diff options
Diffstat (limited to '')
-rw-r--r-- | src/sendmail/sendmail.c | 1510 |
1 files changed, 1510 insertions, 0 deletions
diff --git a/src/sendmail/sendmail.c b/src/sendmail/sendmail.c new file mode 100644 index 0000000..27b3543 --- /dev/null +++ b/src/sendmail/sendmail.c @@ -0,0 +1,1510 @@ +/*++ +/* NAME +/* sendmail 1 +/* SUMMARY +/* Postfix to Sendmail compatibility interface +/* SYNOPSIS +/* \fBsendmail\fR [\fIoption ...\fR] [\fIrecipient ...\fR] +/* +/* \fBmailq\fR +/* \fBsendmail -bp\fR +/* +/* \fBnewaliases\fR +/* \fBsendmail -I\fR +/* DESCRIPTION +/* The Postfix \fBsendmail\fR(1) command implements the Postfix +/* to Sendmail compatibility interface. +/* For the sake of compatibility with existing applications, some +/* Sendmail command-line options are recognized but silently ignored. +/* +/* By default, Postfix \fBsendmail\fR(1) reads a message from +/* standard input +/* until EOF or until it reads a line with only a \fB.\fR character, +/* and arranges for delivery. Postfix \fBsendmail\fR(1) relies on the +/* \fBpostdrop\fR(1) command to create a queue file in the \fBmaildrop\fR +/* directory. +/* +/* Specific command aliases are provided for other common modes of +/* operation: +/* .IP \fBmailq\fR +/* List the mail queue. Each entry shows the queue file ID, message +/* size, arrival time, sender, and the recipients that still need to +/* be delivered. If mail could not be delivered upon the last attempt, +/* the reason for failure is shown. The queue ID string is +/* followed by an optional status character: +/* .RS +/* .IP \fB*\fR +/* The message is in the \fBactive\fR queue, i.e. the message is +/* selected for delivery. +/* .IP \fB!\fR +/* The message is in the \fBhold\fR queue, i.e. no further delivery +/* attempt will be made until the mail is taken off hold. +/* .IP \fB#\fR +/* The message is forced to expire. See the \fBpostsuper\fR(1) +/* options \fB-e\fR or \fB-f\fR. +/* .RE +/* .IP +/* This mode of operation is implemented by executing the +/* \fBpostqueue\fR(1) command. +/* .IP \fBnewaliases\fR +/* Initialize the alias database. If no input file is specified (with +/* the \fB-oA\fR option, see below), the program processes the file(s) +/* specified with the \fBalias_database\fR configuration parameter. +/* If no alias database type is specified, the program uses the type +/* specified with the \fBdefault_database_type\fR configuration parameter. +/* This mode of operation is implemented by running the \fBpostalias\fR(1) +/* command. +/* .sp +/* Note: it may take a minute or so before an alias database update +/* becomes visible. Use the "\fBpostfix reload\fR" command to eliminate +/* this delay. +/* .PP +/* These and other features can be selected by specifying the +/* appropriate combination of command-line options. Some features are +/* controlled by parameters in the \fBmain.cf\fR configuration file. +/* +/* The following options are recognized: +/* .IP "\fB-Am\fR (ignored)" +/* .IP "\fB-Ac\fR (ignored)" +/* Postfix sendmail uses the same configuration file regardless of +/* whether or not a message is an initial submission. +/* .IP "\fB-B \fIbody_type\fR" +/* The message body MIME type: \fB7BIT\fR or \fB8BITMIME\fR. +/* .IP \fB-bd\fR +/* Go into daemon mode. This mode of operation is implemented by +/* executing the "\fBpostfix start\fR" command. +/* .IP "\fB-bh\fR (ignored)" +/* .IP "\fB-bH\fR (ignored)" +/* Postfix has no persistent host status database. +/* .IP \fB-bi\fR +/* Initialize alias database. See the \fBnewaliases\fR +/* command above. +/* .IP \fB-bl\fR +/* Go into daemon mode. To accept only local connections as +/* with Sendmail's \fB-bl\fR option, specify "\fBinet_interfaces +/* = loopback\fR" in the Postfix \fBmain.cf\fR configuration +/* file. +/* .IP \fB-bm\fR +/* Read mail from standard input and arrange for delivery. +/* This is the default mode of operation. +/* .IP \fB-bp\fR +/* List the mail queue. See the \fBmailq\fR command above. +/* .IP \fB-bs\fR +/* Stand-alone SMTP server mode. Read SMTP commands from +/* standard input, and write responses to standard output. +/* In stand-alone SMTP server mode, mail relaying and other +/* access controls are disabled by default. To enable them, +/* run the process as the \fBmail_owner\fR user. +/* .sp +/* This mode of operation is implemented by running the +/* \fBsmtpd\fR(8) daemon. +/* .IP \fB-bv\fR +/* Do not collect or deliver a message. Instead, send an email +/* report after verifying each recipient address. This is useful +/* for testing address rewriting and routing configurations. +/* .sp +/* This feature is available in Postfix version 2.1 and later. +/* .IP "\fB-C \fIconfig_file\fR" +/* .IP "\fB-C \fIconfig_dir\fR" +/* The path name of the Postfix \fBmain.cf\fR file, or of its +/* parent directory. This information is ignored with Postfix +/* versions before 2.3. +/* +/* With Postfix version 3.2 and later, a non-default directory +/* must be authorized in the default \fBmain.cf\fR file, through +/* the alternate_config_directories or multi_instance_directories +/* parameters. +/* +/* With all Postfix versions, you can specify a directory pathname +/* with the MAIL_CONFIG environment variable to override the +/* location of configuration files. +/* .IP "\fB-F \fIfull_name\fR" +/* Set the sender full name. This overrides the NAME environment +/* variable, and is used only with messages that +/* have no \fBFrom:\fR message header. +/* .IP "\fB-f \fIsender\fR" +/* Set the envelope sender address. This is the address where +/* delivery problems are sent to. With Postfix versions before 2.1, the +/* \fBErrors-To:\fR message header overrides the error return address. +/* .IP \fB-G\fR +/* Gateway (relay) submission, as opposed to initial user +/* submission. Either do not rewrite addresses at all, or +/* update incomplete addresses with the domain information +/* specified with \fBremote_header_rewrite_domain\fR. +/* +/* This option is ignored before Postfix version 2.3. +/* .IP "\fB-h \fIhop_count\fR (ignored)" +/* Hop count limit. Use the \fBhopcount_limit\fR configuration +/* parameter instead. +/* .IP \fB-I\fR +/* Initialize alias database. See the \fBnewaliases\fR +/* command above. +/* .IP "\fB-i\fR" +/* When reading a message from standard input, don't treat a line +/* with only a \fB.\fR character as the end of input. +/* .IP "\fB-L \fIlabel\fR (ignored)" +/* The logging label. Use the \fBsyslog_name\fR configuration +/* parameter instead. +/* .IP "\fB-m\fR (ignored)" +/* Backwards compatibility. +/* .IP "\fB-N \fIdsn\fR (default: 'delay, failure')" +/* Delivery status notification control. Specify either a +/* comma-separated list with one or more of \fBfailure\fR (send +/* notification when delivery fails), \fBdelay\fR (send +/* notification when delivery is delayed), or \fBsuccess\fR +/* (send notification when the message is delivered); or specify +/* \fBnever\fR (don't send any notifications at all). +/* +/* This feature is available in Postfix 2.3 and later. +/* .IP "\fB-n\fR (ignored)" +/* Backwards compatibility. +/* .IP "\fB-oA\fIalias_database\fR" +/* Non-default alias database. Specify \fIpathname\fR or +/* \fItype\fR:\fIpathname\fR. See \fBpostalias\fR(1) for +/* details. +/* .IP "\fB-O \fIoption=value\fR (ignored)" +/* Set the named \fIoption\fR to \fIvalue\fR. Use the equivalent +/* configuration parameter in \fBmain.cf\fR instead. +/* .IP "\fB-o7\fR (ignored)" +/* .IP "\fB-o8\fR (ignored)" +/* To send 8-bit or binary content, use an appropriate MIME encapsulation +/* and specify the appropriate \fB-B\fR command-line option. +/* .IP "\fB-oi\fR" +/* When reading a message from standard input, don't treat a line +/* with only a \fB.\fR character as the end of input. +/* .IP "\fB-om\fR (ignored)" +/* The sender is never eliminated from alias etc. expansions. +/* .IP "\fB-o \fIx value\fR (ignored)" +/* Set option \fIx\fR to \fIvalue\fR. Use the equivalent +/* configuration parameter in \fBmain.cf\fR instead. +/* .IP "\fB-r \fIsender\fR" +/* Set the envelope sender address. This is the address where +/* delivery problems are sent to. With Postfix versions before 2.1, the +/* \fBErrors-To:\fR message header overrides the error return address. +/* .IP "\fB-R \fIreturn\fR" +/* Delivery status notification control. Specify "hdrs" to +/* return only the header when a message bounces, "full" to +/* return a full copy (the default behavior). +/* +/* The \fB-R\fR option specifies an upper bound; Postfix will +/* return only the header, when a full copy would exceed the +/* bounce_size_limit setting. +/* +/* This option is ignored before Postfix version 2.10. +/* .IP \fB-q\fR +/* Attempt to deliver all queued mail. This is implemented by +/* executing the \fBpostqueue\fR(1) command. +/* +/* Warning: flushing undeliverable mail frequently will result in +/* poor delivery performance of all other mail. +/* .IP "\fB-q\fIinterval\fR (ignored)" +/* The interval between queue runs. Use the \fBqueue_run_delay\fR +/* configuration parameter instead. +/* .IP \fB-qI\fIqueueid\fR +/* Schedule immediate delivery of mail with the specified queue +/* ID. This option is implemented by executing the +/* \fBpostqueue\fR(1) command, and is available with Postfix +/* version 2.4 and later. +/* .IP \fB-qR\fIsite\fR +/* Schedule immediate delivery of all mail that is queued for the named +/* \fIsite\fR. This option accepts only \fIsite\fR names that are +/* eligible for the "fast flush" service, and is implemented by +/* executing the \fBpostqueue\fR(1) command. +/* See \fBflush\fR(8) for more information about the "fast flush" +/* service. +/* .IP \fB-qS\fIsite\fR +/* This command is not implemented. Use the slower "\fBsendmail -q\fR" +/* command instead. +/* .IP \fB-t\fR +/* Extract recipients from message headers. These are added to any +/* recipients specified on the command line. +/* +/* With Postfix versions prior to 2.1, this option requires that +/* no recipient addresses are specified on the command line. +/* .IP "\fB-U\fR (ignored)" +/* Initial user submission. +/* .IP "\fB-V \fIenvid\fR" +/* Specify the envelope ID for notification by servers that +/* support DSN. +/* +/* This feature is available in Postfix 2.3 and later. +/* .IP "\fB-XV\fR (Postfix 2.2 and earlier: \fB-V\fR)" +/* Variable Envelope Return Path. Given an envelope sender address +/* of the form \fIowner-listname\fR@\fIorigin\fR, each recipient +/* \fIuser\fR@\fIdomain\fR receives mail with a personalized envelope +/* sender address. +/* .sp +/* By default, the personalized envelope sender address is +/* \fIowner-listname\fB+\fIuser\fB=\fIdomain\fR@\fIorigin\fR. The default +/* \fB+\fR and \fB=\fR characters are configurable with the +/* \fBdefault_verp_delimiters\fR configuration parameter. +/* .IP "\fB-XV\fIxy\fR (Postfix 2.2 and earlier: \fB-V\fIxy\fR)" +/* As \fB-XV\fR, but uses \fIx\fR and \fIy\fR as the VERP delimiter +/* characters, instead of the characters specified with the +/* \fBdefault_verp_delimiters\fR configuration parameter. +/* .IP \fB-v\fR +/* Send an email report of the first delivery attempt (Postfix +/* versions 2.1 and later). Mail delivery +/* always happens in the background. When multiple \fB-v\fR +/* options are given, enable verbose logging for debugging purposes. +/* .IP "\fB-X \fIlog_file\fR (ignored)" +/* Log mailer traffic. Use the \fBdebug_peer_list\fR and +/* \fBdebug_peer_level\fR configuration parameters instead. +/* SECURITY +/* .ad +/* .fi +/* By design, this program is not set-user (or group) id. +/* It is prepared to handle message content from untrusted, +/* possibly remote, users. +/* +/* However, like most Postfix programs, this program does not +/* enforce a security policy on its command-line arguments. +/* Instead, it relies on the UNIX system to enforce access +/* policies based on the effective user and group IDs of the +/* process. Concretely, this means that running Postfix commands +/* as root (from sudo or equivalent) on behalf of a non-root +/* user is likely to create privilege escalation opportunities. +/* +/* If an application runs any Postfix programs on behalf of +/* users that do not have normal shell access to Postfix +/* commands, then that application MUST restrict user-specified +/* command-line arguments to avoid privilege escalation. +/* .IP \(bu +/* Filter all command-line arguments, for example arguments +/* that contain a pathname or that specify a database access +/* method. These pathname checks must reject user-controlled +/* symlinks or hardlinks to sensitive files, and must not be +/* vulnerable to TOCTOU race attacks. +/* .IP \(bu +/* Disable command options processing for all command arguments +/* that contain user-specified data. For example, the Postfix +/* \fBsendmail\fR(1) command line MUST be structured as follows: +/* +/* .nf +/* \fB/path/to/sendmail\fR \fIsystem-arguments\fR \fB--\fR \fIuser-arguments\fR +/* .fi +/* +/* Here, the "\fB--\fR" disables command option processing for +/* all \fIuser-arguments\fR that follow. +/* .IP +/* Without the "\fB--\fR", a malicious user could enable Postfix +/* \fBsendmail\fR(1) command options, by specifying an email +/* address that starts with "\fB-\fR". +/* DIAGNOSTICS +/* Problems are logged to \fBsyslogd\fR(8) or \fBpostlogd\fR(8), +/* and to the standard error stream. +/* ENVIRONMENT +/* .ad +/* .fi +/* .IP \fBMAIL_CONFIG\fR +/* Directory with Postfix configuration files. +/* .IP "\fBMAIL_VERBOSE\fR (value does not matter)" +/* Enable verbose logging for debugging purposes. +/* .IP "\fBMAIL_DEBUG\fR (value does not matter)" +/* Enable debugging with an external command, as specified with the +/* \fBdebugger_command\fR configuration parameter. +/* .IP \fBNAME\fR +/* The sender full name. This is used only with messages that +/* have no \fBFrom:\fR message header. See also the \fB-F\fR +/* option above. +/* CONFIGURATION PARAMETERS +/* .ad +/* .fi +/* The following \fBmain.cf\fR parameters are especially relevant to +/* this program. +/* The text below provides only a parameter summary. See +/* \fBpostconf\fR(5) for more details including examples. +/* COMPATIBILITY CONTROLS +/* .ad +/* .fi +/* Available with Postfix 2.9 and later: +/* .IP "\fBsendmail_fix_line_endings (always)\fR" +/* Controls how the Postfix sendmail command converts email message +/* line endings from <CR><LF> into UNIX format (<LF>). +/* TROUBLE SHOOTING CONTROLS +/* .ad +/* .fi +/* The DEBUG_README file gives examples of how to troubleshoot a +/* Postfix system. +/* .IP "\fBdebugger_command (empty)\fR" +/* The external command to execute when a Postfix daemon program is +/* invoked with the -D option. +/* .IP "\fBdebug_peer_level (2)\fR" +/* The increment in verbose logging level when a nexthop destination, +/* remote client or server name or network address matches a pattern +/* given with the debug_peer_list parameter. +/* .IP "\fBdebug_peer_list (empty)\fR" +/* Optional list of nexthop destination, remote client or server +/* name or network address patterns that, if matched, cause the verbose +/* logging level to increase by the amount specified in $debug_peer_level. +/* ACCESS CONTROLS +/* .ad +/* .fi +/* Available in Postfix version 2.2 and later: +/* .IP "\fBauthorized_flush_users (static:anyone)\fR" +/* List of users who are authorized to flush the queue. +/* .IP "\fBauthorized_mailq_users (static:anyone)\fR" +/* List of users who are authorized to view the queue. +/* .IP "\fBauthorized_submit_users (static:anyone)\fR" +/* List of users who are authorized to submit mail with the \fBsendmail\fR(1) +/* command (and with the privileged \fBpostdrop\fR(1) helper command). +/* RESOURCE AND RATE CONTROLS +/* .ad +/* .fi +/* .IP "\fBbounce_size_limit (50000)\fR" +/* The maximal amount of original message text that is sent in a +/* non-delivery notification. +/* .IP "\fBfork_attempts (5)\fR" +/* The maximal number of attempts to fork() a child process. +/* .IP "\fBfork_delay (1s)\fR" +/* The delay between attempts to fork() a child process. +/* .IP "\fBhopcount_limit (50)\fR" +/* The maximal number of Received: message headers that is allowed +/* in the primary message headers. +/* .IP "\fBqueue_run_delay (300s)\fR" +/* The time between deferred queue scans by the queue manager; +/* prior to Postfix 2.4 the default value was 1000s. +/* FAST FLUSH CONTROLS +/* .ad +/* .fi +/* The ETRN_README file describes configuration and operation +/* details for the Postfix "fast flush" service. +/* .IP "\fBfast_flush_domains ($relay_domains)\fR" +/* Optional list of destinations that are eligible for per-destination +/* logfiles with mail that is queued to those destinations. +/* VERP CONTROLS +/* .ad +/* .fi +/* The VERP_README file describes configuration and operation +/* details of Postfix support for variable envelope return +/* path addresses. +/* .IP "\fBdefault_verp_delimiters (+=)\fR" +/* The two default VERP delimiter characters. +/* .IP "\fBverp_delimiter_filter (-=+)\fR" +/* The characters Postfix accepts as VERP delimiter characters on the +/* Postfix \fBsendmail\fR(1) command line and in SMTP commands. +/* MISCELLANEOUS CONTROLS +/* .ad +/* .fi +/* .IP "\fBalias_database (see 'postconf -d' output)\fR" +/* The alias databases for \fBlocal\fR(8) delivery that are updated with +/* "\fBnewaliases\fR" or with "\fBsendmail -bi\fR". +/* .IP "\fBcommand_directory (see 'postconf -d' output)\fR" +/* The location of all postfix administrative commands. +/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" +/* The default location of the Postfix main.cf and master.cf +/* configuration files. +/* .IP "\fBdaemon_directory (see 'postconf -d' output)\fR" +/* The directory with Postfix support programs and daemon programs. +/* .IP "\fBdefault_database_type (see 'postconf -d' output)\fR" +/* The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1) +/* and \fBpostmap\fR(1) commands. +/* .IP "\fBdelay_warning_time (0h)\fR" +/* The time after which the sender receives a copy of the message +/* headers of mail that is still queued. +/* .IP "\fBimport_environment (see 'postconf -d' output)\fR" +/* The list of environment variables that a privileged Postfix +/* process will import from a non-Postfix parent process, or name=value +/* environment overrides. +/* .IP "\fBmail_owner (postfix)\fR" +/* The UNIX system account that owns the Postfix queue and most Postfix +/* daemon processes. +/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" +/* The location of the Postfix top-level queue directory. +/* .IP "\fBremote_header_rewrite_domain (empty)\fR" +/* Don't rewrite message headers from remote clients at all when +/* this parameter is empty; otherwise, rewrite message headers and +/* append the specified domain name to incomplete addresses. +/* .IP "\fBsyslog_facility (mail)\fR" +/* The syslog facility of Postfix logging. +/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" +/* A prefix that is prepended to the process name in syslog +/* records, so that, for example, "smtpd" becomes "prefix/smtpd". +/* .PP +/* Postfix 3.2 and later: +/* .IP "\fBalternate_config_directories (empty)\fR" +/* A list of non-default Postfix configuration directories that may +/* be specified with "-c config_directory" on the command line (in the +/* case of \fBsendmail\fR(1), with the "-C" option), or via the MAIL_CONFIG +/* environment parameter. +/* .IP "\fBmulti_instance_directories (empty)\fR" +/* An optional list of non-default Postfix configuration directories; +/* these directories belong to additional Postfix instances that share +/* the Postfix executable files and documentation with the default +/* Postfix instance, and that are started, stopped, etc., together +/* with the default Postfix instance. +/* FILES +/* /var/spool/postfix, mail queue +/* /etc/postfix, configuration files +/* SEE ALSO +/* pickup(8), mail pickup daemon +/* qmgr(8), queue manager +/* smtpd(8), SMTP server +/* flush(8), fast flush service +/* postsuper(1), queue maintenance +/* postalias(1), create/update/query alias database +/* postdrop(1), mail posting utility +/* postfix(1), mail system control +/* postqueue(1), mail queue control +/* postlogd(8), Postfix logging +/* syslogd(8), system logging +/* README_FILES +/* .ad +/* .fi +/* Use "\fBpostconf readme_directory\fR" or +/* "\fBpostconf html_directory\fR" to locate this information. +/* .na +/* .nf +/* DEBUG_README, Postfix debugging howto +/* ETRN_README, Postfix ETRN howto +/* VERP_README, Postfix VERP howto +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/* +/* Wietse Venema +/* Google, Inc. +/* 111 8th Avenue +/* New York, NY 10011, USA +/*--*/ + +/* System library. */ + +#include <sys_defs.h> +#include <sys/stat.h> +#include <unistd.h> +#include <string.h> +#include <stdio.h> /* remove() */ +#include <stdlib.h> +#include <signal.h> +#include <fcntl.h> +#include <time.h> +#include <errno.h> +#include <ctype.h> +#include <stdarg.h> +#include <sysexits.h> + +/* Utility library. */ + +#include <msg.h> +#include <mymalloc.h> +#include <vstream.h> +#include <msg_vstream.h> +#include <vstring_vstream.h> +#include <username.h> +#include <fullname.h> +#include <argv.h> +#include <safe.h> +#include <iostuff.h> +#include <stringops.h> +#include <set_ugid.h> +#include <connect.h> +#include <split_at.h> +#include <name_code.h> +#include <warn_stat.h> +#include <clean_env.h> +#include <maillog_client.h> + +/* Global library. */ + +#include <mail_queue.h> +#include <mail_proto.h> +#include <mail_params.h> +#include <mail_version.h> +#include <record.h> +#include <rec_type.h> +#include <rec_streamlf.h> +#include <mail_conf.h> +#include <cleanup_user.h> +#include <mail_task.h> +#include <mail_run.h> +#include <debug_process.h> +#include <tok822.h> +#include <mail_flush.h> +#include <mail_stream.h> +#include <verp_sender.h> +#include <deliver_request.h> +#include <mime_state.h> +#include <header_opts.h> +#include <mail_dict.h> +#include <user_acl.h> +#include <dsn_mask.h> +#include <mail_parm_split.h> + +/* Application-specific. */ + + /* + * Modes of operation. + */ +#define SM_MODE_ENQUEUE 1 /* delivery mode */ +#define SM_MODE_NEWALIAS 2 /* initialize alias database */ +#define SM_MODE_MAILQ 3 /* list mail queue */ +#define SM_MODE_DAEMON 4 /* daemon mode */ +#define SM_MODE_USER 5 /* user (stand-alone) mode */ +#define SM_MODE_FLUSHQ 6 /* user (stand-alone) mode */ +#define SM_MODE_IGNORE 7 /* ignore this mode */ + + /* + * Flag parade. Flags 8-15 are reserved for delivery request trace flags. + */ +#define SM_FLAG_AEOF (1<<0) /* archaic EOF */ +#define SM_FLAG_XRCPT (1<<1) /* extract recipients from headers */ + +#define SM_FLAG_DEFAULT (SM_FLAG_AEOF) + + /* + * VERP support. + */ +static char *verp_delims; + + /* + * Callback context for extracting recipients. + */ +typedef struct SM_STATE { + VSTREAM *dst; /* output stream */ + ARGV *recipients; /* recipients from regular headers */ + ARGV *resent_recip; /* recipients from resent headers */ + int resent; /* resent flag */ + const char *saved_sender; /* for error messages */ + uid_t uid; /* for error messages */ + VSTRING *temp; /* scratch buffer */ +} SM_STATE; + + /* + * Mail submission ACL, line-end fixing. + */ +char *var_submit_acl; +char *var_sm_fix_eol; + +static const CONFIG_STR_TABLE str_table[] = { + VAR_SUBMIT_ACL, DEF_SUBMIT_ACL, &var_submit_acl, 0, 0, + VAR_SM_FIX_EOL, DEF_SM_FIX_EOL, &var_sm_fix_eol, 1, 0, + 0, +}; + + /* + * Silly little macros (SLMs). + */ +#define STR vstring_str + +/* output_text - output partial or complete text line */ + +static void output_text(void *context, int rec_type, const char *buf, ssize_t len, + off_t unused_offset) +{ + SM_STATE *state = (SM_STATE *) context; + + if (rec_put(state->dst, rec_type, buf, len) < 0) + msg_fatal_status(EX_TEMPFAIL, + "%s(%ld): error writing queue file: %m", + state->saved_sender, (long) state->uid); +} + +/* output_header - output one message header */ + +static void output_header(void *context, int header_class, + const HEADER_OPTS *header_info, + VSTRING *buf, off_t offset) +{ + SM_STATE *state = (SM_STATE *) context; + TOK822 *tree; + TOK822 **addr_list; + TOK822 **tpp; + ARGV *rcpt; + char *start; + char *line; + char *next_line; + ssize_t len; + + /* + * Parse the header line, and save copies of recipient addresses in the + * appropriate place. + */ + if (header_class == MIME_HDR_PRIMARY + && header_info + && (header_info->flags & HDR_OPT_RECIP) + && (header_info->flags & HDR_OPT_EXTRACT) + && (state->resent == 0 || (header_info->flags & HDR_OPT_RR))) { + if (header_info->flags & HDR_OPT_RR) { + rcpt = state->resent_recip; + if (state->resent == 0) + state->resent = 1; + } else + rcpt = state->recipients; + tree = tok822_parse(STR(buf) + strlen(header_info->name) + 1); + addr_list = tok822_grep(tree, TOK822_ADDR); + for (tpp = addr_list; *tpp; tpp++) { + tok822_internalize(state->temp, tpp[0]->head, TOK822_STR_DEFL); + argv_add(rcpt, STR(state->temp), (char *) 0); + } + myfree((void *) addr_list); + tok822_free_tree(tree); + } + + /* + * Pipe the unmodified message header through the header line folding + * routine, and ensure that long lines are chopped appropriately. + */ + for (line = start = STR(buf); line; line = next_line) { + next_line = split_at(line, '\n'); + len = next_line ? next_line - line - 1 : strlen(line); + do { + if (len > var_line_limit) { + output_text(context, REC_TYPE_CONT, line, var_line_limit, offset); + line += var_line_limit; + len -= var_line_limit; + offset += var_line_limit; + } else { + output_text(context, REC_TYPE_NORM, line, len, offset); + offset += len; + break; + } + } while (len > 0); + offset += 1; + } +} + +/* enqueue - post one message */ + +static void enqueue(const int flags, const char *encoding, + const char *dsn_envid, int dsn_ret, int dsn_notify, + const char *rewrite_context, const char *sender, + const char *full_name, char **recipients) +{ + VSTRING *buf; + VSTREAM *dst; + char *saved_sender; + char **cpp; + int type; + char *start; + int skip_from_; + TOK822 *tree; + TOK822 *tp; + int rcpt_count = 0; + enum { + STRIP_CR_DUNNO, STRIP_CR_DO, STRIP_CR_DONT, STRIP_CR_ERROR + } strip_cr; + MAIL_STREAM *handle; + VSTRING *postdrop_command; + uid_t uid = getuid(); + int status; + VSTRING *why; /* postdrop status message */ + int naddr; + int prev_type; + MIME_STATE *mime_state = 0; + SM_STATE state; + int mime_errs; + const char *errstr; + int addr_count; + int level; + static NAME_CODE sm_fix_eol_table[] = { + SM_FIX_EOL_ALWAYS, STRIP_CR_DO, + SM_FIX_EOL_STRICT, STRIP_CR_DUNNO, + SM_FIX_EOL_NEVER, STRIP_CR_DONT, + 0, STRIP_CR_ERROR, + }; + + /* + * Access control is enforced in the postdrop command. The code here + * merely produces a more user-friendly interface. + */ + if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, + var_submit_acl, uid)) != 0) + msg_fatal_status(EX_NOPERM, + "User %s(%ld) is not allowed to submit mail", errstr, (long) uid); + + /* + * Initialize. + */ + buf = vstring_alloc(100); + + /* + * Stop run-away process accidents by limiting the queue file size. This + * is not a defense against DOS attack. + */ + if (ENFORCING_SIZE_LIMIT(var_message_limit) + && get_file_limit() > var_message_limit) + set_file_limit((off_t) var_message_limit); + + /* + * The sender name is provided by the user. In principle, the mail pickup + * service could deduce the sender name from queue file ownership, but: + * pickup would not be able to run chrooted, and it may not be desirable + * to use login names at all. + */ + if (sender != 0) { + VSTRING_RESET(buf); + VSTRING_TERMINATE(buf); + tree = tok822_parse(sender); + for (naddr = 0, tp = tree; tp != 0; tp = tp->next) + if (tp->type == TOK822_ADDR && naddr++ == 0) + tok822_internalize(buf, tp->head, TOK822_STR_DEFL); + tok822_free_tree(tree); + saved_sender = mystrdup(STR(buf)); + if (naddr > 1) + msg_warn("-f option specified malformed sender: %s", sender); + } else { + if ((sender = username()) == 0) + msg_fatal_status(EX_OSERR, "no login name found for user ID %lu", + (unsigned long) uid); + saved_sender = mystrdup(sender); + } + + /* + * Let the postdrop command open the queue file for us, and sanity check + * the content. XXX Make postdrop a manifest constant. + */ + errno = 0; + postdrop_command = vstring_alloc(1000); + vstring_sprintf(postdrop_command, "%s/postdrop -r", var_command_dir); + for (level = 0; level < msg_verbose; level++) + vstring_strcat(postdrop_command, " -v"); + if ((handle = mail_stream_command(STR(postdrop_command))) == 0) + msg_fatal_status(EX_UNAVAILABLE, "%s(%ld): unable to execute %s: %m", + saved_sender, (long) uid, STR(postdrop_command)); + vstring_free(postdrop_command); + dst = handle->stream; + + /* + * First, write envelope information to the output stream. + * + * For sendmail compatibility, parse each command-line recipient as if it + * were an RFC 822 message header; some MUAs specify comma-separated + * recipient lists; and some MUAs even specify "word word <address>". + * + * Sort-uniq-ing the recipient list is done after address canonicalization, + * before recipients are written to queue file. That's cleaner than + * having the queue manager nuke duplicate recipient status records. + * + * XXX Should limit the size of envelope records. + * + * With "sendmail -N", instead of a per-message NOTIFY record we store one + * per recipient so that we can simplify the implementation somewhat. + */ + if (dsn_envid) + rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", + MAIL_ATTR_DSN_ENVID, dsn_envid); + if (dsn_ret) + rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", + MAIL_ATTR_DSN_RET, dsn_ret); + rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", + MAIL_ATTR_RWR_CONTEXT, rewrite_context); + if (full_name || (full_name = fullname()) != 0) + rec_fputs(dst, REC_TYPE_FULL, full_name); + rec_fputs(dst, REC_TYPE_FROM, saved_sender); + if (verp_delims && *saved_sender == 0) + msg_fatal_status(EX_USAGE, + "%s(%ld): -V option requires non-null sender address", + saved_sender, (long) uid); + if (encoding) + rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", MAIL_ATTR_ENCODING, encoding); + if (DEL_REQ_TRACE_FLAGS(flags)) + rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", MAIL_ATTR_TRACE_FLAGS, + DEL_REQ_TRACE_FLAGS(flags)); + if (verp_delims) + rec_fputs(dst, REC_TYPE_VERP, verp_delims); + if (recipients) { + for (cpp = recipients; *cpp != 0; cpp++) { + tree = tok822_parse(*cpp); + for (addr_count = 0, tp = tree; tp != 0; tp = tp->next) { + if (tp->type == TOK822_ADDR) { + tok822_internalize(buf, tp->head, TOK822_STR_DEFL); + if (dsn_notify) + rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", + MAIL_ATTR_DSN_NOTIFY, dsn_notify); + if (REC_PUT_BUF(dst, REC_TYPE_RCPT, buf) < 0) + msg_fatal_status(EX_TEMPFAIL, + "%s(%ld): error writing queue file: %m", + saved_sender, (long) uid); + ++rcpt_count; + ++addr_count; + } + } + tok822_free_tree(tree); + if (addr_count == 0) { + if (rec_put(dst, REC_TYPE_RCPT, "", 0) < 0) + msg_fatal_status(EX_TEMPFAIL, + "%s(%ld): error writing queue file: %m", + saved_sender, (long) uid); + ++rcpt_count; + } + } + } + + /* + * Append the message contents to the queue file. Write chunks of at most + * 1kbyte. Internally, we use different record types for data ending in + * LF and for data that doesn't, so we can actually be binary transparent + * for local mail. Unfortunately, SMTP has no record continuation + * convention, so there is no guarantee that arbitrary data will be + * delivered intact via SMTP. Strip leading From_ lines. For the benefit + * of UUCP environments, also get rid of leading >>>From_ lines. + */ + rec_fputs(dst, REC_TYPE_MESG, ""); + if (DEL_REQ_TRACE_ONLY(flags) != 0) { + if (flags & SM_FLAG_XRCPT) + msg_fatal_status(EX_USAGE, "%s(%ld): -t option cannot be used with -bv", + saved_sender, (long) uid); + if (*saved_sender) + rec_fprintf(dst, REC_TYPE_NORM, "From: %s", saved_sender); + rec_fprintf(dst, REC_TYPE_NORM, "Subject: probe"); + if (recipients) { + rec_fprintf(dst, REC_TYPE_CONT, "To:"); + for (cpp = recipients; *cpp != 0; cpp++) { + rec_fprintf(dst, REC_TYPE_NORM, " %s%s", + *cpp, cpp[1] ? "," : ""); + } + } + } else { + + /* + * Initialize the MIME processor and set up the callback context. + */ + if (flags & SM_FLAG_XRCPT) { + state.dst = dst; + state.recipients = argv_alloc(2); + state.resent_recip = argv_alloc(2); + state.resent = 0; + state.saved_sender = saved_sender; + state.uid = uid; + state.temp = vstring_alloc(10); + mime_state = mime_state_alloc(MIME_OPT_DISABLE_MIME + | MIME_OPT_REPORT_TRUNC_HEADER, + output_header, + (MIME_STATE_ANY_END) 0, + output_text, + (MIME_STATE_ANY_END) 0, + (MIME_STATE_ERR_PRINT) 0, + (void *) &state); + } + + /* + * Process header/body lines. + */ + skip_from_ = 1; + strip_cr = name_code(sm_fix_eol_table, NAME_CODE_FLAG_STRICT_CASE, + var_sm_fix_eol); + if (strip_cr == STRIP_CR_ERROR) + msg_fatal_status(EX_USAGE, + "invalid %s value: %s", VAR_SM_FIX_EOL, var_sm_fix_eol); + for (prev_type = 0; (type = rec_streamlf_get(VSTREAM_IN, buf, var_line_limit)) + != REC_TYPE_EOF; prev_type = type) { + if (strip_cr == STRIP_CR_DUNNO && type == REC_TYPE_NORM) { + if (VSTRING_LEN(buf) > 0 && vstring_end(buf)[-1] == '\r') + strip_cr = STRIP_CR_DO; + else + strip_cr = STRIP_CR_DONT; + } + if (skip_from_) { + if (type == REC_TYPE_NORM) { + start = STR(buf); + if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) + continue; + } + skip_from_ = 0; + } + if (strip_cr == STRIP_CR_DO && type == REC_TYPE_NORM) + while (VSTRING_LEN(buf) > 0 && vstring_end(buf)[-1] == '\r') + vstring_truncate(buf, VSTRING_LEN(buf) - 1); + if ((flags & SM_FLAG_AEOF) && prev_type != REC_TYPE_CONT + && VSTRING_LEN(buf) == 1 && *STR(buf) == '.') + break; + if (mime_state) { + mime_errs = mime_state_update(mime_state, type, STR(buf), + VSTRING_LEN(buf)); + if (mime_errs) + msg_fatal_status(EX_DATAERR, + "%s(%ld): unable to extract recipients: %s", + saved_sender, (long) uid, + mime_state_error(mime_errs)); + } else { + if (REC_PUT_BUF(dst, type, buf) < 0) + msg_fatal_status(EX_TEMPFAIL, + "%s(%ld): error writing queue file: %m", + saved_sender, (long) uid); + } + } + } + + /* + * Finish MIME processing. We need a final mime_state_update() call in + * order to flush text that is still buffered. That can happen when the + * last line did not end in newline. + */ + if (mime_state) { + mime_errs = mime_state_update(mime_state, REC_TYPE_EOF, "", 0); + if (mime_errs) + msg_fatal_status(EX_DATAERR, + "%s(%ld): unable to extract recipients: %s", + saved_sender, (long) uid, + mime_state_error(mime_errs)); + mime_state = mime_state_free(mime_state); + } + + /* + * Append recipient addresses that were extracted from message headers. + */ + rec_fputs(dst, REC_TYPE_XTRA, ""); + if (flags & SM_FLAG_XRCPT) { + for (cpp = state.resent ? state.resent_recip->argv : + state.recipients->argv; *cpp; cpp++) { + if (dsn_notify) + rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", + MAIL_ATTR_DSN_NOTIFY, dsn_notify); + if (rec_put(dst, REC_TYPE_RCPT, *cpp, strlen(*cpp)) < 0) + msg_fatal_status(EX_TEMPFAIL, + "%s(%ld): error writing queue file: %m", + saved_sender, (long) uid); + ++rcpt_count; + } + argv_free(state.recipients); + argv_free(state.resent_recip); + vstring_free(state.temp); + } + if (rcpt_count == 0) + msg_fatal_status(EX_USAGE, (flags & SM_FLAG_XRCPT) ? + "%s(%ld): No recipient addresses found in message header" : + "%s(%ld): Recipient addresses must be specified on" + " the command line or via the -t option", + saved_sender, (long) uid); + + /* + * Identify the end of the queue file. + */ + rec_fputs(dst, REC_TYPE_END, ""); + + /* + * Make sure that the message makes it to the file system. Once we have + * terminated with successful exit status we cannot lose the message due + * to "frivolous reasons". If all goes well, prevent the run-time error + * handler from removing the file. + */ + if (vstream_ferror(VSTREAM_IN)) + msg_fatal_status(EX_DATAERR, "%s(%ld): error reading input: %m", + saved_sender, (long) uid); + why = vstring_alloc(100); + if ((status = mail_stream_finish(handle, why)) != CLEANUP_STAT_OK) + msg_fatal_status((status & CLEANUP_STAT_BAD) ? EX_SOFTWARE : + (status & CLEANUP_STAT_WRITE) ? EX_TEMPFAIL : + (status & CLEANUP_STAT_NOPERM) ? EX_NOPERM : + EX_UNAVAILABLE, "%s(%ld): %s", saved_sender, + (long) uid, VSTRING_LEN(why) ? + STR(why) : cleanup_strerror(status)); + vstring_free(why); + + /* + * Don't leave them in the dark. + */ + if (DEL_REQ_TRACE_FLAGS(flags)) { + vstream_printf("Mail Delivery Status Report will be mailed to <%s>.\n", + saved_sender); + vstream_fflush(VSTREAM_OUT); + } + + /* + * Cleanup. Not really necessary as we're about to exit, but good for + * debugging purposes. + */ + vstring_free(buf); + myfree(saved_sender); +} + +/* tempfail - sanitize exit status after library run-time error */ + +static void tempfail(void) +{ + exit(EX_TEMPFAIL); +} + +MAIL_VERSION_STAMP_DECLARE; + +/* main - the main program */ + +int main(int argc, char **argv) +{ + static char *full_name = 0; /* sendmail -F */ + struct stat st; + char *slash; + char *sender = 0; /* sendmail -f */ + int c; + int fd; + int mode; + ARGV *ext_argv; + int debug_me = 0; + int err; + int n; + int flags = SM_FLAG_DEFAULT; + char *site_to_flush = 0; + char *id_to_flush = 0; + char *encoding = 0; + char *qtime = 0; + const char *errstr; + uid_t uid; + const char *rewrite_context = MAIL_ATTR_RWR_LOCAL; + int dsn_notify = 0; + int dsn_ret = 0; + const char *dsn_envid = 0; + int saved_optind; + ARGV *import_env; + char *alias_map_from_args = 0; + + /* + * Fingerprint executables and core dumps. + */ + MAIL_VERSION_STAMP_ALLOCATE; + + /* + * Be consistent with file permissions. + */ + umask(022); + + /* + * To minimize confusion, make sure that the standard file descriptors + * are open before opening anything else. XXX Work around for 44BSD where + * fstat can return EBADF on an open file descriptor. + */ + for (fd = 0; fd < 3; fd++) + if (fstat(fd, &st) == -1 + && (close(fd), open("/dev/null", O_RDWR, 0)) != fd) + msg_fatal_status(EX_OSERR, "open /dev/null: %m"); + + /* + * The CDE desktop calendar manager leaks a parent file descriptor into + * the child process. For the sake of sendmail compatibility we have to + * close the file descriptor otherwise mail notification will hang. + */ + for ( /* void */ ; fd < 100; fd++) + (void) close(fd); + + /* + * Process environment options as early as we can. We might be called + * from a set-uid (set-gid) program, so be careful with importing + * environment variables. + */ + if (safe_getenv(CONF_ENV_VERB)) + msg_verbose = 1; + if (safe_getenv(CONF_ENV_DEBUG)) + debug_me = 1; + + /* + * Initialize. Set up logging. Read the global configuration file after + * command-line processing. Set up signal handlers so that we can clean + * up incomplete output. + */ + if ((slash = strrchr(argv[0], '/')) != 0 && slash[1]) + argv[0] = slash + 1; + msg_vstream_init(argv[0], VSTREAM_ERR); + msg_cleanup(tempfail); + maillog_client_init(mail_task("sendmail"), MAILLOG_CLIENT_FLAG_NONE); + set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0])); + + /* + * Check the Postfix library version as soon as we enable logging. + */ + MAIL_VERSION_CHECK; + + /* + * Some sites mistakenly install Postfix sendmail as set-uid root. Drop + * set-uid privileges only when root, otherwise some systems will not + * reset the saved set-userid, which would be a security vulnerability. + */ + if (geteuid() == 0 && getuid() != 0) { + msg_warn("the Postfix sendmail command has set-uid root file permissions"); + msg_warn("or the command is run from a set-uid root process"); + msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions"); + set_ugid(getuid(), getgid()); + } + + /* + * Further initialization. Load main.cf first, so that command-line + * options can override main.cf settings. Pre-scan the argument list so + * that we load the right main.cf file. + */ +#define GETOPT_LIST "A:B:C:F:GIL:N:O:R:UV:X:b:ce:f:h:imno:p:r:q:tvx" + + saved_optind = optind; + while (argv[OPTIND] != 0) { + if (strcmp(argv[OPTIND], "-q") == 0) { /* not getopt compatible */ + optind++; + continue; + } + if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0) + break; + if (c == 'C') { + VSTRING *buf = vstring_alloc(1); + char *dir; + + dir = strcmp(sane_basename(buf, optarg), MAIN_CONF_FILE) == 0 ? + sane_dirname(buf, optarg) : optarg; + if (strcmp(dir, DEF_CONFIG_DIR) != 0 && geteuid() != 0) + mail_conf_checkdir(dir); + if (setenv(CONF_ENV_PATH, dir, 1) < 0) + msg_fatal_status(EX_UNAVAILABLE, "out of memory"); + vstring_free(buf); + } + } + optind = saved_optind; + mail_conf_read(); + /* Enforce consistent operation of different Postfix parts. */ + import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ); + update_env(import_env->argv); + argv_free(import_env); + /* Re-evaluate mail_task() after reading main.cf. */ + maillog_client_init(mail_task("sendmail"), MAILLOG_CLIENT_FLAG_NONE); + get_mail_conf_str_table(str_table); + + mail_dict_init(); + + if (chdir(var_queue_dir)) + msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir); + + signal(SIGPIPE, SIG_IGN); + + /* + * Optionally start the debugger on ourself. This must be done after + * reading the global configuration file, because that file specifies + * what debugger command to execute. + */ + if (debug_me) + debug_process(); + + /* + * The default mode of operation is determined by the process name. It + * can, however, be changed via command-line options (for example, + * "newaliases -bp" will show the mail queue). + */ + if (strcmp(argv[0], "mailq") == 0) { + mode = SM_MODE_MAILQ; + } else if (strcmp(argv[0], "newaliases") == 0) { + mode = SM_MODE_NEWALIAS; + } else if (strcmp(argv[0], "smtpd") == 0) { + mode = SM_MODE_DAEMON; + } else { + mode = SM_MODE_ENQUEUE; + } + + /* + * Parse JCL. Sendmail has been around for a long time, and has acquired + * a large number of options in the course of time. Some options such as + * -q are not parsable with GETOPT() and get special treatment. + */ +#define OPTIND (optind > 0 ? optind : 1) + + while (argv[OPTIND] != 0) { + if (strcmp(argv[OPTIND], "-q") == 0) { + if (mode == SM_MODE_DAEMON) + msg_warn("ignoring -q option in daemon mode"); + else + mode = SM_MODE_FLUSHQ; + optind++; + continue; + } + if (strcmp(argv[OPTIND], "-V") == 0 + && argv[OPTIND + 1] != 0 && strlen(argv[OPTIND + 1]) == 2) { + msg_warn("option -V is deprecated with Postfix 2.3; " + "specify -XV instead"); + argv[OPTIND] = "-XV"; + } + if (strncmp(argv[OPTIND], "-V", 2) == 0 && strlen(argv[OPTIND]) == 4) { + msg_warn("option %s is deprecated with Postfix 2.3; " + "specify -X%s instead", + argv[OPTIND], argv[OPTIND] + 1); + argv[OPTIND] = concatenate("-X", argv[OPTIND] + 1, (char *) 0); + } + if (strcmp(argv[OPTIND], "-XV") == 0) { + verp_delims = var_verp_delims; + optind++; + continue; + } + if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0) + break; + switch (c) { + default: + if (msg_verbose) + msg_info("-%c option ignored", c); + break; + case 'n': + msg_fatal_status(EX_USAGE, "-%c option not supported", c); + case 'B': + if (strcmp(optarg, "8BITMIME") == 0)/* RFC 1652 */ + encoding = MAIL_ATTR_ENC_8BIT; + else if (strcmp(optarg, "7BIT") == 0) /* RFC 1652 */ + encoding = MAIL_ATTR_ENC_7BIT; + else + msg_fatal_status(EX_USAGE, "-B option needs 8BITMIME or 7BIT"); + break; + case 'F': /* full name */ + full_name = optarg; + break; + case 'G': /* gateway submission */ + rewrite_context = MAIL_ATTR_RWR_REMOTE; + break; + case 'I': /* newaliases */ + mode = SM_MODE_NEWALIAS; + break; + case 'N': + if ((dsn_notify = dsn_notify_mask(optarg)) == 0) + msg_warn("bad -N option value -- ignored"); + break; + case 'R': + if ((dsn_ret = dsn_ret_code(optarg)) == 0) + msg_warn("bad -R option value -- ignored"); + break; + case 'V': /* DSN, was: VERP */ + if (strlen(optarg) > 100) + msg_warn("too long -V option value -- ignored"); + else if (!allprint(optarg)) + msg_warn("bad syntax in -V option value -- ignored"); + else + dsn_envid = optarg; + break; + case 'X': + switch (*optarg) { + default: + msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg); + case 'V': /* VERP */ + if (verp_delims_verify(optarg + 1) != 0) + msg_fatal_status(EX_USAGE, "-V requires two characters from %s", + var_verp_filter); + verp_delims = optarg + 1; + break; + } + break; + case 'b': + switch (*optarg) { + default: + msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg); + case 'd': /* daemon mode */ + case 'l': /* daemon mode */ + if (mode == SM_MODE_FLUSHQ) + msg_warn("ignoring -q option in daemon mode"); + mode = SM_MODE_DAEMON; + break; + case 'h': /* print host status */ + case 'H': /* flush host status */ + mode = SM_MODE_IGNORE; + break; + case 'i': /* newaliases */ + mode = SM_MODE_NEWALIAS; + break; + case 'm': /* deliver mail */ + mode = SM_MODE_ENQUEUE; + break; + case 'p': /* mailq */ + mode = SM_MODE_MAILQ; + break; + case 's': /* stand-alone mode */ + mode = SM_MODE_USER; + break; + case 'v': /* expand recipients */ + flags |= DEL_REQ_FLAG_USR_VRFY; + break; + } + break; + case 'f': + sender = optarg; + break; + case 'i': + flags &= ~SM_FLAG_AEOF; + break; + case 'o': + switch (*optarg) { + default: + if (msg_verbose) + msg_info("-%c%c option ignored", c, *optarg); + break; + case 'A': + if (optarg[1] == 0) + msg_fatal_status(EX_USAGE, "-oA requires pathname"); + alias_map_from_args = optarg + 1; + break; + case '7': + case '8': + break; + case 'i': + flags &= ~SM_FLAG_AEOF; + break; + case 'm': + break; + } + break; + case 'r': /* obsoleted by -f */ + sender = optarg; + break; + case 'q': + if (ISDIGIT(optarg[0])) { + qtime = optarg; + } else if (optarg[0] == 'R') { + site_to_flush = optarg + 1; + if (*site_to_flush == 0) + msg_fatal_status(EX_USAGE, "specify: -qRsitename"); + } else if (optarg[0] == 'I') { + id_to_flush = optarg + 1; + if (*id_to_flush == 0) + msg_fatal_status(EX_USAGE, "specify: -qIqueueid"); + } else { + msg_fatal_status(EX_USAGE, "-q%c is not implemented", + optarg[0]); + } + break; + case 't': + flags |= SM_FLAG_XRCPT; + break; + case 'v': + msg_verbose++; + break; + case '?': + msg_fatal_status(EX_USAGE, "usage: %s [options]", argv[0]); + } + } + + /* + * Look for conflicting options and arguments. + */ + if ((flags & SM_FLAG_XRCPT) && mode != SM_MODE_ENQUEUE) + msg_fatal_status(EX_USAGE, "-t can be used only in delivery mode"); + + if (site_to_flush && mode != SM_MODE_ENQUEUE) + msg_fatal_status(EX_USAGE, "-qR can be used only in delivery mode"); + + if (id_to_flush && mode != SM_MODE_ENQUEUE) + msg_fatal_status(EX_USAGE, "-qI can be used only in delivery mode"); + + if (flags & DEL_REQ_FLAG_USR_VRFY) { + if (flags & SM_FLAG_XRCPT) + msg_fatal_status(EX_USAGE, "-t option cannot be used with -bv"); + if (dsn_notify) + msg_fatal_status(EX_USAGE, "-N option cannot be used with -bv"); + if (dsn_ret) + msg_fatal_status(EX_USAGE, "-R option cannot be used with -bv"); + if (msg_verbose == 1) + msg_fatal_status(EX_USAGE, "-v option cannot be used with -bv"); + } + + /* + * The -v option plays double duty. One requests verbose delivery, more + * than one requests verbose logging. + */ + if (msg_verbose == 1 && mode == SM_MODE_ENQUEUE) { + msg_verbose = 0; + flags |= DEL_REQ_FLAG_RECORD; + } + + /* + * Start processing. Everything is delegated to external commands. + */ + if (qtime && mode != SM_MODE_DAEMON) + exit(0); + switch (mode) { + default: + msg_panic("unknown operation mode: %d", mode); + /* NOTREACHED */ + case SM_MODE_ENQUEUE: + if (site_to_flush) { + if (argv[OPTIND]) + msg_fatal_status(EX_USAGE, "flush site requires no recipient"); + ext_argv = argv_alloc(2); + argv_add(ext_argv, "postqueue", "-s", site_to_flush, (char *) 0); + for (n = 0; n < msg_verbose; n++) + argv_add(ext_argv, "-v", (char *) 0); + argv_terminate(ext_argv); + mail_run_replace(var_command_dir, ext_argv->argv); + /* NOTREACHED */ + } else if (id_to_flush) { + if (argv[OPTIND]) + msg_fatal_status(EX_USAGE, "flush queue_id requires no recipient"); + ext_argv = argv_alloc(2); + argv_add(ext_argv, "postqueue", "-i", id_to_flush, (char *) 0); + for (n = 0; n < msg_verbose; n++) + argv_add(ext_argv, "-v", (char *) 0); + argv_terminate(ext_argv); + mail_run_replace(var_command_dir, ext_argv->argv); + /* NOTREACHED */ + } else { + enqueue(flags, encoding, dsn_envid, dsn_ret, dsn_notify, + rewrite_context, sender, full_name, argv + OPTIND); + exit(0); + /* NOTREACHED */ + } + break; + case SM_MODE_MAILQ: + if (argv[OPTIND]) + msg_fatal_status(EX_USAGE, + "display queue mode requires no recipient"); + ext_argv = argv_alloc(2); + argv_add(ext_argv, "postqueue", "-p", (char *) 0); + for (n = 0; n < msg_verbose; n++) + argv_add(ext_argv, "-v", (char *) 0); + argv_terminate(ext_argv); + mail_run_replace(var_command_dir, ext_argv->argv); + /* NOTREACHED */ + case SM_MODE_FLUSHQ: + if (argv[OPTIND]) + msg_fatal_status(EX_USAGE, + "flush queue mode requires no recipient"); + ext_argv = argv_alloc(2); + argv_add(ext_argv, "postqueue", "-f", (char *) 0); + for (n = 0; n < msg_verbose; n++) + argv_add(ext_argv, "-v", (char *) 0); + argv_terminate(ext_argv); + mail_run_replace(var_command_dir, ext_argv->argv); + /* NOTREACHED */ + case SM_MODE_DAEMON: + if (argv[OPTIND]) + msg_fatal_status(EX_USAGE, "daemon mode requires no recipient"); + ext_argv = argv_alloc(2); + argv_add(ext_argv, "postfix", (char *) 0); + for (n = 0; n < msg_verbose; n++) + argv_add(ext_argv, "-v", (char *) 0); + argv_add(ext_argv, "start", (char *) 0); + argv_terminate(ext_argv); + err = (mail_run_background(var_command_dir, ext_argv->argv) < 0); + argv_free(ext_argv); + exit(err); + break; + case SM_MODE_NEWALIAS: + if (argv[OPTIND]) + msg_fatal_status(EX_USAGE, + "alias initialization mode requires no recipient"); + if (alias_map_from_args == 0 && *var_alias_db_map == 0) + return (0); + ext_argv = argv_alloc(3); + argv_add(ext_argv, "postalias", (char *) 0); + for (n = 0; n < msg_verbose; n++) + argv_add(ext_argv, "-v", (char *) 0); + argv_add(ext_argv, "--", (char *) 0); + if (alias_map_from_args != 0) + argv_add(ext_argv, alias_map_from_args, (char *) 0); + else + argv_split_append(ext_argv, var_alias_db_map, CHARS_COMMA_SP); + argv_terminate(ext_argv); + mail_run_replace(var_command_dir, ext_argv->argv); + /* NOTREACHED */ + case SM_MODE_USER: + if (argv[OPTIND]) + msg_fatal_status(EX_USAGE, + "stand-alone mode requires no recipient"); + /* The actual enforcement happens in the postdrop command. */ + if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl, + uid = getuid())) != 0) + msg_fatal_status(EX_NOPERM, + "User %s(%ld) is not allowed to submit mail", + errstr, (long) uid); + ext_argv = argv_alloc(2); + argv_add(ext_argv, "smtpd", "-S", (char *) 0); + for (n = 0; n < msg_verbose; n++) + argv_add(ext_argv, "-v", (char *) 0); + argv_terminate(ext_argv); + mail_run_replace(var_daemon_dir, ext_argv->argv); + /* NOTREACHED */ + case SM_MODE_IGNORE: + exit(0); + /* NOTREACHED */ + } +} |