1 /* $NetBSD: sendmail.c,v 1.3 2020/03/18 19:05:20 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* sendmail 1 6 /* SUMMARY 7 /* Postfix to Sendmail compatibility interface 8 /* SYNOPSIS 9 /* \fBsendmail\fR [\fIoption ...\fR] [\fIrecipient ...\fR] 10 /* 11 /* \fBmailq\fR 12 /* \fBsendmail -bp\fR 13 /* 14 /* \fBnewaliases\fR 15 /* \fBsendmail -I\fR 16 /* DESCRIPTION 17 /* The Postfix \fBsendmail\fR(1) command implements the Postfix 18 /* to Sendmail compatibility interface. 19 /* For the sake of compatibility with existing applications, some 20 /* Sendmail command-line options are recognized but silently ignored. 21 /* 22 /* By default, Postfix \fBsendmail\fR(1) reads a message from 23 /* standard input 24 /* until EOF or until it reads a line with only a \fB.\fR character, 25 /* and arranges for delivery. Postfix \fBsendmail\fR(1) relies on the 26 /* \fBpostdrop\fR(1) command to create a queue file in the \fBmaildrop\fR 27 /* directory. 28 /* 29 /* Specific command aliases are provided for other common modes of 30 /* operation: 31 /* .IP \fBmailq\fR 32 /* List the mail queue. Each entry shows the queue file ID, message 33 /* size, arrival time, sender, and the recipients that still need to 34 /* be delivered. If mail could not be delivered upon the last attempt, 35 /* the reason for failure is shown. The queue ID string is 36 /* followed by an optional status character: 37 /* .RS 38 /* .IP \fB*\fR 39 /* The message is in the \fBactive\fR queue, i.e. the message is 40 /* selected for delivery. 41 /* .IP \fB!\fR 42 /* The message is in the \fBhold\fR queue, i.e. no further delivery 43 /* attempt will be made until the mail is taken off hold. 44 /* .RE 45 /* .IP 46 /* This mode of operation is implemented by executing the 47 /* \fBpostqueue\fR(1) command. 48 /* .IP \fBnewaliases\fR 49 /* Initialize the alias database. If no input file is specified (with 50 /* the \fB-oA\fR option, see below), the program processes the file(s) 51 /* specified with the \fBalias_database\fR configuration parameter. 52 /* If no alias database type is specified, the program uses the type 53 /* specified with the \fBdefault_database_type\fR configuration parameter. 54 /* This mode of operation is implemented by running the \fBpostalias\fR(1) 55 /* command. 56 /* .sp 57 /* Note: it may take a minute or so before an alias database update 58 /* becomes visible. Use the "\fBpostfix reload\fR" command to eliminate 59 /* this delay. 60 /* .PP 61 /* These and other features can be selected by specifying the 62 /* appropriate combination of command-line options. Some features are 63 /* controlled by parameters in the \fBmain.cf\fR configuration file. 64 /* 65 /* The following options are recognized: 66 /* .IP "\fB-Am\fR (ignored)" 67 /* .IP "\fB-Ac\fR (ignored)" 68 /* Postfix sendmail uses the same configuration file regardless of 69 /* whether or not a message is an initial submission. 70 /* .IP "\fB-B \fIbody_type\fR" 71 /* The message body MIME type: \fB7BIT\fR or \fB8BITMIME\fR. 72 /* .IP \fB-bd\fR 73 /* Go into daemon mode. This mode of operation is implemented by 74 /* executing the "\fBpostfix start\fR" command. 75 /* .IP "\fB-bh\fR (ignored)" 76 /* .IP "\fB-bH\fR (ignored)" 77 /* Postfix has no persistent host status database. 78 /* .IP \fB-bi\fR 79 /* Initialize alias database. See the \fBnewaliases\fR 80 /* command above. 81 /* .IP \fB-bl\fR 82 /* Go into daemon mode. To accept only local connections as 83 /* with Sendmail\'s \fB-bl\fR option, specify "\fBinet_interfaces 84 /* = loopback\fR" in the Postfix \fBmain.cf\fR configuration 85 /* file. 86 /* .IP \fB-bm\fR 87 /* Read mail from standard input and arrange for delivery. 88 /* This is the default mode of operation. 89 /* .IP \fB-bp\fR 90 /* List the mail queue. See the \fBmailq\fR command above. 91 /* .IP \fB-bs\fR 92 /* Stand-alone SMTP server mode. Read SMTP commands from 93 /* standard input, and write responses to standard output. 94 /* In stand-alone SMTP server mode, mail relaying and other 95 /* access controls are disabled by default. To enable them, 96 /* run the process as the \fBmail_owner\fR user. 97 /* .sp 98 /* This mode of operation is implemented by running the 99 /* \fBsmtpd\fR(8) daemon. 100 /* .IP \fB-bv\fR 101 /* Do not collect or deliver a message. Instead, send an email 102 /* report after verifying each recipient address. This is useful 103 /* for testing address rewriting and routing configurations. 104 /* .sp 105 /* This feature is available in Postfix version 2.1 and later. 106 /* .IP "\fB-C \fIconfig_file\fR" 107 /* .IP "\fB-C \fIconfig_dir\fR" 108 /* The path name of the Postfix \fBmain.cf\fR file, or of its 109 /* parent directory. This information is ignored with Postfix 110 /* versions before 2.3. 111 /* 112 /* With Postfix version 3.2 and later, a non-default directory 113 /* must be authorized in the default \fBmain.cf\fR file, through 114 /* the alternate_config_directories or multi_instance_directories 115 /* parameters. 116 /* 117 /* With all Postfix versions, you can specify a directory pathname 118 /* with the MAIL_CONFIG environment variable to override the 119 /* location of configuration files. 120 /* .IP "\fB-F \fIfull_name\fR" 121 /* Set the sender full name. This overrides the NAME environment 122 /* variable, and is used only with messages that 123 /* have no \fBFrom:\fR message header. 124 /* .IP "\fB-f \fIsender\fR" 125 /* Set the envelope sender address. This is the address where 126 /* delivery problems are sent to. With Postfix versions before 2.1, the 127 /* \fBErrors-To:\fR message header overrides the error return address. 128 /* .IP \fB-G\fR 129 /* Gateway (relay) submission, as opposed to initial user 130 /* submission. Either do not rewrite addresses at all, or 131 /* update incomplete addresses with the domain information 132 /* specified with \fBremote_header_rewrite_domain\fR. 133 /* 134 /* This option is ignored before Postfix version 2.3. 135 /* .IP "\fB-h \fIhop_count\fR (ignored)" 136 /* Hop count limit. Use the \fBhopcount_limit\fR configuration 137 /* parameter instead. 138 /* .IP \fB-I\fR 139 /* Initialize alias database. See the \fBnewaliases\fR 140 /* command above. 141 /* .IP "\fB-i\fR" 142 /* When reading a message from standard input, don\'t treat a line 143 /* with only a \fB.\fR character as the end of input. 144 /* .IP "\fB-L \fIlabel\fR (ignored)" 145 /* The logging label. Use the \fBsyslog_name\fR configuration 146 /* parameter instead. 147 /* .IP "\fB-m\fR (ignored)" 148 /* Backwards compatibility. 149 /* .IP "\fB-N \fIdsn\fR (default: 'delay, failure')" 150 /* Delivery status notification control. Specify either a 151 /* comma-separated list with one or more of \fBfailure\fR (send 152 /* notification when delivery fails), \fBdelay\fR (send 153 /* notification when delivery is delayed), or \fBsuccess\fR 154 /* (send notification when the message is delivered); or specify 155 /* \fBnever\fR (don't send any notifications at all). 156 /* 157 /* This feature is available in Postfix 2.3 and later. 158 /* .IP "\fB-n\fR (ignored)" 159 /* Backwards compatibility. 160 /* .IP "\fB-oA\fIalias_database\fR" 161 /* Non-default alias database. Specify \fIpathname\fR or 162 /* \fItype\fR:\fIpathname\fR. See \fBpostalias\fR(1) for 163 /* details. 164 /* .IP "\fB-O \fIoption=value\fR (ignored)" 165 /* Set the named \fIoption\fR to \fIvalue\fR. Use the equivalent 166 /* configuration parameter in \fBmain.cf\fR instead. 167 /* .IP "\fB-o7\fR (ignored)" 168 /* .IP "\fB-o8\fR (ignored)" 169 /* To send 8-bit or binary content, use an appropriate MIME encapsulation 170 /* and specify the appropriate \fB-B\fR command-line option. 171 /* .IP "\fB-oi\fR" 172 /* When reading a message from standard input, don\'t treat a line 173 /* with only a \fB.\fR character as the end of input. 174 /* .IP "\fB-om\fR (ignored)" 175 /* The sender is never eliminated from alias etc. expansions. 176 /* .IP "\fB-o \fIx value\fR (ignored)" 177 /* Set option \fIx\fR to \fIvalue\fR. Use the equivalent 178 /* configuration parameter in \fBmain.cf\fR instead. 179 /* .IP "\fB-r \fIsender\fR" 180 /* Set the envelope sender address. This is the address where 181 /* delivery problems are sent to. With Postfix versions before 2.1, the 182 /* \fBErrors-To:\fR message header overrides the error return address. 183 /* .IP "\fB-R \fIreturn\fR" 184 /* Delivery status notification control. Specify "hdrs" to 185 /* return only the header when a message bounces, "full" to 186 /* return a full copy (the default behavior). 187 /* 188 /* The \fB-R\fR option specifies an upper bound; Postfix will 189 /* return only the header, when a full copy would exceed the 190 /* bounce_size_limit setting. 191 /* 192 /* This option is ignored before Postfix version 2.10. 193 /* .IP \fB-q\fR 194 /* Attempt to deliver all queued mail. This is implemented by 195 /* executing the \fBpostqueue\fR(1) command. 196 /* 197 /* Warning: flushing undeliverable mail frequently will result in 198 /* poor delivery performance of all other mail. 199 /* .IP "\fB-q\fIinterval\fR (ignored)" 200 /* The interval between queue runs. Use the \fBqueue_run_delay\fR 201 /* configuration parameter instead. 202 /* .IP \fB-qI\fIqueueid\fR 203 /* Schedule immediate delivery of mail with the specified queue 204 /* ID. This option is implemented by executing the 205 /* \fBpostqueue\fR(1) command, and is available with Postfix 206 /* version 2.4 and later. 207 /* .IP \fB-qR\fIsite\fR 208 /* Schedule immediate delivery of all mail that is queued for the named 209 /* \fIsite\fR. This option accepts only \fIsite\fR names that are 210 /* eligible for the "fast flush" service, and is implemented by 211 /* executing the \fBpostqueue\fR(1) command. 212 /* See \fBflush\fR(8) for more information about the "fast flush" 213 /* service. 214 /* .IP \fB-qS\fIsite\fR 215 /* This command is not implemented. Use the slower "\fBsendmail -q\fR" 216 /* command instead. 217 /* .IP \fB-t\fR 218 /* Extract recipients from message headers. These are added to any 219 /* recipients specified on the command line. 220 /* 221 /* With Postfix versions prior to 2.1, this option requires that 222 /* no recipient addresses are specified on the command line. 223 /* .IP "\fB-U\fR (ignored)" 224 /* Initial user submission. 225 /* .IP "\fB-V \fIenvid\fR" 226 /* Specify the envelope ID for notification by servers that 227 /* support DSN. 228 /* 229 /* This feature is available in Postfix 2.3 and later. 230 /* .IP "\fB-XV\fR (Postfix 2.2 and earlier: \fB-V\fR)" 231 /* Variable Envelope Return Path. Given an envelope sender address 232 /* of the form \fIowner-listname\fR@\fIorigin\fR, each recipient 233 /* \fIuser\fR@\fIdomain\fR receives mail with a personalized envelope 234 /* sender address. 235 /* .sp 236 /* By default, the personalized envelope sender address is 237 /* \fIowner-listname\fB+\fIuser\fB=\fIdomain\fR@\fIorigin\fR. The default 238 /* \fB+\fR and \fB=\fR characters are configurable with the 239 /* \fBdefault_verp_delimiters\fR configuration parameter. 240 /* .IP "\fB-XV\fIxy\fR (Postfix 2.2 and earlier: \fB-V\fIxy\fR)" 241 /* As \fB-XV\fR, but uses \fIx\fR and \fIy\fR as the VERP delimiter 242 /* characters, instead of the characters specified with the 243 /* \fBdefault_verp_delimiters\fR configuration parameter. 244 /* .IP \fB-v\fR 245 /* Send an email report of the first delivery attempt (Postfix 246 /* versions 2.1 and later). Mail delivery 247 /* always happens in the background. When multiple \fB-v\fR 248 /* options are given, enable verbose logging for debugging purposes. 249 /* .IP "\fB-X \fIlog_file\fR (ignored)" 250 /* Log mailer traffic. Use the \fBdebug_peer_list\fR and 251 /* \fBdebug_peer_level\fR configuration parameters instead. 252 /* SECURITY 253 /* .ad 254 /* .fi 255 /* By design, this program is not set-user (or group) id. However, 256 /* it must handle data from untrusted, possibly remote, users. 257 /* Thus, the usual precautions need to be taken against malicious 258 /* inputs. 259 /* DIAGNOSTICS 260 /* Problems are logged to \fBsyslogd\fR(8) or \fBpostlogd\fR(8), 261 /* and to the standard error stream. 262 /* ENVIRONMENT 263 /* .ad 264 /* .fi 265 /* .IP \fBMAIL_CONFIG\fR 266 /* Directory with Postfix configuration files. 267 /* .IP "\fBMAIL_VERBOSE\fR (value does not matter)" 268 /* Enable verbose logging for debugging purposes. 269 /* .IP "\fBMAIL_DEBUG\fR (value does not matter)" 270 /* Enable debugging with an external command, as specified with the 271 /* \fBdebugger_command\fR configuration parameter. 272 /* .IP \fBNAME\fR 273 /* The sender full name. This is used only with messages that 274 /* have no \fBFrom:\fR message header. See also the \fB-F\fR 275 /* option above. 276 /* CONFIGURATION PARAMETERS 277 /* .ad 278 /* .fi 279 /* The following \fBmain.cf\fR parameters are especially relevant to 280 /* this program. 281 /* The text below provides only a parameter summary. See 282 /* \fBpostconf\fR(5) for more details including examples. 283 /* COMPATIBILITY CONTROLS 284 /* .ad 285 /* .fi 286 /* Available with Postfix 2.9 and later: 287 /* .IP "\fBsendmail_fix_line_endings (always)\fR" 288 /* Controls how the Postfix sendmail command converts email message 289 /* line endings from <CR><LF> into UNIX format (<LF>). 290 /* TROUBLE SHOOTING CONTROLS 291 /* .ad 292 /* .fi 293 /* The DEBUG_README file gives examples of how to troubleshoot a 294 /* Postfix system. 295 /* .IP "\fBdebugger_command (empty)\fR" 296 /* The external command to execute when a Postfix daemon program is 297 /* invoked with the -D option. 298 /* .IP "\fBdebug_peer_level (2)\fR" 299 /* The increment in verbose logging level when a remote client or 300 /* server matches a pattern in the debug_peer_list parameter. 301 /* .IP "\fBdebug_peer_list (empty)\fR" 302 /* Optional list of remote client or server hostname or network 303 /* address patterns that cause the verbose logging level to increase 304 /* by the amount specified in $debug_peer_level. 305 /* ACCESS CONTROLS 306 /* .ad 307 /* .fi 308 /* Available in Postfix version 2.2 and later: 309 /* .IP "\fBauthorized_flush_users (static:anyone)\fR" 310 /* List of users who are authorized to flush the queue. 311 /* .IP "\fBauthorized_mailq_users (static:anyone)\fR" 312 /* List of users who are authorized to view the queue. 313 /* .IP "\fBauthorized_submit_users (static:anyone)\fR" 314 /* List of users who are authorized to submit mail with the \fBsendmail\fR(1) 315 /* command (and with the privileged \fBpostdrop\fR(1) helper command). 316 /* RESOURCE AND RATE CONTROLS 317 /* .ad 318 /* .fi 319 /* .IP "\fBbounce_size_limit (50000)\fR" 320 /* The maximal amount of original message text that is sent in a 321 /* non-delivery notification. 322 /* .IP "\fBfork_attempts (5)\fR" 323 /* The maximal number of attempts to fork() a child process. 324 /* .IP "\fBfork_delay (1s)\fR" 325 /* The delay between attempts to fork() a child process. 326 /* .IP "\fBhopcount_limit (50)\fR" 327 /* The maximal number of Received: message headers that is allowed 328 /* in the primary message headers. 329 /* .IP "\fBqueue_run_delay (300s)\fR" 330 /* The time between deferred queue scans by the queue manager; 331 /* prior to Postfix 2.4 the default value was 1000s. 332 /* FAST FLUSH CONTROLS 333 /* .ad 334 /* .fi 335 /* The ETRN_README file describes configuration and operation 336 /* details for the Postfix "fast flush" service. 337 /* .IP "\fBfast_flush_domains ($relay_domains)\fR" 338 /* Optional list of destinations that are eligible for per-destination 339 /* logfiles with mail that is queued to those destinations. 340 /* VERP CONTROLS 341 /* .ad 342 /* .fi 343 /* The VERP_README file describes configuration and operation 344 /* details of Postfix support for variable envelope return 345 /* path addresses. 346 /* .IP "\fBdefault_verp_delimiters (+=)\fR" 347 /* The two default VERP delimiter characters. 348 /* .IP "\fBverp_delimiter_filter (-=+)\fR" 349 /* The characters Postfix accepts as VERP delimiter characters on the 350 /* Postfix \fBsendmail\fR(1) command line and in SMTP commands. 351 /* MISCELLANEOUS CONTROLS 352 /* .ad 353 /* .fi 354 /* .IP "\fBalias_database (see 'postconf -d' output)\fR" 355 /* The alias databases for \fBlocal\fR(8) delivery that are updated with 356 /* "\fBnewaliases\fR" or with "\fBsendmail -bi\fR". 357 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR" 358 /* The location of all postfix administrative commands. 359 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 360 /* The default location of the Postfix main.cf and master.cf 361 /* configuration files. 362 /* .IP "\fBdaemon_directory (see 'postconf -d' output)\fR" 363 /* The directory with Postfix support programs and daemon programs. 364 /* .IP "\fBdefault_database_type (see 'postconf -d' output)\fR" 365 /* The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1) 366 /* and \fBpostmap\fR(1) commands. 367 /* .IP "\fBdelay_warning_time (0h)\fR" 368 /* The time after which the sender receives a copy of the message 369 /* headers of mail that is still queued. 370 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR" 371 /* The list of environment parameters that a privileged Postfix 372 /* process will import from a non-Postfix parent process, or name=value 373 /* environment overrides. 374 /* .IP "\fBmail_owner (postfix)\fR" 375 /* The UNIX system account that owns the Postfix queue and most Postfix 376 /* daemon processes. 377 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 378 /* The location of the Postfix top-level queue directory. 379 /* .IP "\fBremote_header_rewrite_domain (empty)\fR" 380 /* Don't rewrite message headers from remote clients at all when 381 /* this parameter is empty; otherwise, rewrite message headers and 382 /* append the specified domain name to incomplete addresses. 383 /* .IP "\fBsyslog_facility (mail)\fR" 384 /* The syslog facility of Postfix logging. 385 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 386 /* A prefix that is prepended to the process name in syslog 387 /* records, so that, for example, "smtpd" becomes "prefix/smtpd". 388 /* .PP 389 /* Postfix 3.2 and later: 390 /* .IP "\fBalternate_config_directories (empty)\fR" 391 /* A list of non-default Postfix configuration directories that may 392 /* be specified with "-c config_directory" on the command line (in the 393 /* case of \fBsendmail\fR(1), with the "-C" option), or via the MAIL_CONFIG 394 /* environment parameter. 395 /* .IP "\fBmulti_instance_directories (empty)\fR" 396 /* An optional list of non-default Postfix configuration directories; 397 /* these directories belong to additional Postfix instances that share 398 /* the Postfix executable files and documentation with the default 399 /* Postfix instance, and that are started, stopped, etc., together 400 /* with the default Postfix instance. 401 /* FILES 402 /* /var/spool/postfix, mail queue 403 /* /etc/postfix, configuration files 404 /* SEE ALSO 405 /* pickup(8), mail pickup daemon 406 /* qmgr(8), queue manager 407 /* smtpd(8), SMTP server 408 /* flush(8), fast flush service 409 /* postsuper(1), queue maintenance 410 /* postalias(1), create/update/query alias database 411 /* postdrop(1), mail posting utility 412 /* postfix(1), mail system control 413 /* postqueue(1), mail queue control 414 /* postlogd(8), Postfix logging 415 /* syslogd(8), system logging 416 /* README_FILES 417 /* .ad 418 /* .fi 419 /* Use "\fBpostconf readme_directory\fR" or 420 /* "\fBpostconf html_directory\fR" to locate this information. 421 /* .na 422 /* .nf 423 /* DEBUG_README, Postfix debugging howto 424 /* ETRN_README, Postfix ETRN howto 425 /* VERP_README, Postfix VERP howto 426 /* LICENSE 427 /* .ad 428 /* .fi 429 /* The Secure Mailer license must be distributed with this software. 430 /* AUTHOR(S) 431 /* Wietse Venema 432 /* IBM T.J. Watson Research 433 /* P.O. Box 704 434 /* Yorktown Heights, NY 10598, USA 435 /* 436 /* Wietse Venema 437 /* Google, Inc. 438 /* 111 8th Avenue 439 /* New York, NY 10011, USA 440 /*--*/ 441 442 /* System library. */ 443 444 #include <sys_defs.h> 445 #include <sys/stat.h> 446 #include <unistd.h> 447 #include <string.h> 448 #include <stdio.h> /* remove() */ 449 #include <stdlib.h> 450 #include <signal.h> 451 #include <fcntl.h> 452 #include <time.h> 453 #include <errno.h> 454 #include <ctype.h> 455 #include <stdarg.h> 456 #include <sysexits.h> 457 458 /* Utility library. */ 459 460 #include <msg.h> 461 #include <mymalloc.h> 462 #include <vstream.h> 463 #include <msg_vstream.h> 464 #include <vstring_vstream.h> 465 #include <username.h> 466 #include <fullname.h> 467 #include <argv.h> 468 #include <safe.h> 469 #include <iostuff.h> 470 #include <stringops.h> 471 #include <set_ugid.h> 472 #include <connect.h> 473 #include <split_at.h> 474 #include <name_code.h> 475 #include <warn_stat.h> 476 #include <clean_env.h> 477 #include <maillog_client.h> 478 479 /* Global library. */ 480 481 #include <mail_queue.h> 482 #include <mail_proto.h> 483 #include <mail_params.h> 484 #include <mail_version.h> 485 #include <record.h> 486 #include <rec_type.h> 487 #include <rec_streamlf.h> 488 #include <mail_conf.h> 489 #include <cleanup_user.h> 490 #include <mail_task.h> 491 #include <mail_run.h> 492 #include <debug_process.h> 493 #include <tok822.h> 494 #include <mail_flush.h> 495 #include <mail_stream.h> 496 #include <verp_sender.h> 497 #include <deliver_request.h> 498 #include <mime_state.h> 499 #include <header_opts.h> 500 #include <mail_dict.h> 501 #include <user_acl.h> 502 #include <dsn_mask.h> 503 #include <mail_parm_split.h> 504 505 /* Application-specific. */ 506 507 /* 508 * Modes of operation. 509 */ 510 #define SM_MODE_ENQUEUE 1 /* delivery mode */ 511 #define SM_MODE_NEWALIAS 2 /* initialize alias database */ 512 #define SM_MODE_MAILQ 3 /* list mail queue */ 513 #define SM_MODE_DAEMON 4 /* daemon mode */ 514 #define SM_MODE_USER 5 /* user (stand-alone) mode */ 515 #define SM_MODE_FLUSHQ 6 /* user (stand-alone) mode */ 516 #define SM_MODE_IGNORE 7 /* ignore this mode */ 517 518 /* 519 * Flag parade. Flags 8-15 are reserved for delivery request trace flags. 520 */ 521 #define SM_FLAG_AEOF (1<<0) /* archaic EOF */ 522 #define SM_FLAG_XRCPT (1<<1) /* extract recipients from headers */ 523 524 #define SM_FLAG_DEFAULT (SM_FLAG_AEOF) 525 526 /* 527 * VERP support. 528 */ 529 static char *verp_delims; 530 531 /* 532 * Callback context for extracting recipients. 533 */ 534 typedef struct SM_STATE { 535 VSTREAM *dst; /* output stream */ 536 ARGV *recipients; /* recipients from regular headers */ 537 ARGV *resent_recip; /* recipients from resent headers */ 538 int resent; /* resent flag */ 539 const char *saved_sender; /* for error messages */ 540 uid_t uid; /* for error messages */ 541 VSTRING *temp; /* scratch buffer */ 542 } SM_STATE; 543 544 /* 545 * Mail submission ACL, line-end fixing. 546 */ 547 char *var_submit_acl; 548 char *var_sm_fix_eol; 549 550 static const CONFIG_STR_TABLE str_table[] = { 551 VAR_SUBMIT_ACL, DEF_SUBMIT_ACL, &var_submit_acl, 0, 0, 552 VAR_SM_FIX_EOL, DEF_SM_FIX_EOL, &var_sm_fix_eol, 1, 0, 553 0, 554 }; 555 556 /* 557 * Silly little macros (SLMs). 558 */ 559 #define STR vstring_str 560 561 /* output_text - output partial or complete text line */ 562 563 static void output_text(void *context, int rec_type, const char *buf, ssize_t len, 564 off_t unused_offset) 565 { 566 SM_STATE *state = (SM_STATE *) context; 567 568 if (rec_put(state->dst, rec_type, buf, len) < 0) 569 msg_fatal_status(EX_TEMPFAIL, 570 "%s(%ld): error writing queue file: %m", 571 state->saved_sender, (long) state->uid); 572 } 573 574 /* output_header - output one message header */ 575 576 static void output_header(void *context, int header_class, 577 const HEADER_OPTS *header_info, 578 VSTRING *buf, off_t offset) 579 { 580 SM_STATE *state = (SM_STATE *) context; 581 TOK822 *tree; 582 TOK822 **addr_list; 583 TOK822 **tpp; 584 ARGV *rcpt; 585 char *start; 586 char *line; 587 char *next_line; 588 ssize_t len; 589 590 /* 591 * Parse the header line, and save copies of recipient addresses in the 592 * appropriate place. 593 */ 594 if (header_class == MIME_HDR_PRIMARY 595 && header_info 596 && (header_info->flags & HDR_OPT_RECIP) 597 && (header_info->flags & HDR_OPT_EXTRACT) 598 && (state->resent == 0 || (header_info->flags & HDR_OPT_RR))) { 599 if (header_info->flags & HDR_OPT_RR) { 600 rcpt = state->resent_recip; 601 if (state->resent == 0) 602 state->resent = 1; 603 } else 604 rcpt = state->recipients; 605 tree = tok822_parse(STR(buf) + strlen(header_info->name) + 1); 606 addr_list = tok822_grep(tree, TOK822_ADDR); 607 for (tpp = addr_list; *tpp; tpp++) { 608 tok822_internalize(state->temp, tpp[0]->head, TOK822_STR_DEFL); 609 argv_add(rcpt, STR(state->temp), (char *) 0); 610 } 611 myfree((void *) addr_list); 612 tok822_free_tree(tree); 613 } 614 615 /* 616 * Pipe the unmodified message header through the header line folding 617 * routine, and ensure that long lines are chopped appropriately. 618 */ 619 for (line = start = STR(buf); line; line = next_line) { 620 next_line = split_at(line, '\n'); 621 len = next_line ? next_line - line - 1 : strlen(line); 622 do { 623 if (len > var_line_limit) { 624 output_text(context, REC_TYPE_CONT, line, var_line_limit, offset); 625 line += var_line_limit; 626 len -= var_line_limit; 627 offset += var_line_limit; 628 } else { 629 output_text(context, REC_TYPE_NORM, line, len, offset); 630 offset += len; 631 break; 632 } 633 } while (len > 0); 634 offset += 1; 635 } 636 } 637 638 /* enqueue - post one message */ 639 640 static void enqueue(const int flags, const char *encoding, 641 const char *dsn_envid, int dsn_ret, int dsn_notify, 642 const char *rewrite_context, const char *sender, 643 const char *full_name, char **recipients) 644 { 645 VSTRING *buf; 646 VSTREAM *dst; 647 char *saved_sender; 648 char **cpp; 649 int type; 650 char *start; 651 int skip_from_; 652 TOK822 *tree; 653 TOK822 *tp; 654 int rcpt_count = 0; 655 enum { 656 STRIP_CR_DUNNO, STRIP_CR_DO, STRIP_CR_DONT, STRIP_CR_ERROR 657 } strip_cr; 658 MAIL_STREAM *handle; 659 VSTRING *postdrop_command; 660 uid_t uid = getuid(); 661 int status; 662 int naddr; 663 int prev_type; 664 MIME_STATE *mime_state = 0; 665 SM_STATE state; 666 int mime_errs; 667 const char *errstr; 668 int addr_count; 669 int level; 670 static NAME_CODE sm_fix_eol_table[] = { 671 SM_FIX_EOL_ALWAYS, STRIP_CR_DO, 672 SM_FIX_EOL_STRICT, STRIP_CR_DUNNO, 673 SM_FIX_EOL_NEVER, STRIP_CR_DONT, 674 0, STRIP_CR_ERROR, 675 }; 676 677 /* 678 * Access control is enforced in the postdrop command. The code here 679 * merely produces a more user-friendly interface. 680 */ 681 if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, 682 var_submit_acl, uid)) != 0) 683 msg_fatal_status(EX_NOPERM, 684 "User %s(%ld) is not allowed to submit mail", errstr, (long) uid); 685 686 /* 687 * Initialize. 688 */ 689 buf = vstring_alloc(100); 690 691 /* 692 * Stop run-away process accidents by limiting the queue file size. This 693 * is not a defense against DOS attack. 694 */ 695 if (ENFORCING_SIZE_LIMIT(var_message_limit) 696 && get_file_limit() > var_message_limit) 697 set_file_limit((off_t) var_message_limit); 698 699 /* 700 * The sender name is provided by the user. In principle, the mail pickup 701 * service could deduce the sender name from queue file ownership, but: 702 * pickup would not be able to run chrooted, and it may not be desirable 703 * to use login names at all. 704 */ 705 if (sender != 0) { 706 VSTRING_RESET(buf); 707 VSTRING_TERMINATE(buf); 708 tree = tok822_parse(sender); 709 for (naddr = 0, tp = tree; tp != 0; tp = tp->next) 710 if (tp->type == TOK822_ADDR && naddr++ == 0) 711 tok822_internalize(buf, tp->head, TOK822_STR_DEFL); 712 tok822_free_tree(tree); 713 saved_sender = mystrdup(STR(buf)); 714 if (naddr > 1) 715 msg_warn("-f option specified malformed sender: %s", sender); 716 } else { 717 if ((sender = username()) == 0) 718 msg_fatal_status(EX_OSERR, "no login name found for user ID %lu", 719 (unsigned long) uid); 720 saved_sender = mystrdup(sender); 721 } 722 723 /* 724 * Let the postdrop command open the queue file for us, and sanity check 725 * the content. XXX Make postdrop a manifest constant. 726 */ 727 errno = 0; 728 postdrop_command = vstring_alloc(1000); 729 vstring_sprintf(postdrop_command, "%s/postdrop -r", var_command_dir); 730 for (level = 0; level < msg_verbose; level++) 731 vstring_strcat(postdrop_command, " -v"); 732 if ((handle = mail_stream_command(STR(postdrop_command))) == 0) 733 msg_fatal_status(EX_UNAVAILABLE, "%s(%ld): unable to execute %s: %m", 734 saved_sender, (long) uid, STR(postdrop_command)); 735 vstring_free(postdrop_command); 736 dst = handle->stream; 737 738 /* 739 * First, write envelope information to the output stream. 740 * 741 * For sendmail compatibility, parse each command-line recipient as if it 742 * were an RFC 822 message header; some MUAs specify comma-separated 743 * recipient lists; and some MUAs even specify "word word <address>". 744 * 745 * Sort-uniq-ing the recipient list is done after address canonicalization, 746 * before recipients are written to queue file. That's cleaner than 747 * having the queue manager nuke duplicate recipient status records. 748 * 749 * XXX Should limit the size of envelope records. 750 * 751 * With "sendmail -N", instead of a per-message NOTIFY record we store one 752 * per recipient so that we can simplify the implementation somewhat. 753 */ 754 if (dsn_envid) 755 rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", 756 MAIL_ATTR_DSN_ENVID, dsn_envid); 757 if (dsn_ret) 758 rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", 759 MAIL_ATTR_DSN_RET, dsn_ret); 760 rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", 761 MAIL_ATTR_RWR_CONTEXT, rewrite_context); 762 if (full_name || (full_name = fullname()) != 0) 763 rec_fputs(dst, REC_TYPE_FULL, full_name); 764 rec_fputs(dst, REC_TYPE_FROM, saved_sender); 765 if (verp_delims && *saved_sender == 0) 766 msg_fatal_status(EX_USAGE, 767 "%s(%ld): -V option requires non-null sender address", 768 saved_sender, (long) uid); 769 if (encoding) 770 rec_fprintf(dst, REC_TYPE_ATTR, "%s=%s", MAIL_ATTR_ENCODING, encoding); 771 if (DEL_REQ_TRACE_FLAGS(flags)) 772 rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", MAIL_ATTR_TRACE_FLAGS, 773 DEL_REQ_TRACE_FLAGS(flags)); 774 if (verp_delims) 775 rec_fputs(dst, REC_TYPE_VERP, verp_delims); 776 if (recipients) { 777 for (cpp = recipients; *cpp != 0; cpp++) { 778 tree = tok822_parse(*cpp); 779 for (addr_count = 0, tp = tree; tp != 0; tp = tp->next) { 780 if (tp->type == TOK822_ADDR) { 781 tok822_internalize(buf, tp->head, TOK822_STR_DEFL); 782 if (dsn_notify) 783 rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", 784 MAIL_ATTR_DSN_NOTIFY, dsn_notify); 785 if (REC_PUT_BUF(dst, REC_TYPE_RCPT, buf) < 0) 786 msg_fatal_status(EX_TEMPFAIL, 787 "%s(%ld): error writing queue file: %m", 788 saved_sender, (long) uid); 789 ++rcpt_count; 790 ++addr_count; 791 } 792 } 793 tok822_free_tree(tree); 794 if (addr_count == 0) { 795 if (rec_put(dst, REC_TYPE_RCPT, "", 0) < 0) 796 msg_fatal_status(EX_TEMPFAIL, 797 "%s(%ld): error writing queue file: %m", 798 saved_sender, (long) uid); 799 ++rcpt_count; 800 } 801 } 802 } 803 804 /* 805 * Append the message contents to the queue file. Write chunks of at most 806 * 1kbyte. Internally, we use different record types for data ending in 807 * LF and for data that doesn't, so we can actually be binary transparent 808 * for local mail. Unfortunately, SMTP has no record continuation 809 * convention, so there is no guarantee that arbitrary data will be 810 * delivered intact via SMTP. Strip leading From_ lines. For the benefit 811 * of UUCP environments, also get rid of leading >>>From_ lines. 812 */ 813 rec_fputs(dst, REC_TYPE_MESG, ""); 814 if (DEL_REQ_TRACE_ONLY(flags) != 0) { 815 if (flags & SM_FLAG_XRCPT) 816 msg_fatal_status(EX_USAGE, "%s(%ld): -t option cannot be used with -bv", 817 saved_sender, (long) uid); 818 if (*saved_sender) 819 rec_fprintf(dst, REC_TYPE_NORM, "From: %s", saved_sender); 820 rec_fprintf(dst, REC_TYPE_NORM, "Subject: probe"); 821 if (recipients) { 822 rec_fprintf(dst, REC_TYPE_CONT, "To:"); 823 for (cpp = recipients; *cpp != 0; cpp++) { 824 rec_fprintf(dst, REC_TYPE_NORM, " %s%s", 825 *cpp, cpp[1] ? "," : ""); 826 } 827 } 828 } else { 829 830 /* 831 * Initialize the MIME processor and set up the callback context. 832 */ 833 if (flags & SM_FLAG_XRCPT) { 834 state.dst = dst; 835 state.recipients = argv_alloc(2); 836 state.resent_recip = argv_alloc(2); 837 state.resent = 0; 838 state.saved_sender = saved_sender; 839 state.uid = uid; 840 state.temp = vstring_alloc(10); 841 mime_state = mime_state_alloc(MIME_OPT_DISABLE_MIME 842 | MIME_OPT_REPORT_TRUNC_HEADER, 843 output_header, 844 (MIME_STATE_ANY_END) 0, 845 output_text, 846 (MIME_STATE_ANY_END) 0, 847 (MIME_STATE_ERR_PRINT) 0, 848 (void *) &state); 849 } 850 851 /* 852 * Process header/body lines. 853 */ 854 skip_from_ = 1; 855 strip_cr = name_code(sm_fix_eol_table, NAME_CODE_FLAG_STRICT_CASE, 856 var_sm_fix_eol); 857 if (strip_cr == STRIP_CR_ERROR) 858 msg_fatal_status(EX_USAGE, 859 "invalid %s value: %s", VAR_SM_FIX_EOL, var_sm_fix_eol); 860 for (prev_type = 0; (type = rec_streamlf_get(VSTREAM_IN, buf, var_line_limit)) 861 != REC_TYPE_EOF; prev_type = type) { 862 if (strip_cr == STRIP_CR_DUNNO && type == REC_TYPE_NORM) { 863 if (VSTRING_LEN(buf) > 0 && vstring_end(buf)[-1] == '\r') 864 strip_cr = STRIP_CR_DO; 865 else 866 strip_cr = STRIP_CR_DONT; 867 } 868 if (skip_from_) { 869 if (type == REC_TYPE_NORM) { 870 start = STR(buf); 871 if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) 872 continue; 873 } 874 skip_from_ = 0; 875 } 876 if (strip_cr == STRIP_CR_DO && type == REC_TYPE_NORM) 877 while (VSTRING_LEN(buf) > 0 && vstring_end(buf)[-1] == '\r') 878 vstring_truncate(buf, VSTRING_LEN(buf) - 1); 879 if ((flags & SM_FLAG_AEOF) && prev_type != REC_TYPE_CONT 880 && VSTRING_LEN(buf) == 1 && *STR(buf) == '.') 881 break; 882 if (mime_state) { 883 mime_errs = mime_state_update(mime_state, type, STR(buf), 884 VSTRING_LEN(buf)); 885 if (mime_errs) 886 msg_fatal_status(EX_DATAERR, 887 "%s(%ld): unable to extract recipients: %s", 888 saved_sender, (long) uid, 889 mime_state_error(mime_errs)); 890 } else { 891 if (REC_PUT_BUF(dst, type, buf) < 0) 892 msg_fatal_status(EX_TEMPFAIL, 893 "%s(%ld): error writing queue file: %m", 894 saved_sender, (long) uid); 895 } 896 } 897 } 898 899 /* 900 * Finish MIME processing. We need a final mime_state_update() call in 901 * order to flush text that is still buffered. That can happen when the 902 * last line did not end in newline. 903 */ 904 if (mime_state) { 905 mime_errs = mime_state_update(mime_state, REC_TYPE_EOF, "", 0); 906 if (mime_errs) 907 msg_fatal_status(EX_DATAERR, 908 "%s(%ld): unable to extract recipients: %s", 909 saved_sender, (long) uid, 910 mime_state_error(mime_errs)); 911 mime_state = mime_state_free(mime_state); 912 } 913 914 /* 915 * Append recipient addresses that were extracted from message headers. 916 */ 917 rec_fputs(dst, REC_TYPE_XTRA, ""); 918 if (flags & SM_FLAG_XRCPT) { 919 for (cpp = state.resent ? state.resent_recip->argv : 920 state.recipients->argv; *cpp; cpp++) { 921 if (dsn_notify) 922 rec_fprintf(dst, REC_TYPE_ATTR, "%s=%d", 923 MAIL_ATTR_DSN_NOTIFY, dsn_notify); 924 if (rec_put(dst, REC_TYPE_RCPT, *cpp, strlen(*cpp)) < 0) 925 msg_fatal_status(EX_TEMPFAIL, 926 "%s(%ld): error writing queue file: %m", 927 saved_sender, (long) uid); 928 ++rcpt_count; 929 } 930 argv_free(state.recipients); 931 argv_free(state.resent_recip); 932 vstring_free(state.temp); 933 } 934 if (rcpt_count == 0) 935 msg_fatal_status(EX_USAGE, (flags & SM_FLAG_XRCPT) ? 936 "%s(%ld): No recipient addresses found in message header" : 937 "%s(%ld): Recipient addresses must be specified on" 938 " the command line or via the -t option", 939 saved_sender, (long) uid); 940 941 /* 942 * Identify the end of the queue file. 943 */ 944 rec_fputs(dst, REC_TYPE_END, ""); 945 946 /* 947 * Make sure that the message makes it to the file system. Once we have 948 * terminated with successful exit status we cannot lose the message due 949 * to "frivolous reasons". If all goes well, prevent the run-time error 950 * handler from removing the file. 951 */ 952 if (vstream_ferror(VSTREAM_IN)) 953 msg_fatal_status(EX_DATAERR, "%s(%ld): error reading input: %m", 954 saved_sender, (long) uid); 955 if ((status = mail_stream_finish(handle, (VSTRING *) 0)) != 0) 956 msg_fatal_status((status & CLEANUP_STAT_BAD) ? EX_SOFTWARE : 957 (status & CLEANUP_STAT_WRITE) ? EX_TEMPFAIL : 958 EX_UNAVAILABLE, "%s(%ld): %s", saved_sender, 959 (long) uid, cleanup_strerror(status)); 960 961 /* 962 * Don't leave them in the dark. 963 */ 964 if (DEL_REQ_TRACE_FLAGS(flags)) { 965 vstream_printf("Mail Delivery Status Report will be mailed to <%s>.\n", 966 saved_sender); 967 vstream_fflush(VSTREAM_OUT); 968 } 969 970 /* 971 * Cleanup. Not really necessary as we're about to exit, but good for 972 * debugging purposes. 973 */ 974 vstring_free(buf); 975 myfree(saved_sender); 976 } 977 978 /* tempfail - sanitize exit status after library run-time error */ 979 980 static void tempfail(void) 981 { 982 exit(EX_TEMPFAIL); 983 } 984 985 MAIL_VERSION_STAMP_DECLARE; 986 987 /* main - the main program */ 988 989 int main(int argc, char **argv) 990 { 991 static char *full_name = 0; /* sendmail -F */ 992 struct stat st; 993 char *slash; 994 char *sender = 0; /* sendmail -f */ 995 int c; 996 int fd; 997 int mode; 998 ARGV *ext_argv; 999 int debug_me = 0; 1000 int err; 1001 int n; 1002 int flags = SM_FLAG_DEFAULT; 1003 char *site_to_flush = 0; 1004 char *id_to_flush = 0; 1005 char *encoding = 0; 1006 char *qtime = 0; 1007 const char *errstr; 1008 uid_t uid; 1009 const char *rewrite_context = MAIL_ATTR_RWR_LOCAL; 1010 int dsn_notify = 0; 1011 int dsn_ret = 0; 1012 const char *dsn_envid = 0; 1013 int saved_optind; 1014 ARGV *import_env; 1015 1016 /* 1017 * Fingerprint executables and core dumps. 1018 */ 1019 MAIL_VERSION_STAMP_ALLOCATE; 1020 1021 /* 1022 * Be consistent with file permissions. 1023 */ 1024 umask(022); 1025 1026 /* 1027 * To minimize confusion, make sure that the standard file descriptors 1028 * are open before opening anything else. XXX Work around for 44BSD where 1029 * fstat can return EBADF on an open file descriptor. 1030 */ 1031 for (fd = 0; fd < 3; fd++) 1032 if (fstat(fd, &st) == -1 1033 && (close(fd), open("/dev/null", O_RDWR, 0)) != fd) 1034 msg_fatal_status(EX_OSERR, "open /dev/null: %m"); 1035 1036 /* 1037 * The CDE desktop calendar manager leaks a parent file descriptor into 1038 * the child process. For the sake of sendmail compatibility we have to 1039 * close the file descriptor otherwise mail notification will hang. 1040 */ 1041 for ( /* void */ ; fd < 100; fd++) 1042 (void) close(fd); 1043 1044 /* 1045 * Process environment options as early as we can. We might be called 1046 * from a set-uid (set-gid) program, so be careful with importing 1047 * environment variables. 1048 */ 1049 if (safe_getenv(CONF_ENV_VERB)) 1050 msg_verbose = 1; 1051 if (safe_getenv(CONF_ENV_DEBUG)) 1052 debug_me = 1; 1053 1054 /* 1055 * Initialize. Set up logging. Read the global configuration file after 1056 * command-line processing. Set up signal handlers so that we can clean 1057 * up incomplete output. 1058 */ 1059 if ((slash = strrchr(argv[0], '/')) != 0 && slash[1]) 1060 argv[0] = slash + 1; 1061 msg_vstream_init(argv[0], VSTREAM_ERR); 1062 msg_cleanup(tempfail); 1063 maillog_client_init(mail_task("sendmail"), MAILLOG_CLIENT_FLAG_NONE); 1064 set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0])); 1065 1066 /* 1067 * Check the Postfix library version as soon as we enable logging. 1068 */ 1069 MAIL_VERSION_CHECK; 1070 1071 /* 1072 * Some sites mistakenly install Postfix sendmail as set-uid root. Drop 1073 * set-uid privileges only when root, otherwise some systems will not 1074 * reset the saved set-userid, which would be a security vulnerability. 1075 */ 1076 if (geteuid() == 0 && getuid() != 0) { 1077 msg_warn("the Postfix sendmail command has set-uid root file permissions"); 1078 msg_warn("or the command is run from a set-uid root process"); 1079 msg_warn("the Postfix sendmail command must be installed without set-uid root file permissions"); 1080 set_ugid(getuid(), getgid()); 1081 } 1082 1083 /* 1084 * Further initialization. Load main.cf first, so that command-line 1085 * options can override main.cf settings. Pre-scan the argument list so 1086 * that we load the right main.cf file. 1087 */ 1088 #define GETOPT_LIST "A:B:C:F:GIL:N:O:R:UV:X:b:ce:f:h:imno:p:r:q:tvx" 1089 1090 saved_optind = optind; 1091 while (argv[OPTIND] != 0) { 1092 if (strcmp(argv[OPTIND], "-q") == 0) { /* not getopt compatible */ 1093 optind++; 1094 continue; 1095 } 1096 if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0) 1097 break; 1098 if (c == 'C') { 1099 VSTRING *buf = vstring_alloc(1); 1100 char *dir; 1101 1102 dir = strcmp(sane_basename(buf, optarg), MAIN_CONF_FILE) == 0 ? 1103 sane_dirname(buf, optarg) : optarg; 1104 if (strcmp(dir, DEF_CONFIG_DIR) != 0 && geteuid() != 0) 1105 mail_conf_checkdir(dir); 1106 if (setenv(CONF_ENV_PATH, dir, 1) < 0) 1107 msg_fatal_status(EX_UNAVAILABLE, "out of memory"); 1108 vstring_free(buf); 1109 } 1110 } 1111 optind = saved_optind; 1112 mail_conf_read(); 1113 /* Enforce consistent operation of different Postfix parts. */ 1114 import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ); 1115 update_env(import_env->argv); 1116 argv_free(import_env); 1117 /* Re-evaluate mail_task() after reading main.cf. */ 1118 maillog_client_init(mail_task("sendmail"), MAILLOG_CLIENT_FLAG_NONE); 1119 get_mail_conf_str_table(str_table); 1120 1121 mail_dict_init(); 1122 1123 if (chdir(var_queue_dir)) 1124 msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir); 1125 1126 signal(SIGPIPE, SIG_IGN); 1127 1128 /* 1129 * Optionally start the debugger on ourself. This must be done after 1130 * reading the global configuration file, because that file specifies 1131 * what debugger command to execute. 1132 */ 1133 if (debug_me) 1134 debug_process(); 1135 1136 /* 1137 * The default mode of operation is determined by the process name. It 1138 * can, however, be changed via command-line options (for example, 1139 * "newaliases -bp" will show the mail queue). 1140 */ 1141 if (strcmp(argv[0], "mailq") == 0) { 1142 mode = SM_MODE_MAILQ; 1143 } else if (strcmp(argv[0], "newaliases") == 0) { 1144 mode = SM_MODE_NEWALIAS; 1145 } else if (strcmp(argv[0], "smtpd") == 0) { 1146 mode = SM_MODE_DAEMON; 1147 } else { 1148 mode = SM_MODE_ENQUEUE; 1149 } 1150 1151 /* 1152 * Parse JCL. Sendmail has been around for a long time, and has acquired 1153 * a large number of options in the course of time. Some options such as 1154 * -q are not parsable with GETOPT() and get special treatment. 1155 */ 1156 #define OPTIND (optind > 0 ? optind : 1) 1157 1158 while (argv[OPTIND] != 0) { 1159 if (strcmp(argv[OPTIND], "-q") == 0) { 1160 if (mode == SM_MODE_DAEMON) 1161 msg_warn("ignoring -q option in daemon mode"); 1162 else 1163 mode = SM_MODE_FLUSHQ; 1164 optind++; 1165 continue; 1166 } 1167 if (strcmp(argv[OPTIND], "-V") == 0 1168 && argv[OPTIND + 1] != 0 && strlen(argv[OPTIND + 1]) == 2) { 1169 msg_warn("option -V is deprecated with Postfix 2.3; " 1170 "specify -XV instead"); 1171 argv[OPTIND] = "-XV"; 1172 } 1173 if (strncmp(argv[OPTIND], "-V", 2) == 0 && strlen(argv[OPTIND]) == 4) { 1174 msg_warn("option %s is deprecated with Postfix 2.3; " 1175 "specify -X%s instead", 1176 argv[OPTIND], argv[OPTIND] + 1); 1177 argv[OPTIND] = concatenate("-X", argv[OPTIND] + 1, (char *) 0); 1178 } 1179 if (strcmp(argv[OPTIND], "-XV") == 0) { 1180 verp_delims = var_verp_delims; 1181 optind++; 1182 continue; 1183 } 1184 if ((c = GETOPT(argc, argv, GETOPT_LIST)) <= 0) 1185 break; 1186 switch (c) { 1187 default: 1188 if (msg_verbose) 1189 msg_info("-%c option ignored", c); 1190 break; 1191 case 'n': 1192 msg_fatal_status(EX_USAGE, "-%c option not supported", c); 1193 case 'B': 1194 if (strcmp(optarg, "8BITMIME") == 0)/* RFC 1652 */ 1195 encoding = MAIL_ATTR_ENC_8BIT; 1196 else if (strcmp(optarg, "7BIT") == 0) /* RFC 1652 */ 1197 encoding = MAIL_ATTR_ENC_7BIT; 1198 else 1199 msg_fatal_status(EX_USAGE, "-B option needs 8BITMIME or 7BIT"); 1200 break; 1201 case 'F': /* full name */ 1202 full_name = optarg; 1203 break; 1204 case 'G': /* gateway submission */ 1205 rewrite_context = MAIL_ATTR_RWR_REMOTE; 1206 break; 1207 case 'I': /* newaliases */ 1208 mode = SM_MODE_NEWALIAS; 1209 break; 1210 case 'N': 1211 if ((dsn_notify = dsn_notify_mask(optarg)) == 0) 1212 msg_warn("bad -N option value -- ignored"); 1213 break; 1214 case 'R': 1215 if ((dsn_ret = dsn_ret_code(optarg)) == 0) 1216 msg_warn("bad -R option value -- ignored"); 1217 break; 1218 case 'V': /* DSN, was: VERP */ 1219 if (strlen(optarg) > 100) 1220 msg_warn("too long -V option value -- ignored"); 1221 else if (!allprint(optarg)) 1222 msg_warn("bad syntax in -V option value -- ignored"); 1223 else 1224 dsn_envid = optarg; 1225 break; 1226 case 'X': 1227 switch (*optarg) { 1228 default: 1229 msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg); 1230 case 'V': /* VERP */ 1231 if (verp_delims_verify(optarg + 1) != 0) 1232 msg_fatal_status(EX_USAGE, "-V requires two characters from %s", 1233 var_verp_filter); 1234 verp_delims = optarg + 1; 1235 break; 1236 } 1237 break; 1238 case 'b': 1239 switch (*optarg) { 1240 default: 1241 msg_fatal_status(EX_USAGE, "unsupported: -%c%c", c, *optarg); 1242 case 'd': /* daemon mode */ 1243 case 'l': /* daemon mode */ 1244 if (mode == SM_MODE_FLUSHQ) 1245 msg_warn("ignoring -q option in daemon mode"); 1246 mode = SM_MODE_DAEMON; 1247 break; 1248 case 'h': /* print host status */ 1249 case 'H': /* flush host status */ 1250 mode = SM_MODE_IGNORE; 1251 break; 1252 case 'i': /* newaliases */ 1253 mode = SM_MODE_NEWALIAS; 1254 break; 1255 case 'm': /* deliver mail */ 1256 mode = SM_MODE_ENQUEUE; 1257 break; 1258 case 'p': /* mailq */ 1259 mode = SM_MODE_MAILQ; 1260 break; 1261 case 's': /* stand-alone mode */ 1262 mode = SM_MODE_USER; 1263 break; 1264 case 'v': /* expand recipients */ 1265 flags |= DEL_REQ_FLAG_USR_VRFY; 1266 break; 1267 } 1268 break; 1269 case 'f': 1270 sender = optarg; 1271 break; 1272 case 'i': 1273 flags &= ~SM_FLAG_AEOF; 1274 break; 1275 case 'o': 1276 switch (*optarg) { 1277 default: 1278 if (msg_verbose) 1279 msg_info("-%c%c option ignored", c, *optarg); 1280 break; 1281 case 'A': 1282 if (optarg[1] == 0) 1283 msg_fatal_status(EX_USAGE, "-oA requires pathname"); 1284 myfree(var_alias_db_map); 1285 var_alias_db_map = mystrdup(optarg + 1); 1286 set_mail_conf_str(VAR_ALIAS_DB_MAP, var_alias_db_map); 1287 break; 1288 case '7': 1289 case '8': 1290 break; 1291 case 'i': 1292 flags &= ~SM_FLAG_AEOF; 1293 break; 1294 case 'm': 1295 break; 1296 } 1297 break; 1298 case 'r': /* obsoleted by -f */ 1299 sender = optarg; 1300 break; 1301 case 'q': 1302 if (ISDIGIT(optarg[0])) { 1303 qtime = optarg; 1304 } else if (optarg[0] == 'R') { 1305 site_to_flush = optarg + 1; 1306 if (*site_to_flush == 0) 1307 msg_fatal_status(EX_USAGE, "specify: -qRsitename"); 1308 } else if (optarg[0] == 'I') { 1309 id_to_flush = optarg + 1; 1310 if (*id_to_flush == 0) 1311 msg_fatal_status(EX_USAGE, "specify: -qIqueueid"); 1312 } else { 1313 msg_fatal_status(EX_USAGE, "-q%c is not implemented", 1314 optarg[0]); 1315 } 1316 break; 1317 case 't': 1318 flags |= SM_FLAG_XRCPT; 1319 break; 1320 case 'v': 1321 msg_verbose++; 1322 break; 1323 case '?': 1324 msg_fatal_status(EX_USAGE, "usage: %s [options]", argv[0]); 1325 } 1326 } 1327 1328 /* 1329 * Look for conflicting options and arguments. 1330 */ 1331 if ((flags & SM_FLAG_XRCPT) && mode != SM_MODE_ENQUEUE) 1332 msg_fatal_status(EX_USAGE, "-t can be used only in delivery mode"); 1333 1334 if (site_to_flush && mode != SM_MODE_ENQUEUE) 1335 msg_fatal_status(EX_USAGE, "-qR can be used only in delivery mode"); 1336 1337 if (id_to_flush && mode != SM_MODE_ENQUEUE) 1338 msg_fatal_status(EX_USAGE, "-qI can be used only in delivery mode"); 1339 1340 if (flags & DEL_REQ_FLAG_USR_VRFY) { 1341 if (flags & SM_FLAG_XRCPT) 1342 msg_fatal_status(EX_USAGE, "-t option cannot be used with -bv"); 1343 if (dsn_notify) 1344 msg_fatal_status(EX_USAGE, "-N option cannot be used with -bv"); 1345 if (dsn_ret) 1346 msg_fatal_status(EX_USAGE, "-R option cannot be used with -bv"); 1347 if (msg_verbose == 1) 1348 msg_fatal_status(EX_USAGE, "-v option cannot be used with -bv"); 1349 } 1350 1351 /* 1352 * The -v option plays double duty. One requests verbose delivery, more 1353 * than one requests verbose logging. 1354 */ 1355 if (msg_verbose == 1 && mode == SM_MODE_ENQUEUE) { 1356 msg_verbose = 0; 1357 flags |= DEL_REQ_FLAG_RECORD; 1358 } 1359 1360 /* 1361 * Start processing. Everything is delegated to external commands. 1362 */ 1363 if (qtime && mode != SM_MODE_DAEMON) 1364 exit(0); 1365 switch (mode) { 1366 default: 1367 msg_panic("unknown operation mode: %d", mode); 1368 /* NOTREACHED */ 1369 case SM_MODE_ENQUEUE: 1370 if (site_to_flush) { 1371 if (argv[OPTIND]) 1372 msg_fatal_status(EX_USAGE, "flush site requires no recipient"); 1373 ext_argv = argv_alloc(2); 1374 argv_add(ext_argv, "postqueue", "-s", site_to_flush, (char *) 0); 1375 for (n = 0; n < msg_verbose; n++) 1376 argv_add(ext_argv, "-v", (char *) 0); 1377 argv_terminate(ext_argv); 1378 mail_run_replace(var_command_dir, ext_argv->argv); 1379 /* NOTREACHED */ 1380 } else if (id_to_flush) { 1381 if (argv[OPTIND]) 1382 msg_fatal_status(EX_USAGE, "flush queue_id requires no recipient"); 1383 ext_argv = argv_alloc(2); 1384 argv_add(ext_argv, "postqueue", "-i", id_to_flush, (char *) 0); 1385 for (n = 0; n < msg_verbose; n++) 1386 argv_add(ext_argv, "-v", (char *) 0); 1387 argv_terminate(ext_argv); 1388 mail_run_replace(var_command_dir, ext_argv->argv); 1389 /* NOTREACHED */ 1390 } else { 1391 enqueue(flags, encoding, dsn_envid, dsn_ret, dsn_notify, 1392 rewrite_context, sender, full_name, argv + OPTIND); 1393 exit(0); 1394 /* NOTREACHED */ 1395 } 1396 break; 1397 case SM_MODE_MAILQ: 1398 if (argv[OPTIND]) 1399 msg_fatal_status(EX_USAGE, 1400 "display queue mode requires no recipient"); 1401 ext_argv = argv_alloc(2); 1402 argv_add(ext_argv, "postqueue", "-p", (char *) 0); 1403 for (n = 0; n < msg_verbose; n++) 1404 argv_add(ext_argv, "-v", (char *) 0); 1405 argv_terminate(ext_argv); 1406 mail_run_replace(var_command_dir, ext_argv->argv); 1407 /* NOTREACHED */ 1408 case SM_MODE_FLUSHQ: 1409 if (argv[OPTIND]) 1410 msg_fatal_status(EX_USAGE, 1411 "flush queue mode requires no recipient"); 1412 ext_argv = argv_alloc(2); 1413 argv_add(ext_argv, "postqueue", "-f", (char *) 0); 1414 for (n = 0; n < msg_verbose; n++) 1415 argv_add(ext_argv, "-v", (char *) 0); 1416 argv_terminate(ext_argv); 1417 mail_run_replace(var_command_dir, ext_argv->argv); 1418 /* NOTREACHED */ 1419 case SM_MODE_DAEMON: 1420 if (argv[OPTIND]) 1421 msg_fatal_status(EX_USAGE, "daemon mode requires no recipient"); 1422 ext_argv = argv_alloc(2); 1423 argv_add(ext_argv, "postfix", (char *) 0); 1424 for (n = 0; n < msg_verbose; n++) 1425 argv_add(ext_argv, "-v", (char *) 0); 1426 argv_add(ext_argv, "start", (char *) 0); 1427 argv_terminate(ext_argv); 1428 err = (mail_run_background(var_command_dir, ext_argv->argv) < 0); 1429 argv_free(ext_argv); 1430 exit(err); 1431 break; 1432 case SM_MODE_NEWALIAS: 1433 if (argv[OPTIND]) 1434 msg_fatal_status(EX_USAGE, 1435 "alias initialization mode requires no recipient"); 1436 if (*var_alias_db_map == 0) 1437 return (0); 1438 ext_argv = argv_alloc(2); 1439 argv_add(ext_argv, "postalias", (char *) 0); 1440 for (n = 0; n < msg_verbose; n++) 1441 argv_add(ext_argv, "-v", (char *) 0); 1442 argv_split_append(ext_argv, var_alias_db_map, CHARS_COMMA_SP); 1443 argv_terminate(ext_argv); 1444 mail_run_replace(var_command_dir, ext_argv->argv); 1445 /* NOTREACHED */ 1446 case SM_MODE_USER: 1447 if (argv[OPTIND]) 1448 msg_fatal_status(EX_USAGE, 1449 "stand-alone mode requires no recipient"); 1450 /* The actual enforcement happens in the postdrop command. */ 1451 if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl, 1452 uid = getuid())) != 0) 1453 msg_fatal_status(EX_NOPERM, 1454 "User %s(%ld) is not allowed to submit mail", 1455 errstr, (long) uid); 1456 ext_argv = argv_alloc(2); 1457 argv_add(ext_argv, "smtpd", "-S", (char *) 0); 1458 for (n = 0; n < msg_verbose; n++) 1459 argv_add(ext_argv, "-v", (char *) 0); 1460 argv_terminate(ext_argv); 1461 mail_run_replace(var_daemon_dir, ext_argv->argv); 1462 /* NOTREACHED */ 1463 case SM_MODE_IGNORE: 1464 exit(0); 1465 /* NOTREACHED */ 1466 } 1467 } 1468