| blob | fd42043bd78b6b423da11bfb97cb40d041535a2d |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* qmqpd 8
6 /* SUMMARY
7 /* Postfix QMQP server
8 /* SYNOPSIS
9 /* \fBqmqpd\fR [generic Postfix daemon options]
10 /* DESCRIPTION
11 /* The Postfix QMQP server receives one message per connection.
12 /* Each message is piped through the \fBcleanup\fR(8)
13 /* daemon, and is placed into the \fBincoming\fR queue as one
14 /* single queue file. The program expects to be run from the
15 /* \fBmaster\fR(8) process manager.
16 /*
17 /* The QMQP server implements one access policy: only explicitly
18 /* authorized client hosts are allowed to use the service.
19 /* SECURITY
20 /* .ad
21 /* .fi
22 /* The QMQP server is moderately security-sensitive. It talks to QMQP
23 /* clients and to DNS servers on the network. The QMQP server can be
24 /* run chrooted at fixed low privilege.
25 /* DIAGNOSTICS
26 /* Problems and transactions are logged to \fBsyslogd\fR(8).
27 /* BUGS
28 /* The QMQP protocol provides only one server reply per message
29 /* delivery. It is therefore not possible to reject individual
30 /* recipients.
31 /*
32 /* The QMQP protocol requires the server to receive the entire
33 /* message before replying. If a message is malformed, or if any
34 /* netstring component is longer than acceptable, Postfix replies
35 /* immediately and closes the connection. It is left up to the
36 /* client to handle the situation.
37 /* CONFIGURATION PARAMETERS
38 /* .ad
39 /* .fi
40 /* Changes to \fBmain.cf\fR are picked up automatically, as \fBqmqpd\fR(8)
41 /* processes run for only a limited amount of time. Use the command
42 /* "\fBpostfix reload\fR" to speed up a change.
43 /*
44 /* The text below provides only a parameter summary. See
45 /* \fBpostconf\fR(5) for more details including examples.
46 /* CONTENT INSPECTION CONTROLS
47 /* .ad
48 /* .fi
49 /* .IP "\fBcontent_filter (empty)\fR"
50 /* The name of a mail delivery transport that filters mail after
51 /* it is queued.
52 /* .IP "\fBreceive_override_options (empty)\fR"
53 /* Enable or disable recipient validation, built-in content
54 /* filtering, or address mapping.
55 /* RESOURCE AND RATE CONTROLS
56 /* .ad
57 /* .fi
58 /* .IP "\fBline_length_limit (2048)\fR"
59 /* Upon input, long lines are chopped up into pieces of at most
60 /* this length; upon delivery, long lines are reconstructed.
61 /* .IP "\fBhopcount_limit (50)\fR"
62 /* The maximal number of Received: message headers that is allowed
63 /* in the primary message headers.
64 /* .IP "\fBmessage_size_limit (10240000)\fR"
65 /* The maximal size in bytes of a message, including envelope information.
66 /* .IP "\fBqmqpd_timeout (300s)\fR"
67 /* The time limit for sending or receiving information over the network.
68 /* TROUBLE SHOOTING CONTROLS
69 /* .ad
70 /* .fi
71 /* .IP "\fBdebug_peer_level (2)\fR"
72 /* The increment in verbose logging level when a remote client or
73 /* server matches a pattern in the debug_peer_list parameter.
74 /* .IP "\fBdebug_peer_list (empty)\fR"
75 /* Optional list of remote client or server hostname or network
76 /* address patterns that cause the verbose logging level to increase
77 /* by the amount specified in $debug_peer_level.
78 /* .IP "\fBsoft_bounce (no)\fR"
79 /* Safety net to keep mail queued that would otherwise be returned to
80 /* the sender.
81 /* TARPIT CONTROLS
82 /* .ad
83 /* .fi
84 /* .IP "\fBqmqpd_error_delay (1s)\fR"
85 /* How long the QMQP server will pause before sending a negative reply
86 /* to the client.
87 /* MISCELLANEOUS CONTROLS
88 /* .ad
89 /* .fi
90 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
91 /* The default location of the Postfix main.cf and master.cf
92 /* configuration files.
93 /* .IP "\fBdaemon_timeout (18000s)\fR"
94 /* How much time a Postfix daemon process may take to handle a
95 /* request before it is terminated by a built-in watchdog timer.
96 /* .IP "\fBipc_timeout (3600s)\fR"
97 /* The time limit for sending or receiving information over an internal
98 /* communication channel.
99 /* .IP "\fBmax_idle (100s)\fR"
100 /* The maximum amount of time that an idle Postfix daemon process waits
101 /* for an incoming connection before terminating voluntarily.
102 /* .IP "\fBmax_use (100)\fR"
103 /* The maximal number of incoming connections that a Postfix daemon
104 /* process will service before terminating voluntarily.
105 /* .IP "\fBprocess_id (read-only)\fR"
106 /* The process ID of a Postfix command or daemon process.
107 /* .IP "\fBprocess_name (read-only)\fR"
108 /* The process name of a Postfix command or daemon process.
109 /* .IP "\fBqmqpd_authorized_clients (empty)\fR"
110 /* What clients are allowed to connect to the QMQP server port.
111 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
112 /* The location of the Postfix top-level queue directory.
113 /* .IP "\fBsyslog_facility (mail)\fR"
114 /* The syslog facility of Postfix logging.
115 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
116 /* The mail system name that is prepended to the process name in syslog
117 /* records, so that "smtpd" becomes, for example, "postfix/smtpd".
118 /* .IP "\fBverp_delimiter_filter (-=+)\fR"
119 /* The characters Postfix accepts as VERP delimiter characters on the
120 /* Postfix \fBsendmail\fR(1) command line and in SMTP commands.
121 /* .PP
122 /* Available in Postfix version 2.5 and later:
123 /* .IP "\fBqmqpd_client_port_logging (no)\fR"
124 /* Enable logging of the remote QMQP client port in addition to
125 /* the hostname and IP address.
126 /* SEE ALSO
127 /* http://cr.yp.to/proto/qmqp.html, QMQP protocol
128 /* cleanup(8), message canonicalization
129 /* master(8), process manager
130 /* syslogd(8), system logging
131 /* README FILES
132 /* .ad
133 /* .fi
134 /* Use "\fBpostconf readme_directory\fR" or
135 /* "\fBpostconf html_directory\fR" to locate this information.
136 /* .na
137 /* .nf
138 /* QMQP_README, Postfix ezmlm-idx howto.
139 /* LICENSE
140 /* .ad
141 /* .fi
142 /* The Secure Mailer license must be distributed with this software.
143 /* HISTORY
144 /* .ad
145 /* .fi
146 /* The qmqpd service was introduced with Postfix version 1.1.
147 /* AUTHOR(S)
148 /* Wietse Venema
149 /* IBM T.J. Watson Research
150 /* P.O. Box 704
151 /* Yorktown Heights, NY 10598, USA
152 /*--*/
154 /* System library. */
156 #include <sys_defs.h>
157 #include <string.h>
158 #include <unistd.h>
159 #include <stdlib.h>
160 #include <ctype.h>
161 #include <stdarg.h>
163 /* Utility library. */
165 #include <msg.h>
166 #include <mymalloc.h>
167 #include <vstring.h>
168 #include <vstream.h>
169 #include <netstring.h>
170 #include <dict.h>
172 /* Global library. */
174 #include <mail_params.h>
175 #include <mail_version.h>
176 #include <record.h>
177 #include <rec_type.h>
178 #include <mail_proto.h>
179 #include <cleanup_user.h>
180 #include <mail_date.h>
181 #include <mail_conf.h>
182 #include <debug_peer.h>
183 #include <mail_stream.h>
184 #include <namadr_list.h>
185 #include <quote_822_local.h>
186 #include <match_parent_style.h>
187 #include <lex_822.h>
188 #include <verp_sender.h>
189 #include <input_transp.h>
191 /* Single-threaded server skeleton. */
193 #include <mail_server.h>
195 /* Application-specific */
197 #include <qmqpd.h>
199 /*
200 * Tunable parameters. Make sure that there is some bound on the length of a
201 * netstring, so that the mail system stays in control even when a malicious
202 * client sends netstrings of unreasonable length. The recipient count limit
203 * is enforced by the message size limit.
204 */
212 /*
213 * Silly little macros.
214 */
215 #define STR(x) vstring_str(x)
216 #define LEN(x) VSTRING_LEN(x)
218 #define DO_LOG 1
219 #define DONT_LOG 0
221 /*
222 * Access control. This service should be exposed only to explicitly
223 * authorized clients. There is no default authorization.
224 */
227 /*
228 * Transparency: before mail is queued, do we allow address mapping,
229 * automatic bcc, header/body checks?
230 */
233 /* qmqpd_open_file - open a queue file */
236 {
239 /*
240 * Connect to the cleanup server. Log client name/address with queue ID.
241 */
243 qmqpd_input_transp_mask);
255 /*
256 * Record the time of arrival. Optionally, enable content filtering (not
257 * bloody likely, but present for the sake of consistency with all other
258 * Postfix points of entrance).
259 */
264 }
266 /* qmqpd_read_content - receive message content */
269 {
272 }
274 /* qmqpd_copy_sender - copy envelope sender */
277 {
283 /*
284 * If the sender address looks like prefix@origin-@[], then request
285 * variable envelope return path delivery, with an envelope sender
286 * address of prefi@origin, and with VERP delimiters of x and =. This
287 * way, the recipients will see envelope sender addresses that look like:
288 * prefixuser=domain@origin.
289 */
293 verp_requested =
303 vstring_sprintf(state->why_rejected, "Invalid VERP delimiters: \"%s\". Need two characters from \"%s\"",
305 }
308 }
317 }
319 /* qmqpd_write_attributes - save session attributes */
322 {
324 /*
325 * Logging attributes, also used for XFORWARD.
326 */
338 /*
339 * For consistency with the smtpd Milter client, we need to provide the
340 * real client attributes to the cleanup Milter client. This does not
341 * matter much with qmqpd which speaks to trusted clients only, but we
342 * want to be sure that the cleanup input protocol is ready when a new
343 * type of network daemon is added to receive mail from the Internet.
344 *
345 * See also the comments in smtpd.c.
346 */
358 /* XXX What about the address rewriting context? */
359 }
361 /* qmqpd_copy_recipients - copy message recipients */
364 {
367 /*
368 * Remember the first recipient. We are done when we read the over-all
369 * netstring terminator.
370 *
371 * XXX This approach violates abstractions, but it is a heck of a lot more
372 * convenient than counting the over-all byte count down to zero, like
373 * qmail does.
374 */
385 }
386 }
388 /* qmqpd_next_line - get line from buffer, return last char, newline, or -1 */
392 {
397 /*
398 * Stop at newline or at some limit. Don't look beyond the end of the
399 * buffer.
400 */
401 #define UCHARPTR(x) ((unsigned char *) (x))
410 }
411 }
413 /* qmqpd_write_content - write the message content segment */
416 {
424 /*
425 * Start the message content segment. Prepend our own Received: header to
426 * the message content. List the recipient only when a message has one
427 * recipient. Otherwise, don't list the recipient to avoid revealing Bcc:
428 * recipients that are supposed to be invisible.
429 */
449 }
450 #ifdef RECEIVED_ENVELOPE_FROM
454 #endif
456 /*
457 * Write the message content.
458 *
459 * XXX Force an empty record when the queue file content begins with
460 * whitespace, so that it won't be considered as being part of our own
461 * Received: header. What an ugly Kluge.
462 *
463 * XXX Deal with UNIX-style From_ lines at the start of message content just
464 * in case.
465 */
471 else
478 }
482 }
486 }
487 }
488 }
490 /* qmqpd_close_file - close queue file */
493 {
495 /*
496 * Send the end-of-segment markers.
497 */
504 /*
505 * Finish the queue file or finish the cleanup conversation.
506 */
509 else
512 }
514 /* qmqpd_reply - send status to client and optionally log message */
518 {
521 /*
522 * Optionally change hard errors into retryable ones. Send the reply and
523 * optionally log it. Always insert a delay before reporting a problem.
524 * This slows down software run-away conditions.
525 */
540 }
542 /* qmqpd_send_status - send mail transaction completion status */
545 {
547 /*
548 * One message may suffer from multiple errors, so complain only about
549 * the most severe error.
550 *
551 * See also: smtpd.c
552 */
583 }
584 }
586 /* qmqpd_receive - receive QMQP message+sender+recipients */
589 {
591 /*
592 * Open a queue file. This must be first so that we can simplify the
593 * error logging and always include the queue ID information.
594 */
597 /*
598 * Read and ignore the over-all netstring length indicator.
599 */
603 /*
604 * XXX Read the message content into memory, because Postfix expects to
605 * store the sender before storing the message content. Fixing that
606 * requires changes to pickup, cleanup, qmgr, and perhaps elsewhere, so
607 * that will have to happen later when I have more time. However, QMQP is
608 * used for mailing list distribution, so the bulk of the volume is
609 * expected to be not message content but recipients, and recipients are
610 * not accumulated in memory.
611 */
614 /*
615 * Read and write the envelope sender.
616 */
619 /*
620 * Record some session attributes.
621 */
624 /*
625 * Read and write the envelope recipients, including the optional big
626 * brother recipient.
627 */
630 /*
631 * Start the message content segment, prepend our own Received: header,
632 * and write the message content.
633 */
637 /*
638 * Close the queue file.
639 */
642 /*
643 * Report the completion status to the client.
644 */
646 }
648 /* qmqpd_proto - speak the QMQP "protocol" */
651 {
687 /*
688 * See if we want to talk to this client at all.
689 */
697 }
699 /*
700 * Log abnormal session termination. Indicate the last recognized state
701 * before things went wrong.
702 */
706 }
708 /* qmqpd_service - service one client */
711 {
714 /*
715 * Sanity check. This service takes no command-line arguments.
716 */
720 /*
721 * This routine runs when a client has connected to our network port.
722 * Look up and sanitize the peer name and initialize some connection-
723 * specific state.
724 */
727 /*
728 * See if we need to turn on verbose logging for this client.
729 */
732 /*
733 * Provide the QMQP service.
734 */
739 /*
740 * After the client has gone away, clean up whatever we have set up at
741 * connection time.
742 */
745 }
747 /* pre_accept - see if tables have changed */
750 {
756 }
757 }
759 /* pre_jail_init - pre-jail initialization */
762 {
764 qmqpd_clients =
766 var_qmqpd_clients);
767 }
769 /* post_jail_init - post-jail initialization */
772 {
774 /*
775 * Initialize the receive transparency options: do we want unknown
776 * recipient checks, do we want address mapping.
777 */
778 qmqpd_input_transp_mask =
780 }
782 MAIL_VERSION_STAMP_DECLARE;
784 /* main - the main program */
787 {
792 };
798 };
802 };
804 /*
805 * Fingerprint executables and core dumps.
806 */
807 MAIL_VERSION_STAMP_ALLOCATE;
809 /*
810 * Pass control to the single-threaded service skeleton.
811 */
820 }