1 # include <signal.h>
2 # include <errno.h>
3 # include <sys/types.h>
4 # include <sys/stat.h>
5 # include "sendmail.h"
6 # ifdef LOG
7 # include <syslog.h>
8 # endif LOG
9
10 static char SccsId[] = "@(#)deliver.c 3.40 09/16/81";
11
12 /*
13 ** DELIVER -- Deliver a message to a list of addresses.
14 **
15 ** This routine delivers to everyone on the same host as the
16 ** user on the head of the list. It is clever about mailers
17 ** that don't handle multiple users. It is NOT guaranteed
18 ** that it will deliver to all these addresses however -- so
19 ** deliver should be called once for each address on the
20 ** list.
21 **
22 ** Parameters:
23 ** to -- head of the address list to deliver to.
24 ** editfcn -- if non-NULL, we want to call this function
25 ** to output the letter (instead of just out-
26 ** putting it raw).
27 **
28 ** Returns:
29 ** zero -- successfully delivered.
30 ** else -- some failure, see ExitStat for more info.
31 **
32 ** Side Effects:
33 ** The standard input is passed off to someone.
34 */
35
36 deliver(to, editfcn)
37 ADDRESS *to;
38 int (*editfcn)();
39 {
40 char *host;
41 char *user;
42 char **pvp;
43 register char **mvp;
44 register char *p;
45 register struct mailer *m;
46 register int i;
47 extern putmessage();
48 extern bool checkcompat();
49 char *pv[MAXPV+1];
50 char tobuf[MAXLINE];
51 char buf[MAXNAME];
52 ADDRESS *ctladdr;
53 extern ADDRESS *getctladdr();
54
55 if (!ForceMail && bitset(QDONTSEND, to->q_flags))
56 return (0);
57
58 # ifdef DEBUG
59 if (Debug)
60 printf("\n--deliver, mailer=%d, host=`%s', first user=`%s'\n",
61 to->q_mailer, to->q_host, to->q_user);
62 # endif DEBUG
63
64 /*
65 ** Do initial argv setup.
66 ** Insert the mailer name. Notice that $x expansion is
67 ** NOT done on the mailer name. Then, if the mailer has
68 ** a picky -f flag, we insert it as appropriate. This
69 ** code does not check for 'pv' overflow; this places a
70 ** manifest lower limit of 4 for MAXPV.
71 */
72
73 m = Mailer[to->q_mailer];
74 host = to->q_host;
75 define('g', m->m_from); /* translated from address */
76 define('h', host); /* to host */
77 Errors = 0;
78 errno = 0;
79 pvp = pv;
80 *pvp++ = m->m_argv[0];
81
82 /* insert -f or -r flag as appropriate */
83 if (bitset(M_FOPT|M_ROPT, m->m_flags) && FromFlag)
84 {
85 if (bitset(M_FOPT, m->m_flags))
86 *pvp++ = "-f";
87 else
88 *pvp++ = "-r";
89 (void) expand("$g", buf, &buf[sizeof buf - 1]);
90 *pvp++ = newstr(buf);
91 }
92
93 /*
94 ** Append the other fixed parts of the argv. These run
95 ** up to the first entry containing "$u". There can only
96 ** be one of these, and there are only a few more slots
97 ** in the pv after it.
98 */
99
100 for (mvp = m->m_argv; (p = *++mvp) != NULL; )
101 {
102 while ((p = index(p, '$')) != NULL)
103 if (*++p == 'u')
104 break;
105 if (p != NULL)
106 break;
107
108 /* this entry is safe -- go ahead and process it */
109 (void) expand(*mvp, buf, &buf[sizeof buf - 1]);
110 *pvp++ = newstr(buf);
111 if (pvp >= &pv[MAXPV - 3])
112 {
113 syserr("Too many parameters to %s before $u", pv[0]);
114 return (-1);
115 }
116 }
117 if (*mvp == NULL)
118 syserr("No $u in mailer argv for %s", pv[0]);
119
120 /*
121 ** At this point *mvp points to the argument with $u. We
122 ** run through our address list and append all the addresses
123 ** we can. If we run out of space, do not fret! We can
124 ** always send another copy later.
125 */
126
127 tobuf[0] = '\0';
128 To = tobuf;
129 ctladdr = NULL;
130 for (; to != NULL; to = to->q_next)
131 {
132 /* avoid sending multiple recipients to dumb mailers */
133 if (tobuf[0] != '\0' && !bitset(M_MUSER, m->m_flags))
134 break;
135
136 /* if already sent or not for this host, don't send */
137 if ((!ForceMail && bitset(QDONTSEND, to->q_flags)) ||
138 strcmp(to->q_host, host) != 0)
139 continue;
140
141 /* compute effective uid/gid when sending */
142 if (to->q_mailer == MN_PROG)
143 ctladdr = getctladdr(to);
144
145 user = to->q_user;
146 To = to->q_paddr;
147 to->q_flags |= QDONTSEND;
148 # ifdef DEBUG
149 if (Debug)
150 printf(" send to `%s'\n", user);
151 # endif DEBUG
152
153 /*
154 ** Check to see that these people are allowed to
155 ** talk to each other.
156 */
157
158 if (!checkcompat(to))
159 {
160 giveresponse(EX_UNAVAILABLE, TRUE, m);
161 continue;
162 }
163
164 /*
165 ** Strip quote bits from names if the mailer is dumb
166 ** about them.
167 */
168
169 if (bitset(M_STRIPQ, m->m_flags))
170 {
171 stripquotes(user, TRUE);
172 stripquotes(host, TRUE);
173 }
174 else
175 {
176 stripquotes(user, FALSE);
177 stripquotes(host, FALSE);
178 }
179
180 /*
181 ** If an error message has already been given, don't
182 ** bother to send to this address.
183 **
184 ** >>>>>>>>>> This clause assumes that the local mailer
185 ** >> NOTE >> cannot do any further aliasing; that
186 ** >>>>>>>>>> function is subsumed by sendmail.
187 */
188
189 if (bitset(QBADADDR, to->q_flags))
190 continue;
191
192 /* save statistics.... */
193 Stat.stat_nt[to->q_mailer]++;
194 Stat.stat_bt[to->q_mailer] += kbytes(MsgSize);
195
196 /*
197 ** See if this user name is "special".
198 ** If the user name has a slash in it, assume that this
199 ** is a file -- send it off without further ado.
200 ** Note that this means that editfcn's will not
201 ** be applied to the message. Also note that
202 ** this type of addresses is not processed along
203 ** with the others, so we fudge on the To person.
204 */
205
206 if (m == Mailer[MN_LOCAL])
207 {
208 if (index(user, '/') != NULL)
209 {
210 i = mailfile(user, getctladdr(to));
211 giveresponse(i, TRUE, m);
212 continue;
213 }
214 }
215
216 /*
217 ** Address is verified -- add this user to mailer
218 ** argv, and add it to the print list of recipients.
219 */
220
221 /* create list of users for error messages */
222 if (tobuf[0] != '\0')
223 (void) strcat(tobuf, ",");
224 (void) strcat(tobuf, to->q_paddr);
225 define('u', user); /* to user */
226 define('z', to->q_home); /* user's home */
227
228 /* expand out this user */
229 (void) expand(*mvp, buf, &buf[sizeof buf - 1]);
230 *pvp++ = newstr(buf);
231 if (pvp >= &pv[MAXPV - 2])
232 {
233 /* allow some space for trailing parms */
234 break;
235 }
236 }
237
238 /* see if any addresses still exist */
239 if (tobuf[0] == '\0')
240 return (0);
241
242 /* print out messages as full list */
243 To = tobuf;
244
245 /*
246 ** Fill out any parameters after the $u parameter.
247 */
248
249 while (*++mvp != NULL)
250 {
251 (void) expand(*mvp, buf, &buf[sizeof buf - 1]);
252 *pvp++ = newstr(buf);
253 if (pvp >= &pv[MAXPV])
254 syserr("deliver: pv overflow after $u for %s", pv[0]);
255 }
256 *pvp++ = NULL;
257
258 /*
259 ** Call the mailer.
260 ** The argument vector gets built, pipes
261 ** are created as necessary, and we fork & exec as
262 ** appropriate.
263 */
264
265 if (editfcn == NULL)
266 editfcn = putmessage;
267 if (ctladdr == NULL)
268 ctladdr = &From;
269 i = sendoff(m, pv, editfcn, ctladdr);
270
271 return (i);
272 }
273 �/*
274 ** DOFORK -- do a fork, retrying a couple of times on failure.
275 **
276 ** This MUST be a macro, since after a vfork we are running
277 ** two processes on the same stack!!!
278 **
279 ** Parameters:
280 ** none.
281 **
282 ** Returns:
283 ** From a macro??? You've got to be kidding!
284 **
285 ** Side Effects:
286 ** Modifies the ==> LOCAL <== variable 'pid', leaving:
287 ** pid of child in parent, zero in child.
288 ** -1 on unrecoverable error.
289 **
290 ** Notes:
291 ** I'm awfully sorry this looks so awful. That's
292 ** vfork for you.....
293 */
294
295 # define NFORKTRIES 5
296 # ifdef VFORK
297 # define XFORK vfork
298 # else VFORK
299 # define XFORK fork
300 # endif VFORK
301
302 # define DOFORK(fORKfN) \
303 {\
304 register int i;\
305 \
306 for (i = NFORKTRIES; i-- > 0; )\
307 {\
308 pid = fORKfN();\
309 if (pid >= 0)\
310 break;\
311 sleep((unsigned) NFORKTRIES - i);\
312 }\
313 }
314 �/*
315 ** SENDOFF -- send off call to mailer & collect response.
316 **
317 ** Parameters:
318 ** m -- mailer descriptor.
319 ** pvp -- parameter vector to send to it.
320 ** editfcn -- function to pipe it through.
321 ** ctladdr -- an address pointer controlling the
322 ** user/groupid etc. of the mailer.
323 **
324 ** Returns:
325 ** exit status of mailer.
326 **
327 ** Side Effects:
328 ** none.
329 */
330
331 sendoff(m, pvp, editfcn, ctladdr)
332 struct mailer *m;
333 char **pvp;
334 int (*editfcn)();
335 ADDRESS *ctladdr;
336 {
337 auto int st;
338 register int i;
339 int pid;
340 int pvect[2];
341 FILE *mfile;
342 extern putmessage();
343 extern FILE *fdopen();
344
345 # ifdef DEBUG
346 if (Debug)
347 {
348 printf("Sendoff:\n");
349 printav(pvp);
350 }
351 # endif DEBUG
352
353 /* create a pipe to shove the mail through */
354 if (pipe(pvect) < 0)
355 {
356 syserr("pipe");
357 return (-1);
358 }
359 DOFORK(XFORK);
360 /* pid is set by DOFORK */
361 if (pid < 0)
362 {
363 syserr("Cannot fork");
364 (void) close(pvect[0]);
365 (void) close(pvect[1]);
366 return (-1);
367 }
368 else if (pid == 0)
369 {
370 /* child -- set up input & exec mailer */
371 /* make diagnostic output be standard output */
372 (void) signal(SIGINT, SIG_DFL);
373 (void) signal(SIGHUP, SIG_DFL);
374 (void) signal(SIGTERM, SIG_DFL);
375 (void) close(2);
376 (void) dup(1);
377 (void) close(0);
378 if (dup(pvect[0]) < 0)
379 {
380 syserr("Cannot dup to zero!");
381 _exit(EX_OSERR);
382 }
383 (void) close(pvect[0]);
384 (void) close(pvect[1]);
385 if (!bitset(M_RESTR, m->m_flags))
386 {
387 (void) setuid(ctladdr->q_uid);
388 (void) setgid(ctladdr->q_gid);
389 }
390 # ifndef VFORK
391 /*
392 ** We have to be careful with vfork - we can't mung up the
393 ** memory but we don't want the mailer to inherit any extra
394 ** open files. Chances are the mailer won't
395 ** care about an extra file, but then again you never know.
396 ** Actually, we would like to close(fileno(pwf)), but it's
397 ** declared static so we can't. But if we fclose(pwf), which
398 ** is what endpwent does, it closes it in the parent too and
399 ** the next getpwnam will be slower. If you have a weird
400 ** mailer that chokes on the extra file you should do the
401 ** endpwent().
402 **
403 ** Similar comments apply to log. However, openlog is
404 ** clever enough to set the FIOCLEX mode on the file,
405 ** so it will be closed automatically on the exec.
406 */
407
408 endpwent();
409 # ifdef LOG
410 closelog();
411 # endif LOG
412 # endif VFORK
413 execv(m->m_mailer, pvp);
414 /* syserr fails because log is closed */
415 /* syserr("Cannot exec %s", m->m_mailer); */
416 printf("Cannot exec '%s' errno=%d\n", m->m_mailer, errno);
417 (void) fflush(stdout);
418 _exit(EX_UNAVAILABLE);
419 }
420
421 /* write out message to mailer */
422 (void) close(pvect[0]);
423 (void) signal(SIGPIPE, SIG_IGN);
424 mfile = fdopen(pvect[1], "w");
425 if (editfcn == NULL)
426 editfcn = putmessage;
427 (*editfcn)(mfile, m);
428 (void) fclose(mfile);
429
430 /*
431 ** Wait for child to die and report status.
432 ** We should never get fatal errors (e.g., segmentation
433 ** violation), so we report those specially. For other
434 ** errors, we choose a status message (into statmsg),
435 ** and if it represents an error, we print it.
436 */
437
438 while ((i = wait(&st)) > 0 && i != pid)
439 continue;
440 if (i < 0)
441 {
442 syserr("wait");
443 return (-1);
444 }
445 if ((st & 0377) != 0)
446 {
447 syserr("%s: stat %o", pvp[0], st);
448 ExitStat = EX_UNAVAILABLE;
449 return (-1);
450 }
451 i = (st >> 8) & 0377;
452 giveresponse(i, TRUE, m);
453 return (i);
454 }
455 �/*
456 ** GIVERESPONSE -- Interpret an error response from a mailer
457 **
458 ** Parameters:
459 ** stat -- the status code from the mailer (high byte
460 ** only; core dumps must have been taken care of
461 ** already).
462 ** force -- if set, force an error message output, even
463 ** if the mailer seems to like to print its own
464 ** messages.
465 ** m -- the mailer descriptor for this mailer.
466 **
467 ** Returns:
468 ** none.
469 **
470 ** Side Effects:
471 ** Errors may be incremented.
472 ** ExitStat may be set.
473 */
474
475 giveresponse(stat, force, m)
476 int stat;
477 int force;
478 register struct mailer *m;
479 {
480 register char *statmsg;
481 extern char *SysExMsg[];
482 register int i;
483 extern int N_SysEx;
484 char buf[30];
485
486 /*
487 ** Compute status message from code.
488 */
489
490 i = stat - EX__BASE;
491 if (i < 0 || i > N_SysEx)
492 statmsg = NULL;
493 else
494 statmsg = SysExMsg[i];
495 if (stat == 0)
496 {
497 if (bitset(M_LOCAL, m->m_flags))
498 statmsg = "delivered";
499 else
500 statmsg = "queued";
501 if (Verbose)
502 message(Arpa_Info, statmsg);
503 }
504 else
505 {
506 Errors++;
507 if (statmsg == NULL && m->m_badstat != 0)
508 {
509 stat = m->m_badstat;
510 i = stat - EX__BASE;
511 # ifdef DEBUG
512 if (i < 0 || i >= N_SysEx)
513 syserr("Bad m_badstat %d", stat);
514 else
515 # endif DEBUG
516 statmsg = SysExMsg[i];
517 }
518 if (statmsg == NULL)
519 usrerr("unknown mailer response %d", stat);
520 else if (force || !bitset(M_QUIET, m->m_flags) || Verbose)
521 usrerr("%s", statmsg);
522 }
523
524 /*
525 ** Final cleanup.
526 ** Log a record of the transaction. Compute the new
527 ** ExitStat -- if we already had an error, stick with
528 ** that.
529 */
530
531 if (statmsg == NULL)
532 {
533 (void) sprintf(buf, "error %d", stat);
534 statmsg = buf;
535 }
536
537 # ifdef LOG
538 syslog(LOG_INFO, "%s->%s: %ld: %s", From.q_paddr, To, MsgSize, statmsg);
539 # endif LOG
540 setstat(stat);
541 }
542 �/*
543 ** PUTMESSAGE -- output a message to the final mailer.
544 **
545 ** This routine takes care of recreating the header from the
546 ** in-core copy, etc.
547 **
548 ** Parameters:
549 ** fp -- file to output onto.
550 ** m -- a mailer descriptor.
551 **
552 ** Returns:
553 ** none.
554 **
555 ** Side Effects:
556 ** The message is written onto fp.
557 */
558
559 putmessage(fp, m)
560 FILE *fp;
561 struct mailer *m;
562 {
563 char buf[BUFSIZ];
564 register int i;
565 register HDR *h;
566 extern char *arpadate();
567 bool anyheader = FALSE;
568 extern char *capitalize();
569 extern char *hvalue();
570 extern bool samefrom();
571
572 /*
573 ** Output "From" line unless supressed
574 */
575
576 if (!bitset(M_NHDR, m->m_flags))
577 {
578 (void) expand("$l", buf, &buf[sizeof buf - 1]);
579 fprintf(fp, "%s\n", buf);
580 }
581
582 /*
583 ** Output all header lines
584 */
585
586 for (h = Header; h != NULL; h = h->h_link)
587 {
588 register char *p;
589 char *origfrom = OrigFrom;
590
591 if (bitset(H_CHECK|H_ACHECK, h->h_flags) && !bitset(h->h_mflags, m->m_flags))
592 {
593 p = ")><("; /* can't happen (I hope) */
594 goto checkfrom;
595 }
596 if (strcmp(h->h_field, "from") == 0 && origfrom != NULL &&
597 strcmp(m->m_from, "$f") == 0)
598 {
599 p = origfrom;
600 origfrom = NULL;
601 }
602 else if (bitset(H_DEFAULT, h->h_flags))
603 {
604 (void) expand(h->h_value, buf, &buf[sizeof buf]);
605 p = buf;
606 }
607 else
608 p = h->h_value;
609 if (*p == '\0')
610 continue;
611 fprintf(fp, "%s: %s\n", capitalize(h->h_field), p);
612 h->h_flags |= H_USED;
613 anyheader = TRUE;
614
615 /* hack, hack -- output Original-From field if different */
616 checkfrom:
617 if (strcmp(h->h_field, "from") == 0 && origfrom != NULL &&
618 !samefrom(p, origfrom) && hvalue("original-from") == NULL)
619 {
620 fprintf(fp, "Original-From: %s\n", origfrom);
621 anyheader = TRUE;
622 }
623 }
624 if (anyheader)
625 fprintf(fp, "\n");
626
627 /*
628 ** Output the body of the message
629 */
630
631 rewind(TempFile);
632 while (!ferror(fp) && (i = fread(buf, 1, BUFSIZ, TempFile)) > 0)
633 (void) fwrite(buf, 1, i, fp);
634
635 if (ferror(fp) && errno != EPIPE)
636 {
637 syserr("putmessage: write error");
638 setstat(EX_IOERR);
639 }
640 errno = 0;
641 }
642 �/*
643 ** SAMEFROM -- tell if two text addresses represent the same from address.
644 **
645 ** Parameters:
646 ** ifrom -- internally generated form of from address.
647 ** efrom -- external form of from address.
648 **
649 ** Returns:
650 ** TRUE -- if they convey the same info.
651 ** FALSE -- if any information has been lost.
652 **
653 ** Side Effects:
654 ** none.
655 */
656
657 bool
658 samefrom(ifrom, efrom)
659 char *ifrom;
660 char *efrom;
661 {
662 return (strcmp(ifrom, efrom) == 0);
663 }
664 �/*
665 ** MAILFILE -- Send a message to a file.
666 **
667 ** If the file has the setuid/setgid bits set, but NO execute
668 ** bits, sendmail will try to become the owner of that file
669 ** rather than the real user. Obviously, this only works if
670 ** sendmail runs as root.
671 **
672 ** Parameters:
673 ** filename -- the name of the file to send to.
674 ** ctladdr -- the controlling address header -- includes
675 ** the userid/groupid to be when sending.
676 **
677 ** Returns:
678 ** The exit code associated with the operation.
679 **
680 ** Side Effects:
681 ** none.
682 */
683
684 mailfile(filename, ctladdr)
685 char *filename;
686 ADDRESS *ctladdr;
687 {
688 register FILE *f;
689 register int pid;
690
691 /*
692 ** Fork so we can change permissions here.
693 ** Note that we MUST use fork, not vfork, because of
694 ** the complications of calling subroutines, etc.
695 */
696
697 DOFORK(fork);
698
699 if (pid < 0)
700 return (EX_OSERR);
701 else if (pid == 0)
702 {
703 /* child -- actually write to file */
704 struct stat stb;
705
706 (void) signal(SIGINT, SIG_DFL);
707 (void) signal(SIGHUP, SIG_DFL);
708 (void) signal(SIGTERM, SIG_DFL);
709 umask(OldUmask);
710 if (stat(filename, &stb) < 0)
711 stb.st_mode = 0;
712 if (bitset(0111, stb.st_mode))
713 exit(EX_CANTCREAT);
714 if (ctladdr == NULL)
715 ctladdr = &From;
716 if (!bitset(S_ISGID, stb.st_mode) || setgid(stb.st_gid) < 0)
717 (void) setgid(ctladdr->q_gid);
718 if (!bitset(S_ISUID, stb.st_mode) || setuid(stb.st_uid) < 0)
719 (void) setuid(ctladdr->q_uid);
720 f = fopen(filename, "a");
721 if (f == NULL)
722 exit(EX_CANTCREAT);
723
724 putmessage(f, Mailer[1]);
725 fputs("\n", f);
726 (void) fclose(f);
727 (void) fflush(stdout);
728 exit(EX_OK);
729 /*NOTREACHED*/
730 }
731 else
732 {
733 /* parent -- wait for exit status */
734 register int i;
735 auto int stat;
736
737 while ((i = wait(&stat)) != pid)
738 {
739 if (i < 0)
740 {
741 stat = EX_OSERR << 8;
742 break;
743 }
744 }
745 if ((stat & 0377) != 0)
746 stat = EX_UNAVAILABLE << 8;
747 return ((stat >> 8) & 0377);
748 }
749 }
750