1/* $NetBSD: local.c,v 1.4 2022/10/08 16:12:46 christos Exp $ */ 2 3/*++ 4/* NAME 5/* local 8 6/* SUMMARY 7/* Postfix local mail delivery 8/* SYNOPSIS 9/* \fBlocal\fR [generic Postfix daemon options] 10/* DESCRIPTION 11/* The \fBlocal\fR(8) daemon processes delivery requests from the 12/* Postfix queue manager to deliver mail to local recipients. 13/* Each delivery request specifies a queue file, a sender address, 14/* a domain or host to deliver to, and one or more recipients. 15/* This program expects to be run from the \fBmaster\fR(8) process 16/* manager. 17/* 18/* The \fBlocal\fR(8) daemon updates queue files and marks recipients 19/* as finished, or it informs the queue manager that delivery should 20/* be tried again at a later time. Delivery status reports are sent 21/* to the \fBbounce\fR(8), \fBdefer\fR(8) or \fBtrace\fR(8) daemon as 22/* appropriate. 23/* CASE FOLDING 24/* .ad 25/* .fi 26/* All delivery decisions are made using the bare recipient 27/* name (i.e. the address localpart), folded to lower case. 28/* See also under ADDRESS EXTENSION below for a few exceptions. 29/* SYSTEM-WIDE AND USER-LEVEL ALIASING 30/* .ad 31/* .fi 32/* The system administrator can set up one or more system-wide 33/* \fBsendmail\fR-style alias databases. 34/* Users can have \fBsendmail\fR-style ~/.\fBforward\fR files. 35/* Mail for \fIname\fR is delivered to the alias \fIname\fR, to 36/* destinations in ~\fIname\fR/.\fBforward\fR, to the mailbox owned 37/* by the user \fIname\fR, or it is sent back as undeliverable. 38/* 39/* The system administrator can specify a comma/space separated list 40/* of ~\fR/.\fBforward\fR like files through the \fBforward_path\fR 41/* configuration parameter. Upon delivery, the local delivery agent 42/* tries each pathname in the list until a file is found. 43/* 44/* Delivery via ~/.\fBforward\fR files is done with the privileges 45/* of the recipient. 46/* Thus, ~/.\fBforward\fR like files must be readable by the 47/* recipient, and their parent directory needs to have "execute" 48/* permission for the recipient. 49/* 50/* The \fBforward_path\fR parameter is subject to interpolation of 51/* \fB$user\fR (recipient username), \fB$home\fR (recipient home 52/* directory), \fB$shell\fR (recipient shell), \fB$recipient\fR 53/* (complete recipient address), \fB$extension\fR (recipient address 54/* extension), \fB$domain\fR (recipient domain), \fB$local\fR 55/* (entire recipient address localpart) and 56/* \fB$recipient_delimiter.\fR The forms \fI${name?value}\fR 57/* and \fI${name?{value}}\fR (Postfix 3.0 and later) expand 58/* conditionally to \fIvalue\fR when \fI$name\fR is defined, 59/* and the forms \fI${name:value}\fR \fI${name:{value}}\fR 60/* (Postfix 3.0 and later) expand conditionally to \fIvalue\fR 61/* when \fI$name\fR is not defined. The form 62/* \fI${name?{value1}:{value2}}\fR (Postfix 3.0 and later) 63/* expands conditionally to \fIvalue1\fR when \fI$name\fR is 64/* defined, or \fIvalue2\fR otherwise. Characters that may 65/* have special meaning to the shell or file system are replaced 66/* with underscores. The list of acceptable characters is 67/* specified with the \fBforward_expansion_filter\fR configuration 68/* parameter. 69/* 70/* An alias or ~/.\fBforward\fR file may list any combination of external 71/* commands, destination file names, \fB:include:\fR directives, or 72/* mail addresses. 73/* See \fBaliases\fR(5) for a precise description. Each line in a 74/* user's .\fBforward\fR file has the same syntax as the right-hand part 75/* of an alias. 76/* 77/* When an address is found in its own alias expansion, delivery is 78/* made to the user instead. When a user is listed in the user's own 79/* ~/.\fBforward\fR file, delivery is made to the user's mailbox instead. 80/* An empty ~/.\fBforward\fR file means do not forward mail. 81/* 82/* In order to prevent the mail system from using up unreasonable 83/* amounts of memory, input records read from \fB:include:\fR or from 84/* ~/.\fBforward\fR files are broken up into chunks of length 85/* \fBline_length_limit\fR. 86/* 87/* While expanding aliases, ~/.\fBforward\fR files, and so on, the 88/* program attempts to avoid duplicate deliveries. The 89/* \fBduplicate_filter_limit\fR configuration parameter limits the 90/* number of remembered recipients. 91/* MAIL FORWARDING 92/* .ad 93/* .fi 94/* For the sake of reliability, forwarded mail is re-submitted as 95/* a new message, so that each recipient has a separate on-file 96/* delivery status record. 97/* 98/* In order to stop mail forwarding loops early, the software adds an 99/* optional 100/* \fBDelivered-To:\fR header with the final envelope recipient address. If 101/* mail arrives for a recipient that is already listed in a 102/* \fBDelivered-To:\fR header, the message is bounced. 103/* MAILBOX DELIVERY 104/* .ad 105/* .fi 106/* The default per-user mailbox is a file in the UNIX mail spool 107/* directory (\fB/var/mail/\fIuser\fR or \fB/var/spool/mail/\fIuser\fR); 108/* the location can be specified with the \fBmail_spool_directory\fR 109/* configuration parameter. Specify a name ending in \fB/\fR for 110/* \fBqmail\fR-compatible \fBmaildir\fR delivery. 111/* 112/* Alternatively, the per-user mailbox can be a file in the user's home 113/* directory with a name specified via the \fBhome_mailbox\fR 114/* configuration parameter. Specify a relative path name. Specify a name 115/* ending in \fB/\fR for \fBqmail\fR-compatible \fBmaildir\fR delivery. 116/* 117/* Mailbox delivery can be delegated to an external command specified 118/* with the \fBmailbox_command_maps\fR and \fBmailbox_command\fR 119/* configuration parameters. The command 120/* executes with the privileges of the recipient user (exceptions: 121/* secondary groups are not enabled; in case of delivery as root, 122/* the command executes with the privileges of \fBdefault_privs\fR). 123/* 124/* Mailbox delivery can be delegated to alternative message transports 125/* specified in the \fBmaster.cf\fR file. 126/* The \fBmailbox_transport_maps\fR and \fBmailbox_transport\fR 127/* configuration parameters specify an optional 128/* message transport that is to be used for all local recipients, 129/* regardless of whether they are found in the UNIX passwd database. 130/* The \fBfallback_transport_maps\fR and 131/* \fBfallback_transport\fR parameters specify an optional 132/* message transport 133/* for recipients that are not found in the aliases(5) or UNIX 134/* passwd database. 135/* 136/* In the case of UNIX-style mailbox delivery, 137/* the \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR" 138/* envelope header to each message, prepends an 139/* \fBX-Original-To:\fR header with the recipient address as given to 140/* Postfix, prepends an 141/* optional \fBDelivered-To:\fR header 142/* with the final envelope recipient address, prepends a \fBReturn-Path:\fR 143/* header with the envelope sender address, prepends a \fB>\fR character 144/* to lines beginning with "\fBFrom \fR", and appends an empty line. 145/* The mailbox is locked for exclusive access while delivery is in 146/* progress. In case of problems, an attempt is made to truncate the 147/* mailbox to its original length. 148/* 149/* In the case of \fBmaildir\fR delivery, the local daemon prepends 150/* an optional 151/* \fBDelivered-To:\fR header with the final envelope recipient address, 152/* prepends an 153/* \fBX-Original-To:\fR header with the recipient address as given to 154/* Postfix, 155/* and prepends a \fBReturn-Path:\fR header with the envelope sender 156/* address. 157/* EXTERNAL COMMAND DELIVERY 158/* .ad 159/* .fi 160/* The \fBallow_mail_to_commands\fR configuration parameter restricts 161/* delivery to external commands. The default setting (\fBalias, 162/* forward\fR) forbids command destinations in \fB:include:\fR files. 163/* 164/* Optionally, the process working directory is changed to the path 165/* specified with \fBcommand_execution_directory\fR (Postfix 2.2 and 166/* later). Failure to change directory causes mail to be deferred. 167/* 168/* The \fBcommand_execution_directory\fR parameter value is subject 169/* to interpolation of \fB$user\fR (recipient username), 170/* \fB$home\fR (recipient home directory), \fB$shell\fR 171/* (recipient shell), \fB$recipient\fR (complete recipient 172/* address), \fB$extension\fR (recipient address extension), 173/* \fB$domain\fR (recipient domain), \fB$local\fR (entire 174/* recipient address localpart) and \fB$recipient_delimiter.\fR 175/* The forms \fI${name?value}\fR and \fI${name?{value}}\fR 176/* (Postfix 3.0 and later) expand conditionally to \fIvalue\fR 177/* when \fI$name\fR is defined, and the forms \fI${name:value}\fR 178/* and \fI${name:{value}}\fR (Postfix 3.0 and later) expand 179/* conditionally to \fIvalue\fR when \fI$name\fR is not defined. 180/* The form \fI${name?{value1}:{value2}}\fR (Postfix 3.0 and 181/* later) expands conditionally to \fIvalue1\fR when \fI$name\fR 182/* is defined, or \fIvalue2\fR otherwise. Characters that may 183/* have special meaning to the shell or file system are replaced 184/* with underscores. The list of acceptable characters 185/* is specified with the \fBexecution_directory_expansion_filter\fR 186/* configuration parameter. 187/* 188/* The command is executed directly where possible. Assistance by the 189/* shell (\fB/bin/sh\fR on UNIX systems) is used only when the command 190/* contains shell magic characters, or when the command invokes a shell 191/* built-in command. 192/* 193/* A limited amount of command output (standard output and standard 194/* error) is captured for inclusion with non-delivery status reports. 195/* A command is forcibly terminated if it does not complete within 196/* \fBcommand_time_limit\fR seconds. Command exit status codes are 197/* expected to follow the conventions defined in <\fBsysexits.h\fR>. 198/* Exit status 0 means normal successful completion. 199/* 200/* Postfix version 2.3 and later support RFC 3463-style enhanced 201/* status codes. If a command terminates with a non-zero exit 202/* status, and the command output begins with an enhanced 203/* status code, this status code takes precedence over the 204/* non-zero exit status. 205/* 206/* A limited amount of message context is exported via environment 207/* variables. Characters that may have special meaning to the shell 208/* are replaced with underscores. The list of acceptable characters 209/* is specified with the \fBcommand_expansion_filter\fR configuration 210/* parameter. 211/* .IP \fBSHELL\fR 212/* The recipient user's login shell. 213/* .IP \fBHOME\fR 214/* The recipient user's home directory. 215/* .IP \fBUSER\fR 216/* The bare recipient name. 217/* .IP \fBEXTENSION\fR 218/* The optional recipient address extension. 219/* .IP \fBDOMAIN\fR 220/* The recipient address domain part. 221/* .IP \fBLOGNAME\fR 222/* The bare recipient name. 223/* .IP \fBLOCAL\fR 224/* The entire recipient address localpart (text to the left of the 225/* rightmost @ character). 226/* .IP \fBORIGINAL_RECIPIENT\fR 227/* The entire recipient address, before any address rewriting 228/* or aliasing (Postfix 2.5 and later). 229/* .IP \fBRECIPIENT\fR 230/* The entire recipient address. 231/* .IP \fBSENDER\fR 232/* The entire sender address. 233/* .PP 234/* Additional remote client information is made available via 235/* the following environment variables: 236/* .IP \fBCLIENT_ADDRESS\fR 237/* Remote client network address. Available as of Postfix 2.2. 238/* .IP \fBCLIENT_HELO\fR 239/* Remote client EHLO command parameter. Available as of Postfix 2.2. 240/* .IP \fBCLIENT_HOSTNAME\fR 241/* Remote client hostname. Available as of Postfix 2.2. 242/* .IP \fBCLIENT_PROTOCOL\fR 243/* Remote client protocol. Available as of Postfix 2.2. 244/* .IP \fBSASL_METHOD\fR 245/* SASL authentication method specified in the 246/* remote client AUTH command. Available as of Postfix 2.2. 247/* .IP \fBSASL_SENDER\fR 248/* SASL sender address specified in the remote client MAIL 249/* FROM command. Available as of Postfix 2.2. 250/* .IP \fBSASL_USERNAME\fR 251/* SASL username specified in the remote client AUTH command. 252/* Available as of Postfix 2.2. 253/* .PP 254/* The \fBPATH\fR environment variable is always reset to a 255/* system-dependent default path, and environment variables 256/* whose names are blessed by the \fBexport_environment\fR 257/* configuration parameter are exported unchanged. 258/* 259/* The current working directory is the mail queue directory. 260/* 261/* The \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR" 262/* envelope header to each message, prepends an 263/* \fBX-Original-To:\fR header with the recipient address as given to 264/* Postfix, prepends an 265/* optional \fBDelivered-To:\fR 266/* header with the final recipient envelope address, prepends a 267/* \fBReturn-Path:\fR header with the sender envelope address, 268/* and appends no empty line. 269/* EXTERNAL FILE DELIVERY 270/* .ad 271/* .fi 272/* The delivery format depends on the destination filename syntax. 273/* The default is to use UNIX-style mailbox format. Specify a name 274/* ending in \fB/\fR for \fBqmail\fR-compatible \fBmaildir\fR delivery. 275/* 276/* The \fBallow_mail_to_files\fR configuration parameter restricts 277/* delivery to external files. The default setting (\fBalias, 278/* forward\fR) forbids file destinations in \fB:include:\fR files. 279/* 280/* In the case of UNIX-style mailbox delivery, 281/* the \fBlocal\fR(8) daemon prepends a "\fBFrom \fIsender time_stamp\fR" 282/* envelope header to each message, prepends an 283/* \fBX-Original-To:\fR header with the recipient address as given to 284/* Postfix, prepends an 285/* optional \fBDelivered-To:\fR 286/* header with the final recipient envelope address, prepends a \fB>\fR 287/* character to lines beginning with "\fBFrom \fR", and appends an 288/* empty line. 289/* The envelope sender address is available in the \fBReturn-Path:\fR 290/* header. 291/* When the destination is a regular file, it is locked for exclusive 292/* access while delivery is in progress. In case of problems, an attempt 293/* is made to truncate a regular file to its original length. 294/* 295/* In the case of \fBmaildir\fR delivery, the local daemon prepends 296/* an optional 297/* \fBDelivered-To:\fR header with the final envelope recipient address, 298/* and prepends an 299/* \fBX-Original-To:\fR header with the recipient address as given to 300/* Postfix. 301/* The envelope sender address is available in the \fBReturn-Path:\fR 302/* header. 303/* ADDRESS EXTENSION 304/* .ad 305/* .fi 306/* The optional \fBrecipient_delimiter\fR configuration parameter 307/* specifies how to separate address extensions from local recipient 308/* names. 309/* 310/* For example, with "\fBrecipient_delimiter = +\fR", mail for 311/* \fIname\fR+\fIfoo\fR is delivered to the alias \fIname\fR+\fIfoo\fR 312/* or to the alias \fIname\fR, to the destinations listed in 313/* ~\fIname\fR/.\fBforward\fR+\fIfoo\fR or in ~\fIname\fR/.\fBforward\fR, 314/* to the mailbox owned by the user \fIname\fR, or it is sent back as 315/* undeliverable. 316/* DELIVERY RIGHTS 317/* .ad 318/* .fi 319/* Deliveries to external files and external commands are made with 320/* the rights of the receiving user on whose behalf the delivery is made. 321/* In the absence of a user context, the \fBlocal\fR(8) daemon uses the 322/* owner rights of the \fB:include:\fR file or alias database. 323/* When those files are owned by the superuser, delivery is made with 324/* the rights specified with the \fBdefault_privs\fR configuration 325/* parameter. 326/* STANDARDS 327/* RFC 822 (ARPA Internet Text Messages) 328/* RFC 3463 (Enhanced status codes) 329/* DIAGNOSTICS 330/* Problems and transactions are logged to \fBsyslogd\fR(8) 331/* or \fBpostlogd\fR(8). 332/* Corrupted message files are marked so that the queue 333/* manager can move them to the \fBcorrupt\fR queue afterwards. 334/* 335/* Depending on the setting of the \fBnotify_classes\fR parameter, 336/* the postmaster is notified of bounces and of other trouble. 337/* SECURITY 338/* .ad 339/* .fi 340/* The \fBlocal\fR(8) delivery agent needs a dual personality 341/* 1) to access the private Postfix queue and IPC mechanisms, 342/* 2) to impersonate the recipient and deliver to recipient-specified 343/* files or commands. It is therefore security sensitive. 344/* 345/* The \fBlocal\fR(8) delivery agent disallows regular expression 346/* substitution of $1 etc. in \fBalias_maps\fR, because that 347/* would open a security hole. 348/* 349/* The \fBlocal\fR(8) delivery agent will silently ignore 350/* requests to use the \fBproxymap\fR(8) server within 351/* \fBalias_maps\fR. Instead it will open the table directly. 352/* Before Postfix version 2.2, the \fBlocal\fR(8) delivery 353/* agent will terminate with a fatal error. 354/* BUGS 355/* For security reasons, the message delivery status of external commands 356/* or of external files is never checkpointed to file. As a result, 357/* the program may occasionally deliver more than once to a command or 358/* external file. Better safe than sorry. 359/* 360/* Mutually-recursive aliases or ~/.\fBforward\fR files are not detected 361/* early. The resulting mail forwarding loop is broken by the use of the 362/* \fBDelivered-To:\fR message header. 363/* CONFIGURATION PARAMETERS 364/* .ad 365/* .fi 366/* Changes to \fBmain.cf\fR are picked up automatically, as \fBlocal\fR(8) 367/* processes run for only a limited amount of time. Use the command 368/* "\fBpostfix reload\fR" to speed up a change. 369/* 370/* The text below provides only a parameter summary. See 371/* \fBpostconf\fR(5) for more details including examples. 372/* COMPATIBILITY CONTROLS 373/* .ad 374/* .fi 375/* .IP "\fBbiff (yes)\fR" 376/* Whether or not to use the local biff service. 377/* .IP "\fBexpand_owner_alias (no)\fR" 378/* When delivering to an alias "\fIaliasname\fR" that has an 379/* "owner-\fIaliasname\fR" companion alias, set the envelope sender 380/* address to the expansion of the "owner-\fIaliasname\fR" alias. 381/* .IP "\fBowner_request_special (yes)\fR" 382/* Enable special treatment for owner-\fIlistname\fR entries in the 383/* \fBaliases\fR(5) file, and don't split owner-\fIlistname\fR and 384/* \fIlistname\fR-request address localparts when the recipient_delimiter 385/* is set to "-". 386/* .IP "\fBsun_mailtool_compatibility (no)\fR" 387/* Obsolete SUN mailtool compatibility feature. 388/* .PP 389/* Available in Postfix version 2.3 and later: 390/* .IP "\fBfrozen_delivered_to (yes)\fR" 391/* Update the \fBlocal\fR(8) delivery agent's idea of the Delivered-To: 392/* address (see prepend_delivered_header) only once, at the start of 393/* a delivery attempt; do not update the Delivered-To: address while 394/* expanding aliases or .forward files. 395/* .PP 396/* Available in Postfix version 2.5.3 and later: 397/* .IP "\fBstrict_mailbox_ownership (yes)\fR" 398/* Defer delivery when a mailbox file is not owned by its recipient. 399/* .IP "\fBreset_owner_alias (no)\fR" 400/* Reset the \fBlocal\fR(8) delivery agent's idea of the owner-alias 401/* attribute, when delivering mail to a child alias that does not have 402/* its own owner alias. 403/* .PP 404/* Available in Postfix version 3.0 and later: 405/* .IP "\fBlocal_delivery_status_filter ($default_delivery_status_filter)\fR" 406/* Optional filter for the \fBlocal\fR(8) delivery agent to change the 407/* status code or explanatory text of successful or unsuccessful 408/* deliveries. 409/* DELIVERY METHOD CONTROLS 410/* .ad 411/* .fi 412/* The precedence of \fBlocal\fR(8) delivery methods from high to low is: 413/* aliases, .forward files, mailbox_transport_maps, 414/* mailbox_transport, mailbox_command_maps, mailbox_command, 415/* home_mailbox, mail_spool_directory, fallback_transport_maps, 416/* fallback_transport, and luser_relay. 417/* .IP "\fBalias_maps (see 'postconf -d' output)\fR" 418/* The alias databases that are used for \fBlocal\fR(8) delivery. 419/* .IP "\fBforward_path (see 'postconf -d' output)\fR" 420/* The \fBlocal\fR(8) delivery agent search list for finding a .forward 421/* file with user-specified delivery methods. 422/* .IP "\fBmailbox_transport_maps (empty)\fR" 423/* Optional lookup tables with per-recipient message delivery 424/* transports to use for \fBlocal\fR(8) mailbox delivery, whether or not the 425/* recipients are found in the UNIX passwd database. 426/* .IP "\fBmailbox_transport (empty)\fR" 427/* Optional message delivery transport that the \fBlocal\fR(8) delivery 428/* agent should use for mailbox delivery to all local recipients, 429/* whether or not they are found in the UNIX passwd database. 430/* .IP "\fBmailbox_command_maps (empty)\fR" 431/* Optional lookup tables with per-recipient external commands to use 432/* for \fBlocal\fR(8) mailbox delivery. 433/* .IP "\fBmailbox_command (empty)\fR" 434/* Optional external command that the \fBlocal\fR(8) delivery agent should 435/* use for mailbox delivery. 436/* .IP "\fBhome_mailbox (empty)\fR" 437/* Optional pathname of a mailbox file relative to a \fBlocal\fR(8) user's 438/* home directory. 439/* .IP "\fBmail_spool_directory (see 'postconf -d' output)\fR" 440/* The directory where \fBlocal\fR(8) UNIX-style mailboxes are kept. 441/* .IP "\fBfallback_transport_maps (empty)\fR" 442/* Optional lookup tables with per-recipient message delivery 443/* transports for recipients that the \fBlocal\fR(8) delivery agent could 444/* not find in the \fBaliases\fR(5) or UNIX password database. 445/* .IP "\fBfallback_transport (empty)\fR" 446/* Optional message delivery transport that the \fBlocal\fR(8) delivery 447/* agent should use for names that are not found in the \fBaliases\fR(5) 448/* or UNIX password database. 449/* .IP "\fBluser_relay (empty)\fR" 450/* Optional catch-all destination for unknown \fBlocal\fR(8) recipients. 451/* .PP 452/* Available in Postfix version 2.2 and later: 453/* .IP "\fBcommand_execution_directory (empty)\fR" 454/* The \fBlocal\fR(8) delivery agent working directory for delivery to 455/* external commands. 456/* MAILBOX LOCKING CONTROLS 457/* .ad 458/* .fi 459/* .IP "\fBdeliver_lock_attempts (20)\fR" 460/* The maximal number of attempts to acquire an exclusive lock on a 461/* mailbox file or \fBbounce\fR(8) logfile. 462/* .IP "\fBdeliver_lock_delay (1s)\fR" 463/* The time between attempts to acquire an exclusive lock on a mailbox 464/* file or \fBbounce\fR(8) logfile. 465/* .IP "\fBstale_lock_time (500s)\fR" 466/* The time after which a stale exclusive mailbox lockfile is removed. 467/* .IP "\fBmailbox_delivery_lock (see 'postconf -d' output)\fR" 468/* How to lock a UNIX-style \fBlocal\fR(8) mailbox before attempting delivery. 469/* RESOURCE AND RATE CONTROLS 470/* .ad 471/* .fi 472/* .IP "\fBcommand_time_limit (1000s)\fR" 473/* Time limit for delivery to external commands. 474/* .IP "\fBduplicate_filter_limit (1000)\fR" 475/* The maximal number of addresses remembered by the address 476/* duplicate filter for \fBaliases\fR(5) or \fBvirtual\fR(5) alias expansion, or 477/* for \fBshowq\fR(8) queue displays. 478/* .IP "\fBmailbox_size_limit (51200000)\fR" 479/* The maximal size of any \fBlocal\fR(8) individual mailbox or maildir 480/* file, or zero (no limit). 481/* .PP 482/* Implemented in the qmgr(8) daemon: 483/* .IP "\fBlocal_destination_concurrency_limit (2)\fR" 484/* The maximal number of parallel deliveries via the local mail 485/* delivery transport to the same recipient (when 486/* "local_destination_recipient_limit = 1") or the maximal number of 487/* parallel deliveries to the same local domain (when 488/* "local_destination_recipient_limit > 1"). 489/* .IP "\fBlocal_destination_recipient_limit (1)\fR" 490/* The maximal number of recipients per message delivery via the 491/* local mail delivery transport. 492/* SECURITY CONTROLS 493/* .ad 494/* .fi 495/* .IP "\fBallow_mail_to_commands (alias, forward)\fR" 496/* Restrict \fBlocal\fR(8) mail delivery to external commands. 497/* .IP "\fBallow_mail_to_files (alias, forward)\fR" 498/* Restrict \fBlocal\fR(8) mail delivery to external files. 499/* .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR" 500/* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in 501/* $name expansions of $mailbox_command and $command_execution_directory. 502/* .IP "\fBdefault_privs (nobody)\fR" 503/* The default rights used by the \fBlocal\fR(8) delivery agent for delivery 504/* to an external file or command. 505/* .IP "\fBforward_expansion_filter (see 'postconf -d' output)\fR" 506/* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in 507/* $name expansions of $forward_path. 508/* .PP 509/* Available in Postfix version 2.2 and later: 510/* .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR" 511/* Restrict the characters that the \fBlocal\fR(8) delivery agent allows 512/* in $name expansions of $command_execution_directory. 513/* .PP 514/* Available in Postfix version 2.5.3 and later: 515/* .IP "\fBstrict_mailbox_ownership (yes)\fR" 516/* Defer delivery when a mailbox file is not owned by its recipient. 517/* MISCELLANEOUS CONTROLS 518/* .ad 519/* .fi 520/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" 521/* The default location of the Postfix main.cf and master.cf 522/* configuration files. 523/* .IP "\fBdaemon_timeout (18000s)\fR" 524/* How much time a Postfix daemon process may take to handle a 525/* request before it is terminated by a built-in watchdog timer. 526/* .IP "\fBdelay_logging_resolution_limit (2)\fR" 527/* The maximal number of digits after the decimal point when logging 528/* sub-second delay values. 529/* .IP "\fBexport_environment (see 'postconf -d' output)\fR" 530/* The list of environment variables that a Postfix process will export 531/* to non-Postfix processes. 532/* .IP "\fBipc_timeout (3600s)\fR" 533/* The time limit for sending or receiving information over an internal 534/* communication channel. 535/* .IP "\fBlocal_command_shell (empty)\fR" 536/* Optional shell program for \fBlocal\fR(8) delivery to non-Postfix commands. 537/* .IP "\fBmax_idle (100s)\fR" 538/* The maximum amount of time that an idle Postfix daemon process waits 539/* for an incoming connection before terminating voluntarily. 540/* .IP "\fBmax_use (100)\fR" 541/* The maximal number of incoming connections that a Postfix daemon 542/* process will service before terminating voluntarily. 543/* .IP "\fBprepend_delivered_header (command, file, forward)\fR" 544/* The message delivery contexts where the Postfix \fBlocal\fR(8) delivery 545/* agent prepends a Delivered-To: message header with the address 546/* that the mail was delivered to. 547/* .IP "\fBprocess_id (read-only)\fR" 548/* The process ID of a Postfix command or daemon process. 549/* .IP "\fBprocess_name (read-only)\fR" 550/* The process name of a Postfix command or daemon process. 551/* .IP "\fBpropagate_unmatched_extensions (canonical, virtual)\fR" 552/* What address lookup tables copy an address extension from the lookup 553/* key to the lookup result. 554/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" 555/* The location of the Postfix top-level queue directory. 556/* .IP "\fBrecipient_delimiter (empty)\fR" 557/* The set of characters that can separate an email address 558/* localpart, user name, or a .forward file name from its extension. 559/* .IP "\fBrequire_home_directory (no)\fR" 560/* Require that a \fBlocal\fR(8) recipient's home directory exists 561/* before mail delivery is attempted. 562/* .IP "\fBsyslog_facility (mail)\fR" 563/* The syslog facility of Postfix logging. 564/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" 565/* A prefix that is prepended to the process name in syslog 566/* records, so that, for example, "smtpd" becomes "prefix/smtpd". 567/* .PP 568/* Available in Postfix version 3.3 and later: 569/* .IP "\fBenable_original_recipient (yes)\fR" 570/* Enable support for the original recipient address after an 571/* address is rewritten to a different address (for example with 572/* aliasing or with canonical mapping). 573/* .IP "\fBservice_name (read-only)\fR" 574/* The master.cf service name of a Postfix daemon process. 575/* .PP 576/* Available in Postfix 3.5 and later: 577/* .IP "\fBinfo_log_address_format (external)\fR" 578/* The email address form that will be used in non-debug logging 579/* (info, warning, etc.). 580/* FILES 581/* The following are examples; details differ between systems. 582/* $HOME/.forward, per-user aliasing 583/* /etc/aliases, system-wide alias database 584/* /var/spool/mail, system mailboxes 585/* SEE ALSO 586/* qmgr(8), queue manager 587/* bounce(8), delivery status reports 588/* newaliases(1), create/update alias database 589/* postalias(1), create/update alias database 590/* aliases(5), format of alias database 591/* postconf(5), configuration parameters 592/* master(5), generic daemon options 593/* postlogd(8), Postfix logging 594/* syslogd(8), system logging 595/* LICENSE 596/* .ad 597/* .fi 598/* The Secure Mailer license must be distributed with this software. 599/* HISTORY 600/* .ad 601/* .fi 602/* The \fBDelivered-To:\fR message header appears in the \fBqmail\fR 603/* system by Daniel Bernstein. 604/* 605/* The \fImaildir\fR structure appears in the \fBqmail\fR system 606/* by Daniel Bernstein. 607/* AUTHOR(S) 608/* Wietse Venema 609/* IBM T.J. Watson Research 610/* P.O. Box 704 611/* Yorktown Heights, NY 10598, USA 612/* 613/* Wietse Venema 614/* Google, Inc. 615/* 111 8th Avenue 616/* New York, NY 10011, USA 617/*--*/ 618 619/* System library. */ 620 621#include <sys_defs.h> 622#include <unistd.h> 623#include <stdlib.h> 624#include <string.h> 625#include <fcntl.h> 626#ifdef USE_PATHS_H 627#include <paths.h> 628#endif 629 630/* Utility library. */ 631 632#include <msg.h> 633#include <mymalloc.h> 634#include <htable.h> 635#include <vstring.h> 636#include <vstream.h> 637#include <iostuff.h> 638#include <name_mask.h> 639#include <set_eugid.h> 640#include <dict.h> 641 642/* Global library. */ 643 644#include <recipient_list.h> 645#include <deliver_request.h> 646#include <deliver_completed.h> 647#include <mail_params.h> 648#include <mail_addr.h> 649#include <mail_conf.h> 650#include <been_here.h> 651#include <mail_params.h> 652#include <mail_version.h> 653#include <ext_prop.h> 654#include <maps.h> 655#include <flush_clnt.h> 656 657/* Single server skeleton. */ 658 659#include <mail_server.h> 660 661/* Application-specific. */ 662 663#include "local.h" 664 665 /* 666 * Tunable parameters. 667 */ 668char *var_allow_commands; 669char *var_allow_files; 670char *var_alias_maps; 671int var_dup_filter_limit; 672int var_command_maxtime; /* You can now leave this here. */ 673char *var_home_mailbox; 674char *var_mailbox_command; 675char *var_mailbox_cmd_maps; 676char *var_rcpt_fdelim; 677char *var_local_cmd_shell; 678char *var_luser_relay; 679int var_biff; 680char *var_mail_spool_dir; 681char *var_mailbox_transport; 682char *var_mbox_transp_maps; 683char *var_fallback_transport; 684char *var_fbck_transp_maps; 685char *var_exec_directory; 686char *var_exec_exp_filter; 687char *var_forward_path; 688char *var_cmd_exp_filter; 689char *var_fwd_exp_filter; 690char *var_prop_extension; 691int var_exp_own_alias; 692char *var_deliver_hdr; 693int var_stat_home_dir; 694int var_mailtool_compat; 695char *var_mailbox_lock; 696long var_mailbox_limit; 697bool var_frozen_delivered; 698bool var_reset_owner_attr; 699bool var_strict_mbox_owner; 700 701int local_cmd_deliver_mask; 702int local_file_deliver_mask; 703int local_ext_prop_mask; 704int local_deliver_hdr_mask; 705int local_mbox_lock_mask; 706MAPS *alias_maps; 707char *var_local_dsn_filter; 708 709/* local_deliver - deliver message with extreme prejudice */ 710 711static int local_deliver(DELIVER_REQUEST *rqst, char *service) 712{ 713 const char *myname = "local_deliver"; 714 RECIPIENT *rcpt_end = rqst->rcpt_list.info + rqst->rcpt_list.len; 715 RECIPIENT *rcpt; 716 int rcpt_stat; 717 int msg_stat; 718 LOCAL_STATE state; 719 USER_ATTR usr_attr; 720 721 if (msg_verbose) 722 msg_info("local_deliver: %s from %s", rqst->queue_id, rqst->sender); 723 724 /* 725 * Initialize the delivery attributes that are not recipient specific. 726 * While messages are being delivered and while aliases or forward files 727 * are being expanded, this attribute list is being changed constantly. 728 * For this reason, the list is passed on by value (except when it is 729 * being initialized :-), so that there is no need to undo attribute 730 * changes made by lower-level routines. The alias/include/forward 731 * expansion attribute list is part of a tree with self and parent 732 * references (see the EXPAND_ATTR definitions). The user-specific 733 * attributes are security sensitive, and are therefore kept separate. 734 * All this results in a noticeable level of clumsiness, but passing 735 * things around by value gives good protection against accidental change 736 * by subroutines. 737 */ 738 state.level = 0; 739 deliver_attr_init(&state.msg_attr); 740 state.msg_attr.queue_name = rqst->queue_name; 741 state.msg_attr.queue_id = rqst->queue_id; 742 state.msg_attr.fp = rqst->fp; 743 state.msg_attr.offset = rqst->data_offset; 744 state.msg_attr.encoding = rqst->encoding; 745 state.msg_attr.smtputf8 = rqst->smtputf8; 746 state.msg_attr.sender = rqst->sender; 747 state.msg_attr.dsn_envid = rqst->dsn_envid; 748 state.msg_attr.dsn_ret = rqst->dsn_ret; 749 state.msg_attr.relay = service; 750 state.msg_attr.msg_stats = rqst->msg_stats; 751 state.msg_attr.request = rqst; 752 RESET_OWNER_ATTR(state.msg_attr, state.level); 753 RESET_USER_ATTR(usr_attr, state.level); 754 state.loop_info = delivered_hdr_init(rqst->fp, rqst->data_offset, 755 FOLD_ADDR_ALL); 756 state.request = rqst; 757 758 /* 759 * Iterate over each recipient named in the delivery request. When the 760 * mail delivery status for a given recipient is definite (i.e. bounced 761 * or delivered), update the message queue file and cross off the 762 * recipient. Update the per-message delivery status. 763 */ 764 for (msg_stat = 0, rcpt = rqst->rcpt_list.info; rcpt < rcpt_end; rcpt++) { 765 state.dup_filter = been_here_init(var_dup_filter_limit, BH_FLAG_FOLD); 766 forward_init(); 767 state.msg_attr.rcpt = *rcpt; 768 rcpt_stat = deliver_recipient(state, usr_attr); 769 rcpt_stat |= forward_finish(rqst, state.msg_attr, rcpt_stat); 770 if (rcpt_stat == 0 && (rqst->flags & DEL_REQ_FLAG_SUCCESS)) 771 deliver_completed(state.msg_attr.fp, rcpt->offset); 772 been_here_free(state.dup_filter); 773 msg_stat |= rcpt_stat; 774 } 775 776 /* 777 * Clean up. 778 */ 779 delivered_hdr_free(state.loop_info); 780 deliver_attr_free(&state.msg_attr); 781 782 return (msg_stat); 783} 784 785/* local_service - perform service for client */ 786 787static void local_service(VSTREAM *stream, char *service, char **argv) 788{ 789 DELIVER_REQUEST *request; 790 int status; 791 792 /* 793 * Sanity check. This service takes no command-line arguments. 794 */ 795 if (argv[0]) 796 msg_fatal("unexpected command-line argument: %s", argv[0]); 797 798 /* 799 * This routine runs whenever a client connects to the UNIX-domain socket 800 * that is dedicated to local mail delivery service. What we see below is 801 * a little protocol to (1) tell the client that we are ready, (2) read a 802 * delivery request from the client, and (3) report the completion status 803 * of that request. 804 */ 805 if ((request = deliver_request_read(stream)) != 0) { 806 status = local_deliver(request, service); 807 deliver_request_done(stream, request, status); 808 } 809} 810 811/* local_mask_init - initialize delivery restrictions */ 812 813static void local_mask_init(void) 814{ 815 static const NAME_MASK file_mask[] = { 816 "alias", EXPAND_TYPE_ALIAS, 817 "forward", EXPAND_TYPE_FWD, 818 "include", EXPAND_TYPE_INCL, 819 0, 820 }; 821 static const NAME_MASK command_mask[] = { 822 "alias", EXPAND_TYPE_ALIAS, 823 "forward", EXPAND_TYPE_FWD, 824 "include", EXPAND_TYPE_INCL, 825 0, 826 }; 827 static const NAME_MASK deliver_mask[] = { 828 "command", DELIVER_HDR_CMD, 829 "file", DELIVER_HDR_FILE, 830 "forward", DELIVER_HDR_FWD, 831 0, 832 }; 833 834 local_file_deliver_mask = name_mask(VAR_ALLOW_FILES, file_mask, 835 var_allow_files); 836 local_cmd_deliver_mask = name_mask(VAR_ALLOW_COMMANDS, command_mask, 837 var_allow_commands); 838 local_ext_prop_mask = 839 ext_prop_mask(VAR_PROP_EXTENSION, var_prop_extension); 840 local_deliver_hdr_mask = name_mask(VAR_DELIVER_HDR, deliver_mask, 841 var_deliver_hdr); 842 local_mbox_lock_mask = mbox_lock_mask(var_mailbox_lock); 843 if (var_mailtool_compat) { 844 msg_warn("%s: deprecated parameter, use \"%s = dotlock\" instead", 845 VAR_MAILTOOL_COMPAT, VAR_MAILBOX_LOCK); 846 local_mbox_lock_mask &= MBOX_DOT_LOCK; 847 } 848 if (local_mbox_lock_mask == 0) 849 msg_fatal("parameter %s specifies no applicable mailbox locking method", 850 VAR_MAILBOX_LOCK); 851} 852 853/* pre_accept - see if tables have changed */ 854 855static void pre_accept(char *unused_name, char **unused_argv) 856{ 857 const char *table; 858 859 if ((table = dict_changed_name()) != 0) { 860 msg_info("table %s has changed -- restarting", table); 861 exit(0); 862 } 863} 864 865/* post_init - post-jail initialization */ 866 867static void post_init(char *unused_name, char **unused_argv) 868{ 869 870 /* 871 * Drop privileges most of the time, and set up delivery restrictions. 872 */ 873 set_eugid(var_owner_uid, var_owner_gid); 874 local_mask_init(); 875} 876 877/* pre_init - pre-jail initialization */ 878 879static void pre_init(char *unused_name, char **unused_argv) 880{ 881 882 /* 883 * Reset the file size limit from the message size limit to the mailbox 884 * size limit. XXX This still isn't accurate because the file size limit 885 * also affects delivery to command. 886 * 887 * A file size limit protects the machine against runaway software errors. 888 * It is not suitable to enforce mail quota, because users can get around 889 * mail quota by delivering to /file/name or to |command. 890 * 891 * We can't have mailbox size limit smaller than the message size limit, 892 * because that prohibits the delivery agent from updating the queue 893 * file. 894 */ 895 if (ENFORCING_SIZE_LIMIT(var_mailbox_limit)) { 896 if (!ENFORCING_SIZE_LIMIT(var_message_limit)) 897 msg_fatal("configuration error: %s is limited but %s is " 898 "unlimited", VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT); 899 if (var_mailbox_limit < var_message_limit) 900 msg_fatal("configuration error: %s is smaller than %s", 901 VAR_MAILBOX_LIMIT, VAR_MESSAGE_LIMIT); 902 set_file_limit(var_mailbox_limit); 903 } 904 alias_maps = maps_create("aliases", var_alias_maps, 905 DICT_FLAG_LOCK | DICT_FLAG_PARANOID 906 | DICT_FLAG_FOLD_FIX 907 | DICT_FLAG_UTF8_REQUEST); 908 909 flush_init(); 910} 911 912MAIL_VERSION_STAMP_DECLARE; 913 914/* main - pass control to the single-threaded skeleton */ 915 916int main(int argc, char **argv) 917{ 918 static const CONFIG_TIME_TABLE time_table[] = { 919 VAR_COMMAND_MAXTIME, DEF_COMMAND_MAXTIME, &var_command_maxtime, 1, 0, 920 0, 921 }; 922 static const CONFIG_INT_TABLE int_table[] = { 923 VAR_DUP_FILTER_LIMIT, DEF_DUP_FILTER_LIMIT, &var_dup_filter_limit, 0, 0, 924 0, 925 }; 926 static const CONFIG_LONG_TABLE long_table[] = { 927 VAR_MAILBOX_LIMIT, DEF_MAILBOX_LIMIT, &var_mailbox_limit, 0, 0, 928 0, 929 }; 930 static const CONFIG_STR_TABLE str_table[] = { 931 VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0, 932 VAR_HOME_MAILBOX, DEF_HOME_MAILBOX, &var_home_mailbox, 0, 0, 933 VAR_ALLOW_COMMANDS, DEF_ALLOW_COMMANDS, &var_allow_commands, 0, 0, 934 VAR_ALLOW_FILES, DEF_ALLOW_FILES, &var_allow_files, 0, 0, 935 VAR_LOCAL_CMD_SHELL, DEF_LOCAL_CMD_SHELL, &var_local_cmd_shell, 0, 0, 936 VAR_MAIL_SPOOL_DIR, DEF_MAIL_SPOOL_DIR, &var_mail_spool_dir, 0, 0, 937 VAR_MAILBOX_TRANSP, DEF_MAILBOX_TRANSP, &var_mailbox_transport, 0, 0, 938 VAR_MBOX_TRANSP_MAPS, DEF_MBOX_TRANSP_MAPS, &var_mbox_transp_maps, 0, 0, 939 VAR_FALLBACK_TRANSP, DEF_FALLBACK_TRANSP, &var_fallback_transport, 0, 0, 940 VAR_FBCK_TRANSP_MAPS, DEF_FBCK_TRANSP_MAPS, &var_fbck_transp_maps, 0, 0, 941 VAR_CMD_EXP_FILTER, DEF_CMD_EXP_FILTER, &var_cmd_exp_filter, 1, 0, 942 VAR_FWD_EXP_FILTER, DEF_FWD_EXP_FILTER, &var_fwd_exp_filter, 1, 0, 943 VAR_EXEC_EXP_FILTER, DEF_EXEC_EXP_FILTER, &var_exec_exp_filter, 1, 0, 944 VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0, 945 VAR_DELIVER_HDR, DEF_DELIVER_HDR, &var_deliver_hdr, 0, 0, 946 VAR_MAILBOX_LOCK, DEF_MAILBOX_LOCK, &var_mailbox_lock, 1, 0, 947 VAR_MAILBOX_CMD_MAPS, DEF_MAILBOX_CMD_MAPS, &var_mailbox_cmd_maps, 0, 0, 948 VAR_LOCAL_DSN_FILTER, DEF_LOCAL_DSN_FILTER, &var_local_dsn_filter, 0, 0, 949 0, 950 }; 951 static const CONFIG_BOOL_TABLE bool_table[] = { 952 VAR_BIFF, DEF_BIFF, &var_biff, 953 VAR_EXP_OWN_ALIAS, DEF_EXP_OWN_ALIAS, &var_exp_own_alias, 954 VAR_STAT_HOME_DIR, DEF_STAT_HOME_DIR, &var_stat_home_dir, 955 VAR_MAILTOOL_COMPAT, DEF_MAILTOOL_COMPAT, &var_mailtool_compat, 956 VAR_FROZEN_DELIVERED, DEF_FROZEN_DELIVERED, &var_frozen_delivered, 957 VAR_RESET_OWNER_ATTR, DEF_RESET_OWNER_ATTR, &var_reset_owner_attr, 958 VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner, 959 0, 960 }; 961 962 /* Suppress $name expansion upon loading. */ 963 static const CONFIG_RAW_TABLE raw_table[] = { 964 VAR_EXEC_DIRECTORY, DEF_EXEC_DIRECTORY, &var_exec_directory, 0, 0, 965 VAR_FORWARD_PATH, DEF_FORWARD_PATH, &var_forward_path, 0, 0, 966 VAR_MAILBOX_COMMAND, DEF_MAILBOX_COMMAND, &var_mailbox_command, 0, 0, 967 VAR_LUSER_RELAY, DEF_LUSER_RELAY, &var_luser_relay, 0, 0, 968 0, 969 }; 970 971 /* 972 * Fingerprint executables and core dumps. 973 */ 974 MAIL_VERSION_STAMP_ALLOCATE; 975 976 single_server_main(argc, argv, local_service, 977 CA_MAIL_SERVER_INT_TABLE(int_table), 978 CA_MAIL_SERVER_LONG_TABLE(long_table), 979 CA_MAIL_SERVER_STR_TABLE(str_table), 980 CA_MAIL_SERVER_RAW_TABLE(raw_table), 981 CA_MAIL_SERVER_BOOL_TABLE(bool_table), 982 CA_MAIL_SERVER_TIME_TABLE(time_table), 983 CA_MAIL_SERVER_PRE_INIT(pre_init), 984 CA_MAIL_SERVER_POST_INIT(post_init), 985 CA_MAIL_SERVER_PRE_ACCEPT(pre_accept), 986 CA_MAIL_SERVER_PRIVILEGED, 987 CA_MAIL_SERVER_BOUNCE_INIT(VAR_LOCAL_DSN_FILTER, 988 &var_local_dsn_filter), 989 0); 990} 991