xref: /netbsd-src/external/ibm-public/postfix/dist/src/local/local.c (revision d90047b5d07facf36e6c01dcc0bded8997ce9cc2)
1 /*	$NetBSD: local.c,v 1.3 2020/03/18 19:05:16 christos Exp $	*/
2 
3 /*++
4 /* NAME
5 /*	local 8
6 /* SUMMARY
7 /*	Postfix local mail delivery
8 /* SYNOPSIS
9 /*	\fBlocal\fR [generic Postfix daemon options]
10 /* DESCRIPTION
11 /*	The \fBlocal\fR(8) daemon processes delivery requests from the
12 /*	Postfix queue manager to deliver mail to local recipients.
13 /*	Each delivery request specifies a queue file, a sender address,
14 /*	a domain or host to deliver to, and one or more recipients.
15 /*	This program expects to be run from the \fBmaster\fR(8) process
16 /*	manager.
17 /*
18 /*	The \fBlocal\fR(8) daemon updates queue files and marks recipients
19 /*	as finished, or it informs the queue manager that delivery should
20 /*	be tried again at a later time. Delivery status reports are sent
21 /*	to the \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemon as
22 /*	appropriate.
23 /* CASE FOLDING
24 /* .ad
25 /* .fi
26 /*	All delivery decisions are made using the bare recipient
27 /*	name (i.e. the address localpart), folded to lower case.
28 /*	See also under ADDRESS EXTENSION below for a few exceptions.
29 /* SYSTEM-WIDE AND USER-LEVEL ALIASING
30 /* .ad
31 /* .fi
32 /*	The system administrator can set up one or more system-wide
33 /*	\fBsendmail\fR-style alias databases.
34 /*	Users can have \fBsendmail\fR-style ~/.\fBforward\fR files.
35 /*	Mail for \fIname\fR is delivered to the alias \fIname\fR, to
36 /*	destinations in ~\fIname\fR/.\fBforward\fR, to the mailbox owned
37 /*	by the user \fIname\fR, or it is sent back as undeliverable.
38 /*
39 /*	The system administrator can specify a comma/space separated list
40 /*	of ~\fR/.\fBforward\fR like files through the \fBforward_path\fR
41 /*	configuration parameter. Upon delivery, the local delivery agent
42 /*	tries each pathname in the list until a file is found.
43 /*
44 /*	Delivery via ~/.\fBforward\fR files is done with the privileges
45 /*	of the recipient.
46 /*	Thus, ~/.\fBforward\fR like files must be readable by the
47 /*	recipient, and their parent directory needs to have "execute"
48 /*	permission for the recipient.
49 /*
50 /*	The \fBforward_path\fR parameter is subject to interpolation of
51 /*	\fB$user\fR (recipient username), \fB$home\fR (recipient home
52 /*	directory), \fB$shell\fR (recipient shell), \fB$recipient\fR
53 /*	(complete recipient address), \fB$extension\fR (recipient address
54 /*	extension), \fB$domain\fR (recipient domain), \fB$local\fR
55 /*	(entire recipient address localpart) and
56 /*	\fB$recipient_delimiter.\fR The forms \fI${name?value}\fR and
57 /*	\fI${name:value}\fR expand conditionally to \fIvalue\fR when
58 /*	\fI$name\fR is (is not) defined.
59 /*	Characters that may have special meaning to the shell or file system
60 /*	are replaced by underscores.  The list of acceptable characters
61 /*	is specified with the \fBforward_expansion_filter\fR configuration
62 /*	parameter.
63 /*
64 /*	An alias or ~/.\fBforward\fR file may list any combination of external
65 /*	commands, destination file names, \fB:include:\fR directives, or
66 /*	mail addresses.
67 /*	See \fBaliases\fR(5) for a precise description. Each line in a
68 /*	user's .\fBforward\fR file has the same syntax as the right-hand part
69 /*	of an alias.
70 /*
71 /*	When an address is found in its own alias expansion, delivery is
72 /*	made to the user instead. When a user is listed in the user's own
73 /*	~/.\fBforward\fR file, delivery is made to the user's mailbox instead.
74 /*	An empty ~/.\fBforward\fR file means do not forward mail.
75 /*
76 /*	In order to prevent the mail system from using up unreasonable
77 /*	amounts of memory, input records read from \fB:include:\fR or from
78 /*	~/.\fBforward\fR files are broken up into chunks of length
79 /*	\fBline_length_limit\fR.
80 /*
81 /*	While expanding aliases, ~/.\fBforward\fR files, and so on, the
82 /*	program attempts to avoid duplicate deliveries. The
83 /*	\fBduplicate_filter_limit\fR configuration parameter limits the
84 /*	number of remembered recipients.
85 /* MAIL FORWARDING
86 /* .ad
87 /* .fi
88 /*	For the sake of reliability, forwarded mail is re-submitted as
89 /*	a new message, so that each recipient has a separate on-file
90 /*	delivery status record.
91 /*
92 /*	In order to stop mail forwarding loops early, the software adds an
93 /*	optional
94 /*	\fBDelivered-To:\fR header with the final envelope recipient address. If
95 /*	mail arrives for a recipient that is already listed in a
96 /*	\fBDelivered-To:\fR header, the message is bounced.
97 /* MAILBOX DELIVERY
98 /* .ad
99 /* .fi
100 /*	The default per-user mailbox is a file in the UNIX mail spool
101 /*	directory (\fB/var/mail/\fIuser\fR or \fB/var/spool/mail/\fIuser\fR);
102 /*	the location can be specified with the \fBmail_spool_directory\fR
103 /*	configuration parameter. Specify a name ending in \fB/\fR for
104 /*	\fBqmail\fR-compatible \fBmaildir\fR delivery.
105 /*
106 /*	Alternatively, the per-user mailbox can be a file in the user's home
107 /*	directory with a name specified via the \fBhome_mailbox\fR
108 /*	configuration parameter. Specify a relative path name. Specify a name
109 /*	ending in \fB/\fR for \fBqmail\fR-compatible \fBmaildir\fR delivery.
110 /*
111 /*	Mailbox delivery can be delegated to an external command specified
112 /*	with the \fBmailbox_command_maps\fR and \fBmailbox_command\fR
113 /*	configuration parameters. The command
114 /*	executes with the privileges of the recipient user (exceptions:
115 /*	secondary groups are not enabled; in case of delivery as root,
116 /*	the command executes with the privileges of \fBdefault_privs\fR).
117 /*
118 /*	Mailbox delivery can be delegated to alternative message transports
119 /*	specified in the \fBmaster.cf\fR file.
120 /*	The \fBmailbox_transport_maps\fR and \fBmailbox_transport\fR
121 /*	configuration parameters specify an optional
122 /*	message transport that is to be used for all local recipients,
123 /*	regardless of whether they are found in the UNIX passwd database.
124 /*	The \fBfallback_transport_maps\fR and
125 /*	\fBfallback_transport\fR parameters specify an optional
126 /*	message transport
127 /*	for recipients that are not found in the aliases(5) or UNIX
128 /*	passwd database.
129 /*
130 /*	In the case of UNIX-style mailbox delivery,
131 /*	the \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR"
132 /*	envelope header to each message, prepends an
133 /*	\fBX-Original-To:\fR header with the recipient address as given to
134 /*	Postfix, prepends an
135 /*	optional \fBDelivered-To:\fR header
136 /*	with the final envelope recipient address, prepends a \fBReturn-Path:\fR
137 /*	header with the envelope sender address, prepends a \fB>\fR character
138 /*	to lines beginning with "\fBFrom \fR", and appends an empty line.
139 /*	The mailbox is locked for exclusive access while delivery is in
140 /*	progress. In case of problems, an attempt is made to truncate the
141 /*	mailbox to its original length.
142 /*
143 /*	In the case of \fBmaildir\fR delivery, the local daemon prepends
144 /*	an optional
145 /*	\fBDelivered-To:\fR header with the final envelope recipient address,
146 /*	prepends an
147 /*	\fBX-Original-To:\fR header with the recipient address as given to
148 /*	Postfix,
149 /*	and prepends a \fBReturn-Path:\fR header with the envelope sender
150 /*	address.
151 /* EXTERNAL COMMAND DELIVERY
152 /* .ad
153 /* .fi
154 /*	The \fBallow_mail_to_commands\fR configuration parameter restricts
155 /*	delivery to external commands. The default setting (\fBalias,
156 /*	forward\fR) forbids command destinations in \fB:include:\fR files.
157 /*
158 /*	Optionally, the process working directory is changed to the path
159 /*	specified with \fBcommand_execution_directory\fR (Postfix 2.2 and
160 /*	later). Failure to change directory causes mail to be deferred.
161 /*
162 /*	The \fBcommand_execution_directory\fR parameter value is subject
163 /*	to interpolation of \fB$user\fR (recipient username),
164 /*	\fB$home\fR (recipient home directory), \fB$shell\fR
165 /*	(recipient shell), \fB$recipient\fR (complete recipient
166 /*	address), \fB$extension\fR (recipient address extension),
167 /*	\fB$domain\fR (recipient domain), \fB$local\fR (entire
168 /*	recipient address localpart) and \fB$recipient_delimiter.\fR
169 /*	The forms \fI${name?value}\fR and \fI${name:value}\fR expand
170 /*	conditionally to \fIvalue\fR when \fI$name\fR is (is not)
171 /*	defined.  Characters that may have special meaning to the
172 /*	shell or file system are replaced by underscores.  The list
173 /*	of acceptable characters is specified with the
174 /*	\fBexecution_directory_expansion_filter\fR configuration
175 /*	parameter.
176 /*
177 /*	The command is executed directly where possible. Assistance by the
178 /*	shell (\fB/bin/sh\fR on UNIX systems) is used only when the command
179 /*	contains shell magic characters, or when the command invokes a shell
180 /*	built-in command.
181 /*
182 /*	A limited amount of command output (standard output and standard
183 /*	error) is captured for inclusion with non-delivery status reports.
184 /*	A command is forcibly terminated if it does not complete within
185 /*	\fBcommand_time_limit\fR seconds.  Command exit status codes are
186 /*	expected to follow the conventions defined in <\fBsysexits.h\fR>.
187 /*	Exit status 0 means normal successful completion.
188 /*
189 /*	Postfix version 2.3 and later support RFC 3463-style enhanced
190 /*	status codes.  If a command terminates with a non-zero exit
191 /*	status, and the command output begins with an enhanced
192 /*	status code, this status code takes precedence over the
193 /*	non-zero exit status.
194 /*
195 /*	A limited amount of message context is exported via environment
196 /*	variables. Characters that may have special meaning to the shell
197 /*	are replaced by underscores.  The list of acceptable characters
198 /*	is specified with the \fBcommand_expansion_filter\fR configuration
199 /*	parameter.
200 /* .IP \fBSHELL\fR
201 /*	The recipient user's login shell.
202 /* .IP \fBHOME\fR
203 /*	The recipient user's home directory.
204 /* .IP \fBUSER\fR
205 /*	The bare recipient name.
206 /* .IP \fBEXTENSION\fR
207 /*	The optional recipient address extension.
208 /* .IP \fBDOMAIN\fR
209 /*	The recipient address domain part.
210 /* .IP \fBLOGNAME\fR
211 /*	The bare recipient name.
212 /* .IP \fBLOCAL\fR
213 /*	The entire recipient address localpart (text to the left of the
214 /*	rightmost @ character).
215 /* .IP \fBORIGINAL_RECIPIENT\fR
216 /*	The entire recipient address, before any address rewriting
217 /*	or aliasing (Postfix 2.5 and later).
218 /* .IP \fBRECIPIENT\fR
219 /*	The entire recipient address.
220 /* .IP \fBSENDER\fR
221 /*	The entire sender address.
222 /* .PP
223 /*	Additional remote client information is made available via
224 /*	the following environment variables:
225 /* .IP \fBCLIENT_ADDRESS\fR
226 /*	Remote client network address. Available as of Postfix 2.2.
227 /* .IP \fBCLIENT_HELO\fR
228 /*	Remote client EHLO command parameter. Available as of Postfix 2.2.
229 /* .IP \fBCLIENT_HOSTNAME\fR
230 /*	Remote client hostname. Available as of Postfix 2.2.
231 /* .IP \fBCLIENT_PROTOCOL\fR
232 /*	Remote client protocol. Available as of Postfix 2.2.
233 /* .IP \fBSASL_METHOD\fR
234 /*	SASL authentication method specified in the
235 /*	remote client AUTH command. Available as of Postfix 2.2.
236 /* .IP \fBSASL_SENDER\fR
237 /*	SASL sender address specified in the remote client MAIL
238 /*	FROM command. Available as of Postfix 2.2.
239 /* .IP \fBSASL_USERNAME\fR
240 /*	SASL username specified in the remote client AUTH command.
241 /*	Available as of Postfix 2.2.
242 /* .PP
243 /*	The \fBPATH\fR environment variable is always reset to a
244 /*	system-dependent default path, and environment variables
245 /*	whose names are blessed by the \fBexport_environment\fR
246 /*	configuration parameter are exported unchanged.
247 /*
248 /*	The current working directory is the mail queue directory.
249 /*
250 /*	The \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR"
251 /*	envelope header to each message, prepends an
252 /*	\fBX-Original-To:\fR header with the recipient address as given to
253 /*	Postfix, prepends an
254 /*	optional \fBDelivered-To:\fR
255 /*	header with the final recipient envelope address, prepends a
256 /*	\fBReturn-Path:\fR header with the sender envelope address,
257 /*	and appends no empty line.
258 /* EXTERNAL FILE DELIVERY
259 /* .ad
260 /* .fi
261 /*	The delivery format depends on the destination filename syntax.
262 /*	The default is to use UNIX-style mailbox format.  Specify a name
263 /*	ending in \fB/\fR for \fBqmail\fR-compatible \fBmaildir\fR delivery.
264 /*
265 /*	The \fBallow_mail_to_files\fR configuration parameter restricts
266 /*	delivery to external files. The default setting (\fBalias,
267 /*	forward\fR) forbids file destinations in \fB:include:\fR files.
268 /*
269 /*	In the case of UNIX-style mailbox delivery,
270 /*	the \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR"
271 /*	envelope header to each message, prepends an
272 /*	\fBX-Original-To:\fR header with the recipient address as given to
273 /*	Postfix, prepends an
274 /*	optional \fBDelivered-To:\fR
275 /*	header with the final recipient envelope address, prepends a \fB>\fR
276 /*	character to lines beginning with "\fBFrom \fR", and appends an
277 /*	empty line.
278 /*	The envelope sender address is available in the \fBReturn-Path:\fR
279 /*	header.
280 /*	When the destination is a regular file, it is locked for exclusive
281 /*	access while delivery is in progress. In case of problems, an attempt
282 /*	is made to truncate a regular file to its original length.
283 /*
284 /*	In the case of \fBmaildir\fR delivery, the local daemon prepends
285 /*	an optional
286 /*	\fBDelivered-To:\fR header with the final envelope recipient address,
287 /*	and prepends an
288 /*	\fBX-Original-To:\fR header with the recipient address as given to
289 /*	Postfix.
290 /*	The envelope sender address is available in the \fBReturn-Path:\fR
291 /*	header.
292 /* ADDRESS EXTENSION
293 /* .ad
294 /* .fi
295 /*	The optional \fBrecipient_delimiter\fR configuration parameter
296 /*	specifies how to separate address extensions from local recipient
297 /*	names.
298 /*
299 /*	For example, with "\fBrecipient_delimiter = +\fR", mail for
300 /*	\fIname\fR+\fIfoo\fR is delivered to the alias \fIname\fR+\fIfoo\fR
301 /*	or to the alias \fIname\fR, to the destinations listed in
302 /*	~\fIname\fR/.\fBforward\fR+\fIfoo\fR or in ~\fIname\fR/.\fBforward\fR,
303 /*	to the mailbox owned by the user \fIname\fR, or it is sent back as
304 /*	undeliverable.
305 /* DELIVERY RIGHTS
306 /* .ad
307 /* .fi
308 /*	Deliveries to external files and external commands are made with
309 /*	the rights of the receiving user on whose behalf the delivery is made.
310 /*	In the absence of a user context, the \fBlocal\fR(8) daemon uses the
311 /*	owner rights of the \fB:include:\fR file or alias database.
312 /*	When those files are owned by the superuser, delivery is made with
313 /*	the rights specified with the \fBdefault_privs\fR configuration
314 /*	parameter.
315 /* STANDARDS
316 /*	RFC 822 (ARPA Internet Text Messages)
317 /*	RFC 3463 (Enhanced status codes)
318 /* DIAGNOSTICS
319 /*	Problems and transactions are logged to \fBsyslogd\fR(8)
320 /*	or \fBpostlogd\fR(8).
321 /*	Corrupted message files are marked so that the queue
322 /*	manager can move them to the \fBcorrupt\fR queue afterwards.
323 /*
324 /*	Depending on the setting of the \fBnotify_classes\fR parameter,
325 /*	the postmaster is notified of bounces and of other trouble.
326 /* SECURITY
327 /* .ad
328 /* .fi
329 /*	The \fBlocal\fR(8) delivery agent needs a dual personality
330 /*	1) to access the private Postfix queue and IPC mechanisms,
331 /*	2) to impersonate the recipient and deliver to recipient-specified
332 /*	files or commands. It is therefore security sensitive.
333 /*
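334 /*	The \fBlocal\fR(8) delivery agent disallows regular expression
335 /*	substitution of $1 etc. in \fBalias_maps\fR, because that
336 /*	would open a security hole: the substituted text comes from the
    /*	recipient address, which the sender chooses, and an alias result
    /*	may name an external command or a destination file.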
337 /*
338 /*	The \fBlocal\fR(8) delivery agent will silently ignore
339 /*	requests to use the \fBproxymap\fR(8) server within
340 /*	\fBalias_maps\fR. Instead it will open the table directly.
341 /*	Before Postfix version 2.2, the \fBlocal\fR(8) delivery
342 /*	agent will terminate with a fatal error.
343 /* BUGS
344 /*	For security reasons, the message delivery status of external commands
345 /*	or of external files is never checkpointed to file. As a result,
346 /*	the program may occasionally deliver more than once to a command or
347 /*	external file. Better safe than sorry.
348 /*
349 /*	Mutually-recursive aliases or ~/.\fBforward\fR files are not detected
350 /*	early.  The resulting mail forwarding loop is broken by the use of the
351 /*	\fBDelivered-To:\fR message header.
352 /* CONFIGURATION PARAMETERS
353 /* .ad
354 /* .fi
355 /*	Changes to \fBmain.cf\fR are picked up automatically, as \fBlocal\fR(8)
356 /*	processes run for only a limited amount of time. Use the command
357 /*	"\fBpostfix reload\fR" to speed up a change.
358 /*
359 /*	The text below provides only a parameter summary. See
360 /*	\fBpostconf\fR(5) for more details including examples.
361 /* COMPATIBILITY CONTROLS
362 /* .ad
363 /* .fi
364 /* .IP "\fBbiff (yes)\fR"
365 /*	Whether or not to use the local biff service.
366 /* .IP "\fBexpand_owner_alias (no)\fR"
367 /*	When delivering to an alias "\fIaliasname\fR" that has an
368 /*	"owner-\fIaliasname\fR" companion alias, set the envelope sender
369 /*	address to the expansion of the "owner-\fIaliasname\fR" alias.
370 /* .IP "\fBowner_request_special (yes)\fR"
371 /*	Enable special treatment for owner-\fIlistname\fR entries in the
372 /*	\fBaliases\fR(5) file, and don't split owner-\fIlistname\fR and
373 /*	\fIlistname\fR-request address localparts when the recipient_delimiter
374 /*	is set to "-".
375 /* .IP "\fBsun_mailtool_compatibility (no)\fR"
376 /*	Obsolete SUN mailtool compatibility feature.
377 /* .PP
378 /*	Available in Postfix version 2.3 and later:
379 /* .IP "\fBfrozen_delivered_to (yes)\fR"
380 /*	Update the \fBlocal\fR(8) delivery agent's idea of the Delivered-To:
381 /*	address (see prepend_delivered_header) only once, at the start of
382 /*	a delivery attempt; do not update the Delivered-To: address while
383 /*	expanding aliases or .forward files.
384 /* .PP
385 /*	Available in Postfix version 2.5.3 and later:
386 /* .IP "\fBstrict_mailbox_ownership (yes)\fR"
387 /*	Defer delivery when a mailbox file is not owned by its recipient.
388 /* .IP "\fBreset_owner_alias (no)\fR"
389 /*	Reset the \fBlocal\fR(8) delivery agent's idea of the owner-alias
390 /*	attribute, when delivering mail to a child alias that does not have
391 /*	its own owner alias.
392 /* .PP
393 /*	Available in Postfix version 3.0 and later:
394 /* .IP "\fBlocal_delivery_status_filter ($default_delivery_status_filter)\fR"
395 /*	Optional filter for the \fBlocal\fR(8) delivery agent to change the
396 /*	status code or explanatory text of successful or unsuccessful
397 /*	deliveries.
398 /* DELIVERY METHOD CONTROLS
399 /* .ad
400 /* .fi
401 /*	The precedence of \fBlocal\fR(8) delivery methods from high to low is:
402 /*	aliases, .forward files, mailbox_transport_maps,
403 /*	mailbox_transport, mailbox_command_maps, mailbox_command,
404 /*	home_mailbox, mail_spool_directory, fallback_transport_maps,
405 /*	fallback_transport, and luser_relay.
406 /* .IP "\fBalias_maps (see 'postconf -d' output)\fR"
407 /*	The alias databases that are used for \fBlocal\fR(8) delivery.
408 /* .IP "\fBforward_path (see 'postconf -d' output)\fR"
409 /*	The \fBlocal\fR(8) delivery agent search list for finding a .forward
410 /*	file with user-specified delivery methods.
411 /* .IP "\fBmailbox_transport_maps (empty)\fR"
412 /*	Optional lookup tables with per-recipient message delivery
413 /*	transports to use for \fBlocal\fR(8) mailbox delivery, whether or not the
414 /*	recipients are found in the UNIX passwd database.
415 /* .IP "\fBmailbox_transport (empty)\fR"
416 /*	Optional message delivery transport that the \fBlocal\fR(8) delivery
417 /*	agent should use for mailbox delivery to all local recipients,
418 /*	whether or not they are found in the UNIX passwd database.
419 /* .IP "\fBmailbox_command_maps (empty)\fR"
420 /*	Optional lookup tables with per-recipient external commands to use
421 /*	for \fBlocal\fR(8) mailbox delivery.
422 /* .IP "\fBmailbox_command (empty)\fR"
423 /*	Optional external command that the \fBlocal\fR(8) delivery agent should
424 /*	use for mailbox delivery.
425 /* .IP "\fBhome_mailbox (empty)\fR"
426 /*	Optional pathname of a mailbox file relative to a \fBlocal\fR(8) user's
427 /*	home directory.
428 /* .IP "\fBmail_spool_directory (see 'postconf -d' output)\fR"
429 /*	The directory where \fBlocal\fR(8) UNIX-style mailboxes are kept.
430 /* .IP "\fBfallback_transport_maps (empty)\fR"
431 /*	Optional lookup tables with per-recipient message delivery
432 /*	transports for recipients that the \fBlocal\fR(8) delivery agent could
433 /*	not find in the \fBaliases\fR(5) or UNIX password database.
434 /* .IP "\fBfallback_transport (empty)\fR"
435 /*	Optional message delivery transport that the \fBlocal\fR(8) delivery
436 /*	agent should use for names that are not found in the \fBaliases\fR(5)
437 /*	or UNIX password database.
438 /* .IP "\fBluser_relay (empty)\fR"
439 /*	Optional catch-all destination for unknown \fBlocal\fR(8) recipients.
440 /* .PP
441 /*	Available in Postfix version 2.2 and later:
442 /* .IP "\fBcommand_execution_directory (empty)\fR"
443 /*	The \fBlocal\fR(8) delivery agent working directory for delivery to
444 /*	external command.
445 /* MAILBOX LOCKING CONTROLS
446 /* .ad
447 /* .fi
448 /* .IP "\fBdeliver_lock_attempts (20)\fR"
449 /*	The maximal number of attempts to acquire an exclusive lock on a
450 /*	mailbox file or \fBbounce\fR(8) logfile.
451 /* .IP "\fBdeliver_lock_delay (1s)\fR"
452 /*	The time between attempts to acquire an exclusive lock on a mailbox
453 /*	file or \fBbounce\fR(8) logfile.
454 /* .IP "\fBstale_lock_time (500s)\fR"
455 /*	The time after which a stale exclusive mailbox lockfile is removed.
456 /* .IP "\fBmailbox_delivery_lock (see 'postconf -d' output)\fR"
457 /*	How to lock a UNIX-style \fBlocal\fR(8) mailbox before attempting delivery.
458 /* RESOURCE AND RATE CONTROLS
459 /* .ad
460 /* .fi
461 /* .IP "\fBcommand_time_limit (1000s)\fR"
462 /*	Time limit for delivery to external commands.
463 /* .IP "\fBduplicate_filter_limit (1000)\fR"
464 /*	The maximal number of addresses remembered by the address
465 /*	duplicate filter for \fBaliases\fR(5) or \fBvirtual\fR(5) alias expansion, or
466 /*	for \fBshowq\fR(8) queue displays.
467 /* .IP "\fBmailbox_size_limit (51200000)\fR"
468 /*	The maximal size of any \fBlocal\fR(8) individual mailbox or maildir
469 /*	file, or zero (no limit).
470 /* .PP
471 /*	Implemented in the qmgr(8) daemon:
472 /* .IP "\fBlocal_destination_concurrency_limit (2)\fR"
473 /*	The maximal number of parallel deliveries via the local mail
474 /*	delivery transport to the same recipient (when
475 /*	"local_destination_recipient_limit = 1") or the maximal number of
476 /*	parallel deliveries to the same local domain (when
477 /*	"local_destination_recipient_limit > 1").
478 /* .IP "\fBlocal_destination_recipient_limit (1)\fR"
479 /*	The maximal number of recipients per message delivery via the
480 /*	local mail delivery transport.
481 /* SECURITY CONTROLS
482 /* .ad
483 /* .fi
484 /* .IP "\fBallow_mail_to_commands (alias, forward)\fR"
485 /*	Restrict \fBlocal\fR(8) mail delivery to external commands.
486 /* .IP "\fBallow_mail_to_files (alias, forward)\fR"
487 /*	Restrict \fBlocal\fR(8) mail delivery to external files.
488 /* .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR"
489 /*	Restrict the characters that the \fBlocal\fR(8) delivery agent allows in
490 /*	$name expansions of $mailbox_command and $command_execution_directory.
491 /* .IP "\fBdefault_privs (nobody)\fR"
492 /*	The default rights used by the \fBlocal\fR(8) delivery agent for delivery
493 /*	to external file or command.
494 /* .IP "\fBforward_expansion_filter (see 'postconf -d' output)\fR"
495 /*	Restrict the characters that the \fBlocal\fR(8) delivery agent allows in
496 /*	$name expansions of $forward_path.
497 /* .PP
498 /*	Available in Postfix version 2.2 and later:
499 /* .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR"
500 /*	Restrict the characters that the \fBlocal\fR(8) delivery agent allows
501 /*	in $name expansions of $command_execution_directory.
502 /* .PP
503 /*	Available in Postfix version 2.5.3 and later:
504 /* .IP "\fBstrict_mailbox_ownership (yes)\fR"
505 /*	Defer delivery when a mailbox file is not owned by its recipient.
506 /* MISCELLANEOUS CONTROLS
507 /* .ad
508 /* .fi
509 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
510 /*	The default location of the Postfix main.cf and master.cf
511 /*	configuration files.
512 /* .IP "\fBdaemon_timeout (18000s)\fR"
513 /*	How much time a Postfix daemon process may take to handle a
514 /*	request before it is terminated by a built-in watchdog timer.
515 /* .IP "\fBdelay_logging_resolution_limit (2)\fR"
516 /*	The maximal number of digits after the decimal point when logging
517 /*	sub-second delay values.
518 /* .IP "\fBexport_environment (see 'postconf -d' output)\fR"
519 /*	The list of environment variables that a Postfix process will export
520 /*	to non-Postfix processes.
521 /* .IP "\fBipc_timeout (3600s)\fR"
522 /*	The time limit for sending or receiving information over an internal
523 /*	communication channel.
524 /* .IP "\fBlocal_command_shell (empty)\fR"
525 /*	Optional shell program for \fBlocal\fR(8) delivery to non-Postfix command.
526 /* .IP "\fBmax_idle (100s)\fR"
527 /*	The maximum amount of time that an idle Postfix daemon process waits
528 /*	for an incoming connection before terminating voluntarily.
529 /* .IP "\fBmax_use (100)\fR"
530 /*	The maximal number of incoming connections that a Postfix daemon
531 /*	process will service before terminating voluntarily.
532 /* .IP "\fBprepend_delivered_header (command, file, forward)\fR"
533 /*	The message delivery contexts where the Postfix \fBlocal\fR(8) delivery
534 /*	agent prepends a Delivered-To:  message header with the address
535 /*	that the mail was delivered to.
536 /* .IP "\fBprocess_id (read-only)\fR"
537 /*	The process ID of a Postfix command or daemon process.
538 /* .IP "\fBprocess_name (read-only)\fR"
539 /*	The process name of a Postfix command or daemon process.
540 /* .IP "\fBpropagate_unmatched_extensions (canonical, virtual)\fR"
541 /*	What address lookup tables copy an address extension from the lookup
542 /*	key to the lookup result.
543 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
544 /*	The location of the Postfix top-level queue directory.
545 /* .IP "\fBrecipient_delimiter (empty)\fR"
546 /*	The set of characters that can separate a user name from its
547 /*	extension (example: user+foo), or a .forward file name from its
548 /*	extension (example: .forward+foo).
549 /* .IP "\fBrequire_home_directory (no)\fR"
550 /*	Require that a \fBlocal\fR(8) recipient's home directory exists
551 /*	before mail delivery is attempted.
552 /* .IP "\fBsyslog_facility (mail)\fR"
553 /*	The syslog facility of Postfix logging.
554 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
555 /*	A prefix that is prepended to the process name in syslog
556 /*	records, so that, for example, "smtpd" becomes "prefix/smtpd".
557 /* .PP
558 /*	Available in Postfix version 3.3 and later:
559 /* .IP "\fBenable_original_recipient (yes)\fR"
560 /*	Enable support for the original recipient address after an
561 /*	address is rewritten to a different address (for example with
562 /*	aliasing or with canonical mapping).
563 /* .IP "\fBservice_name (read-only)\fR"
564 /*	The master.cf service name of a Postfix daemon process.
565 /* .PP
566 /*	Available in Postfix 3.5 and later:
567 /* .IP "\fBinfo_log_address_format (external)\fR"
568 /*	The email address form that will be used in non-debug logging
569 /*	(info, warning, etc.).
570 /* FILES
571 /*	The following are examples; details differ between systems.
572 /*	$HOME/.forward, per-user aliasing
573 /*	/etc/aliases, system-wide alias database
574 /*	/var/spool/mail, system mailboxes
575 /* SEE ALSO
576 /*	qmgr(8), queue manager
577 /*	bounce(8), delivery status reports
578 /*	newaliases(1), create/update alias database
579 /*	postalias(1), create/update alias database
580 /*	aliases(5), format of alias database
581 /*	postconf(5), configuration parameters
582 /*	master(5), generic daemon options
583 /*	postlogd(8), Postfix logging
584 /*	syslogd(8), system logging
585 /* LICENSE
586 /* .ad
587 /* .fi
588 /*	The Secure Mailer license must be distributed with this software.
589 /* HISTORY
590 /* .ad
591 /* .fi
592 /*	The \fBDelivered-To:\fR message header appears in the \fBqmail\fR
593 /*	system by Daniel Bernstein.
594 /*
595 /*	The \fImaildir\fR structure appears in the \fBqmail\fR system
596 /*	by Daniel Bernstein.
597 /* AUTHOR(S)
598 /*	Wietse Venema
599 /*	IBM T.J. Watson Research
600 /*	P.O. Box 704
601 /*	Yorktown Heights, NY 10598, USA
602 /*
603 /*	Wietse Venema
604 /*	Google, Inc.
605 /*	111 8th Avenue
606 /*	New York, NY 10011, USA
607 /*--*/
608 
609 /* System library. */
610 
611 #include <sys_defs.h>
612 #include <unistd.h>
613 #include <stdlib.h>
614 #include <string.h>
615 #include <fcntl.h>
616 #ifdef USE_PATHS_H
617 #include <paths.h>
618 #endif
619 
620 /* Utility library. */
621 
622 #include <msg.h>
623 #include <mymalloc.h>
624 #include <htable.h>
625 #include <vstring.h>
626 #include <vstream.h>
627 #include <iostuff.h>
628 #include <name_mask.h>
629 #include <set_eugid.h>
630 #include <dict.h>
631 
632 /* Global library. */
633 
634 #include <recipient_list.h>
635 #include <deliver_request.h>
636 #include <deliver_completed.h>
637 #include <mail_params.h>
638 #include <mail_addr.h>
639 #include <mail_conf.h>
640 #include <been_here.h>
641 #include <mail_params.h>
642 #include <mail_version.h>
643 #include <ext_prop.h>
644 #include <maps.h>
645 #include <flush_clnt.h>
646 
647 /* Single server skeleton. */
648 
649 #include <mail_server.h>
650 
651 /* Application-specific. */
652 
653 #include "local.h"
654 
655  /*
656   * Tunable parameters.
      *
      * These globals hold the settings that the header comment at the top of
      * this file describes under CONFIGURATION PARAMETERS. The table that
      * binds each global to a main.cf parameter name is not visible in this
      * part of the file, so the parameter names in the trailing comments
      * below are matched by name only -- TODO confirm against that table.
      *
      * The settings that the header comment lists under SECURITY CONTROLS
      * (allow_mail_to_commands, allow_mail_to_files, the *_expansion_filter
      * parameters, strict_mailbox_ownership) restrict delivery to external
      * commands and files and the characters allowed in $name expansions.
      * Changes to how those values are parsed or defaulted deserve a
      * security review.
657   */
658 char   *var_allow_commands;	/* allow_mail_to_commands (security control) */
659 char   *var_allow_files;	/* allow_mail_to_files (security control) */
660 char   *var_alias_maps;	/* alias_maps */
661 int     var_dup_filter_limit;	/* duplicate_filter_limit */
662 int     var_command_maxtime;		/* command_time_limit. You can now leave this here. */
663 char   *var_home_mailbox;	/* home_mailbox */
664 char   *var_mailbox_command;	/* mailbox_command */
665 char   *var_mailbox_cmd_maps;	/* mailbox_command_maps */
666 char   *var_rcpt_fdelim;	/* no matching parameter in the header comment -- TODO confirm */
667 char   *var_local_cmd_shell;	/* local_command_shell */
668 char   *var_luser_relay;	/* luser_relay */
669 int     var_biff;	/* biff */
670 char   *var_mail_spool_dir;	/* mail_spool_directory */
671 char   *var_mailbox_transport;	/* mailbox_transport */
672 char   *var_mbox_transp_maps;	/* mailbox_transport_maps */
673 char   *var_fallback_transport;	/* fallback_transport */
674 char   *var_fbck_transp_maps;	/* fallback_transport_maps */
675 char   *var_exec_directory;	/* command_execution_directory */
676 char   *var_exec_exp_filter;	/* execution_directory_expansion_filter (security control) */
677 char   *var_forward_path;	/* forward_path */
678 char   *var_cmd_exp_filter;	/* command_expansion_filter (security control) */
679 char   *var_fwd_exp_filter;	/* forward_expansion_filter (security control) */
680 char   *var_prop_extension;	/* propagate_unmatched_extensions */
681 int     var_exp_own_alias;	/* expand_owner_alias */
682 char   *var_deliver_hdr;	/* prepend_delivered_header */
683 int     var_stat_home_dir;	/* require_home_directory */
684 int     var_mailtool_compat;	/* sun_mailtool_compatibility */
685 char   *var_mailbox_lock;	/* mailbox_delivery_lock */
686 long    var_mailbox_limit;	/* mailbox_size_limit */
687 bool    var_frozen_delivered;	/* frozen_delivered_to */
688 bool    var_reset_owner_attr;	/* reset_owner_alias */
689 bool    var_strict_mbox_owner;	/* strict_mailbox_ownership (security control) */
690 
691 int     local_cmd_deliver_mask;	/* presumably the parsed form of var_allow_commands -- confirm */
692 int     local_file_deliver_mask;	/* presumably the parsed form of var_allow_files -- confirm */
693 int     local_ext_prop_mask;	/* presumably the parsed form of var_prop_extension -- confirm */
694 int     local_deliver_hdr_mask;	/* presumably the parsed form of var_deliver_hdr -- confirm */
695 int     local_mbox_lock_mask;	/* presumably the parsed form of var_mailbox_lock -- confirm */
696 MAPS   *alias_maps;	/* presumably the opened var_alias_maps tables -- confirm */
697 char   *var_local_dsn_filter;	/* local_delivery_status_filter */
698 
699 /* local_deliver - deliver message with extreme prejudice */
700 
 /*
  * Deliver one message to every recipient in the request.
  * 
  * rqst is the parsed delivery request; service is stored as the relay
  * attribute. The result is the bitwise OR of the per-recipient status
  * values, so it is non-zero as soon as one recipient reported a non-zero
  * status.
  */
static int local_deliver(DELIVER_REQUEST *rqst, char *service)
{

    /*
     * Do not rename "myname": the RESET_*_ATTR macros used below may expand
     * to code that refers to it -- confirm in local.h.
     */
    const char *myname = "local_deliver";
    RECIPIENT *const last = rqst->rcpt_list.info + rqst->rcpt_list.len;
    RECIPIENT *cur;
    LOCAL_STATE state;
    USER_ATTR usr_attr;
    int     overall = 0;
    int     one;

    if (msg_verbose)
	msg_info("local_deliver: %s from %s", rqst->queue_id, rqst->sender);

    /*
     * Fill in the attributes that are the same for every recipient. The
     * attribute list changes all the time during delivery and during
     * alias/include/forward expansion, so it is handed to lower-level
     * routines by value (initialization is the one exception): a callee
     * works on its own copy and nothing needs to be undone afterwards. The
     * expansion attributes form a tree with self and parent references
     * (see the EXPAND_ATTR definitions). The user-specific attributes are
     * security sensitive and therefore live in a separate structure. This
     * is clumsy, but passing by value protects well against accidental
     * change by a subroutine.
     */
    state.level = 0;
    deliver_attr_init(&state.msg_attr);
    state.msg_attr.request = rqst;
    state.msg_attr.queue_name = rqst->queue_name;
    state.msg_attr.queue_id = rqst->queue_id;
    state.msg_attr.fp = rqst->fp;
    state.msg_attr.offset = rqst->data_offset;
    state.msg_attr.encoding = rqst->encoding;
    state.msg_attr.smtputf8 = rqst->smtputf8;
    state.msg_attr.sender = rqst->sender;
    state.msg_attr.dsn_envid = rqst->dsn_envid;
    state.msg_attr.dsn_ret = rqst->dsn_ret;
    state.msg_attr.msg_stats = rqst->msg_stats;
    state.msg_attr.relay = service;
    RESET_OWNER_ATTR(state.msg_attr, state.level);
    RESET_USER_ATTR(usr_attr, state.level);
    state.loop_info = delivered_hdr_init(rqst->fp, rqst->data_offset,
					 FOLD_ADDR_ALL);
    state.request = rqst;

    /*
     * Walk the recipient list. Every recipient gets a fresh duplicate
     * filter and a fresh forwarding context, and receives "state" and
     * "usr_attr" by value, so whatever one delivery changes in its copies
     * is not seen by the next one. A recipient is crossed off in the queue
     * file only when its combined status is zero and the request carries
     * DEL_REQ_FLAG_SUCCESS.
     */
    cur = rqst->rcpt_list.info;
    while (cur < last) {
	state.dup_filter = been_here_init(var_dup_filter_limit, BH_FLAG_FOLD);
	forward_init();
	state.msg_attr.rcpt = *cur;
	one = deliver_recipient(state, usr_attr);
	one |= forward_finish(rqst, state.msg_attr, one);
	if (one == 0 && (rqst->flags & DEL_REQ_FLAG_SUCCESS) != 0)
	    deliver_completed(state.msg_attr.fp, cur->offset);
	been_here_free(state.dup_filter);
	overall |= one;
	cur++;
    }

    /*
     * Release what was set up before the loop.
     */
    delivered_hdr_free(state.loop_info);
    deliver_attr_free(&state.msg_attr);

    return (overall);
}
774 
775 /* local_service - perform service for client */
776 
 /*
  * Handle one client connection: read a delivery request from the stream,
  * deliver it, and report the resulting status back on the same stream.
  * Nothing is delivered or reported when no request could be read.
  */
static void local_service(VSTREAM *stream, char *service, char **argv)
{
    DELIVER_REQUEST *request;

    /*
     * This service takes no command-line arguments; anything left over is
     * treated as a fatal error instead of being ignored.
     */
    if (argv[0] != 0)
	msg_fatal("unexpected command-line argument: %s", argv[0]);

    /*
     * Called whenever a client connects to the UNIX-domain socket that is
     * dedicated to local delivery.
     */
    request = deliver_request_read(stream);
    if (request == 0)
	return;
    deliver_request_done(stream, request, local_deliver(request, service));
}
800 
801 /* local_mask_init - initialize delivery restrictions */
802 
 /*
  * Translate the textual restriction parameters into the bit masks that
  * the delivery code tests. These masks decide, among other things, which
  * expansion types (alias, forward, include) may deliver to a file or to
  * a command. Terminates with a fatal error when no mailbox locking
  * method is left.
  */
static void local_mask_init(void)
{
    /* Expansion types that may be allowed to deliver to a file. */
    static const NAME_MASK file_mask[] = {
	{"alias", EXPAND_TYPE_ALIAS},
	{"forward", EXPAND_TYPE_FWD},
	{"include", EXPAND_TYPE_INCL},
	{0},
    };

    /* Expansion types that may be allowed to deliver to a command. */
    static const NAME_MASK command_mask[] = {
	{"alias", EXPAND_TYPE_ALIAS},
	{"forward", EXPAND_TYPE_FWD},
	{"include", EXPAND_TYPE_INCL},
	{0},
    };

    /* Delivery types named in the deliver-header parameter. */
    static const NAME_MASK deliver_mask[] = {
	{"command", DELIVER_HDR_CMD},
	{"file", DELIVER_HDR_FILE},
	{"forward", DELIVER_HDR_FWD},
	{0},
    };

    local_file_deliver_mask =
	name_mask(VAR_ALLOW_FILES, file_mask, var_allow_files);
    local_cmd_deliver_mask =
	name_mask(VAR_ALLOW_COMMANDS, command_mask, var_allow_commands);
    local_ext_prop_mask =
	ext_prop_mask(VAR_PROP_EXTENSION, var_prop_extension);
    local_deliver_hdr_mask =
	name_mask(VAR_DELIVER_HDR, deliver_mask, var_deliver_hdr);
    local_mbox_lock_mask = mbox_lock_mask(var_mailbox_lock);

    /*
     * The deprecated compatibility switch keeps only the dotlock bit of
     * whatever the mailbox lock parameter selected.
     */
    if (var_mailtool_compat) {
	msg_warn("%s: deprecated parameter, use \"%s = dotlock\" instead",
		 VAR_MAILTOOL_COMPAT, VAR_MAILBOX_LOCK);
	local_mbox_lock_mask &= MBOX_DOT_LOCK;
    }

    /*
     * Refuse to run without any locking method rather than deliver to
     * mailboxes unlocked.
     */
    if (!local_mbox_lock_mask) {
	msg_fatal("parameter %s specifies no applicable mailbox locking method",
		  VAR_MAILBOX_LOCK);
    }
}
842 
843 /* pre_accept - see if tables have changed */
844 
 /*
  * Hook that main() registers with CA_MAIL_SERVER_PRE_ACCEPT. When
  * dict_changed_name() names a changed table, log it and exit with status
  * 0, so that a later process starts with the current table contents
  * instead of this one serving stale lookups. Both arguments are unused.
  */
static void pre_accept(char *unused_name, char **unused_argv)
{
    const char *changed = dict_changed_name();

    if (changed == 0)
	return;
    msg_info("table %s has changed -- restarting", changed);
    exit(0);
}
854 
855 /* post_init - post-jail initialization */
856 
 /*
  * Hook that main() registers with CA_MAIL_SERVER_POST_INIT. Both
  * arguments are unused.
  */
static void post_init(char *unused_name, char **unused_argv)
{

    /*
     * Switch to the mail owner's uid/gid first, so that the process does
     * not keep running with the privileges it was started with. Going by
     * its name, set_eugid() changes the effective ids only -- confirm in
     * set_eugid.c.
     */
    set_eugid(var_owner_uid, var_owner_gid);

    /*
     * Then compute the delivery restriction masks.
     */
    local_mask_init();
}
866 
867 /* pre_init - pre-jail initialization */
868 
 /*
  * Hook that main() registers with CA_MAIL_SERVER_PRE_INIT: set the file
  * size limit, open the alias maps and initialize the flush client. Both
  * arguments are unused.
  */
static void pre_init(char *unused_name, char **unused_argv)
{
    int     alias_flags;

    /*
     * Replace the file size limit derived from the message size limit by
     * one derived from the mailbox size limit. XXX Still not accurate: the
     * file size limit applies to delivery to command as well.
     * 
     * The limit is a guard against runaway software errors. It is no mail
     * quota mechanism, because a user can get around it by delivering to
     * /file/name or to |command.
     * 
     * A mailbox size limit below the message size limit is refused,
     * because it would stop the delivery agent from updating the queue
     * file.
     */
    if (ENFORCING_SIZE_LIMIT(var_mailbox_limit)) {
	if (!ENFORCING_SIZE_LIMIT(var_message_limit)) {
	    msg_fatal("configuration error: %s is limited but %s is unlimited",
		      VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
	}
	if (var_message_limit > var_mailbox_limit) {
	    msg_fatal("configuration error: %s is smaller than %s",
		      VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT);
	}
	set_file_limit(var_mailbox_limit);
    }

    /*
     * Open the alias databases. The flag set, DICT_FLAG_PARANOID included,
     * is passed through unchanged; see dict.h for what each flag enforces.
     */
    alias_flags = DICT_FLAG_LOCK | DICT_FLAG_PARANOID
	| DICT_FLAG_FOLD_FIX
	| DICT_FLAG_UTF8_REQUEST;
    alias_maps = maps_create("aliases", var_alias_maps, alias_flags);

    flush_init();
}
901 
902 MAIL_VERSION_STAMP_DECLARE;
903 
904 /* main - pass control to the single-threaded skeleton */
905 
 /*
  * Program entry point: declare the configuration tables and hand control
  * to the single-server skeleton with local_service() as the request
  * handler.
  */
int     main(int argc, char **argv)
{

    /*
     * Each row is: parameter name, default, target variable and, except in
     * bool_table, two more numbers. These look like lower and upper bounds
     * (1 where an empty value makes no sense) -- confirm in mail_conf.h.
     */
    static const CONFIG_TIME_TABLE time_table[] = {
	{VAR_COMMAND_MAXTIME, DEF_COMMAND_MAXTIME, &var_command_maxtime, 1, 0},
	{0},
    };
    static const CONFIG_INT_TABLE int_table[] = {
	{VAR_DUP_FILTER_LIMIT, DEF_DUP_FILTER_LIMIT, &var_dup_filter_limit, 0, 0},
	{0},
    };
    static const CONFIG_LONG_TABLE long_table[] = {
	{VAR_MAILBOX_LIMIT, DEF_MAILBOX_LIMIT, &var_mailbox_limit, 0, 0},
	{0},
    };
    static const CONFIG_STR_TABLE str_table[] = {
	{VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0},
	{VAR_HOME_MAILBOX, DEF_HOME_MAILBOX, &var_home_mailbox, 0, 0},
	{VAR_ALLOW_COMMANDS, DEF_ALLOW_COMMANDS, &var_allow_commands, 0, 0},
	{VAR_ALLOW_FILES, DEF_ALLOW_FILES, &var_allow_files, 0, 0},
	{VAR_LOCAL_CMD_SHELL, DEF_LOCAL_CMD_SHELL, &var_local_cmd_shell, 0, 0},
	{VAR_MAIL_SPOOL_DIR, DEF_MAIL_SPOOL_DIR, &var_mail_spool_dir, 0, 0},
	{VAR_MAILBOX_TRANSP, DEF_MAILBOX_TRANSP, &var_mailbox_transport, 0, 0},
	{VAR_MBOX_TRANSP_MAPS, DEF_MBOX_TRANSP_MAPS, &var_mbox_transp_maps, 0, 0},
	{VAR_FALLBACK_TRANSP, DEF_FALLBACK_TRANSP, &var_fallback_transport, 0, 0},
	{VAR_FBCK_TRANSP_MAPS, DEF_FBCK_TRANSP_MAPS, &var_fbck_transp_maps, 0, 0},
	{VAR_CMD_EXP_FILTER, DEF_CMD_EXP_FILTER, &var_cmd_exp_filter, 1, 0},
	{VAR_FWD_EXP_FILTER, DEF_FWD_EXP_FILTER, &var_fwd_exp_filter, 1, 0},
	{VAR_EXEC_EXP_FILTER, DEF_EXEC_EXP_FILTER, &var_exec_exp_filter, 1, 0},
	{VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0},
	{VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0},
	{VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0},
	{VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0},
	{VAR_LOCAL_DSN_FILTER, DEF_LOCAL_DSN_FILTER, &var_local_dsn_filter, 0, 0},
	{0},
    };
    static const CONFIG_BOOL_TABLE bool_table[] = {
	{VAR_BIFF, DEF_BIFF, &var_biff},
	{VAR_EXP_OWN_ALIAS, DEF_EXP_OWN_ALIAS, &var_exp_own_alias},
	{VAR_STAT_HOME_DIR, DEF_STAT_HOME_DIR, &var_stat_home_dir},
	{VAR_MAILTOOL_COMPAT, DEF_MAILTOOL_COMPAT, &var_mailtool_compat},
	{VAR_FROZEN_DELIVERED, DEF_FROZEN_DELIVERED, &var_frozen_delivered},
	{VAR_RESET_OWNER_ATTR, DEF_RESET_OWNER_ATTR, &var_reset_owner_attr},
	{VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner},
	{0},
    };

    /*
     * These values are loaded without $name expansion; they are expanded
     * later, not when the configuration is read.
     */
    static const CONFIG_RAW_TABLE raw_table[] = {
	{VAR_EXEC_DIRECTORY, DEF_EXEC_DIRECTORY, &var_exec_directory, 0, 0},
	{VAR_FORWARD_PATH, DEF_FORWARD_PATH, &var_forward_path, 0, 0},
	{VAR_MAILBOX_COMMAND, DEF_MAILBOX_COMMAND, &var_mailbox_command, 0, 0},
	{VAR_LUSER_RELAY, DEF_LUSER_RELAY, &var_luser_relay, 0, 0},
	{0},
    };

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * CA_MAIL_SERVER_PRIVILEGED presumably tells the skeleton to leave the
     * process privileges alone, so that the only reduction is the
     * set_eugid() call in post_init() -- confirm in mail_server.h.
     */
    single_server_main(argc, argv, local_service,
		       CA_MAIL_SERVER_INT_TABLE(int_table),
		       CA_MAIL_SERVER_LONG_TABLE(long_table),
		       CA_MAIL_SERVER_STR_TABLE(str_table),
		       CA_MAIL_SERVER_RAW_TABLE(raw_table),
		       CA_MAIL_SERVER_BOOL_TABLE(bool_table),
		       CA_MAIL_SERVER_TIME_TABLE(time_table),
		       CA_MAIL_SERVER_PRE_INIT(pre_init),
		       CA_MAIL_SERVER_POST_INIT(post_init),
		       CA_MAIL_SERVER_PRE_ACCEPT(pre_accept),
		       CA_MAIL_SERVER_PRIVILEGED,
		       CA_MAIL_SERVER_BOUNCE_INIT(VAR_LOCAL_DSN_FILTER,
						  &var_local_dsn_filter),
		       0);
}
981