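/* Copyright (c) 2005-2018 Dovecot authors, see the included COPYING file */

#include "lib.h"
#include "lib-signals.h"
#include "ioloop.h"
#include "env-util.h"
#include "istream.h"
#include "istream-seekable.h"
#include "path-util.h"
#include "safe-mkstemp.h"
#include "eacces-error.h"
#include "ipwd.h"
#include "str.h"
#include "str-sanitize.h"
#include "strescape.h"
#include "unichar.h"
#include "rfc822-parser.h"
#include "message-address.h"
#include "smtp-address.h"
#include "settings-parser.h"
#include "master-service.h"
#include "master-service-settings.h"
#include "mail-storage-service.h"
#include "mail-namespace.h"
#include "raw-storage.h"
#include "mail-deliver.h"
#include "mail-send.h"
#include "mbox-from.h"
#include "smtp-submit-settings.h"
#include "lda-settings.h"

/* This copy of the file had two #include directives with no header name.
   The code below uses printf()/fprintf()/fputs() and the EX_* exit codes,
   which are declared in these two headers. */
#include <stdio.h>
#include <sysexits.h>

/* Envelope sender used when neither -f nor a From_-line supplied one. */
const struct smtp_address default_envelope_sender = {
	.localpart = "MAILER-DAEMON",
};

/* After buffer grows larger than this, create a temporary file to /tmp
   where to read the mail. */
#define MAIL_MAX_MEMORY_BUFFER (1024*128)

struct event_category event_category_lda = {
	.name = "lda",
};

/* Headers requested up front when the delivered mail is opened
   (see lda_raw_mail_open()). */
static const char *wanted_headers[] = {
	"From", "To", "Message-ID", "Subject", "Return-Path",
	NULL
};

/* Callback passed to i_stream_create_seekable() by create_raw_stream().
   It creates a temporary file under the recipient user's temp prefix and
   hands back only the file descriptor.

   context is the struct mail_deliver_input of this delivery.
   Returns the fd on success and stores the file's path in *path_r;
   returns -1 on failure.

   Security-relevant details visible here: the file is created through
   safe_mkstemp() with mode 0600 and is unlinked immediately, so the mail
   spool copy has no name in the filesystem once this returns. The path in
   *path_r therefore refers to an already removed file. */
static int seekable_fd_callback(const char **path_r, void *context)
{
	struct mail_deliver_input *dinput = context;
	string_t *path;
	int fd;

	path = t_str_new(128);
	mail_user_set_get_temp_prefix(path, dinput->rcpt_user->set);
	/* NOTE(review): (uid_t)-1 / (gid_t)-1 presumably mean "keep the
	   current owner and group" - confirm against safe_mkstemp(). */
	fd = safe_mkstemp(path, 0600, (uid_t)-1, (gid_t)-1);
	if (fd == -1) {
		i_error("safe_mkstemp(%s) failed: %m", str_c(path));
		return -1;
	}

	/* we just want the fd, unlink it */
	if (i_unlink(str_c(path)) < 0) {
		/* shouldn't happen.. */
		i_close_fd(&fd);
		return -1;
	}

	*path_r = str_c(path);
	return fd;
}

/* Wrap fd in a blocking, seekable input stream for the mail to deliver.

   If the input starts with an mbox "From " line, that line is consumed
   and parsed: its timestamp is stored in *mtime_r and, when no envelope
   sender was given already (dinput->mail_from == NULL), its sender becomes
   dinput->mail_from. Otherwise *mtime_r stays (time_t)-1.

   The From_-line is part of the message input, so a sender taken from it
   is only as trustworthy as whoever produced the message; it is never
   preferred over an explicit -f.

   Returns a new stream reference owned by the caller. Data beyond
   MAIL_MAX_MEMORY_BUFFER is spilled to the temporary file created by
   seekable_fd_callback(). */
static struct istream *
create_raw_stream(struct mail_deliver_input *dinput,
		  int fd, time_t *mtime_r)
{
	struct istream *input, *input2, *input_list[2];
	const unsigned char *data;
	const char *error;
	char *sender = NULL;
	size_t i, size;
	int ret, tz;

	*mtime_r = (time_t)-1;
	fd_set_nonblock(fd, FALSE);

	input = i_stream_create_fd(fd, 4096);
	input->blocking = TRUE;
	/* If input begins with a From-line, drop it */
	ret = i_stream_read_bytes(input, &data, &size, 5);
	if (ret > 0 && memcmp(data, "From ", 5) == 0) {
		/* skip until the first LF */
		i_stream_skip(input, 5);
		while (i_stream_read_more(input, &data, &size) > 0) {
			for (i = 0; i < size; i++) {
				if (data[i] == '\n')
					break;
			}
			if (i != size) {
				/* A parse failure is deliberately ignored:
				   the line is dropped either way. */
				(void)mbox_from_parse(data, i, mtime_r,
						      &tz, &sender);
				i_stream_skip(input, i + 1);
				break;
			}
			i_stream_skip(input, size);
		}
	}

	if (sender != NULL && dinput->mail_from == NULL) {
		struct smtp_address *mail_from = NULL;
		/* use the envelope sender from From_-line, but only if it
		   hasn't been specified with -f already. */
		if (smtp_address_parse_mailbox(pool_datastack_create(),
					       sender, 0, &mail_from,
					       &error) < 0) {
			i_warning("Failed to parse address from `From_'-line: %s",
				  error);
		}
		dinput->mail_from = mail_from;
	}
	i_free(sender);

	if (input->v_offset == 0) {
		input2 = input;
		i_stream_ref(input2);
	} else {
		/* NOTE(review): presumably wraps the stream so that the
		   data after the skipped From_-line starts at offset 0 -
		   confirm against i_stream_create_limit(). */
		input2 = i_stream_create_limit(input, UOFF_T_MAX);
	}
	i_stream_unref(&input);

	input_list[0] = input2;
	input_list[1] = NULL;
	input = i_stream_create_seekable(input_list, MAIL_MAX_MEMORY_BUFFER,
					 seekable_fd_callback, dinput);
	i_stream_unref(&input2);
	return input;
}

/* Open the mail to be delivered through the raw storage backend.

   With path == NULL the mail is read from fd 0 (stdin) via
   create_raw_stream(); otherwise it is opened from the given file.
   The envelope sender is dinput->mail_from, falling back to
   default_envelope_sender.

   Terminates the process with i_fatal() if the mail cannot be opened.
   Returns the mail at sequence 1. The mail, its transaction and its
   mailbox stay allocated; main() releases them after delivery. */
static struct mail *
lda_raw_mail_open(struct mail_deliver_input *dinput, const char *path)
{
	struct mail_user *raw_mail_user;
	struct mailbox *box;
	struct mailbox_transaction_context *t;
	struct mail *mail;
	struct mailbox_header_lookup_ctx *headers_ctx;
	const struct smtp_address *mail_from;
	struct istream *input;
	void **sets;
	time_t mtime;
	int ret;

	sets = master_service_settings_get_others(master_service);
	raw_mail_user = raw_storage_create_from_set(dinput->rcpt_user->set_info,
						    sets[0]);

	mail_from = (dinput->mail_from != NULL ?
		     dinput->mail_from : &default_envelope_sender);
	if (path == NULL) {
		input = create_raw_stream(dinput, 0, &mtime);
		i_stream_set_name(input, "stdin");
		ret = raw_mailbox_alloc_stream(raw_mail_user, input, mtime,
					       smtp_address_encode(mail_from),
					       &box);
		i_stream_unref(&input);
	} else {
		ret = raw_mailbox_alloc_path(raw_mail_user, path, (time_t)-1,
					     smtp_address_encode(mail_from),
					     &box);
	}
	if (ret < 0) {
		i_fatal("Can't open delivery mail as raw: %s",
			mailbox_get_last_internal_error(box, NULL));
	}
	mail_user_unref(&raw_mail_user);

	t = mailbox_transaction_begin(box, 0, __func__);
	headers_ctx = mailbox_header_lookup_init(box, wanted_headers);
	mail = mail_alloc(t, 0, headers_ctx);
	mailbox_header_lookup_unref(&headers_ctx);
	mail_set_seq(mail, 1);
	return mail;
}

/* Decide the original recipient address of this delivery and record it in
   dinput->rcpt_params.orcpt.addr (and in dinput->rcpt_to when no final
   recipient was given).

   Sources are tried in this order:
     1. rcpt_to as passed in (the -a parameter),
     2. the message header named by the lda_original_recipient_header
        setting, when that setting is non-empty,
     3. the username, with the hostname setting as domain when the
        username has none.

   rcpt_to_source is only a label for the debug log line. Exits with
   EX_USAGE if the username cannot be turned into an SMTP address.

   Source 2 is read from the message itself, so the value is whatever the
   message carries. */
static void
lda_set_rcpt_to(struct mail_deliver_input *dinput,
		const struct smtp_address *rcpt_to, const char *user,
		const char *rcpt_to_source)
{
	const char *error;

	if (rcpt_to == NULL &&
	    *dinput->set->lda_original_recipient_header != '\0') {
		rcpt_to = mail_deliver_get_address(
			dinput->src_mail,
			dinput->set->lda_original_recipient_header);
		rcpt_to_source = t_strconcat(
			dinput->set->lda_original_recipient_header,
			" header", NULL);
	}
	if (rcpt_to == NULL) {
		struct smtp_address *user_addr;

		if (smtp_address_parse_username(pool_datastack_create(), user,
						&user_addr, &error) < 0) {
			i_fatal_status(EX_USAGE,
				"Cannot obtain SMTP address from username `%s': %s",
				user, error);
		}
		if (user_addr->domain == NULL)
			user_addr->domain = dinput->set->hostname;
		rcpt_to = user_addr;
		rcpt_to_source = "user@hostname";
	}

	dinput->rcpt_params.orcpt.addr = rcpt_to;
	if (dinput->rcpt_to == NULL)
		dinput->rcpt_to = rcpt_to;

	e_debug(dinput->rcpt_user->event,
		"Destination address: %s (source: %s)",
		smtp_address_encode_path(rcpt_to), rcpt_to_source);
}

/* Run mail_deliver() and translate its outcome into a sysexits.h code.

   Returns EX_OK on successful delivery, EX_TEMPFAIL for internal and
   temporary errors (and for over-quota when quota_full_tempfail is set).
   For a rejection, or over-quota without quota_full_tempfail:
     - with stderr_rejection the reason is printed to stderr and
       EX_NOPERM is returned,
     - otherwise a rejection message is sent with mail_send_rejection();
       EX_OK is returned if that worked, EX_TEMPFAIL if it returned a
       negative value, and its own positive return value otherwise.

   The error text is passed through str_sanitize() (max 512) before it is
   logged, and is written to stderr through a fixed "%s\n" format. */
static int
lda_do_deliver(struct mail_deliver_context *ctx, bool stderr_rejection)
{
	enum mail_deliver_error error_code;
	const char *error;
	int ret;

	if (mail_deliver(ctx, &error_code, &error) >= 0)
		return EX_OK;

	if (error_code == MAIL_DELIVER_ERROR_INTERNAL) {
		/* This shouldn't happen */
		return EX_TEMPFAIL;
	}

	if (stderr_rejection) {
		/* write to stderr also for tempfails so that MTA
		   can log the reason if it wants to. */
		fprintf(stderr, "%s\n", error);
	}

	switch (error_code) {
	case MAIL_DELIVER_ERROR_NONE:
		i_unreached();
	case MAIL_DELIVER_ERROR_TEMPORARY:
		return EX_TEMPFAIL;
	case MAIL_DELIVER_ERROR_REJECTED:
		break;
	case MAIL_DELIVER_ERROR_NOQUOTA:
		if (ctx->set->quota_full_tempfail)
			return EX_TEMPFAIL;
		ctx->mailbox_full = TRUE;
		break;
	case MAIL_DELIVER_ERROR_INTERNAL:
		/* handled by the early return above */
		i_unreached();
	}

	/* Rejected */

	ctx->dsn = TRUE;

	/* we'll have to reply with permanent failure */
	mail_deliver_log(ctx, "rejected: %s",
			 str_sanitize(error, 512));

	if (stderr_rejection)
		return EX_NOPERM;
	ret = mail_send_rejection(ctx, ctx->rcpt_to, error);
	if (ret != 0)
		return ret < 0 ? EX_TEMPFAIL : ret;
	/* ok, rejection sent */

	return EX_OK;
}

/* Deliver one mail for an already looked-up user.

   Expands variables in the LDA and SMTP submission settings (fatal on
   failure), opens the source mail, resolves the recipient address and
   runs the delivery. Returns the sysexits.h code from lda_do_deliver().

   On return dinput->src_mail is still open; the caller frees it. */
static int
lda_deliver(struct mail_deliver_input *dinput,
	    struct mail_storage_service_user *service_user,
	    const char *user, const char *path,
	    struct smtp_address *rcpt_to, const char *rcpt_to_source,
	    bool stderr_rejection)
{
	struct mail_deliver_context ctx;
	const struct var_expand_table *var_table;
	struct lda_settings *lda_set;
	struct smtp_submit_settings *smtp_set;
	const char *errstr;
	int ret;

	var_table = mail_user_var_expand_table(dinput->rcpt_user);
	/* NOTE(review): indexes 1 and 2 presumably follow the order of
	   set_roots in main() with slot 0 taken by another settings
	   struct - confirm against mail_storage_service_user_get_set(). */
	smtp_set = mail_storage_service_user_get_set(service_user)[1];
	lda_set = mail_storage_service_user_get_set(service_user)[2];
	ret = settings_var_expand(
		&lda_setting_parser_info,
		lda_set, dinput->rcpt_user->pool, var_table,
		&errstr);
	if (ret > 0) {
		ret = settings_var_expand(
			&smtp_submit_setting_parser_info,
			smtp_set, dinput->rcpt_user->pool, var_table,
			&errstr);
	}
	if (ret <= 0)
		i_fatal("Failed to expand settings: %s", errstr);

	dinput->set = lda_set;
	dinput->smtp_set = smtp_set;

	dinput->src_mail = lda_raw_mail_open(dinput, path);
	lda_set_rcpt_to(dinput, rcpt_to, user, rcpt_to_source);

	mail_deliver_init(&ctx, dinput);
	ret = lda_do_deliver(&ctx, stderr_rejection);
	mail_deliver_deinit(&ctx);

	return ret;
}

/* Failure-exit hook installed by main(): rewrites the library's FATAL_*
   exit statuses to EX_TEMPFAIL. Any other status is left untouched. */
static void failure_exit_callback(int *status)
{
	/* we want all our exit codes to be sysexits.h compatible.
	   if we failed because of a logging related error, we most likely
	   aren't writing to stderr, so try writing there to give some kind of
	   a clue what's wrong. FATAL_LOGOPEN failure already wrote to
	   stderr, so don't duplicate it. */
	switch (*status) {
	case FATAL_LOGWRITE:
		fputs("Failed to write to log file", stderr);
		break;
	case FATAL_LOGERROR:
		fputs("Internal logging error", stderr);
		break;
	case FATAL_LOGOPEN:
	case FATAL_OUTOFMEM:
	case FATAL_EXEC:
	case FATAL_DEFAULT:
		break;
	default:
		return;
	}
	*status = EX_TEMPFAIL;
}

/* Print the command line summary to stdout.
   NOTE(review): the option-argument placeholders (and the alignment
   padding) look like they were lost from this copy of the text; the
   strings are kept exactly as found. */
static void print_help(void)
{
	printf(
"Usage: dovecot-lda [-c ] [-d ] [-p ]\n"
" [-m ] [-e] [-k] [-f ]\n"
" [-a ]\n"
" [-r ] \n");
}

/* dovecot-lda entry point: deliver one mail, read from stdin or from the
   file given with -p, to a local user.

   Options handled here:
     -a  original recipient address
     -d  destination user (forces a userdb lookup)
     -e  report rejections on stderr with EX_NOPERM instead of sending
         a rejection mail
     -f  envelope sender address
     -m  destination mailbox (empty value ignored)
     -p  input path
     -r  final recipient address

   The exit status is a sysexits.h code. */
int main(int argc, char *argv[])
{
	const struct setting_parser_info *set_roots[] = {
		&smtp_submit_setting_parser_info,
		&lda_setting_parser_info,
		NULL
	};
	struct mail_deliver_input dinput;
	enum mail_storage_service_flags service_flags = 0;
	const char *user, *errstr, *path;
	struct smtp_address *rcpt_to, *final_rcpt_to, *mail_from;
	struct mail_storage_service_ctx *storage_service;
	struct mail_storage_service_user *service_user;
	struct mail_storage_service_input service_input;
	struct event *event;
	const char *user_source = "", *rcpt_to_source = "", *mail_from_error;
	uid_t process_euid;
	bool stderr_rejection = FALSE;
	int ret, c;

	if (getuid() != geteuid() && geteuid() == 0) {
		/* running setuid - don't allow this if the binary is
		   executable by anyone.

		   argv[0] is chosen by the invoking process, so this check
		   catches an accidental misconfiguration; it is not an
		   enforcement boundary. The permissions on the installed
		   binary remain the actual control. */
		struct stat st;

		/* A process may be started with an empty argument vector.
		   Passing a NULL argv[0] to stat() and to a "%s" conversion
		   is undefined behavior, so refuse explicitly with the same
		   exit code the stat() failure path uses. */
		if (argc < 1 || argv[0] == NULL) {
			fprintf(stderr, "dovecot-lda: argv[0] is missing, "
				"refusing to run setuid-root\n");
			return EX_TEMPFAIL;
		}

		if (stat(argv[0], &st) < 0) {
			fprintf(stderr, "stat(%s) failed: %s\n",
				argv[0], strerror(errno));
			return EX_TEMPFAIL;
		} else if ((st.st_mode & S_IXOTH) != 0 &&
			   (st.st_mode & S_ISUID) != 0) {
			fprintf(stderr, "%s must not be both world-executable "
				"and setuid-root. This allows root exploits. "
				"See http://wiki2.dovecot.org/LDA#multipleuids\n",
				argv[0]);
			return EX_TEMPFAIL;
		}
	}

	i_set_failure_exit_callback(failure_exit_callback);

	master_service = master_service_init("lda",
		MASTER_SERVICE_FLAG_STANDALONE |
		MASTER_SERVICE_FLAG_DONT_LOG_TO_STDERR |
		MASTER_SERVICE_FLAG_NO_INIT_DATASTACK_FRAME,
		&argc, &argv, "a:d:ef:m:p:r:");

	event = event_create(NULL);
	event_add_category(event, &event_category_lda);

	i_zero(&dinput);
	dinput.session = mail_deliver_session_init();
	dinput.rcpt_default_mailbox = "INBOX";
	path = NULL;

	user = getenv("USER");
	mail_from = final_rcpt_to = rcpt_to = NULL;
	mail_from_error = NULL;
	while ((c = master_getopt(master_service)) > 0) {
		switch (c) {
		case 'a':
			/* original recipient address */
			if (smtp_address_parse_path(
				pool_datastack_create(), optarg,
				SMTP_ADDRESS_PARSE_FLAG_ALLOW_LOCALPART |
				SMTP_ADDRESS_PARSE_FLAG_BRACKETS_OPTIONAL,
				&rcpt_to, &errstr) < 0) {
				i_fatal_status(EX_USAGE,
					"Invalid -a parameter: %s", errstr);
			}
			rcpt_to_source = "-a parameter";
			break;
		case 'd':
			/* destination user */
			user = optarg;
			service_flags |= MAIL_STORAGE_SERVICE_FLAG_USERDB_LOOKUP;
			break;
		case 'e':
			stderr_rejection = TRUE;
			break;
		case 'f':
			/* envelope sender address */
			ret = smtp_address_parse_path(
				pool_datastack_create(), optarg,
				SMTP_ADDRESS_PARSE_FLAG_BRACKETS_OPTIONAL |
				SMTP_ADDRESS_PARSE_FLAG_ALLOW_LOCALPART |
				SMTP_ADDRESS_PARSE_FLAG_ALLOW_EMPTY |
				SMTP_ADDRESS_PARSE_FLAG_IGNORE_BROKEN |
				SMTP_ADDRESS_PARSE_FLAG_PRESERVE_RAW,
				&mail_from, &errstr);
			if (ret < 0 && !smtp_address_is_broken(mail_from)) {
				i_fatal_status(EX_USAGE,
					"Invalid -f parameter: %s", errstr);
			}
			/* a broken-but-tolerated sender is only reported
			   in the debug log later on */
			if (ret < 0)
				mail_from_error = errstr;
			break;
		case 'm':
			/* destination mailbox.
			   Ignore -m "". This allows doing -m ${extension}
			   in Postfix to handle user+mailbox */
			if (*optarg != '\0') T_BEGIN {
				if (!uni_utf8_str_is_valid(optarg)) {
					i_fatal("Mailbox name not UTF-8: %s",
						optarg);
				}
				dinput.rcpt_default_mailbox = optarg;
			} T_END;
			break;
		case 'p':
			/* input path */
			if (t_abspath(optarg, &path, &errstr) < 0) {
				i_fatal("t_abspath(%s) failed: %s",
					optarg, errstr);
			}
			break;
		case 'r':
			/* final recipient address */
			if (smtp_address_parse_path(
				pool_datastack_create(), optarg,
				SMTP_ADDRESS_PARSE_FLAG_ALLOW_LOCALPART |
				SMTP_ADDRESS_PARSE_FLAG_BRACKETS_OPTIONAL,
				&final_rcpt_to, &errstr) < 0) {
				i_fatal_status(EX_USAGE,
					"Invalid -r parameter: %s", errstr);
			}
			break;
		default:
			print_help();
			return EX_USAGE;
		}
	}
	if (optind != argc) {
		print_help();
		i_fatal_status(EX_USAGE, "Unknown argument: %s", argv[optind]);
	}

	process_euid = geteuid();
	if ((service_flags & MAIL_STORAGE_SERVICE_FLAG_USERDB_LOOKUP) != 0)
		; /* -d given: the username comes from the command line */
	else if (process_euid != 0) {
		/* we're non-root. get our username and possibly our home. */
		struct passwd pw;
		const char *home;

		home = getenv("HOME");
		if (user != NULL && home != NULL) {
			/* no need for a pw lookup */
			user_source = "USER environment";
		} else if ((ret = i_getpwuid(process_euid, &pw)) > 0) {
			user = t_strdup(pw.pw_name);
			if (home == NULL)
				env_put("HOME", pw.pw_dir);
			user_source = "passwd lookup for process euid";
		} else if (ret < 0) {
			/* temporary failure */
			i_fatal("getpwuid() failed: %m");
		} else if (user == NULL) {
			i_fatal_status(EX_USAGE,
				"Couldn't lookup our username (uid=%s)",
				dec2str(process_euid));
		}
	} else {
		/* effective uid 0 must always name the target user */
		i_fatal_status(EX_USAGE,
			"destination user parameter (-d user) not given");
	}
	master_service_init_finish(master_service);

	dinput.mail_from = mail_from;
	dinput.rcpt_to = final_rcpt_to;

	event_add_str(event, "protocol", "lda");
	event_add_str(event, "user", user);
	if (mail_from != NULL) {
		event_add_str(event, "mail_from",
			      smtp_address_encode(mail_from));
	}
	if (final_rcpt_to != NULL) {
		event_add_str(event, "rcpt_to",
			      smtp_address_encode(final_rcpt_to));
	}
	dinput.event_parent = event;

	i_zero(&service_input);
	service_input.module = "lda";
	service_input.service = "lda";
	service_input.username = user;
	service_input.event_parent = event;

	service_flags |= MAIL_STORAGE_SERVICE_FLAG_USE_SYSEXITS;
	storage_service = mail_storage_service_init(master_service, set_roots,
						    service_flags);
	mail_deliver_hooks_init();
	/* set before looking up the user (or ideally we'd do this between
	   _lookup() and _next(), but don't bother) */
	dinput.delivery_time_started = ioloop_timeval;
	ret = mail_storage_service_lookup_next(storage_service,
					       &service_input, &service_user,
					       &dinput.rcpt_user,
					       &errstr);
	if (ret <= 0) {
		if (ret < 0)
			i_fatal("%s", errstr);
		/* ret == 0: no such user */
		ret = EX_NOUSER;
	} else {
#ifdef SIGXFSZ
		lib_signals_ignore(SIGXFSZ, TRUE);
#endif
		if (*user_source != '\0') {
			e_debug(dinput.rcpt_user->event,
				"userdb lookup skipped, username taken from %s",
				user_source);
		}
		if (mail_from_error != NULL) {
			e_debug(event, "Broken -f parameter: %s "
				"(proceeding with <> as sender)",
				mail_from_error);
		}

		ret = lda_deliver(&dinput, service_user, user, path,
				  rcpt_to, rcpt_to_source, stderr_rejection);

		/* release the source mail opened by lda_raw_mail_open();
		   the pointers are copied first because mail_free()
		   clears dinput.src_mail */
		struct mailbox_transaction_context *t =
			dinput.src_mail->transaction;
		struct mailbox *box = dinput.src_mail->box;

		mail_free(&dinput.src_mail);
		mailbox_transaction_rollback(&t);
		mailbox_free(&box);

		mail_user_deinit(&dinput.rcpt_user);
		mail_storage_service_user_unref(&service_user);
	}

	mail_deliver_session_deinit(&dinput.session);
	mail_storage_service_deinit(&storage_service);

	event_unref(&event);
	master_service_deinit(&master_service);
	return ret;
}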