static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
{
const char *myname = "xsasl_dovecot_server_connect";
VSTRING *line_str;
VSTREAM *sasl_stream;
char *line, *cmd, *mech_name;
unsigned int major_version, minor_version;
int fd, success;
int sec_props;
const char *path;
if (msg_verbose)
msg_info("%s: Connecting", myname);
/*
* Not documented, but necessary for testing.
*/
path = xp->socket_path;
if (strncmp(path, "inet:", 5) == 0) {
fd = inet_connect(path + 5, BLOCKING, AUTH_TIMEOUT);
} else {
if (strncmp(path, "unix:", 5) == 0)
path += 5;
fd = unix_connect(path, BLOCKING, AUTH_TIMEOUT);
}
if (fd < 0) {
msg_warn("SASL: Connect to %s failed: %m", xp->socket_path);
return (-1);
}
sasl_stream = vstream_fdopen(fd, O_RDWR);
vstream_control(sasl_stream,
VSTREAM_CTL_PATH, xp->socket_path,
VSTREAM_CTL_TIMEOUT, AUTH_TIMEOUT,
VSTREAM_CTL_END);
/* XXX Encapsulate for logging. */
vstream_fprintf(sasl_stream,
"VERSION\t%u\t%u\n"
"CPID\t%u\n",
AUTH_PROTOCOL_MAJOR_VERSION,
AUTH_PROTOCOL_MINOR_VERSION,
(unsigned int) getpid());
if (vstream_fflush(sasl_stream) == VSTREAM_EOF) {
msg_warn("SASL: Couldn't send handshake: %m");
return (-1);
}
success = 0;
line_str = vstring_alloc(256);
/* XXX Encapsulate for logging. */
while (vstring_get_nonl(line_str, sasl_stream) != VSTREAM_EOF) {
line = vstring_str(line_str);
if (msg_verbose)
msg_info("%s: auth reply: %s", myname, line);
cmd = line;
line = split_at(line, '\t');
if (strcmp(cmd, "VERSION") == 0) {
if (sscanf(line, "%u\t%u", &major_version, &minor_version) != 2) {
msg_warn("SASL: Protocol version error");
break;
}
if (major_version != AUTH_PROTOCOL_MAJOR_VERSION) {
/* Major version is different from ours. */
msg_warn("SASL: Protocol version mismatch (%d vs. %d)",
major_version, AUTH_PROTOCOL_MAJOR_VERSION);
break;
}
} else if (strcmp(cmd, "MECH") == 0 && line != NULL) {
mech_name = line;
line = split_at(line, '\t');
if (line != 0) {
sec_props =
name_mask_delim_opt(myname,
xsasl_dovecot_serv_sec_props,
line, "\t",
NAME_MASK_ANY_CASE | NAME_MASK_IGNORE);
if ((sec_props & SEC_PROPS_PRIVATE) != 0)
continue;
} else
sec_props = 0;
xsasl_dovecot_server_mech_append(&xp->mechanism_list, mech_name,
sec_props);
} else if (strcmp(cmd, "DONE") == 0) {
/* Handshake finished. */
success = 1;
break;
} else {
/* ignore any unknown commands */
}
}
vstring_free(line_str);
if (!success) {
/* handshake failed */
(void) vstream_fclose(sasl_stream);
return (-1);
}
xp->sasl_stream = sasl_stream;
return (0);
}
int main(int argc, char **argv)
{
VSTRING *buffer;
VSTREAM *fp;
int ch;
int fd;
struct stat st;
int flags = 0;
static char *queue_names[] = {
MAIL_QUEUE_MAILDROP,
MAIL_QUEUE_INCOMING,
MAIL_QUEUE_ACTIVE,
MAIL_QUEUE_DEFERRED,
MAIL_QUEUE_HOLD,
MAIL_QUEUE_SAVED,
0,
};
char **cpp;
int tries;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal("open /dev/null: %m");
/*
* Set up logging.
*/
msg_vstream_init(argv[0], VSTREAM_ERR);
/*
* Parse JCL.
*/
while ((ch = GETOPT(argc, argv, "bc:dehoqv")) > 0) {
switch (ch) {
case 'b':
flags |= PC_FLAG_PRINT_BODY;
break;
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'd':
flags |= PC_FLAG_PRINT_RTYPE_DEC;
break;
case 'e':
flags |= PC_FLAG_PRINT_ENV;
break;
case 'h':
flags |= PC_FLAG_PRINT_HEADER;
break;
case 'o':
flags |= PC_FLAG_PRINT_OFFSET;
break;
case 'q':
flags |= PC_FLAG_SEARCH_QUEUE;
break;
case 'v':
msg_verbose++;
break;
default:
usage(argv[0]);
}
}
if ((flags & PC_MASK_PRINT_ALL) == 0)
flags |= PC_MASK_PRINT_ALL;
/*
* Further initialization...
*/
mail_conf_read();
/*
* Initialize.
*/
buffer = vstring_alloc(10);
/*
* If no file names are given, copy stdin.
*/
if (argc == optind) {
vstream_control(VSTREAM_IN,
VSTREAM_CTL_PATH, "stdin",
VSTREAM_CTL_END);
postcat(VSTREAM_IN, buffer, flags);
}
/*
* Copy the named queue files in the specified order.
*/
else if (flags & PC_FLAG_SEARCH_QUEUE) {
if (chdir(var_queue_dir))
msg_fatal("chdir %s: %m", var_queue_dir);
while (optind < argc) {
if (!mail_queue_id_ok(argv[optind]))
msg_fatal("bad mail queue ID: %s", argv[optind]);
for (fp = 0, tries = 0; fp == 0 && tries < 2; tries++)
for (cpp = queue_names; fp == 0 && *cpp != 0; cpp++)
fp = mail_queue_open(*cpp, argv[optind], O_RDONLY, 0);
if (fp == 0)
msg_fatal("open queue file %s: %m", argv[optind]);
postcat(fp, buffer, flags);
if (vstream_fclose(fp))
msg_warn("close %s: %m", argv[optind]);
optind++;
}
}
/*
* Copy the named files in the specified order.
*/
else {
while (optind < argc) {
if ((fp = vstream_fopen(argv[optind], O_RDONLY, 0)) == 0)
msg_fatal("open %s: %m", argv[optind]);
postcat(fp, buffer, flags);
if (vstream_fclose(fp))
msg_warn("close %s: %m", argv[optind]);
optind++;
}
}
/*
* Clean up.
*/
vstring_free(buffer);
exit(0);
}
int main(int argc, char **argv)
{
static char *full_name = 0; /* sendmail -F */
struct stat st;
char *slash;
char *sender = 0; /* sendmail -f */
int c;
int fd;
int mode;
ARGV *ext_argv;
int debug_me = 0;
int err;
int n;
int flags = SM_FLAG_DEFAULT;
char *site_to_flush = 0;
char *id_to_flush = 0;
char *encoding = 0;
char *qtime = 0;
const char *errstr;
uid_t uid;
const char *rewrite_context = MAIL_ATTR_RWR_LOCAL;
int dsn_notify = 0;
int dsn_ret = 0;
const char *dsn_envid = 0;
int saved_optind;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal_status(EX_OSERR, "open /dev/null: %m");
/*
* The CDE desktop calendar manager leaks a parent file descriptor into
* the child process. For the sake of sendmail compatibility we have to
* close the file descriptor otherwise mail notification will hang.
*/
for ( /* void */ ; fd < 100; fd++)
(void) close(fd);
/*
* Process environment options as early as we can. We might be called
* from a set-uid (set-gid) program, so be careful with importing
* environment variables.
*/
if (safe_getenv(CONF_ENV_VERB))
msg_verbose = 1;
if (safe_getenv(CONF_ENV_DEBUG))
debug_me = 1;
/*
* Initialize. Set up logging, read the global configuration file and
* extract configuration information. Set up signal handlers so that we
* can clean up incomplete output.
*/
if ((slash = strrchr(argv[0], '/')) != 0 && slash[1])
argv[0] = slash + 1;
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_cleanup(tempfail);
msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Some sites mistakenly install Postfix sendmail as set-uid root. Drop
* set-uid privileges only when root, otherwise some systems will not
* reset the saved set-userid, which would be a security vulnerability.
*/
if (geteuid() == 0 && getuid() != 0) {
msg_warn("the Postfix sendmail command has set-uid root file permissions");
msg_warn("or the command is run from a set-uid root process");
msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions");
set_ugid(getuid(), getgid());
}
/*
* Further initialization. Load main.cf first, so that command-line
* options can override main.cf settings. Pre-scan the argument list so
* that we load the right main.cf file.
*/
#define GETOPT_LIST "A:B:C:F:GIL:N:O:R:UV:X:b:ce:f:h:imno:p:r:q:tvx"
saved_optind = optind;
while (argv[OPTIND] != 0) {
if (strcmp(argv[OPTIND], "-q") == 0) { /* not getopt compatible */
optind++;
continue;
}
if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0)
break;
if (c == 'C') {
VSTRING *buf = vstring_alloc(1);
if (setenv(CONF_ENV_PATH,
strcmp(sane_basename(buf, optarg), MAIN_CONF_FILE) == 0 ?
sane_dirname(buf, optarg) : optarg, 1) < 0)
msg_fatal_status(EX_UNAVAILABLE, "out of memory");
vstring_free(buf);
}
}
optind = saved_optind;
mail_conf_read();
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
get_mail_conf_str_table(str_table);
if (chdir(var_queue_dir))
msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
signal(SIGPIPE, SIG_IGN);
/*
* Optionally start the debugger on ourself. This must be done after
* reading the global configuration file, because that file specifies
* what debugger command to execute.
*/
if (debug_me)
debug_process();
/*
* The default mode of operation is determined by the process name. It
* can, however, be changed via command-line options (for example,
* "newaliases -bp" will show the mail queue).
*/
if (strcmp(argv[0], "mailq") == 0) {
mode = SM_MODE_MAILQ;
} else if (strcmp(argv[0], "newaliases") == 0) {
mode = SM_MODE_NEWALIAS;
} else if (strcmp(argv[0], "smtpd") == 0) {
mode = SM_MODE_DAEMON;
} else {
mode = SM_MODE_ENQUEUE;
}
/*
* Parse JCL. Sendmail has been around for a long time, and has acquired
* a large number of options in the course of time. Some options such as
* -q are not parsable with GETOPT() and get special treatment.
*/
#define OPTIND (optind > 0 ? optind : 1)
while (argv[OPTIND] != 0) {
if (strcmp(argv[OPTIND], "-q") == 0) {
if (mode == SM_MODE_DAEMON)
msg_warn("ignoring -q option in daemon mode");
else
mode = SM_MODE_FLUSHQ;
optind++;
continue;
}
if (strcmp(argv[OPTIND], "-V") == 0
&& argv[OPTIND + 1] != 0 && strlen(argv[OPTIND + 1]) == 2) {
msg_warn("option -V is deprecated with Postfix 2.3; "
"specify -XV instead");
argv[OPTIND] = "-XV";
}
if (strncmp(argv[OPTIND], "-V", 2) == 0 && strlen(argv[OPTIND]) == 4) {
msg_warn("option %s is deprecated with Postfix 2.3; "
"specify -X%s instead",
argv[OPTIND], argv[OPTIND] + 1);
argv[OPTIND] = concatenate("-X", argv[OPTIND] + 1, (char *) 0);
}
if (strcmp(argv[OPTIND], "-XV") == 0) {
verp_delims = var_verp_delims;
optind++;
continue;
}
if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0)
break;
switch (c) {
default:
if (msg_verbose)
msg_info("-%c option ignored", c);
break;
case 'n':
msg_fatal_status(EX_USAGE, "-%c option not supported", c);
case 'B':
if (strcmp(optarg, "8BITMIME") == 0)/* RFC 1652 */
encoding = MAIL_ATTR_ENC_8BIT;
else if (strcmp(optarg, "7BIT") == 0) /* RFC 1652 */
encoding = MAIL_ATTR_ENC_7BIT;
else
msg_fatal_status(EX_USAGE, "-B option needs 8BITMIME or 7BIT");
break;
case 'F': /* full name */
full_name = optarg;
break;
case 'G': /* gateway submission */
rewrite_context = MAIL_ATTR_RWR_REMOTE;
break;
case 'I': /* newaliases */
mode = SM_MODE_NEWALIAS;
break;
case 'N':
if ((dsn_notify = dsn_notify_mask(optarg)) == 0)
msg_warn("bad -N option value -- ignored");
break;
case 'R':
if ((dsn_ret = dsn_ret_code(optarg)) == 0)
msg_warn("bad -R option value -- ignored");
break;
case 'V': /* DSN, was: VERP */
if (strlen(optarg) > 100)
msg_warn("too long -V option value -- ignored");
else if (!allprint(optarg))
msg_warn("bad syntax in -V option value -- ignored");
else
dsn_envid = optarg;
break;
case 'X':
switch (*optarg) {
default:
msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg);
case 'V': /* VERP */
if (verp_delims_verify(optarg + 1) != 0)
msg_fatal_status(EX_USAGE, "-V requires two characters from %s",
var_verp_filter);
verp_delims = optarg + 1;
break;
}
break;
case 'b':
switch (*optarg) {
default:
msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg);
case 'd': /* daemon mode */
case 'l': /* daemon mode */
if (mode == SM_MODE_FLUSHQ)
msg_warn("ignoring -q option in daemon mode");
mode = SM_MODE_DAEMON;
break;
case 'h': /* print host status */
case 'H': /* flush host status */
mode = SM_MODE_IGNORE;
break;
case 'i': /* newaliases */
mode = SM_MODE_NEWALIAS;
break;
case 'm': /* deliver mail */
mode = SM_MODE_ENQUEUE;
break;
case 'p': /* mailq */
mode = SM_MODE_MAILQ;
break;
case 's': /* stand-alone mode */
mode = SM_MODE_USER;
break;
case 'v': /* expand recipients */
flags |= DEL_REQ_FLAG_USR_VRFY;
break;
}
break;
case 'f':
sender = optarg;
break;
case 'i':
flags &= ~SM_FLAG_AEOF;
break;
case 'o':
switch (*optarg) {
default:
if (msg_verbose)
msg_info("-%c%c option ignored", c, *optarg);
break;
case 'A':
if (optarg[1] == 0)
msg_fatal_status(EX_USAGE, "-oA requires pathname");
myfree(var_alias_db_map);
var_alias_db_map = mystrdup(optarg + 1);
set_mail_conf_str(VAR_ALIAS_DB_MAP, var_alias_db_map);
break;
case '7':
case '8':
break;
case 'i':
flags &= ~SM_FLAG_AEOF;
break;
case 'm':
break;
}
break;
case 'r': /* obsoleted by -f */
sender = optarg;
break;
case 'q':
if (ISDIGIT(optarg[0])) {
qtime = optarg;
} else if (optarg[0] == 'R') {
site_to_flush = optarg + 1;
if (*site_to_flush == 0)
msg_fatal_status(EX_USAGE, "specify: -qRsitename");
} else if (optarg[0] == 'I') {
id_to_flush = optarg + 1;
if (*id_to_flush == 0)
msg_fatal_status(EX_USAGE, "specify: -qIqueueid");
} else {
msg_fatal_status(EX_USAGE, "-q%c is not implemented",
optarg[0]);
}
break;
case 't':
flags |= SM_FLAG_XRCPT;
break;
case 'v':
msg_verbose++;
break;
case '?':
msg_fatal_status(EX_USAGE, "usage: %s [options]", argv[0]);
}
}
/*
* Look for conflicting options and arguments.
*/
if ((flags & SM_FLAG_XRCPT) && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-t can be used only in delivery mode");
if (site_to_flush && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-qR can be used only in delivery mode");
if (id_to_flush && mode != SM_MODE_ENQUEUE)
msg_fatal_status(EX_USAGE, "-qI can be used only in delivery mode");
if (flags & DEL_REQ_FLAG_USR_VRFY) {
if (flags & SM_FLAG_XRCPT)
msg_fatal_status(EX_USAGE, "-t option cannot be used with -bv");
if (dsn_notify)
msg_fatal_status(EX_USAGE, "-N option cannot be used with -bv");
if (dsn_ret)
msg_fatal_status(EX_USAGE, "-R option cannot be used with -bv");
if (msg_verbose == 1)
msg_fatal_status(EX_USAGE, "-v option cannot be used with -bv");
}
/*
* The -v option plays double duty. One requests verbose delivery, more
* than one requests verbose logging.
*/
if (msg_verbose == 1 && mode == SM_MODE_ENQUEUE) {
msg_verbose = 0;
flags |= DEL_REQ_FLAG_RECORD;
}
/*
* Start processing. Everything is delegated to external commands.
*/
if (qtime && mode != SM_MODE_DAEMON)
exit(0);
switch (mode) {
default:
msg_panic("unknown operation mode: %d", mode);
/* NOTREACHED */
case SM_MODE_ENQUEUE:
if (site_to_flush) {
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "flush site requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-s", site_to_flush, (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
} else if (id_to_flush) {
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "flush queue_id requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-i", id_to_flush, (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
} else {
enqueue(flags, encoding, dsn_envid, dsn_ret, dsn_notify,
rewrite_context, sender, full_name, argv + OPTIND);
exit(0);
/* NOTREACHED */
}
break;
case SM_MODE_MAILQ:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"display queue mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-p", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_FLUSHQ:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"flush queue mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postqueue", "-f", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_DAEMON:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE, "daemon mode requires no recipient");
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postfix", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_add(ext_argv, "start", (char *) 0);
argv_terminate(ext_argv);
err = (mail_run_background(var_command_dir, ext_argv->argv) < 0);
argv_free(ext_argv);
exit(err);
break;
case SM_MODE_NEWALIAS:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"alias initialization mode requires no recipient");
if (*var_alias_db_map == 0)
return (0);
ext_argv = argv_alloc(2);
argv_add(ext_argv, "postalias", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_split_append(ext_argv, var_alias_db_map, CHARS_COMMA_SP);
argv_terminate(ext_argv);
mail_run_replace(var_command_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_USER:
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"stand-alone mode requires no recipient");
/* The actual enforcement happens in the postdrop command. */
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl,
uid = getuid())) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to submit mail",
errstr, (long) uid);
ext_argv = argv_alloc(2);
argv_add(ext_argv, "smtpd", "-S", (char *) 0);
for (n = 0; n < msg_verbose; n++)
argv_add(ext_argv, "-v", (char *) 0);
argv_terminate(ext_argv);
mail_run_replace(var_daemon_dir, ext_argv->argv);
/* NOTREACHED */
case SM_MODE_IGNORE:
exit(0);
/* NOTREACHED */
}
}
int main(int argc, char **argv)
{
static VSTREAM *lock_fp;
static VSTREAM *data_lock_fp;
VSTRING *lock_path;
VSTRING *data_lock_path;
off_t inherited_limit;
int debug_me = 0;
int ch;
int fd;
int n;
int test_lock = 0;
VSTRING *why;
WATCHDOG *watchdog;
ARGV *import_env;
int wait_flag = 0;
int monitor_fd = -1;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Initialize.
*/
umask(077); /* never fails! */
/*
* Process environment options as early as we can.
*/
if (getenv(CONF_ENV_VERB))
msg_verbose = 1;
if (getenv(CONF_ENV_DEBUG))
debug_me = 1;
/*
* Don't die when a process goes away unexpectedly.
*/
signal(SIGPIPE, SIG_IGN);
/*
* Strip and save the process name for diagnostics etc.
*/
var_procname = mystrdup(basename(argv[0]));
/*
* When running a child process, don't leak any open files that were
* leaked to us by our own (privileged) parent process. Descriptors 0-2
* are taken care of after we have initialized error logging.
*
* Some systems such as AIX have a huge per-process open file limit. In
* those cases, limit the search for potential file descriptor leaks to
* just the first couple hundred.
*
* The Debian post-installation script passes an open file descriptor into
* the master process and waits forever for someone to close it. Because
* of this we have to close descriptors > 2, and pray that doing so does
* not break things.
*/
closefrom(3);
/*
* Initialize logging and exit handler.
*/
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* The mail system must be run by the superuser so it can revoke
* privileges for selected operations. That's right - it takes privileges
* to toss privileges.
*/
if (getuid() != 0)
msg_fatal("the master command is reserved for the superuser");
if (unsafe() != 0)
msg_fatal("the master command must not run as a set-uid process");
/*
* Process JCL.
*/
while ((ch = GETOPT(argc, argv, "c:Dde:tvw")) > 0) {
switch (ch) {
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'd':
master_detach = 0;
break;
case 'e':
event_request_timer(master_exit_event, (char *) 0, atoi(optarg));
break;
case 'D':
debug_me = 1;
break;
case 't':
test_lock = 1;
break;
case 'v':
msg_verbose++;
break;
case 'w':
wait_flag = 1;
break;
default:
usage(argv[0]);
/* NOTREACHED */
}
}
/*
* This program takes no other arguments.
*/
if (argc > optind)
usage(argv[0]);
/*
* Sanity check.
*/
if (test_lock && wait_flag)
msg_fatal("the -t and -w options cannot be used together");
/*
* Run a foreground monitor process that returns an exit status of 0 when
* the child background process reports successful initialization as a
* daemon process. We use a generous limit in case main/master.cf specify
* symbolic hosts/ports and the naming service is slow.
*/
#define MASTER_INIT_TIMEOUT 100 /* keep this limit generous */
if (wait_flag)
monitor_fd = master_monitor(MASTER_INIT_TIMEOUT);
/*
* If started from a terminal, get rid of any tty association. This also
* means that all errors and warnings must go to the syslog daemon.
*/
if (master_detach)
for (fd = 0; fd < 3; fd++) {
(void) close(fd);
if (open("/dev/null", O_RDWR, 0) != fd)
msg_fatal("open /dev/null: %m");
}
/*
* Run in a separate process group, so that "postfix stop" can terminate
* all MTA processes cleanly. Give up if we can't separate from our
* parent process. We're not supposed to blow away the parent.
*/
if (debug_me == 0 && master_detach != 0 && setsid() == -1 && getsid(0) != getpid())
msg_fatal("unable to set session and process group ID: %m");
/*
* Make some room for plumbing with file descriptors. XXX This breaks
* when a service listens on many ports. In order to do this right we
* must change the master-child interface so that descriptors do not need
* to have fixed numbers.
*
* In a child we need two descriptors for the flow control pipe, one for
* child->master status updates and at least one for listening.
*/
for (n = 0; n < 5; n++) {
if (close_on_exec(dup(0), CLOSE_ON_EXEC) < 0)
msg_fatal("dup(0): %m");
}
/*
* Final initializations. Unfortunately, we must read the global Postfix
* configuration file after doing command-line processing, so that we get
* consistent results when we SIGHUP the server to reload configuration
* files.
*/
master_vars_init();
/*
* In case of multi-protocol support. This needs to be done because
* master does not invoke mail_params_init() (it was written before that
* code existed).
*/
(void) inet_proto_init(VAR_INET_PROTOCOLS, var_inet_protocols);
/*
* Environment import filter, to enforce consistent behavior whether
* Postfix is started by hand, or at system boot time.
*/
import_env = argv_split(var_import_environ, ", \t\r\n");
clean_env(import_env->argv);
argv_free(import_env);
if ((inherited_limit = get_file_limit()) < 0)
set_file_limit(OFF_T_MAX);
if (chdir(var_queue_dir))
msg_fatal("chdir %s: %m", var_queue_dir);
/*
* Lock down the master.pid file. In test mode, no file means that it
* isn't locked.
*/
lock_path = vstring_alloc(10);
data_lock_path = vstring_alloc(10);
why = vstring_alloc(10);
vstring_sprintf(lock_path, "%s/%s.pid", DEF_PID_DIR, var_procname);
if (test_lock && access(vstring_str(lock_path), F_OK) < 0)
exit(0);
lock_fp = open_lock(vstring_str(lock_path), O_RDWR | O_CREAT, 0644, why);
if (test_lock)
exit(lock_fp ? 0 : 1);
if (lock_fp == 0)
msg_fatal("open lock file %s: %s",
vstring_str(lock_path), vstring_str(why));
vstream_fprintf(lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
(unsigned long) var_pid);
if (vstream_fflush(lock_fp))
msg_fatal("cannot update lock file %s: %m", vstring_str(lock_path));
close_on_exec(vstream_fileno(lock_fp), CLOSE_ON_EXEC);
/*
* Lock down the Postfix-writable data directory.
*/
vstring_sprintf(data_lock_path, "%s/%s.lock", var_data_dir, var_procname);
set_eugid(var_owner_uid, var_owner_gid);
data_lock_fp =
open_lock(vstring_str(data_lock_path), O_RDWR | O_CREAT, 0644, why);
set_ugid(getuid(), getgid());
if (data_lock_fp == 0)
msg_fatal("open lock file %s: %s",
vstring_str(data_lock_path), vstring_str(why));
vstream_fprintf(data_lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
(unsigned long) var_pid);
if (vstream_fflush(data_lock_fp))
msg_fatal("cannot update lock file %s: %m", vstring_str(data_lock_path));
close_on_exec(vstream_fileno(data_lock_fp), CLOSE_ON_EXEC);
/*
* Clean up.
*/
vstring_free(why);
vstring_free(lock_path);
vstring_free(data_lock_path);
/*
* Optionally start the debugger on ourself.
*/
if (debug_me)
debug_process();
/*
* Finish initialization, last part. We must process configuration files
* after processing command-line parameters, so that we get consistent
* results when we SIGHUP the server to reload configuration files.
*/
master_config();
master_sigsetup();
master_flow_init();
msg_info("daemon started -- version %s, configuration %s",
var_mail_version, var_config_dir);
/*
* Report successful initialization to the foreground monitor process.
*/
if (monitor_fd >= 0) {
write(monitor_fd, "", 1);
(void) close(monitor_fd);
}
/*
* Process events. The event handler will execute the read/write/timer
* action routines. Whenever something has happened, see if we received
* any signal in the mean time. Although the master process appears to do
* multiple things at the same time, it really is all a single thread, so
* that there are no concurrency conflicts within the master process.
*/
#define MASTER_WATCHDOG_TIME 1000
watchdog = watchdog_create(MASTER_WATCHDOG_TIME, (WATCHDOG_FN) 0, (char *) 0);
for (;;) {
#ifdef HAS_VOLATILE_LOCKS
if (myflock(vstream_fileno(lock_fp), INTERNAL_LOCK,
MYFLOCK_OP_EXCLUSIVE) < 0)
msg_fatal("refresh exclusive lock: %m");
if (myflock(vstream_fileno(data_lock_fp), INTERNAL_LOCK,
MYFLOCK_OP_EXCLUSIVE) < 0)
msg_fatal("refresh exclusive lock: %m");
#endif
watchdog_start(watchdog); /* same as trigger servers */
event_loop(MASTER_WATCHDOG_TIME / 2);
if (master_gotsighup) {
msg_info("reload -- version %s, configuration %s",
var_mail_version, var_config_dir);
master_gotsighup = 0; /* this first */
master_vars_init(); /* then this */
master_refresh(); /* then this */
}
if (master_gotsigchld) {
if (msg_verbose)
msg_info("got sigchld");
master_gotsigchld = 0; /* this first */
master_reap_child(); /* then this */
}
}
}
int deliver_alias(LOCAL_STATE state, USER_ATTR usr_attr,
char *name, int *statusp)
{
const char *myname = "deliver_alias";
const char *alias_result;
char *saved_alias_result;
char *owner;
char **cpp;
uid_t alias_uid;
struct mypasswd *alias_pwd;
VSTRING *canon_owner;
DICT *dict;
const char *owner_rhs; /* owner alias, RHS */
int alias_count;
int dsn_notify;
char *dsn_envid;
int dsn_ret;
const char *dsn_orcpt;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* DUPLICATE/LOOP ELIMINATION
*
* We cannot do duplicate elimination here. Sendmail compatibility requires
* that we allow multiple deliveries to the same alias, even recursively!
* For example, we must deliver to mailbox any messags that are addressed
* to the alias of a user that lists that same alias in her own .forward
* file. Yuck! This is just an example of some really perverse semantics
* that people will expect Postfix to implement just like sendmail.
*
* We can recognize one special case: when an alias includes its own name,
* deliver to the user instead, just like sendmail. Otherwise, we just
* bail out when nesting reaches some unreasonable depth, and blame it on
* a possible alias loop.
*/
if (state.msg_attr.exp_from != 0
&& strcasecmp(state.msg_attr.exp_from, name) == 0)
return (NO);
if (state.level > 100) {
msg_warn("alias database loop for %s", name);
dsb_simple(state.msg_attr.why, "5.4.6",
"alias database loop for %s", name);
*statusp = bounce_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
return (YES);
}
state.msg_attr.exp_from = name;
/*
* There are a bunch of roles that we're trying to keep track of.
*
* First, there's the issue of whose rights should be used when delivering
* to "|command" or to /file/name. With alias databases, the rights are
* those of who owns the alias, i.e. the database owner. With aliases
* owned by root, a default user is used instead. When an alias with
* default rights references an include file owned by an ordinary user,
* we must use the rights of the include file owner, otherwise the
* include file owner could take control of the default account.
*
* Secondly, there's the question of who to notify of delivery problems.
* With aliases that have an owner- alias, the latter is used to set the
* sender and owner attributes. Otherwise, the owner attribute is reset
* (the alias is globally visible and could be sent to by anyone).
*/
for (cpp = alias_maps->argv->argv; *cpp; cpp++) {
if ((dict = dict_handle(*cpp)) == 0)
msg_panic("%s: dictionary not found: %s", myname, *cpp);
if ((alias_result = dict_get(dict, name)) != 0) {
if (msg_verbose)
msg_info("%s: %s: %s = %s", myname, *cpp, name, alias_result);
/*
* Don't expand a verify-only request.
*/
if (state.request->flags & DEL_REQ_FLAG_MTA_VRFY) {
dsb_simple(state.msg_attr.why, "2.0.0",
"aliased to %s", alias_result);
*statusp = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
return (YES);
}
/*
* DELIVERY POLICY
*
* Update the expansion type attribute, so we can decide if
* deliveries to |command and /file/name are allowed at all.
*/
state.msg_attr.exp_type = EXPAND_TYPE_ALIAS;
/*
* DELIVERY RIGHTS
*
* What rights to use for |command and /file/name deliveries? The
* command and file code will use default rights when the alias
* database is owned by root, otherwise it will use the rights of
* the alias database owner.
*/
if ((alias_uid = dict_owner(*cpp)) == 0) {
alias_pwd = 0;
RESET_USER_ATTR(usr_attr, state.level);
} else {
if ((alias_pwd = mypwuid(alias_uid)) == 0) {
msg_warn("cannot find alias database owner for %s", *cpp);
dsb_simple(state.msg_attr.why, "4.3.0",
"cannot find alias database owner");
*statusp = defer_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
return (YES);
}
SET_USER_ATTR(usr_attr, alias_pwd, state.level);
}
/*
* WHERE TO REPORT DELIVERY PROBLEMS.
*
* Use the owner- alias if one is specified, otherwise reset the
* owner attribute and use the include file ownership if we can.
* Save the dict_lookup() result before something clobbers it.
*
* Don't match aliases that are based on regexps.
*/
#define OWNER_ASSIGN(own) \
(own = (var_ownreq_special == 0 ? 0 : \
concatenate("owner-", name, (char *) 0)))
saved_alias_result = mystrdup(alias_result);
if (OWNER_ASSIGN(owner) != 0
&& (owner_rhs = maps_find(alias_maps, owner, DICT_FLAG_NONE)) != 0) {
canon_owner = canon_addr_internal(vstring_alloc(10),
var_exp_own_alias ? owner_rhs : owner);
/* Set envelope sender and owner attribute. */
SET_OWNER_ATTR(state.msg_attr, STR(canon_owner), state.level);
} else {
canon_owner = 0;
/* Note: this does not reset the envelope sender. */
if (var_reset_owner_attr)
RESET_OWNER_ATTR(state.msg_attr, state.level);
}
/*
* EXTERNAL LOOP CONTROL
*
* Set the delivered message attribute to the recipient, so that
* this message will list the correct forwarding address.
*/
if (var_frozen_delivered == 0)
state.msg_attr.delivered = state.msg_attr.rcpt.address;
/*
* Deliver.
*/
alias_count = 0;
if (dict_errno != 0) {
dsb_simple(state.msg_attr.why, "4.3.0",
"alias database unavailable");
*statusp = defer_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
} else {
/*
* XXX DSN
*
* When delivering to a mailing list (i.e. the envelope sender
* is replaced) the ENVID, NOTIFY, RET, and ORCPT parameters
* which accompany the redistributed message MUST NOT be
* derived from those of the original message.
*
* When delivering to an alias (i.e. the envelope sender is not
* replaced) any ENVID, RET, or ORCPT parameters are
* propagated to all forwarding addresses associated with
* that alias. The NOTIFY parameter is propagated to the
* forwarding addresses, except that any SUCCESS keyword is
* removed.
*/
#define DSN_SAVE_UPDATE(saved, old, new) do { \
saved = old; \
old = new; \
} while (0)
DSN_SAVE_UPDATE(dsn_notify, state.msg_attr.rcpt.dsn_notify,
dsn_notify == DSN_NOTIFY_SUCCESS ?
DSN_NOTIFY_NEVER :
dsn_notify & ~DSN_NOTIFY_SUCCESS);
if (canon_owner != 0) {
DSN_SAVE_UPDATE(dsn_envid, state.msg_attr.dsn_envid, "");
DSN_SAVE_UPDATE(dsn_ret, state.msg_attr.dsn_ret, 0);
DSN_SAVE_UPDATE(dsn_orcpt, state.msg_attr.rcpt.dsn_orcpt, "");
state.msg_attr.rcpt.orig_addr = "";
}
*statusp =
deliver_token_string(state, usr_attr, saved_alias_result,
&alias_count);
#if 0
if (var_ownreq_special
&& strncmp("owner-", state.msg_attr.sender, 6) != 0
&& alias_count > 10)
msg_warn("mailing list \"%s\" needs an \"owner-%s\" alias",
name, name);
#endif
if (alias_count < 1) {
msg_warn("no recipient in alias lookup result for %s", name);
dsb_simple(state.msg_attr.why, "4.3.0",
"alias database unavailable");
*statusp = defer_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
} else {
/*
* XXX DSN
*
* When delivering to a mailing list (i.e. the envelope
* sender address is replaced) and NOTIFY=SUCCESS was
* specified, report a DSN of "delivered".
*
* When delivering to an alias (i.e. the envelope sender
* address is not replaced) and NOTIFY=SUCCESS was
* specified, report a DSN of "expanded".
*/
if (dsn_notify & DSN_NOTIFY_SUCCESS) {
state.msg_attr.rcpt.dsn_notify = dsn_notify;
if (canon_owner != 0) {
state.msg_attr.dsn_envid = dsn_envid;
state.msg_attr.dsn_ret = dsn_ret;
state.msg_attr.rcpt.dsn_orcpt = dsn_orcpt;
}
dsb_update(state.msg_attr.why, "2.0.0", canon_owner ?
"delivered" : "expanded",
DSB_SKIP_RMTA, DSB_SKIP_REPLY,
"alias expanded");
(void) trace_append(BOUNCE_FLAG_NONE,
SENT_ATTR(state.msg_attr));
}
}
}
myfree(saved_alias_result);
if (owner)
myfree(owner);
if (canon_owner)
vstring_free(canon_owner);
if (alias_pwd)
mypwfree(alias_pwd);
return (YES);
}
/*
* If the alias database was inaccessible for some reason, defer
* further delivery for the current top-level recipient.
*/
if (dict_errno != 0) {
dsb_simple(state.msg_attr.why, "4.3.0",
"alias database unavailable");
*statusp = defer_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
return (YES);
} else {
if (msg_verbose)
msg_info("%s: %s: %s not found", myname, *cpp, name);
}
}
/*
* Try delivery to a local user instead.
*/
return (NO);
}
int main(int unused_argc, char **argv)
{
VSTRING *inbuf = vstring_alloc(1);
char *bufp;
char *cmd;
ssize_t cmd_len;
char *service;
char *addr;
int count;
int rate;
int msgs;
int rcpts;
int newtls;
ANVIL_CLNT *anvil;
msg_vstream_init(argv[0], VSTREAM_ERR);
mail_conf_read();
msg_info("using config files in %s", var_config_dir);
if (chdir(var_queue_dir) < 0)
msg_fatal("chdir %s: %m", var_queue_dir);
msg_verbose++;
anvil = anvil_clnt_create();
while (vstring_fgets_nonl(inbuf, VSTREAM_IN)) {
bufp = vstring_str(inbuf);
if ((cmd = mystrtok(&bufp, " ")) == 0 || *bufp == 0
|| (service = mystrtok(&bufp, " ")) == 0 || *service == 0
|| (addr = mystrtok(&bufp, " ")) == 0 || *addr == 0
|| mystrtok(&bufp, " ") != 0) {
vstream_printf("bad command syntax\n");
usage();
vstream_fflush(VSTREAM_OUT);
continue;
}
cmd_len = strlen(cmd);
if (strncmp(cmd, ANVIL_REQ_CONN, cmd_len) == 0) {
if (anvil_clnt_connect(anvil, service, addr, &count, &rate) != ANVIL_STAT_OK)
msg_warn("error!");
else
vstream_printf("count=%d, rate=%d\n", count, rate);
} else if (strncmp(cmd, ANVIL_REQ_MAIL, cmd_len) == 0) {
if (anvil_clnt_mail(anvil, service, addr, &msgs) != ANVIL_STAT_OK)
msg_warn("error!");
else
vstream_printf("rate=%d\n", msgs);
} else if (strncmp(cmd, ANVIL_REQ_RCPT, cmd_len) == 0) {
if (anvil_clnt_rcpt(anvil, service, addr, &rcpts) != ANVIL_STAT_OK)
msg_warn("error!");
else
vstream_printf("rate=%d\n", rcpts);
} else if (strncmp(cmd, ANVIL_REQ_NTLS, cmd_len) == 0) {
if (anvil_clnt_newtls(anvil, service, addr, &newtls) != ANVIL_STAT_OK)
msg_warn("error!");
else
vstream_printf("rate=%d\n", newtls);
} else if (strncmp(cmd, ANVIL_REQ_NTLS_STAT, cmd_len) == 0) {
if (anvil_clnt_newtls_stat(anvil, service, addr, &newtls) != ANVIL_STAT_OK)
msg_warn("error!");
else
vstream_printf("rate=%d\n", newtls);
} else if (strncmp(cmd, ANVIL_REQ_DISC, cmd_len) == 0) {
if (anvil_clnt_disconnect(anvil, service, addr) != ANVIL_STAT_OK)
msg_warn("error!");
else
vstream_printf("OK\n");
} else if (strncmp(cmd, ANVIL_REQ_LOOKUP, cmd_len) == 0) {
if (anvil_clnt_lookup(anvil, service, addr, &count, &rate,
&msgs, &rcpts, &newtls) != ANVIL_STAT_OK)
msg_warn("error!");
else
vstream_printf("count=%d, rate=%d msgs=%d rcpts=%d newtls=%d\n",
count, rate, msgs, rcpts, newtls);
} else {
vstream_printf("bad command: \"%s\"\n", cmd);
usage();
}
vstream_fflush(VSTREAM_OUT);
}
vstring_free(inbuf);
anvil_clnt_free(anvil);
return (0);
}
static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
{
const char *myname = "deliver_mailbox_file";
char *spool_dir;
char *mailbox;
DSN_BUF *why = state.msg_attr.why;
MBOX *mp;
int mail_copy_status;
int deliver_status;
int copy_flags;
VSTRING *biff;
long end;
struct stat st;
uid_t spool_uid;
gid_t spool_gid;
uid_t chown_uid;
gid_t chown_gid;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to mailbox");
return (sent(BOUNCE_FLAGS(state.request), SENT_ATTR(state.msg_attr)));
}
/*
* Initialize. Assume the operation will fail. Set the delivered
* attribute to reflect the final recipient.
*/
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek message file %s: %m", VSTREAM_PATH(state.msg_attr.fp));
if (var_frozen_delivered == 0)
state.msg_attr.delivered = state.msg_attr.rcpt.address;
mail_copy_status = MAIL_COPY_STAT_WRITE;
if (*var_home_mailbox) {
spool_dir = 0;
mailbox = concatenate(usr_attr.home, "/", var_home_mailbox, (char *) 0);
} else {
spool_dir = var_mail_spool_dir;
mailbox = concatenate(spool_dir, "/", state.msg_attr.user, (char *) 0);
}
/*
* Mailbox delivery with least privilege. As long as we do not use root
* privileges this code may also work over NFS.
*
* If delivering to the recipient's home directory, perform all operations
* (including file locking) as that user (Mike Muuss, Army Research
* Laboratory, USA).
*
* If delivering to the mail spool directory, and the spool directory is
* world-writable, deliver as the recipient; if the spool directory is
* group-writable, use the recipient user id and the mail spool group id.
*
* Otherwise, use root privileges and chown the mailbox.
*/
if (spool_dir == 0
|| stat(spool_dir, &st) < 0
|| (st.st_mode & S_IWOTH) != 0) {
spool_uid = usr_attr.uid;
spool_gid = usr_attr.gid;
} else if ((st.st_mode & S_IWGRP) != 0) {
spool_uid = usr_attr.uid;
spool_gid = st.st_gid;
} else {
spool_uid = 0;
spool_gid = 0;
}
if (spool_uid == usr_attr.uid) {
chown_uid = -1;
chown_gid = -1;
} else {
chown_uid = usr_attr.uid;
chown_gid = usr_attr.gid;
}
if (msg_verbose)
msg_info("spool_uid/gid %ld/%ld chown_uid/gid %ld/%ld",
(long) spool_uid, (long) spool_gid,
(long) chown_uid, (long) chown_gid);
/*
* Lock the mailbox and open/create the mailbox file. Depending on the
* type of locking used, we lock first or we open first.
*
* Write the file as the recipient, so that file quota work.
*/
copy_flags = MAIL_COPY_MBOX;
if ((local_deliver_hdr_mask & DELIVER_HDR_FILE) == 0)
copy_flags &= ~MAIL_COPY_DELIVERED;
set_eugid(spool_uid, spool_gid);
mp = mbox_open(mailbox, O_APPEND | O_WRONLY | O_CREAT,
S_IRUSR | S_IWUSR, &st, chown_uid, chown_gid,
local_mbox_lock_mask, "5.2.0", why);
if (mp != 0) {
if (spool_uid != usr_attr.uid || spool_gid != usr_attr.gid)
set_eugid(usr_attr.uid, usr_attr.gid);
if (S_ISREG(st.st_mode) == 0) {
vstream_fclose(mp->fp);
dsb_simple(why, "5.2.0",
"destination %s is not a regular file", mailbox);
} else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
vstream_fclose(mp->fp);
dsb_simple(why, "4.2.0",
"destination %s is not owned by recipient", mailbox);
msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
VAR_STRICT_MBOX_OWNER);
} else {
end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
copy_flags, "\n", why);
}
if (spool_uid != usr_attr.uid || spool_gid != usr_attr.gid)
set_eugid(spool_uid, spool_gid);
mbox_release(mp);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* As the mail system, bounce, defer delivery, or report success.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
vstring_sprintf_prepend(why->reason,
"cannot update mailbox %s for user %s. ",
mailbox, state.msg_attr.user);
deliver_status =
(STR(why->status)[0] == '4' ?
defer_append : bounce_append)
(BOUNCE_FLAGS(state.request), BOUNCE_ATTR(state.msg_attr));
} else {
dsb_simple(why, "2.0.0", "delivered to mailbox");
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
if (var_biff) {
biff = vstring_alloc(100);
vstring_sprintf(biff, "%s@%ld", usr_attr.logname, (long) end);
biff_notify(STR(biff), VSTRING_LEN(biff) + 1);
vstring_free(biff);
}
}
/*
* Clean up.
*/
myfree(mailbox);
return (deliver_status);
}
static int smtpd_proxy_connect(SMTPD_STATE *state)
{
SMTPD_PROXY *proxy = state->proxy;
int fd;
char *lines;
char *words;
VSTRING *buf;
int bad;
char *word;
static const NAME_CODE known_xforward_features[] = {
XFORWARD_NAME, SMTPD_PROXY_XFORWARD_NAME,
XFORWARD_ADDR, SMTPD_PROXY_XFORWARD_ADDR,
XFORWARD_PORT, SMTPD_PROXY_XFORWARD_PORT,
XFORWARD_PROTO, SMTPD_PROXY_XFORWARD_PROTO,
XFORWARD_HELO, SMTPD_PROXY_XFORWARD_HELO,
XFORWARD_IDENT, SMTPD_PROXY_XFORWARD_IDENT,
XFORWARD_DOMAIN, SMTPD_PROXY_XFORWARD_DOMAIN,
0, 0,
};
int server_xforward_features;
int (*connect_fn) (const char *, int, int);
const char *endpoint;
/*
* Find connection method (default inet)
*/
if (strncasecmp("unix:", proxy->service_name, 5) == 0) {
endpoint = proxy->service_name + 5;
connect_fn = unix_connect;
} else {
if (strncasecmp("inet:", proxy->service_name, 5) == 0)
endpoint = proxy->service_name + 5;
else
endpoint = proxy->service_name;
connect_fn = inet_connect;
}
/*
* Connect to proxy.
*/
if ((fd = connect_fn(endpoint, BLOCKING, proxy->timeout)) < 0) {
msg_warn("connect to proxy filter %s: %m", proxy->service_name);
return (smtpd_proxy_rdwr_error(state, 0));
}
proxy->service_stream = vstream_fdopen(fd, O_RDWR);
/* Needed by our DATA-phase record emulation routines. */
vstream_control(proxy->service_stream, VSTREAM_CTL_CONTEXT,
(char *) state, VSTREAM_CTL_END);
/* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */
if (connect_fn == inet_connect)
vstream_tweak_tcp(proxy->service_stream);
smtp_timeout_setup(proxy->service_stream, proxy->timeout);
/*
* Get server greeting banner.
*
* If this fails then we have a problem because the proxy should always
* accept our connection. Make up our own response instead of passing
* back a negative greeting banner: the proxy open is delayed to the
* point that the client expects a MAIL FROM or RCPT TO reply.
*/
if (smtpd_proxy_cmd(state, SMTPD_PROX_WANT_OK, SMTPD_PROXY_CONN_FMT)) {
smtpd_proxy_fake_server_reply(state, CLEANUP_STAT_PROXY);
smtpd_proxy_close(state);
return (-1);
}
/*
* Send our own EHLO command. If this fails then we have a problem
* because the proxy should always accept our EHLO command. Make up our
* own response instead of passing back a negative EHLO reply: the proxy
* open is delayed to the point that the remote SMTP client expects a
* MAIL FROM or RCPT TO reply.
*/
if (smtpd_proxy_cmd(state, SMTPD_PROX_WANT_OK, "EHLO %s",
proxy->ehlo_name)) {
smtpd_proxy_fake_server_reply(state, CLEANUP_STAT_PROXY);
smtpd_proxy_close(state);
return (-1);
}
/*
* Parse the EHLO reply and see if we can forward logging information.
*/
server_xforward_features = 0;
lines = STR(proxy->reply);
while ((words = mystrtok(&lines, "\n")) != 0) {
if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t")) != 0) {
if (strcasecmp(word, XFORWARD_CMD) == 0)
while ((word = mystrtok(&words, " \t")) != 0)
server_xforward_features |=
name_code(known_xforward_features,
NAME_CODE_FLAG_NONE, word);
}
}
/*
* Send XFORWARD attributes. For robustness, explicitly specify what SMTP
* session attributes are known and unknown. Make up our own response
* instead of passing back a negative XFORWARD reply: the proxy open is
* delayed to the point that the remote SMTP client expects a MAIL FROM
* or RCPT TO reply.
*/
if (server_xforward_features) {
buf = vstring_alloc(100);
bad =
(((server_xforward_features & SMTPD_PROXY_XFORWARD_NAME)
&& smtpd_proxy_xforward_send(state, buf, XFORWARD_NAME,
IS_AVAIL_CLIENT_NAME(FORWARD_NAME(state)),
FORWARD_NAME(state)))
|| ((server_xforward_features & SMTPD_PROXY_XFORWARD_ADDR)
&& smtpd_proxy_xforward_send(state, buf, XFORWARD_ADDR,
IS_AVAIL_CLIENT_ADDR(FORWARD_ADDR(state)),
FORWARD_ADDR(state)))
|| ((server_xforward_features & SMTPD_PROXY_XFORWARD_PORT)
&& smtpd_proxy_xforward_send(state, buf, XFORWARD_PORT,
IS_AVAIL_CLIENT_PORT(FORWARD_PORT(state)),
FORWARD_PORT(state)))
|| ((server_xforward_features & SMTPD_PROXY_XFORWARD_HELO)
&& smtpd_proxy_xforward_send(state, buf, XFORWARD_HELO,
IS_AVAIL_CLIENT_HELO(FORWARD_HELO(state)),
FORWARD_HELO(state)))
|| ((server_xforward_features & SMTPD_PROXY_XFORWARD_IDENT)
&& smtpd_proxy_xforward_send(state, buf, XFORWARD_IDENT,
IS_AVAIL_CLIENT_IDENT(FORWARD_IDENT(state)),
FORWARD_IDENT(state)))
|| ((server_xforward_features & SMTPD_PROXY_XFORWARD_PROTO)
&& smtpd_proxy_xforward_send(state, buf, XFORWARD_PROTO,
IS_AVAIL_CLIENT_PROTO(FORWARD_PROTO(state)),
FORWARD_PROTO(state)))
|| ((server_xforward_features & SMTPD_PROXY_XFORWARD_DOMAIN)
&& smtpd_proxy_xforward_send(state, buf, XFORWARD_DOMAIN, 1,
STREQ(FORWARD_DOMAIN(state), MAIL_ATTR_RWR_LOCAL) ?
XFORWARD_DOM_LOCAL : XFORWARD_DOM_REMOTE))
|| smtpd_proxy_xforward_flush(state, buf));
vstring_free(buf);
if (bad) {
smtpd_proxy_fake_server_reply(state, CLEANUP_STAT_PROXY);
smtpd_proxy_close(state);
return (-1);
}
}
/*
* Pass-through the remote SMTP client's MAIL FROM command. If this
* fails, then we have a problem because the proxy should always accept
* any MAIL FROM command that was accepted by us.
*/
if (smtpd_proxy_cmd(state, SMTPD_PROX_WANT_OK, "%s",
proxy->mail_from) != 0) {
/* NOT: smtpd_proxy_fake_server_reply(state, CLEANUP_STAT_PROXY); */
smtpd_proxy_close(state);
return (-1);
}
return (0);
}
DICT *dict_pcre_open(const char *mapname, int open_flags, int dict_flags)
{
DICT_PCRE *dict_pcre;
VSTREAM *map_fp;
struct stat st;
VSTRING *line_buffer;
DICT_PCRE_RULE *last_rule = 0;
DICT_PCRE_RULE *rule;
int lineno = 0;
int nesting = 0;
char *p;
/*
* Sanity checks.
*/
if (open_flags != O_RDONLY)
return (dict_surrogate(DICT_TYPE_PCRE, mapname, open_flags, dict_flags,
"%s:%s map requires O_RDONLY access mode",
DICT_TYPE_PCRE, mapname));
/*
* Open the configuration file.
*/
if ((map_fp = vstream_fopen(mapname, O_RDONLY, 0)) == 0)
return (dict_surrogate(DICT_TYPE_PCRE, mapname, open_flags, dict_flags,
"open %s: %m", mapname));
if (fstat(vstream_fileno(map_fp), &st) < 0)
msg_fatal("fstat %s: %m", mapname);
line_buffer = vstring_alloc(100);
dict_pcre = (DICT_PCRE *) dict_alloc(DICT_TYPE_PCRE, mapname,
sizeof(*dict_pcre));
dict_pcre->dict.lookup = dict_pcre_lookup;
dict_pcre->dict.close = dict_pcre_close;
dict_pcre->dict.flags = dict_flags | DICT_FLAG_PATTERN;
if (dict_flags & DICT_FLAG_FOLD_MUL)
dict_pcre->dict.fold_buf = vstring_alloc(10);
dict_pcre->head = 0;
dict_pcre->expansion_buf = 0;
if (dict_pcre_init == 0) {
pcre_malloc = (void *(*) (size_t)) mymalloc;
pcre_free = (void (*) (void *)) myfree;
dict_pcre_init = 1;
}
dict_pcre->dict.owner.uid = st.st_uid;
dict_pcre->dict.owner.status = (st.st_uid != 0);
/*
* Parse the pcre table.
*/
while (readlline(line_buffer, map_fp, &lineno)) {
p = vstring_str(line_buffer);
trimblanks(p, 0)[0] = 0; /* Trim space at end */
if (*p == 0)
continue;
rule = dict_pcre_parse_rule(mapname, lineno, p, nesting, dict_flags);
if (rule == 0)
continue;
if (rule->op == DICT_PCRE_OP_IF) {
nesting++;
} else if (rule->op == DICT_PCRE_OP_ENDIF) {
nesting--;
}
if (last_rule == 0)
dict_pcre->head = rule;
else
last_rule->next = rule;
last_rule = rule;
}
if (nesting)
msg_warn("pcre map %s, line %d: more IFs than ENDIFs",
mapname, lineno);
vstring_free(line_buffer);
vstream_fclose(map_fp);
return (DICT_DEBUG (&dict_pcre->dict));
}
VSTRING *tok822_externalize(VSTRING *vp, TOK822 *tree, int flags)
{
VSTRING *tmp;
TOK822 *tp;
int start;
TOK822 *addr;
int addr_len;
/*
* Guard against a Sendmail buffer overflow (CERT advisory CA-2003-07).
* The problem was that Sendmail could store too much non-address text
* (comments, phrases, etc.) into a static 256-byte buffer.
*
* When the buffer fills up, fixed Sendmail versions remove comments etc.
* and reduce the information to just <$g>, which expands to <address>.
* No change is made when an address expression (text separated by
* commas) contains no address. This fix reportedly also protects
* Sendmail systems that are still vulnerable to this problem.
*
* Postfix takes the same approach, grudgingly. To avoid unnecessary damage,
* Postfix removes comments etc. only when the amount of non-address text
* in an address expression (text separated by commas) exceeds 250 bytes.
*
* With Sendmail, the address part of an address expression is the
* right-most <> instance in that expression. If an address expression
* contains no <>, then Postfix guarantees that it contains at most one
* non-comment string; that string is the address part of the address
* expression, so there is no ambiguity.
*
* Finally, we note that stress testing shows that other code in Sendmail
* 8.12.8 bluntly truncates ``text <address>'' to 256 bytes even when
* this means chopping the <address> somewhere in the middle. This is a
* loss of control that we're not entirely comfortable with. However,
* unbalanced quotes and dangling backslash do not seem to influence the
* way that Sendmail parses headers, so this is not an urgent problem.
*/
#define MAX_NONADDR_LENGTH 250
#define RESET_NONADDR_LENGTH { \
start = VSTRING_LEN(vp); \
addr = 0; \
addr_len = 0; \
}
#define ENFORCE_NONADDR_LENGTH do { \
if (addr && VSTRING_LEN(vp) - addr_len > start + MAX_NONADDR_LENGTH) \
strip_address(vp, start, addr->head); \
} while(0)
if (flags & TOK822_STR_WIPE)
VSTRING_RESET(vp);
if (flags & TOK822_STR_TRNC)
RESET_NONADDR_LENGTH;
for (tp = tree; tp; tp = tp->next) {
switch (tp->type) {
case ',':
if (flags & TOK822_STR_TRNC)
ENFORCE_NONADDR_LENGTH;
VSTRING_ADDCH(vp, tp->type);
VSTRING_ADDCH(vp, (flags & TOK822_STR_LINE) ? '\n' : ' ');
if (flags & TOK822_STR_TRNC)
RESET_NONADDR_LENGTH;
continue;
/*
* XXX In order to correctly externalize an address, it is not
* sufficient to quote individual atoms. There are higher-level
* rules that say when an address localpart needs to be quoted.
* We wing it with the quote_822_local() routine, which ignores
* the issue of atoms in the domain part that would need quoting.
*/
case TOK822_ADDR:
addr = tp;
tmp = vstring_alloc(100);
tok822_internalize(tmp, tp->head, TOK822_STR_TERM);
addr_len = VSTRING_LEN(vp);
quote_822_local_flags(vp, vstring_str(tmp),
QUOTE_FLAG_8BITCLEAN | QUOTE_FLAG_APPEND);
addr_len = VSTRING_LEN(vp) - addr_len;
vstring_free(tmp);
break;
case TOK822_ATOM:
case TOK822_COMMENT:
vstring_strcat(vp, vstring_str(tp->vstr));
break;
case TOK822_QSTRING:
VSTRING_ADDCH(vp, '"');
tok822_copy_quoted(vp, vstring_str(tp->vstr), "\"\\\r\n");
VSTRING_ADDCH(vp, '"');
break;
case TOK822_DOMLIT:
VSTRING_ADDCH(vp, '[');
tok822_copy_quoted(vp, vstring_str(tp->vstr), "\\\r\n");
VSTRING_ADDCH(vp, ']');
break;
case TOK822_STARTGRP:
VSTRING_ADDCH(vp, ':');
break;
case '<':
if (tp->next && tp->next->type == '>') {
addr = tp;
addr_len = 0;
}
VSTRING_ADDCH(vp, '<');
break;
default:
if (tp->type >= TOK822_MINTOK)
msg_panic("tok822_externalize: unknown operator %d", tp->type);
VSTRING_ADDCH(vp, tp->type);
}
if (tok822_append_space(tp))
VSTRING_ADDCH(vp, ' ');
}
if (flags & TOK822_STR_TRNC)
ENFORCE_NONADDR_LENGTH;
if (flags & TOK822_STR_TERM)
VSTRING_TERMINATE(vp);
return (vp);
}
static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
{
const char *myname = "xsasl_dovecot_server_connect";
VSTRING *line_str;
VSTREAM *sasl_stream;
char *line, *cmd, *mech_name;
unsigned int major_version, minor_version;
int fd, success, have_mech_line;
int sec_props;
const char *path;
if (msg_verbose)
msg_info("%s: Connecting", myname);
/*
* Not documented, but necessary for testing.
*/
path = xp->socket_path;
if (strncmp(path, "inet:", 5) == 0) {
fd = inet_connect(path + 5, BLOCKING, AUTH_TIMEOUT);
} else {
if (strncmp(path, "unix:", 5) == 0)
path += 5;
fd = unix_connect(path, BLOCKING, AUTH_TIMEOUT);
}
if (fd < 0) {
msg_warn("SASL: Connect to %s failed: %m", xp->socket_path);
return (-1);
}
sasl_stream = vstream_fdopen(fd, O_RDWR);
vstream_control(sasl_stream,
CA_VSTREAM_CTL_PATH(xp->socket_path),
CA_VSTREAM_CTL_TIMEOUT(AUTH_TIMEOUT),
CA_VSTREAM_CTL_END);
/* XXX Encapsulate for logging. */
vstream_fprintf(sasl_stream,
"VERSION\t%u\t%u\n"
"CPID\t%u\n",
AUTH_PROTOCOL_MAJOR_VERSION,
AUTH_PROTOCOL_MINOR_VERSION,
(unsigned int) getpid());
if (vstream_fflush(sasl_stream) == VSTREAM_EOF) {
msg_warn("SASL: Couldn't send handshake: %m");
return (-1);
}
success = 0;
have_mech_line = 0;
line_str = vstring_alloc(256);
/* XXX Encapsulate for logging. */
while (vstring_get_nonl(line_str, sasl_stream) != VSTREAM_EOF) {
line = vstring_str(line_str);
if (msg_verbose)
msg_info("%s: auth reply: %s", myname, line);
cmd = line;
line = split_at(line, '\t');
if (strcmp(cmd, "VERSION") == 0) {
if (sscanf(line, "%u\t%u", &major_version, &minor_version) != 2) {
msg_warn("SASL: Protocol version error");
break;
}
if (major_version != AUTH_PROTOCOL_MAJOR_VERSION) {
/* Major version is different from ours. */
msg_warn("SASL: Protocol version mismatch (%d vs. %d)",
major_version, AUTH_PROTOCOL_MAJOR_VERSION);
break;
}
} else if (strcmp(cmd, "MECH") == 0 && line != NULL) {
mech_name = line;
have_mech_line = 1;
line = split_at(line, '\t');
if (line != 0) {
sec_props =
name_mask_delim_opt(myname,
xsasl_dovecot_serv_sec_props,
line, "\t",
NAME_MASK_ANY_CASE | NAME_MASK_IGNORE);
if ((sec_props & SEC_PROPS_PRIVATE) != 0)
continue;
} else
sec_props = 0;
xsasl_dovecot_server_mech_append(&xp->mechanism_list, mech_name,
sec_props);
} else if (strcmp(cmd, "SPID") == 0) {
/*
* Unfortunately the auth protocol handshake wasn't designed well
* to differentiate between auth-client/userdb/master.
* auth-userdb and auth-master send VERSION + SPID lines only and
* nothing afterwards, while auth-client sends VERSION + MECH +
* SPID + CUID + more. The simplest way that we can determine if
* we've connected to the correct socket is to see if MECH line
* exists or not (alternatively we'd have to have a small timeout
* after SPID to see if CUID is sent or not).
*/
if (!have_mech_line) {
msg_warn("SASL: Connected to wrong auth socket (auth-master instead of auth-client)");
break;
}
} else if (strcmp(cmd, "DONE") == 0) {
/* Handshake finished. */
success = 1;
break;
} else {
/* ignore any unknown commands */
}
}
vstring_free(line_str);
if (!success) {
/* handshake failed */
(void) vstream_fclose(sasl_stream);
return (-1);
}
xp->sasl_stream = sasl_stream;
return (0);
}
int sent(int flags, const char *id, MSG_STATS *stats,
RECIPIENT *recipient, const char *relay,
DSN *dsn)
{
DSN my_dsn = *dsn;
int status;
/*
* Sanity check.
*/
if (my_dsn.status[0] != '2' || !dsn_valid(my_dsn.status)) {
msg_warn("sent: ignoring dsn code \"%s\"", my_dsn.status);
my_dsn.status = "2.0.0";
}
/*
* MTA-requested address verification information is stored in the verify
* service database.
*/
if (flags & DEL_REQ_FLAG_MTA_VRFY) {
my_dsn.action = "deliverable";
status = verify_append(id, stats, recipient, relay, &my_dsn,
DEL_RCPT_STAT_OK);
return (status);
}
/*
* User-requested address verification information is logged and mailed
* to the requesting user.
*/
if (flags & DEL_REQ_FLAG_USR_VRFY) {
my_dsn.action = "deliverable";
status = trace_append(flags, id, stats, recipient, relay, &my_dsn);
return (status);
}
/*
* Normal mail delivery. May also send a delivery record to the user.
*/
else {
if (my_dsn.action == 0 || my_dsn.action[0] == 0)
my_dsn.action = "delivered";
if (((flags & DEL_REQ_FLAG_RECORD) == 0
|| trace_append(flags, id, stats, recipient, relay, &my_dsn) == 0)
&& ((recipient->dsn_notify & DSN_NOTIFY_SUCCESS) == 0
|| trace_append(flags, id, stats, recipient, relay, &my_dsn) == 0)) {
log_adhoc(id, stats, recipient, relay, &my_dsn, "sent");
status = 0;
} else {
VSTRING *junk = vstring_alloc(100);
vstring_sprintf(junk, "%s: %s service failed",
id, var_trace_service);
my_dsn.reason = vstring_str(junk);
my_dsn.status ="4.3.0";
status = defer_append(flags, id, stats, recipient, relay, &my_dsn);
vstring_free(junk);
}
return (status);
}
}
int smtpd_peer_from_haproxy(SMTPD_STATE *state)
{
const char *myname = "smtpd_peer_from_haproxy";
MAI_HOSTADDR_STR smtp_client_addr;
MAI_SERVPORT_STR smtp_client_port;
MAI_HOSTADDR_STR smtp_server_addr;
MAI_SERVPORT_STR smtp_server_port;
const char *proxy_err;
int io_err;
VSTRING *escape_buf;
/*
* While reading HAProxy handshake information, don't buffer input beyond
* the end-of-line. That would break the TLS wrappermode handshake.
*/
vstream_control(state->client,
VSTREAM_CTL_BUFSIZE, 1,
VSTREAM_CTL_END);
/*
* Note: the haproxy_srvr_parse() routine performs address protocol
* checks, address and port syntax checks, and converts IPv4-in-IPv6
* address string syntax (:ffff::1.2.3.4) to IPv4 syntax where permitted
* by the main.cf:inet_protocols setting, but logs no warnings.
*/
#define ENABLE_DEADLINE 1
smtp_stream_setup(state->client, var_smtpd_uproxy_tmout, ENABLE_DEADLINE);
switch (io_err = vstream_setjmp(state->client)) {
default:
msg_panic("%s: unhandled I/O error %d", myname, io_err);
case SMTP_ERR_EOF:
msg_warn("haproxy read: unexpected EOF");
return (-1);
case SMTP_ERR_TIME:
msg_warn("haproxy read: timeout error");
return (-1);
case 0:
if (smtp_get(state->buffer, state->client, HAPROXY_MAX_LEN,
SMTP_GET_FLAG_NONE) != '\n') {
msg_warn("haproxy read: line > %d characters", HAPROXY_MAX_LEN);
return (-1);
}
if ((proxy_err = haproxy_srvr_parse(STR(state->buffer),
&smtp_client_addr, &smtp_client_port,
&smtp_server_addr, &smtp_server_port)) != 0) {
escape_buf = vstring_alloc(HAPROXY_MAX_LEN + 2);
escape(escape_buf, STR(state->buffer), LEN(state->buffer));
msg_warn("haproxy read: %s: %s", proxy_err, STR(escape_buf));
vstring_free(escape_buf);
return (-1);
}
state->addr = mystrdup(smtp_client_addr.buf);
if (strrchr(state->addr, ':') != 0) {
state->rfc_addr = concatenate(IPV6_COL, state->addr, (char *) 0);
state->addr_family = AF_INET6;
} else {
state->rfc_addr = mystrdup(state->addr);
state->addr_family = AF_INET;
}
state->port = mystrdup(smtp_client_port.buf);
/*
* The Dovecot authentication server needs the server IP address.
*/
state->dest_addr = mystrdup(smtp_server_addr.buf);
state->dest_port = mystrdup(smtp_server_port.buf);
/*
* Enable normal buffering.
*/
vstream_control(state->client,
VSTREAM_CTL_BUFSIZE, VSTREAM_BUFSIZE,
VSTREAM_CTL_END);
return (0);
}
}
int mail_copy(const char *sender,
const char *orig_rcpt,
const char *delivered,
VSTREAM *src, VSTREAM *dst,
int flags, const char *eol, DSN_BUF *why)
{
const char *myname = "mail_copy";
VSTRING *buf;
char *bp;
off_t orig_length;
int read_error;
int write_error;
int corrupt_error = 0;
time_t now;
int type;
int prev_type;
struct stat st;
off_t size_limit;
/*
* Workaround 20090114. This will hopefully get someone's attention. The
* problem with file_size_limit < message_size_limit is that mail will be
* delivered again and again until someone removes it from the queue by
* hand, because Postfix cannot mark a recipient record as "completed".
*/
if (fstat(vstream_fileno(src), &st) < 0)
msg_fatal("fstat: %m");
if ((size_limit = get_file_limit()) < st.st_size)
msg_panic("file size limit %lu < message size %lu. This "
"causes large messages to be delivered repeatedly "
"after they were submitted with \"sendmail -t\" "
"or after recipients were added with the Milter "
"SMFIR_ADDRCPT request",
(unsigned long) size_limit,
(unsigned long) st.st_size);
/*
* Initialize.
*/
#ifndef NO_TRUNCATE
if ((flags & MAIL_COPY_TOFILE) != 0)
if ((orig_length = vstream_fseek(dst, (off_t) 0, SEEK_END)) < 0)
msg_fatal("seek file %s: %m", VSTREAM_PATH(dst));
#endif
buf = vstring_alloc(100);
/*
* Prepend a bunch of headers to the message.
*/
if (flags & (MAIL_COPY_FROM | MAIL_COPY_RETURN_PATH)) {
if (sender == 0)
msg_panic("%s: null sender", myname);
quote_822_local(buf, sender);
if (flags & MAIL_COPY_FROM) {
time(&now);
vstream_fprintf(dst, "From %s %.24s%s", *sender == 0 ?
MAIL_ADDR_MAIL_DAEMON : vstring_str(buf),
asctime(localtime(&now)), eol);
}
if (flags & MAIL_COPY_RETURN_PATH) {
vstream_fprintf(dst, "Return-Path: <%s>%s",
*sender ? vstring_str(buf) : "", eol);
}
}
if (flags & MAIL_COPY_ORIG_RCPT) {
if (orig_rcpt == 0)
msg_panic("%s: null orig_rcpt", myname);
/*
* An empty original recipient record almost certainly means that
* original recipient processing was disabled.
*/
if (*orig_rcpt) {
quote_822_local(buf, orig_rcpt);
vstream_fprintf(dst, "X-Original-To: %s%s", vstring_str(buf), eol);
}
}
if (flags & MAIL_COPY_DELIVERED) {
if (delivered == 0)
msg_panic("%s: null delivered", myname);
quote_822_local(buf, delivered);
vstream_fprintf(dst, "Delivered-To: %s%s", vstring_str(buf), eol);
}
/*
* Copy the message. Escape lines that could be confused with the ugly
* From_ line. Make sure that there is a blank line at the end of the
* message so that the next ugly From_ can be found by mail reading
* software.
*
* XXX Rely on the front-end services to enforce record size limits.
*/
#define VSTREAM_FWRITE_BUF(s,b) \
vstream_fwrite((s),vstring_str(b),VSTRING_LEN(b))
prev_type = REC_TYPE_NORM;
while ((type = rec_get(src, buf, 0)) > 0) {
if (type != REC_TYPE_NORM && type != REC_TYPE_CONT)
break;
bp = vstring_str(buf);
if (prev_type == REC_TYPE_NORM) {
if ((flags & MAIL_COPY_QUOTE) && *bp == 'F' && !strncmp(bp, "From ", 5))
VSTREAM_PUTC('>', dst);
if ((flags & MAIL_COPY_DOT) && *bp == '.')
VSTREAM_PUTC('.', dst);
}
if (VSTRING_LEN(buf) && VSTREAM_FWRITE_BUF(dst, buf) != VSTRING_LEN(buf))
break;
if (type == REC_TYPE_NORM && vstream_fputs(eol, dst) == VSTREAM_EOF)
break;
prev_type = type;
}
if (vstream_ferror(dst) == 0) {
if (var_fault_inj_code == 1)
type = 0;
if (type != REC_TYPE_XTRA) {
/* XXX Where is the queue ID? */
msg_warn("bad record type: %d in message content", type);
corrupt_error = mark_corrupt(src);
}
if (prev_type != REC_TYPE_NORM)
vstream_fputs(eol, dst);
if (flags & MAIL_COPY_BLANK)
vstream_fputs(eol, dst);
}
vstring_free(buf);
/*
* Make sure we read and wrote all. Truncate the file to its original
* length when the delivery failed. POSIX does not require ftruncate(),
* so we may have a portability problem. Note that fclose() may fail even
* while fflush and fsync() succeed. Think of remote file systems such as
* AFS that copy the file back to the server upon close. Oh well, no
* point optimizing the error case. XXX On systems that use flock()
* locking, we must truncate the file file before closing it (and losing
* the exclusive lock).
*/
read_error = vstream_ferror(src);
write_error = vstream_fflush(dst);
#ifdef HAS_FSYNC
if ((flags & MAIL_COPY_TOFILE) != 0)
write_error |= fsync(vstream_fileno(dst));
#endif
if (var_fault_inj_code == 2) {
read_error = 1;
errno = ENOENT;
}
if (var_fault_inj_code == 3) {
write_error = 1;
errno = ENOENT;
}
#ifndef NO_TRUNCATE
if ((flags & MAIL_COPY_TOFILE) != 0)
if (corrupt_error || read_error || write_error)
/* Complain about ignored "undo" errors? So sue me. */
(void) ftruncate(vstream_fileno(dst), orig_length);
#endif
write_error |= vstream_fclose(dst);
/*
* Return the optional verbose error description.
*/
#define TRY_AGAIN_ERROR(errno) \
(errno == EAGAIN || errno == ESTALE)
if (why && read_error)
dsb_unix(why, TRY_AGAIN_ERROR(errno) ? "4.3.0" : "5.3.0",
sys_exits_detail(EX_IOERR)->text,
"error reading message: %m");
if (why && write_error)
dsb_unix(why, mbox_dsn(errno, "5.3.0"),
sys_exits_detail(EX_IOERR)->text,
"error writing message: %m");
/*
* Use flag+errno description when the optional verbose description is
* not desired.
*/
return ((corrupt_error ? MAIL_COPY_STAT_CORRUPT : 0)
| (read_error ? MAIL_COPY_STAT_READ : 0)
| (write_error ? MAIL_COPY_STAT_WRITE : 0));
}
static int qmgr_deliver_send_request(QMGR_ENTRY *entry, VSTREAM *stream)
{
QMGR_RCPT_LIST list = entry->rcpt_list;
QMGR_RCPT *recipient;
QMGR_MESSAGE *message = entry->message;
VSTRING *sender_buf = 0;
char *sender;
int flags;
/*
* If variable envelope return path is requested, change prefix+@origin
* into prefix+user=domain@origin. Note that with VERP there is only one
* recipient per delivery.
*/
if (message->verp_delims == 0) {
sender = message->sender;
} else {
sender_buf = vstring_alloc(100);
verp_sender(sender_buf, message->verp_delims,
message->sender, list.info->address);
sender = vstring_str(sender_buf);
}
flags = message->tflags
| (message->inspect_xport ? DEL_REQ_FLAG_BOUNCE : DEL_REQ_FLAG_DEFLT);
attr_print(stream, ATTR_FLAG_MORE,
ATTR_TYPE_NUM, MAIL_ATTR_FLAGS, flags,
ATTR_TYPE_STR, MAIL_ATTR_QUEUE, message->queue_name,
ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, message->queue_id,
ATTR_TYPE_LONG, MAIL_ATTR_OFFSET, message->data_offset,
ATTR_TYPE_LONG, MAIL_ATTR_SIZE, message->data_size,
ATTR_TYPE_STR, MAIL_ATTR_NEXTHOP, entry->queue->nexthop,
ATTR_TYPE_STR, MAIL_ATTR_ENCODING, message->encoding,
ATTR_TYPE_STR, MAIL_ATTR_SENDER, sender,
ATTR_TYPE_STR, MAIL_ATTR_ERRTO, message->errors_to,
ATTR_TYPE_STR, MAIL_ATTR_RRCPT, message->return_receipt,
ATTR_TYPE_LONG, MAIL_ATTR_TIME, message->arrival_time,
ATTR_TYPE_STR, MAIL_ATTR_CLIENT_NAME, message->client_name,
ATTR_TYPE_STR, MAIL_ATTR_CLIENT_ADDR, message->client_addr,
ATTR_TYPE_STR, MAIL_ATTR_PROTO_NAME, message->client_proto,
ATTR_TYPE_STR, MAIL_ATTR_HELO_NAME, message->client_helo,
ATTR_TYPE_END);
if (sender_buf != 0)
vstring_free(sender_buf);
for (recipient = list.info; recipient < list.info + list.len; recipient++)
attr_print(stream, ATTR_FLAG_MORE,
ATTR_TYPE_LONG, MAIL_ATTR_OFFSET, recipient->offset,
ATTR_TYPE_STR, MAIL_ATTR_ORCPT, recipient->orig_rcpt,
ATTR_TYPE_STR, MAIL_ATTR_RECIP, recipient->address,
ATTR_TYPE_END);
attr_print(stream, ATTR_FLAG_NONE,
ATTR_TYPE_NUM, MAIL_ATTR_OFFSET, 0,
ATTR_TYPE_END);
if (vstream_fflush(stream) != 0) {
msg_warn("write to process (%s): %m", entry->queue->transport->name);
return (-1);
} else {
if (msg_verbose)
msg_info("qmgr_deliver: site `%s'", entry->queue->name);
return (0);
}
}
/**********************************************************************
* public interface dict_mysql_lookup
* find database entry return 0 if no alias found, set dict_errno
* on errors to DICT_ERRBO_RETRY and set dict_errno to 0 on success
*********************************************************************/
static const char *dict_mysql_lookup(DICT *dict, const char *name)
{
MYSQL_RES *query_res;
MYSQL_ROW row;
DICT_MYSQL *dict_mysql;
PLMYSQL *pldb;
static VSTRING *result;
static VSTRING *query = 0;
int i,
j,
numrows;
char *name_escaped = 0;
dict_mysql = (DICT_MYSQL *) dict;
pldb = dict_mysql->pldb;
/* initialization for query */
query = vstring_alloc(24);
vstring_strcpy(query, "");
if ((name_escaped = (char *) mymalloc((sizeof(char) * (strlen(name) * 2) +1))) == NULL) {
msg_fatal("dict_mysql_lookup: out of memory.");
}
/* prepare the query */
mysql_escape_string(name_escaped, name, (unsigned int) strlen(name));
vstring_sprintf(query, "select %s from %s where %s = '%s' %s", dict_mysql->name->select_field,
dict_mysql->name->table, dict_mysql->name->where_field, name_escaped,
dict_mysql->name->additional_conditions);
if (msg_verbose)
msg_info("dict_mysql_lookup using sql query: %s", vstring_str(query));
/* free mem associated with preparing the query */
myfree(name_escaped);
/* do the query - set dict_errno & cleanup if there's an error */
if ((query_res = plmysql_query(pldb,
vstring_str(query),
dict_mysql->name->dbname,
dict_mysql->name->username,
dict_mysql->name->password)) == 0) {
dict_errno = DICT_ERR_RETRY;
vstring_free(query);
return 0;
}
dict_errno = 0;
/* free the vstring query */
vstring_free(query);
numrows = mysql_num_rows(query_res);
if (msg_verbose)
msg_info("dict_mysql_lookup: retrieved %d rows", numrows);
if (numrows == 0) {
mysql_free_result(query_res);
return 0;
}
if (result == 0)
result = vstring_alloc(10);
vstring_strcpy(result, "");
for (i = 0; i < numrows; i++) {
row = mysql_fetch_row(query_res);
if (i > 0)
vstring_strcat(result, ",");
for (j = 0; j < mysql_num_fields(query_res); j++) {
if (row[j] == 0) {
if (msg_verbose > 1)
msg_info("dict_mysql_lookup: null field #%d row #%d", j, i);
mysql_free_result(query_res);
return (0);
}
if (j > 0)
vstring_strcat(result, ",");
vstring_strcat(result, row[j]);
if (msg_verbose > 1)
msg_info("dict_mysql_lookup: retrieved field: %d: %s", j, row[j]);
}
}
mysql_free_result(query_res);
return vstring_str(result);
}
static void qmgr_deliver_update(int unused_event, char *context)
{
QMGR_ENTRY *entry = (QMGR_ENTRY *) context;
QMGR_QUEUE *queue = entry->queue;
QMGR_TRANSPORT *transport = queue->transport;
QMGR_MESSAGE *message = entry->message;
VSTRING *reason = vstring_alloc(1);
int status;
/*
* The message transport has responded. Stop the watchdog timer.
*/
event_cancel_timer(qmgr_deliver_abort, context);
/*
* Retrieve the delivery agent status report. The numerical status code
* indicates if delivery should be tried again. The reason text is sent
* only when a site should be avoided for a while, so that the queue
* manager can log why it does not even try to schedule delivery to the
* affected recipients.
*/
status = qmgr_deliver_final_reply(entry->stream, reason);
/*
* The mail delivery process failed for some reason (although delivery
* may have been successful). Back off with this transport type for a
* while. Dispose of queue entries for this transport that await
* selection (the todo lists). Stay away from queue entries that have
* been selected (the busy lists), or we would have dangling pointers.
* The queue itself won't go away before we dispose of the current queue
* entry.
*/
if (status == DELIVER_STAT_CRASH) {
message->flags |= DELIVER_STAT_DEFER;
qmgr_transport_throttle(transport, "unknown mail transport error");
msg_warn("transport %s failure -- see a previous warning/fatal/panic logfile record for the problem description",
transport->name);
qmgr_defer_transport(transport, transport->reason);
}
/*
* This message must be tried again.
*
* If we have a problem talking to this site, back off with this site for a
* while; dispose of queue entries for this site that await selection
* (the todo list); stay away from queue entries that have been selected
* (the busy list), or we would have dangling pointers. The queue itself
* won't go away before we dispose of the current queue entry.
*/
if (status == DELIVER_STAT_DEFER) {
message->flags |= DELIVER_STAT_DEFER;
if (VSTRING_LEN(reason)) {
qmgr_queue_throttle(queue, vstring_str(reason));
if (queue->window == 0)
qmgr_defer_todo(queue, queue->reason);
}
}
/*
* No problems detected. Mark the transport and queue as alive. The queue
* itself won't go away before we dispose of the current queue entry.
*/
if (VSTRING_LEN(reason) == 0) {
qmgr_transport_unthrottle(transport);
qmgr_queue_unthrottle(queue);
}
/*
* Release the delivery process, and give some other queue entry a chance
* to be delivered. When all recipients for a message have been tried,
* decide what to do next with this message: defer, bounce, delete.
*/
event_disable_readwrite(vstream_fileno(entry->stream));
if (vstream_fclose(entry->stream) != 0)
msg_warn("qmgr_deliver_update: close delivery stream: %m");
entry->stream = 0;
qmgr_deliver_concurrency--;
qmgr_entry_done(entry, QMGR_QUEUE_BUSY);
vstring_free(reason);
}
int bounce_one_service(int flags, char *queue_name, char *queue_id,
char *encoding, char *orig_sender,
char *dsn_envid, int dsn_ret,
RCPT_BUF *rcpt_buf, DSN_BUF *dsn_buf,
BOUNCE_TEMPLATES *ts)
{
BOUNCE_INFO *bounce_info;
int bounce_status = 1;
int postmaster_status = 1;
VSTREAM *bounce;
int notify_mask = name_mask(VAR_NOTIFY_CLASSES, mail_error_masks,
var_notify_classes);
VSTRING *new_id = vstring_alloc(10);
/*
* Initialize. Open queue file, bounce log, etc.
*/
bounce_info = bounce_mail_one_init(queue_name, queue_id, encoding,
dsn_envid, rcpt_buf, dsn_buf,
ts->failure);
#define NULL_SENDER MAIL_ADDR_EMPTY /* special address */
#define NULL_TRACE_FLAGS 0
/*
* The choice of bounce sender address depends on the original sender
* address. For a single bounce (a non-delivery notification to the
* message originator), the sender address is the empty string. For a
* double bounce (typically a failed single bounce, or a postmaster
* notification that was produced by any of the mail processes) the
* sender address is defined by the var_double_bounce_sender
* configuration variable. When a double bounce cannot be delivered, the
* queue manager blackholes the resulting triple bounce message.
*/
/*
* Double bounce failed. Never send a triple bounce.
*
* However, this does not prevent double bounces from bouncing on other
* systems. In order to cope with this, either the queue manager must
* recognize the double-bounce original sender address and discard mail,
* or every delivery agent must recognize the double-bounce sender
* address and substitute something else so mail does not come back at
* us.
*/
if (strcasecmp(orig_sender, mail_addr_double_bounce()) == 0) {
msg_warn("%s: undeliverable postmaster notification discarded",
queue_id);
bounce_status = 0;
}
/*
* Single bounce failed. Optionally send a double bounce to postmaster,
* subject to notify_classes restrictions.
*/
#define ANY_BOUNCE (MAIL_ERROR_2BOUNCE | MAIL_ERROR_BOUNCE)
#define SEND_POSTMASTER_ANY_BOUNCE_NOTICE (notify_mask & ANY_BOUNCE)
else if (*orig_sender == 0) {
if (!SEND_POSTMASTER_ANY_BOUNCE_NOTICE) {
bounce_status = 0;
} else {
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
var_2bounce_rcpt,
INT_FILT_MASK_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
/*
* Double bounce to Postmaster. This is the last opportunity
* for this message to be delivered. Send the text with
* reason for the bounce, and the headers of the original
* message. Don't bother sending the boiler-plate text.
*/
if (!bounce_header(bounce, bounce_info, var_2bounce_rcpt,
POSTMASTER_COPY)
&& bounce_recipient_log(bounce, bounce_info) == 0
&& bounce_header_dsn(bounce, bounce_info) == 0
&& bounce_recipient_dsn(bounce, bounce_info) == 0)
bounce_original(bounce, bounce_info, DSN_RET_FULL);
bounce_status = post_mail_fclose(bounce);
if (bounce_status == 0)
msg_info("%s: postmaster non-delivery notification: %s",
queue_id, STR(new_id));
}
}
}
/*
* Non-bounce failed. Send a single bounce, subject to DSN NOTIFY
* restrictions.
*/
else {
RECIPIENT *rcpt = &bounce_info->rcpt_buf->rcpt;
if (rcpt->dsn_notify != 0 /* compat */
&& (rcpt->dsn_notify & DSN_NOTIFY_FAILURE) == 0) {
bounce_status = 0;
} else {
if ((bounce = post_mail_fopen_nowait(NULL_SENDER, orig_sender,
INT_FILT_MASK_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
/*
* Send the bounce message header, some boilerplate text that
* pretends that we are a polite mail system, the text with
* reason for the bounce, and a copy of the original message.
*/
if (bounce_header(bounce, bounce_info, orig_sender,
NO_POSTMASTER_COPY) == 0
&& bounce_boilerplate(bounce, bounce_info) == 0
&& bounce_recipient_log(bounce, bounce_info) == 0
&& bounce_header_dsn(bounce, bounce_info) == 0
&& bounce_recipient_dsn(bounce, bounce_info) == 0)
bounce_original(bounce, bounce_info, dsn_ret ?
dsn_ret : DSN_RET_FULL);
bounce_status = post_mail_fclose(bounce);
if (bounce_status == 0)
msg_info("%s: sender non-delivery notification: %s",
queue_id, STR(new_id));
}
}
/*
* Optionally send a postmaster notice, subject to notify_classes
* restrictions.
*
* This postmaster notice is not critical, so if it fails don't
* retransmit the bounce that we just generated, just log a warning.
*/
#define SEND_POSTMASTER_SINGLE_BOUNCE_NOTICE (notify_mask & MAIL_ERROR_BOUNCE)
if (bounce_status == 0 && SEND_POSTMASTER_SINGLE_BOUNCE_NOTICE
&& strcasecmp(orig_sender, mail_addr_double_bounce()) != 0) {
/*
* Send the text with reason for the bounce, and the headers of
* the original message. Don't bother sending the boiler-plate
* text. This postmaster notice is not critical, so if it fails
* don't retransmit the bounce that we just generated, just log a
* warning.
*/
if ((bounce = post_mail_fopen_nowait(mail_addr_double_bounce(),
var_bounce_rcpt,
INT_FILT_MASK_BOUNCE,
NULL_TRACE_FLAGS,
new_id)) != 0) {
if (bounce_header(bounce, bounce_info, var_bounce_rcpt,
POSTMASTER_COPY) == 0
&& bounce_recipient_log(bounce, bounce_info) == 0
&& bounce_header_dsn(bounce, bounce_info) == 0
&& bounce_recipient_dsn(bounce, bounce_info) == 0)
bounce_original(bounce, bounce_info, DSN_RET_HDRS);
postmaster_status = post_mail_fclose(bounce);
if (postmaster_status == 0)
msg_info("%s: postmaster non-delivery notification: %s",
queue_id, STR(new_id));
}
if (postmaster_status)
msg_warn("%s: postmaster notice failed while bouncing to %s",
queue_id, orig_sender);
}
}
/*
* Optionally, delete the recipient from the queue file.
*/
if (bounce_status == 0 && (flags & BOUNCE_FLAG_DELRCPT))
bounce_delrcpt_one(bounce_info);
/*
* Cleanup.
*/
bounce_mail_free(bounce_info);
vstring_free(new_id);
return (bounce_status);
}
ARGV *mail_addr_map(MAPS *path, const char *address, int propagate)
{
VSTRING *buffer = 0;
const char *myname = "mail_addr_map";
const char *string;
char *ratsign;
char *extension = 0;
ARGV *argv = 0;
int i;
/*
* Look up the full address; if no match is found, look up the address
* with the extension stripped off, and remember the unmatched extension.
*/
if ((string = mail_addr_find(path, address, &extension)) != 0) {
/*
* Prepend the original user to @otherdomain, but do not propagate
* the unmatched address extension.
*/
if (*string == '@') {
buffer = vstring_alloc(100);
if ((ratsign = strrchr(address, '@')) != 0)
vstring_strncpy(buffer, address, ratsign - address);
else
vstring_strcpy(buffer, address);
if (extension)
vstring_truncate(buffer, LEN(buffer) - strlen(extension));
vstring_strcat(buffer, string);
string = STR(buffer);
}
/*
* Canonicalize and externalize the result, and propagate the
* unmatched extension to each address found.
*/
argv = mail_addr_crunch(string, propagate ? extension : 0);
if (buffer)
vstring_free(buffer);
if (msg_verbose)
for (i = 0; i < argv->argc; i++)
msg_info("%s: %s -> %d: %s", myname, address, i, argv->argv[i]);
if (argv->argc == 0) {
msg_warn("%s lookup of %s returns non-address result \"%s\"",
path->title, address, string);
argv = argv_free(argv);
path->error = DICT_ERR_RETRY;
}
}
/*
* No match found.
*/
else {
if (msg_verbose)
msg_info("%s: %s -> %s", myname, address,
path->error ? "(try again)" : "(not found)");
}
/*
* Cleanup.
*/
if (extension)
myfree(extension);
return (argv);
}
static void dict_nis_close(DICT *dict)
{
if (dict->fold_buf)
vstring_free(dict->fold_buf);
dict_free(dict);
}
NORETURN single_server_main(int argc, char **argv, SINGLE_SERVER_FN service,...)
{
const char *myname = "single_server_main";
VSTREAM *stream = 0;
char *root_dir = 0;
char *user_name = 0;
int debug_me = 0;
int daemon_mode = 1;
char *service_name = basename(argv[0]);
int delay;
int c;
int socket_count = 1;
int fd;
va_list ap;
MAIL_SERVER_INIT_FN pre_init = 0;
MAIL_SERVER_INIT_FN post_init = 0;
MAIL_SERVER_LOOP_FN loop = 0;
int key;
char *transport = 0;
char *lock_path;
VSTRING *why;
int alone = 0;
int zerolimit = 0;
WATCHDOG *watchdog;
char *oname_val;
char *oname;
char *oval;
const char *err;
char *generation;
int msg_vstream_needed = 0;
int redo_syslog_init = 0;
const char *dsn_filter_title;
const char **dsn_filter_maps;
/*
* Process environment options as early as we can.
*/
if (getenv(CONF_ENV_VERB))
msg_verbose = 1;
if (getenv(CONF_ENV_DEBUG))
debug_me = 1;
/*
* Don't die when a process goes away unexpectedly.
*/
signal(SIGPIPE, SIG_IGN);
/*
* Don't die for frivolous reasons.
*/
#ifdef SIGXFSZ
signal(SIGXFSZ, SIG_IGN);
#endif
/*
* May need this every now and then.
*/
var_procname = mystrdup(basename(argv[0]));
set_mail_conf_str(VAR_PROCNAME, var_procname);
/*
* Initialize logging and exit handler. Do the syslog first, so that its
* initialization completes before we enter the optional chroot jail.
*/
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
if (msg_verbose)
msg_info("daemon started");
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Initialize from the configuration file. Allow command-line options to
* override compiled-in defaults or configured parameter values.
*/
mail_conf_suck();
/*
* After database open error, continue execution with reduced
* functionality.
*/
dict_allow_surrogate = 1;
/*
* Pick up policy settings from master process. Shut up error messages to
* stderr, because no-one is going to see them.
*/
opterr = 0;
while ((c = GETOPT(argc, argv, "cdDi:lm:n:o:s:St:uvVz")) > 0) {
switch (c) {
case 'c':
root_dir = "setme";
break;
case 'd':
daemon_mode = 0;
break;
case 'D':
debug_me = 1;
break;
case 'i':
mail_conf_update(VAR_MAX_IDLE, optarg);
break;
case 'l':
alone = 1;
break;
case 'm':
mail_conf_update(VAR_MAX_USE, optarg);
break;
case 'n':
service_name = optarg;
break;
case 'o':
oname_val = mystrdup(optarg);
if ((err = split_nameval(oname_val, &oname, &oval)) != 0)
msg_fatal("invalid \"-o %s\" option value: %s", optarg, err);
mail_conf_update(oname, oval);
if (strcmp(oname, VAR_SYSLOG_NAME) == 0)
redo_syslog_init = 1;
myfree(oname_val);
break;
case 's':
if ((socket_count = atoi(optarg)) <= 0)
msg_fatal("invalid socket_count: %s", optarg);
break;
case 'S':
stream = VSTREAM_IN;
break;
case 'u':
user_name = "setme";
break;
case 't':
transport = optarg;
break;
case 'v':
msg_verbose++;
break;
case 'V':
if (++msg_vstream_needed == 1)
msg_vstream_init(mail_task(var_procname), VSTREAM_ERR);
break;
case 'z':
zerolimit = 1;
break;
default:
msg_fatal("invalid option: %c", c);
break;
}
}
/*
* Initialize generic parameters.
*/
mail_params_init();
if (redo_syslog_init)
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
/*
* Register higher-level dictionaries and initialize the support for
* dynamically-loaded dictionarles.
*/
mail_dict_init();
/*
* If not connected to stdin, stdin must not be a terminal.
*/
if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
msg_vstream_init(var_procname, VSTREAM_ERR);
msg_fatal("do not run this command by hand-3");
}
/*
* Application-specific initialization.
*/
va_start(ap, service);
while ((key = va_arg(ap, int)) != 0) {
switch (key) {
case MAIL_SERVER_INT_TABLE:
get_mail_conf_int_table(va_arg(ap, CONFIG_INT_TABLE *));
break;
case MAIL_SERVER_LONG_TABLE:
get_mail_conf_long_table(va_arg(ap, CONFIG_LONG_TABLE *));
break;
case MAIL_SERVER_STR_TABLE:
get_mail_conf_str_table(va_arg(ap, CONFIG_STR_TABLE *));
break;
case MAIL_SERVER_BOOL_TABLE:
get_mail_conf_bool_table(va_arg(ap, CONFIG_BOOL_TABLE *));
break;
case MAIL_SERVER_TIME_TABLE:
get_mail_conf_time_table(va_arg(ap, CONFIG_TIME_TABLE *));
break;
case MAIL_SERVER_RAW_TABLE:
get_mail_conf_raw_table(va_arg(ap, CONFIG_RAW_TABLE *));
break;
case MAIL_SERVER_NINT_TABLE:
get_mail_conf_nint_table(va_arg(ap, CONFIG_NINT_TABLE *));
break;
case MAIL_SERVER_NBOOL_TABLE:
get_mail_conf_nbool_table(va_arg(ap, CONFIG_NBOOL_TABLE *));
break;
case MAIL_SERVER_PRE_INIT:
pre_init = va_arg(ap, MAIL_SERVER_INIT_FN);
break;
case MAIL_SERVER_POST_INIT:
post_init = va_arg(ap, MAIL_SERVER_INIT_FN);
break;
case MAIL_SERVER_LOOP:
loop = va_arg(ap, MAIL_SERVER_LOOP_FN);
break;
case MAIL_SERVER_EXIT:
single_server_onexit = va_arg(ap, MAIL_SERVER_EXIT_FN);
break;
case MAIL_SERVER_PRE_ACCEPT:
single_server_pre_accept = va_arg(ap, MAIL_SERVER_ACCEPT_FN);
break;
case MAIL_SERVER_IN_FLOW_DELAY:
single_server_in_flow_delay = 1;
break;
case MAIL_SERVER_SOLITARY:
if (stream == 0 && !alone)
msg_fatal("service %s requires a process limit of 1",
service_name);
break;
case MAIL_SERVER_UNLIMITED:
if (stream == 0 && !zerolimit)
msg_fatal("service %s requires a process limit of 0",
service_name);
break;
case MAIL_SERVER_PRIVILEGED:
if (user_name)
msg_fatal("service %s requires privileged operation",
service_name);
break;
case MAIL_SERVER_BOUNCE_INIT:
dsn_filter_title = va_arg(ap, const char *);
dsn_filter_maps = va_arg(ap, const char **);
bounce_client_init(dsn_filter_title, *dsn_filter_maps);
break;
default:
msg_panic("%s: unknown argument type: %d", myname, key);
}
}
va_end(ap);
if (root_dir)
root_dir = var_queue_dir;
if (user_name)
user_name = var_mail_owner;
/*
* Can options be required?
*/
if (stream == 0) {
if (transport == 0)
msg_fatal("no transport type specified");
if (strcasecmp(transport, MASTER_XPORT_NAME_INET) == 0)
single_server_accept = single_server_accept_inet;
else if (strcasecmp(transport, MASTER_XPORT_NAME_UNIX) == 0)
single_server_accept = single_server_accept_local;
#ifdef MASTER_XPORT_NAME_PASS
else if (strcasecmp(transport, MASTER_XPORT_NAME_PASS) == 0)
single_server_accept = single_server_accept_pass;
#endif
else
msg_fatal("unsupported transport type: %s", transport);
}
/*
* Retrieve process generation from environment.
*/
if ((generation = getenv(MASTER_GEN_NAME)) != 0) {
if (!alldig(generation))
msg_fatal("bad generation: %s", generation);
OCTAL_TO_UNSIGNED(single_server_generation, generation);
if (msg_verbose)
msg_info("process generation: %s (%o)",
generation, single_server_generation);
}
/*
* Optionally start the debugger on ourself.
*/
if (debug_me)
debug_process();
/*
* Traditionally, BSD select() can't handle multiple processes selecting
* on the same socket, and wakes up every process in select(). See TCP/IP
* Illustrated volume 2 page 532. We avoid select() collisions with an
* external lock file.
*/
if (stream == 0 && !alone) {
lock_path = concatenate(DEF_PID_DIR, "/", transport,
".", service_name, (void *) 0);
why = vstring_alloc(1);
if ((single_server_lock = safe_open(lock_path, O_CREAT | O_RDWR, 0600,
(struct stat *) 0, -1, -1, why)) == 0)
msg_fatal("open lock file %s: %s", lock_path, vstring_str(why));
close_on_exec(vstream_fileno(single_server_lock), CLOSE_ON_EXEC);
myfree(lock_path);
vstring_free(why);
}
/*
* Set up call-back info.
*/
single_server_service = service;
single_server_name = service_name;
single_server_argv = argv + optind;
/*
* Run pre-jail initialization.
*/
if (chdir(var_queue_dir) < 0)
msg_fatal("chdir(\"%s\"): %m", var_queue_dir);
if (pre_init)
pre_init(single_server_name, single_server_argv);
/*
* Optionally, restrict the damage that this process can do.
*/
resolve_local_init();
tzset();
chroot_uid(root_dir, user_name);
/*
* Run post-jail initialization.
*/
if (post_init)
post_init(single_server_name, single_server_argv);
/*
* Are we running as a one-shot server with the client connection on
* standard input? If so, make sure the output is written to stdout so as
* to satisfy common expectation.
*/
if (stream != 0) {
vstream_control(stream,
CA_VSTREAM_CTL_DOUBLE,
CA_VSTREAM_CTL_WRITE_FD(STDOUT_FILENO),
CA_VSTREAM_CTL_END);
service(stream, single_server_name, single_server_argv);
vstream_fflush(stream);
single_server_exit();
}
/*
* Running as a semi-resident server. Service connection requests.
* Terminate when we have serviced a sufficient number of clients, when
* no-one has been talking to us for a configurable amount of time, or
* when the master process terminated abnormally.
*/
if (var_idle_limit > 0)
event_request_timer(single_server_timeout, (void *) 0, var_idle_limit);
for (fd = MASTER_LISTEN_FD; fd < MASTER_LISTEN_FD + socket_count; fd++) {
event_enable_read(fd, single_server_accept, CAST_INT_TO_VOID_PTR(fd));
close_on_exec(fd, CLOSE_ON_EXEC);
}
event_enable_read(MASTER_STATUS_FD, single_server_abort, (void *) 0);
close_on_exec(MASTER_STATUS_FD, CLOSE_ON_EXEC);
close_on_exec(MASTER_FLOW_READ, CLOSE_ON_EXEC);
close_on_exec(MASTER_FLOW_WRITE, CLOSE_ON_EXEC);
watchdog = watchdog_create(var_daemon_timeout, (WATCHDOG_FN) 0, (void *) 0);
/*
* The event loop, at last.
*/
while (var_use_limit == 0 || use_count < var_use_limit) {
if (single_server_lock != 0) {
watchdog_stop(watchdog);
if (myflock(vstream_fileno(single_server_lock), INTERNAL_LOCK,
MYFLOCK_OP_EXCLUSIVE) < 0)
msg_fatal("select lock: %m");
}
watchdog_start(watchdog);
delay = loop ? loop(single_server_name, single_server_argv) : -1;
event_loop(delay);
}
single_server_exit();
}
static int ial_siocglif(INET_ADDR_LIST *addr_list,
INET_ADDR_LIST *mask_list,
int af)
{
const char *myname = "inet_addr_local[siocglif]";
struct lifconf lifc;
struct lifreq *lifr;
struct lifreq *lifr_mask;
struct lifreq *the_end;
struct sockaddr *sa;
int sock;
VSTRING *buf;
/*
* See also comments in ial_siocgif()
*/
if (af != AF_INET && af != AF_INET6)
msg_fatal("%s: address family was %d, must be AF_INET (%d) or "
"AF_INET6 (%d)", myname, af, AF_INET, AF_INET6);
sock = ial_socket(af);
if (sock < 0)
return (0);
buf = vstring_alloc(1024);
for (;;) {
memset(&lifc, 0, sizeof(lifc));
lifc.lifc_family = AF_UNSPEC; /* XXX Why??? */
lifc.lifc_len = vstring_avail(buf);
lifc.lifc_buf = vstring_str(buf);
if (ioctl(sock, SIOCGLIFCONF, (char *) &lifc) < 0) {
if (errno != EINVAL)
msg_fatal("%s: ioctl SIOCGLIFCONF: %m", myname);
} else if (lifc.lifc_len < vstring_avail(buf) / 2)
break;
VSTRING_SPACE(buf, vstring_avail(buf) * 2);
}
the_end = (struct lifreq *) (lifc.lifc_buf + lifc.lifc_len);
for (lifr = lifc.lifc_req; lifr < the_end;) {
sa = (struct sockaddr *) &lifr->lifr_addr;
if (sa->sa_family != af) {
lifr = NEXT_INTERFACE(lifr);
continue;
}
if (af == AF_INET) {
if (SOCK_ADDR_IN_ADDR(sa).s_addr == INADDR_ANY) {
lifr = NEXT_INTERFACE(lifr);
continue;
}
#ifdef HAS_IPV6
} else if (af == AF_INET6) {
if (IN6_IS_ADDR_UNSPECIFIED(&SOCK_ADDR_IN6_ADDR(sa))) {
lifr = NEXT_INTERFACE(lifr);
continue;
}
}
#endif
inet_addr_list_append(addr_list, sa);
if (mask_list) {
lifr_mask = (struct lifreq *) mymalloc(sizeof(struct lifreq));
memcpy((void *) lifr_mask, (void *) lifr, sizeof(struct lifreq));
if (ioctl(sock, SIOCGLIFNETMASK, lifr_mask) < 0)
msg_fatal("%s: ioctl(SIOCGLIFNETMASK): %m", myname);
/* XXX: Check whether sa_len/family are honoured --dcs */
inet_addr_list_append(mask_list,
(struct sockaddr *) &lifr_mask->lifr_addr);
myfree((void *) lifr_mask);
}
lifr = NEXT_INTERFACE(lifr);
}
vstring_free(buf);
(void) close(sock);
return (0);
}
static void pre_jail_init(char *unused_name, char **unused_argv)
{
VSTRING *redirect;
/*
* Open read-only maps before dropping privilege, for consistency with
* other Postfix daemons.
*/
psc_acl_pre_jail_init(var_mynetworks, VAR_PSC_ACL);
if (*var_psc_acl)
psc_acl = psc_acl_parse(var_psc_acl, VAR_PSC_ACL);
/* Ignore smtpd_forbid_cmds lookup errors. Non-critical feature. */
if (*var_psc_forbid_cmds)
psc_forbid_cmds = string_list_init(MATCH_FLAG_RETURN,
var_psc_forbid_cmds);
if (*var_psc_dnsbl_reply)
psc_dnsbl_reply = dict_open(var_psc_dnsbl_reply, O_RDONLY,
DICT_FLAG_DUP_WARN);
/*
* Never, ever, get killed by a master signal, as that would corrupt the
* database when we're in the middle of an update.
*/
if (setsid() < 0)
msg_warn("setsid: %m");
/*
* Security: don't create root-owned files that contain untrusted data.
* And don't create Postfix-owned files in root-owned directories,
* either. We want a correct relationship between (file or directory)
* ownership and (file or directory) content. To open files before going
* to jail, temporarily drop root privileges.
*/
SAVE_AND_SET_EUGID(var_owner_uid, var_owner_gid);
redirect = vstring_alloc(100);
/*
* Keep state in persistent external map. As a safety measure we sync the
* database on each update. This hurts on LINUX file systems that sync
* all dirty disk blocks whenever any application invokes fsync().
*
* Start the cache maintenance pseudo thread after dropping privileges.
*/
#define PSC_DICT_OPEN_FLAGS (DICT_FLAG_DUP_REPLACE | DICT_FLAG_SYNC_UPDATE | \
DICT_FLAG_OPEN_LOCK)
if (*var_psc_cache_map)
psc_cache_map =
dict_cache_open(data_redirect_map(redirect, var_psc_cache_map),
O_CREAT | O_RDWR, PSC_DICT_OPEN_FLAGS);
/*
* Clean up and restore privilege.
*/
vstring_free(redirect);
RESTORE_SAVED_EUGID();
/*
* Initialize the dummy SMTP engine.
*/
psc_smtpd_pre_jail_init();
}
static int ial_siocgif(INET_ADDR_LIST *addr_list,
INET_ADDR_LIST *mask_list,
int af)
{
const char *myname = "inet_addr_local[siocgif]";
struct in_addr addr;
struct ifconf ifc;
struct ifreq *ifr;
struct ifreq *ifr_mask;
struct ifreq *the_end;
int sock;
VSTRING *buf;
/*
* Get the network interface list. XXX The socket API appears to have no
* function that returns the number of network interfaces, so we have to
* guess how much space is needed to store the result.
*
* On BSD-derived systems, ioctl SIOCGIFCONF returns as much information as
* possible, leaving it up to the application to repeat the request with
* a larger buffer if the result caused a tight fit.
*
* Other systems, such as Solaris 2.5, generate an EINVAL error when the
* buffer is too small for the entire result. Workaround: ignore EINVAL
* errors and repeat the request with a larger buffer. The downside is
* that the program can run out of memory due to a non-memory problem,
* making it more difficult than necessary to diagnose the real problem.
*/
sock = ial_socket(af);
if (sock < 0)
return (0);
buf = vstring_alloc(1024);
for (;;) {
ifc.ifc_len = vstring_avail(buf);
ifc.ifc_buf = vstring_str(buf);
if (ioctl(sock, SIOCGIFCONF, (char *) &ifc) < 0) {
if (errno != EINVAL)
msg_fatal("%s: ioctl SIOCGIFCONF: %m", myname);
} else if (ifc.ifc_len < vstring_avail(buf) / 2)
break;
VSTRING_SPACE(buf, vstring_avail(buf) * 2);
}
the_end = (struct ifreq *) (ifc.ifc_buf + ifc.ifc_len);
for (ifr = ifc.ifc_req; ifr < the_end;) {
if (ifr->ifr_addr.sa_family != af) {
ifr = NEXT_INTERFACE(ifr);
continue;
}
if (af == AF_INET) {
addr = ((struct sockaddr_in *) & ifr->ifr_addr)->sin_addr;
if (addr.s_addr != INADDR_ANY) {
inet_addr_list_append(addr_list, &ifr->ifr_addr);
if (mask_list) {
ifr_mask = (struct ifreq *) mymalloc(IFREQ_SIZE(ifr));
memcpy((void *) ifr_mask, (void *) ifr, IFREQ_SIZE(ifr));
if (ioctl(sock, SIOCGIFNETMASK, ifr_mask) < 0)
msg_fatal("%s: ioctl SIOCGIFNETMASK: %m", myname);
/*
* Note that this SIOCGIFNETMASK has truly screwed up the
* contents of sa_len/sa_family. We must fix this
* manually to have correct addresses. --dcs
*/
ifr_mask->ifr_addr.sa_family = af;
#ifdef HAS_SA_LEN
ifr_mask->ifr_addr.sa_len = sizeof(struct sockaddr_in);
#endif
inet_addr_list_append(mask_list, &ifr_mask->ifr_addr);
myfree((void *) ifr_mask);
}
}
}
#ifdef HAS_IPV6
else if (af == AF_INET6) {
struct sockaddr *sa;
sa = SOCK_ADDR_PTR(&ifr->ifr_addr);
if (!(IN6_IS_ADDR_UNSPECIFIED(&SOCK_ADDR_IN6_ADDR(sa)))) {
inet_addr_list_append(addr_list, sa);
if (mask_list) {
/* XXX Assume /128 for everything */
struct sockaddr_in6 mask6;
mask6 = *SOCK_ADDR_IN6_PTR(sa);
memset((void *) &mask6.sin6_addr, ~0,
sizeof(mask6.sin6_addr));
inet_addr_list_append(mask_list, SOCK_ADDR_PTR(&mask6));
}
}
}
#endif
ifr = NEXT_INTERFACE(ifr);
}
vstring_free(buf);
(void) close(sock);
return (0);
}
static void cleanup_service(VSTREAM *src, char *unused_service, char **argv)
{
VSTRING *buf = vstring_alloc(100);
CLEANUP_STATE *state;
int flags;
int type = 0;
int status;
/*
* Sanity check. This service takes no command-line arguments.
*/
if (argv[0])
msg_fatal("unexpected command-line argument: %s", argv[0]);
/*
* Open a queue file and initialize state.
*/
state = cleanup_open(src);
/*
* Send the queue id to the client. Read client processing options. If we
* can't read the client processing options we can pretty much forget
* about the whole operation.
*/
attr_print(src, ATTR_FLAG_NONE,
SEND_ATTR_STR(MAIL_ATTR_QUEUEID, state->queue_id),
ATTR_TYPE_END);
if (attr_scan(src, ATTR_FLAG_STRICT,
RECV_ATTR_INT(MAIL_ATTR_FLAGS, &flags),
ATTR_TYPE_END) != 1) {
state->errs |= CLEANUP_STAT_BAD;
flags = 0;
}
cleanup_control(state, flags);
/*
* XXX Rely on the front-end programs to enforce record size limits.
*
* First, copy the envelope records to the queue file. Then, copy the
* message content (headers and body). Finally, attach any information
* extracted from message headers.
*/
while (CLEANUP_OUT_OK(state)) {
if ((type = rec_get_raw(src, buf, 0, REC_FLAG_NONE)) < 0) {
state->errs |= CLEANUP_STAT_BAD;
break;
}
if (REC_GET_HIDDEN_TYPE(type)) {
msg_warn("%s: record type %d not allowed - discarding this message",
state->queue_id, type);
state->errs |= CLEANUP_STAT_BAD;
break;
}
CLEANUP_RECORD(state, type, vstring_str(buf), VSTRING_LEN(buf));
if (type == REC_TYPE_END)
break;
}
/*
* Keep reading in case of problems, until the sender is ready to receive
* our status report.
*/
if (CLEANUP_OUT_OK(state) == 0 && type > 0) {
while (type != REC_TYPE_END
&& (type = rec_get_raw(src, buf, 0, REC_FLAG_NONE)) > 0) {
if (type == REC_TYPE_MILT_COUNT) {
int milter_count = atoi(vstring_str(buf));
/* Avoid deadlock. */
if (milter_count >= 0)
cleanup_milter_receive(state, milter_count);
}
}
}
/*
* Log something to make timeout errors easier to debug.
*/
if (vstream_ftimeout(src))
msg_warn("%s: read timeout on %s",
state->queue_id, VSTREAM_PATH(src));
/*
* Finish this message, and report the result status to the client.
*/
status = cleanup_flush(state); /* in case state is modified */
attr_print(src, ATTR_FLAG_NONE,
SEND_ATTR_INT(MAIL_ATTR_STATUS, status),
SEND_ATTR_STR(MAIL_ATTR_WHY,
(state->flags & CLEANUP_FLAG_SMTP_REPLY)
&& state->smtp_reply ? state->smtp_reply :
state->reason ? state->reason : ""),
ATTR_TYPE_END);
cleanup_free(state);
/*
* Cleanup.
*/
vstring_free(buf);
}
int main(int argc, char **argv)
{
VSTRING *line_buffer = vstring_alloc(1);
VSTRING *fold_buffer = vstring_alloc(1);
ARGV *cmd;
char **args;
msg_vstream_init(argv[0], VSTREAM_ERR);
util_utf8_enable = 1;
while (vstring_fgets_nonl(line_buffer, VSTREAM_IN)) {
vstream_printf("> %s\n", STR(line_buffer));
cmd = argv_split(STR(line_buffer), CHARS_SPACE);
if (cmd->argc == 0 || cmd->argv[0][0] == '#') {
argv_free(cmd);
continue;
}
args = cmd->argv;
/*
* Fold the host.
*/
if (strcmp(args[0], "host") == 0 && cmd->argc == 2) {
vstream_printf("\"%s\" -> \"%s\"\n", args[1], fold_addr(fold_buffer,
args[1], FOLD_ADDR_HOST));
}
/*
* Fold the user.
*/
else if (strcmp(args[0], "user") == 0 && cmd->argc == 2) {
vstream_printf("\"%s\" -> \"%s\"\n", args[1], fold_addr(fold_buffer,
args[1], FOLD_ADDR_USER));
}
/*
* Fold user and host.
*/
else if (strcmp(args[0], "all") == 0 && cmd->argc == 2) {
vstream_printf("\"%s\" -> \"%s\"\n", args[1], fold_addr(fold_buffer,
args[1], FOLD_ADDR_ALL));
}
/*
* Fold none.
*/
else if (strcmp(args[0], "none") == 0 && cmd->argc == 2) {
vstream_printf("\"%s\" -> \"%s\"\n", args[1], fold_addr(fold_buffer,
args[1], 0));
}
/*
* Usage.
*/
else {
vstream_printf("Usage: %s host <addr> | user <addr> | all <addr>\n",
argv[0]);
}
vstream_fflush(VSTREAM_OUT);
argv_free(cmd);
}
vstring_free(line_buffer);
vstring_free(fold_buffer);
exit(0);
}
static void enqueue(const int flags, const char *encoding,
const char *dsn_envid, int dsn_ret, int dsn_notify,
const char *rewrite_context, const char *sender,
const char *full_name, char **recipients)
{
VSTRING *buf;
VSTREAM *dst;
char *saved_sender;
char **cpp;
int type;
char *start;
int skip_from_;
TOK822 *tree;
TOK822 *tp;
int rcpt_count = 0;
enum {
STRIP_CR_DUNNO, STRIP_CR_DO, STRIP_CR_DONT, STRIP_CR_ERROR
} strip_cr;
MAIL_STREAM *handle;
VSTRING *postdrop_command;
uid_t uid = getuid();
int status;
int naddr;
int prev_type;
MIME_STATE *mime_state = 0;
SM_STATE state;
int mime_errs;
const char *errstr;
int addr_count;
int level;
static NAME_CODE sm_fix_eol_table[] = {
SM_FIX_EOL_ALWAYS, STRIP_CR_DO,
SM_FIX_EOL_STRICT, STRIP_CR_DUNNO,
SM_FIX_EOL_NEVER, STRIP_CR_DONT,
0, STRIP_CR_ERROR,
};
/*
* Access control is enforced in the postdrop command. The code here
* merely produces a more user-friendly interface.
*/
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL,
var_submit_acl, uid)) != 0)
msg_fatal_status(EX_NOPERM,
"User %s(%ld) is not allowed to submit mail", errstr, (long) uid);
/*
* Initialize.
*/
buf = vstring_alloc(100);
/*
* Stop run-away process accidents by limiting the queue file size. This
* is not a defense against DOS attack.
*/
if (var_message_limit > 0 && get_file_limit() > var_message_limit)
set_file_limit((off_t) var_message_limit);
/*
* The sender name is provided by the user. In principle, the mail pickup
* service could deduce the sender name from queue file ownership, but:
* pickup would not be able to run chrooted, and it may not be desirable
* to use login names at all.
*/
if (sender != 0) {
VSTRING_RESET(buf);
VSTRING_TERMINATE(buf);
tree = tok822_parse(sender);
for (naddr = 0, tp = tree; tp != 0; tp = tp->next)
if (tp->type == TOK822_ADDR && naddr++ == 0)
tok822_internalize(buf, tp->head, TOK822_STR_DEFL);
tok822_free_tree(tree);
saved_sender = mystrdup(STR(buf));
if (naddr > 1)
msg_warn("-f option specified malformed sender: %s", sender);
} else {
if ((sender = username()) == 0)
msg_fatal_status(EX_OSERR, "no login name found for user ID %lu",
(unsigned long) uid);
saved_sender = mystrdup(sender);
}
/*
* Let the postdrop command open the queue file for us, and sanity check
* the content. XXX Make postdrop a manifest constant.
*/
errno = 0;
postdrop_command = vstring_alloc(1000);
vstring_sprintf(postdrop_command, "%s/postdrop -r", var_command_dir);
for (level = 0; level < msg_verbose; level++)
vstring_strcat(postdrop_command, " -v");
if ((handle = mail_stream_command(STR(postdrop_command))) == 0)
msg_fatal_status(EX_UNAVAILABLE, "%s(%ld): unable to execute %s: %m",
saved_sender, (long) uid, STR(postdrop_command));
vstring_free(postdrop_command);
dst = handle->stream;
/*
* First, write envelope information to the output stream.
*
* For sendmail compatibility, parse each command-line recipient as if it
* were an RFC 822 message header; some MUAs specify comma-separated
* recipient lists; and some MUAs even specify "word word <address>".
*
* Sort-uniq-ing the recipient list is done after address canonicalization,
* before recipients are written to queue file. That's cleaner than
* having the queue manager nuke duplicate recipient status records.
*
* XXX Should limit the size of envelope records.
*
* With "sendmail -N", instead of a per-message NOTIFY record we store one
* per recipient so that we can simplify the implementation somewhat.
*/
if (dsn_envid)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_DSN_ENVID, dsn_envid);
if (dsn_ret)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d",
MAIL_ATTR_DSN_RET, dsn_ret);
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_RWR_CONTEXT, rewrite_context);
if (full_name || (full_name = fullname()) != 0)
rec_fputs(dst, REC_TYPE_FULL, full_name);
rec_fputs(dst, REC_TYPE_FROM, saved_sender);
if (verp_delims && *saved_sender == 0)
msg_fatal_status(EX_USAGE,
"%s(%ld): -V option requires non-null sender address",
saved_sender, (long) uid);
if (encoding)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", MAIL_ATTR_ENCODING, encoding);
if (DEL_REQ_TRACE_FLAGS(flags))
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", MAIL_ATTR_TRACE_FLAGS,
DEL_REQ_TRACE_FLAGS(flags));
if (verp_delims)
rec_fputs(dst, REC_TYPE_VERP, verp_delims);
if (recipients) {
for (cpp = recipients; *cpp != 0; cpp++) {
tree = tok822_parse(*cpp);
for (addr_count = 0, tp = tree; tp != 0; tp = tp->next) {
if (tp->type == TOK822_ADDR) {
tok822_internalize(buf, tp->head, TOK822_STR_DEFL);
if (dsn_notify)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d",
MAIL_ATTR_DSN_NOTIFY, dsn_notify);
if (REC_PUT_BUF(dst, REC_TYPE_RCPT, buf) < 0)
msg_fatal_status(EX_TEMPFAIL,
"%s(%ld): error writing queue file: %m",
saved_sender, (long) uid);
++rcpt_count;
++addr_count;
}
}
tok822_free_tree(tree);
if (addr_count == 0) {
if (rec_put(dst, REC_TYPE_RCPT, "", 0) < 0)
msg_fatal_status(EX_TEMPFAIL,
"%s(%ld): error writing queue file: %m",
saved_sender, (long) uid);
++rcpt_count;
}
}
}
/*
* Append the message contents to the queue file. Write chunks of at most
* 1kbyte. Internally, we use different record types for data ending in
* LF and for data that doesn't, so we can actually be binary transparent
* for local mail. Unfortunately, SMTP has no record continuation
* convention, so there is no guarantee that arbitrary data will be
* delivered intact via SMTP. Strip leading From_ lines. For the benefit
* of UUCP environments, also get rid of leading >>>From_ lines.
*/
rec_fputs(dst, REC_TYPE_MESG, "");
if (DEL_REQ_TRACE_ONLY(flags) != 0) {
if (flags & SM_FLAG_XRCPT)
msg_fatal_status(EX_USAGE, "%s(%ld): -t option cannot be used with -bv",
saved_sender, (long) uid);
if (*saved_sender)
rec_fprintf(dst, REC_TYPE_NORM, "From: %s", saved_sender);
rec_fprintf(dst, REC_TYPE_NORM, "Subject: probe");
if (recipients) {
rec_fprintf(dst, REC_TYPE_CONT, "To:");
for (cpp = recipients; *cpp != 0; cpp++) {
rec_fprintf(dst, REC_TYPE_NORM, " %s%s",
*cpp, cpp[1] ? "," : "");
}
}
} else {
/*
* Initialize the MIME processor and set up the callback context.
*/
if (flags & SM_FLAG_XRCPT) {
state.dst = dst;
state.recipients = argv_alloc(2);
state.resent_recip = argv_alloc(2);
state.resent = 0;
state.saved_sender = saved_sender;
state.uid = uid;
state.temp = vstring_alloc(10);
mime_state = mime_state_alloc(MIME_OPT_DISABLE_MIME
| MIME_OPT_REPORT_TRUNC_HEADER,
output_header,
(MIME_STATE_ANY_END) 0,
output_text,
(MIME_STATE_ANY_END) 0,
(MIME_STATE_ERR_PRINT) 0,
(void *) &state);
}
/*
* Process header/body lines.
*/
skip_from_ = 1;
strip_cr = name_code(sm_fix_eol_table, NAME_CODE_FLAG_STRICT_CASE,
var_sm_fix_eol);
if (strip_cr == STRIP_CR_ERROR)
msg_fatal_status(EX_USAGE,
"invalid %s value: %s", VAR_SM_FIX_EOL, var_sm_fix_eol);
for (prev_type = 0; (type = rec_streamlf_get(VSTREAM_IN, buf, var_line_limit))
!= REC_TYPE_EOF; prev_type = type) {
if (strip_cr == STRIP_CR_DUNNO && type == REC_TYPE_NORM) {
if (VSTRING_LEN(buf) > 0 && vstring_end(buf)[-1] == '\r')
strip_cr = STRIP_CR_DO;
else
strip_cr = STRIP_CR_DONT;
}
if (skip_from_) {
if (type == REC_TYPE_NORM) {
start = STR(buf);
if (strncmp(start + strspn(start, ">"), "From ", 5) == 0)
continue;
}
skip_from_ = 0;
}
if (strip_cr == STRIP_CR_DO && type == REC_TYPE_NORM)
while (VSTRING_LEN(buf) > 0 && vstring_end(buf)[-1] == '\r')
vstring_truncate(buf, VSTRING_LEN(buf) - 1);
if ((flags & SM_FLAG_AEOF) && prev_type != REC_TYPE_CONT
&& VSTRING_LEN(buf) == 1 && *STR(buf) == '.')
break;
if (mime_state) {
mime_errs = mime_state_update(mime_state, type, STR(buf),
VSTRING_LEN(buf));
if (mime_errs)
msg_fatal_status(EX_DATAERR,
"%s(%ld): unable to extract recipients: %s",
saved_sender, (long) uid,
mime_state_error(mime_errs));
} else {
if (REC_PUT_BUF(dst, type, buf) < 0)
msg_fatal_status(EX_TEMPFAIL,
"%s(%ld): error writing queue file: %m",
saved_sender, (long) uid);
}
}
}
/*
* Finish MIME processing. We need a final mime_state_update() call in
* order to flush text that is still buffered. That can happen when the
* last line did not end in newline.
*/
if (mime_state) {
mime_errs = mime_state_update(mime_state, REC_TYPE_EOF, "", 0);
if (mime_errs)
msg_fatal_status(EX_DATAERR,
"%s(%ld): unable to extract recipients: %s",
saved_sender, (long) uid,
mime_state_error(mime_errs));
mime_state = mime_state_free(mime_state);
}
/*
* Append recipient addresses that were extracted from message headers.
*/
rec_fputs(dst, REC_TYPE_XTRA, "");
if (flags & SM_FLAG_XRCPT) {
for (cpp = state.resent ? state.resent_recip->argv :
state.recipients->argv; *cpp; cpp++) {
if (dsn_notify)
rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d",
MAIL_ATTR_DSN_NOTIFY, dsn_notify);
if (rec_put(dst, REC_TYPE_RCPT, *cpp, strlen(*cpp)) < 0)
msg_fatal_status(EX_TEMPFAIL,
"%s(%ld): error writing queue file: %m",
saved_sender, (long) uid);
++rcpt_count;
}
argv_free(state.recipients);
argv_free(state.resent_recip);
vstring_free(state.temp);
}
if (rcpt_count == 0)
msg_fatal_status(EX_USAGE, (flags & SM_FLAG_XRCPT) ?
"%s(%ld): No recipient addresses found in message header" :
"%s(%ld): Recipient addresses must be specified on"
" the command line or via the -t option",
saved_sender, (long) uid);
/*
* Identify the end of the queue file.
*/
rec_fputs(dst, REC_TYPE_END, "");
/*
* Make sure that the message makes it to the file system. Once we have
* terminated with successful exit status we cannot lose the message due
* to "frivolous reasons". If all goes well, prevent the run-time error
* handler from removing the file.
*/
if (vstream_ferror(VSTREAM_IN))
msg_fatal_status(EX_DATAERR, "%s(%ld): error reading input: %m",
saved_sender, (long) uid);
if ((status = mail_stream_finish(handle, (VSTRING *) 0)) != 0)
msg_fatal_status((status & CLEANUP_STAT_BAD) ? EX_SOFTWARE :
(status & CLEANUP_STAT_WRITE) ? EX_TEMPFAIL :
EX_UNAVAILABLE, "%s(%ld): %s", saved_sender,
(long) uid, cleanup_strerror(status));
/*
* Don't leave them in the dark.
*/
if (DEL_REQ_TRACE_FLAGS(flags)) {
vstream_printf("Mail Delivery Status Report will be mailed to <%s>.\n",
saved_sender);
vstream_fflush(VSTREAM_OUT);
}
/*
* Cleanup. Not really necessary as we're about to exit, but good for
* debugging purposes.
*/
vstring_free(buf);
myfree(saved_sender);
}
/*
* This is the actual startup routine for the connection. We expect that the
* buffers are flushed and the "220 Ready to start TLS" was received by us,
* so that we can immediately start the TLS handshake process.
*/
TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
{
int sts;
int protomask;
const char *cipher_list;
SSL_SESSION *session;
const SSL_CIPHER *cipher;
X509 *peercert;
TLS_SESS_STATE *TLScontext;
TLS_APPL_STATE *app_ctx = props->ctx;
VSTRING *myserverid;
int log_mask = app_ctx->log_mask;
/*
* When certificate verification is required, log trust chain validation
* errors even when disabled by default for opportunistic sessions.
*/
if (props->tls_level >= TLS_LEV_VERIFY)
log_mask |= TLS_LOG_UNTRUSTED;
if (log_mask & TLS_LOG_VERBOSE)
msg_info("setting up TLS connection to %s", props->namaddr);
/*
* First make sure we have valid protocol and cipher parameters
*
* The cipherlist will be applied to the global SSL context, where it can be
* repeatedly reset if necessary, but the protocol restrictions will be
* is applied to the SSL connection, because protocol restrictions in the
* global context cannot be cleared.
*/
/*
* OpenSSL will ignore cached sessions that use the wrong protocol. So we
* do not need to filter out cached sessions with the "wrong" protocol,
* rather OpenSSL will simply negotiate a new session.
*
* Still, we salt the session lookup key with the protocol list, so that
* sessions found in the cache are always acceptable.
*/
protomask = tls_protocol_mask(props->protocols);
if (protomask == TLS_PROTOCOL_INVALID) {
/* tls_protocol_mask() logs no warning. */
msg_warn("%s: Invalid TLS protocol list \"%s\": aborting TLS session",
props->namaddr, props->protocols);
return (0);
}
myserverid = vstring_alloc(100);
vstring_sprintf_append(myserverid, "%s&p=%d", props->serverid, protomask);
/*
* Per session cipher selection for sessions with mandatory encryption
*
* By the time a TLS client is negotiating ciphers it has already offered to
* re-use a session, it is too late to renege on the offer. So we must
* not attempt to re-use sessions whose ciphers are too weak. We salt the
* session lookup key with the cipher list, so that sessions found in the
* cache are always acceptable.
*/
cipher_list = tls_set_ciphers(app_ctx, "TLS", props->cipher_grade,
props->cipher_exclusions);
if (cipher_list == 0) {
msg_warn("%s: %s: aborting TLS session",
props->namaddr, vstring_str(app_ctx->why));
vstring_free(myserverid);
return (0);
}
if (log_mask & TLS_LOG_VERBOSE)
msg_info("%s: TLS cipher list \"%s\"", props->namaddr, cipher_list);
vstring_sprintf_append(myserverid, "&c=%s", cipher_list);
/*
* Finally, salt the session key with the OpenSSL library version,
* (run-time, rather than compile-time, just in case that matters).
*/
vstring_sprintf_append(myserverid, "&l=%ld", (long) SSLeay());
/*
* Allocate a new TLScontext for the new connection and get an SSL
* structure. Add the location of TLScontext to the SSL to later retrieve
* the information inside the tls_verify_certificate_callback().
*
* If session caching was enabled when TLS was initialized, the cache type
* is stored in the client SSL context.
*/
TLScontext = tls_alloc_sess_context(log_mask, props->namaddr);
TLScontext->cache_type = app_ctx->cache_type;
TLScontext->serverid = vstring_export(myserverid);
TLScontext->stream = props->stream;
if ((TLScontext->con = SSL_new(app_ctx->ssl_ctx)) == NULL) {
msg_warn("Could not allocate 'TLScontext->con' with SSL_new()");
tls_print_errors();
tls_free_context(TLScontext);
return (0);
}
if (!SSL_set_ex_data(TLScontext->con, TLScontext_index, TLScontext)) {
msg_warn("Could not set application data for 'TLScontext->con'");
tls_print_errors();
tls_free_context(TLScontext);
return (0);
}
/*
* Apply session protocol restrictions.
*/
if (protomask != 0)
SSL_set_options(TLScontext->con,
((protomask & TLS_PROTOCOL_TLSv1) ? SSL_OP_NO_TLSv1 : 0L)
| ((protomask & TLS_PROTOCOL_TLSv1_1) ? SSL_OP_NO_TLSv1_1 : 0L)
| ((protomask & TLS_PROTOCOL_TLSv1_2) ? SSL_OP_NO_TLSv1_2 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L)
| ((protomask & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L));
/*
* XXX To avoid memory leaks we must always call SSL_SESSION_free() after
* calling SSL_set_session(), regardless of whether or not the session
* will be reused.
*/
if (TLScontext->cache_type) {
session = load_clnt_session(TLScontext);
if (session) {
SSL_set_session(TLScontext->con, session);
SSL_SESSION_free(session); /* 200411 */
#if (OPENSSL_VERSION_NUMBER < 0x00906011L) || (OPENSSL_VERSION_NUMBER == 0x00907000L)
/*
* Ugly Hack: OpenSSL before 0.9.6a does not store the verify
* result in sessions for the client side. We modify the session
* directly which is version specific, but this bug is version
* specific, too.
*
* READ: 0-09-06-01-1 = 0-9-6-a-beta1: all versions before beta1
* have this bug, it has been fixed during development of 0.9.6a.
* The development version of 0.9.7 can have this bug, too. It
* has been fixed on 2000/11/29.
*/
SSL_set_verify_result(TLScontext->con, session->verify_result);
#endif
}
}
/*
* Before really starting anything, try to seed the PRNG a little bit
* more.
*/
tls_int_seed();
(void) tls_ext_seed(var_tls_daemon_rand_bytes);
/*
* Initialize the SSL connection to connect state. This should not be
* necessary anymore since 0.9.3, but the call is still in the library
* and maintaining compatibility never hurts.
*/
SSL_set_connect_state(TLScontext->con);
/*
* Connect the SSL connection with the network socket.
*/
if (SSL_set_fd(TLScontext->con, vstream_fileno(props->stream)) != 1) {
msg_info("SSL_set_fd error to %s", props->namaddr);
tls_print_errors();
uncache_session(app_ctx->ssl_ctx, TLScontext);
tls_free_context(TLScontext);
return (0);
}
/*
* Turn on non-blocking I/O so that we can enforce timeouts on network
* I/O.
*/
non_blocking(vstream_fileno(props->stream), NON_BLOCKING);
/*
* If the debug level selected is high enough, all of the data is dumped:
* TLS_LOG_TLSPKTS will dump the SSL negotiation, TLS_LOG_ALLPKTS will
* dump everything.
*
* We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
* Well there is a BIO below the SSL routines that is automatically
* created for us, so we can use it for debugging purposes.
*/
if (log_mask & TLS_LOG_TLSPKTS)
BIO_set_callback(SSL_get_rbio(TLScontext->con), tls_bio_dump_cb);
/*
* Start TLS negotiations. This process is a black box that invokes our
* call-backs for certificate verification.
*
* Error handling: If the SSL handhake fails, we print out an error message
* and remove all TLS state concerning this session.
*/
sts = tls_bio_connect(vstream_fileno(props->stream), props->timeout,
TLScontext);
if (sts <= 0) {
if (ERR_peek_error() != 0) {
msg_info("SSL_connect error to %s: %d", props->namaddr, sts);
tls_print_errors();
} else if (errno != 0) {
msg_info("SSL_connect error to %s: %m", props->namaddr);
} else {
msg_info("SSL_connect error to %s: lost connection",
props->namaddr);
}
uncache_session(app_ctx->ssl_ctx, TLScontext);
tls_free_context(TLScontext);
return (0);
}
/* Turn off packet dump if only dumping the handshake */
if ((log_mask & TLS_LOG_ALLPKTS) == 0)
BIO_set_callback(SSL_get_rbio(TLScontext->con), 0);
/*
* The caller may want to know if this session was reused or if a new
* session was negotiated.
*/
TLScontext->session_reused = SSL_session_reused(TLScontext->con);
if ((log_mask & TLS_LOG_CACHE) && TLScontext->session_reused)
msg_info("%s: Reusing old session", TLScontext->namaddr);
/*
* Do peername verification if requested and extract useful information
* from the certificate for later use.
*/
if ((peercert = SSL_get_peer_certificate(TLScontext->con)) != 0) {
TLScontext->peer_status |= TLS_CERT_FLAG_PRESENT;
/*
* Peer name or fingerprint verification as requested.
* Unconditionally set peer_CN, issuer_CN and peer_fingerprint.
*/
verify_extract_name(TLScontext, peercert, props);
verify_extract_print(TLScontext, peercert, props);
if (TLScontext->log_mask &
(TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE | TLS_LOG_PEERCERT))
msg_info("%s: subject_CN=%s, issuer_CN=%s, "
"fingerprint %s, pkey_fingerprint=%s", props->namaddr,
TLScontext->peer_CN, TLScontext->issuer_CN,
TLScontext->peer_fingerprint,
TLScontext->peer_pkey_fprint);
X509_free(peercert);
} else {
TLScontext->issuer_CN = mystrdup("");
TLScontext->peer_CN = mystrdup("");
TLScontext->peer_fingerprint = mystrdup("");
TLScontext->peer_pkey_fprint = mystrdup("");
}
/*
* Finally, collect information about protocol and cipher for logging
*/
TLScontext->protocol = SSL_get_version(TLScontext->con);
cipher = SSL_get_current_cipher(TLScontext->con);
TLScontext->cipher_name = SSL_CIPHER_get_name(cipher);
TLScontext->cipher_usebits = SSL_CIPHER_get_bits(cipher,
&(TLScontext->cipher_algbits));
/*
* The TLS engine is active. Switch to the tls_timed_read/write()
* functions and make the TLScontext available to those functions.
*/
tls_stream_start(props->stream, TLScontext);
/*
* All the key facts in a single log entry.
*/
if (log_mask & TLS_LOG_SUMMARY)
msg_info("%s TLS connection established to %s: %s with cipher %s "
"(%d/%d bits)", TLS_CERT_IS_MATCHED(TLScontext) ? "Verified" :
TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
props->namaddr, TLScontext->protocol, TLScontext->cipher_name,
TLScontext->cipher_usebits, TLScontext->cipher_algbits);
tls_int_seed();
return (TLScontext);
}
int bounce_append_service(int unused_flags, char *service, char *queue_id,
RECIPIENT *rcpt, DSN *dsn)
{
VSTRING *in_buf = vstring_alloc(100);
VSTREAM *log;
long orig_length;
/*
* This code is paranoid for a good reason. Once the bounce service takes
* responsibility, the mail system will make no further attempts to
* deliver this recipient. Whenever file access fails, assume that the
* system is under stress or that something has been mis-configured, and
* force a backoff by raising a fatal run-time error.
*/
log = mail_queue_open(service, queue_id,
O_WRONLY | O_APPEND | O_CREAT, 0600);
if (log == 0)
msg_fatal("open file %s %s: %m", service, queue_id);
/*
* Lock out other processes to avoid truncating someone else's data in
* case of trouble.
*/
if (deliver_flock(vstream_fileno(log), INTERNAL_LOCK, (VSTRING *) 0) < 0)
msg_fatal("lock file %s %s: %m", service, queue_id);
/*
* Now, go for it. Append a record. Truncate the log to the original
* length when the append operation fails. We use the plain stream-lf
* file format because we do not need anything more complicated. As a
* benefit, we can still recover some data when the file is a little
* garbled.
*
* XXX addresses in defer logfiles are in printable quoted form, while
* addresses in message envelope records are in raw unquoted form. This
* may change once we replace the present ad-hoc bounce/defer logfile
* format by one that is transparent for control etc. characters. See
* also: showq/showq.c.
*
* While migrating from old format to new format, allow backwards
* compatibility by writing an old-style record before the new-style
* records.
*/
if ((orig_length = vstream_fseek(log, 0L, SEEK_END)) < 0)
msg_fatal("seek file %s %s: %m", service, queue_id);
#define NOT_NULL_EMPTY(s) ((s) != 0 && *(s) != 0)
#define STR(x) vstring_str(x)
vstream_fputs("\n", log);
if (var_oldlog_compat) {
vstream_fprintf(log, "<%s>: %s\n", *rcpt->address == 0 ? "" :
STR(quote_822_local(in_buf, rcpt->address)),
dsn->reason);
}
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_RECIP, *rcpt->address ?
STR(quote_822_local(in_buf, rcpt->address)) : "<>");
if (NOT_NULL_EMPTY(rcpt->orig_addr)
&& strcasecmp(rcpt->address, rcpt->orig_addr) != 0)
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_ORCPT,
STR(quote_822_local(in_buf, rcpt->orig_addr)));
if (rcpt->offset > 0)
vstream_fprintf(log, "%s=%ld\n", MAIL_ATTR_OFFSET, rcpt->offset);
if (NOT_NULL_EMPTY(rcpt->dsn_orcpt))
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_DSN_ORCPT, rcpt->dsn_orcpt);
if (rcpt->dsn_notify != 0)
vstream_fprintf(log, "%s=%d\n", MAIL_ATTR_DSN_NOTIFY, rcpt->dsn_notify);
if (NOT_NULL_EMPTY(dsn->status))
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_DSN_STATUS, dsn->status);
if (NOT_NULL_EMPTY(dsn->action))
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_DSN_ACTION, dsn->action);
if (NOT_NULL_EMPTY(dsn->dtype) && NOT_NULL_EMPTY(dsn->dtext)) {
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_DSN_DTYPE, dsn->dtype);
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_DSN_DTEXT, dsn->dtext);
}
if (NOT_NULL_EMPTY(dsn->mtype) && NOT_NULL_EMPTY(dsn->mname)) {
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_DSN_MTYPE, dsn->mtype);
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_DSN_MNAME, dsn->mname);
}
if (NOT_NULL_EMPTY(dsn->reason))
vstream_fprintf(log, "%s=%s\n", MAIL_ATTR_WHY, dsn->reason);
vstream_fputs("\n", log);
if (vstream_fflush(log) != 0 || fsync(vstream_fileno(log)) < 0) {
#ifndef NO_TRUNCATE
if (ftruncate(vstream_fileno(log), (off_t) orig_length) < 0)
msg_fatal("truncate file %s %s: %m", service, queue_id);
#endif
msg_fatal("append file %s %s: %m", service, queue_id);
}
/*
* Darn. If closing the log detects a problem, the only way to undo the
* damage is to open the log once more, and to truncate the log to the
* original length. But, this could happen only when the log is kept on a
* remote file system, and that is not recommended practice anyway.
*/
if (vstream_fclose(log) != 0)
msg_warn("append file %s %s: %m", service, queue_id);
vstring_free(in_buf);
return (0);
}
static void resolve_addr(RES_CONTEXT *rp, char *addr,
VSTRING *channel, VSTRING *nexthop,
VSTRING *nextrcpt, int *flags)
{
char *myname = "resolve_addr";
VSTRING *addr_buf = vstring_alloc(100);
TOK822 *tree = 0;
TOK822 *saved_domain = 0;
TOK822 *domain = 0;
char *destination;
const char *blame = 0;
const char *rcpt_domain;
int addr_len;
int loop_count;
int loop_max;
char *local;
char *oper;
char *junk;
*flags = 0;
vstring_strcpy(channel, "CHANNEL NOT UPDATED");
vstring_strcpy(nexthop, "NEXTHOP NOT UPDATED");
vstring_strcpy(nextrcpt, "NEXTRCPT NOT UPDATED");
/*
* The address is in internalized (unquoted) form.
*
* In an ideal world we would parse the externalized address form as given
* to us by the sender.
*
* However, in the real world we have to look for routing characters like
* %@! in the address local-part, even when that information is quoted
* due to the presence of special characters or whitespace. Although
* technically incorrect, this is needed to stop user@domain@domain relay
* attempts when forwarding mail to a Sendmail MX host.
*
* This suggests that we parse the address in internalized (unquoted) form.
* Unfortunately, if we do that, the unparser generates incorrect white
* space between adjacent non-operator tokens. Example: ``first last''
* needs white space, but ``stuff[stuff]'' does not. This is is not a
* problem when unparsing the result from parsing externalized forms,
* because the parser/unparser were designed for valid externalized forms
* where ``stuff[stuff]'' does not happen.
*
* As a workaround we start with the quoted form and then dequote the
* local-part only where needed. This will do the right thing in most
* (but not all) cases.
*/
addr_len = strlen(addr);
quote_822_local(addr_buf, addr);
tree = tok822_scan_addr(vstring_str(addr_buf));
/*
* Let the optimizer replace multiple expansions of this macro by a GOTO
* to a single instance.
*/
#define FREE_MEMORY_AND_RETURN { \
if (saved_domain) \
tok822_free_tree(saved_domain); \
if(tree) \
tok822_free_tree(tree); \
if (addr_buf) \
vstring_free(addr_buf); \
return; \
}
/*
* Preliminary resolver: strip off all instances of the local domain.
* Terminate when no destination domain is left over, or when the
* destination domain is remote.
*
* XXX To whom it may concern. If you change the resolver loop below, or
* quote_822_local.c, or tok822_parse.c, be sure to re-run the tests
* under "make resolve_clnt_test" in the global directory.
*/
#define RESOLVE_LOCAL(domain) \
resolve_local(STR(tok822_internalize(addr_buf, domain, TOK822_STR_DEFL)))
dict_errno = 0;
for (loop_count = 0, loop_max = addr_len + 100; /* void */ ; loop_count++) {
/*
* Grr. resolve_local() table lookups may fail. It may be OK for
* local file lookup code to abort upon failure, but with
* network-based tables it is preferable to return an error
* indication to the requestor.
*/
if (dict_errno) {
*flags |= RESOLVE_FLAG_FAIL;
FREE_MEMORY_AND_RETURN;
}
/*
* XXX Should never happen, but if this happens with some
* pathological address, then that is not sufficient reason to
* disrupt the operation of an MTA.
*/
if (loop_count > loop_max) {
msg_warn("resolve_addr: <%s>: giving up after %d iterations",
addr, loop_count);
break;
}
/*
* Strip trailing dot at end of domain, but not dot-dot or at-dot.
* This merely makes diagnostics more accurate by leaving bogus
* addresses alone.
*/
if (tree->tail
&& tree->tail->type == '.'
&& tok822_rfind_type(tree->tail, '@') != 0
&& tree->tail->prev->type != '.'
&& tree->tail->prev->type != '@')
tok822_free_tree(tok822_sub_keep_before(tree, tree->tail));
/*
* Strip trailing @.
*/
if (var_resolve_nulldom
&& tree->tail
&& tree->tail->type == '@')
tok822_free_tree(tok822_sub_keep_before(tree, tree->tail));
/*
* Strip (and save) @domain if local.
*/
if ((domain = tok822_rfind_type(tree->tail, '@')) != 0) {
if (domain->next && RESOLVE_LOCAL(domain->next) == 0)
break;
tok822_sub_keep_before(tree, domain);
if (saved_domain)
tok822_free_tree(saved_domain);
saved_domain = domain;
domain = 0; /* safety for future change */
}
/*
* After stripping the local domain, if any, replace foo%bar by
* foo@bar, site!user by user@site, rewrite to canonical form, and
* retry.
*/
if (tok822_rfind_type(tree->tail, '@')
|| (var_swap_bangpath && tok822_rfind_type(tree->tail, '!'))
|| (var_percent_hack && tok822_rfind_type(tree->tail, '%'))) {
rewrite_tree(REWRITE_CANON, tree);
continue;
}
/*
* If the local-part is a quoted string, crack it open when we're
* permitted to do so and look for routing operators. This is
* technically incorrect, but is needed to stop relaying problems.
*
* XXX Do another feeble attempt to keep local-part info quoted.
*/
if (var_resolve_dequoted
&& tree->head && tree->head == tree->tail
&& tree->head->type == TOK822_QSTRING
&& ((oper = strrchr(local = STR(tree->head->vstr), '@')) != 0
|| (var_percent_hack && (oper = strrchr(local, '%')) != 0)
|| (var_swap_bangpath && (oper = strrchr(local, '!')) != 0))) {
if (*oper == '%')
*oper = '@';
tok822_internalize(addr_buf, tree->head, TOK822_STR_DEFL);
if (*oper == '@') {
junk = mystrdup(STR(addr_buf));
quote_822_local(addr_buf, junk);
myfree(junk);
}
tok822_free(tree->head);
tree->head = tok822_scan(STR(addr_buf), &tree->tail);
rewrite_tree(REWRITE_CANON, tree);
continue;
}
/*
* An empty local-part or an empty quoted string local-part becomes
* the local MAILER-DAEMON, for consistency with our own From:
* message headers.
*/
if (tree->head && tree->head == tree->tail
&& tree->head->type == TOK822_QSTRING
&& VSTRING_LEN(tree->head->vstr) == 0) {
tok822_free(tree->head);
tree->head = 0;
}
/* XXX must be localpart only, not user@domain form. */
if (tree->head == 0)
tree->head = tok822_scan(var_empty_addr, &tree->tail);
/*
* We're done. There are no domains left to strip off the address,
* and all null local-part information is sanitized.
*/
domain = 0;
break;
}
vstring_free(addr_buf);
addr_buf = 0;
/*
* Make sure the resolved envelope recipient has the user@domain form. If
* no domain was specified in the address, assume the local machine. See
* above for what happens with an empty address.
*/
if (domain == 0) {
if (saved_domain) {
tok822_sub_append(tree, saved_domain);
saved_domain = 0;
} else {
tok822_sub_append(tree, tok822_alloc('@', (char *) 0));
tok822_sub_append(tree, tok822_scan(var_myhostname, (TOK822 **) 0));
}
}
/*
* Transform the recipient address back to internal form.
*
* XXX This may produce incorrect results if we cracked open a quoted
* local-part with routing operators; see discussion above at the top of
* the big loop.
*/
tok822_internalize(nextrcpt, tree, TOK822_STR_DEFL);
rcpt_domain = strrchr(STR(nextrcpt), '@') + 1;
if (*rcpt_domain == '[' ? !valid_hostliteral(rcpt_domain, DONT_GRIPE) :
(!valid_hostname(rcpt_domain, DONT_GRIPE)
|| valid_hostaddr(rcpt_domain, DONT_GRIPE)))
*flags |= RESOLVE_FLAG_ERROR;
tok822_free_tree(tree);
tree = 0;
/*
* XXX Short-cut invalid address forms.
*/
if (*flags & RESOLVE_FLAG_ERROR) {
*flags |= RESOLVE_CLASS_DEFAULT;
FREE_MEMORY_AND_RETURN;
}
/*
* Recognize routing operators in the local-part, even when we do not
* recognize ! or % as valid routing operators locally. This is needed to
* prevent backup MX hosts from relaying third-party destinations through
* primary MX hosts, otherwise the backup host could end up on black
* lists. Ignore local swap_bangpath and percent_hack settings because we
* can't know how the next MX host is set up.
*/
if (strcmp(STR(nextrcpt) + strcspn(STR(nextrcpt), "@!%") + 1, rcpt_domain))
*flags |= RESOLVE_FLAG_ROUTED;
/*
* With local, virtual, relay, or other non-local destinations, give the
* highest precedence to transport associated nexthop information.
*
* Otherwise, with relay or other non-local destinations, the relayhost
* setting overrides the destination domain name.
*
* XXX Nag if the recipient domain is listed in multiple domain lists. The
* result is implementation defined, and may break when internals change.
*
* For now, we distinguish only a fixed number of address classes.
* Eventually this may become extensible, so that new classes can be
* configured with their own domain list, delivery transport, and
* recipient table.
*/
#define STREQ(x,y) (strcmp((x), (y)) == 0)
dict_errno = 0;
if (domain != 0) {
/*
* Virtual alias domain.
*/
if (virt_alias_doms
&& string_list_match(virt_alias_doms, rcpt_domain)) {
if (var_helpful_warnings) {
if (virt_mailbox_doms
&& string_list_match(virt_mailbox_doms, rcpt_domain))
msg_warn("do not list domain %s in BOTH %s and %s",
rcpt_domain, VAR_VIRT_ALIAS_DOMS,
VAR_VIRT_MAILBOX_DOMS);
if (relay_domains
&& domain_list_match(relay_domains, rcpt_domain))
msg_warn("do not list domain %s in BOTH %s and %s",
rcpt_domain, VAR_VIRT_ALIAS_DOMS,
VAR_RELAY_DOMAINS);
#if 0
if (strcasecmp(rcpt_domain, var_myorigin) == 0)
msg_warn("do not list $%s (%s) in %s",
VAR_MYORIGIN, var_myorigin, VAR_VIRT_ALIAS_DOMS);
#endif
}
vstring_strcpy(channel, MAIL_SERVICE_ERROR);
vstring_sprintf(nexthop, "User unknown%s",
var_show_unk_rcpt_table ?
" in virtual alias table" : "");
*flags |= RESOLVE_CLASS_ALIAS;
} else if (dict_errno != 0) {
msg_warn("%s lookup failure", VAR_VIRT_ALIAS_DOMS);
*flags |= RESOLVE_FLAG_FAIL;
FREE_MEMORY_AND_RETURN;
}
/*
* Virtual mailbox domain.
*/
else if (virt_mailbox_doms
&& string_list_match(virt_mailbox_doms, rcpt_domain)) {
if (var_helpful_warnings) {
if (relay_domains
&& domain_list_match(relay_domains, rcpt_domain))
msg_warn("do not list domain %s in BOTH %s and %s",
rcpt_domain, VAR_VIRT_MAILBOX_DOMS,
VAR_RELAY_DOMAINS);
}
vstring_strcpy(channel, RES_PARAM_VALUE(rp->virt_transport));
vstring_strcpy(nexthop, rcpt_domain);
blame = rp->virt_transport_name;
*flags |= RESOLVE_CLASS_VIRTUAL;
} else if (dict_errno != 0) {
msg_warn("%s lookup failure", VAR_VIRT_MAILBOX_DOMS);
*flags |= RESOLVE_FLAG_FAIL;
FREE_MEMORY_AND_RETURN;
} else {
/*
* Off-host relay destination.
*/
if (relay_domains
&& domain_list_match(relay_domains, rcpt_domain)) {
vstring_strcpy(channel, RES_PARAM_VALUE(rp->relay_transport));
blame = rp->relay_transport_name;
*flags |= RESOLVE_CLASS_RELAY;
} else if (dict_errno != 0) {
msg_warn("%s lookup failure", VAR_RELAY_DOMAINS);
*flags |= RESOLVE_FLAG_FAIL;
FREE_MEMORY_AND_RETURN;
}
/*
* Other off-host destination.
*/
else {
vstring_strcpy(channel, RES_PARAM_VALUE(rp->def_transport));
blame = rp->def_transport_name;
*flags |= RESOLVE_CLASS_DEFAULT;
}
/*
* With off-host delivery, relayhost overrides recipient domain.
*/
if (*RES_PARAM_VALUE(rp->relayhost))
vstring_strcpy(nexthop, RES_PARAM_VALUE(rp->relayhost));
else
vstring_strcpy(nexthop, rcpt_domain);
}
}
/*
* Local delivery.
*
* XXX Nag if the domain is listed in multiple domain lists. The effect is
* implementation defined, and may break when internals change.
*/
else {
if (var_helpful_warnings) {
if (virt_alias_doms
&& string_list_match(virt_alias_doms, rcpt_domain))
msg_warn("do not list domain %s in BOTH %s and %s",
rcpt_domain, VAR_MYDEST, VAR_VIRT_ALIAS_DOMS);
if (virt_mailbox_doms
&& string_list_match(virt_mailbox_doms, rcpt_domain))
msg_warn("do not list domain %s in BOTH %s and %s",
rcpt_domain, VAR_MYDEST, VAR_VIRT_MAILBOX_DOMS);
}
vstring_strcpy(channel, RES_PARAM_VALUE(rp->local_transport));
vstring_strcpy(nexthop, rcpt_domain);
blame = rp->local_transport_name;
*flags |= RESOLVE_CLASS_LOCAL;
}
/*
* An explicit main.cf transport:nexthop setting overrides the nexthop.
*
* XXX We depend on this mechanism to enforce per-recipient concurrencies
* for local recipients. With "local_transport = local:$myhostname" we
* force mail for any domain in $mydestination/${proxy,inet}_interfaces
* to share the same queue.
*/
if ((destination = split_at(STR(channel), ':')) != 0 && *destination)
vstring_strcpy(nexthop, destination);
/*
* Sanity checks.
*/
if (*STR(channel) == 0) {
if (blame == 0)
msg_panic("%s: null blame", myname);
msg_warn("file %s/%s: parameter %s: null transport is not allowed",
var_config_dir, MAIN_CONF_FILE, blame);
*flags |= RESOLVE_FLAG_FAIL;
FREE_MEMORY_AND_RETURN;
}
if (*STR(nexthop) == 0)
msg_panic("%s: null nexthop", myname);
/*
* The transport map can selectively override any transport and/or
* nexthop host info that is set up above. Unfortunately, the syntax for
* nexthop information is transport specific. We therefore need sane and
* intuitive semantics for transport map entries that specify a channel
* but no nexthop.
*
* With non-error transports, the initial nexthop information is the
* recipient domain. However, specific main.cf transport definitions may
* specify a transport-specific destination, such as a host + TCP socket,
* or the pathname of a UNIX-domain socket. With less precedence than
* main.cf transport definitions, a main.cf relayhost definition may also
* override nexthop information for off-host deliveries.
*
* With the error transport, the nexthop information is free text that
* specifies the reason for non-delivery.
*
* Because nexthop syntax is transport specific we reset the nexthop
* information to the recipient domain when the transport table specifies
* a transport without also specifying the nexthop information.
*
* Subtle note: reset nexthop even when the transport table does not change
* the transport. Otherwise it is hard to get rid of main.cf specified
* nexthop information.
*
* XXX Don't override the virtual alias class (error:User unknown) result.
*/
if (rp->transport_info && !(*flags & RESOLVE_CLASS_ALIAS)) {
if (transport_lookup(rp->transport_info, STR(nextrcpt),
rcpt_domain, channel, nexthop) == 0
&& dict_errno != 0) {
msg_warn("%s lookup failure", rp->transport_maps_name);
*flags |= RESOLVE_FLAG_FAIL;
FREE_MEMORY_AND_RETURN;
}
}
/*
* Bounce recipients that have moved, regardless of domain address class.
* We do this last, in anticipation of transport maps that can override
* the recipient address.
*
* The downside of not doing this in delivery agents is that this table has
* no effect on local alias expansion results. Such mail will have to
* make almost an entire iteration through the mail system.
*/
#define IGNORE_ADDR_EXTENSION ((char **) 0)
if (relocated_maps != 0) {
const char *newloc;
if ((newloc = mail_addr_find(relocated_maps, STR(nextrcpt),
IGNORE_ADDR_EXTENSION)) != 0) {
vstring_strcpy(channel, MAIL_SERVICE_ERROR);
vstring_sprintf(nexthop, "User has moved to %s", newloc);
} else if (dict_errno != 0) {
msg_warn("%s lookup failure", VAR_RELOCATED_MAPS);
*flags |= RESOLVE_FLAG_FAIL;
FREE_MEMORY_AND_RETURN;
}
}
/*
* Clean up.
*/
FREE_MEMORY_AND_RETURN;
}