULT_PRIVS, DEF_DEFAULT_PRIVS, &var_default_privs, 1, 0,
VAR_ALIAS_DB_MAP, DEF_ALIAS_DB_MAP, &var_alias_db_map, 0, 0,
VAR_MAIL_RELEASE, DEF_MAIL_RELEASE, &var_mail_release, 1, 0,
VAR_MAIL_VERSION, DEF_MAIL_VERSION, &var_mail_version, 1, 0,
VAR_DB_TYPE, DEF_DB_TYPE, &var_db_type, 1, 0,
VAR_HASH_QUEUE_NAMES, DEF_HASH_QUEUE_NAMES, &var_hash_queue_names, 1, 0,
VAR_RCPT_DELIM, DEF_RCPT_DELIM, &var_rcpt_delim, 0, 0,
VAR_RELAY_DOMAINS, DEF_RELAY_DOMAINS, &var_relay_domains, 0, 0,
VAR_FFLUSH_DOMAINS, DEF_FFLUSH_DOMAINS, &var_fflush_domains, 0, 0,
VAR_EXPORT_ENVIRON, DEF_EXPORT_ENVIRON, &var_export_environ, 0, 0,
VAR_IMPORT_ENVIRON, DEF_IMPORT_ENVIRON, &var_import_environ, 0, 0,
VAR_MYNETWORKS_STYLE, DEF_MYNETWORKS_STYLE, &var_mynetworks_style, 1, 0,
VAR_DEBUG_PEER_LIST, DEF_DEBUG_PEER_LIST, &var_debug_peer_list, 0, 0,
VAR_VERP_DELIMS, DEF_VERP_DELIMS, &var_verp_delims, 2, 2,
VAR_VERP_FILTER, DEF_VERP_FILTER, &var_verp_filter, 1, 0,
VAR_PAR_DOM_MATCH, DEF_PAR_DOM_MATCH, &var_par_dom_match, 0, 0,
VAR_CONFIG_DIRS, DEF_CONFIG_DIRS, &var_config_dirs, 0, 0,
VAR_BOUNCE_SERVICE, DEF_BOUNCE_SERVICE, &var_bounce_service, 1, 0,
VAR_CLEANUP_SERVICE, DEF_CLEANUP_SERVICE, &var_cleanup_service, 1, 0,
VAR_DEFER_SERVICE, DEF_DEFER_SERVICE, &var_defer_service, 1, 0,
VAR_PICKUP_SERVICE, DEF_PICKUP_SERVICE, &var_pickup_service, 1, 0,
VAR_QUEUE_SERVICE, DEF_QUEUE_SERVICE, &var_queue_service, 1, 0,
VAR_REWRITE_SERVICE, DEF_REWRITE_SERVICE, &var_rewrite_service, 1, 0,
VAR_SHOWQ_SERVICE, DEF_SHOWQ_SERVICE, &var_showq_service, 1, 0,
VAR_ERROR_SERVICE, DEF_ERROR_SERVICE, &var_error_service, 1, 0,
VAR_FLUSH_SERVICE, DEF_FLUSH_SERVICE, &var_flush_service, 1, 0,
VAR_VERIFY_SERVICE, DEF_VERIFY_SERVICE, &var_verify_service, 1, 0,
VAR_TRACE_SERVICE, DEF_TRACE_SERVICE, &var_trace_service, 1, 0,
VAR_PROXYMAP_SERVICE, DEF_PROXYMAP_SERVICE, &var_proxymap_service, 1, 0,
VAR_PROXYWRITE_SERVICE, DEF_PROXYWRITE_SERVICE, &var_proxywrite_service, 1, 0,
VAR_INT_FILT_CLASSES, DEF_INT_FILT_CLASSES, &var_int_filt_classes, 0, 0,
/* multi_instance_wrapper may have dependencies but not dependents. */
VAR_MULTI_WRAPPER, DEF_MULTI_WRAPPER, &var_multi_wrapper, 0, 0,
0,
};
static const CONFIG_STR_FN_TABLE function_str_defaults_2[] = {
VAR_MYNETWORKS, mynetworks, &var_mynetworks, 0, 0,
0,
};
static const CONFIG_INT_TABLE other_int_defaults[] = {
VAR_PROC_LIMIT, DEF_PROC_LIMIT, &var_proc_limit, 1, 0,
VAR_MAX_USE, DEF_MAX_USE, &var_use_limit, 1, 0,
VAR_DONT_REMOVE, DEF_DONT_REMOVE, &var_dont_remove, 0, 0,
VAR_LINE_LIMIT, DEF_LINE_LIMIT, &var_line_limit, 512, 0,
VAR_HASH_QUEUE_DEPTH, DEF_HASH_QUEUE_DEPTH, &var_hash_queue_depth, 1, 0,
VAR_FORK_TRIES, DEF_FORK_TRIES, &var_fork_tries, 1, 0,
VAR_FLOCK_TRIES, DEF_FLOCK_TRIES, &var_flock_tries, 1, 0,
VAR_DEBUG_PEER_LEVEL, DEF_DEBUG_PEER_LEVEL, &var_debug_peer_level, 1, 0,
VAR_FAULT_INJ_CODE, DEF_FAULT_INJ_CODE, &var_fault_inj_code, 0, 0,
VAR_DB_CREATE_BUF, DEF_DB_CREATE_BUF, &var_db_create_buf, 1, 0,
VAR_DB_READ_BUF, DEF_DB_READ_BUF, &var_db_read_buf, 1, 0,
VAR_HEADER_LIMIT, DEF_HEADER_LIMIT, &var_header_limit, 1, 0,
VAR_TOKEN_LIMIT, DEF_TOKEN_LIMIT, &var_token_limit, 1, 0,
VAR_MIME_MAXDEPTH, DEF_MIME_MAXDEPTH, &var_mime_maxdepth, 1, 0,
VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
VAR_DELAY_MAX_RES, DEF_DELAY_MAX_RES, &var_delay_max_res, MIN_DELAY_MAX_RES, MAX_DELAY_MAX_RES,
VAR_INET_WINDOW, DEF_INET_WINDOW, &var_inet_windowsize, 0, 0,
0,
};
static const CONFIG_LONG_TABLE long_defaults[] = {
VAR_MESSAGE_LIMIT, DEF_MESSAGE_LIMIT, &var_message_limit, 0, 0,
VAR_LMDB_MAP_SIZE, DEF_LMDB_MAP_SIZE, &var_lmdb_map_size, 1, 0,
0,
};
static const CONFIG_TIME_TABLE time_defaults[] = {
VAR_EVENT_DRAIN, DEF_EVENT_DRAIN, &var_event_drain, 1, 0,
VAR_MAX_IDLE, DEF_MAX_IDLE, &var_idle_limit, 1, 0,
VAR_IPC_TIMEOUT, DEF_IPC_TIMEOUT, &var_ipc_timeout, 1, 0,
VAR_IPC_IDLE, DEF_IPC_IDLE, &var_ipc_idle_limit, 1, 0,
VAR_IPC_TTL, DEF_IPC_TTL, &var_ipc_ttl_limit, 1, 0,
VAR_TRIGGER_TIMEOUT, DEF_TRIGGER_TIMEOUT, &var_trigger_timeout, 1, 0,
VAR_FORK_DELAY, DEF_FORK_DELAY, &var_fork_delay, 1, 0,
VAR_FLOCK_DELAY, DEF_FLOCK_DELAY, &var_flock_delay, 1, 0,
VAR_FLOCK_STALE, DEF_FLOCK_STALE, &var_flock_stale, 1, 0,
VAR_DAEMON_TIMEOUT, DEF_DAEMON_TIMEOUT, &var_daemon_timeout, 1, 0,
VAR_IN_FLOW_DELAY, DEF_IN_FLOW_DELAY, &var_in_flow_delay, 0, 10,
0,
};
static const CONFIG_BOOL_TABLE bool_defaults[] = {
VAR_DISABLE_DNS, DEF_DISABLE_DNS, &var_disable_dns,
VAR_SOFT_BOUNCE, DEF_SOFT_BOUNCE, &var_soft_bounce,
VAR_OWNREQ_SPECIAL, DEF_OWNREQ_SPECIAL, &var_ownreq_special,
VAR_STRICT_8BITMIME, DEF_STRICT_8BITMIME, &var_strict_8bitmime,
VAR_STRICT_7BIT_HDRS, DEF_STRICT_7BIT_HDRS, &var_strict_7bit_hdrs,
VAR_STRICT_8BIT_BODY, DEF_STRICT_8BIT_BODY, &var_strict_8bit_body,
VAR_STRICT_ENCODING, DEF_STRICT_ENCODING, &var_strict_encoding,
VAR_DISABLE_MIME_INPUT, DEF_DISABLE_MIME_INPUT, &var_disable_mime_input,
VAR_DISABLE_MIME_OCONV, DEF_DISABLE_MIME_OCONV, &var_disable_mime_oconv,
VAR_VERIFY_NEG_CACHE, DEF_VERIFY_NEG_CACHE, &var_verify_neg_cache,
VAR_OLDLOG_COMPAT, DEF_OLDLOG_COMPAT, &var_oldlog_compat,
VAR_HELPFUL_WARNINGS, DEF_HELPFUL_WARNINGS, &var_helpful_warnings,
VAR_CYRUS_SASL_AUTHZID, DEF_CYRUS_SASL_AUTHZID, &var_cyrus_sasl_authzid,
VAR_MULTI_ENABLE, DEF_MULTI_ENABLE, &var_multi_enable,
VAR_LONG_QUEUE_IDS, DEF_LONG_QUEUE_IDS, &var_long_queue_ids,
0,
};
const char *cp;
INET_PROTO_INFO *proto_info;
/*
* Extract syslog_facility early, so that from here on all errors are
* logged with the proper facility.
*/
get_mail_conf_str_table(first_str_defaults);
if (!msg_syslog_facility(var_syslog_facility))
msg_fatal("file %s/%s: parameter %s: unrecognized value: %s",
var_config_dir, MAIN_CONF_FILE,
VAR_SYSLOG_FACILITY, var_syslog_facility);
/*
* Should daemons terminate after table open error, or should they
* continue execution with reduced functionality?
*/
get_mail_conf_bool_table(first_bool_defaults);
if (var_daemon_open_fatal)
dict_allow_surrogate = 0;
/*
* What protocols should we attempt to support? The result is stored in
* the global inet_proto_table variable.
*/
proto_info = inet_proto_init(VAR_INET_PROTOCOLS, var_inet_protocols);
/*
* Variables whose defaults are determined at runtime. Some sites use
* short hostnames in the host table; some sites name their system after
* the domain.
*/
get_mail_conf_str_fn_table(function_str_defaults);
if (!valid_hostname(var_myhostname, DO_GRIPE))
msg_fatal("file %s/%s: parameter %s: bad parameter value: %s",
var_config_dir, MAIN_CONF_FILE,
VAR_MYHOSTNAME, var_myhostname);
if (!valid_hostname(var_mydomain, DO_GRIPE))
msg_fatal("file %s/%s: parameter %s: bad parameter value: %s",
var_config_dir, MAIN_CONF_FILE,
VAR_MYDOMAIN, var_mydomain);
/*
* Variables that are needed by almost every program.
*
* XXX Reading the myorigin value from file is originally a Debian Linux
* feature. This code is not enabled by default because of problems: 1)
* it re-implements its own parameter syntax checks, and 2) it does not
* implement $name expansions.
*/
get_mail_conf_str_table(other_str_defaults);
#ifdef MYORIGIN_FROM_FILE
if (*var_myorigin == '/') {
char *origin = read_param_from_file(var_myorigin);
if (*origin == 0)
msg_fatal("%s file %s is empty", VAR_MYORIGIN, var_myorigin);
myfree(var_myorigin); /* FIX 20070501 */
var_myorigin = origin;
}
#endif
get_mail_conf_int_table(other_int_defaults);
get_mail_conf_long_table(long_defaults);
get_mail_conf_bool_table(bool_defaults);
get_mail_conf_time_table(time_defaults);
check_default_privs();
check_mail_owner();
check_sgid_group();
check_overlap();
#ifdef HAS_DB
dict_db_cache_size = var_db_read_buf;
#endif
#ifdef HAS_LMDB
dict_lmdb_map_size = var_lmdb_map_size;
#endif
inet_windowsize = var_inet_windowsize;
/*
* Variables whose defaults are determined at runtime, after other
* variables have been set. This dependency is admittedly a bit tricky.
* XXX Perhaps we should just register variables, and let the evaluator
* figure out in what order to evaluate things.
*/
get_mail_conf_str_fn_table(function_str_defaults_2);
/*
* FIX 200412 The IPv6 patch did not call own_inet_addr_list() before
* entering the chroot jail on Linux IPv6 systems. Linux has the IPv6
* interface list in /proc, which is not available after chrooting.
*/
(void) own_inet_addr_list();
/*
* The PID variable cannot be set from the configuration file!!
*/
set_mail_conf_int(VAR_PID, var_pid = getpid());
/*
* Neither can the start time variable. It isn't even visible.
*/
time(&var_starttime);
/*
* Export the syslog name so children can inherit and use it before they
* have initialized.
*/
if ((cp = safe_getenv(CONF_ENV_LOGTAG)) == 0
|| strcmp(cp, var_syslog_name) != 0)
if (setenv(CONF_ENV_LOGTAG, var_syslog_name, 1) < 0)
msg_fatal("setenv %s %s: %m", CONF_ENV_LOGTAG, var_syslog_name);
/*
* I have seen this happen just too often.
*/
if (strcasecmp(var_myhostname, var_relayhost) == 0)
msg_fatal("%s and %s parameter settings must not be identical: %s",
VAR_MYHOSTNAME, VAR_RELAYHOST, var_myhostname);
/*
* XXX These should be caught by a proper parameter parsing algorithm.
*/
if (var_myorigin[strcspn(var_myorigin, ", \t\r\n")])
msg_fatal("%s parameter setting must not contain multiple values: %s",
VAR_MYORIGIN, var_myorigin);
if (var_relayhost[strcspn(var_relayhost, ", \t\r\n")])
msg_fatal("%s parameter setting must not contain multiple values: %s",
VAR_RELAYHOST, var_relayhost);
/*
* One more sanity check.
*/
if ((cp = verp_delims_verify(var_verp_delims)) != 0)
msg_fatal("file %s/%s: parameters %s and %s: %s",
var_config_dir, MAIN_CONF_FILE,
VAR_VERP_DELIMS, VAR_VERP_FILTER, cp);
}
int main(int argc, char **argv)
{
struct stat st;
int fd;
int c;
VSTRING *buf;
int status;
MAIL_STREAM *dst;
int rec_type;
static char *segment_info[] = {
REC_TYPE_POST_ENVELOPE, REC_TYPE_POST_CONTENT, REC_TYPE_POST_EXTRACT, ""
};
char **expected;
uid_t uid = getuid();
ARGV *import_env;
const char *error_text;
char *attr_name;
char *attr_value;
const char *errstr;
char *junk;
struct timeval start;
int saved_errno;
int from_count = 0;
int rcpt_count = 0;
int validate_input = 1;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal("open /dev/null: %m");
/*
* Set up logging. Censor the process name: it is provided by the user.
*/
argv[0] = "postdrop";
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_syslog_init(mail_task("postdrop"), LOG_PID, LOG_FACILITY);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Parse JCL. This program is set-gid and must sanitize all command-line
* arguments. The configuration directory argument is validated by the
* mail configuration read routine. Don't do complex things until we have
* completed initializations.
*/
while ((c = GETOPT(argc, argv, "c:rv")) > 0) {
switch (c) {
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'r': /* forward compatibility */
break;
case 'v':
if (geteuid() == 0)
msg_verbose++;
break;
default:
msg_fatal("usage: %s [-c config_dir] [-v]", argv[0]);
}
}
/*
* Read the global configuration file and extract configuration
* information. Some claim that the user should supply the working
* directory instead. That might be OK, given that this command needs
* write permission in a subdirectory called "maildrop". However we still
* need to reliably detect incomplete input, and so we must perform
* record-level I/O. With that, we should also take the opportunity to
* perform some sanity checks on the input.
*/
mail_conf_read();
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task("postdrop"), LOG_PID, LOG_FACILITY);
get_mail_conf_str_table(str_table);
/*
* Mail submission access control. Should this be in the user-land gate,
* or in the daemon process?
*/
mail_dict_init();
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl,
uid)) != 0)
msg_fatal("User %s(%ld) is not allowed to submit mail",
errstr, (long) uid);
/*
* Stop run-away process accidents by limiting the queue file size. This
* is not a defense against DOS attack.
*/
if (var_message_limit > 0 && get_file_limit() > var_message_limit)
set_file_limit((off_t) var_message_limit);
/*
* This program is installed with setgid privileges. Strip the process
* environment so that we don't have to trust the C library.
*/
import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
clean_env(import_env->argv);
argv_free(import_env);
if (chdir(var_queue_dir))
msg_fatal("chdir %s: %m", var_queue_dir);
if (msg_verbose)
msg_info("chdir %s", var_queue_dir);
/*
* Set up signal handlers and a runtime error handler so that we can
* clean up incomplete output.
*
* postdrop_sig() uses the in-kernel SIGINT handler address as an atomic
* variable to prevent nested postdrop_sig() calls. For this reason, the
* SIGINT handler must be configured before other signal handlers are
* allowed to invoke postdrop_sig().
*/
signal(SIGPIPE, SIG_IGN);
signal(SIGXFSZ, SIG_IGN);
signal(SIGINT, postdrop_sig);
signal(SIGQUIT, postdrop_sig);
if (signal(SIGTERM, SIG_IGN) == SIG_DFL)
signal(SIGTERM, postdrop_sig);
if (signal(SIGHUP, SIG_IGN) == SIG_DFL)
signal(SIGHUP, postdrop_sig);
msg_cleanup(postdrop_cleanup);
/* End of initializations. */
/*
* Don't trust the caller's time information.
*/
GETTIMEOFDAY(&start);
/*
* Create queue file. mail_stream_file() never fails. Send the queue ID
* to the caller. Stash away a copy of the queue file name so we can
* clean up in case of a fatal error or an interrupt.
*/
dst = mail_stream_file(MAIL_QUEUE_MAILDROP, MAIL_CLASS_PUBLIC,
var_pickup_service, 0444);
attr_print(VSTREAM_OUT, ATTR_FLAG_NONE,
SEND_ATTR_STR(MAIL_ATTR_QUEUEID, dst->id),
ATTR_TYPE_END);
vstream_fflush(VSTREAM_OUT);
postdrop_path = mystrdup(VSTREAM_PATH(dst->stream));
/*
* Copy stdin to file. The format is checked so that we can recognize
* incomplete input and cancel the operation. With the sanity checks
* applied here, the pickup daemon could skip format checks and pass a
* file descriptor to the cleanup daemon. These are by no means all
* sanity checks - the cleanup service and queue manager services will
* reject messages that lack required information.
*
* If something goes wrong, slurp up the input before responding to the
* client, otherwise the client will give up after detecting SIGPIPE.
*
* Allow attribute records if the attribute specifies the MIME body type
* (sendmail -B).
*/
vstream_control(VSTREAM_IN, CA_VSTREAM_CTL_PATH("stdin"), CA_VSTREAM_CTL_END);
buf = vstring_alloc(100);
expected = segment_info;
/* Override time information from the untrusted caller. */
rec_fprintf(dst->stream, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
REC_TYPE_TIME_ARG(start));
for (;;) {
/* Don't allow PTR records. */
rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit, REC_FLAG_NONE);
if (rec_type == REC_TYPE_EOF) { /* request cancelled */
mail_stream_cleanup(dst);
if (remove(postdrop_path))
msg_warn("uid=%ld: remove %s: %m", (long) uid, postdrop_path);
else if (msg_verbose)
msg_info("remove %s", postdrop_path);
myfree(postdrop_path);
postdrop_path = 0;
exit(0);
}
if (rec_type == REC_TYPE_ERROR)
msg_fatal("uid=%ld: malformed input", (long) uid);
if (strchr(*expected, rec_type) == 0)
msg_fatal("uid=%ld: unexpected record type: %d", (long) uid, rec_type);
if (rec_type == **expected)
expected++;
/* Override time information from the untrusted caller. */
if (rec_type == REC_TYPE_TIME)
continue;
/* Check these at submission time instead of pickup time. */
if (rec_type == REC_TYPE_FROM)
from_count++;
if (rec_type == REC_TYPE_RCPT)
rcpt_count++;
/* Limit the attribute types that users may specify. */
if (rec_type == REC_TYPE_ATTR) {
if ((error_text = split_nameval(vstring_str(buf), &attr_name,
&attr_value)) != 0) {
msg_warn("uid=%ld: ignoring malformed record: %s: %.200s",
(long) uid, error_text, vstring_str(buf));
continue;
}
#define STREQ(x,y) (strcmp(x,y) == 0)
if ((STREQ(attr_name, MAIL_ATTR_ENCODING)
&& (STREQ(attr_value, MAIL_ATTR_ENC_7BIT)
|| STREQ(attr_value, MAIL_ATTR_ENC_8BIT)
|| STREQ(attr_value, MAIL_ATTR_ENC_NONE)))
|| STREQ(attr_name, MAIL_ATTR_DSN_ENVID)
|| STREQ(attr_name, MAIL_ATTR_DSN_NOTIFY)
|| rec_attr_map(attr_name)
|| (STREQ(attr_name, MAIL_ATTR_RWR_CONTEXT)
&& (STREQ(attr_value, MAIL_ATTR_RWR_LOCAL)
|| STREQ(attr_value, MAIL_ATTR_RWR_REMOTE)))
|| STREQ(attr_name, MAIL_ATTR_TRACE_FLAGS)) { /* XXX */
rec_fprintf(dst->stream, REC_TYPE_ATTR, "%s=%s",
attr_name, attr_value);
} else {
msg_warn("uid=%ld: ignoring attribute record: %.200s=%.200s",
(long) uid, attr_name, attr_value);
}
continue;
}
if (REC_PUT_BUF(dst->stream, rec_type, buf) < 0) {
/* rec_get() errors must not clobber errno. */
saved_errno = errno;
while ((rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit,
REC_FLAG_NONE)) != REC_TYPE_END
&& rec_type != REC_TYPE_EOF)
if (rec_type == REC_TYPE_ERROR)
msg_fatal("uid=%ld: malformed input", (long) uid);
validate_input = 0;
errno = saved_errno;
break;
}
if (rec_type == REC_TYPE_END)
break;
}
vstring_free(buf);
/*
* As of Postfix 2.7 the pickup daemon discards mail without recipients.
* Such mail may enter the maildrop queue when "postsuper -r" is invoked
* before the queue manager deletes an already delivered message. Looking
* at file ownership is not a good way to make decisions on what mail to
* discard. Instead, the pickup server now requires that new submissions
* always have at least one recipient record.
*
* The Postfix sendmail command already rejects mail without recipients.
* However, in the future postdrop may receive mail via other programs,
* so we add a redundant recipient check here for future proofing.
*
* The test for the sender address is just for consistency of error
* reporting (report at submission time instead of pickup time). Besides
* the segment terminator records, there aren't any other mandatory
* records in a Postfix submission queue file.
*/
if (validate_input && (from_count == 0 || rcpt_count == 0)) {
status = CLEANUP_STAT_BAD;
mail_stream_cleanup(dst);
}
/*
* Finish the file.
*/
else if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
msg_warn("uid=%ld: %m", (long) uid);
postdrop_cleanup();
}
/*
* Disable deletion on fatal error before reporting success, so the file
* will not be deleted after we have taken responsibility for delivery.
*/
if (postdrop_path) {
junk = postdrop_path;
postdrop_path = 0;
myfree(junk);
}
/*
* Send the completion status to the caller and terminate.
*/
attr_print(VSTREAM_OUT, ATTR_FLAG_NONE,
SEND_ATTR_INT(MAIL_ATTR_STATUS, status),
SEND_ATTR_STR(MAIL_ATTR_WHY, ""),
ATTR_TYPE_END);
vstream_fflush(VSTREAM_OUT);
exit(status);
}
int main(int argc, char **argv)
{
static char *full_name = 0; /* sendmail -F */
struct stat st;
char *slash;
char *sender = 0; /* sendmail -f */
int c;
int fd;
int mode;
ARGV *ext_argv;
int debug_me = 0;
int err;
int n;
int flags = SM_FLAG_DEFAULT;
char *site_to_flush = 0;
char *id_to_flush = 0;
char *encoding = 0;
char *qtime = 0;
const char *errstr;
uid_t uid;
const char *rewrite_context = MAIL_ATTR_RWR_LOCAL;
int dsn_notify = 0;
int dsn_ret = 0;
const char *dsn_envid = 0;
int saved_optind;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal_status(EX_OSERR, "open /dev/null: %m");
/*
* The CDE desktop calendar manager leaks a parent file descriptor into
* the child process. For the sake of sendmail compatibility we have to
* close the file descriptor otherwise mail notification will hang.
*/
for ( /* void */ ; fd < 100; fd++)
(void) close(fd);
/*
* Process environment options as early as we can. We might be called
* from a set-uid (set-gid) program, so be careful with importing
* environment variables.
*/
if (safe_getenv(CONF_ENV_VERB))
msg_verbose = 1;
if (safe_getenv(CONF_ENV_DEBUG))
debug_me = 1;
/*
* Initialize. Set up logging, read the global configuration file and
* extract configuration information. Set up signal handlers so that we
* can clean up incomplete output.
*/
if ((slash = strrchr(argv[0], '/')) != 0 && slash[1])
argv[0] = slash + 1;
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_cleanup(tempfail);
msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Some sites mistakenly install Postfix sendmail as set-uid root. Drop
* set-uid privileges only when root, otherwise some systems will not
* reset the saved set-userid, which would be a security vulnerability.
*/
if (geteuid() == 0 && getuid() != 0) {
msg_warn("the Postfix sendmail command has set-uid root file permissions");
msg_warn("or the command is run from a set-uid root process");
msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions");
set_ugid(getuid(), getgid());
}
/*
* Further initialization. Load main.cf first, so that command-line
* options can override main.cf settings. Pre-scan the argument list so
* that we load the right main.cf file.
*/
#define GETOPT_LIST "A:B:C:F:GIL:N:O:R:UV:X:b:ce:f:h:imno:p:r:q:tvx"
saved_optind = optind;
while (argv[OPTIND] != 0) {
if (strcmp(argv[OPTIND], "-q") == 0) { /* not getopt compatible */
optind++;
continue;
}
if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0)
break;
if (c == 'C') {
VSTRING *buf = vstring_alloc(1);
if (setenv(CONF_ENV_PATH,
strcmp(sane_basename(buf, optarg), MAIN_CONF_FILE) == 0 ?
sane_dirname(buf, optarg) : optarg, 1) < 0)
msg_fatal_status(EX_UNAVAILABLE, "out of memory");
vstring_free(buf);
}
}
optind = saved_optind;
mail_conf_read();
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
get_mail_conf_str_table(str_table);
if (chdir(var_queue_dir))
msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
signal(SIGPIPE, SIG_IGN);
/*
* Optionally start the debugger on ourself. This must be done after
* reading the global configuration file, because that file specifies
* what debugger command to execute.
*/
if (debug_me)
debug_process();
/*
* The default mode of operation is determined by the process name. It
* can, however, be changed via command-line options (for example,
* "newaliases -bp" will show the mail queue).
*/
if (strcmp(argv[0], "mailq") == 0) {
mode = SM_MODE_MAILQ;
} else if (strcmp(argv[0], "newaliases") == 0) {
mode = SM_MODE_NEWALIAS;
} else if (strcmp(argv[0], "smtpd") == 0) {
mode = SM_MODE_DAEMON;
} else {
mode = SM_MODE_ENQUEUE;
}
/*
* Parse JCL. Sendmail has been around for a long time, and has acquired
* a large number of options in the course of time. Some options such as
* -q are not parsable with GETOPT() and get special treatment.
*/
#define OPTIND (optind > 0 ? optind : 1)
while (argv[OPTIND] != 0) {
if (strcmp(argv[OPTIND], "-q") == 0) {
if (mode == SM_MODE_DAEMON)
msg_warn("ignoring -q option in daemon mode");
else
mode = SM_MODE_FLUSHQ;
optind++;
continue;
}
if (strcmp(argv[OPTIND], "-V") == 0
&& argv[OPTIND + 1] != 0 && strlen(argv[OPTIND + 1]) == 2) {
msg_warn("option -V is deprecated with Postfix 2.3; "
"specify -XV instead");
argv[OPTIND] = "-XV";
}
if (strncmp(argv[OPTIND], "-V", 2) == 0 && strlen(argv[OPTIND]) == 4) {
msg_warn("option %s is deprecated with Postfix 2.3; "
"specify -X%s instead",
argv[OPTIND], argv[OPTIND] + 1);
argv[OPTIND] = concatenate("-X", argv[OPTIND] + 1, (char *) 0);
}
if (strcmp(argv[OPTIND], "-XV") == 0) {
verp_delims = var_verp_delims;
optind++;
continue;
}
if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0)
break;
switch (c) {
default:
if (msg_verbose)
msg_info("-%c option ignored", c);
break;
case 'n':
msg_fatal_status(EX_USAGE, "-%c option not supported", c);
case 'B':
if (strcmp(optarg, "8BITMIME") == 0)/* RFC 1652 */
encoding = MAIL_ATTR_ENC_8BIT;
else if (strcmp(optarg, "7BIT") == 0) /* RFC 1652 */
encoding = MAIL_ATTR_ENC_7BIT;
else
msg_fatal_status(EX_USAGE, "-B option needs 8BITMIME or 7BIT");
break;
case 'F': /* full name */
full_name = optarg;
break;
case 'G': /* gateway submission */
rewrite_context = MAIL_ATTR_RWR_REMOTE;
break;
case 'I': /* newaliases */
mode = SM_MODE_NEWALIAS;
break;
case 'N':
if ((dsn_notify = dsn_notify_mask(optarg)) == 0)
msg_warn("bad -N option value -- ignored");
break;
case 'R':
if ((dsn_ret = dsn_ret_code(optarg)) == 0)
msg_warn("bad -R option value -- ignored");
break;
case 'V': /* DSN, was: VERP */
if (strlen(optarg) > 100)
msg_warn("too long -V option value -- ignored");
else if (!allprint(optarg))
msg_warn("bad syntax in -V option value -- ignored");
else
dsn_envid = optarg;
break;
case 'X':
switch (*optarg) {
default:
msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg);
case 'V': /* VERP */
if (verp_delims_verify(optarg + 1) != 0)
msg_fatal_status(EX_USAGE, "-V requires two characters from %s",
var_verp_filter);
verp_delims = optarg + 1;
break;
}
break;
case 'b':
switch (*optarg) {
default:
msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg);
case 'd': /* daemon mode */
case 'l': /* daemon mode */
if (mode == SM_MODE_FLUSHQ)
msg_warn("ignoring -q option in daemon mode");
mode = SM_MODE_DAEMON;
break;
case 'h': /* print host status */
case 'H': /* flush host status */
mode = SM_MODE_IGNORE;
break;
case 'i': /* newaliases */
mode = SM_MODE_NEWALIAS;
break;
case 'm': /* deliver mail */
mode = SM_MODE_ENQUEUE;
break;
case 'p': /* mailq */
mode = SM_MODE_MAILQ;
break;
case 's': /* stand-alone mode */
mode = SM_MODE_USER;
break;
case 'v': /* expand recipients */
flags |= DEL_REQ_FLAG_USR_VRFY;
break;
}
break;
case 'f':
sender = optarg;
break;
case 'i':
flags &= ~SM_FLAG_AEOF;
break;
case 'o':
switch (*optarg) {
default:
if (msg_verbose)
msg_info("-%c%c option ignored", c, *optarg);
break;
case 'A':
if (optarg[1] == 0)
msg_fatal_status(EX_USAGE, "-oA requires pathname");
myfree(var_alias_db_map);
var_alias_db_map = mystrdup(optarg + 1);
set_mail_conf_str(VAR_ALIAS_DB_MAP, var_alias_db_map);
break;
case '7':
case '8':
break;
case 'i':
flags &= ~SM_FLAG_AEOF;
break;
case 'm':
break;
}
break;
case 'r': /* obsoleted by -f */
sender = optarg;
break;
case 'q':
if (ISDIGIT(optarg[0])) {
qtime = optarg;
} else if (optarg[0] == 'R') {
site_to_flush = optarg + 1;
if (*site_to_flush == 0)
msg_fatal_status(EX_USAGE, "specify: -qRsitename");
} else if (optarg[0] == 'I') {
id_to_flush = optarg + 1;
if (*id_to_flush == 0)
msg_fatal_status(EX_USAGE, "specify: -qIqueueid");
} else {
msg_fatal_status(EX_USAGE, "-q%c is not implemented",
optarg[0]);
}
break;
case 't':
flags |= SM_FLAG_XRCPT;
break;
case 'v':
msg_verbose++;
break;
case '?':
msg_fatal_status(EX_USAGE, "usage: %s [options]", argv[0]);
}
}
/*
* Look for conflicting options and arguments.
*/
if ((flags & SM_FLAG_XRCPT) && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-t can be used only in delivery mode");
if (site_to_flush && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-qR can be used only in delivery mode");
if (id_to_flush && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-qI can be used only in delivery mode");
if (flags & DEL_REQ_FLAG_USR_VRFY) {
if (flags & SM_FLAG_XRCPT)
msg_fatal_status(EX_USAGE, "-t option cannot be used with -bv");
if (dsn_notify)
msg_fatal_status(EX_USAGE, "-N option cannot be used with -bv");
if (dsn_ret)
msg_fatal_status(EX_USAGE, "-R option cannot be used with -bv");
if (msg_verbose == 1)
msg_fatal_status(EX_USAGE, "-v option cannot be used with -bv");
}
/*
* The -v option plays double duty. One requests verbose delivery, more
* than one requests verbose logging.
*/
if (msg_verbose == 1 && mode == SM_MODE_ENQUEUE) {
msg_verbose = 0;
flags |= DEL_REQ_FLAG_RECORD;
}
/*
* Start processing. Everything is delegated to external commands.
*/
if (qtime && mode != SM_MODE_DAEMON)
exit(0);
switch (mode) {
default:
msg_panic("unknown operation mode: %d", mode);
/* NOTREACHED */
case SM_MODE_ENQUEUE:
if (site_to_flush) {
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "flush site requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-s", site_to_flush, (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
} else if (id_to_flush) {
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "flush queue_id requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-i", id_to_flush, (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
} else {
enqueue(flags, encoding, dsn_envid, dsn_ret, dsn_notify,
rewrite_context, sender, full_name, argv + OPTIND);
exit(0);
/* NOTREACHED */
}
break;
case SM_MODE_MAILQ:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"display queue mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-p", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_FLUSHQ:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"flush queue mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-f", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_DAEMON:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "daemon mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postfix", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_add(ext_argv, "start", (char *) 0);
argv_terminate(ext_argv);
err = (mail_run_background(var_command_dir, ext_argv->argv) < 0);
argv_free(ext_argv);
exit(err);
break;
case SM_MODE_NEWALIAS:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"alias initialization mode requires no recipient");
if (*var_alias_db_map == 0)
return (0);
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postalias", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_split_append(ext_argv, var_alias_db_map, CHARS_COMMA_SP);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_USER:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"stand-alone mode requires no recipient");
/* The actual enforcement happens in the postdrop command. */
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl,
uid = getuid())) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to submit mail",
errstr, (long) uid);
ext_argv = argv_alloc(2);
argv_add(ext_argv, "smtpd", "-S", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_daemon_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_IGNORE:
exit(0);
/* NOTREACHED */
}
}
int main(int argc, char **argv)
{
char *script;
struct stat st;
char *slash;
int fd;
int ch;
ARGV *import_env;
static const CONFIG_STR_TABLE str_table[] = {
VAR_SENDMAIL_PATH, DEF_SENDMAIL_PATH, &var_sendmail_path, 1, 0,
VAR_MAILQ_PATH, DEF_MAILQ_PATH, &var_mailq_path, 1, 0,
VAR_NEWALIAS_PATH, DEF_NEWALIAS_PATH, &var_newalias_path, 1, 0,
VAR_MANPAGE_DIR, DEF_MANPAGE_DIR, &var_manpage_dir, 1, 0,
VAR_SAMPLE_DIR, DEF_SAMPLE_DIR, &var_sample_dir, 1, 0,
VAR_README_DIR, DEF_README_DIR, &var_readme_dir, 1, 0,
VAR_HTML_DIR, DEF_HTML_DIR, &var_html_dir, 1, 0,
0,
};
int force_single_instance;
ARGV *my_argv;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal("open /dev/null: %m");
/*
* Set up diagnostics. XXX What if stdin is the system console during
* boot time? It seems a bad idea to log startup errors to the console.
* This is UNIX, a system that can run without hand holding.
*/
if ((slash = strrchr(argv[0], '/')) != 0 && slash[1])
argv[0] = slash + 1;
if (isatty(STDERR_FILENO))
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_syslog_init(argv[0], LOG_PID, LOG_FACILITY);
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* The mail system must be run by the superuser so it can revoke
* privileges for selected operations. That's right - it takes privileges
* to toss privileges.
*/
if (getuid() != 0) {
msg_error("to submit mail, use the Postfix sendmail command");
msg_fatal("the postfix command is reserved for the superuser");
}
if (unsafe() != 0)
msg_fatal("the postfix command must not run as a set-uid process");
/*
* Parse switches.
*/
while ((ch = GETOPT(argc, argv, "c:Dv")) > 0) {
switch (ch) {
default:
msg_fatal("usage: %s [-c config_dir] [-Dv] command", argv[0]);
case 'c':
if (*optarg != '/')
msg_fatal("-c requires absolute pathname");
check_setenv(CONF_ENV_PATH, optarg);
break;
case 'D':
check_setenv(CONF_ENV_DEBUG, "");
break;
case 'v':
msg_verbose++;
check_setenv(CONF_ENV_VERB, "");
break;
}
}
force_single_instance = (getenv(CONF_ENV_PATH) != 0);
/*
* Copy a bunch of configuration parameters into the environment for easy
* access by the maintenance shell script.
*/
mail_conf_read();
get_mail_conf_str_table(str_table);
/*
* Environment import filter, to enforce consistent behavior whether this
* command is started by hand, or at system boot time. This is necessary
* because some shell scripts use environment settings to override
* main.cf settings.
*/
import_env = argv_split(var_import_environ, ", \t\r\n");
clean_env(import_env->argv);
argv_free(import_env);
check_setenv("PATH", ROOT_PATH); /* sys_defs.h */
check_setenv(CONF_ENV_PATH, var_config_dir);/* mail_conf.h */
check_setenv(VAR_COMMAND_DIR, var_command_dir); /* main.cf */
check_setenv(VAR_DAEMON_DIR, var_daemon_dir); /* main.cf */
check_setenv(VAR_DATA_DIR, var_data_dir); /* main.cf */
check_setenv(VAR_QUEUE_DIR, var_queue_dir); /* main.cf */
check_setenv(VAR_CONFIG_DIR, var_config_dir); /* main.cf */
/*
* Do we want to keep adding things here as shell scripts evolve?
*/
check_setenv(VAR_MAIL_OWNER, var_mail_owner); /* main.cf */
check_setenv(VAR_SGID_GROUP, var_sgid_group); /* main.cf */
check_setenv(VAR_SENDMAIL_PATH, var_sendmail_path); /* main.cf */
check_setenv(VAR_MAILQ_PATH, var_mailq_path); /* main.cf */
check_setenv(VAR_NEWALIAS_PATH, var_newalias_path); /* main.cf */
check_setenv(VAR_MANPAGE_DIR, var_manpage_dir); /* main.cf */
check_setenv(VAR_SAMPLE_DIR, var_sample_dir); /* main.cf */
check_setenv(VAR_README_DIR, var_readme_dir); /* main.cf */
check_setenv(VAR_HTML_DIR, var_html_dir); /* main.cf */
/*
* Make sure these directories exist. Run the maintenance scripts with as
* current directory the mail database.
*/
if (chdir(var_command_dir))
msg_fatal("chdir(%s): %m", var_command_dir);
if (chdir(var_daemon_dir))
msg_fatal("chdir(%s): %m", var_daemon_dir);
if (chdir(var_queue_dir))
msg_fatal("chdir(%s): %m", var_queue_dir);
/*
* Run the management script.
*/
if (force_single_instance
|| argv_split(var_multi_conf_dirs, "\t\r\n, ")->argc == 0) {
script = concatenate(var_daemon_dir, "/postfix-script", (char *) 0);
if (optind < 1)
msg_panic("bad optind value");
argv[optind - 1] = script;
execvp(script, argv + optind - 1);
msg_fatal("%s: %m", script);
}
/*
* Hand off control to a multi-instance manager.
*/
else {
if (*var_multi_wrapper == 0)
msg_fatal("multi-instance support is requested, but %s is empty",
VAR_MULTI_WRAPPER);
my_argv = argv_split(var_multi_wrapper, " \t\r\n");
do {
argv_add(my_argv, argv[optind], (char *) 0);
} while (argv[optind++] != 0);
execvp(my_argv->argv[0], my_argv->argv);
msg_fatal("%s: %m", my_argv->argv[0]);
}
}
