static void spawn_service(VSTREAM *client_stream, char *service, char **argv)
{
const char *myname = "spawn_service";
static SPAWN_ATTR attr;
WAIT_STATUS_T status;
ARGV *export_env;
/*
* This routine runs whenever a client connects to the UNIX-domain socket
* dedicated to running an external command.
*/
if (msg_verbose)
msg_info("%s: service=%s, command=%s...", myname, service, argv[0]);
/*
* Look up service attributes and config information only once. This is
* safe since the information comes from a trusted source.
*/
if (attr.argv == 0) {
get_service_attr(&attr, service, argv);
}
/*
* Execute the command.
*/
export_env = mail_parm_split(VAR_EXPORT_ENVIRON, var_export_environ);
status = spawn_command(CA_SPAWN_CMD_STDIN(vstream_fileno(client_stream)),
CA_SPAWN_CMD_STDOUT(vstream_fileno(client_stream)),
CA_SPAWN_CMD_STDERR(vstream_fileno(client_stream)),
CA_SPAWN_CMD_UID(attr.uid),
CA_SPAWN_CMD_GID(attr.gid),
CA_SPAWN_CMD_ARGV(attr.argv),
CA_SPAWN_CMD_TIME_LIMIT(attr.time_limit),
CA_SPAWN_CMD_EXPORT(export_env->argv),
CA_SPAWN_CMD_END);
argv_free(export_env);
/*
* Warn about unsuccessful completion.
*/
if (!NORMAL_EXIT_STATUS(status)) {
if (WIFEXITED(status))
msg_warn("command %s exit status %d",
attr.argv[0], WEXITSTATUS(status));
if (WIFSIGNALED(status))
msg_warn("command %s killed by signal %d",
attr.argv[0], WTERMSIG(status));
}
}
int main(int argc, char **argv)
{
struct stat st;
char *slash;
int c;
int fd;
int mode = PQ_MODE_DEFAULT;
char *site_to_flush = 0;
char *id_to_flush = 0;
ARGV *import_env;
int bad_site;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal_status(EX_UNAVAILABLE, "open /dev/null: %m");
/*
* Initialize. Set up logging, read the global configuration file and
* extract configuration information. Set up signal handlers so that we
* can clean up incomplete output.
*/
if ((slash = strrchr(argv[0], '/')) != 0 && slash[1])
argv[0] = slash + 1;
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_cleanup(unavailable);
msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Parse JCL. This program is set-gid and must sanitize all command-line
* parameters. The configuration directory argument is validated by the
* mail configuration read routine. Don't do complex things until we have
* completed initializations.
*/
while ((c = GETOPT(argc, argv, "c:fi:ps:v")) > 0) {
switch (c) {
case 'c': /* non-default configuration */
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal_status(EX_UNAVAILABLE, "out of memory");
break;
case 'f': /* flush queue */
if (mode != PQ_MODE_DEFAULT)
usage();
mode = PQ_MODE_FLUSH_QUEUE;
break;
case 'i': /* flush queue file */
if (mode != PQ_MODE_DEFAULT)
usage();
mode = PQ_MODE_FLUSH_FILE;
id_to_flush = optarg;
break;
case 'p': /* traditional mailq */
if (mode != PQ_MODE_DEFAULT)
usage();
mode = PQ_MODE_MAILQ_LIST;
break;
case 's': /* flush site */
if (mode != PQ_MODE_DEFAULT)
usage();
mode = PQ_MODE_FLUSH_SITE;
site_to_flush = optarg;
break;
case 'v':
if (geteuid() == 0)
msg_verbose++;
break;
default:
usage();
}
}
if (argc > optind)
usage();
/*
* Further initialization...
*/
mail_conf_read();
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY);
mail_dict_init(); /* proxy, sql, ldap */
get_mail_conf_str_table(str_table);
/*
* This program is designed to be set-gid, which makes it a potential
* target for attack. If not running as root, strip the environment so we
* don't have to trust the C library. If running as root, don't strip the
* environment so that showq can receive non-default configuration
* directory info when the mail system is down.
*/
if (geteuid() != 0) {
import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
clean_env(import_env->argv);
argv_free(import_env);
}
if (chdir(var_queue_dir))
msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
signal(SIGPIPE, SIG_IGN);
/* End of initializations. */
/*
* Further input validation.
*/
if (site_to_flush != 0) {
bad_site = 0;
if (*site_to_flush == '[') {
bad_site = !valid_mailhost_literal(site_to_flush, DONT_GRIPE);
} else {
bad_site = !valid_hostname(site_to_flush, DONT_GRIPE);
}
if (bad_site)
msg_fatal_status(EX_USAGE,
"Cannot flush mail queue - invalid destination: \"%.100s%s\"",
site_to_flush, strlen(site_to_flush) > 100 ? "..." : "");
}
if (id_to_flush != 0) {
if (!mail_queue_id_ok(id_to_flush))
msg_fatal_status(EX_USAGE,
"Cannot flush queue ID - invalid name: \"%.100s%s\"",
id_to_flush, strlen(id_to_flush) > 100 ? "..." : "");
}
/*
* Start processing.
*/
switch (mode) {
default:
msg_panic("unknown operation mode: %d", mode);
/* NOTREACHED */
case PQ_MODE_MAILQ_LIST:
show_queue();
exit(0);
break;
case PQ_MODE_FLUSH_SITE:
flush_site(site_to_flush);
exit(0);
break;
case PQ_MODE_FLUSH_FILE:
flush_file(id_to_flush);
exit(0);
break;
case PQ_MODE_FLUSH_QUEUE:
flush_queue();
exit(0);
break;
case PQ_MODE_DEFAULT:
usage();
/* NOTREACHED */
}
}
int deliver_command(LOCAL_STATE state, USER_ATTR usr_attr, const char *command)
{
const char *myname = "deliver_command";
DSN_BUF *why = state.msg_attr.why;
int cmd_status;
int deliver_status;
ARGV *env;
int copy_flags;
char **cpp;
char *cp;
ARGV *export_env;
VSTRING *exec_dir;
int expand_status;
/*
* Make verbose logging easier to understand.
*/
state.level++;
if (msg_verbose)
MSG_LOG_STATE(myname, state);
/*
* DUPLICATE ELIMINATION
*
* Skip this command if it was already delivered to as this user.
*/
if (been_here(state.dup_filter, "command %s:%ld %s",
state.msg_attr.user, (long) usr_attr.uid, command))
return (0);
/*
* Don't deliver a trace-only request.
*/
if (DEL_REQ_TRACE_ONLY(state.request->flags)) {
dsb_simple(why, "2.0.0", "delivers to command: %s", command);
return (sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr)));
}
/*
* DELIVERY RIGHTS
*
* Choose a default uid and gid when none have been selected (i.e. values
* are still zero).
*/
if (usr_attr.uid == 0 && (usr_attr.uid = var_default_uid) == 0)
msg_panic("privileged default user id");
if (usr_attr.gid == 0 && (usr_attr.gid = var_default_gid) == 0)
msg_panic("privileged default group id");
/*
* Deliver.
*/
copy_flags = MAIL_COPY_FROM | MAIL_COPY_RETURN_PATH
| MAIL_COPY_ORIG_RCPT;
if (local_deliver_hdr_mask & DELIVER_HDR_CMD)
copy_flags |= MAIL_COPY_DELIVERED;
if (vstream_fseek(state.msg_attr.fp, state.msg_attr.offset, SEEK_SET) < 0)
msg_fatal("%s: seek queue file %s: %m",
myname, VSTREAM_PATH(state.msg_attr.fp));
/*
* Pass additional environment information. XXX This should be
* configurable. However, passing untrusted information via environment
* parameters opens up a whole can of worms. Lesson from web servers:
* don't let any network data even near a shell. It causes trouble.
*/
env = argv_alloc(1);
if (usr_attr.home)
argv_add(env, "HOME", usr_attr.home, ARGV_END);
argv_add(env,
"LOGNAME", state.msg_attr.user,
"USER", state.msg_attr.user,
"SENDER", state.msg_attr.sender,
"RECIPIENT", state.msg_attr.rcpt.address,
"LOCAL", state.msg_attr.local,
ARGV_END);
if (usr_attr.shell)
argv_add(env, "SHELL", usr_attr.shell, ARGV_END);
if (state.msg_attr.domain)
argv_add(env, "DOMAIN", state.msg_attr.domain, ARGV_END);
if (state.msg_attr.extension)
argv_add(env, "EXTENSION", state.msg_attr.extension, ARGV_END);
if (state.msg_attr.rcpt.orig_addr && state.msg_attr.rcpt.orig_addr[0])
argv_add(env, "ORIGINAL_RECIPIENT", state.msg_attr.rcpt.orig_addr,
ARGV_END);
#define EXPORT_REQUEST(name, value) \
if ((value)[0]) argv_add(env, (name), (value), ARGV_END);
EXPORT_REQUEST("CLIENT_HOSTNAME", state.msg_attr.request->client_name);
EXPORT_REQUEST("CLIENT_ADDRESS", state.msg_attr.request->client_addr);
EXPORT_REQUEST("CLIENT_HELO", state.msg_attr.request->client_helo);
EXPORT_REQUEST("CLIENT_PROTOCOL", state.msg_attr.request->client_proto);
EXPORT_REQUEST("SASL_METHOD", state.msg_attr.request->sasl_method);
EXPORT_REQUEST("SASL_SENDER", state.msg_attr.request->sasl_sender);
EXPORT_REQUEST("SASL_USERNAME", state.msg_attr.request->sasl_username);
argv_terminate(env);
/*
* Censor out undesirable characters from exported data.
*/
for (cpp = env->argv; *cpp; cpp += 2)
for (cp = cpp[1]; *(cp += strspn(cp, var_cmd_exp_filter)) != 0;)
*cp++ = '_';
/*
* Evaluate the command execution directory. Defer delivery if expansion
* fails.
*/
export_env = mail_parm_split(VAR_EXPORT_ENVIRON, var_export_environ);
exec_dir = vstring_alloc(10);
expand_status = local_expand(exec_dir, var_exec_directory,
&state, &usr_attr, var_exec_exp_filter);
if (expand_status & MAC_PARSE_ERROR) {
cmd_status = PIPE_STAT_DEFER;
dsb_simple(why, "4.3.5", "mail system configuration error");
msg_warn("bad parameter value syntax for %s: %s",
VAR_EXEC_DIRECTORY, var_exec_directory);
} else {
cmd_status = pipe_command(state.msg_attr.fp, why,
PIPE_CMD_UID, usr_attr.uid,
PIPE_CMD_GID, usr_attr.gid,
PIPE_CMD_COMMAND, command,
PIPE_CMD_COPY_FLAGS, copy_flags,
PIPE_CMD_SENDER, state.msg_attr.sender,
PIPE_CMD_ORIG_RCPT, state.msg_attr.rcpt.orig_addr,
PIPE_CMD_DELIVERED, state.msg_attr.delivered,
PIPE_CMD_TIME_LIMIT, var_command_maxtime,
PIPE_CMD_ENV, env->argv,
PIPE_CMD_EXPORT, export_env->argv,
PIPE_CMD_SHELL, var_local_cmd_shell,
PIPE_CMD_CWD, *STR(exec_dir) ?
STR(exec_dir) : (char *) 0,
PIPE_CMD_END);
}
vstring_free(exec_dir);
argv_free(export_env);
argv_free(env);
/*
* Depending on the result, bounce or defer the message.
*/
switch (cmd_status) {
case PIPE_STAT_OK:
dsb_simple(why, "2.0.0", "delivered to command: %s", command);
deliver_status = sent(BOUNCE_FLAGS(state.request),
SENT_ATTR(state.msg_attr));
break;
case PIPE_STAT_BOUNCE:
case PIPE_STAT_DEFER:
/* Account for possible owner- sender address override. */
deliver_status = bounce_workaround(state);
break;
case PIPE_STAT_CORRUPT:
deliver_status = DEL_STAT_DEFER;
break;
default:
msg_panic("%s: bad status %d", myname, cmd_status);
/* NOTREACHED */
}
return (deliver_status);
}
int main(int argc, char **argv)
{
static VSTREAM *lock_fp;
static VSTREAM *data_lock_fp;
VSTRING *lock_path;
VSTRING *data_lock_path;
off_t inherited_limit;
int debug_me = 0;
int keep_stdout = 0;
int ch;
int fd;
int n;
int test_lock = 0;
VSTRING *why;
WATCHDOG *watchdog;
ARGV *import_env;
int wait_flag = 0;
int monitor_fd = -1;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Initialize.
*/
umask(077); /* never fails! */
/*
* Process environment options as early as we can.
*/
if (getenv(CONF_ENV_VERB))
msg_verbose = 1;
if (getenv(CONF_ENV_DEBUG))
debug_me = 1;
/*
* Don't die when a process goes away unexpectedly.
*/
signal(SIGPIPE, SIG_IGN);
/*
* Strip and save the process name for diagnostics etc.
*/
var_procname = mystrdup(basename(argv[0]));
/*
* When running a child process, don't leak any open files that were
* leaked to us by our own (privileged) parent process. Descriptors 0-2
* are taken care of after we have initialized error logging.
*
* Some systems such as AIX have a huge per-process open file limit. In
* those cases, limit the search for potential file descriptor leaks to
* just the first couple hundred.
*
* The Debian post-installation script passes an open file descriptor into
* the master process and waits forever for someone to close it. Because
* of this we have to close descriptors > 2, and pray that doing so does
* not break things.
*/
closefrom(3);
/*
* Initialize logging and exit handler.
*/
maillog_client_init(mail_task(var_procname),
MAILLOG_CLIENT_FLAG_LOGWRITER_FALLBACK);
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* The mail system must be run by the superuser so it can revoke
* privileges for selected operations. That's right - it takes privileges
* to toss privileges.
*/
if (getuid() != 0)
msg_fatal("the master command is reserved for the superuser");
if (unsafe() != 0)
msg_fatal("the master command must not run as a set-uid process");
/*
* Process JCL.
*/
while ((ch = GETOPT(argc, argv, "c:Dde:istvw")) > 0) {
switch (ch) {
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'd':
master_detach = 0;
break;
case 'e':
event_request_timer(master_exit_event, (void *) 0, atoi(optarg));
break;
case 'i':
if (getpid() != 1)
msg_fatal("-i is allowed only for PID 1 process");
init_mode = 1;
keep_stdout = 1;
break;
case 'D':
debug_me = 1;
break;
case 's':
keep_stdout = 1;
break;
case 't':
test_lock = 1;
break;
case 'v':
msg_verbose++;
break;
case 'w':
wait_flag = 1;
break;
default:
usage(argv[0]);
/* NOTREACHED */
}
}
/*
* This program takes no other arguments.
*/
if (argc > optind)
usage(argv[0]);
/*
* Sanity check.
*/
if (test_lock && wait_flag)
msg_fatal("the -t and -w options cannot be used together");
if (init_mode && (debug_me || !master_detach || wait_flag))
msg_fatal("the -i option cannot be used with -D, -d, or -w");
/*
* Run a foreground monitor process that returns an exit status of 0 when
* the child background process reports successful initialization as a
* daemon process. We use a generous limit in case main/master.cf specify
* symbolic hosts/ports and the naming service is slow.
*/
#define MASTER_INIT_TIMEOUT 100 /* keep this limit generous */
if (wait_flag)
monitor_fd = master_monitor(MASTER_INIT_TIMEOUT);
/*
* If started from a terminal, get rid of any tty association. This also
* means that all errors and warnings must go to the syslog daemon.
* Some new world has no terminals and prefers logging to stdout.
*/
if (master_detach)
for (fd = 0; fd < 3; fd++) {
if (fd == STDOUT_FILENO && keep_stdout)
continue;
(void) close(fd);
if (open("/dev/null", O_RDWR, 0) != fd)
msg_fatal("open /dev/null: %m");
}
/*
* Run in a separate process group, so that "postfix stop" can terminate
* all MTA processes cleanly. Give up if we can't separate from our
* parent process. We're not supposed to blow away the parent.
*/
if (init_mode == 0 && debug_me == 0 && master_detach != 0
&& setsid() == -1 && getsid(0) != getpid())
msg_fatal("unable to set session and process group ID: %m");
/*
* Make some room for plumbing with file descriptors. XXX This breaks
* when a service listens on many ports. In order to do this right we
* must change the master-child interface so that descriptors do not need
* to have fixed numbers.
*
* In a child we need two descriptors for the flow control pipe, one for
* child->master status updates and at least one for listening.
*/
for (n = 0; n < 5; n++) {
if (close_on_exec(dup(0), CLOSE_ON_EXEC) < 0)
msg_fatal("dup(0): %m");
}
/*
* Final initializations. Unfortunately, we must read the global Postfix
* configuration file after doing command-line processing, so that we get
* consistent results when we SIGHUP the server to reload configuration
* files.
*/
master_vars_init();
/*
* In case of multi-protocol support. This needs to be done because
* master does not invoke mail_params_init() (it was written before that
* code existed).
*/
(void) inet_proto_init(VAR_INET_PROTOCOLS, var_inet_protocols);
/*
* Environment import filter, to enforce consistent behavior whether
* Postfix is started by hand, or at system boot time.
*/
import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
clean_env(import_env->argv);
argv_free(import_env);
if ((inherited_limit = get_file_limit()) < 0)
set_file_limit(OFF_T_MAX);
if (chdir(var_queue_dir))
msg_fatal("chdir %s: %m", var_queue_dir);
/*
* Lock down the master.pid file. In test mode, no file means that it
* isn't locked.
*/
lock_path = vstring_alloc(10);
data_lock_path = vstring_alloc(10);
why = vstring_alloc(10);
vstring_sprintf(lock_path, "%s/%s.pid", DEF_PID_DIR, var_procname);
if (test_lock && access(vstring_str(lock_path), F_OK) < 0)
exit(0);
lock_fp = open_lock(vstring_str(lock_path), O_RDWR | O_CREAT, 0644, why);
if (test_lock)
exit(lock_fp ? 0 : 1);
if (lock_fp == 0)
msg_fatal("open lock file %s: %s",
vstring_str(lock_path), vstring_str(why));
vstream_fprintf(lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
(unsigned long) var_pid);
if (vstream_fflush(lock_fp))
msg_fatal("cannot update lock file %s: %m", vstring_str(lock_path));
close_on_exec(vstream_fileno(lock_fp), CLOSE_ON_EXEC);
/*
* Lock down the Postfix-writable data directory.
*/
vstring_sprintf(data_lock_path, "%s/%s.lock", var_data_dir, var_procname);
set_eugid(var_owner_uid, var_owner_gid);
data_lock_fp =
open_lock(vstring_str(data_lock_path), O_RDWR | O_CREAT, 0644, why);
set_ugid(getuid(), getgid());
if (data_lock_fp == 0)
msg_fatal("open lock file %s: %s",
vstring_str(data_lock_path), vstring_str(why));
vstream_fprintf(data_lock_fp, "%*lu\n", (int) sizeof(unsigned long) * 4,
(unsigned long) var_pid);
if (vstream_fflush(data_lock_fp))
msg_fatal("cannot update lock file %s: %m", vstring_str(data_lock_path));
close_on_exec(vstream_fileno(data_lock_fp), CLOSE_ON_EXEC);
/*
* Clean up.
*/
vstring_free(why);
vstring_free(lock_path);
vstring_free(data_lock_path);
/*
* Optionally start the debugger on ourself.
*/
if (debug_me)
debug_process();
/*
* Finish initialization, last part. We must process configuration files
* after processing command-line parameters, so that we get consistent
* results when we SIGHUP the server to reload configuration files.
*/
master_config();
master_sigsetup();
master_flow_init();
maillog_client_init(mail_task(var_procname),
MAILLOG_CLIENT_FLAG_LOGWRITER_FALLBACK);
msg_info("daemon started -- version %s, configuration %s",
var_mail_version, var_config_dir);
/*
* Report successful initialization to the foreground monitor process.
*/
if (monitor_fd >= 0) {
write(monitor_fd, "", 1);
(void) close(monitor_fd);
}
/*
* Process events. The event handler will execute the read/write/timer
* action routines. Whenever something has happened, see if we received
* any signal in the mean time. Although the master process appears to do
* multiple things at the same time, it really is all a single thread, so
* that there are no concurrency conflicts within the master process.
*/
#define MASTER_WATCHDOG_TIME 1000
watchdog = watchdog_create(MASTER_WATCHDOG_TIME, (WATCHDOG_FN) 0, (void *) 0);
for (;;) {
#ifdef HAS_VOLATILE_LOCKS
if (myflock(vstream_fileno(lock_fp), INTERNAL_LOCK,
MYFLOCK_OP_EXCLUSIVE) < 0)
msg_fatal("refresh exclusive lock: %m");
if (myflock(vstream_fileno(data_lock_fp), INTERNAL_LOCK,
MYFLOCK_OP_EXCLUSIVE) < 0)
msg_fatal("refresh exclusive lock: %m");
#endif
watchdog_start(watchdog); /* same as trigger servers */
event_loop(MASTER_WATCHDOG_TIME / 2);
if (master_gotsighup) {
msg_info("reload -- version %s, configuration %s",
var_mail_version, var_config_dir);
master_gotsighup = 0; /* this first */
master_vars_init(); /* then this */
master_refresh(); /* then this */
maillog_client_init(mail_task(var_procname),
MAILLOG_CLIENT_FLAG_LOGWRITER_FALLBACK);
}
if (master_gotsigchld) {
if (msg_verbose)
msg_info("got sigchld");
master_gotsigchld = 0; /* this first */
master_reap_child(); /* then this */
}
}
}
int main(int argc, char **argv)
{
struct stat st;
int fd;
int c;
VSTRING *buf;
int status;
MAIL_STREAM *dst;
int rec_type;
static char *segment_info[] = {
REC_TYPE_POST_ENVELOPE, REC_TYPE_POST_CONTENT, REC_TYPE_POST_EXTRACT, ""
};
char **expected;
uid_t uid = getuid();
ARGV *import_env;
const char *error_text;
char *attr_name;
char *attr_value;
const char *errstr;
char *junk;
struct timeval start;
int saved_errno;
int from_count = 0;
int rcpt_count = 0;
int validate_input = 1;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal("open /dev/null: %m");
/*
* Set up logging. Censor the process name: it is provided by the user.
*/
argv[0] = "postdrop";
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_syslog_init(mail_task("postdrop"), LOG_PID, LOG_FACILITY);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Parse JCL. This program is set-gid and must sanitize all command-line
* arguments. The configuration directory argument is validated by the
* mail configuration read routine. Don't do complex things until we have
* completed initializations.
*/
while ((c = GETOPT(argc, argv, "c:rv")) > 0) {
switch (c) {
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'r': /* forward compatibility */
break;
case 'v':
if (geteuid() == 0)
msg_verbose++;
break;
default:
msg_fatal("usage: %s [-c config_dir] [-v]", argv[0]);
}
}
/*
* Read the global configuration file and extract configuration
* information. Some claim that the user should supply the working
* directory instead. That might be OK, given that this command needs
* write permission in a subdirectory called "maildrop". However we still
* need to reliably detect incomplete input, and so we must perform
* record-level I/O. With that, we should also take the opportunity to
* perform some sanity checks on the input.
*/
mail_conf_read();
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task("postdrop"), LOG_PID, LOG_FACILITY);
get_mail_conf_str_table(str_table);
/*
* Mail submission access control. Should this be in the user-land gate,
* or in the daemon process?
*/
mail_dict_init();
if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl,
uid)) != 0)
msg_fatal("User %s(%ld) is not allowed to submit mail",
errstr, (long) uid);
/*
* Stop run-away process accidents by limiting the queue file size. This
* is not a defense against DOS attack.
*/
if (var_message_limit > 0 && get_file_limit() > var_message_limit)
set_file_limit((off_t) var_message_limit);
/*
* This program is installed with setgid privileges. Strip the process
* environment so that we don't have to trust the C library.
*/
import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
clean_env(import_env->argv);
argv_free(import_env);
if (chdir(var_queue_dir))
msg_fatal("chdir %s: %m", var_queue_dir);
if (msg_verbose)
msg_info("chdir %s", var_queue_dir);
/*
* Set up signal handlers and a runtime error handler so that we can
* clean up incomplete output.
*
* postdrop_sig() uses the in-kernel SIGINT handler address as an atomic
* variable to prevent nested postdrop_sig() calls. For this reason, the
* SIGINT handler must be configured before other signal handlers are
* allowed to invoke postdrop_sig().
*/
signal(SIGPIPE, SIG_IGN);
signal(SIGXFSZ, SIG_IGN);
signal(SIGINT, postdrop_sig);
signal(SIGQUIT, postdrop_sig);
if (signal(SIGTERM, SIG_IGN) == SIG_DFL)
signal(SIGTERM, postdrop_sig);
if (signal(SIGHUP, SIG_IGN) == SIG_DFL)
signal(SIGHUP, postdrop_sig);
msg_cleanup(postdrop_cleanup);
/* End of initializations. */
/*
* Don't trust the caller's time information.
*/
GETTIMEOFDAY(&start);
/*
* Create queue file. mail_stream_file() never fails. Send the queue ID
* to the caller. Stash away a copy of the queue file name so we can
* clean up in case of a fatal error or an interrupt.
*/
dst = mail_stream_file(MAIL_QUEUE_MAILDROP, MAIL_CLASS_PUBLIC,
var_pickup_service, 0444);
attr_print(VSTREAM_OUT, ATTR_FLAG_NONE,
SEND_ATTR_STR(MAIL_ATTR_QUEUEID, dst->id),
ATTR_TYPE_END);
vstream_fflush(VSTREAM_OUT);
postdrop_path = mystrdup(VSTREAM_PATH(dst->stream));
/*
* Copy stdin to file. The format is checked so that we can recognize
* incomplete input and cancel the operation. With the sanity checks
* applied here, the pickup daemon could skip format checks and pass a
* file descriptor to the cleanup daemon. These are by no means all
* sanity checks - the cleanup service and queue manager services will
* reject messages that lack required information.
*
* If something goes wrong, slurp up the input before responding to the
* client, otherwise the client will give up after detecting SIGPIPE.
*
* Allow attribute records if the attribute specifies the MIME body type
* (sendmail -B).
*/
vstream_control(VSTREAM_IN, CA_VSTREAM_CTL_PATH("stdin"), CA_VSTREAM_CTL_END);
buf = vstring_alloc(100);
expected = segment_info;
/* Override time information from the untrusted caller. */
rec_fprintf(dst->stream, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
REC_TYPE_TIME_ARG(start));
for (;;) {
/* Don't allow PTR records. */
rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit, REC_FLAG_NONE);
if (rec_type == REC_TYPE_EOF) { /* request cancelled */
mail_stream_cleanup(dst);
if (remove(postdrop_path))
msg_warn("uid=%ld: remove %s: %m", (long) uid, postdrop_path);
else if (msg_verbose)
msg_info("remove %s", postdrop_path);
myfree(postdrop_path);
postdrop_path = 0;
exit(0);
}
if (rec_type == REC_TYPE_ERROR)
msg_fatal("uid=%ld: malformed input", (long) uid);
if (strchr(*expected, rec_type) == 0)
msg_fatal("uid=%ld: unexpected record type: %d", (long) uid, rec_type);
if (rec_type == **expected)
expected++;
/* Override time information from the untrusted caller. */
if (rec_type == REC_TYPE_TIME)
continue;
/* Check these at submission time instead of pickup time. */
if (rec_type == REC_TYPE_FROM)
from_count++;
if (rec_type == REC_TYPE_RCPT)
rcpt_count++;
/* Limit the attribute types that users may specify. */
if (rec_type == REC_TYPE_ATTR) {
if ((error_text = split_nameval(vstring_str(buf), &attr_name,
&attr_value)) != 0) {
msg_warn("uid=%ld: ignoring malformed record: %s: %.200s",
(long) uid, error_text, vstring_str(buf));
continue;
}
#define STREQ(x,y) (strcmp(x,y) == 0)
if ((STREQ(attr_name, MAIL_ATTR_ENCODING)
&& (STREQ(attr_value, MAIL_ATTR_ENC_7BIT)
|| STREQ(attr_value, MAIL_ATTR_ENC_8BIT)
|| STREQ(attr_value, MAIL_ATTR_ENC_NONE)))
|| STREQ(attr_name, MAIL_ATTR_DSN_ENVID)
|| STREQ(attr_name, MAIL_ATTR_DSN_NOTIFY)
|| rec_attr_map(attr_name)
|| (STREQ(attr_name, MAIL_ATTR_RWR_CONTEXT)
&& (STREQ(attr_value, MAIL_ATTR_RWR_LOCAL)
|| STREQ(attr_value, MAIL_ATTR_RWR_REMOTE)))
|| STREQ(attr_name, MAIL_ATTR_TRACE_FLAGS)) { /* XXX */
rec_fprintf(dst->stream, REC_TYPE_ATTR, "%s=%s",
attr_name, attr_value);
} else {
msg_warn("uid=%ld: ignoring attribute record: %.200s=%.200s",
(long) uid, attr_name, attr_value);
}
continue;
}
if (REC_PUT_BUF(dst->stream, rec_type, buf) < 0) {
/* rec_get() errors must not clobber errno. */
saved_errno = errno;
while ((rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit,
REC_FLAG_NONE)) != REC_TYPE_END
&& rec_type != REC_TYPE_EOF)
if (rec_type == REC_TYPE_ERROR)
msg_fatal("uid=%ld: malformed input", (long) uid);
validate_input = 0;
errno = saved_errno;
break;
}
if (rec_type == REC_TYPE_END)
break;
}
vstring_free(buf);
/*
* As of Postfix 2.7 the pickup daemon discards mail without recipients.
* Such mail may enter the maildrop queue when "postsuper -r" is invoked
* before the queue manager deletes an already delivered message. Looking
* at file ownership is not a good way to make decisions on what mail to
* discard. Instead, the pickup server now requires that new submissions
* always have at least one recipient record.
*
* The Postfix sendmail command already rejects mail without recipients.
* However, in the future postdrop may receive mail via other programs,
* so we add a redundant recipient check here for future proofing.
*
* The test for the sender address is just for consistency of error
* reporting (report at submission time instead of pickup time). Besides
* the segment terminator records, there aren't any other mandatory
* records in a Postfix submission queue file.
*/
if (validate_input && (from_count == 0 || rcpt_count == 0)) {
status = CLEANUP_STAT_BAD;
mail_stream_cleanup(dst);
}
/*
* Finish the file.
*/
else if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
msg_warn("uid=%ld: %m", (long) uid);
postdrop_cleanup();
}
/*
* Disable deletion on fatal error before reporting success, so the file
* will not be deleted after we have taken responsibility for delivery.
*/
if (postdrop_path) {
junk = postdrop_path;
postdrop_path = 0;
myfree(junk);
}
/*
* Send the completion status to the caller and terminate.
*/
attr_print(VSTREAM_OUT, ATTR_FLAG_NONE,
SEND_ATTR_INT(MAIL_ATTR_STATUS, status),
SEND_ATTR_STR(MAIL_ATTR_WHY, ""),
ATTR_TYPE_END);
vstream_fflush(VSTREAM_OUT);
exit(status);
}
int main(int argc, char **argv)
{
char *path_name;
int ch;
int fd;
char *slash;
struct stat st;
int postalias_flags = POSTALIAS_FLAG_AS_OWNER | POSTALIAS_FLAG_SAVE_PERM;
int open_flags = O_RDWR | O_CREAT | O_TRUNC;
int dict_flags = (DICT_FLAG_DUP_WARN | DICT_FLAG_FOLD_FIX
| DICT_FLAG_UTF8_REQUEST);
char *query = 0;
char *delkey = 0;
int sequence = 0;
int found;
ARGV *import_env;
/*
* Fingerprint executables and core dumps.
*/
MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
*/
umask(022);
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
* fstat can return EBADF on an open file descriptor.
*/
for (fd = 0; fd < 3; fd++)
if (fstat(fd, &st) == -1
&& (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
msg_fatal("open /dev/null: %m");
/*
* Process environment options as early as we can. We are not set-uid,
* and we are supposed to be running in a controlled environment.
*/
if (getenv(CONF_ENV_VERB))
msg_verbose = 1;
/*
* Initialize. Set up logging, read the global configuration file and
* extract configuration information.
*/
if ((slash = strrchr(argv[0], '/')) != 0 && slash[1])
argv[0] = slash + 1;
msg_vstream_init(argv[0], VSTREAM_ERR);
msg_syslog_init(mail_task(argv[0]), LOG_PID, LOG_FACILITY);
/*
* Check the Postfix library version as soon as we enable logging.
*/
MAIL_VERSION_CHECK;
/*
* Parse JCL.
*/
while ((ch = GETOPT(argc, argv, "Nc:d:finopq:rsuvw")) > 0) {
switch (ch) {
default:
usage(argv[0]);
break;
case 'N':
dict_flags |= DICT_FLAG_TRY1NULL;
dict_flags &= ~DICT_FLAG_TRY0NULL;
break;
case 'c':
if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
msg_fatal("out of memory");
break;
case 'd':
if (sequence || query || delkey)
msg_fatal("specify only one of -s -q or -d");
delkey = optarg;
break;
case 'f':
dict_flags &= ~DICT_FLAG_FOLD_FIX;
break;
case 'i':
open_flags &= ~O_TRUNC;
break;
case 'n':
dict_flags |= DICT_FLAG_TRY0NULL;
dict_flags &= ~DICT_FLAG_TRY1NULL;
break;
case 'o':
postalias_flags &= ~POSTALIAS_FLAG_AS_OWNER;
break;
case 'p':
postalias_flags &= ~POSTALIAS_FLAG_SAVE_PERM;
break;
case 'q':
if (sequence || query || delkey)
msg_fatal("specify only one of -s -q or -d");
query = optarg;
break;
case 'r':
dict_flags &= ~(DICT_FLAG_DUP_WARN | DICT_FLAG_DUP_IGNORE);
dict_flags |= DICT_FLAG_DUP_REPLACE;
break;
case 's':
if (query || delkey)
msg_fatal("specify only one of -s or -q or -d");
sequence = 1;
break;
case 'u':
dict_flags &= ~DICT_FLAG_UTF8_REQUEST;
break;
case 'v':
msg_verbose++;
break;
case 'w':
dict_flags &= ~(DICT_FLAG_DUP_WARN | DICT_FLAG_DUP_REPLACE);
dict_flags |= DICT_FLAG_DUP_IGNORE;
break;
}
}
mail_conf_read();
/* Enforce consistent operation of different Postfix parts. */
import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
update_env(import_env->argv);
argv_free(import_env);
/* Re-evaluate mail_task() after reading main.cf. */
msg_syslog_init(mail_task(argv[0]), LOG_PID, LOG_FACILITY);
mail_dict_init();
/*
* Use the map type specified by the user, or fall back to a default
* database type.
*/
if (delkey) { /* remove entry */
if (optind + 1 > argc)
usage(argv[0]);
if (strcmp(delkey, "-") == 0)
exit(postalias_deletes(VSTREAM_IN, argv + optind, argc - optind,
dict_flags | DICT_FLAG_LOCK) == 0);
found = 0;
while (optind < argc) {
if ((path_name = split_at(argv[optind], ':')) != 0) {
found |= postalias_delete(argv[optind], path_name, delkey,
dict_flags | DICT_FLAG_LOCK);
} else {
found |= postalias_delete(var_db_type, argv[optind], delkey,
dict_flags | DICT_FLAG_LOCK);
}
optind++;
}
exit(found ? 0 : 1);
} else if (query) { /* query map(s) */
if (optind + 1 > argc)
usage(argv[0]);
if (strcmp(query, "-") == 0)
exit(postalias_queries(VSTREAM_IN, argv + optind, argc - optind,
dict_flags | DICT_FLAG_LOCK) == 0);
while (optind < argc) {
if ((path_name = split_at(argv[optind], ':')) != 0) {
found = postalias_query(argv[optind], path_name, query,
dict_flags | DICT_FLAG_LOCK);
} else {
found = postalias_query(var_db_type, argv[optind], query,
dict_flags | DICT_FLAG_LOCK);
}
if (found)
exit(0);
optind++;
}
exit(1);
} else if (sequence) {
while (optind < argc) {
if ((path_name = split_at(argv[optind], ':')) != 0) {
postalias_seq(argv[optind], path_name,
dict_flags | DICT_FLAG_LOCK);
} else {
postalias_seq(var_db_type, argv[optind],
dict_flags | DICT_FLAG_LOCK);
}
exit(0);
}
exit(1);
} else { /* create/update map(s) */
if (optind + 1 > argc)
usage(argv[0]);
while (optind < argc) {
if ((path_name = split_at(argv[optind], ':')) != 0) {
postalias(argv[optind], path_name, postalias_flags,
open_flags, dict_flags);
} else {
postalias(var_db_type, argv[optind], postalias_flags,
open_flags, dict_flags);
}
optind++;
}
exit(0);
}
}
