1 /* $NetBSD: virtual.c,v 1.2 2017/02/14 01:16:49 christos Exp $ */ 2 3 /*++ 4 /* NAME 5 /* virtual 8 6 /* SUMMARY 7 /* Postfix virtual domain mail delivery agent 8 /* SYNOPSIS 9 /* \fBvirtual\fR [generic Postfix daemon options] 10 /* DESCRIPTION 11 /* The \fBvirtual\fR(8) delivery agent is designed for virtual mail 12 /* hosting services. Originally based on the Postfix \fBlocal\fR(8) 13 /* delivery 14 /* agent, this agent looks up recipients with map lookups of their 15 /* full recipient address, instead of using hard-coded unix password 16 /* file lookups of the address local part only. 17 /* 18 /* This delivery agent only delivers mail. Other features such as 19 /* mail forwarding, out-of-office notifications, etc., must be 20 /* configured via virtual_alias maps or via similar lookup mechanisms. 21 /* MAILBOX LOCATION 22 /* .ad 23 /* .fi 24 /* The mailbox location is controlled by the \fBvirtual_mailbox_base\fR 25 /* and \fBvirtual_mailbox_maps\fR configuration parameters (see below). 26 /* The \fBvirtual_mailbox_maps\fR table is indexed by the recipient 27 /* address as described under TABLE SEARCH ORDER below. 28 /* 29 /* The mailbox pathname is constructed as follows: 30 /* 31 /* .nf 32 /* \fB$virtual_mailbox_base/$virtual_mailbox_maps(\fIrecipient\fB)\fR 33 /* .fi 34 /* 35 /* where \fIrecipient\fR is the full recipient address. 36 /* UNIX MAILBOX FORMAT 37 /* .ad 38 /* .fi 39 /* When the mailbox location does not end in \fB/\fR, the message 40 /* is delivered in UNIX mailbox format. This format stores multiple 41 /* messages in one textfile. 42 /* 43 /* The \fBvirtual\fR(8) delivery agent prepends a "\fBFrom \fIsender 44 /* time_stamp\fR" envelope header to each message, prepends a 45 /* \fBDelivered-To:\fR message header with the envelope recipient 46 /* address, 47 /* prepends an \fBX-Original-To:\fR header with the recipient address as 48 /* given to Postfix, 49 /* prepends a \fBReturn-Path:\fR message header with the 50 /* envelope sender address, prepends a \fB>\fR character to lines 51 /* beginning with "\fBFrom \fR", and appends an empty line. 52 /* 53 /* The mailbox is locked for exclusive access while delivery is in 54 /* progress. In case of problems, an attempt is made to truncate the 55 /* mailbox to its original length. 56 /* QMAIL MAILDIR FORMAT 57 /* .ad 58 /* .fi 59 /* When the mailbox location ends in \fB/\fR, the message is delivered 60 /* in qmail \fBmaildir\fR format. This format stores one message per file. 61 /* 62 /* The \fBvirtual\fR(8) delivery agent prepends a \fBDelivered-To:\fR 63 /* message header with the final envelope recipient address, 64 /* prepends an \fBX-Original-To:\fR header with the recipient address as 65 /* given to Postfix, and prepends a 66 /* \fBReturn-Path:\fR message header with the envelope sender address. 67 /* 68 /* By definition, \fBmaildir\fR format does not require application-level 69 /* file locking during mail delivery or retrieval. 70 /* MAILBOX OWNERSHIP 71 /* .ad 72 /* .fi 73 /* Mailbox ownership is controlled by the \fBvirtual_uid_maps\fR 74 /* and \fBvirtual_gid_maps\fR lookup tables, which are indexed 75 /* with the full recipient address. Each table provides 76 /* a string with the numerical user and group ID, respectively. 77 /* 78 /* The \fBvirtual_minimum_uid\fR parameter imposes a lower bound on 79 /* numerical user ID values that may be specified in any 80 /* \fBvirtual_uid_maps\fR. 81 /* CASE FOLDING 82 /* .ad 83 /* .fi 84 /* All delivery decisions are made using the full recipient 85 /* address, folded to lower case. See also the next section 86 /* for a few exceptions with optional address extensions. 87 /* TABLE SEARCH ORDER 88 /* .ad 89 /* .fi 90 /* Normally, a lookup table is specified as a text file that 91 /* serves as input to the \fBpostmap\fR(1) command. The result, an 92 /* indexed file in \fBdbm\fR or \fBdb\fR format, is used for fast 93 /* searching by the mail system. 94 /* 95 /* The search order is as follows. The search stops 96 /* upon the first successful lookup. 97 /* .IP \(bu 98 /* When the recipient has an optional address extension the 99 /* \fIuser+extension@domain.tld\fR address is looked up first. 100 /* .sp 101 /* With Postfix versions before 2.1, the optional address extension 102 /* is always ignored. 103 /* .IP \(bu 104 /* The \fIuser@domain.tld\fR address, without address extension, 105 /* is looked up next. 106 /* .IP \(bu 107 /* Finally, the recipient \fI@domain\fR is looked up. 108 /* .PP 109 /* When the table is provided via other means such as NIS, LDAP 110 /* or SQL, the same lookups are done as for ordinary indexed files. 111 /* 112 /* Alternatively, a table can be provided as a regular-expression 113 /* map where patterns are given as regular expressions. In that case, 114 /* only the full recipient address is given to the regular-expression 115 /* map. 116 /* SECURITY 117 /* .ad 118 /* .fi 119 /* The \fBvirtual\fR(8) delivery agent is not security sensitive, provided 120 /* that the lookup tables with recipient user/group ID information are 121 /* adequately protected. This program is not designed to run chrooted. 122 /* 123 /* The \fBvirtual\fR(8) delivery agent disallows regular expression 124 /* substitution of $1 etc. in regular expression lookup tables, 125 /* because that would open a security hole. 126 /* 127 /* The \fBvirtual\fR(8) delivery agent will silently ignore requests 128 /* to use the \fBproxymap\fR(8) server. Instead it will open the 129 /* table directly. Before Postfix version 2.2, the virtual 130 /* delivery agent will terminate with a fatal error. 131 /* STANDARDS 132 /* RFC 822 (ARPA Internet Text Messages) 133 /* DIAGNOSTICS 134 /* Mail bounces when the recipient has no mailbox or when the 135 /* recipient is over disk quota. In all other cases, mail for 136 /* an existing recipient is deferred and a warning is logged. 137 /* 138 /* Problems and transactions are logged to \fBsyslogd\fR(8). 139 /* Corrupted message files are marked so that the queue 140 /* manager can move them to the \fBcorrupt\fR queue afterwards. 141 /* 142 /* Depending on the setting of the \fBnotify_classes\fR parameter, 143 /* the postmaster is notified of bounces and of other trouble. 144 /* BUGS 145 /* This delivery agent supports address extensions in email 146 /* addresses and in lookup table keys, but does not propagate 147 /* address extension information to the result of table lookup. 148 /* 149 /* Postfix should have lookup tables that can return multiple result 150 /* attributes. In order to avoid the inconvenience of maintaining 151 /* three tables, use an LDAP or MYSQL database. 152 /* CONFIGURATION PARAMETERS 153 /* .ad 154 /* .fi 155 /* Changes to \fBmain.cf\fR are picked up automatically, as 156 /* \fBvirtual\fR(8) 157 /* processes run for only a limited amount of time. Use the command 158 /* "\fBpostfix reload\fR" to speed up a change. 159 /* 160 /* The text below provides only a parameter summary. See 161 /* \fBpostconf\fR(5) for more details including examples. 162 /* MAILBOX DELIVERY CONTROLS 163 /* .ad 164 /* .fi 165 /* .IP "\fBvirtual_mailbox_base (empty)\fR" 166 /* A prefix that the \fBvirtual\fR(8) delivery agent prepends to all pathname 167 /* results from $virtual_mailbox_maps table lookups. 168 /* .IP "\fBvirtual_mailbox_maps (empty)\fR" 169 /* Optional lookup tables with all valid addresses in the domains that 170 /* match $virtual_mailbox_domains. 171 /* .IP "\fBvirtual_minimum_uid (100)\fR" 172 /* The minimum user ID value that the \fBvirtual\fR(8) delivery agent accepts 173 /* as a result from $virtual_uid_maps table lookup. 174 /* .IP "\fBvirtual_uid_maps (empty)\fR" 175 /* Lookup tables with the per-recipient user ID that the \fBvirtual\fR(8) 176 /* delivery agent uses while writing to the recipient's mailbox. 177 /* .IP "\fBvirtual_gid_maps (empty)\fR" 178 /* Lookup tables with the per-recipient group ID for \fBvirtual\fR(8) mailbox 179 /* delivery. 180 /* .PP 181 /* Available in Postfix version 2.0 and later: 182 /* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR" 183 /* Postfix is final destination for the specified list of domains; 184 /* mail is delivered via the $virtual_transport mail delivery transport. 185 /* .IP "\fBvirtual_transport (virtual)\fR" 186 /* The default mail delivery transport and next-hop destination for 187 /* final delivery to domains listed with $virtual_mailbox_domains. 188 /* .PP 189 /* Available in Postfix version 2.5.3 and later: 190 /* .IP "\fBstrict_mailbox_ownership (yes)\fR" 191 /* Defer delivery when a mailbox file is not owned by its recipient. 192 /* LOCKING CONTROLS 193 /* .ad 194 /* .fi 195 /* .IP "\fBvirtual_mailbox_lock (see 'postconf -d' output)\fR" 196 /* How to lock a UNIX-style \fBvirtual\fR(8) mailbox before attempting 197 /* delivery. 198 /* .IP "\fBdeliver_lock_attempts (20)\fR" 199 /* The maximal number of attempts to acquire an exclusive lock on a 200 /* mailbox file or \fBbounce\fR(8) logfile. 201 /* .IP "\fBdeliver_lock_delay (1s)\fR" 202 /* The time between attempts to acquire an exclusive lock on a mailbox 203 /* file or \fBbounce\fR(8) logfile. 204 /* .IP "\fBstale_lock_time (500s)\fR" 205 /* The time after which a stale exclusive mailbox lockfile is removed. 206 /* RESOURCE AND RATE CONTROLS 207 /* .ad 208 /* .fi 209 /* .IP "\fBvirtual_destination_concurrency_limit ($default_destination_concurrency_limit)\fR" 210 /* The maximal number of parallel deliveries to the same destination 211 /* via the virtual message delivery transport. 212 /* .IP "\fBvirtual_destination_recipient_limit ($default_destination_recipient_limit)\fR" 213 /* The maximal number of recipients per message for the virtual 214 /* message delivery transport. 215 /* .IP "\fBvirtual_mailbox_limit (51200000)\fR" 216 /* The maximal size in bytes of an individual \fBvirtual\fR(8) mailbox or 217 /* maildir file, or zero (no limit). 218 /* MISCELLANEOUS CONTROLS 219 /* .ad 220 /* .fi 221 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 222 /* The default location of the Postfix main.cf and master.cf 223 /* configuration files. 224 /* .IP "\fBdaemon_timeout (18000s)\fR" 225 /* How much time a Postfix daemon process may take to handle a 226 /* request before it is terminated by a built-in watchdog timer. 227 /* .IP "\fBdelay_logging_resolution_limit (2)\fR" 228 /* The maximal number of digits after the decimal point when logging 229 /* sub-second delay values. 230 /* .IP "\fBipc_timeout (3600s)\fR" 231 /* The time limit for sending or receiving information over an internal 232 /* communication channel. 233 /* .IP "\fBmax_idle (100s)\fR" 234 /* The maximum amount of time that an idle Postfix daemon process waits 235 /* for an incoming connection before terminating voluntarily. 236 /* .IP "\fBmax_use (100)\fR" 237 /* The maximal number of incoming connections that a Postfix daemon 238 /* process will service before terminating voluntarily. 239 /* .IP "\fBprocess_id (read-only)\fR" 240 /* The process ID of a Postfix command or daemon process. 241 /* .IP "\fBprocess_name (read-only)\fR" 242 /* The process name of a Postfix command or daemon process. 243 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 244 /* The location of the Postfix top-level queue directory. 245 /* .IP "\fBsyslog_facility (mail)\fR" 246 /* The syslog facility of Postfix logging. 247 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 248 /* The mail system name that is prepended to the process name in syslog 249 /* records, so that "smtpd" becomes, for example, "postfix/smtpd". 250 /* .PP 251 /* Available in Postfix version 3.0 and later: 252 /* .IP "\fBvirtual_delivery_status_filter ($default_delivery_status_filter)\fR" 253 /* Optional filter for the \fBvirtual\fR(8) delivery agent to change the 254 /* delivery status code or explanatory text of successful or unsuccessful 255 /* deliveries. 256 /* SEE ALSO 257 /* qmgr(8), queue manager 258 /* bounce(8), delivery status reports 259 /* postconf(5), configuration parameters 260 /* syslogd(8), system logging 261 /* README_FILES 262 /* Use "\fBpostconf readme_directory\fR" or 263 /* "\fBpostconf html_directory\fR" to locate this information. 264 /* VIRTUAL_README, domain hosting howto 265 /* LICENSE 266 /* .ad 267 /* .fi 268 /* The Secure Mailer license must be distributed with this software. 269 /* HISTORY 270 /* .ad 271 /* .fi 272 /* This delivery agent was originally based on the Postfix local delivery 273 /* agent. Modifications mainly consisted of removing code that either 274 /* was not applicable or that was not safe in this context: aliases, 275 /* ~user/.forward files, delivery to "|command" or to /file/name. 276 /* 277 /* The \fBDelivered-To:\fR message header appears in the \fBqmail\fR 278 /* system by Daniel Bernstein. 279 /* 280 /* The \fBmaildir\fR structure appears in the \fBqmail\fR system 281 /* by Daniel Bernstein. 282 /* AUTHOR(S) 283 /* Wietse Venema 284 /* IBM T.J. Watson Research 285 /* P.O. Box 704 286 /* Yorktown Heights, NY 10598, USA 287 /* 288 /* Wietse Venema 289 /* Google, Inc. 290 /* 111 8th Avenue 291 /* New York, NY 10011, USA 292 /* 293 /* Andrew McNamara 294 /* andrewm@connect.com.au 295 /* connect.com.au Pty. Ltd. 296 /* Level 3, 213 Miller St 297 /* North Sydney 2060, NSW, Australia 298 /*--*/ 299 300 /* System library. */ 301 302 #include <sys_defs.h> 303 #include <stdlib.h> 304 #ifdef USE_PATHS_H 305 #include <paths.h> /* XXX mail_spool_dir dependency */ 306 #endif 307 308 /* Utility library. */ 309 310 #include <msg.h> 311 #include <vstring.h> 312 #include <vstream.h> 313 #include <iostuff.h> 314 #include <set_eugid.h> 315 #include <dict.h> 316 317 /* Global library. */ 318 319 #include <mail_queue.h> 320 #include <recipient_list.h> 321 #include <deliver_request.h> 322 #include <deliver_completed.h> 323 #include <mail_params.h> 324 #include <mail_version.h> 325 #include <mail_conf.h> 326 #include <mail_params.h> 327 #include <mail_addr_find.h> 328 #include <flush_clnt.h> 329 330 /* Single server skeleton. */ 331 332 #include <mail_server.h> 333 334 /* Application-specific. */ 335 336 #include "virtual.h" 337 338 /* 339 * Tunable parameters. 340 */ 341 char *var_virt_mailbox_maps; 342 char *var_virt_uid_maps; 343 char *var_virt_gid_maps; 344 int var_virt_minimum_uid; 345 char *var_virt_mailbox_base; 346 char *var_virt_mailbox_lock; 347 long var_virt_mailbox_limit; 348 char *var_mail_spool_dir; /* XXX dependency fix */ 349 bool var_strict_mbox_owner; 350 char *var_virt_dsn_filter; 351 352 /* 353 * Mappings. 354 */ 355 MAPS *virtual_mailbox_maps; 356 MAPS *virtual_uid_maps; 357 MAPS *virtual_gid_maps; 358 359 /* 360 * Bit masks. 361 */ 362 int virtual_mbox_lock_mask; 363 364 /* local_deliver - deliver message with extreme prejudice */ 365 366 static int local_deliver(DELIVER_REQUEST *rqst, char *service) 367 { 368 const char *myname = "local_deliver"; 369 RECIPIENT *rcpt_end = rqst->rcpt_list.info + rqst->rcpt_list.len; 370 RECIPIENT *rcpt; 371 int rcpt_stat; 372 int msg_stat; 373 LOCAL_STATE state; 374 USER_ATTR usr_attr; 375 376 if (msg_verbose) 377 msg_info("local_deliver: %s from %s", rqst->queue_id, rqst->sender); 378 379 /* 380 * Initialize the delivery attributes that are not recipient specific. 381 */ 382 state.level = 0; 383 deliver_attr_init(&state.msg_attr); 384 state.msg_attr.queue_name = rqst->queue_name; 385 state.msg_attr.queue_id = rqst->queue_id; 386 state.msg_attr.fp = rqst->fp; 387 state.msg_attr.offset = rqst->data_offset; 388 state.msg_attr.sender = rqst->sender; 389 state.msg_attr.dsn_envid = rqst->dsn_envid; 390 state.msg_attr.dsn_ret = rqst->dsn_ret; 391 state.msg_attr.relay = service; 392 state.msg_attr.msg_stats = rqst->msg_stats; 393 RESET_USER_ATTR(usr_attr, state.level); 394 state.request = rqst; 395 396 /* 397 * Iterate over each recipient named in the delivery request. When the 398 * mail delivery status for a given recipient is definite (i.e. bounced 399 * or delivered), update the message queue file and cross off the 400 * recipient. Update the per-message delivery status. 401 */ 402 for (msg_stat = 0, rcpt = rqst->rcpt_list.info; rcpt < rcpt_end; rcpt++) { 403 state.msg_attr.rcpt = *rcpt; 404 rcpt_stat = deliver_recipient(state, usr_attr); 405 if (rcpt_stat == 0 && (rqst->flags & DEL_REQ_FLAG_SUCCESS)) 406 deliver_completed(state.msg_attr.fp, rcpt->offset); 407 msg_stat |= rcpt_stat; 408 } 409 410 deliver_attr_free(&state.msg_attr); 411 return (msg_stat); 412 } 413 414 /* local_service - perform service for client */ 415 416 static void local_service(VSTREAM *stream, char *service, char **argv) 417 { 418 DELIVER_REQUEST *request; 419 int status; 420 421 /* 422 * Sanity check. This service takes no command-line arguments. 423 */ 424 if (argv[0]) 425 msg_fatal("unexpected command-line argument: %s", argv[0]); 426 427 /* 428 * This routine runs whenever a client connects to the UNIX-domain socket 429 * that is dedicated to local mail delivery service. What we see below is 430 * a little protocol to (1) tell the client that we are ready, (2) read a 431 * delivery request from the client, and (3) report the completion status 432 * of that request. 433 */ 434 if ((request = deliver_request_read(stream)) != 0) { 435 status = local_deliver(request, service); 436 deliver_request_done(stream, request, status); 437 } 438 } 439 440 /* pre_accept - see if tables have changed */ 441 442 static void pre_accept(char *unused_name, char **unused_argv) 443 { 444 const char *table; 445 446 if ((table = dict_changed_name()) != 0) { 447 msg_info("table %s has changed -- restarting", table); 448 exit(0); 449 } 450 } 451 452 /* post_init - post-jail initialization */ 453 454 static void post_init(char *unused_name, char **unused_argv) 455 { 456 457 /* 458 * Drop privileges most of the time. 459 */ 460 set_eugid(var_owner_uid, var_owner_gid); 461 462 /* 463 * No case folding needed: the recipient address is case folded. 464 */ 465 virtual_mailbox_maps = 466 maps_create(VAR_VIRT_MAILBOX_MAPS, var_virt_mailbox_maps, 467 DICT_FLAG_LOCK | DICT_FLAG_PARANOID 468 | DICT_FLAG_UTF8_REQUEST); 469 470 virtual_uid_maps = 471 maps_create(VAR_VIRT_UID_MAPS, var_virt_uid_maps, 472 DICT_FLAG_LOCK | DICT_FLAG_PARANOID 473 | DICT_FLAG_UTF8_REQUEST); 474 475 virtual_gid_maps = 476 maps_create(VAR_VIRT_GID_MAPS, var_virt_gid_maps, 477 DICT_FLAG_LOCK | DICT_FLAG_PARANOID 478 | DICT_FLAG_UTF8_REQUEST); 479 480 virtual_mbox_lock_mask = mbox_lock_mask(var_virt_mailbox_lock); 481 } 482 483 /* pre_init - pre-jail initialization */ 484 485 static void pre_init(char *unused_name, char **unused_argv) 486 { 487 488 /* 489 * Reset the file size limit from the message size limit to the mailbox 490 * size limit. 491 * 492 * We can't have mailbox size limit smaller than the message size limit, 493 * because that prohibits the delivery agent from updating the queue 494 * file. 495 */ 496 if (var_virt_mailbox_limit) { 497 if (var_virt_mailbox_limit < var_message_limit || var_message_limit == 0) 498 msg_fatal("main.cf configuration error: %s is smaller than %s", 499 VAR_VIRT_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT); 500 set_file_limit(var_virt_mailbox_limit); 501 } 502 503 /* 504 * flush client. 505 */ 506 flush_init(); 507 } 508 509 MAIL_VERSION_STAMP_DECLARE; 510 511 /* main - pass control to the single-threaded skeleton */ 512 513 int main(int argc, char **argv) 514 { 515 static const CONFIG_INT_TABLE int_table[] = { 516 VAR_VIRT_MINUID, DEF_VIRT_MINUID, &var_virt_minimum_uid, 1, 0, 517 0, 518 }; 519 static const CONFIG_LONG_TABLE long_table[] = { 520 VAR_VIRT_MAILBOX_LIMIT, DEF_VIRT_MAILBOX_LIMIT, &var_virt_mailbox_limit, 0, 0, 521 0, 522 }; 523 static const CONFIG_STR_TABLE str_table[] = { 524 VAR_MAIL_SPOOL_DIR, DEF_MAIL_SPOOL_DIR, &var_mail_spool_dir, 0, 0, 525 VAR_VIRT_MAILBOX_MAPS, DEF_VIRT_MAILBOX_MAPS, &var_virt_mailbox_maps, 0, 0, 526 VAR_VIRT_UID_MAPS, DEF_VIRT_UID_MAPS, &var_virt_uid_maps, 0, 0, 527 VAR_VIRT_GID_MAPS, DEF_VIRT_GID_MAPS, &var_virt_gid_maps, 0, 0, 528 VAR_VIRT_MAILBOX_BASE, DEF_VIRT_MAILBOX_BASE, &var_virt_mailbox_base, 1, 0, 529 VAR_VIRT_MAILBOX_LOCK, DEF_VIRT_MAILBOX_LOCK, &var_virt_mailbox_lock, 1, 0, 530 VAR_VIRT_DSN_FILTER, DEF_VIRT_DSN_FILTER, &var_virt_dsn_filter, 0, 0, 531 0, 532 }; 533 static const CONFIG_BOOL_TABLE bool_table[] = { 534 VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner, 535 0, 536 }; 537 538 /* 539 * Fingerprint executables and core dumps. 540 */ 541 MAIL_VERSION_STAMP_ALLOCATE; 542 543 single_server_main(argc, argv, local_service, 544 CA_MAIL_SERVER_INT_TABLE(int_table), 545 CA_MAIL_SERVER_LONG_TABLE(long_table), 546 CA_MAIL_SERVER_STR_TABLE(str_table), 547 CA_MAIL_SERVER_BOOL_TABLE(bool_table), 548 CA_MAIL_SERVER_PRE_INIT(pre_init), 549 CA_MAIL_SERVER_POST_INIT(post_init), 550 CA_MAIL_SERVER_PRE_ACCEPT(pre_accept), 551 CA_MAIL_SERVER_PRIVILEGED, 552 CA_MAIL_SERVER_BOUNCE_INIT(VAR_VIRT_DSN_FILTER, 553 &var_virt_dsn_filter), 554 0); 555 } 556