search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Sync usage with man page.
[netbsd-mini2440.git] / external / ibm-public / postfix / dist / src / postqueue / postqueue.c
blob3b14a2d088bf5634e21b52577e11f04c1fd46c9f
1 /* $NetBSD$ */
2
3 /*++
4 /* NAME
5 /* postqueue 1
6 /* SUMMARY
7 /* Postfix queue control
8 /* SYNOPSIS
9 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-f\fR
10 /* .br
11 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-i \fIqueue_id\fR
12 /* .br
13 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-p\fR
14 /* .br
15 /* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-s \fIsite\fR
16 /* DESCRIPTION
17 /* The \fBpostqueue\fR(1) command implements the Postfix user interface
18 /* for queue management. It implements operations that are
19 /* traditionally available via the \fBsendmail\fR(1) command.
20 /* See the \fBpostsuper\fR(1) command for queue operations
21 /* that require super-user privileges such as deleting a message
22 /* from the queue or changing the status of a message.
23 /*
24 /* The following options are recognized:
25 /* .IP "\fB-c \fIconfig_dir\fR"
26 /* The \fBmain.cf\fR configuration file is in the named directory
27 /* instead of the default configuration directory. See also the
28 /* MAIL_CONFIG environment setting below.
29 /* .IP \fB-f\fR
30 /* Flush the queue: attempt to deliver all queued mail.
31 /*
32 /* This option implements the traditional "\fBsendmail -q\fR" command,
33 /* by contacting the Postfix \fBqmgr\fR(8) daemon.
34 /*
35 /* Warning: flushing undeliverable mail frequently will result in
36 /* poor delivery performance of all other mail.
37 /* .IP "\fB-i \fIqueue_id\fR"
38 /* Schedule immediate delivery of deferred mail with the
39 /* specified queue ID.
40 /*
41 /* This option implements the traditional \fBsendmail -qI\fR
42 /* command, by contacting the \fBflush\fR(8) server.
43 /*
44 /* This feature is available with Postfix version 2.4 and later.
45 /* .IP \fB-p\fR
46 /* Produce a traditional sendmail-style queue listing.
47 /* This option implements the traditional \fBmailq\fR command,
48 /* by contacting the Postfix \fBshowq\fR(8) daemon.
49 /*
50 /* Each queue entry shows the queue file ID, message
51 /* size, arrival time, sender, and the recipients that still need to
52 /* be delivered. If mail could not be delivered upon the last attempt,
53 /* the reason for failure is shown. This mode of operation is implemented
54 /* by executing the \fBpostqueue\fR(1) command. The queue ID string
55 /* is followed by an optional status character:
56 /* .RS
57 /* .IP \fB*\fR
58 /* The message is in the \fBactive\fR queue, i.e. the message is
59 /* selected for delivery.
60 /* .IP \fB!\fR
61 /* The message is in the \fBhold\fR queue, i.e. no further delivery
62 /* attempt will be made until the mail is taken off hold.
63 /* .RE
64 /* .IP "\fB-s \fIsite\fR"
65 /* Schedule immediate delivery of all mail that is queued for the named
66 /* \fIsite\fR. A numerical site must be specified as a valid RFC 2821
67 /* address literal enclosed in [], just like in email addresses.
68 /* The site must be eligible for the "fast flush" service.
69 /* See \fBflush\fR(8) for more information about the "fast flush"
70 /* service.
71 /*
72 /* This option implements the traditional "\fBsendmail -qR\fIsite\fR"
73 /* command, by contacting the Postfix \fBflush\fR(8) daemon.
74 /* .IP \fB-v\fR
75 /* Enable verbose logging for debugging purposes. Multiple \fB-v\fR
76 /* options make the software increasingly verbose. As of Postfix 2.3,
77 /* this option is available for the super-user only.
78 /* SECURITY
79 /* .ad
80 /* .fi
81 /* This program is designed to run with set-group ID privileges, so
82 /* that it can connect to Postfix daemon processes.
83 /* DIAGNOSTICS
84 /* Problems are logged to \fBsyslogd\fR(8) and to the standard error
85 /* stream.
86 /* ENVIRONMENT
87 /* .ad
88 /* .fi
89 /* .IP MAIL_CONFIG
90 /* Directory with the \fBmain.cf\fR file. In order to avoid exploitation
91 /* of set-group ID privileges, a non-standard directory is allowed only
92 /* if:
93 /* .RS
94 /* .IP \(bu
95 /* The name is listed in the standard \fBmain.cf\fR file with the
96 /* \fBalternate_config_directories\fR configuration parameter.
97 /* .IP \(bu
98 /* The command is invoked by the super-user.
99 /* .RE
100 /* CONFIGURATION PARAMETERS
101 /* .ad
102 /* .fi
103 /* The following \fBmain.cf\fR parameters are especially relevant to
104 /* this program.
105 /* The text below provides only a parameter summary. See
106 /* \fBpostconf\fR(5) for more details including examples.
107 /* .IP "\fBalternate_config_directories (empty)\fR"
108 /* A list of non-default Postfix configuration directories that may
109 /* be specified with "-c config_directory" on the command line, or
110 /* via the MAIL_CONFIG environment parameter.
111 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
112 /* The default location of the Postfix main.cf and master.cf
113 /* configuration files.
114 /* .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
115 /* The location of all postfix administrative commands.
116 /* .IP "\fBfast_flush_domains ($relay_domains)\fR"
117 /* Optional list of destinations that are eligible for per-destination
118 /* logfiles with mail that is queued to those destinations.
119 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
120 /* The list of environment parameters that a Postfix process will
121 /* import from a non-Postfix parent process.
122 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
123 /* The location of the Postfix top-level queue directory.
124 /* .IP "\fBsyslog_facility (mail)\fR"
125 /* The syslog facility of Postfix logging.
126 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
127 /* The mail system name that is prepended to the process name in syslog
128 /* records, so that "smtpd" becomes, for example, "postfix/smtpd".
129 /* .IP "\fBtrigger_timeout (10s)\fR"
130 /* The time limit for sending a trigger to a Postfix daemon (for
131 /* example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon).
132 /* .PP
133 /* Available in Postfix version 2.2 and later:
134 /* .IP "\fBauthorized_flush_users (static:anyone)\fR"
135 /* List of users who are authorized to flush the queue.
136 /* .IP "\fBauthorized_mailq_users (static:anyone)\fR"
137 /* List of users who are authorized to view the queue.
138 /* FILES
139 /* /var/spool/postfix, mail queue
140 /* SEE ALSO
141 /* qmgr(8), queue manager
142 /* showq(8), list mail queue
143 /* flush(8), fast flush service
144 /* sendmail(1), Sendmail-compatible user interface
145 /* postsuper(1), privileged queue operations
146 /* README FILES
147 /* .ad
148 /* .fi
149 /* Use "\fBpostconf readme_directory\fR" or
150 /* "\fBpostconf html_directory\fR" to locate this information.
151 /* .na
152 /* .nf
153 /* ETRN_README, Postfix ETRN howto
154 /* LICENSE
155 /* .ad
156 /* .fi
157 /* The Secure Mailer license must be distributed with this software.
158 /* HISTORY
159 /* .ad
160 /* .fi
161 /* The postqueue command was introduced with Postfix version 1.1.
162 /* AUTHOR(S)
163 /* Wietse Venema
164 /* IBM T.J. Watson Research
165 /* P.O. Box 704
166 /* Yorktown Heights, NY 10598, USA
167 /*--*/
168
169 /* System library. */
170
171 #include <sys_defs.h>
172 #include <sys/stat.h>
173 #include <unistd.h>
174 #include <string.h>
175 #include <stdlib.h>
176 #include <signal.h>
177 #include <sysexits.h>
178 #include <errno.h>
179
180 /* Utility library. */
181
182 #include <msg.h>
183 #include <mymalloc.h>
184 #include <clean_env.h>
185 #include <vstream.h>
186 #include <msg_vstream.h>
187 #include <msg_syslog.h>
188 #include <argv.h>
189 #include <safe.h>
190 #include <connect.h>
191 #include <valid_hostname.h>
192
193 /* Global library. */
194
195 #include <mail_proto.h>
196 #include <mail_params.h>
197 #include <mail_version.h>
198 #include <mail_conf.h>
199 #include <mail_task.h>
200 #include <mail_run.h>
201 #include <mail_flush.h>
202 #include <mail_queue.h>
203 #include <flush_clnt.h>
204 #include <smtp_stream.h>
205 #include <user_acl.h>
206 #include <valid_mailhost_addr.h>
207 #include <mail_dict.h>
208
209 /* Application-specific. */
210
211 /*
212 * WARNING WARNING WARNING
213 *
214 * This software is designed to run set-gid. In order to avoid exploitation of
215 * privilege, this software should not run any external commands, nor should
216 * it take any information from the user, unless that information can be
217 * properly sanitized. To get an idea of how much information a process can
218 * inherit from a potentially hostile user, examine all the members of the
219 * process structure (typically, in /usr/include/sys/proc.h): the current
220 * directory, open files, timers, signals, environment, command line, umask,
221 * and so on.
222 */
223
224 /*
225 * Modes of operation.
226 *
227 * XXX To support flush by recipient domain, or for destinations that have no
228 * mapping to logfile, the server has to defend against resource exhaustion
229 * attacks. A malicious user could fork off a postqueue client that starts
230 * an expensive requests and then kills the client immediately; this way she
231 * could create a high Postfix load on the system without ever exceeding her
232 * own per-user process limit. To prevent this, either the server needs to
233 * establish frequent proof of client liveliness with challenge/response, or
234 * the client needs to restrict expensive requests to privileged users only.
235 *
236 * We don't have this problem with queue listings. The showq server detects an
237 * EPIPE error after reporting a few queue entries.
238 */
239 #define PQ_MODE_DEFAULT 0 /* noop */
240 #define PQ_MODE_MAILQ_LIST 1 /* list mail queue */
241 #define PQ_MODE_FLUSH_QUEUE 2 /* flush queue */
242 #define PQ_MODE_FLUSH_SITE 3 /* flush site */
243 #define PQ_MODE_FLUSH_FILE 4 /* flush message */
244
245 /*
246 * Silly little macros (SLMs).
247 */
248 #define STR vstring_str
249
250 /*
251 * Queue manipulation access lists.
252 */
253 char *var_flush_acl;
254 char *var_showq_acl;
255
256 static const CONFIG_STR_TABLE str_table[] = {
257 VAR_FLUSH_ACL, DEF_FLUSH_ACL, &var_flush_acl, 0, 0,
258 VAR_SHOWQ_ACL, DEF_SHOWQ_ACL, &var_showq_acl, 0, 0,
259 0,
260 };
261
262 /* show_queue - show queue status */
263
264 static void show_queue(void)
265 {
266 const char *errstr;
267 char buf[VSTREAM_BUFSIZE];
268 VSTREAM *showq;
269 int n;
270 uid_t uid = getuid();
271
272 if (uid != 0 && uid != var_owner_uid
273 && (errstr = check_user_acl_byuid(var_showq_acl, uid)) != 0)
274 msg_fatal_status(EX_NOPERM,
275 "User %s(%ld) is not allowed to view the mail queue",
276 errstr, (long) uid);
277
278 /*
279 * Connect to the show queue service. Terminate silently when piping into
280 * a program that terminates early.
281 */
282 if ((showq = mail_connect(MAIL_CLASS_PUBLIC, var_showq_service, BLOCKING)) != 0) {
283 while ((n = vstream_fread(showq, buf, sizeof(buf))) > 0) {
284 if (vstream_fwrite(VSTREAM_OUT, buf, n) != n
285 || vstream_fflush(VSTREAM_OUT) != 0) {
286 if (errno == EPIPE)
287 break;
288 msg_fatal("write error: %m");
289 }
290 }
291 if (vstream_fclose(showq) && errno != EPIPE)
292 msg_warn("close: %m");
293 }
294
295 /*
296 * Don't assume that the mail system is down when the user has
297 * insufficient permission to access the showq socket.
298 */
299 else if (errno == EACCES) {
300 msg_fatal_status(EX_SOFTWARE,
301 "Connect to the %s %s service: %m",
302 var_mail_name, var_showq_service);
303 }
304
305 /*
306 * When the mail system is down, the superuser can still access the queue
307 * directly. Just run the showq program in stand-alone mode.
308 */
309 else if (geteuid() == 0) {
310 ARGV *argv;
311 int stat;
312
313 msg_warn("Mail system is down -- accessing queue directly");
314 argv = argv_alloc(6);
315 argv_add(argv, var_showq_service, "-u", "-S", (char *) 0);
316 for (n = 0; n < msg_verbose; n++)
317 argv_add(argv, "-v", (char *) 0);
318 argv_terminate(argv);
319 stat = mail_run_foreground(var_daemon_dir, argv->argv);
320 argv_free(argv);
321 }
322
323 /*
324 * When the mail system is down, unprivileged users are stuck, because by
325 * design the mail system contains no set_uid programs. The only way for
326 * an unprivileged user to cross protection boundaries is to talk to the
327 * showq daemon.
328 */
329 else {
330 msg_fatal_status(EX_UNAVAILABLE,
331 "Queue report unavailable - mail system is down");
332 }
333 }
334
335 /* flush_queue - force delivery */
336
337 static void flush_queue(void)
338 {
339 const char *errstr;
340 uid_t uid = getuid();
341
342 if (uid != 0 && uid != var_owner_uid
343 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0)
344 msg_fatal_status(EX_NOPERM,
345 "User %s(%ld) is not allowed to flush the mail queue",
346 errstr, (long) uid);
347
348 /*
349 * Trigger the flush queue service.
350 */
351 if (mail_flush_deferred() < 0)
352 msg_fatal_status(EX_UNAVAILABLE,
353 "Cannot flush mail queue - mail system is down");
354 if (mail_flush_maildrop() < 0)
355 msg_fatal_status(EX_UNAVAILABLE,
356 "Cannot flush mail queue - mail system is down");
357 }
358
359 /* flush_site - flush mail for site */
360
361 static void flush_site(const char *site)
362 {
363 int status;
364 const char *errstr;
365 uid_t uid = getuid();
366
367 if (uid != 0 && uid != var_owner_uid
368 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0)
369 msg_fatal_status(EX_NOPERM,
370 "User %s(%ld) is not allowed to flush the mail queue",
371 errstr, (long) uid);
372
373 flush_init();
374
375 switch (status = flush_send_site(site)) {
376 case FLUSH_STAT_OK:
377 exit(0);
378 case FLUSH_STAT_BAD:
379 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", site);
380 case FLUSH_STAT_FAIL:
381 msg_fatal_status(EX_UNAVAILABLE,
382 "Cannot flush mail queue - mail system is down");
383 case FLUSH_STAT_DENY:
384 msg_fatal_status(EX_UNAVAILABLE,
385 "Flush service is not configured for destination \"%s\"",
386 site);
387 default:
388 msg_fatal_status(EX_SOFTWARE,
389 "Unknown flush server reply status %d", status);
390 }
391 }
392
393 /* flush_file - flush mail with specific queue ID */
394
395 static void flush_file(const char *queue_id)
396 {
397 int status;
398 const char *errstr;
399 uid_t uid = getuid();
400
401 if (uid != 0 && uid != var_owner_uid
402 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0)
403 msg_fatal_status(EX_NOPERM,
404 "User %s(%ld) is not allowed to flush the mail queue",
405 errstr, (long) uid);
406
407 switch (status = flush_send_file(queue_id)) {
408 case FLUSH_STAT_OK:
409 exit(0);
410 case FLUSH_STAT_BAD:
411 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", queue_id);
412 case FLUSH_STAT_FAIL:
413 msg_fatal_status(EX_UNAVAILABLE,
414 "Cannot flush mail queue - mail system is down");
415 default:
416 msg_fatal_status(EX_SOFTWARE,
417 "Unexpected flush server reply status %d", status);
418 }
419 }
420
421 /* unavailable - sanitize exit status from library run-time errors */
422
423 static void unavailable(void)
424 {
425 exit(EX_UNAVAILABLE);
426 }
427
428 /* usage - scream and die */
429
430 static NORETURN usage(void)
431 {
432 msg_fatal_status(EX_USAGE, "usage: postqueue -f | postqueue -i queueid | postqueue -p | postqueue -s site");
433 }
434
435 MAIL_VERSION_STAMP_DECLARE;
436
437 /* main - the main program */
438
439 int main(int argc, char **argv)
440 {
441 struct stat st;
442 char *slash;
443 int c;
444 int fd;
445 int mode = PQ_MODE_DEFAULT;
446 char *site_to_flush = 0;
447 char *id_to_flush = 0;
448 ARGV *import_env;
449 int bad_site;
450
451 /*
452 * Fingerprint executables and core dumps.
453 */
454 MAIL_VERSION_STAMP_ALLOCATE;
455
456 /*
457 * Be consistent with file permissions.
458 */
459 umask(022);
460
461 /*
462 * To minimize confusion, make sure that the standard file descriptors
463 * are open before opening anything else. XXX Work around for 44BSD where
464 * fstat can return EBADF on an open file descriptor.
465 */
466 for (fd = 0; fd < 3; fd++)
467 if (fstat(fd, &st) == -1
468 && (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
469 msg_fatal_status(EX_UNAVAILABLE, "open /dev/null: %m");
470
471 /*
472 * Initialize. Set up logging, read the global configuration file and
473 * extract configuration information. Set up signal handlers so that we
474 * can clean up incomplete output.
475 */
476 if ((slash = strrchr(argv[0], '/')) != 0 && slash[1])
477 argv[0] = slash + 1;
478 msg_vstream_init(argv[0], VSTREAM_ERR);
479 msg_cleanup(unavailable);
480 msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY);
481 set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
482
483 /*
484 * Parse JCL. This program is set-gid and must sanitize all command-line
485 * parameters. The configuration directory argument is validated by the
486 * mail configuration read routine. Don't do complex things until we have
487 * completed initializations.
488 */
489 while ((c = GETOPT(argc, argv, "c:fi:ps:v")) > 0) {
490 switch (c) {
491 case 'c': /* non-default configuration */
492 if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
493 msg_fatal_status(EX_UNAVAILABLE, "out of memory");
494 break;
495 case 'f': /* flush queue */
496 if (mode != PQ_MODE_DEFAULT)
497 usage();
498 mode = PQ_MODE_FLUSH_QUEUE;
499 break;
500 case 'i': /* flush queue file */
501 if (mode != PQ_MODE_DEFAULT)
502 usage();
503 mode = PQ_MODE_FLUSH_FILE;
504 id_to_flush = optarg;
505 break;
506 case 'p': /* traditional mailq */
507 if (mode != PQ_MODE_DEFAULT)
508 usage();
509 mode = PQ_MODE_MAILQ_LIST;
510 break;
511 case 's': /* flush site */
512 if (mode != PQ_MODE_DEFAULT)
513 usage();
514 mode = PQ_MODE_FLUSH_SITE;
515 site_to_flush = optarg;
516 break;
517 case 'v':
518 if (geteuid() == 0)
519 msg_verbose++;
520 break;
521 default:
522 usage();
523 }
524 }
525 if (argc > optind)
526 usage();
527
528 /*
529 * Further initialization...
530 */
531 mail_conf_read();
532 if (strcmp(var_syslog_name, DEF_SYSLOG_NAME) != 0)
533 msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY);
534 mail_dict_init(); /* proxy, sql, ldap */
535 get_mail_conf_str_table(str_table);
536
537 /*
538 * This program is designed to be set-gid, which makes it a potential
539 * target for attack. If not running as root, strip the environment so we
540 * don't have to trust the C library. If running as root, don't strip the
541 * environment so that showq can receive non-default configuration
542 * directory info when the mail system is down.
543 */
544 if (geteuid() != 0) {
545 import_env = argv_split(var_import_environ, ", \t\r\n");
546 clean_env(import_env->argv);
547 argv_free(import_env);
548 }
549 if (chdir(var_queue_dir))
550 msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
551
552 signal(SIGPIPE, SIG_IGN);
553
554 /* End of initializations. */
555
556 /*
557 * Further input validation.
558 */
559 if (site_to_flush != 0) {
560 bad_site = 0;
561 if (*site_to_flush == '[') {
562 bad_site = !valid_mailhost_literal(site_to_flush, DONT_GRIPE);
563 } else {
564 bad_site = !valid_hostname(site_to_flush, DONT_GRIPE);
565 }
566 if (bad_site)
567 msg_fatal_status(EX_USAGE,
568 "Cannot flush mail queue - invalid destination: \"%.100s%s\"",
569 site_to_flush, strlen(site_to_flush) > 100 ? "..." : "");
570 }
571 if (id_to_flush != 0) {
572 if (!mail_queue_id_ok(id_to_flush))
573 msg_fatal_status(EX_USAGE,
574 "Cannot flush queue ID - invalid name: \"%.100s%s\"",
575 id_to_flush, strlen(id_to_flush) > 100 ? "..." : "");
576 }
577
578 /*
579 * Start processing.
580 */
581 switch (mode) {
582 default:
583 msg_panic("unknown operation mode: %d", mode);
584 /* NOTREACHED */
585 case PQ_MODE_MAILQ_LIST:
586 show_queue();
587 exit(0);
588 break;
589 case PQ_MODE_FLUSH_SITE:
590 flush_site(site_to_flush);
591 exit(0);
592 break;
593 case PQ_MODE_FLUSH_FILE:
594 flush_file(id_to_flush);
595 exit(0);
596 break;
597 case PQ_MODE_FLUSH_QUEUE:
598 flush_queue();
599 exit(0);
600 break;
601 case PQ_MODE_DEFAULT:
602 usage();
603 /* NOTREACHED */
604 }
605 }
NetBSD on the FriendlyARM MINI2440