summaryrefslogtreecommitdiffstats
path: root/src/cleanup/cleanup_api.c
blob: 4fc5e2eac5867780fab11222b5e961ed8ea6e9ad (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
/*++
/* NAME
/*	cleanup_api 3
/* SUMMARY
/*	cleanup callable interface, message processing
/* SYNOPSIS
/*	#include "cleanup.h"
/*
/*	CLEANUP_STATE *cleanup_open(src)
/*	VSTREAM	*src;
/*
/*	void	cleanup_control(state, flags)
/*	CLEANUP_STATE *state;
/*	int	flags;
/*
/*	void	CLEANUP_RECORD(state, type, buf, len)
/*	CLEANUP_STATE *state;
/*	int	type;
/*	char	*buf;
/*	int	len;
/*
/*	int	cleanup_flush(state)
/*	CLEANUP_STATE *state;
/*
/*	int	cleanup_free(state)
/*	CLEANUP_STATE *state;
/* DESCRIPTION
/*	This module implements a callable interface to the cleanup service
/*	for processing one message and for writing it to queue file.
/*	For a description of the cleanup service, see cleanup(8).
/*
/*	cleanup_open() creates a new queue file and performs other
/*	per-message initialization. The result is a handle that should be
/*	given to the cleanup_control(), cleanup_record(), cleanup_flush()
/*	and cleanup_free() routines. The name of the queue file is in the
/*	queue_id result structure member.
/*
/*	cleanup_control() processes per-message flags specified by the caller.
/*	These flags control the handling of data errors, and must be set
/*	before processing the first message record.
/* .IP CLEANUP_FLAG_BOUNCE
/*	The cleanup server is responsible for returning undeliverable
/*	mail (too many hops, message too large) to the sender.
/* .IP CLEANUP_FLAG_BCC_OK
/*	It is OK to add automatic BCC recipient addresses.
/* .IP CLEANUP_FLAG_FILTER
/*	Enable header/body filtering. This should be enabled only with mail
/*	that enters Postfix, not with locally forwarded mail or with bounce
/*	messages.
/* .IP CLEANUP_FLAG_MILTER
/*	Enable Milter applications. This should be enabled only with mail
/*	that enters Postfix, not with locally forwarded mail or with bounce
/*	messages.
/* .IP CLEANUP_FLAG_MAP_OK
/*	Enable canonical and virtual mapping, and address masquerading.
/* .PP
/*	For convenience the CLEANUP_FLAG_MASK_EXTERNAL macro specifies
/*	the options that are normally needed for mail that enters
/*	Postfix from outside, and CLEANUP_FLAG_MASK_INTERNAL specifies
/*	the options that are normally needed for internally generated or
/*	forwarded mail.
/*
/*	CLEANUP_RECORD() is a macro that processes one message record,
/*	that copies the result to the queue file, and that maintains a
/*	little state machine. The last record in a valid message has type
/*	REC_TYPE_END.  In order to find out if a message is corrupted,
/*	the caller is encouraged to test the CLEANUP_OUT_OK(state) macro.
/*	The result is false when further message processing is futile.
/*	In that case, it is safe to call cleanup_flush() immediately.
/*
/*	cleanup_flush() closes a queue file. In case of any errors,
/*	the file is removed. The result value is non-zero in case of
/*	problems. In some cases a human-readable text can be found in
/*	the state->reason member. In all other cases, use cleanup_strerror()
/*	to translate the result into human-readable text.
/*
/*	cleanup_free() destroys its argument.
/* .IP CLEANUP_FLAG_SMTPUTF8
/*	Request SMTPUTF8 support when delivering mail.
/* .IP CLEANUP_FLAG_AUTOUTF8
/*	Autodetection: request SMTPUTF8 support if the message
/*	contains an UTF8 message header, sender, or recipient.
/* DIAGNOSTICS
/*	Problems and transactions are logged to \fBsyslogd\fR(8)
/*	or \fBpostlogd\fR(8).
/* SEE ALSO
/*	cleanup(8) cleanup service description.
/*	cleanup_init(8) cleanup callable interface, initialization
/* LICENSE
/* .ad
/* .fi
/*	The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/*	Wietse Venema
/*	IBM T.J. Watson Research
/*	P.O. Box 704
/*	Yorktown Heights, NY 10598, USA
/*
/*	Wietse Venema
/*	Google, Inc.
/*	111 8th Avenue
/*	New York, NY 10011, USA
/*--*/

/* System library. */

#include <sys_defs.h>
#include <errno.h>

/* Utility library. */

#include <msg.h>
#include <vstring.h>
#include <mymalloc.h>

/* Global library. */

#include <cleanup_user.h>
#include <mail_queue.h>
#include <mail_proto.h>
#include <bounce.h>
#include <mail_params.h>
#include <mail_stream.h>
#include <mail_flow.h>
#include <rec_type.h>
#include <smtputf8.h>

/* Milter library. */

#include <milter.h>

/* Application-specific. */

#include "cleanup.h"

/* cleanup_open - open queue file and initialize */

CLEANUP_STATE *cleanup_open(VSTREAM *src)
{
    CLEANUP_STATE *state;
    static const char *log_queues[] = {
	MAIL_QUEUE_DEFER,
	MAIL_QUEUE_BOUNCE,
	MAIL_QUEUE_TRACE,
	0,
    };
    const char **cpp;

    /*
     * Initialize private state.
     */
    state = cleanup_state_alloc(src);

    /*
     * Open the queue file. Save the queue file name in a global variable, so
     * that the runtime error handler can clean up in case of problems.
     * 
     * XXX For now, a lot of detail is frozen that could be more useful if it
     * were made configurable.
     */
    state->queue_name = mystrdup(MAIL_QUEUE_INCOMING);
    state->handle = mail_stream_file(state->queue_name,
				   MAIL_CLASS_PUBLIC, var_queue_service, 0);
    state->dst = state->handle->stream;
    cleanup_path = mystrdup(VSTREAM_PATH(state->dst));
    state->queue_id = mystrdup(state->handle->id);
    if (msg_verbose)
	msg_info("cleanup_open: open %s", cleanup_path);

    /*
     * If there is a time to get rid of spurious log files, this is it. The
     * down side is that this costs performance for every message, while the
     * probability of spurious log files is quite low.
     * 
     * XXX The defer logfile is deleted when the message is moved into the
     * active queue. We must also remove it now, otherwise mailq produces
     * nonsense.
     */
    for (cpp = log_queues; *cpp; cpp++) {
	if (mail_queue_remove(*cpp, state->queue_id) == 0)
	    msg_warn("%s: removed spurious %s log", *cpp, state->queue_id);
	else if (errno != ENOENT)
	    msg_fatal("%s: remove %s log: %m", *cpp, state->queue_id);
    }
    return (state);
}

/* cleanup_control - process client options */

void    cleanup_control(CLEANUP_STATE *state, int flags)
{

    /*
     * If the client requests us to do the bouncing in case of problems,
     * throw away the input only in case of real show-stopper errors, such as
     * unrecognizable data (which should never happen) or insufficient space
     * for the queue file (which will happen occasionally). Otherwise,
     * discard input after any lethal error. See the CLEANUP_OUT_OK() macro
     * definition.
     */
    if (msg_verbose)
	msg_info("cleanup flags = %s", cleanup_strflags(flags));
    if ((state->flags = flags) & CLEANUP_FLAG_BOUNCE) {
	state->err_mask = CLEANUP_STAT_MASK_INCOMPLETE;
    } else {
	state->err_mask = ~0;
    }
    if (state->flags & CLEANUP_FLAG_SMTPUTF8)
	state->smtputf8 = SMTPUTF8_FLAG_REQUESTED;
}

/* cleanup_flush - finish queue file */

int     cleanup_flush(CLEANUP_STATE *state)
{
    int     status;
    char   *junk;
    VSTRING *trace_junk;

    /*
     * Raise these errors only if we examined all queue file records.
     */
    if (CLEANUP_OUT_OK(state)) {
	if (state->recip == 0)
	    state->errs |= CLEANUP_STAT_RCPT;
	if ((state->flags & CLEANUP_FLAG_END_SEEN) == 0)
	    state->errs |= CLEANUP_STAT_BAD;
    }

    /*
     * Status sanitization. Always report success when the discard flag was
     * raised by some user-specified access rule.
     */
    if (state->flags & CLEANUP_FLAG_DISCARD)
	state->errs = 0;

    /*
     * Apply external mail filter.
     * 
     * XXX Include test for a built-in action to tempfail this message.
     */
    if (CLEANUP_MILTER_OK(state)) {
	if (state->milters)
	    cleanup_milter_inspect(state, state->milters);
	else if (cleanup_milters) {
	    cleanup_milter_emul_data(state, cleanup_milters);
	    if (CLEANUP_MILTER_OK(state))
		cleanup_milter_inspect(state, cleanup_milters);
	}
    }

    /*
     * Update the preliminary message size and count fields with the actual
     * values.
     */
    if (CLEANUP_OUT_OK(state))
	cleanup_final(state);

    /*
     * If there was an error that requires us to generate a bounce message
     * (mail submitted with the Postfix sendmail command, mail forwarded by
     * the local(8) delivery agent, or mail re-queued with "postsuper -r"),
     * send a bounce notification, reset the error flags in case of success,
     * and request deletion of the the incoming queue file and of the
     * optional DSN SUCCESS records from virtual alias expansion.
     * 
     * XXX It would make no sense to knowingly report success after we already
     * have bounced all recipients, especially because the information in the
     * DSN SUCCESS notice is completely redundant compared to the information
     * in the bounce notice (however, both may be incomplete when the queue
     * file size would exceed the safety limit).
     * 
     * An alternative is to keep the DSN SUCCESS records and to delegate bounce
     * notification to the queue manager, just like we already delegate
     * success notification. This requires that we leave the undeliverable
     * message in the incoming queue; versions up to 20050726 did exactly
     * that. Unfortunately, this broke with over-size queue files, because
     * the queue manager cannot handle incomplete queue files (and it should
     * not try to do so).
     */
#define CAN_BOUNCE() \
	((state->errs & CLEANUP_STAT_MASK_CANT_BOUNCE) == 0 \
	    && state->sender != 0 \
	    && (state->flags & CLEANUP_FLAG_BOUNCE) != 0)

    if (state->errs != 0 && CAN_BOUNCE())
	cleanup_bounce(state);

    /*
     * Optionally, place the message on hold, but only if the message was
     * received successfully and only if it's not being discarded for other
     * reasons. This involves renaming the queue file before "finishing" it
     * (or else the queue manager would grab it too early) and updating our
     * own idea of the queue file name for error recovery and for error
     * reporting purposes.
     * 
     * XXX Include test for a built-in action to tempfail this message.
     */
    if (state->errs == 0 && (state->flags & CLEANUP_FLAG_DISCARD) == 0) {
	if ((state->flags & CLEANUP_FLAG_HOLD) != 0
#ifdef DELAY_ACTION
	    || state->defer_delay > 0
#endif
	    ) {
	    myfree(state->queue_name);
#ifdef DELAY_ACTION
	    state->queue_name = mystrdup((state->flags & CLEANUP_FLAG_HOLD) ?
				     MAIL_QUEUE_HOLD : MAIL_QUEUE_DEFERRED);
#else
	    state->queue_name = mystrdup(MAIL_QUEUE_HOLD);
#endif
	    mail_stream_ctl(state->handle,
			    CA_MAIL_STREAM_CTL_QUEUE(state->queue_name),
			    CA_MAIL_STREAM_CTL_CLASS((char *) 0),
			    CA_MAIL_STREAM_CTL_SERVICE((char *) 0),
#ifdef DELAY_ACTION
			    CA_MAIL_STREAM_CTL_DELAY(state->defer_delay),
#endif
			    CA_MAIL_STREAM_CTL_END);
	    junk = cleanup_path;
	    cleanup_path = mystrdup(VSTREAM_PATH(state->handle->stream));
	    myfree(junk);

	    /*
	     * XXX: When delivering to a non-incoming queue, do not consume
	     * in_flow tokens. Unfortunately we can't move the code that
	     * consumes tokens until after the mail is received, because that
	     * would increase the risk of duplicate deliveries (RFC 1047).
	     */
	    (void) mail_flow_put(1);
	}
	state->errs = mail_stream_finish(state->handle, (VSTRING *) 0);
    } else {

	/*
	 * XXX: When discarding mail, should we consume in_flow tokens? See
	 * also the comments above for mail that is placed on hold.
	 */
#if 0
	(void) mail_flow_put(1);
#endif
	mail_stream_cleanup(state->handle);
    }
    state->handle = 0;
    state->dst = 0;

    /*
     * If there was an error, or if the message must be discarded for other
     * reasons, remove the queue file and the optional trace file with DSN
     * SUCCESS records from virtual alias expansion.
     */
    if (state->errs != 0 || (state->flags & CLEANUP_FLAG_DISCARD) != 0) {
	if (cleanup_trace_path)
	    (void) REMOVE(vstring_str(cleanup_trace_path));
	if (REMOVE(cleanup_path))
	    msg_warn("remove %s: %m", cleanup_path);
    }

    /*
     * Make sure that our queue file will not be deleted by the error handler
     * AFTER we have taken responsibility for delivery. Better to deliver
     * twice than to lose mail.
     */
    trace_junk = cleanup_trace_path;
    cleanup_trace_path = 0;			/* don't delete upon error */
    junk = cleanup_path;
    cleanup_path = 0;				/* don't delete upon error */

    if (trace_junk)
	vstring_free(trace_junk);
    myfree(junk);

    /*
     * Cleanup internal state. This is simply complementary to the
     * initializations at the beginning of cleanup_open().
     */
    if (msg_verbose)
	msg_info("cleanup_flush: status %d", state->errs);
    status = state->errs;
    return (status);
}

/* cleanup_free - pay the last respects */

void    cleanup_free(CLEANUP_STATE *state)
{

    /*
     * Emulate disconnect event. CLEANUP_FLAG_MILTER may be turned off after
     * we have started.
     */
    if (cleanup_milters != 0 && state->milters == 0)
	milter_disc_event(cleanup_milters);
    cleanup_state_free(state);
}