postqueue.c

[詳解]

/*++
/* NAME
/*  postqueue 1
/* SUMMARY
/*  Postfix queue control
/* SYNOPSIS
/* .ti -4
/*  \fBTo flush the mail queue\fR:
/*
/*  \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-f\fR
/*
/*  \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-i \fIqueue_id\fR
/*
/*  \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-s \fIsite\fR
/*
/* .ti -4
/*  \fBTo list the mail queue\fR:
/*
/*  \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-j\fR
/*
/*  \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-p\fR
/* DESCRIPTION
/*  The \fBpostqueue\fR(1) command implements the Postfix user interface
/*  for queue management. It implements operations that are
/*  traditionally available via the \fBsendmail\fR(1) command.
/*  See the \fBpostsuper\fR(1) command for queue operations
/*  that require super-user privileges such as deleting a message
/*  from the queue or changing the status of a message.
/*
/*  The following options are recognized:
/* .IP "\fB-c \fIconfig_dir\fR"
/*  The \fBmain.cf\fR configuration file is in the named directory
/*  instead of the default configuration directory. See also the
/*  MAIL_CONFIG environment setting below.
/* .IP \fB-f\fR
/*  Flush the queue: attempt to deliver all queued mail.
/*
/*  This option implements the traditional "\fBsendmail -q\fR" command,
/*  by contacting the Postfix \fBqmgr\fR(8) daemon.
/*
/*  Warning: flushing undeliverable mail frequently will result in
/*  poor delivery performance of all other mail.
/* .IP "\fB-i \fIqueue_id\fR"
/*  Schedule immediate delivery of deferred mail with the
/*  specified queue ID.
/*
/*  This option implements the traditional \fBsendmail -qI\fR
/*  command, by contacting the \fBflush\fR(8) server.
/*
/*  This feature is available with Postfix version 2.4 and later.
/* .IP "\fB-j\fR"
/*  Produce a queue listing in JSON format, based on output
/*  from the showq(8) daemon.  The result is a stream of zero
/*  or more JSON objects, one per queue file.  Each object is
/*  followed by a newline character to support simple streaming
/*  parsers. See "\fBJSON OBJECT FORMAT\fR" below for details.
/*
/*  This feature is available in Postfix 3.1 and later.
/* .IP \fB-p\fR
/*  Produce a traditional sendmail-style queue listing.
/*  This option implements the traditional \fBmailq\fR command,
/*  by contacting the Postfix \fBshowq\fR(8) daemon.
/*
/*  Each queue entry shows the queue file ID, message
/*  size, arrival time, sender, and the recipients that still need to
/*  be delivered.  If mail could not be delivered upon the last attempt,
/*  the reason for failure is shown. The queue ID string
/*  is followed by an optional status character:
/* .RS
/* .IP \fB*\fR
/*  The message is in the \fBactive\fR queue, i.e. the message is
/*  selected for delivery.
/* .IP \fB!\fR
/*  The message is in the \fBhold\fR queue, i.e. no further delivery
/*  attempt will be made until the mail is taken off hold.
/* .RE
/* .IP "\fB-s \fIsite\fR"
/*  Schedule immediate delivery of all mail that is queued for the named
/*  \fIsite\fR. A numerical site must be specified as a valid RFC 5321
/*  address literal enclosed in [], just like in email addresses.
/*  The site must be eligible for the "fast flush" service.
/*  See \fBflush\fR(8) for more information about the "fast flush"
/*  service.
/*
/*  This option implements the traditional "\fBsendmail -qR\fIsite\fR"
/*  command, by contacting the Postfix \fBflush\fR(8) daemon.
/* .IP \fB-v\fR
/*  Enable verbose logging for debugging purposes. Multiple \fB-v\fR
/*  options make the software increasingly verbose. As of Postfix 2.3,
/*  this option is available for the super-user only.
/* JSON OBJECT FORMAT
/* .ad
/* .fi
/*  Each JSON object represents one queue file; it is emitted
/*  as a single text line followed by a newline character.
/*
/*  Object members have string values unless indicated otherwise.
/*  Programs should ignore object members that are not listed
/*  here; the list of members is expected to grow over time.
/* .IP \fBqueue_name\fR
/*  The name of the queue where the message was found.  Note
/*  that the contents of the mail queue may change while it is
/*  being listed; some messages may appear more than once, and
/*  some messages may be missed.
/* .IP \fBqueue_id\fR
/*  The queue file name. The queue_id may be reused within a
/*  Postfix instance unless "enable_long_queue_ids = true" and
/*  time is monotonic.  Even then, the queue_id is not expected
/*  to be unique between different Postfix instances.  Management
/*  tools that require a unique name should combine the queue_id
/*  with the myhostname setting of the Postfix instance.
/* .IP \fBarrival_time\fR
/*  The number of seconds since the start of the UNIX epoch.
/* .IP \fBmessage_size\fR
/*  The number of bytes in the message header and body. This
/*  number does not include message envelope information. It
/*  is approximately equal to the number of bytes that would
/*  be transmitted via SMTP including the <CR><LF> line endings.
/* .IP \fBsender\fR
/*  The envelope sender address.
/* .IP \fBrecipients\fR
/*  An array containing zero or more objects with members:
/* .RS
/* .IP \fBaddress\fR
/*  One recipient address.
/* .IP \fBdelay_reason\fR
/*  If present, the reason for delayed delivery.  Delayed
/*  recipients may have no delay reason, for example, while
/*  delivery is in progress, or after the system was stopped
/*  before it could record the reason.
/* .RE
/* SECURITY
/* .ad
/* .fi
/*  This program is designed to run with set-group ID privileges, so
/*  that it can connect to Postfix daemon processes.
/* STANDARDS
/*  RFC 7159 (JSON notation)
/* DIAGNOSTICS
/*  Problems are logged to \fBsyslogd\fR(8) and to the standard error
/*  stream.
/* ENVIRONMENT
/* .ad
/* .fi
/* .IP MAIL_CONFIG
/*  Directory with the \fBmain.cf\fR file. In order to avoid exploitation
/*  of set-group ID privileges, a non-standard directory is allowed only
/*  if:
/* .RS
/* .IP \(bu
/*  The name is listed in the standard \fBmain.cf\fR file with the
/*  \fBalternate_config_directories\fR configuration parameter.
/* .IP \(bu
/*  The command is invoked by the super-user.
/* .RE
/* CONFIGURATION PARAMETERS
/* .ad
/* .fi
/*  The following \fBmain.cf\fR parameters are especially relevant to
/*  this program.
/*  The text below provides only a parameter summary. See
/*  \fBpostconf\fR(5) for more details including examples.
/* .IP "\fBalternate_config_directories (empty)\fR"
/*  A list of non-default Postfix configuration directories that may
/*  be specified with "-c config_directory" on the command line (in the
/*  case of \fBsendmail\fR(1), with the "-C" option), or via the MAIL_CONFIG
/*  environment parameter.
/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
/*  The default location of the Postfix main.cf and master.cf
/*  configuration files.
/* .IP "\fBcommand_directory (see 'postconf -d' output)\fR"
/*  The location of all postfix administrative commands.
/* .IP "\fBfast_flush_domains ($relay_domains)\fR"
/*  Optional list of destinations that are eligible for per-destination
/*  logfiles with mail that is queued to those destinations.
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
/*  The list of environment parameters that a privileged Postfix
/*  process will import from a non-Postfix parent process, or name=value
/*  environment overrides.
/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
/*  The location of the Postfix top-level queue directory.
/* .IP "\fBsyslog_facility (mail)\fR"
/*  The syslog facility of Postfix logging.
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/*  A prefix that is prepended to the process name in syslog
/*  records, so that, for example, "smtpd" becomes "prefix/smtpd".
/* .IP "\fBtrigger_timeout (10s)\fR"
/*  The time limit for sending a trigger to a Postfix daemon (for
/*  example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon).
/* .PP
/*  Available in Postfix version 2.2 and later:
/* .IP "\fBauthorized_flush_users (static:anyone)\fR"
/*  List of users who are authorized to flush the queue.
/* .IP "\fBauthorized_mailq_users (static:anyone)\fR"
/*  List of users who are authorized to view the queue.
/* FILES
/*  /var/spool/postfix, mail queue
/* SEE ALSO
/*  qmgr(8), queue manager
/*  showq(8), list mail queue
/*  flush(8), fast flush service
/*  sendmail(1), Sendmail-compatible user interface
/*  postsuper(1), privileged queue operations
/* README FILES
/* .ad
/* .fi
/*  Use "\fBpostconf readme_directory\fR" or
/*  "\fBpostconf html_directory\fR" to locate this information.
/* .na
/* .nf
/*  ETRN_README, Postfix ETRN howto
/* LICENSE
/* .ad
/* .fi
/*  The Secure Mailer license must be distributed with this software.
/* HISTORY
/* .ad
/* .fi
/*  The postqueue command was introduced with Postfix version 1.1.
/* AUTHOR(S)
/*  Wietse Venema
/*  IBM T.J. Watson Research
/*  P.O. Box 704
/*  Yorktown Heights, NY 10598, USA
/*
/*  Wietse Venema
/*  Google, Inc.
/*  111 8th Avenue
/*  New York, NY 10011, USA
/*--*/

/* System library. */

#include <sys_defs.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <signal.h>
#include <sysexits.h>
#include <errno.h>

/* Utility library. */

#include <msg.h>
#include <mymalloc.h>
#include <clean_env.h>
#include <vstream.h>
#include <msg_vstream.h>
#include <msg_syslog.h>
#include <argv.h>
#include <safe.h>
#include <connect.h>
#include <valid_hostname.h>
#include <warn_stat.h>
#include <events.h>
#include <stringops.h>

/* Global library. */

#include <mail_proto.h>
#include <mail_params.h>
#include <mail_version.h>
#include <mail_conf.h>
#include <mail_task.h>
#include <mail_run.h>
#include <mail_flush.h>
#include <mail_queue.h>
#include <flush_clnt.h>
#include <smtp_stream.h>
#include <user_acl.h>
#include <valid_mailhost_addr.h>
#include <mail_dict.h>
#include <mail_parm_split.h>

/* Application-specific. */

#include <postqueue.h>

 /*
  * WARNING WARNING WARNING
  * 
  * This software is designed to run set-gid. In order to avoid exploitation of
  * privilege, this software should not run any external commands, nor should
  * it take any information from the user, unless that information can be
  * properly sanitized. To get an idea of how much information a process can
  * inherit from a potentially hostile user, examine all the members of the
  * process structure (typically, in /usr/include/sys/proc.h): the current
  * directory, open files, timers, signals, environment, command line, umask,
  * and so on.
  */

 /*
  * Modes of operation.
  * 
  * XXX To support flush by recipient domain, or for destinations that have no
  * mapping to logfile, the server has to defend against resource exhaustion
  * attacks. A malicious user could fork off a postqueue client that starts
  * an expensive requests and then kills the client immediately; this way she
  * could create a high Postfix load on the system without ever exceeding her
  * own per-user process limit. To prevent this, either the server needs to
  * establish frequent proof of client liveliness with challenge/response, or
  * the client needs to restrict expensive requests to privileged users only.
  * 
  * We don't have this problem with queue listings. The showq server detects an
  * EPIPE error after reporting a few queue entries.
  */
#define PQ_MODE_DEFAULT     0   /* noop */
#define PQ_MODE_MAILQ_LIST  1   /* list mail queue */
#define PQ_MODE_FLUSH_QUEUE 2   /* flush queue */
#define PQ_MODE_FLUSH_SITE  3   /* flush site */
#define PQ_MODE_FLUSH_FILE  4   /* flush message */
#define PQ_MODE_JSON_LIST   5   /* JSON-format queue listing */

 /*
  * Silly little macros (SLMs).
  */
#define STR vstring_str

 /*
  * Queue manipulation access lists.
  */
char   *var_flush_acl;
char   *var_showq_acl;

static const CONFIG_STR_TABLE str_table[] = {
    VAR_FLUSH_ACL, DEF_FLUSH_ACL, &var_flush_acl, 0, 0,
    VAR_SHOWQ_ACL, DEF_SHOWQ_ACL, &var_showq_acl, 0, 0,
    0,
};

/* show_queue - show queue status */

static void show_queue(int mode)
{
    const char *errstr;
    VSTREAM *showq;
    int     n;
    uid_t   uid = getuid();

    if (uid != 0 && uid != var_owner_uid
    && (errstr = check_user_acl_byuid(VAR_SHOWQ_ACL, var_showq_acl,
                      uid)) != 0)
    msg_fatal_status(EX_NOPERM,
               "User %s(%ld) is not allowed to view the mail queue",
             errstr, (long) uid);

    /*
     * Connect to the show queue service.
     */
    if ((showq = mail_connect(MAIL_CLASS_PUBLIC, var_showq_service, BLOCKING)) != 0) {
    switch (mode) {
    case PQ_MODE_MAILQ_LIST:
        showq_compat(showq);
        break;
    case PQ_MODE_JSON_LIST:
        showq_json(showq);
        break;
    default:
        msg_panic("show_queue: unknown mode %d", mode);
    }
    if (vstream_fclose(showq))
        msg_warn("close: %m");
    }

    /*
     * Don't assume that the mail system is down when the user has
     * insufficient permission to access the showq socket.
     */
    else if (errno == EACCES) {
    msg_fatal_status(EX_SOFTWARE,
             "Connect to the %s %s service: %m",
             var_mail_name, var_showq_service);
    }

    /*
     * When the mail system is down, the superuser can still access the queue
     * directly. Just run the showq program in stand-alone mode.
     */
    else if (geteuid() == 0) {
    char   *showq_path;
    ARGV   *argv;
    int     stat;

    msg_warn("Mail system is down -- accessing queue directly");
    showq_path = concatenate(var_daemon_dir, "/", var_showq_service,
                 (char *) 0);
    argv = argv_alloc(6);
    argv_add(argv, showq_path, "-u", "-S", (char *) 0);
    for (n = 0; n < msg_verbose; n++)
        argv_add(argv, "-v", (char *) 0);
    argv_terminate(argv);
    if ((showq = vstream_popen(O_RDONLY,
                   CA_VSTREAM_POPEN_ARGV(argv->argv),
                   CA_VSTREAM_POPEN_END)) == 0) {
        stat = -1;
    } else {
        switch (mode) {
        case PQ_MODE_MAILQ_LIST:
        showq_compat(showq);
        break;
        case PQ_MODE_JSON_LIST:
        showq_json(showq);
        break;
        default:
        msg_panic("show_queue: unknown mode %d", mode);
        }
        stat = vstream_pclose(showq);
    }
    argv_free(argv);
    if (stat != 0)
        msg_fatal_status(stat < 0 ? EX_OSERR : EX_SOFTWARE,
                 "Error running %s", showq_path);
    myfree(showq_path);
    }

    /*
     * When the mail system is down, unprivileged users are stuck, because by
     * design the mail system contains no set_uid programs. The only way for
     * an unprivileged user to cross protection boundaries is to talk to the
     * showq daemon.
     */
    else {
    msg_fatal_status(EX_UNAVAILABLE,
             "Queue report unavailable - mail system is down");
    }
}

/* flush_queue - force delivery */

static void flush_queue(void)
{
    const char *errstr;
    uid_t   uid = getuid();

    if (uid != 0 && uid != var_owner_uid
    && (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
                      uid)) != 0)
    msg_fatal_status(EX_NOPERM,
              "User %s(%ld) is not allowed to flush the mail queue",
             errstr, (long) uid);

    /*
     * Trigger the flush queue service.
     */
    if (mail_flush_deferred() < 0)
    msg_fatal_status(EX_UNAVAILABLE,
             "Cannot flush mail queue - mail system is down");
    if (mail_flush_maildrop() < 0)
    msg_fatal_status(EX_UNAVAILABLE,
             "Cannot flush mail queue - mail system is down");
    event_drain(2);
}

/* flush_site - flush mail for site */

static void flush_site(const char *site)
{
    int     status;
    const char *errstr;
    uid_t   uid = getuid();

    if (uid != 0 && uid != var_owner_uid
    && (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
                      uid)) != 0)
    msg_fatal_status(EX_NOPERM,
              "User %s(%ld) is not allowed to flush the mail queue",
             errstr, (long) uid);

    flush_init();

    switch (status = flush_send_site(site)) {
    case FLUSH_STAT_OK:
    exit(0);
    case FLUSH_STAT_BAD:
    msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", site);
    case FLUSH_STAT_FAIL:
    msg_fatal_status(EX_UNAVAILABLE,
             "Cannot flush mail queue - mail system is down");
    case FLUSH_STAT_DENY:
    msg_fatal_status(EX_UNAVAILABLE,
           "Flush service is not configured for destination \"%s\"",
             site);
    default:
    msg_fatal_status(EX_SOFTWARE,
             "Unknown flush server reply status %d", status);
    }
}

/* flush_file - flush mail with specific queue ID */

static void flush_file(const char *queue_id)
{
    int     status;
    const char *errstr;
    uid_t   uid = getuid();

    if (uid != 0 && uid != var_owner_uid
    && (errstr = check_user_acl_byuid(VAR_FLUSH_ACL, var_flush_acl,
                      uid)) != 0)
    msg_fatal_status(EX_NOPERM,
              "User %s(%ld) is not allowed to flush the mail queue",
             errstr, (long) uid);

    switch (status = flush_send_file(queue_id)) {
    case FLUSH_STAT_OK:
    exit(0);
    case FLUSH_STAT_BAD:
    msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", queue_id);
    case FLUSH_STAT_FAIL:
    msg_fatal_status(EX_UNAVAILABLE,
             "Cannot flush mail queue - mail system is down");
    default:
    msg_fatal_status(EX_SOFTWARE,
             "Unexpected flush server reply status %d", status);
    }
}

/* unavailable - sanitize exit status from library run-time errors */

static void unavailable(void)
{
    exit(EX_UNAVAILABLE);
}

/* usage - scream and die */

static NORETURN usage(void)
{
    msg_fatal_status(EX_USAGE, "usage: postqueue -f | postqueue -i queueid | postqueue -j | postqueue -p | postqueue -s site");
}

MAIL_VERSION_STAMP_DECLARE;

/* main - the main program */

int     main(int argc, char **argv)
{
    struct stat st;
    char   *slash;
    int     c;
    int     fd;
    int     mode = PQ_MODE_DEFAULT;
    char   *site_to_flush = 0;
    char   *id_to_flush = 0;
    ARGV   *import_env;
    int     bad_site;

    /*
     * Fingerprint executables and core dumps.
     */
    MAIL_VERSION_STAMP_ALLOCATE;

    /*
     * Be consistent with file permissions.
     */
    umask(022);

    /*
     * To minimize confusion, make sure that the standard file descriptors
     * are open before opening anything else. XXX Work around for 44BSD where
     * fstat can return EBADF on an open file descriptor.
     */
    for (fd = 0; fd < 3; fd++)
    if (fstat(fd, &st) == -1
        && (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
        msg_fatal_status(EX_UNAVAILABLE, "open /dev/null: %m");

    /*
     * Initialize. Set up logging, read the global configuration file and
     * extract configuration information. Set up signal handlers so that we
     * can clean up incomplete output.
     * Censor the process name: it is provided by the user.
     */
    argv[0] = "postqueue";
    msg_vstream_init(argv[0], VSTREAM_ERR);
    msg_cleanup(unavailable);
    msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY);
    set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));

    /*
     * Check the Postfix library version as soon as we enable logging.
     */
    MAIL_VERSION_CHECK;

    /*
     * Parse JCL. This program is set-gid and must sanitize all command-line
     * parameters. The configuration directory argument is validated by the
     * mail configuration read routine. Don't do complex things until we have
     * completed initializations.
     */
    while ((c = GETOPT(argc, argv, "c:fi:jps:v")) > 0) {
    switch (c) {
    case 'c':               /* non-default configuration */
        if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
        msg_fatal_status(EX_UNAVAILABLE, "out of memory");
        break;
    case 'f':               /* flush queue */
        if (mode != PQ_MODE_DEFAULT)
        usage();
        mode = PQ_MODE_FLUSH_QUEUE;
        break;
    case 'i':               /* flush queue file */
        if (mode != PQ_MODE_DEFAULT)
        usage();
        mode = PQ_MODE_FLUSH_FILE;
        id_to_flush = optarg;
        break;
    case 'j':
        if (mode != PQ_MODE_DEFAULT)
        usage();
        mode = PQ_MODE_JSON_LIST;
        break;
    case 'p':               /* traditional mailq */
        if (mode != PQ_MODE_DEFAULT)
        usage();
        mode = PQ_MODE_MAILQ_LIST;
        break;
    case 's':               /* flush site */
        if (mode != PQ_MODE_DEFAULT)
        usage();
        mode = PQ_MODE_FLUSH_SITE;
        site_to_flush = optarg;
        break;
    case 'v':
        if (geteuid() == 0)
        msg_verbose++;
        break;
    default:
        usage();
    }
    }
    if (argc > optind)
    usage();

    /*
     * Further initialization...
     */
    mail_conf_read();
    /* Re-evaluate mail_task() after reading main.cf. */
    msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY);
    mail_dict_init();               /* proxy, sql, ldap */
    get_mail_conf_str_table(str_table);

    /*
     * This program is designed to be set-gid, which makes it a potential
     * target for attack. Strip and optionally override the process
     * environment so that we don't have to trust the C library.
     */
    import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
    clean_env(import_env->argv);
    argv_free(import_env);

    if (chdir(var_queue_dir))
    msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);

    signal(SIGPIPE, SIG_IGN);

    /* End of initializations. */

    /*
     * Further input validation.
     */
    if (site_to_flush != 0) {
    bad_site = 0;
    if (*site_to_flush == '[') {
        bad_site = !valid_mailhost_literal(site_to_flush, DONT_GRIPE);
    } else {
        bad_site = !valid_hostname(site_to_flush, DONT_GRIPE);
    }
    if (bad_site)
        msg_fatal_status(EX_USAGE,
          "Cannot flush mail queue - invalid destination: \"%.100s%s\"",
           site_to_flush, strlen(site_to_flush) > 100 ? "..." : "");
    }
    if (id_to_flush != 0) {
    if (!mail_queue_id_ok(id_to_flush))
        msg_fatal_status(EX_USAGE,
               "Cannot flush queue ID - invalid name: \"%.100s%s\"",
               id_to_flush, strlen(id_to_flush) > 100 ? "..." : "");
    }

    /*
     * Start processing.
     */
    switch (mode) {
    default:
    msg_panic("unknown operation mode: %d", mode);
    /* NOTREACHED */
    case PQ_MODE_MAILQ_LIST:
    case PQ_MODE_JSON_LIST:
    show_queue(mode);
    exit(0);
    break;
    case PQ_MODE_FLUSH_SITE:
    flush_site(site_to_flush);
    exit(0);
    break;
    case PQ_MODE_FLUSH_FILE:
    flush_file(id_to_flush);
    exit(0);
    break;
    case PQ_MODE_FLUSH_QUEUE:
    flush_queue();
    exit(0);
    break;
    case PQ_MODE_DEFAULT:
    usage();
    /* NOTREACHED */
    }
}