1 /* $NetBSD: cleanup_api.c,v 1.3 2020/03/18 19:05:15 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* cleanup_api 3 6 /* SUMMARY 7 /* cleanup callable interface, message processing 8 /* SYNOPSIS 9 /* #include "cleanup.h" 10 /* 11 /* CLEANUP_STATE *cleanup_open(src) 12 /* VSTREAM *src; 13 /* 14 /* void cleanup_control(state, flags) 15 /* CLEANUP_STATE *state; 16 /* int flags; 17 /* 18 /* void CLEANUP_RECORD(state, type, buf, len) 19 /* CLEANUP_STATE *state; 20 /* int type; 21 /* char *buf; 22 /* int len; 23 /* 24 /* int cleanup_flush(state) 25 /* CLEANUP_STATE *state; 26 /* 27 /* int cleanup_free(state) 28 /* CLEANUP_STATE *state; 29 /* DESCRIPTION 30 /* This module implements a callable interface to the cleanup service 31 /* for processing one message and for writing it to queue file. 32 /* For a description of the cleanup service, see cleanup(8). 33 /* 34 /* cleanup_open() creates a new queue file and performs other 35 /* per-message initialization. The result is a handle that should be 36 /* given to the cleanup_control(), cleanup_record(), cleanup_flush() 37 /* and cleanup_free() routines. The name of the queue file is in the 38 /* queue_id result structure member. 39 /* 40 /* cleanup_control() processes per-message flags specified by the caller. 41 /* These flags control the handling of data errors, and must be set 42 /* before processing the first message record. 43 /* .IP CLEANUP_FLAG_BOUNCE 44 /* The cleanup server is responsible for returning undeliverable 45 /* mail (too many hops, message too large) to the sender. 46 /* .IP CLEANUP_FLAG_BCC_OK 47 /* It is OK to add automatic BCC recipient addresses. 48 /* .IP CLEANUP_FLAG_FILTER 49 /* Enable header/body filtering. This should be enabled only with mail 50 /* that enters Postfix, not with locally forwarded mail or with bounce 51 /* messages. 52 /* .IP CLEANUP_FLAG_MILTER 53 /* Enable Milter applications. This should be enabled only with mail 54 /* that enters Postfix, not with locally forwarded mail or with bounce 55 /* messages. 56 /* .IP CLEANUP_FLAG_MAP_OK 57 /* Enable canonical and virtual mapping, and address masquerading. 58 /* .PP 59 /* For convenience the CLEANUP_FLAG_MASK_EXTERNAL macro specifies 60 /* the options that are normally needed for mail that enters 61 /* Postfix from outside, and CLEANUP_FLAG_MASK_INTERNAL specifies 62 /* the options that are normally needed for internally generated or 63 /* forwarded mail. 64 /* 65 /* CLEANUP_RECORD() is a macro that processes one message record, 66 /* that copies the result to the queue file, and that maintains a 67 /* little state machine. The last record in a valid message has type 68 /* REC_TYPE_END. In order to find out if a message is corrupted, 69 /* the caller is encouraged to test the CLEANUP_OUT_OK(state) macro. 70 /* The result is false when further message processing is futile. 71 /* In that case, it is safe to call cleanup_flush() immediately. 72 /* 73 /* cleanup_flush() closes a queue file. In case of any errors, 74 /* the file is removed. The result value is non-zero in case of 75 /* problems. In some cases a human-readable text can be found in 76 /* the state->reason member. In all other cases, use cleanup_strerror() 77 /* to translate the result into human-readable text. 78 /* 79 /* cleanup_free() destroys its argument. 80 /* .IP CLEANUP_FLAG_SMTPUTF8 81 /* Request SMTPUTF8 support when delivering mail. 82 /* .IP CLEANUP_FLAG_AUTOUTF8 83 /* Autodetection: request SMTPUTF8 support if the message 84 /* contains an UTF8 message header, sender, or recipient. 85 /* DIAGNOSTICS 86 /* Problems and transactions are logged to \fBsyslogd\fR(8) 87 /* or \fBpostlogd\fR(8). 88 /* SEE ALSO 89 /* cleanup(8) cleanup service description. 90 /* cleanup_init(8) cleanup callable interface, initialization 91 /* LICENSE 92 /* .ad 93 /* .fi 94 /* The Secure Mailer license must be distributed with this software. 95 /* AUTHOR(S) 96 /* Wietse Venema 97 /* IBM T.J. Watson Research 98 /* P.O. Box 704 99 /* Yorktown Heights, NY 10598, USA 100 /* 101 /* Wietse Venema 102 /* Google, Inc. 103 /* 111 8th Avenue 104 /* New York, NY 10011, USA 105 /*--*/ 106 107 /* System library. */ 108 109 #include <sys_defs.h> 110 #include <errno.h> 111 112 /* Utility library. */ 113 114 #include <msg.h> 115 #include <vstring.h> 116 #include <mymalloc.h> 117 118 /* Global library. */ 119 120 #include <cleanup_user.h> 121 #include <mail_queue.h> 122 #include <mail_proto.h> 123 #include <bounce.h> 124 #include <mail_params.h> 125 #include <mail_stream.h> 126 #include <mail_flow.h> 127 #include <rec_type.h> 128 #include <smtputf8.h> 129 130 /* Milter library. */ 131 132 #include <milter.h> 133 134 /* Application-specific. */ 135 136 #include "cleanup.h" 137 138 /* cleanup_open - open queue file and initialize */ 139 140 CLEANUP_STATE *cleanup_open(VSTREAM *src) 141 { 142 CLEANUP_STATE *state; 143 static const char *log_queues[] = { 144 MAIL_QUEUE_DEFER, 145 MAIL_QUEUE_BOUNCE, 146 MAIL_QUEUE_TRACE, 147 0, 148 }; 149 const char **cpp; 150 151 /* 152 * Initialize private state. 153 */ 154 state = cleanup_state_alloc(src); 155 156 /* 157 * Open the queue file. Save the queue file name in a global variable, so 158 * that the runtime error handler can clean up in case of problems. 159 * 160 * XXX For now, a lot of detail is frozen that could be more useful if it 161 * were made configurable. 162 */ 163 state->queue_name = mystrdup(MAIL_QUEUE_INCOMING); 164 state->handle = mail_stream_file(state->queue_name, 165 MAIL_CLASS_PUBLIC, var_queue_service, 0); 166 state->dst = state->handle->stream; 167 cleanup_path = mystrdup(VSTREAM_PATH(state->dst)); 168 state->queue_id = mystrdup(state->handle->id); 169 if (msg_verbose) 170 msg_info("cleanup_open: open %s", cleanup_path); 171 172 /* 173 * If there is a time to get rid of spurious log files, this is it. The 174 * down side is that this costs performance for every message, while the 175 * probability of spurious log files is quite low. 176 * 177 * XXX The defer logfile is deleted when the message is moved into the 178 * active queue. We must also remove it now, otherwise mailq produces 179 * nonsense. 180 */ 181 for (cpp = log_queues; *cpp; cpp++) { 182 if (mail_queue_remove(*cpp, state->queue_id) == 0) 183 msg_warn("%s: removed spurious %s log", *cpp, state->queue_id); 184 else if (errno != ENOENT) 185 msg_fatal("%s: remove %s log: %m", *cpp, state->queue_id); 186 } 187 return (state); 188 } 189 190 /* cleanup_control - process client options */ 191 192 void cleanup_control(CLEANUP_STATE *state, int flags) 193 { 194 195 /* 196 * If the client requests us to do the bouncing in case of problems, 197 * throw away the input only in case of real show-stopper errors, such as 198 * unrecognizable data (which should never happen) or insufficient space 199 * for the queue file (which will happen occasionally). Otherwise, 200 * discard input after any lethal error. See the CLEANUP_OUT_OK() macro 201 * definition. 202 */ 203 if (msg_verbose) 204 msg_info("cleanup flags = %s", cleanup_strflags(flags)); 205 if ((state->flags = flags) & CLEANUP_FLAG_BOUNCE) { 206 state->err_mask = CLEANUP_STAT_MASK_INCOMPLETE; 207 } else { 208 state->err_mask = ~0; 209 } 210 if (state->flags & CLEANUP_FLAG_SMTPUTF8) 211 state->smtputf8 = SMTPUTF8_FLAG_REQUESTED; 212 } 213 214 /* cleanup_flush - finish queue file */ 215 216 int cleanup_flush(CLEANUP_STATE *state) 217 { 218 int status; 219 char *junk; 220 VSTRING *trace_junk; 221 222 /* 223 * Raise these errors only if we examined all queue file records. 224 */ 225 if (CLEANUP_OUT_OK(state)) { 226 if (state->recip == 0) 227 state->errs |= CLEANUP_STAT_RCPT; 228 if ((state->flags & CLEANUP_FLAG_END_SEEN) == 0) 229 state->errs |= CLEANUP_STAT_BAD; 230 } 231 232 /* 233 * Status sanitization. Always report success when the discard flag was 234 * raised by some user-specified access rule. 235 */ 236 if (state->flags & CLEANUP_FLAG_DISCARD) 237 state->errs = 0; 238 239 /* 240 * Apply external mail filter. 241 * 242 * XXX Include test for a built-in action to tempfail this message. 243 */ 244 if (CLEANUP_MILTER_OK(state)) { 245 if (state->milters) 246 cleanup_milter_inspect(state, state->milters); 247 else if (cleanup_milters) { 248 cleanup_milter_emul_data(state, cleanup_milters); 249 if (CLEANUP_MILTER_OK(state)) 250 cleanup_milter_inspect(state, cleanup_milters); 251 } 252 } 253 254 /* 255 * Update the preliminary message size and count fields with the actual 256 * values. 257 */ 258 if (CLEANUP_OUT_OK(state)) 259 cleanup_final(state); 260 261 /* 262 * If there was an error that requires us to generate a bounce message 263 * (mail submitted with the Postfix sendmail command, mail forwarded by 264 * the local(8) delivery agent, or mail re-queued with "postsuper -r"), 265 * send a bounce notification, reset the error flags in case of success, 266 * and request deletion of the the incoming queue file and of the 267 * optional DSN SUCCESS records from virtual alias expansion. 268 * 269 * XXX It would make no sense to knowingly report success after we already 270 * have bounced all recipients, especially because the information in the 271 * DSN SUCCESS notice is completely redundant compared to the information 272 * in the bounce notice (however, both may be incomplete when the queue 273 * file size would exceed the safety limit). 274 * 275 * An alternative is to keep the DSN SUCCESS records and to delegate bounce 276 * notification to the queue manager, just like we already delegate 277 * success notification. This requires that we leave the undeliverable 278 * message in the incoming queue; versions up to 20050726 did exactly 279 * that. Unfortunately, this broke with over-size queue files, because 280 * the queue manager cannot handle incomplete queue files (and it should 281 * not try to do so). 282 */ 283 #define CAN_BOUNCE() \ 284 ((state->errs & CLEANUP_STAT_MASK_CANT_BOUNCE) == 0 \ 285 && state->sender != 0 \ 286 && (state->flags & CLEANUP_FLAG_BOUNCE) != 0) 287 288 if (state->errs != 0 && CAN_BOUNCE()) 289 cleanup_bounce(state); 290 291 /* 292 * Optionally, place the message on hold, but only if the message was 293 * received successfully and only if it's not being discarded for other 294 * reasons. This involves renaming the queue file before "finishing" it 295 * (or else the queue manager would grab it too early) and updating our 296 * own idea of the queue file name for error recovery and for error 297 * reporting purposes. 298 * 299 * XXX Include test for a built-in action to tempfail this message. 300 */ 301 if (state->errs == 0 && (state->flags & CLEANUP_FLAG_DISCARD) == 0) { 302 if ((state->flags & CLEANUP_FLAG_HOLD) != 0 303 #ifdef DELAY_ACTION 304 || state->defer_delay > 0 305 #endif 306 ) { 307 myfree(state->queue_name); 308 #ifdef DELAY_ACTION 309 state->queue_name = mystrdup((state->flags & CLEANUP_FLAG_HOLD) ? 310 MAIL_QUEUE_HOLD : MAIL_QUEUE_DEFERRED); 311 #else 312 state->queue_name = mystrdup(MAIL_QUEUE_HOLD); 313 #endif 314 mail_stream_ctl(state->handle, 315 CA_MAIL_STREAM_CTL_QUEUE(state->queue_name), 316 CA_MAIL_STREAM_CTL_CLASS((char *) 0), 317 CA_MAIL_STREAM_CTL_SERVICE((char *) 0), 318 #ifdef DELAY_ACTION 319 CA_MAIL_STREAM_CTL_DELAY(state->defer_delay), 320 #endif 321 CA_MAIL_STREAM_CTL_END); 322 junk = cleanup_path; 323 cleanup_path = mystrdup(VSTREAM_PATH(state->handle->stream)); 324 myfree(junk); 325 326 /* 327 * XXX: When delivering to a non-incoming queue, do not consume 328 * in_flow tokens. Unfortunately we can't move the code that 329 * consumes tokens until after the mail is received, because that 330 * would increase the risk of duplicate deliveries (RFC 1047). 331 */ 332 (void) mail_flow_put(1); 333 } 334 state->errs = mail_stream_finish(state->handle, (VSTRING *) 0); 335 } else { 336 337 /* 338 * XXX: When discarding mail, should we consume in_flow tokens? See 339 * also the comments above for mail that is placed on hold. 340 */ 341 #if 0 342 (void) mail_flow_put(1); 343 #endif 344 mail_stream_cleanup(state->handle); 345 } 346 state->handle = 0; 347 state->dst = 0; 348 349 /* 350 * If there was an error, or if the message must be discarded for other 351 * reasons, remove the queue file and the optional trace file with DSN 352 * SUCCESS records from virtual alias expansion. 353 */ 354 if (state->errs != 0 || (state->flags & CLEANUP_FLAG_DISCARD) != 0) { 355 if (cleanup_trace_path) 356 (void) REMOVE(vstring_str(cleanup_trace_path)); 357 if (REMOVE(cleanup_path)) 358 msg_warn("remove %s: %m", cleanup_path); 359 } 360 361 /* 362 * Make sure that our queue file will not be deleted by the error handler 363 * AFTER we have taken responsibility for delivery. Better to deliver 364 * twice than to lose mail. 365 */ 366 trace_junk = cleanup_trace_path; 367 cleanup_trace_path = 0; /* don't delete upon error */ 368 junk = cleanup_path; 369 cleanup_path = 0; /* don't delete upon error */ 370 371 if (trace_junk) 372 vstring_free(trace_junk); 373 myfree(junk); 374 375 /* 376 * Cleanup internal state. This is simply complementary to the 377 * initializations at the beginning of cleanup_open(). 378 */ 379 if (msg_verbose) 380 msg_info("cleanup_flush: status %d", state->errs); 381 status = state->errs; 382 return (status); 383 } 384 385 /* cleanup_free - pay the last respects */ 386 387 void cleanup_free(CLEANUP_STATE *state) 388 { 389 390 /* 391 * Emulate disconnect event. CLEANUP_FLAG_MILTER may be turned off after 392 * we have started. 393 */ 394 if (cleanup_milters != 0 && state->milters == 0) 395 milter_disc_event(cleanup_milters); 396 cleanup_state_free(state); 397 } 398