Commit | Line | Data |
---|---|---|
1a46a8c5 | 1 | /* $Cambridge: exim/src/src/exim.c,v 1.17 2005/03/22 14:11:54 ph10 Exp $ */ |
059ec3d9 PH |
2 | |
3 | /************************************************* | |
4 | * Exim - an Internet mail transport agent * | |
5 | *************************************************/ | |
6 | ||
c988f1f4 | 7 | /* Copyright (c) University of Cambridge 1995 - 2005 */ |
059ec3d9 PH |
8 | /* See the file NOTICE for conditions of use and distribution. */ |
9 | ||
10 | ||
11 | /* The main function: entry point, initialization, and high-level control. | |
12 | Also a few functions that don't naturally fit elsewhere. */ | |
13 | ||
14 | ||
15 | #include "exim.h" | |
16 | ||
17 | ||
18 | ||
19 | /************************************************* | |
20 | * Function interface to store functions * | |
21 | *************************************************/ | |
22 | ||
23 | /* We need some real functions to pass to the PCRE regular expression library | |
24 | for store allocation via Exim's store manager. The normal calls are actually | |
25 | macros that pass over location information to make tracing easier. These | |
26 | functions just interface to the standard macro calls. A good compiler will | |
27 | optimize out the tail recursion and so not make them too expensive. There | |
28 | are two sets of functions; one for use when we want to retain the compiled | |
29 | regular expression for a long time; the other for short-term use. */ | |
30 | ||
31 | static void * | |
32 | function_store_get(size_t size) | |
33 | { | |
34 | return store_get((int)size); | |
35 | } | |
36 | ||
37 | static void | |
38 | function_dummy_free(void *block) { block = block; } | |
39 | ||
40 | static void * | |
41 | function_store_malloc(size_t size) | |
42 | { | |
43 | return store_malloc((int)size); | |
44 | } | |
45 | ||
46 | static void | |
47 | function_store_free(void *block) | |
48 | { | |
49 | store_free(block); | |
50 | } | |
51 | ||
52 | ||
53 | ||
54 | ||
55 | /************************************************* | |
56 | * Compile regular expression and panic on fail * | |
57 | *************************************************/ | |
58 | ||
59 | /* This function is called when failure to compile a regular expression leads | |
60 | to a panic exit. In other cases, pcre_compile() is called directly. In many | |
61 | cases where this function is used, the results of the compilation are to be | |
62 | placed in long-lived store, so we temporarily reset the store management | |
63 | functions that PCRE uses if the use_malloc flag is set. | |
64 | ||
65 | Argument: | |
66 | pattern the pattern to compile | |
67 | caseless TRUE if caseless matching is required | |
68 | use_malloc TRUE if compile into malloc store | |
69 | ||
70 | Returns: pointer to the compiled pattern | |
71 | */ | |
72 | ||
73 | const pcre * | |
74 | regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc) | |
75 | { | |
76 | int offset; | |
77 | int options = PCRE_COPT; | |
78 | const pcre *yield; | |
79 | const uschar *error; | |
80 | if (use_malloc) | |
81 | { | |
82 | pcre_malloc = function_store_malloc; | |
83 | pcre_free = function_store_free; | |
84 | } | |
85 | if (caseless) options |= PCRE_CASELESS; | |
86 | yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL); | |
87 | pcre_malloc = function_store_get; | |
88 | pcre_free = function_dummy_free; | |
89 | if (yield == NULL) | |
90 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: " | |
91 | "%s at offset %d while compiling %s", error, offset, pattern); | |
92 | return yield; | |
93 | } | |
94 | ||
95 | ||
96 | ||
97 | ||
98 | /************************************************* | |
99 | * Execute regular expression and set strings * | |
100 | *************************************************/ | |
101 | ||
102 | /* This function runs a regular expression match, and sets up the pointers to | |
103 | the matched substrings. | |
104 | ||
105 | Arguments: | |
106 | re the compiled expression | |
107 | subject the subject string | |
108 | options additional PCRE options | |
109 | setup if < 0 do full setup | |
110 | if >= 0 setup from setup+1 onwards, | |
111 | excluding the full matched string | |
112 | ||
113 | Returns: TRUE or FALSE | |
114 | */ | |
115 | ||
116 | BOOL | |
117 | regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup) | |
118 | { | |
119 | int ovector[3*(EXPAND_MAXN+1)]; | |
120 | int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0, | |
121 | PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int)); | |
122 | BOOL yield = n >= 0; | |
123 | if (n == 0) n = EXPAND_MAXN + 1; | |
124 | if (yield) | |
125 | { | |
126 | int nn; | |
127 | expand_nmax = (setup < 0)? 0 : setup + 1; | |
128 | for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2) | |
129 | { | |
130 | expand_nstring[expand_nmax] = subject + ovector[nn]; | |
131 | expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn]; | |
132 | } | |
133 | expand_nmax--; | |
134 | } | |
135 | return yield; | |
136 | } | |
137 | ||
138 | ||
139 | ||
140 | ||
141 | /************************************************* | |
142 | * Handler for SIGUSR1 * | |
143 | *************************************************/ | |
144 | ||
145 | /* SIGUSR1 causes any exim process to write to the process log details of | |
146 | what it is currently doing. It will only be used if the OS is capable of | |
147 | setting up a handler that causes automatic restarting of any system call | |
148 | that is in progress at the time. | |
149 | ||
150 | Argument: the signal number (SIGUSR1) | |
151 | Returns: nothing | |
152 | */ | |
153 | ||
154 | static void | |
155 | usr1_handler(int sig) | |
156 | { | |
157 | sig = sig; /* Keep picky compilers happy */ | |
158 | log_write(0, LOG_PROCESS, "%s", process_info); | |
159 | log_close_all(); | |
160 | os_restarting_signal(SIGUSR1, usr1_handler); | |
161 | } | |
162 | ||
163 | ||
164 | ||
165 | /************************************************* | |
166 | * Timeout handler * | |
167 | *************************************************/ | |
168 | ||
169 | /* This handler is enabled most of the time that Exim is running. The handler | |
170 | doesn't actually get used unless alarm() has been called to set a timer, to | |
171 | place a time limit on a system call of some kind. When the handler is run, it | |
172 | re-enables itself. | |
173 | ||
174 | There are some other SIGALRM handlers that are used in special cases when more | |
175 | than just a flag setting is required; for example, when reading a message's | |
176 | input. These are normally set up in the code module that uses them, and the | |
177 | SIGALRM handler is reset to this one afterwards. | |
178 | ||
179 | Argument: the signal value (SIGALRM) | |
180 | Returns: nothing | |
181 | */ | |
182 | ||
183 | void | |
184 | sigalrm_handler(int sig) | |
185 | { | |
186 | sig = sig; /* Keep picky compilers happy */ | |
187 | sigalrm_seen = TRUE; | |
188 | os_non_restarting_signal(SIGALRM, sigalrm_handler); | |
189 | } | |
190 | ||
191 | ||
192 | ||
193 | /************************************************* | |
194 | * Sleep for a fractional time interval * | |
195 | *************************************************/ | |
196 | ||
197 | /* This function is called by millisleep() and exim_wait_tick() to wait for a | |
198 | period of time that may include a fraction of a second. The coding is somewhat | |
eb2c0248 PH |
199 | tedious. We do not expect setitimer() ever to fail, but if it does, the process |
200 | will wait for ever, so we panic in this instance. (There was a case of this | |
201 | when a bug in a function that calls milliwait() caused it to pass invalid data. | |
7086e875 | 202 | That's when I added the check. :-) |
059ec3d9 PH |
203 | |
204 | Argument: an itimerval structure containing the interval | |
205 | Returns: nothing | |
206 | */ | |
207 | ||
208 | static void | |
209 | milliwait(struct itimerval *itval) | |
210 | { | |
211 | sigset_t sigmask; | |
212 | sigset_t old_sigmask; | |
213 | (void)sigemptyset(&sigmask); /* Empty mask */ | |
214 | (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */ | |
215 | (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */ | |
7086e875 | 216 | if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */ |
eb2c0248 PH |
217 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, |
218 | "setitimer() failed: %s", strerror(errno)); | |
059ec3d9 PH |
219 | (void)sigfillset(&sigmask); /* All signals */ |
220 | (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */ | |
221 | (void)sigsuspend(&sigmask); /* Until SIGALRM */ | |
222 | (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */ | |
223 | } | |
224 | ||
225 | ||
226 | ||
227 | ||
228 | /************************************************* | |
229 | * Millisecond sleep function * | |
230 | *************************************************/ | |
231 | ||
232 | /* The basic sleep() function has a granularity of 1 second, which is too rough | |
233 | in some cases - for example, when using an increasing delay to slow down | |
234 | spammers. | |
235 | ||
236 | Argument: number of millseconds | |
237 | Returns: nothing | |
238 | */ | |
239 | ||
240 | void | |
241 | millisleep(int msec) | |
242 | { | |
243 | struct itimerval itval; | |
244 | itval.it_interval.tv_sec = 0; | |
245 | itval.it_interval.tv_usec = 0; | |
246 | itval.it_value.tv_sec = msec/1000; | |
247 | itval.it_value.tv_usec = (msec % 1000) * 1000; | |
248 | milliwait(&itval); | |
249 | } | |
250 | ||
251 | ||
252 | ||
253 | /************************************************* | |
254 | * Compare microsecond times * | |
255 | *************************************************/ | |
256 | ||
257 | /* | |
258 | Arguments: | |
259 | tv1 the first time | |
260 | tv2 the second time | |
261 | ||
262 | Returns: -1, 0, or +1 | |
263 | */ | |
264 | ||
265 | int | |
266 | exim_tvcmp(struct timeval *t1, struct timeval *t2) | |
267 | { | |
268 | if (t1->tv_sec > t2->tv_sec) return +1; | |
269 | if (t1->tv_sec < t2->tv_sec) return -1; | |
270 | if (t1->tv_usec > t2->tv_usec) return +1; | |
271 | if (t1->tv_usec < t2->tv_usec) return -1; | |
272 | return 0; | |
273 | } | |
274 | ||
275 | ||
276 | ||
277 | ||
278 | /************************************************* | |
279 | * Clock tick wait function * | |
280 | *************************************************/ | |
281 | ||
282 | /* Exim uses a time + a pid to generate a unique identifier in two places: its | |
283 | message IDs, and in file names for maildir deliveries. Because some OS now | |
284 | re-use pids within the same second, sub-second times are now being used. | |
285 | However, for absolute certaintly, we must ensure the clock has ticked before | |
286 | allowing the relevant process to complete. At the time of implementation of | |
287 | this code (February 2003), the speed of processors is such that the clock will | |
288 | invariably have ticked already by the time a process has done its job. This | |
289 | function prepares for the time when things are faster - and it also copes with | |
290 | clocks that go backwards. | |
291 | ||
292 | Arguments: | |
293 | then_tv A timeval which was used to create uniqueness; its usec field | |
294 | has been rounded down to the value of the resolution. | |
295 | We want to be sure the current time is greater than this. | |
296 | resolution The resolution that was used to divide the microseconds | |
297 | (1 for maildir, larger for message ids) | |
298 | ||
299 | Returns: nothing | |
300 | */ | |
301 | ||
302 | void | |
303 | exim_wait_tick(struct timeval *then_tv, int resolution) | |
304 | { | |
305 | struct timeval now_tv; | |
306 | long int now_true_usec; | |
307 | ||
308 | (void)gettimeofday(&now_tv, NULL); | |
309 | now_true_usec = now_tv.tv_usec; | |
310 | now_tv.tv_usec = (now_true_usec/resolution) * resolution; | |
311 | ||
312 | if (exim_tvcmp(&now_tv, then_tv) <= 0) | |
313 | { | |
314 | struct itimerval itval; | |
315 | itval.it_interval.tv_sec = 0; | |
316 | itval.it_interval.tv_usec = 0; | |
317 | itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec; | |
318 | itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec; | |
319 | ||
320 | /* We know that, overall, "now" is less than or equal to "then". Therefore, a | |
321 | negative value for the microseconds is possible only in the case when "now" | |
322 | is more than a second less than "then". That means that itval.it_value.tv_sec | |
323 | is greater than zero. The following correction is therefore safe. */ | |
324 | ||
325 | if (itval.it_value.tv_usec < 0) | |
326 | { | |
327 | itval.it_value.tv_usec += 1000000; | |
328 | itval.it_value.tv_sec -= 1; | |
329 | } | |
330 | ||
331 | DEBUG(D_transport|D_receive) | |
332 | { | |
333 | if (!running_in_test_harness) | |
334 | { | |
335 | debug_printf("tick check: %lu.%06lu %lu.%06lu\n", | |
336 | then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec); | |
337 | debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec, | |
338 | itval.it_value.tv_usec); | |
339 | } | |
340 | } | |
341 | ||
342 | milliwait(&itval); | |
343 | } | |
344 | } | |
345 | ||
346 | ||
347 | ||
348 | ||
349 | /************************************************* | |
350 | * Set up processing details * | |
351 | *************************************************/ | |
352 | ||
353 | /* Save a text string for dumping when SIGUSR1 is received. | |
354 | Do checks for overruns. | |
355 | ||
356 | Arguments: format and arguments, as for printf() | |
357 | Returns: nothing | |
358 | */ | |
359 | ||
360 | void | |
361 | set_process_info(char *format, ...) | |
362 | { | |
363 | int len; | |
364 | va_list ap; | |
365 | sprintf(CS process_info, "%5d ", (int)getpid()); | |
366 | len = Ustrlen(process_info); | |
367 | va_start(ap, format); | |
368 | if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len, format, ap)) | |
369 | Ustrcpy(process_info + len, "**** string overflowed buffer ****"); | |
370 | DEBUG(D_process_info) debug_printf("set_process_info: %s\n", process_info); | |
371 | va_end(ap); | |
372 | } | |
373 | ||
374 | ||
375 | ||
376 | ||
377 | ||
378 | /************************************************* | |
379 | * Ensure stdin, stdout, and stderr exist * | |
380 | *************************************************/ | |
381 | ||
382 | /* Some operating systems grumble if an exec() happens without a standard | |
383 | input, output, and error (fds 0, 1, 2) being defined. The worry is that some | |
384 | file will be opened and will use these fd values, and then some other bit of | |
385 | code will assume, for example, that it can write error messages to stderr. | |
386 | This function ensures that fds 0, 1, and 2 are open if they do not already | |
387 | exist, by connecting them to /dev/null. | |
388 | ||
389 | This function is also used to ensure that std{in,out,err} exist at all times, | |
390 | so that if any library that Exim calls tries to use them, it doesn't crash. | |
391 | ||
392 | Arguments: None | |
393 | Returns: Nothing | |
394 | */ | |
395 | ||
396 | void | |
397 | exim_nullstd(void) | |
398 | { | |
399 | int i; | |
400 | int devnull = -1; | |
401 | struct stat statbuf; | |
402 | for (i = 0; i <= 2; i++) | |
403 | { | |
404 | if (fstat(i, &statbuf) < 0 && errno == EBADF) | |
405 | { | |
406 | if (devnull < 0) devnull = open("/dev/null", O_RDWR); | |
407 | if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", | |
408 | string_open_failed(errno, "/dev/null")); | |
409 | if (devnull != i) dup2(devnull, i); | |
410 | } | |
411 | } | |
412 | if (devnull > 2) close(devnull); | |
413 | } | |
414 | ||
415 | ||
416 | ||
417 | ||
418 | /************************************************* | |
419 | * Close unwanted file descriptors for delivery * | |
420 | *************************************************/ | |
421 | ||
422 | /* This function is called from a new process that has been forked to deliver | |
423 | an incoming message, either directly, or using exec. | |
424 | ||
425 | We want any smtp input streams to be closed in this new process. However, it | |
426 | has been observed that using fclose() here causes trouble. When reading in -bS | |
427 | input, duplicate copies of messages have been seen. The files will be sharing a | |
428 | file pointer with the parent process, and it seems that fclose() (at least on | |
429 | some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at | |
430 | least sometimes. Hence we go for closing the underlying file descriptors. | |
431 | ||
432 | If TLS is active, we want to shut down the TLS library, but without molesting | |
433 | the parent's SSL connection. | |
434 | ||
435 | For delivery of a non-SMTP message, we want to close stdin and stdout (and | |
436 | stderr unless debugging) because the calling process might have set them up as | |
437 | pipes and be waiting for them to close before it waits for the submission | |
438 | process to terminate. If they aren't closed, they hold up the calling process | |
439 | until the initial delivery process finishes, which is not what we want. | |
440 | ||
441 | Exception: We do want it for synchronous delivery! | |
442 | ||
443 | And notwithstanding all the above, if D_resolver is set, implying resolver | |
444 | debugging, leave stdout open, because that's where the resolver writes its | |
445 | debugging output. | |
446 | ||
447 | When we close stderr (which implies we've also closed stdout), we also get rid | |
448 | of any controlling terminal. | |
449 | ||
450 | Arguments: None | |
451 | Returns: Nothing | |
452 | */ | |
453 | ||
454 | static void | |
455 | close_unwanted(void) | |
456 | { | |
457 | if (smtp_input) | |
458 | { | |
459 | #ifdef SUPPORT_TLS | |
460 | tls_close(FALSE); /* Shut down the TLS library */ | |
461 | #endif | |
462 | close(fileno(smtp_in)); | |
463 | close(fileno(smtp_out)); | |
464 | smtp_in = NULL; | |
465 | } | |
466 | else | |
467 | { | |
468 | close(0); /* stdin */ | |
469 | if ((debug_selector & D_resolver) == 0) close(1); /* stdout */ | |
470 | if (debug_selector == 0) /* stderr */ | |
471 | { | |
472 | if (!synchronous_delivery) | |
473 | { | |
474 | close(2); | |
475 | log_stderr = NULL; | |
476 | } | |
477 | (void)setsid(); | |
478 | } | |
479 | } | |
480 | } | |
481 | ||
482 | ||
483 | ||
484 | ||
485 | /************************************************* | |
486 | * Set uid and gid * | |
487 | *************************************************/ | |
488 | ||
489 | /* This function sets a new uid and gid permanently, optionally calling | |
490 | initgroups() to set auxiliary groups. There are some special cases when running | |
491 | Exim in unprivileged modes. In these situations the effective uid will not be | |
492 | root; if we already have the right effective uid/gid, and don't need to | |
493 | initialize any groups, leave things as they are. | |
494 | ||
495 | Arguments: | |
496 | uid the uid | |
497 | gid the gid | |
498 | igflag TRUE if initgroups() wanted | |
499 | msg text to use in debugging output and failure log | |
500 | ||
501 | Returns: nothing; bombs out on failure | |
502 | */ | |
503 | ||
504 | void | |
505 | exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg) | |
506 | { | |
507 | uid_t euid = geteuid(); | |
508 | gid_t egid = getegid(); | |
509 | ||
510 | if (euid == root_uid || euid != uid || egid != gid || igflag) | |
511 | { | |
512 | /* At least one OS returns +1 for initgroups failure, so just check for | |
513 | non-zero. */ | |
514 | ||
515 | if (igflag) | |
516 | { | |
517 | struct passwd *pw = getpwuid(uid); | |
518 | if (pw != NULL) | |
519 | { | |
520 | if (initgroups(pw->pw_name, gid) != 0) | |
521 | log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s", | |
522 | (long int)uid, strerror(errno)); | |
523 | } | |
524 | else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): " | |
525 | "no passwd entry for uid=%ld", (long int)uid); | |
526 | } | |
527 | ||
528 | if (setgid(gid) < 0 || setuid(uid) < 0) | |
529 | { | |
530 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld " | |
531 | "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg); | |
532 | } | |
533 | } | |
534 | ||
535 | /* Debugging output included uid/gid and all groups */ | |
536 | ||
537 | DEBUG(D_uid) | |
538 | { | |
539 | int group_count; | |
540 | gid_t group_list[NGROUPS_MAX]; | |
541 | debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg, | |
542 | (long int)geteuid(), (long int)getegid(), (long int)getpid()); | |
543 | group_count = getgroups(NGROUPS_MAX, group_list); | |
544 | debug_printf(" auxiliary group list:"); | |
545 | if (group_count > 0) | |
546 | { | |
547 | int i; | |
548 | for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]); | |
549 | } | |
550 | else debug_printf(" <none>"); | |
551 | debug_printf("\n"); | |
552 | } | |
553 | } | |
554 | ||
555 | ||
556 | ||
557 | ||
558 | /************************************************* | |
559 | * Exit point * | |
560 | *************************************************/ | |
561 | ||
562 | /* Exim exits via this function so that it always clears up any open | |
563 | databases. | |
564 | ||
565 | Arguments: | |
566 | rc return code | |
567 | ||
568 | Returns: does not return | |
569 | */ | |
570 | ||
571 | void | |
572 | exim_exit(int rc) | |
573 | { | |
574 | search_tidyup(); | |
575 | DEBUG(D_any) | |
576 | debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d " | |
577 | ">>>>>>>>>>>>>>>>\n", (int)getpid(), rc); | |
578 | exit(rc); | |
579 | } | |
580 | ||
581 | ||
582 | ||
583 | ||
584 | /************************************************* | |
585 | * Extract port from host address * | |
586 | *************************************************/ | |
587 | ||
588 | /* Called to extract the port from the values given to -oMa and -oMi. | |
589 | It also checks the syntax of the address. | |
590 | ||
591 | Argument: | |
592 | address the address, with possible port on the end | |
593 | ||
594 | Returns: the port, or zero if there isn't one | |
595 | bombs out on a syntax error | |
596 | */ | |
597 | ||
598 | static int | |
599 | check_port(uschar *address) | |
600 | { | |
601 | int port = host_extract_port(address); | |
8e669ac1 | 602 | if (string_is_ip_address(address, NULL) == 0) |
059ec3d9 PH |
603 | { |
604 | fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address); | |
605 | exit(EXIT_FAILURE); | |
606 | } | |
607 | return port; | |
608 | } | |
609 | ||
610 | ||
611 | ||
612 | /************************************************* | |
613 | * Test/verify an address * | |
614 | *************************************************/ | |
615 | ||
616 | /* This function is called by the -bv and -bt code. It extracts a working | |
617 | address from a full RFC 822 address. This isn't really necessary per se, but it | |
618 | has the effect of collapsing source routes. | |
619 | ||
620 | Arguments: | |
621 | s the address string | |
622 | flags flag bits for verify_address() | |
623 | exit_value to be set for failures | |
624 | ||
a5a28604 | 625 | Returns: nothing |
059ec3d9 PH |
626 | */ |
627 | ||
628 | static void | |
629 | test_address(uschar *s, int flags, int *exit_value) | |
630 | { | |
631 | int start, end, domain; | |
632 | uschar *parse_error = NULL; | |
633 | uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain, | |
634 | FALSE); | |
635 | if (address == NULL) | |
636 | { | |
637 | fprintf(stdout, "syntax error: %s\n", parse_error); | |
638 | *exit_value = 2; | |
639 | } | |
640 | else | |
641 | { | |
642 | int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1, | |
4deaf07d | 643 | -1, -1, NULL, NULL, NULL); |
059ec3d9 PH |
644 | if (rc == FAIL) *exit_value = 2; |
645 | else if (rc == DEFER && *exit_value == 0) *exit_value = 1; | |
646 | } | |
647 | } | |
648 | ||
649 | ||
650 | ||
651 | /************************************************* | |
652 | * Decode bit settings for log/debug * | |
653 | *************************************************/ | |
654 | ||
655 | /* This function decodes a string containing bit settings in the form of +name | |
656 | and/or -name sequences, and sets/unsets bits in a bit string accordingly. It | |
657 | also recognizes a numeric setting of the form =<number>, but this is not | |
658 | intended for user use. It's an easy way for Exim to pass the debug settings | |
659 | when it is re-exec'ed. | |
660 | ||
661 | The log options are held in two unsigned ints (because there became too many | |
662 | for one). The top bit in the table means "put in 2nd selector". This does not | |
663 | yet apply to debug options, so the "=" facility sets only the first selector. | |
664 | ||
665 | A bad value for a debug setting is treated as an unknown option - error message | |
666 | to stderr and die. For log settings, which come from the configuration file, | |
667 | we write to the log on the way out... | |
668 | ||
669 | Arguments: | |
670 | selector1 address of the first bit string | |
671 | selector2 address of the second bit string, or NULL | |
672 | string the configured string | |
673 | options the table of option names | |
674 | count size of table | |
675 | which "log" or "debug" | |
676 | ||
677 | Returns: nothing on success - bomb out on failure | |
678 | */ | |
679 | ||
680 | static void | |
681 | decode_bits(unsigned int *selector1, unsigned int *selector2, uschar *string, | |
682 | bit_table *options, int count, uschar *which) | |
683 | { | |
684 | uschar *errmsg; | |
685 | if (string == NULL) return; | |
686 | ||
687 | if (*string == '=') | |
688 | { | |
689 | char *end; /* Not uschar */ | |
690 | *selector1 = strtoul(CS string+1, &end, 0); | |
691 | if (*end == 0) return; | |
692 | errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which, | |
693 | string); | |
694 | goto ERROR_RETURN; | |
695 | } | |
696 | ||
697 | /* Handle symbolic setting */ | |
698 | ||
699 | else for(;;) | |
700 | { | |
701 | BOOL adding; | |
702 | uschar *s; | |
703 | int len; | |
704 | bit_table *start, *end; | |
705 | ||
706 | while (isspace(*string)) string++; | |
707 | if (*string == 0) return; | |
708 | ||
709 | if (*string != '+' && *string != '-') | |
710 | { | |
711 | errmsg = string_sprintf("malformed %s_selector setting: " | |
712 | "+ or - expected but found \"%s\"", which, string); | |
713 | goto ERROR_RETURN; | |
714 | } | |
715 | ||
716 | adding = *string++ == '+'; | |
717 | s = string; | |
718 | while (isalnum(*string) || *string == '_') string++; | |
719 | len = string - s; | |
720 | ||
721 | start = options; | |
722 | end = options + count; | |
723 | ||
724 | while (start < end) | |
725 | { | |
726 | bit_table *middle = start + (end - start)/2; | |
727 | int c = Ustrncmp(s, middle->name, len); | |
728 | if (c == 0) | |
729 | { | |
730 | if (middle->name[len] != 0) c = -1; else | |
731 | { | |
732 | unsigned int bit = middle->bit; | |
733 | unsigned int *selector; | |
734 | ||
735 | /* The value with all bits set means "set all bits in both selectors" | |
736 | in the case where two are being handled. However, the top bit in the | |
737 | second selector is never set. */ | |
738 | ||
739 | if (bit == 0xffffffff) | |
740 | { | |
741 | *selector1 = adding? bit : 0; | |
742 | if (selector2 != NULL) *selector2 = adding? 0x7fffffff : 0; | |
743 | } | |
744 | ||
745 | /* Otherwise, the 0x80000000 bit means "this value, without the top | |
746 | bit, belongs in the second selector". */ | |
747 | ||
748 | else | |
749 | { | |
750 | if ((bit & 0x80000000) != 0) | |
751 | { | |
752 | selector = selector2; | |
753 | bit &= 0x7fffffff; | |
754 | } | |
755 | else selector = selector1; | |
756 | if (adding) *selector |= bit; else *selector &= ~bit; | |
757 | } | |
758 | break; /* Out of loop to match selector name */ | |
759 | } | |
760 | } | |
761 | if (c < 0) end = middle; else start = middle + 1; | |
762 | } /* Loop to match selector name */ | |
763 | ||
764 | if (start >= end) | |
765 | { | |
766 | errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which, | |
767 | adding? '+' : '-', len, s); | |
768 | goto ERROR_RETURN; | |
769 | } | |
770 | } /* Loop for selector names */ | |
771 | ||
772 | /* Handle disasters */ | |
773 | ||
774 | ERROR_RETURN: | |
775 | if (Ustrcmp(which, "debug") == 0) | |
776 | { | |
777 | fprintf(stderr, "exim: %s\n", errmsg); | |
778 | exit(EXIT_FAILURE); | |
779 | } | |
780 | else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg); | |
781 | } | |
782 | ||
783 | ||
784 | ||
785 | /************************************************* | |
786 | * Show supported features * | |
787 | *************************************************/ | |
788 | ||
789 | /* This function is called for -bV and for -d to output the optional features | |
790 | of the current Exim binary. | |
791 | ||
792 | Arguments: a FILE for printing | |
793 | Returns: nothing | |
794 | */ | |
795 | ||
796 | static void | |
797 | show_whats_supported(FILE *f) | |
798 | { | |
799 | #ifdef DB_VERSION_STRING | |
800 | fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING); | |
801 | #elif defined(BTREEVERSION) && defined(HASHVERSION) | |
802 | #ifdef USE_DB | |
803 | fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n"); | |
804 | #else | |
805 | fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n"); | |
806 | #endif | |
807 | #elif defined(_DBM_RDONLY) || defined(dbm_dirfno) | |
808 | fprintf(f, "Probably ndbm\n"); | |
809 | #elif defined(USE_TDB) | |
810 | fprintf(f, "Using tdb\n"); | |
811 | #else | |
812 | #ifdef USE_GDBM | |
813 | fprintf(f, "Probably GDBM (native mode)\n"); | |
814 | #else | |
815 | fprintf(f, "Probably GDBM (compatibility mode)\n"); | |
816 | #endif | |
817 | #endif | |
818 | ||
819 | fprintf(f, "Support for:"); | |
820 | #if HAVE_ICONV | |
821 | fprintf(f, " iconv()"); | |
822 | #endif | |
823 | #if HAVE_IPV6 | |
824 | fprintf(f, " IPv6"); | |
825 | #endif | |
826 | #ifdef SUPPORT_PAM | |
827 | fprintf(f, " PAM"); | |
828 | #endif | |
829 | #ifdef EXIM_PERL | |
830 | fprintf(f, " Perl"); | |
831 | #endif | |
1a46a8c5 PH |
832 | #ifdef EXPAND_DLFUNC |
833 | fprintf(f, " Expand_dlfunc"); | |
834 | #endif | |
059ec3d9 PH |
835 | #ifdef USE_TCP_WRAPPERS |
836 | fprintf(f, " TCPwrappers"); | |
837 | #endif | |
838 | #ifdef SUPPORT_TLS | |
839 | #ifdef USE_GNUTLS | |
840 | fprintf(f, " GnuTLS"); | |
841 | #else | |
842 | fprintf(f, " OpenSSL"); | |
843 | #endif | |
844 | #endif | |
8523533c TK |
845 | #ifdef WITH_CONTENT_SCAN |
846 | fprintf(f, " Content_Scanning"); | |
847 | #endif | |
848 | #ifdef WITH_OLD_DEMIME | |
849 | fprintf(f, " Old_Demime"); | |
850 | #endif | |
851 | #ifdef EXPERIMENTAL_SPF | |
852 | fprintf(f, " Experimental_SPF"); | |
853 | #endif | |
854 | #ifdef EXPERIMENTAL_SRS | |
855 | fprintf(f, " Experimental_SRS"); | |
856 | #endif | |
857 | #ifdef EXPERIMENTAL_BRIGHTMAIL | |
858 | fprintf(f, " Experimental_Brightmail"); | |
859 | #endif | |
fb2274d4 TK |
860 | #ifdef EXPERIMENTAL_DOMAINKEYS |
861 | fprintf(f, " Experimental_DomainKeys"); | |
862 | #endif | |
059ec3d9 PH |
863 | fprintf(f, "\n"); |
864 | ||
865 | fprintf(f, "Lookups:"); | |
866 | #ifdef LOOKUP_LSEARCH | |
867 | fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch"); | |
868 | #endif | |
869 | #ifdef LOOKUP_CDB | |
870 | fprintf(f, " cdb"); | |
871 | #endif | |
872 | #ifdef LOOKUP_DBM | |
873 | fprintf(f, " dbm dbmnz"); | |
874 | #endif | |
875 | #ifdef LOOKUP_DNSDB | |
876 | fprintf(f, " dnsdb"); | |
877 | #endif | |
878 | #ifdef LOOKUP_DSEARCH | |
879 | fprintf(f, " dsearch"); | |
880 | #endif | |
881 | #ifdef LOOKUP_IBASE | |
882 | fprintf(f, " ibase"); | |
883 | #endif | |
884 | #ifdef LOOKUP_LDAP | |
885 | fprintf(f, " ldap ldapdn ldapm"); | |
886 | #endif | |
887 | #ifdef LOOKUP_MYSQL | |
888 | fprintf(f, " mysql"); | |
889 | #endif | |
890 | #ifdef LOOKUP_NIS | |
891 | fprintf(f, " nis nis0"); | |
892 | #endif | |
893 | #ifdef LOOKUP_NISPLUS | |
894 | fprintf(f, " nisplus"); | |
895 | #endif | |
896 | #ifdef LOOKUP_ORACLE | |
897 | fprintf(f, " oracle"); | |
898 | #endif | |
899 | #ifdef LOOKUP_PASSWD | |
900 | fprintf(f, " passwd"); | |
901 | #endif | |
902 | #ifdef LOOKUP_PGSQL | |
903 | fprintf(f, " pgsql"); | |
904 | #endif | |
905 | #ifdef LOOKUP_TESTDB | |
906 | fprintf(f, " testdb"); | |
907 | #endif | |
908 | #ifdef LOOKUP_WHOSON | |
909 | fprintf(f, " whoson"); | |
910 | #endif | |
911 | fprintf(f, "\n"); | |
912 | ||
913 | fprintf(f, "Authenticators:"); | |
914 | #ifdef AUTH_CRAM_MD5 | |
915 | fprintf(f, " cram_md5"); | |
916 | #endif | |
917 | #ifdef AUTH_CYRUS_SASL | |
918 | fprintf(f, " cyrus_sasl"); | |
919 | #endif | |
920 | #ifdef AUTH_PLAINTEXT | |
921 | fprintf(f, " plaintext"); | |
922 | #endif | |
923 | #ifdef AUTH_SPA | |
924 | fprintf(f, " spa"); | |
925 | #endif | |
926 | fprintf(f, "\n"); | |
927 | ||
928 | fprintf(f, "Routers:"); | |
929 | #ifdef ROUTER_ACCEPT | |
930 | fprintf(f, " accept"); | |
931 | #endif | |
932 | #ifdef ROUTER_DNSLOOKUP | |
933 | fprintf(f, " dnslookup"); | |
934 | #endif | |
935 | #ifdef ROUTER_IPLITERAL | |
936 | fprintf(f, " ipliteral"); | |
937 | #endif | |
938 | #ifdef ROUTER_IPLOOKUP | |
939 | fprintf(f, " iplookup"); | |
940 | #endif | |
941 | #ifdef ROUTER_MANUALROUTE | |
942 | fprintf(f, " manualroute"); | |
943 | #endif | |
944 | #ifdef ROUTER_QUERYPROGRAM | |
945 | fprintf(f, " queryprogram"); | |
946 | #endif | |
947 | #ifdef ROUTER_REDIRECT | |
948 | fprintf(f, " redirect"); | |
949 | #endif | |
950 | fprintf(f, "\n"); | |
951 | ||
952 | fprintf(f, "Transports:"); | |
953 | #ifdef TRANSPORT_APPENDFILE | |
954 | fprintf(f, " appendfile"); | |
955 | #ifdef SUPPORT_MAILDIR | |
956 | fprintf(f, "/maildir"); | |
957 | #endif | |
958 | #ifdef SUPPORT_MAILSTORE | |
959 | fprintf(f, "/mailstore"); | |
960 | #endif | |
961 | #ifdef SUPPORT_MBX | |
962 | fprintf(f, "/mbx"); | |
963 | #endif | |
964 | #endif | |
965 | #ifdef TRANSPORT_AUTOREPLY | |
966 | fprintf(f, " autoreply"); | |
967 | #endif | |
968 | #ifdef TRANSPORT_LMTP | |
969 | fprintf(f, " lmtp"); | |
970 | #endif | |
971 | #ifdef TRANSPORT_PIPE | |
972 | fprintf(f, " pipe"); | |
973 | #endif | |
974 | #ifdef TRANSPORT_SMTP | |
975 | fprintf(f, " smtp"); | |
976 | #endif | |
977 | fprintf(f, "\n"); | |
978 | ||
979 | if (fixed_never_users[0] > 0) | |
980 | { | |
981 | int i; | |
982 | fprintf(f, "Fixed never_users: "); | |
983 | for (i = 1; i <= (int)fixed_never_users[0] - 1; i++) | |
984 | fprintf(f, "%d:", (unsigned int)fixed_never_users[i]); | |
985 | fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]); | |
986 | } | |
987 | } | |
988 | ||
989 | ||
990 | ||
991 | ||
992 | /************************************************* | |
993 | * Quote a local part * | |
994 | *************************************************/ | |
995 | ||
996 | /* This function is used when a sender address or a From: or Sender: header | |
997 | line is being created from the caller's login, or from an authenticated_id. It | |
998 | applies appropriate quoting rules for a local part. | |
999 | ||
1000 | Argument: the local part | |
1001 | Returns: the local part, quoted if necessary | |
1002 | */ | |
1003 | ||
1004 | uschar * | |
1005 | local_part_quote(uschar *lpart) | |
1006 | { | |
1007 | BOOL needs_quote = FALSE; | |
1008 | int size, ptr; | |
1009 | uschar *yield; | |
1010 | uschar *t; | |
1011 | ||
1012 | for (t = lpart; !needs_quote && *t != 0; t++) | |
1013 | { | |
1014 | needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL && | |
1015 | (*t != '.' || t == lpart || t[1] == 0); | |
1016 | } | |
1017 | ||
1018 | if (!needs_quote) return lpart; | |
1019 | ||
1020 | size = ptr = 0; | |
1021 | yield = string_cat(NULL, &size, &ptr, US"\"", 1); | |
1022 | ||
1023 | for (;;) | |
1024 | { | |
1025 | uschar *nq = US Ustrpbrk(lpart, "\\\""); | |
1026 | if (nq == NULL) | |
1027 | { | |
1028 | yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart)); | |
1029 | break; | |
1030 | } | |
1031 | yield = string_cat(yield, &size, &ptr, lpart, nq - lpart); | |
1032 | yield = string_cat(yield, &size, &ptr, US"\\", 1); | |
1033 | yield = string_cat(yield, &size, &ptr, nq, 1); | |
1034 | lpart = nq + 1; | |
1035 | } | |
1036 | ||
1037 | yield = string_cat(yield, &size, &ptr, US"\"", 1); | |
1038 | yield[ptr] = 0; | |
1039 | return yield; | |
1040 | } | |
1041 | ||
1042 | ||
1043 | ||
1044 | #ifdef USE_READLINE | |
1045 | /************************************************* | |
1046 | * Load readline() functions * | |
1047 | *************************************************/ | |
1048 | ||
1049 | /* This function is called from testing executions that read data from stdin, | |
1050 | but only when running as the calling user. Currently, only -be does this. The | |
1051 | function loads the readline() function library and passes back the functions. | |
1052 | On some systems, it needs the curses library, so load that too, but try without | |
1053 | it if loading fails. All this functionality has to be requested at build time. | |
1054 | ||
1055 | Arguments: | |
1056 | fn_readline_ptr pointer to where to put the readline pointer | |
1057 | fn_addhist_ptr pointer to where to put the addhistory function | |
1058 | ||
1059 | Returns: the dlopen handle or NULL on failure | |
1060 | */ | |
1061 | ||
1062 | static void * | |
1063 | set_readline(char * (**fn_readline_ptr)(char *), | |
1064 | char * (**fn_addhist_ptr)(char *)) | |
1065 | { | |
1066 | void *dlhandle; | |
1067 | void *dlhandle_curses = dlopen("libcurses.so", RTLD_GLOBAL|RTLD_LAZY); | |
1068 | ||
1069 | dlhandle = dlopen("libreadline.so", RTLD_GLOBAL|RTLD_NOW); | |
1070 | if (dlhandle_curses != NULL) dlclose(dlhandle_curses); | |
1071 | ||
1072 | if (dlhandle != NULL) | |
1073 | { | |
1074 | *fn_readline_ptr = (char *(*)(char*))dlsym(dlhandle, "readline"); | |
1075 | *fn_addhist_ptr = (char *(*)(char*))dlsym(dlhandle, "add_history"); | |
1076 | } | |
1077 | else | |
1078 | { | |
1079 | DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror()); | |
1080 | } | |
1081 | ||
1082 | return dlhandle; | |
1083 | } | |
1084 | #endif | |
1085 | ||
1086 | ||
1087 | ||
1088 | /************************************************* | |
1089 | * Get a line from stdin for testing things * | |
1090 | *************************************************/ | |
1091 | ||
1092 | /* This function is called when running tests that can take a number of lines | |
1093 | of input (for example, -be and -bt). It handles continuations and trailing | |
1094 | spaces. And prompting and a blank line output on eof. If readline() is in use, | |
1095 | the arguments are non-NULL and provide the relevant functions. | |
1096 | ||
1097 | Arguments: | |
1098 | fn_readline readline function or NULL | |
1099 | fn_addhist addhist function or NULL | |
1100 | ||
1101 | Returns: pointer to dynamic memory, or NULL at end of file | |
1102 | */ | |
1103 | ||
1104 | static uschar * | |
1105 | get_stdinput(char *(*fn_readline)(char *), char *(*fn_addhist)(char *)) | |
1106 | { | |
1107 | int i; | |
1108 | int size = 0; | |
1109 | int ptr = 0; | |
1110 | uschar *yield = NULL; | |
1111 | ||
1112 | if (fn_readline == NULL) printf("> "); | |
1113 | ||
1114 | for (i = 0;; i++) | |
1115 | { | |
1116 | uschar buffer[1024]; | |
1117 | uschar *p, *ss; | |
1118 | ||
1119 | #ifdef USE_READLINE | |
1120 | char *readline_line = NULL; | |
1121 | if (fn_readline != NULL) | |
1122 | { | |
1123 | if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break; | |
1124 | if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line); | |
1125 | p = US readline_line; | |
1126 | } | |
1127 | else | |
1128 | #endif | |
1129 | ||
1130 | /* readline() not in use */ | |
1131 | ||
1132 | { | |
1133 | if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break; | |
1134 | p = buffer; | |
1135 | } | |
1136 | ||
1137 | /* Handle the line */ | |
1138 | ||
1139 | ss = p + (int)Ustrlen(p); | |
1140 | while (ss > p && isspace(ss[-1])) ss--; | |
1141 | ||
1142 | if (i > 0) | |
1143 | { | |
1144 | while (p < ss && isspace(*p)) p++; /* leading space after cont */ | |
1145 | } | |
1146 | ||
1147 | yield = string_cat(yield, &size, &ptr, p, ss - p); | |
1148 | ||
1149 | #ifdef USE_READLINE | |
1150 | if (fn_readline != NULL) free(readline_line); | |
1151 | #endif | |
1152 | ||
1153 | if (ss == p || yield[ptr-1] != '\\') | |
1154 | { | |
1155 | yield[ptr] = 0; | |
1156 | break; | |
1157 | } | |
1158 | yield[--ptr] = 0; | |
1159 | } | |
1160 | ||
1161 | if (yield == NULL) printf("\n"); | |
1162 | return yield; | |
1163 | } | |
1164 | ||
1165 | ||
1166 | ||
1167 | /************************************************* | |
1168 | * Entry point and high-level code * | |
1169 | *************************************************/ | |
1170 | ||
1171 | /* Entry point for the Exim mailer. Analyse the arguments and arrange to take | |
1172 | the appropriate action. All the necessary functions are present in the one | |
1173 | binary. I originally thought one should split it up, but it turns out that so | |
1174 | much of the apparatus is needed in each chunk that one might as well just have | |
1175 | it all available all the time, which then makes the coding easier as well. | |
1176 | ||
1177 | Arguments: | |
1178 | argc count of entries in argv | |
1179 | argv argument strings, with argv[0] being the program name | |
1180 | ||
1181 | Returns: EXIT_SUCCESS if terminated successfully | |
1182 | EXIT_FAILURE otherwise, except when a message has been sent | |
1183 | to the sender, and -oee was given | |
1184 | */ | |
1185 | ||
1186 | int | |
1187 | main(int argc, char **cargv) | |
1188 | { | |
1189 | uschar **argv = USS cargv; | |
1190 | int arg_receive_timeout = -1; | |
1191 | int arg_smtp_receive_timeout = -1; | |
1192 | int arg_error_handling = error_handling; | |
f05da2e8 PH |
1193 | int filter_sfd = -1; |
1194 | int filter_ufd = -1; | |
059ec3d9 PH |
1195 | int group_count; |
1196 | int i; | |
1197 | int list_queue_option = 0; | |
1198 | int msg_action = 0; | |
1199 | int msg_action_arg = -1; | |
1200 | int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]); | |
1201 | int queue_only_reason = 0; | |
1202 | #ifdef EXIM_PERL | |
1203 | int perl_start_option = 0; | |
1204 | #endif | |
1205 | int recipients_arg = argc; | |
1206 | int sender_address_domain = 0; | |
1207 | int test_retry_arg = -1; | |
1208 | int test_rewrite_arg = -1; | |
1209 | BOOL arg_queue_only = FALSE; | |
1210 | BOOL bi_option = FALSE; | |
1211 | BOOL checking = FALSE; | |
1212 | BOOL count_queue = FALSE; | |
1213 | BOOL expansion_test = FALSE; | |
1214 | BOOL extract_recipients = FALSE; | |
1215 | BOOL forced_delivery = FALSE; | |
1216 | BOOL f_end_dot = FALSE; | |
1217 | BOOL deliver_give_up = FALSE; | |
1218 | BOOL list_queue = FALSE; | |
1219 | BOOL list_options = FALSE; | |
1220 | BOOL local_queue_only; | |
1221 | BOOL more = TRUE; | |
1222 | BOOL one_msg_action = FALSE; | |
1223 | BOOL queue_only_set = FALSE; | |
1224 | BOOL receiving_message = TRUE; | |
1225 | BOOL unprivileged; | |
1226 | BOOL removed_privilege = FALSE; | |
1227 | BOOL verify_address_mode = FALSE; | |
1228 | BOOL verify_as_sender = FALSE; | |
1229 | BOOL version_printed = FALSE; | |
1230 | uschar *alias_arg = NULL; | |
1231 | uschar *called_as = US""; | |
1232 | uschar *start_queue_run_id = NULL; | |
1233 | uschar *stop_queue_run_id = NULL; | |
1234 | uschar *ftest_domain = NULL; | |
1235 | uschar *ftest_localpart = NULL; | |
1236 | uschar *ftest_prefix = NULL; | |
1237 | uschar *ftest_suffix = NULL; | |
1238 | uschar *real_sender_address; | |
1239 | uschar *originator_home = US"/"; | |
059ec3d9 PH |
1240 | void *reset_point; |
1241 | ||
1242 | struct passwd *pw; | |
1243 | struct stat statbuf; | |
1244 | pid_t passed_qr_pid = (pid_t)0; | |
1245 | int passed_qr_pipe = -1; | |
1246 | gid_t group_list[NGROUPS_MAX]; | |
1247 | ||
1248 | /* Possible options for -R and -S */ | |
1249 | ||
1250 | static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" }; | |
1251 | ||
1252 | /* Need to define this in case we need to change the environment in order | |
1253 | to get rid of a bogus time zone. We have to make it char rather than uschar | |
1254 | because some OS define it in /usr/include/unistd.h. */ | |
1255 | ||
1256 | extern char **environ; | |
1257 | ||
35edf2ff | 1258 | /* If the Exim user and/or group and/or the configuration file owner/group were |
059ec3d9 PH |
1259 | defined by ref:name at build time, we must now find the actual uid/gid values. |
1260 | This is a feature to make the lives of binary distributors easier. */ | |
1261 | ||
1262 | #ifdef EXIM_USERNAME | |
1263 | if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid)) | |
1264 | { | |
1265 | exim_gid = pw->pw_gid; | |
1266 | } | |
1267 | else | |
1268 | { | |
1269 | fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n", | |
1270 | EXIM_USERNAME); | |
1271 | exit(EXIT_FAILURE); | |
1272 | } | |
1273 | #endif | |
1274 | ||
1275 | #ifdef EXIM_GROUPNAME | |
1276 | if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid)) | |
1277 | { | |
1278 | fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n", | |
1279 | EXIM_GROUPNAME); | |
1280 | exit(EXIT_FAILURE); | |
1281 | } | |
1282 | #endif | |
1283 | ||
1284 | #ifdef CONFIGURE_OWNERNAME | |
1285 | if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid)) | |
1286 | { | |
1287 | fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n", | |
1288 | CONFIGURE_OWNERNAME); | |
1289 | exit(EXIT_FAILURE); | |
1290 | } | |
1291 | #endif | |
1292 | ||
35edf2ff PH |
1293 | #ifdef CONFIGURE_GROUPNAME |
1294 | if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid)) | |
1295 | { | |
1296 | fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n", | |
1297 | CONFIGURE_GROUPNAME); | |
1298 | exit(EXIT_FAILURE); | |
1299 | } | |
1300 | #endif | |
1301 | ||
059ec3d9 PH |
1302 | /* In the Cygwin environment, some initialization needs doing. It is fudged |
1303 | in by means of this macro. */ | |
1304 | ||
1305 | #ifdef OS_INIT | |
1306 | OS_INIT | |
1307 | #endif | |
1308 | ||
1309 | /* Check a field which is patched when we are running Exim within its | |
1310 | testing harness; do a fast initial check, and then the whole thing. */ | |
1311 | ||
1312 | running_in_test_harness = | |
1313 | *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0; | |
1314 | ||
1315 | /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed | |
1316 | at the start of a program; however, it seems that some environments do not | |
1317 | follow this. A "strange" locale can affect the formatting of timestamps, so we | |
1318 | make quite sure. */ | |
1319 | ||
1320 | setlocale(LC_ALL, "C"); | |
1321 | ||
1322 | /* Set up the default handler for timing using alarm(). */ | |
1323 | ||
1324 | os_non_restarting_signal(SIGALRM, sigalrm_handler); | |
1325 | ||
1326 | /* Ensure we have a buffer for constructing log entries. Use malloc directly, | |
1327 | because store_malloc writes a log entry on failure. */ | |
1328 | ||
1329 | log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE); | |
1330 | if (log_buffer == NULL) | |
1331 | { | |
1332 | fprintf(stderr, "exim: failed to get store for log buffer\n"); | |
1333 | exit(EXIT_FAILURE); | |
1334 | } | |
1335 | ||
1336 | /* Set log_stderr to stderr, provided that stderr exists. This gets reset to | |
1337 | NULL when the daemon is run and the file is closed. We have to use this | |
1338 | indirection, because some systems don't allow writing to the variable "stderr". | |
1339 | */ | |
1340 | ||
1341 | if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr; | |
1342 | ||
1343 | /* Arrange for the PCRE regex library to use our store functions. Note that | |
1344 | the normal calls are actually macros that add additional arguments for | |
1345 | debugging purposes so we have to assign specially constructed functions here. | |
1346 | The default is to use store in the stacking pool, but this is overridden in the | |
1347 | regex_must_compile() function. */ | |
1348 | ||
1349 | pcre_malloc = function_store_get; | |
1350 | pcre_free = function_dummy_free; | |
1351 | ||
1352 | /* Ensure there is a big buffer for temporary use in several places. It is put | |
1353 | in malloc store so that it can be freed for enlargement if necessary. */ | |
1354 | ||
1355 | big_buffer = store_malloc(big_buffer_size); | |
1356 | ||
1357 | /* Set up the handler for the data request signal, and set the initial | |
1358 | descriptive text. */ | |
1359 | ||
1360 | set_process_info("initializing"); | |
1361 | os_restarting_signal(SIGUSR1, usr1_handler); | |
1362 | ||
1363 | /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate | |
1364 | in the daemon code. For the rest of Exim's uses, we ignore it. */ | |
1365 | ||
1366 | signal(SIGHUP, SIG_IGN); | |
1367 | ||
1368 | /* We don't want to die on pipe errors as the code is written to handle | |
1369 | the write error instead. */ | |
1370 | ||
1371 | signal(SIGPIPE, SIG_IGN); | |
1372 | ||
1373 | /* Under some circumstance on some OS, Exim can get called with SIGCHLD | |
1374 | set to SIG_IGN. This causes subprocesses that complete before the parent | |
1375 | process waits for them not to hang around, so when Exim calls wait(), nothing | |
1376 | is there. The wait() code has been made robust against this, but let's ensure | |
1377 | that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process | |
1378 | ending status. We use sigaction rather than plain signal() on those OS where | |
1379 | SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a | |
1380 | problem on AIX with this.) */ | |
1381 | ||
1382 | #ifdef SA_NOCLDWAIT | |
1383 | { | |
1384 | struct sigaction act; | |
1385 | act.sa_handler = SIG_DFL; | |
1386 | sigemptyset(&(act.sa_mask)); | |
1387 | act.sa_flags = 0; | |
1388 | sigaction(SIGCHLD, &act, NULL); | |
1389 | } | |
1390 | #else | |
1391 | signal(SIGCHLD, SIG_DFL); | |
1392 | #endif | |
1393 | ||
1394 | /* Save the arguments for use if we re-exec exim as a daemon after receiving | |
1395 | SIGHUP. */ | |
1396 | ||
1397 | sighup_argv = argv; | |
1398 | ||
1399 | /* Set up the version number. Set up the leading 'E' for the external form of | |
1400 | message ids, set the pointer to the internal form, and initialize it to | |
1401 | indicate no message being processed. */ | |
1402 | ||
1403 | version_init(); | |
1404 | message_id_option[0] = '-'; | |
1405 | message_id_external = message_id_option + 1; | |
1406 | message_id_external[0] = 'E'; | |
1407 | message_id = message_id_external + 1; | |
1408 | message_id[0] = 0; | |
1409 | ||
1410 | /* Set the umask to zero so that any files that Exim creates are created | |
1411 | with the modes that it specifies. */ | |
1412 | ||
1413 | umask(0); | |
1414 | ||
1415 | /* Precompile the regular expression for matching a message id. Keep this in | |
1416 | step with the code that generates ids in the accept.c module. We need to do | |
1417 | this here, because the -M options check their arguments for syntactic validity | |
1418 | using mac_ismsgid, which uses this. */ | |
1419 | ||
1420 | regex_ismsgid = | |
1421 | regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE); | |
1422 | ||
1423 | /* If the program is called as "mailq" treat it as equivalent to "exim -bp"; | |
1424 | this seems to be a generally accepted convention, since one finds symbolic | |
1425 | links called "mailq" in standard OS configurations. */ | |
1426 | ||
1427 | if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) || | |
1428 | (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0)) | |
1429 | { | |
1430 | list_queue = TRUE; | |
1431 | receiving_message = FALSE; | |
1432 | called_as = US"-mailq"; | |
1433 | } | |
1434 | ||
1435 | /* If the program is called as "rmail" treat it as equivalent to | |
1436 | "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode, | |
1437 | i.e. preventing a single dot on a line from terminating the message, and | |
1438 | returning with zero return code, even in cases of error (provided an error | |
1439 | message has been sent). */ | |
1440 | ||
1441 | if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) || | |
1442 | (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0)) | |
1443 | { | |
1444 | dot_ends = FALSE; | |
1445 | called_as = US"-rmail"; | |
1446 | errors_sender_rc = EXIT_SUCCESS; | |
1447 | } | |
1448 | ||
1449 | /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS"; | |
1450 | this is a smail convention. */ | |
1451 | ||
1452 | if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) || | |
1453 | (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0)) | |
1454 | { | |
1455 | smtp_input = smtp_batched_input = TRUE; | |
1456 | called_as = US"-rsmtp"; | |
1457 | } | |
1458 | ||
1459 | /* If the program is called as "runq" treat it as equivalent to "exim -q"; | |
1460 | this is a smail convention. */ | |
1461 | ||
1462 | if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) || | |
1463 | (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0)) | |
1464 | { | |
1465 | queue_interval = 0; | |
1466 | receiving_message = FALSE; | |
1467 | called_as = US"-runq"; | |
1468 | } | |
1469 | ||
1470 | /* If the program is called as "newaliases" treat it as equivalent to | |
1471 | "exim -bi"; this is a sendmail convention. */ | |
1472 | ||
1473 | if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) || | |
1474 | (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0)) | |
1475 | { | |
1476 | bi_option = TRUE; | |
1477 | receiving_message = FALSE; | |
1478 | called_as = US"-newaliases"; | |
1479 | } | |
1480 | ||
1481 | /* Save the original effective uid for a couple of uses later. It should | |
1482 | normally be root, but in some esoteric environments it may not be. */ | |
1483 | ||
1484 | original_euid = geteuid(); | |
1485 | ||
1486 | /* Get the real uid and gid. If the caller is root, force the effective uid/gid | |
1487 | to be the same as the real ones. This makes a difference only if Exim is setuid | |
1488 | (or setgid) to something other than root, which could be the case in some | |
1489 | special configurations. */ | |
1490 | ||
1491 | real_uid = getuid(); | |
1492 | real_gid = getgid(); | |
1493 | ||
1494 | if (real_uid == root_uid) | |
1495 | { | |
1496 | setgid(real_gid); | |
1497 | setuid(real_uid); | |
1498 | } | |
1499 | ||
1500 | /* If neither the original real uid nor the original euid was root, Exim is | |
1501 | running in an unprivileged state. */ | |
1502 | ||
1503 | unprivileged = (real_uid != root_uid && original_euid != root_uid); | |
1504 | ||
1505 | /* If the first argument is --help, pretend there are no arguments. This will | |
1506 | cause a brief message to be given. */ | |
1507 | ||
1508 | if (argc > 1 && Ustrcmp(argv[1], "--help") == 0) argc = 1; | |
1509 | ||
1510 | /* Scan the program's arguments. Some can be dealt with right away; others are | |
1511 | simply recorded for checking and handling afterwards. Do a high-level switch | |
1512 | on the second character (the one after '-'), to save some effort. */ | |
1513 | ||
1514 | for (i = 1; i < argc; i++) | |
1515 | { | |
1516 | BOOL badarg = FALSE; | |
1517 | uschar *arg = argv[i]; | |
1518 | uschar *argrest; | |
1519 | int switchchar; | |
1520 | ||
1521 | /* An argument not starting with '-' is the start of a recipients list; | |
1522 | break out of the options-scanning loop. */ | |
1523 | ||
1524 | if (arg[0] != '-') | |
1525 | { | |
1526 | recipients_arg = i; | |
1527 | break; | |
1528 | } | |
1529 | ||
1530 | /* An option consistion of -- terminates the options */ | |
1531 | ||
1532 | if (Ustrcmp(arg, "--") == 0) | |
1533 | { | |
1534 | recipients_arg = i + 1; | |
1535 | break; | |
1536 | } | |
1537 | ||
1538 | /* Handle flagged options */ | |
1539 | ||
1540 | switchchar = arg[1]; | |
1541 | argrest = arg+2; | |
1542 | ||
1543 | /* Make all -ex options synonymous with -oex arguments, since that | |
1544 | is assumed by various callers. Also make -qR options synonymous with -R | |
1545 | options, as that seems to be required as well. Allow for -qqR too, and | |
1546 | the same for -S options. */ | |
1547 | ||
1548 | if (Ustrncmp(arg+1, "oe", 2) == 0 || | |
1549 | Ustrncmp(arg+1, "qR", 2) == 0 || | |
1550 | Ustrncmp(arg+1, "qS", 2) == 0) | |
1551 | { | |
1552 | switchchar = arg[2]; | |
1553 | argrest++; | |
1554 | } | |
1555 | else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0) | |
1556 | { | |
1557 | switchchar = arg[3]; | |
1558 | argrest += 2; | |
1559 | queue_2stage = TRUE; | |
1560 | } | |
1561 | ||
1562 | /* Make -r synonymous with -f, since it is a documented alias */ | |
1563 | ||
1564 | else if (arg[1] == 'r') switchchar = 'f'; | |
1565 | ||
1566 | /* Make -ov synonymous with -v */ | |
1567 | ||
1568 | else if (Ustrcmp(arg, "-ov") == 0) | |
1569 | { | |
1570 | switchchar = 'v'; | |
1571 | argrest++; | |
1572 | } | |
1573 | ||
1574 | /* High-level switch on active initial letter */ | |
1575 | ||
1576 | switch(switchchar) | |
1577 | { | |
1578 | /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean | |
1579 | so has no need of it. */ | |
1580 | ||
1581 | case 'B': | |
1582 | if (*argrest == 0) i++; /* Skip over the type */ | |
1583 | break; | |
1584 | ||
1585 | ||
1586 | case 'b': | |
1587 | receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */ | |
1588 | ||
1589 | /* -bd: Run in daemon mode, awaiting SMTP connections. | |
1590 | -bdf: Ditto, but in the foreground. | |
1591 | */ | |
1592 | ||
1593 | if (*argrest == 'd') | |
1594 | { | |
1595 | daemon_listen = TRUE; | |
1596 | if (*(++argrest) == 'f') background_daemon = FALSE; | |
1597 | else if (*argrest != 0) { badarg = TRUE; break; } | |
1598 | } | |
1599 | ||
1600 | /* -be: Run in expansion test mode */ | |
1601 | ||
1602 | else if (*argrest == 'e') | |
1603 | expansion_test = checking = TRUE; | |
1604 | ||
f05da2e8 PH |
1605 | /* -bF: Run system filter test */ |
1606 | ||
1607 | else if (*argrest == 'F') | |
1608 | { | |
1609 | filter_test |= FTEST_SYSTEM; | |
1610 | if (*(++argrest) != 0) { badarg = TRUE; break; } | |
1611 | if (++i < argc) filter_test_sfile = argv[i]; else | |
1612 | { | |
1613 | fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]); | |
1614 | exit(EXIT_FAILURE); | |
1615 | } | |
1616 | } | |
1617 | ||
1618 | /* -bf: Run user filter test | |
059ec3d9 PH |
1619 | -bfd: Set domain for filter testing |
1620 | -bfl: Set local part for filter testing | |
1621 | -bfp: Set prefix for filter testing | |
1622 | -bfs: Set suffix for filter testing | |
1623 | */ | |
1624 | ||
f05da2e8 | 1625 | else if (*argrest == 'f') |
059ec3d9 | 1626 | { |
f05da2e8 | 1627 | if (*(++argrest) == 0) |
059ec3d9 | 1628 | { |
f05da2e8 PH |
1629 | filter_test |= FTEST_USER; |
1630 | if (++i < argc) filter_test_ufile = argv[i]; else | |
059ec3d9 PH |
1631 | { |
1632 | fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]); | |
1633 | exit(EXIT_FAILURE); | |
1634 | } | |
1635 | } | |
1636 | else | |
1637 | { | |
1638 | if (++i >= argc) | |
1639 | { | |
1640 | fprintf(stderr, "exim: string expected after %s\n", arg); | |
1641 | exit(EXIT_FAILURE); | |
1642 | } | |
1643 | if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i]; | |
1644 | else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i]; | |
1645 | else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i]; | |
1646 | else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i]; | |
1647 | else { badarg = TRUE; break; } | |
1648 | } | |
1649 | } | |
1650 | ||
1651 | /* -bh: Host checking - an IP address must follow. */ | |
1652 | ||
1653 | else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0) | |
1654 | { | |
1655 | if (++i >= argc) { badarg = TRUE; break; } | |
1656 | sender_host_address = argv[i]; | |
1657 | host_checking = checking = log_testing_mode = TRUE; | |
1658 | host_checking_callout = argrest[1] == 'c'; | |
1659 | } | |
1660 | ||
1661 | /* -bi: This option is used by sendmail to initialize *the* alias file, | |
1662 | though it has the -oA option to specify a different file. Exim has no | |
1663 | concept of *the* alias file, but since Sun's YP make script calls | |
1664 | sendmail this way, some support must be provided. */ | |
1665 | ||
1666 | else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE; | |
1667 | ||
1668 | /* -bm: Accept and deliver message - the default option. Reinstate | |
1669 | receiving_message, which got turned off for all -b options. */ | |
1670 | ||
1671 | else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE; | |
1672 | ||
1673 | /* -bnq: For locally originating messages, do not qualify unqualified | |
1674 | addresses. In the envelope, this causes errors; in header lines they | |
1675 | just get left. */ | |
1676 | ||
1677 | else if (Ustrcmp(argrest, "nq") == 0) | |
1678 | { | |
1679 | allow_unqualified_sender = FALSE; | |
1680 | allow_unqualified_recipient = FALSE; | |
1681 | } | |
1682 | ||
1683 | /* -bpxx: List the contents of the mail queue, in various forms. If | |
1684 | the option is -bpc, just a queue count is needed. Otherwise, if the | |
1685 | first letter after p is r, then order is random. */ | |
1686 | ||
1687 | else if (*argrest == 'p') | |
1688 | { | |
1689 | if (*(++argrest) == 'c') | |
1690 | { | |
1691 | count_queue = TRUE; | |
1692 | if (*(++argrest) != 0) badarg = TRUE; | |
1693 | break; | |
1694 | } | |
1695 | ||
1696 | if (*argrest == 'r') | |
1697 | { | |
1698 | list_queue_option = 8; | |
1699 | argrest++; | |
1700 | } | |
1701 | else list_queue_option = 0; | |
1702 | ||
1703 | list_queue = TRUE; | |
1704 | ||
1705 | /* -bp: List the contents of the mail queue, top-level only */ | |
1706 | ||
1707 | if (*argrest == 0) {} | |
1708 | ||
1709 | /* -bpu: List the contents of the mail queue, top-level undelivered */ | |
1710 | ||
1711 | else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1; | |
1712 | ||
1713 | /* -bpa: List the contents of the mail queue, including all delivered */ | |
1714 | ||
1715 | else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2; | |
1716 | ||
1717 | /* Unknown after -bp[r] */ | |
1718 | ||
1719 | else | |
1720 | { | |
1721 | badarg = TRUE; | |
1722 | break; | |
1723 | } | |
1724 | } | |
1725 | ||
1726 | ||
1727 | /* -bP: List the configuration variables given as the address list. | |
1728 | Force -v, so configuration errors get displayed. */ | |
1729 | ||
1730 | else if (Ustrcmp(argrest, "P") == 0) | |
1731 | { | |
1732 | list_options = TRUE; | |
1733 | debug_selector |= D_v; | |
1734 | debug_file = stderr; | |
1735 | } | |
1736 | ||
1737 | /* -brt: Test retry configuration lookup */ | |
1738 | ||
1739 | else if (Ustrcmp(argrest, "rt") == 0) | |
1740 | { | |
1741 | test_retry_arg = i + 1; | |
1742 | goto END_ARG; | |
1743 | } | |
1744 | ||
1745 | /* -brw: Test rewrite configuration */ | |
1746 | ||
1747 | else if (Ustrcmp(argrest, "rw") == 0) | |
1748 | { | |
1749 | test_rewrite_arg = i + 1; | |
1750 | goto END_ARG; | |
1751 | } | |
1752 | ||
1753 | /* -bS: Read SMTP commands on standard input, but produce no replies - | |
1754 | all errors are reported by sending messages. */ | |
1755 | ||
1756 | else if (Ustrcmp(argrest, "S") == 0) | |
1757 | smtp_input = smtp_batched_input = receiving_message = TRUE; | |
1758 | ||
1759 | /* -bs: Read SMTP commands on standard input and produce SMTP replies | |
1760 | on standard output. */ | |
1761 | ||
1762 | else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE; | |
1763 | ||
1764 | /* -bt: address testing mode */ | |
1765 | ||
1766 | else if (Ustrcmp(argrest, "t") == 0) | |
1767 | address_test_mode = checking = log_testing_mode = TRUE; | |
1768 | ||
1769 | /* -bv: verify addresses */ | |
1770 | ||
1771 | else if (Ustrcmp(argrest, "v") == 0) | |
1772 | verify_address_mode = checking = log_testing_mode = TRUE; | |
1773 | ||
1774 | /* -bvs: verify sender addresses */ | |
1775 | ||
1776 | else if (Ustrcmp(argrest, "vs") == 0) | |
1777 | { | |
1778 | verify_address_mode = checking = log_testing_mode = TRUE; | |
1779 | verify_as_sender = TRUE; | |
1780 | } | |
1781 | ||
1782 | /* -bV: Print version string and support details */ | |
1783 | ||
1784 | else if (Ustrcmp(argrest, "V") == 0) | |
1785 | { | |
1786 | printf("Exim version %s #%s built %s\n", version_string, | |
1787 | version_cnumber, version_date); | |
1788 | printf("%s\n", CS version_copyright); | |
1789 | version_printed = TRUE; | |
1790 | show_whats_supported(stdout); | |
1791 | } | |
1792 | ||
1793 | else badarg = TRUE; | |
1794 | break; | |
1795 | ||
1796 | ||
1797 | /* -C: change configuration file list; ignore if it isn't really | |
1798 | a change! Enforce a prefix check if required. */ | |
1799 | ||
1800 | case 'C': | |
1801 | if (*argrest == 0) | |
1802 | { | |
1803 | if(++i < argc) argrest = argv[i]; else | |
1804 | { badarg = TRUE; break; } | |
1805 | } | |
1806 | if (Ustrcmp(config_main_filelist, argrest) != 0) | |
1807 | { | |
1808 | #ifdef ALT_CONFIG_PREFIX | |
1809 | int sep = 0; | |
1810 | int len = Ustrlen(ALT_CONFIG_PREFIX); | |
1811 | uschar *list = argrest; | |
1812 | uschar *filename; | |
1813 | while((filename = string_nextinlist(&list, &sep, big_buffer, | |
1814 | big_buffer_size)) != NULL) | |
1815 | { | |
1816 | if ((Ustrlen(filename) < len || | |
1817 | Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 || | |
1818 | Ustrstr(filename, "/../") != NULL) && | |
1819 | (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid)) | |
1820 | { | |
1821 | fprintf(stderr, "-C Permission denied\n"); | |
1822 | exit(EXIT_FAILURE); | |
1823 | } | |
1824 | } | |
1825 | #endif | |
1826 | ||
1827 | config_main_filelist = argrest; | |
1828 | config_changed = TRUE; | |
1829 | } | |
1830 | break; | |
1831 | ||
1832 | ||
1833 | /* -D: set up a macro definition */ | |
1834 | ||
1835 | case 'D': | |
1836 | #ifdef DISABLE_D_OPTION | |
1837 | fprintf(stderr, "exim: -D is not available in this Exim binary\n"); | |
1838 | exit(EXIT_FAILURE); | |
1839 | #else | |
1840 | { | |
1841 | int ptr = 0; | |
1842 | macro_item *mlast = NULL; | |
1843 | macro_item *m; | |
1844 | uschar name[24]; | |
1845 | uschar *s = argrest; | |
1846 | ||
1847 | while (isspace(*s)) s++; | |
1848 | ||
1849 | if (*s < 'A' || *s > 'Z') | |
1850 | { | |
1851 | fprintf(stderr, "exim: macro name set by -D must start with " | |
1852 | "an upper case letter\n"); | |
1853 | exit(EXIT_FAILURE); | |
1854 | } | |
1855 | ||
1856 | while (isalnum(*s) || *s == '_') | |
1857 | { | |
1858 | if (ptr < sizeof(name)-1) name[ptr++] = *s; | |
1859 | s++; | |
1860 | } | |
1861 | name[ptr] = 0; | |
1862 | if (ptr == 0) { badarg = TRUE; break; } | |
1863 | while (isspace(*s)) s++; | |
1864 | if (*s != 0) | |
1865 | { | |
1866 | if (*s++ != '=') { badarg = TRUE; break; } | |
1867 | while (isspace(*s)) s++; | |
1868 | } | |
1869 | ||
1870 | for (m = macros; m != NULL; m = m->next) | |
1871 | { | |
1872 | if (Ustrcmp(m->name, name) == 0) | |
1873 | { | |
1874 | fprintf(stderr, "exim: duplicated -D in command line\n"); | |
1875 | exit(EXIT_FAILURE); | |
1876 | } | |
1877 | mlast = m; | |
1878 | } | |
1879 | ||
1880 | m = store_get(sizeof(macro_item) + Ustrlen(name)); | |
1881 | m->next = NULL; | |
1882 | m->command_line = TRUE; | |
1883 | if (mlast == NULL) macros = m; else mlast->next = m; | |
1884 | Ustrcpy(m->name, name); | |
1885 | m->replacement = string_copy(s); | |
1886 | ||
1887 | if (clmacro_count >= MAX_CLMACROS) | |
1888 | { | |
1889 | fprintf(stderr, "exim: too many -D options on command line\n"); | |
1890 | exit(EXIT_FAILURE); | |
1891 | } | |
1892 | clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name, | |
1893 | m->replacement); | |
1894 | } | |
1895 | #endif | |
1896 | break; | |
1897 | ||
1898 | /* -d: Set debug level (see also -v below) or set the drop_cr option. | |
8e669ac1 | 1899 | The latter is now a no-op, retained for compatibility only. If -dd is used, |
3d235903 | 1900 | debugging subprocesses of the daemon is disabled. */ |
059ec3d9 PH |
1901 | |
1902 | case 'd': | |
1903 | if (Ustrcmp(argrest, "ropcr") == 0) | |
1904 | { | |
1905 | /* drop_cr = TRUE; */ | |
1906 | } | |
1907 | ||
1908 | /* Use an intermediate variable so that we don't set debugging while | |
1909 | decoding the debugging bits. */ | |
1910 | ||
1911 | else | |
1912 | { | |
1913 | unsigned int selector = D_default; | |
1914 | debug_selector = 0; | |
1915 | debug_file = NULL; | |
3d235903 PH |
1916 | if (*argrest == 'd') |
1917 | { | |
1918 | debug_daemon = TRUE; | |
1919 | argrest++; | |
1920 | } | |
059ec3d9 PH |
1921 | if (*argrest != 0) |
1922 | decode_bits(&selector, NULL, argrest, debug_options, | |
1923 | debug_options_count, US"debug"); | |
1924 | debug_selector = selector; | |
1925 | } | |
1926 | break; | |
1927 | ||
1928 | ||
1929 | /* -E: This is a local error message. This option is not intended for | |
1930 | external use at all, but is not restricted to trusted callers because it | |
1931 | does no harm (just suppresses certain error messages) and if Exim is run | |
1932 | not setuid root it won't always be trusted when it generates error | |
1933 | messages using this option. If there is a message id following -E, point | |
1934 | message_reference at it, for logging. */ | |
1935 | ||
1936 | case 'E': | |
1937 | local_error_message = TRUE; | |
1938 | if (mac_ismsgid(argrest)) message_reference = argrest; | |
1939 | break; | |
1940 | ||
1941 | ||
1942 | /* -ex: The vacation program calls sendmail with the undocumented "-eq" | |
1943 | option, so it looks as if historically the -oex options are also callable | |
1944 | without the leading -o. So we have to accept them. Before the switch, | |
1945 | anything starting -oe has been converted to -e. Exim does not support all | |
1946 | of the sendmail error options. */ | |
1947 | ||
1948 | case 'e': | |
1949 | if (Ustrcmp(argrest, "e") == 0) | |
1950 | { | |
1951 | arg_error_handling = ERRORS_SENDER; | |
1952 | errors_sender_rc = EXIT_SUCCESS; | |
1953 | } | |
1954 | else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER; | |
1955 | else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR; | |
1956 | else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR; | |
1957 | else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER; | |
1958 | else badarg = TRUE; | |
1959 | break; | |
1960 | ||
1961 | ||
1962 | /* -F: Set sender's full name, used instead of the gecos entry from | |
1963 | the password file. Since users can usually alter their gecos entries, | |
1964 | there's no security involved in using this instead. The data can follow | |
1965 | the -F or be in the next argument. */ | |
1966 | ||
1967 | case 'F': | |
1968 | if (*argrest == 0) | |
1969 | { | |
1970 | if(++i < argc) argrest = argv[i]; else | |
1971 | { badarg = TRUE; break; } | |
1972 | } | |
1973 | originator_name = argrest; | |
1974 | break; | |
1975 | ||
1976 | ||
1977 | /* -f: Set sender's address - this value is only actually used if Exim is | |
1978 | run by a trusted user, or if untrusted_set_sender is set and matches the | |
1979 | address, except that the null address can always be set by any user. The | |
1980 | test for this happens later, when the value given here is ignored when not | |
1981 | permitted. For an untrusted user, the actual sender is still put in Sender: | |
1982 | if it doesn't match the From: header (unless no_local_from_check is set). | |
1983 | The data can follow the -f or be in the next argument. The -r switch is an | |
1984 | obsolete form of -f but since there appear to be programs out there that | |
1985 | use anything that sendmail has ever supported, better accept it - the | |
1986 | synonymizing is done before the switch above. | |
1987 | ||
1988 | At this stage, we must allow domain literal addresses, because we don't | |
1989 | know what the setting of allow_domain_literals is yet. Ditto for trailing | |
1990 | dots and strip_trailing_dot. */ | |
1991 | ||
1992 | case 'f': | |
1993 | { | |
1994 | int start, end; | |
1995 | uschar *errmess; | |
1996 | if (*argrest == 0) | |
1997 | { | |
1998 | if (i+1 < argc) argrest = argv[++i]; else | |
1999 | { badarg = TRUE; break; } | |
2000 | } | |
2001 | if (*argrest == 0) | |
2002 | { | |
2003 | sender_address = string_sprintf(""); /* Ensure writeable memory */ | |
2004 | } | |
2005 | else | |
2006 | { | |
2007 | uschar *temp = argrest + Ustrlen(argrest) - 1; | |
2008 | while (temp >= argrest && isspace(*temp)) temp--; | |
2009 | if (temp >= argrest && *temp == '.') f_end_dot = TRUE; | |
2010 | allow_domain_literals = TRUE; | |
2011 | strip_trailing_dot = TRUE; | |
2012 | sender_address = parse_extract_address(argrest, &errmess, &start, &end, | |
2013 | &sender_address_domain, TRUE); | |
2014 | allow_domain_literals = FALSE; | |
2015 | strip_trailing_dot = FALSE; | |
2016 | if (sender_address == NULL) | |
2017 | { | |
2018 | fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess); | |
2019 | return EXIT_FAILURE; | |
2020 | } | |
2021 | } | |
2022 | sender_address_forced = TRUE; | |
2023 | } | |
2024 | break; | |
2025 | ||
2026 | /* This is some Sendmail thing which can be ignored */ | |
2027 | ||
2028 | case 'G': | |
2029 | break; | |
2030 | ||
2031 | /* -h: Set the hop count for an incoming message. Exim does not currently | |
2032 | support this; it always computes it by counting the Received: headers. | |
2033 | To put it in will require a change to the spool header file format. */ | |
2034 | ||
2035 | case 'h': | |
2036 | if (*argrest == 0) | |
2037 | { | |
2038 | if(++i < argc) argrest = argv[i]; else | |
2039 | { badarg = TRUE; break; } | |
2040 | } | |
2041 | if (!isdigit(*argrest)) badarg = TRUE; | |
2042 | break; | |
2043 | ||
2044 | ||
2045 | /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems | |
2046 | not to be documented for sendmail but mailx (at least) uses it) */ | |
2047 | ||
2048 | case 'i': | |
2049 | if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE; | |
2050 | break; | |
2051 | ||
2052 | ||
2053 | case 'M': | |
2054 | receiving_message = FALSE; | |
2055 | ||
2056 | /* -MC: continue delivery of another message via an existing open | |
2057 | file descriptor. This option is used for an internal call by the | |
2058 | smtp transport when there is a pending message waiting to go to an | |
2059 | address to which it has got a connection. Five subsequent arguments are | |
2060 | required: transport name, host name, IP address, sequence number, and | |
2061 | message_id. Transports may decline to create new processes if the sequence | |
2062 | number gets too big. The channel is stdin. This (-MC) must be the last | |
2063 | argument. There's a subsequent check that the real-uid is privileged. | |
2064 | ||
2065 | If we are running in the test harness. delay for a bit, to let the process | |
2066 | that set this one up complete. This makes for repeatability of the logging, | |
2067 | etc. output. */ | |
2068 | ||
2069 | if (Ustrcmp(argrest, "C") == 0) | |
2070 | { | |
2071 | if (argc != i + 6) | |
2072 | { | |
2073 | fprintf(stderr, "exim: too many or too few arguments after -MC\n"); | |
2074 | return EXIT_FAILURE; | |
2075 | } | |
2076 | ||
2077 | if (msg_action_arg >= 0) | |
2078 | { | |
2079 | fprintf(stderr, "exim: incompatible arguments\n"); | |
2080 | return EXIT_FAILURE; | |
2081 | } | |
2082 | ||
2083 | continue_transport = argv[++i]; | |
2084 | continue_hostname = argv[++i]; | |
2085 | continue_host_address = argv[++i]; | |
2086 | continue_sequence = Uatoi(argv[++i]); | |
2087 | msg_action = MSG_DELIVER; | |
2088 | msg_action_arg = ++i; | |
2089 | forced_delivery = TRUE; | |
2090 | queue_run_pid = passed_qr_pid; | |
2091 | queue_run_pipe = passed_qr_pipe; | |
2092 | ||
2093 | if (!mac_ismsgid(argv[i])) | |
2094 | { | |
2095 | fprintf(stderr, "exim: malformed message id %s after -MC option\n", | |
2096 | argv[i]); | |
2097 | return EXIT_FAILURE; | |
2098 | } | |
2099 | ||
2100 | if (running_in_test_harness) millisleep(500); | |
2101 | break; | |
2102 | } | |
2103 | ||
2104 | /* -MCA: set the smtp_authenticated flag; this is useful only when it | |
2105 | precedes -MC (see above). The flag indicates that the host to which | |
2106 | Exim is connected has accepted an AUTH sequence. */ | |
2107 | ||
2108 | else if (Ustrcmp(argrest, "CA") == 0) | |
2109 | { | |
2110 | smtp_authenticated = TRUE; | |
2111 | break; | |
2112 | } | |
2113 | ||
2114 | /* -MCP: set the smtp_use_pipelining flag; this is useful only when | |
2115 | it preceded -MC (see above) */ | |
2116 | ||
2117 | else if (Ustrcmp(argrest, "CP") == 0) | |
2118 | { | |
2119 | smtp_use_pipelining = TRUE; | |
2120 | break; | |
2121 | } | |
2122 | ||
2123 | /* -MCQ: pass on the pid of the queue-running process that started | |
2124 | this chain of deliveries and the fd of its synchronizing pipe; this | |
2125 | is useful only when it precedes -MC (see above) */ | |
2126 | ||
2127 | else if (Ustrcmp(argrest, "CQ") == 0) | |
2128 | { | |
2129 | if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i])); | |
2130 | else badarg = TRUE; | |
2131 | if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i])); | |
2132 | else badarg = TRUE; | |
2133 | break; | |
2134 | } | |
2135 | ||
2136 | /* -MCS: set the smtp_use_size flag; this is useful only when it | |
2137 | precedes -MC (see above) */ | |
2138 | ||
2139 | else if (Ustrcmp(argrest, "CS") == 0) | |
2140 | { | |
2141 | smtp_use_size = TRUE; | |
2142 | break; | |
2143 | } | |
2144 | ||
2145 | /* -MCT: set the tls_offered flag; this is useful only when it | |
2146 | precedes -MC (see above). The flag indicates that the host to which | |
2147 | Exim is connected has offered TLS support. */ | |
2148 | ||
2149 | #ifdef SUPPORT_TLS | |
2150 | else if (Ustrcmp(argrest, "CT") == 0) | |
2151 | { | |
2152 | tls_offered = TRUE; | |
2153 | break; | |
2154 | } | |
2155 | #endif | |
2156 | ||
2157 | /* -M[x]: various operations on the following list of message ids: | |
2158 | -M deliver the messages, ignoring next retry times and thawing | |
2159 | -Mc deliver the messages, checking next retry times, no thawing | |
2160 | -Mf freeze the messages | |
2161 | -Mg give up on the messages | |
2162 | -Mt thaw the messages | |
2163 | -Mrm remove the messages | |
2164 | In the above cases, this must be the last option. There are also the | |
2165 | following options which are followed by a single message id, and which | |
2166 | act on that message. Some of them use the "recipient" addresses as well. | |
2167 | -Mar add recipient(s) | |
2168 | -Mmad mark all recipients delivered | |
2169 | -Mmd mark recipients(s) delivered | |
2170 | -Mes edit sender | |
2171 | -Mvb show body | |
2172 | -Mvh show header | |
2173 | -Mvl show log | |
2174 | */ | |
2175 | ||
2176 | else if (*argrest == 0) | |
2177 | { | |
2178 | msg_action = MSG_DELIVER; | |
2179 | forced_delivery = deliver_force_thaw = TRUE; | |
2180 | } | |
2181 | else if (Ustrcmp(argrest, "ar") == 0) | |
2182 | { | |
2183 | msg_action = MSG_ADD_RECIPIENT; | |
2184 | one_msg_action = TRUE; | |
2185 | } | |
2186 | else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER; | |
2187 | else if (Ustrcmp(argrest, "es") == 0) | |
2188 | { | |
2189 | msg_action = MSG_EDIT_SENDER; | |
2190 | one_msg_action = TRUE; | |
2191 | } | |
2192 | else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE; | |
2193 | else if (Ustrcmp(argrest, "g") == 0) | |
2194 | { | |
2195 | msg_action = MSG_DELIVER; | |
2196 | deliver_give_up = TRUE; | |
2197 | } | |
2198 | else if (Ustrcmp(argrest, "mad") == 0) | |
2199 | { | |
2200 | msg_action = MSG_MARK_ALL_DELIVERED; | |
2201 | } | |
2202 | else if (Ustrcmp(argrest, "md") == 0) | |
2203 | { | |
2204 | msg_action = MSG_MARK_DELIVERED; | |
2205 | one_msg_action = TRUE; | |
2206 | } | |
2207 | else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE; | |
2208 | else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW; | |
2209 | else if (Ustrcmp(argrest, "vb") == 0) | |
2210 | { | |
2211 | msg_action = MSG_SHOW_BODY; | |
2212 | one_msg_action = TRUE; | |
2213 | } | |
2214 | else if (Ustrcmp(argrest, "vh") == 0) | |
2215 | { | |
2216 | msg_action = MSG_SHOW_HEADER; | |
2217 | one_msg_action = TRUE; | |
2218 | } | |
2219 | else if (Ustrcmp(argrest, "vl") == 0) | |
2220 | { | |
2221 | msg_action = MSG_SHOW_LOG; | |
2222 | one_msg_action = TRUE; | |
2223 | } | |
2224 | else { badarg = TRUE; break; } | |
2225 | ||
2226 | /* All the -Mxx options require at least one message id. */ | |
2227 | ||
2228 | msg_action_arg = i + 1; | |
2229 | if (msg_action_arg >= argc) | |
2230 | { | |
2231 | fprintf(stderr, "exim: no message ids given after %s option\n", arg); | |
2232 | return EXIT_FAILURE; | |
2233 | } | |
2234 | ||
2235 | /* Some require only message ids to follow */ | |
2236 | ||
2237 | if (!one_msg_action) | |
2238 | { | |
2239 | int j; | |
2240 | for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j])) | |
2241 | { | |
2242 | fprintf(stderr, "exim: malformed message id %s after %s option\n", | |
2243 | argv[j], arg); | |
2244 | return EXIT_FAILURE; | |
2245 | } | |
2246 | goto END_ARG; /* Remaining args are ids */ | |
2247 | } | |
2248 | ||
2249 | /* Others require only one message id, possibly followed by addresses, | |
2250 | which will be handled as normal arguments. */ | |
2251 | ||
2252 | else | |
2253 | { | |
2254 | if (!mac_ismsgid(argv[msg_action_arg])) | |
2255 | { | |
2256 | fprintf(stderr, "exim: malformed message id %s after %s option\n", | |
2257 | argv[msg_action_arg], arg); | |
2258 | return EXIT_FAILURE; | |
2259 | } | |
2260 | i++; | |
2261 | } | |
2262 | break; | |
2263 | ||
2264 | ||
2265 | /* Some programs seem to call the -om option without the leading o; | |
2266 | for sendmail it askes for "me too". Exim always does this. */ | |
2267 | ||
2268 | case 'm': | |
2269 | if (*argrest != 0) badarg = TRUE; | |
2270 | break; | |
2271 | ||
2272 | ||
2273 | /* -N: don't do delivery - a debugging option that stops transports doing | |
2274 | their thing. It implies debugging at the D_v level. */ | |
2275 | ||
2276 | case 'N': | |
2277 | if (*argrest == 0) | |
2278 | { | |
2279 | dont_deliver = TRUE; | |
2280 | debug_selector |= D_v; | |
2281 | debug_file = stderr; | |
2282 | } | |
2283 | else badarg = TRUE; | |
2284 | break; | |
2285 | ||
2286 | ||
2287 | /* -n: This means "don't alias" in sendmail, apparently. Just ignore | |
2288 | it. */ | |
2289 | ||
2290 | case 'n': | |
2291 | break; | |
2292 | ||
2293 | /* -O: Just ignore it. In sendmail, apparently -O option=value means set | |
2294 | option to the specified value. This form uses long names. We need to handle | |
2295 | -O option=value and -Ooption=value. */ | |
2296 | ||
2297 | case 'O': | |
2298 | if (*argrest == 0) | |
2299 | { | |
2300 | if (++i >= argc) | |
2301 | { | |
2302 | fprintf(stderr, "exim: string expected after -O\n"); | |
2303 | exit(EXIT_FAILURE); | |
2304 | } | |
2305 | } | |
2306 | break; | |
2307 | ||
2308 | case 'o': | |
2309 | ||
2310 | /* -oA: Set an argument for the bi command (sendmail's "alternate alias | |
2311 | file" option). */ | |
2312 | ||
2313 | if (*argrest == 'A') | |
2314 | { | |
2315 | alias_arg = argrest + 1; | |
2316 | if (alias_arg[0] == 0) | |
2317 | { | |
2318 | if (i+1 < argc) alias_arg = argv[++i]; else | |
2319 | { | |
2320 | fprintf(stderr, "exim: string expected after -oA\n"); | |
2321 | exit(EXIT_FAILURE); | |
2322 | } | |
2323 | } | |
2324 | } | |
2325 | ||
2326 | /* -oB: Set a connection message max value for remote deliveries */ | |
2327 | ||
2328 | else if (*argrest == 'B') | |
2329 | { | |
2330 | uschar *p = argrest + 1; | |
2331 | if (p[0] == 0) | |
2332 | { | |
2333 | if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else | |
2334 | { | |
2335 | connection_max_messages = 1; | |
2336 | p = NULL; | |
2337 | } | |
2338 | } | |
2339 | ||
2340 | if (p != NULL) | |
2341 | { | |
2342 | if (!isdigit(*p)) | |
2343 | { | |
2344 | fprintf(stderr, "exim: number expected after -oB\n"); | |
2345 | exit(EXIT_FAILURE); | |
2346 | } | |
2347 | connection_max_messages = Uatoi(p); | |
2348 | } | |
2349 | } | |
2350 | ||
2351 | /* -odb: background delivery */ | |
2352 | ||
2353 | else if (Ustrcmp(argrest, "db") == 0) | |
2354 | { | |
2355 | synchronous_delivery = FALSE; | |
2356 | arg_queue_only = FALSE; | |
2357 | queue_only_set = TRUE; | |
2358 | } | |
2359 | ||
2360 | /* -odf: foreground delivery (smail-compatible option); same effect as | |
2361 | -odi: interactive (synchronous) delivery (sendmail-compatible option) | |
2362 | */ | |
2363 | ||
2364 | else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0) | |
2365 | { | |
2366 | synchronous_delivery = TRUE; | |
2367 | arg_queue_only = FALSE; | |
2368 | queue_only_set = TRUE; | |
2369 | } | |
2370 | ||
2371 | /* -odq: queue only */ | |
2372 | ||
2373 | else if (Ustrcmp(argrest, "dq") == 0) | |
2374 | { | |
2375 | synchronous_delivery = FALSE; | |
2376 | arg_queue_only = TRUE; | |
2377 | queue_only_set = TRUE; | |
2378 | } | |
2379 | ||
2380 | /* -odqs: queue SMTP only - do local deliveries and remote routing, | |
2381 | but no remote delivery */ | |
2382 | ||
2383 | else if (Ustrcmp(argrest, "dqs") == 0) | |
2384 | { | |
2385 | queue_smtp = TRUE; | |
2386 | arg_queue_only = FALSE; | |
2387 | queue_only_set = TRUE; | |
2388 | } | |
2389 | ||
2390 | /* -oex: Sendmail error flags. As these are also accepted without the | |
2391 | leading -o prefix, for compatibility with vacation and other callers, | |
2392 | they are handled with -e above. */ | |
2393 | ||
2394 | /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i) | |
2395 | -oitrue: Another sendmail syntax for the same */ | |
2396 | ||
2397 | else if (Ustrcmp(argrest, "i") == 0 || | |
2398 | Ustrcmp(argrest, "itrue") == 0) | |
2399 | dot_ends = FALSE; | |
2400 | ||
2401 | /* -oM*: Set various characteristics for an incoming message; actually | |
2402 | acted on for trusted callers only. */ | |
2403 | ||
2404 | else if (*argrest == 'M') | |
2405 | { | |
2406 | if (i+1 >= argc) | |
2407 | { | |
2408 | fprintf(stderr, "exim: data expected after -o%s\n", argrest); | |
2409 | exit(EXIT_FAILURE); | |
2410 | } | |
2411 | ||
2412 | /* -oMa: Set sender host address */ | |
2413 | ||
2414 | if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i]; | |
2415 | ||
2416 | /* -oMaa: Set authenticator name */ | |
2417 | ||
2418 | else if (Ustrcmp(argrest, "Maa") == 0) | |
2419 | sender_host_authenticated = argv[++i]; | |
2420 | ||
2421 | /* -oMas: setting authenticated sender */ | |
2422 | ||
2423 | else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i]; | |
2424 | ||
2425 | /* -oMai: setting authenticated id */ | |
2426 | ||
2427 | else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i]; | |
2428 | ||
2429 | /* -oMi: Set incoming interface address */ | |
2430 | ||
2431 | else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i]; | |
2432 | ||
2433 | /* -oMr: Received protocol */ | |
2434 | ||
2435 | else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i]; | |
2436 | ||
2437 | /* -oMs: Set sender host name */ | |
2438 | ||
2439 | else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i]; | |
2440 | ||
2441 | /* -oMt: Set sender ident */ | |
2442 | ||
2443 | else if (Ustrcmp(argrest, "Mt") == 0) sender_ident = argv[++i]; | |
2444 | ||
2445 | /* Else a bad argument */ | |
2446 | ||
2447 | else | |
2448 | { | |
2449 | badarg = TRUE; | |
2450 | break; | |
2451 | } | |
2452 | } | |
2453 | ||
2454 | /* -om: Me-too flag for aliases. Exim always does this. Some programs | |
2455 | seem to call this as -m (undocumented), so that is also accepted (see | |
2456 | above). */ | |
2457 | ||
2458 | else if (Ustrcmp(argrest, "m") == 0) {} | |
2459 | ||
2460 | /* -oo: An ancient flag for old-style addresses which still seems to | |
2461 | crop up in some calls (see in SCO). */ | |
2462 | ||
2463 | else if (Ustrcmp(argrest, "o") == 0) {} | |
2464 | ||
2465 | /* -oP <name>: set pid file path for daemon */ | |
2466 | ||
2467 | else if (Ustrcmp(argrest, "P") == 0) | |
2468 | override_pid_file_path = argv[++i]; | |
2469 | ||
2470 | /* -or <n>: set timeout for non-SMTP acceptance | |
2471 | -os <n>: set timeout for SMTP acceptance */ | |
2472 | ||
2473 | else if (*argrest == 'r' || *argrest == 's') | |
2474 | { | |
2475 | int *tp = (*argrest == 'r')? | |
2476 | &arg_receive_timeout : &arg_smtp_receive_timeout; | |
2477 | if (argrest[1] == 0) | |
2478 | { | |
2479 | if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE); | |
2480 | } | |
2481 | else *tp = readconf_readtime(argrest + 1, 0, FALSE); | |
2482 | if (*tp < 0) | |
2483 | { | |
2484 | fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]); | |
2485 | exit(EXIT_FAILURE); | |
2486 | } | |
2487 | } | |
2488 | ||
2489 | /* -oX <list>: Override local_interfaces and/or default daemon ports */ | |
2490 | ||
2491 | else if (Ustrcmp(argrest, "X") == 0) | |
2492 | override_local_interfaces = argv[++i]; | |
2493 | ||
2494 | /* Unknown -o argument */ | |
2495 | ||
2496 | else badarg = TRUE; | |
2497 | break; | |
2498 | ||
2499 | ||
2500 | /* -ps: force Perl startup; -pd force delayed Perl startup */ | |
2501 | ||
2502 | case 'p': | |
2503 | #ifdef EXIM_PERL | |
2504 | if (*argrest == 's' && argrest[1] == 0) | |
2505 | { | |
2506 | perl_start_option = 1; | |
2507 | break; | |
2508 | } | |
2509 | if (*argrest == 'd' && argrest[1] == 0) | |
2510 | { | |
2511 | perl_start_option = -1; | |
2512 | break; | |
2513 | } | |
2514 | #endif | |
2515 | ||
2516 | /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval, | |
2517 | which sets the host protocol and host name */ | |
2518 | ||
2519 | if (*argrest == 0) | |
2520 | { | |
2521 | if (i+1 < argc) argrest = argv[++i]; else | |
2522 | { badarg = TRUE; break; } | |
2523 | } | |
2524 | ||
2525 | if (*argrest != 0) | |
2526 | { | |
2527 | uschar *hn = Ustrchr(argrest, ':'); | |
2528 | if (hn == NULL) | |
2529 | { | |
2530 | received_protocol = argrest; | |
2531 | } | |
2532 | else | |
2533 | { | |
2534 | received_protocol = string_copyn(argrest, hn - argrest); | |
2535 | sender_host_name = hn + 1; | |
2536 | } | |
2537 | } | |
2538 | break; | |
2539 | ||
2540 | ||
2541 | case 'q': | |
2542 | receiving_message = FALSE; | |
2543 | ||
2544 | /* -qq...: Do queue runs in a 2-stage manner */ | |
2545 | ||
2546 | if (*argrest == 'q') | |
2547 | { | |
2548 | queue_2stage = TRUE; | |
2549 | argrest++; | |
2550 | } | |
2551 | ||
2552 | /* -qi...: Do only first (initial) deliveries */ | |
2553 | ||
2554 | if (*argrest == 'i') | |
2555 | { | |
2556 | queue_run_first_delivery = TRUE; | |
2557 | argrest++; | |
2558 | } | |
2559 | ||
2560 | /* -qf...: Run the queue, forcing deliveries | |
2561 | -qff..: Ditto, forcing thawing as well */ | |
2562 | ||
2563 | if (*argrest == 'f') | |
2564 | { | |
2565 | queue_run_force = TRUE; | |
2566 | if (*(++argrest) == 'f') | |
2567 | { | |
2568 | deliver_force_thaw = TRUE; | |
2569 | argrest++; | |
2570 | } | |
2571 | } | |
2572 | ||
2573 | /* -q[f][f]l...: Run the queue only on local deliveries */ | |
2574 | ||
2575 | if (*argrest == 'l') | |
2576 | { | |
2577 | queue_run_local = TRUE; | |
2578 | argrest++; | |
2579 | } | |
2580 | ||
2581 | /* -q[f][f][l]: Run the queue, optionally forced, optionally local only, | |
2582 | optionally starting from a given message id. */ | |
2583 | ||
2584 | if (*argrest == 0 && | |
2585 | (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1]))) | |
2586 | { | |
2587 | queue_interval = 0; | |
2588 | if (i+1 < argc && mac_ismsgid(argv[i+1])) | |
2589 | start_queue_run_id = argv[++i]; | |
2590 | if (i+1 < argc && mac_ismsgid(argv[i+1])) | |
2591 | stop_queue_run_id = argv[++i]; | |
2592 | } | |
2593 | ||
2594 | /* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced, | |
2595 | optionally local only. */ | |
2596 | ||
2597 | else | |
2598 | { | |
2599 | if (*argrest != 0) | |
2600 | queue_interval = readconf_readtime(argrest, 0, FALSE); | |
2601 | else | |
2602 | queue_interval = readconf_readtime(argv[++i], 0, FALSE); | |
2603 | if (queue_interval <= 0) | |
2604 | { | |
2605 | fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]); | |
2606 | exit(EXIT_FAILURE); | |
2607 | } | |
2608 | } | |
2609 | break; | |
2610 | ||
2611 | ||
2612 | case 'R': /* Synonymous with -qR... */ | |
2613 | receiving_message = FALSE; | |
2614 | ||
2615 | /* -Rf: As -R (below) but force all deliveries, | |
2616 | -Rff: Ditto, but also thaw all frozen messages, | |
2617 | -Rr: String is regex | |
2618 | -Rrf: Regex and force | |
2619 | -Rrff: Regex and force and thaw | |
2620 | ||
2621 | in all cases provided there are no further characters in this | |
2622 | argument. */ | |
2623 | ||
2624 | if (*argrest != 0) | |
2625 | { | |
2626 | int i; | |
2627 | for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++) | |
2628 | { | |
2629 | if (Ustrcmp(argrest, rsopts[i]) == 0) | |
2630 | { | |
2631 | if (i != 2) queue_run_force = TRUE; | |
2632 | if (i >= 2) deliver_selectstring_regex = TRUE; | |
2633 | if (i == 1 || i == 4) deliver_force_thaw = TRUE; | |
2634 | argrest += Ustrlen(rsopts[i]); | |
2635 | } | |
2636 | } | |
2637 | } | |
2638 | ||
2639 | /* -R: Set string to match in addresses for forced queue run to | |
2640 | pick out particular messages. */ | |
2641 | ||
2642 | if (*argrest == 0) | |
2643 | { | |
2644 | if (i+1 < argc) deliver_selectstring = argv[++i]; else | |
2645 | { | |
2646 | fprintf(stderr, "exim: string expected after -R\n"); | |
2647 | exit(EXIT_FAILURE); | |
2648 | } | |
2649 | } | |
2650 | else deliver_selectstring = argrest; | |
2651 | if (queue_interval < 0) queue_interval = 0; | |
2652 | break; | |
2653 | ||
2654 | ||
2655 | /* -r: an obsolete synonym for -f (see above) */ | |
2656 | ||
2657 | ||
2658 | /* -S: Like -R but works on sender. */ | |
2659 | ||
2660 | case 'S': /* Synonymous with -qS... */ | |
2661 | receiving_message = FALSE; | |
2662 | ||
2663 | /* -Sf: As -S (below) but force all deliveries, | |
2664 | -Sff: Ditto, but also thaw all frozen messages, | |
2665 | -Sr: String is regex | |
2666 | -Srf: Regex and force | |
2667 | -Srff: Regex and force and thaw | |
2668 | ||
2669 | in all cases provided there are no further characters in this | |
2670 | argument. */ | |
2671 | ||
2672 | if (*argrest != 0) | |
2673 | { | |
2674 | int i; | |
2675 | for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++) | |
2676 | { | |
2677 | if (Ustrcmp(argrest, rsopts[i]) == 0) | |
2678 | { | |
2679 | if (i != 2) queue_run_force = TRUE; | |
2680 | if (i >= 2) deliver_selectstring_sender_regex = TRUE; | |
2681 | if (i == 1 || i == 4) deliver_force_thaw = TRUE; | |
2682 | argrest += Ustrlen(rsopts[i]); | |
2683 | } | |
2684 | } | |
2685 | } | |
2686 | ||
2687 | /* -S: Set string to match in addresses for forced queue run to | |
2688 | pick out particular messages. */ | |
2689 | ||
2690 | if (*argrest == 0) | |
2691 | { | |
2692 | if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else | |
2693 | { | |
2694 | fprintf(stderr, "exim: string expected after -S\n"); | |
2695 | exit(EXIT_FAILURE); | |
2696 | } | |
2697 | } | |
2698 | else deliver_selectstring_sender = argrest; | |
2699 | if (queue_interval < 0) queue_interval = 0; | |
2700 | break; | |
2701 | ||
2702 | /* -Tqt is an option that is exclusively for use by the testing suite. | |
2703 | It is not recognized in other circumstances. It allows for the setting up | |
2704 | of explicit "queue times" so that various warning/retry things can be | |
2705 | tested. Otherwise variability of clock ticks etc. cause problems. */ | |
2706 | ||
2707 | case 'T': | |
2708 | if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0) | |
2709 | fudged_queue_times = argv[++i]; | |
2710 | else badarg = TRUE; | |
2711 | break; | |
2712 | ||
2713 | ||
2714 | /* -t: Set flag to extract recipients from body of message. */ | |
2715 | ||
2716 | case 't': | |
2717 | if (*argrest == 0) extract_recipients = TRUE; | |
2718 | ||
2719 | /* -ti: Set flag to extract recipients from body of message, and also | |
2720 | specify that dot does not end the message. */ | |
2721 | ||
2722 | else if (Ustrcmp(argrest, "i") == 0) | |
2723 | { | |
2724 | extract_recipients = TRUE; | |
2725 | dot_ends = FALSE; | |
2726 | } | |
2727 | ||
2728 | /* -tls-on-connect: don't wait for STARTTLS (for old clients) */ | |
2729 | ||
2730 | #ifdef SUPPORT_TLS | |
2731 | else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE; | |
2732 | #endif | |
2733 | ||
2734 | else badarg = TRUE; | |
2735 | break; | |
2736 | ||
2737 | ||
2738 | /* -U: This means "initial user submission" in sendmail, apparently. The | |
2739 | doc claims that in future sendmail may refuse syntactically invalid | |
2740 | messages instead of fixing them. For the moment, we just ignore it. */ | |
2741 | ||
2742 | case 'U': | |
2743 | break; | |
2744 | ||
2745 | ||
2746 | /* -v: verify things - this is a very low-level debugging */ | |
2747 | ||
2748 | case 'v': | |
2749 | if (*argrest == 0) | |
2750 | { | |
2751 | debug_selector |= D_v; | |
2752 | debug_file = stderr; | |
2753 | } | |
2754 | else badarg = TRUE; | |
2755 | break; | |
2756 | ||
2757 | ||
2758 | /* -x: AIX uses this to indicate some fancy 8-bit character stuff: | |
2759 | ||
2760 | The -x flag tells the sendmail command that mail from a local | |
2761 | mail program has National Language Support (NLS) extended characters | |
2762 | in the body of the mail item. The sendmail command can send mail with | |
2763 | extended NLS characters across networks that normally corrupts these | |
2764 | 8-bit characters. | |
2765 | ||
2766 | As Exim is 8-bit clean, it just ignores this flag. */ | |
2767 | ||
2768 | case 'x': | |
2769 | if (*argrest != 0) badarg = TRUE; | |
2770 | break; | |
2771 | ||
2772 | /* All other initial characters are errors */ | |
2773 | ||
2774 | default: | |
2775 | badarg = TRUE; | |
2776 | break; | |
2777 | } /* End of high-level switch statement */ | |
2778 | ||
2779 | /* Failed to recognize the option, or syntax error */ | |
2780 | ||
2781 | if (badarg) | |
2782 | { | |
2783 | fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete " | |
2784 | "option %s\n", arg); | |
2785 | exit(EXIT_FAILURE); | |
2786 | } | |
2787 | } | |
2788 | ||
2789 | ||
2790 | /* Arguments have been processed. Check for incompatibilities. */ | |
2791 | ||
2792 | END_ARG: | |
2793 | if (( | |
2794 | (smtp_input || extract_recipients || recipients_arg < argc) && | |
2795 | (daemon_listen || queue_interval >= 0 || bi_option || | |
2796 | test_retry_arg >= 0 || test_rewrite_arg >= 0 || | |
f05da2e8 | 2797 | filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action)) |
059ec3d9 PH |
2798 | ) || |
2799 | ( | |
2800 | msg_action_arg > 0 && | |
2801 | (daemon_listen || queue_interval >= 0 || list_options || checking || | |
2802 | bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0) | |
2803 | ) || | |
2804 | ( | |
2805 | (daemon_listen || queue_interval >= 0) && | |
2806 | (sender_address != NULL || list_options || list_queue || checking || | |
2807 | bi_option) | |
2808 | ) || | |
2809 | ( | |
2810 | daemon_listen && queue_interval == 0 | |
2811 | ) || | |
2812 | ( | |
2813 | list_options && | |
2814 | (checking || smtp_input || extract_recipients || | |
f05da2e8 | 2815 | filter_test != FTEST_NONE || bi_option) |
059ec3d9 PH |
2816 | ) || |
2817 | ( | |
2818 | verify_address_mode && | |
2819 | (address_test_mode || smtp_input || extract_recipients || | |
f05da2e8 | 2820 | filter_test != FTEST_NONE || bi_option) |
059ec3d9 PH |
2821 | ) || |
2822 | ( | |
2823 | address_test_mode && (smtp_input || extract_recipients || | |
f05da2e8 | 2824 | filter_test != FTEST_NONE || bi_option) |
059ec3d9 PH |
2825 | ) || |
2826 | ( | |
f05da2e8 | 2827 | smtp_input && (sender_address != NULL || filter_test != FTEST_NONE || |
059ec3d9 PH |
2828 | extract_recipients) |
2829 | ) || | |
2830 | ( | |
2831 | deliver_selectstring != NULL && queue_interval < 0 | |
2832 | ) | |
2833 | ) | |
2834 | { | |
2835 | fprintf(stderr, "exim: incompatible command-line options or arguments\n"); | |
2836 | exit(EXIT_FAILURE); | |
2837 | } | |
2838 | ||
2839 | /* If debugging is set up, set the file and the file descriptor to pass on to | |
2840 | child processes. It should, of course, be 2 for stderr. Also, force the daemon | |
2841 | to run in the foreground. */ | |
2842 | ||
2843 | if (debug_selector != 0) | |
2844 | { | |
2845 | debug_file = stderr; | |
2846 | debug_fd = fileno(debug_file); | |
2847 | background_daemon = FALSE; | |
2848 | if (running_in_test_harness) millisleep(100); /* lets caller finish */ | |
2849 | if (debug_selector != D_v) /* -v only doesn't show this */ | |
2850 | { | |
2851 | debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n", | |
2852 | version_string, (long int)real_uid, (long int)real_gid, (int)getpid(), | |
2853 | debug_selector); | |
2854 | show_whats_supported(stderr); | |
2855 | } | |
2856 | } | |
2857 | ||
2858 | /* When started with root privilege, ensure that the limits on the number of | |
2859 | open files and the number of processes (where that is accessible) are | |
2860 | sufficiently large, or are unset, in case Exim has been called from an | |
2861 | environment where the limits are screwed down. Not all OS have the ability to | |
2862 | change some of these limits. */ | |
2863 | ||
2864 | if (unprivileged) | |
2865 | { | |
2866 | DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:"); | |
2867 | } | |
2868 | else | |
2869 | { | |
2870 | struct rlimit rlp; | |
2871 | ||
2872 | #ifdef RLIMIT_NOFILE | |
2873 | if (getrlimit(RLIMIT_NOFILE, &rlp) < 0) | |
2874 | { | |
2875 | log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s", | |
2876 | strerror(errno)); | |
2877 | rlp.rlim_cur = rlp.rlim_max = 0; | |
2878 | } | |
eb2c0248 PH |
2879 | |
2880 | /* I originally chose 1000 as a nice big number that was unlikely to | |
a494b1e1 PH |
2881 | be exceeded. It turns out that some older OS have a fixed upper limit of |
2882 | 256. */ | |
eb2c0248 | 2883 | |
059ec3d9 PH |
2884 | if (rlp.rlim_cur < 1000) |
2885 | { | |
2886 | rlp.rlim_cur = rlp.rlim_max = 1000; | |
2887 | if (setrlimit(RLIMIT_NOFILE, &rlp) < 0) | |
eb2c0248 | 2888 | { |
a494b1e1 PH |
2889 | rlp.rlim_cur = rlp.rlim_max = 256; |
2890 | if (setrlimit(RLIMIT_NOFILE, &rlp) < 0) | |
2891 | log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s", | |
2892 | strerror(errno)); | |
eb2c0248 | 2893 | } |
059ec3d9 PH |
2894 | } |
2895 | #endif | |
2896 | ||
2897 | #ifdef RLIMIT_NPROC | |
2898 | if (getrlimit(RLIMIT_NPROC, &rlp) < 0) | |
2899 | { | |
2900 | log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s", | |
2901 | strerror(errno)); | |
2902 | rlp.rlim_cur = rlp.rlim_max = 0; | |
2903 | } | |
2904 | ||
2905 | #ifdef RLIM_INFINITY | |
2906 | if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000) | |
2907 | { | |
2908 | rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY; | |
2909 | #else | |
2910 | if (rlp.rlim_cur < 1000) | |
2911 | { | |
2912 | rlp.rlim_cur = rlp.rlim_max = 1000; | |
2913 | #endif | |
2914 | if (setrlimit(RLIMIT_NPROC, &rlp) < 0) | |
2915 | log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s", | |
2916 | strerror(errno)); | |
2917 | } | |
2918 | #endif | |
2919 | } | |
2920 | ||
2921 | /* Exim is normally entered as root (but some special configurations are | |
2922 | possible that don't do this). However, it always spins off sub-processes that | |
2923 | set their uid and gid as required for local delivery. We don't want to pass on | |
2924 | any extra groups that root may belong to, so we want to get rid of them all at | |
2925 | this point. | |
2926 | ||
2927 | We need to obey setgroups() at this stage, before possibly giving up root | |
2928 | privilege for a changed configuration file, but later on we might need to | |
2929 | check on the additional groups for the admin user privilege - can't do that | |
2930 | till after reading the config, which might specify the exim gid. Therefore, | |
2931 | save the group list here first. */ | |
2932 | ||
2933 | group_count = getgroups(NGROUPS_MAX, group_list); | |
2934 | ||
2935 | /* There is a fundamental difference in some BSD systems in the matter of | |
2936 | groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are | |
2937 | known not to be different. On the "different" systems there is a single group | |
2938 | list, and the first entry in it is the current group. On all other versions of | |
2939 | Unix there is a supplementary group list, which is in *addition* to the current | |
2940 | group. Consequently, to get rid of all extraneous groups on a "standard" system | |
2941 | you pass over 0 groups to setgroups(), while on a "different" system you pass | |
2942 | over a single group - the current group, which is always the first group in the | |
2943 | list. Calling setgroups() with zero groups on a "different" system results in | |
2944 | an error return. The following code should cope with both types of system. | |
2945 | ||
2946 | However, if this process isn't running as root, setgroups() can't be used | |
2947 | since you have to be root to run it, even if throwing away groups. Not being | |
2948 | root here happens only in some unusual configurations. We just ignore the | |
2949 | error. */ | |
2950 | ||
2951 | if (setgroups(0, NULL) != 0) | |
2952 | { | |
2953 | if (setgroups(1, group_list) != 0 && !unprivileged) | |
2954 | { | |
2955 | fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno)); | |
2956 | exit(EXIT_FAILURE); | |
2957 | } | |
2958 | } | |
2959 | ||
2960 | /* If the configuration file name has been altered by an argument on the | |
2961 | command line (either a new file name or a macro definition) and the caller is | |
2962 | not root or the exim user, or if this is a filter testing run, remove any | |
2963 | setuid privilege the program has, and run as the underlying user. | |
2964 | ||
2965 | If ALT_CONFIG_ROOT_ONLY is defined, the exim user is locked out of this, which | |
2966 | severely restricts the use of -C for some purposes. | |
2967 | ||
2968 | Otherwise, set the real ids to the effective values (should be root unless run | |
2969 | from inetd, which it can either be root or the exim uid, if one is configured). | |
2970 | ||
2971 | There is a private mechanism for bypassing some of this, in order to make it | |
2972 | possible to test lots of configurations automatically, without having either to | |
2973 | recompile each time, or to patch in an actual configuration file name and other | |
2974 | values (such as the path name). If running in the test harness, pretend that | |
2975 | configuration file changes and macro definitions haven't happened. */ | |
2976 | ||
2977 | if (( /* EITHER */ | |
2978 | (config_changed || macros != NULL) && /* Config changed, and */ | |
2979 | real_uid != root_uid && /* Not root, and */ | |
2980 | #ifndef ALT_CONFIG_ROOT_ONLY /* (when not locked out) */ | |
2981 | real_uid != exim_uid && /* Not exim, and */ | |
2982 | #endif | |
2983 | !running_in_test_harness /* Not fudged */ | |
2984 | ) || /* OR */ | |
2985 | expansion_test /* expansion testing */ | |
2986 | || /* OR */ | |
f05da2e8 | 2987 | filter_test != FTEST_NONE) /* Filter testing */ |
059ec3d9 PH |
2988 | { |
2989 | setgroups(group_count, group_list); | |
2990 | exim_setugid(real_uid, real_gid, FALSE, | |
2991 | US"-C, -D, -be or -bf forces real uid"); | |
2992 | removed_privilege = TRUE; | |
2993 | ||
2994 | /* In the normal case when Exim is called like this, stderr is available | |
2995 | and should be used for any logging information because attempts to write | |
2996 | to the log will usually fail. To arrange this, we unset really_exim. However, | |
2997 | if no stderr is available there is no point - we might as well have a go | |
2998 | at the log (if it fails, syslog will be written). */ | |
2999 | ||
3000 | if (log_stderr != NULL) really_exim = FALSE; | |
3001 | } | |
3002 | ||
3003 | /* Privilege is to be retained for the moment. It may be dropped later, | |
3004 | depending on the job that this Exim process has been asked to do. For now, set | |
3005 | the real uid to the effective so that subsequent re-execs of Exim are done by a | |
3006 | privileged user. */ | |
3007 | ||
3008 | else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective"); | |
3009 | ||
f05da2e8 | 3010 | /* If testing a filter, open the file(s) now, before wasting time doing other |
059ec3d9 PH |
3011 | setups and reading the message. */ |
3012 | ||
f05da2e8 PH |
3013 | if ((filter_test & FTEST_SYSTEM) != 0) |
3014 | { | |
3015 | filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0); | |
3016 | if (filter_sfd < 0) | |
3017 | { | |
3018 | fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile, | |
3019 | strerror(errno)); | |
3020 | return EXIT_FAILURE; | |
3021 | } | |
3022 | } | |
3023 | ||
3024 | if ((filter_test & FTEST_USER) != 0) | |
059ec3d9 | 3025 | { |
f05da2e8 PH |
3026 | filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0); |
3027 | if (filter_ufd < 0) | |
059ec3d9 | 3028 | { |
f05da2e8 | 3029 | fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile, |
059ec3d9 PH |
3030 | strerror(errno)); |
3031 | return EXIT_FAILURE; | |
3032 | } | |
3033 | } | |
3034 | ||
3035 | /* Read the main runtime configuration data; this gives up if there | |
3036 | is a failure. It leaves the configuration file open so that the subsequent | |
3037 | configuration data for delivery can be read if needed. */ | |
3038 | ||
3039 | readconf_main(); | |
3040 | ||
3041 | /* Handle the decoding of logging options. */ | |
3042 | ||
3043 | decode_bits(&log_write_selector, &log_extra_selector, log_selector_string, | |
3044 | log_options, log_options_count, US"log"); | |
3045 | ||
3046 | DEBUG(D_any) | |
3047 | { | |
3048 | debug_printf("configuration file is %s\n", config_main_filename); | |
3049 | debug_printf("log selectors = %08x %08x\n", log_write_selector, | |
3050 | log_extra_selector); | |
3051 | } | |
3052 | ||
3053 | /* If domain literals are not allowed, check the sender address that was | |
3054 | supplied with -f. Ditto for a stripped trailing dot. */ | |
3055 | ||
3056 | if (sender_address != NULL) | |
3057 | { | |
3058 | if (sender_address[sender_address_domain] == '[' && !allow_domain_literals) | |
3059 | { | |
3060 | fprintf(stderr, "exim: bad -f address \"%s\": domain literals not " | |
3061 | "allowed\n", sender_address); | |
3062 | return EXIT_FAILURE; | |
3063 | } | |
3064 | if (f_end_dot && !strip_trailing_dot) | |
3065 | { | |
3066 | fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed " | |
3067 | "(trailing dot not allowed)\n", sender_address); | |
3068 | return EXIT_FAILURE; | |
3069 | } | |
3070 | } | |
3071 | ||
3072 | /* Paranoia check of maximum lengths of certain strings. There is a check | |
3073 | on the length of the log file path in log.c, which will come into effect | |
3074 | if there are any calls to write the log earlier than this. However, if we | |
3075 | get this far but the string is very long, it is better to stop now than to | |
3076 | carry on and (e.g.) receive a message and then have to collapse. The call to | |
3077 | log_write() from here will cause the ultimate panic collapse if the complete | |
3078 | file name exceeds the buffer length. */ | |
3079 | ||
3080 | if (Ustrlen(log_file_path) > 200) | |
3081 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, | |
3082 | "log_file_path is longer than 200 chars: aborting"); | |
3083 | ||
3084 | if (Ustrlen(pid_file_path) > 200) | |
3085 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, | |
3086 | "pid_file_path is longer than 200 chars: aborting"); | |
3087 | ||
3088 | if (Ustrlen(spool_directory) > 200) | |
3089 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, | |
3090 | "spool_directory is longer than 200 chars: aborting"); | |
3091 | ||
3092 | /* Length check on the process name given to syslog for its TAG field, | |
3093 | which is only permitted to be 32 characters or less. See RFC 3164. */ | |
3094 | ||
3095 | if (Ustrlen(syslog_processname) > 32) | |
3096 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, | |
3097 | "syslog_processname is longer than 32 chars: aborting"); | |
3098 | ||
3099 | /* In some operating systems, the environment variable TMPDIR controls where | |
3100 | temporary files are created; Exim doesn't use these (apart from when delivering | |
3101 | to MBX mailboxes), but called libraries such as DBM libraries may require them. | |
3102 | If TMPDIR is found in the environment, reset it to the value defined in the | |
3103 | TMPDIR macro, if this macro is defined. */ | |
3104 | ||
3105 | #ifdef TMPDIR | |
3106 | { | |
3107 | uschar **p; | |
3108 | for (p = USS environ; *p != NULL; p++) | |
3109 | { | |
3110 | if (Ustrncmp(*p, "TMPDIR=", 7) == 0 && | |
3111 | Ustrcmp(*p+7, TMPDIR) != 0) | |
3112 | { | |
3113 | uschar *newp = malloc(Ustrlen(TMPDIR) + 8); | |
3114 | sprintf(CS newp, "TMPDIR=%s", TMPDIR); | |
3115 | *p = newp; | |
3116 | DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR); | |
3117 | } | |
3118 | } | |
3119 | } | |
3120 | #endif | |
3121 | ||
3122 | /* Timezone handling. If timezone_string is "utc", set a flag to cause all | |
3123 | timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise, | |
3124 | we may need to get rid of a bogus timezone setting. This can arise when Exim is | |
3125 | called by a user who has set the TZ variable. This then affects the timestamps | |
3126 | in log files and in Received: headers, and any created Date: header lines. The | |
3127 | required timezone is settable in the configuration file, so nothing can be done | |
3128 | about this earlier - but hopefully nothing will normally be logged earlier than | |
3129 | this. We have to make a new environment if TZ is wrong, but don't bother if | |
3130 | timestamps_utc is set, because then all times are in UTC anyway. */ | |
3131 | ||
3132 | if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0) | |
3133 | { | |
3134 | timestamps_utc = TRUE; | |
3135 | } | |
3136 | else | |
3137 | { | |
3138 | uschar *envtz = US getenv("TZ"); | |
3139 | if ((envtz == NULL && timezone_string != NULL) || | |
3140 | (envtz != NULL && | |
3141 | (timezone_string == NULL || | |
3142 | Ustrcmp(timezone_string, envtz) != 0))) | |
3143 | { | |
3144 | uschar **p = USS environ; | |
3145 | uschar **new; | |
3146 | uschar **newp; | |
3147 | int count = 0; | |
3148 | while (*p++ != NULL) count++; | |
3149 | if (envtz == NULL) count++; | |
3150 | newp = new = malloc(sizeof(uschar *) * (count + 1)); | |
3151 | for (p = USS environ; *p != NULL; p++) | |
3152 | { | |
3153 | if (Ustrncmp(*p, "TZ=", 3) == 0) continue; | |
3154 | *newp++ = *p; | |
3155 | } | |
3156 | if (timezone_string != NULL) | |
3157 | { | |
3158 | *newp = malloc(Ustrlen(timezone_string) + 4); | |
3159 | sprintf(CS *newp++, "TZ=%s", timezone_string); | |
3160 | } | |
3161 | *newp = NULL; | |
3162 | environ = CSS new; | |
3163 | tzset(); | |
3164 | DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string, | |
3165 | tod_stamp(tod_log)); | |
3166 | } | |
3167 | } | |
3168 | ||
3169 | /* Handle the case when we have removed the setuid privilege because of -C or | |
3170 | -D. This means that the caller of Exim was not root, and, provided that | |
3171 | ALT_CONFIG_ROOT_ONLY is not defined, was not the Exim user that is built into | |
3172 | the binary. | |
3173 | ||
3174 | If ALT_CONFIG_ROOT_ONLY is not defined, there is a problem if it turns out we | |
3175 | were running as the exim user defined in the configuration file (different to | |
3176 | the one in the binary). The sysadmin may expect this case to retain privilege | |
3177 | because "the binary was called by the Exim user", but it hasn't, because of the | |
3178 | order in which it handles this stuff. There are two possibilities: | |
3179 | ||
3180 | (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order | |
3181 | to do message deliveries. Thus, the fact that it is running as a | |
3182 | non-privileged user is plausible, and might be wanted in some special | |
3183 | configurations. However, really_exim will have been set false when | |
3184 | privilege was dropped, to stop Exim trying to write to its normal log | |
3185 | files. Therefore, re-enable normal log processing, assuming the sysadmin | |
3186 | has set up the log directory correctly. | |
3187 | ||
3188 | (2) If deliver_drop_privilege is not set, the configuration won't work as | |
3189 | apparently intended, and so we log a panic message. In order to retain | |
3190 | root for -C or -D, the caller must either be root or the Exim user | |
3191 | defined in the binary (when deliver_drop_ privilege is false). | |
3192 | ||
3193 | If ALT_CONFIG_ROOT_ONLY is defined, we don't know whether we were called by the | |
3194 | built-in exim user or one defined in the configuration. In either event, | |
3195 | re-enable log processing, assuming the sysadmin knows what they are doing. */ | |
3196 | ||
3197 | if (removed_privilege && (config_changed || macros != NULL) && | |
3198 | real_uid == exim_uid) | |
3199 | { | |
3200 | #ifdef ALT_CONFIG_ROOT_ONLY | |
3201 | really_exim = TRUE; /* let logging work normally */ | |
3202 | #else | |
3203 | ||
3204 | if (deliver_drop_privilege) | |
3205 | really_exim = TRUE; /* let logging work normally */ | |
3206 | else | |
3207 | log_write(0, LOG_MAIN|LOG_PANIC, | |
3208 | "exim user (uid=%d) is defined only at runtime; privilege lost for %s", | |
3209 | (int)exim_uid, config_changed? "-C" : "-D"); | |
3210 | #endif | |
3211 | } | |
3212 | ||
3213 | /* Start up Perl interpreter if Perl support is configured and there is a | |
3214 | perl_startup option, and the configuration or the command line specifies | |
3215 | initializing starting. Note that the global variables are actually called | |
3216 | opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */ | |
3217 | ||
3218 | #ifdef EXIM_PERL | |
3219 | if (perl_start_option != 0) | |
3220 | opt_perl_at_start = (perl_start_option > 0); | |
3221 | if (opt_perl_at_start && opt_perl_startup != NULL) | |
3222 | { | |
3223 | uschar *errstr; | |
3224 | DEBUG(D_any) debug_printf("Starting Perl interpreter\n"); | |
3225 | errstr = init_perl(opt_perl_startup); | |
3226 | if (errstr != NULL) | |
3227 | { | |
3228 | fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr); | |
3229 | return EXIT_FAILURE; | |
3230 | } | |
3231 | opt_perl_started = TRUE; | |
3232 | } | |
3233 | #endif /* EXIM_PERL */ | |
3234 | ||
3235 | /* Log the arguments of the call if the configuration file said so. This is | |
3236 | a debugging feature for finding out what arguments certain MUAs actually use. | |
3237 | Don't attempt it if logging is disabled, or if listing variables or if | |
3238 | verifying/testing addresses or expansions. */ | |
3239 | ||
3240 | if ((log_extra_selector & LX_arguments) != 0 && really_exim | |
3241 | && !list_options && !checking) | |
3242 | { | |
3243 | int i; | |
3244 | uschar *p = big_buffer; | |
3245 | Ustrcpy(p, "cwd="); | |
3246 | (void)getcwd(CS p+4, big_buffer_size - 4); | |
3247 | while (*p) p++; | |
3248 | (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc); | |
3249 | while (*p) p++; | |
3250 | for (i = 0; i < argc; i++) | |
3251 | { | |
3252 | int len = Ustrlen(argv[i]); | |
3253 | uschar *printing; | |
3254 | uschar *quote; | |
3255 | if (p + len + 8 >= big_buffer + big_buffer_size) | |
3256 | { | |
3257 | Ustrcpy(p, " ..."); | |
3258 | log_write(0, LOG_MAIN, "%s", big_buffer); | |
3259 | Ustrcpy(big_buffer, "..."); | |
3260 | p = big_buffer + 3; | |
3261 | } | |
3262 | printing = string_printing(argv[i]); | |
3263 | if (printing[0] == 0) quote = US"\""; else | |
3264 | { | |
3265 | uschar *pp = printing; | |
3266 | quote = US""; | |
3267 | while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; } | |
3268 | } | |
3269 | sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size - | |
3270 | (p - big_buffer) - 4), printing, quote); | |
3271 | while (*p) p++; | |
3272 | } | |
3273 | log_write(0, LOG_MAIN, "%s", big_buffer); | |
3274 | } | |
3275 | ||
3276 | /* Set the working directory to be the top-level spool directory. We don't rely | |
3277 | on this in the code, which always uses fully qualified names, but it's useful | |
3278 | for core dumps etc. Don't complain if it fails - the spool directory might not | |
3279 | be generally accessible and calls with the -C option (and others) have lost | |
3280 | privilege by now. */ | |
3281 | ||
3282 | if (Uchdir(spool_directory) != 0) | |
3283 | { | |
3284 | (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, TRUE); | |
3285 | (void)Uchdir(spool_directory); | |
3286 | } | |
3287 | ||
3288 | /* Handle calls with the -bi option. This is a sendmail option to rebuild *the* | |
3289 | alias file. Exim doesn't have such a concept, but this call is screwed into | |
3290 | Sun's YP makefiles. Handle this by calling a configured script, as the real | |
3291 | user who called Exim. The -oA option can be used to pass an argument to the | |
3292 | script. */ | |
3293 | ||
3294 | if (bi_option) | |
3295 | { | |
3296 | fclose(config_file); | |
3297 | if (bi_command != NULL) | |
3298 | { | |
3299 | int i = 0; | |
3300 | uschar *argv[3]; | |
3301 | argv[i++] = bi_command; | |
3302 | if (alias_arg != NULL) argv[i++] = alias_arg; | |
3303 | argv[i++] = NULL; | |
3304 | ||
3305 | setgroups(group_count, group_list); | |
3306 | exim_setugid(real_uid, real_gid, FALSE, US"running bi_command"); | |
3307 | ||
3308 | DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0], | |
3309 | (argv[1] == NULL)? US"" : argv[1]); | |
3310 | ||
3311 | execv(CS argv[0], (char *const *)argv); | |
3312 | fprintf(stderr, "exim: exec failed: %s\n", strerror(errno)); | |
3313 | exit(EXIT_FAILURE); | |
3314 | } | |
3315 | else | |
3316 | { | |
3317 | DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n"); | |
3318 | exit(EXIT_SUCCESS); | |
3319 | } | |
3320 | } | |
3321 | ||
3322 | /* If an action on specific messages is requested, or if a daemon or queue | |
3323 | runner is being started, we need to know if Exim was called by an admin user. | |
3324 | This is the case if the real user is root or exim, or if the real group is | |
3325 | exim, or if one of the supplementary groups is exim or a group listed in | |
3326 | admin_groups. We don't fail all message actions immediately if not admin_user, | |
3327 | since some actions can be performed by non-admin users. Instead, set admin_user | |
3328 | for later interrogation. */ | |
3329 | ||
3330 | if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid) | |
3331 | admin_user = TRUE; | |
3332 | else | |
3333 | { | |
3334 | int i, j; | |
3335 | ||
3336 | for (i = 0; i < group_count; i++) | |
3337 | { | |
3338 | if (group_list[i] == exim_gid) admin_user = TRUE; | |
3339 | else if (admin_groups != NULL) | |
3340 | { | |
3341 | for (j = 1; j <= (int)(admin_groups[0]); j++) | |
3342 | if (admin_groups[j] == group_list[i]) | |
3343 | { admin_user = TRUE; break; } | |
3344 | } | |
3345 | if (admin_user) break; | |
3346 | } | |
3347 | } | |
3348 | ||
3349 | /* Another group of privileged users are the trusted users. These are root, | |
3350 | exim, and any caller matching trusted_users or trusted_groups. Trusted callers | |
3351 | are permitted to specify sender_addresses with -f on the command line, and | |
3352 | other message parameters as well. */ | |
3353 | ||
3354 | if (real_uid == root_uid || real_uid == exim_uid) | |
3355 | trusted_caller = TRUE; | |
3356 | else | |
3357 | { | |
3358 | int i, j; | |
3359 | ||
3360 | if (trusted_users != NULL) | |
3361 | { | |
3362 | for (i = 1; i <= (int)(trusted_users[0]); i++) | |
3363 | if (trusted_users[i] == real_uid) | |
3364 | { trusted_caller = TRUE; break; } | |
3365 | } | |
3366 | ||
3367 | if (!trusted_caller && trusted_groups != NULL) | |
3368 | { | |
3369 | for (i = 1; i <= (int)(trusted_groups[0]); i++) | |
3370 | { | |
3371 | if (trusted_groups[i] == real_gid) | |
3372 | trusted_caller = TRUE; | |
3373 | else for (j = 0; j < group_count; j++) | |
3374 | { | |
3375 | if (trusted_groups[i] == group_list[j]) | |
3376 | { trusted_caller = TRUE; break; } | |
3377 | } | |
3378 | if (trusted_caller) break; | |
3379 | } | |
3380 | } | |
3381 | } | |
3382 | ||
3383 | if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n"); | |
3384 | if (admin_user) DEBUG(D_any) debug_printf("admin user\n"); | |
3385 | ||
3386 | /* Only an admin user may start the daemon or force a queue run in the default | |
3387 | configuration, but the queue run restriction can be relaxed. Only an admin | |
3388 | user may request that a message be returned to its sender forthwith. Only an | |
3389 | admin user may specify a debug level greater than D_v (because it might show | |
3390 | passwords, etc. in lookup queries). Only an admin user may request a queue | |
3391 | count. */ | |
3392 | ||
3393 | if (!admin_user) | |
3394 | { | |
3395 | BOOL debugset = (debug_selector & ~D_v) != 0; | |
3396 | if (deliver_give_up || daemon_listen || | |
3397 | (count_queue && queue_list_requires_admin) || | |
3398 | (list_queue && queue_list_requires_admin) || | |
3399 | (queue_interval >= 0 && prod_requires_admin) || | |
3400 | (debugset && !running_in_test_harness)) | |
3401 | { | |
3402 | fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : ""); | |
3403 | exit(EXIT_FAILURE); | |
3404 | } | |
3405 | } | |
3406 | ||
3407 | /* If the real user is not root or the exim uid, the argument for passing | |
3408 | in an open TCP/IP connection for another message is not permitted, nor is | |
3409 | running with the -N option for any delivery action, unless this call to exim is | |
3410 | one that supplied an input message, or we are using a patched exim for | |
3411 | regression testing. */ | |
3412 | ||
3413 | if (real_uid != root_uid && real_uid != exim_uid && | |
3414 | (continue_hostname != NULL || | |
3415 | (dont_deliver && | |
3416 | (queue_interval >= 0 || daemon_listen || msg_action_arg > 0) | |
3417 | )) && !running_in_test_harness) | |
3418 | { | |
3419 | fprintf(stderr, "exim: Permission denied\n"); | |
3420 | return EXIT_FAILURE; | |
3421 | } | |
3422 | ||
3423 | /* If the caller is not trusted, certain arguments are ignored when running for | |
f05da2e8 PH |
3424 | real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF). |
3425 | Note that authority for performing certain actions on messages is tested in the | |
059ec3d9 PH |
3426 | queue_action() function. */ |
3427 | ||
f05da2e8 | 3428 | if (!trusted_caller && !checking && filter_test == FTEST_NONE) |
059ec3d9 PH |
3429 | { |
3430 | sender_host_name = sender_host_address = interface_address = | |
3431 | sender_ident = received_protocol = NULL; | |
3432 | sender_host_port = interface_port = 0; | |
3433 | sender_host_authenticated = authenticated_sender = authenticated_id = NULL; | |
3434 | } | |
3435 | ||
3436 | /* If a sender host address is set, extract the optional port number off the | |
3437 | end of it and check its syntax. Do the same thing for the interface address. | |
3438 | Exim exits if the syntax is bad. */ | |
3439 | ||
3440 | else | |
3441 | { | |
3442 | if (sender_host_address != NULL) | |
3443 | sender_host_port = check_port(sender_host_address); | |
3444 | if (interface_address != NULL) | |
3445 | interface_port = check_port(interface_address); | |
3446 | } | |
3447 | ||
3448 | /* If an SMTP message is being received check to see if the standard input is a | |
3449 | TCP/IP socket. If it is, we assume that Exim was called from inetd if the | |
3450 | caller is root or the Exim user, or if the port is a privileged one. Otherwise, | |
3451 | barf. */ | |
3452 | ||
3453 | if (smtp_input) | |
3454 | { | |
3455 | union sockaddr_46 inetd_sock; | |
36a3b041 | 3456 | EXIM_SOCKLEN_T size = sizeof(inetd_sock); |
059ec3d9 PH |
3457 | if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0) |
3458 | { | |
3459 | int family = ((struct sockaddr *)(&inetd_sock))->sa_family; | |
3460 | if (family == AF_INET || family == AF_INET6) | |
3461 | { | |
3462 | union sockaddr_46 interface_sock; | |
3463 | size = sizeof(interface_sock); | |
3464 | ||
3465 | if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0) | |
3466 | interface_address = host_ntoa(-1, &interface_sock, NULL, | |
3467 | &interface_port); | |
3468 | ||
3469 | if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE; | |
3470 | ||
3471 | if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024) | |
3472 | { | |
3473 | is_inetd = TRUE; | |
3474 | sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock), | |
3475 | NULL, &sender_host_port); | |
3476 | if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from " | |
3477 | "inetd is not supported when mua_wrapper is set"); | |
3478 | } | |
3479 | else | |
3480 | { | |
3481 | fprintf(stderr, | |
3482 | "exim: Permission denied (unprivileged user, unprivileged port)\n"); | |
3483 | return EXIT_FAILURE; | |
3484 | } | |
3485 | } | |
3486 | } | |
3487 | } | |
3488 | ||
3489 | /* If the load average is going to be needed while receiving a message, get it | |
3490 | now for those OS that require the first call to os_getloadavg() to be done as | |
3491 | root. There will be further calls later for each message received. */ | |
3492 | ||
3493 | #ifdef LOAD_AVG_NEEDS_ROOT | |
3494 | if (receiving_message && | |
3495 | (queue_only_load >= 0 || | |
3496 | (is_inetd && smtp_load_reserve >= 0) | |
3497 | )) | |
3498 | { | |
3499 | load_average = os_getloadavg(); | |
3500 | } | |
3501 | #endif | |
3502 | ||
3503 | /* The queue_only configuration option can be overridden by -odx on the command | |
3504 | line, except that if queue_only_override is false, queue_only cannot be unset | |
3505 | from the command line. */ | |
3506 | ||
3507 | if (queue_only_set && (queue_only_override || arg_queue_only)) | |
3508 | queue_only = arg_queue_only; | |
3509 | ||
3510 | /* The receive_timeout and smtp_receive_timeout options can be overridden by | |
3511 | -or and -os. */ | |
3512 | ||
3513 | if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout; | |
3514 | if (arg_smtp_receive_timeout >= 0) | |
3515 | smtp_receive_timeout = arg_smtp_receive_timeout; | |
3516 | ||
3517 | /* If Exim was started with root privilege, unless we have already removed the | |
3518 | root privilege above as a result of -C, -D, -be, -bf or -bF, remove it now | |
3519 | except when starting the daemon or doing some kind of delivery or address | |
3520 | testing (-bt). These are the only cases when root need to be retained. We run | |
3521 | as exim for -bv and -bh. However, if deliver_drop_privilege is set, root is | |
3522 | retained only for starting the daemon. */ | |
3523 | ||
3524 | if (!unprivileged && /* originally had root AND */ | |
3525 | !removed_privilege && /* still got root AND */ | |
3526 | !daemon_listen && /* not starting the daemon */ | |
3527 | queue_interval <= 0 && /* (either kind of daemon) */ | |
3528 | ( /* AND EITHER */ | |
3529 | deliver_drop_privilege || /* requested unprivileged */ | |
3530 | ( /* OR */ | |
3531 | queue_interval < 0 && /* not running the queue */ | |
3532 | (msg_action_arg < 0 || /* and */ | |
3533 | msg_action != MSG_DELIVER) && /* not delivering and */ | |
3534 | (!checking || !address_test_mode) /* not address checking */ | |
3535 | ) | |
3536 | )) | |
3537 | { | |
3538 | exim_setugid(exim_uid, exim_gid, FALSE, US"privilege not needed"); | |
3539 | } | |
3540 | ||
3541 | /* When we are retaining a privileged uid, we still change to the exim gid. */ | |
3542 | ||
3543 | else setgid(exim_gid); | |
3544 | ||
3545 | /* Handle a request to list the delivery queue */ | |
3546 | ||
3547 | if (list_queue) | |
3548 | { | |
3549 | set_process_info("listing the queue"); | |
3550 | queue_list(list_queue_option, argv + recipients_arg, argc - recipients_arg); | |
3551 | exit(EXIT_SUCCESS); | |
3552 | } | |
3553 | ||
3554 | /* Handle a request to count the delivery queue */ | |
3555 | ||
3556 | if (count_queue) | |
3557 | { | |
3558 | set_process_info("counting the queue"); | |
3559 | queue_count(); | |
3560 | exit(EXIT_SUCCESS); | |
3561 | } | |
3562 | ||
3563 | /* Handle actions on specific messages, except for the force delivery action, | |
3564 | which is done below. Some actions take a whole list of message ids, which | |
3565 | are known to continue up to the end of the arguments. Others take a single | |
3566 | message id and then operate on the recipients list. */ | |
3567 | ||
3568 | if (msg_action_arg > 0 && msg_action != MSG_DELIVER) | |
3569 | { | |
3570 | int yield = EXIT_SUCCESS; | |
3571 | set_process_info("acting on specified messages"); | |
3572 | ||
3573 | if (!one_msg_action) | |
3574 | { | |
3575 | for (i = msg_action_arg; i < argc; i++) | |
3576 | if (!queue_action(argv[i], msg_action, NULL, 0, 0)) | |
3577 | yield = EXIT_FAILURE; | |
3578 | } | |
3579 | ||
3580 | else if (!queue_action(argv[msg_action_arg], msg_action, argv, argc, | |
3581 | recipients_arg)) yield = EXIT_FAILURE; | |
3582 | exit(yield); | |
3583 | } | |
3584 | ||
3585 | /* All the modes below here require the remaining configuration sections | |
3586 | to be read, except that we can skip over the ACL setting when delivering | |
3587 | specific messages, or doing a queue run. (For various testing cases we could | |
3588 | skip too, but as they are rare, it doesn't really matter.) The argument is TRUE | |
3589 | for skipping. */ | |
3590 | ||
3591 | readconf_rest(msg_action_arg > 0 || (queue_interval == 0 && !daemon_listen)); | |
3592 | ||
3593 | /* The configuration data will have been read into POOL_PERM because we won't | |
3594 | ever want to reset back past it. Change the current pool to POOL_MAIN. In fact, | |
3595 | this is just a bit of pedantic tidiness. It wouldn't really matter if the | |
3596 | configuration were read into POOL_MAIN, because we don't do any resets till | |
3597 | later on. However, it seems right, and it does ensure that both pools get used. | |
3598 | */ | |
3599 | ||
3600 | store_pool = POOL_MAIN; | |
3601 | ||
3602 | /* Handle the -brt option. This is for checking out retry configurations. | |
3603 | The next three arguments are a domain name or a complete address, and | |
3604 | optionally two error numbers. All it does is to call the function that | |
3605 | scans the retry configuration data. */ | |
3606 | ||
3607 | if (test_retry_arg >= 0) | |
3608 | { | |
3609 | retry_config *yield; | |
3610 | int basic_errno = 0; | |
3611 | int more_errno = 0; | |
3612 | uschar *s1, *s2; | |
3613 | ||
3614 | if (test_retry_arg >= argc) | |
3615 | { | |
3616 | printf("-brt needs a domain or address argument\n"); | |
3617 | exim_exit(EXIT_FAILURE); | |
3618 | } | |
3619 | s1 = argv[test_retry_arg++]; | |
3620 | s2 = NULL; | |
3621 | ||
3622 | /* If the first argument contains no @ and no . it might be a local user | |
3623 | or it might be a single-component name. Treat as a domain. */ | |
3624 | ||
3625 | if (Ustrchr(s1, '@') == NULL && Ustrchr(s1, '.') == NULL) | |
3626 | { | |
3627 | printf("Warning: \"%s\" contains no '@' and no '.' characters. It is " | |
3628 | "being \ntreated as a one-component domain, not as a local part.\n\n", | |
3629 | s1); | |
3630 | } | |
3631 | ||
3632 | /* There may be an optional second domain arg. */ | |
3633 | ||
3634 | if (test_retry_arg < argc && Ustrchr(argv[test_retry_arg], '.') != NULL) | |
3635 | s2 = argv[test_retry_arg++]; | |
3636 | ||
3637 | /* The final arg is an error name */ | |
3638 | ||
3639 | if (test_retry_arg < argc) | |
3640 | { | |
3641 | uschar *ss = argv[test_retry_arg]; | |
3642 | uschar *error = | |
3643 | readconf_retry_error(ss, ss + Ustrlen(ss), &basic_errno, &more_errno); | |
3644 | if (error != NULL) | |
3645 | { | |
3646 | printf("%s\n", CS error); | |
3647 | return EXIT_FAILURE; | |
3648 | } | |
3649 | ||
3650 | /* For the rcpt_4xx errors, a value of 255 means "any", and a code > 100 as | |
3651 | an error is for matching codes to the decade. Turn them into a real error | |
3652 | code, off the decade. */ | |
3653 | ||
3654 | if (basic_errno == ERRNO_RCPT4XX) | |
3655 | { | |
3656 | int code = (more_errno >> 8) & 255; | |
3657 | if (code == 255) | |
3658 | more_errno = (more_errno & 0xffff00ff) | (21 << 8); | |
3659 | else if (code > 100) | |
3660 | more_errno = (more_errno & 0xffff00ff) | ((code - 96) << 8); | |
3661 | } | |
3662 | } | |
3663 | ||
3664 | yield = retry_find_config(s1, s2, basic_errno, more_errno); | |
3665 | if (yield == NULL) printf("No retry information found\n"); else | |
3666 | { | |
3667 | retry_rule *r; | |
3668 | more_errno = yield->more_errno; | |
3669 | printf("Retry rule: %s ", yield->pattern); | |
3670 | ||
3671 | if (yield->basic_errno == ERRNO_EXIMQUOTA) | |
3672 | { | |
3673 | printf("quota%s%s ", | |
3674 | (more_errno > 0)? "_" : "", | |
3675 | (more_errno > 0)? readconf_printtime(more_errno) : US""); | |
3676 | } | |
3677 | else if (yield->basic_errno == ECONNREFUSED) | |
3678 | { | |
3679 | printf("refused%s%s ", | |
3680 | (more_errno > 0)? "_" : "", | |
3681 | (more_errno == 'M')? "MX" : | |
3682 | (more_errno == 'A')? "A" : ""); | |
3683 | } | |
3684 | else if (yield->basic_errno == ETIMEDOUT) | |
3685 | { | |
3686 | printf("timeout"); | |
3687 | if ((more_errno & RTEF_CTOUT) != 0) printf("_connect"); | |
3688 | more_errno &= 255; | |
3689 | if (more_errno != 0) printf("_%s", | |
3690 | (more_errno == 'M')? "MX" : "A"); | |
3691 | printf(" "); | |
3692 | } | |
3693 | else if (yield->basic_errno == ERRNO_AUTHFAIL) | |
3694 | printf("auth_failed "); | |
3695 | else printf("* "); | |
3696 | ||
3697 | for (r = yield->rules; r != NULL; r = r->next) | |
3698 | { | |
3699 | printf("%c,%s", r->rule, readconf_printtime(r->timeout)); /* Do not */ | |
3700 | printf(",%s", readconf_printtime(r->p1)); /* amalgamate */ | |
3701 | if (r->rule == 'G') | |
3702 | { | |
3703 | int x = r->p2; | |
3704 | int f = x % 1000; | |
3705 | int d = 100; | |
3706 | printf(",%d.", x/1000); | |
3707 | do | |
3708 | { | |
3709 | printf("%d", f/d); | |
3710 | f %= d; | |
3711 | d /= 10; | |
3712 | } | |
3713 | while (f != 0); | |
3714 | } | |
3715 | printf("; "); | |
3716 | } | |
3717 | ||
3718 | printf("\n"); | |
3719 | } | |
3720 | exim_exit(EXIT_SUCCESS); | |
3721 | } | |
3722 | ||
3723 | /* Handle a request to list one or more configuration options */ | |
3724 | ||
3725 | if (list_options) | |
3726 | { | |
3727 | set_process_info("listing variables"); | |
3728 | if (recipients_arg >= argc) readconf_print(US"all", NULL); | |
3729 | else for (i = recipients_arg; i < argc; i++) | |
3730 | { | |
3731 | if (i < argc - 1 && | |
3732 | (Ustrcmp(argv[i], "router") == 0 || | |
3733 | Ustrcmp(argv[i], "transport") == 0 || | |
3734 | Ustrcmp(argv[i], "authenticator") == 0)) | |
3735 | { | |
3736 | readconf_print(argv[i+1], argv[i]); | |
3737 | i++; | |
3738 | } | |
3739 | else readconf_print(argv[i], NULL); | |
3740 | } | |
3741 | exim_exit(EXIT_SUCCESS); | |
3742 | } | |
3743 | ||
3744 | ||
3745 | /* Handle a request to deliver one or more messages that are already on the | |
3746 | queue. Values of msg_action other than MSG_DELIVER are dealt with above. This | |
3747 | is typically used for a small number when prodding by hand (when the option | |
3748 | forced_delivery will be set) or when re-execing to regain root privilege. | |
3749 | Each message delivery must happen in a separate process, so we fork a process | |
3750 | for each one, and run them sequentially so that debugging output doesn't get | |
3751 | intertwined, and to avoid spawning too many processes if a long list is given. | |
3752 | However, don't fork for the last one; this saves a process in the common case | |
3753 | when Exim is called to deliver just one message. */ | |
3754 | ||
3755 | if (msg_action_arg > 0) | |
3756 | { | |
3757 | if (prod_requires_admin && !admin_user) | |
3758 | { | |
3759 | fprintf(stderr, "exim: Permission denied\n"); | |
3760 | exim_exit(EXIT_FAILURE); | |
3761 | } | |
3762 | set_process_info("delivering specified messages"); | |
3763 | if (deliver_give_up) forced_delivery = deliver_force_thaw = TRUE; | |
3764 | for (i = msg_action_arg; i < argc; i++) | |
3765 | { | |
3766 | int status; | |
3767 | pid_t pid; | |
3768 | if (i == argc - 1) | |
3769 | (void)deliver_message(argv[i], forced_delivery, deliver_give_up); | |
3770 | else if ((pid = fork()) == 0) | |
3771 | { | |
3772 | (void)deliver_message(argv[i], forced_delivery, deliver_give_up); | |
3773 | _exit(EXIT_SUCCESS); | |
3774 | } | |
3775 | else if (pid < 0) | |
3776 | { | |
3777 | fprintf(stderr, "failed to fork delivery process for %s: %s\n", argv[i], | |
3778 | strerror(errno)); | |
3779 | exim_exit(EXIT_FAILURE); | |
3780 | } | |
3781 | else wait(&status); | |
3782 | } | |
3783 | exim_exit(EXIT_SUCCESS); | |
3784 | } | |
3785 | ||
3786 | ||
3787 | /* If only a single queue run is requested, without SMTP listening, we can just | |
3788 | turn into a queue runner, with an optional starting message id. */ | |
3789 | ||
3790 | if (queue_interval == 0 && !daemon_listen) | |
3791 | { | |
3792 | DEBUG(D_queue_run) debug_printf("Single queue run%s%s%s%s\n", | |
3793 | (start_queue_run_id == NULL)? US"" : US" starting at ", | |
3794 | (start_queue_run_id == NULL)? US"" : start_queue_run_id, | |
3795 | (stop_queue_run_id == NULL)? US"" : US" stopping at ", | |
3796 | (stop_queue_run_id == NULL)? US"" : stop_queue_run_id); | |
3797 | set_process_info("running the queue (single queue run)"); | |
3798 | queue_run(start_queue_run_id, stop_queue_run_id, FALSE); | |
3799 | exim_exit(EXIT_SUCCESS); | |
3800 | } | |
3801 | ||
3802 | ||
3803 | /* Find the login name of the real user running this process. This is always | |
3804 | needed when receiving a message, because it is written into the spool file. It | |
3805 | may also be used to construct a from: or a sender: header, and in this case we | |
3806 | need the user's full name as well, so save a copy of it, checked for RFC822 | |
3807 | syntax and munged if necessary, if it hasn't previously been set by the -F | |
3808 | argument. We may try to get the passwd entry more than once, in case NIS or | |
3809 | other delays are in evidence. Save the home directory for use in filter testing | |
3810 | (only). */ | |
3811 | ||
3812 | for (i = 0;;) | |
3813 | { | |
3814 | if ((pw = getpwuid(real_uid)) != NULL) | |
3815 | { | |
3816 | originator_login = string_copy(US pw->pw_name); | |
3817 | originator_home = string_copy(US pw->pw_dir); | |
3818 | ||
3819 | /* If user name has not been set by -F, set it from the passwd entry | |
3820 | unless -f has been used to set the sender address by a trusted user. */ | |
3821 | ||
3822 | if (originator_name == NULL) | |
3823 | { | |
3824 | if (sender_address == NULL || | |
f05da2e8 | 3825 | (!trusted_caller && filter_test == FTEST_NONE)) |
059ec3d9 PH |
3826 | { |
3827 | uschar *name = US pw->pw_gecos; | |
3828 | uschar *amp = Ustrchr(name, '&'); | |
3829 | uschar buffer[256]; | |
3830 | ||
3831 | /* Most Unix specify that a '&' character in the gecos field is | |
3832 | replaced by a copy of the login name, and some even specify that | |
3833 | the first character should be upper cased, so that's what we do. */ | |
3834 | ||
3835 | if (amp != NULL) | |
3836 | { | |
3837 | int loffset; | |
3838 | string_format(buffer, sizeof(buffer), "%.*s%n%s%s", | |
3839 | amp - name, name, &loffset, originator_login, amp + 1); | |
3840 | buffer[loffset] = toupper(buffer[loffset]); | |
3841 | name = buffer; | |
3842 | } | |
3843 | ||
3844 | /* If a pattern for matching the gecos field was supplied, apply | |
3845 | it and then expand the name string. */ | |
3846 | ||
3847 | if (gecos_pattern != NULL && gecos_name != NULL) | |
3848 | { | |
3849 | const pcre *re; | |
3850 | re = regex_must_compile(gecos_pattern, FALSE, TRUE); /* Use malloc */ | |
3851 | ||
3852 | if (regex_match_and_setup(re, name, 0, -1)) | |
3853 | { | |
3854 | uschar *new_name = expand_string(gecos_name); | |
3855 | expand_nmax = -1; | |
3856 | if (new_name != NULL) | |
3857 | { | |
3858 | DEBUG(D_receive) debug_printf("user name \"%s\" extracted from " | |
3859 | "gecos field \"%s\"\n", new_name, name); | |
3860 | name = new_name; | |
3861 | } | |
3862 | else DEBUG(D_receive) debug_printf("failed to expand gecos_name string " | |
3863 | "\"%s\": %s\n", gecos_name, expand_string_message); | |
3864 | } | |
3865 | else DEBUG(D_receive) debug_printf("gecos_pattern \"%s\" did not match " | |
3866 | "gecos field \"%s\"\n", gecos_pattern, name); | |
3867 | store_free((void *)re); | |
3868 | } | |
3869 | originator_name = string_copy(name); | |
3870 | } | |
3871 | ||
3872 | /* A trusted caller has used -f but not -F */ | |
3873 | ||
3874 | else originator_name = US""; | |
3875 | } | |
3876 | ||
3877 | /* Break the retry loop */ | |
3878 | ||
3879 | break; | |
3880 | } | |
3881 | ||
3882 | if (++i > finduser_retries) break; | |
3883 | sleep(1); | |
3884 | } | |
3885 | ||
3886 | /* If we cannot get a user login, log the incident and give up, unless the | |
3887 | configuration specifies something to use. When running in the test harness, | |
3888 | any setting of unknown_login overrides the actual login name. */ | |
3889 | ||
3890 | if (originator_login == NULL || running_in_test_harness) | |
3891 | { | |
3892 | if (unknown_login != NULL) | |
3893 | { | |
3894 | originator_login = expand_string(unknown_login); | |
3895 | if (originator_name == NULL && unknown_username != NULL) | |
3896 | originator_name = expand_string(unknown_username); | |
3897 | if (originator_name == NULL) originator_name = US""; | |
3898 | } | |
3899 | if (originator_login == NULL) | |
3900 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to get user name for uid %d", | |
3901 | (int)real_uid); | |
3902 | } | |
3903 | ||
3904 | /* Ensure that the user name is in a suitable form for use as a "phrase" in an | |
3905 | RFC822 address.*/ | |
3906 | ||
3907 | originator_name = string_copy(parse_fix_phrase(originator_name, | |
3908 | Ustrlen(originator_name), big_buffer, big_buffer_size)); | |
3909 | ||
3910 | /* If a message is created by this call of Exim, the uid/gid of its originator | |
3911 | are those of the caller. These values are overridden if an existing message is | |
3912 | read in from the spool. */ | |
3913 | ||
3914 | originator_uid = real_uid; | |
3915 | originator_gid = real_gid; | |
3916 | ||
3917 | DEBUG(D_receive) debug_printf("originator: uid=%d gid=%d login=%s name=%s\n", | |
3918 | (int)originator_uid, (int)originator_gid, originator_login, originator_name); | |
3919 | ||
3920 | /* Run in daemon and/or queue-running mode. The function daemon_go() never | |
3921 | returns. We leave this till here so that the originator_ fields are available | |
3922 | for incoming messages via the daemon. */ | |
3923 | ||
3924 | if (daemon_listen || queue_interval > 0) | |
3925 | { | |
3926 | if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Daemon cannot be " | |
3927 | "run when mua_wrapper is set"); | |
3928 | daemon_go(); | |
3929 | } | |
3930 | ||
3931 | /* If the sender ident has not been set (by a trusted caller) set it to | |
3932 | the caller. This will get overwritten below for an inetd call. If a trusted | |
3933 | caller has set it empty, unset it. */ | |
3934 | ||
3935 | if (sender_ident == NULL) sender_ident = originator_login; | |
3936 | else if (sender_ident[0] == 0) sender_ident = NULL; | |
3937 | ||
3938 | /* Handle the -brw option, which is for checking out rewriting rules. Cause log | |
3939 | writes (on errors) to go to stderr instead. Can't do this earlier, as want the | |
3940 | originator_* variables set. */ | |
3941 | ||
3942 | if (test_rewrite_arg >= 0) | |
3943 | { | |
3944 | really_exim = FALSE; | |
3945 | if (test_rewrite_arg >= argc) | |
3946 | { | |
3947 | printf("-brw needs an address argument\n"); | |
3948 | exim_exit(EXIT_FAILURE); | |
3949 | } | |
3950 | rewrite_test(argv[test_rewrite_arg]); | |
3951 | exim_exit(EXIT_SUCCESS); | |
3952 | } | |
3953 | ||
3954 | /* A locally-supplied message is considered to be coming from a local user | |
3955 | unless a trusted caller supplies a sender address with -f, or is passing in the | |
3956 | message via SMTP (inetd invocation or otherwise). */ | |
3957 | ||
3958 | if ((sender_address == NULL && !smtp_input) || | |
f05da2e8 | 3959 | (!trusted_caller && filter_test == FTEST_NONE)) |
059ec3d9 PH |
3960 | { |
3961 | sender_local = TRUE; | |
3962 | ||
3963 | /* A trusted caller can supply authenticated_sender and authenticated_id | |
3964 | via -oMas and -oMai and if so, they will already be set. */ | |
3965 | ||
3966 | if (authenticated_sender == NULL) | |
3967 | authenticated_sender = string_sprintf("%s@%s", originator_login, | |
3968 | qualify_domain_sender); | |
3969 | if (authenticated_id == NULL) authenticated_id = originator_login; | |
3970 | } | |
3971 | ||
3972 | /* Trusted callers are always permitted to specify the sender address. | |
3973 | Untrusted callers may specify it if it matches untrusted_set_sender, or if what | |
3974 | is specified is the empty address. However, if a trusted caller does not | |
3975 | specify a sender address for SMTP input, we leave sender_address unset. This | |
3976 | causes the MAIL commands to be honoured. */ | |
3977 | ||
3978 | if ((!smtp_input && sender_address == NULL) || | |
3979 | !receive_check_set_sender(sender_address)) | |
3980 | { | |
3981 | /* Either the caller is not permitted to set a general sender, or this is | |
3982 | non-SMTP input and the trusted caller has not set a sender. If there is no | |
3983 | sender, or if a sender other than <> is set, override with the originator's | |
3984 | login (which will get qualified below), except when checking things. */ | |
3985 | ||
3986 | if (sender_address == NULL /* No sender_address set */ | |
3987 | || /* OR */ | |
3988 | (sender_address[0] != 0 && /* Non-empty sender address, AND */ | |
3989 | !checking && /* Not running tests, AND */ | |
f05da2e8 | 3990 | filter_test == FTEST_NONE)) /* Not testing a filter */ |
059ec3d9 PH |
3991 | { |
3992 | sender_address = originator_login; | |
3993 | sender_address_forced = FALSE; | |
3994 | sender_address_domain = 0; | |
3995 | } | |
3996 | } | |
3997 | ||
3998 | /* Remember whether an untrusted caller set the sender address */ | |
3999 | ||
4000 | sender_set_untrusted = sender_address != originator_login && !trusted_caller; | |
4001 | ||
4002 | /* Ensure that the sender address is fully qualified unless it is the empty | |
4003 | address, which indicates an error message, or doesn't exist (root caller, smtp | |
4004 | interface, no -f argument). */ | |
4005 | ||
4006 | if (sender_address != NULL && sender_address[0] != 0 && | |
4007 | sender_address_domain == 0) | |
4008 | sender_address = string_sprintf("%s@%s", local_part_quote(sender_address), | |
4009 | qualify_domain_sender); | |
4010 | ||
4011 | DEBUG(D_receive) debug_printf("sender address = %s\n", sender_address); | |
4012 | ||
4013 | /* Handle a request to verify a list of addresses, or test them for delivery. | |
4014 | This must follow the setting of the sender address, since routers can be | |
4015 | predicated upon the sender. If no arguments are given, read addresses from | |
4016 | stdin. Set debug_level to at least D_v to get full output for address testing. | |
4017 | */ | |
4018 | ||
4019 | if (verify_address_mode || address_test_mode) | |
4020 | { | |
4021 | int exit_value = 0; | |
4022 | int flags = vopt_qualify; | |
4023 | ||
4024 | if (verify_address_mode) | |
4025 | { | |
4026 | if (!verify_as_sender) flags |= vopt_is_recipient; | |
4027 | DEBUG(D_verify) debug_print_ids(US"Verifying:"); | |
4028 | } | |
4029 | ||
4030 | else | |
4031 | { | |
4032 | flags |= vopt_is_recipient; | |
4033 | debug_selector |= D_v; | |
4034 | debug_file = stderr; | |
4035 | debug_fd = fileno(debug_file); | |
4036 | DEBUG(D_verify) debug_print_ids(US"Address testing:"); | |
4037 | } | |
4038 | ||
4039 | if (recipients_arg < argc) | |
4040 | { | |
4041 | while (recipients_arg < argc) | |
4042 | { | |
4043 | uschar *s = argv[recipients_arg++]; | |
4044 | while (*s != 0) | |
4045 | { | |
4046 | BOOL finished = FALSE; | |
4047 | uschar *ss = parse_find_address_end(s, FALSE); | |
4048 | if (*ss == ',') *ss = 0; else finished = TRUE; | |
4049 | test_address(s, flags, &exit_value); | |
4050 | s = ss; | |
4051 | if (!finished) | |
4052 | while (*(++s) != 0 && (*s == ',' || isspace(*s))); | |
4053 | } | |
4054 | } | |
4055 | } | |
4056 | ||
4057 | else for (;;) | |
4058 | { | |
4059 | uschar *s = get_stdinput(NULL, NULL); | |
4060 | if (s == NULL) break; | |
4061 | test_address(s, flags, &exit_value); | |
4062 | } | |
4063 | ||
4064 | route_tidyup(); | |
4065 | exim_exit(exit_value); | |
4066 | } | |
4067 | ||
4068 | /* Handle expansion checking */ | |
4069 | ||
4070 | if (expansion_test) | |
4071 | { | |
4072 | if (recipients_arg < argc) | |
4073 | { | |
4074 | while (recipients_arg < argc) | |
4075 | { | |
4076 | uschar *s = argv[recipients_arg++]; | |
4077 | uschar *ss = expand_string(s); | |
4078 | if (ss == NULL) | |
4079 | printf ("Failed: %s\n", expand_string_message); | |
4080 | else printf("%s\n", CS ss); | |
4081 | } | |
4082 | } | |
4083 | ||
4084 | /* Read stdin */ | |
4085 | ||
4086 | else | |
4087 | { | |
4088 | char *(*fn_readline)(char *) = NULL; | |
4089 | char *(*fn_addhist)(char *) = NULL; | |
4090 | ||
4091 | #ifdef USE_READLINE | |
4092 | void *dlhandle = set_readline(&fn_readline, &fn_addhist); | |
4093 | #endif | |
4094 | ||
4095 | for (;;) | |
4096 | { | |
4097 | uschar *ss; | |
4098 | uschar *source = get_stdinput(fn_readline, fn_addhist); | |
4099 | if (source == NULL) break; | |
4100 | ss = expand_string(source); | |
4101 | if (ss == NULL) | |
4102 | printf ("Failed: %s\n", expand_string_message); | |
4103 | else printf("%s\n", CS ss); | |
4104 | } | |
4105 | ||
4106 | #ifdef USE_READLINE | |
4107 | if (dlhandle != NULL) dlclose(dlhandle); | |
4108 | #endif | |
4109 | } | |
4110 | ||
4111 | exim_exit(EXIT_SUCCESS); | |
4112 | } | |
4113 | ||
4114 | ||
4115 | /* The active host name is normally the primary host name, but it can be varied | |
4116 | for hosts that want to play several parts at once. We need to ensure that it is | |
4117 | set for host checking, and for receiving messages. */ | |
4118 | ||
4119 | smtp_active_hostname = primary_hostname; | |
4120 | if (raw_active_hostname != NULL) | |
4121 | { | |
4122 | uschar *nah = expand_string(raw_active_hostname); | |
4123 | if (nah == NULL) | |
4124 | { | |
4125 | if (!expand_string_forcedfail) | |
4126 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand \"%s\" " | |
4127 | "(smtp_active_hostname): %s", raw_active_hostname, | |
4128 | expand_string_message); | |
4129 | } | |
4130 | else if (nah[0] != 0) smtp_active_hostname = nah; | |
4131 | } | |
4132 | ||
4133 | /* Handle host checking: this facility mocks up an incoming SMTP call from a | |
4134 | given IP address so that the blocking and relay configuration can be tested. An | |
4135 | RFC 1413 call is made only if we are running in the test harness and an | |
4136 | incoming interface and both ports are specified, because there is no TCP/IP | |
4137 | call to find the ident for. */ | |
4138 | ||
4139 | if (host_checking) | |
4140 | { | |
8e669ac1 | 4141 | int x[4]; |
6f0c9a4f | 4142 | int size; |
8e669ac1 | 4143 | |
059ec3d9 PH |
4144 | sender_ident = NULL; |
4145 | if (running_in_test_harness && sender_host_port != 0 && | |
4146 | interface_address != NULL && interface_port != 0) | |
4147 | verify_get_ident(1413); | |
8e669ac1 | 4148 | |
6f0c9a4f PH |
4149 | /* In case the given address is a non-canonical IPv6 address, canonicize |
4150 | it. The code works for both IPv4 and IPv6, as it happens. */ | |
8e669ac1 | 4151 | |
6f0c9a4f PH |
4152 | size = host_aton(sender_host_address, x); |
4153 | sender_host_address = store_get(48); /* large enough for full IPv6 */ | |
4154 | (void)host_nmtoa(size, x, -1, sender_host_address, ':'); | |
4155 | ||
4156 | /* Now set up for testing */ | |
059ec3d9 PH |
4157 | |
4158 | host_build_sender_fullhost(); | |
4159 | smtp_input = TRUE; | |
4160 | smtp_in = stdin; | |
4161 | smtp_out = stdout; | |
4162 | sender_local = FALSE; | |
4163 | sender_host_notsocket = TRUE; | |
4164 | debug_file = stderr; | |
4165 | debug_fd = fileno(debug_file); | |
4166 | fprintf(stdout, "\n**** SMTP testing session as if from host %s\n" | |
4167 | "**** but without any ident (RFC 1413) callback.\n" | |
4168 | "**** This is not for real!\n\n", | |
4169 | sender_host_address); | |
4170 | ||
4171 | if (verify_check_host(&hosts_connection_nolog) == OK) | |
4172 | log_write_selector &= ~L_smtp_connection; | |
4173 | log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info()); | |
4174 | ||
4175 | if (smtp_start_session()) | |
4176 | { | |
4177 | reset_point = store_get(0); | |
4178 | for (;;) | |
4179 | { | |
4180 | store_reset(reset_point); | |
4181 | if (smtp_setup_msg() <= 0) break; | |
4182 | if (!receive_msg(FALSE)) break; | |
4183 | } | |
4184 | } | |
4185 | exim_exit(EXIT_SUCCESS); | |
4186 | } | |
4187 | ||
4188 | ||
4189 | /* Arrange for message reception if recipients or SMTP were specified; | |
4190 | otherwise complain unless a version print (-bV) happened or this is a filter | |
4191 | verification test. In the former case, show the configuration file name. */ | |
4192 | ||
4193 | if (recipients_arg >= argc && !extract_recipients && !smtp_input) | |
4194 | { | |
4195 | if (version_printed) | |
4196 | { | |
4197 | printf("Configuration file is %s\n", config_main_filename); | |
4198 | return EXIT_SUCCESS; | |
4199 | } | |
f05da2e8 | 4200 | if (filter_test == FTEST_NONE) |
059ec3d9 PH |
4201 | { |
4202 | fprintf(stderr, | |
4203 | "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n" | |
4204 | "not directly from a shell command line. Options and/or arguments control\n" | |
4205 | "what it does when called. For a list of options, see the Exim documentation.\n"); | |
4206 | return EXIT_FAILURE; | |
4207 | } | |
4208 | } | |
4209 | ||
4210 | ||
4211 | /* If mua_wrapper is set, Exim is being used to turn an MUA that submits on the | |
4212 | standard input into an MUA that submits to a smarthost over TCP/IP. We know | |
4213 | that we are not called from inetd, because that is rejected above. The | |
4214 | following configuration settings are forced here: | |
4215 | ||
4216 | (1) Synchronous delivery (-odi) | |
4217 | (2) Errors to stderr (-oep == -oeq) | |
4218 | (3) No parallel remote delivery | |
4219 | (4) Unprivileged delivery | |
4220 | ||
4221 | We don't force overall queueing options because there are several of them; | |
4222 | instead, queueing is avoided below when mua_wrapper is set. However, we do need | |
4223 | to override any SMTP queueing. */ | |
4224 | ||
4225 | if (mua_wrapper) | |
4226 | { | |
4227 | synchronous_delivery = TRUE; | |
4228 | arg_error_handling = ERRORS_STDERR; | |
4229 | remote_max_parallel = 1; | |
4230 | deliver_drop_privilege = TRUE; | |
4231 | queue_smtp = FALSE; | |
4232 | queue_smtp_domains = NULL; | |
4233 | } | |
4234 | ||
4235 | ||
4236 | /* Prepare to accept one or more new messages on the standard input. When a | |
4237 | message has been read, its id is returned in message_id[]. If doing immediate | |
4238 | delivery, we fork a delivery process for each received message, except for the | |
4239 | last one, where we can save a process switch. | |
4240 | ||
4241 | It is only in non-smtp mode that error_handling is allowed to be changed from | |
4242 | its default of ERRORS_SENDER by argument. (Idle thought: are any of the | |
4243 | sendmail error modes other than -oem ever actually used? Later: yes.) */ | |
4244 | ||
4245 | if (!smtp_input) error_handling = arg_error_handling; | |
4246 | ||
4247 | /* If this is an inetd call, ensure that stderr is closed to prevent panic | |
4248 | logging being sent down the socket and make an identd call to get the | |
4249 | sender_ident. */ | |
4250 | ||
4251 | else if (is_inetd) | |
4252 | { | |
4253 | fclose(stderr); | |
4254 | exim_nullstd(); /* Re-open to /dev/null */ | |
4255 | verify_get_ident(IDENT_PORT); | |
4256 | host_build_sender_fullhost(); | |
4257 | set_process_info("handling incoming connection from %s via inetd", | |
4258 | sender_fullhost); | |
4259 | } | |
4260 | ||
4261 | /* If the sender host address has been set, build sender_fullhost if it hasn't | |
4262 | already been done (which it will have been for inetd). This caters for the | |
4263 | case when it is forced by -oMa. However, we must flag that it isn't a socket, | |
4264 | so that the test for IP options is skipped for -bs input. */ | |
4265 | ||
4266 | if (sender_host_address != NULL && sender_fullhost == NULL) | |
4267 | { | |
4268 | host_build_sender_fullhost(); | |
4269 | set_process_info("handling incoming connection from %s via -oMa", | |
4270 | sender_fullhost); | |
4271 | sender_host_notsocket = TRUE; | |
4272 | } | |
4273 | ||
4274 | /* Otherwise, set the sender host as unknown except for inetd calls. This | |
4275 | prevents host checking in the case of -bs not from inetd and also for -bS. */ | |
4276 | ||
4277 | else if (!is_inetd) sender_host_unknown = TRUE; | |
4278 | ||
4279 | /* If stdout does not exist, then dup stdin to stdout. This can happen | |
4280 | if exim is started from inetd. In this case fd 0 will be set to the socket, | |
4281 | but fd 1 will not be set. This also happens for passed SMTP channels. */ | |
4282 | ||
4283 | if (fstat(1, &statbuf) < 0) dup2(0, 1); | |
4284 | ||
4285 | /* Set up the incoming protocol name and the state of the program. Root | |
4286 | is allowed to force received protocol via the -oMr option above, and if we are | |
4287 | in a non-local SMTP state it means we have come via inetd and the process info | |
4288 | has already been set up. We don't set received_protocol here for smtp input, | |
4289 | as it varies according to batch/HELO/EHLO/AUTH/TLS. */ | |
4290 | ||
4291 | if (smtp_input) | |
4292 | { | |
4293 | if (sender_local) set_process_info("accepting a local SMTP message from <%s>", | |
4294 | sender_address); | |
4295 | } | |
4296 | else | |
4297 | { | |
4298 | if (received_protocol == NULL) | |
4299 | received_protocol = string_sprintf("local%s", called_as); | |
4300 | set_process_info("accepting a local non-SMTP message from <%s>", | |
4301 | sender_address); | |
4302 | } | |
4303 | ||
4304 | /* Initialize the local_queue-only flag (this will be ignored if mua_wrapper is | |
4305 | set) */ | |
4306 | ||
4307 | queue_check_only(); | |
4308 | local_queue_only = queue_only; | |
4309 | ||
4310 | /* For non-SMTP and for batched SMTP input, check that there is enough space on | |
4311 | the spool if so configured. On failure, we must not attempt to send an error | |
4312 | message! (For interactive SMTP, the check happens at MAIL FROM and an SMTP | |
4313 | error code is given.) */ | |
4314 | ||
4315 | if ((!smtp_input || smtp_batched_input) && !receive_check_fs(0)) | |
4316 | { | |
4317 | fprintf(stderr, "exim: insufficient disk space\n"); | |
4318 | return EXIT_FAILURE; | |
4319 | } | |
4320 | ||
4321 | /* If this is smtp input of any kind, handle the start of the SMTP | |
4322 | session. */ | |
4323 | ||
4324 | if (smtp_input) | |
4325 | { | |
4326 | smtp_in = stdin; | |
4327 | smtp_out = stdout; | |
4328 | if (verify_check_host(&hosts_connection_nolog) == OK) | |
4329 | log_write_selector &= ~L_smtp_connection; | |
4330 | log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info()); | |
4331 | if (!smtp_start_session()) | |
4332 | { | |
4333 | mac_smtp_fflush(); | |
4334 | exim_exit(EXIT_SUCCESS); | |
4335 | } | |
4336 | } | |
4337 | ||
4338 | /* Otherwise, set up the input size limit here */ | |
4339 | ||
4340 | else | |
4341 | { | |
4342 | thismessage_size_limit = expand_string_integer(message_size_limit); | |
4343 | if (thismessage_size_limit < 0) | |
4344 | { | |
4345 | if (thismessage_size_limit == -1) | |
4346 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand " | |
4347 | "message_size_limit: %s", expand_string_message); | |
4348 | else | |
4349 | log_write(0, LOG_MAIN|LOG_PANIC_DIE, "invalid value for " | |
4350 | "message_size_limit: %s", expand_string_message); | |
4351 | } | |
4352 | } | |
4353 | ||
4354 | /* Loop for several messages when reading SMTP input. If we fork any child | |
4355 | processes, we don't want to wait for them unless synchronous delivery is | |
4356 | requested, so set SIGCHLD to SIG_IGN in that case. This is not necessarily the | |
4357 | same as SIG_DFL, despite the fact that documentation often lists the default as | |
4358 | "ignore". This is a confusing area. This is what I know: | |
4359 | ||
4360 | At least on some systems (e.g. Solaris), just setting SIG_IGN causes child | |
4361 | processes that complete simply to go away without ever becoming defunct. You | |
4362 | can't then wait for them - but we don't want to wait for them in the | |
4363 | non-synchronous delivery case. However, this behaviour of SIG_IGN doesn't | |
4364 | happen for all OS (e.g. *BSD is different). | |
4365 | ||
4366 | But that's not the end of the story. Some (many? all?) systems have the | |
4367 | SA_NOCLDWAIT option for sigaction(). This requests the behaviour that Solaris | |
4368 | has by default, so it seems that the difference is merely one of default | |
4369 | (compare restarting vs non-restarting signals). | |
4370 | ||
4371 | To cover all cases, Exim sets SIG_IGN with SA_NOCLDWAIT here if it can. If not, | |
4372 | it just sets SIG_IGN. To be on the safe side it also calls waitpid() at the end | |
4373 | of the loop below. Paranoia rules. | |
4374 | ||
4375 | February 2003: That's *still* not the end of the story. There are now versions | |
4376 | of Linux (where SIG_IGN does work) that are picky. If, having set SIG_IGN, a | |
4377 | process then calls waitpid(), a grumble is written to the system log, because | |
4378 | this is logically inconsistent. In other words, it doesn't like the paranoia. | |
4379 | As a consequenc of this, the waitpid() below is now excluded if we are sure | |
4380 | that SIG_IGN works. */ | |
4381 | ||
4382 | if (!synchronous_delivery) | |
4383 | { | |
4384 | #ifdef SA_NOCLDWAIT | |
4385 | struct sigaction act; | |
4386 | act.sa_handler = SIG_IGN; | |
4387 | sigemptyset(&(act.sa_mask)); | |
4388 | act.sa_flags = SA_NOCLDWAIT; | |
4389 | sigaction(SIGCHLD, &act, NULL); | |
4390 | #else | |
4391 | signal(SIGCHLD, SIG_IGN); | |
4392 | #endif | |
4393 | } | |
4394 | ||
4395 | /* Save the current store pool point, for resetting at the start of | |
4396 | each message, and save the real sender address, if any. */ | |
4397 | ||
4398 | reset_point = store_get(0); | |
4399 | real_sender_address = sender_address; | |
4400 | ||
4401 | /* Loop to receive messages; receive_msg() returns TRUE if there are more | |
4402 | messages to be read (SMTP input), or FALSE otherwise (not SMTP, or SMTP channel | |
4403 | collapsed). */ | |
4404 | ||
4405 | while (more) | |
4406 | { | |
4407 | store_reset(reset_point); | |
4408 | message_id[0] = 0; | |
4409 | ||
4410 | /* In the SMTP case, we have to handle the initial SMTP input and build the | |
4411 | recipients list, before calling receive_msg() to read the message proper. | |
4412 | Whatever sender address is actually given in the SMTP transaction is | |
4413 | actually ignored for local senders - we use the actual sender, which is | |
4414 | normally either the underlying user running this process or a -f argument | |
4415 | provided by a trusted caller. It is saved in real_sender_address. | |
4416 | ||
4417 | However, if this value is NULL, we are dealing with a trusted caller when | |
4418 | -f was not used; in this case, the SMTP sender is allowed to stand. | |
4419 | ||
4420 | Also, if untrusted_set_sender is set, we permit sender addresses that match | |
4421 | anything in its list. | |
4422 | ||
4423 | The variable raw_sender_address holds the sender address before rewriting. */ | |
4424 | ||
4425 | if (smtp_input) | |
4426 | { | |
4427 | int rc; | |
4428 | if ((rc = smtp_setup_msg()) > 0) | |
4429 | { | |
4430 | if (real_sender_address != NULL && | |
4431 | !receive_check_set_sender(sender_address)) | |
4432 | { | |
4433 | sender_address = raw_sender = real_sender_address; | |
4434 | sender_address_unrewritten = NULL; | |
4435 | } | |
4436 | more = receive_msg(extract_recipients); | |
4437 | if (message_id[0] == 0) | |
4438 | { | |
4439 | if (more) continue; | |
4440 | exim_exit(EXIT_FAILURE); | |
4441 | } | |
4442 | } | |
4443 | else exim_exit((rc == 0)? EXIT_SUCCESS : EXIT_FAILURE); | |
4444 | } | |
4445 | ||
4446 | /* In the non-SMTP case, we have all the information from the command | |
4447 | line, but must process it in case it is in the more general RFC822 | |
4448 | format, and in any case, to detect syntax errors. Also, it appears that | |
4449 | the use of comma-separated lists as single arguments is common, so we | |
4450 | had better support them. */ | |
4451 | ||
4452 | else | |
4453 | { | |
4454 | int i; | |
4455 | int rcount = 0; | |
4456 | int count = argc - recipients_arg; | |
4457 | uschar **list = argv + recipients_arg; | |
eb2c0248 | 4458 | |
69358f02 | 4459 | /* These options cannot be changed dynamically for non-SMTP messages */ |
eb2c0248 | 4460 | |
69358f02 | 4461 | active_local_sender_retain = local_sender_retain; |
eb2c0248 | 4462 | active_local_from_check = local_from_check; |
059ec3d9 PH |
4463 | |
4464 | /* Save before any rewriting */ | |
4465 | ||
4466 | raw_sender = string_copy(sender_address); | |
4467 | ||
4468 | /* Loop for each argument */ | |
4469 | ||
4470 | for (i = 0; i < count; i++) | |
4471 | { | |
4472 | int start, end, domain; | |
4473 | uschar *errmess; | |
4474 | uschar *s = list[i]; | |
4475 | ||
4476 | /* Loop for each comma-separated address */ | |
4477 | ||
4478 | while (*s != 0) | |
4479 | { | |
4480 | BOOL finished = FALSE; | |
4481 | uschar *recipient; | |
4482 | uschar *ss = parse_find_address_end(s, FALSE); | |
4483 | ||
4484 | if (*ss == ',') *ss = 0; else finished = TRUE; | |
4485 | ||
4486 | /* Check max recipients - if -t was used, these aren't recipients */ | |
4487 | ||
4488 | if (recipients_max > 0 && ++rcount > recipients_max && | |
4489 | !extract_recipients) | |
4490 | { | |
4491 | if (error_handling == ERRORS_STDERR) | |
4492 | { | |
4493 | fprintf(stderr, "exim: too many recipients\n"); | |
4494 | exim_exit(EXIT_FAILURE); | |
4495 | } | |
4496 | else | |
4497 | { | |
4498 | return | |
4499 | moan_to_sender(ERRMESS_TOOMANYRECIP, NULL, NULL, stdin, TRUE)? | |
4500 | errors_sender_rc : EXIT_FAILURE; | |
4501 | } | |
4502 | } | |
4503 | ||
4504 | recipient = | |
4505 | parse_extract_address(s, &errmess, &start, &end, &domain, FALSE); | |
4506 | ||
4507 | if (domain == 0 && !allow_unqualified_recipient) | |
4508 | { | |
4509 | recipient = NULL; | |
4510 | errmess = US"unqualified recipient address not allowed"; | |
4511 | } | |
4512 | ||
4513 | if (recipient == NULL) | |
4514 | { | |
4515 | if (error_handling == ERRORS_STDERR) | |
4516 | { | |
4517 | fprintf(stderr, "exim: bad recipient address \"%s\": %s\n", | |
4518 | string_printing(list[i]), errmess); | |
4519 | exim_exit(EXIT_FAILURE); | |
4520 | } | |
4521 | else | |
4522 | { | |
4523 | error_block eblock; | |
4524 | eblock.next = NULL; | |
4525 | eblock.text1 = string_printing(list[i]); | |
4526 | eblock.text2 = errmess; | |
4527 | return | |
4528 | moan_to_sender(ERRMESS_BADARGADDRESS, &eblock, NULL, stdin, TRUE)? | |
4529 | errors_sender_rc : EXIT_FAILURE; | |
4530 | } | |
4531 | } | |
4532 | ||
4533 | receive_add_recipient(recipient, -1); | |
4534 | s = ss; | |
4535 | if (!finished) | |
4536 | while (*(++s) != 0 && (*s == ',' || isspace(*s))); | |
4537 | } | |
4538 | } | |
4539 | ||
4540 | /* Show the recipients when debugging */ | |
4541 | ||
4542 | DEBUG(D_receive) | |
4543 | { | |
4544 | int i; | |
4545 | if (sender_address != NULL) debug_printf("Sender: %s\n", sender_address); | |
4546 | if (recipients_list != NULL) | |
4547 | { | |
4548 | debug_printf("Recipients:\n"); | |
4549 | for (i = 0; i < recipients_count; i++) | |
4550 | debug_printf(" %s\n", recipients_list[i].address); | |
4551 | } | |
4552 | } | |
4553 | ||
f05da2e8 PH |
4554 | /* Read the data for the message. If filter_test is not FTEST_NONE, this |
4555 | will just read the headers for the message, and not write anything onto the | |
4556 | spool. */ | |
059ec3d9 PH |
4557 | |
4558 | message_ended = END_NOTENDED; | |
4559 | more = receive_msg(extract_recipients); | |
4560 | ||
4561 | /* more is always FALSE here (not SMTP message) when reading a message | |
4562 | for real; when reading the headers of a message for filter testing, | |
4563 | it is TRUE if the headers were terminated by '.' and FALSE otherwise. */ | |
4564 | ||
4565 | if (message_id[0] == 0) exim_exit(EXIT_FAILURE); | |
4566 | } /* Non-SMTP message reception */ | |
4567 | ||
4568 | /* If this is a filter testing run, there are headers in store, but | |
4569 | no message on the spool. Run the filtering code in testing mode, setting | |
4570 | the domain to the qualify domain and the local part to the current user, | |
4571 | unless they have been set by options. The prefix and suffix are left unset | |
4572 | unless specified. The the return path is set to to the sender unless it has | |
4573 | already been set from a return-path header in the message. */ | |
4574 | ||
f05da2e8 | 4575 | if (filter_test != FTEST_NONE) |
059ec3d9 PH |
4576 | { |
4577 | deliver_domain = (ftest_domain != NULL)? | |
4578 | ftest_domain : qualify_domain_recipient; | |
4579 | deliver_domain_orig = deliver_domain; | |
4580 | deliver_localpart = (ftest_localpart != NULL)? | |
4581 | ftest_localpart : originator_login; | |
4582 | deliver_localpart_orig = deliver_localpart; | |
4583 | deliver_localpart_prefix = ftest_prefix; | |
4584 | deliver_localpart_suffix = ftest_suffix; | |
4585 | deliver_home = originator_home; | |
4586 | ||
4587 | if (return_path == NULL) | |
4588 | { | |
4589 | printf("Return-path copied from sender\n"); | |
4590 | return_path = string_copy(sender_address); | |
4591 | } | |
4592 | else | |
4593 | { | |
4594 | printf("Return-path = %s\n", (return_path[0] == 0)? US"<>" : return_path); | |
4595 | } | |
4596 | printf("Sender = %s\n", (sender_address[0] == 0)? US"<>" : sender_address); | |
4597 | ||
4598 | receive_add_recipient( | |
4599 | string_sprintf("%s%s%s@%s", | |
4600 | (ftest_prefix == NULL)? US"" : ftest_prefix, | |
4601 | deliver_localpart, | |
4602 | (ftest_suffix == NULL)? US"" : ftest_suffix, | |
4603 | deliver_domain), -1); | |
4604 | ||
4605 | printf("Recipient = %s\n", recipients_list[0].address); | |
4606 | if (ftest_prefix != NULL) printf("Prefix = %s\n", ftest_prefix); | |
4607 | if (ftest_suffix != NULL) printf("Suffix = %s\n", ftest_suffix); | |
4608 | ||
4609 | chdir("/"); /* Get away from wherever the user is running this from */ | |
8e669ac1 PH |
4610 | |
4611 | /* Now we run either a system filter test, or a user filter test, or both. | |
4612 | In the latter case, headers added by the system filter will persist and be | |
4613 | available to the user filter. We need to copy the filter variables | |
f05da2e8 | 4614 | explicitly. */ |
8e669ac1 | 4615 | |
f05da2e8 PH |
4616 | if ((filter_test & FTEST_SYSTEM) != 0) |
4617 | { | |
4618 | if (!filter_runtest(filter_sfd, filter_test_sfile, TRUE, more)) | |
4619 | exim_exit(EXIT_FAILURE); | |
8e669ac1 PH |
4620 | } |
4621 | ||
f05da2e8 | 4622 | memcpy(filter_sn, filter_n, sizeof(filter_sn)); |
8e669ac1 | 4623 | |
f05da2e8 PH |
4624 | if ((filter_test & FTEST_USER) != 0) |
4625 | { | |
4626 | if (!filter_runtest(filter_ufd, filter_test_ufile, FALSE, more)) | |
4627 | exim_exit(EXIT_FAILURE); | |
8e669ac1 PH |
4628 | } |
4629 | ||
f05da2e8 | 4630 | exim_exit(EXIT_SUCCESS); |
059ec3d9 PH |
4631 | } |
4632 | ||
4633 | /* Else act on the result of message reception. We should not get here unless | |
4634 | message_id[0] is non-zero. If queue_only is set, local_queue_only will be | |
4635 | TRUE. If it is not, check on the number of messages received in this | |
4636 | connection. If that's OK and queue_only_load is set, check that the load | |
4637 | average is below it. If it is not, set local_queue_only TRUE. Note that it | |
4638 | then remains this way for any subsequent messages on the same SMTP connection. | |
4639 | This is a deliberate choice; even though the load average may fall, it | |
4640 | doesn't seem right to deliver later messages on the same call when not | |
4641 | delivering earlier ones. */ | |
4642 | ||
4643 | if (!local_queue_only) | |
4644 | { | |
4645 | if (smtp_accept_queue_per_connection > 0 && | |
4646 | receive_messagecount > smtp_accept_queue_per_connection) | |
4647 | { | |
4648 | local_queue_only = TRUE; | |
4649 | queue_only_reason = 2; | |
4650 | } | |
4651 | else if (queue_only_load >= 0) | |
4652 | { | |
4653 | local_queue_only = (load_average = os_getloadavg()) > queue_only_load; | |
4654 | if (local_queue_only) queue_only_reason = 3; | |
4655 | } | |
4656 | } | |
4657 | ||
4658 | /* If running as an MUA wrapper, all queueing options and freezing options | |
4659 | are ignored. */ | |
4660 | ||
4661 | if (mua_wrapper) | |
4662 | local_queue_only = queue_only_policy = deliver_freeze = FALSE; | |
4663 | ||
4664 | /* Log the queueing here, when it will get a message id attached, but | |
4665 | not if queue_only is set (case 0). Case 1 doesn't happen here (too many | |
4666 | connections). */ | |
4667 | ||
4668 | if (local_queue_only) switch(queue_only_reason) | |
4669 | { | |
4670 | case 2: | |
4671 | log_write(L_delay_delivery, | |
4672 | LOG_MAIN, "no immediate delivery: more than %d messages " | |
4673 | "received in one connection", smtp_accept_queue_per_connection); | |
4674 | break; | |
4675 | ||
4676 | case 3: | |
4677 | log_write(L_delay_delivery, | |
4678 | LOG_MAIN, "no immediate delivery: load average %.2f", | |
4679 | (double)load_average/1000.0); | |
4680 | break; | |
4681 | } | |
4682 | ||
4683 | /* Else do the delivery unless the ACL or local_scan() called for queue only | |
4684 | or froze the message. Always deliver in a separate process. A fork failure is | |
4685 | not a disaster, as the delivery will eventually happen on a subsequent queue | |
eb2c0248 PH |
4686 | run. The search cache must be tidied before the fork, as the parent will |
4687 | do it before exiting. The child will trigger a lookup failure and | |
4688 | thereby defer the delivery if it tries to use (for example) a cached ldap | |
4689 | connection that the parent has called unbind on. */ | |
059ec3d9 PH |
4690 | |
4691 | else if (!queue_only_policy && !deliver_freeze) | |
4692 | { | |
4693 | pid_t pid; | |
eb2c0248 PH |
4694 | search_tidyup(); |
4695 | ||
059ec3d9 PH |
4696 | if ((pid = fork()) == 0) |
4697 | { | |
4698 | int rc; | |
4699 | close_unwanted(); /* Close unwanted file descriptors and TLS */ | |
4700 | exim_nullstd(); /* Ensure std{in,out,err} exist */ | |
4701 | ||
4702 | /* Re-exec Exim if we need to regain privilege (note: in mua_wrapper | |
4703 | mode, deliver_drop_privilege is forced TRUE). */ | |
4704 | ||
4705 | if (geteuid() != root_uid && !deliver_drop_privilege && !unprivileged) | |
4706 | { | |
4707 | (void)child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 2, US"-Mc", | |
4708 | message_id); | |
4709 | /* Control does not return here. */ | |
4710 | } | |
4711 | ||
4712 | /* No need to re-exec */ | |
4713 | ||
4714 | rc = deliver_message(message_id, FALSE, FALSE); | |
4715 | search_tidyup(); | |
4716 | _exit((!mua_wrapper || rc == DELIVER_MUA_SUCCEEDED)? | |
4717 | EXIT_SUCCESS : EXIT_FAILURE); | |
4718 | } | |
4719 | ||
4720 | if (pid < 0) | |
4721 | { | |
4722 | log_write(0, LOG_MAIN|LOG_PANIC, "failed to fork automatic delivery " | |
4723 | "process: %s", strerror(errno)); | |
4724 | } | |
4725 | ||
4726 | /* In the parent, wait if synchronous delivery is required. This will | |
4727 | always be the case in MUA wrapper mode. */ | |
4728 | ||
4729 | else if (synchronous_delivery) | |
4730 | { | |
4731 | int status; | |
4732 | while (wait(&status) != pid); | |
4733 | if ((status & 0x00ff) != 0) | |
4734 | log_write(0, LOG_MAIN|LOG_PANIC, | |
4735 | "process %d crashed with signal %d while delivering %s", | |
4736 | (int)pid, status & 0x00ff, message_id); | |
4737 | if (mua_wrapper && (status & 0xffff) != 0) exim_exit(EXIT_FAILURE); | |
4738 | } | |
4739 | } | |
4740 | ||
4741 | /* The loop will repeat if more is TRUE. If we do not know know that the OS | |
4742 | automatically reaps children (see comments above the loop), clear away any | |
4743 | finished subprocesses here, in case there are lots of messages coming in | |
4744 | from the same source. */ | |
4745 | ||
4746 | #ifndef SIG_IGN_WORKS | |
4747 | while (waitpid(-1, NULL, WNOHANG) > 0); | |
4748 | #endif | |
4749 | } | |
4750 | ||
4751 | exim_exit(EXIT_SUCCESS); /* Never returns */ | |
4752 | return 0; /* To stop compiler warning */ | |
4753 | } | |
4754 | ||
4755 | /* End of exim.c */ |