1
/* $Cambridge: exim/exim-src/src/exim.c,v 1.65 2009/11/16 19:50:36 nm4 Exp $ */
3
/*************************************************
4
* Exim - an Internet mail transport agent *
5
*************************************************/
7
/* Copyright (c) University of Cambridge 1995 - 2009 */
8
/* See the file NOTICE for conditions of use and distribution. */
11
/* The main function: entry point, initialization, and high-level control.
12
Also a few functions that don't naturally fit elsewhere. */
19
/*************************************************
20
* Function interface to store functions *
21
*************************************************/
23
/* We need some real functions to pass to the PCRE regular expression library
24
for store allocation via Exim's store manager. The normal calls are actually
25
macros that pass over location information to make tracing easier. These
26
functions just interface to the standard macro calls. A good compiler will
27
optimize out the tail recursion and so not make them too expensive. There
28
are two sets of functions; one for use when we want to retain the compiled
29
regular expression for a long time; the other for short-term use. */
32
function_store_get(size_t size)
34
return store_get((int)size);
38
function_dummy_free(void *block) { block = block; }
41
function_store_malloc(size_t size)
43
return store_malloc((int)size);
47
function_store_free(void *block)
55
/*************************************************
56
* Compile regular expression and panic on fail *
57
*************************************************/
59
/* This function is called when failure to compile a regular expression leads
60
to a panic exit. In other cases, pcre_compile() is called directly. In many
61
cases where this function is used, the results of the compilation are to be
62
placed in long-lived store, so we temporarily reset the store management
63
functions that PCRE uses if the use_malloc flag is set.
66
pattern the pattern to compile
67
caseless TRUE if caseless matching is required
68
use_malloc TRUE if compile into malloc store
70
Returns: pointer to the compiled pattern
74
regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc)
77
int options = PCRE_COPT;
82
pcre_malloc = function_store_malloc;
83
pcre_free = function_store_free;
85
if (caseless) options |= PCRE_CASELESS;
86
yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL);
87
pcre_malloc = function_store_get;
88
pcre_free = function_dummy_free;
90
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
91
"%s at offset %d while compiling %s", error, offset, pattern);
98
/*************************************************
99
* Execute regular expression and set strings *
100
*************************************************/
102
/* This function runs a regular expression match, and sets up the pointers to
103
the matched substrings.
106
re the compiled expression
107
subject the subject string
108
options additional PCRE options
109
setup if < 0 do full setup
110
if >= 0 setup from setup+1 onwards,
111
excluding the full matched string
113
Returns: TRUE or FALSE
117
regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
119
int ovector[3*(EXPAND_MAXN+1)];
120
int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0,
121
PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
123
if (n == 0) n = EXPAND_MAXN + 1;
127
expand_nmax = (setup < 0)? 0 : setup + 1;
128
for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
130
expand_nstring[expand_nmax] = subject + ovector[nn];
131
expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
141
/*************************************************
142
* Handler for SIGUSR1 *
143
*************************************************/
145
/* SIGUSR1 causes any exim process to write to the process log details of
146
what it is currently doing. It will only be used if the OS is capable of
147
setting up a handler that causes automatic restarting of any system call
148
that is in progress at the time.
150
Argument: the signal number (SIGUSR1)
155
usr1_handler(int sig)
157
sig = sig; /* Keep picky compilers happy */
158
log_write(0, LOG_PROCESS, "%s", process_info);
160
os_restarting_signal(SIGUSR1, usr1_handler);
165
/*************************************************
167
*************************************************/
169
/* This handler is enabled most of the time that Exim is running. The handler
170
doesn't actually get used unless alarm() has been called to set a timer, to
171
place a time limit on a system call of some kind. When the handler is run, it
174
There are some other SIGALRM handlers that are used in special cases when more
175
than just a flag setting is required; for example, when reading a message's
176
input. These are normally set up in the code module that uses them, and the
177
SIGALRM handler is reset to this one afterwards.
179
Argument: the signal value (SIGALRM)
184
sigalrm_handler(int sig)
186
sig = sig; /* Keep picky compilers happy */
188
os_non_restarting_signal(SIGALRM, sigalrm_handler);
193
/*************************************************
194
* Sleep for a fractional time interval *
195
*************************************************/
197
/* This function is called by millisleep() and exim_wait_tick() to wait for a
198
period of time that may include a fraction of a second. The coding is somewhat
199
tedious. We do not expect setitimer() ever to fail, but if it does, the process
200
will wait for ever, so we panic in this instance. (There was a case of this
201
when a bug in a function that calls milliwait() caused it to pass invalid data.
202
That's when I added the check. :-)
204
Argument: an itimerval structure containing the interval
209
milliwait(struct itimerval *itval)
212
sigset_t old_sigmask;
213
(void)sigemptyset(&sigmask); /* Empty mask */
214
(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
215
(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
216
if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
217
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
218
"setitimer() failed: %s", strerror(errno));
219
(void)sigfillset(&sigmask); /* All signals */
220
(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
221
(void)sigsuspend(&sigmask); /* Until SIGALRM */
222
(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
228
/*************************************************
229
* Millisecond sleep function *
230
*************************************************/
232
/* The basic sleep() function has a granularity of 1 second, which is too rough
233
in some cases - for example, when using an increasing delay to slow down
236
Argument: number of millseconds
243
struct itimerval itval;
244
itval.it_interval.tv_sec = 0;
245
itval.it_interval.tv_usec = 0;
246
itval.it_value.tv_sec = msec/1000;
247
itval.it_value.tv_usec = (msec % 1000) * 1000;
253
/*************************************************
254
* Compare microsecond times *
255
*************************************************/
262
Returns: -1, 0, or +1
266
exim_tvcmp(struct timeval *t1, struct timeval *t2)
268
if (t1->tv_sec > t2->tv_sec) return +1;
269
if (t1->tv_sec < t2->tv_sec) return -1;
270
if (t1->tv_usec > t2->tv_usec) return +1;
271
if (t1->tv_usec < t2->tv_usec) return -1;
278
/*************************************************
279
* Clock tick wait function *
280
*************************************************/
282
/* Exim uses a time + a pid to generate a unique identifier in two places: its
283
message IDs, and in file names for maildir deliveries. Because some OS now
284
re-use pids within the same second, sub-second times are now being used.
285
However, for absolute certaintly, we must ensure the clock has ticked before
286
allowing the relevant process to complete. At the time of implementation of
287
this code (February 2003), the speed of processors is such that the clock will
288
invariably have ticked already by the time a process has done its job. This
289
function prepares for the time when things are faster - and it also copes with
290
clocks that go backwards.
293
then_tv A timeval which was used to create uniqueness; its usec field
294
has been rounded down to the value of the resolution.
295
We want to be sure the current time is greater than this.
296
resolution The resolution that was used to divide the microseconds
297
(1 for maildir, larger for message ids)
303
exim_wait_tick(struct timeval *then_tv, int resolution)
305
struct timeval now_tv;
306
long int now_true_usec;
308
(void)gettimeofday(&now_tv, NULL);
309
now_true_usec = now_tv.tv_usec;
310
now_tv.tv_usec = (now_true_usec/resolution) * resolution;
312
if (exim_tvcmp(&now_tv, then_tv) <= 0)
314
struct itimerval itval;
315
itval.it_interval.tv_sec = 0;
316
itval.it_interval.tv_usec = 0;
317
itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
318
itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
320
/* We know that, overall, "now" is less than or equal to "then". Therefore, a
321
negative value for the microseconds is possible only in the case when "now"
322
is more than a second less than "then". That means that itval.it_value.tv_sec
323
is greater than zero. The following correction is therefore safe. */
325
if (itval.it_value.tv_usec < 0)
327
itval.it_value.tv_usec += 1000000;
328
itval.it_value.tv_sec -= 1;
331
DEBUG(D_transport|D_receive)
333
if (!running_in_test_harness)
335
debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
336
then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
337
debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
338
itval.it_value.tv_usec);
349
/*************************************************
350
* Set up processing details *
351
*************************************************/
353
/* Save a text string for dumping when SIGUSR1 is received.
354
Do checks for overruns.
356
Arguments: format and arguments, as for printf()
361
set_process_info(char *format, ...)
365
sprintf(CS process_info, "%5d ", (int)getpid());
366
len = Ustrlen(process_info);
367
va_start(ap, format);
368
if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len, format, ap))
369
Ustrcpy(process_info + len, "**** string overflowed buffer ****");
370
DEBUG(D_process_info) debug_printf("set_process_info: %s\n", process_info);
378
/*************************************************
379
* Call fopen() with umask 777 and adjust mode *
380
*************************************************/
382
/* Exim runs with umask(0) so that files created with open() have the mode that
383
is specified in the open() call. However, there are some files, typically in
384
the spool directory, that are created with fopen(). They end up world-writeable
385
if no precautions are taken. Although the spool directory is not accessible to
386
the world, this is an untidiness. So this is a wrapper function for fopen()
387
that sorts out the mode of the created file.
390
filename the file name
391
options the fopen() options
392
mode the required mode
394
Returns: the fopened FILE or NULL
398
modefopen(uschar *filename, char *options, mode_t mode)
400
mode_t saved_umask = umask(0777);
401
FILE *f = Ufopen(filename, options);
402
(void)umask(saved_umask);
403
if (f != NULL) (void)fchmod(fileno(f), mode);
410
/*************************************************
411
* Ensure stdin, stdout, and stderr exist *
412
*************************************************/
414
/* Some operating systems grumble if an exec() happens without a standard
415
input, output, and error (fds 0, 1, 2) being defined. The worry is that some
416
file will be opened and will use these fd values, and then some other bit of
417
code will assume, for example, that it can write error messages to stderr.
418
This function ensures that fds 0, 1, and 2 are open if they do not already
419
exist, by connecting them to /dev/null.
421
This function is also used to ensure that std{in,out,err} exist at all times,
422
so that if any library that Exim calls tries to use them, it doesn't crash.
434
for (i = 0; i <= 2; i++)
436
if (fstat(i, &statbuf) < 0 && errno == EBADF)
438
if (devnull < 0) devnull = open("/dev/null", O_RDWR);
439
if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
440
string_open_failed(errno, "/dev/null"));
441
if (devnull != i) (void)dup2(devnull, i);
444
if (devnull > 2) (void)close(devnull);
450
/*************************************************
451
* Close unwanted file descriptors for delivery *
452
*************************************************/
454
/* This function is called from a new process that has been forked to deliver
455
an incoming message, either directly, or using exec.
457
We want any smtp input streams to be closed in this new process. However, it
458
has been observed that using fclose() here causes trouble. When reading in -bS
459
input, duplicate copies of messages have been seen. The files will be sharing a
460
file pointer with the parent process, and it seems that fclose() (at least on
461
some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
462
least sometimes. Hence we go for closing the underlying file descriptors.
464
If TLS is active, we want to shut down the TLS library, but without molesting
465
the parent's SSL connection.
467
For delivery of a non-SMTP message, we want to close stdin and stdout (and
468
stderr unless debugging) because the calling process might have set them up as
469
pipes and be waiting for them to close before it waits for the submission
470
process to terminate. If they aren't closed, they hold up the calling process
471
until the initial delivery process finishes, which is not what we want.
473
Exception: We do want it for synchronous delivery!
475
And notwithstanding all the above, if D_resolver is set, implying resolver
476
debugging, leave stdout open, because that's where the resolver writes its
479
When we close stderr (which implies we've also closed stdout), we also get rid
480
of any controlling terminal.
492
tls_close(FALSE); /* Shut down the TLS library */
494
(void)close(fileno(smtp_in));
495
(void)close(fileno(smtp_out));
500
(void)close(0); /* stdin */
501
if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
502
if (debug_selector == 0) /* stderr */
504
if (!synchronous_delivery)
517
/*************************************************
519
*************************************************/
521
/* This function sets a new uid and gid permanently, optionally calling
522
initgroups() to set auxiliary groups. There are some special cases when running
523
Exim in unprivileged modes. In these situations the effective uid will not be
524
root; if we already have the right effective uid/gid, and don't need to
525
initialize any groups, leave things as they are.
530
igflag TRUE if initgroups() wanted
531
msg text to use in debugging output and failure log
533
Returns: nothing; bombs out on failure
537
exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
539
uid_t euid = geteuid();
540
gid_t egid = getegid();
542
if (euid == root_uid || euid != uid || egid != gid || igflag)
544
/* At least one OS returns +1 for initgroups failure, so just check for
549
struct passwd *pw = getpwuid(uid);
552
if (initgroups(pw->pw_name, gid) != 0)
553
log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
554
(long int)uid, strerror(errno));
556
else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
557
"no passwd entry for uid=%ld", (long int)uid);
560
if (setgid(gid) < 0 || setuid(uid) < 0)
562
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
563
"(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
567
/* Debugging output included uid/gid and all groups */
572
gid_t group_list[NGROUPS_MAX];
573
debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
574
(long int)geteuid(), (long int)getegid(), (long int)getpid());
575
group_count = getgroups(NGROUPS_MAX, group_list);
576
debug_printf(" auxiliary group list:");
580
for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
582
else debug_printf(" <none>");
590
/*************************************************
592
*************************************************/
594
/* Exim exits via this function so that it always clears up any open
600
Returns: does not return
608
debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
609
">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
616
/*************************************************
617
* Extract port from host address *
618
*************************************************/
620
/* Called to extract the port from the values given to -oMa and -oMi.
621
It also checks the syntax of the address, and terminates it before the
622
port data when a port is extracted.
625
address the address, with possible port on the end
627
Returns: the port, or zero if there isn't one
628
bombs out on a syntax error
632
check_port(uschar *address)
634
int port = host_address_extract_port(address);
635
if (string_is_ip_address(address, NULL) == 0)
637
fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
645
/*************************************************
646
* Test/verify an address *
647
*************************************************/
649
/* This function is called by the -bv and -bt code. It extracts a working
650
address from a full RFC 822 address. This isn't really necessary per se, but it
651
has the effect of collapsing source routes.
655
flags flag bits for verify_address()
656
exit_value to be set for failures
662
test_address(uschar *s, int flags, int *exit_value)
664
int start, end, domain;
665
uschar *parse_error = NULL;
666
uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
670
fprintf(stdout, "syntax error: %s\n", parse_error);
675
int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
676
-1, -1, NULL, NULL, NULL);
677
if (rc == FAIL) *exit_value = 2;
678
else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
684
/*************************************************
685
* Decode bit settings for log/debug *
686
*************************************************/
688
/* This function decodes a string containing bit settings in the form of +name
689
and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
690
also recognizes a numeric setting of the form =<number>, but this is not
691
intended for user use. It's an easy way for Exim to pass the debug settings
692
when it is re-exec'ed.
694
The log options are held in two unsigned ints (because there became too many
695
for one). The top bit in the table means "put in 2nd selector". This does not
696
yet apply to debug options, so the "=" facility sets only the first selector.
698
The "all" selector, which must be equal to 0xffffffff, is recognized specially.
699
It sets all the bits in both selectors. However, there is a facility for then
700
unsetting certain bits, because we want to turn off "memory" in the debug case.
702
A bad value for a debug setting is treated as an unknown option - error message
703
to stderr and die. For log settings, which come from the configuration file,
704
we write to the log on the way out...
707
selector1 address of the first bit string
708
selector2 address of the second bit string, or NULL
709
notall1 bits to exclude from "all" for selector1
710
notall2 bits to exclude from "all" for selector2
711
string the configured string
712
options the table of option names
714
which "log" or "debug"
716
Returns: nothing on success - bomb out on failure
720
decode_bits(unsigned int *selector1, unsigned int *selector2, int notall1,
721
int notall2, uschar *string, bit_table *options, int count, uschar *which)
724
if (string == NULL) return;
728
char *end; /* Not uschar */
729
*selector1 = strtoul(CS string+1, &end, 0);
730
if (*end == 0) return;
731
errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
736
/* Handle symbolic setting */
743
bit_table *start, *end;
745
while (isspace(*string)) string++;
746
if (*string == 0) return;
748
if (*string != '+' && *string != '-')
750
errmsg = string_sprintf("malformed %s_selector setting: "
751
"+ or - expected but found \"%s\"", which, string);
755
adding = *string++ == '+';
757
while (isalnum(*string) || *string == '_') string++;
761
end = options + count;
765
bit_table *middle = start + (end - start)/2;
766
int c = Ustrncmp(s, middle->name, len);
769
if (middle->name[len] != 0) c = -1; else
771
unsigned int bit = middle->bit;
772
unsigned int *selector;
774
/* The value with all bits set means "force all bits in both selectors"
775
in the case where two are being handled. However, the top bit in the
776
second selector is never set. When setting, some bits can be excluded.
779
if (bit == 0xffffffff)
783
*selector1 = 0xffffffff ^ notall1;
784
if (selector2 != NULL) *selector2 = 0x7fffffff ^ notall2;
789
if (selector2 != NULL) *selector2 = 0;
793
/* Otherwise, the 0x80000000 bit means "this value, without the top
794
bit, belongs in the second selector". */
798
if ((bit & 0x80000000) != 0)
800
selector = selector2;
803
else selector = selector1;
804
if (adding) *selector |= bit; else *selector &= ~bit;
806
break; /* Out of loop to match selector name */
809
if (c < 0) end = middle; else start = middle + 1;
810
} /* Loop to match selector name */
814
errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
815
adding? '+' : '-', len, s);
818
} /* Loop for selector names */
820
/* Handle disasters */
823
if (Ustrcmp(which, "debug") == 0)
825
fprintf(stderr, "exim: %s\n", errmsg);
828
else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
833
/*************************************************
834
* Show supported features *
835
*************************************************/
837
/* This function is called for -bV and for -d to output the optional features
838
of the current Exim binary.
840
Arguments: a FILE for printing
845
show_whats_supported(FILE *f)
847
#ifdef DB_VERSION_STRING
848
fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
849
#elif defined(BTREEVERSION) && defined(HASHVERSION)
851
fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
853
fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
855
#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
856
fprintf(f, "Probably ndbm\n");
857
#elif defined(USE_TDB)
858
fprintf(f, "Using tdb\n");
861
fprintf(f, "Probably GDBM (native mode)\n");
863
fprintf(f, "Probably GDBM (compatibility mode)\n");
867
fprintf(f, "Support for:");
868
#ifdef SUPPORT_CRYPTEQ
869
fprintf(f, " crypteq");
872
fprintf(f, " iconv()");
877
#ifdef HAVE_SETCLASSRESOURCES
878
fprintf(f, " use_setclassresources");
887
fprintf(f, " Expand_dlfunc");
889
#ifdef USE_TCP_WRAPPERS
890
fprintf(f, " TCPwrappers");
894
fprintf(f, " GnuTLS");
896
fprintf(f, " OpenSSL");
899
#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
900
fprintf(f, " translate_ip_address");
902
#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
903
fprintf(f, " move_frozen_messages");
905
#ifdef WITH_CONTENT_SCAN
906
fprintf(f, " Content_Scanning");
911
#ifdef WITH_OLD_DEMIME
912
fprintf(f, " Old_Demime");
914
#ifdef EXPERIMENTAL_SPF
915
fprintf(f, " Experimental_SPF");
917
#ifdef EXPERIMENTAL_SRS
918
fprintf(f, " Experimental_SRS");
920
#ifdef EXPERIMENTAL_BRIGHTMAIL
921
fprintf(f, " Experimental_Brightmail");
923
#ifdef EXPERIMENTAL_DCC
924
fprintf(f, " Experimental_DCC");
928
fprintf(f, "Lookups:");
929
#ifdef LOOKUP_LSEARCH
930
fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
936
fprintf(f, " dbm dbmnz");
939
fprintf(f, " dnsdb");
941
#ifdef LOOKUP_DSEARCH
942
fprintf(f, " dsearch");
945
fprintf(f, " ibase");
948
fprintf(f, " ldap ldapdn ldapm");
951
fprintf(f, " mysql");
954
fprintf(f, " nis nis0");
956
#ifdef LOOKUP_NISPLUS
957
fprintf(f, " nisplus");
960
fprintf(f, " oracle");
963
fprintf(f, " passwd");
966
fprintf(f, " pgsql");
969
fprintf(f, " sqlite");
972
fprintf(f, " testdb");
975
fprintf(f, " whoson");
979
fprintf(f, "Authenticators:");
981
fprintf(f, " cram_md5");
983
#ifdef AUTH_CYRUS_SASL
984
fprintf(f, " cyrus_sasl");
987
fprintf(f, " dovecot");
989
#ifdef AUTH_PLAINTEXT
990
fprintf(f, " plaintext");
997
fprintf(f, "Routers:");
999
fprintf(f, " accept");
1001
#ifdef ROUTER_DNSLOOKUP
1002
fprintf(f, " dnslookup");
1004
#ifdef ROUTER_IPLITERAL
1005
fprintf(f, " ipliteral");
1007
#ifdef ROUTER_IPLOOKUP
1008
fprintf(f, " iplookup");
1010
#ifdef ROUTER_MANUALROUTE
1011
fprintf(f, " manualroute");
1013
#ifdef ROUTER_QUERYPROGRAM
1014
fprintf(f, " queryprogram");
1016
#ifdef ROUTER_REDIRECT
1017
fprintf(f, " redirect");
1021
fprintf(f, "Transports:");
1022
#ifdef TRANSPORT_APPENDFILE
1023
fprintf(f, " appendfile");
1024
#ifdef SUPPORT_MAILDIR
1025
fprintf(f, "/maildir");
1027
#ifdef SUPPORT_MAILSTORE
1028
fprintf(f, "/mailstore");
1034
#ifdef TRANSPORT_AUTOREPLY
1035
fprintf(f, " autoreply");
1037
#ifdef TRANSPORT_LMTP
1038
fprintf(f, " lmtp");
1040
#ifdef TRANSPORT_PIPE
1041
fprintf(f, " pipe");
1043
#ifdef TRANSPORT_SMTP
1044
fprintf(f, " smtp");
1048
if (fixed_never_users[0] > 0)
1051
fprintf(f, "Fixed never_users: ");
1052
for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
1053
fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
1054
fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
1057
fprintf(f, "Size of off_t: %d\n", sizeof(off_t));
1059
/* This runtime check is to help diagnose library linkage mismatches which
1060
result in segfaults and the like; as such, it's left until the end,
1061
just in case. There will still be a "Configuration file is" line still to
1064
tls_version_report(f);
1071
/*************************************************
1072
* Quote a local part *
1073
*************************************************/
1075
/* This function is used when a sender address or a From: or Sender: header
1076
line is being created from the caller's login, or from an authenticated_id. It
1077
applies appropriate quoting rules for a local part.
1079
Argument: the local part
1080
Returns: the local part, quoted if necessary
1084
local_part_quote(uschar *lpart)
1086
BOOL needs_quote = FALSE;
1091
for (t = lpart; !needs_quote && *t != 0; t++)
1093
needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1094
(*t != '.' || t == lpart || t[1] == 0);
1097
if (!needs_quote) return lpart;
1100
yield = string_cat(NULL, &size, &ptr, US"\"", 1);
1104
uschar *nq = US Ustrpbrk(lpart, "\\\"");
1107
yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart));
1110
yield = string_cat(yield, &size, &ptr, lpart, nq - lpart);
1111
yield = string_cat(yield, &size, &ptr, US"\\", 1);
1112
yield = string_cat(yield, &size, &ptr, nq, 1);
1116
yield = string_cat(yield, &size, &ptr, US"\"", 1);
1124
/*************************************************
1125
* Load readline() functions *
1126
*************************************************/
1128
/* This function is called from testing executions that read data from stdin,
1129
but only when running as the calling user. Currently, only -be does this. The
1130
function loads the readline() function library and passes back the functions.
1131
On some systems, it needs the curses library, so load that too, but try without
1132
it if loading fails. All this functionality has to be requested at build time.
1135
fn_readline_ptr pointer to where to put the readline pointer
1136
fn_addhist_ptr pointer to where to put the addhistory function
1138
Returns: the dlopen handle or NULL on failure
1142
set_readline(char * (**fn_readline_ptr)(char *),
1143
char * (**fn_addhist_ptr)(char *))
1146
void *dlhandle_curses = dlopen("libcurses.so", RTLD_GLOBAL|RTLD_LAZY);
1148
dlhandle = dlopen("libreadline.so", RTLD_GLOBAL|RTLD_NOW);
1149
if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1151
if (dlhandle != NULL)
1153
*fn_readline_ptr = (char *(*)(char*))dlsym(dlhandle, "readline");
1154
*fn_addhist_ptr = (char *(*)(char*))dlsym(dlhandle, "add_history");
1158
DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1167
/*************************************************
1168
* Get a line from stdin for testing things *
1169
*************************************************/
1171
/* This function is called when running tests that can take a number of lines
1172
of input (for example, -be and -bt). It handles continuations and trailing
1173
spaces. And prompting and a blank line output on eof. If readline() is in use,
1174
the arguments are non-NULL and provide the relevant functions.
1177
fn_readline readline function or NULL
1178
fn_addhist addhist function or NULL
1180
Returns: pointer to dynamic memory, or NULL at end of file
1184
get_stdinput(char *(*fn_readline)(char *), char *(*fn_addhist)(char *))
1189
uschar *yield = NULL;
1191
if (fn_readline == NULL) { printf("> "); fflush(stdout); }
1195
uschar buffer[1024];
1199
char *readline_line = NULL;
1200
if (fn_readline != NULL)
1202
if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1203
if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1204
p = US readline_line;
1209
/* readline() not in use */
1212
if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1216
/* Handle the line */
1218
ss = p + (int)Ustrlen(p);
1219
while (ss > p && isspace(ss[-1])) ss--;
1223
while (p < ss && isspace(*p)) p++; /* leading space after cont */
1226
yield = string_cat(yield, &size, &ptr, p, ss - p);
1229
if (fn_readline != NULL) free(readline_line);
1232
if (ss == p || yield[ptr-1] != '\\')
1240
if (yield == NULL) printf("\n");
1246
/*************************************************
1247
* Output usage information for the program *
1248
*************************************************/
1250
/* This function is called when there are no recipients
1251
or a specific --help argument was added.
1254
progname information on what name we were called by
1256
Returns: DOES NOT RETURN
1260
exim_usage(uschar *progname)
1263
/* Handle specific program invocation varients */
1264
if (Ustrcmp(progname, US"-mailq") == 0)
1267
"mailq - list the contents of the mail queue\n\n"
1268
"For a list of options, see the Exim documentation.\n");
1272
/* Generic usage - we output this whatever happens */
1274
"Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1275
"not directly from a shell command line. Options and/or arguments control\n"
1276
"what it does when called. For a list of options, see the Exim documentation.\n");
1283
/*************************************************
1284
* Validate that the macros given are okay *
1285
*************************************************/
1287
/* Typically, Exim will drop privileges if macros are supplied. In some
1288
cases, we want to not do so.
1290
Arguments: none (macros is a global)
1291
Returns: true if trusted, false otherwise
1295
macros_trusted(void)
1297
#ifdef WHITELIST_D_MACROS
1299
uschar *whitelisted, *end, *p, **whites, **w;
1300
int white_count, i, n;
1302
BOOL prev_char_item, found;
1307
#ifndef WHITELIST_D_MACROS
1311
/* We only trust -D overrides for some invoking users:
1312
root, the exim run-time user, the optional config owner user.
1313
I don't know why config-owner would be needed, but since they can own the
1314
config files anyway, there's no security risk to letting them override -D. */
1315
if ( ! ((real_uid == root_uid)
1316
|| (real_uid == exim_uid)
1317
#ifdef CONFIGURE_OWNER
1318
|| (real_uid == config_uid)
1322
debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1326
/* Get a list of macros which are whitelisted */
1327
whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1328
prev_char_item = FALSE;
1330
for (p = whitelisted; *p != '\0'; ++p)
1332
if (*p == ':' || isspace(*p))
1337
prev_char_item = FALSE;
1340
if (!prev_char_item)
1341
prev_char_item = TRUE;
1348
whites = store_malloc(sizeof(uschar *) * (white_count+1));
1349
for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1354
if (i == white_count)
1356
while (*p != '\0' && p < end)
1362
/* The list of macros should be very short. Accept the N*M complexity. */
1363
for (m = macros; m != NULL; m = m->next)
1366
for (w = whites; *w; ++w)
1367
if (Ustrcmp(*w, m->name) == 0)
1374
if (m->replacement == NULL)
1376
len = Ustrlen(m->replacement);
1379
n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1380
0, PCRE_EOPT, NULL, 0);
1383
if (n != PCRE_ERROR_NOMATCH)
1384
debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1388
debug_printf("macros_trusted overriden to true by whitelisting\n");
1394
/*************************************************
1395
* Entry point and high-level code *
1396
*************************************************/
1398
/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1399
the appropriate action. All the necessary functions are present in the one
1400
binary. I originally thought one should split it up, but it turns out that so
1401
much of the apparatus is needed in each chunk that one might as well just have
1402
it all available all the time, which then makes the coding easier as well.
1405
argc count of entries in argv
1406
argv argument strings, with argv[0] being the program name
1408
Returns: EXIT_SUCCESS if terminated successfully
1409
EXIT_FAILURE otherwise, except when a message has been sent
1410
to the sender, and -oee was given
1414
main(int argc, char **cargv)
1416
uschar **argv = USS cargv;
1417
int arg_receive_timeout = -1;
1418
int arg_smtp_receive_timeout = -1;
1419
int arg_error_handling = error_handling;
1420
int filter_sfd = -1;
1421
int filter_ufd = -1;
1424
int list_queue_option = 0;
1426
int msg_action_arg = -1;
1427
int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1428
int queue_only_reason = 0;
1430
int perl_start_option = 0;
1432
int recipients_arg = argc;
1433
int sender_address_domain = 0;
1434
int test_retry_arg = -1;
1435
int test_rewrite_arg = -1;
1436
BOOL arg_queue_only = FALSE;
1437
BOOL bi_option = FALSE;
1438
BOOL checking = FALSE;
1439
BOOL count_queue = FALSE;
1440
BOOL expansion_test = FALSE;
1441
BOOL extract_recipients = FALSE;
1442
BOOL forced_delivery = FALSE;
1443
BOOL f_end_dot = FALSE;
1444
BOOL deliver_give_up = FALSE;
1445
BOOL list_queue = FALSE;
1446
BOOL list_options = FALSE;
1447
BOOL local_queue_only;
1449
BOOL one_msg_action = FALSE;
1450
BOOL queue_only_set = FALSE;
1451
BOOL receiving_message = TRUE;
1452
BOOL sender_ident_set = FALSE;
1453
BOOL session_local_queue_only;
1455
BOOL removed_privilege = FALSE;
1456
BOOL usage_wanted = FALSE;
1457
BOOL verify_address_mode = FALSE;
1458
BOOL verify_as_sender = FALSE;
1459
BOOL version_printed = FALSE;
1460
uschar *alias_arg = NULL;
1461
uschar *called_as = US"";
1462
uschar *start_queue_run_id = NULL;
1463
uschar *stop_queue_run_id = NULL;
1464
uschar *expansion_test_message = NULL;
1465
uschar *ftest_domain = NULL;
1466
uschar *ftest_localpart = NULL;
1467
uschar *ftest_prefix = NULL;
1468
uschar *ftest_suffix = NULL;
1469
uschar *real_sender_address;
1470
uschar *originator_home = US"/";
1474
struct stat statbuf;
1475
pid_t passed_qr_pid = (pid_t)0;
1476
int passed_qr_pipe = -1;
1477
gid_t group_list[NGROUPS_MAX];
1479
/* Possible options for -R and -S */
1481
static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1483
/* Need to define this in case we need to change the environment in order
1484
to get rid of a bogus time zone. We have to make it char rather than uschar
1485
because some OS define it in /usr/include/unistd.h. */
1487
extern char **environ;
1489
/* If the Exim user and/or group and/or the configuration file owner/group were
1490
defined by ref:name at build time, we must now find the actual uid/gid values.
1491
This is a feature to make the lives of binary distributors easier. */
1493
#ifdef EXIM_USERNAME
1494
if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1496
exim_gid = pw->pw_gid;
1500
fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1506
#ifdef EXIM_GROUPNAME
1507
if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1509
fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1515
#ifdef CONFIGURE_OWNERNAME
1516
if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1518
fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1519
CONFIGURE_OWNERNAME);
1524
/* We default the system_filter_user to be the Exim run-time user, as a
1525
sane non-root value. */
1526
system_filter_uid = exim_uid;
1528
#ifdef CONFIGURE_GROUPNAME
1529
if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1531
fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1532
CONFIGURE_GROUPNAME);
1537
/* In the Cygwin environment, some initialization needs doing. It is fudged
1538
in by means of this macro. */
1544
/* Check a field which is patched when we are running Exim within its
1545
testing harness; do a fast initial check, and then the whole thing. */
1547
running_in_test_harness =
1548
*running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1550
/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1551
at the start of a program; however, it seems that some environments do not
1552
follow this. A "strange" locale can affect the formatting of timestamps, so we
1555
setlocale(LC_ALL, "C");
1557
/* Set up the default handler for timing using alarm(). */
1559
os_non_restarting_signal(SIGALRM, sigalrm_handler);
1561
/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1562
because store_malloc writes a log entry on failure. */
1564
log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
1565
if (log_buffer == NULL)
1567
fprintf(stderr, "exim: failed to get store for log buffer\n");
1571
/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1572
NULL when the daemon is run and the file is closed. We have to use this
1573
indirection, because some systems don't allow writing to the variable "stderr".
1576
if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1578
/* Arrange for the PCRE regex library to use our store functions. Note that
1579
the normal calls are actually macros that add additional arguments for
1580
debugging purposes so we have to assign specially constructed functions here.
1581
The default is to use store in the stacking pool, but this is overridden in the
1582
regex_must_compile() function. */
1584
pcre_malloc = function_store_get;
1585
pcre_free = function_dummy_free;
1587
/* Ensure there is a big buffer for temporary use in several places. It is put
1588
in malloc store so that it can be freed for enlargement if necessary. */
1590
big_buffer = store_malloc(big_buffer_size);
1592
/* Set up the handler for the data request signal, and set the initial
1593
descriptive text. */
1595
set_process_info("initializing");
1596
os_restarting_signal(SIGUSR1, usr1_handler);
1598
/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1599
in the daemon code. For the rest of Exim's uses, we ignore it. */
1601
signal(SIGHUP, SIG_IGN);
1603
/* We don't want to die on pipe errors as the code is written to handle
1604
the write error instead. */
1606
signal(SIGPIPE, SIG_IGN);
1608
/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1609
set to SIG_IGN. This causes subprocesses that complete before the parent
1610
process waits for them not to hang around, so when Exim calls wait(), nothing
1611
is there. The wait() code has been made robust against this, but let's ensure
1612
that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1613
ending status. We use sigaction rather than plain signal() on those OS where
1614
SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1615
problem on AIX with this.) */
1619
struct sigaction act;
1620
act.sa_handler = SIG_DFL;
1621
sigemptyset(&(act.sa_mask));
1623
sigaction(SIGCHLD, &act, NULL);
1626
signal(SIGCHLD, SIG_DFL);
1629
/* Save the arguments for use if we re-exec exim as a daemon after receiving
1634
/* Set up the version number. Set up the leading 'E' for the external form of
1635
message ids, set the pointer to the internal form, and initialize it to
1636
indicate no message being processed. */
1639
message_id_option[0] = '-';
1640
message_id_external = message_id_option + 1;
1641
message_id_external[0] = 'E';
1642
message_id = message_id_external + 1;
1645
/* Set the umask to zero so that any files Exim creates using open() are
1646
created with the modes that it specifies. NOTE: Files created with fopen() have
1647
a problem, which was not recognized till rather late (February 2006). With this
1648
umask, such files will be world writeable. (They are all content scanning files
1649
in the spool directory, which isn't world-accessible, so this is not a
1650
disaster, but it's untidy.) I don't want to change this overall setting,
1651
however, because it will interact badly with the open() calls. Instead, there's
1652
now a function called modefopen() that fiddles with the umask while calling
1657
/* Precompile the regular expression for matching a message id. Keep this in
1658
step with the code that generates ids in the accept.c module. We need to do
1659
this here, because the -M options check their arguments for syntactic validity
1660
using mac_ismsgid, which uses this. */
1663
regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1665
/* Precompile the regular expression that is used for matching an SMTP error
1666
code, possibly extended, at the start of an error message. Note that the
1667
terminating whitespace character is included. */
1670
regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1673
#ifdef WHITELIST_D_MACROS
1674
/* Precompile the regular expression used to filter the content of macros
1675
given to -D for permissibility. */
1677
regex_whitelisted_macro =
1678
regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1682
/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1683
this seems to be a generally accepted convention, since one finds symbolic
1684
links called "mailq" in standard OS configurations. */
1686
if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1687
(namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1690
receiving_message = FALSE;
1691
called_as = US"-mailq";
1694
/* If the program is called as "rmail" treat it as equivalent to
1695
"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1696
i.e. preventing a single dot on a line from terminating the message, and
1697
returning with zero return code, even in cases of error (provided an error
1698
message has been sent). */
1700
if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1701
(namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1704
called_as = US"-rmail";
1705
errors_sender_rc = EXIT_SUCCESS;
1708
/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1709
this is a smail convention. */
1711
if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1712
(namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1714
smtp_input = smtp_batched_input = TRUE;
1715
called_as = US"-rsmtp";
1718
/* If the program is called as "runq" treat it as equivalent to "exim -q";
1719
this is a smail convention. */
1721
if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1722
(namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1725
receiving_message = FALSE;
1726
called_as = US"-runq";
1729
/* If the program is called as "newaliases" treat it as equivalent to
1730
"exim -bi"; this is a sendmail convention. */
1732
if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1733
(namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1736
receiving_message = FALSE;
1737
called_as = US"-newaliases";
1740
/* Save the original effective uid for a couple of uses later. It should
1741
normally be root, but in some esoteric environments it may not be. */
1743
original_euid = geteuid();
1745
/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1746
to be the same as the real ones. This makes a difference only if Exim is setuid
1747
(or setgid) to something other than root, which could be the case in some
1748
special configurations. */
1750
real_uid = getuid();
1751
real_gid = getgid();
1753
if (real_uid == root_uid)
1759
/* If neither the original real uid nor the original euid was root, Exim is
1760
running in an unprivileged state. */
1762
unprivileged = (real_uid != root_uid && original_euid != root_uid);
1764
/* If the first argument is --help, set usage_wanted and pretend there
1765
are no arguments. This will cause a brief message to be given. We do
1766
the message generation downstream so we can pick up how we were invoked */
1768
if (argc > 1 && Ustrcmp(argv[1], "--help") == 0)
1771
usage_wanted = TRUE;
1774
/* Scan the program's arguments. Some can be dealt with right away; others are
1775
simply recorded for checking and handling afterwards. Do a high-level switch
1776
on the second character (the one after '-'), to save some effort. */
1778
for (i = 1; i < argc; i++)
1780
BOOL badarg = FALSE;
1781
uschar *arg = argv[i];
1785
/* An argument not starting with '-' is the start of a recipients list;
1786
break out of the options-scanning loop. */
1794
/* An option consistion of -- terminates the options */
1796
if (Ustrcmp(arg, "--") == 0)
1798
recipients_arg = i + 1;
1802
/* Handle flagged options */
1804
switchchar = arg[1];
1807
/* Make all -ex options synonymous with -oex arguments, since that
1808
is assumed by various callers. Also make -qR options synonymous with -R
1809
options, as that seems to be required as well. Allow for -qqR too, and
1810
the same for -S options. */
1812
if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1813
Ustrncmp(arg+1, "qR", 2) == 0 ||
1814
Ustrncmp(arg+1, "qS", 2) == 0)
1816
switchchar = arg[2];
1819
else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1821
switchchar = arg[3];
1823
queue_2stage = TRUE;
1826
/* Make -r synonymous with -f, since it is a documented alias */
1828
else if (arg[1] == 'r') switchchar = 'f';
1830
/* Make -ov synonymous with -v */
1832
else if (Ustrcmp(arg, "-ov") == 0)
1838
/* High-level switch on active initial letter */
1842
/* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1843
so has no need of it. */
1846
if (*argrest == 0) i++; /* Skip over the type */
1851
receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1853
/* -bd: Run in daemon mode, awaiting SMTP connections.
1854
-bdf: Ditto, but in the foreground.
1857
if (*argrest == 'd')
1859
daemon_listen = TRUE;
1860
if (*(++argrest) == 'f') background_daemon = FALSE;
1861
else if (*argrest != 0) { badarg = TRUE; break; }
1864
/* -be: Run in expansion test mode
1865
-bem: Ditto, but read a message from a file first
1868
else if (*argrest == 'e')
1870
expansion_test = checking = TRUE;
1871
if (argrest[1] == 'm')
1873
if (++i >= argc) { badarg = TRUE; break; }
1874
expansion_test_message = argv[i];
1877
if (argrest[1] != 0) { badarg = TRUE; break; }
1880
/* -bF: Run system filter test */
1882
else if (*argrest == 'F')
1884
filter_test |= FTEST_SYSTEM;
1885
if (*(++argrest) != 0) { badarg = TRUE; break; }
1886
if (++i < argc) filter_test_sfile = argv[i]; else
1888
fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1893
/* -bf: Run user filter test
1894
-bfd: Set domain for filter testing
1895
-bfl: Set local part for filter testing
1896
-bfp: Set prefix for filter testing
1897
-bfs: Set suffix for filter testing
1900
else if (*argrest == 'f')
1902
if (*(++argrest) == 0)
1904
filter_test |= FTEST_USER;
1905
if (++i < argc) filter_test_ufile = argv[i]; else
1907
fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1915
fprintf(stderr, "exim: string expected after %s\n", arg);
1918
if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
1919
else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
1920
else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
1921
else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
1922
else { badarg = TRUE; break; }
1926
/* -bh: Host checking - an IP address must follow. */
1928
else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
1930
if (++i >= argc) { badarg = TRUE; break; }
1931
sender_host_address = argv[i];
1932
host_checking = checking = log_testing_mode = TRUE;
1933
host_checking_callout = argrest[1] == 'c';
1936
/* -bi: This option is used by sendmail to initialize *the* alias file,
1937
though it has the -oA option to specify a different file. Exim has no
1938
concept of *the* alias file, but since Sun's YP make script calls
1939
sendmail this way, some support must be provided. */
1941
else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
1943
/* -bm: Accept and deliver message - the default option. Reinstate
1944
receiving_message, which got turned off for all -b options. */
1946
else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
1948
/* -bnq: For locally originating messages, do not qualify unqualified
1949
addresses. In the envelope, this causes errors; in header lines they
1952
else if (Ustrcmp(argrest, "nq") == 0)
1954
allow_unqualified_sender = FALSE;
1955
allow_unqualified_recipient = FALSE;
1958
/* -bpxx: List the contents of the mail queue, in various forms. If
1959
the option is -bpc, just a queue count is needed. Otherwise, if the
1960
first letter after p is r, then order is random. */
1962
else if (*argrest == 'p')
1964
if (*(++argrest) == 'c')
1967
if (*(++argrest) != 0) badarg = TRUE;
1971
if (*argrest == 'r')
1973
list_queue_option = 8;
1976
else list_queue_option = 0;
1980
/* -bp: List the contents of the mail queue, top-level only */
1982
if (*argrest == 0) {}
1984
/* -bpu: List the contents of the mail queue, top-level undelivered */
1986
else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
1988
/* -bpa: List the contents of the mail queue, including all delivered */
1990
else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
1992
/* Unknown after -bp[r] */
2002
/* -bP: List the configuration variables given as the address list.
2003
Force -v, so configuration errors get displayed. */
2005
else if (Ustrcmp(argrest, "P") == 0)
2007
list_options = TRUE;
2008
debug_selector |= D_v;
2009
debug_file = stderr;
2012
/* -brt: Test retry configuration lookup */
2014
else if (Ustrcmp(argrest, "rt") == 0)
2016
test_retry_arg = i + 1;
2020
/* -brw: Test rewrite configuration */
2022
else if (Ustrcmp(argrest, "rw") == 0)
2024
test_rewrite_arg = i + 1;
2028
/* -bS: Read SMTP commands on standard input, but produce no replies -
2029
all errors are reported by sending messages. */
2031
else if (Ustrcmp(argrest, "S") == 0)
2032
smtp_input = smtp_batched_input = receiving_message = TRUE;
2034
/* -bs: Read SMTP commands on standard input and produce SMTP replies
2035
on standard output. */
2037
else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2039
/* -bt: address testing mode */
2041
else if (Ustrcmp(argrest, "t") == 0)
2042
address_test_mode = checking = log_testing_mode = TRUE;
2044
/* -bv: verify addresses */
2046
else if (Ustrcmp(argrest, "v") == 0)
2047
verify_address_mode = checking = log_testing_mode = TRUE;
2049
/* -bvs: verify sender addresses */
2051
else if (Ustrcmp(argrest, "vs") == 0)
2053
verify_address_mode = checking = log_testing_mode = TRUE;
2054
verify_as_sender = TRUE;
2057
/* -bV: Print version string and support details */
2059
else if (Ustrcmp(argrest, "V") == 0)
2061
printf("Exim version %s #%s built %s\n", version_string,
2062
version_cnumber, version_date);
2063
printf("%s\n", CS version_copyright);
2064
version_printed = TRUE;
2065
show_whats_supported(stdout);
2072
/* -C: change configuration file list; ignore if it isn't really
2073
a change! Enforce a prefix check if required. */
2078
if(++i < argc) argrest = argv[i]; else
2079
{ badarg = TRUE; break; }
2081
if (Ustrcmp(config_main_filelist, argrest) != 0)
2083
#ifdef ALT_CONFIG_PREFIX
2085
int len = Ustrlen(ALT_CONFIG_PREFIX);
2086
uschar *list = argrest;
2088
while((filename = string_nextinlist(&list, &sep, big_buffer,
2089
big_buffer_size)) != NULL)
2091
if ((Ustrlen(filename) < len ||
2092
Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2093
Ustrstr(filename, "/../") != NULL) &&
2094
(Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2096
fprintf(stderr, "-C Permission denied\n");
2101
if (real_uid != root_uid)
2103
#ifdef TRUSTED_CONFIG_LIST
2105
if (real_uid != exim_uid
2106
#ifdef CONFIGURE_OWNER
2107
&& real_uid != config_uid
2110
trusted_config = FALSE;
2113
FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2116
struct stat statbuf;
2118
if (fstat(fileno(trust_list), &statbuf) != 0 ||
2119
(statbuf.st_uid != root_uid /* owner not root */
2120
#ifdef CONFIGURE_OWNER
2121
&& statbuf.st_uid != config_uid /* owner not the special one */
2124
(statbuf.st_gid != root_gid /* group not root */
2125
#ifdef CONFIGURE_GROUP
2126
&& statbuf.st_gid != config_gid /* group not the special one */
2128
&& (statbuf.st_mode & 020) != 0 /* group writeable */
2130
(statbuf.st_mode & 2) != 0) /* world writeable */
2132
trusted_config = FALSE;
2137
/* Well, the trust list at least is up to scratch... */
2138
void *reset_point = store_get(0);
2139
uschar *trusted_configs[32];
2143
while (Ufgets(big_buffer, big_buffer_size, trust_list))
2145
uschar *start = big_buffer, *nl;
2146
while (*start && isspace(*start))
2150
nl = Ustrchr(start, '\n');
2153
trusted_configs[nr_configs++] = string_copy(start);
2154
if (nr_configs == 32)
2162
uschar *list = argrest;
2164
while (trusted_config && (filename = string_nextinlist(&list,
2165
&sep, big_buffer, big_buffer_size)) != NULL)
2167
for (i=0; i < nr_configs; i++)
2169
if (Ustrcmp(filename, trusted_configs[i]) == 0)
2172
if (i == nr_configs)
2174
trusted_config = FALSE;
2178
store_reset(reset_point);
2182
/* No valid prefixes found in trust_list file. */
2183
trusted_config = FALSE;
2189
/* Could not open trust_list file. */
2190
trusted_config = FALSE;
2194
/* Not root; don't trust config */
2195
trusted_config = FALSE;
2199
config_main_filelist = argrest;
2200
config_changed = TRUE;
2205
/* -D: set up a macro definition */
2208
#ifdef DISABLE_D_OPTION
2209
fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2214
macro_item *mlast = NULL;
2217
uschar *s = argrest;
2219
while (isspace(*s)) s++;
2221
if (*s < 'A' || *s > 'Z')
2223
fprintf(stderr, "exim: macro name set by -D must start with "
2224
"an upper case letter\n");
2228
while (isalnum(*s) || *s == '_')
2230
if (ptr < sizeof(name)-1) name[ptr++] = *s;
2234
if (ptr == 0) { badarg = TRUE; break; }
2235
while (isspace(*s)) s++;
2238
if (*s++ != '=') { badarg = TRUE; break; }
2239
while (isspace(*s)) s++;
2242
for (m = macros; m != NULL; m = m->next)
2244
if (Ustrcmp(m->name, name) == 0)
2246
fprintf(stderr, "exim: duplicated -D in command line\n");
2252
m = store_get(sizeof(macro_item) + Ustrlen(name));
2254
m->command_line = TRUE;
2255
if (mlast == NULL) macros = m; else mlast->next = m;
2256
Ustrcpy(m->name, name);
2257
m->replacement = string_copy(s);
2259
if (clmacro_count >= MAX_CLMACROS)
2261
fprintf(stderr, "exim: too many -D options on command line\n");
2264
clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2270
/* -d: Set debug level (see also -v below) or set the drop_cr option.
2271
The latter is now a no-op, retained for compatibility only. If -dd is used,
2272
debugging subprocesses of the daemon is disabled. */
2275
if (Ustrcmp(argrest, "ropcr") == 0)
2277
/* drop_cr = TRUE; */
2280
/* Use an intermediate variable so that we don't set debugging while
2281
decoding the debugging bits. */
2285
unsigned int selector = D_default;
2288
if (*argrest == 'd')
2290
debug_daemon = TRUE;
2294
decode_bits(&selector, NULL, D_memory, 0, argrest, debug_options,
2295
debug_options_count, US"debug");
2296
debug_selector = selector;
2301
/* -E: This is a local error message. This option is not intended for
2302
external use at all, but is not restricted to trusted callers because it
2303
does no harm (just suppresses certain error messages) and if Exim is run
2304
not setuid root it won't always be trusted when it generates error
2305
messages using this option. If there is a message id following -E, point
2306
message_reference at it, for logging. */
2309
local_error_message = TRUE;
2310
if (mac_ismsgid(argrest)) message_reference = argrest;
2314
/* -ex: The vacation program calls sendmail with the undocumented "-eq"
2315
option, so it looks as if historically the -oex options are also callable
2316
without the leading -o. So we have to accept them. Before the switch,
2317
anything starting -oe has been converted to -e. Exim does not support all
2318
of the sendmail error options. */
2321
if (Ustrcmp(argrest, "e") == 0)
2323
arg_error_handling = ERRORS_SENDER;
2324
errors_sender_rc = EXIT_SUCCESS;
2326
else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2327
else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2328
else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2329
else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2334
/* -F: Set sender's full name, used instead of the gecos entry from
2335
the password file. Since users can usually alter their gecos entries,
2336
there's no security involved in using this instead. The data can follow
2337
the -F or be in the next argument. */
2342
if(++i < argc) argrest = argv[i]; else
2343
{ badarg = TRUE; break; }
2345
originator_name = argrest;
2346
sender_name_forced = TRUE;
2350
/* -f: Set sender's address - this value is only actually used if Exim is
2351
run by a trusted user, or if untrusted_set_sender is set and matches the
2352
address, except that the null address can always be set by any user. The
2353
test for this happens later, when the value given here is ignored when not
2354
permitted. For an untrusted user, the actual sender is still put in Sender:
2355
if it doesn't match the From: header (unless no_local_from_check is set).
2356
The data can follow the -f or be in the next argument. The -r switch is an
2357
obsolete form of -f but since there appear to be programs out there that
2358
use anything that sendmail has ever supported, better accept it - the
2359
synonymizing is done before the switch above.
2361
At this stage, we must allow domain literal addresses, because we don't
2362
know what the setting of allow_domain_literals is yet. Ditto for trailing
2363
dots and strip_trailing_dot. */
2371
if (i+1 < argc) argrest = argv[++i]; else
2372
{ badarg = TRUE; break; }
2376
sender_address = string_sprintf(""); /* Ensure writeable memory */
2380
uschar *temp = argrest + Ustrlen(argrest) - 1;
2381
while (temp >= argrest && isspace(*temp)) temp--;
2382
if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2383
allow_domain_literals = TRUE;
2384
strip_trailing_dot = TRUE;
2385
sender_address = parse_extract_address(argrest, &errmess, &start, &end,
2386
&sender_address_domain, TRUE);
2387
allow_domain_literals = FALSE;
2388
strip_trailing_dot = FALSE;
2389
if (sender_address == NULL)
2391
fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2392
return EXIT_FAILURE;
2395
sender_address_forced = TRUE;
2399
/* This is some Sendmail thing which can be ignored */
2404
/* -h: Set the hop count for an incoming message. Exim does not currently
2405
support this; it always computes it by counting the Received: headers.
2406
To put it in will require a change to the spool header file format. */
2411
if(++i < argc) argrest = argv[i]; else
2412
{ badarg = TRUE; break; }
2414
if (!isdigit(*argrest)) badarg = TRUE;
2418
/* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2419
not to be documented for sendmail but mailx (at least) uses it) */
2422
if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2427
receiving_message = FALSE;
2429
/* -MC: continue delivery of another message via an existing open
2430
file descriptor. This option is used for an internal call by the
2431
smtp transport when there is a pending message waiting to go to an
2432
address to which it has got a connection. Five subsequent arguments are
2433
required: transport name, host name, IP address, sequence number, and
2434
message_id. Transports may decline to create new processes if the sequence
2435
number gets too big. The channel is stdin. This (-MC) must be the last
2436
argument. There's a subsequent check that the real-uid is privileged.
2438
If we are running in the test harness. delay for a bit, to let the process
2439
that set this one up complete. This makes for repeatability of the logging,
2442
if (Ustrcmp(argrest, "C") == 0)
2444
union sockaddr_46 interface_sock;
2445
EXIM_SOCKLEN_T size = sizeof(interface_sock);
2449
fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2450
return EXIT_FAILURE;
2453
if (msg_action_arg >= 0)
2455
fprintf(stderr, "exim: incompatible arguments\n");
2456
return EXIT_FAILURE;
2459
continue_transport = argv[++i];
2460
continue_hostname = argv[++i];
2461
continue_host_address = argv[++i];
2462
continue_sequence = Uatoi(argv[++i]);
2463
msg_action = MSG_DELIVER;
2464
msg_action_arg = ++i;
2465
forced_delivery = TRUE;
2466
queue_run_pid = passed_qr_pid;
2467
queue_run_pipe = passed_qr_pipe;
2469
if (!mac_ismsgid(argv[i]))
2471
fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2473
return EXIT_FAILURE;
2476
/* Set up $sending_ip_address and $sending_port */
2478
if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2480
sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2484
fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2486
return EXIT_FAILURE;
2489
if (running_in_test_harness) millisleep(500);
2493
/* -MCA: set the smtp_authenticated flag; this is useful only when it
2494
precedes -MC (see above). The flag indicates that the host to which
2495
Exim is connected has accepted an AUTH sequence. */
2497
else if (Ustrcmp(argrest, "CA") == 0)
2499
smtp_authenticated = TRUE;
2503
/* -MCP: set the smtp_use_pipelining flag; this is useful only when
2504
it preceded -MC (see above) */
2506
else if (Ustrcmp(argrest, "CP") == 0)
2508
smtp_use_pipelining = TRUE;
2512
/* -MCQ: pass on the pid of the queue-running process that started
2513
this chain of deliveries and the fd of its synchronizing pipe; this
2514
is useful only when it precedes -MC (see above) */
2516
else if (Ustrcmp(argrest, "CQ") == 0)
2518
if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2520
if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2525
/* -MCS: set the smtp_use_size flag; this is useful only when it
2526
precedes -MC (see above) */
2528
else if (Ustrcmp(argrest, "CS") == 0)
2530
smtp_use_size = TRUE;
2534
/* -MCT: set the tls_offered flag; this is useful only when it
2535
precedes -MC (see above). The flag indicates that the host to which
2536
Exim is connected has offered TLS support. */
2539
else if (Ustrcmp(argrest, "CT") == 0)
2546
/* -M[x]: various operations on the following list of message ids:
2547
-M deliver the messages, ignoring next retry times and thawing
2548
-Mc deliver the messages, checking next retry times, no thawing
2549
-Mf freeze the messages
2550
-Mg give up on the messages
2551
-Mt thaw the messages
2552
-Mrm remove the messages
2553
In the above cases, this must be the last option. There are also the
2554
following options which are followed by a single message id, and which
2555
act on that message. Some of them use the "recipient" addresses as well.
2556
-Mar add recipient(s)
2557
-Mmad mark all recipients delivered
2558
-Mmd mark recipients(s) delivered
2560
-Mset load a message for use with -be
2562
-Mvc show copy (of whole message, in RFC 2822 format)
2567
else if (*argrest == 0)
2569
msg_action = MSG_DELIVER;
2570
forced_delivery = deliver_force_thaw = TRUE;
2572
else if (Ustrcmp(argrest, "ar") == 0)
2574
msg_action = MSG_ADD_RECIPIENT;
2575
one_msg_action = TRUE;
2577
else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2578
else if (Ustrcmp(argrest, "es") == 0)
2580
msg_action = MSG_EDIT_SENDER;
2581
one_msg_action = TRUE;
2583
else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2584
else if (Ustrcmp(argrest, "g") == 0)
2586
msg_action = MSG_DELIVER;
2587
deliver_give_up = TRUE;
2589
else if (Ustrcmp(argrest, "mad") == 0)
2591
msg_action = MSG_MARK_ALL_DELIVERED;
2593
else if (Ustrcmp(argrest, "md") == 0)
2595
msg_action = MSG_MARK_DELIVERED;
2596
one_msg_action = TRUE;
2598
else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2599
else if (Ustrcmp(argrest, "set") == 0)
2601
msg_action = MSG_LOAD;
2602
one_msg_action = TRUE;
2604
else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2605
else if (Ustrcmp(argrest, "vb") == 0)
2607
msg_action = MSG_SHOW_BODY;
2608
one_msg_action = TRUE;
2610
else if (Ustrcmp(argrest, "vc") == 0)
2612
msg_action = MSG_SHOW_COPY;
2613
one_msg_action = TRUE;
2615
else if (Ustrcmp(argrest, "vh") == 0)
2617
msg_action = MSG_SHOW_HEADER;
2618
one_msg_action = TRUE;
2620
else if (Ustrcmp(argrest, "vl") == 0)
2622
msg_action = MSG_SHOW_LOG;
2623
one_msg_action = TRUE;
2625
else { badarg = TRUE; break; }
2627
/* All the -Mxx options require at least one message id. */
2629
msg_action_arg = i + 1;
2630
if (msg_action_arg >= argc)
2632
fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2633
return EXIT_FAILURE;
2636
/* Some require only message ids to follow */
2638
if (!one_msg_action)
2641
for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2643
fprintf(stderr, "exim: malformed message id %s after %s option\n",
2645
return EXIT_FAILURE;
2647
goto END_ARG; /* Remaining args are ids */
2650
/* Others require only one message id, possibly followed by addresses,
2651
which will be handled as normal arguments. */
2655
if (!mac_ismsgid(argv[msg_action_arg]))
2657
fprintf(stderr, "exim: malformed message id %s after %s option\n",
2658
argv[msg_action_arg], arg);
2659
return EXIT_FAILURE;
2666
/* Some programs seem to call the -om option without the leading o;
2667
for sendmail it askes for "me too". Exim always does this. */
2670
if (*argrest != 0) badarg = TRUE;
2674
/* -N: don't do delivery - a debugging option that stops transports doing
2675
their thing. It implies debugging at the D_v level. */
2680
dont_deliver = TRUE;
2681
debug_selector |= D_v;
2682
debug_file = stderr;
2688
/* -n: This means "don't alias" in sendmail, apparently. Just ignore
2694
/* -O: Just ignore it. In sendmail, apparently -O option=value means set
2695
option to the specified value. This form uses long names. We need to handle
2696
-O option=value and -Ooption=value. */
2703
fprintf(stderr, "exim: string expected after -O\n");
2711
/* -oA: Set an argument for the bi command (sendmail's "alternate alias
2714
if (*argrest == 'A')
2716
alias_arg = argrest + 1;
2717
if (alias_arg[0] == 0)
2719
if (i+1 < argc) alias_arg = argv[++i]; else
2721
fprintf(stderr, "exim: string expected after -oA\n");
2727
/* -oB: Set a connection message max value for remote deliveries */
2729
else if (*argrest == 'B')
2731
uschar *p = argrest + 1;
2734
if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2736
connection_max_messages = 1;
2745
fprintf(stderr, "exim: number expected after -oB\n");
2748
connection_max_messages = Uatoi(p);
2752
/* -odb: background delivery */
2754
else if (Ustrcmp(argrest, "db") == 0)
2756
synchronous_delivery = FALSE;
2757
arg_queue_only = FALSE;
2758
queue_only_set = TRUE;
2761
/* -odf: foreground delivery (smail-compatible option); same effect as
2762
-odi: interactive (synchronous) delivery (sendmail-compatible option)
2765
else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2767
synchronous_delivery = TRUE;
2768
arg_queue_only = FALSE;
2769
queue_only_set = TRUE;
2772
/* -odq: queue only */
2774
else if (Ustrcmp(argrest, "dq") == 0)
2776
synchronous_delivery = FALSE;
2777
arg_queue_only = TRUE;
2778
queue_only_set = TRUE;
2781
/* -odqs: queue SMTP only - do local deliveries and remote routing,
2782
but no remote delivery */
2784
else if (Ustrcmp(argrest, "dqs") == 0)
2787
arg_queue_only = FALSE;
2788
queue_only_set = TRUE;
2791
/* -oex: Sendmail error flags. As these are also accepted without the
2792
leading -o prefix, for compatibility with vacation and other callers,
2793
they are handled with -e above. */
2795
/* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2796
-oitrue: Another sendmail syntax for the same */
2798
else if (Ustrcmp(argrest, "i") == 0 ||
2799
Ustrcmp(argrest, "itrue") == 0)
2802
/* -oM*: Set various characteristics for an incoming message; actually
2803
acted on for trusted callers only. */
2805
else if (*argrest == 'M')
2809
fprintf(stderr, "exim: data expected after -o%s\n", argrest);
2813
/* -oMa: Set sender host address */
2815
if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2817
/* -oMaa: Set authenticator name */
2819
else if (Ustrcmp(argrest, "Maa") == 0)
2820
sender_host_authenticated = argv[++i];
2822
/* -oMas: setting authenticated sender */
2824
else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2826
/* -oMai: setting authenticated id */
2828
else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2830
/* -oMi: Set incoming interface address */
2832
else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2834
/* -oMr: Received protocol */
2836
else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
2838
/* -oMs: Set sender host name */
2840
else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
2842
/* -oMt: Set sender ident */
2844
else if (Ustrcmp(argrest, "Mt") == 0)
2846
sender_ident_set = TRUE;
2847
sender_ident = argv[++i];
2850
/* Else a bad argument */
2859
/* -om: Me-too flag for aliases. Exim always does this. Some programs
2860
seem to call this as -m (undocumented), so that is also accepted (see
2863
else if (Ustrcmp(argrest, "m") == 0) {}
2865
/* -oo: An ancient flag for old-style addresses which still seems to
2866
crop up in some calls (see in SCO). */
2868
else if (Ustrcmp(argrest, "o") == 0) {}
2870
/* -oP <name>: set pid file path for daemon */
2872
else if (Ustrcmp(argrest, "P") == 0)
2873
override_pid_file_path = argv[++i];
2875
/* -or <n>: set timeout for non-SMTP acceptance
2876
-os <n>: set timeout for SMTP acceptance */
2878
else if (*argrest == 'r' || *argrest == 's')
2880
int *tp = (*argrest == 'r')?
2881
&arg_receive_timeout : &arg_smtp_receive_timeout;
2882
if (argrest[1] == 0)
2884
if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
2886
else *tp = readconf_readtime(argrest + 1, 0, FALSE);
2889
fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2894
/* -oX <list>: Override local_interfaces and/or default daemon ports */
2896
else if (Ustrcmp(argrest, "X") == 0)
2897
override_local_interfaces = argv[++i];
2899
/* Unknown -o argument */
2905
/* -ps: force Perl startup; -pd force delayed Perl startup */
2909
if (*argrest == 's' && argrest[1] == 0)
2911
perl_start_option = 1;
2914
if (*argrest == 'd' && argrest[1] == 0)
2916
perl_start_option = -1;
2921
/* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
2922
which sets the host protocol and host name */
2926
if (i+1 < argc) argrest = argv[++i]; else
2927
{ badarg = TRUE; break; }
2932
uschar *hn = Ustrchr(argrest, ':');
2935
received_protocol = argrest;
2939
received_protocol = string_copyn(argrest, hn - argrest);
2940
sender_host_name = hn + 1;
2947
receiving_message = FALSE;
2948
if (queue_interval >= 0)
2950
fprintf(stderr, "exim: -q specified more than once\n");
2954
/* -qq...: Do queue runs in a 2-stage manner */
2956
if (*argrest == 'q')
2958
queue_2stage = TRUE;
2962
/* -qi...: Do only first (initial) deliveries */
2964
if (*argrest == 'i')
2966
queue_run_first_delivery = TRUE;
2970
/* -qf...: Run the queue, forcing deliveries
2971
-qff..: Ditto, forcing thawing as well */
2973
if (*argrest == 'f')
2975
queue_run_force = TRUE;
2976
if (*(++argrest) == 'f')
2978
deliver_force_thaw = TRUE;
2983
/* -q[f][f]l...: Run the queue only on local deliveries */
2985
if (*argrest == 'l')
2987
queue_run_local = TRUE;
2991
/* -q[f][f][l]: Run the queue, optionally forced, optionally local only,
2992
optionally starting from a given message id. */
2994
if (*argrest == 0 &&
2995
(i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
2998
if (i+1 < argc && mac_ismsgid(argv[i+1]))
2999
start_queue_run_id = argv[++i];
3000
if (i+1 < argc && mac_ismsgid(argv[i+1]))
3001
stop_queue_run_id = argv[++i];
3004
/* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced,
3005
optionally local only. */
3010
queue_interval = readconf_readtime(argrest, 0, FALSE);
3012
queue_interval = readconf_readtime(argv[++i], 0, FALSE);
3013
if (queue_interval <= 0)
3015
fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3022
case 'R': /* Synonymous with -qR... */
3023
receiving_message = FALSE;
3025
/* -Rf: As -R (below) but force all deliveries,
3026
-Rff: Ditto, but also thaw all frozen messages,
3027
-Rr: String is regex
3028
-Rrf: Regex and force
3029
-Rrff: Regex and force and thaw
3031
in all cases provided there are no further characters in this
3037
for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3039
if (Ustrcmp(argrest, rsopts[i]) == 0)
3041
if (i != 2) queue_run_force = TRUE;
3042
if (i >= 2) deliver_selectstring_regex = TRUE;
3043
if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3044
argrest += Ustrlen(rsopts[i]);
3049
/* -R: Set string to match in addresses for forced queue run to
3050
pick out particular messages. */
3054
if (i+1 < argc) deliver_selectstring = argv[++i]; else
3056
fprintf(stderr, "exim: string expected after -R\n");
3060
else deliver_selectstring = argrest;
3064
/* -r: an obsolete synonym for -f (see above) */
3067
/* -S: Like -R but works on sender. */
3069
case 'S': /* Synonymous with -qS... */
3070
receiving_message = FALSE;
3072
/* -Sf: As -S (below) but force all deliveries,
3073
-Sff: Ditto, but also thaw all frozen messages,
3074
-Sr: String is regex
3075
-Srf: Regex and force
3076
-Srff: Regex and force and thaw
3078
in all cases provided there are no further characters in this
3084
for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3086
if (Ustrcmp(argrest, rsopts[i]) == 0)
3088
if (i != 2) queue_run_force = TRUE;
3089
if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3090
if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3091
argrest += Ustrlen(rsopts[i]);
3096
/* -S: Set string to match in addresses for forced queue run to
3097
pick out particular messages. */
3101
if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else
3103
fprintf(stderr, "exim: string expected after -S\n");
3107
else deliver_selectstring_sender = argrest;
3110
/* -Tqt is an option that is exclusively for use by the testing suite.
3111
It is not recognized in other circumstances. It allows for the setting up
3112
of explicit "queue times" so that various warning/retry things can be
3113
tested. Otherwise variability of clock ticks etc. cause problems. */
3116
if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3117
fudged_queue_times = argv[++i];
3122
/* -t: Set flag to extract recipients from body of message. */
3125
if (*argrest == 0) extract_recipients = TRUE;
3127
/* -ti: Set flag to extract recipients from body of message, and also
3128
specify that dot does not end the message. */
3130
else if (Ustrcmp(argrest, "i") == 0)
3132
extract_recipients = TRUE;
3136
/* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3139
else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
3146
/* -U: This means "initial user submission" in sendmail, apparently. The
3147
doc claims that in future sendmail may refuse syntactically invalid
3148
messages instead of fixing them. For the moment, we just ignore it. */
3154
/* -v: verify things - this is a very low-level debugging */
3159
debug_selector |= D_v;
3160
debug_file = stderr;
3166
/* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3168
The -x flag tells the sendmail command that mail from a local
3169
mail program has National Language Support (NLS) extended characters
3170
in the body of the mail item. The sendmail command can send mail with
3171
extended NLS characters across networks that normally corrupts these
3174
As Exim is 8-bit clean, it just ignores this flag. */
3177
if (*argrest != 0) badarg = TRUE;
3180
/* All other initial characters are errors */
3185
} /* End of high-level switch statement */
3187
/* Failed to recognize the option, or syntax error */
3191
fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3192
"option %s\n", arg);
3198
/* If -R or -S have been specified without -q, assume a single queue run. */
3200
if ((deliver_selectstring != NULL || deliver_selectstring_sender != NULL) &&
3201
queue_interval < 0) queue_interval = 0;
3205
/* If usage_wanted is set we call the usage function - which never returns */
3206
if (usage_wanted) exim_usage(called_as);
3208
/* Arguments have been processed. Check for incompatibilities. */
3210
(smtp_input || extract_recipients || recipients_arg < argc) &&
3211
(daemon_listen || queue_interval >= 0 || bi_option ||
3212
test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3213
filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3216
msg_action_arg > 0 &&
3217
(daemon_listen || queue_interval >= 0 || list_options ||
3218
(checking && msg_action != MSG_LOAD) ||
3219
bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3222
(daemon_listen || queue_interval >= 0) &&
3223
(sender_address != NULL || list_options || list_queue || checking ||
3227
daemon_listen && queue_interval == 0
3231
(checking || smtp_input || extract_recipients ||
3232
filter_test != FTEST_NONE || bi_option)
3235
verify_address_mode &&
3236
(address_test_mode || smtp_input || extract_recipients ||
3237
filter_test != FTEST_NONE || bi_option)
3240
address_test_mode && (smtp_input || extract_recipients ||
3241
filter_test != FTEST_NONE || bi_option)
3244
smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3248
deliver_selectstring != NULL && queue_interval < 0
3251
msg_action == MSG_LOAD &&
3252
(!expansion_test || expansion_test_message != NULL)
3256
fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3260
/* If debugging is set up, set the file and the file descriptor to pass on to
3261
child processes. It should, of course, be 2 for stderr. Also, force the daemon
3262
to run in the foreground. */
3264
if (debug_selector != 0)
3266
debug_file = stderr;
3267
debug_fd = fileno(debug_file);
3268
background_daemon = FALSE;
3269
if (running_in_test_harness) millisleep(100); /* lets caller finish */
3270
if (debug_selector != D_v) /* -v only doesn't show this */
3272
debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3273
version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3275
show_whats_supported(stderr);
3279
/* When started with root privilege, ensure that the limits on the number of
3280
open files and the number of processes (where that is accessible) are
3281
sufficiently large, or are unset, in case Exim has been called from an
3282
environment where the limits are screwed down. Not all OS have the ability to
3283
change some of these limits. */
3287
DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3293
#ifdef RLIMIT_NOFILE
3294
if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3296
log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3298
rlp.rlim_cur = rlp.rlim_max = 0;
3301
/* I originally chose 1000 as a nice big number that was unlikely to
3302
be exceeded. It turns out that some older OS have a fixed upper limit of
3305
if (rlp.rlim_cur < 1000)
3307
rlp.rlim_cur = rlp.rlim_max = 1000;
3308
if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3310
rlp.rlim_cur = rlp.rlim_max = 256;
3311
if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3312
log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3319
if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3321
log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3323
rlp.rlim_cur = rlp.rlim_max = 0;
3326
#ifdef RLIM_INFINITY
3327
if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3329
rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3331
if (rlp.rlim_cur < 1000)
3333
rlp.rlim_cur = rlp.rlim_max = 1000;
3335
if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3336
log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3342
/* Exim is normally entered as root (but some special configurations are
3343
possible that don't do this). However, it always spins off sub-processes that
3344
set their uid and gid as required for local delivery. We don't want to pass on
3345
any extra groups that root may belong to, so we want to get rid of them all at
3348
We need to obey setgroups() at this stage, before possibly giving up root
3349
privilege for a changed configuration file, but later on we might need to
3350
check on the additional groups for the admin user privilege - can't do that
3351
till after reading the config, which might specify the exim gid. Therefore,
3352
save the group list here first. */
3354
group_count = getgroups(NGROUPS_MAX, group_list);
3356
/* There is a fundamental difference in some BSD systems in the matter of
3357
groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3358
known not to be different. On the "different" systems there is a single group
3359
list, and the first entry in it is the current group. On all other versions of
3360
Unix there is a supplementary group list, which is in *addition* to the current
3361
group. Consequently, to get rid of all extraneous groups on a "standard" system
3362
you pass over 0 groups to setgroups(), while on a "different" system you pass
3363
over a single group - the current group, which is always the first group in the
3364
list. Calling setgroups() with zero groups on a "different" system results in
3365
an error return. The following code should cope with both types of system.
3367
However, if this process isn't running as root, setgroups() can't be used
3368
since you have to be root to run it, even if throwing away groups. Not being
3369
root here happens only in some unusual configurations. We just ignore the
3372
if (setgroups(0, NULL) != 0)
3374
if (setgroups(1, group_list) != 0 && !unprivileged)
3376
fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3381
/* If the configuration file name has been altered by an argument on the
3382
command line (either a new file name or a macro definition) and the caller is
3383
not root, or if this is a filter testing run, remove any setuid privilege the
3384
program has and run as the underlying user.
3386
The exim user is locked out of this, which severely restricts the use of -C
3389
Otherwise, set the real ids to the effective values (should be root unless run
3390
from inetd, which it can either be root or the exim uid, if one is configured).
3392
There is a private mechanism for bypassing some of this, in order to make it
3393
possible to test lots of configurations automatically, without having either to
3394
recompile each time, or to patch in an actual configuration file name and other
3395
values (such as the path name). If running in the test harness, pretend that
3396
configuration file changes and macro definitions haven't happened. */
3399
(!trusted_config || /* Config changed, or */
3400
!macros_trusted()) && /* impermissible macros and */
3401
real_uid != root_uid && /* Not root, and */
3402
!running_in_test_harness /* Not fudged */
3404
expansion_test /* expansion testing */
3406
filter_test != FTEST_NONE) /* Filter testing */
3408
setgroups(group_count, group_list);
3409
exim_setugid(real_uid, real_gid, FALSE,
3410
US"-C, -D, -be or -bf forces real uid");
3411
removed_privilege = TRUE;
3413
/* In the normal case when Exim is called like this, stderr is available
3414
and should be used for any logging information because attempts to write
3415
to the log will usually fail. To arrange this, we unset really_exim. However,
3416
if no stderr is available there is no point - we might as well have a go
3417
at the log (if it fails, syslog will be written).
3419
Note that if the invoker is Exim, the logs remain available. Messing with
3420
this causes unlogged successful deliveries. */
3422
if ((log_stderr != NULL) && (real_uid != exim_uid))
3423
really_exim = FALSE;
3426
/* Privilege is to be retained for the moment. It may be dropped later,
3427
depending on the job that this Exim process has been asked to do. For now, set
3428
the real uid to the effective so that subsequent re-execs of Exim are done by a
3431
else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3433
/* If testing a filter, open the file(s) now, before wasting time doing other
3434
setups and reading the message. */
3436
if ((filter_test & FTEST_SYSTEM) != 0)
3438
filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3441
fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3443
return EXIT_FAILURE;
3447
if ((filter_test & FTEST_USER) != 0)
3449
filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3452
fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
3454
return EXIT_FAILURE;
3458
/* Read the main runtime configuration data; this gives up if there
3459
is a failure. It leaves the configuration file open so that the subsequent
3460
configuration data for delivery can be read if needed. */
3464
/* Handle the decoding of logging options. */
3466
decode_bits(&log_write_selector, &log_extra_selector, 0, 0, log_selector_string,
3467
log_options, log_options_count, US"log");
3471
debug_printf("configuration file is %s\n", config_main_filename);
3472
debug_printf("log selectors = %08x %08x\n", log_write_selector,
3473
log_extra_selector);
3476
/* If domain literals are not allowed, check the sender address that was
3477
supplied with -f. Ditto for a stripped trailing dot. */
3479
if (sender_address != NULL)
3481
if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3483
fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3484
"allowed\n", sender_address);
3485
return EXIT_FAILURE;
3487
if (f_end_dot && !strip_trailing_dot)
3489
fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
3490
"(trailing dot not allowed)\n", sender_address);
3491
return EXIT_FAILURE;
3495
/* Paranoia check of maximum lengths of certain strings. There is a check
3496
on the length of the log file path in log.c, which will come into effect
3497
if there are any calls to write the log earlier than this. However, if we
3498
get this far but the string is very long, it is better to stop now than to
3499
carry on and (e.g.) receive a message and then have to collapse. The call to
3500
log_write() from here will cause the ultimate panic collapse if the complete
3501
file name exceeds the buffer length. */
3503
if (Ustrlen(log_file_path) > 200)
3504
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3505
"log_file_path is longer than 200 chars: aborting");
3507
if (Ustrlen(pid_file_path) > 200)
3508
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3509
"pid_file_path is longer than 200 chars: aborting");
3511
if (Ustrlen(spool_directory) > 200)
3512
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3513
"spool_directory is longer than 200 chars: aborting");
3515
/* Length check on the process name given to syslog for its TAG field,
3516
which is only permitted to be 32 characters or less. See RFC 3164. */
3518
if (Ustrlen(syslog_processname) > 32)
3519
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3520
"syslog_processname is longer than 32 chars: aborting");
3522
/* In some operating systems, the environment variable TMPDIR controls where
3523
temporary files are created; Exim doesn't use these (apart from when delivering
3524
to MBX mailboxes), but called libraries such as DBM libraries may require them.
3525
If TMPDIR is found in the environment, reset it to the value defined in the
3526
TMPDIR macro, if this macro is defined. */
3531
for (p = USS environ; *p != NULL; p++)
3533
if (Ustrncmp(*p, "TMPDIR=", 7) == 0 &&
3534
Ustrcmp(*p+7, TMPDIR) != 0)
3536
uschar *newp = malloc(Ustrlen(TMPDIR) + 8);
3537
sprintf(CS newp, "TMPDIR=%s", TMPDIR);
3539
DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR);
3545
/* Timezone handling. If timezone_string is "utc", set a flag to cause all
3546
timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3547
we may need to get rid of a bogus timezone setting. This can arise when Exim is
3548
called by a user who has set the TZ variable. This then affects the timestamps
3549
in log files and in Received: headers, and any created Date: header lines. The
3550
required timezone is settable in the configuration file, so nothing can be done
3551
about this earlier - but hopefully nothing will normally be logged earlier than
3552
this. We have to make a new environment if TZ is wrong, but don't bother if
3553
timestamps_utc is set, because then all times are in UTC anyway. */
3555
if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0)
3557
timestamps_utc = TRUE;
3561
uschar *envtz = US getenv("TZ");
3562
if ((envtz == NULL && timezone_string != NULL) ||
3564
(timezone_string == NULL ||
3565
Ustrcmp(timezone_string, envtz) != 0)))
3567
uschar **p = USS environ;
3571
while (*p++ != NULL) count++;
3572
if (envtz == NULL) count++;
3573
newp = new = malloc(sizeof(uschar *) * (count + 1));
3574
for (p = USS environ; *p != NULL; p++)
3576
if (Ustrncmp(*p, "TZ=", 3) == 0) continue;
3579
if (timezone_string != NULL)
3581
*newp = malloc(Ustrlen(timezone_string) + 4);
3582
sprintf(CS *newp++, "TZ=%s", timezone_string);
3587
DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3588
tod_stamp(tod_log));
3592
/* Handle the case when we have removed the setuid privilege because of -C or
3593
-D. This means that the caller of Exim was not root.
3595
There is a problem if we were running as the Exim user. The sysadmin may
3596
expect this case to retain privilege because "the binary was called by the
3597
Exim user", but it hasn't, because either the -D option set macros, or the
3598
-C option set a non-trusted configuration file. There are two possibilities:
3600
(1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3601
to do message deliveries. Thus, the fact that it is running as a
3602
non-privileged user is plausible, and might be wanted in some special
3603
configurations. However, really_exim will have been set false when
3604
privilege was dropped, to stop Exim trying to write to its normal log
3605
files. Therefore, re-enable normal log processing, assuming the sysadmin
3606
has set up the log directory correctly.
3608
(2) If deliver_drop_privilege is not set, the configuration won't work as
3609
apparently intended, and so we log a panic message. In order to retain
3610
root for -C or -D, the caller must either be root or be invoking a
3611
trusted configuration file (when deliver_drop_privilege is false). */
3613
if (removed_privilege && (!trusted_config || macros != NULL) &&
3614
real_uid == exim_uid)
3616
if (deliver_drop_privilege)
3617
really_exim = TRUE; /* let logging work normally */
3619
log_write(0, LOG_MAIN|LOG_PANIC,
3620
"exim user lost privilege for using %s option",
3621
trusted_config? "-D" : "-C");
3624
/* Start up Perl interpreter if Perl support is configured and there is a
3625
perl_startup option, and the configuration or the command line specifies
3626
initializing starting. Note that the global variables are actually called
3627
opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3630
if (perl_start_option != 0)
3631
opt_perl_at_start = (perl_start_option > 0);
3632
if (opt_perl_at_start && opt_perl_startup != NULL)
3635
DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3636
errstr = init_perl(opt_perl_startup);
3639
fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr);
3640
return EXIT_FAILURE;
3642
opt_perl_started = TRUE;
3644
#endif /* EXIM_PERL */
3646
/* Log the arguments of the call if the configuration file said so. This is
3647
a debugging feature for finding out what arguments certain MUAs actually use.
3648
Don't attempt it if logging is disabled, or if listing variables or if
3649
verifying/testing addresses or expansions. */
3651
if (((debug_selector & D_any) != 0 || (log_extra_selector & LX_arguments) != 0)
3652
&& really_exim && !list_options && !checking)
3655
uschar *p = big_buffer;
3657
(void)getcwd(CS p+4, big_buffer_size - 4);
3659
(void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3661
for (i = 0; i < argc; i++)
3663
int len = Ustrlen(argv[i]);
3666
if (p + len + 8 >= big_buffer + big_buffer_size)
3669
log_write(0, LOG_MAIN, "%s", big_buffer);
3670
Ustrcpy(big_buffer, "...");
3673
printing = string_printing(argv[i]);
3674
if (printing[0] == 0) quote = US"\""; else
3676
uschar *pp = printing;
3678
while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3680
sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3681
(p - big_buffer) - 4), printing, quote);
3685
if ((log_extra_selector & LX_arguments) != 0)
3686
log_write(0, LOG_MAIN, "%s", big_buffer);
3688
debug_printf("%s\n", big_buffer);
3691
/* Set the working directory to be the top-level spool directory. We don't rely
3692
on this in the code, which always uses fully qualified names, but it's useful
3693
for core dumps etc. Don't complain if it fails - the spool directory might not
3694
be generally accessible and calls with the -C option (and others) have lost
3695
privilege by now. Before the chdir, we try to ensure that the directory exists.
3698
if (Uchdir(spool_directory) != 0)
3700
(void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
3701
(void)Uchdir(spool_directory);
3704
/* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3705
alias file. Exim doesn't have such a concept, but this call is screwed into
3706
Sun's YP makefiles. Handle this by calling a configured script, as the real
3707
user who called Exim. The -oA option can be used to pass an argument to the
3712
(void)fclose(config_file);
3713
if (bi_command != NULL)
3717
argv[i++] = bi_command;
3718
if (alias_arg != NULL) argv[i++] = alias_arg;
3721
setgroups(group_count, group_list);
3722
exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
3724
DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
3725
(argv[1] == NULL)? US"" : argv[1]);
3727
execv(CS argv[0], (char *const *)argv);
3728
fprintf(stderr, "exim: exec failed: %s\n", strerror(errno));
3733
DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
3738
/* If an action on specific messages is requested, or if a daemon or queue
3739
runner is being started, we need to know if Exim was called by an admin user.
3740
This is the case if the real user is root or exim, or if the real group is
3741
exim, or if one of the supplementary groups is exim or a group listed in
3742
admin_groups. We don't fail all message actions immediately if not admin_user,
3743
since some actions can be performed by non-admin users. Instead, set admin_user
3744
for later interrogation. */
3746
if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3751
for (i = 0; i < group_count; i++)
3753
if (group_list[i] == exim_gid) admin_user = TRUE;
3754
else if (admin_groups != NULL)
3756
for (j = 1; j <= (int)(admin_groups[0]); j++)
3757
if (admin_groups[j] == group_list[i])
3758
{ admin_user = TRUE; break; }
3760
if (admin_user) break;
3764
/* Another group of privileged users are the trusted users. These are root,
3765
exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3766
are permitted to specify sender_addresses with -f on the command line, and
3767
other message parameters as well. */
3769
if (real_uid == root_uid || real_uid == exim_uid)
3770
trusted_caller = TRUE;
3775
if (trusted_users != NULL)
3777
for (i = 1; i <= (int)(trusted_users[0]); i++)
3778
if (trusted_users[i] == real_uid)
3779
{ trusted_caller = TRUE; break; }
3782
if (!trusted_caller && trusted_groups != NULL)
3784
for (i = 1; i <= (int)(trusted_groups[0]); i++)
3786
if (trusted_groups[i] == real_gid)
3787
trusted_caller = TRUE;
3788
else for (j = 0; j < group_count; j++)
3790
if (trusted_groups[i] == group_list[j])
3791
{ trusted_caller = TRUE; break; }
3793
if (trusted_caller) break;
3798
if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
3799
if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
3801
/* Only an admin user may start the daemon or force a queue run in the default
3802
configuration, but the queue run restriction can be relaxed. Only an admin
3803
user may request that a message be returned to its sender forthwith. Only an
3804
admin user may specify a debug level greater than D_v (because it might show
3805
passwords, etc. in lookup queries). Only an admin user may request a queue
3810
BOOL debugset = (debug_selector & ~D_v) != 0;
3811
if (deliver_give_up || daemon_listen ||
3812
(count_queue && queue_list_requires_admin) ||
3813
(list_queue && queue_list_requires_admin) ||
3814
(queue_interval >= 0 && prod_requires_admin) ||
3815
(debugset && !running_in_test_harness))
3817
fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : "");
3822
/* If the real user is not root or the exim uid, the argument for passing
3823
in an open TCP/IP connection for another message is not permitted, nor is
3824
running with the -N option for any delivery action, unless this call to exim is
3825
one that supplied an input message, or we are using a patched exim for
3826
regression testing. */
3828
if (real_uid != root_uid && real_uid != exim_uid &&
3829
(continue_hostname != NULL ||
3831
(queue_interval >= 0 || daemon_listen || msg_action_arg > 0)
3832
)) && !running_in_test_harness)
3834
fprintf(stderr, "exim: Permission denied\n");
3835
return EXIT_FAILURE;
3838
/* If the caller is not trusted, certain arguments are ignored when running for
3839
real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
3840
Note that authority for performing certain actions on messages is tested in the
3841
queue_action() function. */
3843
if (!trusted_caller && !checking && filter_test == FTEST_NONE)
3845
sender_host_name = sender_host_address = interface_address =
3846
sender_ident = received_protocol = NULL;
3847
sender_host_port = interface_port = 0;
3848
sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
3851
/* If a sender host address is set, extract the optional port number off the
3852
end of it and check its syntax. Do the same thing for the interface address.
3853
Exim exits if the syntax is bad. */
3857
if (sender_host_address != NULL)
3858
sender_host_port = check_port(sender_host_address);
3859
if (interface_address != NULL)
3860
interface_port = check_port(interface_address);
3863
/* If an SMTP message is being received check to see if the standard input is a
3864
TCP/IP socket. If it is, we assume that Exim was called from inetd if the
3865
caller is root or the Exim user, or if the port is a privileged one. Otherwise,
3870
union sockaddr_46 inetd_sock;
3871
EXIM_SOCKLEN_T size = sizeof(inetd_sock);
3872
if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
3874
int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
3875
if (family == AF_INET || family == AF_INET6)
3877
union sockaddr_46 interface_sock;
3878
size = sizeof(interface_sock);
3880
if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0)
3881
interface_address = host_ntoa(-1, &interface_sock, NULL,
3884
if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
3886
if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
3889
sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
3890
NULL, &sender_host_port);
3891
if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
3892
"inetd is not supported when mua_wrapper is set");
3897
"exim: Permission denied (unprivileged user, unprivileged port)\n");
3898
return EXIT_FAILURE;
3904
/* If the load average is going to be needed while receiving a message, get it
3905
now for those OS that require the first call to os_getloadavg() to be done as
3906
root. There will be further calls later for each message received. */
3908
#ifdef LOAD_AVG_NEEDS_ROOT
3909
if (receiving_message &&
3910
(queue_only_load >= 0 ||
3911
(is_inetd && smtp_load_reserve >= 0)
3914
load_average = OS_GETLOADAVG();
3918
/* The queue_only configuration option can be overridden by -odx on the command
3919
line, except that if queue_only_override is false, queue_only cannot be unset
3920
from the command line. */
3922
if (queue_only_set && (queue_only_override || arg_queue_only))
3923
queue_only = arg_queue_only;
3925
/* The receive_timeout and smtp_receive_timeout options can be overridden by
3928
if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout;
3929
if (arg_smtp_receive_timeout >= 0)
3930
smtp_receive_timeout = arg_smtp_receive_timeout;
3932
/* If Exim was started with root privilege, unless we have already removed the
3933
root privilege above as a result of -C, -D, -be, -bf or -bF, remove it now
3934
except when starting the daemon or doing some kind of delivery or address
3935
testing (-bt). These are the only cases when root need to be retained. We run
3936
as exim for -bv and -bh. However, if deliver_drop_privilege is set, root is
3937
retained only for starting the daemon. We always do the initgroups() in this
3938
situation (controlled by the TRUE below), in order to be as close as possible
3939
to the state Exim usually runs in. */
3941
if (!unprivileged && /* originally had root AND */
3942
!removed_privilege && /* still got root AND */
3943
!daemon_listen && /* not starting the daemon */
3944
queue_interval <= 0 && /* (either kind of daemon) */
3946
deliver_drop_privilege || /* requested unprivileged */
3948
queue_interval < 0 && /* not running the queue */
3949
(msg_action_arg < 0 || /* and */
3950
msg_action != MSG_DELIVER) && /* not delivering and */
3951
(!checking || !address_test_mode) /* not address checking */
3955
exim_setugid(exim_uid, exim_gid, TRUE, US"privilege not needed");
3958
/* When we are retaining a privileged uid, we still change to the exim gid. */
3960
else setgid(exim_gid);
3962
/* Handle a request to list the delivery queue */
3966
set_process_info("listing the queue");
3967
queue_list(list_queue_option, argv + recipients_arg, argc - recipients_arg);
3971
/* Handle a request to count the delivery queue */
3975
set_process_info("counting the queue");
3980
/* Handle actions on specific messages, except for the force delivery and
3981
message load actions, which are done below. Some actions take a whole list of
3982
message ids, which are known to continue up to the end of the arguments. Others
3983
take a single message id and then operate on the recipients list. */
3985
if (msg_action_arg > 0 && msg_action != MSG_DELIVER && msg_action != MSG_LOAD)
3987
int yield = EXIT_SUCCESS;
3988
set_process_info("acting on specified messages");
3990
if (!one_msg_action)
3992
for (i = msg_action_arg; i < argc; i++)
3993
if (!queue_action(argv[i], msg_action, NULL, 0, 0))
3994
yield = EXIT_FAILURE;
3997
else if (!queue_action(argv[msg_action_arg], msg_action, argv, argc,
3998
recipients_arg)) yield = EXIT_FAILURE;
4002
/* All the modes below here require the remaining configuration sections
4003
to be read, except that we can skip over the ACL setting when delivering
4004
specific messages, or doing a queue run. (For various testing cases we could
4005
skip too, but as they are rare, it doesn't really matter.) The argument is TRUE
4008
readconf_rest(msg_action_arg > 0 || (queue_interval == 0 && !daemon_listen));
4010
/* The configuration data will have been read into POOL_PERM because we won't
4011
ever want to reset back past it. Change the current pool to POOL_MAIN. In fact,
4012
this is just a bit of pedantic tidiness. It wouldn't really matter if the
4013
configuration were read into POOL_MAIN, because we don't do any resets till
4014
later on. However, it seems right, and it does ensure that both pools get used.
4017
store_pool = POOL_MAIN;
4019
/* Handle the -brt option. This is for checking out retry configurations.
4020
The next three arguments are a domain name or a complete address, and
4021
optionally two error numbers. All it does is to call the function that
4022
scans the retry configuration data. */
4024
if (test_retry_arg >= 0)
4026
retry_config *yield;
4027
int basic_errno = 0;
4031
if (test_retry_arg >= argc)
4033
printf("-brt needs a domain or address argument\n");
4034
exim_exit(EXIT_FAILURE);
4036
s1 = argv[test_retry_arg++];
4039
/* If the first argument contains no @ and no . it might be a local user
4040
or it might be a single-component name. Treat as a domain. */
4042
if (Ustrchr(s1, '@') == NULL && Ustrchr(s1, '.') == NULL)
4044
printf("Warning: \"%s\" contains no '@' and no '.' characters. It is "
4045
"being \ntreated as a one-component domain, not as a local part.\n\n",
4049
/* There may be an optional second domain arg. */
4051
if (test_retry_arg < argc && Ustrchr(argv[test_retry_arg], '.') != NULL)
4052
s2 = argv[test_retry_arg++];
4054
/* The final arg is an error name */
4056
if (test_retry_arg < argc)
4058
uschar *ss = argv[test_retry_arg];
4060
readconf_retry_error(ss, ss + Ustrlen(ss), &basic_errno, &more_errno);
4063
printf("%s\n", CS error);
4064
return EXIT_FAILURE;
4067
/* For the {MAIL,RCPT,DATA}_4xx errors, a value of 255 means "any", and a
4068
code > 100 as an error is for matching codes to the decade. Turn them into
4069
a real error code, off the decade. */
4071
if (basic_errno == ERRNO_MAIL4XX ||
4072
basic_errno == ERRNO_RCPT4XX ||
4073
basic_errno == ERRNO_DATA4XX)
4075
int code = (more_errno >> 8) & 255;
4077
more_errno = (more_errno & 0xffff00ff) | (21 << 8);
4078
else if (code > 100)
4079
more_errno = (more_errno & 0xffff00ff) | ((code - 96) << 8);
4083
yield = retry_find_config(s1, s2, basic_errno, more_errno);
4084
if (yield == NULL) printf("No retry information found\n"); else
4087
more_errno = yield->more_errno;
4088
printf("Retry rule: %s ", yield->pattern);
4090
if (yield->basic_errno == ERRNO_EXIMQUOTA)
4092
printf("quota%s%s ",
4093
(more_errno > 0)? "_" : "",
4094
(more_errno > 0)? readconf_printtime(more_errno) : US"");
4096
else if (yield->basic_errno == ECONNREFUSED)
4098
printf("refused%s%s ",
4099
(more_errno > 0)? "_" : "",
4100
(more_errno == 'M')? "MX" :
4101
(more_errno == 'A')? "A" : "");
4103
else if (yield->basic_errno == ETIMEDOUT)
4106
if ((more_errno & RTEF_CTOUT) != 0) printf("_connect");
4108
if (more_errno != 0) printf("_%s",
4109
(more_errno == 'M')? "MX" : "A");
4112
else if (yield->basic_errno == ERRNO_AUTHFAIL)
4113
printf("auth_failed ");
4116
for (r = yield->rules; r != NULL; r = r->next)
4118
printf("%c,%s", r->rule, readconf_printtime(r->timeout)); /* Do not */
4119
printf(",%s", readconf_printtime(r->p1)); /* amalgamate */
4125
printf(",%d.", x/1000);
4139
exim_exit(EXIT_SUCCESS);
4142
/* Handle a request to list one or more configuration options */
4146
set_process_info("listing variables");
4147
if (recipients_arg >= argc) readconf_print(US"all", NULL);
4148
else for (i = recipients_arg; i < argc; i++)
4151
(Ustrcmp(argv[i], "router") == 0 ||
4152
Ustrcmp(argv[i], "transport") == 0 ||
4153
Ustrcmp(argv[i], "authenticator") == 0 ||
4154
Ustrcmp(argv[i], "macro") == 0))
4156
readconf_print(argv[i+1], argv[i]);
4159
else readconf_print(argv[i], NULL);
4161
exim_exit(EXIT_SUCCESS);
4165
/* Handle a request to deliver one or more messages that are already on the
4166
queue. Values of msg_action other than MSG_DELIVER and MSG_LOAD are dealt with
4167
above. MSG_LOAD is handled with -be (which is the only time it applies) below.
4169
Delivery of specific messages is typically used for a small number when
4170
prodding by hand (when the option forced_delivery will be set) or when
4171
re-execing to regain root privilege. Each message delivery must happen in a
4172
separate process, so we fork a process for each one, and run them sequentially
4173
so that debugging output doesn't get intertwined, and to avoid spawning too
4174
many processes if a long list is given. However, don't fork for the last one;
4175
this saves a process in the common case when Exim is called to deliver just one
4178
if (msg_action_arg > 0 && msg_action != MSG_LOAD)
4180
if (prod_requires_admin && !admin_user)
4182
fprintf(stderr, "exim: Permission denied\n");
4183
exim_exit(EXIT_FAILURE);
4185
set_process_info("delivering specified messages");
4186
if (deliver_give_up) forced_delivery = deliver_force_thaw = TRUE;
4187
for (i = msg_action_arg; i < argc; i++)
4192
(void)deliver_message(argv[i], forced_delivery, deliver_give_up);
4193
else if ((pid = fork()) == 0)
4195
(void)deliver_message(argv[i], forced_delivery, deliver_give_up);
4196
_exit(EXIT_SUCCESS);
4200
fprintf(stderr, "failed to fork delivery process for %s: %s\n", argv[i],
4202
exim_exit(EXIT_FAILURE);
4206
exim_exit(EXIT_SUCCESS);
4210
/* If only a single queue run is requested, without SMTP listening, we can just
4211
turn into a queue runner, with an optional starting message id. */
4213
if (queue_interval == 0 && !daemon_listen)
4215
DEBUG(D_queue_run) debug_printf("Single queue run%s%s%s%s\n",
4216
(start_queue_run_id == NULL)? US"" : US" starting at ",
4217
(start_queue_run_id == NULL)? US"" : start_queue_run_id,
4218
(stop_queue_run_id == NULL)? US"" : US" stopping at ",
4219
(stop_queue_run_id == NULL)? US"" : stop_queue_run_id);
4220
set_process_info("running the queue (single queue run)");
4221
queue_run(start_queue_run_id, stop_queue_run_id, FALSE);
4222
exim_exit(EXIT_SUCCESS);
4226
/* Find the login name of the real user running this process. This is always
4227
needed when receiving a message, because it is written into the spool file. It
4228
may also be used to construct a from: or a sender: header, and in this case we
4229
need the user's full name as well, so save a copy of it, checked for RFC822
4230
syntax and munged if necessary, if it hasn't previously been set by the -F
4231
argument. We may try to get the passwd entry more than once, in case NIS or
4232
other delays are in evidence. Save the home directory for use in filter testing
4237
if ((pw = getpwuid(real_uid)) != NULL)
4239
originator_login = string_copy(US pw->pw_name);
4240
originator_home = string_copy(US pw->pw_dir);
4242
/* If user name has not been set by -F, set it from the passwd entry
4243
unless -f has been used to set the sender address by a trusted user. */
4245
if (originator_name == NULL)
4247
if (sender_address == NULL ||
4248
(!trusted_caller && filter_test == FTEST_NONE))
4250
uschar *name = US pw->pw_gecos;
4251
uschar *amp = Ustrchr(name, '&');
4254
/* Most Unix specify that a '&' character in the gecos field is
4255
replaced by a copy of the login name, and some even specify that
4256
the first character should be upper cased, so that's what we do. */
4261
string_format(buffer, sizeof(buffer), "%.*s%n%s%s",
4262
amp - name, name, &loffset, originator_login, amp + 1);
4263
buffer[loffset] = toupper(buffer[loffset]);
4267
/* If a pattern for matching the gecos field was supplied, apply
4268
it and then expand the name string. */
4270
if (gecos_pattern != NULL && gecos_name != NULL)
4273
re = regex_must_compile(gecos_pattern, FALSE, TRUE); /* Use malloc */
4275
if (regex_match_and_setup(re, name, 0, -1))
4277
uschar *new_name = expand_string(gecos_name);
4279
if (new_name != NULL)
4281
DEBUG(D_receive) debug_printf("user name \"%s\" extracted from "
4282
"gecos field \"%s\"\n", new_name, name);
4285
else DEBUG(D_receive) debug_printf("failed to expand gecos_name string "
4286
"\"%s\": %s\n", gecos_name, expand_string_message);
4288
else DEBUG(D_receive) debug_printf("gecos_pattern \"%s\" did not match "
4289
"gecos field \"%s\"\n", gecos_pattern, name);
4290
store_free((void *)re);
4292
originator_name = string_copy(name);
4295
/* A trusted caller has used -f but not -F */
4297
else originator_name = US"";
4300
/* Break the retry loop */
4305
if (++i > finduser_retries) break;
4309
/* If we cannot get a user login, log the incident and give up, unless the
4310
configuration specifies something to use. When running in the test harness,
4311
any setting of unknown_login overrides the actual name. */
4313
if (originator_login == NULL || running_in_test_harness)
4315
if (unknown_login != NULL)
4317
originator_login = expand_string(unknown_login);
4318
if (originator_name == NULL && unknown_username != NULL)
4319
originator_name = expand_string(unknown_username);
4320
if (originator_name == NULL) originator_name = US"";
4322
if (originator_login == NULL)
4323
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to get user name for uid %d",
4327
/* Ensure that the user name is in a suitable form for use as a "phrase" in an
4330
originator_name = string_copy(parse_fix_phrase(originator_name,
4331
Ustrlen(originator_name), big_buffer, big_buffer_size));
4333
/* If a message is created by this call of Exim, the uid/gid of its originator
4334
are those of the caller. These values are overridden if an existing message is
4335
read in from the spool. */
4337
originator_uid = real_uid;
4338
originator_gid = real_gid;
4340
DEBUG(D_receive) debug_printf("originator: uid=%d gid=%d login=%s name=%s\n",
4341
(int)originator_uid, (int)originator_gid, originator_login, originator_name);
4343
/* Run in daemon and/or queue-running mode. The function daemon_go() never
4344
returns. We leave this till here so that the originator_ fields are available
4345
for incoming messages via the daemon. The daemon cannot be run in mua_wrapper
4348
if (daemon_listen || queue_interval > 0)
4352
fprintf(stderr, "Daemon cannot be run when mua_wrapper is set\n");
4353
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Daemon cannot be run when "
4354
"mua_wrapper is set");
4359
/* If the sender ident has not been set (by a trusted caller) set it to
4360
the caller. This will get overwritten below for an inetd call. If a trusted
4361
caller has set it empty, unset it. */
4363
if (sender_ident == NULL) sender_ident = originator_login;
4364
else if (sender_ident[0] == 0) sender_ident = NULL;
4366
/* Handle the -brw option, which is for checking out rewriting rules. Cause log
4367
writes (on errors) to go to stderr instead. Can't do this earlier, as want the
4368
originator_* variables set. */
4370
if (test_rewrite_arg >= 0)
4372
really_exim = FALSE;
4373
if (test_rewrite_arg >= argc)
4375
printf("-brw needs an address argument\n");
4376
exim_exit(EXIT_FAILURE);
4378
rewrite_test(argv[test_rewrite_arg]);
4379
exim_exit(EXIT_SUCCESS);
4382
/* A locally-supplied message is considered to be coming from a local user
4383
unless a trusted caller supplies a sender address with -f, or is passing in the
4384
message via SMTP (inetd invocation or otherwise). */
4386
if ((sender_address == NULL && !smtp_input) ||
4387
(!trusted_caller && filter_test == FTEST_NONE))
4389
sender_local = TRUE;
4391
/* A trusted caller can supply authenticated_sender and authenticated_id
4392
via -oMas and -oMai and if so, they will already be set. Otherwise, force
4393
defaults except when host checking. */
4395
if (authenticated_sender == NULL && !host_checking)
4396
authenticated_sender = string_sprintf("%s@%s", originator_login,
4397
qualify_domain_sender);
4398
if (authenticated_id == NULL && !host_checking)
4399
authenticated_id = originator_login;
4402
/* Trusted callers are always permitted to specify the sender address.
4403
Untrusted callers may specify it if it matches untrusted_set_sender, or if what
4404
is specified is the empty address. However, if a trusted caller does not
4405
specify a sender address for SMTP input, we leave sender_address unset. This
4406
causes the MAIL commands to be honoured. */
4408
if ((!smtp_input && sender_address == NULL) ||
4409
!receive_check_set_sender(sender_address))
4411
/* Either the caller is not permitted to set a general sender, or this is
4412
non-SMTP input and the trusted caller has not set a sender. If there is no
4413
sender, or if a sender other than <> is set, override with the originator's
4414
login (which will get qualified below), except when checking things. */
4416
if (sender_address == NULL /* No sender_address set */
4418
(sender_address[0] != 0 && /* Non-empty sender address, AND */
4419
!checking && /* Not running tests, AND */
4420
filter_test == FTEST_NONE)) /* Not testing a filter */
4422
sender_address = originator_login;
4423
sender_address_forced = FALSE;
4424
sender_address_domain = 0;
4428
/* Remember whether an untrusted caller set the sender address */
4430
sender_set_untrusted = sender_address != originator_login && !trusted_caller;
4432
/* Ensure that the sender address is fully qualified unless it is the empty
4433
address, which indicates an error message, or doesn't exist (root caller, smtp
4434
interface, no -f argument). */
4436
if (sender_address != NULL && sender_address[0] != 0 &&
4437
sender_address_domain == 0)
4438
sender_address = string_sprintf("%s@%s", local_part_quote(sender_address),
4439
qualify_domain_sender);
4441
DEBUG(D_receive) debug_printf("sender address = %s\n", sender_address);
4443
/* Handle a request to verify a list of addresses, or test them for delivery.
4444
This must follow the setting of the sender address, since routers can be
4445
predicated upon the sender. If no arguments are given, read addresses from
4446
stdin. Set debug_level to at least D_v to get full output for address testing.
4449
if (verify_address_mode || address_test_mode)
4452
int flags = vopt_qualify;
4454
if (verify_address_mode)
4456
if (!verify_as_sender) flags |= vopt_is_recipient;
4457
DEBUG(D_verify) debug_print_ids(US"Verifying:");
4462
flags |= vopt_is_recipient;
4463
debug_selector |= D_v;
4464
debug_file = stderr;
4465
debug_fd = fileno(debug_file);
4466
DEBUG(D_verify) debug_print_ids(US"Address testing:");
4469
if (recipients_arg < argc)
4471
while (recipients_arg < argc)
4473
uschar *s = argv[recipients_arg++];
4476
BOOL finished = FALSE;
4477
uschar *ss = parse_find_address_end(s, FALSE);
4478
if (*ss == ',') *ss = 0; else finished = TRUE;
4479
test_address(s, flags, &exit_value);
4482
while (*(++s) != 0 && (*s == ',' || isspace(*s)));
4489
uschar *s = get_stdinput(NULL, NULL);
4490
if (s == NULL) break;
4491
test_address(s, flags, &exit_value);
4495
exim_exit(exit_value);
4498
/* Handle expansion checking. Either expand items on the command line, or read
4499
from stdin if there aren't any. If -Mset was specified, load the message so
4500
that its variables can be used, but restrict this facility to admin users.
4501
Otherwise, if -bem was used, read a message from stdin. */
4505
if (msg_action_arg > 0 && msg_action == MSG_LOAD)
4507
uschar spoolname[256]; /* Not big_buffer; used in spool_read_header() */
4510
fprintf(stderr, "exim: permission denied\n");
4513
message_id = argv[msg_action_arg];
4514
(void)string_format(spoolname, sizeof(spoolname), "%s-H", message_id);
4515
if (!spool_open_datafile(message_id))
4516
printf ("Failed to load message datafile %s\n", message_id);
4517
if (spool_read_header(spoolname, TRUE, FALSE) != spool_read_OK)
4518
printf ("Failed to load message %s\n", message_id);
4521
/* Read a test message from a file. We fudge it up to be on stdin, saving
4522
stdin itself for later reading of expansion strings. */
4524
else if (expansion_test_message != NULL)
4526
int save_stdin = dup(0);
4527
int fd = Uopen(expansion_test_message, O_RDONLY, 0);
4530
fprintf(stderr, "exim: failed to open %s: %s\n", expansion_test_message,
4532
return EXIT_FAILURE;
4535
filter_test = FTEST_USER; /* Fudge to make it look like filter test */
4536
message_ended = END_NOTENDED;
4537
read_message_body(receive_msg(extract_recipients));
4538
message_linecount += body_linecount;
4539
(void)dup2(save_stdin, 0);
4540
(void)close(save_stdin);
4541
clearerr(stdin); /* Required by Darwin */
4544
/* Allow $recipients for this testing */
4546
enable_dollar_recipients = TRUE;
4548
/* Expand command line items */
4550
if (recipients_arg < argc)
4552
while (recipients_arg < argc)
4554
uschar *s = argv[recipients_arg++];
4555
uschar *ss = expand_string(s);
4556
if (ss == NULL) printf ("Failed: %s\n", expand_string_message);
4557
else printf("%s\n", CS ss);
4565
char *(*fn_readline)(char *) = NULL;
4566
char *(*fn_addhist)(char *) = NULL;
4569
void *dlhandle = set_readline(&fn_readline, &fn_addhist);
4575
uschar *source = get_stdinput(fn_readline, fn_addhist);
4576
if (source == NULL) break;
4577
ss = expand_string(source);
4579
printf ("Failed: %s\n", expand_string_message);
4580
else printf("%s\n", CS ss);
4584
if (dlhandle != NULL) dlclose(dlhandle);
4588
/* The data file will be open after -Mset */
4590
if (deliver_datafile >= 0)
4592
(void)close(deliver_datafile);
4593
deliver_datafile = -1;
4596
exim_exit(EXIT_SUCCESS);
4600
/* The active host name is normally the primary host name, but it can be varied
4601
for hosts that want to play several parts at once. We need to ensure that it is
4602
set for host checking, and for receiving messages. */
4604
smtp_active_hostname = primary_hostname;
4605
if (raw_active_hostname != NULL)
4607
uschar *nah = expand_string(raw_active_hostname);
4610
if (!expand_string_forcedfail)
4611
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand \"%s\" "
4612
"(smtp_active_hostname): %s", raw_active_hostname,
4613
expand_string_message);
4615
else if (nah[0] != 0) smtp_active_hostname = nah;
4618
/* Handle host checking: this facility mocks up an incoming SMTP call from a
4619
given IP address so that the blocking and relay configuration can be tested.
4620
Unless a sender_ident was set by -oMt, we discard it (the default is the
4621
caller's login name). An RFC 1413 call is made only if we are running in the
4622
test harness and an incoming interface and both ports are specified, because
4623
there is no TCP/IP call to find the ident for. */
4630
if (!sender_ident_set)
4632
sender_ident = NULL;
4633
if (running_in_test_harness && sender_host_port != 0 &&
4634
interface_address != NULL && interface_port != 0)
4635
verify_get_ident(1413);
4638
/* In case the given address is a non-canonical IPv6 address, canonicize
4639
it. The code works for both IPv4 and IPv6, as it happens. */
4641
size = host_aton(sender_host_address, x);
4642
sender_host_address = store_get(48); /* large enough for full IPv6 */
4643
(void)host_nmtoa(size, x, -1, sender_host_address, ':');
4645
/* Now set up for testing */
4647
host_build_sender_fullhost();
4651
sender_local = FALSE;
4652
sender_host_notsocket = TRUE;
4653
debug_file = stderr;
4654
debug_fd = fileno(debug_file);
4655
fprintf(stdout, "\n**** SMTP testing session as if from host %s\n"
4656
"**** but without any ident (RFC 1413) callback.\n"
4657
"**** This is not for real!\n\n",
4658
sender_host_address);
4660
if (verify_check_host(&hosts_connection_nolog) == OK)
4661
log_write_selector &= ~L_smtp_connection;
4662
log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info());
4664
/* NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
4665
because a log line has already been written for all its failure exists
4666
(usually "connection refused: <reason>") and writing another one is
4667
unnecessary clutter. */
4669
if (smtp_start_session())
4671
reset_point = store_get(0);
4674
store_reset(reset_point);
4675
if (smtp_setup_msg() <= 0) break;
4676
if (!receive_msg(FALSE)) break;
4680
exim_exit(EXIT_SUCCESS);
4684
/* Arrange for message reception if recipients or SMTP were specified;
4685
otherwise complain unless a version print (-bV) happened or this is a filter
4686
verification test. In the former case, show the configuration file name. */
4688
if (recipients_arg >= argc && !extract_recipients && !smtp_input)
4690
if (version_printed)
4692
printf("Configuration file is %s\n", config_main_filename);
4693
return EXIT_SUCCESS;
4696
if (filter_test == FTEST_NONE)
4697
exim_usage(called_as);
4701
/* If mua_wrapper is set, Exim is being used to turn an MUA that submits on the
4702
standard input into an MUA that submits to a smarthost over TCP/IP. We know
4703
that we are not called from inetd, because that is rejected above. The
4704
following configuration settings are forced here:
4706
(1) Synchronous delivery (-odi)
4707
(2) Errors to stderr (-oep == -oeq)
4708
(3) No parallel remote delivery
4709
(4) Unprivileged delivery
4711
We don't force overall queueing options because there are several of them;
4712
instead, queueing is avoided below when mua_wrapper is set. However, we do need
4713
to override any SMTP queueing. */
4717
synchronous_delivery = TRUE;
4718
arg_error_handling = ERRORS_STDERR;
4719
remote_max_parallel = 1;
4720
deliver_drop_privilege = TRUE;
4722
queue_smtp_domains = NULL;
4726
/* Prepare to accept one or more new messages on the standard input. When a
4727
message has been read, its id is returned in message_id[]. If doing immediate
4728
delivery, we fork a delivery process for each received message, except for the
4729
last one, where we can save a process switch.
4731
It is only in non-smtp mode that error_handling is allowed to be changed from
4732
its default of ERRORS_SENDER by argument. (Idle thought: are any of the
4733
sendmail error modes other than -oem ever actually used? Later: yes.) */
4735
if (!smtp_input) error_handling = arg_error_handling;
4737
/* If this is an inetd call, ensure that stderr is closed to prevent panic
4738
logging being sent down the socket and make an identd call to get the
4743
(void)fclose(stderr);
4744
exim_nullstd(); /* Re-open to /dev/null */
4745
verify_get_ident(IDENT_PORT);
4746
host_build_sender_fullhost();
4747
set_process_info("handling incoming connection from %s via inetd",
4751
/* If the sender host address has been set, build sender_fullhost if it hasn't
4752
already been done (which it will have been for inetd). This caters for the
4753
case when it is forced by -oMa. However, we must flag that it isn't a socket,
4754
so that the test for IP options is skipped for -bs input. */
4756
if (sender_host_address != NULL && sender_fullhost == NULL)
4758
host_build_sender_fullhost();
4759
set_process_info("handling incoming connection from %s via -oMa",
4761
sender_host_notsocket = TRUE;
4764
/* Otherwise, set the sender host as unknown except for inetd calls. This
4765
prevents host checking in the case of -bs not from inetd and also for -bS. */
4767
else if (!is_inetd) sender_host_unknown = TRUE;
4769
/* If stdout does not exist, then dup stdin to stdout. This can happen
4770
if exim is started from inetd. In this case fd 0 will be set to the socket,
4771
but fd 1 will not be set. This also happens for passed SMTP channels. */
4773
if (fstat(1, &statbuf) < 0) (void)dup2(0, 1);
4775
/* Set up the incoming protocol name and the state of the program. Root is
4776
allowed to force received protocol via the -oMr option above. If we have come
4777
via inetd, the process info has already been set up. We don't set
4778
received_protocol here for smtp input, as it varies according to
4779
batch/HELO/EHLO/AUTH/TLS. */
4783
if (!is_inetd) set_process_info("accepting a local %sSMTP message from <%s>",
4784
smtp_batched_input? "batched " : "",
4785
(sender_address!= NULL)? sender_address : originator_login);
4789
if (received_protocol == NULL)
4790
received_protocol = string_sprintf("local%s", called_as);
4791
set_process_info("accepting a local non-SMTP message from <%s>",
4795
/* Initialize the session_local_queue-only flag (this will be ignored if
4796
mua_wrapper is set) */
4799
session_local_queue_only = queue_only;
4801
/* For non-SMTP and for batched SMTP input, check that there is enough space on
4802
the spool if so configured. On failure, we must not attempt to send an error
4803
message! (For interactive SMTP, the check happens at MAIL FROM and an SMTP
4804
error code is given.) */
4806
if ((!smtp_input || smtp_batched_input) && !receive_check_fs(0))
4808
fprintf(stderr, "exim: insufficient disk space\n");
4809
return EXIT_FAILURE;
4812
/* If this is smtp input of any kind, real or batched, handle the start of the
4815
NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
4816
because a log line has already been written for all its failure exists
4817
(usually "connection refused: <reason>") and writing another one is
4818
unnecessary clutter. */
4824
if (verify_check_host(&hosts_connection_nolog) == OK)
4825
log_write_selector &= ~L_smtp_connection;
4826
log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info());
4827
if (!smtp_start_session())
4830
exim_exit(EXIT_SUCCESS);
4834
/* Otherwise, set up the input size limit here. */
4838
thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
4839
if (expand_string_message != NULL)
4841
if (thismessage_size_limit == -1)
4842
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand "
4843
"message_size_limit: %s", expand_string_message);
4845
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "invalid value for "
4846
"message_size_limit: %s", expand_string_message);
4850
/* Loop for several messages when reading SMTP input. If we fork any child
4851
processes, we don't want to wait for them unless synchronous delivery is
4852
requested, so set SIGCHLD to SIG_IGN in that case. This is not necessarily the
4853
same as SIG_DFL, despite the fact that documentation often lists the default as
4854
"ignore". This is a confusing area. This is what I know:
4856
At least on some systems (e.g. Solaris), just setting SIG_IGN causes child
4857
processes that complete simply to go away without ever becoming defunct. You
4858
can't then wait for them - but we don't want to wait for them in the
4859
non-synchronous delivery case. However, this behaviour of SIG_IGN doesn't
4860
happen for all OS (e.g. *BSD is different).
4862
But that's not the end of the story. Some (many? all?) systems have the
4863
SA_NOCLDWAIT option for sigaction(). This requests the behaviour that Solaris
4864
has by default, so it seems that the difference is merely one of default
4865
(compare restarting vs non-restarting signals).
4867
To cover all cases, Exim sets SIG_IGN with SA_NOCLDWAIT here if it can. If not,
4868
it just sets SIG_IGN. To be on the safe side it also calls waitpid() at the end
4869
of the loop below. Paranoia rules.
4871
February 2003: That's *still* not the end of the story. There are now versions
4872
of Linux (where SIG_IGN does work) that are picky. If, having set SIG_IGN, a
4873
process then calls waitpid(), a grumble is written to the system log, because
4874
this is logically inconsistent. In other words, it doesn't like the paranoia.
4875
As a consequenc of this, the waitpid() below is now excluded if we are sure
4876
that SIG_IGN works. */
4878
if (!synchronous_delivery)
4881
struct sigaction act;
4882
act.sa_handler = SIG_IGN;
4883
sigemptyset(&(act.sa_mask));
4884
act.sa_flags = SA_NOCLDWAIT;
4885
sigaction(SIGCHLD, &act, NULL);
4887
signal(SIGCHLD, SIG_IGN);
4891
/* Save the current store pool point, for resetting at the start of
4892
each message, and save the real sender address, if any. */
4894
reset_point = store_get(0);
4895
real_sender_address = sender_address;
4897
/* Loop to receive messages; receive_msg() returns TRUE if there are more
4898
messages to be read (SMTP input), or FALSE otherwise (not SMTP, or SMTP channel
4903
store_reset(reset_point);
4906
/* Handle the SMTP case; call smtp_setup_mst() to deal with the initial SMTP
4907
input and build the recipients list, before calling receive_msg() to read the
4908
message proper. Whatever sender address is given in the SMTP transaction is
4909
often ignored for local senders - we use the actual sender, which is normally
4910
either the underlying user running this process or a -f argument provided by
4911
a trusted caller. It is saved in real_sender_address. The test for whether to
4912
accept the SMTP sender is encapsulated in receive_check_set_sender(). */
4917
if ((rc = smtp_setup_msg()) > 0)
4919
if (real_sender_address != NULL &&
4920
!receive_check_set_sender(sender_address))
4922
sender_address = raw_sender = real_sender_address;
4923
sender_address_unrewritten = NULL;
4926
/* For batched SMTP, we have to run the acl_not_smtp_start ACL, since it
4927
isn't really SMTP, so no other ACL will run until the acl_not_smtp one at
4928
the very end. The result of the ACL is ignored (as for other non-SMTP
4929
messages). It is run for its potential side effects. */
4931
if (smtp_batched_input && acl_not_smtp_start != NULL)
4933
uschar *user_msg, *log_msg;
4934
enable_dollar_recipients = TRUE;
4935
(void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
4936
&user_msg, &log_msg);
4937
enable_dollar_recipients = FALSE;
4940
/* Now get the data for the message */
4942
more = receive_msg(extract_recipients);
4943
if (message_id[0] == 0)
4946
smtp_log_no_mail(); /* Log no mail if configured */
4947
exim_exit(EXIT_FAILURE);
4952
smtp_log_no_mail(); /* Log no mail if configured */
4953
exim_exit((rc == 0)? EXIT_SUCCESS : EXIT_FAILURE);
4957
/* In the non-SMTP case, we have all the information from the command
4958
line, but must process it in case it is in the more general RFC822
4959
format, and in any case, to detect syntax errors. Also, it appears that
4960
the use of comma-separated lists as single arguments is common, so we
4961
had better support them. */
4967
int count = argc - recipients_arg;
4968
uschar **list = argv + recipients_arg;
4970
/* These options cannot be changed dynamically for non-SMTP messages */
4972
active_local_sender_retain = local_sender_retain;
4973
active_local_from_check = local_from_check;
4975
/* Save before any rewriting */
4977
raw_sender = string_copy(sender_address);
4979
/* Loop for each argument */
4981
for (i = 0; i < count; i++)
4983
int start, end, domain;
4985
uschar *s = list[i];
4987
/* Loop for each comma-separated address */
4991
BOOL finished = FALSE;
4993
uschar *ss = parse_find_address_end(s, FALSE);
4995
if (*ss == ',') *ss = 0; else finished = TRUE;
4997
/* Check max recipients - if -t was used, these aren't recipients */
4999
if (recipients_max > 0 && ++rcount > recipients_max &&
5000
!extract_recipients)
5002
if (error_handling == ERRORS_STDERR)
5004
fprintf(stderr, "exim: too many recipients\n");
5005
exim_exit(EXIT_FAILURE);
5010
moan_to_sender(ERRMESS_TOOMANYRECIP, NULL, NULL, stdin, TRUE)?
5011
errors_sender_rc : EXIT_FAILURE;
5016
parse_extract_address(s, &errmess, &start, &end, &domain, FALSE);
5018
if (domain == 0 && !allow_unqualified_recipient)
5021
errmess = US"unqualified recipient address not allowed";
5024
if (recipient == NULL)
5026
if (error_handling == ERRORS_STDERR)
5028
fprintf(stderr, "exim: bad recipient address \"%s\": %s\n",
5029
string_printing(list[i]), errmess);
5030
exim_exit(EXIT_FAILURE);
5036
eblock.text1 = string_printing(list[i]);
5037
eblock.text2 = errmess;
5039
moan_to_sender(ERRMESS_BADARGADDRESS, &eblock, NULL, stdin, TRUE)?
5040
errors_sender_rc : EXIT_FAILURE;
5044
receive_add_recipient(recipient, -1);
5047
while (*(++s) != 0 && (*s == ',' || isspace(*s)));
5051
/* Show the recipients when debugging */
5056
if (sender_address != NULL) debug_printf("Sender: %s\n", sender_address);
5057
if (recipients_list != NULL)
5059
debug_printf("Recipients:\n");
5060
for (i = 0; i < recipients_count; i++)
5061
debug_printf(" %s\n", recipients_list[i].address);
5065
/* Run the acl_not_smtp_start ACL if required. The result of the ACL is
5066
ignored; rejecting here would just add complication, and it can just as
5067
well be done later. Allow $recipients to be visible in the ACL. */
5069
if (acl_not_smtp_start != NULL)
5071
uschar *user_msg, *log_msg;
5072
enable_dollar_recipients = TRUE;
5073
(void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
5074
&user_msg, &log_msg);
5075
enable_dollar_recipients = FALSE;
5078
/* Read the data for the message. If filter_test is not FTEST_NONE, this
5079
will just read the headers for the message, and not write anything onto the
5082
message_ended = END_NOTENDED;
5083
more = receive_msg(extract_recipients);
5085
/* more is always FALSE here (not SMTP message) when reading a message
5086
for real; when reading the headers of a message for filter testing,
5087
it is TRUE if the headers were terminated by '.' and FALSE otherwise. */
5089
if (message_id[0] == 0) exim_exit(EXIT_FAILURE);
5090
} /* Non-SMTP message reception */
5092
/* If this is a filter testing run, there are headers in store, but
5093
no message on the spool. Run the filtering code in testing mode, setting
5094
the domain to the qualify domain and the local part to the current user,
5095
unless they have been set by options. The prefix and suffix are left unset
5096
unless specified. The the return path is set to to the sender unless it has
5097
already been set from a return-path header in the message. */
5099
if (filter_test != FTEST_NONE)
5101
deliver_domain = (ftest_domain != NULL)?
5102
ftest_domain : qualify_domain_recipient;
5103
deliver_domain_orig = deliver_domain;
5104
deliver_localpart = (ftest_localpart != NULL)?
5105
ftest_localpart : originator_login;
5106
deliver_localpart_orig = deliver_localpart;
5107
deliver_localpart_prefix = ftest_prefix;
5108
deliver_localpart_suffix = ftest_suffix;
5109
deliver_home = originator_home;
5111
if (return_path == NULL)
5113
printf("Return-path copied from sender\n");
5114
return_path = string_copy(sender_address);
5118
printf("Return-path = %s\n", (return_path[0] == 0)? US"<>" : return_path);
5120
printf("Sender = %s\n", (sender_address[0] == 0)? US"<>" : sender_address);
5122
receive_add_recipient(
5123
string_sprintf("%s%s%s@%s",
5124
(ftest_prefix == NULL)? US"" : ftest_prefix,
5126
(ftest_suffix == NULL)? US"" : ftest_suffix,
5127
deliver_domain), -1);
5129
printf("Recipient = %s\n", recipients_list[0].address);
5130
if (ftest_prefix != NULL) printf("Prefix = %s\n", ftest_prefix);
5131
if (ftest_suffix != NULL) printf("Suffix = %s\n", ftest_suffix);
5133
(void)chdir("/"); /* Get away from wherever the user is running this from */
5135
/* Now we run either a system filter test, or a user filter test, or both.
5136
In the latter case, headers added by the system filter will persist and be
5137
available to the user filter. We need to copy the filter variables
5140
if ((filter_test & FTEST_SYSTEM) != 0)
5142
if (!filter_runtest(filter_sfd, filter_test_sfile, TRUE, more))
5143
exim_exit(EXIT_FAILURE);
5146
memcpy(filter_sn, filter_n, sizeof(filter_sn));
5148
if ((filter_test & FTEST_USER) != 0)
5150
if (!filter_runtest(filter_ufd, filter_test_ufile, FALSE, more))
5151
exim_exit(EXIT_FAILURE);
5154
exim_exit(EXIT_SUCCESS);
5157
/* Else act on the result of message reception. We should not get here unless
5158
message_id[0] is non-zero. If queue_only is set, session_local_queue_only
5159
will be TRUE. If it is not, check on the number of messages received in this
5162
if (!session_local_queue_only &&
5163
smtp_accept_queue_per_connection > 0 &&
5164
receive_messagecount > smtp_accept_queue_per_connection)
5166
session_local_queue_only = TRUE;
5167
queue_only_reason = 2;
5170
/* Initialize local_queue_only from session_local_queue_only. If it is false,
5171
and queue_only_load is set, check that the load average is below it. If it is
5172
not, set local_queue_only TRUE. If queue_only_load_latch is true (the
5173
default), we put the whole session into queue_only mode. It then remains this
5174
way for any subsequent messages on the same SMTP connection. This is a
5175
deliberate choice; even though the load average may fall, it doesn't seem
5176
right to deliver later messages on the same call when not delivering earlier
5177
ones. However, there are odd cases where this is not wanted, so this can be
5178
changed by setting queue_only_load_latch false. */
5180
local_queue_only = session_local_queue_only;
5181
if (!local_queue_only && queue_only_load >= 0)
5183
local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load;
5184
if (local_queue_only)
5186
queue_only_reason = 3;
5187
if (queue_only_load_latch) session_local_queue_only = TRUE;
5191
/* If running as an MUA wrapper, all queueing options and freezing options
5195
local_queue_only = queue_only_policy = deliver_freeze = FALSE;
5197
/* Log the queueing here, when it will get a message id attached, but
5198
not if queue_only is set (case 0). Case 1 doesn't happen here (too many
5201
if (local_queue_only) switch(queue_only_reason)
5204
log_write(L_delay_delivery,
5205
LOG_MAIN, "no immediate delivery: more than %d messages "
5206
"received in one connection", smtp_accept_queue_per_connection);
5210
log_write(L_delay_delivery,
5211
LOG_MAIN, "no immediate delivery: load average %.2f",
5212
(double)load_average/1000.0);
5216
/* Else do the delivery unless the ACL or local_scan() called for queue only
5217
or froze the message. Always deliver in a separate process. A fork failure is
5218
not a disaster, as the delivery will eventually happen on a subsequent queue
5219
run. The search cache must be tidied before the fork, as the parent will
5220
do it before exiting. The child will trigger a lookup failure and
5221
thereby defer the delivery if it tries to use (for example) a cached ldap
5222
connection that the parent has called unbind on. */
5224
else if (!queue_only_policy && !deliver_freeze)
5229
if ((pid = fork()) == 0)
5232
close_unwanted(); /* Close unwanted file descriptors and TLS */
5233
exim_nullstd(); /* Ensure std{in,out,err} exist */
5235
/* Re-exec Exim if we need to regain privilege (note: in mua_wrapper
5236
mode, deliver_drop_privilege is forced TRUE). */
5238
if (geteuid() != root_uid && !deliver_drop_privilege && !unprivileged)
5240
(void)child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 2, US"-Mc",
5242
/* Control does not return here. */
5245
/* No need to re-exec */
5247
rc = deliver_message(message_id, FALSE, FALSE);
5249
_exit((!mua_wrapper || rc == DELIVER_MUA_SUCCEEDED)?
5250
EXIT_SUCCESS : EXIT_FAILURE);
5255
log_write(0, LOG_MAIN|LOG_PANIC, "failed to fork automatic delivery "
5256
"process: %s", strerror(errno));
5259
/* In the parent, wait if synchronous delivery is required. This will
5260
always be the case in MUA wrapper mode. */
5262
else if (synchronous_delivery)
5265
while (wait(&status) != pid);
5266
if ((status & 0x00ff) != 0)
5267
log_write(0, LOG_MAIN|LOG_PANIC,
5268
"process %d crashed with signal %d while delivering %s",
5269
(int)pid, status & 0x00ff, message_id);
5270
if (mua_wrapper && (status & 0xffff) != 0) exim_exit(EXIT_FAILURE);
5274
/* The loop will repeat if more is TRUE. If we do not know know that the OS
5275
automatically reaps children (see comments above the loop), clear away any
5276
finished subprocesses here, in case there are lots of messages coming in
5277
from the same source. */
5279
#ifndef SIG_IGN_WORKS
5280
while (waitpid(-1, NULL, WNOHANG) > 0);
5284
exim_exit(EXIT_SUCCESS); /* Never returns */
5285
return 0; /* To stop compiler warning */