| blob | ce83cd17e0836edde2963e8dbf70b48bc9c1db09 |
1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* pickup 8
6 /* SUMMARY
7 /* Postfix local mail pickup
8 /* SYNOPSIS
9 /* \fBpickup\fR [generic Postfix daemon options]
10 /* DESCRIPTION
11 /* The \fBpickup\fR(8) daemon waits for hints that new mail has been
12 /* dropped into the \fBmaildrop\fR directory, and feeds it into the
13 /* \fBcleanup\fR(8) daemon.
14 /* Ill-formatted files are deleted without notifying the originator.
15 /* This program expects to be run from the \fBmaster\fR(8) process
16 /* manager.
17 /* STANDARDS
18 /* .ad
19 /* .fi
20 /* None. The \fBpickup\fR(8) daemon does not interact with
21 /* the outside world.
22 /* SECURITY
23 /* .ad
24 /* .fi
25 /* The \fBpickup\fR(8) daemon is moderately security sensitive. It runs
26 /* with fixed low privilege and can run in a chrooted environment.
27 /* However, the program reads files from potentially hostile users.
28 /* The \fBpickup\fR(8) daemon opens no files for writing, is careful about
29 /* what files it opens for reading, and does not actually touch any data
30 /* that is sent to its public service endpoint.
31 /* DIAGNOSTICS
32 /* Problems and transactions are logged to \fBsyslogd\fR(8).
33 /* BUGS
34 /* The \fBpickup\fR(8) daemon copies mail from file to the \fBcleanup\fR(8)
35 /* daemon. It could avoid message copying overhead by sending a file
36 /* descriptor instead of file data, but then the already complex
37 /* \fBcleanup\fR(8) daemon would have to deal with unfiltered user data.
38 /* CONFIGURATION PARAMETERS
39 /* .ad
40 /* .fi
41 /* As the \fBpickup\fR(8) daemon is a relatively long-running process, up
42 /* to an hour may pass before a \fBmain.cf\fR change takes effect.
43 /* Use the command "\fBpostfix reload\fR" command to speed up a change.
44 /*
45 /* The text below provides only a parameter summary. See
46 /* \fBpostconf\fR(5) for more details including examples.
47 /* CONTENT INSPECTION CONTROLS
48 /* .ad
49 /* .fi
50 /* .IP "\fBcontent_filter (empty)\fR"
51 /* The name of a mail delivery transport that filters mail after
52 /* it is queued.
53 /* .IP "\fBreceive_override_options (empty)\fR"
54 /* Enable or disable recipient validation, built-in content
55 /* filtering, or address mapping.
56 /* MISCELLANEOUS CONTROLS
57 /* .ad
58 /* .fi
59 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
60 /* The default location of the Postfix main.cf and master.cf
61 /* configuration files.
62 /* .IP "\fBipc_timeout (3600s)\fR"
63 /* The time limit for sending or receiving information over an internal
64 /* communication channel.
65 /* .IP "\fBline_length_limit (2048)\fR"
66 /* Upon input, long lines are chopped up into pieces of at most
67 /* this length; upon delivery, long lines are reconstructed.
68 /* .IP "\fBmax_idle (100s)\fR"
69 /* The maximum amount of time that an idle Postfix daemon process waits
70 /* for an incoming connection before terminating voluntarily.
71 /* .IP "\fBmax_use (100)\fR"
72 /* The maximal number of incoming connections that a Postfix daemon
73 /* process will service before terminating voluntarily.
74 /* .IP "\fBprocess_id (read-only)\fR"
75 /* The process ID of a Postfix command or daemon process.
76 /* .IP "\fBprocess_name (read-only)\fR"
77 /* The process name of a Postfix command or daemon process.
78 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
79 /* The location of the Postfix top-level queue directory.
80 /* .IP "\fBsyslog_facility (mail)\fR"
81 /* The syslog facility of Postfix logging.
82 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
83 /* The mail system name that is prepended to the process name in syslog
84 /* records, so that "smtpd" becomes, for example, "postfix/smtpd".
85 /* SEE ALSO
86 /* cleanup(8), message canonicalization
87 /* sendmail(1), Sendmail-compatible interface
88 /* postdrop(1), mail posting agent
89 /* postconf(5), configuration parameters
90 /* master(5), generic daemon options
91 /* master(8), process manager
92 /* syslogd(8), system logging
93 /* LICENSE
94 /* .ad
95 /* .fi
96 /* The Secure Mailer license must be distributed with this software.
97 /* AUTHOR(S)
98 /* Wietse Venema
99 /* IBM T.J. Watson Research
100 /* P.O. Box 704
101 /* Yorktown Heights, NY 10598, USA
102 /*--*/
104 /* System library. */
106 #include <sys_defs.h>
107 #include <sys/stat.h>
108 #include <dirent.h>
109 #include <unistd.h>
110 #include <stdlib.h>
111 #include <time.h>
112 #include <string.h>
113 #include <fcntl.h>
114 #include <errno.h>
115 #include <ctype.h>
117 /* Utility library. */
119 #include <msg.h>
120 #include <scan_dir.h>
121 #include <vstring.h>
122 #include <vstream.h>
123 #include <set_ugid.h>
124 #include <safe_open.h>
125 #include <watchdog.h>
126 #include <stringops.h>
128 /* Global library. */
130 #include <mail_queue.h>
131 #include <mail_open_ok.h>
132 #include <mymalloc.h>
133 #include <mail_proto.h>
134 #include <cleanup_user.h>
135 #include <mail_date.h>
136 #include <mail_params.h>
137 #include <mail_conf.h>
138 #include <record.h>
139 #include <rec_type.h>
140 #include <lex_822.h>
141 #include <input_transp.h>
142 #include <rec_attr_map.h>
143 #include <mail_version.h>
145 /* Single-threaded server skeleton. */
147 #include <mail_server.h>
149 /* Application-specific. */
154 /*
155 * Structure to bundle a bunch of information about a queue file.
156 */
164 /*
165 * What action should be taken after attempting to deliver a message: remove
166 * the file from the maildrop, or leave it alone. The latter is also used
167 * for files that are still being written to.
168 */
169 #define REMOVE_MESSAGE_FILE 1
170 #define KEEP_MESSAGE_FILE 2
172 /*
173 * Transparency: before mail is queued, do we allow address mapping,
174 * automatic bcc, header/body checks?
175 */
178 /* file_read_error - handle error while reading queue file */
181 {
185 }
187 /* cleanup_service_error_reason - handle error writing to cleanup service. */
191 {
193 /*
194 * XXX If the cleanup server gave a reason, then it was already logged.
195 * Don't bother logging it another time.
196 */
201 }
203 #define cleanup_service_error(info, status) \
204 cleanup_service_error_reason((info), (status), (char *) 0)
206 /* copy_segment - copy a record group */
210 {
219 /*
220 * Limit the input record size. All front-end programs should protect the
221 * mail system against unreasonable inputs. This also requires that we
222 * limit the size of envelope records written by the local posting agent.
223 *
224 * Records with named attributes are filtered by postdrop(1).
225 *
226 * We must allow PTR records here because of "postsuper -r".
227 */
239 /* Compatibility with Postfix < 2.3. */
243 }
247 /*
248 * XXX Workaround: REC_TYPE_FILT (used in envelopes) == REC_TYPE_CONT
249 * (used in message content).
250 *
251 * As documented in postsuper(1), ignore content filter record.
252 */
255 /* Discard FILTER record after "postsuper -r". */
258 /* Discard REDIRECT record after "postsuper -r". */
260 }
263 /* Discard return-receipt record after "postsuper -r". */
266 /* Discard errors-to record after "postsuper -r". */
274 /* Discard other/header/body action after "postsuper -r". */
277 }
278 }
280 /*
281 * XXX Force an empty record when the queue file content begins with
282 * whitespace, so that it won't be considered as being part of our
283 * own Received: header. What an ugly Kluge.
284 */
290 }
293 }
295 }
297 /* pickup_copy - copy message to cleanup service */
301 {
306 /*
307 * Protect against time-warped time stamps. Warn about mail that has been
308 * queued for an excessive amount of time. Allow for some time drift with
309 * network clients that mount the maildrop remotely - especially clients
310 * that can't get their daylight savings offsets right.
311 */
312 #define DAY_SECONDS 86400
313 #define HOUR_SECONDS 3600
322 }
324 /*
325 * Add content inspection transport. See also postsuper(1).
326 */
330 /*
331 * Copy the message envelope segment. Allow only those records that we
332 * expect to see in the envelope section. The envelope segment must
333 * contain an envelope sender address.
334 */
341 }
343 /*
344 * For messages belonging to $mail_owner also log the maildrop queue id.
345 * This supports message tracking for mail requeued via "postsuper -r".
346 */
347 #define MAIL_IS_REQUEUED(info) \
348 ((info)->st.st_uid == var_owner_uid && ((info)->st.st_mode & S_IROTH) == 0)
358 }
360 /*
361 * Message content segment. Send a dummy message length. Prepend a
362 * Received: header to the message contents. For tracing purposes,
363 * include the message file ownership, without revealing the login name.
364 */
371 /*
372 * Copy the message content segment. Allow only those records that we
373 * expect to see in the message content section.
374 */
378 /*
379 * Send the segment with information extracted from message headers.
380 * Permit a non-empty extracted segment, so that list manager software
381 * can to output recipients after the message, and so that sysadmins can
382 * re-inject messages after a change of configuration.
383 */
388 /*
389 * There are no errors. Send the end-of-data marker, and get the cleanup
390 * service completion status. XXX Since the pickup service is unable to
391 * bounce, the cleanup service can report only soft errors here.
392 */
400 /*
401 * Depending on the cleanup service completion status, delete the message
402 * file, or try again later. Bounces are dealt with by the cleanup
403 * service itself. The master process wakes up the cleanup service every
404 * now and then.
405 */
410 }
411 }
413 /* pickup_file - initialize for file copy and cleanup */
416 {
423 /*
424 * Open the submitted file. If we cannot open it, and we're not having a
425 * file descriptor leak problem, delete the submitted file, so that we
426 * won't keep complaining about the same file again and again. XXX
427 * Perhaps we should save "bad" files elsewhere for further inspection.
428 * XXX How can we delete a file when open() fails with ENOENT?
429 */
440 }
442 /*
443 * Contact the cleanup service and read the queue ID that it has
444 * allocated. In case of trouble, request that the cleanup service
445 * bounces its copy of the message. because the original input file is
446 * not readable by the bounce service.
447 *
448 * If mail is re-injected with "postsuper -r", disable Milter applications.
449 * If they were run before the mail was queued then there is no need to
450 * run them again. Moreover, the queue file does not contain enough
451 * information to reproduce the exact same SMTP events and Sendmail
452 * macros that Milters received when the mail originally arrived in
453 * Postfix.
454 *
455 * The actual message copying code is in a separate routine, so that it is
456 * easier to implement the many possible error exits without forgetting
457 * to close files, or to release memory.
458 */
459 cleanup_flags =
461 pickup_input_transp_mask);
462 /* As documented in postsuper(1). */
477 }
482 }
484 /* pickup_init - init info structure */
487 {
491 }
493 /* pickup_free - wipe info structure */
496 {
497 #define SAFE_FREE(x) { if (x) myfree(x); }
502 }
504 /* pickup_service - service client */
508 {
511 PICKUP_INFO info;
516 /*
517 * Sanity check. This service takes no command-line arguments.
518 */
522 /*
523 * Skip over things that we don't want to open, such as files that are
524 * still being written, or garbage. Leave it up to the sysadmin to remove
525 * garbage. Keep scanning the queue directory until we stop removing
526 * files from it.
527 *
528 * When we find a file, stroke the watchdog so that it will not bark while
529 * some application is keeping us busy by injecting lots of mail into the
530 * maildrop directory.
531 */
544 else
545 file_count++;
546 }
548 }
549 }
552 }
554 /* post_jail_init - drop privileges */
557 {
559 /*
560 * In case master.cf was not updated for unprivileged service.
561 */
565 /*
566 * Initialize the receive transparency options: do we want unknown
567 * recipient checks, do we want address mapping.
568 */
569 pickup_input_transp_mask =
571 }
573 MAIL_VERSION_STAMP_DECLARE;
575 /* main - pass control to the multi-threaded server skeleton */
578 {
583 };
585 /*
586 * Fingerprint executables and core dumps.
587 */
588 MAIL_VERSION_STAMP_ALLOCATE;
590 /*
591 * Use the multi-threaded skeleton, because no-one else should be
592 * monitoring our service socket while this process runs.
593 *
594 * XXX The default watchdog timeout for trigger servers is 1000s, while the
595 * cleanup server watchdog timeout is $daemon_timeout (i.e. several
596 * hours). We override the default 1000s timeout to avoid problems with
597 * slow mail submission. The real problem is of course that the
598 * single-threaded pickup server is not a good solution for mail
599 * submissions.
600 */
604 MAIL_SERVER_SOLITARY,
607 }