| blob | df75114b48d8e106f1b7bb5977176b84e6730f49 |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* cleanup_milter 3
6 /* SUMMARY
7 /* external mail filter support
8 /* SYNOPSIS
9 /* #include <cleanup.h>
10 /*
11 /* void cleanup_milter_receive(state, count)
12 /* CLEANUP_STATE *state;
13 /* int count;
14 /*
15 /* void cleanup_milter_inspect(state, milters)
16 /* CLEANUP_STATE *state;
17 /* MILTERS *milters;
18 /*
19 /* cleanup_milter_emul_mail(state, milters, sender)
20 /* CLEANUP_STATE *state;
21 /* MILTERS *milters;
22 /* const char *sender;
23 /*
24 /* cleanup_milter_emul_rcpt(state, milters, recipient)
25 /* CLEANUP_STATE *state;
26 /* MILTERS *milters;
27 /* const char *recipient;
28 /*
29 /* cleanup_milter_emul_data(state, milters)
30 /* CLEANUP_STATE *state;
31 /* MILTERS *milters;
32 /* DESCRIPTION
33 /* This module implements support for Sendmail-style mail
34 /* filter (milter) applications, including in-place queue file
35 /* modification.
36 /*
37 /* cleanup_milter_receive() receives mail filter definitions,
38 /* typically from an smtpd(8) server process, and registers
39 /* local call-back functions for macro expansion and for queue
40 /* file modification.
41 /*
42 /* cleanup_milter_inspect() sends the current message headers
43 /* and body to the mail filters that were received with
44 /* cleanup_milter_receive(), or that are specified with the
45 /* cleanup_milters configuration parameter.
46 /*
47 /* cleanup_milter_emul_mail() emulates connect, helo and mail
48 /* events for mail that does not arrive via the smtpd(8) server.
49 /* The emulation pretends that mail arrives from localhost/127.0.0.1
50 /* via ESMTP. Milters can reject emulated connect, helo, mail
51 /* or data events, but not emulated rcpt events as described
52 /* next.
53 /*
54 /* cleanup_milter_emul_rcpt() emulates an rcpt event for mail
55 /* that does not arrive via the smtpd(8) server. This reports
56 /* a server configuration error condition when the milter
57 /* rejects an emulated rcpt event.
58 /*
59 /* cleanup_milter_emul_data() emulates a data event for mail
60 /* that does not arrive via the smtpd(8) server. It's OK for
61 /* milters to reject emulated data events.
62 /* SEE ALSO
63 /* milter(3) generic mail filter interface
64 /* DIAGNOSTICS
65 /* Fatal errors: memory allocation problem.
66 /* Panic: interface violation.
67 /* Warnings: I/O errors (state->errs is updated accordingly).
68 /* LICENSE
69 /* .ad
70 /* .fi
71 /* The Secure Mailer license must be distributed with this software.
72 /* AUTHOR(S)
73 /* Wietse Venema
74 /* IBM T.J. Watson Research
75 /* P.O. Box 704
76 /* Yorktown Heights, NY 10598, USA
77 /*--*/
79 /* System library. */
81 #include <sys_defs.h>
83 #include <string.h>
84 #include <errno.h>
86 #ifdef STRCASECMP_IN_STRINGS_H
87 #include <strings.h>
88 #endif
90 /* Utility library. */
92 #include <msg.h>
93 #include <vstream.h>
94 #include <vstring.h>
95 #include <stringops.h>
97 /* Global library. */
99 #include <off_cvt.h>
100 #include <dsn_mask.h>
101 #include <rec_type.h>
102 #include <cleanup_user.h>
103 #include <record.h>
104 #include <rec_attr_map.h>
105 #include <mail_proto.h>
106 #include <mail_params.h>
107 #include <lex_822.h>
108 #include <is_header.h>
109 #include <quote_821_local.h>
111 /* Application-specific. */
113 #include <cleanup.h>
115 /*
116 * How Postfix 2.4 edits queue file information:
117 *
118 * Mail filter applications (Milters) can send modification requests after
119 * receiving the end of the message body. Postfix implements these
120 * modifications in the cleanup server, so that it can edit the queue file
121 * in place. This avoids the temporary files that would be needed when
122 * modifications were implemented in the SMTP server (Postfix normally does
123 * not store the whole message in main memory). Once a Milter is done
124 * editing, the queue file can be used as input for the next Milter, and so
125 * on. Finally, the cleanup server changes file permissions, calls fsync(),
126 * and waits for successful completion.
127 *
128 * To implement in-place queue file edits, we need to introduce surprisingly
129 * little change to the existing Postfix queue file structure. All we need
130 * is a way to mark a record as deleted, and to jump from one place in the
131 * queue file to another. We could implement deleted records with jumps, but
132 * marking is sometimes simpler.
133 *
134 * Postfix does not store queue files as plain text files. Instead all
135 * information is stored in records with an explicit type and length, for
136 * sender, recipient, arrival time, and so on. Even the content that makes
137 * up the message header and body is stored as records with explicit types
138 * and lengths. This organization makes it very easy to mark a record as
139 * deleted, and to introduce the pointer records that we will use to jump
140 * from one place in a queue file to another place.
141 *
142 * - Deleting a recipient is easiest - simply modify the record type into one
143 * that is skipped by the software that delivers mail. We won't try to reuse
144 * the deleted recipient for other purposes. When deleting a recipient, we
145 * may need to delete multiple recipient records that result from virtual
146 * alias expansion of the original recipient address.
147 *
148 * - Replacing a header record involves pointer records. A record is replaced
149 * by overwriting it with a forward pointer to space after the end of the
150 * queue file, putting the new record there, followed by a reverse pointer
151 * to the record that follows the replaced header. To simplify
152 * implementation we follow a short header record with a filler record so
153 * that we can always overwrite a header record with a pointer.
154 *
155 * N.B. This is a major difference with Postfix version 2.3, which needed
156 * complex code to save records that follow a short header, before it could
157 * overwrite a short header record. This code contained two of the three
158 * post-release bugs that were found with Postfix header editing.
159 *
160 * - Inserting a header record is like replacing one, except that we also
161 * relocate the record that is being overwritten by the forward pointer.
162 *
163 * - Deleting a message header is simplest when we replace it by a "skip"
164 * pointer to the information that follows the header. With a multi-line
165 * header we need to update only the first line.
166 *
167 * - Appending a recipient or header record involves pointer records as well.
168 * To make this convenient, the queue file already contains dummy pointer
169 * records at the locations where we want to append recipient or header
170 * content. To append, change the dummy pointer into a forward pointer to
171 * space after the end of a message, put the new recipient or header record
172 * there, followed by a reverse pointer to the record that follows the
173 * forward pointer.
174 *
175 * - To append another header or recipient record, replace the reverse pointer
176 * by a forward pointer to space after the end of a message, put the new
177 * record there, followed by the value of the reverse pointer that we
178 * replace. Thus, there is no one-to-one correspondence between forward and
179 * backward pointers. Instead, there can be multiple forward pointers for
180 * one reverse pointer.
181 *
182 * - When a mail filter wants to replace an entire body, we overwrite existing
183 * body records until we run out of space, and then write a pointer to space
184 * after the end of the queue file, followed by more body content. There may
185 * be multiple regions with body content; regions are connected by forward
186 * pointers, and the last region ends with a pointer to the marker that ends
187 * the message content segment. Body regions can be large and therefore they
188 * are reused to avoid wasting space. Sendmail mail filters currently do not
189 * replace individual body records, and that is a good thing.
190 *
191 * Making queue file modifications safe:
192 *
193 * Postfix queue files are segmented. The first segment is for envelope
194 * records, the second for message header and body content, and the third
195 * segment is for information that was extracted or generated from the
196 * message header or body content. Each segment is terminated by a marker
197 * record. For now we don't want to change their location. That is, we want
198 * to avoid moving the records that mark the start or end of a queue file
199 * segment.
200 *
201 * To ensure that we can always replace a header or body record by a pointer
202 * record, without having to relocate a marker record, the cleanup server
203 * places a dummy pointer record at the end of the recipients and at the end
204 * of the message header. To support message body modifications, a dummy
205 * pointer record is also placed at the end of the message content.
206 *
207 * With all these changes in queue file organization, REC_TYPE_END is no longer
208 * guaranteed to be the last record in a queue file. If an application were
209 * to read beyond the REC_TYPE_END marker, it would go into an infinite
210 * loop, because records after REC_TYPE_END alternate with reverse pointers
211 * to the middle of the queue file. For robustness, the record reading
212 * routine skips forward to the end-of-file position after reading the
213 * REC_TYPE_END marker.
214 */
216 /*#define msg_verbose 2*/
218 #define STR(x) vstring_str(x)
219 #define LEN(x) VSTRING_LEN(x)
221 /*
222 * Milter replies.
223 */
224 #define CLEANUP_MILTER_SET_REASON(__state, __reason) do { \
225 if ((__state)->reason) \
226 myfree((__state)->reason); \
227 (__state)->reason = mystrdup(__reason); \
228 if ((__state)->smtp_reply) { \
229 myfree((__state)->smtp_reply); \
230 (__state)->smtp_reply = 0; \
231 } \
232 } while (0)
234 #define CLEANUP_MILTER_SET_SMTP_REPLY(__state, __smtp_reply) do { \
235 if ((__state)->reason) \
236 myfree((__state)->reason); \
237 (__state)->reason = mystrdup(__smtp_reply + 4); \
239 if ((__state)->smtp_reply) \
240 myfree((__state)->smtp_reply); \
241 (__state)->smtp_reply = mystrdup(__smtp_reply); \
242 } while (0)
244 /* cleanup_milter_set_error - set error flag from errno */
247 {
254 }
255 }
257 /* cleanup_milter_error - return dummy error description */
260 {
264 /*
265 * For consistency with error reporting within the milter infrastructure,
266 * content manipulation routines return a null pointer on success, and an
267 * SMTP-like response on error.
268 *
269 * However, when cleanup_milter_apply() receives this error response from
270 * the milter infrastructure, it ignores the text since the appropriate
271 * cleanup error flags were already set by cleanup_milter_set_error().
272 *
273 * Specify a null error number when the "errno to error flag" mapping was
274 * already done elsewhere, possibly outside this module.
275 */
285 }
287 /* cleanup_add_header - append message header */
292 {
296 off_t reverse_ptr_offset;
297 off_t new_hdr_offset;
299 /*
300 * To simplify implementation, the cleanup server writes a dummy "header
301 * append" pointer record after the last message header. We cache both
302 * the location and the target of the current "header append" pointer
303 * record.
304 */
310 /*
311 * Allocate space after the end of the queue file, and write the header
312 * record(s), followed by a reverse pointer record that points to the
313 * target of the old "header append" pointer record. This reverse pointer
314 * record becomes the new "header append" pointer record.
315 */
319 }
327 }
331 /*
332 * Pointer flipping: update the old "header append" pointer record value
333 * with the location of the new header record.
334 *
335 * XXX To avoid unnecessary seek operations when the new header immediately
336 * follows the old append header pointer, write a null pointer or make
337 * the record reading loop smarter. Making vstream_fseek() smarter does
338 * not help, because it doesn't know if we're going to read or write
339 * after a write+seek sequence.
340 */
344 }
348 /*
349 * Update the in-memory "header append" pointer record location with the
350 * location of the reverse pointer record that follows the new header.
351 * The target of the "header append" pointer record does not change; it's
352 * always the record that follows the dummy pointer record that was
353 * written while Postfix received the message.
354 */
357 /*
358 * In case of error while doing record output.
359 */
361 }
363 /* cleanup_find_header_start - find specific header instance */
371 {
378 ssize_t len;
385 /*
386 * Sanity checks.
387 */
391 /*
392 * Skip to the start of the message content, and read records until we
393 * either find the specified header, or until we hit the end of the
394 * headers.
395 *
396 * The index specifies the header instance: 1 is the first one. The header
397 * label specifies the header name. A null pointer matches any header.
398 *
399 * When the specified header is not found, the result value is -1.
400 *
401 * When the specified header is found, its first record is stored in the
402 * caller-provided read buffer, and the result value is the queue file
403 * offset of that record. The file read position is left at the start of
404 * the next (non-filler) queue file record, which can be the remainder of
405 * a multi-record header.
406 *
407 * When a header is found and allow_ptr_backup is non-zero, then the result
408 * is either the first record of that header, or it is the pointer record
409 * that points to the first record of that header. In the latter case,
410 * the file read position is undefined. Returning the pointer allows us
411 * to do some optimizations when inserting text multiple times at the
412 * same place.
413 *
414 * XXX We can't use the MIME processor here. It not only buffers up the
415 * input, it also reads the record that follows a complete header before
416 * it invokes the header call-back action. This complicates the way that
417 * we discover header offsets and boundaries. Worse is that the MIME
418 * processor is unaware that multi-record message headers can have PTR
419 * records in the middle.
420 *
421 * XXX The draw-back of not using the MIME processor is that we have to
422 * duplicate some of its logic here and in the routine that finds the end
423 * of the header record. To minimize the duplication we define an ugly
424 * macro that is used in all code that scans for header boundaries.
425 *
426 * XXX Sendmail compatibility (based on Sendmail 8.13.6 measurements).
427 *
428 * - When changing Received: header #1, we change the Received: header that
429 * follows our own one; a request to change Received: header #0 is
430 * silently treated as a request to change Received: header #1.
431 *
432 * - When changing Date: header #1, we change the first Date: header; a
433 * request to change Date: header #0 is silently treated as a request to
434 * change Date: header #1.
435 *
436 * Thus, header change requests are relative to the content as received,
437 * that is, the content after our own Received: header. They can affect
438 * only the headers that the MTA actually exposes to mail filter
439 * applications.
440 *
441 * - However, when inserting a header at position 0, the new header appears
442 * before our own Received: header, and when inserting at position 1, the
443 * new header appears after our own Received: header.
444 *
445 * Thus, header insert operations are relative to the content as delivered,
446 * that is, the content including our own Received: header.
447 *
448 * None of the above is applicable after a Milter inserts a header before
449 * our own Received: header. From then on, our own Received: header
450 * becomes just like other headers.
451 */
452 #define CLEANUP_FIND_HEADER_NOTFOUND (-1)
453 #define CLEANUP_FIND_HEADER_IOERROR (-2)
455 #define CLEANUP_FIND_HEADER_RETURN(offs) do { \
456 if (ptr_buf) \
457 vstring_free(ptr_buf); \
458 return (offs); \
459 } while (0)
461 #define GET_NEXT_TEXT_OR_PTR_RECORD(rec_type, state, buf, curr_offset, quit) \
462 if ((rec_type = rec_get_raw(state->dst, buf, 0, REC_FLAG_NONE)) < 0) { \
464 cleanup_milter_set_error(state, errno); \
465 do { quit; } while (0); \
466 } \
467 if (msg_verbose > 1) \
469 LEN(buf) > 30 ? 30 : (int) LEN(buf), STR(buf)); \
470 if (rec_type == REC_TYPE_DTXT) \
471 continue; \
472 if (rec_type != REC_TYPE_NORM && rec_type != REC_TYPE_CONT \
473 && rec_type != REC_TYPE_PTR) \
474 break;
475 /* End of hairy macros. */
481 }
487 }
488 /* Don't follow the "append header" pointer. */
491 /* Caution: this macro terminates the loop at end-of-message. */
492 /* Don't do complex processing while breaking out of this loop. */
495 /* Caution: don't assume ptr->header. This may be header-ptr->body. */
501 }
502 /* Save PTR record, in case it points to the start of a header. */
508 }
509 /* Don't update last_type; PTR can happen after REC_TYPE_CONT. */
511 }
512 /* The middle of a multi-record header. */
514 /* Reset the saved PTR record and update last_type. */
515 }
516 /* No more message headers. */
519 }
520 /* This the start of a message header. */
528 /* If we have a saved PTR record, it points to start of header. */
530 }
533 }
535 /*
536 * In case of failure, return negative start position.
537 */
542 /*
543 * Skip over short-header padding, so that the file read pointer is
544 * always positioned at the first non-padding record after the header
545 * record. Insist on padding after short a header record, so that a
546 * short header record can safely be overwritten by a pointer record.
547 */
557 }
560 }
562 /*
563 * Optionally return a pointer to the message header, instead of the
564 * start of the message header itself. In that case the file read
565 * position is undefined (actually it is at the first non-padding
566 * record that follows the message header record).
567 */
572 }
574 }
581 }
583 /* cleanup_find_header_end - find end of header */
588 {
590 off_t read_offset;
593 /*
594 * This routine is called immediately after cleanup_find_header_start().
595 * rec_buf is the cleanup_find_header_start() result record; last_type is
596 * the corresponding record type: REC_TYPE_PTR or REC_TYPE_NORM; the file
597 * read position is at the first non-padding record after the result
598 * header record.
599 */
605 }
606 /* Don't follow the "append header" pointer. */
609 /* Caution: this macro terminates the loop at end-of-message. */
610 /* Don't do complex processing while breaking out of this loop. */
612 /* Warning and errno->error mapping are done elsewhere. */
619 }
620 /* Don't update last_type; PTR may follow REC_TYPE_CONT. */
622 }
623 /* Start of header or message body. */
627 }
629 }
631 /* cleanup_patch_header - patch new header into an existing header */
637 off_t old_rec_offset,
640 off_t next_offset)
641 {
644 off_t new_hdr_offset;
646 #define CLEANUP_PATCH_HEADER_RETURN(ret) do { \
647 vstring_free(buf); \
648 return (ret); \
649 } while (0)
655 /*
656 * Allocate space after the end of the queue file for the new header and
657 * optionally save an existing record to make room for a forward pointer
658 * record. If the saved record was not a PTR record, follow the saved
659 * record by a reverse pointer record that points to the record after the
660 * original location of the saved record.
661 *
662 * We update the queue file in a safe manner: save the new header and the
663 * existing records after the end of the queue file, write the reverse
664 * pointer, and only then overwrite the saved records with the forward
665 * pointer to the new header.
666 *
667 * old_rec_offset, old_rec_type, and old_rec_buf specify the record that we
668 * are about to overwrite with a pointer record. If the record needs to
669 * be saved (i.e. old_rec_type > 0), the buffer contains the data content
670 * of exactly one PTR or text record.
671 *
672 * next_offset specifies the record that follows the to-be-overwritten
673 * record. It is ignored when the to-be-saved record is a pointer record.
674 */
676 /*
677 * Write the new header to a new location after the end of the queue
678 * file.
679 */
683 }
690 /*
691 * Optionally, save the existing text record or pointer record that will
692 * be overwritten with the forward pointer. Pad a short saved record to
693 * ensure that it, too, can be overwritten by a pointer.
694 */
703 }
705 /*
706 * If the saved record wasn't a PTR record, write the reverse pointer
707 * after the saved records. A reverse pointer value of -1 means we were
708 * confused about what we were going to save.
709 */
718 }
720 /*
721 * Write the forward pointer over the old record. Generally, a pointer
722 * record will be shorter than a header record, so there will be a gap in
723 * the queue file before the next record. In other words, we must always
724 * follow pointer records otherwise we get out of sync with the data.
725 */
729 }
736 /*
737 * In case of error while doing record output.
738 */
742 /*
743 * Note: state->append_hdr_pt_target never changes.
744 */
745 }
747 /* cleanup_ins_header - insert message header */
753 {
757 off_t old_rec_offset;
759 off_t next_offset;
762 #define CLEANUP_INS_HEADER_RETURN(ret) do { \
763 vstring_free(old_rec_buf); \
764 return (ret); \
765 } while (0)
771 /*
772 * Look for a header at the specified position.
773 *
774 * The lookup result may be a pointer record. This allows us to make some
775 * optimization when multiple insert operations happen in the same place.
776 *
777 * Index 1 is the top-most header.
778 */
779 #define NO_HEADER_NAME ((char *) 0)
780 #define ALLOW_PTR_BACKUP 1
781 #define SKIP_ONE_HEADER 1
782 #define DONT_SKIP_HEADERS 0
788 ALLOW_PTR_BACKUP,
789 DONT_SKIP_HEADERS);
791 /* Warning and errno->error mapping are done elsewhere. */
794 /*
795 * If the header does not exist, simply append the header to the linked
796 * list at the "header append" pointer record.
797 */
802 /*
803 * If the header does exist, save both the new and the existing header to
804 * new storage at the end of the queue file, and link the new storage
805 * with a forward and reverse pointer (don't write a reverse pointer if
806 * we are starting with a pointer record).
807 */
814 }
815 }
820 }
822 /* cleanup_upd_header - modify or append message header */
828 {
832 off_t old_rec_offset;
833 off_t next_offset;
841 /*
842 * Sanity check.
843 */
847 /*
848 * Find the header that is being modified.
849 *
850 * The lookup result will never be a pointer record.
851 *
852 * Index 1 is the first matching header instance.
853 *
854 * XXX When a header is updated repeatedly we create jumps to jumps. To
855 * eliminate this, rewrite the loop below so that we can start with the
856 * pointer record that points to the header that's being edited.
857 */
858 #define DONT_SAVE_RECORD 0
859 #define NO_PTR_BACKUP 0
861 #define CLEANUP_UPD_HEADER_RETURN(ret) do { \
862 vstring_free(rec_buf); \
863 return (ret); \
864 } while (0)
869 NO_PTR_BACKUP,
870 SKIP_ONE_HEADER);
872 /* Warning and errno->error mapping are done elsewhere. */
875 /*
876 * If no old header is found, simply append the new header to the linked
877 * list at the "header append" pointer record.
878 */
883 /*
884 * If the old header is found, find the end of the old header, save the
885 * new header to new storage at the end of the queue file, and link the
886 * new storage with a forward and reverse pointer.
887 */
889 /* Warning and errno->error mapping are done elsewhere. */
895 }
897 /* cleanup_del_header - delete message header */
901 {
905 off_t header_offset;
906 off_t next_offset;
912 /*
913 * Sanity check.
914 */
918 /*
919 * Find the header that is being deleted.
920 *
921 * The lookup result will never be a pointer record.
922 *
923 * Index 1 is the first matching header instance.
924 */
925 #define CLEANUP_DEL_HEADER_RETURN(ret) do { \
926 vstring_free(rec_buf); \
927 return (ret); \
928 } while (0)
933 SKIP_ONE_HEADER);
935 /* Warning and errno->error mapping are done elsewhere. */
938 /*
939 * Overwrite the beginning of the header record with a pointer to the
940 * information that follows the header. We can't simply overwrite the
941 * header with cleanup_out_header() and a special record type, because
942 * there may be a PTR record in the middle of a multi-line header.
943 */
946 /* Warning and errno->error mapping are done elsewhere. */
948 /* Mark the header as deleted. */
952 }
955 }
958 /*
959 * In case of error while doing record output.
960 */
962 }
964 /* cleanup_chg_from - replace sender address, ignore ESMTP arguments */
968 {
971 off_t new_sender_offset;
984 /*
985 * The cleanup server remembers the location of the the original sender
986 * address record (offset in sender_pt_offset) and the file offset of the
987 * record that follows the sender address (offset in sender_pt_target).
988 * Short original sender records are padded, so that they can safely be
989 * overwritten with a pointer record to the new sender address record.
990 */
996 /*
997 * Allocate space after the end of the queue file, and write the new
998 * sender record, followed by a reverse pointer record that points to the
999 * record that follows the original sender address record. No padding is
1000 * needed for a "new" short sender record, since the record is not meant
1001 * to be overwritten. When the "new" sender is replaced, we allocate a
1002 * new record at the end of the queue file.
1003 *
1004 * We update the queue file in a safe manner: save the new sender after the
1005 * end of the queue file, write the reverse pointer, and only then
1006 * overwrite the old sender record with the forward pointer to the new
1007 * sender.
1008 */
1012 }
1014 /*
1015 * Transform the address from external form to internal form. This also
1016 * removes the enclosing <>, if present.
1017 *
1018 * XXX vstring_alloc() rejects zero-length requests.
1019 */
1031 }
1032 }
1033 }
1040 /*
1041 * Overwrite the original sender record with the pointer to the new
1042 * sender address record.
1043 */
1047 }
1051 /*
1052 * In case of error while doing record output.
1053 */
1055 }
1057 /* cleanup_add_rcpt - append recipient address */
1060 {
1063 off_t new_rcpt_offset;
1064 off_t reverse_ptr_offset;
1073 /*
1074 * To simplify implementation, the cleanup server writes a dummy
1075 * "recipient append" pointer record after the last recipient. We cache
1076 * both the location and the target of the current "recipient append"
1077 * pointer record.
1078 */
1084 /*
1085 * Allocate space after the end of the queue file, and write the
1086 * recipient record, followed by a reverse pointer record that points to
1087 * the target of the old "recipient append" pointer record. This reverse
1088 * pointer record becomes the new "recipient append" pointer record.
1089 *
1090 * We update the queue file in a safe manner: save the new recipient after
1091 * the end of the queue file, write the reverse pointer, and only then
1092 * overwrite the old "recipient append" pointer with the forward pointer
1093 * to the new recipient.
1094 */
1095 #define NO_DSN_ORCPT ((char *) 0)
1100 }
1102 /*
1103 * Transform recipient from external form to internal form. This also
1104 * removes the enclosing <>, if present.
1105 *
1106 * XXX vstring_alloc() rejects zero-length requests.
1107 */
1119 }
1120 }
1121 }
1129 }
1133 }
1137 /*
1138 * Pointer flipping: update the old "recipient append" pointer record
1139 * value to the location of the new recipient record.
1140 */
1144 }
1148 /*
1149 * Update the in-memory "recipient append" pointer record location with
1150 * the location of the reverse pointer record that follows the new
1151 * recipient. The target of the "recipient append" pointer record does
1152 * not change; it's always the record that follows the dummy pointer
1153 * record that was written while Postfix received the message.
1154 */
1157 /*
1158 * In case of error while doing record output.
1159 */
1161 }
1163 /* cleanup_add_rcpt_par - append recipient address, ignore ESMTP arguments */
1167 {
1175 }
1177 /* cleanup_del_rcpt - remove recipient and all its expansions */
1180 {
1183 off_t curr_offset;
1202 /*
1203 * Virtual aliasing and other address rewriting happens after the mail
1204 * filter sees the envelope address. Therefore we must delete all
1205 * recipient records whose Postfix (not DSN) original recipient address
1206 * matches the specified address.
1207 *
1208 * As the number of recipients may be very large we can't do an efficient
1209 * two-pass implementation (collect record offsets first, then mark
1210 * records as deleted). Instead we mark records as soon as we find them.
1211 * This is less efficient because we do (seek-write-read) for each marked
1212 * recipient, instead of (seek-write). It's unlikely that VSTREAMs will
1213 * be made smart enough to eliminate unnecessary I/O with small seeks.
1214 *
1215 * XXX When Postfix original recipients are turned off, we have no option
1216 * but to match against the expanded and rewritten recipient address.
1217 *
1218 * XXX Remove the (dsn_orcpt, dsn_notify, orcpt, recip) tuple from the
1219 * duplicate recipient filter. This requires that we maintain reference
1220 * counts.
1221 */
1225 }
1226 #define CLEANUP_DEL_RCPT_RETURN(ret) do { \
1227 if (orig_rcpt != 0) \
1228 myfree(orig_rcpt); \
1229 if (dsn_orcpt != 0) \
1230 myfree(dsn_orcpt); \
1231 vstring_free(buf); \
1232 vstring_free(int_rcpt_buf); \
1233 return (ret); \
1234 } while (0)
1236 /*
1237 * Transform recipient from external form to internal form. This also
1238 * removes the enclosing <>, if present.
1239 *
1240 * XXX vstring_alloc() rejects zero-length requests.
1241 */
1253 }
1254 }
1255 }
1261 /* Warning and errno->error mapping are done elsewhere. */
1266 }
1270 }
1273 /* Skip over message content. */
1278 }
1280 }
1286 }
1288 }
1289 /* Map attribute names to pseudo record type. */
1297 }
1298 }
1309 else
1322 }
1326 }
1327 count++;
1328 }
1329 /* FALLTHROUGH */
1335 }
1339 }
1342 }
1343 }
1350 }
1352 /* cleanup_repl_body - replace message body */
1355 {
1360 /*
1361 * XXX Sendmail compatibility: milters don't see the first body line, so
1362 * don't expect they will send one.
1363 */
1381 }
1383 }
1385 /* cleanup_milter_eval - expand macro */
1388 {
1391 /*
1392 * Note: if we use XFORWARD attributes here, then consistency requires
1393 * that we forward all Sendmail macros via XFORWARD.
1394 */
1396 /*
1397 * Canonicalize the name.
1398 */
1402 }
1404 /*
1405 * System macros.
1406 */
1412 /*
1413 * Connect macros.
1414 */
1415 #ifndef CLIENT_ATTR_UNKNOWN
1417 #endif
1425 }
1439 /*
1440 * MAIL FROM macros.
1441 */
1444 #ifdef USE_SASL_AUTH
1451 #endif
1455 /*
1456 * RCPT TO macros.
1457 */
1461 }
1463 /* cleanup_milter_receive - receive milter instances */
1466 {
1481 }
1483 /* cleanup_milter_apply - apply Milter reponse, non-zero if rejecting */
1487 {
1497 /*
1498 * Sanity check.
1499 */
1503 /*
1504 * We don't report errors that were already reported by the content
1505 * editing call-back routines. See cleanup_milter_error() above.
1506 */
1511 /* XXX Should log the reason here. */
1524 /* XXX Can this happen after end-of-message? */
1530 /*
1531 * Override permanent reject with temporary reject. This happens when
1532 * the cleanup server has to bounce (hard reject) but is unable to
1533 * store the message (soft reject). After a temporary reject we stop
1534 * inspecting queue file records, so it can't be overruled by
1535 * something else.
1536 *
1537 * CLEANUP_STAT_CONT and CLEANUP_STAT_DEFER both update the reason
1538 * attribute, but CLEANUP_STAT_DEFER takes precedence. It terminates
1539 * queue record processing, and prevents bounces from being sent.
1540 */
1557 }
1572 }
1574 /* cleanup_milter_client_init - initialize real or ersatz client info */
1577 {
1580 /*
1581 * Either the cleanup client specifies a name, address and protocol, or
1582 * we have a local submission and pretend localhost/127.0.0.1/AF_INET.
1583 */
1602 /* Compatibility with pre-2.5 queue files. */
1605 }
1607 /* cleanup_milter_inspect - run message through mail filter */
1610 {
1617 /*
1618 * Initialize, in case we're called via smtpd(8).
1619 */
1623 /*
1624 * Process mail filter replies. The reply format is verified by the mail
1625 * filter library.
1626 */
1632 }
1634 /* cleanup_milter_emul_mail - emulate connect/ehlo/mail event */
1639 {
1644 /*
1645 * Per-connection initialization.
1646 */
1657 /*
1658 * Emulate SMTP events.
1659 */
1664 }
1665 #define PRETEND_ESMTP 1
1673 }
1674 }
1678 /* Sendmail 8.13 does not externalize the null address. */
1681 else
1688 }
1689 }
1690 }
1692 /* cleanup_milter_emul_rcpt - emulate rcpt event */
1697 {
1702 /*
1703 * Sanity check.
1704 */
1708 /*
1709 * CLEANUP_STAT_CONT and CLEANUP_STAT_DEFER both update the reason
1710 * attribute, but CLEANUP_STAT_DEFER takes precedence. It terminates
1711 * queue record processing, and prevents bounces from being sent.
1712 */
1715 /* Sendmail 8.13 does not externalize the null address. */
1718 else
1729 }
1730 }
1732 /* cleanup_milter_emul_data - emulate data event */
1735 {
1739 /*
1740 * Sanity check.
1741 */
1747 }
1749 #ifdef TEST
1751 /*
1752 * Queue file editing driver for regression tests. In this case it is OK to
1753 * report fatal errors after I/O errors.
1754 */
1755 #include <stdio.h>
1756 #include <msg_vstream.h>
1757 #include <vstring_vstream.h>
1758 #include <mail_addr.h>
1759 #include <mail_version.h>
1761 #undef msg_verbose
1785 /* Dummies to satisfy unused external references. */
1788 {
1790 }
1794 {
1797 }
1801 {
1803 }
1807 {
1809 }
1812 ssize_t len)
1813 {
1815 }
1818 {
1829 }
1831 /* flatten_args - unparse partial command line */
1834 {
1842 }
1844 }
1846 /* open_queue_file - open an unedited queue file (all-zero dummy PTRs) */
1849 {
1851 off_t curr_offset;
1864 }
1887 cleanup_path);
1903 }
1913 }
1914 }
1915 }
1919 }
1927 }
1928 }
1930 }
1933 {
1938 }
1941 {
1956 ssize_t index;
1961 }
1969 }
1986 }
1991 }
1996 }
2007 }
2016 }
2025 }
2033 }
2039 }
2045 }
2051 }
2057 }
2075 }
2076 }
2079 }
2081 }
2087 }
2089 #endif