1 /* $NetBSD: postqueue.c,v 1.5 2023/12/23 20:30:44 christos Exp $ */
2
3 /*++
4 /* NAME
5 /* postqueue 1
6 /* SUMMARY
7 /* Postfix queue control
8 /* SYNOPSIS
9 /* .ti -4
10 /* \fBTo flush the mail queue\fR:
11 /*
12 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-f\fR
13 /*
14 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-i \fIqueue_id\fR
15 /*
16 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-s \fIsite\fR
17 /*
18 /* .ti -4
19 /* \fBTo list the mail queue\fR:
20 /*
21 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-j\fR
22 /*
23 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-p\fR
24 /* DESCRIPTION
25 /* The \fBpostqueue\fR(1) command implements the Postfix user interface
26 /* for queue management. It implements operations that are
27 /* traditionally available via the \fBsendmail\fR(1) command.
28 /* See the \fBpostsuper\fR(1) command for queue operations
29 /* that require super-user privileges such as deleting a message
30 /* from the queue or changing the status of a message.
31 /*
32 /* The following options are recognized:
33 /* .IP "\fB-c \fIconfig_dir\fR"
34 /* The \fBmain.cf\fR configuration file is in the named directory
35 /* instead of the default configuration directory. See also the
36 /* MAIL_CONFIG environment setting below.
37 /* .IP \fB-f\fR
38 /* Flush the queue: attempt to deliver all queued mail.
39 /*
40 /* This option implements the traditional "\fBsendmail -q\fR" command,
41 /* by contacting the Postfix \fBqmgr\fR(8) daemon.
42 /*
43 /* Warning: flushing undeliverable mail frequently will result in
44 /* poor delivery performance of all other mail.
45 /* .IP "\fB-i \fIqueue_id\fR"
46 /* Schedule immediate delivery of deferred mail with the
47 /* specified queue ID.
48 /*
49 /* This option implements the traditional \fBsendmail -qI\fR
50 /* command, by contacting the \fBflush\fR(8) server.
51 /*
52 /* This feature is available with Postfix version 2.4 and later.
53 /* .IP "\fB-j\fR"
54 /* Produce a queue listing in JSON LINES format, based on
55 /* output from the showq(8) daemon. See "\fBJSON OBJECT
56 /* FORMAT\fR" below for details.
57 /*
58 /* This feature is available in Postfix 3.1 and later.
59 /* .IP \fB-p\fR
60 /* Produce a traditional sendmail-style queue listing.
61 /* This option implements the traditional \fBmailq\fR command,
62 /* by contacting the Postfix \fBshowq\fR(8) daemon.
63 /*
64 /* Each queue entry shows the queue file ID, message
65 /* size, arrival time, sender, and the recipients that still need to
66 /* be delivered. If mail could not be delivered upon the last attempt,
67 /* the reason for failure is shown. The queue ID string
68 /* is followed by an optional status character:
69 /* .RS
70 /* .IP \fB*\fR
71 /* The message is in the \fBactive\fR queue, i.e. the message is
72 /* selected for delivery.
73 /* .IP \fB!\fR
74 /* The message is in the \fBhold\fR queue, i.e. no further delivery
75 /* attempt will be made until the mail is taken off hold.
76 /* .IP \fB#\fR
77 /* The message is forced to expire. See the \fBpostsuper\fR(1)
78 /* options \fB-e\fR or \fB-f\fR.
79 /* .sp
80 /* This feature is available in Postfix 3.5 and later.
81 /* .RE
82 /* .IP "\fB-s \fIsite\fR"
83 /* Schedule immediate delivery of all mail that is queued for the named
84 /* \fIsite\fR. A numerical site must be specified as a valid RFC 5321
85 /* address literal enclosed in [], just like in email addresses.
86 /* The site must be eligible for the "fast flush" service.
87 /* See \fBflush\fR(8) for more information about the "fast flush"
88 /* service.
89 /*
90 /* This option implements the traditional "\fBsendmail -qR\fIsite\fR"
91 /* command, by contacting the Postfix \fBflush\fR(8) daemon.
92 /* .IP \fB-v\fR
93 /* Enable verbose logging for debugging purposes. Multiple \fB-v\fR
94 /* options make the software increasingly verbose. As of Postfix 2.3,
95 /* this option is available for the super-user only.
96 /* JSON OBJECT FORMAT
97 /* .ad
98 /* .fi
99 /* Each JSON object represents one queue file; it is emitted
100 /* as a single text line followed by a newline character.
101 /*
102 /* Object members have string values unless indicated otherwise.
103 /* Programs should ignore object members that are not listed
104 /* here; the list of members is expected to grow over time.
105 /* .IP \fBqueue_name\fR
106 /* The name of the queue where the message was found. Note
107 /* that the contents of the mail queue may change while it is
108 /* being listed; some messages may appear more than once, and
109 /* some messages may be missed.
110 /* .IP \fBqueue_id\fR
111 /* The queue file name. The queue_id may be reused within a
112 /* Postfix instance unless "enable_long_queue_ids = true" and
113 /* time is monotonic. Even then, the queue_id is not expected
114 /* to be unique between different Postfix instances. Management
115 /* tools that require a unique name should combine the queue_id
116 /* with the myhostname setting of the Postfix instance.
117 /* .IP \fBarrival_time\fR
118 /* The number of seconds since the start of the UNIX epoch.
119 /* .IP \fBmessage_size\fR
120 /* The number of bytes in the message header and body. This
121 /* number does not include message envelope information. It
122 /* is approximately equal to the number of bytes that would
123 /* be transmitted via SMTP including the <CR><LF> line endings.
124 /* .IP \fBforced_expire\fR
125 /* The message is forced to expire (\fBtrue\fR or \fBfalse\fR).
126 /* See the \fBpostsuper\fR(1) options \fB-e\fR or \fB-f\fR.
127 /* .sp
128 /* This feature is available in Postfix 3.5 and later.
129 /* .IP \fBsender\fR
130 /* The envelope sender address.
131 /* .IP \fBrecipients\fR
132 /* An array containing zero or more objects with members:
133 /* .RS
134 /* .IP \fBaddress\fR
135 /* One recipient address.
136 /* .IP \fBdelay_reason\fR
137 /* If present, the reason for delayed delivery. Delayed
138 /* recipients may have no delay reason, for example, while
139 /* delivery is in progress, or after the system was stopped
140 /* before it could record the reason.
141 /* .RE
142 /* SECURITY
143 /* .ad
144 /* .fi
145 /* This program is designed to run with set-group ID privileges, so
146 /* that it can connect to Postfix daemon processes.
147 /* STANDARDS
148 /* RFC 7159 (JSON notation)
149 /* DIAGNOSTICS
150 /* Problems are logged to \fBsyslogd\fR(8) or \fBpostlogd\fR(8),
151 /* and to the standard error stream.
152 /* ENVIRONMENT
153 /* .ad
154 /* .fi
155 /* .IP MAIL_CONFIG
156 /* Directory with the \fBmain.cf\fR file. In order to avoid exploitation
157 /* of set-group ID privileges, a non-standard directory is allowed only
158 /* if:
159 /* .RS
160 /* .IP \(bu
161 /* The name is listed in the standard \fBmain.cf\fR file with the
162 /* \fBalternate_config_directories\fR configuration parameter.
163 /* .IP \(bu
164 /* The command is invoked by the super-user.
165 /* .RE
166 /* CONFIGURATION PARAMETERS
167 /* .ad
168 /* .fi
169 /* The following \fBmain.cf\fR parameters are especially relevant to
170 /* this program.
171 /* The text below provides only a parameter summary. See
172 /* \fBpostconf\fR(5) for more details including examples.
173 /* .IP "\fBalternate_config_directories (empty)\fR"
174 /* A list of non-default Postfix configuration directories that may
175 /* be specified with "-c config_directory" on the command line (in the
176 /* case of \fBsendmail\fR(1), with the "-C" option), or via the MAIL_CONFIG
177 /* environment parameter.
178 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
179 /* The default location of the Postfix main.cf and master.cf
180 /* configuration files.
181 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
182 /* The location of all postfix administrative commands.
183 /* .IP "\fBfast_flush_domains ($relay_domains)\fR"
184 /* Optional list of destinations that are eligible for per-destination
185 /* logfiles with mail that is queued to those destinations.
186 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
187 /* The list of environment variables that a privileged Postfix
188 /* process will import from a non-Postfix parent process, or name=value
189 /* environment overrides.
190 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
191 /* The location of the Postfix top-level queue directory.
192 /* .IP "\fBsyslog_facility (mail)\fR"
193 /* The syslog facility of Postfix logging.
194 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
195 /* A prefix that is prepended to the process name in syslog
196 /* records, so that, for example, "smtpd" becomes "prefix/smtpd".
197 /* .IP "\fBtrigger_timeout (10s)\fR"
198 /* The time limit for sending a trigger to a Postfix daemon (for
199 /* example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon).
200 /* .PP
201 /* Available in Postfix version 2.2 and later:
202 /* .IP "\fBauthorized_flush_users (static:anyone)\fR"
203 /* List of users who are authorized to flush the queue.
204 /* .IP "\fBauthorized_mailq_users (static:anyone)\fR"
205 /* List of users who are authorized to view the queue.
206 /* FILES
207 /* /var/spool/postfix, mail queue
208 /* SEE ALSO
209 /* qmgr(8), queue manager
210 /* showq(8), list mail queue
211 /* flush(8), fast flush service
212 /* sendmail(1), Sendmail-compatible user interface
213 /* postsuper(1), privileged queue operations
214 /* postlogd(8), Postfix logging
215 /* syslogd(8), system logging
216 /* README FILES
217 /* .ad
218 /* .fi
219 /* Use "\fBpostconf readme_directory\fR" or
220 /* "\fBpostconf html_directory\fR" to locate this information.
221 /* .na
222 /* .nf
223 /* ETRN_README, Postfix ETRN howto
224 /* LICENSE
225 /* .ad
226 /* .fi
227 /* The Secure Mailer license must be distributed with this software.
228 /* HISTORY
229 /* .ad
230 /* .fi
231 /* The postqueue command was introduced with Postfix version 1.1.
232 /* AUTHOR(S)
233 /* Wietse Venema
234 /* IBM T.J. Watson Research
235 /* P.O. Box 704
236 /* Yorktown Heights, NY 10598, USA
237 /*
238 /* Wietse Venema
239 /* Google, Inc.
240 /* 111 8th Avenue
241 /* New York, NY 10011, USA
242 /*--*/
243
244 /* System library. */
245
246 #include <sys_defs.h>
247 #include <sys/stat.h>
248 #include <unistd.h>
249 #include <string.h>
250 #include <stdlib.h>
251 #include <signal.h>
252 #include <sysexits.h>
253 #include <errno.h>
254
255 /* Utility library. */
256
257 #include <msg.h>
258 #include <mymalloc.h>
259 #include <clean_env.h>
260 #include <vstream.h>
261 #include <msg_vstream.h>
262 #include <argv.h>
263 #include <safe.h>
264 #include <connect.h>
265 #include <valid_hostname.h>
266 #include <warn_stat.h>
267 #include <events.h>
268 #include <stringops.h>
269
270 /* Global library. */
271
272 #include <mail_proto.h>
273 #include <mail_params.h>
274 #include <mail_version.h>
275 #include <mail_conf.h>
276 #include <mail_task.h>
277 #include <mail_run.h>
278 #include <mail_flush.h>
279 #include <mail_queue.h>
280 #include <flush_clnt.h>
281 #include <smtp_stream.h>
282 #include <user_acl.h>
283 #include <valid_mailhost_addr.h>
284 #include <mail_dict.h>
285 #include <mail_parm_split.h>
286 #include <maillog_client.h>
287
288 /* Application-specific. */
289
290 #include <postqueue.h>
291
292 /*
293 * WARNING WARNING WARNING
294 *
295 * This software is designed to run set-gid. In order to avoid exploitation of
296 * privilege, this software should not run any external commands, nor should
297 * it take any information from the user, unless that information can be
298 * properly sanitized. To get an idea of how much information a process can
299 * inherit from a potentially hostile user, examine all the members of the
300 * process structure (typically, in /usr/include/sys/proc.h): the current
301 * directory, open files, timers, signals, environment, command line, umask,
302 * and so on.
303 */
304
305 /*
306 * Modes of operation.
307 *
308 * XXX To support flush by recipient domain, or for destinations that have no
309 * mapping to logfile, the server has to defend against resource exhaustion
310 * attacks. A malicious user could fork off a postqueue client that starts
311 * an expensive requests and then kills the client immediately; this way she
312 * could create a high Postfix load on the system without ever exceeding her
313 * own per-user process limit. To prevent this, either the server needs to
314 * establish frequent proof of client liveliness with challenge/response, or
315 * the client needs to restrict expensive requests to privileged users only.
316 *
317 * We don't have this problem with queue listings. The showq server detects an
318 * EPIPE error after reporting a few queue entries.
319 */
320 #define PQ_MODE_DEFAULT 0 /* noop */
321 #define PQ_MODE_MAILQ_LIST 1 /* list mail queue */
322 #define PQ_MODE_FLUSH_QUEUE 2 /* flush queue */
323 #define PQ_MODE_FLUSH_SITE 3 /* flush site */
324 #define PQ_MODE_FLUSH_FILE 4 /* flush message */
325 #define PQ_MODE_JSON_LIST 5 /* JSON-format queue listing */
326
327 /*
328 * Silly little macros (SLMs).
329 */
330 #define STR vstring_str
331
332 /*
333 * Queue manipulation access lists.
334 */
335 char *var_flush_acl;
336 char *var_showq_acl;
337
338 static const CONFIG_STR_TABLE str_table[] = {
339 VAR_FLUSH_ACL, DEF_FLUSH_ACL, &var_flush_acl, 0, 0,
340 VAR_SHOWQ_ACL, DEF_SHOWQ_ACL, &var_showq_acl, 0, 0,
341 0,
342 };
343
344 /* showq_client - run the appropriate showq protocol client */
345
showq_client(int mode,VSTREAM * showq)346 static void showq_client(int mode, VSTREAM *showq)
347 {
348 if (attr_scan(showq, ATTR_FLAG_STRICT,
349 RECV_ATTR_STREQ(MAIL_ATTR_PROTO, MAIL_ATTR_PROTO_SHOWQ),
350 ATTR_TYPE_END) != 0)
351 msg_fatal_status(EX_SOFTWARE, "malformed showq server response");
352 switch (mode) {
353 case PQ_MODE_MAILQ_LIST:
354 showq_compat(showq);
355 break;
356 case PQ_MODE_JSON_LIST:
357 showq_json(showq);
358 break;
359 default:
360 msg_panic("show_queue: unknown mode %d", mode);
361 }
362 }
363
364 /* show_queue - show queue status */
365
show_queue(int mode)366 static void show_queue(int mode)
367 {
368 const char *errstr;
369 VSTREAM *showq;
370 int n;
371 uid_t uid = getuid();
372
373 if (uid != 0 && uid != var_owner_uid
374 && (errstr = check_user_acl_byuid(VAR_SHOWQ_ACL, var_showq_acl,
375 uid)) != 0)
376 msg_fatal_status(EX_NOPERM,
377 "User %s(%ld) is not allowed to view the mail queue",
378 errstr, (long) uid);
379
380 /*
381 * Connect to the show queue service.
382 */
383 if ((showq = mail_connect(MAIL_CLASS_PUBLIC, var_showq_service, BLOCKING)) != 0) {
384 showq_client(mode, showq);
385 if (vstream_fclose(showq))
386 msg_warn("close: %m");
387 }
388
389 /*
390 * Don't assume that the mail system is down when the user has
391 * insufficient permission to access the showq socket.
392 */
393 else if (errno == EACCES || errno == EPERM) {
394 msg_fatal_status(EX_SOFTWARE,
395 "Connect to the %s %s service: %m",
396 var_mail_name, var_showq_service);
397 }
398
399 /*
400 * When the mail system is down, the superuser can still access the queue
401 * directly. Just run the showq program in stand-alone mode.
402 */
403 else if (geteuid() == 0) {
404 char *showq_path;
405 ARGV *argv;
406 int stat;
407
408 msg_warn("Mail system is down -- accessing queue directly"
409 " (Connect to the %s %s service: %m)",
410 var_mail_name, var_showq_service);
411 showq_path = concatenate(var_daemon_dir, "/", var_showq_service,
412 (char *) 0);
413 argv = argv_alloc(6);
414 argv_add(argv, showq_path, "-u", "-S", (char *) 0);
415 for (n = 0; n < msg_verbose; n++)
416 argv_add(argv, "-v", (char *) 0);
417 argv_terminate(argv);
418 if ((showq = vstream_popen(O_RDONLY,
419 CA_VSTREAM_POPEN_ARGV(argv->argv),
420 CA_VSTREAM_POPEN_END)) == 0) {
421 stat = -1;
422 } else {
423 showq_client(mode, showq);
424 stat = vstream_pclose(showq);
425 }
426 argv_free(argv);
427 myfree(showq_path);
428 if (stat != 0)
429 msg_fatal_status(stat < 0 ? EX_OSERR : EX_SOFTWARE,
430 "Error running %s", showq_path);
431 }
432
433 /*
434 * When the mail system is down, unprivileged users are stuck, because by
435 * design the mail system contains no set_uid programs. The only way for
436 * an unprivileged user to cross protection boundaries is to talk to the
437 * showq daemon.
438 */
439 else {
440 msg_fatal_status(EX_UNAVAILABLE,
441 "Queue report unavailable - mail system is down"
442 " (Connect to the %s %s service: %m)",
443 var_mail_name, var_showq_service);
444 }
445 }
446
447 /* flush_queue - force delivery */
448
flush_queue(void)449 static void flush_queue(void)
450 {
451 const char *errstr;
452 uid_t uid = getuid();
453
454 if (uid != 0 && uid != var_owner_uid
455 && (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
456 uid)) != 0)
457 msg_fatal_status(EX_NOPERM,
458 "User %s(%ld) is not allowed to flush the mail queue",
459 errstr, (long) uid);
460
461 /*
462 * Trigger the flush queue service.
463 */
464 if (mail_flush_deferred() < 0)
465 msg_fatal_status(EX_UNAVAILABLE,
466 "Cannot flush mail queue - mail system is down");
467 if (mail_flush_maildrop() < 0)
468 msg_fatal_status(EX_UNAVAILABLE,
469 "Cannot flush mail queue - mail system is down");
470 event_drain(2);
471 }
472
473 /* flush_site - flush mail for site */
474
flush_site(const char * site)475 static void flush_site(const char *site)
476 {
477 int status;
478 const char *errstr;
479 uid_t uid = getuid();
480
481 if (uid != 0 && uid != var_owner_uid
482 && (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
483 uid)) != 0)
484 msg_fatal_status(EX_NOPERM,
485 "User %s(%ld) is not allowed to flush the mail queue",
486 errstr, (long) uid);
487
488 flush_init();
489
490 switch (status = flush_send_site(site)) {
491 case FLUSH_STAT_OK:
492 exit(0);
493 case FLUSH_STAT_BAD:
494 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", site);
495 case FLUSH_STAT_FAIL:
496 msg_fatal_status(EX_UNAVAILABLE,
497 "Cannot flush mail queue - mail system is down");
498 case FLUSH_STAT_DENY:
499 msg_fatal_status(EX_UNAVAILABLE,
500 "Flush service is not configured for destination \"%s\"",
501 site);
502 default:
503 msg_fatal_status(EX_SOFTWARE,
504 "Unknown flush server reply status %d", status);
505 }
506 }
507
508 /* flush_file - flush mail with specific queue ID */
509
flush_file(const char * queue_id)510 static void flush_file(const char *queue_id)
511 {
512 int status;
513 const char *errstr;
514 uid_t uid = getuid();
515
516 if (uid != 0 && uid != var_owner_uid
517 && (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
518 uid)) != 0)
519 msg_fatal_status(EX_NOPERM,
520 "User %s(%ld) is not allowed to flush the mail queue",
521 errstr, (long) uid);
522
523 switch (status = flush_send_file(queue_id)) {
524 case FLUSH_STAT_OK:
525 exit(0);
526 case FLUSH_STAT_BAD:
527 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", queue_id);
528 case FLUSH_STAT_FAIL:
529 msg_fatal_status(EX_UNAVAILABLE,
530 "Cannot flush mail queue - mail system is down");
531 default:
532 msg_fatal_status(EX_SOFTWARE,
533 "Unexpected flush server reply status %d", status);
534 }
535 }
536
537 /* unavailable - sanitize exit status from library run-time errors */
538
unavailable(void)539 static void unavailable(void)
540 {
541 exit(EX_UNAVAILABLE);
542 }
543
544 /* usage - scream and die */
545
usage(void)546 static NORETURN usage(void)
547 {
548 msg_fatal_status(EX_USAGE, "usage: postqueue -f | postqueue -i queueid | postqueue -j | postqueue -p | postqueue -s site");
549 }
550
551 MAIL_VERSION_STAMP_DECLARE;
552
553 /* main - the main program */
554
main(int argc,char ** argv)555 int main(int argc, char **argv)
556 {
557 struct stat st;
558 int c;
559 int fd;
560 int mode = PQ_MODE_DEFAULT;
561 char *site_to_flush = 0;
562 char *id_to_flush = 0;
563 ARGV *import_env;
564 int bad_site;
565
566 /*
567 * Fingerprint executables and core dumps.
568 */
569 MAIL_VERSION_STAMP_ALLOCATE;
570
571 /*
572 * Be consistent with file permissions.
573 */
574 umask(022);
575
576 /*
577 * To minimize confusion, make sure that the standard file descriptors
578 * are open before opening anything else. XXX Work around for 44BSD where
579 * fstat can return EBADF on an open file descriptor.
580 */
581 for (fd = 0; fd < 3; fd++)
582 if (fstat(fd, &st) == -1
583 && (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
584 msg_fatal_status(EX_UNAVAILABLE, "open /dev/null: %m");
585
586 /*
587 * Initialize. Set up logging. Read the global configuration file after
588 * parsing command-line arguments. Censor the process name: it is
589 * provided by the user.
590 */
591 argv[0] = "postqueue";
592 msg_vstream_init(argv[0], VSTREAM_ERR);
593 msg_cleanup(unavailable);
594 maillog_client_init(mail_task("postqueue"), MAILLOG_CLIENT_FLAG_NONE);
595 set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
596
597 /*
598 * Check the Postfix library version as soon as we enable logging.
599 */
600 MAIL_VERSION_CHECK;
601
602 /*
603 * Parse JCL. This program is set-gid and must sanitize all command-line
604 * parameters. The configuration directory argument is validated by the
605 * mail configuration read routine. Don't do complex things until we have
606 * completed initializations.
607 */
608 while ((c = GETOPT(argc, argv, "c:fi:jps:v")) > 0) {
609 switch (c) {
610 case 'c': /* non-default configuration */
611 if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
612 msg_fatal_status(EX_UNAVAILABLE, "out of memory");
613 break;
614 case 'f': /* flush queue */
615 if (mode != PQ_MODE_DEFAULT)
616 usage();
617 mode = PQ_MODE_FLUSH_QUEUE;
618 break;
619 case 'i': /* flush queue file */
620 if (mode != PQ_MODE_DEFAULT)
621 usage();
622 mode = PQ_MODE_FLUSH_FILE;
623 id_to_flush = optarg;
624 break;
625 case 'j':
626 if (mode != PQ_MODE_DEFAULT)
627 usage();
628 mode = PQ_MODE_JSON_LIST;
629 break;
630 case 'p': /* traditional mailq */
631 if (mode != PQ_MODE_DEFAULT)
632 usage();
633 mode = PQ_MODE_MAILQ_LIST;
634 break;
635 case 's': /* flush site */
636 if (mode != PQ_MODE_DEFAULT)
637 usage();
638 mode = PQ_MODE_FLUSH_SITE;
639 site_to_flush = optarg;
640 break;
641 case 'v':
642 if (geteuid() == 0)
643 msg_verbose++;
644 break;
645 default:
646 usage();
647 }
648 }
649 if (argc > optind)
650 usage();
651
652 /*
653 * Further initialization...
654 */
655 mail_conf_read();
656 /* Re-evaluate mail_task() after reading main.cf. */
657 maillog_client_init(mail_task("postqueue"), MAILLOG_CLIENT_FLAG_NONE);
658 mail_dict_init(); /* proxy, sql, ldap */
659 get_mail_conf_str_table(str_table);
660
661 /*
662 * This program is designed to be set-gid, which makes it a potential
663 * target for attack. Strip and optionally override the process
664 * environment so that we don't have to trust the C library.
665 */
666 import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
667 clean_env(import_env->argv);
668 argv_free(import_env);
669
670 if (chdir(var_queue_dir))
671 msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
672
673 signal(SIGPIPE, SIG_IGN);
674
675 /* End of initializations. */
676
677 /*
678 * Further input validation.
679 */
680 if (site_to_flush != 0) {
681 bad_site = 0;
682 if (*site_to_flush == '[') {
683 bad_site = !valid_mailhost_literal(site_to_flush, DONT_GRIPE);
684 } else {
685 bad_site = !valid_hostname(site_to_flush, DONT_GRIPE);
686 }
687 if (bad_site)
688 msg_fatal_status(EX_USAGE,
689 "Cannot flush mail queue - invalid destination: \"%.100s%s\"",
690 site_to_flush, strlen(site_to_flush) > 100 ? "..." : "");
691 }
692 if (id_to_flush != 0) {
693 if (!mail_queue_id_ok(id_to_flush))
694 msg_fatal_status(EX_USAGE,
695 "Cannot flush queue ID - invalid name: \"%.100s%s\"",
696 id_to_flush, strlen(id_to_flush) > 100 ? "..." : "");
697 }
698
699 /*
700 * Start processing.
701 */
702 switch (mode) {
703 default:
704 msg_panic("unknown operation mode: %d", mode);
705 /* NOTREACHED */
706 case PQ_MODE_MAILQ_LIST:
707 case PQ_MODE_JSON_LIST:
708 show_queue(mode);
709 exit(0);
710 break;
711 case PQ_MODE_FLUSH_SITE:
712 flush_site(site_to_flush);
713 exit(0);
714 break;
715 case PQ_MODE_FLUSH_FILE:
716 flush_file(id_to_flush);
717 exit(0);
718 break;
719 case PQ_MODE_FLUSH_QUEUE:
720 flush_queue();
721 exit(0);
722 break;
723 case PQ_MODE_DEFAULT:
724 usage();
725 /* NOTREACHED */
726 }
727 }
728