1 # include <signal.h>
2 # include <errno.h>
3 # include <sys/types.h>
4 # include <sys/stat.h>
5 # include "sendmail.h"
6 # ifdef LOG
7 # include <syslog.h>
8 # endif LOG
9
10 static char SccsId[] = "@(#)deliver.c 3.42 09/20/81";
11
12 /*
13 ** DELIVER -- Deliver a message to a list of addresses.
14 **
15 ** This routine delivers to everyone on the same host as the
16 ** user on the head of the list. It is clever about mailers
17 ** that don't handle multiple users. It is NOT guaranteed
18 ** that it will deliver to all these addresses however -- so
19 ** deliver should be called once for each address on the
20 ** list.
21 **
22 ** Parameters:
23 ** to -- head of the address list to deliver to.
24 ** editfcn -- if non-NULL, we want to call this function
25 ** to output the letter (instead of just out-
26 ** putting it raw).
27 **
28 ** Returns:
29 ** zero -- successfully delivered.
30 ** else -- some failure, see ExitStat for more info.
31 **
32 ** Side Effects:
33 ** The standard input is passed off to someone.
34 */
35
36 deliver(to, editfcn)
37 ADDRESS *to;
38 int (*editfcn)();
39 {
40 char *host;
41 char *user;
42 char **pvp;
43 register char **mvp;
44 register char *p;
45 register struct mailer *m;
46 register int i;
47 extern putmessage();
48 extern bool checkcompat();
49 char *pv[MAXPV+1];
50 char tobuf[MAXLINE];
51 char buf[MAXNAME];
52 ADDRESS *ctladdr;
53 extern ADDRESS *getctladdr();
54
55 if (!ForceMail && bitset(QDONTSEND, to->q_flags))
56 return (0);
57
58 # ifdef DEBUG
59 if (Debug)
60 printf("\n--deliver, mailer=%d, host=`%s', first user=`%s'\n",
61 to->q_mailer, to->q_host, to->q_user);
62 # endif DEBUG
63
64 /*
65 ** Do initial argv setup.
66 ** Insert the mailer name. Notice that $x expansion is
67 ** NOT done on the mailer name. Then, if the mailer has
68 ** a picky -f flag, we insert it as appropriate. This
69 ** code does not check for 'pv' overflow; this places a
70 ** manifest lower limit of 4 for MAXPV.
71 */
72
73 m = Mailer[to->q_mailer];
74 host = to->q_host;
75 define('g', m->m_from); /* translated from address */
76 define('h', host); /* to host */
77 Errors = 0;
78 errno = 0;
79 pvp = pv;
80 *pvp++ = m->m_argv[0];
81
82 /* insert -f or -r flag as appropriate */
83 if (bitset(M_FOPT|M_ROPT, m->m_flags) && FromFlag)
84 {
85 if (bitset(M_FOPT, m->m_flags))
86 *pvp++ = "-f";
87 else
88 *pvp++ = "-r";
89 (void) expand("$g", buf, &buf[sizeof buf - 1]);
90 *pvp++ = newstr(buf);
91 }
92
93 /*
94 ** Append the other fixed parts of the argv. These run
95 ** up to the first entry containing "$u". There can only
96 ** be one of these, and there are only a few more slots
97 ** in the pv after it.
98 */
99
100 for (mvp = m->m_argv; (p = *++mvp) != NULL; )
101 {
102 while ((p = index(p, '$')) != NULL)
103 if (*++p == 'u')
104 break;
105 if (p != NULL)
106 break;
107
108 /* this entry is safe -- go ahead and process it */
109 (void) expand(*mvp, buf, &buf[sizeof buf - 1]);
110 *pvp++ = newstr(buf);
111 if (pvp >= &pv[MAXPV - 3])
112 {
113 syserr("Too many parameters to %s before $u", pv[0]);
114 return (-1);
115 }
116 }
117 if (*mvp == NULL)
118 syserr("No $u in mailer argv for %s", pv[0]);
119
120 /*
121 ** At this point *mvp points to the argument with $u. We
122 ** run through our address list and append all the addresses
123 ** we can. If we run out of space, do not fret! We can
124 ** always send another copy later.
125 */
126
127 tobuf[0] = '\0';
128 To = tobuf;
129 ctladdr = NULL;
130 for (; to != NULL; to = to->q_next)
131 {
132 /* avoid sending multiple recipients to dumb mailers */
133 if (tobuf[0] != '\0' && !bitset(M_MUSER, m->m_flags))
134 break;
135
136 /* if already sent or not for this host, don't send */
137 if ((!ForceMail && bitset(QDONTSEND, to->q_flags)) ||
138 strcmp(to->q_host, host) != 0)
139 continue;
140
141 /* compute effective uid/gid when sending */
142 if (to->q_mailer == MN_PROG)
143 ctladdr = getctladdr(to);
144
145 user = to->q_user;
146 To = to->q_paddr;
147 to->q_flags |= QDONTSEND;
148 # ifdef DEBUG
149 if (Debug)
150 printf(" send to `%s'\n", user);
151 # endif DEBUG
152
153 /*
154 ** Check to see that these people are allowed to
155 ** talk to each other.
156 */
157
158 if (!checkcompat(to))
159 {
160 giveresponse(EX_UNAVAILABLE, TRUE, m);
161 continue;
162 }
163
164 /*
165 ** Strip quote bits from names if the mailer is dumb
166 ** about them.
167 */
168
169 if (bitset(M_STRIPQ, m->m_flags))
170 {
171 stripquotes(user, TRUE);
172 stripquotes(host, TRUE);
173 }
174 else
175 {
176 stripquotes(user, FALSE);
177 stripquotes(host, FALSE);
178 }
179
180 /*
181 ** If an error message has already been given, don't
182 ** bother to send to this address.
183 **
184 ** >>>>>>>>>> This clause assumes that the local mailer
185 ** >> NOTE >> cannot do any further aliasing; that
186 ** >>>>>>>>>> function is subsumed by sendmail.
187 */
188
189 if (bitset(QBADADDR, to->q_flags))
190 continue;
191
192 /* save statistics.... */
193 Stat.stat_nt[to->q_mailer]++;
194 Stat.stat_bt[to->q_mailer] += kbytes(MsgSize);
195
196 /*
197 ** See if this user name is "special".
198 ** If the user name has a slash in it, assume that this
199 ** is a file -- send it off without further ado.
200 ** Note that this means that editfcn's will not
201 ** be applied to the message. Also note that
202 ** this type of addresses is not processed along
203 ** with the others, so we fudge on the To person.
204 */
205
206 if (m == Mailer[MN_LOCAL])
207 {
208 if (index(user, '/') != NULL)
209 {
210 i = mailfile(user, getctladdr(to));
211 giveresponse(i, TRUE, m);
212 continue;
213 }
214 }
215
216 /*
217 ** Address is verified -- add this user to mailer
218 ** argv, and add it to the print list of recipients.
219 */
220
221 /* create list of users for error messages */
222 if (tobuf[0] != '\0')
223 (void) strcat(tobuf, ",");
224 (void) strcat(tobuf, to->q_paddr);
225 define('u', user); /* to user */
226 define('z', to->q_home); /* user's home */
227
228 /* expand out this user */
229 (void) expand(*mvp, buf, &buf[sizeof buf - 1]);
230 *pvp++ = newstr(buf);
231 if (pvp >= &pv[MAXPV - 2])
232 {
233 /* allow some space for trailing parms */
234 break;
235 }
236 }
237
238 /* see if any addresses still exist */
239 if (tobuf[0] == '\0')
240 return (0);
241
242 /* print out messages as full list */
243 To = tobuf;
244
245 /*
246 ** Fill out any parameters after the $u parameter.
247 */
248
249 while (*++mvp != NULL)
250 {
251 (void) expand(*mvp, buf, &buf[sizeof buf - 1]);
252 *pvp++ = newstr(buf);
253 if (pvp >= &pv[MAXPV])
254 syserr("deliver: pv overflow after $u for %s", pv[0]);
255 }
256 *pvp++ = NULL;
257
258 /*
259 ** Call the mailer.
260 ** The argument vector gets built, pipes
261 ** are created as necessary, and we fork & exec as
262 ** appropriate.
263 */
264
265 if (editfcn == NULL)
266 editfcn = putmessage;
267 if (ctladdr == NULL)
268 ctladdr = &From;
269 i = sendoff(m, pv, editfcn, ctladdr);
270
271 return (i);
272 }
273 �/*
274 ** DOFORK -- do a fork, retrying a couple of times on failure.
275 **
276 ** This MUST be a macro, since after a vfork we are running
277 ** two processes on the same stack!!!
278 **
279 ** Parameters:
280 ** none.
281 **
282 ** Returns:
283 ** From a macro??? You've got to be kidding!
284 **
285 ** Side Effects:
286 ** Modifies the ==> LOCAL <== variable 'pid', leaving:
287 ** pid of child in parent, zero in child.
288 ** -1 on unrecoverable error.
289 **
290 ** Notes:
291 ** I'm awfully sorry this looks so awful. That's
292 ** vfork for you.....
293 */
294
295 # define NFORKTRIES 5
296 # ifdef VFORK
297 # define XFORK vfork
298 # else VFORK
299 # define XFORK fork
300 # endif VFORK
301
302 # define DOFORK(fORKfN) \
303 {\
304 register int i;\
305 \
306 for (i = NFORKTRIES; i-- > 0; )\
307 {\
308 pid = fORKfN();\
309 if (pid >= 0)\
310 break;\
311 sleep((unsigned) NFORKTRIES - i);\
312 }\
313 }
314 �/*
315 ** SENDOFF -- send off call to mailer & collect response.
316 **
317 ** Parameters:
318 ** m -- mailer descriptor.
319 ** pvp -- parameter vector to send to it.
320 ** editfcn -- function to pipe it through.
321 ** ctladdr -- an address pointer controlling the
322 ** user/groupid etc. of the mailer.
323 **
324 ** Returns:
325 ** exit status of mailer.
326 **
327 ** Side Effects:
328 ** none.
329 */
330
331 sendoff(m, pvp, editfcn, ctladdr)
332 struct mailer *m;
333 char **pvp;
334 int (*editfcn)();
335 ADDRESS *ctladdr;
336 {
337 auto int st;
338 register int i;
339 int pid;
340 int pvect[2];
341 FILE *mfile;
342 extern putmessage();
343 extern FILE *fdopen();
344
345 # ifdef DEBUG
346 if (Debug)
347 {
348 printf("Sendoff:\n");
349 printav(pvp);
350 }
351 # endif DEBUG
352
353 /* create a pipe to shove the mail through */
354 if (pipe(pvect) < 0)
355 {
356 syserr("pipe");
357 return (-1);
358 }
359 DOFORK(XFORK);
360 /* pid is set by DOFORK */
361 if (pid < 0)
362 {
363 syserr("Cannot fork");
364 (void) close(pvect[0]);
365 (void) close(pvect[1]);
366 return (-1);
367 }
368 else if (pid == 0)
369 {
370 /* child -- set up input & exec mailer */
371 /* make diagnostic output be standard output */
372 (void) signal(SIGINT, SIG_DFL);
373 (void) signal(SIGHUP, SIG_DFL);
374 (void) signal(SIGTERM, SIG_DFL);
375 (void) close(2);
376 (void) dup(1);
377 (void) close(0);
378 if (dup(pvect[0]) < 0)
379 {
380 syserr("Cannot dup to zero!");
381 _exit(EX_OSERR);
382 }
383 (void) close(pvect[0]);
384 (void) close(pvect[1]);
385 if (!bitset(M_RESTR, m->m_flags))
386 {
387 if (ctladdr->q_uid == 0)
388 {
389 extern int DefUid, DefGid;
390
391 (void) setgid(DefGid);
392 (void) setuid(DefUid);
393 }
394 else
395 {
396 (void) setgid(ctladdr->q_gid);
397 (void) setuid(ctladdr->q_uid);
398 }
399 }
400 # ifndef VFORK
401 /*
402 ** We have to be careful with vfork - we can't mung up the
403 ** memory but we don't want the mailer to inherit any extra
404 ** open files. Chances are the mailer won't
405 ** care about an extra file, but then again you never know.
406 ** Actually, we would like to close(fileno(pwf)), but it's
407 ** declared static so we can't. But if we fclose(pwf), which
408 ** is what endpwent does, it closes it in the parent too and
409 ** the next getpwnam will be slower. If you have a weird
410 ** mailer that chokes on the extra file you should do the
411 ** endpwent().
412 **
413 ** Similar comments apply to log. However, openlog is
414 ** clever enough to set the FIOCLEX mode on the file,
415 ** so it will be closed automatically on the exec.
416 */
417
418 endpwent();
419 # ifdef LOG
420 closelog();
421 # endif LOG
422 # endif VFORK
423 execv(m->m_mailer, pvp);
424 /* syserr fails because log is closed */
425 /* syserr("Cannot exec %s", m->m_mailer); */
426 printf("Cannot exec '%s' errno=%d\n", m->m_mailer, errno);
427 (void) fflush(stdout);
428 _exit(EX_UNAVAILABLE);
429 }
430
431 /* write out message to mailer */
432 (void) close(pvect[0]);
433 (void) signal(SIGPIPE, SIG_IGN);
434 mfile = fdopen(pvect[1], "w");
435 if (editfcn == NULL)
436 editfcn = putmessage;
437 (*editfcn)(mfile, m);
438 (void) fclose(mfile);
439
440 /*
441 ** Wait for child to die and report status.
442 ** We should never get fatal errors (e.g., segmentation
443 ** violation), so we report those specially. For other
444 ** errors, we choose a status message (into statmsg),
445 ** and if it represents an error, we print it.
446 */
447
448 while ((i = wait(&st)) > 0 && i != pid)
449 continue;
450 if (i < 0)
451 {
452 syserr("wait");
453 return (-1);
454 }
455 if ((st & 0377) != 0)
456 {
457 syserr("%s: stat %o", pvp[0], st);
458 ExitStat = EX_UNAVAILABLE;
459 return (-1);
460 }
461 i = (st >> 8) & 0377;
462 giveresponse(i, TRUE, m);
463 return (i);
464 }
465 �/*
466 ** GIVERESPONSE -- Interpret an error response from a mailer
467 **
468 ** Parameters:
469 ** stat -- the status code from the mailer (high byte
470 ** only; core dumps must have been taken care of
471 ** already).
472 ** force -- if set, force an error message output, even
473 ** if the mailer seems to like to print its own
474 ** messages.
475 ** m -- the mailer descriptor for this mailer.
476 **
477 ** Returns:
478 ** none.
479 **
480 ** Side Effects:
481 ** Errors may be incremented.
482 ** ExitStat may be set.
483 */
484
485 giveresponse(stat, force, m)
486 int stat;
487 int force;
488 register struct mailer *m;
489 {
490 register char *statmsg;
491 extern char *SysExMsg[];
492 register int i;
493 extern int N_SysEx;
494 char buf[30];
495
496 /*
497 ** Compute status message from code.
498 */
499
500 i = stat - EX__BASE;
501 if (i < 0 || i > N_SysEx)
502 statmsg = NULL;
503 else
504 statmsg = SysExMsg[i];
505 if (stat == 0)
506 {
507 if (bitset(M_LOCAL, m->m_flags))
508 statmsg = "delivered";
509 else
510 statmsg = "queued";
511 if (Verbose)
512 message(Arpa_Info, statmsg);
513 }
514 else
515 {
516 Errors++;
517 if (statmsg == NULL && m->m_badstat != 0)
518 {
519 stat = m->m_badstat;
520 i = stat - EX__BASE;
521 # ifdef DEBUG
522 if (i < 0 || i >= N_SysEx)
523 syserr("Bad m_badstat %d", stat);
524 else
525 # endif DEBUG
526 statmsg = SysExMsg[i];
527 }
528 if (statmsg == NULL)
529 usrerr("unknown mailer response %d", stat);
530 else if (force || !bitset(M_QUIET, m->m_flags) || Verbose)
531 usrerr("%s", statmsg);
532 }
533
534 /*
535 ** Final cleanup.
536 ** Log a record of the transaction. Compute the new
537 ** ExitStat -- if we already had an error, stick with
538 ** that.
539 */
540
541 if (statmsg == NULL)
542 {
543 (void) sprintf(buf, "error %d", stat);
544 statmsg = buf;
545 }
546
547 # ifdef LOG
548 syslog(LOG_INFO, "%s->%s: %ld: %s", From.q_paddr, To, MsgSize, statmsg);
549 # endif LOG
550 setstat(stat);
551 }
552 �/*
553 ** PUTMESSAGE -- output a message to the final mailer.
554 **
555 ** This routine takes care of recreating the header from the
556 ** in-core copy, etc.
557 **
558 ** Parameters:
559 ** fp -- file to output onto.
560 ** m -- a mailer descriptor.
561 **
562 ** Returns:
563 ** none.
564 **
565 ** Side Effects:
566 ** The message is written onto fp.
567 */
568
569 putmessage(fp, m)
570 FILE *fp;
571 struct mailer *m;
572 {
573 char buf[BUFSIZ];
574 register int i;
575 register HDR *h;
576 extern char *arpadate();
577 bool anyheader = FALSE;
578 extern char *capitalize();
579 extern char *hvalue();
580 extern bool samefrom();
581
582 /*
583 ** Output "From" line unless supressed
584 */
585
586 if (!bitset(M_NHDR, m->m_flags))
587 {
588 (void) expand("$l", buf, &buf[sizeof buf - 1]);
589 fprintf(fp, "%s\n", buf);
590 }
591
592 /*
593 ** Output all header lines
594 */
595
596 for (h = Header; h != NULL; h = h->h_link)
597 {
598 register char *p;
599 char *origfrom = OrigFrom;
600
601 if (bitset(H_CHECK|H_ACHECK, h->h_flags) && !bitset(h->h_mflags, m->m_flags))
602 {
603 p = ")><("; /* can't happen (I hope) */
604 goto checkfrom;
605 }
606 if (strcmp(h->h_field, "from") == 0 && origfrom != NULL &&
607 strcmp(m->m_from, "$f") == 0)
608 {
609 p = origfrom;
610 origfrom = NULL;
611 }
612 else if (bitset(H_DEFAULT, h->h_flags))
613 {
614 (void) expand(h->h_value, buf, &buf[sizeof buf]);
615 p = buf;
616 }
617 else
618 p = h->h_value;
619 if (*p == '\0')
620 continue;
621 fprintf(fp, "%s: %s\n", capitalize(h->h_field), p);
622 h->h_flags |= H_USED;
623 anyheader = TRUE;
624
625 /* hack, hack -- output Original-From field if different */
626 checkfrom:
627 if (strcmp(h->h_field, "from") == 0 && origfrom != NULL &&
628 !samefrom(p, origfrom) && hvalue("original-from") == NULL)
629 {
630 fprintf(fp, "Original-From: %s\n", origfrom);
631 anyheader = TRUE;
632 }
633 }
634 if (anyheader)
635 fprintf(fp, "\n");
636
637 /*
638 ** Output the body of the message
639 */
640
641 rewind(TempFile);
642 while (!ferror(fp) && (i = fread(buf, 1, BUFSIZ, TempFile)) > 0)
643 (void) fwrite(buf, 1, i, fp);
644
645 if (ferror(fp) && errno != EPIPE)
646 {
647 syserr("putmessage: write error");
648 setstat(EX_IOERR);
649 }
650 errno = 0;
651 }
652 �/*
653 ** SAMEFROM -- tell if two text addresses represent the same from address.
654 **
655 ** Parameters:
656 ** ifrom -- internally generated form of from address.
657 ** efrom -- external form of from address.
658 **
659 ** Returns:
660 ** TRUE -- if they convey the same info.
661 ** FALSE -- if any information has been lost.
662 **
663 ** Side Effects:
664 ** none.
665 */
666
667 bool
668 samefrom(ifrom, efrom)
669 char *ifrom;
670 char *efrom;
671 {
672 return (strcmp(ifrom, efrom) == 0);
673 }
674 �/*
675 ** MAILFILE -- Send a message to a file.
676 **
677 ** If the file has the setuid/setgid bits set, but NO execute
678 ** bits, sendmail will try to become the owner of that file
679 ** rather than the real user. Obviously, this only works if
680 ** sendmail runs as root.
681 **
682 ** Parameters:
683 ** filename -- the name of the file to send to.
684 ** ctladdr -- the controlling address header -- includes
685 ** the userid/groupid to be when sending.
686 **
687 ** Returns:
688 ** The exit code associated with the operation.
689 **
690 ** Side Effects:
691 ** none.
692 */
693
694 mailfile(filename, ctladdr)
695 char *filename;
696 ADDRESS *ctladdr;
697 {
698 register FILE *f;
699 register int pid;
700
701 /*
702 ** Fork so we can change permissions here.
703 ** Note that we MUST use fork, not vfork, because of
704 ** the complications of calling subroutines, etc.
705 */
706
707 DOFORK(fork);
708
709 if (pid < 0)
710 return (EX_OSERR);
711 else if (pid == 0)
712 {
713 /* child -- actually write to file */
714 struct stat stb;
715 extern int DefUid, DefGid;
716
717 (void) signal(SIGINT, SIG_DFL);
718 (void) signal(SIGHUP, SIG_DFL);
719 (void) signal(SIGTERM, SIG_DFL);
720 umask(OldUmask);
721 if (stat(filename, &stb) < 0)
722 stb.st_mode = 0;
723 if (bitset(0111, stb.st_mode))
724 exit(EX_CANTCREAT);
725 if (ctladdr == NULL)
726 ctladdr = &From;
727 if (!bitset(S_ISGID, stb.st_mode) || setgid(stb.st_gid) < 0)
728 {
729 if (ctladdr->q_uid == 0)
730 (void) setgid(DefGid);
731 else
732 (void) setgid(ctladdr->q_gid);
733 }
734 if (!bitset(S_ISUID, stb.st_mode) || setuid(stb.st_uid) < 0)
735 {
736 if (ctladdr->q_uid == 0)
737 (void) setuid(DefUid);
738 else
739 (void) setuid(ctladdr->q_uid);
740 }
741 f = fopen(filename, "a");
742 if (f == NULL)
743 exit(EX_CANTCREAT);
744
745 putmessage(f, Mailer[1]);
746 fputs("\n", f);
747 (void) fclose(f);
748 (void) fflush(stdout);
749
750 /* reset ISUID & ISGID bits */
751 (void) chmod(filename, stb.st_mode);
752 exit(EX_OK);
753 /*NOTREACHED*/
754 }
755 else
756 {
757 /* parent -- wait for exit status */
758 register int i;
759 auto int stat;
760
761 while ((i = wait(&stat)) != pid)
762 {
763 if (i < 0)
764 {
765 stat = EX_OSERR << 8;
766 break;
767 }
768 }
769 if ((stat & 0377) != 0)
770 stat = EX_UNAVAILABLE << 8;
771 return ((stat >> 8) & 0377);
772 }
773 }
774