/*
 * Copyright (c) 2006-2017 Hypertriton, Inc. <http://hypertriton.com/>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
 * USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include <config/compat_qmail.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/wait.h>
#include <sys/time.h>

#include <string.h>
#include <errno.h>
#include <syslog.h>
#include <ctype.h>
#include <unistd.h>
#include <fcntl.h>
#include <pwd.h>
#include <grp.h>
#include <time.h>

#include "mailprocd.h"
#include "pathnames.h"

#define ENVELOPE_BUF_MAX (164+(ADDRESS_MAX*3))

static char   myname[MAXHOSTNAMELEN];		/* Hostname */
static char   envelope[ENVELOPE_BUF_MAX];	/* Envelope prepend buffer */
static size_t envelopeLen = 0;

TBL *Tmailbox, *Tuid, *Tgid, *Trules, *Tlists;	/* Tables */
static char *pathMailbox, *pathUID, *pathGID, *pathRules, *pathLists;
static char *suspShell, *sendmailPath, *relayAddr, *relayPort;
static char *ruleHeader, *loopHeader;
static int emulQmail, suspBounce;

int
LOCAL_Init(CFG_File *cf)
{
	FILE *f;
	char *ln;
	size_t len;
	char *key, *val, *c;
	int using_flock = 0;

	if (gethostname(myname, sizeof(myname)) == -1)
		Strlcpy(myname, "unknown", sizeof(myname));

	CFG_GetInt(cf, "local.emul-qmail", &emulQmail, 1);
	CFG_GetStr(cf, "local.susp-shell", &suspShell, _PATH_SUSPENDED_SH);
	CFG_GetInt(cf, "local.susp-bounce", &suspBounce, 1);
	CFG_GetStr(cf, "local.sendmail-path", &sendmailPath, _PATH_SENDMAIL);
	CFG_GetStr(cf, "local.relay-addr", &relayAddr, "127.0.0.1");
	CFG_GetStr(cf, "local.relay-port", &relayPort, "425");
	CFG_GetStr(cf, "local.rule-header", &ruleHeader, "X-Csoft-Rule: ");
	CFG_GetStr(cf, "local.loop-header", &loopHeader, "X-Csoft-Pipe: ");
	
	CFG_GetStr(cf, "mailbox-db", &pathMailbox, _PATH_DB_MAILBOX);
	CFG_GetStr(cf, "uid-db", &pathUID, _PATH_DB_UID);
	CFG_GetStr(cf, "gid-db", &pathGID, _PATH_DB_GID);
	CFG_GetStr(cf, "rules-db", &pathRules, _PATH_DB_RULES);
	CFG_GetStr(cf, "lists-db", &pathLists, _PATH_DB_LISTS);

	/*
	 * Make damn sure that Postfix is using flock() locking for
	 * delivering to mailboxes.
	 */
	if ((f = fopen(_PATH_POSTFIX_MAIN_CF, "r")) != NULL) {
		while ((ln = Fgetln(f, &len)) != NULL) {
			if (ln[0] == '#' || ln[0] == '\n' ||
			    ln[len-1] != '\n') {
				continue;
			}
			ln[len-1] = '\0';
			if ((key = strsep(&ln, "=")) == NULL ||
			    (val = strsep(&ln, "=")) == NULL) {
				continue;
			}
			for (; isspace(*key); key++)
				;;
			for (; isspace(*val); val++)
				;;
			for (c = &key[0]; *c != '\0' && !isspace(*c); c++)
				;;
			*c = '\0';
			for (c = &val[0]; *c != '\0' && !isspace(*c); c++)
				;;
			*c = '\0';
	
			if (strcmp(key, "virtual_mailbox_lock") == 0) {
				if (strcmp(val, "flock") == 0)
					using_flock = 1;
			}
		}
		if (!using_flock) {
			MPD_SetError("Please set $virtual_mailbox_lock = "
			             "flock in %s", _PATH_POSTFIX_MAIN_CF);
			return (-1);
		}
		fclose(f);
	}
	return LOCAL_OpenDatabases();
}

void
LOCAL_Destroy(void)
{
	LOCAL_CloseDatabases();
}

int
LOCAL_OpenDatabases(void)
{
	if ((Tmailbox = TBL_Load(pathMailbox)) == NULL||
	    (Tuid = TBL_Load(pathUID)) == NULL ||
	    (Tgid = TBL_Load(pathGID)) == NULL ||
	    (Trules = TBL_Load(pathRules)) == NULL ||
	    (Tlists = TBL_Load(pathLists)) == NULL) {
		return (-1);
	}
	return (0);
}

void
LOCAL_CloseDatabases(void)
{
	TBL_Destroy(Tmailbox);
	TBL_Destroy(Tuid);
	TBL_Destroy(Tgid);
	TBL_Destroy(Trules);
	TBL_Destroy(Tlists);
}

static int
LOCAL_DatabaseUpdate(TBL **pTbl, const char *path)
{
	TBL *nTbl;
#if 0
	struct stat sb;

	if (fstat((*pTbl)->fd, &sb) == -1) {
		syslog(LOG_ERR, "fstat(%s): %s", path, strerror(errno));
		return (-1);
	}
#endif
	fprintf(mpdLog, "Reloading database: %s\n", path);
	if ((nTbl = TBL_Load(path)) == NULL) {
		fprintf(mpdLog, "%s: Reload failed: %s\n", path, MPD_GetError());
		syslog(LOG_ERR, "%s: Reload failed: %s", path, MPD_GetError());
		return (-1);
	}
	TBL_Destroy(*pTbl);
	*pTbl = nTbl;
	return (0);
}

void
LOCAL_ReloadDatabases(void)
{
	LOCAL_DatabaseUpdate(&Tmailbox, pathMailbox);
	LOCAL_DatabaseUpdate(&Tuid, pathUID);
	LOCAL_DatabaseUpdate(&Tgid, pathGID);
	LOCAL_DatabaseUpdate(&Trules, pathRules);
	LOCAL_DatabaseUpdate(&Tlists, pathLists);
}

static __inline__ int
LOCAL_DropEffectivePrivs(uid_t uid, gid_t gid)
{
	sigset_t allsigs;
	
	sigfillset(&allsigs);
	sigprocmask(SIG_BLOCK, &allsigs, NULL);

	if (setegid(gid) < 0) {
		MPD_SetErrorS("setegid failed!");
		goto fail;
	}
	if (seteuid(uid) < 0) {
		MPD_SetErrorS("seteuid failed!");
		setegid(getgid());
		goto fail;
	}

	sigprocmask(SIG_UNBLOCK, &allsigs, NULL);
	return (0);
fail:
	sigprocmask(SIG_UNBLOCK, &allsigs, NULL);
	return (-1);
}
	
static __inline__ void
LOCAL_RegainEffectivePrivs(void)
{
	sigset_t allsigs;
	
	sigfillset(&allsigs);
	sigprocmask(SIG_BLOCK, &allsigs, NULL);

	if (seteuid(0) < 0) {
		sigprocmask(SIG_UNBLOCK, &allsigs, NULL);
		syslog(LOG_CRIT, "could not regain euid");
		abort();
	}
	if (setegid(0) < 0) {
		sigprocmask(SIG_UNBLOCK, &allsigs, NULL);
		syslog(LOG_CRIT, "could not regain egid");
		abort();
	}

	sigprocmask(SIG_UNBLOCK, &allsigs, NULL);
}

/* Check if a given user is suspended. */
int
LOCAL_SuspendedUser(struct passwd *pwd)
{
	if (strcmp(pwd->pw_shell, suspShell) == 0) {
		MPD_SetErrorS("Account is temporarily suspended");
		return (1);
	}
	return (0);
}

/* Look up the named symbolic ruleset. */
MPD_Ruleset *
LOCAL_GetRulesetByName(char *name)
{
	char *data;

	if ((data = TBL_Lookup(Trules, name)) == NULL) {
		MPD_SetError("No such ruleset: %s", name);
		return (NULL);
	}
	return (MPD_RulesetParse(name, data));
}

/*
 * Return the ruleset matching the given recipient address (or -1).
 * Search Order: <user@domain>, <domain.tld>.
 */
MPD_Ruleset *
LOCAL_GetRulesetByRcpt(char *rcpt)
{
	char *data, *dom;

	if ((data = TBL_Lookup(Trules, rcpt)) == NULL) {
		for (dom = &rcpt[0];
		    *dom != '@' && *dom != '\0';
		     dom++)
			;;
		if (dom[0] == '@' && dom[1] != '\0') {
			if ((data = TBL_Lookup(Trules, &dom[0])) == NULL)
				return (NULL);
		} else {
			return (NULL);
		}
	}
	return (MPD_RulesetParse(rcpt, data));
}

/*
 * Lookup the default UID and GID of the given recipient.
 * Search Order: <user@domain>, <domain.tld>.
 */
int
LOCAL_GetDefaultRecipientUID(char *rcpt, uid_t *uid, gid_t *gid)
{
	char *key, *uid_data, *gid_data;
	char *dom, *ep;

	key = rcpt;
	if ((uid_data = TBL_Lookup(Tuid, key)) == NULL ||
	    (gid_data = TBL_Lookup(Tgid, key)) == NULL) {
		for (dom = &rcpt[0];
		    *dom != '@' && *dom != '\0';
		     dom++)
			;;
		if (dom[0] == '@' && dom[1] != '\0') {
			key = dom;
			if ((uid_data = TBL_Lookup(Tuid, key)) == NULL ||
			    (gid_data = TBL_Lookup(Tgid, key)) == NULL) {
				MPD_SetError("No uid/gid for %s", key);
				return (-1);
			}
		} else {
			MPD_SetError("No uid/gid for %s", key);
			return (-1);
		}
	}
	*uid = (uid_t)strtoul(uid_data, &ep, 10);
	if (*uid < QMGR_UIDMIN || *ep != '\0') {
		syslog(LOG_ERR, "Bad uid entry (%s)", key);
		MPD_SetErrorS("Bad uid");
		return (-1);
	}
	*gid = (gid_t)strtoul(gid_data, &ep, 10);
	if (*gid < QMGR_GIDMIN || *ep != '\0') {
		syslog(LOG_ERR, "Bad gid entry (%s)", key);
		MPD_SetErrorS("Bad gid");
		return (-1);
	}
	return (0);
}

/*
 * Prepend the "Return-Path" and "X-Original-To" headers, along with optional
 * "From", "X-Csoft-Rule" and "X-Csoft-Pipe" headers.
 */
#define ENVELOPE_FROM	0x01		/* From <mail_from> <time> */
#define ENVELOPE_RULE	0x02		/* X-Csoft-Rule (condition) */
#define ENVELOPE_PIPED	0x04		/* X-Csoft-Pipe (loop detection) */

static void
LOCAL_AddHeaders(MPD_Message *msg, MPD_Recipient *rcpt, const char *rule,
    Uint flags)
{
	char *buf = envelope;
	size_t len = sizeof(envelope);

	if (flags & ENVELOPE_FROM) {
		time_t now;
	
		time(&now);
		Strlcpy(buf, "From ", len);
		Strlcat(buf, msg->mail_from, len);
		Strlcat(buf, " ", len);
		Strlcat(buf, asctime(localtime(&now)), len);
	} else {
		buf[0] = '\0';
	}

	Strlcat(buf, "Return-Path: <", len);
	Strlcat(buf, msg->mail_from, len);
	Strlcat(buf, ">\nX-Original-To: ", len);
	Strlcat(buf, rcpt->addr, len);

	if (flags & ENVELOPE_RULE) {
		Strlcat(buf, "\n", len);
		Strlcat(buf, ruleHeader, len);
		Strlcat(buf, rule, len);
	}
	if (flags & ENVELOPE_PIPED) {
		Strlcat(buf, "\n", len);
		Strlcat(buf, loopHeader, len);
		Strlcat(buf, rcpt->addr, len);
	}
	Strlcat(buf, "\n", len);

	envelopeLen = strlen(envelope);
}

/*
 * Deliver a message to a local mailbox file.
 * Context: QMGR Worker -> MPD_MessageProcess().
 */
int
LOCAL_DeliverToMailbox(MPD_Message *msg, MPD_Recipient *rcpt, const char *path,
    const char *filter, uid_t uid, gid_t gid)
{
	off_t lenOriginal;
	struct iovec vec[3];
	int fd;
	
	Debug("Delivering to mailbox %s (as %d:%d)", path,
	    (int)uid, (int)gid);

	if (LOCAL_DropEffectivePrivs(uid, gid) == -1) {
		return (-1);
	}
try_open:
	if ((fd = open(path, O_WRONLY|O_APPEND|O_CREAT|O_EXLOCK, 0600)) == -1) {
		switch (errno) {
		case EINTR:
			if (QMGR_CheckSignals()) {
				goto fail_temp;
			}
			goto try_open;
		case EROFS:
		case EMFILE:
		case ENFILE:
		case ENOSPC:
		case EIO:
			MPD_SetError("%s: %s", path, strerror(errno));
			goto fail_temp;
		default:
			MPD_SetError("%s: %s", path, strerror(errno));
			goto fail_perm;
		}
	}
	if ((lenOriginal = lseek(fd, 0, SEEK_END)) == -1) {
		MPD_SetError("lseek: %s", path, strerror(errno));
		close(fd);
		goto fail_temp;
	}

	LOCAL_AddHeaders(msg, rcpt, filter, ENVELOPE_FROM | ENVELOPE_RULE);
	vec[0].iov_base = envelope;
	vec[0].iov_len =  envelopeLen;
	vec[1].iov_base = msg->text;
	vec[1].iov_len =  msg->text_len;
	vec[2].iov_base = "\n\n";
	vec[2].iov_len = 2;
	if (QMGR_Writev(fd, vec, 3) == -1) {
		syslog(LOG_ERR, "%s: Write error (%s); truncating", path, strerror(errno));
		if (ftruncate(fd, lenOriginal) == -1) {
			syslog(LOG_CRIT, "%s: ftruncate: %s", path, strerror(errno));
		}
		fsync(fd);
		close(fd);
		goto fail_temp;
	}
	fsync(fd);
	close(fd);
	LOCAL_RegainEffectivePrivs();
	return (0);
fail_temp:
	LOCAL_RegainEffectivePrivs();
	return (1);
fail_perm:
	LOCAL_RegainEffectivePrivs();
	return (-1);
}

static int
BuildMaildir(const char *maildir)
{
	char dir[MAILBOX_PATH_MAX];
	const char *subdirs[] = { "/cur", "/new", "/tmp" };
	int i;

	if (mkdir(maildir, 0700) == -1) {
		MPD_SetError("mk %s: %s", maildir, strerror(errno));
		return (-1);
	}
	for (i = 0; i < 3; i++) {
		Strlcpy(dir, maildir, sizeof(dir));
		Strlcat(dir, subdirs[i], sizeof(dir));
		if (mkdir(dir, 0700) == -1) {
			MPD_SetError("mk %s: %s", dir, strerror(errno));
			return (-1);
		}
	}
	return (0);
}

/*
 * Deliver a message to a local maildir.
 * Context: QMGR Worker -> MPD_MessageProcess().
 */
int
LOCAL_DeliverToMaildir(MPD_Message *msg, MPD_Recipient *rcpt, const char *maildir,
    const char *filter, uid_t uid, gid_t gid)
{
	char dir[MAILBOX_PATH_MAX];
	char tmp_file[MAILBOX_PATH_MAX];
	char new_file[MAILBOX_PATH_MAX];
	struct timeval tStart;
	struct iovec vec[2];
	struct stat sb;
	int fd, creatDir=0;
	
	Debug("Delivering to maildir %s (as %d:%d)", maildir, uid, gid);
	
	if (LOCAL_DropEffectivePrivs(uid, gid) == -1)
		return (-1);

	if (stat(maildir, &sb) == -1 &&
	    BuildMaildir(maildir) == -1)
		goto fail_perm;

	/* Make sure ./cur exists. */
	Strlcpy(dir, maildir, sizeof(dir));
	Strlcat(dir, "/cur", sizeof(dir));
	if (stat(dir, &sb) == -1 &&
	    mkdir(dir, 0700) == -1) {
		MPD_SetError("mk %s: %s", dir, strerror(errno));
		goto fail_perm;
	}

	/* Write the message to a temporary file in ./tmp. */
	gettimeofday(&tStart, (struct timezone *)0);
	Strlcpy(dir, maildir, sizeof(dir));
	Strlcat(dir, "/tmp", sizeof(dir));
	snprintf(tmp_file, sizeof(tmp_file), "%s/%lu.P%u.%s", dir,
	    (Ulong)tStart.tv_sec, getpid(), myname);
try_open:
	if ((fd = open(tmp_file, O_WRONLY|O_CREAT|O_EXCL, 0600)) == -1) {
		if (errno == ENOENT && !creatDir) {
			Debug("Creating missing: %s", dir);
			if (mkdir(dir, 0700) == -1) {
				MPD_SetError("mk %s: %s", dir, strerror(errno));
				goto fail_perm;
			}
			creatDir = 1;
			goto try_open;
		} else if (errno == EINTR) {
			if (QMGR_CheckSignals()) {
				goto fail_temp;
			}
			goto try_open;
		} else if (errno == EROFS || errno == EMFILE || errno == ENFILE ||
		           errno == ENOSPC || errno == EIO) {
			MPD_SetError("%s: %s (TEMP)", tmp_file, strerror(errno));
			goto fail_temp;
		} else {
			MPD_SetError("%s: %s", tmp_file, strerror(errno));
			goto fail_perm;
		}
	}

	/* Write the envelope and message contents to the file. */
	LOCAL_AddHeaders(msg, rcpt, filter, ENVELOPE_RULE);
	vec[0].iov_base = envelope;
	vec[0].iov_len =  envelopeLen;
	vec[1].iov_base = msg->text;
	vec[1].iov_len =  msg->text_len;
	if (QMGR_Writev(fd, vec, 2) == -1) {
		close(fd);
		goto fail_temp;
	}

	/* Link the destination file in ./new. */
	if (fstat(fd, &sb) == -1) {
		MPD_SetError("fstat: %s", strerror(errno));
		close(fd);
		goto fail_temp;
	}
	Strlcpy(dir, maildir, sizeof(dir));
	Strlcat(dir, "/new", sizeof(dir));
	snprintf(new_file, sizeof(new_file), "%s/%lu.V%xI%xM%lu.%s", dir,
	    (Ulong)tStart.tv_sec,
	    (Uint)sb.st_dev,
	    (Uint)sb.st_ino,
	    (Ulong)tStart.tv_usec,
	    myname);
	if (link(tmp_file, new_file) == -1) {
		if (errno == ENOENT) {
			if (mkdir(dir, 0700) == -1) {
				MPD_SetError("mk %s: %s", dir, strerror(errno));
				close(fd);
				goto fail_temp;
			}
			if (link(tmp_file, new_file) == -1) {
				MPD_SetError("link %s: %s", new_file,
				    strerror(errno));
				close(fd);
				goto fail_temp;
			}
		} else {
			MPD_SetError("link %s: %s", new_file, strerror(errno));
			close(fd);
			goto fail_temp;
		}
	}
	fsync(fd);
	close(fd);
	Unlink(tmp_file);
	LOCAL_RegainEffectivePrivs();
	return (0);
fail_temp:
	LOCAL_RegainEffectivePrivs();
	return (1);
fail_perm:
	LOCAL_RegainEffectivePrivs();
	return (-1);
}

/*
 * Forward a message to a target e-mail address via sendmail.
 * Context: QMGR Worker -> MPD_MessageProcess().
 */
int
LOCAL_DeliverToAddress(MPD_Message *msg, MPD_Recipient *rcpt, const char *dest,
    uid_t uid, gid_t gid)
{
	char *dom;

	if (!ValidEmailAddress(dest) || (dom = strchr(dest, '@')) == NULL ||
	    *dom == '\0') {
		MPD_SetError("Invalid address: %s", dest);
		return (-1);
	}
	if (MPD_DomainForcedFiltering(&dom[1]) &&
	    msg->status.score >= forceFilterThreshold) {
		Debug("Dropping spam to <%s> (%s rule)", dest, &dom[1]);
		return (0);
	}
	Debug("Forwarding to <%s> (as %d:%d)", dest, uid, gid);
	return LOCAL_ForwardSMTP(msg, relayAddr, relayPort, dest);
#if 0
	int pp[2], status;
	pid_t pid;
	if (pipe(pp) == -1) {
		MPD_SetError("pipe: %s", strerror(errno));
		return (1);
	}
	if ((pid = fork()) == -1) {
		MPD_SetError("fork: %s", strerror(errno));
		return (1);
	}
	if (pid == 0) {					/* Child */
		sigset_t allsigs;
		char *args[3];

		Setproctitle("forward");
		close(pp[1]);
		if (dup2(pp[0], 0) == -1) {
			MPD_SetError("dup2: %s", strerror(errno));
			goto chld_fail;
		}
		close(STDOUT_FILENO);

		/* Drop privileges irrevocably. */
		sigfillset(&allsigs);
		sigprocmask(SIG_BLOCK, &allsigs, NULL);
		if (setegid(gid) < 0 || setgid(gid) < 0 ||
		    seteuid(uid) < 0 || setuid(uid) < 0) {
			sigprocmask(SIG_UNBLOCK, &allsigs, NULL);
			MPD_Fatal("sete[ug]id(%d,%d -> %d,%d): %s",
			    geteuid(), getegid(), uid, gid, strerror(errno));
			/* NOTREACHED */
		}
		sigprocmask(SIG_UNBLOCK, &allsigs, NULL);

		args[0] = sendmailPath;
		args[1] = (char *)dest;
		args[2] = NULL;
		if (execv(args[0], args) == -1) {
			exit(1);
		} else {
			exit(0);
		}
		MPD_SetError("execv: %s", strerror(errno));
chld_fail:
		syslog(LOG_ERR, "sendmail process: %s", MPD_GetError());
		exit(1);
	}

	close(pp[0]);					/* In parent */

	if (QMGR_Write(pp[1], msg->text, msg->text_len) == -1) {
		close(pp[1]);
		goto fail_temp;
	}
	close(pp[1]);
wait_sendmail:
	if (waitpid(pid, &status, 0) == -1) {
		if (errno == EINTR) {
			if (QMGR_CheckSignals()) {
				goto fail_temp;
			}
			goto wait_sendmail;
		}
		MPD_SetError("waitpid: %s", strerror(errno));
		goto fail_temp;
	}
	if (WIFSIGNALED(status)) {
		MPD_SetError("sendmail: signal %d", WTERMSIG(status));
		goto fail_temp;
	} else if (WIFEXITED(status) && WEXITSTATUS(status)) {
		MPD_SetError("sendmail: error %d", WEXITSTATUS(status));
		goto fail_temp;
	}
	return (0);
fail_temp:
	syslog(LOG_ERR, "DeliverToAddress: %s (TEMP)", MPD_GetError());
	return (1);
#endif
}

static int
SMTP_Expect(FILE *f, const char *code, int *retCode)
{
	char *buf, *lbuf = NULL;
	size_t len;

	if ((buf = Fgetln(f, &len)) == NULL) {
		MPD_SetErrorS("EOF from server");
		return (0);
	}
	if (buf[len-1] == '\n') {
		buf[len-1] = '\0';
	} else {
		if ((lbuf = malloc(len+1)) == NULL) {
			MPD_SetErrorS("malloc linebuf");
			return (0);
		}
		memcpy(lbuf, buf, len);
		lbuf[len] = '\0';
		buf = lbuf;
	}
	if (strncmp(buf, code, 3) != 0) {
		*retCode = (int)strtoul(buf, NULL, 10);
		MPD_SetError("SMTP error %d", *retCode);
	} else {
		*retCode = 0;
	}
	Free(lbuf);
	return (1);
}

/* Forward a message back to the MTA on a local port. */
int
LOCAL_ForwardSMTP(MPD_Message *msg, const char *rhost, const char *rport,
    const char *rcpt)
{
	struct addrinfo hints, *res, *res0;
	const char *cause = NULL;
	int rv, s, errCode;
	FILE *f;

/*	Debug("ForwardSMTP: To=<%s> via [%s:%s] (%lu bytes)", 
	    rcpt, rhost, rport, (Ulong)msg->text_len); */

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = PF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	if ((rv = getaddrinfo(rhost, rport, &hints, &res0)) != 0) {
		MPD_SetError("%s:%s: %s", rhost, rport, gai_strerror(rv));
		return (1);
	}
	for (s = -1, res = res0;
	     res != NULL;
	     res = res->ai_next) {
		s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
		if (s < 0) {
			cause = "socket";
			continue;
		}
		if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
			cause = "connect";
			close(s);
			s = -1;
			continue;
		}
		break;
	}
	if (s == -1) {
		MPD_SetError("%s: %s", cause, strerror(errno));
		freeaddrinfo(res0);
		return (1);			/* Temp */
	}
tryopen:
	if ((f = fdopen(s, "w+")) == NULL) {
		if (errno == EINTR) {
			goto tryopen;
		}
		MPD_SetErrorS("fdopen");
		goto fail_temp;
	}
	setvbuf(f, NULL, _IOLBF, 0);

	if (!SMTP_Expect(f, "220", &errCode)) { goto fail_temp; }
	fputs("HELO [127.0.0.1]\n", f);
	if (!SMTP_Expect(f, "250", &errCode)) { goto fail_temp; }

	fputs("MAIL FROM:<", f);
	fputs(msg->mail_from, f);
	fputs(">\n", f);
	if (!SMTP_Expect(f, "250", &errCode)) { goto fail_temp; }

	fputs("RCPT TO:<", f);
	fputs(rcpt, f);
	fputs(">\n", f);
	if (!SMTP_Expect(f, "250", &errCode)) { goto fail_temp; }

	fputs("DATA\n", f);
	if (!SMTP_Expect(f, "354", &errCode)) { goto fail_temp; }
	fputs(msg->text, f);
	fputs("\r\n.\r\n", f);
	if (!SMTP_Expect(f, "250", &errCode)) { goto fail_temp; }
	fputs("QUIT\r\n", f);
	SMTP_Expect(f, "221", &errCode);
	fflush(f);

	close(s);
	freeaddrinfo(res0);
	return (0);
fail_temp:
	close(s);
	freeaddrinfo(res0);
	return (1);
}

#ifdef COMPAT_QMAIL
static void
EmulateQmailEnv(struct passwd *pw, MPD_Message *msg, MPD_Recipient *mr)
{
	char rcpt[ADDRESS_MAX+16];
	char line[ADDRESS_MAX+16];
	time_t now;

	setenv("HOST", mr->domain_part, 1);
	setenv("SENDER", msg->mail_from, 1);
	setenv("NEWSENDER", msg->mail_from, 1);

	Strlcpy(rcpt, pw->pw_name,	sizeof(rcpt));
	Strlcat(rcpt, "-",		sizeof(rcpt));
	Strlcat(rcpt, mr->domain_part, sizeof(rcpt));
	Strlcat(rcpt, "-",		sizeof(rcpt));
	Strlcat(rcpt, mr->user_part,	sizeof(rcpt));
	setenv("LOCAL", rcpt, 1);
	Strlcat(rcpt, "@",		sizeof(rcpt));
	Strlcat(rcpt, mr->domain_part,	sizeof(rcpt));
	setenv("RECIPIENT", rcpt, 1);
			
	Strlcpy(line, mr->domain_part, sizeof(line));
	Strlcat(line, "-",		sizeof(line));
	Strlcat(line, mr->user_part,	sizeof(line));
	setenv("EXT", line, 1);
	
	time(&now);
	Strlcpy(line, "From ",		sizeof(line));
	Strlcat(line, msg->mail_from,	sizeof(line));
	Strlcat(line, " ",		sizeof(line));
	Strlcat(line, asctime(localtime(&now)), sizeof(line));
	setenv("UFLINE", line, 1);

	Strlcpy(line, "Delivered-To: ",	sizeof(line));
	Strlcat(line, rcpt,		sizeof(line));
	Strlcat(line, "\n",		sizeof(line));
	setenv("DTLINE", line, 1);

	Strlcpy(line, "Return-Path: ",	sizeof(line));
	Strlcat(line, msg->mail_from,	sizeof(line));
	Strlcat(line, "\n",		sizeof(line));
	setenv("RPLINE", line, 1);
}
#endif /* COMPAT_QMAIL */

/*
 * Pipe the message to a user-specified command.
 * Context: QMGR Worker -> MPD_MessageProcess().
 */
int
LOCAL_FeedToPipe(MPD_Message *msg, MPD_Recipient *rcpt, const char *cmd,
    const char *filter, uid_t uid, gid_t gid)
{
	struct passwd *pw;
	int pp[2];
	pid_t pid;
	int status;
	struct sigaction sa;
	struct iovec vec[2];

	Debug("Pipe: %s (as %d:%d)", cmd, (int)uid, (int)gid);

	if ((pw = getpwuid(uid)) == NULL) {
		MPD_SetError("No such UID: %d", (int)uid);
		return (-1);
	}
	if (LOCAL_SuspendedUser(pw)) {
	   	MPD_SetError("Account suspended (mail-to-pipe not allowed)");
		return suspBounce ? -1 : 1;
	}
	if (pipe(pp) == -1) {
		MPD_SetError("pipe: %s", strerror(errno));
		return (1);
	}
	if ((pid = fork()) == -1) {
		MPD_SetError("fork: %s", strerror(errno));
		return (1);
	}
	if (pid == 0) {					/* Child */
		char *args[4];
		extern char **environ;
		sigset_t allsigs;
		int fdNull;

		/* Reset signal handlers */
		sigemptyset(&sa.sa_mask);
		sa.sa_handler = SIG_DFL;
		sa.sa_flags = 0;
		sigaction(SIGCHLD, &sa, NULL);
		sigaction(SIGHUP, &sa, NULL);
		sigaction(SIGUSR1, &sa, NULL);
		sigaction(SIGUSR2, &sa, NULL);
		sigfillset(&sa.sa_mask);
		sigaction(SIGTERM, &sa, NULL);

		/* Feed message to stdin. */
		close(pp[1]);
		if (dup2(pp[0], STDIN_FILENO) == -1) {
			MPD_SetError("dup2: %s", strerror(errno));
			goto chld_fail;
		}

		/* Ignore any stdout/stderr output. */
		if ((fdNull = open("/dev/null", O_WRONLY)) != -1) {
			if (dup2(fdNull, STDOUT_FILENO) == -1)
				close(STDOUT_FILENO);
		} else {
			close(STDOUT_FILENO);
		}
		if ((fdNull = open("/dev/null", O_WRONLY)) != -1) {
			if (dup2(fdNull, STDERR_FILENO) == -1)
				close(STDERR_FILENO);
		} else {
			close(STDERR_FILENO);
		}

		/* Drop privileges irrevocably. */
		sigfillset(&allsigs);
		sigprocmask(SIG_BLOCK, &allsigs, NULL);
		if (gid != 0) {
			if (setegid(gid) < 0 || setgid(gid) < 0) {
				sigprocmask(SIG_UNBLOCK, &allsigs,NULL);
				MPD_SetErrorS("set(e)gid");
				goto chld_fail;
			}
		}
		if (uid != 0) {
			if (seteuid(uid) < 0 || setuid(uid) < 0) {
				sigprocmask(SIG_UNBLOCK, &allsigs,NULL);
				MPD_SetErrorS("set(e)uid");
				goto chld_fail;
			}
		}
		sigprocmask(SIG_UNBLOCK, &allsigs, NULL);

		/* Move to the user's home and forge the environment vars. */
		if (chdir(pw->pw_dir) == -1) {
			MPD_SetError("chdir %s: %s", pw->pw_dir, strerror(errno));
			goto chld_fail;
		}
		if ((environ = calloc(1, sizeof(char *))) == NULL) {
			MPD_SetError("Out of memory");
			goto chld_fail;
		}
		setenv("USER", pw->pw_name, 1);
		setenv("SHELL", mpdSafeShell, 1);
		setenv("HOME", pw->pw_dir, 1);
		setenv("PATH", mpdSafePath, 1);
#ifdef COMPAT_QMAIL
		if (emulQmail)
			EmulateQmailEnv(pw, msg, rcpt);
#endif
		args[0] = mpdSafeShell;
		args[1] = "-c";
		args[2] = (char *)cmd;			/* XXX */
		args[3] = NULL;
		execv(args[0], args);
		MPD_SetError("execv: %s", strerror(errno));
chld_fail:
		syslog(LOG_ERR, "pipe error: %s", MPD_GetError());
		exit(1);
	}

	close(pp[0]);

	/* Prepend envelope; append "X-Csoft-Pipe" for loop-detection. */
	LOCAL_AddHeaders(msg, rcpt, filter, ENVELOPE_FROM | ENVELOPE_PIPED);
	vec[0].iov_base = envelope;
	vec[0].iov_len =  envelopeLen;
	vec[1].iov_base = msg->text;
	vec[1].iov_len =  msg->text_len;
	if (QMGR_Writev(pp[1], vec, 2) == -1) {
		close(pp[1]);
		goto fail_temp;
	}
	close(pp[1]);
wait_pipe:
	if (waitpid(pid, &status, 0) == -1) {
		if (errno == EINTR) {
			if (QMGR_CheckSignals()) {
				goto fail_temp;
			}
			goto wait_pipe;
		}
		MPD_SetError("waitpid: %s", strerror(errno));
		goto fail_perm;
	}
	if (WIFSIGNALED(status)) {
		MPD_SetError("user pipe: signal %d", WTERMSIG(status));
		goto fail_temp;
	} else if (WIFEXITED(status) && WEXITSTATUS(status)) {
#ifdef COMPAT_QMAIL
		if (emulQmail && WEXITSTATUS(status) == 99) { goto fail_qmail; }
#endif
		MPD_SetError("user pipe: code %d", WEXITSTATUS(status));
		goto fail_perm;
	}
	return (0);
fail_temp:
	syslog(LOG_ERR, "Pipe error (TEMP): %s", MPD_GetError());
	return (1);
fail_perm:
	syslog(LOG_ERR, "Pipe error (PERM): %s", MPD_GetError());
	return (-1);
#ifdef COMPAT_QMAIL
fail_qmail:
	return (99);
#endif
}