From: Wietse Venema Date: Sat, 18 Sep 2004 05:00:00 +0000 (-0500) Subject: postfix-2.2-20040918 X-Git-Tag: v2.2.0-RC1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3954a2853e66ed8c9e187d7bc0bd5043e9d24db1;p=thirdparty%2Fpostfix.git postfix-2.2-20040918 --- diff --git a/postfix/AAAREADME b/postfix/AAAREADME index 937c7091e..5340587de 100644 --- a/postfix/AAAREADME +++ b/postfix/AAAREADME @@ -134,6 +134,7 @@ Postfix daemons: src/anvil/ Connection count/rate limiter src/bounce/ Bounce or defer mail src/cleanup/ Canonicalize and enqueue mail + src/discard/ Trivial discard mailer src/error/ Trivial error mailer src/lmtp/ LMTP client src/local/ Local delivery diff --git a/postfix/HISTORY b/postfix/HISTORY index ae41bf429..41f7e0cba 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -9723,6 +9723,17 @@ Apologies for any names omitted. type when a Delivered-To: loop was detected for a mailing list alias. Nicolas Riendeau. File: bounce_notify_util.c. +20040918 + + Feature: authorized_flush_users, authorized_mailq_users, + authorized_sendmail_users to restrict what users can flush + the queue, list the queue, or submit mail locally. Victor + Duchovni, Morgan Stanley. Files: sendmail/sendmail.c, + postdrop/postdrop.c, postqueue/postqueue.c, global/user_acl.[hc]. + + Feature: discard(8) mail delivery agent. Victor Duchovni, + Morgan Stanley. File: discard/discard.c. + Open problems: Low: should the Delivered-To: test in local(8) be configurable? diff --git a/postfix/Makefile.in b/postfix/Makefile.in index 52faccc7f..a4b9e964e 100644 --- a/postfix/Makefile.in +++ b/postfix/Makefile.in 
@@ -7,7 +7,7 @@ DIRS = src/util src/global src/dns src/master src/postfix src/smtpstone \ src/pipe src/showq src/postalias src/postcat src/postconf src/postdrop \ src/postkick src/postlock src/postlog src/postmap src/postqueue \ src/postsuper src/qmqpd src/spawn src/flush src/verify \ - src/virtual src/proxymap src/anvil src/scache + src/virtual src/proxymap src/anvil src/scache src/discard MANDIRS = proto man html default: update diff --git a/postfix/README_FILES/OVERVIEW b/postfix/README_FILES/OVERVIEW index 8ea7eb0f7..873d390c0 100644 --- a/postfix/README_FILES/OVERVIEW +++ b/postfix/README_FILES/OVERVIEW @@ -104,10 +104,10 @@ unnumbered names inside shaded areas represent Postfix queues. * The queue manager (the qmgr(8) server process in the figure) is the heart of Postfix mail delivery. It contacts the smtp(8), lmtp(8), local(8), - virtual(8), pipe(8), or error(8) delivery agents, and sends a delivery - request for one or more recipient addresses. The error(8) delivery agent is - special: it always declares mail as undeliverable. It is not shown in the - figure above. + virtual(8), pipe(8), discard(8) or error(8) delivery agents, and sends a + delivery request for one or more recipient addresses. The discard(8) and + error(8) delivery agents are special: they discard or bounce all mail, they + are not shown in the figure above. The queue manager maintains a small active queue with the messages that it has opened for delivery. The active queue acts as a limited window on diff --git a/postfix/conf/master.cf b/postfix/conf/master.cf index 00ec103e1..ad74434a4 100644 --- a/postfix/conf/master.cf +++ b/postfix/conf/master.cf @@ -97,6 +97,7 @@ relay unix - - n - - smtp # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error +discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp 
diff --git a/postfix/conf/post-install b/postfix/conf/post-install index f23d9b5c1..abb106e8a 100644 --- a/postfix/conf/post-install +++ b/postfix/conf/post-install @@ -629,6 +629,15 @@ scache unix - - n - 1 scache EOF } + # Add missing discard service to master.cf. + + grep '^discard.*discard' $config_directory/master.cf >/dev/null || { + echo Editing $config_directory/master.cf, adding missing entry for discard service + cat >>$config_directory/master.cf <$@ + error.8.html: ../src/error/error.c PATH=../mantools:$$PATH; \ srctoman $? | $(AWK) | nroff -man | uniq | $(MAN2HTML) | postlink >$@ diff --git a/postfix/html/OVERVIEW.html b/postfix/html/OVERVIEW.html index f3e1c747b..bbf575663 100644 --- a/postfix/html/OVERVIEW.html +++ b/postfix/html/OVERVIEW.html @@ -321,10 +321,11 @@ href="QSHAPE_README.html#deferred_queue"> deferred
  • The queue manager (the qmgr(8) server process in the figure) is the heart of Postfix mail delivery. It contacts the -smtp(8), lmtp(8), local(8), virtual(8), pipe(8), or error(8) delivery -agents, and sends a delivery request for one or more recipient -addresses. The error(8) delivery agent is special: it always declares -mail as undeliverable. It is not shown in the figure above.

    +smtp(8), lmtp(8), local(8), virtual(8), pipe(8), discard(8) or +error(8) delivery agents, and sends a delivery request for one +or more recipient addresses. The discard(8) and error(8) delivery +agents are special: they discard or bounce all mail, they are not +shown in the figure above.

    The queue manager maintains a small active queue with the messages that it has opened for delivery. The active queue acts as diff --git a/postfix/html/discard.8.html b/postfix/html/discard.8.html new file mode 100644 index 000000000..930d7b56c --- /dev/null +++ b/postfix/html/discard.8.html @@ -0,0 +1,128 @@ + + + + Postfix manual - discard(8) +

    +DISCARD(8)                                             DISCARD(8)
    +
    +NAME
    +       discard - Postfix discard mail delivery agent
    +
    +SYNOPSIS
    +       discard [generic Postfix daemon options]
    +
    +DESCRIPTION
    +       The  Postfix  discard  delivery  agent  processes delivery
    +       requests from the queue manager. Each request specifies  a
    +       queue  file,  a sender address, a domain or host name that
    +       is treated as the reason  for  discarding  the  mail,  and
    +       recipient  information.   This  program  expects to be run
    +       from the master(8) process manager.
    +
    +       The discard delivery agent pretends to deliver all recipi-
    +       ents  in  the delivery request, logs the "next-hop" domain
    +       or host information as the reason for discarding the mail,
    +       updates the queue file and marks recipients as finished or
    +       informs the queue manager that delivery  should  be  tried
    +       again at a later time.
    +
    +       Delivery   status  reports  are  sent  to  the  bounce(8),
    +       defer(8) or trace(8) daemon as appropriate.
    +
    +SECURITY
    +       The discard mailer is not security-sensitive. It does  not
    +       talk  to the network, and can be run chrooted at fixed low
    +       privilege.
    +
    +STANDARDS
    +       None.
    +
    +DIAGNOSTICS
    +       Problems and transactions are logged to syslogd(8).
    +
    +       Depending on the setting of the notify_classes  parameter,
    +       the  postmaster  is notified of bounces and of other trou-
    +       ble.
    +
    +CONFIGURATION PARAMETERS
    +       Changes to main.cf are picked  up  automatically  as  dis-
    +       card(8)  processes  run for only a limited amount of time.
    +       Use the command "postfix reload" to speed up a change.
    +
    +       The text below provides  only  a  parameter  summary.  See
    +       postconf(5) for more details including examples.
    +
    +       config_directory (see 'postconf -d' output)
    +              The  default  location  of  the Postfix main.cf and
    +              master.cf configuration files.
    +
    +       daemon_timeout (18000s)
    +              How much time a Postfix daemon process may take  to
    +              handle  a  request  before  it  is  terminated by a
    +              built-in watchdog timer.
    +
    +       double_bounce_sender (double-bounce)
    +              The sender address of postmaster notifications that
    +              are generated by the mail system.
    +
    +       ipc_timeout (3600s)
    +              The time limit for sending or receiving information
    +              over an internal communication channel.
    +
    +       max_idle (100s)
    +              The maximum amount of time  that  an  idle  Postfix
    +              daemon  process  waits for the next service request
    +              before exiting.
    +
    +       max_use (100)
    +              The maximal number of connection requests before  a
    +              Postfix daemon process terminates.
    +
    +       process_id (read-only)
    +              The  process ID of a Postfix command or daemon pro-
    +              cess.
    +
    +       process_name (read-only)
    +              The process name of a  Postfix  command  or  daemon
    +              process.
    +
    +       queue_directory (see 'postconf -d' output)
    +              The  location of the Postfix top-level queue direc-
    +              tory.
    +
    +       syslog_facility (mail)
    +              The syslog facility of Postfix logging.
    +
    +       syslog_name (postfix)
    +              The mail system name that is prepended to the  pro-
    +              cess  name  in  syslog  records,  so  that  "smtpd"
    +              becomes, for example, "postfix/smtpd".
    +
    +SEE ALSO
    +       qmgr(8), queue manager
    +       bounce(8), delivery status reports
    +       error(8), Postfix error delivery agent
    +       postconf(5), configuration parameters
    +       master(8), process manager
    +       syslogd(8), system logging
    +
    +LICENSE
    +       The Secure Mailer license must be  distributed  with  this
    +       software.
    +
    +HISTORY
    +       This service was introduced with Postfix version 2.2.
    +
    +AUTHOR(S)
    +       Victor Duchovni
    +       Morgan Stanley
    +
    +       Based on code by:
    +       Wietse Venema
    +       IBM T.J. Watson Research
    +       P.O. Box 704
    +       Yorktown Heights, NY 10598, USA
    +
    +                                                       DISCARD(8)
    +
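Review bot: the DESCRIPTION paragraph of the new discard(8) page ("pretends to deliver all recipients ... or informs the queue manager that delivery should be tried again at a later time") does not say under which condition a discard request takes the retry path instead of being marked as delivered; since this page is generated from src/discard/discard.c by srctoman, the condition should be stated in that source comment so an operator knows when a discard transport can leave mail in the deferred queue. Related: the SECURITY section says the agent "can be run chrooted at fixed low privilege", while the conf/master.cf entry added by this change (`discard unix - - n - - discard`) sets the chroot column to n, the same as the error entry next to it; say in the page which is the shipped default.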
    diff --git a/postfix/html/error.8.html b/postfix/html/error.8.html index 1a17bac0d..e66fa3b39 100644 --- a/postfix/html/error.8.html +++ b/postfix/html/error.8.html @@ -116,6 +116,7 @@ ERROR(8) ERROR(8) SEE ALSO qmgr(8), queue manager bounce(8), delivery status reports + discard(8), Postfix discard delivery agent postconf(5), configuration parameters master(8), process manager syslogd(8), system logging diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index ee5633105..d9d1c55d9 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -717,6 +717,97 @@ This feature is available in Postfix 2.1 and later.

    + + +
    authorized_flush_users +(default: static:anyone)
    + +

    +List of users who are authorized to flush the queue. +

    + +

    +By default all users are allowed to flush the queue. Otherwise if the +invoking user is neither the super-user nor the $mail_owner user, access +is denied unless the real uid of the process trying to flush the queue +is listed in the system password file and the corresponding login name +is on the access list.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. Specify "!name" to +exclude a name from the list. A "/file/name" pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). Continue long +lines by starting the next line with whitespace.

    + +

    +This feature is available in Postfix 2.2 and later. +

    + + +
    + +
    authorized_mailq_users +(default: static:anyone)
    + +

    +List of users who are authorized to view the queue. +

    + +

    +By default all users are allowed to view the queue. Otherwise if the +invoking user is neither the super-user nor the $mail_owner user, access +is denied unless the real uid of the process trying to view the queue +is listed in the system password file and the corresponding login name +is on the access list.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. Specify "!name" to +exclude a name from the list. A "/file/name" pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). Continue long +lines by starting the next line with whitespace.

    + +

    +This feature is available in Postfix 2.2 and later. +

    + + +
    + +
    authorized_sendmail_users +(default: static:anyone)
    + +

    +List of users who are authorized to use the sendmail(1) command +(and the privileged postdrop(1) helper command) to submit mail. +

    + +

    +By default all users are allowed to submit mail. Otherwise, access is denied +unless the real uid of the process trying to submit mail is listed in +the system password file and the corresponding login name is on the +access list. To deny mail submission access to all users specify an +empty list.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to right, +and the search stops on the first match. Specify "!name" to exclude a +name from the list. A "/file/name" pattern is replaced by its contents; +a "type:table" lookup table is matched when a name matches a lookup key +(the lookup result is ignored). Continue long lines by starting the +next line with whitespace.

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +
    authorized_verp_clients diff --git a/postfix/html/postdrop.1.html b/postfix/html/postdrop.1.html index dd48c6e7f..2dbcea3ca 100644 --- a/postfix/html/postdrop.1.html +++ b/postfix/html/postdrop.1.html @@ -96,6 +96,13 @@ POSTDROP(1) POSTDROP(1) daemon (for example, the pickup(8) or qmgr(8) dae- mon). + Available in Postfix version 2.2 and later: + + authorized_sendmail_users (static:anyone) + List of users who are authorized to use the send- + mail(1) command (and the privileged postdrop(1) + helper command) to submit mail. + FILES /var/spool/postfix/maildrop, maildrop queue diff --git a/postfix/html/postfix.1.html b/postfix/html/postfix.1.html index f1a905bad..952a42474 100644 --- a/postfix/html/postfix.1.html +++ b/postfix/html/postfix.1.html @@ -230,6 +230,7 @@ POSTFIX(1) POSTFIX(1) anvil(8), Postfix connection/rate limiting bounce(8), defer(8), trace(8), Delivery status reports cleanup(8), canonicalize and enqueue message + discard(8), Postfix discard delivery agent error(8), Postfix error delivery agent flush(8), Postfix fast ETRN service lmtp(8), Postfix LMTP client @@ -241,6 +242,7 @@ POSTFIX(1) POSTFIX(1) proxymap(8), Postfix lookup table proxy server qmgr(8), Postfix queue manager qmqpd(8), Postfix QMQP server + scache(8), Postfix session cache manager showq(8), list Postfix mail queue smtp(8), Postfix SMTP client smtpd(8), Postfix SMTP server diff --git a/postfix/html/postqueue.1.html b/postfix/html/postqueue.1.html index 92ac47743..0772461a8 100644 --- a/postfix/html/postqueue.1.html +++ b/postfix/html/postqueue.1.html @@ -141,6 +141,15 @@ POSTQUEUE(1) POSTQUEUE(1) daemon (for example, the pickup(8) or qmgr(8) dae- mon). + Available in Postfix version 2.2 and later: + + authorized_flush_users (static:anyone) + List of users who are authorized to flush the + queue. + + authorized_mailq_users (static:anyone) + List of users who are authorized to view the queue. + FILES /var/spool/postfix, mail queue 
diff --git a/postfix/html/sendmail.1.html b/postfix/html/sendmail.1.html index 58a3d61b4..1977303b6 100644 --- a/postfix/html/sendmail.1.html +++ b/postfix/html/sendmail.1.html @@ -291,6 +291,21 @@ SENDMAIL(1) SENDMAIL(1) logging level to increase by the amount specified in $debug_peer_level. +ACCESS CONTROLS + Available in Postfix version 2.2 and later: + + authorized_flush_users (static:anyone) + List of users who are authorized to flush the + queue. + + authorized_mailq_users (static:anyone) + List of users who are authorized to view the queue. + + authorized_sendmail_users (static:anyone) + List of users who are authorized to use the send- + mail(1) command (and the privileged postdrop(1) + helper command) to submit mail. + RESOURCE AND RATE CONTROLS bounce_size_limit (50000) The maximal amount of original message text that is diff --git a/postfix/man/Makefile.in b/postfix/man/Makefile.in index 9f3a3f683..8bcb4e41b 100644 --- a/postfix/man/Makefile.in +++ b/postfix/man/Makefile.in @@ -7,7 +7,7 @@ DAEMONS = man8/bounce.8 man8/defer.8 man8/cleanup.8 man8/error.8 man8/local.8 \ man8/showq.8 man8/smtp.8 man8/smtpd.8 man8/trivial-rewrite.8 \ man8/oqmgr.8 man8/spawn.8 man8/flush.8 man8/virtual.8 man8/qmqpd.8 \ man8/verify.8 man8/trace.8 man8/proxymap.8 man8/anvil.8 \ - man8/scache.8 + man8/scache.8 man8/discard.8 COMMANDS= man1/postalias.1 man1/postcat.1 man1/postconf.1 man1/postfix.1 \ man1/postkick.1 man1/postlock.1 man1/postlog.1 man1/postdrop.1 \ man1/postmap.1 man1/sendmail.1 man1/mailq.1 man1/newaliases.1 \ @@ -56,6 +56,11 @@ man8/scache.8: ../src/scache/scache.c (cmp -s junk $? || mv junk $?) ../mantools/srctoman $? >$@ +man8/discard.8: ../src/discard/discard.c + ../mantools/fixman ../proto/postconf.proto $? >junk && \ + (cmp -s junk $? || mv junk $?) + ../mantools/srctoman $? >$@ + man8/error.8: ../src/error/error.c ../mantools/fixman ../proto/postconf.proto $? >junk && \ (cmp -s junk $? || mv junk $?) 
diff --git a/postfix/man/man1/postdrop.1 b/postfix/man/man1/postdrop.1 index 47e4b115f..700748cd9 100644 --- a/postfix/man/man1/postdrop.1 +++ b/postfix/man/man1/postdrop.1 @@ -87,6 +87,11 @@ records, so that "smtpd" becomes, for example, "postfix/smtpd". .IP "\fBtrigger_timeout (10s)\fR" The time limit for sending a trigger to a Postfix daemon (for example, the pickup(8) or qmgr(8) daemon). +.PP +Available in Postfix version 2.2 and later: +.IP "\fBauthorized_sendmail_users (static:anyone)\fR" +List of users who are authorized to use the sendmail(1) command +(and the privileged postdrop(1) helper command) to submit mail. .SH "FILES" .na .nf diff --git a/postfix/man/man1/postfix.1 b/postfix/man/man1/postfix.1 index 6661e4fd2..a8407c923 100644 --- a/postfix/man/man1/postfix.1 +++ b/postfix/man/man1/postfix.1 @@ -195,6 +195,7 @@ Daemon processes: anvil(8), Postfix connection/rate limiting bounce(8), defer(8), trace(8), Delivery status reports cleanup(8), canonicalize and enqueue message +discard(8), Postfix discard delivery agent error(8), Postfix error delivery agent flush(8), Postfix fast ETRN service lmtp(8), Postfix LMTP client @@ -206,6 +207,7 @@ pipe(8), deliver mail to non-Postfix command proxymap(8), Postfix lookup table proxy server qmgr(8), Postfix queue manager qmqpd(8), Postfix QMQP server +scache(8), Postfix session cache manager showq(8), list Postfix mail queue smtp(8), Postfix SMTP client smtpd(8), Postfix SMTP server diff --git a/postfix/man/man1/postqueue.1 b/postfix/man/man1/postqueue.1 index 30f72e150..c5af91802 100644 --- a/postfix/man/man1/postqueue.1 +++ b/postfix/man/man1/postqueue.1 
@@ -128,6 +128,12 @@ records, so that "smtpd" becomes, for example, "postfix/smtpd". .IP "\fBtrigger_timeout (10s)\fR" The time limit for sending a trigger to a Postfix daemon (for example, the pickup(8) or qmgr(8) daemon). +.PP +Available in Postfix version 2.2 and later: +.IP "\fBauthorized_flush_users (static:anyone)\fR" +List of users who are authorized to flush the queue. +.IP "\fBauthorized_mailq_users (static:anyone)\fR" +List of users who are authorized to view the queue. .SH "FILES" .na .nf diff --git a/postfix/man/man1/sendmail.1 b/postfix/man/man1/sendmail.1 index 1f996cf9e..594b099ee 100644 --- a/postfix/man/man1/sendmail.1 +++ b/postfix/man/man1/sendmail.1 @@ -247,6 +247,19 @@ server matches a pattern in the debug_peer_list parameter. Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level. +.SH "ACCESS CONTROLS" +.na +.nf +.ad +.fi +Available in Postfix version 2.2 and later: +.IP "\fBauthorized_flush_users (static:anyone)\fR" +List of users who are authorized to flush the queue. +.IP "\fBauthorized_mailq_users (static:anyone)\fR" +List of users who are authorized to view the queue. +.IP "\fBauthorized_sendmail_users (static:anyone)\fR" +List of users who are authorized to use the sendmail(1) command +(and the privileged postdrop(1) helper command) to submit mail. .SH "RESOURCE AND RATE CONTROLS" .na .nf diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index be6518246..d796dba4f 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -378,6 +378,61 @@ Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds). .PP This feature is available in Postfix 2.1 and later. +.SH authorized_flush_users (default: static:anyone) +List of users who are authorized to flush the queue. +.PP +By default all users are allowed to flush the queue. Otherwise if the +invoking user is neither the super-user nor the $mail_owner user, access +is denied unless the real uid of the process trying to flush the queue +is listed in the system password file and the corresponding login name +is on the access list. +.PP +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. Specify "!name" to +exclude a name from the list. A "/file/name" pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). Continue long +lines by starting the next line with whitespace. +.PP +This feature is available in Postfix 2.2 and later. +.SH authorized_mailq_users (default: static:anyone) +List of users who are authorized to view the queue. +.PP +By default all users are allowed to view the queue. Otherwise if the +invoking user is neither the super-user nor the $mail_owner user, access +is denied unless the real uid of the process trying to view the queue +is listed in the system password file and the corresponding login name +is on the access list. +.PP +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. Specify "!name" to +exclude a name from the list. A "/file/name" pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). 
Continue long +lines by starting the next line with whitespace. +.PP +This feature is available in Postfix 2.2 and later. +.SH authorized_sendmail_users (default: static:anyone) +List of users who are authorized to use the sendmail(1) command +(and the privileged postdrop(1) helper command) to submit mail. +.PP +By all users are allowed to submit mail. Otherwise, access is denied +unless the real uid of the process trying to submit mail is listed in +the system password file and the corresponding login name is on the +access list. To deny mail submission access to all users specify an +empty list. +.PP +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to right, +and the search stops on the first match. Specify "!name" to exclude a +name from the list. A "/file/name" pattern is replaced by its contents; +a "type:table" lookup table is matched when a name matches a lookup key +(the lookup result is ignored). Continue long lines by starting the +next line with whitespace. +.PP +This feature is available in Postfix 2.2 and later. .SH authorized_verp_clients (default: $mynetworks) What SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a diff --git a/postfix/man/man8/discard.8 b/postfix/man/man8/discard.8 new file mode 100644 index 000000000..2854b02cd --- /dev/null +++ b/postfix/man/man8/discard.8 
@@ -0,0 +1,117 @@ +.TH DISCARD 8 +.ad +.fi +.SH NAME +discard +\- +Postfix discard mail delivery agent +.SH "SYNOPSIS" +.na +.nf +\fBdiscard\fR [generic Postfix daemon options] +.SH DESCRIPTION +.ad +.fi +The Postfix discard delivery agent processes delivery requests from +the queue manager. Each request specifies a queue file, a sender +address, a domain or host name that is treated as the reason for +discarding the mail, and recipient information. +This program expects to be run from the \fBmaster\fR(8) process +manager. + +The discard delivery agent pretends to deliver all recipients +in the delivery request, logs the "next-hop" domain or host +information as the reason for discarding the mail, updates the +queue file and marks recipients as finished or informs the +queue manager that delivery should be tried again at a later time. + +Delivery status reports are sent to the \fBbounce\fR(8), +\fBdefer\fR(8) or \fBtrace\fR(8) daemon as appropriate. +.SH "SECURITY" +.na +.nf +.ad +.fi +The discard mailer is not security-sensitive. It does not talk +to the network, and can be run chrooted at fixed low privilege. +.SH "STANDARDS" +.na +.nf +None. +.SH DIAGNOSTICS +.ad +.fi +Problems and transactions are logged to \fBsyslogd\fR(8). + +Depending on the setting of the \fBnotify_classes\fR parameter, +the postmaster is notified of bounces and of other trouble. +.SH "CONFIGURATION PARAMETERS" +.na +.nf +.ad +.fi +Changes to \fBmain.cf\fR are picked up automatically as discard(8) +processes run for only a limited amount of time. Use the command +"\fBpostfix reload\fR" to speed up a change. + +The text below provides only a parameter summary. See +postconf(5) for more details including examples. +.IP "\fBconfig_directory (see 'postconf -d' output)\fR" +The default location of the Postfix main.cf and master.cf +configuration files. 
+.IP "\fBdaemon_timeout (18000s)\fR" +How much time a Postfix daemon process may take to handle a +request before it is terminated by a built-in watchdog timer. +.IP "\fBdouble_bounce_sender (double-bounce)\fR" +The sender address of postmaster notifications that are generated +by the mail system. +.IP "\fBipc_timeout (3600s)\fR" +The time limit for sending or receiving information over an internal +communication channel. +.IP "\fBmax_idle (100s)\fR" +The maximum amount of time that an idle Postfix daemon process +waits for the next service request before exiting. +.IP "\fBmax_use (100)\fR" +The maximal number of connection requests before a Postfix daemon +process terminates. +.IP "\fBprocess_id (read-only)\fR" +The process ID of a Postfix command or daemon process. +.IP "\fBprocess_name (read-only)\fR" +The process name of a Postfix command or daemon process. +.IP "\fBqueue_directory (see 'postconf -d' output)\fR" +The location of the Postfix top-level queue directory. +.IP "\fBsyslog_facility (mail)\fR" +The syslog facility of Postfix logging. +.IP "\fBsyslog_name (postfix)\fR" +The mail system name that is prepended to the process name in syslog +records, so that "smtpd" becomes, for example, "postfix/smtpd". +.SH "SEE ALSO" +.na +.nf +qmgr(8), queue manager +bounce(8), delivery status reports +error(8), Postfix error delivery agent +postconf(5), configuration parameters +master(8), process manager +syslogd(8), system logging +.SH "LICENSE" +.na +.nf +.ad +.fi +The Secure Mailer license must be distributed with this software. +.SH "HISTORY" +.na +.nf +This service was introduced with Postfix version 2.2. +.SH "AUTHOR(S)" +.na +.nf +Victor Duchovni +Morgan Stanley + +Based on code by: +Wietse Venema +IBM T.J. Watson Research +P.O. Box 704 +Yorktown Heights, NY 10598, USA diff --git a/postfix/man/man8/error.8 b/postfix/man/man8/error.8 index c8c6e21a0..35d4c7d7a 100644 --- a/postfix/man/man8/error.8 +++ b/postfix/man/man8/error.8 
@@ -99,6 +99,7 @@ records, so that "smtpd" becomes, for example, "postfix/smtpd". .nf qmgr(8), queue manager bounce(8), delivery status reports +discard(8), Postfix discard delivery agent postconf(5), configuration parameters master(8), process manager syslogd(8), system logging diff --git a/postfix/mantools/postlink b/postfix/mantools/postlink index d780e8a14..97be27f65 100755 --- a/postfix/mantools/postlink +++ b/postfix/mantools/postlink @@ -59,6 +59,9 @@ while (<>) { $printit = 0; next LINE; } + s;\bautho[-]*\n*[ ]*rized_flush_users\b;$&;g; + s;\bautho[-]*\n*[ ]*rized_mailq_users\b;$&;g; + s;\bautho[-]*\n*[ ]*rized_sendmail_users\b;$&;g; s;\bautho[-]*\n*[ ]*rized_verp_clients\b;$&;g; s;\bdebugger_command\b;$&;g; s;\b2bounce_notice_recipi[-]*\n*[ ]*ent\b;$&;g; @@ -445,6 +448,7 @@ while (<>) { s/[]*bounce[<\/bB>]*\(8\)/$&<\/a>/g; s/[]*cleanup[<\/bB>]*\(8\)/$&<\/a>/g; s/[]*defer[<\/bB>]*\(8\)/$&<\/a>/g; + s/[]*discard[<\/bB>]*\(8\)/$&<\/a>/g; s/[]*error[<\/bB>]*\(8\)/$&<\/a>/g; s/[]*flush[<\/bB>]*\(8\)/$&<\/a>/g; s/[]*lmtp[<\/bB>]*\(8\)/$&<\/a>/g; diff --git a/postfix/proto/OVERVIEW.html b/postfix/proto/OVERVIEW.html index 08f8314ea..0922cacc0 100644 --- a/postfix/proto/OVERVIEW.html +++ b/postfix/proto/OVERVIEW.html @@ -321,10 +321,11 @@ href="QSHAPE_README.html#deferred_queue"> deferred
  • The queue manager (the qmgr(8) server process in the figure) is the heart of Postfix mail delivery. It contacts the -smtp(8), lmtp(8), local(8), virtual(8), pipe(8), or error(8) delivery -agents, and sends a delivery request for one or more recipient -addresses. The error(8) delivery agent is special: it always declares -mail as undeliverable. It is not shown in the figure above.

    +smtp(8), lmtp(8), local(8), virtual(8), pipe(8), discard(8) or +error(8) delivery agents, and sends a delivery request for one +or more recipient addresses. The discard(8) and error(8) delivery +agents are special: they discard or bounce all mail, they are not +shown in the figure above.

    The queue manager maintains a small active queue with the messages that it has opened for delivery. The active queue acts as diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 49994026b..d06ffffbb 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -5510,6 +5510,85 @@ The default time unit is s (seconds). This feature is available in Postfix 2.1 and later.

    +%PARAM authorized_flush_users static:anyone + +

    +List of users who are authorized to flush the queue. +

    + +

    +By default all users are allowed to flush the queue. Otherwise if the +invoking user is neither the super-user nor the $mail_owner user, access +is denied unless the real uid of the process trying to flush the queue +is listed in the system password file and the corresponding login name +is on the access list.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. Specify "!name" to +exclude a name from the list. A "/file/name" pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). Continue long +lines by starting the next line with whitespace.

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +%PARAM authorized_mailq_users static:anyone + +

    +List of users who are authorized to view the queue. +

    + +

    +By default all users are allowed to view the queue. Otherwise if the +invoking user is neither the super-user nor the $mail_owner user, access +is denied unless the real uid of the process trying to view the queue +is listed in the system password file and the corresponding login name +is on the access list.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to +right, and the search stops on the first match. Specify "!name" to +exclude a name from the list. A "/file/name" pattern is replaced +by its contents; a "type:table" lookup table is matched when a name +matches a lookup key (the lookup result is ignored). Continue long +lines by starting the next line with whitespace.

    + +

    +This feature is available in Postfix 2.2 and later. +

    + +%PARAM authorized_sendmail_users static:anyone + +

    +List of users who are authorized to use the sendmail(1) command +(and the privileged postdrop(1) helper command) to submit mail. +

    + +

    +By default all users are allowed to submit mail. Otherwise, access is denied +unless the real uid of the process trying to submit mail is listed in +the system password file and the corresponding login name is on the +access list. To deny mail submission access to all users specify an +empty list.

    + +

    +Specify a list of user names, "/file/name" or "type:table" patterns, +separated by commas and/or whitespace. The list is matched left to right, +and the search stops on the first match. Specify "!name" to exclude a +name from the list. A "/file/name" pattern is replaced by its contents; +a "type:table" lookup table is matched when a name matches a lookup key +(the lookup result is ignored). Continue long lines by starting the +next line with whitespace.

    + +

    +This feature is available in Postfix 2.2 and later. +

    + %PARAM backwards_bounce_logfile_compatibility yes

    diff --git a/postfix/proto/postconf.spec b/postfix/proto/postconf.spec index d2e50c019..930a2656b 100644 --- a/postfix/proto/postconf.spec +++ b/postfix/proto/postconf.spec @@ -35,6 +35,9 @@ %CLASS security %PARAM allow_min_user %PARAM alternate_config_directories +%PARAM authorized_flush_users +%PARAM authorized_mailq_users +%PARAM authorized_sendmail_users %PARAM default_privs %PARAM import_environment %PARAM proxy_read_maps diff --git a/postfix/src/discard/Makefile.in b/postfix/src/discard/Makefile.in new file mode 100644 index 000000000..f8a09a779 --- /dev/null +++ b/postfix/src/discard/Makefile.in 
@@ -0,0 +1,67 @@ +SHELL = /bin/sh +SRCS = discard.c +OBJS = discard.o +HDRS = +TESTSRC = +DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) +CFLAGS = $(DEBUG) $(OPT) $(DEFS) +TESTPROG= +PROG = discard +INC_DIR = ../../include +LIBS = ../../lib/libmaster.a ../../lib/libglobal.a ../../lib/libutil.a + +.c.o:; $(CC) $(CFLAGS) -c $*.c + +$(PROG): $(OBJS) $(LIBS) + $(CC) $(CFLAGS) -o $@ $(OBJS) $(LIBS) $(SYSLIBS) + +Makefile: Makefile.in + (set -e; echo "# DO NOT EDIT"; $(OPTS) $(SHELL) ../../makedefs && cat $?) >$@ + +test: $(TESTPROG) + +tests: test + +update: ../../libexec/$(PROG) + +../../libexec/$(PROG): $(PROG) + cp $(PROG) ../../libexec + +printfck: $(OBJS) $(PROG) + rm -rf printfck + mkdir printfck + sed '1,/^# do not edit/!d' Makefile >printfck/Makefile + set -e; for i in *.c; do printfck -f .printfck $$i >printfck/$$i; done + cd printfck; make "INC_DIR=../../../include" `cd ..; ls *.o` + +lint: + lint $(DEFS) $(SRCS) $(LINTFIX) + +clean: + rm -f *.o *core $(PROG) $(TESTPROG) junk + rm -rf printfck + +tidy: clean + +depend: $(MAKES) + (sed '1,/^# do not edit/!d' Makefile.in; \ + set -e; for i in [a-z][a-z0-9]*.c; do \ + $(CC) -E $(DEFS) $(INCL) $$i | sed -n -e '/^# *1 *"\([^"]*\)".*/{' \ + -e 's//'`echo $$i|sed 's/c$$/o/'`': \1/' -e 'p' -e '}'; \ + done) | grep -v '[.][o][:][ ][/]' >$$$$ && mv $$$$ Makefile.in + @$(EXPORT) make -f Makefile.in Makefile 1>&2 + +# do not edit below this line - it is generated by 'make depend' +discard.o: discard.c +discard.o: ../../include/sys_defs.h +discard.o: ../../include/msg.h +discard.o: ../../include/vstream.h +discard.o: ../../include/vbuf.h +discard.o: ../../include/deliver_request.h +discard.o: ../../include/vstring.h +discard.o: ../../include/recipient_list.h +discard.o: ../../include/mail_queue.h +discard.o: ../../include/bounce.h +discard.o: ../../include/deliver_completed.h +discard.o: ../../include/flush_clnt.h +discard.o: ../../include/mail_server.h 
diff --git a/postfix/src/discard/discard.c b/postfix/src/discard/discard.c new file mode 100644 index 000000000..f6ad47d5d --- /dev/null +++ b/postfix/src/discard/discard.c 
@@ -0,0 +1,224 @@ +/*++ +/* NAME +/* discard 8 +/* SUMMARY +/* Postfix discard mail delivery agent +/* SYNOPSIS +/* \fBdiscard\fR [generic Postfix daemon options] +/* DESCRIPTION +/* The Postfix discard delivery agent processes delivery requests from +/* the queue manager. Each request specifies a queue file, a sender +/* address, a domain or host name that is treated as the reason for +/* discarding the mail, and recipient information. +/* This program expects to be run from the \fBmaster\fR(8) process +/* manager. +/* +/* The discard delivery agent pretends to deliver all recipients +/* in the delivery request, logs the "next-hop" domain or host +/* information as the reason for discarding the mail, updates the +/* queue file and marks recipients as finished or informs the +/* queue manager that delivery should be tried again at a later time. +/* +/* Delivery status reports are sent to the \fBbounce\fR(8), +/* \fBdefer\fR(8) or \fBtrace\fR(8) daemon as appropriate. +/* SECURITY +/* .ad +/* .fi +/* The discard mailer is not security-sensitive. It does not talk +/* to the network, and can be run chrooted at fixed low privilege. +/* STANDARDS +/* None. +/* DIAGNOSTICS +/* Problems and transactions are logged to \fBsyslogd\fR(8). +/* +/* Depending on the setting of the \fBnotify_classes\fR parameter, +/* the postmaster is notified of bounces and of other trouble. +/* CONFIGURATION PARAMETERS +/* .ad +/* .fi +/* Changes to \fBmain.cf\fR are picked up automatically as discard(8) +/* processes run for only a limited amount of time. Use the command +/* "\fBpostfix reload\fR" to speed up a change. +/* +/* The text below provides only a parameter summary. See +/* postconf(5) for more details including examples. +/* .IP "\fBconfig_directory (see 'postconf -d' output)\fR" +/* The default location of the Postfix main.cf and master.cf +/* configuration files. 
+/* .IP "\fBdaemon_timeout (18000s)\fR" +/* How much time a Postfix daemon process may take to handle a +/* request before it is terminated by a built-in watchdog timer. +/* .IP "\fBdouble_bounce_sender (double-bounce)\fR" +/* The sender address of postmaster notifications that are generated +/* by the mail system. +/* .IP "\fBipc_timeout (3600s)\fR" +/* The time limit for sending or receiving information over an internal +/* communication channel. +/* .IP "\fBmax_idle (100s)\fR" +/* The maximum amount of time that an idle Postfix daemon process +/* waits for the next service request before exiting. +/* .IP "\fBmax_use (100)\fR" +/* The maximal number of connection requests before a Postfix daemon +/* process terminates. +/* .IP "\fBprocess_id (read-only)\fR" +/* The process ID of a Postfix command or daemon process. +/* .IP "\fBprocess_name (read-only)\fR" +/* The process name of a Postfix command or daemon process. +/* .IP "\fBqueue_directory (see 'postconf -d' output)\fR" +/* The location of the Postfix top-level queue directory. +/* .IP "\fBsyslog_facility (mail)\fR" +/* The syslog facility of Postfix logging. +/* .IP "\fBsyslog_name (postfix)\fR" +/* The mail system name that is prepended to the process name in syslog +/* records, so that "smtpd" becomes, for example, "postfix/smtpd". +/* SEE ALSO +/* qmgr(8), queue manager +/* bounce(8), delivery status reports +/* error(8), Postfix error delivery agent +/* postconf(5), configuration parameters +/* master(8), process manager +/* syslogd(8), system logging +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* HISTORY +/* This service was introduced with Postfix version 2.2. +/* AUTHOR(S) +/* Victor Duchovni +/* Morgan Stanley +/* +/* Based on code by: +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/*--*/ + +/* System library. */ + +#include +#include +#include + +/* Utility library. 
*/ + +#include +#include + +/* Global library. */ + +#include +#include +#include +#include +#include + +/* Single server skeleton. */ + +#include + +/* deliver_message - deliver message with extreme prejudice */ + +static int deliver_message(DELIVER_REQUEST *request) +{ + char *myname = "deliver_message"; + VSTREAM *src; + int result = 0; + int status; + RECIPIENT *rcpt; + int nrcpt; + + if (msg_verbose) + msg_info("deliver_message: from %s", request->sender); + + /* + * Sanity checks. + */ + if (request->nexthop[0] == 0) + msg_fatal("empty nexthop hostname"); + if (request->rcpt_list.len <= 0) + msg_fatal("recipient count: %d", request->rcpt_list.len); + + /* + * Open the queue file. Opening the file can fail for a variety of + * reasons, such as the system running out of resources. Instead of + * throwing away mail, we're raising a fatal error which forces the mail + * system to back off, and retry later. + */ + src = mail_queue_open(request->queue_name, request->queue_id, + O_RDWR, 0); + if (src == 0) + msg_fatal("%s: open %s %s: %m", myname, + request->queue_name, request->queue_id); + if (msg_verbose) + msg_info("%s: file %s", myname, VSTREAM_PATH(src)); + + /* + * Discard all recipients. + */ +#define BOUNCE_FLAGS(request) DEL_REQ_TRACE_FLAGS(request->flags) + + for (nrcpt = 0; nrcpt < request->rcpt_list.len; nrcpt++) { + rcpt = request->rcpt_list.info + nrcpt; + if (rcpt->offset >= 0) { + status = sent(BOUNCE_FLAGS(request), request->queue_id, + rcpt->orig_addr, rcpt->address, rcpt->offset, "none", + request->arrival_time, "%s", request->nexthop); + if (status == 0 && (request->flags & DEL_REQ_FLAG_SUCCESS)) + deliver_completed(src, rcpt->offset); + result |= status; + } + } + + /* + * Clean up. 
+ */ + if (vstream_fclose(src)) + msg_warn("close %s %s: %m", request->queue_name, request->queue_id); + + return (result); +} + +/* discard_service - perform service for client */ + +static void discard_service(VSTREAM *client_stream, char *unused_service, char **argv) +{ + DELIVER_REQUEST *request; + int status; + + /* + * Sanity check. This service takes no command-line arguments. + */ + if (argv[0]) + msg_fatal("unexpected command-line argument: %s", argv[0]); + + /* + * This routine runs whenever a client connects to the UNIX-domain socket + * dedicated to the discard mailer. What we see below is a little + * protocol to (1) tell the queue manager that we are ready, (2) read a + * request from the queue manager, and (3) report the completion status + * of that request. All connection-management stuff is handled by the + * common code in single_server.c. + */ + if ((request = deliver_request_read(client_stream)) != 0) { + status = deliver_message(request); + deliver_request_done(client_stream, request, status); + } +} + +/* pre_init - pre-jail initialization */ + +static void pre_init(char *unused_name, char **unused_argv) +{ + flush_init(); +} + +/* main - pass control to the single-threaded skeleton */ + +int main(int argc, char **argv) +{ + single_server_main(argc, argv, discard_service, + MAIL_SERVER_PRE_INIT, pre_init, + 0); +} diff --git a/postfix/src/error/error.c b/postfix/src/error/error.c index a51b1fc25..fc8d2986f 100644 --- a/postfix/src/error/error.c +++ b/postfix/src/error/error.c @@ -83,6 +83,7 @@ /* SEE ALSO /* qmgr(8), queue manager /* bounce(8), delivery status reports +/* discard(8), Postfix discard delivery agent /* postconf(5), configuration parameters /* master(8), process manager /* syslogd(8), system logging diff --git a/postfix/src/global/Makefile.in b/postfix/src/global/Makefile.in index 240749c1f..445c642e1 100644 --- a/postfix/src/global/Makefile.in +++ b/postfix/src/global/Makefile.in 
@@ -23,7 +23,7 @@ SRCS = abounce.c anvil_clnt.c been_here.c bounce.c bounce_log.c \ sys_exits.c timed_ipc.c tok822_find.c tok822_node.c tok822_parse.c \ tok822_resolve.c tok822_rewrite.c tok822_tree.c trace.c verify.c \ verify_clnt.c verp_sender.c virtual8_maps.c xtext.c scache_single.c \ - scache_clnt.c scache_multi.c + scache_clnt.c scache_multi.c user_acl.c OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ canon_addr.o cfg_parser.o cleanup_strerror.o cleanup_strflags.o \ clnt_stream.o debug_peer.o debug_process.o defer.o \ @@ -48,7 +48,7 @@ OBJS = abounce.o anvil_clnt.o been_here.o bounce.o bounce_log.o \ sys_exits.o timed_ipc.o tok822_find.o tok822_node.o tok822_parse.o \ tok822_resolve.o tok822_rewrite.o tok822_tree.o trace.o verify.o \ verify_clnt.o verp_sender.o virtual8_maps.o xtext.o scache_single.o \ - scache_clnt.o scache_multi.o + scache_clnt.o scache_multi.o user_acl.o HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ canon_addr.h cfg_parser.h cleanup_user.h clnt_stream.h config.h \ debug_peer.h debug_process.h defer.h deliver_completed.h \ @@ -69,7 +69,7 @@ HDRS = abounce.h anvil_clnt.h been_here.h bounce.h bounce_log.h \ resolve_local.h rewrite_clnt.h sent.h smtp_stream.h split_addr.h \ string_list.h strip_addr.h sys_exits.h timed_ipc.h tok822.h \ trace.h verify.h verify_clnt.h verp_sender.h virtual8_maps.h \ - xtext.h scache.h + xtext.h scache.h user_acl.h TESTSRC = rec2stream.c stream2rec.c recdump.c DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE) CFLAGS = $(DEBUG) $(OPT) $(DEFS) 
@@ -1406,6 +1406,15 @@ trace.o: recipient_list.h trace.o: log_adhoc.h trace.o: bounce.h trace.o: trace.h +user_acl.o: user_acl.c +user_acl.o: ../../include/sys_defs.h +user_acl.o: ../../include/vstring.h +user_acl.o: ../../include/vbuf.h +user_acl.o: string_list.h +user_acl.o: ../../include/match_list.h +user_acl.o: ../../include/match_ops.h +user_acl.o: mypwd.h +user_acl.o: user_acl.h verify.o: verify.c verify.o: ../../include/sys_defs.h verify.o: ../../include/msg.h diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index 507ff0a07..05102375d 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h @@ -74,6 +74,21 @@ extern char *var_default_privs; extern uid_t var_default_uid; extern gid_t var_default_gid; + /* + * Access control for local privileged operations: + */ +#define VAR_FLUSH_ACL "authorized_flush_users" +#define DEF_FLUSH_ACL "static:anyone" +extern char *var_flush_acl; + +#define VAR_SHOWQ_ACL "authorized_mailq_users" +#define DEF_SHOWQ_ACL "static:anyone" +extern char *var_showq_acl; + +#define VAR_SENDMAIL_ACL "authorized_sendmail_users" +#define DEF_SENDMAIL_ACL "static:anyone" +extern char *var_sendmail_acl; + /* * What goes on the right-hand side of addresses of mail sent from this * machine. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 03e8adda8..09bf110f1 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change the patchlevel and the release date. Snapshots change the * release date only. */ -#define MAIL_RELEASE_DATE "20040917" +#define MAIL_RELEASE_DATE "20040918" #define MAIL_VERSION_NUMBER "2.2" #define VAR_MAIL_VERSION "mail_version" diff --git a/postfix/src/global/user_acl.c b/postfix/src/global/user_acl.c new file mode 100644 index 000000000..445d7657b --- /dev/null +++ b/postfix/src/global/user_acl.c 
@@ -0,0 +1,94 @@ +/*++ +/* NAME +/* user_acl 3 +/* SUMMARY +/* Convert uid to username and check against given ACL. +/* SYNOPSIS +/* #include +/* +/* char *check_user_acl_byuid(acl, uid) +/* const char *acl; +/* uid_t uid; +/* DESCRIPTION +/* check_user_acl_byuid() checks the given uid against a +/* user name matchlist. If the uid cannot be resolved to a user +/* name, the numeric uid is used as the lookup key instead. +/* The result is NULL on success, "User \fIusername\fR" or +/* "UID \fIuid\fR" upon failure. The error result lives in +/* static storage and must be saved if it is to be used to +/* across calls. +/* +/* Arguments: +/* .IP acl +/* Authorized username list suitable for input to string_list_init(3). +/* .IP uid +/* The uid to be checked against the access list. +/* LICENSE +/* .ad +/* .fi +/* The Secure Mailer license must be distributed with this software. +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/* +/* Victor Duchovni +/* Morgan Stanley +/*--*/ + +/* System library. */ + +#include + +/* Utility library. */ + +#include + +/* Global library. */ + +#include +#include + +/* Application-specific. */ + +#include "user_acl.h" + +/* check_user_acl_byuid - check user authorization */ + +char *check_user_acl_byuid(char *acl, uid_t uid) +{ + struct mypasswd *mypwd; + STRING_LIST *list; + static VSTRING *why = 0; + VSTRING *uidbuf = 0; + int matched; + const char *name; + + /* + * XXX: we must perform a lookup for unresolved uids, so that + * static:anyone results in "permit" even when the uid is not found in + * the password file and the resulting error message is clear. 
+ */ + if ((mypwd = mypwuid(uid)) == 0) { + uidbuf = vstring_alloc(10); + vstring_sprintf(uidbuf, "%ld", (long) uid); + name = vstring_str(uidbuf); + } else { + name = mypwd->pw_name; + } + + list = string_list_init(MATCH_FLAG_NONE, acl); + if ((matched = string_list_match(list, name)) == 0) { + if (!why) + why = vstring_alloc(100); + vstring_sprintf(why, "%s %s", mypwd ? "User" : "UID", name); + } + string_list_free(list); + if (mypwd) + mypwfree(mypwd); + else + vstring_free(uidbuf); + + return (matched ? 0 : vstring_str(why)); +} diff --git a/postfix/src/global/user_acl.h b/postfix/src/global/user_acl.h new file mode 100644 index 000000000..66123a29f --- /dev/null +++ b/postfix/src/global/user_acl.h @@ -0,0 +1,39 @@ +#ifndef _USER_ACL_H_INCLUDED_ +#define _USER_ACL_H_INCLUDED_ +/*++ +/* NAME +/* user_acl 3 +/* SUMMARY +/* Convert uid to username and check against given ACL. +/* SYNOPSIS +/* #include +/* +/* DESCRIPTION +/* .nf + + /* + * System library + */ +#include /* getuid()/geteuid() */ +#include /* uid_t */ + + /* + * Utility library. + */ +#include + + /* + * External interface + */ +extern char *check_user_acl_byuid(char *, uid_t); + +/* AUTHOR(S) +/* Wietse Venema +/* IBM T.J. Watson Research +/* P.O. Box 704 +/* Yorktown Heights, NY 10598, USA +/* +/* Victor Duchovni +/* Morgan Stanley +/*--*/ +#endif diff --git a/postfix/src/postdrop/Makefile.in b/postfix/src/postdrop/Makefile.in index e6946e11b..48af4b903 100644 --- a/postfix/src/postdrop/Makefile.in +++ b/postfix/src/postdrop/Makefile.in @@ -75,3 +75,4 @@ postdrop.o: ../../include/mail_stream.h postdrop.o: ../../include/cleanup_user.h postdrop.o: ../../include/record.h postdrop.o: ../../include/rec_type.h +postdrop.o: ../../include/user_acl.h diff --git a/postfix/src/postdrop/postdrop.c b/postfix/src/postdrop/postdrop.c index e5860102c..be61c274f 100644 --- a/postfix/src/postdrop/postdrop.c +++ b/postfix/src/postdrop/postdrop.c 
@@ -73,6 +73,11 @@ /* .IP "\fBtrigger_timeout (10s)\fR" /* The time limit for sending a trigger to a Postfix daemon (for /* example, the pickup(8) or qmgr(8) daemon). +/* .PP +/* Available in Postfix version 2.2 and later: +/* .IP "\fBauthorized_sendmail_users (static:anyone)\fR" +/* List of users who are authorized to use the sendmail(1) command +/* (and the privileged postdrop(1) helper command) to submit mail. /* FILES /* /var/spool/postfix/maildrop, maildrop queue /* SEE ALSO @@ -127,6 +132,7 @@ #include #include #include +#include /* Application-specific. */ @@ -143,6 +149,16 @@ * and so on. */ + /* + * Local mail submission access list. + */ +static char *var_sendmail_acl; + +static CONFIG_STR_TABLE str_table[] = { + VAR_SENDMAIL_ACL, DEF_SENDMAIL_ACL, &var_sendmail_acl, 0, 0, + 0, +}; + /* * Queue file name. Global, so that the cleanup routine can find it when * called by the run-time error handler. @@ -203,6 +219,7 @@ int main(int argc, char **argv) const char *error_text; char *attr_name; char *attr_value; + char *errstr; /* * Be consistent with file permissions. @@ -259,6 +276,14 @@ int main(int argc, char **argv) * perform some sanity checks on the input. */ mail_conf_read(); + get_mail_conf_str_table(str_table); + + /* + * Mail submission access control. Should this be in the user-land gate, + * or in the daemon process? + */ + if ((errstr = check_user_acl_byuid(var_sendmail_acl, uid)) != 0) + msg_fatal("%s is not allowed to submit mail", errstr); /* * Stop run-away process accidents by limiting the queue file size. This @@ -330,7 +355,7 @@ int main(int argc, char **argv) if (rec_type == REC_TYPE_EOF) { /* request cancelled */ mail_stream_cleanup(dst); if (remove(postdrop_path)) - msg_warn("uid=%ld: remove %s: %m", (long) getuid(), postdrop_path); + msg_warn("uid=%ld: remove %s: %m", (long) uid, postdrop_path); else if (msg_verbose) msg_info("remove %s", postdrop_path); myfree(postdrop_path); 
diff --git a/postfix/src/postfix/postfix.c b/postfix/src/postfix/postfix.c index ddc848f97..910d001b1 100644 --- a/postfix/src/postfix/postfix.c +++ b/postfix/src/postfix/postfix.c @@ -181,6 +181,7 @@ /* anvil(8), Postfix connection/rate limiting /* bounce(8), defer(8), trace(8), Delivery status reports /* cleanup(8), canonicalize and enqueue message +/* discard(8), Postfix discard delivery agent /* error(8), Postfix error delivery agent /* flush(8), Postfix fast ETRN service /* lmtp(8), Postfix LMTP client @@ -192,6 +193,7 @@ /* proxymap(8), Postfix lookup table proxy server /* qmgr(8), Postfix queue manager /* qmqpd(8), Postfix QMQP server +/* scache(8), Postfix session cache manager /* showq(8), list Postfix mail queue /* smtp(8), Postfix SMTP client /* smtpd(8), Postfix SMTP server diff --git a/postfix/src/postqueue/Makefile.in b/postfix/src/postqueue/Makefile.in index a90fe8d1d..470f03c15 100644 --- a/postfix/src/postqueue/Makefile.in +++ b/postfix/src/postqueue/Makefile.in @@ -77,3 +77,4 @@ postqueue.o: ../../include/mail_flush.h postqueue.o: ../../include/flush_clnt.h postqueue.o: ../../include/smtp_stream.h postqueue.o: ../../include/vstring.h +postqueue.o: ../../include/user_acl.h diff --git a/postfix/src/postqueue/postqueue.c b/postfix/src/postqueue/postqueue.c index 0d9bdda82..31ec6f622 100644 --- a/postfix/src/postqueue/postqueue.c +++ b/postfix/src/postqueue/postqueue.c @@ -114,6 +114,12 @@ /* .IP "\fBtrigger_timeout (10s)\fR" /* The time limit for sending a trigger to a Postfix daemon (for /* example, the pickup(8) or qmgr(8) daemon). +/* .PP +/* Available in Postfix version 2.2 and later: +/* .IP "\fBauthorized_flush_users (static:anyone)\fR" +/* List of users who are authorized to flush the queue. +/* .IP "\fBauthorized_mailq_users (static:anyone)\fR" +/* List of users who are authorized to view the queue. /* FILES /* /var/spool/postfix, mail queue /* SEE ALSO @@ -180,6 +186,7 @@ #include #include #include +#include /* Application-specific. */ 
@@ -209,13 +216,32 @@ */ #define STR vstring_str + /* + * Queue manipulation access lists. + */ +static char *var_flush_acl; +static char *var_showq_acl; + +static CONFIG_STR_TABLE str_table[] = { + VAR_FLUSH_ACL, DEF_FLUSH_ACL, &var_flush_acl, 0, 0, + VAR_SHOWQ_ACL, DEF_SHOWQ_ACL, &var_showq_acl, 0, 0, + 0, +}; + /* show_queue - show queue status */ static void show_queue(void) { + char *errstr; char buf[VSTREAM_BUFSIZE]; VSTREAM *showq; int n; + uid_t uid = getuid(); + + if (uid != 0 && uid != var_owner_uid + && (errstr = check_user_acl_byuid(var_showq_acl, uid)) != 0) + msg_fatal_status(EX_NOPERM, + "%s is not allowed to view the mail queue", errstr); /* * Connect to the show queue service. Terminate silently when piping into @@ -278,6 +304,13 @@ static void show_queue(void) static void flush_queue(void) { + char *errstr; + uid_t uid = getuid(); + + if (uid != 0 && uid != var_owner_uid + && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) + msg_fatal_status(EX_NOPERM, + "%s is not allowed to flush the mail queue", errstr); /* * Trigger the flush queue service. @@ -295,6 +328,13 @@ static void flush_queue(void) static void flush_site(const char *site) { int status; + char *errstr; + uid_t uid = getuid(); + + if (uid != 0 && uid != var_owner_uid + && (errstr = check_user_acl_byuid(var_flush_acl, uid)) != 0) + msg_fatal_status(EX_NOPERM, + "%s is not allowed to flush the mail queue", errstr); flush_init(); @@ -405,6 +445,7 @@ int main(int argc, char **argv) * Further initialization... */ mail_conf_read(); + get_mail_conf_str_table(str_table); /* * This program is designed to be set-gid, which makes it a potential diff --git a/postfix/src/sendmail/Makefile.in b/postfix/src/sendmail/Makefile.in index 0da0de758..c3ae7d2c3 100644 --- a/postfix/src/sendmail/Makefile.in +++ b/postfix/src/sendmail/Makefile.in 
@@ -92,3 +92,4 @@ sendmail.o: ../../include/deliver_request.h sendmail.o: ../../include/recipient_list.h sendmail.o: ../../include/mime_state.h sendmail.o: ../../include/header_opts.h +sendmail.o: ../../include/user_acl.h diff --git a/postfix/src/sendmail/sendmail.c b/postfix/src/sendmail/sendmail.c index 3db4f717b..737d1f07e 100644 --- a/postfix/src/sendmail/sendmail.c +++ b/postfix/src/sendmail/sendmail.c @@ -231,6 +231,17 @@ /* Optional list of remote client or server hostname or network /* address patterns that cause the verbose logging level to increase /* by the amount specified in $debug_peer_level. +/* ACCESS CONTROLS +/* .ad +/* .fi +/* Available in Postfix version 2.2 and later: +/* .IP "\fBauthorized_flush_users (static:anyone)\fR" +/* List of users who are authorized to flush the queue. +/* .IP "\fBauthorized_mailq_users (static:anyone)\fR" +/* List of users who are authorized to view the queue. +/* .IP "\fBauthorized_sendmail_users (static:anyone)\fR" +/* List of users who are authorized to use the sendmail(1) command +/* (and the privileged postdrop(1) helper command) to submit mail. /* RESOURCE AND RATE CONTROLS /* .ad /* .fi @@ -383,6 +394,7 @@ #include #include #include +#include /* Application-specific. */ @@ -408,7 +420,7 @@ /* * VERP support. */ -char *verp_delims; +static char *verp_delims; /* * Callback context for extracting recipients. @@ -423,6 +435,16 @@ typedef struct SM_STATE { VSTRING *temp; /* scratch buffer */ } SM_STATE; + /* + * Mail submission ACL + */ +static char *var_sendmail_acl; + +static CONFIG_STR_TABLE str_table[] = { + VAR_SENDMAIL_ACL, DEF_SENDMAIL_ACL, &var_sendmail_acl, 0, 0, + 0, +}; + /* * Silly little macros (SLMs). */ 
@@ -471,11 +493,11 @@ static void output_header(void *context, int header_class, state->resent = 1; } else rcpt = state->recipients; - tree = tok822_parse(vstring_str(buf) + strlen(header_info->name) + 1); + tree = tok822_parse(STR(buf) + strlen(header_info->name) + 1); addr_list = tok822_grep(tree, TOK822_ADDR); for (tpp = addr_list; *tpp; tpp++) { tok822_internalize(state->temp, tpp[0]->head, TOK822_STR_DEFL); - argv_add(rcpt, vstring_str(state->temp), (char *) 0); + argv_add(rcpt, STR(state->temp), (char *) 0); } myfree((char *) addr_list); tok822_free_tree(tree); @@ -519,6 +541,14 @@ static void enqueue(const int flags, const char *encoding, const char *sender, MIME_STATE *mime_state = 0; SM_STATE state; int mime_errs; + char *errstr; + + /* + * Access control is enforced in the postdrop command. The code here + * merely produces a more user-friendly interface. + */ + if ((errstr = check_user_acl_byuid(var_sendmail_acl, uid)) != 0) + msg_fatal_status(EX_NOPERM, "%s is not allowed to submit mail", errstr); /* * Initialize. @@ -670,7 +700,7 @@ static void enqueue(const int flags, const char *encoding, const char *sender, } if (skip_from_) { if (type == REC_TYPE_NORM) { - start = vstring_str(buf); + start = STR(buf); if (strncmp(start + strspn(start, ">"), "From ", 5) == 0) continue; } @@ -731,7 +761,6 @@ static void enqueue(const int flags, const char *encoding, const char *sender, argv_free(state.resent_recip); vstring_free(state.temp); } - if (rcpt_count == 0) msg_fatal_status(EX_USAGE, (flags & SM_FLAG_XRCPT) ? "No recipient addresses found in message header" : @@ -794,6 +823,7 @@ int main(int argc, char **argv) char *site_to_flush = 0; char *encoding = 0; char *qtime = 0; + char *errstr; /* * Be consistent with file permissions. @@ -855,6 +885,7 @@ int main(int argc, char **argv) * Further initialization... */ mail_conf_read(); + get_mail_conf_str_table(str_table); if (chdir(var_queue_dir)) msg_fatal_status(EX_UNAVAILABLE, "chdir %s: %m", var_queue_dir); 
@@ -1114,6 +1145,10 @@ int main(int argc, char **argv) if (argv[OPTIND]) msg_fatal_status(EX_USAGE, "stand-alone mode requires no recipient"); + /* The actual enforcement happens in the postdrop command. */ + if ((errstr = check_user_acl_byuid(var_sendmail_acl, getuid())) != 0) + msg_fatal_status(EX_NOPERM, "%s is not allowed to submit mail", + errstr); ext_argv = argv_alloc(2); argv_add(ext_argv, "smtpd", "-S", (char *) 0); for (n = 0; n < msg_verbose; n++)
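Review bot: the authorized_flush_users, authorized_mailq_users and authorized_sendmail_users descriptions in the postconf.proto hunk say access is denied unless the real uid "is listed in the system password file", but check_user_acl_byuid() in the user_acl.c hunk falls back to the numeric uid as the lookup key when mypwuid() fails, so an unresolvable uid still matches static:anyone or an explicit numeric entry on the list. Either make the text say that a uid without a password-file entry is matched by its number, or make the code deny such uids. Separately, the flush and mailq texts exempt the super-user and the $mail_owner user while the sendmail text does not (matching the unconditional check in the postdrop.c hunk); if that asymmetry is intended, a sentence noting that an empty authorized_sendmail_users also denies root and $mail_owner would save operators a surprise.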
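Review bot: the DESCRIPTION in the discard.c hunk says the agent "marks recipients as finished or informs the queue manager that delivery should be tried again at a later time", but deliver_message() has no defer path: every recipient with offset >= 0 goes through sent(), and the only retry is the msg_fatal() raised when mail_queue_open() fails. Drop the "tried again" clause, or reword it to say that a failure to open the queue file makes the process exit so that the queue manager retries later. Minor: the SEE ALSO list omits defer(8) and trace(8), both of which the DESCRIPTION names as report destinations.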
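Review bot: the SYNOPSIS in the user_acl.c hunk declares the first argument as `const char *acl;`, but the definition `char *check_user_acl_byuid(char *acl, uid_t uid)` and the prototype `extern char *check_user_acl_byuid(char *, uid_t);` in user_acl.h both take a plain `char *`. Make the definition and prototype const so they match the documented interface; the function only hands the string to string_list_init(). Also, in the DESCRIPTION, "must be saved if it is to be used to across calls" should read "must be saved if it is to be used across calls".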
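Review bot: in the postdrop.c main() hunk the ACL denial is `msg_fatal("%s is not allowed to submit mail", errstr)`, so the command exits with the generic fatal status, while the same denial in the sendmail.c and postqueue.c hunks uses `msg_fatal_status(EX_NOPERM, ...)`. Use EX_NOPERM here as well, since the sendmail.c comment states that postdrop is where access control is actually enforced and callers should see one consistent permission-denied exit code. The comment "Should this be in the user-land gate, or in the daemon process?" is an open design question left in committed code; either answer it or mark it XXX/TODO so it is not read as a description of current behavior.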
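Review bot: the same block, `uid_t uid = getuid();` followed by `if (uid != 0 && uid != var_owner_uid && (errstr = check_user_acl_byuid(..., uid)) != 0) msg_fatal_status(EX_NOPERM, ...)`, appears three times in the postqueue.c hunks, in show_queue(), flush_queue() and flush_site(), and the latter two use the identical ACL and message. Factor it into one small static helper that takes the ACL and the operation name ("view" or "flush"), so that a future change to the root/$mail_owner exemption rule is made in a single place.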
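Review bot: the sendmail.c hunks mix unrelated cleanups into the feature change: vstring_str() replaced by the STR macro in output_header() and enqueue(), verp_delims made static, and a blank line removed before `if (rcpt_count == 0)`. These are fine on their own but belong in a separate commit so the ACL change stays reviewable. Also, both new comments ("Access control is enforced in the postdrop command" in enqueue() and "The actual enforcement happens in the postdrop command" before the stand-alone check in main()) assume the `smtpd -S` path that main() starts right afterwards also submits through postdrop; that path is not in this diff, so please confirm it, otherwise the main() check is the only gate for stand-alone mode.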