| blob | 3669b14b6702eae304f8afbcf066a2b9b3c729cb |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* mail_stream 3
6 /* SUMMARY
7 /* mail stream management
8 /* SYNOPSIS
9 /* #include <mail_stream.h>
10 /*
11 /* typedef struct {
12 /* .in +4
13 /* VSTREAM *stream; /* read/write stream */
14 /* char *id; /* queue ID */
15 /* struct timeval ctime; /* create time */
16 /* private members...
17 /* .in -4
18 /* } MAIL_STREAM;
19 /*
20 /* MAIL_STREAM *mail_stream_file(queue, class, service, mode)
21 /* const char *queue;
22 /* const char *class;
23 /* const char *service;
24 /* int mode;
25 /*
26 /* MAIL_STREAM *mail_stream_service(class, service)
27 /* const char *class;
28 /* const char *service;
29 /*
30 /* MAIL_STREAM *mail_stream_command(command)
31 /* const char *command;
32 /*
33 /* void mail_stream_cleanup(info)
34 /* MAIL_STREAM *info;
35 /*
36 /* int mail_stream_finish(info, why)
37 /* MAIL_STREAM *info;
38 /* VSTRING *why;
39 /*
40 /* void mail_stream_ctl(info, op, ...)
41 /* MAIL_STREAM *info;
42 /* int op;
43 /* DESCRIPTION
44 /* This module provides a generic interface to Postfix queue file
45 /* format messages to file, to Postfix server, or to external command.
46 /* The routines that open a stream return a handle with an initialized
47 /* stream and queue id member. The handle is either given to a cleanup
48 /* routine, to dispose of a failed request, or to a finish routine, to
49 /* complete the request.
50 /*
51 /* mail_stream_file() opens a mail stream to a newly-created file and
52 /* arranges for trigger delivery at finish time. This call never fails.
53 /* But it may take forever. The mode argument specifies additional
54 /* file permissions that will be OR-ed in when the file is finished.
55 /* While embryonic files have mode 0600, finished files have mode 0700.
56 /*
57 /* mail_stream_command() opens a mail stream to external command,
58 /* and receives queue ID information from the command. The result
59 /* is a null pointer when the initial handshake fails. The command
60 /* is given to the shell only when necessary. At finish time, the
61 /* command is expected to send a completion status.
62 /*
63 /* mail_stream_service() opens a mail stream to Postfix service,
64 /* and receives queue ID information from the command. The result
65 /* is a null pointer when the initial handshake fails. At finish
66 /* time, the daemon is expected to send a completion status.
67 /*
68 /* mail_stream_cleanup() cancels the operation that was started with
69 /* any of the mail_stream_xxx() routines, and destroys the argument.
70 /* It is up to the caller to remove incomplete file objects.
71 /*
72 /* mail_stream_finish() completes the operation that was started with
73 /* any of the mail_stream_xxx() routines, and destroys the argument.
74 /* The result is any of the status codes defined in <cleanup_user.h>.
75 /* It is up to the caller to remove incomplete file objects.
76 /* The why argument can be a null pointer.
77 /*
78 /* mail_stream_ctl() selectively overrides information that
79 /* was specified with mail_stream_file(); none of the attributes
80 /* are applicable for other mail stream types. The arguments
81 /* are a list of (operation, value) pairs, terminated with
82 /* MAIL_STREAM_CTL_END. The following lists the operation
83 /* codes and the types of the corresponding value arguments.
84 /* .IP "MAIL_STREAM_CTL_QUEUE (char *)"
85 /* The argument specifies an alternate destination queue. The
86 /* queue file is moved to the specified queue before the call
87 /* returns. Failure to rename the queue file results in a fatal
88 /* error.
89 /* .IP "MAIL_STREAM_CTL_CLASS (char *)"
90 /* The argument specifies an alternate trigger class.
91 /* .IP "MAIL_STREAM_CTL_SERVICE (char *)"
92 /* The argument specifies an alternate trigger service.
93 /* .IP "MAIL_STREAM_CTL_MODE (int)"
94 /* The argument specifies alternate permissions that override
95 /* the permissions specified with mail_stream_file().
96 /* .IP "MAIL_STREAM_CTL_DELAY (int)"
97 /* Attempt to postpone initial delivery by advancing the queue
98 /* file modification time stamp by this amount. This has
99 /* effect only within the deferred mail queue.
100 /* This feature may have no effect with remote file systems.
101 /* LICENSE
102 /* .ad
103 /* .fi
104 /* The Secure Mailer license must be distributed with this software.
105 /* AUTHOR(S)
106 /* Wietse Venema
107 /* IBM T.J. Watson Research
108 /* P.O. Box 704
109 /* Yorktown Heights, NY 10598, USA
110 /*--*/
112 /* System library. */
114 #include <sys_defs.h>
115 #include <sys/stat.h>
116 #include <unistd.h>
117 #include <errno.h>
118 #include <utime.h>
119 #include <string.h>
120 #include <stdarg.h>
122 /* Utility library. */
124 #include <msg.h>
125 #include <mymalloc.h>
126 #include <vstring.h>
127 #include <vstream.h>
128 #include <stringops.h>
129 #include <argv.h>
130 #include <sane_fsops.h>
132 /* Global library. */
134 #include <cleanup_user.h>
135 #include <mail_proto.h>
136 #include <mail_queue.h>
137 #include <opened.h>
138 #include <mail_params.h>
139 #include <mail_stream.h>
141 /* Application-specific. */
145 #define FREE_AND_WIPE(free, arg) do { if (arg) free(arg); arg = 0; } while (0)
147 #define STR(x) vstring_str(x)
149 /* mail_stream_cleanup - clean up after success or failure */
152 {
159 }
161 #if defined(HAS_FUTIMES_AT)
162 #define CAN_STAMP_BY_STREAM
164 /* stamp_stream - update open file [am]time stamp */
167 {
176 }
177 }
179 #elif defined(HAS_FUTIMES)
180 #define CAN_STAMP_BY_STREAM
182 /* stamp_stream - update open file [am]time stamp */
185 {
194 }
195 }
197 #endif
199 /* stamp_path - update file [am]time stamp by pathname */
202 {
210 }
211 }
213 /* mail_stream_finish_file - finish file mail stream */
216 {
228 /*
229 * Make sure the message makes it to file. Set the execute bit when no
230 * write error was detected. Some people believe that this code has a
231 * problem if the system crashes before fsync() returns; fchmod() could
232 * take effect before all the data blocks are written. Wietse claims that
233 * this is not a problem. Postfix rejects incomplete queue files, even
234 * when the +x attribute is set. Every Postfix queue file record has a
235 * type code and a length field. Files with missing records are rejected,
236 * as are files with unknown record type codes. Every Postfix queue file
237 * must end with an explicit END record. Postfix queue files without END
238 * record are discarded.
239 *
240 * Attempt to detect file system clocks that are ahead of local time, but
241 * don't check the file system clock all the time. The effect of file
242 * system clock drift can be difficult to understand (Postfix ignores new
243 * mail until the local clock catches up with the file mtime stamp).
244 *
245 * This clock drift detection code may not work with file systems that work
246 * on a local copy of the file and that update the server only after the
247 * file is closed.
248 *
249 * Optionally set a cooldown time.
250 *
251 * XXX: We assume that utime() does control the file modification time even
252 * when followed by an fchmod(), fsync(), close() sequence. This may fail
253 * with remote file systems when fsync() actually updates the file. Even
254 * then, we still delay the average message by 1/2 of the
255 * queue_run_delay.
256 *
257 * XXX: Victor does not like running utime() after the close(), since this
258 * creates a race even with local filesystems. But Wietse is not
259 * confident that utime() before fsync() and close() will work reliably
260 * with remote file systems.
261 *
262 * XXX Don't run the clock skew tests with Postfix sendmail submissions.
263 * Don't whine against unsuspecting users or applications.
264 */
265 check_incoming_fs_clock =
268 #ifdef DELAY_ACTION
273 else
274 #endif
277 /*
278 * If we can cheaply set the file time stamp (no pathname lookup) do it
279 * anyway, so that we can avoid whining later about file server/client
280 * clock skew.
281 *
282 * Otherwise, if we must set the file time stamp for delayed delivery, use
283 * whatever means we have to get the job done, no matter if it is
284 * expensive.
285 *
286 * XXX Unfortunately, Linux futimes() is not usable because it uses /proc.
287 * This may not be available because of chroot, or because of access
288 * restrictions after a process changes privileges.
289 */
291 #ifdef CAN_STAMP_BY_STREAM
293 #else
295 #endif
297 #ifdef HAS_FSYNC
299 #endif
300 || (check_incoming_fs_clock
302 )
304 #ifdef TEST
306 #endif
308 /*
309 * Work around file system clock skew. If the file system clock is ahead
310 * of the local clock, Postfix won't deliver mail immediately, which is
311 * bad for performance. If the file system clock falls behind the local
312 * clock, it just looks silly in mail headers.
313 */
315 /* Do NOT use time() result from before fsync(). */
324 }
330 }
331 }
333 /*
334 * Close the queue file and mark it as closed. Be prepared for
335 * vstream_fclose() to fail even after vstream_fflush() and fsync()
336 * reported no error. Reason: after a file is closed, some networked file
337 * systems copy the file out to another machine. Running the queue on a
338 * remote file system is not recommended, if only for performance
339 * reasons.
340 */
346 /*
347 * Work around file system clocks that are ahead of local time.
348 */
353 }
355 }
357 /*
358 * When all is well, notify the next service that a new message has been
359 * queued.
360 */
364 /*
365 * Cleanup.
366 */
369 }
371 /* mail_stream_finish_ipc - finish IPC mail stream */
374 {
377 /*
378 * Receive the peer's completion status.
379 */
389 /*
390 * Cleanup.
391 */
394 }
396 /* mail_stream_finish - finish action */
399 {
401 }
403 /* mail_stream_file - destination is file */
407 {
425 #ifdef DELAY_ACTION
427 #endif
430 }
432 /* mail_stream_service - destination is service */
435 {
457 }
458 }
460 /* mail_stream_command - destination is command */
463 {
472 /*
473 * Treat fork() failure as a transient problem. Treat bad handshake as a
474 * permanent error.
475 *
476 * XXX Are we invoking a Postfix process or a non-Postfix process? In the
477 * former case we can share the full environment; in the latter case only
478 * a restricted environment should be propagated. Even though we are
479 * talking a Postfix-internal protocol there is no way we can tell what
480 * is being executed except by duplicating a lot of existing code.
481 */
489 }
493 VSTREAM_CTL_END);
510 }
511 }
513 /* mail_stream_ctl - update file-based mail stream properties */
516 {
522 /*
523 * Sanity check. None of the attributes below are applicable unless the
524 * target is a file-based stream.
525 */
534 /*
535 * Change the queue directory. We do this at the end of this
536 * call.
537 */
541 myname);
544 /*
545 * Change the service that needs to be notified.
546 */
559 /*
560 * Change the (finished) file access mode.
561 */
566 /*
567 * Advance the (finished) file modification time.
568 */
569 #ifdef DELAY_ACTION
574 #endif
578 }
579 }
582 /*
583 * Rename the queue file after allocating memory for new information, so
584 * that the caller can still remove an embryonic file when memory
585 * allocation fails (there is no risk of deleting the wrong file).
586 *
587 * Wietse opposed the idea to update run-time error handler information
588 * here, because this module wasn't designed to defend against internal
589 * concurrency issues with error handlers that attempt to follow dangling
590 * pointers.
591 *
592 * This code duplicates mail_queue_rename(), except that we need the new
593 * path to update the stream pathname.
594 */
603 VSTREAM_CTL_END);
613 }
618 }
619 }