int mark_corrupt(VSTREAM *src)
{
const char *myname = "mark_corrupt";
uid_t saved_uid;
gid_t saved_gid;
/*
* If not running as the mail system, change privileges first.
*/
if ((saved_uid = geteuid()) != var_owner_uid) {
saved_gid = getegid();
set_eugid(var_owner_uid, var_owner_gid);
}
/*
* For now, the result value is -1; this may become a bit mask, or
* something even more advanced than that, when the delivery status
* becomes more than just done/deferred.
*/
msg_warn("corrupted queue file: %s", VSTREAM_PATH(src));
if (fchmod(vstream_fileno(src), MAIL_QUEUE_STAT_CORRUPT))
msg_fatal("%s: fchmod %s: %m", myname, VSTREAM_PATH(src));
/*
* Restore privileges.
*/
if (saved_uid != var_owner_uid)
set_eugid(saved_uid, saved_gid);
return (DEL_STAT_DEFER);
}
static void post_init(char *unused_name, char **unused_argv)
{
/*
* Drop privileges most of the time.
*/
set_eugid(var_owner_uid, var_owner_gid);
/*
* No case folding needed: the recipient address is case folded.
*/
virtual_mailbox_maps =
maps_create(VAR_VIRT_MAILBOX_MAPS, var_virt_mailbox_maps,
DICT_FLAG_LOCK | DICT_FLAG_PARANOID);
virtual_uid_maps =
maps_create(VAR_VIRT_UID_MAPS, var_virt_uid_maps,
DICT_FLAG_LOCK | DICT_FLAG_PARANOID);
virtual_gid_maps =
maps_create(VAR_VIRT_GID_MAPS, var_virt_gid_maps,
DICT_FLAG_LOCK | DICT_FLAG_PARANOID);
virtual_mbox_lock_mask = mbox_lock_mask(var_virt_mailbox_lock);
}
static void post_init(char *unused_name, char **unused_argv)
{
/*
* Drop privileges most of the time, and set up delivery restrictions.
*/
set_eugid(var_owner_uid, var_owner_gid);
local_mask_init();
}
int open_as(const char *path, int flags, int mode, uid_t euid, gid_t egid)
{
uid_t saved_euid = geteuid();
gid_t saved_egid = getegid();
int fd;
/*
* Switch to the target user privileges.
*/
set_eugid(euid, egid);
/*
* Open that file.
*/
fd = open(path, flags, mode);
/*
* Restore saved privileges.
*/
set_eugid(saved_euid, saved_egid);
return (fd);
}
int stat_as(const char *path, struct stat * st, uid_t euid, gid_t egid)
{
uid_t saved_euid = geteuid();
gid_t saved_egid = getegid();
int status;
/*
* Switch to the target user privileges.
*/
set_eugid(euid, egid);
/*
* Stat that file.
*/
status = stat(path, st);
/*
* Restore saved privileges.
*/
set_eugid(saved_euid, saved_egid);
return (status);
}
int main(int argc, char **argv)
{
static VSTREAM *lock_fp;
static VSTREAM *data_lock_fp;
VSTRING *lock_path;
VSTRING *data_lock_path;
off_t inherited_limit;
int debug_me = 0;
int ch;
int fd;
int n;
int test_lock = 0;
VSTRING *why;
WATCHDOG *watchdog;
ARGV *import_env;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Initialize.
*/
umask(077); /* never fails! */
/*
* Process environment options as early as we can.
*/
if (getenv(CONF_ENV_VERB))
msg_verbose = 1;
if (getenv(CONF_ENV_DEBUG))
debug_me = 1;
/*
* Don't die when a process goes away unexpectedly.
*/
signal(SIGPIPE, SIG_IGN);
/*
* Strip and save the process name for diagnostics etc.
*/
var_procname = mystrdup(basename(argv[0]));
/*
* When running a child process, don't leak any open files that were
* leaked to us by our own (privileged) parent process. Descriptors 0-2
* are taken care of after we have initialized error logging.
*
* Some systems such as AIX have a huge per-process open file limit. In
* those cases, limit the search for potential file descriptor leaks to
* just the first couple hundred.
*
* The Debian post-installation script passes an open file descriptor into
* the master process and waits forever for someone to close it. Because
* of this we have to close descriptors > 2, and pray that doing so does
* not break things.
*/
closefrom(3);
/*
* Initialize logging and exit handler.
*/
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* The mail system must be run by the superuser so it can revoke
* privileges for selected operations. That's right - it takes privileges
* to toss privileges.
*/
if (getuid() != 0)
msg_fatal("the master command is reserved for the superuser");
if (unsafe() != 0)
msg_fatal("the master command must not run as a set-uid process");
/*
* Process JCL.
*/
while ((ch = GETOPT(argc, argv, "c:Dde:tv")) > 0) {
switch (ch) {
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'd':
master_detach = 0;
break;
case 'e':
event_request_timer(master_exit_event, (char *) 0, atoi(optarg));
break;
case 'D':
debug_me = 1;
break;
case 't':
test_lock = 1;
break;
case 'v':
msg_verbose++;
break;
default:
usage(argv[0]);
/* NOTREACHED */
}
}
/*
* This program takes no other arguments.
*/
if (argc > optind)
usage(argv[0]);
/*
* If started from a terminal, get rid of any tty association. This also
* means that all errors and warnings must go to the syslog daemon.
*/
if (master_detach)
for (fd = 0; fd < 3; fd++) {
(void) close(fd);
if (open("/dev/null", O_RDWR, 0) != fd)
msg_fatal("open /dev/null: %m");
}
/*
* Run in a separate process group, so that "postfix stop" can terminate
* all MTA processes cleanly. Give up if we can't separate from our
* parent process. We're not supposed to blow away the parent.
*/
if (debug_me == 0 && master_detach != 0 && setsid() == -1 && getsid(0) != getpid())
msg_fatal("unable to set session and process group ID: %m");
/*
* Make some room for plumbing with file descriptors. XXX This breaks
* when a service listens on many ports. In order to do this right we
* must change the master-child interface so that descriptors do not need
* to have fixed numbers.
*
* In a child we need two descriptors for the flow control pipe, one for
* child->master status updates and at least one for listening.
*/
for (n = 0; n < 5; n++) {
if (close_on_exec(dup(0), CLOSE_ON_EXEC) < 0)
msg_fatal("dup(0): %m");
}
/*
* Final initializations. Unfortunately, we must read the global Postfix
* configuration file after doing command-line processing, so that we get
* consistent results when we SIGHUP the server to reload configuration
* files.
*/
master_vars_init();
/*
* In case of multi-protocol support. This needs to be done because
* master does not invoke mail_params_init() (it was written before that
* code existed).
*/
(void) inet_proto_init(VAR_INET_PROTOCOLS, var_inet_protocols);
/*
* Environment import filter, to enforce consistent behavior whether
* Postfix is started by hand, or at system boot time.
*/
import_env = argv_split(var_import_environ, ", \t\r\n");
clean_env(import_env->argv);
argv_free(import_env);
if ((inherited_limit = get_file_limit()) < 0)
set_file_limit(OFF_T_MAX);
if (chdir(var_queue_dir))
msg_fatal("chdir %s: %m", var_queue_dir);
/*
* Lock down the master.pid file. In test mode, no file means that it
* isn't locked.
*/
lock_path = vstring_alloc(10);
data_lock_path = vstring_alloc(10);
why = vstring_alloc(10);
vstring_sprintf(lock_path, "%s/%s.pid", DEF_PID_DIR, var_procname);
if (test_lock && access(vstring_str(lock_path), F_OK) < 0)
exit(0);
lock_fp = open_lock(vstring_str(lock_path), O_RDWR | O_CREAT, 0644, why);
if (test_lock)
exit(lock_fp ? 0 : 1);
if (lock_fp == 0)
msg_fatal("open lock file %s: %s",
vstring_str(lock_path), vstring_str(why));
vstream_fprintf(lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
(unsigned long) var_pid);
if (vstream_fflush(lock_fp))
msg_fatal("cannot update lock file %s: %m", vstring_str(lock_path));
close_on_exec(vstream_fileno(lock_fp), CLOSE_ON_EXEC);
/*
* Lock down the Postfix-writable data directory.
*/
vstring_sprintf(data_lock_path, "%s/%s.lock", var_data_dir, var_procname);
set_eugid(var_owner_uid, var_owner_gid);
data_lock_fp =
open_lock(vstring_str(data_lock_path), O_RDWR | O_CREAT, 0644, why);
set_ugid(getuid(), getgid());
if (data_lock_fp == 0)
msg_fatal("open lock file %s: %s",
vstring_str(data_lock_path), vstring_str(why));
vstream_fprintf(data_lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
(unsigned long) var_pid);
if (vstream_fflush(data_lock_fp))
msg_fatal("cannot update lock file %s: %m", vstring_str(data_lock_path));
close_on_exec(vstream_fileno(data_lock_fp), CLOSE_ON_EXEC);
/*
* Clean up.
*/
vstring_free(why);
vstring_free(lock_path);
vstring_free(data_lock_path);
/*
* Optionally start the debugger on ourself.
*/
if (debug_me)
debug_process();
/*
* Finish initialization, last part. We must process configuration files
* after processing command-line parameters, so that we get consistent
* results when we SIGHUP the server to reload configuration files.
*/
master_config();
master_sigsetup();
master_flow_init();
msg_info("daemon started -- version %s, configuration %s",
var_mail_version, var_config_dir);
/*
* Process events. The event handler will execute the read/write/timer
* action routines. Whenever something has happened, see if we received
* any signal in the mean time. Although the master process appears to do
* multiple things at the same time, it really is all a single thread, so
* that there are no concurrency conflicts within the master process.
*/
#define MASTER_WATCHDOG_TIME 1000
watchdog = watchdog_create(MASTER_WATCHDOG_TIME, (WATCHDOG_FN) 0, (char *) 0);
for (;;) {
#ifdef HAS_VOLATILE_LOCKS
if (myflock(vstream_fileno(lock_fp), INTERNAL_LOCK,
MYFLOCK_OP_EXCLUSIVE) < 0)
msg_fatal("refresh exclusive lock: %m");
if (myflock(vstream_fileno(data_lock_fp), INTERNAL_LOCK,
MYFLOCK_OP_EXCLUSIVE) < 0)
msg_fatal("refresh exclusive lock: %m");
#endif
watchdog_start(watchdog); /* same as trigger servers */
event_loop(MASTER_WATCHDOG_TIME / 2);
if (master_gotsighup) {
msg_info("reload -- version %s, configuration %s",
var_mail_version, var_config_dir);
master_gotsighup = 0; /* this first */
master_vars_init(); /* then this */
master_refresh(); /* then this */
}
if (master_gotsigchld) {
if (msg_verbose)
msg_info("got sigchld");
master_gotsigchld = 0; /* this first */
master_reap_child(); /* then this */
}
}
}
static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
{
const char *myname = "deliver_mailbox_file";
DSN_BUF *why = state.msg_attr.why;
MBOX *mp;
int mail_copy_status;
int deliver_status;
int copy_flags;
long end;
struct stat st;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to mailbox");
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* Initialize. Assume the operation will fail. Set the delivered
* attribute to reflect the final recipient.
*/
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek message file %s: %m", VSTREAM_PATH(state.msg_attr.fp));
state.msg_attr.delivered = state.msg_attr.rcpt.address;
mail_copy_status = MAIL_COPY_STAT_WRITE;
/*
* Lock the mailbox and open/create the mailbox file.
*
* Write the file as the recipient, so that file quota work.
*/
copy_flags = MAIL_COPY_MBOX;
set_eugid(usr_attr.uid, usr_attr.gid);
mp = mbox_open(usr_attr.mailbox, O_APPEND | O_WRONLY | O_CREAT,
S_IRUSR | S_IWUSR, &st, -1, -1,
virtual_mbox_lock_mask, "4.2.0", why);
if (mp != 0) {
if (S_ISREG(st.st_mode) == 0) {
vstream_fclose(mp->fp);
msg_warn("recipient %s: destination %s is not a regular file",
state.msg_attr.rcpt.address, usr_attr.mailbox);
dsb_simple(why, "5.3.5", "mail system configuration error");
} else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
vstream_fclose(mp->fp);
dsb_simple(why, "4.2.0",
"destination %s is not owned by recipient", usr_attr.mailbox);
msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
VAR_STRICT_MBOX_OWNER);
} else {
end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
copy_flags, "\n", why);
}
mbox_release(mp);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* As the mail system, bounce, defer delivery, or report success.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
vstring_sprintf_prepend(why->reason, "delivery failed to mailbox %s: ",
usr_attr.mailbox);
deliver_status =
(STR(why->status)[0] == '4' ?
defer_append : bounce_append)
(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
} else {
dsb_simple(why, "2.0.0", "delivered to mailbox");
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
}
return (deliver_status);
}
static void drop_privileges(char *unused_name, char **unused_argv)
{
set_eugid(var_owner_uid, var_owner_gid);
}
static void master_wakeup_timer_event(int unused_event, char *context)
{
const char *myname = "master_wakeup_timer_event";
MASTER_SERV *serv = (MASTER_SERV *) context;
int status;
static char wakeup = TRIGGER_REQ_WAKEUP;
/*
* Don't wakeup services whose automatic wakeup feature was turned off in
* the mean time.
*/
if (serv->wakeup_time == 0)
return;
/*
* Don't wake up services that are throttled. Find out what transport to
* use. We can't block here so we choose a short timeout.
*/
#define BRIEFLY 1
if (MASTER_THROTTLED(serv) == 0) {
if (msg_verbose)
msg_info("%s: service %s", myname, serv->name);
switch (serv->type) {
case MASTER_SERV_TYPE_INET:
status = inet_trigger(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
break;
case MASTER_SERV_TYPE_UNIX:
status = LOCAL_TRIGGER(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
break;
#ifdef MASTER_SERV_TYPE_PASS
case MASTER_SERV_TYPE_PASS:
status = PASS_TRIGGER(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
break;
#endif
/*
* If someone compromises the postfix account then this must not
* overwrite files outside the chroot jail. Countermeasures:
*
* - Limit the damage by accessing the FIFO as postfix not root.
*
* - Have fifo_trigger() call safe_open() so we won't follow
* arbitrary hard/symlinks to files in/outside the chroot jail.
*
* - All non-chroot postfix-related files must be root owned (or
* postfix check complains).
*
* - The postfix user and group ID must not be shared with other
* applications (says the INSTALL documentation).
*
* Result of a discussion with Michael Tokarev, who received his
* insights from Solar Designer, who tested Postfix with a kernel
* module that is paranoid about open() calls.
*/
case MASTER_SERV_TYPE_FIFO:
set_eugid(var_owner_uid, var_owner_gid);
status = fifo_trigger(serv->name, &wakeup, sizeof(wakeup), BRIEFLY);
set_ugid(getuid(), getgid());
break;
default:
msg_panic("%s: unknown service type: %d", myname, serv->type);
}
if (status < 0)
msg_warn("%s: service %s(%s): %m",
myname, serv->ext_name, serv->name);
}
/*
* Schedule another wakeup event.
*/
event_request_timer(master_wakeup_timer_event, (char *) serv,
serv->wakeup_time);
}
static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
{
const char *myname = "deliver_mailbox_file";
char *spool_dir;
char *mailbox;
DSN_BUF *why = state.msg_attr.why;
MBOX *mp;
int mail_copy_status;
int deliver_status;
int copy_flags;
VSTRING *biff;
long end;
struct stat st;
uid_t spool_uid;
gid_t spool_gid;
uid_t chown_uid;
gid_t chown_gid;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to mailbox");
return (sent(BOUNCE_FLAGS(state.request), SENT_ATTR(state.msg_attr)));
}
/*
* Initialize. Assume the operation will fail. Set the delivered
* attribute to reflect the final recipient.
*/
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek message file %s: %m", VSTREAM_PATH(state.msg_attr.fp));
if (var_frozen_delivered == 0)
state.msg_attr.delivered = state.msg_attr.rcpt.address;
mail_copy_status = MAIL_COPY_STAT_WRITE;
if (*var_home_mailbox) {
spool_dir = 0;
mailbox = concatenate(usr_attr.home, "/", var_home_mailbox, (char *) 0);
} else {
spool_dir = var_mail_spool_dir;
mailbox = concatenate(spool_dir, "/", state.msg_attr.user, (char *) 0);
}
/*
* Mailbox delivery with least privilege. As long as we do not use root
* privileges this code may also work over NFS.
*
* If delivering to the recipient's home directory, perform all operations
* (including file locking) as that user (Mike Muuss, Army Research
* Laboratory, USA).
*
* If delivering to the mail spool directory, and the spool directory is
* world-writable, deliver as the recipient; if the spool directory is
* group-writable, use the recipient user id and the mail spool group id.
*
* Otherwise, use root privileges and chown the mailbox.
*/
if (spool_dir == 0
|| stat(spool_dir, &st) < 0
|| (st.st_mode & S_IWOTH) != 0) {
spool_uid = usr_attr.uid;
spool_gid = usr_attr.gid;
} else if ((st.st_mode & S_IWGRP) != 0) {
spool_uid = usr_attr.uid;
spool_gid = st.st_gid;
} else {
spool_uid = 0;
spool_gid = 0;
}
if (spool_uid == usr_attr.uid) {
chown_uid = -1;
chown_gid = -1;
} else {
chown_uid = usr_attr.uid;
chown_gid = usr_attr.gid;
}
if (msg_verbose)
msg_info("spool_uid/gid %ld/%ld chown_uid/gid %ld/%ld",
(long) spool_uid, (long) spool_gid,
(long) chown_uid, (long) chown_gid);
/*
* Lock the mailbox and open/create the mailbox file. Depending on the
* type of locking used, we lock first or we open first.
*
* Write the file as the recipient, so that file quota work.
*/
copy_flags = MAIL_COPY_MBOX;
if ((local_deliver_hdr_mask & DELIVER_HDR_FILE) == 0)
copy_flags &= ~MAIL_COPY_DELIVERED;
set_eugid(spool_uid, spool_gid);
mp = mbox_open(mailbox, O_APPEND | O_WRONLY | O_CREAT,
S_IRUSR | S_IWUSR, &st, chown_uid, chown_gid,
local_mbox_lock_mask, "5.2.0", why);
if (mp != 0) {
if (spool_uid != usr_attr.uid || spool_gid != usr_attr.gid)
set_eugid(usr_attr.uid, usr_attr.gid);
if (S_ISREG(st.st_mode) == 0) {
vstream_fclose(mp->fp);
dsb_simple(why, "5.2.0",
"destination %s is not a regular file", mailbox);
} else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
vstream_fclose(mp->fp);
dsb_simple(why, "4.2.0",
"destination %s is not owned by recipient", mailbox);
msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
VAR_STRICT_MBOX_OWNER);
} else {
end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
copy_flags, "\n", why);
}
if (spool_uid != usr_attr.uid || spool_gid != usr_attr.gid)
set_eugid(spool_uid, spool_gid);
mbox_release(mp);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* As the mail system, bounce, defer delivery, or report success.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
vstring_sprintf_prepend(why->reason,
"cannot update mailbox %s for user %s. ",
mailbox, state.msg_attr.user);
deliver_status =
(STR(why->status)[0] == '4' ?
defer_append : bounce_append)
(BOUNCE_FLAGS(state.request), BOUNCE_ATTR(state.msg_attr));
} else {
dsb_simple(why, "2.0.0", "delivered to mailbox");
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
if (var_biff) {
biff = vstring_alloc(100);
vstring_sprintf(biff, "%s@%ld", usr_attr.logname, (long) end);
biff_notify(STR(biff), VSTRING_LEN(biff) + 1);
vstring_free(biff);
}
}
/*
* Clean up.
*/
myfree(mailbox);
return (deliver_status);
}
int deliver_file(LOCAL_STATE state, USER_ATTR usr_attr, char *path)
{
const char *myname = "deliver_file";
struct stat st;
MBOX *mp;
DSN_BUF *why = state.msg_attr.why;
int mail_copy_status = MAIL_COPY_STAT_WRITE;
int deliver_status;
int copy_flags;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* DUPLICATE ELIMINATION
*
* Skip this file if it was already delivered to as this user.
*/
if (been_here(state.dup_filter, "file %ld %s", (long) usr_attr.uid, path))
return (0);
/*
* DELIVERY POLICY
*
* Do we allow delivery to files?
*/
if ((local_file_deliver_mask & state.msg_attr.exp_type) == 0) {
dsb_simple(why, "5.7.1", "mail to file is restricted");
/* Account for possible owner- sender address override. */
return (bounce_workaround(state));
}
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to file: %s", path);
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* DELIVERY RIGHTS
*
* Use a default uid/gid when none are given.
*/
if (usr_attr.uid == 0 && (usr_attr.uid = var_default_uid) == 0)
msg_panic("privileged default user id");
if (usr_attr.gid == 0 && (usr_attr.gid = var_default_gid) == 0)
msg_panic("privileged default group id");
/*
* If the name ends in /, use maildir-style delivery instead.
*/
if (path[strlen(path) - 1] == '/')
return (deliver_maildir(state, usr_attr, path));
/*
* Deliver. From here on, no early returns or we have a memory leak.
*/
if (msg_verbose)
msg_info("deliver_file (%ld,%ld): %s",
(long) usr_attr.uid, (long) usr_attr.gid, path);
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek queue file %s: %m", state.msg_attr.queue_id);
/*
* As the specified user, open or create the file, lock it, and append
* the message.
*/
copy_flags = MAIL_COPY_MBOX;
if ((local_deliver_hdr_mask & DELIVER_HDR_FILE) == 0)
copy_flags &= ~MAIL_COPY_DELIVERED;
set_eugid(usr_attr.uid, usr_attr.gid);
mp = mbox_open(path, O_APPEND | O_CREAT | O_WRONLY,
S_IRUSR | S_IWUSR, &st, -1, -1,
local_mbox_lock_mask | MBOX_DOT_LOCK_MAY_FAIL,
"5.2.0", why);
if (mp != 0) {
if (S_ISREG(st.st_mode) && st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) {
vstream_fclose(mp->fp);
dsb_simple(why, "5.7.1", "file is executable");
} else {
mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
S_ISREG(st.st_mode) ? copy_flags :
(copy_flags & ~MAIL_COPY_TOFILE),
"\n", why);
}
mbox_release(mp);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* As the mail system, bounce, defer delivery, or report success.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
vstring_sprintf_prepend(why->reason,
"cannot append message to file %s: ", path);
if (STR(why->status)[0] == '4')
deliver_status =
defer_append(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
else
/* Account for possible owner- sender address override. */
deliver_status = bounce_workaround(state);
} else {
dsb_simple(why, "2.0.0", "delivered to file: %s", path);
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
}
return (deliver_status);
}
static void postmap(char *map_type, char *path_name, int postmap_flags,
int open_flags, int dict_flags)
{
VSTREAM *NOCLOBBER source_fp;
VSTRING *line_buffer;
MKMAP *mkmap;
int lineno;
int last_line;
char *key;
char *value;
struct stat st;
mode_t saved_mask;
/*
* Initialize.
*/
line_buffer = vstring_alloc(100);
if ((open_flags & O_TRUNC) == 0) {
/* Incremental mode. */
source_fp = VSTREAM_IN;
vstream_control(source_fp, CA_VSTREAM_CTL_PATH("stdin"), CA_VSTREAM_CTL_END);
} else {
/* Create database. */
if (strcmp(map_type, DICT_TYPE_PROXY) == 0)
msg_fatal("can't create maps via the proxy service");
dict_flags |= DICT_FLAG_BULK_UPDATE;
if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
msg_fatal("open %s: %m", path_name);
}
if (fstat(vstream_fileno(source_fp), &st) < 0)
msg_fatal("fstat %s: %m", path_name);
/*
* Turn off group/other read permissions as indicated in the source file.
*/
if ((postmap_flags & POSTMAP_FLAG_SAVE_PERM) && S_ISREG(st.st_mode))
saved_mask = umask(022 | (~st.st_mode & 077));
/*
* If running as root, run as the owner of the source file, so that the
* result shows proper ownership, and so that a bug in postmap does not
* allow privilege escalation.
*/
if ((postmap_flags & POSTMAP_FLAG_AS_OWNER) && getuid() == 0
&& (st.st_uid != geteuid() || st.st_gid != getegid()))
set_eugid(st.st_uid, st.st_gid);
/*
* Open the database, optionally create it when it does not exist,
* optionally truncate it when it does exist, and lock out any
* spectators.
*/
mkmap = mkmap_open(map_type, path_name, open_flags, dict_flags);
/*
* And restore the umask, in case it matters.
*/
if ((postmap_flags & POSTMAP_FLAG_SAVE_PERM) && S_ISREG(st.st_mode))
umask(saved_mask);
/*
* Trap "exceptions" so that we can restart a bulk-mode update after a
* recoverable error.
*/
for (;;) {
if (dict_isjmp(mkmap->dict) != 0
&& dict_setjmp(mkmap->dict) != 0
&& vstream_fseek(source_fp, SEEK_SET, 0) < 0)
msg_fatal("seek %s: %m", VSTREAM_PATH(source_fp));
/*
* Add records to the database.
*/
last_line = 0;
while (readllines(line_buffer, source_fp, &last_line, &lineno)) {
/*
* First some UTF-8 checks sans casefolding.
*/
if ((mkmap->dict->flags & DICT_FLAG_UTF8_ACTIVE)
&& !allascii(STR(line_buffer))
&& !valid_utf8_string(STR(line_buffer), LEN(line_buffer))) {
msg_warn("%s, line %d: non-UTF-8 input \"%s\""
" -- ignoring this line",
VSTREAM_PATH(source_fp), lineno, STR(line_buffer));
continue;
}
/*
* Split on the first whitespace character, then trim leading and
* trailing whitespace from key and value.
*/
key = STR(line_buffer);
value = key + strcspn(key, CHARS_SPACE);
if (*value)
*value++ = 0;
while (ISSPACE(*value))
value++;
trimblanks(key, 0)[0] = 0;
trimblanks(value, 0)[0] = 0;
/*
* Enforce the "key whitespace value" format. Disallow missing
* keys or missing values.
*/
if (*key == 0 || *value == 0) {
msg_warn("%s, line %d: expected format: key whitespace value",
VSTREAM_PATH(source_fp), lineno);
continue;
}
if (key[strlen(key) - 1] == ':')
msg_warn("%s, line %d: record is in \"key: value\" format; is this an alias file?",
VSTREAM_PATH(source_fp), lineno);
/*
* Store the value under a case-insensitive key.
*/
mkmap_append(mkmap, key, value);
if (mkmap->dict->error)
msg_fatal("table %s:%s: write error: %m",
mkmap->dict->type, mkmap->dict->name);
}
break;
}
/*
* Close the mapping database, and release the lock.
*/
mkmap_close(mkmap);
/*
* Cleanup. We're about to terminate, but it is a good sanity check.
*/
vstring_free(line_buffer);
if (source_fp != VSTREAM_IN)
vstream_fclose(source_fp);
}
void master_listen_init(MASTER_SERV *serv)
{
const char *myname = "master_listen_init";
char *end_point;
int n;
MAI_HOSTADDR_STR hostaddr;
struct sockaddr *sa;
/*
* Find out what transport we should use, then create one or more
* listener sockets. Make the listener sockets non-blocking, so that
* child processes don't block in accept() when multiple processes are
* selecting on the same socket and only one of them gets the connection.
*/
switch (serv->type) {
/*
* UNIX-domain or stream listener endpoints always come as singlets.
*/
case MASTER_SERV_TYPE_UNIX:
set_eugid(var_owner_uid, var_owner_gid);
serv->listen_fd[0] =
LOCAL_LISTEN(serv->name, serv->max_proc > var_proc_limit ?
serv->max_proc : var_proc_limit, NON_BLOCKING);
close_on_exec(serv->listen_fd[0], CLOSE_ON_EXEC);
set_ugid(getuid(), getgid());
break;
/*
* FIFO listener endpoints always come as singlets.
*/
case MASTER_SERV_TYPE_FIFO:
set_eugid(var_owner_uid, var_owner_gid);
serv->listen_fd[0] = fifo_listen(serv->name, 0622, NON_BLOCKING);
close_on_exec(serv->listen_fd[0], CLOSE_ON_EXEC);
set_ugid(getuid(), getgid());
break;
/*
* INET-domain listener endpoints can be wildcarded (the default) or
* bound to specific interface addresses.
*
* With dual-stack IPv4/6 systems it does not matter, we have to specify
* the addresses anyway, either explicit or wild-card.
*/
case MASTER_SERV_TYPE_INET:
for (n = 0; n < serv->listen_fd_count; n++) {
sa = SOCK_ADDR_PTR(MASTER_INET_ADDRLIST(serv)->addrs + n);
SOCKADDR_TO_HOSTADDR(sa, SOCK_ADDR_LEN(sa), &hostaddr,
(MAI_SERVPORT_STR *) 0, 0);
end_point = concatenate(hostaddr.buf,
":", MASTER_INET_PORT(serv), (char *) 0);
serv->listen_fd[n]
= inet_listen(end_point, serv->max_proc > var_proc_limit ?
serv->max_proc : var_proc_limit, NON_BLOCKING);
close_on_exec(serv->listen_fd[n], CLOSE_ON_EXEC);
myfree(end_point);
}
break;
/*
* Descriptor passing endpoints always come as singlets.
*/
#ifdef MASTER_SERV_TYPE_PASS
case MASTER_SERV_TYPE_PASS:
set_eugid(var_owner_uid, var_owner_gid);
serv->listen_fd[0] =
PASS_LISTEN(serv->name, serv->max_proc > var_proc_limit ?
serv->max_proc : var_proc_limit, NON_BLOCKING);
close_on_exec(serv->listen_fd[0], CLOSE_ON_EXEC);
set_ugid(getuid(), getgid());
break;
#endif
default:
msg_panic("%s: unknown service type: %d", myname, serv->type);
}
}
static void postmap(char *map_type, char *path_name, int postmap_flags,
int open_flags, int dict_flags)
{
VSTREAM *source_fp;
VSTRING *line_buffer;
MKMAP *mkmap;
int lineno;
char *key;
char *value;
struct stat st;
mode_t saved_mask;
/*
* Initialize.
*/
line_buffer = vstring_alloc(100);
if ((open_flags & O_TRUNC) == 0) {
source_fp = VSTREAM_IN;
vstream_control(source_fp, VSTREAM_CTL_PATH, "stdin", VSTREAM_CTL_END);
} else if (strcmp(map_type, DICT_TYPE_PROXY) == 0) {
msg_fatal("can't create maps via the proxy service");
} else if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0) {
msg_fatal("open %s: %m", path_name);
}
if (fstat(vstream_fileno(source_fp), &st) < 0)
msg_fatal("fstat %s: %m", path_name);
/*
* Turn off group/other read permissions as indicated in the source file.
*/
if ((postmap_flags & POSTMAP_FLAG_SAVE_PERM) && S_ISREG(st.st_mode))
saved_mask = umask(022 | (~st.st_mode & 077));
/*
* If running as root, run as the owner of the source file, so that the
* result shows proper ownership, and so that a bug in postmap does not
* allow privilege escalation.
*/
if ((postmap_flags & POSTMAP_FLAG_AS_OWNER) && getuid() == 0
&& (st.st_uid != geteuid() || st.st_gid != getegid()))
set_eugid(st.st_uid, st.st_gid);
/*
* Open the database, optionally create it when it does not exist,
* optionally truncate it when it does exist, and lock out any
* spectators.
*/
mkmap = mkmap_open(map_type, path_name, open_flags, dict_flags);
/*
* And restore the umask, in case it matters.
*/
if ((postmap_flags & POSTMAP_FLAG_SAVE_PERM) && S_ISREG(st.st_mode))
umask(saved_mask);
/*
* Add records to the database.
*/
lineno = 0;
while (readlline(line_buffer, source_fp, &lineno)) {
/*
* Split on the first whitespace character, then trim leading and
* trailing whitespace from key and value.
*/
key = STR(line_buffer);
value = key + strcspn(key, " \t\r\n");
if (*value)
*value++ = 0;
while (ISSPACE(*value))
value++;
trimblanks(key, 0)[0] = 0;
trimblanks(value, 0)[0] = 0;
/*
* Enforce the "key whitespace value" format. Disallow missing keys
* or missing values.
*/
if (*key == 0 || *value == 0) {
msg_warn("%s, line %d: expected format: key whitespace value",
VSTREAM_PATH(source_fp), lineno);
continue;
}
if (key[strlen(key) - 1] == ':')
msg_warn("%s, line %d: record is in \"key: value\" format; is this an alias file?",
VSTREAM_PATH(source_fp), lineno);
/*
* Store the value under a case-insensitive key.
*/
mkmap_append(mkmap, key, value);
if (mkmap->dict->error)
msg_fatal("table %s:%s: write error: %m",
mkmap->dict->type, mkmap->dict->name);
}
/*
* Close the mapping database, and release the lock.
*/
mkmap_close(mkmap);
/*
* Cleanup. We're about to terminate, but it is a good sanity check.
*/
vstring_free(line_buffer);
if (source_fp != VSTREAM_IN)
vstream_fclose(source_fp);
}
static void postalias(char *map_type, char *path_name, int postalias_flags,
int open_flags, int dict_flags)
{
VSTREAM *NOCLOBBER source_fp;
VSTRING *line_buffer;
MKMAP *mkmap;
int lineno;
int last_line;
VSTRING *key_buffer;
VSTRING *value_buffer;
TOK822 *tok_list;
TOK822 *key_list;
TOK822 *colon;
TOK822 *value_list;
struct stat st;
mode_t saved_mask;
/*
* Initialize.
*/
line_buffer = vstring_alloc(100);
key_buffer = vstring_alloc(100);
value_buffer = vstring_alloc(100);
if ((open_flags & O_TRUNC) == 0) {
/* Incremental mode. */
source_fp = VSTREAM_IN;
vstream_control(source_fp, CA_VSTREAM_CTL_PATH("stdin"), CA_VSTREAM_CTL_END);
} else {
/* Create database. */
if (strcmp(map_type, DICT_TYPE_PROXY) == 0)
msg_fatal("can't create maps via the proxy service");
dict_flags |= DICT_FLAG_BULK_UPDATE;
if ((source_fp = vstream_fopen(path_name, O_RDONLY, 0)) == 0)
msg_fatal("open %s: %m", path_name);
}
if (fstat(vstream_fileno(source_fp), &st) < 0)
msg_fatal("fstat %s: %m", path_name);
/*
* Turn off group/other read permissions as indicated in the source file.
*/
if ((postalias_flags & POSTALIAS_FLAG_SAVE_PERM) && S_ISREG(st.st_mode))
saved_mask = umask(022 | (~st.st_mode & 077));
/*
* If running as root, run as the owner of the source file, so that the
* result shows proper ownership, and so that a bug in postalias does not
* allow privilege escalation.
*/
if ((postalias_flags & POSTALIAS_FLAG_AS_OWNER) && getuid() == 0
&& (st.st_uid != geteuid() || st.st_gid != getegid()))
set_eugid(st.st_uid, st.st_gid);
/*
* Open the database, create it when it does not exist, truncate it when
* it does exist, and lock out any spectators.
*/
mkmap = mkmap_open(map_type, path_name, open_flags, dict_flags);
/*
* And restore the umask, in case it matters.
*/
if ((postalias_flags & POSTALIAS_FLAG_SAVE_PERM) && S_ISREG(st.st_mode))
umask(saved_mask);
/*
* Trap "exceptions" so that we can restart a bulk-mode update after a
* recoverable error.
*/
for (;;) {
if (dict_isjmp(mkmap->dict) != 0
&& dict_setjmp(mkmap->dict) != 0
&& vstream_fseek(source_fp, SEEK_SET, 0) < 0)
msg_fatal("seek %s: %m", VSTREAM_PATH(source_fp));
/*
* Add records to the database.
*/
last_line = 0;
while (readllines(line_buffer, source_fp, &last_line, &lineno)) {
/*
* First some UTF-8 checks sans casefolding.
*/
if ((mkmap->dict->flags & DICT_FLAG_UTF8_ACTIVE)
&& !allascii(STR(line_buffer))
&& !valid_utf8_string(STR(line_buffer), LEN(line_buffer))) {
msg_warn("%s, line %d: non-UTF-8 input \"%s\""
" -- ignoring this line",
VSTREAM_PATH(source_fp), lineno, STR(line_buffer));
continue;
}
/*
* Tokenize the input, so that we do the right thing when a
* quoted localpart contains special characters such as "@", ":"
* and so on.
*/
if ((tok_list = tok822_scan(STR(line_buffer), (TOK822 **) 0)) == 0)
continue;
/*
* Enforce the key:value format. Disallow missing keys,
* multi-address keys, or missing values. In order to specify an
* empty string or value, enclose it in double quotes.
*/
if ((colon = tok822_find_type(tok_list, ':')) == 0
|| colon->prev == 0 || colon->next == 0
|| tok822_rfind_type(colon, ',')) {
msg_warn("%s, line %d: need name:value pair",
VSTREAM_PATH(source_fp), lineno);
tok822_free_tree(tok_list);
continue;
}
/*
* Key must be local. XXX We should use the Postfix rewriting and
* resolving services to handle all address forms correctly.
* However, we can't count on the mail system being up when the
* alias database is being built, so we're guessing a bit.
*/
if (tok822_rfind_type(colon, '@') || tok822_rfind_type(colon, '%')) {
msg_warn("%s, line %d: name must be local",
VSTREAM_PATH(source_fp), lineno);
tok822_free_tree(tok_list);
continue;
}
/*
* Split the input into key and value parts, and convert from
* token representation back to string representation. Convert
* the key to internal (unquoted) form, because the resolver
* produces addresses in internal form. Convert the value to
* external (quoted) form, because it will have to be re-parsed
* upon lookup. Discard the token representation when done.
*/
key_list = tok_list;
tok_list = 0;
value_list = tok822_cut_after(colon);
tok822_unlink(colon);
tok822_free(colon);
tok822_internalize(key_buffer, key_list, TOK822_STR_DEFL);
tok822_free_tree(key_list);
tok822_externalize(value_buffer, value_list, TOK822_STR_DEFL);
tok822_free_tree(value_list);
/*
* Store the value under a case-insensitive key.
*/
mkmap_append(mkmap, STR(key_buffer), STR(value_buffer));
if (mkmap->dict->error)
msg_fatal("table %s:%s: write error: %m",
mkmap->dict->type, mkmap->dict->name);
}
break;
}
/*
* Update or append sendmail and NIS signatures.
*/
if ((open_flags & O_TRUNC) == 0)
mkmap->dict->flags |= DICT_FLAG_DUP_REPLACE;
/*
* Sendmail compatibility: add the @:@ signature to indicate that the
* database is complete. This might be needed by NIS clients running
* sendmail.
*/
mkmap_append(mkmap, "@", "@");
if (mkmap->dict->error)
msg_fatal("table %s:%s: write error: %m",
mkmap->dict->type, mkmap->dict->name);
/*
* NIS compatibility: add time and master info. Unlike other information,
* this information MUST be written without a trailing null appended to
* key or value.
*/
mkmap->dict->flags &= ~DICT_FLAG_TRY1NULL;
mkmap->dict->flags |= DICT_FLAG_TRY0NULL;
vstring_sprintf(value_buffer, "%010ld", (long) time((time_t *) 0));
#if (defined(HAS_NIS) || defined(HAS_NISPLUS))
mkmap->dict->flags &= ~DICT_FLAG_FOLD_FIX;
mkmap_append(mkmap, "YP_LAST_MODIFIED", STR(value_buffer));
mkmap_append(mkmap, "YP_MASTER_NAME", var_myhostname);
#endif
/*
* Close the alias database, and release the lock.
*/
mkmap_close(mkmap);
/*
* Cleanup. We're about to terminate, but it is a good sanity check.
*/
vstring_free(value_buffer);
vstring_free(key_buffer);
vstring_free(line_buffer);
if (source_fp != VSTREAM_IN)
vstream_fclose(source_fp);
}
int deliver_maildir(LOCAL_STATE state, USER_ATTR usr_attr)
{
const char *myname = "deliver_maildir";
char *newdir;
char *tmpdir;
char *curdir;
char *tmpfile;
char *newfile;
DSN_BUF *why = state.msg_attr.why;
VSTRING *buf;
VSTREAM *dst;
int mail_copy_status;
int deliver_status;
int copy_flags;
struct stat st;
struct timeval starttime;
GETTIMEOFDAY(&starttime);
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* Don't deliver trace-only requests.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to maildir");
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* Initialize. Assume the operation will fail. Set the delivered
* attribute to reflect the final recipient.
*/
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("seek message file %s: %m", VSTREAM_PATH(state.msg_attr.fp));
state.msg_attr.delivered = state.msg_attr.rcpt.address;
mail_copy_status = MAIL_COPY_STAT_WRITE;
buf = vstring_alloc(100);
copy_flags = MAIL_COPY_TOFILE | MAIL_COPY_RETURN_PATH
| MAIL_COPY_DELIVERED | MAIL_COPY_ORIG_RCPT;
newdir = concatenate(usr_attr.mailbox, "new/", (char *) 0);
tmpdir = concatenate(usr_attr.mailbox, "tmp/", (char *) 0);
curdir = concatenate(usr_attr.mailbox, "cur/", (char *) 0);
/*
* Create and write the file as the recipient, so that file quota work.
* Create any missing directories on the fly. The file name is chosen
* according to ftp://koobera.math.uic.edu/www/proto/maildir.html:
*
* "A unique name has three pieces, separated by dots. On the left is the
* result of time(). On the right is the result of gethostname(). In the
* middle is something that doesn't repeat within one second on a single
* host. I fork a new process for each delivery, so I just use the
* process ID. If you're delivering several messages from one process,
* use starttime.pid_count.host, where starttime is the time that your
* process started, and count is the number of messages you've
* delivered."
*
* Well, that stopped working on fast machines, and on operating systems
* that randomize process ID values. When creating a file in tmp/ we use
* the process ID because it still is an exclusive resource. When moving
* the file to new/ we use the device number and inode number. I do not
* care if this breaks on a remote AFS file system, because people should
* know better.
*
* On January 26, 2003, http://cr.yp.to/proto/maildir.html said:
*
* A unique name has three pieces, separated by dots. On the left is the
* result of time() or the second counter from gettimeofday(). On the
* right is the result of gethostname(). (To deal with invalid host
* names, replace / with \057 and : with \072.) In the middle is a
* delivery identifier, discussed below.
*
* [...]
*
* Modern delivery identifiers are created by concatenating enough of the
* following strings to guarantee uniqueness:
*
* [...]
*
* In, where n is (in hexadecimal) the UNIX inode number of this file.
* Unfortunately, inode numbers aren't always available through NFS.
*
* Vn, where n is (in hexadecimal) the UNIX device number of this file.
* Unfortunately, device numbers aren't always available through NFS.
* (Device numbers are also not helpful with the standard UNIX
* filesystem: a maildir has to be within a single UNIX device for link()
* and rename() to work.)
*
* Mn, where n is (in decimal) the microsecond counter from the same
* gettimeofday() used for the left part of the unique name.
*
* Pn, where n is (in decimal) the process ID.
*
* [...]
*/
set_eugid(usr_attr.uid, usr_attr.gid);
vstring_sprintf(buf, "%lu.P%d.%s",
(unsigned long) starttime.tv_sec, var_pid, get_hostname());
tmpfile = concatenate(tmpdir, STR(buf), (char *) 0);
newfile = 0;
if ((dst = vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == 0
&& (errno != ENOENT
|| make_dirs(tmpdir, 0700) < 0
|| (dst = vstream_fopen(tmpfile, O_WRONLY | O_CREAT | O_EXCL, 0600)) == 0)) {
dsb_simple(why, mbox_dsn(errno, "4.2.0"),
"create maildir file %s: %m", tmpfile);
} else if (fstat(vstream_fileno(dst), &st) < 0) {
/*
* Coverity 200604: file descriptor leak in code that never executes.
* Code replaced by msg_fatal(), as it is not worthwhile to continue
* after an impossible error condition.
*/
msg_fatal("fstat %s: %m", tmpfile);
} else {
vstring_sprintf(buf, "%lu.V%lxI%lxM%lu.%s",
(unsigned long) starttime.tv_sec,
(unsigned long) st.st_dev,
(unsigned long) st.st_ino,
(unsigned long) starttime.tv_usec,
get_hostname());
newfile = concatenate(newdir, STR(buf), (char *) 0);
if ((mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr),
dst, copy_flags, "\n",
why)) == 0) {
if (sane_link(tmpfile, newfile) < 0
&& (errno != ENOENT
|| (make_dirs(curdir, 0700), make_dirs(newdir, 0700)) < 0
|| sane_link(tmpfile, newfile) < 0)) {
dsb_simple(why, mbox_dsn(errno, "4.2.0"),
"create maildir file %s: %m", newfile);
mail_copy_status = MAIL_COPY_STAT_WRITE;
}
}
if (unlink(tmpfile) < 0)
msg_warn("remove %s: %m", tmpfile);
}
set_eugid(var_owner_uid, var_owner_gid);
/*
* The maildir location is controlled by the mail administrator. If
* delivery fails, try again later. We would just bounce when the maildir
* location possibly under user control.
*/
if (mail_copy_status & MAIL_COPY_STAT_CORRUPT) {
deliver_status = DEL_STAT_DEFER;
} else if (mail_copy_status != 0) {
if (errno == EACCES) {
msg_warn("maildir access problem for UID/GID=%lu/%lu: %s",
(long) usr_attr.uid, (long) usr_attr.gid,
STR(why->reason));
msg_warn("perhaps you need to create the maildirs in advance");
}
vstring_sprintf_prepend(why->reason, "maildir delivery failed: ");
deliver_status =
(STR(why->status)[0] == '4' ?
defer_append : bounce_append)
(BOUNCE_FLAGS(state.request),
BOUNCE_ATTR(state.msg_attr));
} else {
dsb_simple(why, "2.0.0", "delivered to maildir");
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
}
vstring_free(buf);
myfree(newdir);
myfree(tmpdir);
myfree(curdir);
myfree(tmpfile);
if (newfile)
myfree(newfile);
return (deliver_status);
}