static void post_jail_init(char *service_name, char **unused_argv)
{
/*
* Special case: dump bounce templates. This is not part of the master(5)
* public interface. This internal interface is used by the postconf
* command. It was implemented before bounce templates were isolated into
* modules that could have been called directly.
*/
if (strcmp(service_name, "dump_templates") == 0) {
bounce_templates_dump(VSTREAM_OUT, bounce_templates);
vstream_fflush(VSTREAM_OUT);
exit(0);
}
if (strcmp(service_name, "expand_templates") == 0) {
bounce_templates_expand(VSTREAM_OUT, bounce_templates);
vstream_fflush(VSTREAM_OUT);
exit(0);
}
/*
* Initialize. We're single threaded so we can reuse some memory upon
* successive requests.
*/
queue_id = vstring_alloc(10);
queue_name = vstring_alloc(10);
rcpt_buf = rcpb_create();
encoding = vstring_alloc(10);
sender = vstring_alloc(10);
dsn_envid = vstring_alloc(10);
verp_delims = vstring_alloc(10);
dsn_buf = dsb_create();
}
SMTP_STATE *smtp_state_alloc(void)
{
SMTP_STATE *state = (SMTP_STATE *) mymalloc(sizeof(*state));
state->misc_flags = 0;
state->src = 0;
state->service = 0;
state->request = 0;
state->session = 0;
state->status = 0;
state->space_left = 0;
state->nexthop_domain = 0;
if (var_smtp_cache_conn) {
state->dest_label = vstring_alloc(10);
state->dest_prop = vstring_alloc(10);
state->endp_label = vstring_alloc(10);
state->endp_prop = vstring_alloc(10);
state->cache_used = htable_create(1);
} else {
state->dest_label = 0;
state->dest_prop = 0;
state->endp_label = 0;
state->endp_prop = 0;
state->cache_used = 0;
}
state->why = dsb_create();
/*
* The process name, "smtp" or "lmtp", is also used as the DSN server
* reply type and for SASL service information lookup. Since all three
* external representations are identical there is no reason to transform
* from some external form X to some Postfix-specific canonical internal
* form, and then to transform from the internal form to external forms Y
* and Z.
*/
if (strcmp(var_procname, "lmtp") == 0) {
state->misc_flags |= SMTP_MISC_FLAG_USE_LMTP;
} else if (strcmp(var_procname, "smtp") == 0) {
/* void */
} else {
msg_fatal("unexpected process name \"%s\" - "
"specify \"smtp\" or \"lmtp\"",
var_procname);
}
return (state);
}
void deliver_attr_init(DELIVER_ATTR *attrp)
{
attrp->level = 0;
attrp->fp = 0;
attrp->queue_name = 0;
attrp->queue_id = 0;
attrp->offset = 0;
attrp->sender = 0;
RECIPIENT_ASSIGN(&(attrp->rcpt), 0, 0, 0, 0, 0);
attrp->domain = 0;
attrp->local = 0;
attrp->user = 0;
attrp->extension = 0;
attrp->unmatched = 0;
attrp->owner = 0;
attrp->delivered = 0;
attrp->relay = 0;
attrp->exp_type = 0;
attrp->exp_from = 0;
attrp->why = dsb_create();
}
static void qmgr_deliver_update(int unused_event, char *context)
{
QMGR_ENTRY *entry = (QMGR_ENTRY *) context;
QMGR_QUEUE *queue = entry->queue;
QMGR_TRANSPORT *transport = queue->transport;
QMGR_MESSAGE *message = entry->message;
static DSN_BUF *dsb;
int status;
/*
* Release the delivery agent from a "hot" queue entry.
*/
#define QMGR_DELIVER_RELEASE_AGENT(entry) do { \
event_disable_readwrite(vstream_fileno(entry->stream)); \
(void) vstream_fclose(entry->stream); \
entry->stream = 0; \
qmgr_deliver_concurrency--; \
} while (0)
if (dsb == 0)
dsb = dsb_create();
/*
* The message transport has responded. Stop the watchdog timer.
*/
event_cancel_timer(qmgr_deliver_abort, context);
/*
* Retrieve the delivery agent status report. The numerical status code
* indicates if delivery should be tried again. The reason text is sent
* only when a site should be avoided for a while, so that the queue
* manager can log why it does not even try to schedule delivery to the
* affected recipients.
*/
status = qmgr_deliver_final_reply(entry->stream, dsb);
/*
* The mail delivery process failed for some reason (although delivery
* may have been successful). Back off with this transport type for a
* while. Dispose of queue entries for this transport that await
* selection (the todo lists). Stay away from queue entries that have
* been selected (the busy lists), or we would have dangling pointers.
* The queue itself won't go away before we dispose of the current queue
* entry.
*/
if (status == DELIVER_STAT_CRASH) {
message->flags |= DELIVER_STAT_DEFER;
#if 0
whatsup = concatenate("unknown ", transport->name,
" mail transport error", (char *) 0);
qmgr_transport_throttle(transport,
DSN_SIMPLE(&dsb->dsn, "4.3.0", whatsup));
myfree(whatsup);
#else
qmgr_transport_throttle(transport,
DSN_SIMPLE(&dsb->dsn, "4.3.0",
"unknown mail transport error"));
#endif
msg_warn("transport %s failure -- see a previous warning/fatal/panic logfile record for the problem description",
transport->name);
/*
* Assume the worst and write a defer logfile record for each
* recipient. This omission was already present in the first queue
* manager implementation of 199703, and was fixed 200511.
*
* To avoid the synchronous qmgr_defer_recipient() operation for each
* recipient of this queue entry, release the delivery process and
* move the entry back to the todo queue. Let qmgr_defer_transport()
* log the recipient asynchronously if possible, and get out of here.
* Note: if asynchronous logging is not possible,
* qmgr_defer_transport() eventually invokes qmgr_entry_done() and
* the entry becomes a dangling pointer.
*/
QMGR_DELIVER_RELEASE_AGENT(entry);
qmgr_entry_unselect(queue, entry);
qmgr_defer_transport(transport, &dsb->dsn);
return;
}
/*
* This message must be tried again.
*
* If we have a problem talking to this site, back off with this site for a
* while; dispose of queue entries for this site that await selection
* (the todo list); stay away from queue entries that have been selected
* (the busy list), or we would have dangling pointers. The queue itself
* won't go away before we dispose of the current queue entry.
*
* XXX Caution: DSN_COPY() will panic on empty status or reason.
*/
#define SUSPENDED "delivery temporarily suspended: "
if (status == DELIVER_STAT_DEFER) {
message->flags |= DELIVER_STAT_DEFER;
if (VSTRING_LEN(dsb->status)) {
/* Sanitize the DSN status/reason from the delivery agent. */
if (!dsn_valid(vstring_str(dsb->status)))
vstring_strcpy(dsb->status, "4.0.0");
if (VSTRING_LEN(dsb->reason) == 0)
vstring_strcpy(dsb->reason, "unknown error");
vstring_prepend(dsb->reason, SUSPENDED, sizeof(SUSPENDED) - 1);
if (QMGR_QUEUE_READY(queue)) {
qmgr_queue_throttle(queue, DSN_FROM_DSN_BUF(dsb));
if (QMGR_QUEUE_THROTTLED(queue))
qmgr_defer_todo(queue, &dsb->dsn);
}
}
}
/*
* No problems detected. Mark the transport and queue as alive. The queue
* itself won't go away before we dispose of the current queue entry.
*/
if (status != DELIVER_STAT_CRASH && VSTRING_LEN(dsb->reason) == 0) {
qmgr_transport_unthrottle(transport);
qmgr_queue_unthrottle(queue);
}
/*
* Release the delivery process, and give some other queue entry a chance
* to be delivered. When all recipients for a message have been tried,
* decide what to do next with this message: defer, bounce, delete.
*/
QMGR_DELIVER_RELEASE_AGENT(entry);
qmgr_entry_done(entry, QMGR_QUEUE_BUSY);
}
static void *policy_create(const char *unused_key, void *context)
{
SMTP_ITERATOR *iter = (SMTP_ITERATOR *) context;
int site_level;
const char *dest = STR(iter->dest);
const char *host = STR(iter->host);
/*
* Prepare a pristine policy object.
*/
SMTP_TLS_POLICY *tls = (SMTP_TLS_POLICY *) mymalloc(sizeof(*tls));
smtp_tls_policy_init(tls, dsb_create());
/*
* Compute the per-site TLS enforcement level. For compatibility with the
* original TLS patch, this algorithm is gives equal precedence to host
* and next-hop policies.
*/
tls->level = global_tls_level();
site_level = TLS_LEV_NOTFOUND;
if (tls_policy) {
tls_policy_lookup(tls, &site_level, dest, "next-hop destination");
} else if (tls_per_site) {
tls_site_lookup(tls, &site_level, dest, "next-hop destination");
if (site_level != TLS_LEV_INVALID
&& strcasecmp(dest, host) != 0)
tls_site_lookup(tls, &site_level, host, "server hostname");
/*
* Override a wild-card per-site policy with a more specific global
* policy.
*
* With the original TLS patch, 1) a per-site ENCRYPT could not override
* a global VERIFY, and 2) a combined per-site (NONE+MAY) policy
* produced inconsistent results: it changed a global VERIFY into
* NONE, while producing MAY with all weaker global policy settings.
*
* With the current implementation, a combined per-site (NONE+MAY)
* consistently overrides global policy with NONE, and global policy
* can override only a per-site MAY wildcard. That is, specific
* policies consistently override wildcard policies, and
* (non-wildcard) per-site policies consistently override global
* policies.
*/
if (site_level == TLS_LEV_MAY && tls->level > TLS_LEV_MAY)
site_level = tls->level;
}
switch (site_level) {
default:
tls->level = site_level;
case TLS_LEV_NOTFOUND:
break;
case TLS_LEV_INVALID:
return ((void *) tls);
}
/*
* DANE initialization may change the security level to something else,
* so do this early, so that we use the right level below. Note that
* "dane-only" changes to "dane" once we obtain the requisite TLSA
* records.
*/
if (tls->level == TLS_LEV_DANE || tls->level == TLS_LEV_DANE_ONLY)
dane_init(tls, iter);
if (tls->level == TLS_LEV_INVALID)
return ((void *) tls);
/*
* Use main.cf protocols setting if not set in per-destination table.
*/
if (tls->level > TLS_LEV_NONE && tls->protocols == 0)
tls->protocols =
mystrdup((tls->level == TLS_LEV_MAY) ?
var_smtp_tls_proto : var_smtp_tls_mand_proto);
/*
* Compute cipher grade (if set in per-destination table, else
* set_cipher() uses main.cf settings) and security level dependent
* cipher exclusion list.
*/
set_cipher_grade(tls);
/*
* Use main.cf cert_match setting if not set in per-destination table.
*/
switch (tls->level) {
case TLS_LEV_INVALID:
case TLS_LEV_NONE:
case TLS_LEV_MAY:
case TLS_LEV_ENCRYPT:
case TLS_LEV_DANE:
break;
case TLS_LEV_FPRINT:
if (tls->dane == 0)
tls->dane = tls_dane_alloc();
if (!TLS_DANE_HASEE(tls->dane)) {
tls_dane_add_ee_digests(tls->dane, var_smtp_tls_fpt_dgst,
var_smtp_tls_fpt_cmatch, "\t\n\r, ");
if (!TLS_DANE_HASEE(tls->dane)) {
msg_warn("nexthop domain %s: configured at fingerprint "
"security level, but with no fingerprints to match.",
dest);
MARK_INVALID(tls->why, &tls->level);
return ((void *) tls);
}
}
break;
case TLS_LEV_VERIFY:
case TLS_LEV_SECURE:
if (tls->matchargv == 0)
tls->matchargv =
argv_split(tls->level == TLS_LEV_VERIFY ?
var_smtp_tls_vfy_cmatch : var_smtp_tls_sec_cmatch,
"\t\n\r, :");
if (*var_smtp_tls_tafile) {
if (tls->dane == 0)
tls->dane = tls_dane_alloc();
if (!TLS_DANE_HASTA(tls->dane)
&& !load_tas(tls->dane, var_smtp_tls_tafile)) {
MARK_INVALID(tls->why, &tls->level);
return ((void *) tls);
}
}
break;
default:
msg_panic("unexpected TLS security level: %d", tls->level);
}
if (msg_verbose && tls->level != global_tls_level())
msg_info("%s TLS level: %s", "effective", policy_name(tls->level));
return ((void *) tls);
}
static int deliver_message(DELIVER_REQUEST *request, char *service, char **argv)
{
const char *myname = "deliver_message";
static PIPE_PARAMS conf;
static PIPE_ATTR attr;
RECIPIENT_LIST *rcpt_list = &request->rcpt_list;
DSN_BUF *why = dsb_create();
VSTRING *buf;
ARGV *expanded_argv = 0;
int deliver_status;
int command_status;
ARGV *export_env;
const char *sender;
#define DELIVER_MSG_CLEANUP() { \
dsb_free(why); \
if (expanded_argv) argv_free(expanded_argv); \
}
if (msg_verbose)
msg_info("%s: from <%s>", myname, request->sender);
/*
* Sanity checks. The get_service_params() and get_service_attr()
* routines also do some sanity checks. Look up service attributes and
* config information only once. This is safe since the information comes
* from a trusted source, not from the delivery request.
*/
if (request->nexthop[0] == 0)
msg_fatal("empty nexthop hostname");
if (rcpt_list->len <= 0)
msg_fatal("recipient count: %d", rcpt_list->len);
if (attr.command == 0) {
get_service_params(&conf, service);
get_service_attr(&attr, argv);
}
/*
* The D flag cannot be specified for multi-recipient deliveries.
*/
if ((attr.flags & MAIL_COPY_DELIVERED) && (rcpt_list->len > 1)) {
dsb_simple(why, "4.3.5", "mail system configuration error");
deliver_status = eval_command_status(PIPE_STAT_DEFER, service,
request, &attr, why);
msg_warn("pipe flag `D' requires %s_destination_recipient_limit = 1",
service);
DELIVER_MSG_CLEANUP();
return (deliver_status);
}
/*
* The O flag cannot be specified for multi-recipient deliveries.
*/
if ((attr.flags & MAIL_COPY_ORIG_RCPT) && (rcpt_list->len > 1)) {
dsb_simple(why, "4.3.5", "mail system configuration error");
deliver_status = eval_command_status(PIPE_STAT_DEFER, service,
request, &attr, why);
msg_warn("pipe flag `O' requires %s_destination_recipient_limit = 1",
service);
DELIVER_MSG_CLEANUP();
return (deliver_status);
}
/*
* Check that this agent accepts messages this large.
*/
if (attr.size_limit != 0 && request->data_size > attr.size_limit) {
if (msg_verbose)
msg_info("%s: too big: size_limit = %ld, request->data_size = %ld",
myname, (long) attr.size_limit, request->data_size);
dsb_simple(why, "5.2.3", "message too large");
deliver_status = eval_command_status(PIPE_STAT_BOUNCE, service,
request, &attr, why);
DELIVER_MSG_CLEANUP();
return (deliver_status);
}
/*
* Don't deliver a trace-only request.
*/
if (DEL_REQ_TRACE_ONLY(request->flags)) {
RECIPIENT *rcpt;
int status;
int n;
deliver_status = 0;
dsb_simple(why, "2.0.0", "delivers to command: %s", attr.command[0]);
(void) DSN_FROM_DSN_BUF(why);
for (n = 0; n < request->rcpt_list.len; n++) {
rcpt = request->rcpt_list.info + n;
status = sent(DEL_REQ_TRACE_FLAGS(request->flags),
request->queue_id, &request->msg_stats,
rcpt, service, &why->dsn);
if (status == 0 && (request->flags & DEL_REQ_FLAG_SUCCESS))
deliver_completed(request->fp, rcpt->offset);
deliver_status |= status;
}
DELIVER_MSG_CLEANUP();
return (deliver_status);
}
/*
* Report mail delivery loops. By definition, this requires
* single-recipient delivery. Don't silently lose recipients.
*/
if (attr.flags & MAIL_COPY_DELIVERED) {
DELIVERED_HDR_INFO *info;
RECIPIENT *rcpt;
int loop_found;
if (request->rcpt_list.len > 1)
msg_panic("%s: delivered-to enabled with multi-recipient request",
myname);
info = delivered_hdr_init(request->fp, request->data_offset,
FOLD_ADDR_ALL);
rcpt = request->rcpt_list.info;
loop_found = delivered_hdr_find(info, rcpt->address);
delivered_hdr_free(info);
if (loop_found) {
dsb_simple(why, "5.4.6", "mail forwarding loop for %s",
rcpt->address);
deliver_status = eval_command_status(PIPE_STAT_BOUNCE, service,
request, &attr, why);
DELIVER_MSG_CLEANUP();
return (deliver_status);
}
}
/*
* Deliver. Set the nexthop and sender variables, and expand the command
* argument vector. Recipients will be expanded on the fly. XXX Rewrite
* envelope and header addresses according to transport-specific
* rewriting rules.
*/
if (vstream_fseek(request->fp, request->data_offset, SEEK_SET) < 0)
msg_fatal("seek queue file %s: %m", VSTREAM_PATH(request->fp));
/*
* A non-empty null sender replacement is subject to the 'q' flag.
*/
buf = vstring_alloc(10);
sender = *request->sender ? request->sender : STR(attr.null_sender);
if (*sender && (attr.flags & PIPE_OPT_QUOTE_LOCAL)) {
quote_822_local(buf, sender);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_SENDER, STR(buf));
} else
dict_update(PIPE_DICT_TABLE, PIPE_DICT_SENDER, sender);
if (attr.flags & PIPE_OPT_FOLD_HOST) {
vstring_strcpy(buf, request->nexthop);
lowercase(STR(buf));
dict_update(PIPE_DICT_TABLE, PIPE_DICT_NEXTHOP, STR(buf));
} else
dict_update(PIPE_DICT_TABLE, PIPE_DICT_NEXTHOP, request->nexthop);
vstring_sprintf(buf, "%ld", (long) request->data_size);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_SIZE, STR(buf));
dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_ADDR,
request->client_addr);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_HELO,
request->client_helo);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_NAME,
request->client_name);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_PORT,
request->client_port);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_CLIENT_PROTO,
request->client_proto);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_SASL_METHOD,
request->sasl_method);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_SASL_USERNAME,
request->sasl_username);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_SASL_SENDER,
request->sasl_sender);
dict_update(PIPE_DICT_TABLE, PIPE_DICT_QUEUE_ID,
request->queue_id);
vstring_free(buf);
if ((expanded_argv = expand_argv(service, attr.command,
rcpt_list, attr.flags)) == 0) {
dsb_simple(why, "4.3.5", "mail system configuration error");
deliver_status = eval_command_status(PIPE_STAT_DEFER, service,
request, &attr, why);
DELIVER_MSG_CLEANUP();
return (deliver_status);
}
export_env = argv_split(var_export_environ, ", \t\r\n");
command_status = pipe_command(request->fp, why,
PIPE_CMD_UID, attr.uid,
PIPE_CMD_GID, attr.gid,
PIPE_CMD_SENDER, sender,
PIPE_CMD_COPY_FLAGS, attr.flags,
PIPE_CMD_ARGV, expanded_argv->argv,
PIPE_CMD_TIME_LIMIT, conf.time_limit,
PIPE_CMD_EOL, STR(attr.eol),
PIPE_CMD_EXPORT, export_env->argv,
PIPE_CMD_CWD, attr.exec_dir,
PIPE_CMD_CHROOT, attr.chroot_dir,
PIPE_CMD_ORIG_RCPT, rcpt_list->info[0].orig_addr,
PIPE_CMD_DELIVERED, rcpt_list->info[0].address,
PIPE_CMD_END);
argv_free(export_env);
deliver_status = eval_command_status(command_status, service, request,
&attr, why);
/*
* Clean up.
*/
DELIVER_MSG_CLEANUP();
return (deliver_status);
}
