static int verify_parse_entry(char *buf, int *status, long *probed,
long *updated, char **text)
{
char *probed_text;
char *updated_text;
if ((probed_text = split_at(buf, ':')) != 0
&& (updated_text = split_at(probed_text, ':')) != 0
&& (*text = split_at(updated_text, ':')) != 0
&& alldig(buf)
&& alldig(probed_text)
&& alldig(updated_text)) {
*probed = atol(probed_text);
*updated = atol(updated_text);
*status = atoi(buf);
/*
* Coverity 200604: the code incorrectly tested (probed || updated),
* so that the sanity check never detected all-zero time stamps. Such
* records are never written. If we read a record with all-zero time
* stamps, then something is badly broken.
*/
if ((*status == DEL_RCPT_STAT_OK
|| *status == DEL_RCPT_STAT_DEFER
|| *status == DEL_RCPT_STAT_BOUNCE
|| *status == DEL_RCPT_STAT_TODO)
&& (*probed || *updated))
return (0);
}
msg_warn("bad address verify table entry: %.100s", buf);
return (-1);
}
static int mac_exp_eval(const char *left, int tok_val,
const char *rite)
{
static const char myname[] = "mac_exp_eval";
long delta;
/*
* Numerical or string comparison.
*/
if (alldig(left) && alldig(rite)) {
delta = atol_or_die(left) - atol_or_die(rite);
} else {
delta = strcmp(left, rite);
}
switch (tok_val) {
case MAC_EXP_OP_TOK_EQ:
return (delta == 0);
case MAC_EXP_OP_TOK_NE:
return (delta != 0);
case MAC_EXP_OP_TOK_LT:
return (delta < 0);
case MAC_EXP_OP_TOK_LE:
return (delta <= 0);
case MAC_EXP_OP_TOK_GE:
return (delta >= 0);
case MAC_EXP_OP_TOK_GT:
return (delta > 0);
default:
msg_panic("%s: unknown operator: %d",
myname, tok_val);
}
}
static char *smtp_parse_destination(char *destination, char *def_service,
char **hostp, unsigned *portp)
{
char *buf = mystrdup(destination);
char *service;
struct servent *sp;
char *protocol = "tcp"; /* XXX configurable? */
unsigned port;
const char *err;
if (msg_verbose)
msg_info("smtp_parse_destination: %s %s", destination, def_service);
/*
* Parse the host/port information. We're working with a copy of the
* destination argument so the parsing can be destructive.
*/
if ((err = host_port(buf, hostp, (char *) 0, &service, def_service)) != 0)
msg_fatal("%s in server description: %s", err, destination);
/*
* Convert service to port number, network byte order.
*/
if (alldig(service)) {
if ((port = atoi(service)) >= 65536 || port == 0)
msg_fatal("bad network port in destination: %s", destination);
*portp = htons(port);
} else {
if ((sp = getservbyname(service, protocol)) == 0)
msg_fatal("unknown service: %s/%s", service, protocol);
*portp = sp->s_port;
}
return (buf);
}
int find_inet_port(const char *service, const char *protocol)
{
struct servent *sp;
int port;
if (alldig(service) && (port = atoi(service)) != 0) {
return (htons(port));
} else {
if ((sp = getservbyname(service, protocol)) == 0)
msg_fatal("unknown service: %s/%s", service, protocol);
return (sp->s_port);
}
}
static void add_request(DICT_CACHE_TEST *tp, ARGV *argv)
{
DICT_CACHE_SREQ_INFO *rp;
DICT_CACHE_SREQ *cp;
int req_flags;
int count;
char *cmd = argv->argv[0];
char *suffix = (argv->argc > 1 ? argv->argv[1] : 0);
char *todo = (argv->argc > 2 ? argv->argv[2] : "1"); /* XXX */
if (tp->used >= tp->size) {
msg_warn("%s: request list is full", cmd);
return;
}
for (rp = req_info; /* See below */ ; rp++) {
if (rp->name == 0) {
vstream_printf("usage: %s\n", USAGE);
return;
}
if (strcmp(rp->name, argv->argv[0]) == 0
&& rp->argc == argv->argc)
break;
}
req_flags = rp->req_flags;
if (todo[0] == '-') {
req_flags |= DICT_CACHE_SREQ_FLAG_REVERSE;
todo += 1;
}
if (!alldig(todo) || (count = atoi(todo)) == 0) {
msg_warn("%s: bad count: %s", cmd, todo);
return;
}
if (tp->flags & rp->test_flags) {
msg_warn("%s: command conflicts with other command", cmd);
return;
}
tp->flags |= rp->test_flags;
cp = tp->job_list + tp->used;
cp->cmd = mystrdup(cmd);
cp->action = rp->action;
if (suffix)
cp->suffix = mystrdup(suffix);
cp->done = 0;
cp->flags = req_flags;
cp->todo = count;
tp->used += 1;
}
const char *host_port(char *buf, char **host, char *def_host,
char **port, char *def_service)
{
char *cp = buf;
/*
* [host]:port, [host]:, [host].
*/
if (*cp == '[') {
*host = ++cp;
if ((cp = split_at(cp, ']')) == 0)
return ("missing \"]\"");
if (*cp && *cp++ != ':')
return ("garbage after \"]\"");
*port = *cp ? cp : def_service;
}
/*
* host:port, host:, host, :port, port.
*/
else {
if ((cp = split_at_right(buf, ':')) != 0) {
*host = *buf ? buf : def_host;
*port = *cp ? cp : def_service;
} else {
*host = def_host ? def_host : (*buf ? buf : 0);
*port = def_service ? def_service : (*buf ? buf : 0);
}
}
if (*host == 0)
return ("missing host information");
if (*port == 0)
return ("missing service information");
/*
* Final sanity checks. We're still sloppy, allowing bare numerical
* network addresses instead of requiring proper [ipaddress] forms.
*/
if (*host != def_host && !valid_hostname(*host, DONT_GRIPE)
&& !valid_hostaddr(*host, DONT_GRIPE))
return ("valid hostname or network address required");
if (*port != def_service && ISDIGIT(**port) && !alldig(*port))
return ("garbage after numerical service");
return (0);
}
static int match_parse_mask(const char *pattern, unsigned long *net_bits,
unsigned int *mask_shift)
{
char *saved_pattern;
char *mask;
#define BITS_PER_ADDR 32
saved_pattern = mystrdup(pattern);
if ((mask = split_at(saved_pattern, '/')) != 0) {
if (!alldig(mask) || (*mask_shift = atoi(mask)) > BITS_PER_ADDR
|| (*net_bits = inet_addr(saved_pattern)) == INADDR_NONE) {
msg_fatal("bad net/mask pattern: %s", pattern);
}
}
myfree(saved_pattern);
return (mask != 0);
}
int main(int argc, char **argv)
{
DNS_RR *rr;
MAI_HOSTADDR_STR hostaddr;
MAI_SERVPORT_STR portnum;
struct sockaddr_storage ss;
struct sockaddr *sa = (struct sockaddr *) &ss;
SOCKADDR_SIZE sa_length = sizeof(ss);
VSTRING *why;
int type;
int port;
myname = argv[0];
if (argc < 4)
usage();
why = vstring_alloc(1);
while (*++argv) {
if (argv[1] == 0 || argv[2] == 0)
usage();
if ((type = dns_type(argv[0])) == 0)
usage();
if (!alldig(argv[2]) || (port = atoi(argv[2])) > 65535)
usage();
if (dns_lookup(argv[1], type, 0, &rr, (VSTRING *) 0, why) != DNS_OK)
msg_fatal("%s: %s", argv[1], vstring_str(why));
sa_length = sizeof(ss);
if (dns_rr_to_sa(rr, htons(port), sa, &sa_length) != 0)
msg_fatal("dns_rr_to_sa: %m");
SOCKADDR_TO_HOSTADDR(sa, sa_length, &hostaddr, &portnum, 0);
vstream_printf("%s %s -> %s %s\n",
argv[1], argv[2], hostaddr.buf, portnum.buf);
vstream_fflush(VSTREAM_OUT);
argv += 2;
dns_rr_free(rr);
}
vstring_free(why);
return (0);
}
static int dict_pcre_prescan(int type, VSTRING *buf, char *context)
{
DICT_PCRE_PRESCAN_CONTEXT *ctxt = (DICT_PCRE_PRESCAN_CONTEXT *) context;
size_t n;
/*
* Keep a copy of literal text (with $$ already replaced by $) if and
* only if the replacement text contains no $number expression. This way
* we can avoid having to scan the replacement text at lookup time.
*/
if (type == MAC_PARSE_VARNAME) {
if (ctxt->literal) {
myfree(ctxt->literal);
ctxt->literal = 0;
}
if (!alldig(vstring_str(buf))) {
msg_warn("pcre map %s, line %d: non-numeric replacement index \"%s\"",
ctxt->mapname, ctxt->lineno, vstring_str(buf));
return (MAC_PARSE_ERROR);
}
n = atoi(vstring_str(buf));
if (n < 1) {
msg_warn("pcre map %s, line %d: out of range replacement index \"%s\"",
ctxt->mapname, ctxt->lineno, vstring_str(buf));
return (MAC_PARSE_ERROR);
}
if (n > ctxt->max_sub)
ctxt->max_sub = n;
} else if (type == MAC_PARSE_LITERAL && ctxt->max_sub == 0) {
if (ctxt->literal)
msg_panic("pcre map %s, line %d: multiple literals but no $number",
ctxt->mapname, ctxt->lineno);
ctxt->literal = mystrdup(vstring_str(buf));
}
return (MAC_PARSE_OK);
}
VSTRING *cidr_match_parse(CIDR_MATCH *ip, char *pattern, VSTRING *why)
{
const char *myname = "cidr_match_parse";
char *mask_search;
char *mask;
MAI_HOSTADDR_STR hostaddr;
unsigned char *np;
unsigned char *mp;
/*
* Strip [] from [addr/len] or [addr]/len, destroying the pattern. CIDR
* maps don't need [] to eliminate syntax ambiguity, but matchlists need
* it. While stripping [], figure out where we should start looking for
* /mask information.
*/
if (*pattern == '[') {
pattern++;
if ((mask_search = split_at(pattern, ']')) == 0) {
vstring_sprintf(why ? why : (why = vstring_alloc(20)),
"missing ']' character after \"[%s\"", pattern);
return (why);
} else if (*mask_search != '/') {
if (*mask_search != 0) {
vstring_sprintf(why ? why : (why = vstring_alloc(20)),
"garbage after \"[%s]\"", pattern);
return (why);
}
mask_search = pattern;
}
} else
mask_search = pattern;
/*
* Parse the pattern into network and mask, destroying the pattern.
*/
if ((mask = split_at(mask_search, '/')) != 0) {
ip->addr_family = CIDR_MATCH_ADDR_FAMILY(pattern);
ip->addr_bit_count = CIDR_MATCH_ADDR_BIT_COUNT(ip->addr_family);
ip->addr_byte_count = CIDR_MATCH_ADDR_BYTE_COUNT(ip->addr_family);
if (!alldig(mask)
|| (ip->mask_shift = atoi(mask)) > ip->addr_bit_count
|| inet_pton(ip->addr_family, pattern, ip->net_bytes) != 1) {
vstring_sprintf(why ? why : (why = vstring_alloc(20)),
"bad net/mask pattern: \"%s/%s\"", pattern, mask);
return (why);
}
if (ip->mask_shift > 0) {
/* Allow for bytes > 8. */
memset(ip->mask_bytes, ~0U, ip->addr_byte_count);
mask_addr(ip->mask_bytes, ip->addr_byte_count, ip->mask_shift);
} else
memset(ip->mask_bytes, 0, ip->addr_byte_count);
/*
* Sanity check: all host address bits must be zero.
*/
for (np = ip->net_bytes, mp = ip->mask_bytes;
np < ip->net_bytes + ip->addr_byte_count; np++, mp++) {
if (*np & ~(*mp)) {
mask_addr(ip->net_bytes, ip->addr_byte_count, ip->mask_shift);
if (inet_ntop(ip->addr_family, ip->net_bytes, hostaddr.buf,
sizeof(hostaddr.buf)) == 0)
msg_fatal("inet_ntop: %m");
vstring_sprintf(why ? why : (why = vstring_alloc(20)),
"non-null host address bits in \"%s/%s\", "
"perhaps you should use \"%s/%d\" instead",
pattern, mask, hostaddr.buf, ip->mask_shift);
return (why);
}
}
}
/*
* No /mask specified. Treat a bare network address as /allbits.
*/
else {
ip->addr_family = CIDR_MATCH_ADDR_FAMILY(pattern);
ip->addr_bit_count = CIDR_MATCH_ADDR_BIT_COUNT(ip->addr_family);
ip->addr_byte_count = CIDR_MATCH_ADDR_BYTE_COUNT(ip->addr_family);
if (inet_pton(ip->addr_family, pattern, ip->net_bytes) != 1) {
vstring_sprintf(why ? why : (why = vstring_alloc(20)),
"bad address pattern: \"%s\"", pattern);
return (why);
}
ip->mask_shift = ip->addr_bit_count;
/* Allow for bytes > 8. */
memset(ip->mask_bytes, ~0U, ip->addr_byte_count);
}
/*
* Wrap up the result.
*/
ip->next = 0;
return (0);
}
int cleanup_bounce(CLEANUP_STATE *state)
{
const char *myname = "cleanup_bounce";
VSTRING *buf = vstring_alloc(100);
const CLEANUP_STAT_DETAIL *detail;
DSN_SPLIT dp;
const char *dsn_status;
const char *dsn_text;
char *rcpt = 0;
RECIPIENT recipient;
DSN dsn;
char *attr_name;
char *attr_value;
char *dsn_orcpt = 0;
int dsn_notify = 0;
char *orig_rcpt = 0;
char *start;
int rec_type;
int junk;
long curr_offset;
const char *encoding;
const char *dsn_envid;
int dsn_ret;
int bounce_err;
/*
* Parse the failure reason if one was given, otherwise use a generic
* mapping from cleanup-internal error code to (DSN + text).
*/
if (state->reason) {
dsn_split(&dp, "5.0.0", state->reason);
dsn_status = DSN_STATUS(dp.dsn);
dsn_text = dp.text;
} else {
detail = cleanup_stat_detail(state->errs);
dsn_status = detail->dsn;
dsn_text = detail->text;
}
/*
* Create a bounce logfile with one entry for each final recipient.
* Degrade gracefully in case of no recipients or no queue file.
*
* Victor Duchovni observes that the number of recipients in the queue file
* can potentially be very large due to virtual alias expansion. This can
* expand the recipient count by virtual_alias_expansion_limit (default:
* 1000) times.
*
* After a queue file write error, purge any unwritten data (so that
* vstream_fseek() won't fail while trying to flush it) and reset the
* stream error flags to avoid false alarms.
*/
if (vstream_ferror(state->dst) || vstream_fflush(state->dst)) {
(void) vstream_fpurge(state->dst, VSTREAM_PURGE_BOTH);
vstream_clearerr(state->dst);
}
if (vstream_fseek(state->dst, 0L, SEEK_SET) < 0)
msg_fatal("%s: seek %s: %m", myname, cleanup_path);
while ((state->errs & CLEANUP_STAT_WRITE) == 0) {
if ((curr_offset = vstream_ftell(state->dst)) < 0)
msg_fatal("%s: vstream_ftell %s: %m", myname, cleanup_path);
if ((rec_type = rec_get(state->dst, buf, 0)) <= 0
|| rec_type == REC_TYPE_END)
break;
start = STR(buf);
if (rec_type == REC_TYPE_ATTR) {
if (split_nameval(STR(buf), &attr_name, &attr_value) != 0
|| *attr_value == 0)
continue;
/* Map attribute names to pseudo record type. */
if ((junk = rec_attr_map(attr_name)) != 0) {
start = attr_value;
rec_type = junk;
}
}
switch (rec_type) {
case REC_TYPE_DSN_ORCPT: /* RCPT TO ORCPT parameter */
if (dsn_orcpt != 0) /* can't happen */
myfree(dsn_orcpt);
dsn_orcpt = mystrdup(start);
break;
case REC_TYPE_DSN_NOTIFY: /* RCPT TO NOTIFY parameter */
if (alldig(start) && (junk = atoi(start)) > 0
&& DSN_NOTIFY_OK(junk))
dsn_notify = junk;
else
dsn_notify = 0;
break;
case REC_TYPE_ORCP: /* unmodified RCPT TO address */
if (orig_rcpt != 0) /* can't happen */
myfree(orig_rcpt);
orig_rcpt = mystrdup(start);
break;
case REC_TYPE_RCPT: /* rewritten RCPT TO address */
rcpt = start;
RECIPIENT_ASSIGN(&recipient, curr_offset,
dsn_orcpt ? dsn_orcpt : "", dsn_notify,
orig_rcpt ? orig_rcpt : rcpt, rcpt);
(void) DSN_SIMPLE(&dsn, dsn_status, dsn_text);
cleanup_bounce_append(state, &recipient, &dsn);
/* FALLTHROUGH */
case REC_TYPE_DRCP: /* canceled recipient */
case REC_TYPE_DONE: /* can't happen */
if (orig_rcpt != 0) {
myfree(orig_rcpt);
orig_rcpt = 0;
}
if (dsn_orcpt != 0) {
myfree(dsn_orcpt);
dsn_orcpt = 0;
}
dsn_notify = 0;
break;
}
}
if (orig_rcpt != 0) /* can't happen */
myfree(orig_rcpt);
if (dsn_orcpt != 0) /* can't happen */
myfree(dsn_orcpt);
/*
* No recipients. Yes, this can happen.
*/
if ((state->errs & CLEANUP_STAT_WRITE) == 0 && rcpt == 0) {
RECIPIENT_ASSIGN(&recipient, 0, "", 0, "", "unknown");
(void) DSN_SIMPLE(&dsn, dsn_status, dsn_text);
cleanup_bounce_append(state, &recipient, &dsn);
}
vstring_free(buf);
/*
* Flush the bounce logfile to the sender. See also qmgr_active.c.
*/
if ((state->errs & CLEANUP_STAT_WRITE) == 0) {
if ((encoding = nvtable_find(state->attr, MAIL_ATTR_ENCODING)) == 0)
encoding = MAIL_ATTR_ENC_NONE;
dsn_envid = state->dsn_envid ?
state->dsn_envid : "";
/* Do not send unfiltered (body) content. */
dsn_ret = (state->errs & (CLEANUP_STAT_CONT | CLEANUP_STAT_SIZE)) ?
DSN_RET_HDRS : state->dsn_ret;
if (state->verp_delims == 0 || var_verp_bounce_off) {
bounce_err =
bounce_flush(BOUNCE_FLAG_CLEAN,
state->queue_name, state->queue_id,
encoding, state->sender, dsn_envid,
dsn_ret);
} else {
bounce_err =
bounce_flush_verp(BOUNCE_FLAG_CLEAN,
state->queue_name, state->queue_id,
encoding, state->sender, dsn_envid,
dsn_ret, state->verp_delims);
}
if (bounce_err != 0) {
msg_warn("%s: bounce message failure", state->queue_id);
state->errs |= CLEANUP_STAT_WRITE;
}
}
/*
* Schedule this message (and trace logfile) for deletion when all is
* well. When all is not well these files would be deleted too, but the
* client would get a different completion status so we have to carefully
* maintain the bits anyway.
*/
if ((state->errs &= CLEANUP_STAT_WRITE) == 0)
state->flags |= CLEANUP_FLAG_DISCARD;
return (state->errs);
}
void cleanup_extracted_process(CLEANUP_STATE *state, int type,
const char *buf, ssize_t len)
{
const char *myname = "cleanup_extracted_process";
const char *encoding;
char *attr_name;
char *attr_value;
const char *error_text;
int extra_opts;
int junk;
#ifdef DELAY_ACTION
int defer_delay;
#endif
if (msg_verbose)
msg_info("extracted envelope %c %.*s", type, (int) len, buf);
if (type == REC_TYPE_FLGS) {
/* Not part of queue file format. */
extra_opts = atoi(buf);
if (extra_opts & ~CLEANUP_FLAG_MASK_EXTRA)
msg_warn("%s: ignoring bad extra flags: 0x%x",
state->queue_id, extra_opts);
else
state->flags |= extra_opts;
return;
}
#ifdef DELAY_ACTION
if (type == REC_TYPE_DELAY) {
/* Not part of queue file format. */
defer_delay = atoi(buf);
if (defer_delay <= 0)
msg_warn("%s: ignoring bad delay time: %s", state->queue_id, buf);
else
state->defer_delay = defer_delay;
return;
}
#endif
if (strchr(REC_TYPE_EXTRACT, type) == 0) {
msg_warn("%s: message rejected: "
"unexpected record type %d in extracted envelope",
state->queue_id, type);
state->errs |= CLEANUP_STAT_BAD;
return;
}
/*
* Map DSN attribute name to pseudo record type so that we don't have to
* pollute the queue file with records that are incompatible with past
* Postfix versions. Preferably, people should be able to back out from
* an upgrade without losing mail.
*/
if (type == REC_TYPE_ATTR) {
vstring_strcpy(state->attr_buf, buf);
error_text = split_nameval(STR(state->attr_buf), &attr_name, &attr_value);
if (error_text != 0) {
msg_warn("%s: message rejected: malformed attribute: %s: %.100s",
state->queue_id, error_text, buf);
state->errs |= CLEANUP_STAT_BAD;
return;
}
/* Zero-length values are place holders for unavailable values. */
if (*attr_value == 0) {
msg_warn("%s: spurious null attribute value for \"%s\" -- ignored",
state->queue_id, attr_name);
return;
}
if ((junk = rec_attr_map(attr_name)) != 0) {
buf = attr_value;
type = junk;
}
}
/*
* On the transition from non-recipient records to recipient records,
* emit optional information from header/body content.
*/
if ((state->flags & CLEANUP_FLAG_INRCPT) == 0
&& strchr(REC_TYPE_EXT_RECIPIENT, type) != 0) {
if (state->filter != 0)
cleanup_out_string(state, REC_TYPE_FILT, state->filter);
if (state->redirect != 0)
cleanup_out_string(state, REC_TYPE_RDR, state->redirect);
if ((encoding = nvtable_find(state->attr, MAIL_ATTR_ENCODING)) != 0)
cleanup_out_format(state, REC_TYPE_ATTR, "%s=%s",
MAIL_ATTR_ENCODING, encoding);
state->flags |= CLEANUP_FLAG_INRCPT;
/* Make room to append more meta records. */
if (state->milters || cleanup_milters) {
if ((state->append_meta_pt_offset = vstream_ftell(state->dst)) < 0)
msg_fatal("%s: vstream_ftell %s: %m:", myname, cleanup_path);
cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT, 0L);
if ((state->append_meta_pt_target = vstream_ftell(state->dst)) < 0)
msg_fatal("%s: vstream_ftell %s: %m:", myname, cleanup_path);
}
}
/*
* Extracted envelope recipient record processing.
*/
if (type == REC_TYPE_RCPT) {
if (state->sender == 0) { /* protect showq */
msg_warn("%s: message rejected: envelope recipient precedes sender",
state->queue_id);
state->errs |= CLEANUP_STAT_BAD;
return;
}
if (state->orig_rcpt == 0)
state->orig_rcpt = mystrdup(buf);
cleanup_addr_recipient(state, buf);
if (cleanup_milters != 0
&& state->milters == 0
&& CLEANUP_MILTER_OK(state))
cleanup_milter_emul_rcpt(state, cleanup_milters, state->recip);
myfree(state->orig_rcpt);
state->orig_rcpt = 0;
if (state->dsn_orcpt != 0) {
myfree(state->dsn_orcpt);
state->dsn_orcpt = 0;
}
state->dsn_notify = 0;
return;
}
if (type == REC_TYPE_DONE || type == REC_TYPE_DRCP) {
if (state->orig_rcpt != 0) {
myfree(state->orig_rcpt);
state->orig_rcpt = 0;
}
if (state->dsn_orcpt != 0) {
myfree(state->dsn_orcpt);
state->dsn_orcpt = 0;
}
state->dsn_notify = 0;
return;
}
if (type == REC_TYPE_DSN_ORCPT) {
if (state->dsn_orcpt) {
msg_warn("%s: ignoring out-of-order DSN original recipient record <%.200s>",
state->queue_id, state->dsn_orcpt);
myfree(state->dsn_orcpt);
}
state->dsn_orcpt = mystrdup(buf);
return;
}
if (type == REC_TYPE_DSN_NOTIFY) {
if (state->dsn_notify) {
msg_warn("%s: ignoring out-of-order DSN notify record <%d>",
state->queue_id, state->dsn_notify);
state->dsn_notify = 0;
}
if (!alldig(buf) || (junk = atoi(buf)) == 0 || DSN_NOTIFY_OK(junk) == 0)
msg_warn("%s: ignoring malformed dsn notify record <%.200s>",
state->queue_id, buf);
else
state->qmgr_opts |=
QMGR_READ_FLAG_FROM_DSN(state->dsn_notify = junk);
return;
}
if (type == REC_TYPE_ORCP) {
if (state->orig_rcpt != 0) {
msg_warn("%s: ignoring out-of-order original recipient record <%.200s>",
state->queue_id, buf);
myfree(state->orig_rcpt);
}
state->orig_rcpt = mystrdup(buf);
return;
}
if (type == REC_TYPE_END) {
/* Make room to append recipient. */
if ((state->milters || cleanup_milters)
&& state->append_rcpt_pt_offset < 0) {
if ((state->append_rcpt_pt_offset = vstream_ftell(state->dst)) < 0)
msg_fatal("%s: vstream_ftell %s: %m:", myname, cleanup_path);
cleanup_out_format(state, REC_TYPE_PTR, REC_TYPE_PTR_FORMAT, 0L);
if ((state->append_rcpt_pt_target = vstream_ftell(state->dst)) < 0)
msg_fatal("%s: vstream_ftell %s: %m:", myname, cleanup_path);
}
state->flags &= ~CLEANUP_FLAG_INRCPT;
state->flags |= CLEANUP_FLAG_END_SEEN;
cleanup_extracted_finish(state);
return;
}
/*
* Extracted envelope non-recipient record processing.
*/
if (state->flags & CLEANUP_FLAG_INRCPT)
/* Tell qmgr that recipient records are mixed with other information. */
state->qmgr_opts |= QMGR_READ_FLAG_MIXED_RCPT_OTHER;
cleanup_out(state, type, buf, len);
return;
}
SMTP_SESSION *smtp_session_activate(int fd, VSTRING *dest_prop,
VSTRING *endp_prop)
{
const char *myname = "smtp_session_activate";
SMTP_SESSION *session;
char *dest_props;
char *endp_props;
const char *prop;
const char *dest;
const char *host;
const char *addr;
unsigned port;
unsigned features; /* server features */
time_t expire_time; /* session re-use expiration time */
unsigned reuse_count; /* # times reused */
/*
* XXX it would be nice to have a VSTRING to VSTREAM adapter so that we
* can de-serialize the properties with attr_scan(), instead of using
* ad-hoc, non-reusable code.
*
* XXX As a preliminary solution we use mystrtok(), but that function is not
* suitable for zero-length fields.
*/
endp_props = STR(endp_prop);
if ((prop = mystrtok(&endp_props, "\n")) == 0 || !alldig(prop)) {
msg_warn("%s: bad cached session reuse count property", myname);
return (0);
}
reuse_count = atoi(prop);
if ((dest = mystrtok(&endp_props, "\n")) == 0) {
msg_warn("%s: missing cached session destination property", myname);
return (0);
}
if ((host = mystrtok(&endp_props, "\n")) == 0) {
msg_warn("%s: missing cached session hostname property", myname);
return (0);
}
if ((addr = mystrtok(&endp_props, "\n")) == 0) {
msg_warn("%s: missing cached session address property", myname);
return (0);
}
if ((prop = mystrtok(&endp_props, "\n")) == 0 || !alldig(prop)) {
msg_warn("%s: bad cached session port property", myname);
return (0);
}
port = atoi(prop);
if ((prop = mystrtok(&endp_props, "\n")) == 0 || !alldig(prop)) {
msg_warn("%s: bad cached session features property", myname);
return (0);
}
features = atoi(prop);
if ((prop = mystrtok(&endp_props, "\n")) == 0 || !alldig(prop)) {
msg_warn("%s: bad cached session expiration time property", myname);
return (0);
}
#ifdef MISSING_STRTOUL
expire_time = strtol(prop, 0, 10);
#else
expire_time = strtoul(prop, 0, 10);
#endif
if (dest_prop && VSTRING_LEN(dest_prop)) {
dest_props = STR(dest_prop);
if ((prop = mystrtok(&dest_props, "\n")) == 0 || !alldig(prop)) {
msg_warn("%s: bad cached destination features property", myname);
return (0);
}
features |= atoi(prop);
}
/*
* Allright, bundle up what we have sofar.
*/
#define NO_FLAGS 0
session = smtp_session_alloc(vstream_fdopen(fd, O_RDWR), dest, host,
addr, port, (time_t) 0, NO_FLAGS);
session->features = (features | SMTP_FEATURE_FROM_CACHE);
CACHE_THIS_SESSION_UNTIL(expire_time);
session->reuse_count = ++reuse_count;
if (msg_verbose)
msg_info("%s: dest=%s host=%s addr=%s port=%u features=0x%x, "
"ttl=%ld, reuse=%d",
myname, dest, host, addr, ntohs(port), features,
(long) (expire_time - time((time_t *) 0)), reuse_count);
/*
* Re-activate the SASL attributes.
*/
#ifdef notdef
if (smtp_sasl_enable && smtp_sasl_activate(session, endp_props) < 0) {
vstream_fdclose(session->stream);
session->stream = 0;
smtp_session_free(session);
return (0);
}
#endif
return (session);
}
static int smtpd_proxy_replay_send(SMTPD_STATE *state)
{
const char *myname = "smtpd_proxy_replay_send";
static VSTRING *replay_buf = 0;
SMTPD_PROXY *proxy = state->proxy;
int rec_type;
int expect = SMTPD_PROX_WANT_BAD;
/*
* Sanity check.
*/
if (smtpd_proxy_replay_stream == 0)
msg_panic("%s: no before-queue filter speed-adjust log", myname);
/*
* Errors first.
*/
if (vstream_ferror(smtpd_proxy_replay_stream)
|| vstream_feof(smtpd_proxy_replay_stream)
|| rec_put(smtpd_proxy_replay_stream, REC_TYPE_END, "", 0) != REC_TYPE_END
|| vstream_fflush(smtpd_proxy_replay_stream))
/* NOT: fsync(vstream_fileno(smtpd_proxy_replay_stream)) */
return (smtpd_proxy_replay_rdwr_error(state));
/*
* Delayed connection to the before-queue filter.
*/
if (smtpd_proxy_connect(state) < 0)
return (-1);
/*
* Replay the speed-match log. We do sanity check record content, but we
* don't implement a protocol state engine here, since we are reading
* from a file that we just wrote ourselves.
*
* This is different than the MailChannels patented solution that
* multiplexes a large number of slowed-down inbound connections over a
* small number of fast connections to a local MTA.
*
* - MailChannels receives mail directly from the Internet. It uses one
* connection to the local MTA to reject invalid recipients before
* receiving the entire email message at reduced bit rates, and then uses
* a different connection to quickly deliver the message to the local
* MTA.
*
* - Postfix receives mail directly from the Internet. The Postfix SMTP
* server rejects invalid recipients before receiving the entire message
* over the Internet, and then delivers the message quickly to a local
* SMTP-based content filter.
*/
if (replay_buf == 0)
replay_buf = vstring_alloc(100);
if (vstream_fseek(smtpd_proxy_replay_stream, (off_t) 0, SEEK_SET) < 0)
return (smtpd_proxy_replay_rdwr_error(state));
for (;;) {
switch (rec_type = rec_get(smtpd_proxy_replay_stream, replay_buf,
REC_FLAG_NONE)) {
/*
* Message content.
*/
case REC_TYPE_NORM:
case REC_TYPE_CONT:
if (smtpd_proxy_rec_put(proxy->service_stream, rec_type,
STR(replay_buf), LEN(replay_buf)) < 0)
return (-1);
break;
/*
* Expected server reply type.
*/
case REC_TYPE_RCPT:
if (!alldig(STR(replay_buf))
|| (expect = atoi(STR(replay_buf))) == SMTPD_PROX_WANT_BAD)
msg_panic("%s: malformed server reply type: %s",
myname, STR(replay_buf));
break;
/*
* Client command, or void. Bail out on the first negative proxy
* response. This is OK, because the filter must use the same
* reply code for all recipients of a multi-recipient message.
*/
case REC_TYPE_FROM:
if (expect == SMTPD_PROX_WANT_BAD)
msg_panic("%s: missing server reply type", myname);
if (smtpd_proxy_cmd(state, expect, *STR(replay_buf) ? "%s" :
SMTPD_PROXY_CONN_FMT, STR(replay_buf)) < 0)
return (-1);
expect = SMTPD_PROX_WANT_BAD;
break;
/*
* Explicit end marker, instead of implicit EOF.
*/
case REC_TYPE_END:
return (0);
/*
* Errors.
*/
case REC_TYPE_ERROR:
return (smtpd_proxy_replay_rdwr_error(state));
default:
msg_panic("%s: unexpected record type; %d", myname, rec_type);
}
}
}
static DICT_CIDR_ENTRY *dict_cidr_parse_rule(const char *mapname, int lineno,
char *p)
{
DICT_CIDR_ENTRY *rule;
char *key;
char *value;
char *mask;
int mask_shift;
unsigned long net_bits;
unsigned long mask_bits;
struct in_addr net_addr;
/*
* Split the rule into key and value. We already eliminated leading
* whitespace, comments, empty lines or lines with whitespace only. This
* means a null key can't happen but we will handle this anyway.
*/
key = p;
while (*p && !ISSPACE(*p)) /* Skip over key */
p++;
if (*p) /* Terminate key */
*p++ = 0;
while (*p && ISSPACE(*p)) /* Skip whitespace */
p++;
value = p;
trimblanks(value, 0)[0] = 0; /* Trim trailing blanks */
if (*key == 0) {
msg_warn("cidr map %s, line %d: no address pattern: skipping this rule",
mapname, lineno);
return (0);
}
if (*value == 0) {
msg_warn("cidr map %s, line %d: no lookup result: skipping this rule",
mapname, lineno);
return (0);
}
/*
* Parse the key into network and mask, and destroy the key. Treat a bare
* network address as /32.
*
* We need explicit code for /0. The result of << is undefined when the
* shift is greater or equal to the number of bits in the shifted
* operand.
*/
if ((mask = split_at(key, '/')) != 0) {
if (!alldig(mask) || (mask_shift = atoi(mask)) > BITS_PER_ADDR
|| (net_bits = inet_addr(key)) == INADDR_NONE) {
msg_warn("cidr map %s, line %d: bad net/mask pattern: \"%s/%s\": "
"skipping this rule", mapname, lineno, key, mask);
return (0);
}
mask_bits = mask_shift > 0 ?
htonl((0xffffffff) << (BITS_PER_ADDR - mask_shift)) : 0;
if (net_bits & ~mask_bits) {
net_addr.s_addr = (net_bits & mask_bits);
msg_warn("cidr map %s, line %d: net/mask pattern \"%s/%s\" with "
"non-null host portion: skipping this rule",
mapname, lineno, key, mask);
msg_warn("specify \"%s/%d\" if this is really what you want",
inet_ntoa(net_addr), mask_shift);
return (0);
}
} else {
if ((net_bits = inet_addr(key)) == INADDR_NONE) {
msg_warn("cidr map %s, line %d: bad address pattern: \"%s\": "
"skipping this rule", mapname, lineno, key);
return (0);
}
mask_shift = 32;
mask_bits = htonl(0xffffffff);
}
/*
* Bundle up the result.
*/
rule = (DICT_CIDR_ENTRY *) mymalloc(sizeof(DICT_CIDR_ENTRY));
rule->net_bits = net_bits;
rule->mask_bits = mask_bits;
rule->value = mystrdup(value);
rule->next = 0;
if (msg_verbose)
msg_info("dict_cidr_open: %s: %lu/%d %s",
mapname, rule->net_bits, mask_shift, rule->value);
return (rule);
}
NORETURN multi_server_main(int argc, char **argv, MULTI_SERVER_FN service,...)
{
const char *myname = "multi_server_main";
VSTREAM *stream = 0;
char *root_dir = 0;
char *user_name = 0;
int debug_me = 0;
int daemon_mode = 1;
char *service_name = basename(argv[0]);
int delay;
int c;
int fd;
va_list ap;
MAIL_SERVER_INIT_FN pre_init = 0;
MAIL_SERVER_INIT_FN post_init = 0;
MAIL_SERVER_LOOP_FN loop = 0;
int key;
char *transport = 0;
#if 0
char *lock_path;
VSTRING *why;
#endif
int alone = 0;
int zerolimit = 0;
WATCHDOG *watchdog;
char *oname_val;
char *oname;
char *oval;
const char *err;
char *generation;
int msg_vstream_needed = 0;
int redo_syslog_init = 0;
/*
* Process environment options as early as we can.
*/
if (getenv(CONF_ENV_VERB))
msg_verbose = 1;
if (getenv(CONF_ENV_DEBUG))
debug_me = 1;
/*
* Don't die when a process goes away unexpectedly.
*/
signal(SIGPIPE, SIG_IGN);
/*
* Don't die for frivolous reasons.
*/
#ifdef SIGXFSZ
signal(SIGXFSZ, SIG_IGN);
#endif
/*
* May need this every now and then.
*/
var_procname = mystrdup(basename(argv[0]));
set_mail_conf_str(VAR_PROCNAME, var_procname);
/*
* Initialize logging and exit handler. Do the syslog first, so that its
* initialization completes before we enter the optional chroot jail.
*/
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
if (msg_verbose)
msg_info("daemon started");
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Initialize from the configuration file. Allow command-line options to
* override compiled-in defaults or configured parameter values.
*/
mail_conf_suck();
/*
* Register dictionaries that use higher-level interfaces and protocols.
*/
mail_dict_init();
/*
* After database open error, continue execution with reduced
* functionality.
*/
dict_allow_surrogate = 1;
/*
* Pick up policy settings from master process. Shut up error messages to
* stderr, because no-one is going to see them.
*/
opterr = 0;
while ((c = GETOPT(argc, argv, "cdDi:lm:n:o:s:St:uvVz")) > 0) {
switch (c) {
case 'c':
root_dir = "setme";
break;
case 'd':
daemon_mode = 0;
break;
case 'D':
debug_me = 1;
break;
case 'i':
mail_conf_update(VAR_MAX_IDLE, optarg);
break;
case 'l':
alone = 1;
break;
case 'm':
mail_conf_update(VAR_MAX_USE, optarg);
break;
case 'n':
service_name = optarg;
break;
case 'o':
oname_val = mystrdup(optarg);
if ((err = split_nameval(oname_val, &oname, &oval)) != 0)
msg_fatal("invalid \"-o %s\" option value: %s", optarg, err);
mail_conf_update(oname, oval);
if (strcmp(oname, VAR_SYSLOG_NAME) == 0)
redo_syslog_init = 1;
myfree(oname_val);
break;
case 's':
if ((socket_count = atoi(optarg)) <= 0)
msg_fatal("invalid socket_count: %s", optarg);
break;
case 'S':
stream = VSTREAM_IN;
break;
case 'u':
user_name = "setme";
break;
case 't':
transport = optarg;
break;
case 'v':
msg_verbose++;
break;
case 'V':
if (++msg_vstream_needed == 1)
msg_vstream_init(mail_task(var_procname), VSTREAM_ERR);
break;
case 'z':
zerolimit = 1;
break;
default:
msg_fatal("invalid option: %c", c);
break;
}
}
/*
* Initialize generic parameters.
*/
mail_params_init();
if (redo_syslog_init)
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
/*
* If not connected to stdin, stdin must not be a terminal.
*/
if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
msg_vstream_init(var_procname, VSTREAM_ERR);
msg_fatal("do not run this command by hand");
}
/*
* Application-specific initialization.
*/
va_start(ap, service);
while ((key = va_arg(ap, int)) != 0) {
switch (key) {
case MAIL_SERVER_INT_TABLE:
get_mail_conf_int_table(va_arg(ap, CONFIG_INT_TABLE *));
break;
case MAIL_SERVER_LONG_TABLE:
get_mail_conf_long_table(va_arg(ap, CONFIG_LONG_TABLE *));
break;
case MAIL_SERVER_STR_TABLE:
get_mail_conf_str_table(va_arg(ap, CONFIG_STR_TABLE *));
break;
case MAIL_SERVER_BOOL_TABLE:
get_mail_conf_bool_table(va_arg(ap, CONFIG_BOOL_TABLE *));
break;
case MAIL_SERVER_TIME_TABLE:
get_mail_conf_time_table(va_arg(ap, CONFIG_TIME_TABLE *));
break;
case MAIL_SERVER_RAW_TABLE:
get_mail_conf_raw_table(va_arg(ap, CONFIG_RAW_TABLE *));
break;
case MAIL_SERVER_NINT_TABLE:
get_mail_conf_nint_table(va_arg(ap, CONFIG_NINT_TABLE *));
break;
case MAIL_SERVER_NBOOL_TABLE:
get_mail_conf_nbool_table(va_arg(ap, CONFIG_NBOOL_TABLE *));
break;
case MAIL_SERVER_PRE_INIT:
pre_init = va_arg(ap, MAIL_SERVER_INIT_FN);
break;
case MAIL_SERVER_POST_INIT:
post_init = va_arg(ap, MAIL_SERVER_INIT_FN);
break;
case MAIL_SERVER_LOOP:
loop = va_arg(ap, MAIL_SERVER_LOOP_FN);
break;
case MAIL_SERVER_EXIT:
multi_server_onexit = va_arg(ap, MAIL_SERVER_EXIT_FN);
break;
case MAIL_SERVER_PRE_ACCEPT:
multi_server_pre_accept = va_arg(ap, MAIL_SERVER_ACCEPT_FN);
break;
case MAIL_SERVER_PRE_DISCONN:
multi_server_pre_disconn = va_arg(ap, MAIL_SERVER_DISCONN_FN);
break;
case MAIL_SERVER_IN_FLOW_DELAY:
multi_server_in_flow_delay = 1;
break;
case MAIL_SERVER_SOLITARY:
if (stream == 0 && !alone)
msg_fatal("service %s requires a process limit of 1",
service_name);
break;
case MAIL_SERVER_UNLIMITED:
if (stream == 0 && !zerolimit)
msg_fatal("service %s requires a process limit of 0",
service_name);
break;
case MAIL_SERVER_PRIVILEGED:
if (user_name)
msg_fatal("service %s requires privileged operation",
service_name);
break;
default:
msg_panic("%s: unknown argument type: %d", myname, key);
}
}
va_end(ap);
if (root_dir)
root_dir = var_queue_dir;
if (user_name)
user_name = var_mail_owner;
/*
* Can options be required?
*/
if (stream == 0) {
if (transport == 0)
msg_fatal("no transport type specified");
if (strcasecmp(transport, MASTER_XPORT_NAME_INET) == 0)
multi_server_accept = multi_server_accept_inet;
else if (strcasecmp(transport, MASTER_XPORT_NAME_UNIX) == 0)
multi_server_accept = multi_server_accept_local;
#ifdef MASTER_XPORT_NAME_PASS
else if (strcasecmp(transport, MASTER_XPORT_NAME_PASS) == 0)
multi_server_accept = multi_server_accept_pass;
#endif
else
msg_fatal("unsupported transport type: %s", transport);
}
/*
* Retrieve process generation from environment.
*/
if ((generation = getenv(MASTER_GEN_NAME)) != 0) {
if (!alldig(generation))
msg_fatal("bad generation: %s", generation);
OCTAL_TO_UNSIGNED(multi_server_generation, generation);
if (msg_verbose)
msg_info("process generation: %s (%o)",
generation, multi_server_generation);
}
/*
* Optionally start the debugger on ourself.
*/
if (debug_me)
debug_process();
/*
* Traditionally, BSD select() can't handle multiple processes selecting
* on the same socket, and wakes up every process in select(). See TCP/IP
* Illustrated volume 2 page 532. We avoid select() collisions with an
* external lock file.
*/
/*
* XXX Can't compete for exclusive access to the listen socket because we
* also have to monitor existing client connections for service requests.
*/
#if 0
if (stream == 0 && !alone) {
lock_path = concatenate(DEF_PID_DIR, "/", transport,
".", service_name, (char *) 0);
why = vstring_alloc(1);
if ((multi_server_lock = safe_open(lock_path, O_CREAT | O_RDWR, 0600,
(struct stat *) 0, -1, -1, why)) == 0)
msg_fatal("open lock file %s: %s", lock_path, vstring_str(why));
close_on_exec(vstream_fileno(multi_server_lock), CLOSE_ON_EXEC);
myfree(lock_path);
vstring_free(why);
}
#endif
/*
* Set up call-back info.
*/
multi_server_service = service;
multi_server_name = service_name;
multi_server_argv = argv + optind;
/*
* Run pre-jail initialization.
*/
if (chdir(var_queue_dir) < 0)
msg_fatal("chdir(\"%s\"): %m", var_queue_dir);
if (pre_init)
pre_init(multi_server_name, multi_server_argv);
/*
* Optionally, restrict the damage that this process can do.
*/
resolve_local_init();
tzset();
chroot_uid(root_dir, user_name);
/*
* Run post-jail initialization.
*/
if (post_init)
post_init(multi_server_name, multi_server_argv);
/*
* Are we running as a one-shot server with the client connection on
* standard input? If so, make sure the output is written to stdout so as
* to satisfy common expectation.
*/
if (stream != 0) {
vstream_control(stream,
VSTREAM_CTL_DOUBLE,
VSTREAM_CTL_WRITE_FD, STDOUT_FILENO,
VSTREAM_CTL_END);
service(stream, multi_server_name, multi_server_argv);
vstream_fflush(stream);
multi_server_exit();
}
/*
* Running as a semi-resident server. Service connection requests.
* Terminate when we have serviced a sufficient number of clients, when
* no-one has been talking to us for a configurable amount of time, or
* when the master process terminated abnormally.
*/
if (var_idle_limit > 0)
event_request_timer(multi_server_timeout, (char *) 0, var_idle_limit);
for (fd = MASTER_LISTEN_FD; fd < MASTER_LISTEN_FD + socket_count; fd++) {
event_enable_read(fd, multi_server_accept, CAST_INT_TO_CHAR_PTR(fd));
close_on_exec(fd, CLOSE_ON_EXEC);
}
event_enable_read(MASTER_STATUS_FD, multi_server_abort, (char *) 0);
close_on_exec(MASTER_STATUS_FD, CLOSE_ON_EXEC);
close_on_exec(MASTER_FLOW_READ, CLOSE_ON_EXEC);
close_on_exec(MASTER_FLOW_WRITE, CLOSE_ON_EXEC);
watchdog = watchdog_create(var_daemon_timeout, (WATCHDOG_FN) 0, (char *) 0);
/*
* The event loop, at last.
*/
while (var_use_limit == 0 || use_count < var_use_limit || client_count > 0) {
if (multi_server_lock != 0) {
watchdog_stop(watchdog);
if (myflock(vstream_fileno(multi_server_lock), INTERNAL_LOCK,
MYFLOCK_OP_EXCLUSIVE) < 0)
msg_fatal("select lock: %m");
}
watchdog_start(watchdog);
delay = loop ? loop(multi_server_name, multi_server_argv) : -1;
event_loop(delay);
}
multi_server_exit();
}
static int qmgr_message_read(QMGR_MESSAGE *message)
{
VSTRING *buf;
int rec_type;
long curr_offset;
long save_offset = message->rcpt_offset; /* save a flag */
int save_unread = message->rcpt_unread; /* save a count */
char *start;
int recipient_limit;
const char *error_text;
char *name;
char *value;
char *orig_rcpt = 0;
int count;
int dsn_notify = 0;
char *dsn_orcpt = 0;
int n;
int have_log_client_attr = 0;
/*
* Initialize. No early returns or we have a memory leak.
*/
buf = vstring_alloc(100);
/*
* If we re-open this file, skip over on-file recipient records that we
* already looked at, and refill the in-core recipient address list.
*
* For the first time, the message recipient limit is calculated from the
* global recipient limit. This is to avoid reading little recipients
* when the active queue is near empty. When the queue becomes full, only
* the necessary amount is read in core. Such priming is necessary
* because there are no message jobs yet.
*
* For the next time, the recipient limit is based solely on the message
* jobs' positions in the job lists and/or job stacks.
*/
if (message->rcpt_offset) {
if (message->rcpt_list.len)
msg_panic("%s: recipient list not empty on recipient reload",
message->queue_id);
if (vstream_fseek(message->fp, message->rcpt_offset, SEEK_SET) < 0)
msg_fatal("seek file %s: %m", VSTREAM_PATH(message->fp));
message->rcpt_offset = 0;
recipient_limit = message->rcpt_limit - message->rcpt_count;
} else {
recipient_limit = var_qmgr_rcpt_limit - qmgr_recipient_count;
if (recipient_limit < message->rcpt_limit)
recipient_limit = message->rcpt_limit;
}
/* Keep interrupt latency in check. */
if (recipient_limit > 5000)
recipient_limit = 5000;
if (recipient_limit <= 0)
msg_panic("%s: no recipient slots available", message->queue_id);
if (msg_verbose)
msg_info("%s: recipient limit %d", message->queue_id, recipient_limit);
/*
* Read envelope records. XXX Rely on the front-end programs to enforce
* record size limits. Read up to recipient_limit recipients from the
* queue file, to protect against memory exhaustion. Recipient records
* may appear before or after the message content, so we keep reading
* from the queue file until we have enough recipients (rcpt_offset != 0)
* and until we know all the non-recipient information.
*
* Note that the total recipient count record is accurate only for fresh
* queue files. After some of the recipients are marked as done and the
* queue file is deferred, it can be used as upper bound estimate only.
* Fortunately, this poses no major problem on the scheduling algorithm,
* as the only impact is that the already deferred messages are not
* chosen by qmgr_job_candidate() as often as they could.
*
* On the first open, we must examine all non-recipient records.
*
* Optimization: when we know that recipient records are not mixed with
* non-recipient records, as is typical with mailing list mail, then we
* can avoid having to examine all the queue file records before we can
* start deliveries. This avoids some file system thrashing with huge
* mailing lists.
*/
for (;;) {
if ((curr_offset = vstream_ftell(message->fp)) < 0)
msg_fatal("vstream_ftell %s: %m", VSTREAM_PATH(message->fp));
if (curr_offset == message->data_offset && curr_offset > 0) {
if (vstream_fseek(message->fp, message->data_size, SEEK_CUR) < 0)
msg_fatal("seek file %s: %m", VSTREAM_PATH(message->fp));
curr_offset += message->data_size;
}
rec_type = rec_get_raw(message->fp, buf, 0, REC_FLAG_NONE);
start = vstring_str(buf);
if (msg_verbose > 1)
msg_info("record %c %s", rec_type, start);
if (rec_type == REC_TYPE_PTR) {
if ((rec_type = rec_goto(message->fp, start)) == REC_TYPE_ERROR)
break;
/* Need to update curr_offset after pointer jump. */
continue;
}
if (rec_type <= 0) {
msg_warn("%s: message rejected: missing end record",
message->queue_id);
break;
}
if (rec_type == REC_TYPE_END) {
message->rflags |= QMGR_READ_FLAG_SEEN_ALL_NON_RCPT;
break;
}
/*
* Map named attributes to pseudo record types, so that we don't have
* to pollute the queue file with records that are incompatible with
* past Postfix versions. Preferably, people should be able to back
* out from an upgrade without losing mail.
*/
if (rec_type == REC_TYPE_ATTR) {
if ((error_text = split_nameval(start, &name, &value)) != 0) {
msg_warn("%s: ignoring bad attribute: %s: %.200s",
message->queue_id, error_text, start);
rec_type = REC_TYPE_ERROR;
break;
}
if ((n = rec_attr_map(name)) != 0) {
start = value;
rec_type = n;
}
}
/*
* Process recipient records.
*/
if (rec_type == REC_TYPE_RCPT) {
/* See also below for code setting orig_rcpt etc. */
if (message->rcpt_offset == 0) {
message->rcpt_unread--;
recipient_list_add(&message->rcpt_list, curr_offset,
dsn_orcpt ? dsn_orcpt : "",
dsn_notify ? dsn_notify : 0,
orig_rcpt ? orig_rcpt : "", start);
if (dsn_orcpt) {
myfree(dsn_orcpt);
dsn_orcpt = 0;
}
if (orig_rcpt) {
myfree(orig_rcpt);
orig_rcpt = 0;
}
if (dsn_notify)
dsn_notify = 0;
if (message->rcpt_list.len >= recipient_limit) {
if ((message->rcpt_offset = vstream_ftell(message->fp)) < 0)
msg_fatal("vstream_ftell %s: %m",
VSTREAM_PATH(message->fp));
if (message->rflags & QMGR_READ_FLAG_SEEN_ALL_NON_RCPT)
/* We already examined all non-recipient records. */
break;
if (message->rflags & QMGR_READ_FLAG_MIXED_RCPT_OTHER)
/* Examine all remaining non-recipient records. */
continue;
/* Optimizations for "pure recipient" record sections. */
if (curr_offset > message->data_offset) {
/* We already examined all non-recipient records. */
message->rflags |= QMGR_READ_FLAG_SEEN_ALL_NON_RCPT;
break;
}
/* Examine non-recipient records in extracted segment. */
if (vstream_fseek(message->fp, message->data_offset
+ message->data_size, SEEK_SET) < 0)
msg_fatal("seek file %s: %m", VSTREAM_PATH(message->fp));
continue;
}
}
continue;
}
if (rec_type == REC_TYPE_DONE || rec_type == REC_TYPE_DRCP) {
if (message->rcpt_offset == 0) {
message->rcpt_unread--;
if (dsn_orcpt) {
myfree(dsn_orcpt);
dsn_orcpt = 0;
}
if (orig_rcpt) {
myfree(orig_rcpt);
orig_rcpt = 0;
}
if (dsn_notify)
dsn_notify = 0;
}
continue;
}
if (rec_type == REC_TYPE_DSN_ORCPT) {
/* See also above for code clearing dsn_orcpt. */
if (dsn_orcpt != 0) {
msg_warn("%s: ignoring out-of-order DSN original recipient address <%.200s>",
message->queue_id, dsn_orcpt);
myfree(dsn_orcpt);
dsn_orcpt = 0;
}
if (message->rcpt_offset == 0)
dsn_orcpt = mystrdup(start);
continue;
}
if (rec_type == REC_TYPE_DSN_NOTIFY) {
/* See also above for code clearing dsn_notify. */
if (dsn_notify != 0) {
msg_warn("%s: ignoring out-of-order DSN notify flags <%d>",
message->queue_id, dsn_notify);
dsn_notify = 0;
}
if (message->rcpt_offset == 0) {
if (!alldig(start) || (n = atoi(start)) == 0 || !DSN_NOTIFY_OK(n))
msg_warn("%s: ignoring malformed DSN notify flags <%.200s>",
message->queue_id, start);
else
dsn_notify = n;
continue;
}
}
if (rec_type == REC_TYPE_ORCP) {
/* See also above for code clearing orig_rcpt. */
if (orig_rcpt != 0) {
msg_warn("%s: ignoring out-of-order original recipient <%.200s>",
message->queue_id, orig_rcpt);
myfree(orig_rcpt);
orig_rcpt = 0;
}
if (message->rcpt_offset == 0)
orig_rcpt = mystrdup(start);
continue;
}
/*
* Process non-recipient records.
*/
if (message->rflags & QMGR_READ_FLAG_SEEN_ALL_NON_RCPT)
/* We already examined all non-recipient records. */
continue;
if (rec_type == REC_TYPE_SIZE) {
if (message->data_offset == 0) {
if ((count = sscanf(start, "%ld %ld %d %d %ld %d",
&message->data_size, &message->data_offset,
&message->rcpt_unread, &message->rflags,
&message->cont_length,
&message->smtputf8)) >= 3) {
/* Postfix >= 1.0 (a.k.a. 20010228). */
if (message->data_offset <= 0 || message->data_size <= 0) {
msg_warn("%s: invalid size record: %.100s",
message->queue_id, start);
rec_type = REC_TYPE_ERROR;
break;
}
if (message->rflags & ~QMGR_READ_FLAG_USER) {
msg_warn("%s: invalid flags in size record: %.100s",
message->queue_id, start);
rec_type = REC_TYPE_ERROR;
break;
}
} else if (count == 1) {
/* Postfix < 1.0 (a.k.a. 20010228). */
qmgr_message_oldstyle_scan(message);
} else {
/* Can't happen. */
msg_warn("%s: message rejected: weird size record",
message->queue_id);
rec_type = REC_TYPE_ERROR;
break;
}
}
/* Postfix < 2.4 compatibility. */
if (message->cont_length == 0) {
message->cont_length = message->data_size;
} else if (message->cont_length < 0) {
msg_warn("%s: invalid size record: %.100s",
message->queue_id, start);
rec_type = REC_TYPE_ERROR;
break;
}
continue;
}
if (rec_type == REC_TYPE_TIME) {
if (message->arrival_time.tv_sec == 0)
REC_TYPE_TIME_SCAN(start, message->arrival_time);
continue;
}
if (rec_type == REC_TYPE_CTIME) {
if (message->create_time == 0)
message->create_time = atol(start);
continue;
}
if (rec_type == REC_TYPE_FILT) {
if (message->filter_xport != 0)
myfree(message->filter_xport);
message->filter_xport = mystrdup(start);
continue;
}
if (rec_type == REC_TYPE_INSP) {
if (message->inspect_xport != 0)
myfree(message->inspect_xport);
message->inspect_xport = mystrdup(start);
continue;
}
if (rec_type == REC_TYPE_RDR) {
if (message->redirect_addr != 0)
myfree(message->redirect_addr);
message->redirect_addr = mystrdup(start);
continue;
}
if (rec_type == REC_TYPE_FROM) {
if (message->sender == 0) {
message->sender = mystrdup(start);
opened(message->queue_id, message->sender,
message->cont_length, message->rcpt_unread,
"queue %s", message->queue_name);
}
continue;
}
if (rec_type == REC_TYPE_DSN_ENVID) {
if (message->dsn_envid == 0)
message->dsn_envid = mystrdup(start);
}
if (rec_type == REC_TYPE_DSN_RET) {
if (message->dsn_ret == 0) {
if (!alldig(start) || (n = atoi(start)) == 0 || !DSN_RET_OK(n))
msg_warn("%s: ignoring malformed DSN RET flags in queue file record:%.100s",
message->queue_id, start);
else
message->dsn_ret = n;
}
}
if (rec_type == REC_TYPE_ATTR) {
/* Allow extra segment to override envelope segment info. */
if (strcmp(name, MAIL_ATTR_ENCODING) == 0) {
if (message->encoding != 0)
myfree(message->encoding);
message->encoding = mystrdup(value);
}
/*
* Backwards compatibility. Before Postfix 2.3, the logging
* attributes were called client_name, etc. Now they are called
* log_client_name. etc., and client_name is used for the actual
* client information. To support old queue files we accept both
* names for the purpose of logging; the new name overrides the
* old one.
*
* XXX Do not use the "legacy" client_name etc. attribute values for
* initializing the logging attributes, when this file already
* contains the "modern" log_client_name etc. logging attributes.
* Otherwise, logging attributes that are not present in the
* queue file would be set with information from the real client.
*/
else if (strcmp(name, MAIL_ATTR_ACT_CLIENT_NAME) == 0) {
if (have_log_client_attr == 0 && message->client_name == 0)
message->client_name = mystrdup(value);
} else if (strcmp(name, MAIL_ATTR_ACT_CLIENT_ADDR) == 0) {
if (have_log_client_attr == 0 && message->client_addr == 0)
message->client_addr = mystrdup(value);
} else if (strcmp(name, MAIL_ATTR_ACT_CLIENT_PORT) == 0) {
if (have_log_client_attr == 0 && message->client_port == 0)
message->client_port = mystrdup(value);
} else if (strcmp(name, MAIL_ATTR_ACT_PROTO_NAME) == 0) {
if (have_log_client_attr == 0 && message->client_proto == 0)
message->client_proto = mystrdup(value);
} else if (strcmp(name, MAIL_ATTR_ACT_HELO_NAME) == 0) {
if (have_log_client_attr == 0 && message->client_helo == 0)
message->client_helo = mystrdup(value);
}
/* Original client attributes. */
else if (strcmp(name, MAIL_ATTR_LOG_CLIENT_NAME) == 0) {
if (message->client_name != 0)
myfree(message->client_name);
message->client_name = mystrdup(value);
have_log_client_attr = 1;
} else if (strcmp(name, MAIL_ATTR_LOG_CLIENT_ADDR) == 0) {
if (message->client_addr != 0)
myfree(message->client_addr);
message->client_addr = mystrdup(value);
have_log_client_attr = 1;
} else if (strcmp(name, MAIL_ATTR_LOG_CLIENT_PORT) == 0) {
if (message->client_port != 0)
myfree(message->client_port);
message->client_port = mystrdup(value);
have_log_client_attr = 1;
} else if (strcmp(name, MAIL_ATTR_LOG_PROTO_NAME) == 0) {
if (message->client_proto != 0)
myfree(message->client_proto);
message->client_proto = mystrdup(value);
have_log_client_attr = 1;
} else if (strcmp(name, MAIL_ATTR_LOG_HELO_NAME) == 0) {
if (message->client_helo != 0)
myfree(message->client_helo);
message->client_helo = mystrdup(value);
have_log_client_attr = 1;
} else if (strcmp(name, MAIL_ATTR_SASL_METHOD) == 0) {
if (message->sasl_method == 0)
message->sasl_method = mystrdup(value);
else
msg_warn("%s: ignoring multiple %s attribute: %s",
message->queue_id, MAIL_ATTR_SASL_METHOD, value);
} else if (strcmp(name, MAIL_ATTR_SASL_USERNAME) == 0) {
if (message->sasl_username == 0)
message->sasl_username = mystrdup(value);
else
msg_warn("%s: ignoring multiple %s attribute: %s",
message->queue_id, MAIL_ATTR_SASL_USERNAME, value);
} else if (strcmp(name, MAIL_ATTR_SASL_SENDER) == 0) {
if (message->sasl_sender == 0)
message->sasl_sender = mystrdup(value);
else
msg_warn("%s: ignoring multiple %s attribute: %s",
message->queue_id, MAIL_ATTR_SASL_SENDER, value);
} else if (strcmp(name, MAIL_ATTR_LOG_IDENT) == 0) {
if (message->log_ident == 0)
message->log_ident = mystrdup(value);
else
msg_warn("%s: ignoring multiple %s attribute: %s",
message->queue_id, MAIL_ATTR_LOG_IDENT, value);
} else if (strcmp(name, MAIL_ATTR_RWR_CONTEXT) == 0) {
if (message->rewrite_context == 0)
message->rewrite_context = mystrdup(value);
else
msg_warn("%s: ignoring multiple %s attribute: %s",
message->queue_id, MAIL_ATTR_RWR_CONTEXT, value);
}
/*
* Optional tracing flags (verify, sendmail -v, sendmail -bv).
* This record is killed after a trace logfile report is sent and
* after the logfile is deleted.
*/
else if (strcmp(name, MAIL_ATTR_TRACE_FLAGS) == 0) {
message->tflags = DEL_REQ_TRACE_FLAGS(atoi(value));
if (message->tflags == DEL_REQ_FLAG_RECORD)
message->tflags_offset = curr_offset;
else
message->tflags_offset = 0;
}
continue;
}
if (rec_type == REC_TYPE_WARN) {
if (message->warn_offset == 0) {
message->warn_offset = curr_offset;
REC_TYPE_WARN_SCAN(start, message->warn_time);
}
continue;
}
if (rec_type == REC_TYPE_VERP) {
if (message->verp_delims == 0) {
if (message->sender == 0 || message->sender[0] == 0) {
msg_warn("%s: ignoring VERP request for null sender",
message->queue_id);
} else if (verp_delims_verify(start) != 0) {
msg_warn("%s: ignoring bad VERP request: \"%.100s\"",
message->queue_id, start);
} else {
if (msg_verbose)
msg_info("%s: enabling VERP for sender \"%.100s\"",
message->queue_id, message->sender);
message->single_rcpt = 1;
message->verp_delims = mystrdup(start);
}
}
continue;
}
}
/*
* Grr.
*/
if (dsn_orcpt != 0) {
if (rec_type > 0)
msg_warn("%s: ignoring out-of-order DSN original recipient <%.200s>",
message->queue_id, dsn_orcpt);
myfree(dsn_orcpt);
}
if (orig_rcpt != 0) {
if (rec_type > 0)
msg_warn("%s: ignoring out-of-order original recipient <%.200s>",
message->queue_id, orig_rcpt);
myfree(orig_rcpt);
}
/*
* After sending a "delayed" warning, request sender notification when
* message delivery is completed. While "mail delayed" notifications are
* bad enough because they multiply the amount of email traffic, "delay
* cleared" notifications are even worse because they come in a sudden
* burst when the queue drains after a network outage.
*/
if (var_dsn_delay_cleared && message->warn_time < 0)
message->tflags |= DEL_REQ_FLAG_REC_DLY_SENT;
/*
* Remember when we have read the last recipient batch. Note that we do
* it here after reading as reading might have used considerable amount
* of time.
*/
message->refill_time = sane_time();
/*
* Avoid clumsiness elsewhere in the program. When sending data across an
* IPC channel, sending an empty string is more convenient than sending a
* null pointer.
*/
if (message->dsn_envid == 0)
message->dsn_envid = mystrdup("");
if (message->encoding == 0)
message->encoding = mystrdup(MAIL_ATTR_ENC_NONE);
if (message->client_name == 0)
message->client_name = mystrdup("");
if (message->client_addr == 0)
message->client_addr = mystrdup("");
if (message->client_port == 0)
message->client_port = mystrdup("");
if (message->client_proto == 0)
message->client_proto = mystrdup("");
if (message->client_helo == 0)
message->client_helo = mystrdup("");
if (message->sasl_method == 0)
message->sasl_method = mystrdup("");
if (message->sasl_username == 0)
message->sasl_username = mystrdup("");
if (message->sasl_sender == 0)
message->sasl_sender = mystrdup("");
if (message->log_ident == 0)
message->log_ident = mystrdup("");
if (message->rewrite_context == 0)
message->rewrite_context = mystrdup(MAIL_ATTR_RWR_LOCAL);
/* Postfix < 2.3 compatibility. */
if (message->create_time == 0)
message->create_time = message->arrival_time.tv_sec;
/*
* Clean up.
*/
vstring_free(buf);
/*
* Sanity checks. Verify that all required information was found,
* including the queue file end marker.
*/
if (message->rcpt_unread < 0
|| (message->rcpt_offset == 0 && message->rcpt_unread != 0)) {
msg_warn("%s: rcpt count mismatch (%d)",
message->queue_id, message->rcpt_unread);
message->rcpt_unread = 0;
}
if (rec_type <= 0) {
/* Already logged warning. */
} else if (message->arrival_time.tv_sec == 0) {
msg_warn("%s: message rejected: missing arrival time record",
message->queue_id);
} else if (message->sender == 0) {
msg_warn("%s: message rejected: missing sender record",
message->queue_id);
} else if (message->data_offset == 0) {
msg_warn("%s: message rejected: missing size record",
message->queue_id);
} else {
return (0);
}
message->rcpt_offset = save_offset; /* restore flag */
message->rcpt_unread = save_unread; /* restore count */
recipient_list_free(&message->rcpt_list);
recipient_list_init(&message->rcpt_list, RCPT_LIST_INIT_QUEUE);
return (-1);
}
static int smtpd_proxy_replay_send(SMTPD_STATE *state)
{
const char *myname = "smtpd_proxy_replay_send";
static VSTRING *replay_buf = 0;
SMTPD_PROXY *proxy = state->proxy;
int rec_type;
int expect = SMTPD_PROX_WANT_BAD;
/*
* Sanity check.
*/
if (smtpd_proxy_replay_stream == 0)
msg_panic("%s: no before-queue filter speed-adjust log", myname);
/*
* Errors first.
*/
if (vstream_ferror(smtpd_proxy_replay_stream)
|| vstream_feof(smtpd_proxy_replay_stream)
|| rec_put(smtpd_proxy_replay_stream, REC_TYPE_END, "", 0) != REC_TYPE_END
|| vstream_fflush(smtpd_proxy_replay_stream))
/* NOT: fsync(vstream_fileno(smtpd_proxy_replay_stream)) */
return (smtpd_proxy_replay_rdwr_error(state));
/*
* Delayed connection to the before-queue filter.
*/
if (smtpd_proxy_connect(state) < 0)
return (-1);
/*
* Replay the speed-match log. We do sanity check record content, but we
* don't implement a protocol state engine here, since we are reading
* from a file that we just wrote ourselves.
*/
if (replay_buf == 0)
replay_buf = vstring_alloc(100);
if (vstream_fseek(smtpd_proxy_replay_stream, (off_t) 0, SEEK_SET) < 0)
return (smtpd_proxy_replay_rdwr_error(state));
for (;;) {
switch (rec_type = rec_get(smtpd_proxy_replay_stream, replay_buf,
REC_FLAG_NONE)) {
/*
* Message content.
*/
case REC_TYPE_NORM:
case REC_TYPE_CONT:
if (smtpd_proxy_rec_put(proxy->service_stream, rec_type,
STR(replay_buf), LEN(replay_buf)) < 0)
return (-1);
break;
/*
* Expected server reply type.
*/
case REC_TYPE_RCPT:
if (!alldig(STR(replay_buf))
|| (expect = atoi(STR(replay_buf))) == SMTPD_PROX_WANT_BAD)
msg_panic("%s: malformed server reply type: %s",
myname, STR(replay_buf));
break;
/*
* Client command, or void. Bail out on the first negative proxy
* response. This is OK, because the filter must use the same
* reply code for all recipients of a multi-recipient message.
*/
case REC_TYPE_FROM:
if (expect == SMTPD_PROX_WANT_BAD)
msg_panic("%s: missing server reply type", myname);
if (smtpd_proxy_cmd(state, expect, *STR(replay_buf) ? "%s" :
SMTPD_PROXY_CONN_FMT, STR(replay_buf)) < 0)
return (-1);
expect = SMTPD_PROX_WANT_BAD;
break;
/*
* Explicit end marker, instead of implicit EOF.
*/
case REC_TYPE_END:
return (0);
/*
* Errors.
*/
case REC_TYPE_ERROR:
return (smtpd_proxy_replay_rdwr_error(state));
default:
msg_panic("%s: unexpected record type; %d", myname, rec_type);
}
}
}
