1/*++ 2/* NAME 3/* postqueue 1 4/* SUMMARY 5/* Postfix queue control 6/* SYNOPSIS 7/* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-f\fR 8/* .br 9/* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-i \fIqueue_id\fR 10/* .br 11/* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-p\fR 12/* .br 13/* \fBpostqueue\fR [\fB-v\fR] [\fB-c \fIconfig_dir\fR] \fB-s \fIsite\fR 14/* DESCRIPTION 15/* The \fBpostqueue\fR(1) command implements the Postfix user interface 16/* for queue management. It implements operations that are 17/* traditionally available via the \fBsendmail\fR(1) command. 18/* See the \fBpostsuper\fR(1) command for queue operations 19/* that require super-user privileges such as deleting a message 20/* from the queue or changing the status of a message. 21/* 22/* The following options are recognized: 23/* .IP "\fB-c \fIconfig_dir\fR" 24/* The \fBmain.cf\fR configuration file is in the named directory 25/* instead of the default configuration directory. See also the 26/* MAIL_CONFIG environment setting below. 27/* .IP \fB-f\fR 28/* Flush the queue: attempt to deliver all queued mail. 29/* 30/* This option implements the traditional "\fBsendmail -q\fR" command, 31/* by contacting the Postfix \fBqmgr\fR(8) daemon. 32/* 33/* Warning: flushing undeliverable mail frequently will result in 34/* poor delivery performance of all other mail. 35/* .IP "\fB-i \fIqueue_id\fR" 36/* Schedule immediate delivery of deferred mail with the 37/* specified queue ID. 38/* 39/* This option implements the traditional \fBsendmail -qI\fR 40/* command, by contacting the \fBflush\fR(8) server. 41/* 42/* This feature is available with Postfix version 2.4 and later. 43/* .IP \fB-p\fR 44/* Produce a traditional sendmail-style queue listing. 45/* This option implements the traditional \fBmailq\fR command, 46/* by contacting the Postfix \fBshowq\fR(8) daemon. 47/* 48/* Each queue entry shows the queue file ID, message 49/* size, arrival time, sender, and the recipients that still need to 50/* be delivered. If mail could not be delivered upon the last attempt, 51/* the reason for failure is shown. The queue ID string 52/* is followed by an optional status character: 53/* .RS 54/* .IP \fB*\fR 55/* The message is in the \fBactive\fR queue, i.e. the message is 56/* selected for delivery. 57/* .IP \fB!\fR 58/* The message is in the \fBhold\fR queue, i.e. no further delivery 59/* attempt will be made until the mail is taken off hold. 60/* .RE 61/* .IP "\fB-s \fIsite\fR" 62/* Schedule immediate delivery of all mail that is queued for the named 63/* \fIsite\fR. A numerical site must be specified as a valid RFC 2821 64/* address literal enclosed in [], just like in email addresses. 65/* The site must be eligible for the "fast flush" service. 66/* See \fBflush\fR(8) for more information about the "fast flush" 67/* service. 68/* 69/* This option implements the traditional "\fBsendmail -qR\fIsite\fR" 70/* command, by contacting the Postfix \fBflush\fR(8) daemon. 71/* .IP \fB-v\fR 72/* Enable verbose logging for debugging purposes. Multiple \fB-v\fR 73/* options make the software increasingly verbose. As of Postfix 2.3, 74/* this option is available for the super-user only. 75/* SECURITY 76/* .ad 77/* .fi 78/* This program is designed to run with set-group ID privileges, so 79/* that it can connect to Postfix daemon processes. 80/* DIAGNOSTICS 81/* Problems are logged to \fBsyslogd\fR(8) and to the standard error 82/* stream. 83/* ENVIRONMENT 84/* .ad 85/* .fi 86/* .IP MAIL_CONFIG 87/* Directory with the \fBmain.cf\fR file. In order to avoid exploitation 88/* of set-group ID privileges, a non-standard directory is allowed only 89/* if: 90/* .RS 91/* .IP \(bu 92/* The name is listed in the standard \fBmain.cf\fR file with the 93/* \fBalternate_config_directories\fR configuration parameter. 94/* .IP \(bu 95/* The command is invoked by the super-user. 96/* .RE 97/* CONFIGURATION PARAMETERS 98/* .ad 99/* .fi 100/* The following \fBmain.cf\fR parameters are especially relevant to 101/* this program. 102/* The text below provides only a parameter summary. See 103/* \fBpostconf\fR(5) for more details including examples. 104/* .IP "\fBalternate_config_directories (empty)\fR" 105/* A list of non-default Postfix configuration directories that may 106/* be specified with "-c config_directory" on the command line, or 107/* via the MAIL_CONFIG environment parameter. 108/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 109/* The default location of the Postfix main.cf and master.cf 110/* configuration files. 111/* .IP "\fBcommand_directory (see 'postconf -d' output)\fR" 112/* The location of all postfix administrative commands. 113/* .IP "\fBfast_flush_domains ($relay_domains)\fR" 114/* Optional list of destinations that are eligible for per-destination 115/* logfiles with mail that is queued to those destinations. 116/* .IP "\fBimport_environment (see 'postconf -d' output)\fR" 117/* The list of environment parameters that a Postfix process will 118/* import from a non-Postfix parent process. 119/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 120/* The location of the Postfix top-level queue directory. 121/* .IP "\fBsyslog_facility (mail)\fR" 122/* The syslog facility of Postfix logging. 123/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 124/* The mail system name that is prepended to the process name in syslog 125/* records, so that "smtpd" becomes, for example, "postfix/smtpd". 126/* .IP "\fBtrigger_timeout (10s)\fR" 127/* The time limit for sending a trigger to a Postfix daemon (for 128/* example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon). 129/* .PP 130/* Available in Postfix version 2.2 and later: 131/* .IP "\fBauthorized_flush_users (static:anyone)\fR" 132/* List of users who are authorized to flush the queue. 133/* .IP "\fBauthorized_mailq_users (static:anyone)\fR" 134/* List of users who are authorized to view the queue. 135/* FILES 136/* /var/spool/postfix, mail queue 137/* SEE ALSO 138/* qmgr(8), queue manager 139/* showq(8), list mail queue 140/* flush(8), fast flush service 141/* sendmail(1), Sendmail-compatible user interface 142/* postsuper(1), privileged queue operations 143/* README FILES 144/* .ad 145/* .fi 146/* Use "\fBpostconf readme_directory\fR" or 147/* "\fBpostconf html_directory\fR" to locate this information. 148/* .na 149/* .nf 150/* ETRN_README, Postfix ETRN howto 151/* LICENSE 152/* .ad 153/* .fi 154/* The Secure Mailer license must be distributed with this software. 155/* HISTORY 156/* .ad 157/* .fi 158/* The postqueue command was introduced with Postfix version 1.1. 159/* AUTHOR(S) 160/* Wietse Venema 161/* IBM T.J. Watson Research 162/* P.O. Box 704 163/* Yorktown Heights, NY 10598, USA 164/*--*/ 165 166/* System library. */ 167 168#include <sys_defs.h> 169#include <sys/stat.h> 170#include <unistd.h> 171#include <string.h> 172#include <stdlib.h> 173#include <signal.h> 174#include <sysexits.h> 175#include <errno.h> 176 177/* Utility library. */ 178 179#include <msg.h> 180#include <mymalloc.h> 181#include <clean_env.h> 182#include <vstream.h> 183#include <msg_vstream.h> 184#include <msg_syslog.h> 185#include <argv.h> 186#include <safe.h> 187#include <connect.h> 188#include <valid_hostname.h> 189#include <warn_stat.h> 190 191/* Global library. */ 192 193#include <mail_proto.h> 194#include <mail_params.h> 195#include <mail_version.h> 196#include <mail_conf.h> 197#include <mail_task.h> 198#include <mail_run.h> 199#include <mail_flush.h> 200#include <mail_queue.h> 201#include <flush_clnt.h> 202#include <smtp_stream.h> 203#include <user_acl.h> 204#include <valid_mailhost_addr.h> 205#include <mail_dict.h> 206 207/* Application-specific. */ 208 209 /* 210 * WARNING WARNING WARNING 211 * 212 * This software is designed to run set-gid. In order to avoid exploitation of 213 * privilege, this software should not run any external commands, nor should 214 * it take any information from the user, unless that information can be 215 * properly sanitized. To get an idea of how much information a process can 216 * inherit from a potentially hostile user, examine all the members of the 217 * process structure (typically, in /usr/include/sys/proc.h): the current 218 * directory, open files, timers, signals, environment, command line, umask, 219 * and so on. 220 */ 221 222 /* 223 * Modes of operation. 224 * 225 * XXX To support flush by recipient domain, or for destinations that have no 226 * mapping to logfile, the server has to defend against resource exhaustion 227 * attacks. A malicious user could fork off a postqueue client that starts 228 * an expensive requests and then kills the client immediately; this way she 229 * could create a high Postfix load on the system without ever exceeding her 230 * own per-user process limit. To prevent this, either the server needs to 231 * establish frequent proof of client liveliness with challenge/response, or 232 * the client needs to restrict expensive requests to privileged users only. 233 * 234 * We don't have this problem with queue listings. The showq server detects an 235 * EPIPE error after reporting a few queue entries. 236 */ 237#define PQ_MODE_DEFAULT 0 /* noop */ 238#define PQ_MODE_MAILQ_LIST 1 /* list mail queue */ 239#define PQ_MODE_FLUSH_QUEUE 2 /* flush queue */ 240#define PQ_MODE_FLUSH_SITE 3 /* flush site */ 241#define PQ_MODE_FLUSH_FILE 4 /* flush message */ 242 243 /* 244 * Silly little macros (SLMs). 245 */ 246#define STR vstring_str 247 248 /* 249 * Queue manipulation access lists. 250 */ 251char *var_flush_acl; 252char *var_showq_acl; 253 254static const CONFIG_STR_TABLE str_table[] = { 255 VAR_FLUSH_ACL, DEF_FLUSH_ACL, &var_flush_acl, 0, 0, 256 VAR_SHOWQ_ACL, DEF_SHOWQ_ACL, &var_showq_acl, 0, 0, 257 0, 258}; 259 260/* show_queue - show queue status */ 261 262static void show_queue(void) 263{ 264 const char *errstr; 265 char buf[VSTREAM_BUFSIZE]; 266 VSTREAM *showq; 267 int n; 268 uid_t uid = getuid(); 269 270 if (uid != 0 && uid != var_owner_uid 271 && (errstr = check_user_acl_byuid(var_showq_acl, uid)) != 0) 272 msg_fatal_status(EX_NOPERM, 273 "User %s(%ld) is not allowed to view the mail queue", 274 errstr, (long) uid); 275 276 /* 277 * Connect to the show queue service. Terminate silently when piping into 278 * a program that terminates early. 279 */ 280 if ((showq = mail_connect(MAIL_CLASS_PUBLIC, var_showq_service, BLOCKING)) != 0) { 281 while ((n = vstream_fread(showq, buf, sizeof(buf))) > 0) { 282 if (vstream_fwrite(VSTREAM_OUT, buf, n) != n 283 || vstream_fflush(VSTREAM_OUT) != 0) { 284 if (errno == EPIPE) 285 break; 286 msg_fatal("write error: %m"); 287 } 288 } 289 if (vstream_fclose(showq) && errno != EPIPE) 290 msg_warn("close: %m"); 291 } 292 293 /* 294 * Don't assume that the mail system is down when the user has 295 * insufficient permission to access the showq socket. 296 */ 297 else if (errno == EACCES) { 298 msg_fatal_status(EX_SOFTWARE, 299 "Connect to the %s %s service: %m", 300 var_mail_name, var_showq_service); 301 } 302 303 /* 304 * When the mail system is down, the superuser can still access the queue 305 * directly. Just run the showq program in stand-alone mode. 306 */ 307 else if (geteuid() == 0) { 308 ARGV *argv; 309 int stat; 310 311 msg_warn("Mail system is down -- accessing queue directly"); 312 argv = argv_alloc(6); 313 argv_add(argv, var_showq_service, "-u", "-S", (char *) 0); 314 for (n = 0; n < msg_verbose; n++) 315 argv_add(argv, "-v", (char *) 0); 316 argv_terminate(argv); 317 stat = mail_run_foreground(var_daemon_dir, argv->argv); 318 argv_free(argv); 319 } 320 321 /* 322 * When the mail system is down, unprivileged users are stuck, because by 323 * design the mail system contains no set_uid programs. The only way for 324 * an unprivileged user to cross protection boundaries is to talk to the 325 * showq daemon. 326 */ 327 else { 328 msg_fatal_status(EX_UNAVAILABLE, 329 "Queue report unavailable - mail system is down"); 330 } 331} 332 333/* flush_queue - force delivery */ 334 335static void flush_queue(void) 336{ 337 const char *errstr; 338 uid_t uid = getuid(); 339 340 if (uid != 0 && uid != var_owner_uid 341 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 342 msg_fatal_status(EX_NOPERM, 343 "User %s(%ld) is not allowed to flush the mail queue", 344 errstr, (long) uid); 345 346 /* 347 * Trigger the flush queue service. 348 */ 349 if (mail_flush_deferred() < 0) 350 msg_fatal_status(EX_UNAVAILABLE, 351 "Cannot flush mail queue - mail system is down"); 352 if (mail_flush_maildrop() < 0) 353 msg_fatal_status(EX_UNAVAILABLE, 354 "Cannot flush mail queue - mail system is down"); 355} 356 357/* flush_site - flush mail for site */ 358 359static void flush_site(const char *site) 360{ 361 int status; 362 const char *errstr; 363 uid_t uid = getuid(); 364 365 if (uid != 0 && uid != var_owner_uid 366 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 367 msg_fatal_status(EX_NOPERM, 368 "User %s(%ld) is not allowed to flush the mail queue", 369 errstr, (long) uid); 370 371 flush_init(); 372 373 switch (status = flush_send_site(site)) { 374 case FLUSH_STAT_OK: 375 exit(0); 376 case FLUSH_STAT_BAD: 377 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", site); 378 case FLUSH_STAT_FAIL: 379 msg_fatal_status(EX_UNAVAILABLE, 380 "Cannot flush mail queue - mail system is down"); 381 case FLUSH_STAT_DENY: 382 msg_fatal_status(EX_UNAVAILABLE, 383 "Flush service is not configured for destination \"%s\"", 384 site); 385 default: 386 msg_fatal_status(EX_SOFTWARE, 387 "Unknown flush server reply status %d", status); 388 } 389} 390 391/* flush_file - flush mail with specific queue ID */ 392 393static void flush_file(const char *queue_id) 394{ 395 int status; 396 const char *errstr; 397 uid_t uid = getuid(); 398 399 if (uid != 0 && uid != var_owner_uid 400 && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) 401 msg_fatal_status(EX_NOPERM, 402 "User %s(%ld) is not allowed to flush the mail queue", 403 errstr, (long) uid); 404 405 switch (status = flush_send_file(queue_id)) { 406 case FLUSH_STAT_OK: 407 exit(0); 408 case FLUSH_STAT_BAD: 409 msg_fatal_status(EX_USAGE, "Invalid request: \"%s\"", queue_id); 410 case FLUSH_STAT_FAIL: 411 msg_fatal_status(EX_UNAVAILABLE, 412 "Cannot flush mail queue - mail system is down"); 413 default: 414 msg_fatal_status(EX_SOFTWARE, 415 "Unexpected flush server reply status %d", status); 416 } 417} 418 419/* unavailable - sanitize exit status from library run-time errors */ 420 421static void unavailable(void) 422{ 423 exit(EX_UNAVAILABLE); 424} 425 426/* usage - scream and die */ 427 428static NORETURN usage(void) 429{ 430 msg_fatal_status(EX_USAGE, "usage: postqueue -f | postqueue -i queueid | postqueue -p | postqueue -s site"); 431} 432 433MAIL_VERSION_STAMP_DECLARE; 434 435/* main - the main program */ 436 437int main(int argc, char **argv) 438{ 439 struct stat st; 440 char *slash; 441 int c; 442 int fd; 443 int mode = PQ_MODE_DEFAULT; 444 char *site_to_flush = 0; 445 char *id_to_flush = 0; 446 ARGV *import_env; 447 int bad_site; 448 449 /* 450 * Fingerprint executables and core dumps. 451 */ 452 MAIL_VERSION_STAMP_ALLOCATE; 453 454 /* 455 * Be consistent with file permissions. 456 */ 457 umask(022); 458 459 /* 460 * To minimize confusion, make sure that the standard file descriptors 461 * are open before opening anything else. XXX Work around for 44BSD where 462 * fstat can return EBADF on an open file descriptor. 463 */ 464 for (fd = 0; fd < 3; fd++) 465 if (fstat(fd, &st) == -1 466 && (close(fd), open("/dev/null", O_RDWR, 0)) != fd) 467 msg_fatal_status(EX_UNAVAILABLE, "open /dev/null: %m"); 468 469 /* 470 * Initialize. Set up logging, read the global configuration file and 471 * extract configuration information. Set up signal handlers so that we 472 * can clean up incomplete output. 473 */ 474 if ((slash = strrchr(argv[0], '/')) != 0 && slash[1]) 475 argv[0] = slash + 1; 476 msg_vstream_init(argv[0], VSTREAM_ERR); 477 msg_cleanup(unavailable); 478 msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY); 479 set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0])); 480 481 /* 482 * Check the Postfix library version as soon as we enable logging. 483 */ 484 MAIL_VERSION_CHECK; 485 486 /* 487 * Parse JCL. This program is set-gid and must sanitize all command-line 488 * parameters. The configuration directory argument is validated by the 489 * mail configuration read routine. Don't do complex things until we have 490 * completed initializations. 491 */ 492 while ((c = GETOPT(argc, argv, "c:fi:ps:v")) > 0) { 493 switch (c) { 494 case 'c': /* non-default configuration */ 495 if (setenv(CONF_ENV_PATH, optarg, 1) < 0) 496 msg_fatal_status(EX_UNAVAILABLE, "out of memory"); 497 break; 498 case 'f': /* flush queue */ 499 if (mode != PQ_MODE_DEFAULT) 500 usage(); 501 mode = PQ_MODE_FLUSH_QUEUE; 502 break; 503 case 'i': /* flush queue file */ 504 if (mode != PQ_MODE_DEFAULT) 505 usage(); 506 mode = PQ_MODE_FLUSH_FILE; 507 id_to_flush = optarg; 508 break; 509 case 'p': /* traditional mailq */ 510 if (mode != PQ_MODE_DEFAULT) 511 usage(); 512 mode = PQ_MODE_MAILQ_LIST; 513 break; 514 case 's': /* flush site */ 515 if (mode != PQ_MODE_DEFAULT) 516 usage(); 517 mode = PQ_MODE_FLUSH_SITE; 518 site_to_flush = optarg; 519 break; 520 case 'v': 521 if (geteuid() == 0) 522 msg_verbose++; 523 break; 524 default: 525 usage(); 526 } 527 } 528 if (argc > optind) 529 usage(); 530 531 /* 532 * Further initialization... 533 */ 534 mail_conf_read(); 535 if (strcmp(var_syslog_name, DEF_SYSLOG_NAME) != 0) 536 msg_syslog_init(mail_task("postqueue"), LOG_PID, LOG_FACILITY); 537 mail_dict_init(); /* proxy, sql, ldap */ 538 get_mail_conf_str_table(str_table); 539 540 /* 541 * This program is designed to be set-gid, which makes it a potential 542 * target for attack. If not running as root, strip the environment so we 543 * don't have to trust the C library. If running as root, don't strip the 544 * environment so that showq can receive non-default configuration 545 * directory info when the mail system is down. 546 */ 547 if (geteuid() != 0) { 548 import_env = argv_split(var_import_environ, ", \t\r\n"); 549 clean_env(import_env->argv); 550 argv_free(import_env); 551 } 552 if (chdir(var_queue_dir)) 553 msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir); 554 555 signal(SIGPIPE, SIG_IGN); 556 557 /* End of initializations. */ 558 559 /* 560 * Further input validation. 561 */ 562 if (site_to_flush != 0) { 563 bad_site = 0; 564 if (*site_to_flush == '[') { 565 bad_site = !valid_mailhost_literal(site_to_flush, DONT_GRIPE); 566 } else { 567 bad_site = !valid_hostname(site_to_flush, DONT_GRIPE); 568 } 569 if (bad_site) 570 msg_fatal_status(EX_USAGE, 571 "Cannot flush mail queue - invalid destination: \"%.100s%s\"", 572 site_to_flush, strlen(site_to_flush) > 100 ? "..." : ""); 573 } 574 if (id_to_flush != 0) { 575 if (!mail_queue_id_ok(id_to_flush)) 576 msg_fatal_status(EX_USAGE, 577 "Cannot flush queue ID - invalid name: \"%.100s%s\"", 578 id_to_flush, strlen(id_to_flush) > 100 ? "..." : ""); 579 } 580 581 /* 582 * Start processing. 583 */ 584 switch (mode) { 585 default: 586 msg_panic("unknown operation mode: %d", mode); 587 /* NOTREACHED */ 588 case PQ_MODE_MAILQ_LIST: 589 show_queue(); 590 exit(0); 591 break; 592 case PQ_MODE_FLUSH_SITE: 593 flush_site(site_to_flush); 594 exit(0); 595 break; 596 case PQ_MODE_FLUSH_FILE: 597 flush_file(id_to_flush); 598 exit(0); 599 break; 600 case PQ_MODE_FLUSH_QUEUE: 601 flush_queue(); 602 exit(0); 603 break; 604 case PQ_MODE_DEFAULT: 605 usage(); 606 /* NOTREACHED */ 607 } 608} 609