1/* $NetBSD: postqueue.c,v 1.1.1.3 2012/06/09 11:27:17 tron Exp $ */ 2 3/*++ 4/* NAME 5/* postqueue 1 6/* SUMMARY 7/* Postfix queue control 8/* SYNOPSIS 9/* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-f\fR 10/* .br 11/* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-i \fIqueue_id\fR 12/* .br 13/* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-p\fR 14/* .br 15/* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-s \fIsite\fR 16/* DESCRIPTION 17/* The \fBpostqueue\fR(1) command implements the Postfix user interface 18/* for queue management. It implements operations that are 19/* traditionally available via the \fBsendmail\fR(1) command. 20/* See the \fBpostsuper\fR(1) command for queue operations 21/* that require super-user privileges such as deleting a message 22/* from the queue or changing the status of a message. 23/* 24/* The following options are recognized: 25/* .IP "\fB-c \fIconfig_dir\fR" 26/* The \fBmain.cf\fR configuration file is in the named directory 27/* instead of the default configuration directory. See also the 28/* MAIL_CONFIG environment setting below. 29/* .IP \fB-f\fR 30/* Flush the queue: attempt to deliver all queued mail. 31/* 32/* This option implements the traditional "\fBsendmail -q\fR" command, 33/* by contacting the Postfix \fBqmgr\fR(8) daemon. 34/* 35/* Warning: flushing undeliverable mail frequently will result in 36/* poor delivery performance of all other mail. 37/* .IP "\fB-i \fIqueue_id\fR" 38/* Schedule immediate delivery of deferred mail with the 39/* specified queue ID. 40/* 41/* This option implements the traditional \fBsendmail -qI\fR 42/* command, by contacting the \fBflush\fR(8) server. 43/* 44/* This feature is available with Postfix version 2.4 and later. 45/* .IP \fB-p\fR 46/* Produce a traditional sendmail-style queue listing. 47/* This option implements the traditional \fBmailq\fR command, 48/* by contacting the Postfix \fBshowq\fR(8) daemon. 49/* 50/* Each queue entry shows the queue file ID, message 51/* size, arrival time, sender, and the recipients that still need to 52/* be delivered. If mail could not be delivered upon the last attempt, 53/* the reason for failure is shown. The queue ID string 54/* is followed by an optional status character: 55/* .RS 56/* .IP \fB*\fR 57/* The message is in the \fBactive\fR queue, i.e. the message is 58/* selected for delivery. 59/* .IP \fB!\fR 60/* The message is in the \fBhold\fR queue, i.e. no further delivery 61/* attempt will be made until the mail is taken off hold. 62/* .RE 63/* .IP "\fB-s \fIsite\fR" 64/* Schedule immediate delivery of all mail that is queued for the named 65/* \fIsite\fR. A numerical site must be specified as a valid RFC 2821 66/* address literal enclosed in [], just like in email addresses. 67/* The site must be eligible for the "fast flush" service. 68/* See \fBflush\fR(8) for more information about the "fast flush" 69/* service. 70/* 71/* This option implements the traditional "\fBsendmail -qR\fIsite\fR" 72/* command, by contacting the Postfix \fBflush\fR(8) daemon. 73/* .IP \fB-v\fR 74/* Enable verbose logging for debugging purposes. Multiple \fB-v\fR 75/* options make the software increasingly verbose. As of Postfix 2.3, 76/* this option is available for the super-user only. 77/* SECURITY 78/* .ad 79/* .fi 80/* This program is designed to run with set-group ID privileges, so 81/* that it can connect to Postfix daemon processes. 82/* DIAGNOSTICS 83/* Problems are logged to \fBsyslogd\fR(8) and to the standard error 84/* stream. 85/* ENVIRONMENT 86/* .ad 87/* .fi 88/* .IP MAIL_CONFIG 89/* Directory with the \fBmain.cf\fR file. In order to avoid exploitation 90/* of set-group ID privileges, a non-standard directory is allowed only 91/* if: 92/* .RS 93/* .IP \(bu 94/* The name is listed in the standard \fBmain.cf\fR file with the 95/* \fBalternate_config_directories\fR configuration parameter. 96/* .IP \(bu 97/* The command is invoked by the super-user. 98/* .RE 99/* CONFIGURATION PARAMETERS 100/* .ad 101/* .fi 102/* The following \fBmain.cf\fR parameters are especially relevant to 103/* this program. 104/* The text below provides only a parameter summary. See 105/* \fBpostconf\fR(5) for more details including examples. 106/* .IP "\fBalternate_config_directories (empty)\fR" 107/* A list of non-default Postfix configuration directories that may 108/* be specified with "-c config_directory" on the command line, or 109/* via the MAIL_CONFIG environment parameter. 110/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 111/* The default location of the Postfix main.cf and master.cf 112/* configuration files. 113/* .IP "\fBcommand_directory (see 'postconf -d' output)\fR" 114/* The location of all postfix administrative commands. 115/* .IP "\fBfast_flush_domains ($relay_domains)\fR" 116/* Optional list of destinations that are eligible for per-destination 117/* logfiles with mail that is queued to those destinations. 118/* .IP "\fBimport_environment (see 'postconf -d' output)\fR" 119/* The list of environment parameters that a Postfix process will 120/* import from a non-Postfix parent process. 121/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 122/* The location of the Postfix top-level queue directory. 123/* .IP "\fBsyslog_facility (mail)\fR" 124/* The syslog facility of Postfix logging. 125/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 126/* The mail system name that is prepended to the process name in syslog 127/* records, so that "smtpd" becomes, for example, "postfix/smtpd". 128/* .IP "\fBtrigger_timeout (10s)\fR" 129/* The time limit for sending a trigger to a Postfix daemon (for 130/* example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon). 131/* .PP 132/* Available in Postfix version 2.2 and later: 133/* .IP "\fBauthorized_flush_users (static:anyone)\fR" 134/* List of users who are authorized to flush the queue. 135/* .IP "\fBauthorized_mailq_users (static:anyone)\fR" 136/* List of users who are authorized to view the queue. 137/* FILES 138/* /var/spool/postfix, mail queue 139/* SEE ALSO 140/* qmgr(8), queue manager 141/* showq(8), list mail queue 142/* flush(8), fast flush service 143/* sendmail(1), Sendmail-compatible user interface 144/* postsuper(1), privileged queue operations 145/* README FILES 146/* .ad 147/* .fi 148/* Use "\fBpostconf readme_directory\fR" or 149/* "\fBpostconf html_directory\fR" to locate this information. 150/* .na 151/* .nf 152/* ETRN_README, Postfix ETRN howto 153/* LICENSE 154/* .ad 155/* .fi 156/* The Secure Mailer license must be distributed with this software. 157/* HISTORY 158/* .ad 159/* .fi 160/* The postqueue command was introduced with Postfix version 1.1. 161/* AUTHOR(S) 162/* Wietse Venema 163/* IBM T.J. Watson Research 164/* P.O. Box 704 165/* Yorktown Heights, NY 10598, USA 166/*--*/ 167 168/* System library. */ 169 170#include <sys_defs.h> 171#include <sys/stat.h> 172#include <unistd.h> 173#include <string.h> 174#include <stdlib.h> 175#include <signal.h> 176#include <sysexits.h> 177#include <errno.h> 178 179/* Utility library. */ 180 181#include <msg.h> 182#include <mymalloc.h> 183#include <clean_env.h> 184#include <vstream.h> 185#include <msg_vstream.h> 186#include <msg_syslog.h> 187#include <argv.h> 188#include <safe.h> 189#include <connect.h> 190#include <valid_hostname.h> 191#include <events.h> 192 193/* Global library. */ 194 195#include <mail_proto.h> 196#include <mail_params.h> 197#include <mail_version.h> 198#include <mail_conf.h> 199#include <mail_task.h> 200#include <mail_run.h> 201#include <mail_flush.h> 202#include <mail_queue.h> 203#include <flush_clnt.h> 204#include <smtp_stream.h> 205#include <user_acl.h> 206#include <valid_mailhost_addr.h> 207#include <mail_dict.h> 208 209/* Application-specific. */ 210 211 /* 212 * WARNING WARNING WARNING 213 * 214 * This software is designed to run set-gid. In order to avoid exploitation of 215 * privilege, this software should not run any external commands, nor should 216 * it take any information from the user, unless that information can be 217 * properly sanitized. To get an idea of how much information a process can 218 * inherit from a potentially hostile user, examine all the members of the 219 * process structure (typically, in /usr/include/sys/proc.h): the current 220 * directory, open files, timers, signals, environment, command line, umask, 221 * and so on. 222 */ 223 224 /* 225 * Modes of operation. 226 * 227 * XXX To support flush by recipient domain, or for destinations that have no 228 * mapping to logfile, the server has to defend against resource exhaustion 229 * attacks. A malicious user could fork off a postqueue client that starts 230 * an expensive requests and then kills the client immediately; this way she 231 * could create a high Postfix load on the system without ever exceeding her 232 * own per-user process limit. To prevent this, either the server needs to 233 * establish frequent proof of client liveliness with challenge/response, or 234 * the client needs to restrict expensive requests to privileged users only. 235 * 236 * We don't have this problem with queue listings. The showq server detects an 237 * EPIPE error after reporting a few queue entries. 238 */ 239#define PQ_MODE_DEFAULT 0 /* noop */ 240#define PQ_MODE_MAILQ_LIST 1 /* list mail queue */ 241#define PQ_MODE_FLUSH_QUEUE 2 /* flush queue */ 242#define PQ_MODE_FLUSH_SITE 3 /* flush site */ 243#define PQ_MODE_FLUSH_FILE 4 /* flush message */ 244 245 /* 246 * Silly little macros (SLMs). 247 */ 248#define STR vstring_str 249 250 /* 251 * Queue manipulation access lists. 252 */ 253char *var_flush_acl; 254char *var_showq_acl; 255 256static const CONFIG_STR_TABLE str_table[] = { 257 VAR_FLUSH_ACL, DEF_FLUSH_ACL, &var_flush_acl, 0, 0, 258 VAR_SHOWQ_ACL, DEF_SHOWQ_ACL, &var_showq_acl, 0, 0, 259 0, 260}; 261 262/* show_queue - show queue status */ 263 264static void show_queue(void) 265{ 266 const char *errstr; 267 char buf[VSTREAM_BUFSIZE]; 268 VSTREAM *showq; 269 int n; 270 uid_t uid = getuid(); 271 272 if (uid != 0 && uid != var_owner_uid 273 && (errstr = check_user_acl_byuid(var_showq_acl, uid)) != 0) 274 msg_fatal_status(EX_NOPERM, 275 "User %s(%ld) is not allowed to view the mail queue", 276 errstr, (long) uid); 277 278 /* 279 * Connect to the show queue service. Terminate silently when piping into 280 * a program that terminates early. 281 */ 282 if ((showq = mail_connect(MAIL_CLASS_PUBLIC, var_showq_service, BLOCKING)) != 0) { 283 while ((n = vstream_fread(showq, buf, sizeof(buf))) > 0) { 284 if (vstream_fwrite(VSTREAM_OUT, buf, n) != n 285 || vstream_fflush(VSTREAM_OUT) != 0) { 286 if (errno == EPIPE) 287 break; 288 msg_fatal("write error: %m"); 289 } 290 } 291 if (vstream_fclose(showq) && errno != EPIPE) 292 msg_warn("close: %m"); 293 } 294 295 /* 296 * Don't assume that the mail system is down when the user has 297 * insufficient permission to access the showq socket. 298 */ 299 else if (errno == EACCES) { 300 msg_fatal_status(EX_SOFTWARE, 301 "Connect to the %s %s service: %m", 302 var_mail_name, var_showq_service); 303 } 304 305 /* 306 * When the mail system is down, the superuser can still access the queue 307 * directly. Just run the showq program in stand-alone mode. 308 */ 309 else if (geteuid() == 0) { 310 ARGV *argv; 311 int stat; 312 313 msg_warn("Mail system is down -- accessing queue directly"); 314 argv = argv_alloc(6); 315 argv_add(argv, var_showq_service, "-u", "-S", (char *) 0); 316 for (n = 0; n < msg_verbose; n++) 317 argv_add(argv, "-v", (char *) 0); 318 argv_terminate(argv); 319 stat = mail_run_foreground(var_daemon_dir, argv->argv); 320 argv_free(argv); 321 } 322 323 /* 324 * When the mail system is down, unprivileged users are stuck, because by 325 * design the mail system contains no set_uid programs. The only way for 326 * an unprivileged user to cross protection boundaries is to talk to the 327 * showq daemon. 328 */ 329 else { 330 msg_fatal_status(EX_UNAVAILABLE, 331 "Queue report unavailable - mail system is down"); 332 } 333} 334 335/* flush_queue - force delivery */ 336 337static void flush_queue(void) 338{ 339 const char *errstr; 340 uid_t uid = getuid(); 341 342 if (uid != 0 && uid != var_owner_uid 343 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 344 msg_fatal_status(EX_NOPERM, 345 "User %s(%ld) is not allowed to flush the mail queue", 346 errstr, (long) uid); 347 348 /* 349 * Trigger the flush queue service. 350 */ 351 if (mail_flush_deferred() < 0) 352 msg_fatal_status(EX_UNAVAILABLE, 353 "Cannot flush mail queue - mail system is down"); 354 if (mail_flush_maildrop() < 0) 355 msg_fatal_status(EX_UNAVAILABLE, 356 "Cannot flush mail queue - mail system is down"); 357 event_drain(2); 358} 359 360/* flush_site - flush mail for site */ 361 362static void flush_site(const char *site) 363{ 364 int status; 365 const char *errstr; 366 uid_t uid = getuid(); 367 368 if (uid != 0 && uid != var_owner_uid 369 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 370 msg_fatal_status(EX_NOPERM, 371 "User %s(%ld) is not allowed to flush the mail queue", 372 errstr, (long) uid); 373 374 flush_init(); 375 376 switch (status = flush_send_site(site)) { 377 case FLUSH_STAT_OK: 378 exit(0); 379 case FLUSH_STAT_BAD: 380 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", site); 381 case FLUSH_STAT_FAIL: 382 msg_fatal_status(EX_UNAVAILABLE, 383 "Cannot flush mail queue - mail system is down"); 384 case FLUSH_STAT_DENY: 385 msg_fatal_status(EX_UNAVAILABLE, 386 "Flush service is not configured for destination \"%s\"", 387 site); 388 default: 389 msg_fatal_status(EX_SOFTWARE, 390 "Unknown flush server reply status %d", status); 391 } 392} 393 394/* flush_file - flush mail with specific queue ID */ 395 396static void flush_file(const char *queue_id) 397{ 398 int status; 399 const char *errstr; 400 uid_t uid = getuid(); 401 402 if (uid != 0 && uid != var_owner_uid 403 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 404 msg_fatal_status(EX_NOPERM, 405 "User %s(%ld) is not allowed to flush the mail queue", 406 errstr, (long) uid); 407 408 switch (status = flush_send_file(queue_id)) { 409 case FLUSH_STAT_OK: 410 exit(0); 411 case FLUSH_STAT_BAD: 412 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", queue_id); 413 case FLUSH_STAT_FAIL: 414 msg_fatal_status(EX_UNAVAILABLE, 415 "Cannot flush mail queue - mail system is down"); 416 default: 417 msg_fatal_status(EX_SOFTWARE, 418 "Unexpected flush server reply status %d", status); 419 } 420} 421 422/* unavailable - sanitize exit status from library run-time errors */ 423 424static void unavailable(void) 425{ 426 exit(EX_UNAVAILABLE); 427} 428 429/* usage - scream and die */ 430 431static NORETURN usage(void) 432{ 433 msg_fatal_status(EX_USAGE, "usage: postqueue -f | postqueue -i queueid | postqueue -p | postqueue -s site"); 434} 435 436MAIL_VERSION_STAMP_DECLARE; 437 438/* main - the main program */ 439 440int main(int argc, char **argv) 441{ 442 struct stat st; 443 char *slash; 444 int c; 445 int fd; 446 int mode = PQ_MODE_DEFAULT; 447 char *site_to_flush = 0; 448 char *id_to_flush = 0; 449 ARGV *import_env; 450 int bad_site; 451 452 /* 453 * Fingerprint executables and core dumps. 454 */ 455 MAIL_VERSION_STAMP_ALLOCATE; 456 457 /* 458 * Be consistent with file permissions. 459 */ 460 umask(022); 461 462 /* 463 * To minimize confusion, make sure that the standard file descriptors 464 * are open before opening anything else. XXX Work around for 44BSD where 465 * fstat can return EBADF on an open file descriptor. 466 */ 467 for (fd = 0; fd < 3; fd++) 468 if (fstat(fd, &st) == -1 469 && (close(fd), open("/dev/null", O_RDWR, 0)) != fd) 470 msg_fatal_status(EX_UNAVAILABLE, "open /dev/null: %m"); 471 472 /* 473 * Initialize. Set up logging, read the global configuration file and 474 * extract configuration information. Set up signal handlers so that we 475 * can clean up incomplete output. 476 */ 477 if ((slash = strrchr(argv[0], '/')) != 0 && slash[1]) 478 argv[0] = slash + 1; 479 msg_vstream_init(argv[0], VSTREAM_ERR); 480 msg_cleanup(unavailable); 481 msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY); 482 set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0])); 483 484 /* 485 * Parse JCL. This program is set-gid and must sanitize all command-line 486 * parameters. The configuration directory argument is validated by the 487 * mail configuration read routine. Don't do complex things until we have 488 * completed initializations. 489 */ 490 while ((c = GETOPT(argc, argv, "c:fi:ps:v")) > 0) { 491 switch (c) { 492 case 'c': /* non-default configuration */ 493 if (setenv(CONF_ENV_PATH, optarg, 1) < 0) 494 msg_fatal_status(EX_UNAVAILABLE, "out of memory"); 495 break; 496 case 'f': /* flush queue */ 497 if (mode != PQ_MODE_DEFAULT) 498 usage(); 499 mode = PQ_MODE_FLUSH_QUEUE; 500 break; 501 case 'i': /* flush queue file */ 502 if (mode != PQ_MODE_DEFAULT) 503 usage(); 504 mode = PQ_MODE_FLUSH_FILE; 505 id_to_flush = optarg; 506 break; 507 case 'p': /* traditional mailq */ 508 if (mode != PQ_MODE_DEFAULT) 509 usage(); 510 mode = PQ_MODE_MAILQ_LIST; 511 break; 512 case 's': /* flush site */ 513 if (mode != PQ_MODE_DEFAULT) 514 usage(); 515 mode = PQ_MODE_FLUSH_SITE; 516 site_to_flush = optarg; 517 break; 518 case 'v': 519 if (geteuid() == 0) 520 msg_verbose++; 521 break; 522 default: 523 usage(); 524 } 525 } 526 if (argc > optind) 527 usage(); 528 529 /* 530 * Further initialization... 531 */ 532 mail_conf_read(); 533 if (strcmp(var_syslog_name, DEF_SYSLOG_NAME) != 0) 534 msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY); 535 mail_dict_init(); /* proxy, sql, ldap */ 536 get_mail_conf_str_table(str_table); 537 538 /* 539 * This program is designed to be set-gid, which makes it a potential 540 * target for attack. If not running as root, strip the environment so we 541 * don't have to trust the C library. If running as root, don't strip the 542 * environment so that showq can receive non-default configuration 543 * directory info when the mail system is down. 544 */ 545 if (geteuid() != 0) { 546 import_env = argv_split(var_import_environ, ", \t\r\n"); 547 clean_env(import_env->argv); 548 argv_free(import_env); 549 } 550 if (chdir(var_queue_dir)) 551 msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir); 552 553 signal(SIGPIPE, SIG_IGN); 554 555 /* End of initializations. */ 556 557 /* 558 * Further input validation. 559 */ 560 if (site_to_flush != 0) { 561 bad_site = 0; 562 if (*site_to_flush == '[') { 563 bad_site = !valid_mailhost_literal(site_to_flush, DONT_GRIPE); 564 } else { 565 bad_site = !valid_hostname(site_to_flush, DONT_GRIPE); 566 } 567 if (bad_site) 568 msg_fatal_status(EX_USAGE, 569 "Cannot flush mail queue - invalid destination: \"%.100s%s\"", 570 site_to_flush, strlen(site_to_flush) > 100 ? "..." : ""); 571 } 572 if (id_to_flush != 0) { 573 if (!mail_queue_id_ok(id_to_flush)) 574 msg_fatal_status(EX_USAGE, 575 "Cannot flush queue ID - invalid name: \"%.100s%s\"", 576 id_to_flush, strlen(id_to_flush) > 100 ? "..." : ""); 577 } 578 579 /* 580 * Start processing. 581 */ 582 switch (mode) { 583 default: 584 msg_panic("unknown operation mode: %d", mode); 585 /* NOTREACHED */ 586 case PQ_MODE_MAILQ_LIST: 587 show_queue(); 588 exit(0); 589 break; 590 case PQ_MODE_FLUSH_SITE: 591 flush_site(site_to_flush); 592 exit(0); 593 break; 594 case PQ_MODE_FLUSH_FILE: 595 flush_file(id_to_flush); 596 exit(0); 597 break; 598 case PQ_MODE_FLUSH_QUEUE: 599 flush_queue(); 600 exit(0); 601 break; 602 case PQ_MODE_DEFAULT: 603 usage(); 604 /* NOTREACHED */ 605 } 606} 607