~ubuntu-branches/ubuntu/maverick/exim4/maverick-updates
» Revision
34
: .pc/82_CVE-2011-0017.patch/src/exim.c
« back to all changes in this revision
Viewing changes to .pc/82_CVE-2011-0017.patch/src/exim.c
- browse files at revision 34
- compare with another revision
- download diff
- download tarball
- view history from revision 34
- Committer: Bazaar Package Importer
- Author(s): Marc Deslauriers
- Date: 2011-02-08 09:46:29 UTC
- Revision ID: james.westby@ubuntu.com-20110208094629-m5jc7c9lr7h3x2rm
Tags: 4.72-1ubuntu1.1
* SECURITY UPDATE: local privilege escalation via alternate config file
(LP: #697934)
- debian/patches/80_CVE-2010-4345.patch: backport massive behaviour-
altering changes from upstream git to fix issue.
- debian/patches/81_CVE-2010-4345-docs.patch: backport documentation
changes.
- debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
in utility scripts. This would not work with ALT_CONFIG_PREFIX.
Patch obtained from Debian's 4.69-9+lenny2.
- Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
exim will not regain root privileges (usually necessary for local
delivery) if the -D option was used. Macro identifiers listed in
WHITELIST_D_MACROS are exempted from this restriction. mailscanner
(4.79.11-2.2) uses -DOUTGOING.
- Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
security update, exim will not re-gain root privileges (usually
necessary for local delivery) if the -C option was used. This makes
it impossible to start a fully functional damon with an alternate
configuration file. /etc/exim4/trusted_configs (can) contain a list
of filenames (one per line, full path given) to which this
restriction does not apply.
- debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
Debian and Andreas Metzler for the text.
- CVE-2010-4345
* SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
- debian/patches/82_CVE-2011-0017.patch: check setuid and setgid return
codes in src/exim.c, src/log.c.
- CVE-2011-0017
* debian/rules: disable debconf-updatepo so the security update doesn't
alter translations.
(LP: #697934)
- debian/patches/80_CVE-2010-4345.patch: backport massive behaviour-
altering changes from upstream git to fix issue.
- debian/patches/81_CVE-2010-4345-docs.patch: backport documentation
changes.
- debian/patches/67_unnecessaryCopt.dpatch: Do not use exim's -C option
in utility scripts. This would not work with ALT_CONFIG_PREFIX.
Patch obtained from Debian's 4.69-9+lenny2.
- Build with WHITELIST_D_MACROS=OUTGOING. After this security update,
exim will not regain root privileges (usually necessary for local
delivery) if the -D option was used. Macro identifiers listed in
WHITELIST_D_MACROS are exempted from this restriction. mailscanner
(4.79.11-2.2) uses -DOUTGOING.
- Build with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. After this
security update, exim will not re-gain root privileges (usually
necessary for local delivery) if the -C option was used. This makes
it impossible to start a fully functional damon with an alternate
configuration file. /etc/exim4/trusted_configs (can) contain a list
of filenames (one per line, full path given) to which this
restriction does not apply.
- debian/exim4-daemon-*.NEWS: Add description of changes. Thanks to
Debian and Andreas Metzler for the text.
- CVE-2010-4345
* SECURITY UPDATE: arbitrary file append via symlink attack (LP: #708023)
- debian/patches/82_CVE-2011-0017.patch: check setuid and setgid return
codes in src/exim.c, src/log.c.
- CVE-2011-0017
* debian/rules: disable debconf-updatepo so the security update doesn't
alter translations.
- files added:
- .pc/67_unnecessaryCopt.dpatch
- .pc/67_unnecessaryCopt.dpatch/src
- .pc/80_CVE-2010-4345.patch
- .pc/80_CVE-2010-4345.patch/src
- .pc/81_CVE-2010-4345-docs.patch
- .pc/81_CVE-2010-4345-docs.patch/doc
- .pc/82_CVE-2011-0017.patch
- .pc/82_CVE-2011-0017.patch/src
- files modified:
- .pc/applied-patches
added
removed
.pc/82_CVE-2011-0017.patch/src/exim.c
1
/* $Cambridge: exim/exim-src/src/exim.c,v 1.65 2009/11/16 19:50:36 nm4 Exp $ */
2
3
/*************************************************
4
* Exim - an Internet mail transport agent *
5
*************************************************/
6
7
/* Copyright (c) University of Cambridge 1995 - 2009 */
8
/* See the file NOTICE for conditions of use and distribution. */
9
10
11
/* The main function: entry point, initialization, and high-level control.
12
Also a few functions that don't naturally fit elsewhere. */
13
14
15
#include "exim.h"
16
17
18
19
/*************************************************
20
* Function interface to store functions *
21
*************************************************/
22
23
/* We need some real functions to pass to the PCRE regular expression library
24
for store allocation via Exim's store manager. The normal calls are actually
25
macros that pass over location information to make tracing easier. These
26
functions just interface to the standard macro calls. A good compiler will
27
optimize out the tail recursion and so not make them too expensive. There
28
are two sets of functions; one for use when we want to retain the compiled
29
regular expression for a long time; the other for short-term use. */
30
31
static void *
32
function_store_get(size_t size)
33
{
34
return store_get((int)size);
35
}
36
37
static void
38
function_dummy_free(void *block) { block = block; }
39
40
static void *
41
function_store_malloc(size_t size)
42
{
43
return store_malloc((int)size);
44
}
45
46
static void
47
function_store_free(void *block)
48
{
49
store_free(block);
50
}
51
52
53
54
55
/*************************************************
56
* Compile regular expression and panic on fail *
57
*************************************************/
58
59
/* This function is called when failure to compile a regular expression leads
60
to a panic exit. In other cases, pcre_compile() is called directly. In many
61
cases where this function is used, the results of the compilation are to be
62
placed in long-lived store, so we temporarily reset the store management
63
functions that PCRE uses if the use_malloc flag is set.
64
65
Argument:
66
pattern the pattern to compile
67
caseless TRUE if caseless matching is required
68
use_malloc TRUE if compile into malloc store
69
70
Returns: pointer to the compiled pattern
71
*/
72
73
const pcre *
74
regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc)
75
{
76
int offset;
77
int options = PCRE_COPT;
78
const pcre *yield;
79
const uschar *error;
80
if (use_malloc)
81
{
82
pcre_malloc = function_store_malloc;
83
pcre_free = function_store_free;
84
}
85
if (caseless) options |= PCRE_CASELESS;
86
yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL);
87
pcre_malloc = function_store_get;
88
pcre_free = function_dummy_free;
89
if (yield == NULL)
90
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
91
"%s at offset %d while compiling %s", error, offset, pattern);
92
return yield;
93
}
94
95
96
97
98
/*************************************************
99
* Execute regular expression and set strings *
100
*************************************************/
101
102
/* This function runs a regular expression match, and sets up the pointers to
103
the matched substrings.
104
105
Arguments:
106
re the compiled expression
107
subject the subject string
108
options additional PCRE options
109
setup if < 0 do full setup
110
if >= 0 setup from setup+1 onwards,
111
excluding the full matched string
112
113
Returns: TRUE or FALSE
114
*/
115
116
BOOL
117
regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
118
{
119
int ovector[3*(EXPAND_MAXN+1)];
120
int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0,
121
PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
122
BOOL yield = n >= 0;
123
if (n == 0) n = EXPAND_MAXN + 1;
124
if (yield)
125
{
126
int nn;
127
expand_nmax = (setup < 0)? 0 : setup + 1;
128
for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
129
{
130
expand_nstring[expand_nmax] = subject + ovector[nn];
131
expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
132
}
133
expand_nmax--;
134
}
135
return yield;
136
}
137
138
139
140
141
/*************************************************
142
* Handler for SIGUSR1 *
143
*************************************************/
144
145
/* SIGUSR1 causes any exim process to write to the process log details of
146
what it is currently doing. It will only be used if the OS is capable of
147
setting up a handler that causes automatic restarting of any system call
148
that is in progress at the time.
149
150
Argument: the signal number (SIGUSR1)
151
Returns: nothing
152
*/
153
154
static void
155
usr1_handler(int sig)
156
{
157
sig = sig; /* Keep picky compilers happy */
158
log_write(0, LOG_PROCESS, "%s", process_info);
159
log_close_all();
160
os_restarting_signal(SIGUSR1, usr1_handler);
161
}
162
163
164
165
/*************************************************
166
* Timeout handler *
167
*************************************************/
168
169
/* This handler is enabled most of the time that Exim is running. The handler
170
doesn't actually get used unless alarm() has been called to set a timer, to
171
place a time limit on a system call of some kind. When the handler is run, it
172
re-enables itself.
173
174
There are some other SIGALRM handlers that are used in special cases when more
175
than just a flag setting is required; for example, when reading a message's
176
input. These are normally set up in the code module that uses them, and the
177
SIGALRM handler is reset to this one afterwards.
178
179
Argument: the signal value (SIGALRM)
180
Returns: nothing
181
*/
182
183
void
184
sigalrm_handler(int sig)
185
{
186
sig = sig; /* Keep picky compilers happy */
187
sigalrm_seen = TRUE;
188
os_non_restarting_signal(SIGALRM, sigalrm_handler);
189
}
190
191
192
193
/*************************************************
194
* Sleep for a fractional time interval *
195
*************************************************/
196
197
/* This function is called by millisleep() and exim_wait_tick() to wait for a
198
period of time that may include a fraction of a second. The coding is somewhat
199
tedious. We do not expect setitimer() ever to fail, but if it does, the process
200
will wait for ever, so we panic in this instance. (There was a case of this
201
when a bug in a function that calls milliwait() caused it to pass invalid data.
202
That's when I added the check. :-)
203
204
Argument: an itimerval structure containing the interval
205
Returns: nothing
206
*/
207
208
static void
209
milliwait(struct itimerval *itval)
210
{
211
sigset_t sigmask;
212
sigset_t old_sigmask;
213
(void)sigemptyset(&sigmask); /* Empty mask */
214
(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
215
(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
216
if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
217
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
218
"setitimer() failed: %s", strerror(errno));
219
(void)sigfillset(&sigmask); /* All signals */
220
(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
221
(void)sigsuspend(&sigmask); /* Until SIGALRM */
222
(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
223
}
224
225
226
227
228
/*************************************************
229
* Millisecond sleep function *
230
*************************************************/
231
232
/* The basic sleep() function has a granularity of 1 second, which is too rough
233
in some cases - for example, when using an increasing delay to slow down
234
spammers.
235
236
Argument: number of millseconds
237
Returns: nothing
238
*/
239
240
void
241
millisleep(int msec)
242
{
243
struct itimerval itval;
244
itval.it_interval.tv_sec = 0;
245
itval.it_interval.tv_usec = 0;
246
itval.it_value.tv_sec = msec/1000;
247
itval.it_value.tv_usec = (msec % 1000) * 1000;
248
milliwait(&itval);
249
}
250
251
252
253
/*************************************************
254
* Compare microsecond times *
255
*************************************************/
256
257
/*
258
Arguments:
259
tv1 the first time
260
tv2 the second time
261
262
Returns: -1, 0, or +1
263
*/
264
265
int
266
exim_tvcmp(struct timeval *t1, struct timeval *t2)
267
{
268
if (t1->tv_sec > t2->tv_sec) return +1;
269
if (t1->tv_sec < t2->tv_sec) return -1;
270
if (t1->tv_usec > t2->tv_usec) return +1;
271
if (t1->tv_usec < t2->tv_usec) return -1;
272
return 0;
273
}
274
275
276
277
278
/*************************************************
279
* Clock tick wait function *
280
*************************************************/
281
282
/* Exim uses a time + a pid to generate a unique identifier in two places: its
283
message IDs, and in file names for maildir deliveries. Because some OS now
284
re-use pids within the same second, sub-second times are now being used.
285
However, for absolute certaintly, we must ensure the clock has ticked before
286
allowing the relevant process to complete. At the time of implementation of
287
this code (February 2003), the speed of processors is such that the clock will
288
invariably have ticked already by the time a process has done its job. This
289
function prepares for the time when things are faster - and it also copes with
290
clocks that go backwards.
291
292
Arguments:
293
then_tv A timeval which was used to create uniqueness; its usec field
294
has been rounded down to the value of the resolution.
295
We want to be sure the current time is greater than this.
296
resolution The resolution that was used to divide the microseconds
297
(1 for maildir, larger for message ids)
298
299
Returns: nothing
300
*/
301
302
void
303
exim_wait_tick(struct timeval *then_tv, int resolution)
304
{
305
struct timeval now_tv;
306
long int now_true_usec;
307
308
(void)gettimeofday(&now_tv, NULL);
309
now_true_usec = now_tv.tv_usec;
310
now_tv.tv_usec = (now_true_usec/resolution) * resolution;
311
312
if (exim_tvcmp(&now_tv, then_tv) <= 0)
313
{
314
struct itimerval itval;
315
itval.it_interval.tv_sec = 0;
316
itval.it_interval.tv_usec = 0;
317
itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
318
itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
319
320
/* We know that, overall, "now" is less than or equal to "then". Therefore, a
321
negative value for the microseconds is possible only in the case when "now"
322
is more than a second less than "then". That means that itval.it_value.tv_sec
323
is greater than zero. The following correction is therefore safe. */
324
325
if (itval.it_value.tv_usec < 0)
326
{
327
itval.it_value.tv_usec += 1000000;
328
itval.it_value.tv_sec -= 1;
329
}
330
331
DEBUG(D_transport|D_receive)
332
{
333
if (!running_in_test_harness)
334
{
335
debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
336
then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
337
debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
338
itval.it_value.tv_usec);
339
}
340
}
341
342
milliwait(&itval);
343
}
344
}
345
346
347
348
349
/*************************************************
350
* Set up processing details *
351
*************************************************/
352
353
/* Save a text string for dumping when SIGUSR1 is received.
354
Do checks for overruns.
355
356
Arguments: format and arguments, as for printf()
357
Returns: nothing
358
*/
359
360
void
361
set_process_info(char *format, ...)
362
{
363
int len;
364
va_list ap;
365
sprintf(CS process_info, "%5d ", (int)getpid());
366
len = Ustrlen(process_info);
367
va_start(ap, format);
368
if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len, format, ap))
369
Ustrcpy(process_info + len, "**** string overflowed buffer ****");
370
DEBUG(D_process_info) debug_printf("set_process_info: %s\n", process_info);
371
va_end(ap);
372
}
373
374
375
376
377
378
/*************************************************
379
* Call fopen() with umask 777 and adjust mode *
380
*************************************************/
381
382
/* Exim runs with umask(0) so that files created with open() have the mode that
383
is specified in the open() call. However, there are some files, typically in
384
the spool directory, that are created with fopen(). They end up world-writeable
385
if no precautions are taken. Although the spool directory is not accessible to
386
the world, this is an untidiness. So this is a wrapper function for fopen()
387
that sorts out the mode of the created file.
388
389
Arguments:
390
filename the file name
391
options the fopen() options
392
mode the required mode
393
394
Returns: the fopened FILE or NULL
395
*/
396
397
FILE *
398
modefopen(uschar *filename, char *options, mode_t mode)
399
{
400
mode_t saved_umask = umask(0777);
401
FILE *f = Ufopen(filename, options);
402
(void)umask(saved_umask);
403
if (f != NULL) (void)fchmod(fileno(f), mode);
404
return f;
405
}
406
407
408
409
410
/*************************************************
411
* Ensure stdin, stdout, and stderr exist *
412
*************************************************/
413
414
/* Some operating systems grumble if an exec() happens without a standard
415
input, output, and error (fds 0, 1, 2) being defined. The worry is that some
416
file will be opened and will use these fd values, and then some other bit of
417
code will assume, for example, that it can write error messages to stderr.
418
This function ensures that fds 0, 1, and 2 are open if they do not already
419
exist, by connecting them to /dev/null.
420
421
This function is also used to ensure that std{in,out,err} exist at all times,
422
so that if any library that Exim calls tries to use them, it doesn't crash.
423
424
Arguments: None
425
Returns: Nothing
426
*/
427
428
void
429
exim_nullstd(void)
430
{
431
int i;
432
int devnull = -1;
433
struct stat statbuf;
434
for (i = 0; i <= 2; i++)
435
{
436
if (fstat(i, &statbuf) < 0 && errno == EBADF)
437
{
438
if (devnull < 0) devnull = open("/dev/null", O_RDWR);
439
if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
440
string_open_failed(errno, "/dev/null"));
441
if (devnull != i) (void)dup2(devnull, i);
442
}
443
}
444
if (devnull > 2) (void)close(devnull);
445
}
446
447
448
449
450
/*************************************************
451
* Close unwanted file descriptors for delivery *
452
*************************************************/
453
454
/* This function is called from a new process that has been forked to deliver
455
an incoming message, either directly, or using exec.
456
457
We want any smtp input streams to be closed in this new process. However, it
458
has been observed that using fclose() here causes trouble. When reading in -bS
459
input, duplicate copies of messages have been seen. The files will be sharing a
460
file pointer with the parent process, and it seems that fclose() (at least on
461
some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
462
least sometimes. Hence we go for closing the underlying file descriptors.
463
464
If TLS is active, we want to shut down the TLS library, but without molesting
465
the parent's SSL connection.
466
467
For delivery of a non-SMTP message, we want to close stdin and stdout (and
468
stderr unless debugging) because the calling process might have set them up as
469
pipes and be waiting for them to close before it waits for the submission
470
process to terminate. If they aren't closed, they hold up the calling process
471
until the initial delivery process finishes, which is not what we want.
472
473
Exception: We do want it for synchronous delivery!
474
475
And notwithstanding all the above, if D_resolver is set, implying resolver
476
debugging, leave stdout open, because that's where the resolver writes its
477
debugging output.
478
479
When we close stderr (which implies we've also closed stdout), we also get rid
480
of any controlling terminal.
481
482
Arguments: None
483
Returns: Nothing
484
*/
485
486
static void
487
close_unwanted(void)
488
{
489
if (smtp_input)
490
{
491
#ifdef SUPPORT_TLS
492
tls_close(FALSE); /* Shut down the TLS library */
493
#endif
494
(void)close(fileno(smtp_in));
495
(void)close(fileno(smtp_out));
496
smtp_in = NULL;
497
}
498
else
499
{
500
(void)close(0); /* stdin */
501
if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
502
if (debug_selector == 0) /* stderr */
503
{
504
if (!synchronous_delivery)
505
{
506
(void)close(2);
507
log_stderr = NULL;
508
}
509
(void)setsid();
510
}
511
}
512
}
513
514
515
516
517
/*************************************************
518
* Set uid and gid *
519
*************************************************/
520
521
/* This function sets a new uid and gid permanently, optionally calling
522
initgroups() to set auxiliary groups. There are some special cases when running
523
Exim in unprivileged modes. In these situations the effective uid will not be
524
root; if we already have the right effective uid/gid, and don't need to
525
initialize any groups, leave things as they are.
526
527
Arguments:
528
uid the uid
529
gid the gid
530
igflag TRUE if initgroups() wanted
531
msg text to use in debugging output and failure log
532
533
Returns: nothing; bombs out on failure
534
*/
535
536
void
537
exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
538
{
539
uid_t euid = geteuid();
540
gid_t egid = getegid();
541
542
if (euid == root_uid || euid != uid || egid != gid || igflag)
543
{
544
/* At least one OS returns +1 for initgroups failure, so just check for
545
non-zero. */
546
547
if (igflag)
548
{
549
struct passwd *pw = getpwuid(uid);
550
if (pw != NULL)
551
{
552
if (initgroups(pw->pw_name, gid) != 0)
553
log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
554
(long int)uid, strerror(errno));
555
}
556
else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
557
"no passwd entry for uid=%ld", (long int)uid);
558
}
559
560
if (setgid(gid) < 0 || setuid(uid) < 0)
561
{
562
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
563
"(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
564
}
565
}
566
567
/* Debugging output included uid/gid and all groups */
568
569
DEBUG(D_uid)
570
{
571
int group_count;
572
gid_t group_list[NGROUPS_MAX];
573
debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
574
(long int)geteuid(), (long int)getegid(), (long int)getpid());
575
group_count = getgroups(NGROUPS_MAX, group_list);
576
debug_printf(" auxiliary group list:");
577
if (group_count > 0)
578
{
579
int i;
580
for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
581
}
582
else debug_printf(" <none>");
583
debug_printf("\n");
584
}
585
}
586
587
588
589
590
/*************************************************
591
* Exit point *
592
*************************************************/
593
594
/* Exim exits via this function so that it always clears up any open
595
databases.
596
597
Arguments:
598
rc return code
599
600
Returns: does not return
601
*/
602
603
void
604
exim_exit(int rc)
605
{
606
search_tidyup();
607
DEBUG(D_any)
608
debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
609
">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
610
exit(rc);
611
}
612
613
614
615
616
/*************************************************
617
* Extract port from host address *
618
*************************************************/
619
620
/* Called to extract the port from the values given to -oMa and -oMi.
621
It also checks the syntax of the address, and terminates it before the
622
port data when a port is extracted.
623
624
Argument:
625
address the address, with possible port on the end
626
627
Returns: the port, or zero if there isn't one
628
bombs out on a syntax error
629
*/
630
631
static int
632
check_port(uschar *address)
633
{
634
int port = host_address_extract_port(address);
635
if (string_is_ip_address(address, NULL) == 0)
636
{
637
fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
638
exit(EXIT_FAILURE);
639
}
640
return port;
641
}
642
643
644
645
/*************************************************
646
* Test/verify an address *
647
*************************************************/
648
649
/* This function is called by the -bv and -bt code. It extracts a working
650
address from a full RFC 822 address. This isn't really necessary per se, but it
651
has the effect of collapsing source routes.
652
653
Arguments:
654
s the address string
655
flags flag bits for verify_address()
656
exit_value to be set for failures
657
658
Returns: nothing
659
*/
660
661
static void
662
test_address(uschar *s, int flags, int *exit_value)
663
{
664
int start, end, domain;
665
uschar *parse_error = NULL;
666
uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
667
FALSE);
668
if (address == NULL)
669
{
670
fprintf(stdout, "syntax error: %s\n", parse_error);
671
*exit_value = 2;
672
}
673
else
674
{
675
int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
676
-1, -1, NULL, NULL, NULL);
677
if (rc == FAIL) *exit_value = 2;
678
else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
679
}
680
}
681
682
683
684
/*************************************************
685
* Decode bit settings for log/debug *
686
*************************************************/
687
688
/* This function decodes a string containing bit settings in the form of +name
689
and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
690
also recognizes a numeric setting of the form =<number>, but this is not
691
intended for user use. It's an easy way for Exim to pass the debug settings
692
when it is re-exec'ed.
693
694
The log options are held in two unsigned ints (because there became too many
695
for one). The top bit in the table means "put in 2nd selector". This does not
696
yet apply to debug options, so the "=" facility sets only the first selector.
697
698
The "all" selector, which must be equal to 0xffffffff, is recognized specially.
699
It sets all the bits in both selectors. However, there is a facility for then
700
unsetting certain bits, because we want to turn off "memory" in the debug case.
701
702
A bad value for a debug setting is treated as an unknown option - error message
703
to stderr and die. For log settings, which come from the configuration file,
704
we write to the log on the way out...
705
706
Arguments:
707
selector1 address of the first bit string
708
selector2 address of the second bit string, or NULL
709
notall1 bits to exclude from "all" for selector1
710
notall2 bits to exclude from "all" for selector2
711
string the configured string
712
options the table of option names
713
count size of table
714
which "log" or "debug"
715
716
Returns: nothing on success - bomb out on failure
717
*/
718
719
static void
720
decode_bits(unsigned int *selector1, unsigned int *selector2, int notall1,
721
int notall2, uschar *string, bit_table *options, int count, uschar *which)
722
{
723
uschar *errmsg;
724
if (string == NULL) return;
725
726
if (*string == '=')
727
{
728
char *end; /* Not uschar */
729
*selector1 = strtoul(CS string+1, &end, 0);
730
if (*end == 0) return;
731
errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
732
string);
733
goto ERROR_RETURN;
734
}
735
736
/* Handle symbolic setting */
737
738
else for(;;)
739
{
740
BOOL adding;
741
uschar *s;
742
int len;
743
bit_table *start, *end;
744
745
while (isspace(*string)) string++;
746
if (*string == 0) return;
747
748
if (*string != '+' && *string != '-')
749
{
750
errmsg = string_sprintf("malformed %s_selector setting: "
751
"+ or - expected but found \"%s\"", which, string);
752
goto ERROR_RETURN;
753
}
754
755
adding = *string++ == '+';
756
s = string;
757
while (isalnum(*string) || *string == '_') string++;
758
len = string - s;
759
760
start = options;
761
end = options + count;
762
763
while (start < end)
764
{
765
bit_table *middle = start + (end - start)/2;
766
int c = Ustrncmp(s, middle->name, len);
767
if (c == 0)
768
{
769
if (middle->name[len] != 0) c = -1; else
770
{
771
unsigned int bit = middle->bit;
772
unsigned int *selector;
773
774
/* The value with all bits set means "force all bits in both selectors"
775
in the case where two are being handled. However, the top bit in the
776
second selector is never set. When setting, some bits can be excluded.
777
*/
778
779
if (bit == 0xffffffff)
780
{
781
if (adding)
782
{
783
*selector1 = 0xffffffff ^ notall1;
784
if (selector2 != NULL) *selector2 = 0x7fffffff ^ notall2;
785
}
786
else
787
{
788
*selector1 = 0;
789
if (selector2 != NULL) *selector2 = 0;
790
}
791
}
792
793
/* Otherwise, the 0x80000000 bit means "this value, without the top
794
bit, belongs in the second selector". */
795
796
else
797
{
798
if ((bit & 0x80000000) != 0)
799
{
800
selector = selector2;
801
bit &= 0x7fffffff;
802
}
803
else selector = selector1;
804
if (adding) *selector |= bit; else *selector &= ~bit;
805
}
806
break; /* Out of loop to match selector name */
807
}
808
}
809
if (c < 0) end = middle; else start = middle + 1;
810
} /* Loop to match selector name */
811
812
if (start >= end)
813
{
814
errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
815
adding? '+' : '-', len, s);
816
goto ERROR_RETURN;
817
}
818
} /* Loop for selector names */
819
820
/* Handle disasters */
821
822
ERROR_RETURN:
823
if (Ustrcmp(which, "debug") == 0)
824
{
825
fprintf(stderr, "exim: %s\n", errmsg);
826
exit(EXIT_FAILURE);
827
}
828
else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
829
}
830
831
832
833
/*************************************************
834
* Show supported features *
835
*************************************************/
836
837
/* This function is called for -bV and for -d to output the optional features
838
of the current Exim binary.
839
840
Arguments: a FILE for printing
841
Returns: nothing
842
*/
843
844
static void
845
show_whats_supported(FILE *f)
846
{
847
#ifdef DB_VERSION_STRING
848
fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
849
#elif defined(BTREEVERSION) && defined(HASHVERSION)
850
#ifdef USE_DB
851
fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
852
#else
853
fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
854
#endif
855
#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
856
fprintf(f, "Probably ndbm\n");
857
#elif defined(USE_TDB)
858
fprintf(f, "Using tdb\n");
859
#else
860
#ifdef USE_GDBM
861
fprintf(f, "Probably GDBM (native mode)\n");
862
#else
863
fprintf(f, "Probably GDBM (compatibility mode)\n");
864
#endif
865
#endif
866
867
fprintf(f, "Support for:");
868
#ifdef SUPPORT_CRYPTEQ
869
fprintf(f, " crypteq");
870
#endif
871
#if HAVE_ICONV
872
fprintf(f, " iconv()");
873
#endif
874
#if HAVE_IPV6
875
fprintf(f, " IPv6");
876
#endif
877
#ifdef HAVE_SETCLASSRESOURCES
878
fprintf(f, " use_setclassresources");
879
#endif
880
#ifdef SUPPORT_PAM
881
fprintf(f, " PAM");
882
#endif
883
#ifdef EXIM_PERL
884
fprintf(f, " Perl");
885
#endif
886
#ifdef EXPAND_DLFUNC
887
fprintf(f, " Expand_dlfunc");
888
#endif
889
#ifdef USE_TCP_WRAPPERS
890
fprintf(f, " TCPwrappers");
891
#endif
892
#ifdef SUPPORT_TLS
893
#ifdef USE_GNUTLS
894
fprintf(f, " GnuTLS");
895
#else
896
fprintf(f, " OpenSSL");
897
#endif
898
#endif
899
#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
900
fprintf(f, " translate_ip_address");
901
#endif
902
#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
903
fprintf(f, " move_frozen_messages");
904
#endif
905
#ifdef WITH_CONTENT_SCAN
906
fprintf(f, " Content_Scanning");
907
#endif
908
#ifndef DISABLE_DKIM
909
fprintf(f, " DKIM");
910
#endif
911
#ifdef WITH_OLD_DEMIME
912
fprintf(f, " Old_Demime");
913
#endif
914
#ifdef EXPERIMENTAL_SPF
915
fprintf(f, " Experimental_SPF");
916
#endif
917
#ifdef EXPERIMENTAL_SRS
918
fprintf(f, " Experimental_SRS");
919
#endif
920
#ifdef EXPERIMENTAL_BRIGHTMAIL
921
fprintf(f, " Experimental_Brightmail");
922
#endif
923
#ifdef EXPERIMENTAL_DCC
924
fprintf(f, " Experimental_DCC");
925
#endif
926
fprintf(f, "\n");
927
928
fprintf(f, "Lookups:");
929
#ifdef LOOKUP_LSEARCH
930
fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
931
#endif
932
#ifdef LOOKUP_CDB
933
fprintf(f, " cdb");
934
#endif
935
#ifdef LOOKUP_DBM
936
fprintf(f, " dbm dbmnz");
937
#endif
938
#ifdef LOOKUP_DNSDB
939
fprintf(f, " dnsdb");
940
#endif
941
#ifdef LOOKUP_DSEARCH
942
fprintf(f, " dsearch");
943
#endif
944
#ifdef LOOKUP_IBASE
945
fprintf(f, " ibase");
946
#endif
947
#ifdef LOOKUP_LDAP
948
fprintf(f, " ldap ldapdn ldapm");
949
#endif
950
#ifdef LOOKUP_MYSQL
951
fprintf(f, " mysql");
952
#endif
953
#ifdef LOOKUP_NIS
954
fprintf(f, " nis nis0");
955
#endif
956
#ifdef LOOKUP_NISPLUS
957
fprintf(f, " nisplus");
958
#endif
959
#ifdef LOOKUP_ORACLE
960
fprintf(f, " oracle");
961
#endif
962
#ifdef LOOKUP_PASSWD
963
fprintf(f, " passwd");
964
#endif
965
#ifdef LOOKUP_PGSQL
966
fprintf(f, " pgsql");
967
#endif
968
#ifdef LOOKUP_SQLITE
969
fprintf(f, " sqlite");
970
#endif
971
#ifdef LOOKUP_TESTDB
972
fprintf(f, " testdb");
973
#endif
974
#ifdef LOOKUP_WHOSON
975
fprintf(f, " whoson");
976
#endif
977
fprintf(f, "\n");
978
979
fprintf(f, "Authenticators:");
980
#ifdef AUTH_CRAM_MD5
981
fprintf(f, " cram_md5");
982
#endif
983
#ifdef AUTH_CYRUS_SASL
984
fprintf(f, " cyrus_sasl");
985
#endif
986
#ifdef AUTH_DOVECOT
987
fprintf(f, " dovecot");
988
#endif
989
#ifdef AUTH_PLAINTEXT
990
fprintf(f, " plaintext");
991
#endif
992
#ifdef AUTH_SPA
993
fprintf(f, " spa");
994
#endif
995
fprintf(f, "\n");
996
997
fprintf(f, "Routers:");
998
#ifdef ROUTER_ACCEPT
999
fprintf(f, " accept");
1000
#endif
1001
#ifdef ROUTER_DNSLOOKUP
1002
fprintf(f, " dnslookup");
1003
#endif
1004
#ifdef ROUTER_IPLITERAL
1005
fprintf(f, " ipliteral");
1006
#endif
1007
#ifdef ROUTER_IPLOOKUP
1008
fprintf(f, " iplookup");
1009
#endif
1010
#ifdef ROUTER_MANUALROUTE
1011
fprintf(f, " manualroute");
1012
#endif
1013
#ifdef ROUTER_QUERYPROGRAM
1014
fprintf(f, " queryprogram");
1015
#endif
1016
#ifdef ROUTER_REDIRECT
1017
fprintf(f, " redirect");
1018
#endif
1019
fprintf(f, "\n");
1020
1021
fprintf(f, "Transports:");
1022
#ifdef TRANSPORT_APPENDFILE
1023
fprintf(f, " appendfile");
1024
#ifdef SUPPORT_MAILDIR
1025
fprintf(f, "/maildir");
1026
#endif
1027
#ifdef SUPPORT_MAILSTORE
1028
fprintf(f, "/mailstore");
1029
#endif
1030
#ifdef SUPPORT_MBX
1031
fprintf(f, "/mbx");
1032
#endif
1033
#endif
1034
#ifdef TRANSPORT_AUTOREPLY
1035
fprintf(f, " autoreply");
1036
#endif
1037
#ifdef TRANSPORT_LMTP
1038
fprintf(f, " lmtp");
1039
#endif
1040
#ifdef TRANSPORT_PIPE
1041
fprintf(f, " pipe");
1042
#endif
1043
#ifdef TRANSPORT_SMTP
1044
fprintf(f, " smtp");
1045
#endif
1046
fprintf(f, "\n");
1047
1048
if (fixed_never_users[0] > 0)
1049
{
1050
int i;
1051
fprintf(f, "Fixed never_users: ");
1052
for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
1053
fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
1054
fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
1055
}
1056
1057
fprintf(f, "Size of off_t: %d\n", sizeof(off_t));
1058
1059
/* This runtime check is to help diagnose library linkage mismatches which
1060
result in segfaults and the like; as such, it's left until the end,
1061
just in case. There will still be a "Configuration file is" line still to
1062
come. */
1063
#ifdef SUPPORT_TLS
1064
tls_version_report(f);
1065
#endif
1066
}
1067
1068
1069
1070
1071
/*************************************************
1072
* Quote a local part *
1073
*************************************************/
1074
1075
/* This function is used when a sender address or a From: or Sender: header
1076
line is being created from the caller's login, or from an authenticated_id. It
1077
applies appropriate quoting rules for a local part.
1078
1079
Argument: the local part
1080
Returns: the local part, quoted if necessary
1081
*/
1082
1083
uschar *
1084
local_part_quote(uschar *lpart)
1085
{
1086
BOOL needs_quote = FALSE;
1087
int size, ptr;
1088
uschar *yield;
1089
uschar *t;
1090
1091
for (t = lpart; !needs_quote && *t != 0; t++)
1092
{
1093
needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1094
(*t != '.' || t == lpart || t[1] == 0);
1095
}
1096
1097
if (!needs_quote) return lpart;
1098
1099
size = ptr = 0;
1100
yield = string_cat(NULL, &size, &ptr, US"\"", 1);
1101
1102
for (;;)
1103
{
1104
uschar *nq = US Ustrpbrk(lpart, "\\\"");
1105
if (nq == NULL)
1106
{
1107
yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart));
1108
break;
1109
}
1110
yield = string_cat(yield, &size, &ptr, lpart, nq - lpart);
1111
yield = string_cat(yield, &size, &ptr, US"\\", 1);
1112
yield = string_cat(yield, &size, &ptr, nq, 1);
1113
lpart = nq + 1;
1114
}
1115
1116
yield = string_cat(yield, &size, &ptr, US"\"", 1);
1117
yield[ptr] = 0;
1118
return yield;
1119
}
1120
1121
1122
1123
#ifdef USE_READLINE
1124
/*************************************************
1125
* Load readline() functions *
1126
*************************************************/
1127
1128
/* This function is called from testing executions that read data from stdin,
1129
but only when running as the calling user. Currently, only -be does this. The
1130
function loads the readline() function library and passes back the functions.
1131
On some systems, it needs the curses library, so load that too, but try without
1132
it if loading fails. All this functionality has to be requested at build time.
1133
1134
Arguments:
1135
fn_readline_ptr pointer to where to put the readline pointer
1136
fn_addhist_ptr pointer to where to put the addhistory function
1137
1138
Returns: the dlopen handle or NULL on failure
1139
*/
1140
1141
static void *
1142
set_readline(char * (**fn_readline_ptr)(char *),
1143
char * (**fn_addhist_ptr)(char *))
1144
{
1145
void *dlhandle;
1146
void *dlhandle_curses = dlopen("libcurses.so", RTLD_GLOBAL|RTLD_LAZY);
1147
1148
dlhandle = dlopen("libreadline.so", RTLD_GLOBAL|RTLD_NOW);
1149
if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1150
1151
if (dlhandle != NULL)
1152
{
1153
*fn_readline_ptr = (char *(*)(char*))dlsym(dlhandle, "readline");
1154
*fn_addhist_ptr = (char *(*)(char*))dlsym(dlhandle, "add_history");
1155
}
1156
else
1157
{
1158
DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1159
}
1160
1161
return dlhandle;
1162
}
1163
#endif
1164
1165
1166
1167
/*************************************************
1168
* Get a line from stdin for testing things *
1169
*************************************************/
1170
1171
/* This function is called when running tests that can take a number of lines
1172
of input (for example, -be and -bt). It handles continuations and trailing
1173
spaces. And prompting and a blank line output on eof. If readline() is in use,
1174
the arguments are non-NULL and provide the relevant functions.
1175
1176
Arguments:
1177
fn_readline readline function or NULL
1178
fn_addhist addhist function or NULL
1179
1180
Returns: pointer to dynamic memory, or NULL at end of file
1181
*/
1182
1183
static uschar *
1184
get_stdinput(char *(*fn_readline)(char *), char *(*fn_addhist)(char *))
1185
{
1186
int i;
1187
int size = 0;
1188
int ptr = 0;
1189
uschar *yield = NULL;
1190
1191
if (fn_readline == NULL) { printf("> "); fflush(stdout); }
1192
1193
for (i = 0;; i++)
1194
{
1195
uschar buffer[1024];
1196
uschar *p, *ss;
1197
1198
#ifdef USE_READLINE
1199
char *readline_line = NULL;
1200
if (fn_readline != NULL)
1201
{
1202
if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1203
if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1204
p = US readline_line;
1205
}
1206
else
1207
#endif
1208
1209
/* readline() not in use */
1210
1211
{
1212
if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1213
p = buffer;
1214
}
1215
1216
/* Handle the line */
1217
1218
ss = p + (int)Ustrlen(p);
1219
while (ss > p && isspace(ss[-1])) ss--;
1220
1221
if (i > 0)
1222
{
1223
while (p < ss && isspace(*p)) p++; /* leading space after cont */
1224
}
1225
1226
yield = string_cat(yield, &size, &ptr, p, ss - p);
1227
1228
#ifdef USE_READLINE
1229
if (fn_readline != NULL) free(readline_line);
1230
#endif
1231
1232
if (ss == p || yield[ptr-1] != '\\')
1233
{
1234
yield[ptr] = 0;
1235
break;
1236
}
1237
yield[--ptr] = 0;
1238
}
1239
1240
if (yield == NULL) printf("\n");
1241
return yield;
1242
}
1243
1244
1245
1246
/*************************************************
1247
* Output usage information for the program *
1248
*************************************************/
1249
1250
/* This function is called when there are no recipients
1251
or a specific --help argument was added.
1252
1253
Arguments:
1254
progname information on what name we were called by
1255
1256
Returns: DOES NOT RETURN
1257
*/
1258
1259
static void
1260
exim_usage(uschar *progname)
1261
{
1262
1263
/* Handle specific program invocation varients */
1264
if (Ustrcmp(progname, US"-mailq") == 0)
1265
{
1266
fprintf(stderr,
1267
"mailq - list the contents of the mail queue\n\n"
1268
"For a list of options, see the Exim documentation.\n");
1269
exit(EXIT_FAILURE);
1270
}
1271
1272
/* Generic usage - we output this whatever happens */
1273
fprintf(stderr,
1274
"Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1275
"not directly from a shell command line. Options and/or arguments control\n"
1276
"what it does when called. For a list of options, see the Exim documentation.\n");
1277
1278
exit(EXIT_FAILURE);
1279
}
1280
1281
1282
1283
/*************************************************
1284
* Validate that the macros given are okay *
1285
*************************************************/
1286
1287
/* Typically, Exim will drop privileges if macros are supplied. In some
1288
cases, we want to not do so.
1289
1290
Arguments: none (macros is a global)
1291
Returns: true if trusted, false otherwise
1292
*/
1293
1294
static BOOL
1295
macros_trusted(void)
1296
{
1297
#ifdef WHITELIST_D_MACROS
1298
macro_item *m;
1299
uschar *whitelisted, *end, *p, **whites, **w;
1300
int white_count, i, n;
1301
size_t len;
1302
BOOL prev_char_item, found;
1303
#endif
1304
1305
if (macros == NULL)
1306
return TRUE;
1307
#ifndef WHITELIST_D_MACROS
1308
return FALSE;
1309
#else
1310
1311
/* We only trust -D overrides for some invoking users:
1312
root, the exim run-time user, the optional config owner user.
1313
I don't know why config-owner would be needed, but since they can own the
1314
config files anyway, there's no security risk to letting them override -D. */
1315
if ( ! ((real_uid == root_uid)
1316
|| (real_uid == exim_uid)
1317
#ifdef CONFIGURE_OWNER
1318
|| (real_uid == config_uid)
1319
#endif
1320
))
1321
{
1322
debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1323
return FALSE;
1324
}
1325
1326
/* Get a list of macros which are whitelisted */
1327
whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1328
prev_char_item = FALSE;
1329
white_count = 0;
1330
for (p = whitelisted; *p != '\0'; ++p)
1331
{
1332
if (*p == ':' || isspace(*p))
1333
{
1334
*p = '\0';
1335
if (prev_char_item)
1336
++white_count;
1337
prev_char_item = FALSE;
1338
continue;
1339
}
1340
if (!prev_char_item)
1341
prev_char_item = TRUE;
1342
}
1343
end = p;
1344
if (prev_char_item)
1345
++white_count;
1346
if (!white_count)
1347
return FALSE;
1348
whites = store_malloc(sizeof(uschar *) * (white_count+1));
1349
for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1350
{
1351
if (*p != '\0')
1352
{
1353
whites[i++] = p;
1354
if (i == white_count)
1355
break;
1356
while (*p != '\0' && p < end)
1357
++p;
1358
}
1359
}
1360
whites[i] = NULL;
1361
1362
/* The list of macros should be very short. Accept the N*M complexity. */
1363
for (m = macros; m != NULL; m = m->next)
1364
{
1365
found = FALSE;
1366
for (w = whites; *w; ++w)
1367
if (Ustrcmp(*w, m->name) == 0)
1368
{
1369
found = TRUE;
1370
break;
1371
}
1372
if (!found)
1373
return FALSE;
1374
if (m->replacement == NULL)
1375
continue;
1376
len = Ustrlen(m->replacement);
1377
if (len == 0)
1378
continue;
1379
n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1380
0, PCRE_EOPT, NULL, 0);
1381
if (n < 0)
1382
{
1383
if (n != PCRE_ERROR_NOMATCH)
1384
debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1385
return FALSE;
1386
}
1387
}
1388
debug_printf("macros_trusted overriden to true by whitelisting\n");
1389
return TRUE;
1390
#endif
1391
}
1392
1393
1394
/*************************************************
1395
* Entry point and high-level code *
1396
*************************************************/
1397
1398
/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1399
the appropriate action. All the necessary functions are present in the one
1400
binary. I originally thought one should split it up, but it turns out that so
1401
much of the apparatus is needed in each chunk that one might as well just have
1402
it all available all the time, which then makes the coding easier as well.
1403
1404
Arguments:
1405
argc count of entries in argv
1406
argv argument strings, with argv[0] being the program name
1407
1408
Returns: EXIT_SUCCESS if terminated successfully
1409
EXIT_FAILURE otherwise, except when a message has been sent
1410
to the sender, and -oee was given
1411
*/
1412
1413
int
1414
main(int argc, char **cargv)
1415
{
1416
uschar **argv = USS cargv;
1417
int arg_receive_timeout = -1;
1418
int arg_smtp_receive_timeout = -1;
1419
int arg_error_handling = error_handling;
1420
int filter_sfd = -1;
1421
int filter_ufd = -1;
1422
int group_count;
1423
int i;
1424
int list_queue_option = 0;
1425
int msg_action = 0;
1426
int msg_action_arg = -1;
1427
int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1428
int queue_only_reason = 0;
1429
#ifdef EXIM_PERL
1430
int perl_start_option = 0;
1431
#endif
1432
int recipients_arg = argc;
1433
int sender_address_domain = 0;
1434
int test_retry_arg = -1;
1435
int test_rewrite_arg = -1;
1436
BOOL arg_queue_only = FALSE;
1437
BOOL bi_option = FALSE;
1438
BOOL checking = FALSE;
1439
BOOL count_queue = FALSE;
1440
BOOL expansion_test = FALSE;
1441
BOOL extract_recipients = FALSE;
1442
BOOL forced_delivery = FALSE;
1443
BOOL f_end_dot = FALSE;
1444
BOOL deliver_give_up = FALSE;
1445
BOOL list_queue = FALSE;
1446
BOOL list_options = FALSE;
1447
BOOL local_queue_only;
1448
BOOL more = TRUE;
1449
BOOL one_msg_action = FALSE;
1450
BOOL queue_only_set = FALSE;
1451
BOOL receiving_message = TRUE;
1452
BOOL sender_ident_set = FALSE;
1453
BOOL session_local_queue_only;
1454
BOOL unprivileged;
1455
BOOL removed_privilege = FALSE;
1456
BOOL usage_wanted = FALSE;
1457
BOOL verify_address_mode = FALSE;
1458
BOOL verify_as_sender = FALSE;
1459
BOOL version_printed = FALSE;
1460
uschar *alias_arg = NULL;
1461
uschar *called_as = US"";
1462
uschar *start_queue_run_id = NULL;
1463
uschar *stop_queue_run_id = NULL;
1464
uschar *expansion_test_message = NULL;
1465
uschar *ftest_domain = NULL;
1466
uschar *ftest_localpart = NULL;
1467
uschar *ftest_prefix = NULL;
1468
uschar *ftest_suffix = NULL;
1469
uschar *real_sender_address;
1470
uschar *originator_home = US"/";
1471
void *reset_point;
1472
1473
struct passwd *pw;
1474
struct stat statbuf;
1475
pid_t passed_qr_pid = (pid_t)0;
1476
int passed_qr_pipe = -1;
1477
gid_t group_list[NGROUPS_MAX];
1478
1479
/* Possible options for -R and -S */
1480
1481
static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1482
1483
/* Need to define this in case we need to change the environment in order
1484
to get rid of a bogus time zone. We have to make it char rather than uschar
1485
because some OS define it in /usr/include/unistd.h. */
1486
1487
extern char **environ;
1488
1489
/* If the Exim user and/or group and/or the configuration file owner/group were
1490
defined by ref:name at build time, we must now find the actual uid/gid values.
1491
This is a feature to make the lives of binary distributors easier. */
1492
1493
#ifdef EXIM_USERNAME
1494
if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1495
{
1496
exim_gid = pw->pw_gid;
1497
}
1498
else
1499
{
1500
fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1501
EXIM_USERNAME);
1502
exit(EXIT_FAILURE);
1503
}
1504
#endif
1505
1506
#ifdef EXIM_GROUPNAME
1507
if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1508
{
1509
fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1510
EXIM_GROUPNAME);
1511
exit(EXIT_FAILURE);
1512
}
1513
#endif
1514
1515
#ifdef CONFIGURE_OWNERNAME
1516
if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1517
{
1518
fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1519
CONFIGURE_OWNERNAME);
1520
exit(EXIT_FAILURE);
1521
}
1522
#endif
1523
1524
/* We default the system_filter_user to be the Exim run-time user, as a
1525
sane non-root value. */
1526
system_filter_uid = exim_uid;
1527
1528
#ifdef CONFIGURE_GROUPNAME
1529
if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1530
{
1531
fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1532
CONFIGURE_GROUPNAME);
1533
exit(EXIT_FAILURE);
1534
}
1535
#endif
1536
1537
/* In the Cygwin environment, some initialization needs doing. It is fudged
1538
in by means of this macro. */
1539
1540
#ifdef OS_INIT
1541
OS_INIT
1542
#endif
1543
1544
/* Check a field which is patched when we are running Exim within its
1545
testing harness; do a fast initial check, and then the whole thing. */
1546
1547
running_in_test_harness =
1548
*running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1549
1550
/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1551
at the start of a program; however, it seems that some environments do not
1552
follow this. A "strange" locale can affect the formatting of timestamps, so we
1553
make quite sure. */
1554
1555
setlocale(LC_ALL, "C");
1556
1557
/* Set up the default handler for timing using alarm(). */
1558
1559
os_non_restarting_signal(SIGALRM, sigalrm_handler);
1560
1561
/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1562
because store_malloc writes a log entry on failure. */
1563
1564
log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
1565
if (log_buffer == NULL)
1566
{
1567
fprintf(stderr, "exim: failed to get store for log buffer\n");
1568
exit(EXIT_FAILURE);
1569
}
1570
1571
/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1572
NULL when the daemon is run and the file is closed. We have to use this
1573
indirection, because some systems don't allow writing to the variable "stderr".
1574
*/
1575
1576
if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1577
1578
/* Arrange for the PCRE regex library to use our store functions. Note that
1579
the normal calls are actually macros that add additional arguments for
1580
debugging purposes so we have to assign specially constructed functions here.
1581
The default is to use store in the stacking pool, but this is overridden in the
1582
regex_must_compile() function. */
1583
1584
pcre_malloc = function_store_get;
1585
pcre_free = function_dummy_free;
1586
1587
/* Ensure there is a big buffer for temporary use in several places. It is put
1588
in malloc store so that it can be freed for enlargement if necessary. */
1589
1590
big_buffer = store_malloc(big_buffer_size);
1591
1592
/* Set up the handler for the data request signal, and set the initial
1593
descriptive text. */
1594
1595
set_process_info("initializing");
1596
os_restarting_signal(SIGUSR1, usr1_handler);
1597
1598
/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1599
in the daemon code. For the rest of Exim's uses, we ignore it. */
1600
1601
signal(SIGHUP, SIG_IGN);
1602
1603
/* We don't want to die on pipe errors as the code is written to handle
1604
the write error instead. */
1605
1606
signal(SIGPIPE, SIG_IGN);
1607
1608
/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1609
set to SIG_IGN. This causes subprocesses that complete before the parent
1610
process waits for them not to hang around, so when Exim calls wait(), nothing
1611
is there. The wait() code has been made robust against this, but let's ensure
1612
that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1613
ending status. We use sigaction rather than plain signal() on those OS where
1614
SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1615
problem on AIX with this.) */
1616
1617
#ifdef SA_NOCLDWAIT
1618
{
1619
struct sigaction act;
1620
act.sa_handler = SIG_DFL;
1621
sigemptyset(&(act.sa_mask));
1622
act.sa_flags = 0;
1623
sigaction(SIGCHLD, &act, NULL);
1624
}
1625
#else
1626
signal(SIGCHLD, SIG_DFL);
1627
#endif
1628
1629
/* Save the arguments for use if we re-exec exim as a daemon after receiving
1630
SIGHUP. */
1631
1632
sighup_argv = argv;
1633
1634
/* Set up the version number. Set up the leading 'E' for the external form of
1635
message ids, set the pointer to the internal form, and initialize it to
1636
indicate no message being processed. */
1637
1638
version_init();
1639
message_id_option[0] = '-';
1640
message_id_external = message_id_option + 1;
1641
message_id_external[0] = 'E';
1642
message_id = message_id_external + 1;
1643
message_id[0] = 0;
1644
1645
/* Set the umask to zero so that any files Exim creates using open() are
1646
created with the modes that it specifies. NOTE: Files created with fopen() have
1647
a problem, which was not recognized till rather late (February 2006). With this
1648
umask, such files will be world writeable. (They are all content scanning files
1649
in the spool directory, which isn't world-accessible, so this is not a
1650
disaster, but it's untidy.) I don't want to change this overall setting,
1651
however, because it will interact badly with the open() calls. Instead, there's
1652
now a function called modefopen() that fiddles with the umask while calling
1653
fopen(). */
1654
1655
(void)umask(0);
1656
1657
/* Precompile the regular expression for matching a message id. Keep this in
1658
step with the code that generates ids in the accept.c module. We need to do
1659
this here, because the -M options check their arguments for syntactic validity
1660
using mac_ismsgid, which uses this. */
1661
1662
regex_ismsgid =
1663
regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1664
1665
/* Precompile the regular expression that is used for matching an SMTP error
1666
code, possibly extended, at the start of an error message. Note that the
1667
terminating whitespace character is included. */
1668
1669
regex_smtp_code =
1670
regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1671
FALSE, TRUE);
1672
1673
#ifdef WHITELIST_D_MACROS
1674
/* Precompile the regular expression used to filter the content of macros
1675
given to -D for permissibility. */
1676
1677
regex_whitelisted_macro =
1678
regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1679
#endif
1680
1681
1682
/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1683
this seems to be a generally accepted convention, since one finds symbolic
1684
links called "mailq" in standard OS configurations. */
1685
1686
if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1687
(namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1688
{
1689
list_queue = TRUE;
1690
receiving_message = FALSE;
1691
called_as = US"-mailq";
1692
}
1693
1694
/* If the program is called as "rmail" treat it as equivalent to
1695
"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1696
i.e. preventing a single dot on a line from terminating the message, and
1697
returning with zero return code, even in cases of error (provided an error
1698
message has been sent). */
1699
1700
if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1701
(namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1702
{
1703
dot_ends = FALSE;
1704
called_as = US"-rmail";
1705
errors_sender_rc = EXIT_SUCCESS;
1706
}
1707
1708
/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1709
this is a smail convention. */
1710
1711
if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1712
(namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1713
{
1714
smtp_input = smtp_batched_input = TRUE;
1715
called_as = US"-rsmtp";
1716
}
1717
1718
/* If the program is called as "runq" treat it as equivalent to "exim -q";
1719
this is a smail convention. */
1720
1721
if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1722
(namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1723
{
1724
queue_interval = 0;
1725
receiving_message = FALSE;
1726
called_as = US"-runq";
1727
}
1728
1729
/* If the program is called as "newaliases" treat it as equivalent to
1730
"exim -bi"; this is a sendmail convention. */
1731
1732
if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1733
(namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1734
{
1735
bi_option = TRUE;
1736
receiving_message = FALSE;
1737
called_as = US"-newaliases";
1738
}
1739
1740
/* Save the original effective uid for a couple of uses later. It should
1741
normally be root, but in some esoteric environments it may not be. */
1742
1743
original_euid = geteuid();
1744
1745
/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1746
to be the same as the real ones. This makes a difference only if Exim is setuid
1747
(or setgid) to something other than root, which could be the case in some
1748
special configurations. */
1749
1750
real_uid = getuid();
1751
real_gid = getgid();
1752
1753
if (real_uid == root_uid)
1754
{
1755
setgid(real_gid);
1756
setuid(real_uid);
1757
}
1758
1759
/* If neither the original real uid nor the original euid was root, Exim is
1760
running in an unprivileged state. */
1761
1762
unprivileged = (real_uid != root_uid && original_euid != root_uid);
1763
1764
/* If the first argument is --help, set usage_wanted and pretend there
1765
are no arguments. This will cause a brief message to be given. We do
1766
the message generation downstream so we can pick up how we were invoked */
1767
1768
if (argc > 1 && Ustrcmp(argv[1], "--help") == 0)
1769
{
1770
argc = 1;
1771
usage_wanted = TRUE;
1772
}
1773
1774
/* Scan the program's arguments. Some can be dealt with right away; others are
1775
simply recorded for checking and handling afterwards. Do a high-level switch
1776
on the second character (the one after '-'), to save some effort. */
1777
1778
for (i = 1; i < argc; i++)
1779
{
1780
BOOL badarg = FALSE;
1781
uschar *arg = argv[i];
1782
uschar *argrest;
1783
int switchchar;
1784
1785
/* An argument not starting with '-' is the start of a recipients list;
1786
break out of the options-scanning loop. */
1787
1788
if (arg[0] != '-')
1789
{
1790
recipients_arg = i;
1791
break;
1792
}
1793
1794
/* An option consistion of -- terminates the options */
1795
1796
if (Ustrcmp(arg, "--") == 0)
1797
{
1798
recipients_arg = i + 1;
1799
break;
1800
}
1801
1802
/* Handle flagged options */
1803
1804
switchchar = arg[1];
1805
argrest = arg+2;
1806
1807
/* Make all -ex options synonymous with -oex arguments, since that
1808
is assumed by various callers. Also make -qR options synonymous with -R
1809
options, as that seems to be required as well. Allow for -qqR too, and
1810
the same for -S options. */
1811
1812
if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1813
Ustrncmp(arg+1, "qR", 2) == 0 ||
1814
Ustrncmp(arg+1, "qS", 2) == 0)
1815
{
1816
switchchar = arg[2];
1817
argrest++;
1818
}
1819
else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1820
{
1821
switchchar = arg[3];
1822
argrest += 2;
1823
queue_2stage = TRUE;
1824
}
1825
1826
/* Make -r synonymous with -f, since it is a documented alias */
1827
1828
else if (arg[1] == 'r') switchchar = 'f';
1829
1830
/* Make -ov synonymous with -v */
1831
1832
else if (Ustrcmp(arg, "-ov") == 0)
1833
{
1834
switchchar = 'v';
1835
argrest++;
1836
}
1837
1838
/* High-level switch on active initial letter */
1839
1840
switch(switchchar)
1841
{
1842
/* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1843
so has no need of it. */
1844
1845
case 'B':
1846
if (*argrest == 0) i++; /* Skip over the type */
1847
break;
1848
1849
1850
case 'b':
1851
receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1852
1853
/* -bd: Run in daemon mode, awaiting SMTP connections.
1854
-bdf: Ditto, but in the foreground.
1855
*/
1856
1857
if (*argrest == 'd')
1858
{
1859
daemon_listen = TRUE;
1860
if (*(++argrest) == 'f') background_daemon = FALSE;
1861
else if (*argrest != 0) { badarg = TRUE; break; }
1862
}
1863
1864
/* -be: Run in expansion test mode
1865
-bem: Ditto, but read a message from a file first
1866
*/
1867
1868
else if (*argrest == 'e')
1869
{
1870
expansion_test = checking = TRUE;
1871
if (argrest[1] == 'm')
1872
{
1873
if (++i >= argc) { badarg = TRUE; break; }
1874
expansion_test_message = argv[i];
1875
argrest++;
1876
}
1877
if (argrest[1] != 0) { badarg = TRUE; break; }
1878
}
1879
1880
/* -bF: Run system filter test */
1881
1882
else if (*argrest == 'F')
1883
{
1884
filter_test |= FTEST_SYSTEM;
1885
if (*(++argrest) != 0) { badarg = TRUE; break; }
1886
if (++i < argc) filter_test_sfile = argv[i]; else
1887
{
1888
fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1889
exit(EXIT_FAILURE);
1890
}
1891
}
1892
1893
/* -bf: Run user filter test
1894
-bfd: Set domain for filter testing
1895
-bfl: Set local part for filter testing
1896
-bfp: Set prefix for filter testing
1897
-bfs: Set suffix for filter testing
1898
*/
1899
1900
else if (*argrest == 'f')
1901
{
1902
if (*(++argrest) == 0)
1903
{
1904
filter_test |= FTEST_USER;
1905
if (++i < argc) filter_test_ufile = argv[i]; else
1906
{
1907
fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1908
exit(EXIT_FAILURE);
1909
}
1910
}
1911
else
1912
{
1913
if (++i >= argc)
1914
{
1915
fprintf(stderr, "exim: string expected after %s\n", arg);
1916
exit(EXIT_FAILURE);
1917
}
1918
if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
1919
else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
1920
else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
1921
else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
1922
else { badarg = TRUE; break; }
1923
}
1924
}
1925
1926
/* -bh: Host checking - an IP address must follow. */
1927
1928
else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
1929
{
1930
if (++i >= argc) { badarg = TRUE; break; }
1931
sender_host_address = argv[i];
1932
host_checking = checking = log_testing_mode = TRUE;
1933
host_checking_callout = argrest[1] == 'c';
1934
}
1935
1936
/* -bi: This option is used by sendmail to initialize *the* alias file,
1937
though it has the -oA option to specify a different file. Exim has no
1938
concept of *the* alias file, but since Sun's YP make script calls
1939
sendmail this way, some support must be provided. */
1940
1941
else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
1942
1943
/* -bm: Accept and deliver message - the default option. Reinstate
1944
receiving_message, which got turned off for all -b options. */
1945
1946
else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
1947
1948
/* -bnq: For locally originating messages, do not qualify unqualified
1949
addresses. In the envelope, this causes errors; in header lines they
1950
just get left. */
1951
1952
else if (Ustrcmp(argrest, "nq") == 0)
1953
{
1954
allow_unqualified_sender = FALSE;
1955
allow_unqualified_recipient = FALSE;
1956
}
1957
1958
/* -bpxx: List the contents of the mail queue, in various forms. If
1959
the option is -bpc, just a queue count is needed. Otherwise, if the
1960
first letter after p is r, then order is random. */
1961
1962
else if (*argrest == 'p')
1963
{
1964
if (*(++argrest) == 'c')
1965
{
1966
count_queue = TRUE;
1967
if (*(++argrest) != 0) badarg = TRUE;
1968
break;
1969
}
1970
1971
if (*argrest == 'r')
1972
{
1973
list_queue_option = 8;
1974
argrest++;
1975
}
1976
else list_queue_option = 0;
1977
1978
list_queue = TRUE;
1979
1980
/* -bp: List the contents of the mail queue, top-level only */
1981
1982
if (*argrest == 0) {}
1983
1984
/* -bpu: List the contents of the mail queue, top-level undelivered */
1985
1986
else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
1987
1988
/* -bpa: List the contents of the mail queue, including all delivered */
1989
1990
else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
1991
1992
/* Unknown after -bp[r] */
1993
1994
else
1995
{
1996
badarg = TRUE;
1997
break;
1998
}
1999
}
2000
2001
2002
/* -bP: List the configuration variables given as the address list.
2003
Force -v, so configuration errors get displayed. */
2004
2005
else if (Ustrcmp(argrest, "P") == 0)
2006
{
2007
list_options = TRUE;
2008
debug_selector |= D_v;
2009
debug_file = stderr;
2010
}
2011
2012
/* -brt: Test retry configuration lookup */
2013
2014
else if (Ustrcmp(argrest, "rt") == 0)
2015
{
2016
test_retry_arg = i + 1;
2017
goto END_ARG;
2018
}
2019
2020
/* -brw: Test rewrite configuration */
2021
2022
else if (Ustrcmp(argrest, "rw") == 0)
2023
{
2024
test_rewrite_arg = i + 1;
2025
goto END_ARG;
2026
}
2027
2028
/* -bS: Read SMTP commands on standard input, but produce no replies -
2029
all errors are reported by sending messages. */
2030
2031
else if (Ustrcmp(argrest, "S") == 0)
2032
smtp_input = smtp_batched_input = receiving_message = TRUE;
2033
2034
/* -bs: Read SMTP commands on standard input and produce SMTP replies
2035
on standard output. */
2036
2037
else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2038
2039
/* -bt: address testing mode */
2040
2041
else if (Ustrcmp(argrest, "t") == 0)
2042
address_test_mode = checking = log_testing_mode = TRUE;
2043
2044
/* -bv: verify addresses */
2045
2046
else if (Ustrcmp(argrest, "v") == 0)
2047
verify_address_mode = checking = log_testing_mode = TRUE;
2048
2049
/* -bvs: verify sender addresses */
2050
2051
else if (Ustrcmp(argrest, "vs") == 0)
2052
{
2053
verify_address_mode = checking = log_testing_mode = TRUE;
2054
verify_as_sender = TRUE;
2055
}
2056
2057
/* -bV: Print version string and support details */
2058
2059
else if (Ustrcmp(argrest, "V") == 0)
2060
{
2061
printf("Exim version %s #%s built %s\n", version_string,
2062
version_cnumber, version_date);
2063
printf("%s\n", CS version_copyright);
2064
version_printed = TRUE;
2065
show_whats_supported(stdout);
2066
}
2067
2068
else badarg = TRUE;
2069
break;
2070
2071
2072
/* -C: change configuration file list; ignore if it isn't really
2073
a change! Enforce a prefix check if required. */
2074
2075
case 'C':
2076
if (*argrest == 0)
2077
{
2078
if(++i < argc) argrest = argv[i]; else
2079
{ badarg = TRUE; break; }
2080
}
2081
if (Ustrcmp(config_main_filelist, argrest) != 0)
2082
{
2083
#ifdef ALT_CONFIG_PREFIX
2084
int sep = 0;
2085
int len = Ustrlen(ALT_CONFIG_PREFIX);
2086
uschar *list = argrest;
2087
uschar *filename;
2088
while((filename = string_nextinlist(&list, &sep, big_buffer,
2089
big_buffer_size)) != NULL)
2090
{
2091
if ((Ustrlen(filename) < len ||
2092
Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2093
Ustrstr(filename, "/../") != NULL) &&
2094
(Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2095
{
2096
fprintf(stderr, "-C Permission denied\n");
2097
exit(EXIT_FAILURE);
2098
}
2099
}
2100
#endif
2101
if (real_uid != root_uid)
2102
{
2103
#ifdef TRUSTED_CONFIG_LIST
2104
2105
if (real_uid != exim_uid
2106
#ifdef CONFIGURE_OWNER
2107
&& real_uid != config_uid
2108
#endif
2109
)
2110
trusted_config = FALSE;
2111
else
2112
{
2113
FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2114
if (trust_list)
2115
{
2116
struct stat statbuf;
2117
2118
if (fstat(fileno(trust_list), &statbuf) != 0 ||
2119
(statbuf.st_uid != root_uid /* owner not root */
2120
#ifdef CONFIGURE_OWNER
2121
&& statbuf.st_uid != config_uid /* owner not the special one */
2122
#endif
2123
) || /* or */
2124
(statbuf.st_gid != root_gid /* group not root */
2125
#ifdef CONFIGURE_GROUP
2126
&& statbuf.st_gid != config_gid /* group not the special one */
2127
#endif
2128
&& (statbuf.st_mode & 020) != 0 /* group writeable */
2129
) || /* or */
2130
(statbuf.st_mode & 2) != 0) /* world writeable */
2131
{
2132
trusted_config = FALSE;
2133
fclose(trust_list);
2134
}
2135
else
2136
{
2137
/* Well, the trust list at least is up to scratch... */
2138
void *reset_point = store_get(0);
2139
uschar *trusted_configs[32];
2140
int nr_configs = 0;
2141
int i = 0;
2142
2143
while (Ufgets(big_buffer, big_buffer_size, trust_list))
2144
{
2145
uschar *start = big_buffer, *nl;
2146
while (*start && isspace(*start))
2147
start++;
2148
if (*start != '/')
2149
continue;
2150
nl = Ustrchr(start, '\n');
2151
if (nl)
2152
*nl = 0;
2153
trusted_configs[nr_configs++] = string_copy(start);
2154
if (nr_configs == 32)
2155
break;
2156
}
2157
fclose(trust_list);
2158
2159
if (nr_configs)
2160
{
2161
int sep = 0;
2162
uschar *list = argrest;
2163
uschar *filename;
2164
while (trusted_config && (filename = string_nextinlist(&list,
2165
&sep, big_buffer, big_buffer_size)) != NULL)
2166
{
2167
for (i=0; i < nr_configs; i++)
2168
{
2169
if (Ustrcmp(filename, trusted_configs[i]) == 0)
2170
break;
2171
}
2172
if (i == nr_configs)
2173
{
2174
trusted_config = FALSE;
2175
break;
2176
}
2177
}
2178
store_reset(reset_point);
2179
}
2180
else
2181
{
2182
/* No valid prefixes found in trust_list file. */
2183
trusted_config = FALSE;
2184
}
2185
}
2186
}
2187
else
2188
{
2189
/* Could not open trust_list file. */
2190
trusted_config = FALSE;
2191
}
2192
}
2193
#else
2194
/* Not root; don't trust config */
2195
trusted_config = FALSE;
2196
#endif
2197
}
2198
2199
config_main_filelist = argrest;
2200
config_changed = TRUE;
2201
}
2202
break;
2203
2204
2205
/* -D: set up a macro definition */
2206
2207
case 'D':
2208
#ifdef DISABLE_D_OPTION
2209
fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2210
exit(EXIT_FAILURE);
2211
#else
2212
{
2213
int ptr = 0;
2214
macro_item *mlast = NULL;
2215
macro_item *m;
2216
uschar name[24];
2217
uschar *s = argrest;
2218
2219
while (isspace(*s)) s++;
2220
2221
if (*s < 'A' || *s > 'Z')
2222
{
2223
fprintf(stderr, "exim: macro name set by -D must start with "
2224
"an upper case letter\n");
2225
exit(EXIT_FAILURE);
2226
}
2227
2228
while (isalnum(*s) || *s == '_')
2229
{
2230
if (ptr < sizeof(name)-1) name[ptr++] = *s;
2231
s++;
2232
}
2233
name[ptr] = 0;
2234
if (ptr == 0) { badarg = TRUE; break; }
2235
while (isspace(*s)) s++;
2236
if (*s != 0)
2237
{
2238
if (*s++ != '=') { badarg = TRUE; break; }
2239
while (isspace(*s)) s++;
2240
}
2241
2242
for (m = macros; m != NULL; m = m->next)
2243
{
2244
if (Ustrcmp(m->name, name) == 0)
2245
{
2246
fprintf(stderr, "exim: duplicated -D in command line\n");
2247
exit(EXIT_FAILURE);
2248
}
2249
mlast = m;
2250
}
2251
2252
m = store_get(sizeof(macro_item) + Ustrlen(name));
2253
m->next = NULL;
2254
m->command_line = TRUE;
2255
if (mlast == NULL) macros = m; else mlast->next = m;
2256
Ustrcpy(m->name, name);
2257
m->replacement = string_copy(s);
2258
2259
if (clmacro_count >= MAX_CLMACROS)
2260
{
2261
fprintf(stderr, "exim: too many -D options on command line\n");
2262
exit(EXIT_FAILURE);
2263
}
2264
clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2265
m->replacement);
2266
}
2267
#endif
2268
break;
2269
2270
/* -d: Set debug level (see also -v below) or set the drop_cr option.
2271
The latter is now a no-op, retained for compatibility only. If -dd is used,
2272
debugging subprocesses of the daemon is disabled. */
2273
2274
case 'd':
2275
if (Ustrcmp(argrest, "ropcr") == 0)
2276
{
2277
/* drop_cr = TRUE; */
2278
}
2279
2280
/* Use an intermediate variable so that we don't set debugging while
2281
decoding the debugging bits. */
2282
2283
else
2284
{
2285
unsigned int selector = D_default;
2286
debug_selector = 0;
2287
debug_file = NULL;
2288
if (*argrest == 'd')
2289
{
2290
debug_daemon = TRUE;
2291
argrest++;
2292
}
2293
if (*argrest != 0)
2294
decode_bits(&selector, NULL, D_memory, 0, argrest, debug_options,
2295
debug_options_count, US"debug");
2296
debug_selector = selector;
2297
}
2298
break;
2299
2300
2301
/* -E: This is a local error message. This option is not intended for
2302
external use at all, but is not restricted to trusted callers because it
2303
does no harm (just suppresses certain error messages) and if Exim is run
2304
not setuid root it won't always be trusted when it generates error
2305
messages using this option. If there is a message id following -E, point
2306
message_reference at it, for logging. */
2307
2308
case 'E':
2309
local_error_message = TRUE;
2310
if (mac_ismsgid(argrest)) message_reference = argrest;
2311
break;
2312
2313
2314
/* -ex: The vacation program calls sendmail with the undocumented "-eq"
2315
option, so it looks as if historically the -oex options are also callable
2316
without the leading -o. So we have to accept them. Before the switch,
2317
anything starting -oe has been converted to -e. Exim does not support all
2318
of the sendmail error options. */
2319
2320
case 'e':
2321
if (Ustrcmp(argrest, "e") == 0)
2322
{
2323
arg_error_handling = ERRORS_SENDER;
2324
errors_sender_rc = EXIT_SUCCESS;
2325
}
2326
else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2327
else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2328
else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2329
else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2330
else badarg = TRUE;
2331
break;
2332
2333
2334
/* -F: Set sender's full name, used instead of the gecos entry from
2335
the password file. Since users can usually alter their gecos entries,
2336
there's no security involved in using this instead. The data can follow
2337
the -F or be in the next argument. */
2338
2339
case 'F':
2340
if (*argrest == 0)
2341
{
2342
if(++i < argc) argrest = argv[i]; else
2343
{ badarg = TRUE; break; }
2344
}
2345
originator_name = argrest;
2346
sender_name_forced = TRUE;
2347
break;
2348
2349
2350
/* -f: Set sender's address - this value is only actually used if Exim is
2351
run by a trusted user, or if untrusted_set_sender is set and matches the
2352
address, except that the null address can always be set by any user. The
2353
test for this happens later, when the value given here is ignored when not
2354
permitted. For an untrusted user, the actual sender is still put in Sender:
2355
if it doesn't match the From: header (unless no_local_from_check is set).
2356
The data can follow the -f or be in the next argument. The -r switch is an
2357
obsolete form of -f but since there appear to be programs out there that
2358
use anything that sendmail has ever supported, better accept it - the
2359
synonymizing is done before the switch above.
2360
2361
At this stage, we must allow domain literal addresses, because we don't
2362
know what the setting of allow_domain_literals is yet. Ditto for trailing
2363
dots and strip_trailing_dot. */
2364
2365
case 'f':
2366
{
2367
int start, end;
2368
uschar *errmess;
2369
if (*argrest == 0)
2370
{
2371
if (i+1 < argc) argrest = argv[++i]; else
2372
{ badarg = TRUE; break; }
2373
}
2374
if (*argrest == 0)
2375
{
2376
sender_address = string_sprintf(""); /* Ensure writeable memory */
2377
}
2378
else
2379
{
2380
uschar *temp = argrest + Ustrlen(argrest) - 1;
2381
while (temp >= argrest && isspace(*temp)) temp--;
2382
if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2383
allow_domain_literals = TRUE;
2384
strip_trailing_dot = TRUE;
2385
sender_address = parse_extract_address(argrest, &errmess, &start, &end,
2386
&sender_address_domain, TRUE);
2387
allow_domain_literals = FALSE;
2388
strip_trailing_dot = FALSE;
2389
if (sender_address == NULL)
2390
{
2391
fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2392
return EXIT_FAILURE;
2393
}
2394
}
2395
sender_address_forced = TRUE;
2396
}
2397
break;
2398
2399
/* This is some Sendmail thing which can be ignored */
2400
2401
case 'G':
2402
break;
2403
2404
/* -h: Set the hop count for an incoming message. Exim does not currently
2405
support this; it always computes it by counting the Received: headers.
2406
To put it in will require a change to the spool header file format. */
2407
2408
case 'h':
2409
if (*argrest == 0)
2410
{
2411
if(++i < argc) argrest = argv[i]; else
2412
{ badarg = TRUE; break; }
2413
}
2414
if (!isdigit(*argrest)) badarg = TRUE;
2415
break;
2416
2417
2418
/* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2419
not to be documented for sendmail but mailx (at least) uses it) */
2420
2421
case 'i':
2422
if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2423
break;
2424
2425
2426
case 'M':
2427
receiving_message = FALSE;
2428
2429
/* -MC: continue delivery of another message via an existing open
2430
file descriptor. This option is used for an internal call by the
2431
smtp transport when there is a pending message waiting to go to an
2432
address to which it has got a connection. Five subsequent arguments are
2433
required: transport name, host name, IP address, sequence number, and
2434
message_id. Transports may decline to create new processes if the sequence
2435
number gets too big. The channel is stdin. This (-MC) must be the last
2436
argument. There's a subsequent check that the real-uid is privileged.
2437
2438
If we are running in the test harness. delay for a bit, to let the process
2439
that set this one up complete. This makes for repeatability of the logging,
2440
etc. output. */
2441
2442
if (Ustrcmp(argrest, "C") == 0)
2443
{
2444
union sockaddr_46 interface_sock;
2445
EXIM_SOCKLEN_T size = sizeof(interface_sock);
2446
2447
if (argc != i + 6)
2448
{
2449
fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2450
return EXIT_FAILURE;
2451
}
2452
2453
if (msg_action_arg >= 0)
2454
{
2455
fprintf(stderr, "exim: incompatible arguments\n");
2456
return EXIT_FAILURE;
2457
}
2458
2459
continue_transport = argv[++i];
2460
continue_hostname = argv[++i];
2461
continue_host_address = argv[++i];
2462
continue_sequence = Uatoi(argv[++i]);
2463
msg_action = MSG_DELIVER;
2464
msg_action_arg = ++i;
2465
forced_delivery = TRUE;
2466
queue_run_pid = passed_qr_pid;
2467
queue_run_pipe = passed_qr_pipe;
2468
2469
if (!mac_ismsgid(argv[i]))
2470
{
2471
fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2472
argv[i]);
2473
return EXIT_FAILURE;
2474
}
2475
2476
/* Set up $sending_ip_address and $sending_port */
2477
2478
if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2479
&size) == 0)
2480
sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2481
&sending_port);
2482
else
2483
{
2484
fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2485
strerror(errno));
2486
return EXIT_FAILURE;
2487
}
2488
2489
if (running_in_test_harness) millisleep(500);
2490
break;
2491
}
2492
2493
/* -MCA: set the smtp_authenticated flag; this is useful only when it
2494
precedes -MC (see above). The flag indicates that the host to which
2495
Exim is connected has accepted an AUTH sequence. */
2496
2497
else if (Ustrcmp(argrest, "CA") == 0)
2498
{
2499
smtp_authenticated = TRUE;
2500
break;
2501
}
2502
2503
/* -MCP: set the smtp_use_pipelining flag; this is useful only when
2504
it preceded -MC (see above) */
2505
2506
else if (Ustrcmp(argrest, "CP") == 0)
2507
{
2508
smtp_use_pipelining = TRUE;
2509
break;
2510
}
2511
2512
/* -MCQ: pass on the pid of the queue-running process that started
2513
this chain of deliveries and the fd of its synchronizing pipe; this
2514
is useful only when it precedes -MC (see above) */
2515
2516
else if (Ustrcmp(argrest, "CQ") == 0)
2517
{
2518
if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2519
else badarg = TRUE;
2520
if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2521
else badarg = TRUE;
2522
break;
2523
}
2524
2525
/* -MCS: set the smtp_use_size flag; this is useful only when it
2526
precedes -MC (see above) */
2527
2528
else if (Ustrcmp(argrest, "CS") == 0)
2529
{
2530
smtp_use_size = TRUE;
2531
break;
2532
}
2533
2534
/* -MCT: set the tls_offered flag; this is useful only when it
2535
precedes -MC (see above). The flag indicates that the host to which
2536
Exim is connected has offered TLS support. */
2537
2538
#ifdef SUPPORT_TLS
2539
else if (Ustrcmp(argrest, "CT") == 0)
2540
{
2541
tls_offered = TRUE;
2542
break;
2543
}
2544
#endif
2545
2546
/* -M[x]: various operations on the following list of message ids:
2547
-M deliver the messages, ignoring next retry times and thawing
2548
-Mc deliver the messages, checking next retry times, no thawing
2549
-Mf freeze the messages
2550
-Mg give up on the messages
2551
-Mt thaw the messages
2552
-Mrm remove the messages
2553
In the above cases, this must be the last option. There are also the
2554
following options which are followed by a single message id, and which
2555
act on that message. Some of them use the "recipient" addresses as well.
2556
-Mar add recipient(s)
2557
-Mmad mark all recipients delivered
2558
-Mmd mark recipients(s) delivered
2559
-Mes edit sender
2560
-Mset load a message for use with -be
2561
-Mvb show body
2562
-Mvc show copy (of whole message, in RFC 2822 format)
2563
-Mvh show header
2564
-Mvl show log
2565
*/
2566
2567
else if (*argrest == 0)
2568
{
2569
msg_action = MSG_DELIVER;
2570
forced_delivery = deliver_force_thaw = TRUE;
2571
}
2572
else if (Ustrcmp(argrest, "ar") == 0)
2573
{
2574
msg_action = MSG_ADD_RECIPIENT;
2575
one_msg_action = TRUE;
2576
}
2577
else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2578
else if (Ustrcmp(argrest, "es") == 0)
2579
{
2580
msg_action = MSG_EDIT_SENDER;
2581
one_msg_action = TRUE;
2582
}
2583
else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2584
else if (Ustrcmp(argrest, "g") == 0)
2585
{
2586
msg_action = MSG_DELIVER;
2587
deliver_give_up = TRUE;
2588
}
2589
else if (Ustrcmp(argrest, "mad") == 0)
2590
{
2591
msg_action = MSG_MARK_ALL_DELIVERED;
2592
}
2593
else if (Ustrcmp(argrest, "md") == 0)
2594
{
2595
msg_action = MSG_MARK_DELIVERED;
2596
one_msg_action = TRUE;
2597
}
2598
else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2599
else if (Ustrcmp(argrest, "set") == 0)
2600
{
2601
msg_action = MSG_LOAD;
2602
one_msg_action = TRUE;
2603
}
2604
else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2605
else if (Ustrcmp(argrest, "vb") == 0)
2606
{
2607
msg_action = MSG_SHOW_BODY;
2608
one_msg_action = TRUE;
2609
}
2610
else if (Ustrcmp(argrest, "vc") == 0)
2611
{
2612
msg_action = MSG_SHOW_COPY;
2613
one_msg_action = TRUE;
2614
}
2615
else if (Ustrcmp(argrest, "vh") == 0)
2616
{
2617
msg_action = MSG_SHOW_HEADER;
2618
one_msg_action = TRUE;
2619
}
2620
else if (Ustrcmp(argrest, "vl") == 0)
2621
{
2622
msg_action = MSG_SHOW_LOG;
2623
one_msg_action = TRUE;
2624
}
2625
else { badarg = TRUE; break; }
2626
2627
/* All the -Mxx options require at least one message id. */
2628
2629
msg_action_arg = i + 1;
2630
if (msg_action_arg >= argc)
2631
{
2632
fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2633
return EXIT_FAILURE;
2634
}
2635
2636
/* Some require only message ids to follow */
2637
2638
if (!one_msg_action)
2639
{
2640
int j;
2641
for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2642
{
2643
fprintf(stderr, "exim: malformed message id %s after %s option\n",
2644
argv[j], arg);
2645
return EXIT_FAILURE;
2646
}
2647
goto END_ARG; /* Remaining args are ids */
2648
}
2649
2650
/* Others require only one message id, possibly followed by addresses,
2651
which will be handled as normal arguments. */
2652
2653
else
2654
{
2655
if (!mac_ismsgid(argv[msg_action_arg]))
2656
{
2657
fprintf(stderr, "exim: malformed message id %s after %s option\n",
2658
argv[msg_action_arg], arg);
2659
return EXIT_FAILURE;
2660
}
2661
i++;
2662
}
2663
break;
2664
2665
2666
/* Some programs seem to call the -om option without the leading o;
2667
for sendmail it askes for "me too". Exim always does this. */
2668
2669
case 'm':
2670
if (*argrest != 0) badarg = TRUE;
2671
break;
2672
2673
2674
/* -N: don't do delivery - a debugging option that stops transports doing
2675
their thing. It implies debugging at the D_v level. */
2676
2677
case 'N':
2678
if (*argrest == 0)
2679
{
2680
dont_deliver = TRUE;
2681
debug_selector |= D_v;
2682
debug_file = stderr;
2683
}
2684
else badarg = TRUE;
2685
break;
2686
2687
2688
/* -n: This means "don't alias" in sendmail, apparently. Just ignore
2689
it. */
2690
2691
case 'n':
2692
break;
2693
2694
/* -O: Just ignore it. In sendmail, apparently -O option=value means set
2695
option to the specified value. This form uses long names. We need to handle
2696
-O option=value and -Ooption=value. */
2697
2698
case 'O':
2699
if (*argrest == 0)
2700
{
2701
if (++i >= argc)
2702
{
2703
fprintf(stderr, "exim: string expected after -O\n");
2704
exit(EXIT_FAILURE);
2705
}
2706
}
2707
break;
2708
2709
case 'o':
2710
2711
/* -oA: Set an argument for the bi command (sendmail's "alternate alias
2712
file" option). */
2713
2714
if (*argrest == 'A')
2715
{
2716
alias_arg = argrest + 1;
2717
if (alias_arg[0] == 0)
2718
{
2719
if (i+1 < argc) alias_arg = argv[++i]; else
2720
{
2721
fprintf(stderr, "exim: string expected after -oA\n");
2722
exit(EXIT_FAILURE);
2723
}
2724
}
2725
}
2726
2727
/* -oB: Set a connection message max value for remote deliveries */
2728
2729
else if (*argrest == 'B')
2730
{
2731
uschar *p = argrest + 1;
2732
if (p[0] == 0)
2733
{
2734
if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2735
{
2736
connection_max_messages = 1;
2737
p = NULL;
2738
}
2739
}
2740
2741
if (p != NULL)
2742
{
2743
if (!isdigit(*p))
2744
{
2745
fprintf(stderr, "exim: number expected after -oB\n");
2746
exit(EXIT_FAILURE);
2747
}
2748
connection_max_messages = Uatoi(p);
2749
}
2750
}
2751
2752
/* -odb: background delivery */
2753
2754
else if (Ustrcmp(argrest, "db") == 0)
2755
{
2756
synchronous_delivery = FALSE;
2757
arg_queue_only = FALSE;
2758
queue_only_set = TRUE;
2759
}
2760
2761
/* -odf: foreground delivery (smail-compatible option); same effect as
2762
-odi: interactive (synchronous) delivery (sendmail-compatible option)
2763
*/
2764
2765
else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2766
{
2767
synchronous_delivery = TRUE;
2768
arg_queue_only = FALSE;
2769
queue_only_set = TRUE;
2770
}
2771
2772
/* -odq: queue only */
2773
2774
else if (Ustrcmp(argrest, "dq") == 0)
2775
{
2776
synchronous_delivery = FALSE;
2777
arg_queue_only = TRUE;
2778
queue_only_set = TRUE;
2779
}
2780
2781
/* -odqs: queue SMTP only - do local deliveries and remote routing,
2782
but no remote delivery */
2783
2784
else if (Ustrcmp(argrest, "dqs") == 0)
2785
{
2786
queue_smtp = TRUE;
2787
arg_queue_only = FALSE;
2788
queue_only_set = TRUE;
2789
}
2790
2791
/* -oex: Sendmail error flags. As these are also accepted without the
2792
leading -o prefix, for compatibility with vacation and other callers,
2793
they are handled with -e above. */
2794
2795
/* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2796
-oitrue: Another sendmail syntax for the same */
2797
2798
else if (Ustrcmp(argrest, "i") == 0 ||
2799
Ustrcmp(argrest, "itrue") == 0)
2800
dot_ends = FALSE;
2801
2802
/* -oM*: Set various characteristics for an incoming message; actually
2803
acted on for trusted callers only. */
2804
2805
else if (*argrest == 'M')
2806
{
2807
if (i+1 >= argc)
2808
{
2809
fprintf(stderr, "exim: data expected after -o%s\n", argrest);
2810
exit(EXIT_FAILURE);
2811
}
2812
2813
/* -oMa: Set sender host address */
2814
2815
if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2816
2817
/* -oMaa: Set authenticator name */
2818
2819
else if (Ustrcmp(argrest, "Maa") == 0)
2820
sender_host_authenticated = argv[++i];
2821
2822
/* -oMas: setting authenticated sender */
2823
2824
else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2825
2826
/* -oMai: setting authenticated id */
2827
2828
else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2829
2830
/* -oMi: Set incoming interface address */
2831
2832
else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2833
2834
/* -oMr: Received protocol */
2835
2836
else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
2837
2838
/* -oMs: Set sender host name */
2839
2840
else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
2841
2842
/* -oMt: Set sender ident */
2843
2844
else if (Ustrcmp(argrest, "Mt") == 0)
2845
{
2846
sender_ident_set = TRUE;
2847
sender_ident = argv[++i];
2848
}
2849
2850
/* Else a bad argument */
2851
2852
else
2853
{
2854
badarg = TRUE;
2855
break;
2856
}
2857
}
2858
2859
/* -om: Me-too flag for aliases. Exim always does this. Some programs
2860
seem to call this as -m (undocumented), so that is also accepted (see
2861
above). */
2862
2863
else if (Ustrcmp(argrest, "m") == 0) {}
2864
2865
/* -oo: An ancient flag for old-style addresses which still seems to
2866
crop up in some calls (see in SCO). */
2867
2868
else if (Ustrcmp(argrest, "o") == 0) {}
2869
2870
/* -oP <name>: set pid file path for daemon */
2871
2872
else if (Ustrcmp(argrest, "P") == 0)
2873
override_pid_file_path = argv[++i];
2874
2875
/* -or <n>: set timeout for non-SMTP acceptance
2876
-os <n>: set timeout for SMTP acceptance */
2877
2878
else if (*argrest == 'r' || *argrest == 's')
2879
{
2880
int *tp = (*argrest == 'r')?
2881
&arg_receive_timeout : &arg_smtp_receive_timeout;
2882
if (argrest[1] == 0)
2883
{
2884
if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
2885
}
2886
else *tp = readconf_readtime(argrest + 1, 0, FALSE);
2887
if (*tp < 0)
2888
{
2889
fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2890
exit(EXIT_FAILURE);
2891
}
2892
}
2893
2894
/* -oX <list>: Override local_interfaces and/or default daemon ports */
2895
2896
else if (Ustrcmp(argrest, "X") == 0)
2897
override_local_interfaces = argv[++i];
2898
2899
/* Unknown -o argument */
2900
2901
else badarg = TRUE;
2902
break;
2903
2904
2905
/* -ps: force Perl startup; -pd force delayed Perl startup */
2906
2907
case 'p':
2908
#ifdef EXIM_PERL
2909
if (*argrest == 's' && argrest[1] == 0)
2910
{
2911
perl_start_option = 1;
2912
break;
2913
}
2914
if (*argrest == 'd' && argrest[1] == 0)
2915
{
2916
perl_start_option = -1;
2917
break;
2918
}
2919
#endif
2920
2921
/* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
2922
which sets the host protocol and host name */
2923
2924
if (*argrest == 0)
2925
{
2926
if (i+1 < argc) argrest = argv[++i]; else
2927
{ badarg = TRUE; break; }
2928
}
2929
2930
if (*argrest != 0)
2931
{
2932
uschar *hn = Ustrchr(argrest, ':');
2933
if (hn == NULL)
2934
{
2935
received_protocol = argrest;
2936
}
2937
else
2938
{
2939
received_protocol = string_copyn(argrest, hn - argrest);
2940
sender_host_name = hn + 1;
2941
}
2942
}
2943
break;
2944
2945
2946
case 'q':
2947
receiving_message = FALSE;
2948
if (queue_interval >= 0)
2949
{
2950
fprintf(stderr, "exim: -q specified more than once\n");
2951
exit(EXIT_FAILURE);
2952
}
2953
2954
/* -qq...: Do queue runs in a 2-stage manner */
2955
2956
if (*argrest == 'q')
2957
{
2958
queue_2stage = TRUE;
2959
argrest++;
2960
}
2961
2962
/* -qi...: Do only first (initial) deliveries */
2963
2964
if (*argrest == 'i')
2965
{
2966
queue_run_first_delivery = TRUE;
2967
argrest++;
2968
}
2969
2970
/* -qf...: Run the queue, forcing deliveries
2971
-qff..: Ditto, forcing thawing as well */
2972
2973
if (*argrest == 'f')
2974
{
2975
queue_run_force = TRUE;
2976
if (*(++argrest) == 'f')
2977
{
2978
deliver_force_thaw = TRUE;
2979
argrest++;
2980
}
2981
}
2982
2983
/* -q[f][f]l...: Run the queue only on local deliveries */
2984
2985
if (*argrest == 'l')
2986
{
2987
queue_run_local = TRUE;
2988
argrest++;
2989
}
2990
2991
/* -q[f][f][l]: Run the queue, optionally forced, optionally local only,
2992
optionally starting from a given message id. */
2993
2994
if (*argrest == 0 &&
2995
(i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
2996
{
2997
queue_interval = 0;
2998
if (i+1 < argc && mac_ismsgid(argv[i+1]))
2999
start_queue_run_id = argv[++i];
3000
if (i+1 < argc && mac_ismsgid(argv[i+1]))
3001
stop_queue_run_id = argv[++i];
3002
}
3003
3004
/* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced,
3005
optionally local only. */
3006
3007
else
3008
{
3009
if (*argrest != 0)
3010
queue_interval = readconf_readtime(argrest, 0, FALSE);
3011
else
3012
queue_interval = readconf_readtime(argv[++i], 0, FALSE);
3013
if (queue_interval <= 0)
3014
{
3015
fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3016
exit(EXIT_FAILURE);
3017
}
3018
}
3019
break;
3020
3021
3022
case 'R': /* Synonymous with -qR... */
3023
receiving_message = FALSE;
3024
3025
/* -Rf: As -R (below) but force all deliveries,
3026
-Rff: Ditto, but also thaw all frozen messages,
3027
-Rr: String is regex
3028
-Rrf: Regex and force
3029
-Rrff: Regex and force and thaw
3030
3031
in all cases provided there are no further characters in this
3032
argument. */
3033
3034
if (*argrest != 0)
3035
{
3036
int i;
3037
for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3038
{
3039
if (Ustrcmp(argrest, rsopts[i]) == 0)
3040
{
3041
if (i != 2) queue_run_force = TRUE;
3042
if (i >= 2) deliver_selectstring_regex = TRUE;
3043
if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3044
argrest += Ustrlen(rsopts[i]);
3045
}
3046
}
3047
}
3048
3049
/* -R: Set string to match in addresses for forced queue run to
3050
pick out particular messages. */
3051
3052
if (*argrest == 0)
3053
{
3054
if (i+1 < argc) deliver_selectstring = argv[++i]; else
3055
{
3056
fprintf(stderr, "exim: string expected after -R\n");
3057
exit(EXIT_FAILURE);
3058
}
3059
}
3060
else deliver_selectstring = argrest;
3061
break;
3062
3063
3064
/* -r: an obsolete synonym for -f (see above) */
3065
3066
3067
/* -S: Like -R but works on sender. */
3068
3069
case 'S': /* Synonymous with -qS... */
3070
receiving_message = FALSE;
3071
3072
/* -Sf: As -S (below) but force all deliveries,
3073
-Sff: Ditto, but also thaw all frozen messages,
3074
-Sr: String is regex
3075
-Srf: Regex and force
3076
-Srff: Regex and force and thaw
3077
3078
in all cases provided there are no further characters in this
3079
argument. */
3080
3081
if (*argrest != 0)
3082
{
3083
int i;
3084
for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3085
{
3086
if (Ustrcmp(argrest, rsopts[i]) == 0)
3087
{
3088
if (i != 2) queue_run_force = TRUE;
3089
if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3090
if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3091
argrest += Ustrlen(rsopts[i]);
3092
}
3093
}
3094
}
3095
3096
/* -S: Set string to match in addresses for forced queue run to
3097
pick out particular messages. */
3098
3099
if (*argrest == 0)
3100
{
3101
if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else
3102
{
3103
fprintf(stderr, "exim: string expected after -S\n");
3104
exit(EXIT_FAILURE);
3105
}
3106
}
3107
else deliver_selectstring_sender = argrest;
3108
break;
3109
3110
/* -Tqt is an option that is exclusively for use by the testing suite.
3111
It is not recognized in other circumstances. It allows for the setting up
3112
of explicit "queue times" so that various warning/retry things can be
3113
tested. Otherwise variability of clock ticks etc. cause problems. */
3114
3115
case 'T':
3116
if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3117
fudged_queue_times = argv[++i];
3118
else badarg = TRUE;
3119
break;
3120
3121
3122
/* -t: Set flag to extract recipients from body of message. */
3123
3124
case 't':
3125
if (*argrest == 0) extract_recipients = TRUE;
3126
3127
/* -ti: Set flag to extract recipients from body of message, and also
3128
specify that dot does not end the message. */
3129
3130
else if (Ustrcmp(argrest, "i") == 0)
3131
{
3132
extract_recipients = TRUE;
3133
dot_ends = FALSE;
3134
}
3135
3136
/* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3137
3138
#ifdef SUPPORT_TLS
3139
else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
3140
#endif
3141
3142
else badarg = TRUE;
3143
break;
3144
3145
3146
/* -U: This means "initial user submission" in sendmail, apparently. The
3147
doc claims that in future sendmail may refuse syntactically invalid
3148
messages instead of fixing them. For the moment, we just ignore it. */
3149
3150
case 'U':
3151
break;
3152
3153
3154
/* -v: verify things - this is a very low-level debugging */
3155
3156
case 'v':
3157
if (*argrest == 0)
3158
{
3159
debug_selector |= D_v;
3160
debug_file = stderr;
3161
}
3162
else badarg = TRUE;
3163
break;
3164
3165
3166
/* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3167
3168
The -x flag tells the sendmail command that mail from a local
3169
mail program has National Language Support (NLS) extended characters
3170
in the body of the mail item. The sendmail command can send mail with
3171
extended NLS characters across networks that normally corrupts these
3172
8-bit characters.
3173
3174
As Exim is 8-bit clean, it just ignores this flag. */
3175
3176
case 'x':
3177
if (*argrest != 0) badarg = TRUE;
3178
break;
3179
3180
/* All other initial characters are errors */
3181
3182
default:
3183
badarg = TRUE;
3184
break;
3185
} /* End of high-level switch statement */
3186
3187
/* Failed to recognize the option, or syntax error */
3188
3189
if (badarg)
3190
{
3191
fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3192
"option %s\n", arg);
3193
exit(EXIT_FAILURE);
3194
}
3195
}
3196
3197
3198
/* If -R or -S have been specified without -q, assume a single queue run. */
3199
3200
if ((deliver_selectstring != NULL || deliver_selectstring_sender != NULL) &&
3201
queue_interval < 0) queue_interval = 0;
3202
3203
3204
END_ARG:
3205
/* If usage_wanted is set we call the usage function - which never returns */
3206
if (usage_wanted) exim_usage(called_as);
3207
3208
/* Arguments have been processed. Check for incompatibilities. */
3209
if ((
3210
(smtp_input || extract_recipients || recipients_arg < argc) &&
3211
(daemon_listen || queue_interval >= 0 || bi_option ||
3212
test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3213
filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3214
) ||
3215
(
3216
msg_action_arg > 0 &&
3217
(daemon_listen || queue_interval >= 0 || list_options ||
3218
(checking && msg_action != MSG_LOAD) ||
3219
bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3220
) ||
3221
(
3222
(daemon_listen || queue_interval >= 0) &&
3223
(sender_address != NULL || list_options || list_queue || checking ||
3224
bi_option)
3225
) ||
3226
(
3227
daemon_listen && queue_interval == 0
3228
) ||
3229
(
3230
list_options &&
3231
(checking || smtp_input || extract_recipients ||
3232
filter_test != FTEST_NONE || bi_option)
3233
) ||
3234
(
3235
verify_address_mode &&
3236
(address_test_mode || smtp_input || extract_recipients ||
3237
filter_test != FTEST_NONE || bi_option)
3238
) ||
3239
(
3240
address_test_mode && (smtp_input || extract_recipients ||
3241
filter_test != FTEST_NONE || bi_option)
3242
) ||
3243
(
3244
smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3245
extract_recipients)
3246
) ||
3247
(
3248
deliver_selectstring != NULL && queue_interval < 0
3249
) ||
3250
(
3251
msg_action == MSG_LOAD &&
3252
(!expansion_test || expansion_test_message != NULL)
3253
)
3254
)
3255
{
3256
fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3257
exit(EXIT_FAILURE);
3258
}
3259
3260
/* If debugging is set up, set the file and the file descriptor to pass on to
3261
child processes. It should, of course, be 2 for stderr. Also, force the daemon
3262
to run in the foreground. */
3263
3264
if (debug_selector != 0)
3265
{
3266
debug_file = stderr;
3267
debug_fd = fileno(debug_file);
3268
background_daemon = FALSE;
3269
if (running_in_test_harness) millisleep(100); /* lets caller finish */
3270
if (debug_selector != D_v) /* -v only doesn't show this */
3271
{
3272
debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3273
version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3274
debug_selector);
3275
show_whats_supported(stderr);
3276
}
3277
}
3278
3279
/* When started with root privilege, ensure that the limits on the number of
3280
open files and the number of processes (where that is accessible) are
3281
sufficiently large, or are unset, in case Exim has been called from an
3282
environment where the limits are screwed down. Not all OS have the ability to
3283
change some of these limits. */
3284
3285
if (unprivileged)
3286
{
3287
DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3288
}
3289
else
3290
{
3291
struct rlimit rlp;
3292
3293
#ifdef RLIMIT_NOFILE
3294
if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3295
{
3296
log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3297
strerror(errno));
3298
rlp.rlim_cur = rlp.rlim_max = 0;
3299
}
3300
3301
/* I originally chose 1000 as a nice big number that was unlikely to
3302
be exceeded. It turns out that some older OS have a fixed upper limit of
3303
256. */
3304
3305
if (rlp.rlim_cur < 1000)
3306
{
3307
rlp.rlim_cur = rlp.rlim_max = 1000;
3308
if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3309
{
3310
rlp.rlim_cur = rlp.rlim_max = 256;
3311
if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3312
log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3313
strerror(errno));
3314
}
3315
}
3316
#endif
3317
3318
#ifdef RLIMIT_NPROC
3319
if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3320
{
3321
log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3322
strerror(errno));
3323
rlp.rlim_cur = rlp.rlim_max = 0;
3324
}
3325
3326
#ifdef RLIM_INFINITY
3327
if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3328
{
3329
rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3330
#else
3331
if (rlp.rlim_cur < 1000)
3332
{
3333
rlp.rlim_cur = rlp.rlim_max = 1000;
3334
#endif
3335
if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3336
log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3337
strerror(errno));
3338
}
3339
#endif
3340
}
3341
3342
/* Exim is normally entered as root (but some special configurations are
3343
possible that don't do this). However, it always spins off sub-processes that
3344
set their uid and gid as required for local delivery. We don't want to pass on
3345
any extra groups that root may belong to, so we want to get rid of them all at
3346
this point.
3347
3348
We need to obey setgroups() at this stage, before possibly giving up root
3349
privilege for a changed configuration file, but later on we might need to
3350
check on the additional groups for the admin user privilege - can't do that
3351
till after reading the config, which might specify the exim gid. Therefore,
3352
save the group list here first. */
3353
3354
group_count = getgroups(NGROUPS_MAX, group_list);
3355
3356
/* There is a fundamental difference in some BSD systems in the matter of
3357
groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3358
known not to be different. On the "different" systems there is a single group
3359
list, and the first entry in it is the current group. On all other versions of
3360
Unix there is a supplementary group list, which is in *addition* to the current
3361
group. Consequently, to get rid of all extraneous groups on a "standard" system
3362
you pass over 0 groups to setgroups(), while on a "different" system you pass
3363
over a single group - the current group, which is always the first group in the
3364
list. Calling setgroups() with zero groups on a "different" system results in
3365
an error return. The following code should cope with both types of system.
3366
3367
However, if this process isn't running as root, setgroups() can't be used
3368
since you have to be root to run it, even if throwing away groups. Not being
3369
root here happens only in some unusual configurations. We just ignore the
3370
error. */
3371
3372
if (setgroups(0, NULL) != 0)
3373
{
3374
if (setgroups(1, group_list) != 0 && !unprivileged)
3375
{
3376
fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3377
exit(EXIT_FAILURE);
3378
}
3379
}
3380
3381
/* If the configuration file name has been altered by an argument on the
3382
command line (either a new file name or a macro definition) and the caller is
3383
not root, or if this is a filter testing run, remove any setuid privilege the
3384
program has and run as the underlying user.
3385
3386
The exim user is locked out of this, which severely restricts the use of -C
3387
for some purposes.
3388
3389
Otherwise, set the real ids to the effective values (should be root unless run
3390
from inetd, which it can either be root or the exim uid, if one is configured).
3391
3392
There is a private mechanism for bypassing some of this, in order to make it
3393
possible to test lots of configurations automatically, without having either to
3394
recompile each time, or to patch in an actual configuration file name and other
3395
values (such as the path name). If running in the test harness, pretend that
3396
configuration file changes and macro definitions haven't happened. */
3397
3398
if (( /* EITHER */
3399
(!trusted_config || /* Config changed, or */
3400
!macros_trusted()) && /* impermissible macros and */
3401
real_uid != root_uid && /* Not root, and */
3402
!running_in_test_harness /* Not fudged */
3403
) || /* OR */
3404
expansion_test /* expansion testing */
3405
|| /* OR */
3406
filter_test != FTEST_NONE) /* Filter testing */
3407
{
3408
setgroups(group_count, group_list);
3409
exim_setugid(real_uid, real_gid, FALSE,
3410
US"-C, -D, -be or -bf forces real uid");
3411
removed_privilege = TRUE;
3412
3413
/* In the normal case when Exim is called like this, stderr is available
3414
and should be used for any logging information because attempts to write
3415
to the log will usually fail. To arrange this, we unset really_exim. However,
3416
if no stderr is available there is no point - we might as well have a go
3417
at the log (if it fails, syslog will be written).
3418
3419
Note that if the invoker is Exim, the logs remain available. Messing with
3420
this causes unlogged successful deliveries. */
3421
3422
if ((log_stderr != NULL) && (real_uid != exim_uid))
3423
really_exim = FALSE;
3424
}
3425
3426
/* Privilege is to be retained for the moment. It may be dropped later,
3427
depending on the job that this Exim process has been asked to do. For now, set
3428
the real uid to the effective so that subsequent re-execs of Exim are done by a
3429
privileged user. */
3430
3431
else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3432
3433
/* If testing a filter, open the file(s) now, before wasting time doing other
3434
setups and reading the message. */
3435
3436
if ((filter_test & FTEST_SYSTEM) != 0)
3437
{
3438
filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3439
if (filter_sfd < 0)
3440
{
3441
fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3442
strerror(errno));
3443
return EXIT_FAILURE;
3444
}
3445
}
3446
3447
if ((filter_test & FTEST_USER) != 0)
3448
{
3449
filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3450
if (filter_ufd < 0)
3451
{
3452
fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
3453
strerror(errno));
3454
return EXIT_FAILURE;
3455
}
3456
}
3457
3458
/* Read the main runtime configuration data; this gives up if there
3459
is a failure. It leaves the configuration file open so that the subsequent
3460
configuration data for delivery can be read if needed. */
3461
3462
readconf_main();
3463
3464
/* Handle the decoding of logging options. */
3465
3466
decode_bits(&log_write_selector, &log_extra_selector, 0, 0, log_selector_string,
3467
log_options, log_options_count, US"log");
3468
3469
DEBUG(D_any)
3470
{
3471
debug_printf("configuration file is %s\n", config_main_filename);
3472
debug_printf("log selectors = %08x %08x\n", log_write_selector,
3473
log_extra_selector);
3474
}
3475
3476
/* If domain literals are not allowed, check the sender address that was
3477
supplied with -f. Ditto for a stripped trailing dot. */
3478
3479
if (sender_address != NULL)
3480
{
3481
if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3482
{
3483
fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3484
"allowed\n", sender_address);
3485
return EXIT_FAILURE;
3486
}
3487
if (f_end_dot && !strip_trailing_dot)
3488
{
3489
fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
3490
"(trailing dot not allowed)\n", sender_address);
3491
return EXIT_FAILURE;
3492
}
3493
}
3494
3495
/* Paranoia check of maximum lengths of certain strings. There is a check
3496
on the length of the log file path in log.c, which will come into effect
3497
if there are any calls to write the log earlier than this. However, if we
3498
get this far but the string is very long, it is better to stop now than to
3499
carry on and (e.g.) receive a message and then have to collapse. The call to
3500
log_write() from here will cause the ultimate panic collapse if the complete
3501
file name exceeds the buffer length. */
3502
3503
if (Ustrlen(log_file_path) > 200)
3504
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3505
"log_file_path is longer than 200 chars: aborting");
3506
3507
if (Ustrlen(pid_file_path) > 200)
3508
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3509
"pid_file_path is longer than 200 chars: aborting");
3510
3511
if (Ustrlen(spool_directory) > 200)
3512
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3513
"spool_directory is longer than 200 chars: aborting");
3514
3515
/* Length check on the process name given to syslog for its TAG field,
3516
which is only permitted to be 32 characters or less. See RFC 3164. */
3517
3518
if (Ustrlen(syslog_processname) > 32)
3519
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3520
"syslog_processname is longer than 32 chars: aborting");
3521
3522
/* In some operating systems, the environment variable TMPDIR controls where
3523
temporary files are created; Exim doesn't use these (apart from when delivering
3524
to MBX mailboxes), but called libraries such as DBM libraries may require them.
3525
If TMPDIR is found in the environment, reset it to the value defined in the
3526
TMPDIR macro, if this macro is defined. */
3527
3528
#ifdef TMPDIR
3529
{
3530
uschar **p;
3531
for (p = USS environ; *p != NULL; p++)
3532
{
3533
if (Ustrncmp(*p, "TMPDIR=", 7) == 0 &&
3534
Ustrcmp(*p+7, TMPDIR) != 0)
3535
{
3536
uschar *newp = malloc(Ustrlen(TMPDIR) + 8);
3537
sprintf(CS newp, "TMPDIR=%s", TMPDIR);
3538
*p = newp;
3539
DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR);
3540
}
3541
}
3542
}
3543
#endif
3544
3545
/* Timezone handling. If timezone_string is "utc", set a flag to cause all
3546
timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3547
we may need to get rid of a bogus timezone setting. This can arise when Exim is
3548
called by a user who has set the TZ variable. This then affects the timestamps
3549
in log files and in Received: headers, and any created Date: header lines. The
3550
required timezone is settable in the configuration file, so nothing can be done
3551
about this earlier - but hopefully nothing will normally be logged earlier than
3552
this. We have to make a new environment if TZ is wrong, but don't bother if
3553
timestamps_utc is set, because then all times are in UTC anyway. */
3554
3555
if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0)
3556
{
3557
timestamps_utc = TRUE;
3558
}
3559
else
3560
{
3561
uschar *envtz = US getenv("TZ");
3562
if ((envtz == NULL && timezone_string != NULL) ||
3563
(envtz != NULL &&
3564
(timezone_string == NULL ||
3565
Ustrcmp(timezone_string, envtz) != 0)))
3566
{
3567
uschar **p = USS environ;
3568
uschar **new;
3569
uschar **newp;
3570
int count = 0;
3571
while (*p++ != NULL) count++;
3572
if (envtz == NULL) count++;
3573
newp = new = malloc(sizeof(uschar *) * (count + 1));
3574
for (p = USS environ; *p != NULL; p++)
3575
{
3576
if (Ustrncmp(*p, "TZ=", 3) == 0) continue;
3577
*newp++ = *p;
3578
}
3579
if (timezone_string != NULL)
3580
{
3581
*newp = malloc(Ustrlen(timezone_string) + 4);
3582
sprintf(CS *newp++, "TZ=%s", timezone_string);
3583
}
3584
*newp = NULL;
3585
environ = CSS new;
3586
tzset();
3587
DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3588
tod_stamp(tod_log));
3589
}
3590
}
3591
3592
/* Handle the case when we have removed the setuid privilege because of -C or
3593
-D. This means that the caller of Exim was not root.
3594
3595
There is a problem if we were running as the Exim user. The sysadmin may
3596
expect this case to retain privilege because "the binary was called by the
3597
Exim user", but it hasn't, because either the -D option set macros, or the
3598
-C option set a non-trusted configuration file. There are two possibilities:
3599
3600
(1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3601
to do message deliveries. Thus, the fact that it is running as a
3602
non-privileged user is plausible, and might be wanted in some special
3603
configurations. However, really_exim will have been set false when
3604
privilege was dropped, to stop Exim trying to write to its normal log
3605
files. Therefore, re-enable normal log processing, assuming the sysadmin
3606
has set up the log directory correctly.
3607
3608
(2) If deliver_drop_privilege is not set, the configuration won't work as
3609
apparently intended, and so we log a panic message. In order to retain
3610
root for -C or -D, the caller must either be root or be invoking a
3611
trusted configuration file (when deliver_drop_privilege is false). */
3612
3613
if (removed_privilege && (!trusted_config || macros != NULL) &&
3614
real_uid == exim_uid)
3615
{
3616
if (deliver_drop_privilege)
3617
really_exim = TRUE; /* let logging work normally */
3618
else
3619
log_write(0, LOG_MAIN|LOG_PANIC,
3620
"exim user lost privilege for using %s option",
3621
trusted_config? "-D" : "-C");
3622
}
3623
3624
/* Start up Perl interpreter if Perl support is configured and there is a
3625
perl_startup option, and the configuration or the command line specifies
3626
initializing starting. Note that the global variables are actually called
3627
opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3628
3629
#ifdef EXIM_PERL
3630
if (perl_start_option != 0)
3631
opt_perl_at_start = (perl_start_option > 0);
3632
if (opt_perl_at_start && opt_perl_startup != NULL)
3633
{
3634
uschar *errstr;
3635
DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3636
errstr = init_perl(opt_perl_startup);
3637
if (errstr != NULL)
3638
{
3639
fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr);
3640
return EXIT_FAILURE;
3641
}
3642
opt_perl_started = TRUE;
3643
}
3644
#endif /* EXIM_PERL */
3645
3646
/* Log the arguments of the call if the configuration file said so. This is
3647
a debugging feature for finding out what arguments certain MUAs actually use.
3648
Don't attempt it if logging is disabled, or if listing variables or if
3649
verifying/testing addresses or expansions. */
3650
3651
if (((debug_selector & D_any) != 0 || (log_extra_selector & LX_arguments) != 0)
3652
&& really_exim && !list_options && !checking)
3653
{
3654
int i;
3655
uschar *p = big_buffer;
3656
Ustrcpy(p, "cwd=");
3657
(void)getcwd(CS p+4, big_buffer_size - 4);
3658
while (*p) p++;
3659
(void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3660
while (*p) p++;
3661
for (i = 0; i < argc; i++)
3662
{
3663
int len = Ustrlen(argv[i]);
3664
uschar *printing;
3665
uschar *quote;
3666
if (p + len + 8 >= big_buffer + big_buffer_size)
3667
{
3668
Ustrcpy(p, " ...");
3669
log_write(0, LOG_MAIN, "%s", big_buffer);
3670
Ustrcpy(big_buffer, "...");
3671
p = big_buffer + 3;
3672
}
3673
printing = string_printing(argv[i]);
3674
if (printing[0] == 0) quote = US"\""; else
3675
{
3676
uschar *pp = printing;
3677
quote = US"";
3678
while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3679
}
3680
sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3681
(p - big_buffer) - 4), printing, quote);
3682
while (*p) p++;
3683
}
3684
3685
if ((log_extra_selector & LX_arguments) != 0)
3686
log_write(0, LOG_MAIN, "%s", big_buffer);
3687
else
3688
debug_printf("%s\n", big_buffer);
3689
}
3690
3691
/* Set the working directory to be the top-level spool directory. We don't rely
3692
on this in the code, which always uses fully qualified names, but it's useful
3693
for core dumps etc. Don't complain if it fails - the spool directory might not
3694
be generally accessible and calls with the -C option (and others) have lost
3695
privilege by now. Before the chdir, we try to ensure that the directory exists.
3696
*/
3697
3698
if (Uchdir(spool_directory) != 0)
3699
{
3700
(void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
3701
(void)Uchdir(spool_directory);
3702
}
3703
3704
/* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3705
alias file. Exim doesn't have such a concept, but this call is screwed into
3706
Sun's YP makefiles. Handle this by calling a configured script, as the real
3707
user who called Exim. The -oA option can be used to pass an argument to the
3708
script. */
3709
3710
if (bi_option)
3711
{
3712
(void)fclose(config_file);
3713
if (bi_command != NULL)
3714
{
3715
int i = 0;
3716
uschar *argv[3];
3717
argv[i++] = bi_command;
3718
if (alias_arg != NULL) argv[i++] = alias_arg;
3719
argv[i++] = NULL;
3720
3721
setgroups(group_count, group_list);
3722
exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
3723
3724
DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
3725
(argv[1] == NULL)? US"" : argv[1]);
3726
3727
execv(CS argv[0], (char *const *)argv);
3728
fprintf(stderr, "exim: exec failed: %s\n", strerror(errno));
3729
exit(EXIT_FAILURE);
3730
}
3731
else
3732
{
3733
DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
3734
exit(EXIT_SUCCESS);
3735
}
3736
}
3737
3738
/* If an action on specific messages is requested, or if a daemon or queue
3739
runner is being started, we need to know if Exim was called by an admin user.
3740
This is the case if the real user is root or exim, or if the real group is
3741
exim, or if one of the supplementary groups is exim or a group listed in
3742
admin_groups. We don't fail all message actions immediately if not admin_user,
3743
since some actions can be performed by non-admin users. Instead, set admin_user
3744
for later interrogation. */
3745
3746
if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3747
admin_user = TRUE;
3748
else
3749
{
3750
int i, j;
3751
for (i = 0; i < group_count; i++)
3752
{
3753
if (group_list[i] == exim_gid) admin_user = TRUE;
3754
else if (admin_groups != NULL)
3755
{
3756
for (j = 1; j <= (int)(admin_groups[0]); j++)
3757
if (admin_groups[j] == group_list[i])
3758
{ admin_user = TRUE; break; }
3759
}
3760
if (admin_user) break;
3761
}
3762
}
3763
3764
/* Another group of privileged users are the trusted users. These are root,
3765
exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3766
are permitted to specify sender_addresses with -f on the command line, and
3767
other message parameters as well. */
3768
3769
if (real_uid == root_uid || real_uid == exim_uid)
3770
trusted_caller = TRUE;
3771
else
3772
{
3773
int i, j;
3774
3775
if (trusted_users != NULL)
3776
{
3777
for (i = 1; i <= (int)(trusted_users[0]); i++)
3778
if (trusted_users[i] == real_uid)
3779
{ trusted_caller = TRUE; break; }
3780
}
3781
3782
if (!trusted_caller && trusted_groups != NULL)
3783
{
3784
for (i = 1; i <= (int)(trusted_groups[0]); i++)
3785
{
3786
if (trusted_groups[i] == real_gid)
3787
trusted_caller = TRUE;
3788
else for (j = 0; j < group_count; j++)
3789
{
3790
if (trusted_groups[i] == group_list[j])
3791
{ trusted_caller = TRUE; break; }
3792
}
3793
if (trusted_caller) break;
3794
}
3795
}
3796
}
3797
3798
if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
3799
if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
3800
3801
/* Only an admin user may start the daemon or force a queue run in the default
3802
configuration, but the queue run restriction can be relaxed. Only an admin
3803
user may request that a message be returned to its sender forthwith. Only an
3804
admin user may specify a debug level greater than D_v (because it might show
3805
passwords, etc. in lookup queries). Only an admin user may request a queue
3806
count. */
3807
3808
if (!admin_user)
3809
{
3810
BOOL debugset = (debug_selector & ~D_v) != 0;
3811
if (deliver_give_up || daemon_listen ||
3812
(count_queue && queue_list_requires_admin) ||
3813
(list_queue && queue_list_requires_admin) ||
3814
(queue_interval >= 0 && prod_requires_admin) ||
3815
(debugset && !running_in_test_harness))
3816
{
3817
fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : "");
3818
exit(EXIT_FAILURE);
3819
}
3820
}
3821
3822
/* If the real user is not root or the exim uid, the argument for passing
3823
in an open TCP/IP connection for another message is not permitted, nor is
3824
running with the -N option for any delivery action, unless this call to exim is
3825
one that supplied an input message, or we are using a patched exim for
3826
regression testing. */
3827
3828
if (real_uid != root_uid && real_uid != exim_uid &&
3829
(continue_hostname != NULL ||
3830
(dont_deliver &&
3831
(queue_interval >= 0 || daemon_listen || msg_action_arg > 0)
3832
)) && !running_in_test_harness)
3833
{
3834
fprintf(stderr, "exim: Permission denied\n");
3835
return EXIT_FAILURE;
3836
}
3837
3838
/* If the caller is not trusted, certain arguments are ignored when running for
3839
real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
3840
Note that authority for performing certain actions on messages is tested in the
3841
queue_action() function. */
3842
3843
if (!trusted_caller && !checking && filter_test == FTEST_NONE)
3844
{
3845
sender_host_name = sender_host_address = interface_address =
3846
sender_ident = received_protocol = NULL;
3847
sender_host_port = interface_port = 0;
3848
sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
3849
}
3850
3851
/* If a sender host address is set, extract the optional port number off the
3852
end of it and check its syntax. Do the same thing for the interface address.
3853
Exim exits if the syntax is bad. */
3854
3855
else
3856
{
3857
if (sender_host_address != NULL)
3858
sender_host_port = check_port(sender_host_address);
3859
if (interface_address != NULL)
3860
interface_port = check_port(interface_address);
3861
}
3862
3863
/* If an SMTP message is being received check to see if the standard input is a
3864
TCP/IP socket. If it is, we assume that Exim was called from inetd if the
3865
caller is root or the Exim user, or if the port is a privileged one. Otherwise,
3866
barf. */
3867
3868
if (smtp_input)
3869
{
3870
union sockaddr_46 inetd_sock;
3871
EXIM_SOCKLEN_T size = sizeof(inetd_sock);
3872
if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
3873
{
3874
int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
3875
if (family == AF_INET || family == AF_INET6)
3876
{
3877
union sockaddr_46 interface_sock;
3878
size = sizeof(interface_sock);
3879
3880
if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0)
3881
interface_address = host_ntoa(-1, &interface_sock, NULL,
3882
&interface_port);
3883
3884
if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
3885
3886
if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
3887
{
3888
is_inetd = TRUE;
3889
sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
3890
NULL, &sender_host_port);
3891
if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
3892
"inetd is not supported when mua_wrapper is set");
3893
}
3894
else
3895
{
3896
fprintf(stderr,
3897
"exim: Permission denied (unprivileged user, unprivileged port)\n");
3898
return EXIT_FAILURE;
3899
}
3900
}
3901
}
3902
}
3903
3904
/* If the load average is going to be needed while receiving a message, get it
3905
now for those OS that require the first call to os_getloadavg() to be done as
3906
root. There will be further calls later for each message received. */
3907
3908
#ifdef LOAD_AVG_NEEDS_ROOT
3909
if (receiving_message &&
3910
(queue_only_load >= 0 ||
3911
(is_inetd && smtp_load_reserve >= 0)
3912
))
3913
{
3914
load_average = OS_GETLOADAVG();
3915
}
3916
#endif
3917
3918
/* The queue_only configuration option can be overridden by -odx on the command
3919
line, except that if queue_only_override is false, queue_only cannot be unset
3920
from the command line. */
3921
3922
if (queue_only_set && (queue_only_override || arg_queue_only))
3923
queue_only = arg_queue_only;
3924
3925
/* The receive_timeout and smtp_receive_timeout options can be overridden by
3926
-or and -os. */
3927
3928
if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout;
3929
if (arg_smtp_receive_timeout >= 0)
3930
smtp_receive_timeout = arg_smtp_receive_timeout;
3931
3932
/* If Exim was started with root privilege, unless we have already removed the
3933
root privilege above as a result of -C, -D, -be, -bf or -bF, remove it now
3934
except when starting the daemon or doing some kind of delivery or address
3935
testing (-bt). These are the only cases when root need to be retained. We run
3936
as exim for -bv and -bh. However, if deliver_drop_privilege is set, root is
3937
retained only for starting the daemon. We always do the initgroups() in this
3938
situation (controlled by the TRUE below), in order to be as close as possible
3939
to the state Exim usually runs in. */
3940
3941
if (!unprivileged && /* originally had root AND */
3942
!removed_privilege && /* still got root AND */
3943
!daemon_listen && /* not starting the daemon */
3944
queue_interval <= 0 && /* (either kind of daemon) */
3945
( /* AND EITHER */
3946
deliver_drop_privilege || /* requested unprivileged */
3947
( /* OR */
3948
queue_interval < 0 && /* not running the queue */
3949
(msg_action_arg < 0 || /* and */
3950
msg_action != MSG_DELIVER) && /* not delivering and */
3951
(!checking || !address_test_mode) /* not address checking */
3952
)
3953
))
3954
{
3955
exim_setugid(exim_uid, exim_gid, TRUE, US"privilege not needed");
3956
}
3957
3958
/* When we are retaining a privileged uid, we still change to the exim gid. */
3959
3960
else setgid(exim_gid);
3961
3962
/* Handle a request to list the delivery queue */
3963
3964
if (list_queue)
3965
{
3966
set_process_info("listing the queue");
3967
queue_list(list_queue_option, argv + recipients_arg, argc - recipients_arg);
3968
exit(EXIT_SUCCESS);
3969
}
3970
3971
/* Handle a request to count the delivery queue */
3972
3973
if (count_queue)
3974
{
3975
set_process_info("counting the queue");
3976
queue_count();
3977
exit(EXIT_SUCCESS);
3978
}
3979
3980
/* Handle actions on specific messages, except for the force delivery and
3981
message load actions, which are done below. Some actions take a whole list of
3982
message ids, which are known to continue up to the end of the arguments. Others
3983
take a single message id and then operate on the recipients list. */
3984
3985
if (msg_action_arg > 0 && msg_action != MSG_DELIVER && msg_action != MSG_LOAD)
3986
{
3987
int yield = EXIT_SUCCESS;
3988
set_process_info("acting on specified messages");
3989
3990
if (!one_msg_action)
3991
{
3992
for (i = msg_action_arg; i < argc; i++)
3993
if (!queue_action(argv[i], msg_action, NULL, 0, 0))
3994
yield = EXIT_FAILURE;
3995
}
3996
3997
else if (!queue_action(argv[msg_action_arg], msg_action, argv, argc,
3998
recipients_arg)) yield = EXIT_FAILURE;
3999
exit(yield);
4000
}
4001
4002
/* All the modes below here require the remaining configuration sections
4003
to be read, except that we can skip over the ACL setting when delivering
4004
specific messages, or doing a queue run. (For various testing cases we could
4005
skip too, but as they are rare, it doesn't really matter.) The argument is TRUE
4006
for skipping. */
4007
4008
readconf_rest(msg_action_arg > 0 || (queue_interval == 0 && !daemon_listen));
4009
4010
/* The configuration data will have been read into POOL_PERM because we won't
4011
ever want to reset back past it. Change the current pool to POOL_MAIN. In fact,
4012
this is just a bit of pedantic tidiness. It wouldn't really matter if the
4013
configuration were read into POOL_MAIN, because we don't do any resets till
4014
later on. However, it seems right, and it does ensure that both pools get used.
4015
*/
4016
4017
store_pool = POOL_MAIN;
4018
4019
/* Handle the -brt option. This is for checking out retry configurations.
4020
The next three arguments are a domain name or a complete address, and
4021
optionally two error numbers. All it does is to call the function that
4022
scans the retry configuration data. */
4023
4024
if (test_retry_arg >= 0)
4025
{
4026
retry_config *yield;
4027
int basic_errno = 0;
4028
int more_errno = 0;
4029
uschar *s1, *s2;
4030
4031
if (test_retry_arg >= argc)
4032
{
4033
printf("-brt needs a domain or address argument\n");
4034
exim_exit(EXIT_FAILURE);
4035
}
4036
s1 = argv[test_retry_arg++];
4037
s2 = NULL;
4038
4039
/* If the first argument contains no @ and no . it might be a local user
4040
or it might be a single-component name. Treat as a domain. */
4041
4042
if (Ustrchr(s1, '@') == NULL && Ustrchr(s1, '.') == NULL)
4043
{
4044
printf("Warning: \"%s\" contains no '@' and no '.' characters. It is "
4045
"being \ntreated as a one-component domain, not as a local part.\n\n",
4046
s1);
4047
}
4048
4049
/* There may be an optional second domain arg. */
4050
4051
if (test_retry_arg < argc && Ustrchr(argv[test_retry_arg], '.') != NULL)
4052
s2 = argv[test_retry_arg++];
4053
4054
/* The final arg is an error name */
4055
4056
if (test_retry_arg < argc)
4057
{
4058
uschar *ss = argv[test_retry_arg];
4059
uschar *error =
4060
readconf_retry_error(ss, ss + Ustrlen(ss), &basic_errno, &more_errno);
4061
if (error != NULL)
4062
{
4063
printf("%s\n", CS error);
4064
return EXIT_FAILURE;
4065
}
4066
4067
/* For the {MAIL,RCPT,DATA}_4xx errors, a value of 255 means "any", and a
4068
code > 100 as an error is for matching codes to the decade. Turn them into
4069
a real error code, off the decade. */
4070
4071
if (basic_errno == ERRNO_MAIL4XX ||
4072
basic_errno == ERRNO_RCPT4XX ||
4073
basic_errno == ERRNO_DATA4XX)
4074
{
4075
int code = (more_errno >> 8) & 255;
4076
if (code == 255)
4077
more_errno = (more_errno & 0xffff00ff) | (21 << 8);
4078
else if (code > 100)
4079
more_errno = (more_errno & 0xffff00ff) | ((code - 96) << 8);
4080
}
4081
}
4082
4083
yield = retry_find_config(s1, s2, basic_errno, more_errno);
4084
if (yield == NULL) printf("No retry information found\n"); else
4085
{
4086
retry_rule *r;
4087
more_errno = yield->more_errno;
4088
printf("Retry rule: %s ", yield->pattern);
4089
4090
if (yield->basic_errno == ERRNO_EXIMQUOTA)
4091
{
4092
printf("quota%s%s ",
4093
(more_errno > 0)? "_" : "",
4094
(more_errno > 0)? readconf_printtime(more_errno) : US"");
4095
}
4096
else if (yield->basic_errno == ECONNREFUSED)
4097
{
4098
printf("refused%s%s ",
4099
(more_errno > 0)? "_" : "",
4100
(more_errno == 'M')? "MX" :
4101
(more_errno == 'A')? "A" : "");
4102
}
4103
else if (yield->basic_errno == ETIMEDOUT)
4104
{
4105
printf("timeout");
4106
if ((more_errno & RTEF_CTOUT) != 0) printf("_connect");
4107
more_errno &= 255;
4108
if (more_errno != 0) printf("_%s",
4109
(more_errno == 'M')? "MX" : "A");
4110
printf(" ");
4111
}
4112
else if (yield->basic_errno == ERRNO_AUTHFAIL)
4113
printf("auth_failed ");
4114
else printf("* ");
4115
4116
for (r = yield->rules; r != NULL; r = r->next)
4117
{
4118
printf("%c,%s", r->rule, readconf_printtime(r->timeout)); /* Do not */
4119
printf(",%s", readconf_printtime(r->p1)); /* amalgamate */
4120
if (r->rule == 'G')
4121
{
4122
int x = r->p2;
4123
int f = x % 1000;
4124
int d = 100;
4125
printf(",%d.", x/1000);
4126
do
4127
{
4128
printf("%d", f/d);
4129
f %= d;
4130
d /= 10;
4131
}
4132
while (f != 0);
4133
}
4134
printf("; ");
4135
}
4136
4137
printf("\n");
4138
}
4139
exim_exit(EXIT_SUCCESS);
4140
}
4141
4142
/* Handle a request to list one or more configuration options */
4143
4144
if (list_options)
4145
{
4146
set_process_info("listing variables");
4147
if (recipients_arg >= argc) readconf_print(US"all", NULL);
4148
else for (i = recipients_arg; i < argc; i++)
4149
{
4150
if (i < argc - 1 &&
4151
(Ustrcmp(argv[i], "router") == 0 ||
4152
Ustrcmp(argv[i], "transport") == 0 ||
4153
Ustrcmp(argv[i], "authenticator") == 0 ||
4154
Ustrcmp(argv[i], "macro") == 0))
4155
{
4156
readconf_print(argv[i+1], argv[i]);
4157
i++;
4158
}
4159
else readconf_print(argv[i], NULL);
4160
}
4161
exim_exit(EXIT_SUCCESS);
4162
}
4163
4164
4165
/* Handle a request to deliver one or more messages that are already on the
4166
queue. Values of msg_action other than MSG_DELIVER and MSG_LOAD are dealt with
4167
above. MSG_LOAD is handled with -be (which is the only time it applies) below.
4168
4169
Delivery of specific messages is typically used for a small number when
4170
prodding by hand (when the option forced_delivery will be set) or when
4171
re-execing to regain root privilege. Each message delivery must happen in a
4172
separate process, so we fork a process for each one, and run them sequentially
4173
so that debugging output doesn't get intertwined, and to avoid spawning too
4174
many processes if a long list is given. However, don't fork for the last one;
4175
this saves a process in the common case when Exim is called to deliver just one
4176
message. */
4177
4178
if (msg_action_arg > 0 && msg_action != MSG_LOAD)
4179
{
4180
if (prod_requires_admin && !admin_user)
4181
{
4182
fprintf(stderr, "exim: Permission denied\n");
4183
exim_exit(EXIT_FAILURE);
4184
}
4185
set_process_info("delivering specified messages");
4186
if (deliver_give_up) forced_delivery = deliver_force_thaw = TRUE;
4187
for (i = msg_action_arg; i < argc; i++)
4188
{
4189
int status;
4190
pid_t pid;
4191
if (i == argc - 1)
4192
(void)deliver_message(argv[i], forced_delivery, deliver_give_up);
4193
else if ((pid = fork()) == 0)
4194
{
4195
(void)deliver_message(argv[i], forced_delivery, deliver_give_up);
4196
_exit(EXIT_SUCCESS);
4197
}
4198
else if (pid < 0)
4199
{
4200
fprintf(stderr, "failed to fork delivery process for %s: %s\n", argv[i],
4201
strerror(errno));
4202
exim_exit(EXIT_FAILURE);
4203
}
4204
else wait(&status);
4205
}
4206
exim_exit(EXIT_SUCCESS);
4207
}
4208
4209
4210
/* If only a single queue run is requested, without SMTP listening, we can just
4211
turn into a queue runner, with an optional starting message id. */
4212
4213
if (queue_interval == 0 && !daemon_listen)
4214
{
4215
DEBUG(D_queue_run) debug_printf("Single queue run%s%s%s%s\n",
4216
(start_queue_run_id == NULL)? US"" : US" starting at ",
4217
(start_queue_run_id == NULL)? US"" : start_queue_run_id,
4218
(stop_queue_run_id == NULL)? US"" : US" stopping at ",
4219
(stop_queue_run_id == NULL)? US"" : stop_queue_run_id);
4220
set_process_info("running the queue (single queue run)");
4221
queue_run(start_queue_run_id, stop_queue_run_id, FALSE);
4222
exim_exit(EXIT_SUCCESS);
4223
}
4224
4225
4226
/* Find the login name of the real user running this process. This is always
4227
needed when receiving a message, because it is written into the spool file. It
4228
may also be used to construct a from: or a sender: header, and in this case we
4229
need the user's full name as well, so save a copy of it, checked for RFC822
4230
syntax and munged if necessary, if it hasn't previously been set by the -F
4231
argument. We may try to get the passwd entry more than once, in case NIS or
4232
other delays are in evidence. Save the home directory for use in filter testing
4233
(only). */
4234
4235
for (i = 0;;)
4236
{
4237
if ((pw = getpwuid(real_uid)) != NULL)
4238
{
4239
originator_login = string_copy(US pw->pw_name);
4240
originator_home = string_copy(US pw->pw_dir);
4241
4242
/* If user name has not been set by -F, set it from the passwd entry
4243
unless -f has been used to set the sender address by a trusted user. */
4244
4245
if (originator_name == NULL)
4246
{
4247
if (sender_address == NULL ||
4248
(!trusted_caller && filter_test == FTEST_NONE))
4249
{
4250
uschar *name = US pw->pw_gecos;
4251
uschar *amp = Ustrchr(name, '&');
4252
uschar buffer[256];
4253
4254
/* Most Unix specify that a '&' character in the gecos field is
4255
replaced by a copy of the login name, and some even specify that
4256
the first character should be upper cased, so that's what we do. */
4257
4258
if (amp != NULL)
4259
{
4260
int loffset;
4261
string_format(buffer, sizeof(buffer), "%.*s%n%s%s",
4262
amp - name, name, &loffset, originator_login, amp + 1);
4263
buffer[loffset] = toupper(buffer[loffset]);
4264
name = buffer;
4265
}
4266
4267
/* If a pattern for matching the gecos field was supplied, apply
4268
it and then expand the name string. */
4269
4270
if (gecos_pattern != NULL && gecos_name != NULL)
4271
{
4272
const pcre *re;
4273
re = regex_must_compile(gecos_pattern, FALSE, TRUE); /* Use malloc */
4274
4275
if (regex_match_and_setup(re, name, 0, -1))
4276
{
4277
uschar *new_name = expand_string(gecos_name);
4278
expand_nmax = -1;
4279
if (new_name != NULL)
4280
{
4281
DEBUG(D_receive) debug_printf("user name \"%s\" extracted from "
4282
"gecos field \"%s\"\n", new_name, name);
4283
name = new_name;
4284
}
4285
else DEBUG(D_receive) debug_printf("failed to expand gecos_name string "
4286
"\"%s\": %s\n", gecos_name, expand_string_message);
4287
}
4288
else DEBUG(D_receive) debug_printf("gecos_pattern \"%s\" did not match "
4289
"gecos field \"%s\"\n", gecos_pattern, name);
4290
store_free((void *)re);
4291
}
4292
originator_name = string_copy(name);
4293
}
4294
4295
/* A trusted caller has used -f but not -F */
4296
4297
else originator_name = US"";
4298
}
4299
4300
/* Break the retry loop */
4301
4302
break;
4303
}
4304
4305
if (++i > finduser_retries) break;
4306
sleep(1);
4307
}
4308
4309
/* If we cannot get a user login, log the incident and give up, unless the
4310
configuration specifies something to use. When running in the test harness,
4311
any setting of unknown_login overrides the actual name. */
4312
4313
if (originator_login == NULL || running_in_test_harness)
4314
{
4315
if (unknown_login != NULL)
4316
{
4317
originator_login = expand_string(unknown_login);
4318
if (originator_name == NULL && unknown_username != NULL)
4319
originator_name = expand_string(unknown_username);
4320
if (originator_name == NULL) originator_name = US"";
4321
}
4322
if (originator_login == NULL)
4323
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to get user name for uid %d",
4324
(int)real_uid);
4325
}
4326
4327
/* Ensure that the user name is in a suitable form for use as a "phrase" in an
4328
RFC822 address.*/
4329
4330
originator_name = string_copy(parse_fix_phrase(originator_name,
4331
Ustrlen(originator_name), big_buffer, big_buffer_size));
4332
4333
/* If a message is created by this call of Exim, the uid/gid of its originator
4334
are those of the caller. These values are overridden if an existing message is
4335
read in from the spool. */
4336
4337
originator_uid = real_uid;
4338
originator_gid = real_gid;
4339
4340
DEBUG(D_receive) debug_printf("originator: uid=%d gid=%d login=%s name=%s\n",
4341
(int)originator_uid, (int)originator_gid, originator_login, originator_name);
4342
4343
/* Run in daemon and/or queue-running mode. The function daemon_go() never
4344
returns. We leave this till here so that the originator_ fields are available
4345
for incoming messages via the daemon. The daemon cannot be run in mua_wrapper
4346
mode. */
4347
4348
if (daemon_listen || queue_interval > 0)
4349
{
4350
if (mua_wrapper)
4351
{
4352
fprintf(stderr, "Daemon cannot be run when mua_wrapper is set\n");
4353
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Daemon cannot be run when "
4354
"mua_wrapper is set");
4355
}
4356
daemon_go();
4357
}
4358
4359
/* If the sender ident has not been set (by a trusted caller) set it to
4360
the caller. This will get overwritten below for an inetd call. If a trusted
4361
caller has set it empty, unset it. */
4362
4363
if (sender_ident == NULL) sender_ident = originator_login;
4364
else if (sender_ident[0] == 0) sender_ident = NULL;
4365
4366
/* Handle the -brw option, which is for checking out rewriting rules. Cause log
4367
writes (on errors) to go to stderr instead. Can't do this earlier, as want the
4368
originator_* variables set. */
4369
4370
if (test_rewrite_arg >= 0)
4371
{
4372
really_exim = FALSE;
4373
if (test_rewrite_arg >= argc)
4374
{
4375
printf("-brw needs an address argument\n");
4376
exim_exit(EXIT_FAILURE);
4377
}
4378
rewrite_test(argv[test_rewrite_arg]);
4379
exim_exit(EXIT_SUCCESS);
4380
}
4381
4382
/* A locally-supplied message is considered to be coming from a local user
4383
unless a trusted caller supplies a sender address with -f, or is passing in the
4384
message via SMTP (inetd invocation or otherwise). */
4385
4386
if ((sender_address == NULL && !smtp_input) ||
4387
(!trusted_caller && filter_test == FTEST_NONE))
4388
{
4389
sender_local = TRUE;
4390
4391
/* A trusted caller can supply authenticated_sender and authenticated_id
4392
via -oMas and -oMai and if so, they will already be set. Otherwise, force
4393
defaults except when host checking. */
4394
4395
if (authenticated_sender == NULL && !host_checking)
4396
authenticated_sender = string_sprintf("%s@%s", originator_login,
4397
qualify_domain_sender);
4398
if (authenticated_id == NULL && !host_checking)
4399
authenticated_id = originator_login;
4400
}
4401
4402
/* Trusted callers are always permitted to specify the sender address.
4403
Untrusted callers may specify it if it matches untrusted_set_sender, or if what
4404
is specified is the empty address. However, if a trusted caller does not
4405
specify a sender address for SMTP input, we leave sender_address unset. This
4406
causes the MAIL commands to be honoured. */
4407
4408
if ((!smtp_input && sender_address == NULL) ||
4409
!receive_check_set_sender(sender_address))
4410
{
4411
/* Either the caller is not permitted to set a general sender, or this is
4412
non-SMTP input and the trusted caller has not set a sender. If there is no
4413
sender, or if a sender other than <> is set, override with the originator's
4414
login (which will get qualified below), except when checking things. */
4415
4416
if (sender_address == NULL /* No sender_address set */
4417
|| /* OR */
4418
(sender_address[0] != 0 && /* Non-empty sender address, AND */
4419
!checking && /* Not running tests, AND */
4420
filter_test == FTEST_NONE)) /* Not testing a filter */
4421
{
4422
sender_address = originator_login;
4423
sender_address_forced = FALSE;
4424
sender_address_domain = 0;
4425
}
4426
}
4427
4428
/* Remember whether an untrusted caller set the sender address */
4429
4430
sender_set_untrusted = sender_address != originator_login && !trusted_caller;
4431
4432
/* Ensure that the sender address is fully qualified unless it is the empty
4433
address, which indicates an error message, or doesn't exist (root caller, smtp
4434
interface, no -f argument). */
4435
4436
if (sender_address != NULL && sender_address[0] != 0 &&
4437
sender_address_domain == 0)
4438
sender_address = string_sprintf("%s@%s", local_part_quote(sender_address),
4439
qualify_domain_sender);
4440
4441
DEBUG(D_receive) debug_printf("sender address = %s\n", sender_address);
4442
4443
/* Handle a request to verify a list of addresses, or test them for delivery.
4444
This must follow the setting of the sender address, since routers can be
4445
predicated upon the sender. If no arguments are given, read addresses from
4446
stdin. Set debug_level to at least D_v to get full output for address testing.
4447
*/
4448
4449
if (verify_address_mode || address_test_mode)
4450
{
4451
int exit_value = 0;
4452
int flags = vopt_qualify;
4453
4454
if (verify_address_mode)
4455
{
4456
if (!verify_as_sender) flags |= vopt_is_recipient;
4457
DEBUG(D_verify) debug_print_ids(US"Verifying:");
4458
}
4459
4460
else
4461
{
4462
flags |= vopt_is_recipient;
4463
debug_selector |= D_v;
4464
debug_file = stderr;
4465
debug_fd = fileno(debug_file);
4466
DEBUG(D_verify) debug_print_ids(US"Address testing:");
4467
}
4468
4469
if (recipients_arg < argc)
4470
{
4471
while (recipients_arg < argc)
4472
{
4473
uschar *s = argv[recipients_arg++];
4474
while (*s != 0)
4475
{
4476
BOOL finished = FALSE;
4477
uschar *ss = parse_find_address_end(s, FALSE);
4478
if (*ss == ',') *ss = 0; else finished = TRUE;
4479
test_address(s, flags, &exit_value);
4480
s = ss;
4481
if (!finished)
4482
while (*(++s) != 0 && (*s == ',' || isspace(*s)));
4483
}
4484
}
4485
}
4486
4487
else for (;;)
4488
{
4489
uschar *s = get_stdinput(NULL, NULL);
4490
if (s == NULL) break;
4491
test_address(s, flags, &exit_value);
4492
}
4493
4494
route_tidyup();
4495
exim_exit(exit_value);
4496
}
4497
4498
/* Handle expansion checking. Either expand items on the command line, or read
4499
from stdin if there aren't any. If -Mset was specified, load the message so
4500
that its variables can be used, but restrict this facility to admin users.
4501
Otherwise, if -bem was used, read a message from stdin. */
4502
4503
if (expansion_test)
4504
{
4505
if (msg_action_arg > 0 && msg_action == MSG_LOAD)
4506
{
4507
uschar spoolname[256]; /* Not big_buffer; used in spool_read_header() */
4508
if (!admin_user)
4509
{
4510
fprintf(stderr, "exim: permission denied\n");
4511
exit(EXIT_FAILURE);
4512
}
4513
message_id = argv[msg_action_arg];
4514
(void)string_format(spoolname, sizeof(spoolname), "%s-H", message_id);
4515
if (!spool_open_datafile(message_id))
4516
printf ("Failed to load message datafile %s\n", message_id);
4517
if (spool_read_header(spoolname, TRUE, FALSE) != spool_read_OK)
4518
printf ("Failed to load message %s\n", message_id);
4519
}
4520
4521
/* Read a test message from a file. We fudge it up to be on stdin, saving
4522
stdin itself for later reading of expansion strings. */
4523
4524
else if (expansion_test_message != NULL)
4525
{
4526
int save_stdin = dup(0);
4527
int fd = Uopen(expansion_test_message, O_RDONLY, 0);
4528
if (fd < 0)
4529
{
4530
fprintf(stderr, "exim: failed to open %s: %s\n", expansion_test_message,
4531
strerror(errno));
4532
return EXIT_FAILURE;
4533
}
4534
(void) dup2(fd, 0);
4535
filter_test = FTEST_USER; /* Fudge to make it look like filter test */
4536
message_ended = END_NOTENDED;
4537
read_message_body(receive_msg(extract_recipients));
4538
message_linecount += body_linecount;
4539
(void)dup2(save_stdin, 0);
4540
(void)close(save_stdin);
4541
clearerr(stdin); /* Required by Darwin */
4542
}
4543
4544
/* Allow $recipients for this testing */
4545
4546
enable_dollar_recipients = TRUE;
4547
4548
/* Expand command line items */
4549
4550
if (recipients_arg < argc)
4551
{
4552
while (recipients_arg < argc)
4553
{
4554
uschar *s = argv[recipients_arg++];
4555
uschar *ss = expand_string(s);
4556
if (ss == NULL) printf ("Failed: %s\n", expand_string_message);
4557
else printf("%s\n", CS ss);
4558
}
4559
}
4560
4561
/* Read stdin */
4562
4563
else
4564
{
4565
char *(*fn_readline)(char *) = NULL;
4566
char *(*fn_addhist)(char *) = NULL;
4567
4568
#ifdef USE_READLINE
4569
void *dlhandle = set_readline(&fn_readline, &fn_addhist);
4570
#endif
4571
4572
for (;;)
4573
{
4574
uschar *ss;
4575
uschar *source = get_stdinput(fn_readline, fn_addhist);
4576
if (source == NULL) break;
4577
ss = expand_string(source);
4578
if (ss == NULL)
4579
printf ("Failed: %s\n", expand_string_message);
4580
else printf("%s\n", CS ss);
4581
}
4582
4583
#ifdef USE_READLINE
4584
if (dlhandle != NULL) dlclose(dlhandle);
4585
#endif
4586
}
4587
4588
/* The data file will be open after -Mset */
4589
4590
if (deliver_datafile >= 0)
4591
{
4592
(void)close(deliver_datafile);
4593
deliver_datafile = -1;
4594
}
4595
4596
exim_exit(EXIT_SUCCESS);
4597
}
4598
4599
4600
/* The active host name is normally the primary host name, but it can be varied
4601
for hosts that want to play several parts at once. We need to ensure that it is
4602
set for host checking, and for receiving messages. */
4603
4604
smtp_active_hostname = primary_hostname;
4605
if (raw_active_hostname != NULL)
4606
{
4607
uschar *nah = expand_string(raw_active_hostname);
4608
if (nah == NULL)
4609
{
4610
if (!expand_string_forcedfail)
4611
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand \"%s\" "
4612
"(smtp_active_hostname): %s", raw_active_hostname,
4613
expand_string_message);
4614
}
4615
else if (nah[0] != 0) smtp_active_hostname = nah;
4616
}
4617
4618
/* Handle host checking: this facility mocks up an incoming SMTP call from a
4619
given IP address so that the blocking and relay configuration can be tested.
4620
Unless a sender_ident was set by -oMt, we discard it (the default is the
4621
caller's login name). An RFC 1413 call is made only if we are running in the
4622
test harness and an incoming interface and both ports are specified, because
4623
there is no TCP/IP call to find the ident for. */
4624
4625
if (host_checking)
4626
{
4627
int x[4];
4628
int size;
4629
4630
if (!sender_ident_set)
4631
{
4632
sender_ident = NULL;
4633
if (running_in_test_harness && sender_host_port != 0 &&
4634
interface_address != NULL && interface_port != 0)
4635
verify_get_ident(1413);
4636
}
4637
4638
/* In case the given address is a non-canonical IPv6 address, canonicize
4639
it. The code works for both IPv4 and IPv6, as it happens. */
4640
4641
size = host_aton(sender_host_address, x);
4642
sender_host_address = store_get(48); /* large enough for full IPv6 */
4643
(void)host_nmtoa(size, x, -1, sender_host_address, ':');
4644
4645
/* Now set up for testing */
4646
4647
host_build_sender_fullhost();
4648
smtp_input = TRUE;
4649
smtp_in = stdin;
4650
smtp_out = stdout;
4651
sender_local = FALSE;
4652
sender_host_notsocket = TRUE;
4653
debug_file = stderr;
4654
debug_fd = fileno(debug_file);
4655
fprintf(stdout, "\n**** SMTP testing session as if from host %s\n"
4656
"**** but without any ident (RFC 1413) callback.\n"
4657
"**** This is not for real!\n\n",
4658
sender_host_address);
4659
4660
if (verify_check_host(&hosts_connection_nolog) == OK)
4661
log_write_selector &= ~L_smtp_connection;
4662
log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info());
4663
4664
/* NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
4665
because a log line has already been written for all its failure exists
4666
(usually "connection refused: <reason>") and writing another one is
4667
unnecessary clutter. */
4668
4669
if (smtp_start_session())
4670
{
4671
reset_point = store_get(0);
4672
for (;;)
4673
{
4674
store_reset(reset_point);
4675
if (smtp_setup_msg() <= 0) break;
4676
if (!receive_msg(FALSE)) break;
4677
}
4678
smtp_log_no_mail();
4679
}
4680
exim_exit(EXIT_SUCCESS);
4681
}
4682
4683
4684
/* Arrange for message reception if recipients or SMTP were specified;
4685
otherwise complain unless a version print (-bV) happened or this is a filter
4686
verification test. In the former case, show the configuration file name. */
4687
4688
if (recipients_arg >= argc && !extract_recipients && !smtp_input)
4689
{
4690
if (version_printed)
4691
{
4692
printf("Configuration file is %s\n", config_main_filename);
4693
return EXIT_SUCCESS;
4694
}
4695
4696
if (filter_test == FTEST_NONE)
4697
exim_usage(called_as);
4698
}
4699
4700
4701
/* If mua_wrapper is set, Exim is being used to turn an MUA that submits on the
4702
standard input into an MUA that submits to a smarthost over TCP/IP. We know
4703
that we are not called from inetd, because that is rejected above. The
4704
following configuration settings are forced here:
4705
4706
(1) Synchronous delivery (-odi)
4707
(2) Errors to stderr (-oep == -oeq)
4708
(3) No parallel remote delivery
4709
(4) Unprivileged delivery
4710
4711
We don't force overall queueing options because there are several of them;
4712
instead, queueing is avoided below when mua_wrapper is set. However, we do need
4713
to override any SMTP queueing. */
4714
4715
if (mua_wrapper)
4716
{
4717
synchronous_delivery = TRUE;
4718
arg_error_handling = ERRORS_STDERR;
4719
remote_max_parallel = 1;
4720
deliver_drop_privilege = TRUE;
4721
queue_smtp = FALSE;
4722
queue_smtp_domains = NULL;
4723
}
4724
4725
4726
/* Prepare to accept one or more new messages on the standard input. When a
4727
message has been read, its id is returned in message_id[]. If doing immediate
4728
delivery, we fork a delivery process for each received message, except for the
4729
last one, where we can save a process switch.
4730
4731
It is only in non-smtp mode that error_handling is allowed to be changed from
4732
its default of ERRORS_SENDER by argument. (Idle thought: are any of the
4733
sendmail error modes other than -oem ever actually used? Later: yes.) */
4734
4735
if (!smtp_input) error_handling = arg_error_handling;
4736
4737
/* If this is an inetd call, ensure that stderr is closed to prevent panic
4738
logging being sent down the socket and make an identd call to get the
4739
sender_ident. */
4740
4741
else if (is_inetd)
4742
{
4743
(void)fclose(stderr);
4744
exim_nullstd(); /* Re-open to /dev/null */
4745
verify_get_ident(IDENT_PORT);
4746
host_build_sender_fullhost();
4747
set_process_info("handling incoming connection from %s via inetd",
4748
sender_fullhost);
4749
}
4750
4751
/* If the sender host address has been set, build sender_fullhost if it hasn't
4752
already been done (which it will have been for inetd). This caters for the
4753
case when it is forced by -oMa. However, we must flag that it isn't a socket,
4754
so that the test for IP options is skipped for -bs input. */
4755
4756
if (sender_host_address != NULL && sender_fullhost == NULL)
4757
{
4758
host_build_sender_fullhost();
4759
set_process_info("handling incoming connection from %s via -oMa",
4760
sender_fullhost);
4761
sender_host_notsocket = TRUE;
4762
}
4763
4764
/* Otherwise, set the sender host as unknown except for inetd calls. This
4765
prevents host checking in the case of -bs not from inetd and also for -bS. */
4766
4767
else if (!is_inetd) sender_host_unknown = TRUE;
4768
4769
/* If stdout does not exist, then dup stdin to stdout. This can happen
4770
if exim is started from inetd. In this case fd 0 will be set to the socket,
4771
but fd 1 will not be set. This also happens for passed SMTP channels. */
4772
4773
if (fstat(1, &statbuf) < 0) (void)dup2(0, 1);
4774
4775
/* Set up the incoming protocol name and the state of the program. Root is
4776
allowed to force received protocol via the -oMr option above. If we have come
4777
via inetd, the process info has already been set up. We don't set
4778
received_protocol here for smtp input, as it varies according to
4779
batch/HELO/EHLO/AUTH/TLS. */
4780
4781
if (smtp_input)
4782
{
4783
if (!is_inetd) set_process_info("accepting a local %sSMTP message from <%s>",
4784
smtp_batched_input? "batched " : "",
4785
(sender_address!= NULL)? sender_address : originator_login);
4786
}
4787
else
4788
{
4789
if (received_protocol == NULL)
4790
received_protocol = string_sprintf("local%s", called_as);
4791
set_process_info("accepting a local non-SMTP message from <%s>",
4792
sender_address);
4793
}
4794
4795
/* Initialize the session_local_queue-only flag (this will be ignored if
4796
mua_wrapper is set) */
4797
4798
queue_check_only();
4799
session_local_queue_only = queue_only;
4800
4801
/* For non-SMTP and for batched SMTP input, check that there is enough space on
4802
the spool if so configured. On failure, we must not attempt to send an error
4803
message! (For interactive SMTP, the check happens at MAIL FROM and an SMTP
4804
error code is given.) */
4805
4806
if ((!smtp_input || smtp_batched_input) && !receive_check_fs(0))
4807
{
4808
fprintf(stderr, "exim: insufficient disk space\n");
4809
return EXIT_FAILURE;
4810
}
4811
4812
/* If this is smtp input of any kind, real or batched, handle the start of the
4813
SMTP session.
4814
4815
NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
4816
because a log line has already been written for all its failure exists
4817
(usually "connection refused: <reason>") and writing another one is
4818
unnecessary clutter. */
4819
4820
if (smtp_input)
4821
{
4822
smtp_in = stdin;
4823
smtp_out = stdout;
4824
if (verify_check_host(&hosts_connection_nolog) == OK)
4825
log_write_selector &= ~L_smtp_connection;
4826
log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info());
4827
if (!smtp_start_session())
4828
{
4829
mac_smtp_fflush();
4830
exim_exit(EXIT_SUCCESS);
4831
}
4832
}
4833
4834
/* Otherwise, set up the input size limit here. */
4835
4836
else
4837
{
4838
thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
4839
if (expand_string_message != NULL)
4840
{
4841
if (thismessage_size_limit == -1)
4842
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand "
4843
"message_size_limit: %s", expand_string_message);
4844
else
4845
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "invalid value for "
4846
"message_size_limit: %s", expand_string_message);
4847
}
4848
}
4849
4850
/* Loop for several messages when reading SMTP input. If we fork any child
4851
processes, we don't want to wait for them unless synchronous delivery is
4852
requested, so set SIGCHLD to SIG_IGN in that case. This is not necessarily the
4853
same as SIG_DFL, despite the fact that documentation often lists the default as
4854
"ignore". This is a confusing area. This is what I know:
4855
4856
At least on some systems (e.g. Solaris), just setting SIG_IGN causes child
4857
processes that complete simply to go away without ever becoming defunct. You
4858
can't then wait for them - but we don't want to wait for them in the
4859
non-synchronous delivery case. However, this behaviour of SIG_IGN doesn't
4860
happen for all OS (e.g. *BSD is different).
4861
4862
But that's not the end of the story. Some (many? all?) systems have the
4863
SA_NOCLDWAIT option for sigaction(). This requests the behaviour that Solaris
4864
has by default, so it seems that the difference is merely one of default
4865
(compare restarting vs non-restarting signals).
4866
4867
To cover all cases, Exim sets SIG_IGN with SA_NOCLDWAIT here if it can. If not,
4868
it just sets SIG_IGN. To be on the safe side it also calls waitpid() at the end
4869
of the loop below. Paranoia rules.
4870
4871
February 2003: That's *still* not the end of the story. There are now versions
4872
of Linux (where SIG_IGN does work) that are picky. If, having set SIG_IGN, a
4873
process then calls waitpid(), a grumble is written to the system log, because
4874
this is logically inconsistent. In other words, it doesn't like the paranoia.
4875
As a consequenc of this, the waitpid() below is now excluded if we are sure
4876
that SIG_IGN works. */
4877
4878
if (!synchronous_delivery)
4879
{
4880
#ifdef SA_NOCLDWAIT
4881
struct sigaction act;
4882
act.sa_handler = SIG_IGN;
4883
sigemptyset(&(act.sa_mask));
4884
act.sa_flags = SA_NOCLDWAIT;
4885
sigaction(SIGCHLD, &act, NULL);
4886
#else
4887
signal(SIGCHLD, SIG_IGN);
4888
#endif
4889
}
4890
4891
/* Save the current store pool point, for resetting at the start of
4892
each message, and save the real sender address, if any. */
4893
4894
reset_point = store_get(0);
4895
real_sender_address = sender_address;
4896
4897
/* Loop to receive messages; receive_msg() returns TRUE if there are more
4898
messages to be read (SMTP input), or FALSE otherwise (not SMTP, or SMTP channel
4899
collapsed). */
4900
4901
while (more)
4902
{
4903
store_reset(reset_point);
4904
message_id[0] = 0;
4905
4906
/* Handle the SMTP case; call smtp_setup_mst() to deal with the initial SMTP
4907
input and build the recipients list, before calling receive_msg() to read the
4908
message proper. Whatever sender address is given in the SMTP transaction is
4909
often ignored for local senders - we use the actual sender, which is normally
4910
either the underlying user running this process or a -f argument provided by
4911
a trusted caller. It is saved in real_sender_address. The test for whether to
4912
accept the SMTP sender is encapsulated in receive_check_set_sender(). */
4913
4914
if (smtp_input)
4915
{
4916
int rc;
4917
if ((rc = smtp_setup_msg()) > 0)
4918
{
4919
if (real_sender_address != NULL &&
4920
!receive_check_set_sender(sender_address))
4921
{
4922
sender_address = raw_sender = real_sender_address;
4923
sender_address_unrewritten = NULL;
4924
}
4925
4926
/* For batched SMTP, we have to run the acl_not_smtp_start ACL, since it
4927
isn't really SMTP, so no other ACL will run until the acl_not_smtp one at
4928
the very end. The result of the ACL is ignored (as for other non-SMTP
4929
messages). It is run for its potential side effects. */
4930
4931
if (smtp_batched_input && acl_not_smtp_start != NULL)
4932
{
4933
uschar *user_msg, *log_msg;
4934
enable_dollar_recipients = TRUE;
4935
(void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
4936
&user_msg, &log_msg);
4937
enable_dollar_recipients = FALSE;
4938
}
4939
4940
/* Now get the data for the message */
4941
4942
more = receive_msg(extract_recipients);
4943
if (message_id[0] == 0)
4944
{
4945
if (more) continue;
4946
smtp_log_no_mail(); /* Log no mail if configured */
4947
exim_exit(EXIT_FAILURE);
4948
}
4949
}
4950
else
4951
{
4952
smtp_log_no_mail(); /* Log no mail if configured */
4953
exim_exit((rc == 0)? EXIT_SUCCESS : EXIT_FAILURE);
4954
}
4955
}
4956
4957
/* In the non-SMTP case, we have all the information from the command
4958
line, but must process it in case it is in the more general RFC822
4959
format, and in any case, to detect syntax errors. Also, it appears that
4960
the use of comma-separated lists as single arguments is common, so we
4961
had better support them. */
4962
4963
else
4964
{
4965
int i;
4966
int rcount = 0;
4967
int count = argc - recipients_arg;
4968
uschar **list = argv + recipients_arg;
4969
4970
/* These options cannot be changed dynamically for non-SMTP messages */
4971
4972
active_local_sender_retain = local_sender_retain;
4973
active_local_from_check = local_from_check;
4974
4975
/* Save before any rewriting */
4976
4977
raw_sender = string_copy(sender_address);
4978
4979
/* Loop for each argument */
4980
4981
for (i = 0; i < count; i++)
4982
{
4983
int start, end, domain;
4984
uschar *errmess;
4985
uschar *s = list[i];
4986
4987
/* Loop for each comma-separated address */
4988
4989
while (*s != 0)
4990
{
4991
BOOL finished = FALSE;
4992
uschar *recipient;
4993
uschar *ss = parse_find_address_end(s, FALSE);
4994
4995
if (*ss == ',') *ss = 0; else finished = TRUE;
4996
4997
/* Check max recipients - if -t was used, these aren't recipients */
4998
4999
if (recipients_max > 0 && ++rcount > recipients_max &&
5000
!extract_recipients)
5001
{
5002
if (error_handling == ERRORS_STDERR)
5003
{
5004
fprintf(stderr, "exim: too many recipients\n");
5005
exim_exit(EXIT_FAILURE);
5006
}
5007
else
5008
{
5009
return
5010
moan_to_sender(ERRMESS_TOOMANYRECIP, NULL, NULL, stdin, TRUE)?
5011
errors_sender_rc : EXIT_FAILURE;
5012
}
5013
}
5014
5015
recipient =
5016
parse_extract_address(s, &errmess, &start, &end, &domain, FALSE);
5017
5018
if (domain == 0 && !allow_unqualified_recipient)
5019
{
5020
recipient = NULL;
5021
errmess = US"unqualified recipient address not allowed";
5022
}
5023
5024
if (recipient == NULL)
5025
{
5026
if (error_handling == ERRORS_STDERR)
5027
{
5028
fprintf(stderr, "exim: bad recipient address \"%s\": %s\n",
5029
string_printing(list[i]), errmess);
5030
exim_exit(EXIT_FAILURE);
5031
}
5032
else
5033
{
5034
error_block eblock;
5035
eblock.next = NULL;
5036
eblock.text1 = string_printing(list[i]);
5037
eblock.text2 = errmess;
5038
return
5039
moan_to_sender(ERRMESS_BADARGADDRESS, &eblock, NULL, stdin, TRUE)?
5040
errors_sender_rc : EXIT_FAILURE;
5041
}
5042
}
5043
5044
receive_add_recipient(recipient, -1);
5045
s = ss;
5046
if (!finished)
5047
while (*(++s) != 0 && (*s == ',' || isspace(*s)));
5048
}
5049
}
5050
5051
/* Show the recipients when debugging */
5052
5053
DEBUG(D_receive)
5054
{
5055
int i;
5056
if (sender_address != NULL) debug_printf("Sender: %s\n", sender_address);
5057
if (recipients_list != NULL)
5058
{
5059
debug_printf("Recipients:\n");
5060
for (i = 0; i < recipients_count; i++)
5061
debug_printf(" %s\n", recipients_list[i].address);
5062
}
5063
}
5064
5065
/* Run the acl_not_smtp_start ACL if required. The result of the ACL is
5066
ignored; rejecting here would just add complication, and it can just as
5067
well be done later. Allow $recipients to be visible in the ACL. */
5068
5069
if (acl_not_smtp_start != NULL)
5070
{
5071
uschar *user_msg, *log_msg;
5072
enable_dollar_recipients = TRUE;
5073
(void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
5074
&user_msg, &log_msg);
5075
enable_dollar_recipients = FALSE;
5076
}
5077
5078
/* Read the data for the message. If filter_test is not FTEST_NONE, this
5079
will just read the headers for the message, and not write anything onto the
5080
spool. */
5081
5082
message_ended = END_NOTENDED;
5083
more = receive_msg(extract_recipients);
5084
5085
/* more is always FALSE here (not SMTP message) when reading a message
5086
for real; when reading the headers of a message for filter testing,
5087
it is TRUE if the headers were terminated by '.' and FALSE otherwise. */
5088
5089
if (message_id[0] == 0) exim_exit(EXIT_FAILURE);
5090
} /* Non-SMTP message reception */
5091
5092
/* If this is a filter testing run, there are headers in store, but
5093
no message on the spool. Run the filtering code in testing mode, setting
5094
the domain to the qualify domain and the local part to the current user,
5095
unless they have been set by options. The prefix and suffix are left unset
5096
unless specified. The the return path is set to to the sender unless it has
5097
already been set from a return-path header in the message. */
5098
5099
if (filter_test != FTEST_NONE)
5100
{
5101
deliver_domain = (ftest_domain != NULL)?
5102
ftest_domain : qualify_domain_recipient;
5103
deliver_domain_orig = deliver_domain;
5104
deliver_localpart = (ftest_localpart != NULL)?
5105
ftest_localpart : originator_login;
5106
deliver_localpart_orig = deliver_localpart;
5107
deliver_localpart_prefix = ftest_prefix;
5108
deliver_localpart_suffix = ftest_suffix;
5109
deliver_home = originator_home;
5110
5111
if (return_path == NULL)
5112
{
5113
printf("Return-path copied from sender\n");
5114
return_path = string_copy(sender_address);
5115
}
5116
else
5117
{
5118
printf("Return-path = %s\n", (return_path[0] == 0)? US"<>" : return_path);
5119
}
5120
printf("Sender = %s\n", (sender_address[0] == 0)? US"<>" : sender_address);
5121
5122
receive_add_recipient(
5123
string_sprintf("%s%s%s@%s",
5124
(ftest_prefix == NULL)? US"" : ftest_prefix,
5125
deliver_localpart,
5126
(ftest_suffix == NULL)? US"" : ftest_suffix,
5127
deliver_domain), -1);
5128
5129
printf("Recipient = %s\n", recipients_list[0].address);
5130
if (ftest_prefix != NULL) printf("Prefix = %s\n", ftest_prefix);
5131
if (ftest_suffix != NULL) printf("Suffix = %s\n", ftest_suffix);
5132
5133
(void)chdir("/"); /* Get away from wherever the user is running this from */
5134
5135
/* Now we run either a system filter test, or a user filter test, or both.
5136
In the latter case, headers added by the system filter will persist and be
5137
available to the user filter. We need to copy the filter variables
5138
explicitly. */
5139
5140
if ((filter_test & FTEST_SYSTEM) != 0)
5141
{
5142
if (!filter_runtest(filter_sfd, filter_test_sfile, TRUE, more))
5143
exim_exit(EXIT_FAILURE);
5144
}
5145
5146
memcpy(filter_sn, filter_n, sizeof(filter_sn));
5147
5148
if ((filter_test & FTEST_USER) != 0)
5149
{
5150
if (!filter_runtest(filter_ufd, filter_test_ufile, FALSE, more))
5151
exim_exit(EXIT_FAILURE);
5152
}
5153
5154
exim_exit(EXIT_SUCCESS);
5155
}
5156
5157
/* Else act on the result of message reception. We should not get here unless
5158
message_id[0] is non-zero. If queue_only is set, session_local_queue_only
5159
will be TRUE. If it is not, check on the number of messages received in this
5160
connection. */
5161
5162
if (!session_local_queue_only &&
5163
smtp_accept_queue_per_connection > 0 &&
5164
receive_messagecount > smtp_accept_queue_per_connection)
5165
{
5166
session_local_queue_only = TRUE;
5167
queue_only_reason = 2;
5168
}
5169
5170
/* Initialize local_queue_only from session_local_queue_only. If it is false,
5171
and queue_only_load is set, check that the load average is below it. If it is
5172
not, set local_queue_only TRUE. If queue_only_load_latch is true (the
5173
default), we put the whole session into queue_only mode. It then remains this
5174
way for any subsequent messages on the same SMTP connection. This is a
5175
deliberate choice; even though the load average may fall, it doesn't seem
5176
right to deliver later messages on the same call when not delivering earlier
5177
ones. However, there are odd cases where this is not wanted, so this can be
5178
changed by setting queue_only_load_latch false. */
5179
5180
local_queue_only = session_local_queue_only;
5181
if (!local_queue_only && queue_only_load >= 0)
5182
{
5183
local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load;
5184
if (local_queue_only)
5185
{
5186
queue_only_reason = 3;
5187
if (queue_only_load_latch) session_local_queue_only = TRUE;
5188
}
5189
}
5190
5191
/* If running as an MUA wrapper, all queueing options and freezing options
5192
are ignored. */
5193
5194
if (mua_wrapper)
5195
local_queue_only = queue_only_policy = deliver_freeze = FALSE;
5196
5197
/* Log the queueing here, when it will get a message id attached, but
5198
not if queue_only is set (case 0). Case 1 doesn't happen here (too many
5199
connections). */
5200
5201
if (local_queue_only) switch(queue_only_reason)
5202
{
5203
case 2:
5204
log_write(L_delay_delivery,
5205
LOG_MAIN, "no immediate delivery: more than %d messages "
5206
"received in one connection", smtp_accept_queue_per_connection);
5207
break;
5208
5209
case 3:
5210
log_write(L_delay_delivery,
5211
LOG_MAIN, "no immediate delivery: load average %.2f",
5212
(double)load_average/1000.0);
5213
break;
5214
}
5215
5216
/* Else do the delivery unless the ACL or local_scan() called for queue only
5217
or froze the message. Always deliver in a separate process. A fork failure is
5218
not a disaster, as the delivery will eventually happen on a subsequent queue
5219
run. The search cache must be tidied before the fork, as the parent will
5220
do it before exiting. The child will trigger a lookup failure and
5221
thereby defer the delivery if it tries to use (for example) a cached ldap
5222
connection that the parent has called unbind on. */
5223
5224
else if (!queue_only_policy && !deliver_freeze)
5225
{
5226
pid_t pid;
5227
search_tidyup();
5228
5229
if ((pid = fork()) == 0)
5230
{
5231
int rc;
5232
close_unwanted(); /* Close unwanted file descriptors and TLS */
5233
exim_nullstd(); /* Ensure std{in,out,err} exist */
5234
5235
/* Re-exec Exim if we need to regain privilege (note: in mua_wrapper
5236
mode, deliver_drop_privilege is forced TRUE). */
5237
5238
if (geteuid() != root_uid && !deliver_drop_privilege && !unprivileged)
5239
{
5240
(void)child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 2, US"-Mc",
5241
message_id);
5242
/* Control does not return here. */
5243
}
5244
5245
/* No need to re-exec */
5246
5247
rc = deliver_message(message_id, FALSE, FALSE);
5248
search_tidyup();
5249
_exit((!mua_wrapper || rc == DELIVER_MUA_SUCCEEDED)?
5250
EXIT_SUCCESS : EXIT_FAILURE);
5251
}
5252
5253
if (pid < 0)
5254
{
5255
log_write(0, LOG_MAIN|LOG_PANIC, "failed to fork automatic delivery "
5256
"process: %s", strerror(errno));
5257
}
5258
5259
/* In the parent, wait if synchronous delivery is required. This will
5260
always be the case in MUA wrapper mode. */
5261
5262
else if (synchronous_delivery)
5263
{
5264
int status;
5265
while (wait(&status) != pid);
5266
if ((status & 0x00ff) != 0)
5267
log_write(0, LOG_MAIN|LOG_PANIC,
5268
"process %d crashed with signal %d while delivering %s",
5269
(int)pid, status & 0x00ff, message_id);
5270
if (mua_wrapper && (status & 0xffff) != 0) exim_exit(EXIT_FAILURE);
5271
}
5272
}
5273
5274
/* The loop will repeat if more is TRUE. If we do not know know that the OS
5275
automatically reaps children (see comments above the loop), clear away any
5276
finished subprocesses here, in case there are lots of messages coming in
5277
from the same source. */
5278
5279
#ifndef SIG_IGN_WORKS
5280
while (waitpid(-1, NULL, WNOHANG) > 0);
5281
#endif
5282
}
5283
5284
exim_exit(EXIT_SUCCESS); /* Never returns */
5285
return 0; /* To stop compiler warning */
5286
}
5287
5288
/* End of exim.c */
Loggerhead is a web-based interface for Breezy
Version: 2.0.1