src/anvil/ Connection count/rate limiter
src/bounce/ Bounce or defer mail
src/cleanup/ Canonicalize and enqueue mail
+ src/discard/ Trivial discard mailer
src/error/ Trivial error mailer
src/lmtp/ LMTP client
src/local/ Local delivery
type when a Delivered-To: loop was detected for a mailing
list alias. Nicolas Riendeau. File: bounce_notify_util.c.
+20040918
+
+ Feature: authorized_flush_users, authorized_mailq_users,
+ authorized_sendmail_users to restrict what users can flush
+ the queue, list the queue, or submit mail locally. Victor
+ Duchovni, Morgan Stanley. Files: sendmail/sendmail.c,
+ postdrop/postdrop.c, postqueue/postqueue.c, global/user_acl.[hc].
+
+ Feature: discard(8) mail delivery agent. Victor Duchovni,
+ Morgan Stanley. File: discard/discard.c.
+
Open problems:
Low: should the Delivered-To: test in local(8) be configurable?
src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop \
src/postkick src/postlock src/postlog src/postmap src/postqueue \
src/postsuper src/qmqpd src/spawn src/flush src/verify \
- src/virtual src/proxymap src/anvil src/scache
+ src/virtual src/proxymap src/anvil src/scache src/discard
MANDIRS = proto man html
default: update
* The queue manager (the qmgr(8) server process in the figure) is the heart
of Postfix mail delivery. It contacts the smtp(8), lmtp(8), local(8),
- virtual(8), pipe(8), or error(8) delivery agents, and sends a delivery
- request for one or more recipient addresses. The error(8) delivery agent is
- special: it always declares mail as undeliverable. It is not shown in the
- figure above.
+ virtual(8), pipe(8), discard(8) or error(8) delivery agents, and sends a
+ delivery request for one or more recipient addresses. The discard(8) and
+ error(8) delivery agents are special: they discard or bounce all mail, they
+ are not shown in the figure above.
The queue manager maintains a small active queue with the messages that it
has opened for delivery. The active queue acts as a limited window on
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
+discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
EOF
}
+ # Add missing discard service to master.cf.
+
+ grep '^discard.*discard' $config_directory/master.cf >/dev/null || {
+ echo Editing $config_directory/master.cf, adding missing entry for discard service
+ cat >>$config_directory/master.cf <<EOF || exit 1
+discard unix - - n - - discard
+EOF
+ }
+
# Report (but do not remove) obsolete files.
test -n "$obsolete" && {
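Review bot: The `grep '^discard.*discard'` presence test on the master.cf edit treats a commented-out `#discard ...` line as missing, so an administrator who deliberately disabled the service gets a new active entry appended on the next post-install run; it also appends whenever grep exits non-zero for any other reason, such as an unreadable master.cf, since that is indistinguishable from "no match". If the intent is only to fill in an entry that was never there, match the commented form as well, e.g. `grep '^#*discard[[:space:]].*[[:space:]]discard' $config_directory/master.cf >/dev/null || {`, and keep the appended service line byte-identical to the one in the master.cf template earlier in this hunk so a fresh install and an upgrade end up with the same entry. The new entry is presumably inert until a transport refers to the discard service, so this is a configuration-intent issue rather than a direct exposure. The enclosing post-install script continues outside the hunk.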
$daemon_directory/anvil:f:root:-:755
$daemon_directory/bounce:f:root:-:755
$daemon_directory/cleanup:f:root:-:755
+$daemon_directory/discard:f:root:-:755
$daemon_directory/error:f:root:-:755
$daemon_directory/flush:f:root:-:755
$daemon_directory/lmtp:f:root:-:755
$manpage_directory/man8/cleanup.8:f:root:-:644
$manpage_directory/man8/anvil.8:f:root:-:644
$manpage_directory/man8/defer.8:f:root:-:644
+$manpage_directory/man8/discard.8:f:root:-:644
$manpage_directory/man8/error.8:f:root:-:644
$manpage_directory/man8/flush.8:f:root:-:644
$manpage_directory/man8/lmtp.8:f:root:-:644
$html_directory/cidr_table.5.html:f:root:-:644
$html_directory/cleanup.8.html:f:root:-:644
$html_directory/defer.8.html:f:root:-:644
+$html_directory/discard.8.html:f:root:-:644
$html_directory/error.8.html:f:root:-:644
$html_directory/flush.8.html:f:root:-:644
$html_directory/header_checks.5.html:f:root:-:644
showq.8.html smtp.8.html smtpd.8.html trivial-rewrite.8.html \
oqmgr.8.html spawn.8.html flush.8.html virtual.8.html qmqpd.8.html \
trace.8.html verify.8.html proxymap.8.html anvil.8.html \
- scache.8.html
+ scache.8.html discard.8.html
COMMANDS= mailq.1.html newaliases.1.html postalias.1.html postcat.1.html \
postconf.1.html postfix.1.html postkick.1.html postlock.1.html \
postlog.1.html postdrop.1.html postmap.1.html sendmail.1.html \
rm -f $@
ln -s $? $@
+discard.8.html: ../src/discard/discard.c
+ PATH=../mantools:$$PATH; \
+ srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
+
error.8.html: ../src/error/error.c
PATH=../mantools:$$PATH; \
srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@
<li> <p> The queue manager (the <a href="qmgr.8.html">qmgr(8)</a> server process in the
figure) is the heart of Postfix mail delivery. It contacts the
-<a href="smtp.8.html">smtp(8)</a>, <a href="lmtp.8.html">lmtp(8)</a>, <a href="local.8.html">local(8)</a>, <a href="virtual.8.html">virtual(8)</a>, <a href="pipe.8.html">pipe(8)</a>, or <a href="error.8.html">error(8)</a> delivery
-agents, and sends a delivery request for one or more recipient
-addresses. The <a href="error.8.html">error(8)</a> delivery agent is special: it always declares
-mail as undeliverable. It is not shown in the figure above. </p>
+<a href="smtp.8.html">smtp(8)</a>, <a href="lmtp.8.html">lmtp(8)</a>, <a href="local.8.html">local(8)</a>, <a href="virtual.8.html">virtual(8)</a>, <a href="pipe.8.html">pipe(8)</a>, <a href="discard.8.html">discard(8)</a> or
+<a href="error.8.html">error(8)</a> delivery agents, and sends a delivery request for one
+or more recipient addresses. The <a href="discard.8.html">discard(8)</a> and <a href="error.8.html">error(8)</a> delivery
+agents are special: they discard or bounce all mail, they are not
+shown in the figure above. </p>
<p> The queue manager maintains a small <a href="QSHAPE_README.html#active_queue">active queue</a> with the
messages that it has opened for delivery. The <a href="QSHAPE_README.html#active_queue">active queue</a> acts as
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html> <head>
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+<title> Postfix manual - discard(8) </title>
+</head> <body> <pre>
+DISCARD(8) DISCARD(8)
+
+<b>NAME</b>
+ discard - Postfix discard mail delivery agent
+
+<b>SYNOPSIS</b>
+ <b>discard</b> [generic Postfix daemon options]
+
+<b>DESCRIPTION</b>
+ The Postfix discard delivery agent processes delivery
+ requests from the queue manager. Each request specifies a
+ queue file, a sender address, a domain or host name that
+ is treated as the reason for discarding the mail, and
+ recipient information. This program expects to be run
+ from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
+
+ The discard delivery agent pretends to deliver all recipi-
+ ents in the delivery request, logs the "next-hop" domain
+ or host information as the reason for discarding the mail,
+ updates the queue file and marks recipients as finished or
+ informs the queue manager that delivery should be tried
+ again at a later time.
+
+ Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>,
+ <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.
+
+<b>SECURITY</b>
+ The discard mailer is not security-sensitive. It does not
+ talk to the network, and can be run chrooted at fixed low
+ privilege.
+
+<b>STANDARDS</b>
+ None.
+
+<b>DIAGNOSTICS</b>
+ Problems and transactions are logged to <b>syslogd</b>(8).
+
+ Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
+ the postmaster is notified of bounces and of other trou-
+ ble.
+
+<b>CONFIGURATION PARAMETERS</b>
+ Changes to <b>main.cf</b> are picked up automatically as dis-
+ card(8) processes run for only a limited amount of time.
+ Use the command "<b>postfix reload</b>" to speed up a change.
+
+ The text below provides only a parameter summary. See
+ <a href="postconf.5.html">postconf(5)</a> for more details including examples.
+
+ <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
+ The default location of the Postfix main.cf and
+ master.cf configuration files.
+
+ <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
+ built-in watchdog timer.
+
+ <b><a href="postconf.5.html#double_bounce_sender">double_bounce_sender</a> (double-bounce)</b>
+ The sender address of postmaster notifications that
+ are generated by the mail system.
+
+ <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
+ The time limit for sending or receiving information
+ over an internal communication channel.
+
+ <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
+ The maximum amount of time that an idle Postfix
+ daemon process waits for the next service request
+ before exiting.
+
+ <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
+
+ <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
+ The process ID of a Postfix command or daemon pro-
+ cess.
+
+ <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
+ The process name of a Postfix command or daemon
+ process.
+
+ <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
+ The location of the Postfix top-level queue direc-
+ tory.
+
+ <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
+ The syslog facility of Postfix logging.
+
+ <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
+ The mail system name that is prepended to the pro-
+ cess name in syslog records, so that "smtpd"
+ becomes, for example, "postfix/smtpd".
+
+<b>SEE ALSO</b>
+ <a href="qmgr.8.html">qmgr(8)</a>, queue manager
+ <a href="bounce.8.html">bounce(8)</a>, delivery status reports
+ <a href="error.8.html">error(8)</a>, Postfix error delivery agent
+ <a href="postconf.5.html">postconf(5)</a>, configuration parameters
+ <a href="master.8.html">master(8)</a>, process manager
+ syslogd(8), system logging
+
+<b>LICENSE</b>
+ The Secure Mailer license must be distributed with this
+ software.
+
+<b>HISTORY</b>
+ This service was introduced with Postfix version 2.2.
+
+<b>AUTHOR(S)</b>
+ Victor Duchovni
+ Morgan Stanley
+
+ Based on code by:
+ Wietse Venema
+ IBM T.J. Watson Research
+ P.O. Box 704
+ Yorktown Heights, NY 10598, USA
+
+ DISCARD(8)
+</pre> </body> </html>
<b>SEE ALSO</b>
<a href="qmgr.8.html">qmgr(8)</a>, queue manager
<a href="bounce.8.html">bounce(8)</a>, delivery status reports
+ <a href="discard.8.html">discard(8)</a>, Postfix discard delivery agent
<a href="postconf.5.html">postconf(5)</a>, configuration parameters
<a href="master.8.html">master(8)</a>, process manager
syslogd(8), system logging
</p>
+</DD>
+
+<DT><b><a name="authorized_flush_users">authorized_flush_users</a>
+(default: static:anyone)</b></DT><DD>
+
+<p>
+List of users who are authorized to flush the queue.
+</p>
+
+<p>
+By default all users are allowed to flush the queue. Otherwise if the
+invoking user is neither the super-user nor the $<a href="postconf.5.html#mail_owner">mail_owner</a> user, access
+is denied unless the real uid of the process trying to flush the queue
+is listed in the system password file and the corresponding login name
+is on the access list. </p>
+
+<p>
+Specify a list of user names, "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns,
+separated by commas and/or whitespace. The list is matched left to
+right, and the search stops on the first match. Specify "!name" to
+exclude a name from the list. A "/file/name" pattern is replaced
+by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a name
+matches a lookup key (the lookup result is ignored). Continue long
+lines by starting the next line with whitespace. </p>
+
+<p>
+This feature is available in Postfix 2.2 and later.
+</p>
+
+
+</DD>
+
+<DT><b><a name="authorized_mailq_users">authorized_mailq_users</a>
+(default: static:anyone)</b></DT><DD>
+
+<p>
+List of users who are authorized to view the queue.
+</p>
+
+<p>
+By default all users are allowed to view the queue. Otherwise if the
+invoking user is neither the super-user nor the $<a href="postconf.5.html#mail_owner">mail_owner</a> user, access
+is denied unless the real uid of the process trying to view the queue
+is listed in the system password file and the corresponding login name
+is on the access list. </p>
+
+<p>
+Specify a list of user names, "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns,
+separated by commas and/or whitespace. The list is matched left to
+right, and the search stops on the first match. Specify "!name" to
+exclude a name from the list. A "/file/name" pattern is replaced
+by its contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a name
+matches a lookup key (the lookup result is ignored). Continue long
+lines by starting the next line with whitespace. </p>
+
+<p>
+This feature is available in Postfix 2.2 and later.
+</p>
+
+
+</DD>
+
+<DT><b><a name="authorized_sendmail_users">authorized_sendmail_users</a>
+(default: static:anyone)</b></DT><DD>
+
+<p>
+List of users who are authorized to use the <a href="sendmail.1.html">sendmail(1)</a> command
+(and the privileged <a href="postdrop.1.html">postdrop(1)</a> helper command) to submit mail.
+</p>
+
+<p>
+By default all users are allowed to submit mail. Otherwise, access is denied
+unless the real uid of the process trying to submit mail is listed in
+the system password file and the corresponding login name is on the
+access list. To deny mail submission access to all users specify an
+empty list. </p>
+
+<p>
+Specify a list of user names, "/file/name" or "<a href="DATABASE_README.html">type:table</a>" patterns,
+separated by commas and/or whitespace. The list is matched left to right,
+and the search stops on the first match. Specify "!name" to exclude a
+name from the list. A "/file/name" pattern is replaced by its contents;
+a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a name matches a lookup key
+(the lookup result is ignored). Continue long lines by starting the
+next line with whitespace. </p>
+
+<p>
+This feature is available in Postfix 2.2 and later.
+</p>
+
+
</DD>
<DT><b><a name="authorized_verp_clients">authorized_verp_clients</a>
daemon (for example, the <a href="pickup.8.html">pickup(8)</a> or <a href="qmgr.8.html">qmgr(8)</a> dae-
mon).
+ Available in Postfix version 2.2 and later:
+
+ <b><a href="postconf.5.html#authorized_sendmail_users">authorized_sendmail_users</a> (static:anyone)</b>
+ List of users who are authorized to use the <a href="sendmail.1.html">send-</a>
+ <a href="sendmail.1.html">mail(1)</a> command (and the privileged <a href="postdrop.1.html">postdrop(1)</a>
+ helper command) to submit mail.
+
<b>FILES</b>
/var/spool/postfix/<a href="QSHAPE_README.html#maildrop_queue">maildrop</a>, <a href="QSHAPE_README.html#maildrop_queue">maildrop queue</a>
<a href="anvil.8.html">anvil(8)</a>, Postfix connection/rate limiting
<a href="bounce.8.html">bounce(8)</a>, <a href="defer.8.html">defer(8)</a>, <a href="trace.8.html">trace(8)</a>, Delivery status reports
<a href="cleanup.8.html">cleanup(8)</a>, canonicalize and enqueue message
+ <a href="discard.8.html">discard(8)</a>, Postfix discard delivery agent
<a href="error.8.html">error(8)</a>, Postfix error delivery agent
<a href="flush.8.html">flush(8)</a>, Postfix fast ETRN service
<a href="lmtp.8.html">lmtp(8)</a>, Postfix LMTP client
<a href="proxymap.8.html">proxymap(8)</a>, Postfix lookup table proxy server
<a href="qmgr.8.html">qmgr(8)</a>, Postfix queue manager
<a href="qmqpd.8.html">qmqpd(8)</a>, Postfix QMQP server
+ <a href="scache.8.html">scache(8)</a>, Postfix session cache manager
<a href="showq.8.html">showq(8)</a>, list Postfix mail queue
<a href="smtp.8.html">smtp(8)</a>, Postfix SMTP client
<a href="smtpd.8.html">smtpd(8)</a>, Postfix SMTP server
daemon (for example, the <a href="pickup.8.html">pickup(8)</a> or <a href="qmgr.8.html">qmgr(8)</a> dae-
mon).
+ Available in Postfix version 2.2 and later:
+
+ <b><a href="postconf.5.html#authorized_flush_users">authorized_flush_users</a> (static:anyone)</b>
+ List of users who are authorized to flush the
+ queue.
+
+ <b><a href="postconf.5.html#authorized_mailq_users">authorized_mailq_users</a> (static:anyone)</b>
+ List of users who are authorized to view the queue.
+
<b>FILES</b>
/var/spool/postfix, mail queue
logging level to increase by the amount specified
in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
+<b>ACCESS CONTROLS</b>
+ Available in Postfix version 2.2 and later:
+
+ <b><a href="postconf.5.html#authorized_flush_users">authorized_flush_users</a> (static:anyone)</b>
+ List of users who are authorized to flush the
+ queue.
+
+ <b><a href="postconf.5.html#authorized_mailq_users">authorized_mailq_users</a> (static:anyone)</b>
+ List of users who are authorized to view the queue.
+
+ <b><a href="postconf.5.html#authorized_sendmail_users">authorized_sendmail_users</a> (static:anyone)</b>
+ List of users who are authorized to use the <a href="sendmail.1.html">send-</a>
+ <a href="sendmail.1.html">mail(1)</a> command (and the privileged <a href="postdrop.1.html">postdrop(1)</a>
+ helper command) to submit mail.
+
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#bounce_size_limit">bounce_size_limit</a> (50000)</b>
The maximal amount of original message text that is
man8/showq.8 man8/smtp.8 man8/smtpd.8 man8/trivial-rewrite.8 \
man8/oqmgr.8 man8/spawn.8 man8/flush.8 man8/virtual.8 man8/qmqpd.8 \
man8/verify.8 man8/trace.8 man8/proxymap.8 man8/anvil.8 \
- man8/scache.8
+ man8/scache.8 man8/discard.8
COMMANDS= man1/postalias.1 man1/postcat.1 man1/postconf.1 man1/postfix.1 \
man1/postkick.1 man1/postlock.1 man1/postlog.1 man1/postdrop.1 \
man1/postmap.1 man1/sendmail.1 man1/mailq.1 man1/newaliases.1 \
(cmp -s junk $? || mv junk $?)
../mantools/srctoman $? >$@
+man8/discard.8: ../src/discard/discard.c
+ ../mantools/fixman ../proto/postconf.proto $? >junk && \
+ (cmp -s junk $? || mv junk $?)
+ ../mantools/srctoman $? >$@
+
man8/error.8: ../src/error/error.c
../mantools/fixman ../proto/postconf.proto $? >junk && \
(cmp -s junk $? || mv junk $?)
.IP "\fBtrigger_timeout (10s)\fR"
The time limit for sending a trigger to a Postfix daemon (for
example, the pickup(8) or qmgr(8) daemon).
+.PP
+Available in Postfix version 2.2 and later:
+.IP "\fBauthorized_sendmail_users (static:anyone)\fR"
+List of users who are authorized to use the sendmail(1) command
+(and the privileged postdrop(1) helper command) to submit mail.
.SH "FILES"
.na
.nf
anvil(8), Postfix connection/rate limiting
bounce(8), defer(8), trace(8), Delivery status reports
cleanup(8), canonicalize and enqueue message
+discard(8), Postfix discard delivery agent
error(8), Postfix error delivery agent
flush(8), Postfix fast ETRN service
lmtp(8), Postfix LMTP client
proxymap(8), Postfix lookup table proxy server
qmgr(8), Postfix queue manager
qmqpd(8), Postfix QMQP server
+scache(8), Postfix session cache manager
showq(8), list Postfix mail queue
smtp(8), Postfix SMTP client
smtpd(8), Postfix SMTP server
.IP "\fBtrigger_timeout (10s)\fR"
The time limit for sending a trigger to a Postfix daemon (for
example, the pickup(8) or qmgr(8) daemon).
+.PP
+Available in Postfix version 2.2 and later:
+.IP "\fBauthorized_flush_users (static:anyone)\fR"
+List of users who are authorized to flush the queue.
+.IP "\fBauthorized_mailq_users (static:anyone)\fR"
+List of users who are authorized to view the queue.
.SH "FILES"
.na
.nf
Optional list of remote client or server hostname or network
address patterns that cause the verbose logging level to increase
by the amount specified in $debug_peer_level.
+.SH "ACCESS CONTROLS"
+.na
+.nf
+.ad
+.fi
+Available in Postfix version 2.2 and later:
+.IP "\fBauthorized_flush_users (static:anyone)\fR"
+List of users who are authorized to flush the queue.
+.IP "\fBauthorized_mailq_users (static:anyone)\fR"
+List of users who are authorized to view the queue.
+.IP "\fBauthorized_sendmail_users (static:anyone)\fR"
+List of users who are authorized to use the sendmail(1) command
+(and the privileged postdrop(1) helper command) to submit mail.
.SH "RESOURCE AND RATE CONTROLS"
.na
.nf
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.1 and later.
+.SH authorized_flush_users (default: static:anyone)
+List of users who are authorized to flush the queue.
+.PP
+By default all users are allowed to flush the queue. Otherwise if the
+invoking user is neither the super-user nor the $mail_owner user, access
+is denied unless the real uid of the process trying to flush the queue
+is listed in the system password file and the corresponding login name
+is on the access list.
+.PP
+Specify a list of user names, "/file/name" or "type:table" patterns,
+separated by commas and/or whitespace. The list is matched left to
+right, and the search stops on the first match. Specify "!name" to
+exclude a name from the list. A "/file/name" pattern is replaced
+by its contents; a "type:table" lookup table is matched when a name
+matches a lookup key (the lookup result is ignored). Continue long
+lines by starting the next line with whitespace.
+.PP
+This feature is available in Postfix 2.2 and later.
+.SH authorized_mailq_users (default: static:anyone)
+List of users who are authorized to view the queue.
+.PP
+By default all users are allowed to view the queue. Otherwise if the
+invoking user is neither the super-user nor the $mail_owner user, access
+is denied unless the real uid of the process trying to view the queue
+is listed in the system password file and the corresponding login name
+is on the access list.
+.PP
+Specify a list of user names, "/file/name" or "type:table" patterns,
+separated by commas and/or whitespace. The list is matched left to
+right, and the search stops on the first match. Specify "!name" to
+exclude a name from the list. A "/file/name" pattern is replaced
+by its contents; a "type:table" lookup table is matched when a name
+matches a lookup key (the lookup result is ignored). Continue long
+lines by starting the next line with whitespace.
+.PP
+This feature is available in Postfix 2.2 and later.
+.SH authorized_sendmail_users (default: static:anyone)
+List of users who are authorized to use the sendmail(1) command
+(and the privileged postdrop(1) helper command) to submit mail.
+.PP
+By all users are allowed to submit mail. Otherwise, access is denied
+unless the real uid of the process trying to submit mail is listed in
+the system password file and the corresponding login name is on the
+access list. To deny mail submission access to all users specify an
+empty list.
+.PP
+Specify a list of user names, "/file/name" or "type:table" patterns,
+separated by commas and/or whitespace. The list is matched left to right,
+and the search stops on the first match. Specify "!name" to exclude a
+name from the list. A "/file/name" pattern is replaced by its contents;
+a "type:table" lookup table is matched when a name matches a lookup key
+(the lookup result is ignored). Continue long lines by starting the
+next line with whitespace.
+.PP
+This feature is available in Postfix 2.2 and later.
.SH authorized_verp_clients (default: $mynetworks)
What SMTP clients are allowed to specify the XVERP command.
This command requests that mail be delivered one recipient at a
--- /dev/null
+.TH DISCARD 8
+.ad
+.fi
+.SH NAME
+discard
+\-
+Postfix discard mail delivery agent
+.SH "SYNOPSIS"
+.na
+.nf
+\fBdiscard\fR [generic Postfix daemon options]
+.SH DESCRIPTION
+.ad
+.fi
+The Postfix discard delivery agent processes delivery requests from
+the queue manager. Each request specifies a queue file, a sender
+address, a domain or host name that is treated as the reason for
+discarding the mail, and recipient information.
+This program expects to be run from the \fBmaster\fR(8) process
+manager.
+
+The discard delivery agent pretends to deliver all recipients
+in the delivery request, logs the "next-hop" domain or host
+information as the reason for discarding the mail, updates the
+queue file and marks recipients as finished or informs the
+queue manager that delivery should be tried again at a later time.
+
+Delivery status reports are sent to the \fBbounce\fR(8),
+\fBdefer\fR(8) or \fBtrace\fR(8) daemon as appropriate.
+.SH "SECURITY"
+.na
+.nf
+.ad
+.fi
+The discard mailer is not security-sensitive. It does not talk
+to the network, and can be run chrooted at fixed low privilege.
+.SH "STANDARDS"
+.na
+.nf
+None.
+.SH DIAGNOSTICS
+.ad
+.fi
+Problems and transactions are logged to \fBsyslogd\fR(8).
+
+Depending on the setting of the \fBnotify_classes\fR parameter,
+the postmaster is notified of bounces and of other trouble.
+.SH "CONFIGURATION PARAMETERS"
+.na
+.nf
+.ad
+.fi
+Changes to \fBmain.cf\fR are picked up automatically as discard(8)
+processes run for only a limited amount of time. Use the command
+"\fBpostfix reload\fR" to speed up a change.
+
+The text below provides only a parameter summary. See
+postconf(5) for more details including examples.
+.IP "\fBconfig_directory (see 'postconf -d' output)\fR"
+The default location of the Postfix main.cf and master.cf
+configuration files.
+.IP "\fBdaemon_timeout (18000s)\fR"
+How much time a Postfix daemon process may take to handle a
+request before it is terminated by a built-in watchdog timer.
+.IP "\fBdouble_bounce_sender (double-bounce)\fR"
+The sender address of postmaster notifications that are generated
+by the mail system.
+.IP "\fBipc_timeout (3600s)\fR"
+The time limit for sending or receiving information over an internal
+communication channel.
+.IP "\fBmax_idle (100s)\fR"
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
+.IP "\fBmax_use (100)\fR"
+The maximal number of connection requests before a Postfix daemon
+process terminates.
+.IP "\fBprocess_id (read-only)\fR"
+The process ID of a Postfix command or daemon process.
+.IP "\fBprocess_name (read-only)\fR"
+The process name of a Postfix command or daemon process.
+.IP "\fBqueue_directory (see 'postconf -d' output)\fR"
+The location of the Postfix top-level queue directory.
+.IP "\fBsyslog_facility (mail)\fR"
+The syslog facility of Postfix logging.
+.IP "\fBsyslog_name (postfix)\fR"
+The mail system name that is prepended to the process name in syslog
+records, so that "smtpd" becomes, for example, "postfix/smtpd".
+.SH "SEE ALSO"
+.na
+.nf
+qmgr(8), queue manager
+bounce(8), delivery status reports
+error(8), Postfix error delivery agent
+postconf(5), configuration parameters
+master(8), process manager
+syslogd(8), system logging
+.SH "LICENSE"
+.na
+.nf
+.ad
+.fi
+The Secure Mailer license must be distributed with this software.
+.SH "HISTORY"
+.na
+.nf
+This service was introduced with Postfix version 2.2.
+.SH "AUTHOR(S)"
+.na
+.nf
+Victor Duchovni
+Morgan Stanley
+
+Based on code by:
+Wietse Venema
+IBM T.J. Watson Research
+P.O. Box 704
+Yorktown Heights, NY 10598, USA
.nf
qmgr(8), queue manager
bounce(8), delivery status reports
+discard(8), Postfix discard delivery agent
postconf(5), configuration parameters
master(8), process manager
syslogd(8), system logging
$printit = 0;
next LINE;
}
+ s;\bautho[-</bB>]*\n*[ <bB>]*rized_flush_users\b;<a href="postconf.5.html#authorized_flush_users">$&</a>;g;
+ s;\bautho[-</bB>]*\n*[ <bB>]*rized_mailq_users\b;<a href="postconf.5.html#authorized_mailq_users">$&</a>;g;
+ s;\bautho[-</bB>]*\n*[ <bB>]*rized_sendmail_users\b;<a href="postconf.5.html#authorized_sendmail_users">$&</a>;g;
s;\bautho[-</bB>]*\n*[ <bB>]*rized_verp_clients\b;<a href="postconf.5.html#authorized_verp_clients">$&</a>;g;
s;\bdebugger_command\b;<a href="postconf.5.html#debugger_command">$&</a>;g;
s;\b2bounce_notice_recipi[-</bB>]*\n*[ <bB>]*ent\b;<a href="postconf.5.html#2bounce_notice_recipient">$&</a>;g;
s/[<bB>]*bounce[<\/bB>]*\(8\)/<a href="bounce.8.html">$&<\/a>/g;
s/[<bB>]*cleanup[<\/bB>]*\(8\)/<a href="cleanup.8.html">$&<\/a>/g;
s/[<bB>]*defer[<\/bB>]*\(8\)/<a href="defer.8.html">$&<\/a>/g;
+ s/[<bB>]*discard[<\/bB>]*\(8\)/<a href="discard.8.html">$&<\/a>/g;
s/[<bB>]*error[<\/bB>]*\(8\)/<a href="error.8.html">$&<\/a>/g;
s/[<bB>]*flush[<\/bB>]*\(8\)/<a href="flush.8.html">$&<\/a>/g;
s/[<bB>]*lmtp[<\/bB>]*\(8\)/<a href="lmtp.8.html">$&<\/a>/g;
<li> <p> The queue manager (the qmgr(8) server process in the
figure) is the heart of Postfix mail delivery. It contacts the
-smtp(8), lmtp(8), local(8), virtual(8), pipe(8), or error(8) delivery
-agents, and sends a delivery request for one or more recipient
-addresses. The error(8) delivery agent is special: it always declares
-mail as undeliverable. It is not shown in the figure above. </p>
+smtp(8), lmtp(8), local(8), virtual(8), pipe(8), discard(8) or
+error(8) delivery agents, and sends a delivery request for one
+or more recipient addresses. The discard(8) and error(8) delivery
+agents are special: they discard or bounce all mail, they are not
+shown in the figure above. </p>
<p> The queue manager maintains a small active queue with the
messages that it has opened for delivery. The active queue acts as
This feature is available in Postfix 2.1 and later.
</p>
+%PARAM authorized_flush_users static:anyone
+
+<p>
+List of users who are authorized to flush the queue.
+</p>
+
+<p>
+By default all users are allowed to flush the queue. Otherwise if the
+invoking user is neither the super-user nor the $mail_owner user, access
+is denied unless the real uid of the process trying to flush the queue
+is listed in the system password file and the corresponding login name
+is on the access list. </p>
+
+<p>
+Specify a list of user names, "/file/name" or "type:table" patterns,
+separated by commas and/or whitespace. The list is matched left to
+right, and the search stops on the first match. Specify "!name" to
+exclude a name from the list. A "/file/name" pattern is replaced
+by its contents; a "type:table" lookup table is matched when a name
+matches a lookup key (the lookup result is ignored). Continue long
+lines by starting the next line with whitespace. </p>
+
+<p>
+This feature is available in Postfix 2.2 and later.
+</p>
+
+%PARAM authorized_mailq_users static:anyone
+
+<p>
+List of users who are authorized to view the queue.
+</p>
+
+<p>
+By default all users are allowed to view the queue. Otherwise if the
+invoking user is neither the super-user nor the $mail_owner user, access
+is denied unless the real uid of the process trying to view the queue
+is listed in the system password file and the corresponding login name
+is on the access list. </p>
+
+<p>
+Specify a list of user names, "/file/name" or "type:table" patterns,
+separated by commas and/or whitespace. The list is matched left to
+right, and the search stops on the first match. Specify "!name" to
+exclude a name from the list. A "/file/name" pattern is replaced
+by its contents; a "type:table" lookup table is matched when a name
+matches a lookup key (the lookup result is ignored). Continue long
+lines by starting the next line with whitespace. </p>
+
+<p>
+This feature is available in Postfix 2.2 and later.
+</p>
+
+%PARAM authorized_sendmail_users static:anyone
+
+<p>
+List of users who are authorized to use the sendmail(1) command
+(and the privileged postdrop(1) helper command) to submit mail.
+</p>
+
+<p>
+By default all users are allowed to submit mail. Otherwise, access is denied
+unless the real uid of the process trying to submit mail is listed in
+the system password file and the corresponding login name is on the
+access list. To deny mail submission access to all users specify an
+empty list. </p>
+
+<p>
+Specify a list of user names, "/file/name" or "type:table" patterns,
+separated by commas and/or whitespace. The list is matched left to right,
+and the search stops on the first match. Specify "!name" to exclude a
+name from the list. A "/file/name" pattern is replaced by its contents;
+a "type:table" lookup table is matched when a name matches a lookup key
+(the lookup result is ignored). Continue long lines by starting the
+next line with whitespace. </p>
+
+<p>
+This feature is available in Postfix 2.2 and later.
+</p>
+
%PARAM backwards_bounce_logfile_compatibility yes
<p>
%CLASS security
%PARAM allow_min_user
%PARAM alternate_config_directories
+%PARAM authorized_flush_users
+%PARAM authorized_mailq_users
+%PARAM authorized_sendmail_users
%PARAM default_privs
%PARAM import_environment
%PARAM proxy_read_maps
--- /dev/null
+SHELL = /bin/sh
+SRCS = discard.c
+OBJS = discard.o
+HDRS =
+TESTSRC =
+DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
+CFLAGS = $(DEBUG) $(OPT) $(DEFS)
+TESTPROG=
+PROG = discard
+INC_DIR = ../../include
+LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libutil.a
+
+.c.o:; $(CC) $(CFLAGS) -c $*.c
+
+$(PROG): $(OBJS) $(LIBS)
+ $(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS)
+
+Makefile: Makefile.in
+ (set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@
+
+test: $(TESTPROG)
+
+tests: test
+
+update: ../../libexec/$(PROG)
+
+../../libexec/$(PROG): $(PROG)
+ cp $(PROG) ../../libexec
+
+printfck: $(OBJS) $(PROG)
+ rm -rf printfck
+ mkdir printfck
+ sed '1,/^# do not edit/!d' Makefile >printfck/Makefile
+ set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done
+ cd printfck; make "INC_DIR=../../../include" `cd ..; ls *.o`
+
+lint:
+ lint $(DEFS) $(SRCS) $(LINTFIX)
+
+clean:
+ rm -f *.o *core $(PROG) $(TESTPROG) junk
+ rm -rf printfck
+
+tidy: clean
+
+depend: $(MAKES)
+ (sed '1,/^# do not edit/!d' Makefile.in; \
+ set -e; for i in [a-z][a-z0-9]*.c; do \
+ $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \
+ -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \
+ done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in
+ @$(EXPORT) make -f Makefile.in Makefile 1>&2
+
+# do not edit below this line - it is generated by 'make depend'
+discard.o: discard.c
+discard.o: ../../include/sys_defs.h
+discard.o: ../../include/msg.h
+discard.o: ../../include/vstream.h
+discard.o: ../../include/vbuf.h
+discard.o: ../../include/deliver_request.h
+discard.o: ../../include/vstring.h
+discard.o: ../../include/recipient_list.h
+discard.o: ../../include/mail_queue.h
+discard.o: ../../include/bounce.h
+discard.o: ../../include/deliver_completed.h
+discard.o: ../../include/flush_clnt.h
+discard.o: ../../include/mail_server.h
--- /dev/null
+/*++
+/* NAME
+/* discard 8
+/* SUMMARY
+/* Postfix discard mail delivery agent
+/* SYNOPSIS
+/* \fBdiscard\fR [generic Postfix daemon options]
+/* DESCRIPTION
+/* The Postfix discard delivery agent processes delivery requests from
+/* the queue manager. Each request specifies a queue file, a sender
+/* address, a domain or host name that is treated as the reason for
+/* discarding the mail, and recipient information.
+/* This program expects to be run from the \fBmaster\fR(8) process
+/* manager.
+/*
+/* The discard delivery agent pretends to deliver all recipients
+/* in the delivery request, logs the "next-hop" domain or host
+/* information as the reason for discarding the mail, updates the
+/* queue file and marks recipients as finished or informs the
+/* queue manager that delivery should be tried again at a later time.
+/*
+/* Delivery status reports are sent to the \fBbounce\fR(8),
+/* \fBdefer\fR(8) or \fBtrace\fR(8) daemon as appropriate.
+/* SECURITY
+/* .ad
+/* .fi
+/* The discard mailer is not security-sensitive. It does not talk
+/* to the network, and can be run chrooted at fixed low privilege.
+/* STANDARDS
+/* None.
+/* DIAGNOSTICS
+/* Problems and transactions are logged to \fBsyslogd\fR(8).
+/*
+/* Depending on the setting of the \fBnotify_classes\fR parameter,
+/* the postmaster is notified of bounces and of other trouble.
+/* CONFIGURATION PARAMETERS
+/* .ad
+/* .fi
+/* Changes to \fBmain.cf\fR are picked up automatically as discard(8)
+/* processes run for only a limited amount of time. Use the command
+/* "\fBpostfix reload\fR" to speed up a change.
+/*
+/* The text below provides only a parameter summary. See
+/* postconf(5) for more details including examples.
+/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
+/* The default location of the Postfix main.cf and master.cf
+/* configuration files.
+/* .IP "\fBdaemon_timeout (18000s)\fR"
+/* How much time a Postfix daemon process may take to handle a
+/* request before it is terminated by a built-in watchdog timer.
+/* .IP "\fBdouble_bounce_sender (double-bounce)\fR"
+/* The sender address of postmaster notifications that are generated
+/* by the mail system.
+/* .IP "\fBipc_timeout (3600s)\fR"
+/* The time limit for sending or receiving information over an internal
+/* communication channel.
+/* .IP "\fBmax_idle (100s)\fR"
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
+/* .IP "\fBmax_use (100)\fR"
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
+/* .IP "\fBprocess_id (read-only)\fR"
+/* The process ID of a Postfix command or daemon process.
+/* .IP "\fBprocess_name (read-only)\fR"
+/* The process name of a Postfix command or daemon process.
+/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
+/* The location of the Postfix top-level queue directory.
+/* .IP "\fBsyslog_facility (mail)\fR"
+/* The syslog facility of Postfix logging.
+/* .IP "\fBsyslog_name (postfix)\fR"
+/* The mail system name that is prepended to the process name in syslog
+/* records, so that "smtpd" becomes, for example, "postfix/smtpd".
+/* SEE ALSO
+/* qmgr(8), queue manager
+/* bounce(8), delivery status reports
+/* error(8), Postfix error delivery agent
+/* postconf(5), configuration parameters
+/* master(8), process manager
+/* syslogd(8), system logging
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* HISTORY
+/* This service was introduced with Postfix version 2.2.
+/* AUTHOR(S)
+/* Victor Duchovni
+/* Morgan Stanley
+/*
+/* Based on code by:
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+/* Utility library. */
+
+#include <msg.h>
+#include <vstream.h>
+
+/* Global library. */
+
+#include <deliver_request.h>
+#include <mail_queue.h>
+#include <bounce.h>
+#include <deliver_completed.h>
+#include <flush_clnt.h>
+
+/* Single server skeleton. */
+
+#include <mail_server.h>
+
+/* deliver_message - deliver message with extreme prejudice */
+
+static int deliver_message(DELIVER_REQUEST *request)
+{
+ char *myname = "deliver_message";
+ VSTREAM *src;
+ int result = 0;
+ int status;
+ RECIPIENT *rcpt;
+ int nrcpt;
+
+ if (msg_verbose)
+ msg_info("deliver_message: from %s", request->sender);
+
+ /*
+ * Sanity checks.
+ */
+ if (request->nexthop[0] == 0)
+ msg_fatal("empty nexthop hostname");
+ if (request->rcpt_list.len <= 0)
+ msg_fatal("recipient count: %d", request->rcpt_list.len);
+
+ /*
+ * Open the queue file. Opening the file can fail for a variety of
+ * reasons, such as the system running out of resources. Instead of
+ * throwing away mail, we're raising a fatal error which forces the mail
+ * system to back off, and retry later.
+ */
+ src = mail_queue_open(request->queue_name, request->queue_id,
+ O_RDWR, 0);
+ if (src == 0)
+ msg_fatal("%s: open %s %s: %m", myname,
+ request->queue_name, request->queue_id);
+ if (msg_verbose)
+ msg_info("%s: file %s", myname, VSTREAM_PATH(src));
+
+ /*
+ * Discard all recipients.
+ */
+#define BOUNCE_FLAGS(request) DEL_REQ_TRACE_FLAGS(request->flags)
+
+ for (nrcpt = 0; nrcpt < request->rcpt_list.len; nrcpt++) {
+ rcpt = request->rcpt_list.info + nrcpt;
+ if (rcpt->offset >= 0) {
+ status = sent(BOUNCE_FLAGS(request), request->queue_id,
+ rcpt->orig_addr, rcpt->address, rcpt->offset, "none",
+ request->arrival_time, "%s", request->nexthop);
+ if (status == 0 && (request->flags & DEL_REQ_FLAG_SUCCESS))
+ deliver_completed(src, rcpt->offset);
+ result |= status;
+ }
+ }
+
+ /*
+ * Clean up.
+ */
+ if (vstream_fclose(src))
+ msg_warn("close %s %s: %m", request->queue_name, request->queue_id);
+
+ return (result);
+}
+
+/* discard_service - perform service for client */
+
+static void discard_service(VSTREAM *client_stream, char *unused_service, char **argv)
+{
+ DELIVER_REQUEST *request;
+ int status;
+
+ /*
+ * Sanity check. This service takes no command-line arguments.
+ */
+ if (argv[0])
+ msg_fatal("unexpected command-line argument: %s", argv[0]);
+
+ /*
+ * This routine runs whenever a client connects to the UNIX-domain socket
+ * dedicated to the discard mailer. What we see below is a little
+ * protocol to (1) tell the queue manager that we are ready, (2) read a
+ * request from the queue manager, and (3) report the completion status
+ * of that request. All connection-management stuff is handled by the
+ * common code in single_server.c.
+ */
+ if ((request = deliver_request_read(client_stream)) != 0) {
+ status = deliver_message(request);
+ deliver_request_done(client_stream, request, status);
+ }
+}
+
+/* pre_init - pre-jail initialization */
+
+static void pre_init(char *unused_name, char **unused_argv)
+{
+ flush_init();
+}
+
+/* main - pass control to the single-threaded skeleton */
+
+int main(int argc, char **argv)
+{
+ single_server_main(argc, argv, discard_service,
+ MAIL_SERVER_PRE_INIT, pre_init,
+ 0);
+}
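Review bot: `BOUNCE_FLAGS(request)` expands its argument unparenthesized and is #defined in the middle of deliver_message() even though a macro is file-scoped from that point on; `#define BOUNCE_FLAGS(request) DEL_REQ_TRACE_FLAGS((request)->flags)` placed above the function with the other definitions reads as what it is. `myname` is only ever passed to logging calls, so `const char *myname = "deliver_message";` is the more accurate type. Raising a fatal error instead of discarding when the queue file cannot be opened, and logging the nexthop through a literal `"%s"` format, are the right choices for an agent whose normal action is to drop mail; the only validation of nexthop is non-emptiness, which looks acceptable because it presumably arrives from the queue manager's transport configuration rather than from message content, and that assumption would be worth one line in the comment above the sanity checks.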
/* SEE ALSO
/* qmgr(8), queue manager
/* bounce(8), delivery status reports
+/* discard(8), Postfix discard delivery agent
/* postconf(5), configuration parameters
/* master(8), process manager
/* syslogd(8), system logging
sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \
tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \
verify_clnt.c verp_sender.c virtual8_maps.c xtext.c scache_single.c \
- scache_clnt.c scache_multi.c
+ scache_clnt.c scache_multi.c user_acl.c
OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \
canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \
clnt_stream.o debug_peer.o debug_process.o defer.o \
sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \
tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \
verify_clnt.o verp_sender.o virtual8_maps.o xtext.o scache_single.o \
- scache_clnt.o scache_multi.o
+ scache_clnt.o scache_multi.o user_acl.o
HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \
canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \
debug_peer.h debug_process.h defer.h deliver_completed.h \
resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \
string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \
trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \
- xtext.h scache.h
+ xtext.h scache.h user_acl.h
TESTSRC = rec2stream.c stream2rec.c recdump.c
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
CFLAGS = $(DEBUG) $(OPT) $(DEFS)
trace.o: log_adhoc.h
trace.o: bounce.h
trace.o: trace.h
+user_acl.o: user_acl.c
+user_acl.o: ../../include/sys_defs.h
+user_acl.o: ../../include/vstring.h
+user_acl.o: ../../include/vbuf.h
+user_acl.o: string_list.h
+user_acl.o: ../../include/match_list.h
+user_acl.o: ../../include/match_ops.h
+user_acl.o: mypwd.h
+user_acl.o: user_acl.h
verify.o: verify.c
verify.o: ../../include/sys_defs.h
verify.o: ../../include/msg.h
extern uid_t var_default_uid;
extern gid_t var_default_gid;
+ /*
+ * Access control for local privileged operations:
+ */
+#define VAR_FLUSH_ACL "authorized_flush_users"
+#define DEF_FLUSH_ACL "static:anyone"
+extern char *var_flush_acl;
+
+#define VAR_SHOWQ_ACL "authorized_mailq_users"
+#define DEF_SHOWQ_ACL "static:anyone"
+extern char *var_showq_acl;
+
+#define VAR_SENDMAIL_ACL "authorized_sendmail_users"
+#define DEF_SENDMAIL_ACL "static:anyone"
+extern char *var_sendmail_acl;
+
/*
* What goes on the right-hand side of addresses of mail sent from this
* machine.
* Patches change the patchlevel and the release date. Snapshots change the
* release date only.
*/
-#define MAIL_RELEASE_DATE "20040917"
+#define MAIL_RELEASE_DATE "20040918"
#define MAIL_VERSION_NUMBER "2.2"
#define VAR_MAIL_VERSION "mail_version"
--- /dev/null
+/*++
+/* NAME
+/* user_acl 3
+/* SUMMARY
+/* Convert uid to username and check against given ACL.
+/* SYNOPSIS
+/* #include <user_acl.h>
+/*
+/* char *check_user_acl_byuid(acl, uid)
+/* const char *acl;
+/* uid_t uid;
+/* DESCRIPTION
+/* check_user_acl_byuid() checks the given uid against a
+/* user name matchlist. If the uid cannot be resolved to a user
+/* name, the numeric uid is used as the lookup key instead.
+/* The result is NULL on success, "User \fIusername\fR" or
+/* "UID \fIuid\fR" upon failure. The error result lives in
+/* static storage and must be saved if it is to be used to
+/* across calls.
+/*
+/* Arguments:
+/* .IP acl
+/* Authorized username list suitable for input to string_list_init(3).
+/* .IP uid
+/* The uid to be checked against the access list.
+/* LICENSE
+/* .ad
+/* .fi
+/* The Secure Mailer license must be distributed with this software.
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*
+/* Victor Duchovni
+/* Morgan Stanley
+/*--*/
+
+/* System library. */
+
+#include <sys_defs.h>
+
+/* Utility library. */
+
+#include <vstring.h>
+
+/* Global library. */
+
+#include <string_list.h>
+#include <mypwd.h>
+
+/* Application-specific. */
+
+#include "user_acl.h"
+
+/* check_user_acl_byuid - check user authorization */
+
+char *check_user_acl_byuid(char *acl, uid_t uid)
+{
+ struct mypasswd *mypwd;
+ STRING_LIST *list;
+ static VSTRING *why = 0;
+ VSTRING *uidbuf = 0;
+ int matched;
+ const char *name;
+
+ /*
+ * XXX: we must perform a lookup for unresolved uids, so that
+ * static:anyone results in "permit" even when the uid is not found in
+ * the password file and the resulting error message is clear.
+ */
+ if ((mypwd = mypwuid(uid)) == 0) {
+ uidbuf = vstring_alloc(10);
+ vstring_sprintf(uidbuf, "%ld", (long) uid);
+ name = vstring_str(uidbuf);
+ } else {
+ name = mypwd->pw_name;
+ }
+
+ list = string_list_init(MATCH_FLAG_NONE, acl);
+ if ((matched = string_list_match(list, name)) == 0) {
+ if (!why)
+ why = vstring_alloc(100);
+ vstring_sprintf(why, "%s %s", mypwd ? "User" : "UID", name);
+ }
+ string_list_free(list);
+ if (mypwd)
+ mypwfree(mypwd);
+ else
+ vstring_free(uidbuf);
+
+ return (matched ? 0 : vstring_str(why));
+}
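Review bot: The SYNOPSIS in this file documents `const char *acl`, but the definition on the `check_user_acl_byuid` line and the declaration in user_acl.h both take `char *acl`, and the error text, which the DESCRIPTION says lives in static storage, is returned as a writable `char *`; unless string_list_init() insists on a non-const pointer, `const char *check_user_acl_byuid(const char *acl, uid_t uid)` would match the documentation and keep callers from scribbling on the static buffer. The DESCRIPTION should also say that the check is keyed on the uid rather than on a name: the name looked up is whatever mypwuid() returns for that uid, so if several password entries share one uid, listing any of their names authorizes all of them, and a "/file/name" or "type:table" pattern can match the numeric uid used when resolution fails. Suggested sentence for the DESCRIPTION: `Because the lookup key is derived from the caller's uid, accounts that share a uid are indistinguishable to this check, and an unresolvable uid is matched by its decimal value.` The fallback to the numeric uid is fail-closed for any list other than a match-all pattern, which is the right default for an authorization check.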
--- /dev/null
+#ifndef _USER_ACL_H_INCLUDED_
+#define _USER_ACL_H_INCLUDED_
+/*++
+/* NAME
+/* user_acl 3
+/* SUMMARY
+/* Convert uid to username and check against given ACL.
+/* SYNOPSIS
+/* #include <user_acl.h>
+/*
+/* DESCRIPTION
+/* .nf
+
+ /*
+ * System library
+ */
+#include <unistd.h> /* getuid()/geteuid() */
+#include <sys/types.h> /* uid_t */
+
+ /*
+ * Utility library.
+ */
+#include <vstring.h>
+
+ /*
+ * External interface
+ */
+extern char *check_user_acl_byuid(char *, uid_t);
+
+/* AUTHOR(S)
+/* Wietse Venema
+/* IBM T.J. Watson Research
+/* P.O. Box 704
+/* Yorktown Heights, NY 10598, USA
+/*
+/* Victor Duchovni
+/* Morgan Stanley
+/*--*/
+#endif
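Review bot: The header includes `<unistd.h>` (annotated as being for getuid()/geteuid()) and `<vstring.h>`, but its single declaration, `extern char *check_user_acl_byuid(char *, uid_t);`, needs only `uid_t` from `<sys/types.h>`; the getuid() calls and the VSTRING usage live in the callers and in user_acl.c, so those two includes belong there, and dropping them here keeps the public interface minimal. If user_acl.c adopts the `const char *` signature its own SYNOPSIS documents, this prototype must change in the same commit.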
postdrop.o: ../../include/cleanup_user.h
postdrop.o: ../../include/record.h
postdrop.o: ../../include/rec_type.h
+postdrop.o: ../../include/user_acl.h
/* .IP "\fBtrigger_timeout (10s)\fR"
/* The time limit for sending a trigger to a Postfix daemon (for
/* example, the pickup(8) or qmgr(8) daemon).
+/* .PP
+/* Available in Postfix version 2.2 and later:
+/* .IP "\fBauthorized_sendmail_users (static:anyone)\fR"
+/* List of users who are authorized to use the sendmail(1) command
+/* (and the privileged postdrop(1) helper command) to submit mail.
/* FILES
/* /var/spool/postfix/maildrop, maildrop queue
/* SEE ALSO
#include <cleanup_user.h>
#include <record.h>
#include <rec_type.h>
+#include <user_acl.h>
/* Application-specific. */
* and so on.
*/
+ /*
+ * Local mail submission access list.
+ */
+static char *var_sendmail_acl;
+
+static CONFIG_STR_TABLE str_table[] = {
+ VAR_SENDMAIL_ACL, DEF_SENDMAIL_ACL, &var_sendmail_acl, 0, 0,
+ 0,
+};
+
/*
* Queue file name. Global, so that the cleanup routine can find it when
* called by the run-time error handler.
const char *error_text;
char *attr_name;
char *attr_value;
+ char *errstr;
/*
* Be consistent with file permissions.
* perform some sanity checks on the input.
*/
mail_conf_read();
+ get_mail_conf_str_table(str_table);
+
+ /*
+ * Mail submission access control. Should this be in the user-land gate,
+ * or in the daemon process?
+ */
+ if ((errstr = check_user_acl_byuid(var_sendmail_acl, uid)) != 0)
+ msg_fatal("%s is not allowed to submit mail", errstr);
/*
* Stop run-away process accidents by limiting the queue file size. This
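Review bot: The comment above the new check still asks whether access control belongs in this user-land gate or in the daemon, but the patch already answers it: the sendmail.c hunk states that postdrop is where enforcement happens and that sendmail(1) repeats the check only for a friendlier error. Because postdrop is the set-gid program, the real uid it examines is the one value the submitting user does not control, so recording that decision in place stops a later reader from "fixing" it; suggest replacing the question with `Mail submission access control. This is the enforcement point; sendmail(1) repeats the check only to give a friendlier error.` It is also worth stating that, unlike postqueue(1), root and $mail_owner get no exemption here, which the authorized_sendmail_users text relies on for "an empty list denies everyone". The `uid` passed appears to be the saved real uid, since a later hunk replaces getuid() with it; main() continues outside this hunk.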
if (rec_type == REC_TYPE_EOF) { /* request cancelled */
mail_stream_cleanup(dst);
if (remove(postdrop_path))
- msg_warn("uid=%ld: remove %s: %m", (long) getuid(), postdrop_path);
+ msg_warn("uid=%ld: remove %s: %m", (long) uid, postdrop_path);
else if (msg_verbose)
msg_info("remove %s", postdrop_path);
myfree(postdrop_path);
/* anvil(8), Postfix connection/rate limiting
/* bounce(8), defer(8), trace(8), Delivery status reports
/* cleanup(8), canonicalize and enqueue message
+/* discard(8), Postfix discard delivery agent
/* error(8), Postfix error delivery agent
/* flush(8), Postfix fast ETRN service
/* lmtp(8), Postfix LMTP client
/* proxymap(8), Postfix lookup table proxy server
/* qmgr(8), Postfix queue manager
/* qmqpd(8), Postfix QMQP server
+/* scache(8), Postfix session cache manager
/* showq(8), list Postfix mail queue
/* smtp(8), Postfix SMTP client
/* smtpd(8), Postfix SMTP server
postqueue.o: ../../include/flush_clnt.h
postqueue.o: ../../include/smtp_stream.h
postqueue.o: ../../include/vstring.h
+postqueue.o: ../../include/user_acl.h
/* .IP "\fBtrigger_timeout (10s)\fR"
/* The time limit for sending a trigger to a Postfix daemon (for
/* example, the pickup(8) or qmgr(8) daemon).
+/* .PP
+/* Available in Postfix version 2.2 and later:
+/* .IP "\fBauthorized_flush_users (static:anyone)\fR"
+/* List of users who are authorized to flush the queue.
+/* .IP "\fBauthorized_mailq_users (static:anyone)\fR"
+/* List of users who are authorized to view the queue.
/* FILES
/* /var/spool/postfix, mail queue
/* SEE ALSO
#include <mail_flush.h>
#include <flush_clnt.h>
#include <smtp_stream.h>
+#include <user_acl.h>
/* Application-specific. */
*/
#define STR vstring_str
+ /*
+ * Queue manipulation access lists.
+ */
+static char *var_flush_acl;
+static char *var_showq_acl;
+
+static CONFIG_STR_TABLE str_table[] = {
+ VAR_FLUSH_ACL, DEF_FLUSH_ACL, &var_flush_acl, 0, 0,
+ VAR_SHOWQ_ACL, DEF_SHOWQ_ACL, &var_showq_acl, 0, 0,
+ 0,
+};
+
/* show_queue - show queue status */
static void show_queue(void)
{
+ char *errstr;
char buf[VSTREAM_BUFSIZE];
VSTREAM *showq;
int n;
+ uid_t uid = getuid();
+
+ if (uid != 0 && uid != var_owner_uid
+ && (errstr = check_user_acl_byuid(var_showq_acl, uid)) != 0)
+ msg_fatal_status(EX_NOPERM,
+ "%s is not allowed to view the mail queue", errstr);
/*
* Connect to the show queue service. Terminate silently when piping into
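Review bot: The uid/ACL guard added at the top of show_queue() is repeated verbatim in flush_queue() and flush_site() further down, differing only in the ACL variable and the verb in the message; one helper would keep the root/$mail_owner exemption and the EX_NOPERM exit in a single place so a later edit cannot leave one of the three entry points unguarded. The exemption means these lists deliberately cannot lock out the super-user or $mail_owner, which matches the authorized_mailq_users documentation and is worth a comment in the helper. All three function bodies continue outside their hunks, and the helper depends on var_owner_uid being initialized before any of them runs, as the existing code already does.
```c
/* check_queue_acl - enforce a queue manipulation ACL on unprivileged callers */

static void check_queue_acl(char *acl, const char *what)
{
    char   *errstr;
    uid_t   uid = getuid();

    /* root and $mail_owner are exempt; everyone else must be on the list */
    if (uid != 0 && uid != var_owner_uid
	&& (errstr = check_user_acl_byuid(acl, uid)) != 0)
	msg_fatal_status(EX_NOPERM, "%s is not allowed to %s", errstr, what);
}

/* … unchanged: show_queue() declarations … */
    check_queue_acl(var_showq_acl, "view the mail queue");
/* … unchanged: flush_queue() and flush_site() call check_queue_acl(var_flush_acl, "flush the mail queue") … */
```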
static void flush_queue(void)
{
+ char *errstr;
+ uid_t uid = getuid();
+
+ if (uid != 0 && uid != var_owner_uid
+ && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0)
+ msg_fatal_status(EX_NOPERM,
+ "%s is not allowed to flush the mail queue", errstr);
/*
* Trigger the flush queue service.
static void flush_site(const char *site)
{
int status;
+ char *errstr;
+ uid_t uid = getuid();
+
+ if (uid != 0 && uid != var_owner_uid
+ && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0)
+ msg_fatal_status(EX_NOPERM,
+ "%s is not allowed to flush the mail queue", errstr);
flush_init();
* Further initialization...
*/
mail_conf_read();
+ get_mail_conf_str_table(str_table);
/*
* This program is designed to be set-gid, which makes it a potential
sendmail.o: ../../include/recipient_list.h
sendmail.o: ../../include/mime_state.h
sendmail.o: ../../include/header_opts.h
+sendmail.o: ../../include/user_acl.h
/* Optional list of remote client or server hostname or network
/* address patterns that cause the verbose logging level to increase
/* by the amount specified in $debug_peer_level.
+/* ACCESS CONTROLS
+/* .ad
+/* .fi
+/* Available in Postfix version 2.2 and later:
+/* .IP "\fBauthorized_flush_users (static:anyone)\fR"
+/* List of users who are authorized to flush the queue.
+/* .IP "\fBauthorized_mailq_users (static:anyone)\fR"
+/* List of users who are authorized to view the queue.
+/* .IP "\fBauthorized_sendmail_users (static:anyone)\fR"
+/* List of users who are authorized to use the sendmail(1) command
+/* (and the privileged postdrop(1) helper command) to submit mail.
/* RESOURCE AND RATE CONTROLS
/* .ad
/* .fi
#include <deliver_request.h>
#include <mime_state.h>
#include <header_opts.h>
+#include <user_acl.h>
/* Application-specific. */
/*
* VERP support.
*/
-char *verp_delims;
+static char *verp_delims;
/*
* Callback context for extracting recipients.
VSTRING *temp; /* scratch buffer */
} SM_STATE;
+ /*
+ * Mail submission ACL
+ */
+static char *var_sendmail_acl;
+
+static CONFIG_STR_TABLE str_table[] = {
+ VAR_SENDMAIL_ACL, DEF_SENDMAIL_ACL, &var_sendmail_acl, 0, 0,
+ 0,
+};
+
/*
* Silly little macros (SLMs).
*/
state->resent = 1;
} else
rcpt = state->recipients;
- tree = tok822_parse(vstring_str(buf) + strlen(header_info->name) + 1);
+ tree = tok822_parse(STR(buf) + strlen(header_info->name) + 1);
addr_list = tok822_grep(tree, TOK822_ADDR);
for (tpp = addr_list; *tpp; tpp++) {
tok822_internalize(state->temp, tpp[0]->head, TOK822_STR_DEFL);
- argv_add(rcpt, vstring_str(state->temp), (char *) 0);
+ argv_add(rcpt, STR(state->temp), (char *) 0);
}
myfree((char *) addr_list);
tok822_free_tree(tree);
MIME_STATE *mime_state = 0;
SM_STATE state;
int mime_errs;
+ char *errstr;
+
+ /*
+ * Access control is enforced in the postdrop command. The code here
+ * merely produces a more user-friendly interface.
+ */
+ if ((errstr = check_user_acl_byuid(var_sendmail_acl, uid)) != 0)
+ msg_fatal_status(EX_NOPERM, "%s is not allowed to submit mail", errstr);
/*
* Initialize.
}
if (skip_from_) {
if (type == REC_TYPE_NORM) {
- start = vstring_str(buf);
+ start = STR(buf);
if (strncmp(start + strspn(start, ">"), "From ", 5) == 0)
continue;
}
argv_free(state.resent_recip);
vstring_free(state.temp);
}
-
if (rcpt_count == 0)
msg_fatal_status(EX_USAGE, (flags & SM_FLAG_XRCPT) ?
"No recipient addresses found in message header" :
char *site_to_flush = 0;
char *encoding = 0;
char *qtime = 0;
+ char *errstr;
/*
* Be consistent with file permissions.
* Further initialization...
*/
mail_conf_read();
+ get_mail_conf_str_table(str_table);
if (chdir(var_queue_dir))
msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir);
if (argv[OPTIND])
msg_fatal_status(EX_USAGE,
"stand-alone mode requires no recipient");
+ /* The actual enforcement happens in the postdrop command. */
+ if ((errstr = check_user_acl_byuid(var_sendmail_acl, getuid())) != 0)
+ msg_fatal_status(EX_NOPERM, "%s is not allowed to submit mail",
+ errstr);
ext_argv = argv_alloc(2);
argv_add(ext_argv, "smtpd", "-S", (char *) 0);
for (n = 0; n < msg_verbose; n++)