1 /* $NetBSD: postdrop.c,v 1.4 2022/10/08 16:12:47 christos Exp $ */
2
3 /*++
4 /* NAME
5 /* postdrop 1
6 /* SUMMARY
7 /* Postfix mail posting utility
8 /* SYNOPSIS
9 /* \fBpostdrop\fR [\fB-rv\fR] [\fB-c \fIconfig_dir\fR]
10 /* DESCRIPTION
11 /* The \fBpostdrop\fR(1) command creates a file in the \fBmaildrop\fR
12 /* directory and copies its standard input to the file.
13 /*
14 /* Options:
15 /* .IP "\fB-c \fIconfig_dir\fR"
16 /* The \fBmain.cf\fR configuration file is in the named directory
17 /* instead of the default configuration directory. See also the
18 /* MAIL_CONFIG environment setting below.
19 /* .IP \fB-r\fR
20 /* Use a Postfix-internal protocol for reading the message from
21 /* standard input, and for reporting status information on standard
22 /* output. This is currently the only supported method.
23 /* .IP \fB-v\fR
24 /* Enable verbose logging for debugging purposes. Multiple \fB-v\fR
25 /* options make the software increasingly verbose. As of Postfix 2.3,
26 /* this option is available for the super-user only.
27 /* SECURITY
28 /* .ad
29 /* .fi
30 /* The command is designed to run with set-group ID privileges, so
31 /* that it can write to the \fBmaildrop\fR queue directory and so that
32 /* it can connect to Postfix daemon processes.
33 /* DIAGNOSTICS
34 /* Fatal errors: malformed input, I/O error, out of memory. Problems
35 /* are logged to \fBsyslogd\fR(8) or \fBpostlogd\fR(8) and to
36 /* the standard error stream.
37 /* When the input is incomplete, or when the process receives a HUP,
38 /* INT, QUIT or TERM signal, the queue file is deleted.
39 /* ENVIRONMENT
40 /* .ad
41 /* .fi
42 /* .IP MAIL_CONFIG
43 /* Directory with the \fBmain.cf\fR file. In order to avoid exploitation
44 /* of set-group ID privileges, a non-standard directory is allowed only
45 /* if:
46 /* .RS
47 /* .IP \(bu
48 /* The name is listed in the standard \fBmain.cf\fR file with the
49 /* \fBalternate_config_directories\fR configuration parameter.
50 /* .IP \(bu
51 /* The command is invoked by the super-user.
52 /* .RE
53 /* CONFIGURATION PARAMETERS
54 /* .ad
55 /* .fi
56 /* The following \fBmain.cf\fR parameters are especially relevant to
57 /* this program.
58 /* The text below provides only a parameter summary. See
59 /* \fBpostconf\fR(5) for more details including examples.
60 /* .IP "\fBalternate_config_directories (empty)\fR"
61 /* A list of non-default Postfix configuration directories that may
62 /* be specified with "-c config_directory" on the command line (in the
63 /* case of \fBsendmail\fR(1), with the "-C" option), or via the MAIL_CONFIG
64 /* environment parameter.
65 /* .IP "\fBconfig_directory (see 'postconf -d' output)\fR"
66 /* The default location of the Postfix main.cf and master.cf
67 /* configuration files.
68 /* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
69 /* The list of environment parameters that a privileged Postfix
70 /* process will import from a non-Postfix parent process, or name=value
71 /* environment overrides.
72 /* .IP "\fBqueue_directory (see 'postconf -d' output)\fR"
73 /* The location of the Postfix top-level queue directory.
74 /* .IP "\fBsyslog_facility (mail)\fR"
75 /* The syslog facility of Postfix logging.
76 /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
77 /* A prefix that is prepended to the process name in syslog
78 /* records, so that, for example, "smtpd" becomes "prefix/smtpd".
79 /* .IP "\fBtrigger_timeout (10s)\fR"
80 /* The time limit for sending a trigger to a Postfix daemon (for
81 /* example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon).
82 /* .PP
83 /* Available in Postfix version 2.2 and later:
84 /* .IP "\fBauthorized_submit_users (static:anyone)\fR"
85 /* List of users who are authorized to submit mail with the \fBsendmail\fR(1)
86 /* command (and with the privileged \fBpostdrop\fR(1) helper command).
87 /* .PP
88 /* Available in Postfix version 3.6 and later:
89 /* .IP "\fBlocal_login_sender_maps (static:*)\fR"
90 /* A list of lookup tables that are searched by the UNIX login name,
91 /* and that return a list of allowed envelope sender patterns separated
92 /* by space or comma.
93 /* .IP "\fBempty_address_local_login_sender_maps_lookup_key (<>)\fR"
94 /* The lookup key to be used in local_login_sender_maps tables, instead
95 /* of the null sender address.
96 /* .IP "\fBrecipient_delimiter (empty)\fR"
97 /* The set of characters that can separate an email address
98 /* localpart, user name, or a .forward file name from its extension.
99 /* FILES
100 /* /var/spool/postfix/maildrop, maildrop queue
101 /* SEE ALSO
102 /* sendmail(1), compatibility interface
103 /* postconf(5), configuration parameters
104 /* postlogd(8), Postfix logging
105 /* syslogd(8), system logging
106 /* LICENSE
107 /* .ad
108 /* .fi
109 /* The Secure Mailer license must be distributed with this software.
110 /* AUTHOR(S)
111 /* Wietse Venema
112 /* IBM T.J. Watson Research
113 /* P.O. Box 704
114 /* Yorktown Heights, NY 10598, USA
115 /*
116 /* Wietse Venema
117 /* Google, Inc.
118 /* 111 8th Avenue
119 /* New York, NY 10011, USA
120 /*--*/
121
122 /* System library. */
123
124 #include <sys_defs.h>
125 #include <sys/stat.h>
126 #include <unistd.h>
127 #include <stdlib.h>
128 #include <stdio.h> /* remove() */
129 #include <string.h>
130 #include <stdlib.h>
131 #include <signal.h>
132 #include <errno.h>
133 #include <warn_stat.h>
134
135 /* Utility library. */
136
137 #include <msg.h>
138 #include <mymalloc.h>
139 #include <vstream.h>
140 #include <vstring.h>
141 #include <msg_vstream.h>
142 #include <argv.h>
143 #include <iostuff.h>
144 #include <stringops.h>
145 #include <mypwd.h>
146
147 /* Global library. */
148
149 #include <mail_proto.h>
150 #include <mail_queue.h>
151 #include <mail_params.h>
152 #include <mail_version.h>
153 #include <mail_conf.h>
154 #include <mail_task.h>
155 #include <clean_env.h>
156 #include <mail_stream.h>
157 #include <cleanup_user.h>
158 #include <record.h>
159 #include <rec_type.h>
160 #include <mail_dict.h>
161 #include <user_acl.h>
162 #include <rec_attr_map.h>
163 #include <mail_parm_split.h>
164 #include <maillog_client.h>
165 #include <login_sender_match.h>
166
167 /* Application-specific. */
168
169 /*
170 * WARNING WARNING WARNING
171 *
172 * This software is designed to run set-gid. In order to avoid exploitation of
173 * privilege, this software should not run any external commands, nor should
174 * it take any information from the user unless that information can be
175 * properly sanitized. To get an idea of how much information a process can
176 * inherit from a potentially hostile user, examine all the members of the
177 * process structure (typically, in /usr/include/sys/proc.h): the current
178 * directory, open files, timers, signals, environment, command line, umask,
179 * and so on.
180 */
181
182 /*
183 * Local mail submission access list.
184 */
185 char *var_submit_acl;
186 char *var_local_login_snd_maps;
187 char *var_null_local_login_snd_maps_key;
188
189 static const CONFIG_STR_TABLE str_table[] = {
190 VAR_SUBMIT_ACL, DEF_SUBMIT_ACL, &var_submit_acl, 0, 0,
191 VAR_LOCAL_LOGIN_SND_MAPS, DEF_LOCAL_LOGIN_SND_MAPS, &var_local_login_snd_maps, 0, 0,
192 VAR_NULL_LOCAL_LOGIN_SND_MAPS_KEY, DEF_NULL_LOCAL_LOGIN_SND_MAPS_KEY, &var_null_local_login_snd_maps_key, 0, 0,
193 0,
194 };
195
196 /*
197 * Queue file name. Global, so that the cleanup routine can find it when
198 * called by the run-time error handler.
199 */
200 static char *postdrop_path;
201
202 /* postdrop_sig - catch signal and clean up */
203
postdrop_sig(int sig)204 static void postdrop_sig(int sig)
205 {
206
207 /*
208 * This is the fatal error handler. Don't try to do anything fancy.
209 *
210 * To avoid privilege escalation in a set-gid program, Postfix logging
211 * functions must not be called from a user-triggered signal handler,
212 * because Postfix logging functions may allocate memory on the fly (as
213 * does the syslog() library function), and the memory allocator is not
214 * reentrant.
215 *
216 * Assume atomic signal() updates, even when emulated with sigaction(). We
217 * use the in-kernel SIGINT handler address as an atomic variable to
218 * prevent nested postdrop_sig() calls. For this reason, main() must
219 * configure postdrop_sig() as SIGINT handler before other signal
220 * handlers are allowed to invoke postdrop_sig().
221 */
222 if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
223 (void) signal(SIGQUIT, SIG_IGN);
224 (void) signal(SIGTERM, SIG_IGN);
225 (void) signal(SIGHUP, SIG_IGN);
226 if (postdrop_path) {
227 (void) remove(postdrop_path);
228 postdrop_path = 0;
229 }
230 /* Future proofing. If you need exit() here then you broke Postfix. */
231 if (sig)
232 _exit(sig);
233 }
234 }
235
236 /* postdrop_cleanup - callback for the runtime error handler */
237
postdrop_cleanup(void)238 static void postdrop_cleanup(void)
239 {
240 postdrop_sig(0);
241 }
242
243 /* check_login_sender_acl - check if a user is authorized to use this sender */
244
check_login_sender_acl(uid_t uid,VSTRING * sender_buf,VSTRING * reason)245 static int check_login_sender_acl(uid_t uid, VSTRING *sender_buf,
246 VSTRING *reason)
247 {
248 const char myname[] = "check_login_sender_acl";
249 struct mypasswd *user_info;
250 char *user_name;
251 VSTRING *user_name_buf = 0;
252 LOGIN_SENDER_MATCH *lsm;
253 int res;
254
255 /*
256 * Sanity checks.
257 */
258 if (vstring_memchr(sender_buf, '\0') != 0) {
259 vstring_sprintf(reason, "NUL in FROM record");
260 return (CLEANUP_STAT_BAD);
261 }
262
263 /*
264 * Optimization.
265 */
266 #ifndef SNAPSHOT
267 if (strcmp(var_local_login_snd_maps, DEF_LOCAL_LOGIN_SND_MAPS) == 0)
268 return (CLEANUP_STAT_OK);
269 #endif
270
271 /*
272 * Get the username.
273 */
274 if ((user_info = mypwuid(uid)) != 0) {
275 user_name = user_info->pw_name;
276 } else {
277 user_name_buf = vstring_alloc(10);
278 vstring_sprintf(user_name_buf, "uid:%ld", (long) uid);
279 user_name = vstring_str(user_name_buf);
280 }
281
282
283 /*
284 * Apply the a login-sender matcher. TODO: add DICT flags.
285 */
286 lsm = login_sender_create(VAR_LOCAL_LOGIN_SND_MAPS,
287 var_local_login_snd_maps,
288 var_rcpt_delim,
289 var_null_local_login_snd_maps_key, "*");
290 res = login_sender_match(lsm, user_name, vstring_str(sender_buf));
291 login_sender_free(lsm);
292 if (user_name_buf)
293 vstring_free(user_name_buf);
294 switch (res) {
295 case LSM_STAT_FOUND:
296 return (CLEANUP_STAT_OK);
297 case LSM_STAT_NOTFOUND:
298 vstring_sprintf(reason, "not authorized to use sender='%s'",
299 vstring_str(sender_buf));
300 return (CLEANUP_STAT_NOPERM);
301 case LSM_STAT_RETRY:
302 case LSM_STAT_CONFIG:
303 vstring_sprintf(reason, "%s table lookup error for '%s'",
304 VAR_LOCAL_LOGIN_SND_MAPS, var_local_login_snd_maps);
305 return (CLEANUP_STAT_WRITE);
306 default:
307 msg_panic("%s: bad login_sender_match() result: %d", myname, res);
308 }
309 }
310
311 MAIL_VERSION_STAMP_DECLARE;
312
313 /* main - the main program */
314
main(int argc,char ** argv)315 int main(int argc, char **argv)
316 {
317 struct stat st;
318 int fd;
319 int c;
320 VSTRING *buf;
321 int status = CLEANUP_STAT_OK;
322 VSTRING *reason = vstring_alloc(100);
323 MAIL_STREAM *dst;
324 int rec_type;
325 static char *segment_info[] = {
326 REC_TYPE_POST_ENVELOPE, REC_TYPE_POST_CONTENT, REC_TYPE_POST_EXTRACT, ""
327 };
328 char **expected;
329 uid_t uid = getuid();
330 ARGV *import_env;
331 const char *error_text;
332 char *attr_name;
333 char *attr_value;
334 const char *errstr;
335 char *junk;
336 struct timeval start;
337 int saved_errno;
338 int from_count = 0;
339 int rcpt_count = 0;
340 int validate_input = 1;
341
342 /*
343 * Fingerprint executables and core dumps.
344 */
345 MAIL_VERSION_STAMP_ALLOCATE;
346
347 /*
348 * Be consistent with file permissions.
349 */
350 umask(022);
351
352 /*
353 * To minimize confusion, make sure that the standard file descriptors
354 * are open before opening anything else. XXX Work around for 44BSD where
355 * fstat can return EBADF on an open file descriptor.
356 */
357 for (fd = 0; fd < 3; fd++)
358 if (fstat(fd, &st) == -1
359 && (close(fd), open("/dev/null", O_RDWR, 0)) != fd)
360 msg_fatal("open /dev/null: %m");
361
362 /*
363 * Set up logging. Censor the process name: it is provided by the user.
364 */
365 argv[0] = "postdrop";
366 msg_vstream_init(argv[0], VSTREAM_ERR);
367 maillog_client_init(mail_task("postdrop"), MAILLOG_CLIENT_FLAG_NONE);
368 set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
369
370 /*
371 * Check the Postfix library version as soon as we enable logging.
372 */
373 MAIL_VERSION_CHECK;
374
375 /*
376 * Parse JCL. This program is set-gid and must sanitize all command-line
377 * arguments. The configuration directory argument is validated by the
378 * mail configuration read routine. Don't do complex things until we have
379 * completed initializations.
380 */
381 while ((c = GETOPT(argc, argv, "c:rv")) > 0) {
382 switch (c) {
383 case 'c':
384 if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
385 msg_fatal("out of memory");
386 break;
387 case 'r': /* forward compatibility */
388 break;
389 case 'v':
390 if (geteuid() == 0)
391 msg_verbose++;
392 break;
393 default:
394 msg_fatal("usage: %s [-c config_dir] [-v]", argv[0]);
395 }
396 }
397
398 /*
399 * Read the global configuration file and extract configuration
400 * information.
401 */
402 mail_conf_read();
403 /* Re-evaluate mail_task() after reading main.cf. */
404 maillog_client_init(mail_task("postdrop"), MAILLOG_CLIENT_FLAG_NONE);
405 get_mail_conf_str_table(str_table);
406
407 /*
408 * Stop run-away process accidents by limiting the queue file size. This
409 * is not a defense against DOS attack.
410 */
411 if (ENFORCING_SIZE_LIMIT(var_message_limit)
412 && get_file_limit() > var_message_limit)
413 set_file_limit((off_t) var_message_limit);
414
415 /*
416 * This program is installed with setgid privileges. Strip the process
417 * environment so that we don't have to trust the C library.
418 */
419 import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
420 clean_env(import_env->argv);
421 argv_free(import_env);
422
423 if (chdir(var_queue_dir))
424 msg_fatal("chdir %s: %m", var_queue_dir);
425 if (msg_verbose)
426 msg_info("chdir %s", var_queue_dir);
427
428 /*
429 * Set up signal handlers and a runtime error handler so that we can
430 * clean up incomplete output.
431 *
432 * postdrop_sig() uses the in-kernel SIGINT handler address as an atomic
433 * variable to prevent nested postdrop_sig() calls. For this reason, the
434 * SIGINT handler must be configured before other signal handlers are
435 * allowed to invoke postdrop_sig().
436 */
437 signal(SIGPIPE, SIG_IGN);
438 signal(SIGXFSZ, SIG_IGN);
439
440 signal(SIGINT, postdrop_sig);
441 signal(SIGQUIT, postdrop_sig);
442 if (signal(SIGTERM, SIG_IGN) == SIG_DFL)
443 signal(SIGTERM, postdrop_sig);
444 if (signal(SIGHUP, SIG_IGN) == SIG_DFL)
445 signal(SIGHUP, postdrop_sig);
446 msg_cleanup(postdrop_cleanup);
447
448 /* End of initializations. */
449
450 /*
451 * Mail submission access control. Should this be in the user-land gate,
452 * or in the daemon process?
453 */
454 mail_dict_init();
455 if ((errstr = check_user_acl_byuid(VAR_SUBMIT_ACL, var_submit_acl,
456 uid)) != 0)
457 msg_fatal("User %s(%ld) is not allowed to submit mail",
458 errstr, (long) uid);
459
460 /*
461 * Don't trust the caller's time information.
462 */
463 GETTIMEOFDAY(&start);
464
465 /*
466 * Create queue file. mail_stream_file() never fails. Send the queue ID
467 * to the caller. Stash away a copy of the queue file name so we can
468 * clean up in case of a fatal error or an interrupt.
469 */
470 dst = mail_stream_file(MAIL_QUEUE_MAILDROP, MAIL_CLASS_PUBLIC,
471 var_pickup_service, 0444);
472 attr_print(VSTREAM_OUT, ATTR_FLAG_NONE,
473 SEND_ATTR_STR(MAIL_ATTR_PROTO, MAIL_ATTR_PROTO_POSTDROP),
474 SEND_ATTR_STR(MAIL_ATTR_QUEUEID, dst->id),
475 ATTR_TYPE_END);
476 vstream_fflush(VSTREAM_OUT);
477 postdrop_path = mystrdup(VSTREAM_PATH(dst->stream));
478
479 /*
480 * Copy stdin to file. The format is checked so that we can recognize
481 * incomplete input and cancel the operation. With the sanity checks
482 * applied here, the pickup daemon could skip format checks and pass a
483 * file descriptor to the cleanup daemon. These are by no means all
484 * sanity checks - the cleanup service and queue manager services will
485 * reject messages that lack required information.
486 *
487 * If something goes wrong, slurp up the input before responding to the
488 * client, otherwise the client will give up after detecting SIGPIPE.
489 *
490 * Allow attribute records if the attribute specifies the MIME body type
491 * (sendmail -B).
492 */
493 vstream_control(VSTREAM_IN, CA_VSTREAM_CTL_PATH("stdin"), CA_VSTREAM_CTL_END);
494 buf = vstring_alloc(100);
495 expected = segment_info;
496 /* Override time information from the untrusted caller. */
497 rec_fprintf(dst->stream, REC_TYPE_TIME, REC_TYPE_TIME_FORMAT,
498 REC_TYPE_TIME_ARG(start));
499 for (;;) {
500 /* Don't allow PTR records. */
501 rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit, REC_FLAG_NONE);
502 if (rec_type == REC_TYPE_EOF) { /* request canceled */
503 mail_stream_cleanup(dst);
504 if (remove(postdrop_path))
505 msg_warn("uid=%ld: remove %s: %m", (long) uid, postdrop_path);
506 else if (msg_verbose)
507 msg_info("remove %s", postdrop_path);
508 myfree(postdrop_path);
509 postdrop_path = 0;
510 exit(0);
511 }
512 if (rec_type == REC_TYPE_ERROR)
513 msg_fatal("uid=%ld: malformed input", (long) uid);
514 if (strchr(*expected, rec_type) == 0)
515 msg_fatal("uid=%ld: unexpected record type: %d", (long) uid, rec_type);
516 if (rec_type == **expected)
517 expected++;
518 /* Override time information from the untrusted caller. */
519 if (rec_type == REC_TYPE_TIME)
520 continue;
521 /* Check these at submission time instead of pickup time. */
522 if (rec_type == REC_TYPE_FROM) {
523 status |= check_login_sender_acl(uid, buf, reason);
524 from_count++;
525 }
526 if (rec_type == REC_TYPE_RCPT)
527 rcpt_count++;
528 /* Limit the attribute types that users may specify. */
529 if (rec_type == REC_TYPE_ATTR) {
530 if ((error_text = split_nameval(vstring_str(buf), &attr_name,
531 &attr_value)) != 0) {
532 msg_warn("uid=%ld: ignoring malformed record: %s: %.200s",
533 (long) uid, error_text, vstring_str(buf));
534 continue;
535 }
536 #define STREQ(x,y) (strcmp(x,y) == 0)
537
538 if ((STREQ(attr_name, MAIL_ATTR_ENCODING)
539 && (STREQ(attr_value, MAIL_ATTR_ENC_7BIT)
540 || STREQ(attr_value, MAIL_ATTR_ENC_8BIT)
541 || STREQ(attr_value, MAIL_ATTR_ENC_NONE)))
542 || STREQ(attr_name, MAIL_ATTR_DSN_ENVID)
543 || STREQ(attr_name, MAIL_ATTR_DSN_NOTIFY)
544 || rec_attr_map(attr_name)
545 || (STREQ(attr_name, MAIL_ATTR_RWR_CONTEXT)
546 && (STREQ(attr_value, MAIL_ATTR_RWR_LOCAL)
547 || STREQ(attr_value, MAIL_ATTR_RWR_REMOTE)))
548 || STREQ(attr_name, MAIL_ATTR_TRACE_FLAGS)) { /* XXX */
549 rec_fprintf(dst->stream, REC_TYPE_ATTR, "%s=%s",
550 attr_name, attr_value);
551 } else {
552 msg_warn("uid=%ld: ignoring attribute record: %.200s=%.200s",
553 (long) uid, attr_name, attr_value);
554 }
555 continue;
556 }
557 if (status != CLEANUP_STAT_OK
558 || REC_PUT_BUF(dst->stream, rec_type, buf) < 0) {
559 /* rec_get() errors must not clobber errno. */
560 saved_errno = errno;
561 while ((rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit,
562 REC_FLAG_NONE)) != REC_TYPE_END
563 && rec_type != REC_TYPE_EOF)
564 if (rec_type == REC_TYPE_ERROR)
565 msg_fatal("uid=%ld: malformed input", (long) uid);
566 validate_input = 0;
567 errno = saved_errno;
568 break;
569 }
570 if (rec_type == REC_TYPE_END)
571 break;
572 }
573 vstring_free(buf);
574
575 /*
576 * As of Postfix 2.7 the pickup daemon discards mail without recipients.
577 * Such mail may enter the maildrop queue when "postsuper -r" is invoked
578 * before the queue manager deletes an already delivered message. Looking
579 * at file ownership is not a good way to make decisions on what mail to
580 * discard. Instead, the pickup server now requires that new submissions
581 * always have at least one recipient record.
582 *
583 * The Postfix sendmail command already rejects mail without recipients.
584 * However, in the future postdrop may receive mail via other programs,
585 * so we add a redundant recipient check here for future proofing.
586 *
587 * The test for the sender address is just for consistency of error
588 * reporting (report at submission time instead of pickup time). Besides
589 * the segment terminator records, there aren't any other mandatory
590 * records in a Postfix submission queue file.
591 *
592 * TODO: return an informative reason for missing sender, too many senders,
593 * or missing recipient.
594 */
595 if (validate_input && (from_count == 0 || rcpt_count == 0))
596 status |= CLEANUP_STAT_BAD;
597 if (status != CLEANUP_STAT_OK) {
598 mail_stream_cleanup(dst);
599 }
600
601 /*
602 * Finish the file.
603 */
604 else if ((status = mail_stream_finish(dst, reason)) != 0) {
605 msg_warn("uid=%ld: %m", (long) uid);
606 postdrop_cleanup();
607 }
608
609 /*
610 * Disable deletion on fatal error before reporting success, so the file
611 * will not be deleted after we have taken responsibility for delivery.
612 */
613 if (postdrop_path) {
614 junk = postdrop_path;
615 postdrop_path = 0;
616 myfree(junk);
617 }
618
619 /*
620 * Send the completion status to the caller and terminate.
621 */
622 attr_print(VSTREAM_OUT, ATTR_FLAG_NONE,
623 SEND_ATTR_INT(MAIL_ATTR_STATUS, status),
624 SEND_ATTR_STR(MAIL_ATTR_WHY, status != CLEANUP_STAT_OK
625 && VSTRING_LEN(reason) > 0 ?
626 vstring_str(reason) : ""),
627 ATTR_TYPE_END);
628 vstream_fflush(VSTREAM_OUT);
629 exit(status);
630 }
631