int deliver_command(LOCAL_STATE state, USER_ATTR usr_attr, const char *command)
{
const char *myname = "deliver_command";
DSN_BUF *why = state.msg_attr.why;
int cmd_status;
int deliver_status;
ARGV *env;
int copy_flags;
char **cpp;
char *cp;
ARGV *export_env;
VSTRING *exec_dir;
int expand_status;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* DUPLICATE ELIMINATION
*
* Skip this command if it was already delivered to as this user.
*/
if (been_here(state.dup_filter, "command %s:%ld %s",
state.msg_attr.user, (long) usr_attr.uid, command))
return (0);
/*
* Don't deliver a trace-only request.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to command: %s", command);
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* DELIVERY RIGHTS
*
* Choose a default uid and gid when none have been selected (i.e. values
* are still zero).
*/
if (usr_attr.uid == 0 && (usr_attr.uid = var_default_uid) == 0)
msg_panic("privileged default user id");
if (usr_attr.gid == 0 && (usr_attr.gid = var_default_gid) == 0)
msg_panic("privileged default group id");
/*
* Deliver.
*/
copy_flags = MAIL_COPY_FROM | MAIL_COPY_RETURN_PATH
| MAIL_COPY_ORIG_RCPT;
if (local_deliver_hdr_mask & DELIVER_HDR_CMD)
copy_flags |= MAIL_COPY_DELIVERED;
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("%s: seek queue file %s: %m",
myname, VSTREAM_PATH(state.msg_attr.fp));
/*
* Pass additional environment information. XXX This should be
* configurable. However, passing untrusted information via environment
* parameters opens up a whole can of worms. Lesson from web servers:
* don't let any network data even near a shell. It causes trouble.
*/
env = argv_alloc(1);
if (usr_attr.home)
argv_add(env, "HOME", usr_attr.home, ARGV_END);
argv_add(env,
"LOGNAME", state.msg_attr.user,
"USER", state.msg_attr.user,
"SENDER", state.msg_attr.sender,
"RECIPIENT", state.msg_attr.rcpt.address,
"LOCAL", state.msg_attr.local,
ARGV_END);
if (usr_attr.shell)
argv_add(env, "SHELL", usr_attr.shell, ARGV_END);
if (state.msg_attr.domain)
argv_add(env, "DOMAIN", state.msg_attr.domain, ARGV_END);
if (state.msg_attr.extension)
argv_add(env, "EXTENSION", state.msg_attr.extension, ARGV_END);
if (state.msg_attr.rcpt.orig_addr && state.msg_attr.rcpt.orig_addr[0])
argv_add(env, "ORIGINAL_RECIPIENT", state.msg_attr.rcpt.orig_addr,
ARGV_END);
#define EXPORT_REQUEST(name, value) \
if ((value)[0]) argv_add(env, (name), (value), ARGV_END);
EXPORT_REQUEST("CLIENT_HOSTNAME", state.msg_attr.request->client_name);
EXPORT_REQUEST("CLIENT_ADDRESS", state.msg_attr.request->client_addr);
EXPORT_REQUEST("CLIENT_HELO", state.msg_attr.request->client_helo);
EXPORT_REQUEST("CLIENT_PROTOCOL", state.msg_attr.request->client_proto);
EXPORT_REQUEST("SASL_METHOD", state.msg_attr.request->sasl_method);
EXPORT_REQUEST("SASL_SENDER", state.msg_attr.request->sasl_sender);
EXPORT_REQUEST("SASL_USERNAME", state.msg_attr.request->sasl_username);
argv_terminate(env);
/*
* Censor out undesirable characters from exported data.
*/
for (cpp = env->argv; *cpp; cpp += 2)
for (cp = cpp[1]; *(cp += strspn(cp, var_cmd_exp_filter)) != 0;)
*cp++ = '_';
/*
* Evaluate the command execution directory. Defer delivery if expansion
* fails.
*/
export_env = mail_parm_split(VAR_EXPORT_ENVIRON, var_export_environ);
exec_dir = vstring_alloc(10);
expand_status = local_expand(exec_dir, var_exec_directory,
&state, &usr_attr, var_exec_exp_filter);
if (expand_status & MAC_PARSE_ERROR) {
cmd_status = PIPE_STAT_DEFER;
dsb_simple(why, "4.3.5", "mail system configuration error");
msg_warn("bad parameter value syntax for %s: %s",
VAR_EXEC_DIRECTORY, var_exec_directory);
} else {
cmd_status = pipe_command(state.msg_attr.fp, why,
PIPE_CMD_UID, usr_attr.uid,
PIPE_CMD_GID, usr_attr.gid,
PIPE_CMD_COMMAND, command,
PIPE_CMD_COPY_FLAGS, copy_flags,
PIPE_CMD_SENDER, state.msg_attr.sender,
PIPE_CMD_ORIG_RCPT, state.msg_attr.rcpt.orig_addr,
PIPE_CMD_DELIVERED, state.msg_attr.delivered,
PIPE_CMD_TIME_LIMIT, var_command_maxtime,
PIPE_CMD_ENV, env->argv,
PIPE_CMD_EXPORT, export_env->argv,
PIPE_CMD_SHELL, var_local_cmd_shell,
PIPE_CMD_CWD, *STR(exec_dir) ?
STR(exec_dir) : (char *) 0,
PIPE_CMD_END);
}
vstring_free(exec_dir);
argv_free(export_env);
argv_free(env);
/*
* Depending on the result, bounce or defer the message.
*/
switch (cmd_status) {
case PIPE_STAT_OK:
dsb_simple(why, "2.0.0", "delivered to command: %s", command);
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
break;
case PIPE_STAT_BOUNCE:
case PIPE_STAT_DEFER:
/* Account for possible owner- sender address override. */
deliver_status = bounce_workaround(state);
break;
case PIPE_STAT_CORRUPT:
deliver_status = DEL_STAT_DEFER;
break;
default:
msg_panic("%s: bad status %d", myname, cmd_status);
/* NOTREACHED */
}
return (deliver_status);
}
int deliver_recipient(LOCAL_STATE state, USER_ATTR usr_attr)
{
const char *myname = "deliver_recipient";
int rcpt_stat;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* Duplicate filter.
*/
if (been_here(state.dup_filter, "recipient %d %s",
state.level, state.msg_attr.rcpt.address))
return (0);
/*
* With each level of recursion, detect and break external message
* forwarding loops.
*
* If the looping recipient address has an owner- alias, send the error
* report there instead.
*
* XXX A delivery agent cannot change the envelope sender address for
* bouncing. As a workaround we use a one-recipient bounce procedure.
*
* The proper fix would be to record in the bounce logfile an error return
* address for each individual recipient. This would also eliminate the
* need for VERP specific bouncing code, at the cost of complicating the
* normal bounce sending procedure, but would simplify the code below.
*/
if (delivered_hdr_find(state.loop_info, state.msg_attr.rcpt.address)) {
dsb_simple(state.msg_attr.why, "5.4.6", "mail forwarding loop for %s",
state.msg_attr.rcpt.address);
/* Account for possible owner- sender address override. */
return (bounce_workaround(state));
}
/*
* Set up the recipient-specific attributes. If this is forwarded mail,
* leave the delivered attribute alone, so that the forwarded message
* will show the correct forwarding recipient.
*/
if (state.msg_attr.delivered == 0)
state.msg_attr.delivered = state.msg_attr.rcpt.address;
state.msg_attr.local = mystrdup(state.msg_attr.rcpt.address);
lowercase(state.msg_attr.local);
if ((state.msg_attr.domain = split_at_right(state.msg_attr.local, '@')) == 0)
msg_warn("no @ in recipient address: %s", state.msg_attr.local);
/*
* Address extension management.
*/
state.msg_attr.user = mystrdup(state.msg_attr.local);
if (*var_rcpt_delim) {
state.msg_attr.extension =
split_addr(state.msg_attr.user, *var_rcpt_delim);
if (state.msg_attr.extension && strchr(state.msg_attr.extension, '/')) {
msg_warn("%s: address with illegal extension: %s",
state.msg_attr.queue_id, state.msg_attr.local);
state.msg_attr.extension = 0;
}
} else
state.msg_attr.extension = 0;
state.msg_attr.unmatched = state.msg_attr.extension;
/*
* Do not allow null usernames.
*/
if (state.msg_attr.user[0] == 0) {
dsb_simple(state.msg_attr.why, "5.1.3",
"null username in \"%s\"", state.msg_attr.rcpt.address);
return (bounce_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr)));
}
/*
* Run the recipient through the delivery switch.
*/
if (msg_verbose)
deliver_attr_dump(&state.msg_attr);
rcpt_stat = deliver_switch(state, usr_attr);
/*
* Clean up.
*/
myfree(state.msg_attr.local);
myfree(state.msg_attr.user);
return (rcpt_stat);
}
int deliver_file(LOCAL_STATE state, USER_ATTR usr_attr, char *path)
{
const char *myname = "deliver_file";
struct stat st;
MBOX *mp;
DSN_BUF *why = state.msg_attr.why;
int mail_copy_status = MAIL_COPY_STAT_WRITE;
int deliver_status;
int copy_flags;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* DUPLICATE ELIMINATION
*
* Skip this file if it was already delivered to as this user.
*/
if (been_here(state.dup_filter, "file %ld %s", (long) usr_attr.uid, path))
return (0);
/*
* DELIVERY POLICY
*
* Do we allow delivery to files?
*/
if ((local_file_deliver_mask & state.msg_attr.exp_type) == 0) {
dsb_simple(why, "5.7.1", "mail to file is restricted");
/* Account for possible owner- sender address override. */
return (bounce_workaround(state));
}
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to file: %s", path);
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* DELIVERY RIGHTS
*
* Use a default uid/gid when none are given.
*/
if (usr_attr.uid == 0 && (usr_attr.uid = var_default_uid) == 0)
msg_panic("privileged default user id");
if (usr_attr.gid == 0 && (usr_attr.gid = var_default_gid) == 0)
msg_panic("privileged default group id");
/*
* If the name ends in /, use maildir-style delivery instead.
*/
if (path[strlen(path) - 1] == '/')
return (deliver_maildir(state, usr_attr, path));
/*
* Deliver. From here on, no early returns or we have a memory leak.
*/
if (msg_verbose)
msg_info("deliver_file (%ld,%ld): %s",
(long) usr_attr.uid, (long) usr_attr.gid, path);
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek queue file %s: %m", state.msg_attr.queue_id);
/*
* As the specified user, open or create the file, lock it, and append
* the message.
*/
copy_flags = MAIL_COPY_MBOX;
if ((local_deliver_hdr_mask & DELIVER_HDR_FILE) == 0)
copy_flags &= ~MAIL_COPY_DELIVERED;
set_eugid(usr_attr.uid, usr_attr.gid);
mp = mbox_open(path, O_APPEND | O_CREAT | O_WRONLY,
S_IRUSR | S_IWUSR, &st, -1, -1,
local_mbox_lock_mask | MBOX_DOT_LOCK_MAY_FAIL,
"5.2.0", why);
if (mp != 0) {
if (S_ISREG(st.st_mode) && st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) {
vstream_fclose(mp->fp);
dsb_simple(why, "5.7.1", "file is executable");
} else {
mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
S_ISREG(st.st_mode) ? copy_flags :
(copy_flags & ~MAIL_COPY_TOFILE),
"\n", why);
}
mbox_release(mp);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* As the mail system, bounce, defer delivery, or report success.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
vstring_sprintf_prepend(why->reason,
"cannot append message to file %s: ", path);
if (STR(why->status)[0] == '4')
deliver_status =
defer_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
else
/* Account for possible owner- sender address override. */
deliver_status = bounce_workaround(state);
} else {
dsb_simple(why, "2.0.0", "delivered to file: %s", path);
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
}
return (deliver_status);
}
