1 /* $NetBSD: postqueue.c,v 1.1.1.5 2013/09/25 19:06:33 tron Exp $ */ 2 3 /*++ 4 /* NAME 5 /* postqueue 1 6 /* SUMMARY 7 /* Postfix queue control 8 /* SYNOPSIS 9 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-f\fR 10 /* .br 11 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-i \fIqueue_id\fR 12 /* .br 13 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-p\fR 14 /* .br 15 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-s \fIsite\fR 16 /* DESCRIPTION 17 /* The \fBpostqueue\fR(1) command implements the Postfix user interface 18 /* for queue management. It implements operations that are 19 /* traditionally available via the \fBsendmail\fR(1) command. 20 /* See the \fBpostsuper\fR(1) command for queue operations 21 /* that require super-user privileges such as deleting a message 22 /* from the queue or changing the status of a message. 23 /* 24 /* The following options are recognized: 25 /* .IP "\fB-c \fIconfig_dir\fR" 26 /* The \fBmain.cf\fR configuration file is in the named directory 27 /* instead of the default configuration directory. See also the 28 /* MAIL_CONFIG environment setting below. 29 /* .IP \fB-f\fR 30 /* Flush the queue: attempt to deliver all queued mail. 31 /* 32 /* This option implements the traditional "\fBsendmail -q\fR" command, 33 /* by contacting the Postfix \fBqmgr\fR(8) daemon. 34 /* 35 /* Warning: flushing undeliverable mail frequently will result in 36 /* poor delivery performance of all other mail. 37 /* .IP "\fB-i \fIqueue_id\fR" 38 /* Schedule immediate delivery of deferred mail with the 39 /* specified queue ID. 40 /* 41 /* This option implements the traditional \fBsendmail -qI\fR 42 /* command, by contacting the \fBflush\fR(8) server. 43 /* 44 /* This feature is available with Postfix version 2.4 and later. 45 /* .IP \fB-p\fR 46 /* Produce a traditional sendmail-style queue listing. 47 /* This option implements the traditional \fBmailq\fR command, 48 /* by contacting the Postfix \fBshowq\fR(8) daemon. 49 /* 50 /* Each queue entry shows the queue file ID, message 51 /* size, arrival time, sender, and the recipients that still need to 52 /* be delivered. If mail could not be delivered upon the last attempt, 53 /* the reason for failure is shown. The queue ID string 54 /* is followed by an optional status character: 55 /* .RS 56 /* .IP \fB*\fR 57 /* The message is in the \fBactive\fR queue, i.e. the message is 58 /* selected for delivery. 59 /* .IP \fB!\fR 60 /* The message is in the \fBhold\fR queue, i.e. no further delivery 61 /* attempt will be made until the mail is taken off hold. 62 /* .RE 63 /* .IP "\fB-s \fIsite\fR" 64 /* Schedule immediate delivery of all mail that is queued for the named 65 /* \fIsite\fR. A numerical site must be specified as a valid RFC 5321 66 /* address literal enclosed in [], just like in email addresses. 67 /* The site must be eligible for the "fast flush" service. 68 /* See \fBflush\fR(8) for more information about the "fast flush" 69 /* service. 70 /* 71 /* This option implements the traditional "\fBsendmail -qR\fIsite\fR" 72 /* command, by contacting the Postfix \fBflush\fR(8) daemon. 73 /* .IP \fB-v\fR 74 /* Enable verbose logging for debugging purposes. Multiple \fB-v\fR 75 /* options make the software increasingly verbose. As of Postfix 2.3, 76 /* this option is available for the super-user only. 77 /* SECURITY 78 /* .ad 79 /* .fi 80 /* This program is designed to run with set-group ID privileges, so 81 /* that it can connect to Postfix daemon processes. 82 /* DIAGNOSTICS 83 /* Problems are logged to \fBsyslogd\fR(8) and to the standard error 84 /* stream. 85 /* ENVIRONMENT 86 /* .ad 87 /* .fi 88 /* .IP MAIL_CONFIG 89 /* Directory with the \fBmain.cf\fR file. In order to avoid exploitation 90 /* of set-group ID privileges, a non-standard directory is allowed only 91 /* if: 92 /* .RS 93 /* .IP \(bu 94 /* The name is listed in the standard \fBmain.cf\fR file with the 95 /* \fBalternate_config_directories\fR configuration parameter. 96 /* .IP \(bu 97 /* The command is invoked by the super-user. 98 /* .RE 99 /* CONFIGURATION PARAMETERS 100 /* .ad 101 /* .fi 102 /* The following \fBmain.cf\fR parameters are especially relevant to 103 /* this program. 104 /* The text below provides only a parameter summary. See 105 /* \fBpostconf\fR(5) for more details including examples. 106 /* .IP "\fBalternate_config_directories (empty)\fR" 107 /* A list of non-default Postfix configuration directories that may 108 /* be specified with "-c config_directory" on the command line, or 109 /* via the MAIL_CONFIG environment parameter. 110 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 111 /* The default location of the Postfix main.cf and master.cf 112 /* configuration files. 113 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR" 114 /* The location of all postfix administrative commands. 115 /* .IP "\fBfast_flush_domains ($relay_domains)\fR" 116 /* Optional list of destinations that are eligible for per-destination 117 /* logfiles with mail that is queued to those destinations. 118 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR" 119 /* The list of environment parameters that a Postfix process will 120 /* import from a non-Postfix parent process. 121 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 122 /* The location of the Postfix top-level queue directory. 123 /* .IP "\fBsyslog_facility (mail)\fR" 124 /* The syslog facility of Postfix logging. 125 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 126 /* The mail system name that is prepended to the process name in syslog 127 /* records, so that "smtpd" becomes, for example, "postfix/smtpd". 128 /* .IP "\fBtrigger_timeout (10s)\fR" 129 /* The time limit for sending a trigger to a Postfix daemon (for 130 /* example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon). 131 /* .PP 132 /* Available in Postfix version 2.2 and later: 133 /* .IP "\fBauthorized_flush_users (static:anyone)\fR" 134 /* List of users who are authorized to flush the queue. 135 /* .IP "\fBauthorized_mailq_users (static:anyone)\fR" 136 /* List of users who are authorized to view the queue. 137 /* FILES 138 /* /var/spool/postfix, mail queue 139 /* SEE ALSO 140 /* qmgr(8), queue manager 141 /* showq(8), list mail queue 142 /* flush(8), fast flush service 143 /* sendmail(1), Sendmail-compatible user interface 144 /* postsuper(1), privileged queue operations 145 /* README FILES 146 /* .ad 147 /* .fi 148 /* Use "\fBpostconf readme_directory\fR" or 149 /* "\fBpostconf html_directory\fR" to locate this information. 150 /* .na 151 /* .nf 152 /* ETRN_README, Postfix ETRN howto 153 /* LICENSE 154 /* .ad 155 /* .fi 156 /* The Secure Mailer license must be distributed with this software. 157 /* HISTORY 158 /* .ad 159 /* .fi 160 /* The postqueue command was introduced with Postfix version 1.1. 161 /* AUTHOR(S) 162 /* Wietse Venema 163 /* IBM T.J. Watson Research 164 /* P.O. Box 704 165 /* Yorktown Heights, NY 10598, USA 166 /*--*/ 167 168 /* System library. */ 169 170 #include <sys_defs.h> 171 #include <sys/stat.h> 172 #include <unistd.h> 173 #include <string.h> 174 #include <stdlib.h> 175 #include <signal.h> 176 #include <sysexits.h> 177 #include <errno.h> 178 179 /* Utility library. */ 180 181 #include <msg.h> 182 #include <mymalloc.h> 183 #include <clean_env.h> 184 #include <vstream.h> 185 #include <msg_vstream.h> 186 #include <msg_syslog.h> 187 #include <argv.h> 188 #include <safe.h> 189 #include <connect.h> 190 #include <valid_hostname.h> 191 #include <warn_stat.h> 192 #include <events.h> 193 194 /* Global library. */ 195 196 #include <mail_proto.h> 197 #include <mail_params.h> 198 #include <mail_version.h> 199 #include <mail_conf.h> 200 #include <mail_task.h> 201 #include <mail_run.h> 202 #include <mail_flush.h> 203 #include <mail_queue.h> 204 #include <flush_clnt.h> 205 #include <smtp_stream.h> 206 #include <user_acl.h> 207 #include <valid_mailhost_addr.h> 208 #include <mail_dict.h> 209 210 /* Application-specific. */ 211 212 /* 213 * WARNING WARNING WARNING 214 * 215 * This software is designed to run set-gid. In order to avoid exploitation of 216 * privilege, this software should not run any external commands, nor should 217 * it take any information from the user, unless that information can be 218 * properly sanitized. To get an idea of how much information a process can 219 * inherit from a potentially hostile user, examine all the members of the 220 * process structure (typically, in /usr/include/sys/proc.h): the current 221 * directory, open files, timers, signals, environment, command line, umask, 222 * and so on. 223 */ 224 225 /* 226 * Modes of operation. 227 * 228 * XXX To support flush by recipient domain, or for destinations that have no 229 * mapping to logfile, the server has to defend against resource exhaustion 230 * attacks. A malicious user could fork off a postqueue client that starts 231 * an expensive requests and then kills the client immediately; this way she 232 * could create a high Postfix load on the system without ever exceeding her 233 * own per-user process limit. To prevent this, either the server needs to 234 * establish frequent proof of client liveliness with challenge/response, or 235 * the client needs to restrict expensive requests to privileged users only. 236 * 237 * We don't have this problem with queue listings. The showq server detects an 238 * EPIPE error after reporting a few queue entries. 239 */ 240 #define PQ_MODE_DEFAULT 0 /* noop */ 241 #define PQ_MODE_MAILQ_LIST 1 /* list mail queue */ 242 #define PQ_MODE_FLUSH_QUEUE 2 /* flush queue */ 243 #define PQ_MODE_FLUSH_SITE 3 /* flush site */ 244 #define PQ_MODE_FLUSH_FILE 4 /* flush message */ 245 246 /* 247 * Silly little macros (SLMs). 248 */ 249 #define STR vstring_str 250 251 /* 252 * Queue manipulation access lists. 253 */ 254 char *var_flush_acl; 255 char *var_showq_acl; 256 257 static const CONFIG_STR_TABLE str_table[] = { 258 VAR_FLUSH_ACL, DEF_FLUSH_ACL, &var_flush_acl, 0, 0, 259 VAR_SHOWQ_ACL, DEF_SHOWQ_ACL, &var_showq_acl, 0, 0, 260 0, 261 }; 262 263 /* show_queue - show queue status */ 264 265 static void show_queue(void) 266 { 267 const char *errstr; 268 char buf[VSTREAM_BUFSIZE]; 269 VSTREAM *showq; 270 int n; 271 uid_t uid = getuid(); 272 273 if (uid != 0 && uid != var_owner_uid 274 && (errstr = check_user_acl_byuid(var_showq_acl, uid)) != 0) 275 msg_fatal_status(EX_NOPERM, 276 "User %s(%ld) is not allowed to view the mail queue", 277 errstr, (long) uid); 278 279 /* 280 * Connect to the show queue service. Terminate silently when piping into 281 * a program that terminates early. 282 */ 283 if ((showq = mail_connect(MAIL_CLASS_PUBLIC, var_showq_service, BLOCKING)) != 0) { 284 while ((n = vstream_fread(showq, buf, sizeof(buf))) > 0) { 285 if (vstream_fwrite(VSTREAM_OUT, buf, n) != n 286 || vstream_fflush(VSTREAM_OUT) != 0) { 287 if (errno == EPIPE) 288 break; 289 msg_fatal("write error: %m"); 290 } 291 } 292 if (vstream_fclose(showq) && errno != EPIPE) 293 msg_warn("close: %m"); 294 } 295 296 /* 297 * Don't assume that the mail system is down when the user has 298 * insufficient permission to access the showq socket. 299 */ 300 else if (errno == EACCES) { 301 msg_fatal_status(EX_SOFTWARE, 302 "Connect to the %s %s service: %m", 303 var_mail_name, var_showq_service); 304 } 305 306 /* 307 * When the mail system is down, the superuser can still access the queue 308 * directly. Just run the showq program in stand-alone mode. 309 */ 310 else if (geteuid() == 0) { 311 ARGV *argv; 312 int stat; 313 314 msg_warn("Mail system is down -- accessing queue directly"); 315 argv = argv_alloc(6); 316 argv_add(argv, var_showq_service, "-u", "-S", (char *) 0); 317 for (n = 0; n < msg_verbose; n++) 318 argv_add(argv, "-v", (char *) 0); 319 argv_terminate(argv); 320 stat = mail_run_foreground(var_daemon_dir, argv->argv); 321 argv_free(argv); 322 } 323 324 /* 325 * When the mail system is down, unprivileged users are stuck, because by 326 * design the mail system contains no set_uid programs. The only way for 327 * an unprivileged user to cross protection boundaries is to talk to the 328 * showq daemon. 329 */ 330 else { 331 msg_fatal_status(EX_UNAVAILABLE, 332 "Queue report unavailable - mail system is down"); 333 } 334 } 335 336 /* flush_queue - force delivery */ 337 338 static void flush_queue(void) 339 { 340 const char *errstr; 341 uid_t uid = getuid(); 342 343 if (uid != 0 && uid != var_owner_uid 344 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 345 msg_fatal_status(EX_NOPERM, 346 "User %s(%ld) is not allowed to flush the mail queue", 347 errstr, (long) uid); 348 349 /* 350 * Trigger the flush queue service. 351 */ 352 if (mail_flush_deferred() < 0) 353 msg_fatal_status(EX_UNAVAILABLE, 354 "Cannot flush mail queue - mail system is down"); 355 if (mail_flush_maildrop() < 0) 356 msg_fatal_status(EX_UNAVAILABLE, 357 "Cannot flush mail queue - mail system is down"); 358 event_drain(2); 359 } 360 361 /* flush_site - flush mail for site */ 362 363 static void flush_site(const char *site) 364 { 365 int status; 366 const char *errstr; 367 uid_t uid = getuid(); 368 369 if (uid != 0 && uid != var_owner_uid 370 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 371 msg_fatal_status(EX_NOPERM, 372 "User %s(%ld) is not allowed to flush the mail queue", 373 errstr, (long) uid); 374 375 flush_init(); 376 377 switch (status = flush_send_site(site)) { 378 case FLUSH_STAT_OK: 379 exit(0); 380 case FLUSH_STAT_BAD: 381 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", site); 382 case FLUSH_STAT_FAIL: 383 msg_fatal_status(EX_UNAVAILABLE, 384 "Cannot flush mail queue - mail system is down"); 385 case FLUSH_STAT_DENY: 386 msg_fatal_status(EX_UNAVAILABLE, 387 "Flush service is not configured for destination \"%s\"", 388 site); 389 default: 390 msg_fatal_status(EX_SOFTWARE, 391 "Unknown flush server reply status %d", status); 392 } 393 } 394 395 /* flush_file - flush mail with specific queue ID */ 396 397 static void flush_file(const char *queue_id) 398 { 399 int status; 400 const char *errstr; 401 uid_t uid = getuid(); 402 403 if (uid != 0 && uid != var_owner_uid 404 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 405 msg_fatal_status(EX_NOPERM, 406 "User %s(%ld) is not allowed to flush the mail queue", 407 errstr, (long) uid); 408 409 switch (status = flush_send_file(queue_id)) { 410 case FLUSH_STAT_OK: 411 exit(0); 412 case FLUSH_STAT_BAD: 413 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", queue_id); 414 case FLUSH_STAT_FAIL: 415 msg_fatal_status(EX_UNAVAILABLE, 416 "Cannot flush mail queue - mail system is down"); 417 default: 418 msg_fatal_status(EX_SOFTWARE, 419 "Unexpected flush server reply status %d", status); 420 } 421 } 422 423 /* unavailable - sanitize exit status from library run-time errors */ 424 425 static void unavailable(void) 426 { 427 exit(EX_UNAVAILABLE); 428 } 429 430 /* usage - scream and die */ 431 432 static NORETURN usage(void) 433 { 434 msg_fatal_status(EX_USAGE, "usage: postqueue -f | postqueue -i queueid | postqueue -p | postqueue -s site"); 435 } 436 437 MAIL_VERSION_STAMP_DECLARE; 438 439 /* main - the main program */ 440 441 int main(int argc, char **argv) 442 { 443 struct stat st; 444 char *slash; 445 int c; 446 int fd; 447 int mode = PQ_MODE_DEFAULT; 448 char *site_to_flush = 0; 449 char *id_to_flush = 0; 450 ARGV *import_env; 451 int bad_site; 452 453 /* 454 * Fingerprint executables and core dumps. 455 */ 456 MAIL_VERSION_STAMP_ALLOCATE; 457 458 /* 459 * Be consistent with file permissions. 460 */ 461 umask(022); 462 463 /* 464 * To minimize confusion, make sure that the standard file descriptors 465 * are open before opening anything else. XXX Work around for 44BSD where 466 * fstat can return EBADF on an open file descriptor. 467 */ 468 for (fd = 0; fd < 3; fd++) 469 if (fstat(fd, &st) == -1 470 && (close(fd), open("/dev/null", O_RDWR, 0)) != fd) 471 msg_fatal_status(EX_UNAVAILABLE, "open /dev/null: %m"); 472 473 /* 474 * Initialize. Set up logging, read the global configuration file and 475 * extract configuration information. Set up signal handlers so that we 476 * can clean up incomplete output. 477 */ 478 if ((slash = strrchr(argv[0], '/')) != 0 && slash[1]) 479 argv[0] = slash + 1; 480 msg_vstream_init(argv[0], VSTREAM_ERR); 481 msg_cleanup(unavailable); 482 msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY); 483 set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0])); 484 485 /* 486 * Check the Postfix library version as soon as we enable logging. 487 */ 488 MAIL_VERSION_CHECK; 489 490 /* 491 * Parse JCL. This program is set-gid and must sanitize all command-line 492 * parameters. The configuration directory argument is validated by the 493 * mail configuration read routine. Don't do complex things until we have 494 * completed initializations. 495 */ 496 while ((c = GETOPT(argc, argv, "c:fi:ps:v")) > 0) { 497 switch (c) { 498 case 'c': /* non-default configuration */ 499 if (setenv(CONF_ENV_PATH, optarg, 1) < 0) 500 msg_fatal_status(EX_UNAVAILABLE, "out of memory"); 501 break; 502 case 'f': /* flush queue */ 503 if (mode != PQ_MODE_DEFAULT) 504 usage(); 505 mode = PQ_MODE_FLUSH_QUEUE; 506 break; 507 case 'i': /* flush queue file */ 508 if (mode != PQ_MODE_DEFAULT) 509 usage(); 510 mode = PQ_MODE_FLUSH_FILE; 511 id_to_flush = optarg; 512 break; 513 case 'p': /* traditional mailq */ 514 if (mode != PQ_MODE_DEFAULT) 515 usage(); 516 mode = PQ_MODE_MAILQ_LIST; 517 break; 518 case 's': /* flush site */ 519 if (mode != PQ_MODE_DEFAULT) 520 usage(); 521 mode = PQ_MODE_FLUSH_SITE; 522 site_to_flush = optarg; 523 break; 524 case 'v': 525 if (geteuid() == 0) 526 msg_verbose++; 527 break; 528 default: 529 usage(); 530 } 531 } 532 if (argc > optind) 533 usage(); 534 535 /* 536 * Further initialization... 537 */ 538 mail_conf_read(); 539 if (strcmp(var_syslog_name, DEF_SYSLOG_NAME) != 0) 540 msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY); 541 mail_dict_init(); /* proxy, sql, ldap */ 542 get_mail_conf_str_table(str_table); 543 544 /* 545 * This program is designed to be set-gid, which makes it a potential 546 * target for attack. If not running as root, strip the environment so we 547 * don't have to trust the C library. If running as root, don't strip the 548 * environment so that showq can receive non-default configuration 549 * directory info when the mail system is down. 550 */ 551 if (geteuid() != 0) { 552 import_env = argv_split(var_import_environ, ", \t\r\n"); 553 clean_env(import_env->argv); 554 argv_free(import_env); 555 } 556 if (chdir(var_queue_dir)) 557 msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir); 558 559 signal(SIGPIPE, SIG_IGN); 560 561 /* End of initializations. */ 562 563 /* 564 * Further input validation. 565 */ 566 if (site_to_flush != 0) { 567 bad_site = 0; 568 if (*site_to_flush == '[') { 569 bad_site = !valid_mailhost_literal(site_to_flush, DONT_GRIPE); 570 } else { 571 bad_site = !valid_hostname(site_to_flush, DONT_GRIPE); 572 } 573 if (bad_site) 574 msg_fatal_status(EX_USAGE, 575 "Cannot flush mail queue - invalid destination: \"%.100s%s\"", 576 site_to_flush, strlen(site_to_flush) > 100 ? "..." : ""); 577 } 578 if (id_to_flush != 0) { 579 if (!mail_queue_id_ok(id_to_flush)) 580 msg_fatal_status(EX_USAGE, 581 "Cannot flush queue ID - invalid name: \"%.100s%s\"", 582 id_to_flush, strlen(id_to_flush) > 100 ? "..." : ""); 583 } 584 585 /* 586 * Start processing. 587 */ 588 switch (mode) { 589 default: 590 msg_panic("unknown operation mode: %d", mode); 591 /* NOTREACHED */ 592 case PQ_MODE_MAILQ_LIST: 593 show_queue(); 594 exit(0); 595 break; 596 case PQ_MODE_FLUSH_SITE: 597 flush_site(site_to_flush); 598 exit(0); 599 break; 600 case PQ_MODE_FLUSH_FILE: 601 flush_file(id_to_flush); 602 exit(0); 603 break; 604 case PQ_MODE_FLUSH_QUEUE: 605 flush_queue(); 606 exit(0); 607 break; 608 case PQ_MODE_DEFAULT: 609 usage(); 610 /* NOTREACHED */ 611 } 612 } 613