add SENDER to mda environment and teach lmtp to use that instead of command

line parameter. this allows simplifying lmtp command line and it would have
prevented the unpriv command exec for LMTP in recent advisory.

ok millert@ and jung@

usr.sbin/smtpd/mail.lmtp.c

@@ -41,6 +41,7 @@ enum phase {
 struct session {
 	const char	*lhlo;
 	const char	*mailfrom;
+	char		*rcptto;
 
 	char		**rcpts;
 	int		n_rcpts;
@@ -62,9 +63,9 @@ main(int argc, char *argv[])
 		errx(EX_TEMPFAIL, "mail.lmtp: may not be executed as root");
 
 	session.lhlo = "localhost";
-	session.mailfrom = NULL;
+	session.mailfrom = getenv("SENDER");
 
-	while ((ch = getopt(argc, argv, "d:l:f:")) != -1) {
+	while ((ch = getopt(argc, argv, "d:l:f:ru")) != -1) {
 		switch (ch) {
 		case 'd':
 			destination = optarg;
@@ -75,6 +76,15 @@ main(int argc, char *argv[])
 		case 'f':
 			session.mailfrom = optarg;
 			break;
+
+		case 'r':
+			session.rcptto = getenv("RECIPIENT");
+			break;
+
+		case 'u':
+			session.rcptto = getenv("USER");
+			break;
+
 		default:
 			break;
 		}
@@ -85,11 +95,17 @@ main(int argc, char *argv[])
 	if (session.mailfrom == NULL)
 		errx(EX_TEMPFAIL, "sender must be specified with -f");
 
-	if (argc == 0)
+	if (argc == 0 && session.rcptto == NULL)
 		errx(EX_TEMPFAIL, "no recipient was specified");
 
-	session.rcpts = argv;
-	session.n_rcpts = argc;
+	if (session.rcptto) {
+		session.rcpts = &session.rcptto;
+		session.n_rcpts = 1;
+	}
+	else {
+		session.rcpts = argv;
+		session.n_rcpts = argc;
+	}
 
 	conn = lmtp_connect(destination);
 	lmtp_engine(conn, &session);

usr.sbin/smtpd/mda_unpriv.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: mda_unpriv.c,v 1.5 2018/12/27 15:41:50 gilles Exp $	*/
+/*	$OpenBSD: mda_unpriv.c,v 1.6 2020/02/02 22:13:48 gilles Exp $	*/
 
 /*
  * Copyright (c) 2018 Gilles Chehade <gilles@poolp.org>
@@ -40,7 +40,7 @@ mda_unpriv(struct dispatcher *dsp, struct deliver *deliver,
     const char *pw_name, const char *pw_dir)
 {
 	int		idx;
-	char	       *mda_environ[10];
+	char	       *mda_environ[11];
 	char		mda_exec[LINE_MAX];
 	char		mda_wrapper[LINE_MAX];
 	const char     *mda_command;
@@ -72,6 +72,12 @@ mda_unpriv(struct dispatcher *dsp, struct deliver *deliver,
 	xasprintf(&mda_environ[idx++], "LOGNAME=%s", pw_name);
 	xasprintf(&mda_environ[idx++], "USER=%s", pw_name);
 
+	if (deliver->sender.user[0])
+		xasprintf(&mda_environ[idx++], "SENDER=%s@%s",
+		    deliver->sender.user, deliver->sender.domain);
+	else
+		xasprintf(&mda_environ[idx++], "SENDER=");
+
 	if (deliver->mda_subaddress[0])
 		xasprintf(&mda_environ[idx++], "EXTENSION=%s", deliver->mda_subaddress);
 

usr.sbin/smtpd/parse.y

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.274 2020/01/31 22:01:20 gilles Exp $	*/
+/*	$OpenBSD: parse.y,v 1.275 2020/02/02 22:13:48 gilles Exp $	*/
 
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -690,11 +690,11 @@ MBOX {
 } dispatcher_local_options
 | LMTP STRING {
 	asprintf(&dispatcher->u.local.command,
-	    "/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s %%{user.username}", $2);
+	    "/usr/libexec/mail.lmtp -d %s -u", $2);
 } dispatcher_local_options
 | LMTP STRING RCPT_TO {
 	asprintf(&dispatcher->u.local.command,
-	    "/usr/libexec/mail.lmtp -f \"%%{sender}\" -d %s %%{dest}", $2);
+	    "/usr/libexec/mail.lmtp -d %s -r", $2);
 } dispatcher_local_options
 | MDA STRING {
 	asprintf(&dispatcher->u.local.command,