static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
{
const char *myname = "deliver_mailbox_file";
DSN_BUF *why = state.msg_attr.why;
MBOX *mp;
int mail_copy_status;
int deliver_status;
int copy_flags;
long end;
struct stat st;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to mailbox");
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* Initialize. Assume the operation will fail. Set the delivered
* attribute to reflect the final recipient.
*/
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek message file %s: %m", VSTREAM_PATH(state.msg_attr.fp));
state.msg_attr.delivered = state.msg_attr.rcpt.address;
mail_copy_status = MAIL_COPY_STAT_WRITE;
/*
* Lock the mailbox and open/create the mailbox file.
*
* Write the file as the recipient, so that file quota work.
*/
copy_flags = MAIL_COPY_MBOX;
set_eugid(usr_attr.uid, usr_attr.gid);
mp = mbox_open(usr_attr.mailbox, O_APPEND | O_WRONLY | O_CREAT,
S_IRUSR | S_IWUSR, &st, -1, -1,
virtual_mbox_lock_mask, "4.2.0", why);
if (mp != 0) {
if (S_ISREG(st.st_mode) == 0) {
vstream_fclose(mp->fp);
msg_warn("recipient %s: destination %s is not a regular file",
state.msg_attr.rcpt.address, usr_attr.mailbox);
dsb_simple(why, "5.3.5", "mail system configuration error");
} else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
vstream_fclose(mp->fp);
dsb_simple(why, "4.2.0",
"destination %s is not owned by recipient", usr_attr.mailbox);
msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
VAR_STRICT_MBOX_OWNER);
} else {
end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
copy_flags, "\n", why);
}
mbox_release(mp);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* As the mail system, bounce, defer delivery, or report success.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
vstring_sprintf_prepend(why->reason, "delivery failed to mailbox %s: ",
usr_attr.mailbox);
deliver_status =
(STR(why->status)[0] == '4' ?
defer_append : bounce_append)
(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
} else {
dsb_simple(why, "2.0.0", "delivered to mailbox");
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
}
return (deliver_status);
}
int deliver_file(LOCAL_STATE state, USER_ATTR usr_attr, char *path)
{
const char *myname = "deliver_file";
struct stat st;
MBOX *mp;
DSN_BUF *why = state.msg_attr.why;
int mail_copy_status = MAIL_COPY_STAT_WRITE;
int deliver_status;
int copy_flags;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* DUPLICATE ELIMINATION
*
* Skip this file if it was already delivered to as this user.
*/
if (been_here(state.dup_filter, "file %ld %s", (long) usr_attr.uid, path))
return (0);
/*
* DELIVERY POLICY
*
* Do we allow delivery to files?
*/
if ((local_file_deliver_mask & state.msg_attr.exp_type) == 0) {
dsb_simple(why, "5.7.1", "mail to file is restricted");
/* Account for possible owner- sender address override. */
return (bounce_workaround(state));
}
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to file: %s", path);
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* DELIVERY RIGHTS
*
* Use a default uid/gid when none are given.
*/
if (usr_attr.uid == 0 && (usr_attr.uid = var_default_uid) == 0)
msg_panic("privileged default user id");
if (usr_attr.gid == 0 && (usr_attr.gid = var_default_gid) == 0)
msg_panic("privileged default group id");
/*
* If the name ends in /, use maildir-style delivery instead.
*/
if (path[strlen(path) - 1] == '/')
return (deliver_maildir(state, usr_attr, path));
/*
* Deliver. From here on, no early returns or we have a memory leak.
*/
if (msg_verbose)
msg_info("deliver_file (%ld,%ld): %s",
(long) usr_attr.uid, (long) usr_attr.gid, path);
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek queue file %s: %m", state.msg_attr.queue_id);
/*
* As the specified user, open or create the file, lock it, and append
* the message.
*/
copy_flags = MAIL_COPY_MBOX;
if ((local_deliver_hdr_mask & DELIVER_HDR_FILE) == 0)
copy_flags &= ~MAIL_COPY_DELIVERED;
set_eugid(usr_attr.uid, usr_attr.gid);
mp = mbox_open(path, O_APPEND | O_CREAT | O_WRONLY,
S_IRUSR | S_IWUSR, &st, -1, -1,
local_mbox_lock_mask | MBOX_DOT_LOCK_MAY_FAIL,
"5.2.0", why);
if (mp != 0) {
if (S_ISREG(st.st_mode) && st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) {
vstream_fclose(mp->fp);
dsb_simple(why, "5.7.1", "file is executable");
} else {
mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
S_ISREG(st.st_mode) ? copy_flags :
(copy_flags & ~MAIL_COPY_TOFILE),
"\n", why);
}
mbox_release(mp);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* As the mail system, bounce, defer delivery, or report success.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
vstring_sprintf_prepend(why->reason,
"cannot append message to file %s: ", path);
if (STR(why->status)[0] == '4')
deliver_status =
defer_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
else
/* Account for possible owner- sender address override. */
deliver_status = bounce_workaround(state);
} else {
dsb_simple(why, "2.0.0", "delivered to file: %s", path);
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
}
return (deliver_status);
}
static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
{
const char *myname = "deliver_mailbox_file";
char *spool_dir;
char *mailbox;
DSN_BUF *why = state.msg_attr.why;
MBOX *mp;
int mail_copy_status;
int deliver_status;
int copy_flags;
VSTRING *biff;
long end;
struct stat st;
uid_t spool_uid;
gid_t spool_gid;
uid_t chown_uid;
gid_t chown_gid;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to mailbox");
return (sent(BOUNCE_FLAGS(state.request), SENT_ATTR(state.msg_attr)));
}
/*
* Initialize. Assume the operation will fail. Set the delivered
* attribute to reflect the final recipient.
*/
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek message file %s: %m", VSTREAM_PATH(state.msg_attr.fp));
if (var_frozen_delivered == 0)
state.msg_attr.delivered = state.msg_attr.rcpt.address;
mail_copy_status = MAIL_COPY_STAT_WRITE;
if (*var_home_mailbox) {
spool_dir = 0;
mailbox = concatenate(usr_attr.home, "/", var_home_mailbox, (char *) 0);
} else {
spool_dir = var_mail_spool_dir;
mailbox = concatenate(spool_dir, "/", state.msg_attr.user, (char *) 0);
}
/*
* Mailbox delivery with least privilege. As long as we do not use root
* privileges this code may also work over NFS.
*
* If delivering to the recipient's home directory, perform all operations
* (including file locking) as that user (Mike Muuss, Army Research
* Laboratory, USA).
*
* If delivering to the mail spool directory, and the spool directory is
* world-writable, deliver as the recipient; if the spool directory is
* group-writable, use the recipient user id and the mail spool group id.
*
* Otherwise, use root privileges and chown the mailbox.
*/
if (spool_dir == 0
|| stat(spool_dir, &st) < 0
|| (st.st_mode & S_IWOTH) != 0) {
spool_uid = usr_attr.uid;
spool_gid = usr_attr.gid;
} else if ((st.st_mode & S_IWGRP) != 0) {
spool_uid = usr_attr.uid;
spool_gid = st.st_gid;
} else {
spool_uid = 0;
spool_gid = 0;
}
if (spool_uid == usr_attr.uid) {
chown_uid = -1;
chown_gid = -1;
} else {
chown_uid = usr_attr.uid;
chown_gid = usr_attr.gid;
}
if (msg_verbose)
msg_info("spool_uid/gid %ld/%ld chown_uid/gid %ld/%ld",
(long) spool_uid, (long) spool_gid,
(long) chown_uid, (long) chown_gid);
/*
* Lock the mailbox and open/create the mailbox file. Depending on the
* type of locking used, we lock first or we open first.
*
* Write the file as the recipient, so that file quota work.
*/
copy_flags = MAIL_COPY_MBOX;
if ((local_deliver_hdr_mask & DELIVER_HDR_FILE) == 0)
copy_flags &= ~MAIL_COPY_DELIVERED;
set_eugid(spool_uid, spool_gid);
mp = mbox_open(mailbox, O_APPEND | O_WRONLY | O_CREAT,
S_IRUSR | S_IWUSR, &st, chown_uid, chown_gid,
local_mbox_lock_mask, "5.2.0", why);
if (mp != 0) {
if (spool_uid != usr_attr.uid || spool_gid != usr_attr.gid)
set_eugid(usr_attr.uid, usr_attr.gid);
if (S_ISREG(st.st_mode) == 0) {
vstream_fclose(mp->fp);
dsb_simple(why, "5.2.0",
"destination %s is not a regular file", mailbox);
} else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
vstream_fclose(mp->fp);
dsb_simple(why, "4.2.0",
"destination %s is not owned by recipient", mailbox);
msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
VAR_STRICT_MBOX_OWNER);
} else {
end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
copy_flags, "\n", why);
}
if (spool_uid != usr_attr.uid || spool_gid != usr_attr.gid)
set_eugid(spool_uid, spool_gid);
mbox_release(mp);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* As the mail system, bounce, defer delivery, or report success.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
vstring_sprintf_prepend(why->reason,
"cannot update mailbox %s for user %s. ",
mailbox, state.msg_attr.user);
deliver_status =
(STR(why->status)[0] == '4' ?
defer_append : bounce_append)
(BOUNCE_FLAGS(state.request), BOUNCE_ATTR(state.msg_attr));
} else {
dsb_simple(why, "2.0.0", "delivered to mailbox");
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
if (var_biff) {
biff = vstring_alloc(100);
vstring_sprintf(biff, "%s@%ld", usr_attr.logname, (long) end);
biff_notify(STR(biff), VSTRING_LEN(biff) + 1);
vstring_free(biff);
}
}
/*
* Clean up.
*/
myfree(mailbox);
return (deliver_status);
}
int deliver_maildir(LOCAL_STATE state, USER_ATTR usr_attr)
{
const char *myname = "deliver_maildir";
char *newdir;
char *tmpdir;
char *curdir;
char *tmpfile;
char *newfile;
DSN_BUF *why = state.msg_attr.why;
VSTRING *buf;
VSTREAM *dst;
int mail_copy_status;
int deliver_status;
int copy_flags;
struct stat st;
struct timeval starttime;
GETTIMEOFDAY(&starttime);
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to maildir");
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* Initialize. Assume the operation will fail. Set the delivered
* attribute to reflect the final recipient.
*/
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek message file %s: %m", VSTREAM_PATH(state.msg_attr.fp));
state.msg_attr.delivered = state.msg_attr.rcpt.address;
mail_copy_status = MAIL_COPY_STAT_WRITE;
buf = vstring_alloc(100);
copy_flags = MAIL_COPY_TOFILE | MAIL_COPY_RETURN_PATH
| MAIL_COPY_DELIVERED | MAIL_COPY_ORIG_RCPT;
newdir = concatenate(usr_attr.mailbox, "new/", (char *) 0);
tmpdir = concatenate(usr_attr.mailbox, "tmp/", (char *) 0);
curdir = concatenate(usr_attr.mailbox, "cur/", (char *) 0);
/*
* Create and write the file as the recipient, so that file quota work.
* Create any missing directories on the fly. The file name is chosen
* according to ftp://koobera.math.uic.edu/www/proto/maildir.html:
*
* "A unique name has three pieces, separated by dots. On the left is the
* result of time(). On the right is the result of gethostname(). In the
* middle is something that doesn't repeat within one second on a single
* host. I fork a new process for each delivery, so I just use the
* process ID. If you're delivering several messages from one process,
* use starttime.pid_count.host, where starttime is the time that your
* process started, and count is the number of messages you've
* delivered."
*
* Well, that stopped working on fast machines, and on operating systems
* that randomize process ID values. When creating a file in tmp/ we use
* the process ID because it still is an exclusive resource. When moving
* the file to new/ we use the device number and inode number. I do not
* care if this breaks on a remote AFS file system, because people should
* know better.
*
* On January 26, 2003, http://cr.yp.to/proto/maildir.html said:
*
* A unique name has three pieces, separated by dots. On the left is the
* result of time() or the second counter from gettimeofday(). On the
* right is the result of gethostname(). (To deal with invalid host
* names, replace / with \057 and : with \072.) In the middle is a
* delivery identifier, discussed below.
*
* [...]
*
* Modern delivery identifiers are created by concatenating enough of the
* following strings to guarantee uniqueness:
*
* [...]
*
* In, where n is (in hexadecimal) the UNIX inode number of this file.
* Unfortunately, inode numbers aren't always available through NFS.
*
* Vn, where n is (in hexadecimal) the UNIX device number of this file.
* Unfortunately, device numbers aren't always available through NFS.
* (Device numbers are also not helpful with the standard UNIX
* filesystem: a maildir has to be within a single UNIX device for link()
* and rename() to work.)
*
* Mn, where n is (in decimal) the microsecond counter from the same
* gettimeofday() used for the left part of the unique name.
*
* Pn, where n is (in decimal) the process ID.
*
* [...]
*/
set_eugid(usr_attr.uid, usr_attr.gid);
vstring_sprintf(buf, "%lu.P%d.%s",
(unsigned long) starttime.tv_sec, var_pid, get_hostname());
tmpfile = concatenate(tmpdir, STR(buf), (char *) 0);
newfile = 0;
if ((dst = vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == 0
&& (errno != ENOENT
|| make_dirs(tmpdir, 0700) < 0
|| (dst = vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == 0)) {
dsb_simple(why, mbox_dsn(errno, "4.2.0"),
"create maildir file %s: %m", tmpfile);
} else if (fstat(vstream_fileno(dst), &st) < 0) {
/*
* Coverity 200604: file descriptor leak in code that never executes.
* Code replaced by msg_fatal(), as it is not worthwhile to continue
* after an impossible error condition.
*/
msg_fatal("fstat %s: %m", tmpfile);
} else {
vstring_sprintf(buf, "%lu.V%lxI%lxM%lu.%s",
(unsigned long) starttime.tv_sec,
(unsigned long) st.st_dev,
(unsigned long) st.st_ino,
(unsigned long) starttime.tv_usec,
get_hostname());
newfile = concatenate(newdir, STR(buf), (char *) 0);
if ((mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr),
dst, copy_flags, "\n",
why)) == 0) {
if (sane_link(tmpfile, newfile) < 0
&& (errno != ENOENT
|| (make_dirs(curdir, 0700), make_dirs(newdir, 0700)) < 0
|| sane_link(tmpfile, newfile) < 0)) {
dsb_simple(why, mbox_dsn(errno, "4.2.0"),
"create maildir file %s: %m", newfile);
mail_copy_status = MAIL_COPY_STAT_WRITE;
}
}
if (unlink(tmpfile) < 0)
msg_warn("remove %s: %m", tmpfile);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* The maildir location is controlled by the mail administrator. If
* delivery fails, try again later. We would just bounce when the maildir
* location possibly under user control.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
if (errno == EACCES) {
msg_warn("maildir access problem for UID/GID=%lu/%lu: %s",
(long) usr_attr.uid, (long) usr_attr.gid,
STR(why->reason));
msg_warn("perhaps you need to create the maildirs in advance");
}
vstring_sprintf_prepend(why->reason, "maildir delivery failed: ");
deliver_status =
(STR(why->status)[0] == '4' ?
defer_append : bounce_append)
(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
} else {
dsb_simple(why, "2.0.0", "delivered to maildir");
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
}
vstring_free(buf);
myfree(newdir);
myfree(tmpdir);
myfree(curdir);
myfree(tmpfile);
if (newfile)
myfree(newfile);
return (deliver_status);
}
