1 /* $Cambridge: exim/src/src/spool_in.c,v 1.2 2004/12/16 15:11:47 tom Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2004 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* Functions for reading spool files. When compiling for a utility (eximon),
11 not all are needed, and some functionality can be cut out. */
18 #ifndef COMPILE_UTILITY
19 /*************************************************
20 * Open and lock data file *
21 *************************************************/
23 /* The data file is the one that is used for locking, because the header file
24 can get replaced during delivery because of header rewriting. The file has
25 to opened with write access so that we can get an exclusive lock, but in
26 fact it won't be written to. Just in case there's a major disaster (e.g.
27 overwriting some other file descriptor with the value of this one), open it
30 Argument: the id of the message
31 Returns: TRUE if file successfully opened and locked
33 Side effect: deliver_datafile is set to the fd of the open file.
37 spool_open_datafile(uschar
*id
)
42 uschar spoolname
[256];
44 /* If split_spool_directory is set, first look for the file in the appropriate
45 sub-directory of the input directory. If it is not found there, try the input
46 directory itself, to pick up leftovers from before the splitting. If split_
47 spool_directory is not set, first look in the main input directory. If it is
48 not found there, try the split sub-directory, in case it is left over from a
51 for (i
= 0; i
< 2; i
++)
54 message_subdir
[0] = (split_spool_directory
== (i
== 0))? id
[5] : 0;
55 sprintf(CS spoolname
, "%s/input/%s/%s-D", spool_directory
, message_subdir
, id
);
56 deliver_datafile
= Uopen(spoolname
, O_RDWR
| O_APPEND
, 0);
57 if (deliver_datafile
>= 0) break;
63 log_write(0, LOG_MAIN
, "Spool file %s-D not found", id
);
65 else log_write(0, LOG_MAIN
, "Spool error for %s: %s", spoolname
,
71 /* File is open and message_subdir is set. Set the close-on-exec flag, and lock
72 the file. We lock only the first line of the file (containing the message ID)
73 because this apparently is needed for running Exim under Cygwin. If the entire
74 file is locked in one process, a sub-process cannot access it, even when passed
75 an open file descriptor (at least, I think that's the Cygwin story). On real
76 Unix systems it doesn't make any difference as long as Exim is consistent in
79 fcntl(deliver_datafile
, F_SETFD
, fcntl(deliver_datafile
, F_GETFD
) |
82 lock_data
.l_type
= F_WRLCK
;
83 lock_data
.l_whence
= SEEK_SET
;
84 lock_data
.l_start
= 0;
85 lock_data
.l_len
= SPOOL_DATA_START_OFFSET
;
87 if (fcntl(deliver_datafile
, F_SETLK
, &lock_data
) < 0)
89 log_write(L_skip_delivery
,
91 "Spool file is locked (another process is handling this message)");
92 close(deliver_datafile
);
93 deliver_datafile
= -1;
98 /* Get the size of the data; don't include the leading filename line
99 in the count, but add one for the newline before the data. */
101 if (fstat(deliver_datafile
, &statbuf
) == 0)
103 message_body_size
= statbuf
.st_size
- SPOOL_DATA_START_OFFSET
;
104 message_size
= message_body_size
+ 1;
109 #endif /* COMPILE_UTILITY */
113 /*************************************************
114 * Read non-recipients tree from spool file *
115 *************************************************/
117 /* The tree of non-recipients is written to the spool file in a form that
118 makes it easy to read back into a tree. The format is as follows:
120 . Each node is preceded by two letter(Y/N) indicating whether it has left
121 or right children. There's one space after the two flags, before the name.
123 . The left subtree (if any) then follows, then the right subtree (if any).
125 This function is entered with the next input line in the buffer. Note we must
126 save the right flag before recursing with the same buffer.
128 Once the tree is read, we re-construct the balance fields by scanning the tree.
129 I forgot to write them out originally, and the compatible fix is to do it this
130 way. This initial local recursing function does the necessary.
135 Returns: maximum depth below the node, including the node itself
139 count_below(tree_node
*node
)
142 if (node
== NULL
) return 0;
143 nleft
= count_below(node
->left
);
144 nright
= count_below(node
->right
);
145 node
->balance
= (nleft
> nright
)? 1 : ((nright
> nleft
)? 2 : 0);
146 return 1 + ((nleft
> nright
)? nleft
: nright
);
149 /* This is the real function...
152 connect pointer to the root of the tree
153 f FILE to read data from
154 buffer contains next input line; further lines read into it
155 buffer_size size of the buffer
157 Returns: FALSE on format error
161 read_nonrecipients_tree(tree_node
**connect
, FILE *f
, uschar
*buffer
,
165 int n
= Ustrlen(buffer
);
166 BOOL right
= buffer
[1] == 'Y';
168 if (n
< 5) return FALSE
; /* malformed line */
169 buffer
[n
-1] = 0; /* Remove \n */
170 node
= store_get(sizeof(tree_node
) + n
- 3);
172 Ustrcpy(node
->name
, buffer
+ 3);
173 node
->data
.ptr
= NULL
;
175 if (buffer
[0] == 'Y')
177 if (Ufgets(buffer
, buffer_size
, f
) == NULL
||
178 !read_nonrecipients_tree(&node
->left
, f
, buffer
, buffer_size
))
181 else node
->left
= NULL
;
185 if (Ufgets(buffer
, buffer_size
, f
) == NULL
||
186 !read_nonrecipients_tree(&node
->right
, f
, buffer
, buffer_size
))
189 else node
->right
= NULL
;
191 (void) count_below(*connect
);
198 /*************************************************
199 * Read spool header file *
200 *************************************************/
202 /* This function reads a spool header file and places the data into the
203 appropriate global variables. The header portion is always read, but header
204 structures are built only if read_headers is set true. It isn't, for example,
205 while generating -bp output.
207 It may be possible for blocks of nulls (binary zeroes) to get written on the
208 end of a file if there is a system crash during writing. It was observed on an
209 earlier version of Exim that omitted to fsync() the files - this is thought to
210 have been the cause of that incident, but in any case, this code must be robust
211 against such an event, and if such a file is encountered, it must be treated as
215 name name of the header file, including the -H
216 read_headers TRUE if in-store header structures are to be built
217 subdir_set TRUE is message_subdir is already set
219 Returns: spool_read_OK success
220 spool_read_notopen open failed
221 spool_read_enverror error in the envelope portion
222 spool_read_hdrdrror error in the header portion
226 spool_read_header(uschar
*name
, BOOL read_headers
, BOOL subdir_set
)
232 BOOL inheader
= FALSE
;
233 uschar originator
[64];
235 /* Reset all the global variables to their default values. However, there is
236 one exception. DO NOT change the default value of dont_deliver, because it may
237 be forced by an external setting. */
239 for (n
= 0; n
< ACL_C_MAX
+ ACL_M_MAX
; n
++) acl_var
[n
] = NULL
;
241 authenticated_id
= NULL
;
242 authenticated_sender
= NULL
;
243 allow_unqualified_recipient
= FALSE
;
244 allow_unqualified_sender
= FALSE
;
247 deliver_firsttime
= FALSE
;
248 deliver_freeze
= FALSE
;
249 deliver_frozen_at
= 0;
250 deliver_manual_thaw
= FALSE
;
251 /* dont_deliver must NOT be reset */
252 header_list
= header_last
= NULL
;
253 host_lookup_failed
= FALSE
;
254 interface_address
= NULL
;
256 local_error_message
= FALSE
;
257 local_scan_data
= NULL
;
258 message_linecount
= 0;
259 received_protocol
= NULL
;
261 recipients_list
= NULL
;
262 sender_address
= NULL
;
263 sender_fullhost
= NULL
;
264 sender_helo_name
= NULL
;
265 sender_host_address
= NULL
;
266 sender_host_name
= NULL
;
267 sender_host_port
= 0;
268 sender_host_authenticated
= NULL
;
270 sender_local
= FALSE
;
271 sender_set_untrusted
= FALSE
;
272 tree_nonrecipients
= NULL
;
274 #ifdef EXPERIMENTAL_BRIGHTMAIL
280 tls_certificate_verified
= FALSE
;
285 #ifdef WITH_CONTENT_SCAN
287 spam_score_int
= NULL
;
290 /* Generate the full name and open the file. If message_subdir is already
291 set, just look in the given directory. Otherwise, look in both the split
292 and unsplit directories, as for the data file above. */
294 for (n
= 0; n
< 2; n
++)
297 message_subdir
[0] = (split_spool_directory
== (n
== 0))? name
[5] : 0;
298 sprintf(CS big_buffer
, "%s/input/%s/%s", spool_directory
, message_subdir
,
300 f
= Ufopen(big_buffer
, "rb");
301 if (f
!= NULL
) break;
302 if (n
!= 0 || subdir_set
|| errno
!= ENOENT
) return spool_read_notopen
;
307 #ifndef COMPILE_UTILITY
308 DEBUG(D_deliver
) debug_printf("reading spool file %s\n", name
);
309 #endif /* COMPILE_UTILITY */
311 /* The first line of a spool file contains the message id followed by -H (i.e.
312 the file name), in order to make the file self-identifying. */
314 if (Ufgets(big_buffer
, big_buffer_size
, f
) == NULL
) goto SPOOL_READ_ERROR
;
315 if (Ustrlen(big_buffer
) != MESSAGE_ID_LENGTH
+ 3 ||
316 Ustrncmp(big_buffer
, name
, MESSAGE_ID_LENGTH
+ 2) != 0)
317 goto SPOOL_FORMAT_ERROR
;
319 /* The next three lines in the header file are in a fixed format. The first
320 contains the login, uid, and gid of the user who caused the file to be written.
321 The second contains the mail address of the message's sender, enclosed in <>.
322 The third contains the time the message was received, and the number of warning
323 messages for delivery delays that have been sent. */
325 if (Ufgets(big_buffer
, big_buffer_size
, f
) == NULL
) goto SPOOL_READ_ERROR
;
327 if (sscanf(CS big_buffer
, "%s %ld %ld", originator
, &uid
, &gid
) != 3)
328 goto SPOOL_FORMAT_ERROR
;
329 originator_login
= string_copy(originator
);
330 originator_uid
= (uid_t
)uid
;
331 originator_gid
= (gid_t
)gid
;
333 if (Ufgets(big_buffer
, big_buffer_size
, f
) == NULL
) goto SPOOL_READ_ERROR
;
334 n
= Ustrlen(big_buffer
);
335 if (n
< 3 || big_buffer
[0] != '<' || big_buffer
[n
-2] != '>')
336 goto SPOOL_FORMAT_ERROR
;
338 sender_address
= store_get(n
-2);
339 Ustrncpy(sender_address
, big_buffer
+1, n
-3);
340 sender_address
[n
-3] = 0;
342 if (Ufgets(big_buffer
, big_buffer_size
, f
) == NULL
) goto SPOOL_READ_ERROR
;
343 if (sscanf(CS big_buffer
, "%d %d", &received_time
, &warning_count
) != 2)
344 goto SPOOL_FORMAT_ERROR
;
346 message_age
= time(NULL
) - received_time
;
348 #ifndef COMPILE_UTILITY
349 DEBUG(D_deliver
) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n",
350 originator_login
, (long int)originator_uid
, (long int)originator_gid
,
352 #endif /* COMPILE_UTILITY */
354 /* Now there may be a number of optional lines, each starting with "-".
355 If you add a new setting here, make sure you set the default above. */
359 if (Ufgets(big_buffer
, big_buffer_size
, f
) == NULL
) goto SPOOL_READ_ERROR
;
360 if (big_buffer
[0] != '-') break;
362 big_buffer
[Ustrlen(big_buffer
) - 1] = 0;
363 if (Ustrncmp(big_buffer
, "-acl ", 5) == 0)
366 if (sscanf(CS big_buffer
+ 5, "%d %d", &index
, &count
) != 2)
367 goto SPOOL_FORMAT_ERROR
;
368 /* Ignore if index too big - might be if a later release with more
369 variables built this spool file. */
370 if (index
< ACL_C_MAX
+ ACL_M_MAX
)
372 acl_var
[index
] = store_get(count
+ 1);
373 if (fread(acl_var
[index
], 1, count
+1, f
) < count
) goto SPOOL_READ_ERROR
;
374 acl_var
[index
][count
] = 0;
377 else if (Ustrcmp(big_buffer
, "-local") == 0) sender_local
= TRUE
;
378 else if (Ustrcmp(big_buffer
, "-localerror") == 0)
379 local_error_message
= TRUE
;
380 else if (Ustrncmp(big_buffer
, "-local_scan ", 12) == 0)
381 local_scan_data
= string_copy(big_buffer
+ 12);
382 #ifdef WITH_CONTENT_SCAN
383 else if (Ustrncmp(big_buffer
, "-spam_score_int ", 16) == 0)
384 spam_score_int
= string_copy(big_buffer
+ 16);
386 #ifdef EXPERIMENTAL_BRIGHTMAIL
387 else if (Ustrncmp(big_buffer
, "-bmi_verdicts ", 14) == 0)
388 bmi_verdicts
= string_copy(big_buffer
+ 14);
390 else if (Ustrcmp(big_buffer
, "-host_lookup_failed") == 0)
391 host_lookup_failed
= TRUE
;
392 else if (Ustrncmp(big_buffer
, "-body_linecount", 15) == 0)
393 body_linecount
= Uatoi(big_buffer
+ 15);
394 else if (Ustrncmp(big_buffer
, "-body_zerocount", 15) == 0)
395 body_zerocount
= Uatoi(big_buffer
+ 15);
396 else if (Ustrncmp(big_buffer
, "-frozen", 7) == 0)
398 deliver_freeze
= TRUE
;
399 deliver_frozen_at
= Uatoi(big_buffer
+ 7);
401 else if (Ustrcmp(big_buffer
, "-allow_unqualified_recipient") == 0)
402 allow_unqualified_recipient
= TRUE
;
403 else if (Ustrcmp(big_buffer
, "-allow_unqualified_sender") == 0)
404 allow_unqualified_sender
= TRUE
;
405 else if (Ustrcmp(big_buffer
, "-deliver_firsttime") == 0)
406 deliver_firsttime
= TRUE
;
407 else if (Ustrcmp(big_buffer
, "-manual_thaw") == 0)
408 deliver_manual_thaw
= TRUE
;
409 else if (Ustrncmp(big_buffer
, "-auth_id", 8) == 0)
410 authenticated_id
= string_copy(big_buffer
+ 9);
411 else if (Ustrncmp(big_buffer
, "-auth_sender", 12) == 0)
412 authenticated_sender
= string_copy(big_buffer
+ 13);
413 else if (Ustrncmp(big_buffer
, "-sender_set_untrusted", 21) == 0)
414 sender_set_untrusted
= TRUE
;
417 else if (Ustrncmp(big_buffer
, "-tls_certificate_verified", 25) == 0)
418 tls_certificate_verified
= TRUE
;
419 else if (Ustrncmp(big_buffer
, "-tls_cipher", 11) == 0)
420 tls_cipher
= string_copy(big_buffer
+ 12);
421 else if (Ustrncmp(big_buffer
, "-tls_peerdn", 11) == 0)
422 tls_peerdn
= string_copy(big_buffer
+ 12);
425 /* We now record the port number after the address, separated by a
426 dot. For compatibility during upgrading, do nothing if there
427 isn't a value (it gets left at zero). */
429 else if (Ustrncmp(big_buffer
, "-host_address", 13) == 0)
431 sender_host_port
= host_extract_port(big_buffer
+ 14);
432 sender_host_address
= string_copy(big_buffer
+ 14);
435 else if (Ustrncmp(big_buffer
, "-interface_address", 18) == 0)
437 interface_port
= host_extract_port(big_buffer
+ 19);
438 interface_address
= string_copy(big_buffer
+ 19);
441 else if (Ustrncmp(big_buffer
, "-host_auth", 10) == 0)
442 sender_host_authenticated
= string_copy(big_buffer
+ 11);
443 else if (Ustrncmp(big_buffer
, "-host_name", 10) == 0)
444 sender_host_name
= string_copy(big_buffer
+ 11);
445 else if (Ustrncmp(big_buffer
, "-helo_name", 10) == 0)
446 sender_helo_name
= string_copy(big_buffer
+ 11);
447 else if (Ustrncmp(big_buffer
, "-ident", 6) == 0)
448 sender_ident
= string_copy(big_buffer
+ 7);
449 else if (Ustrncmp(big_buffer
, "-received_protocol", 18) == 0)
450 received_protocol
= string_copy(big_buffer
+ 19);
451 else if (Ustrncmp(big_buffer
, "-N", 2) == 0)
454 /* To allow new versions of Exim that add additional flags to interwork
455 with older versions that do not understand them, just ignore any flagged
456 lines that we don't recognize. Otherwise it wouldn't be possible to back
457 off a new version that left new-style flags written on the spool. That's
458 why the following line is commented out. */
460 /* else goto SPOOL_FORMAT_ERROR; */
463 /* Build sender_fullhost if required */
465 #ifndef COMPILE_UTILITY
466 host_build_sender_fullhost();
467 #endif /* COMPILE_UTILITY */
469 #ifndef COMPILE_UTILITY
471 debug_printf("sender_local=%d ident=%s\n", sender_local
,
472 (sender_ident
== NULL
)? US
"unset" : sender_ident
);
473 #endif /* COMPILE_UTILITY */
475 /* We now have the tree of addresses NOT to deliver to, or a line
476 containing "XX", indicating no tree. */
478 if (Ustrncmp(big_buffer
, "XX\n", 3) != 0 &&
479 !read_nonrecipients_tree(&tree_nonrecipients
, f
, big_buffer
, big_buffer_size
))
480 goto SPOOL_FORMAT_ERROR
;
482 #ifndef COMPILE_UTILITY
485 debug_printf("Non-recipients:\n");
486 debug_print_tree(tree_nonrecipients
);
488 #endif /* COMPILE_UTILITY */
490 /* After reading the tree, the next line has not yet been read into the
491 buffer. It contains the count of recipients which follow on separate lines. */
493 if (Ufgets(big_buffer
, big_buffer_size
, f
) == NULL
) goto SPOOL_READ_ERROR
;
494 if (sscanf(CS big_buffer
, "%d", &rcount
) != 1) goto SPOOL_FORMAT_ERROR
;
496 #ifndef COMPILE_UTILITY
497 DEBUG(D_deliver
) debug_printf("recipients_count=%d\n", rcount
);
498 #endif /* COMPILE_UTILITY */
500 recipients_list_max
= rcount
;
501 recipients_list
= store_get(rcount
* sizeof(recipient_item
));
503 for (recipients_count
= 0; recipients_count
< rcount
; recipients_count
++)
507 uschar
*errors_to
= NULL
;
510 if (Ufgets(big_buffer
, big_buffer_size
, f
) == NULL
) goto SPOOL_READ_ERROR
;
511 nn
= Ustrlen(big_buffer
);
512 if (nn
< 2) goto SPOOL_FORMAT_ERROR
;
514 /* Remove the newline; this terminates the address if there is no additional
517 p
= big_buffer
+ nn
- 1;
520 /* Look back from the end of the line for digits and special terminators.
521 Since an address must end with a domain, we can tell that extra data is
522 present by the presence of the terminator, which is always some character
523 that cannot exist in a domain. (If I'd thought of the need for additional
524 data early on, I'd have put it at the start, with the address at the end. As
525 it is, we have to operate backwards. Addresses are permitted to contain
528 This code has to cope with various versions of this data that have evolved
529 over time. In all cases, the line might just contain an address, with no
530 additional data. Otherwise, the possibilities are as follows:
532 Exim 3 type: <address><space><digits>,<digits>,<digits>
534 The second set of digits is the parent number for one_time addresses. The
535 other values were remnants of earlier experiments that were abandoned.
537 Exim 4 first type: <address><space><digits>
539 The digits are the parent number for one_time addresses.
541 Exim 4 new type: <address><space><data>#<type bits>
543 The type bits indicate what the contents of the data are.
545 Bit 01 indicates that, reading from right to left, the data
546 ends with <errors_to address><space><len>,<pno> where pno is
547 the parent number for one_time addresses, and len is the length
548 of the errors_to address (zero meaning none).
551 while (isdigit(*p
)) p
--;
553 /* Handle Exim 3 spool files */
558 while (isdigit(*(--p
)) || *p
== ',');
562 sscanf(CS p
, "%d,%d", &dummy
, &pno
);
566 /* Handle early Exim 4 spool files */
571 sscanf(CS p
, "%d", &pno
);
574 /* Handle current format Exim 4 spool files */
579 sscanf(CS p
+1, "%d", &flags
);
581 if ((flags
& 0x01) != 0) /* one_time data exists */
584 while (isdigit(*(--p
)) || *p
== ',' || *p
== '-');
585 sscanf(CS p
+1, "%d,%d", &len
, &pno
);
590 errors_to
= string_copy(p
);
594 *(--p
) = 0; /* Terminate address */
597 recipients_list
[recipients_count
].address
= string_copy(big_buffer
);
598 recipients_list
[recipients_count
].pno
= pno
;
599 recipients_list
[recipients_count
].errors_to
= errors_to
;
602 /* The remainder of the spool header file contains the headers for the message,
603 separated off from the previous data by a blank line. Each header is preceded
604 by a count of its length and either a certain letter (for various identified
605 headers), space (for a miscellaneous live header) or an asterisk (for a header
606 that has been rewritten). Count the Received: headers. We read the headers
607 always, in order to check on the format of the file, but only create a header
608 list if requested to do so. */
611 if (Ufgets(big_buffer
, big_buffer_size
, f
) == NULL
) goto SPOOL_READ_ERROR
;
612 if (big_buffer
[0] != '\n') goto SPOOL_FORMAT_ERROR
;
614 while ((n
= fgetc(f
)) != EOF
)
620 if (!isdigit(n
)) goto SPOOL_FORMAT_ERROR
;
622 fscanf(f
, "%d%c ", &n
, flag
);
623 if (flag
[0] != '*') message_size
+= n
; /* Omit non-transmitted headers */
627 h
= store_get(sizeof(header_line
));
631 h
->text
= store_get(n
+1);
633 if (h
->type
== htype_received
) received_count
++;
635 if (header_list
== NULL
) header_list
= h
;
636 else header_last
->next
= h
;
639 for (i
= 0; i
< n
; i
++)
642 if (c
== 0 || c
== EOF
) goto SPOOL_FORMAT_ERROR
;
643 if (c
== '\n' && h
->type
!= htype_old
) message_linecount
++;
649 /* Not requiring header data, just skip through the bytes */
651 else for (i
= 0; i
< n
; i
++)
654 if (c
== 0 || c
== EOF
) goto SPOOL_FORMAT_ERROR
;
658 /* We have successfully read the data in the header file. Update the message
659 line count by adding the body linecount to the header linecount. Close the file
660 and give a positive response. */
662 #ifndef COMPILE_UTILITY
663 DEBUG(D_deliver
) debug_printf("body_linecount=%d message_linecount=%d\n",
664 body_linecount
, message_linecount
);
665 #endif /* COMPILE_UTILITY */
667 message_linecount
+= body_linecount
;
670 return spool_read_OK
;
673 /* There was an error reading the spool or there was missing data,
674 or there was a format error. A "read error" with no errno means an
675 unexpected EOF, which we treat as a format error. */
682 #ifndef COMPILE_UTILITY
683 DEBUG(D_any
) debug_printf("Error while reading spool file %s\n", name
);
684 #endif /* COMPILE_UTILITY */
688 return inheader
? spool_read_hdrerror
: spool_read_enverror
;
693 #ifndef COMPILE_UTILITY
694 DEBUG(D_any
) debug_printf("Format error in spool file %s\n", name
);
695 #endif /* COMPILE_UTILITY */
698 errno
= ERRNO_SPOOLFORMAT
;
699 return inheader
? spool_read_hdrerror
: spool_read_enverror
;
702 /* End of spool_in.c */