Add equivalent for missing poll(2) #define
[exim.git] / src / src / deliver.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* The main code for delivering a message. */
9
10
11#include "exim.h"
e39fdc85 12#include "transports/smtp.h"
c29da374 13#include <sys/uio.h>
dadff1d4 14#include <assert.h>
059ec3d9
PH
15
16
17/* Data block for keeping track of subprocesses for parallel remote
18delivery. */
19
20typedef struct pardata {
21 address_item *addrlist; /* chain of addresses */
22 address_item *addr; /* next address data expected for */
23 pid_t pid; /* subprocess pid */
24 int fd; /* pipe fd for getting result from subprocess */
25 int transport_count; /* returned transport count value */
26 BOOL done; /* no more data needed */
27 uschar *msg; /* error message */
28 uschar *return_path; /* return_path for these addresses */
29} pardata;
30
31/* Values for the process_recipients variable */
32
33enum { RECIP_ACCEPT, RECIP_IGNORE, RECIP_DEFER,
34 RECIP_FAIL, RECIP_FAIL_FILTER, RECIP_FAIL_TIMEOUT,
35 RECIP_FAIL_LOOP};
36
37/* Mutually recursive functions for marking addresses done. */
38
39static void child_done(address_item *, uschar *);
40static void address_done(address_item *, uschar *);
41
42/* Table for turning base-62 numbers into binary */
43
44static uschar tab62[] =
45 {0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0, /* 0-9 */
46 0,10,11,12,13,14,15,16,17,18,19,20, /* A-K */
47 21,22,23,24,25,26,27,28,29,30,31,32, /* L-W */
48 33,34,35, 0, 0, 0, 0, 0, /* X-Z */
49 0,36,37,38,39,40,41,42,43,44,45,46, /* a-k */
50 47,48,49,50,51,52,53,54,55,56,57,58, /* l-w */
51 59,60,61}; /* x-z */
52
53
54/*************************************************
55* Local static variables *
56*************************************************/
57
58/* addr_duplicate is global because it needs to be seen from the Envelope-To
59writing code. */
60
61static address_item *addr_defer = NULL;
62static address_item *addr_failed = NULL;
63static address_item *addr_fallback = NULL;
64static address_item *addr_local = NULL;
65static address_item *addr_new = NULL;
66static address_item *addr_remote = NULL;
67static address_item *addr_route = NULL;
68static address_item *addr_succeed = NULL;
6c1c3d1d
WB
69static address_item *addr_dsntmp = NULL;
70static address_item *addr_senddsn = NULL;
059ec3d9
PH
71
72static FILE *message_log = NULL;
73static BOOL update_spool;
74static BOOL remove_journal;
75static int parcount = 0;
76static pardata *parlist = NULL;
77static int return_count;
78static uschar *frozen_info = US"";
79static uschar *used_return_path = NULL;
80
059ec3d9
PH
81
82
83/*************************************************
84* Make a new address item *
85*************************************************/
86
87/* This function gets the store and initializes with default values. The
88transport_return value defaults to DEFER, so that any unexpected failure to
89deliver does not wipe out the message. The default unique string is set to a
90copy of the address, so that its domain can be lowercased.
91
92Argument:
93 address the RFC822 address string
94 copy force a copy of the address
95
96Returns: a pointer to an initialized address_item
97*/
98
99address_item *
100deliver_make_addr(uschar *address, BOOL copy)
101{
102address_item *addr = store_get(sizeof(address_item));
103*addr = address_defaults;
104if (copy) address = string_copy(address);
105addr->address = address;
106addr->unique = string_copy(address);
107return addr;
108}
109
110
111
112
113/*************************************************
114* Set expansion values for an address *
115*************************************************/
116
117/* Certain expansion variables are valid only when handling an address or
118address list. This function sets them up or clears the values, according to its
119argument.
120
121Arguments:
122 addr the address in question, or NULL to clear values
123Returns: nothing
124*/
125
126void
127deliver_set_expansions(address_item *addr)
128{
d6c82d7b 129if (!addr)
059ec3d9 130 {
55414b25 131 const uschar ***p = address_expansions;
d6c82d7b 132 while (*p) **p++ = NULL;
059ec3d9
PH
133 return;
134 }
135
136/* Exactly what gets set depends on whether there is one or more addresses, and
137what they contain. These first ones are always set, taking their values from
138the first address. */
139
d6c82d7b 140if (!addr->host_list)
059ec3d9
PH
141 {
142 deliver_host = deliver_host_address = US"";
a7538db1 143 deliver_host_port = 0;
059ec3d9
PH
144 }
145else
146 {
147 deliver_host = addr->host_list->name;
148 deliver_host_address = addr->host_list->address;
a7538db1 149 deliver_host_port = addr->host_list->port;
059ec3d9
PH
150 }
151
152deliver_recipients = addr;
d43cbe25
JH
153deliver_address_data = addr->prop.address_data;
154deliver_domain_data = addr->prop.domain_data;
155deliver_localpart_data = addr->prop.localpart_data;
059ec3d9
PH
156
157/* These may be unset for multiple addresses */
158
159deliver_domain = addr->domain;
160self_hostname = addr->self_hostname;
161
8523533c
TK
162#ifdef EXPERIMENTAL_BRIGHTMAIL
163bmi_deliver = 1; /* deliver by default */
164bmi_alt_location = NULL;
165bmi_base64_verdict = NULL;
166bmi_base64_tracker_verdict = NULL;
167#endif
168
059ec3d9
PH
169/* If there's only one address we can set everything. */
170
d6c82d7b 171if (!addr->next)
059ec3d9
PH
172 {
173 address_item *addr_orig;
174
175 deliver_localpart = addr->local_part;
176 deliver_localpart_prefix = addr->prefix;
177 deliver_localpart_suffix = addr->suffix;
178
d6c82d7b 179 for (addr_orig = addr; addr_orig->parent; addr_orig = addr_orig->parent) ;
059ec3d9
PH
180 deliver_domain_orig = addr_orig->domain;
181
182 /* Re-instate any prefix and suffix in the original local part. In all
183 normal cases, the address will have a router associated with it, and we can
184 choose the caseful or caseless version accordingly. However, when a system
185 filter sets up a pipe, file, or autoreply delivery, no router is involved.
186 In this case, though, there won't be any prefix or suffix to worry about. */
187
d6c82d7b
JH
188 deliver_localpart_orig = !addr_orig->router
189 ? addr_orig->local_part
190 : addr_orig->router->caseful_local_part
191 ? addr_orig->cc_local_part
192 : addr_orig->lc_local_part;
059ec3d9
PH
193
194 /* If there's a parent, make its domain and local part available, and if
195 delivering to a pipe or file, or sending an autoreply, get the local
196 part from the parent. For pipes and files, put the pipe or file string
197 into address_pipe and address_file. */
198
d6c82d7b 199 if (addr->parent)
059ec3d9
PH
200 {
201 deliver_domain_parent = addr->parent->domain;
d6c82d7b
JH
202 deliver_localpart_parent = !addr->parent->router
203 ? addr->parent->local_part
204 : addr->parent->router->caseful_local_part
205 ? addr->parent->cc_local_part
206 : addr->parent->lc_local_part;
059ec3d9
PH
207
208 /* File deliveries have their own flag because they need to be picked out
209 as special more often. */
210
211 if (testflag(addr, af_pfr))
212 {
d6c82d7b
JH
213 if (testflag(addr, af_file)) address_file = addr->local_part;
214 else if (deliver_localpart[0] == '|') address_pipe = addr->local_part;
059ec3d9
PH
215 deliver_localpart = addr->parent->local_part;
216 deliver_localpart_prefix = addr->parent->prefix;
217 deliver_localpart_suffix = addr->parent->suffix;
218 }
219 }
8523533c
TK
220
221#ifdef EXPERIMENTAL_BRIGHTMAIL
222 /* Set expansion variables related to Brightmail AntiSpam */
223 bmi_base64_verdict = bmi_get_base64_verdict(deliver_localpart_orig, deliver_domain_orig);
224 bmi_base64_tracker_verdict = bmi_get_base64_tracker_verdict(bmi_base64_verdict);
225 /* get message delivery status (0 - don't deliver | 1 - deliver) */
226 bmi_deliver = bmi_get_delivery_status(bmi_base64_verdict);
227 /* if message is to be delivered, get eventual alternate location */
d6c82d7b 228 if (bmi_deliver == 1)
8523533c 229 bmi_alt_location = bmi_get_alt_location(bmi_base64_verdict);
8523533c
TK
230#endif
231
059ec3d9
PH
232 }
233
234/* For multiple addresses, don't set local part, and leave the domain and
f7fd3850
PH
235self_hostname set only if it is the same for all of them. It is possible to
236have multiple pipe and file addresses, but only when all addresses have routed
237to the same pipe or file. */
059ec3d9
PH
238
239else
240 {
241 address_item *addr2;
f7fd3850
PH
242 if (testflag(addr, af_pfr))
243 {
d6c82d7b
JH
244 if (testflag(addr, af_file)) address_file = addr->local_part;
245 else if (addr->local_part[0] == '|') address_pipe = addr->local_part;
f7fd3850 246 }
d6c82d7b 247 for (addr2 = addr->next; addr2; addr2 = addr2->next)
059ec3d9 248 {
d6c82d7b 249 if (deliver_domain && Ustrcmp(deliver_domain, addr2->domain) != 0)
059ec3d9 250 deliver_domain = NULL;
d6c82d7b
JH
251 if ( self_hostname
252 && ( !addr2->self_hostname
253 || Ustrcmp(self_hostname, addr2->self_hostname) != 0
254 ) )
059ec3d9 255 self_hostname = NULL;
d6c82d7b 256 if (!deliver_domain && !self_hostname) break;
059ec3d9
PH
257 }
258 }
259}
260
261
262
263
264/*************************************************
265* Open a msglog file *
266*************************************************/
267
268/* This function is used both for normal message logs, and for files in the
269msglog directory that are used to catch output from pipes. Try to create the
270directory if it does not exist. From release 4.21, normal message logs should
271be created when the message is received.
272
92b0827a
JH
273Called from deliver_message(), can be operating as root.
274
059ec3d9
PH
275Argument:
276 filename the file name
277 mode the mode required
278 error used for saying what failed
279
280Returns: a file descriptor, or -1 (with errno set)
281*/
282
283static int
284open_msglog_file(uschar *filename, int mode, uschar **error)
285{
92b0827a 286int fd, i;
059ec3d9 287
92b0827a 288for (i = 2; i > 0; i--)
059ec3d9 289 {
92b0827a
JH
290 fd = Uopen(filename,
291#ifdef O_CLOEXEC
292 O_CLOEXEC |
293#endif
294#ifdef O_NOFOLLOW
295 O_NOFOLLOW |
296#endif
297 O_WRONLY|O_APPEND|O_CREAT, mode);
298 if (fd >= 0)
299 {
300 /* Set the close-on-exec flag and change the owner to the exim uid/gid (this
301 function is called as root). Double check the mode, because the group setting
302 doesn't always get set automatically. */
303
304#ifndef O_CLOEXEC
305 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
306#endif
307 if (fchown(fd, exim_uid, exim_gid) < 0)
308 {
309 *error = US"chown";
310 return -1;
311 }
312 if (fchmod(fd, mode) < 0)
313 {
314 *error = US"chmod";
315 return -1;
316 }
317 return fd;
318 }
319 if (errno != ENOENT)
320 break;
321
41313d92
JH
322 (void)directory_make(spool_directory,
323 spool_sname(US"msglog", message_subdir),
324 MSGLOG_DIRECTORY_MODE, TRUE);
059ec3d9 325 }
059ec3d9 326
92b0827a
JH
327*error = US"create";
328return -1;
059ec3d9
PH
329}
330
331
332
333
334/*************************************************
335* Write to msglog if required *
336*************************************************/
337
338/* Write to the message log, if configured. This function may also be called
339from transports.
340
341Arguments:
342 format a string format
343
344Returns: nothing
345*/
346
347void
348deliver_msglog(const char *format, ...)
349{
350va_list ap;
351if (!message_logs) return;
352va_start(ap, format);
353vfprintf(message_log, format, ap);
354fflush(message_log);
355va_end(ap);
356}
357
358
359
360
361/*************************************************
362* Replicate status for batch *
363*************************************************/
364
365/* When a transport handles a batch of addresses, it may treat them
366individually, or it may just put the status in the first one, and return FALSE,
367requesting that the status be copied to all the others externally. This is the
368replication function. As well as the status, it copies the transport pointer,
369which may have changed if appendfile passed the addresses on to a different
370transport.
371
372Argument: pointer to the first address in a chain
373Returns: nothing
374*/
375
376static void
377replicate_status(address_item *addr)
378{
379address_item *addr2;
d6c82d7b 380for (addr2 = addr->next; addr2; addr2 = addr2->next)
059ec3d9 381 {
d6c82d7b 382 addr2->transport = addr->transport;
059ec3d9 383 addr2->transport_return = addr->transport_return;
d6c82d7b
JH
384 addr2->basic_errno = addr->basic_errno;
385 addr2->more_errno = addr->more_errno;
32dfdf8b 386 addr2->delivery_usec = addr->delivery_usec;
d6c82d7b
JH
387 addr2->special_action = addr->special_action;
388 addr2->message = addr->message;
389 addr2->user_message = addr->user_message;
059ec3d9
PH
390 }
391}
392
393
394
395/*************************************************
396* Compare lists of hosts *
397*************************************************/
398
399/* This function is given two pointers to chains of host items, and it yields
400TRUE if the lists refer to the same hosts in the same order, except that
401
402(1) Multiple hosts with the same non-negative MX values are permitted to appear
403 in different orders. Round-robinning nameservers can cause this to happen.
404
405(2) Multiple hosts with the same negative MX values less than MX_NONE are also
406 permitted to appear in different orders. This is caused by randomizing
407 hosts lists.
408
409This enables Exim to use a single SMTP transaction for sending to two entirely
410different domains that happen to end up pointing at the same hosts.
411
412Arguments:
413 one points to the first host list
414 two points to the second host list
415
416Returns: TRUE if the lists refer to the same host set
417*/
418
419static BOOL
420same_hosts(host_item *one, host_item *two)
421{
d6c82d7b 422while (one && two)
059ec3d9
PH
423 {
424 if (Ustrcmp(one->name, two->name) != 0)
425 {
426 int mx = one->mx;
427 host_item *end_one = one;
428 host_item *end_two = two;
429
430 /* Batch up only if there was no MX and the list was not randomized */
431
432 if (mx == MX_NONE) return FALSE;
433
434 /* Find the ends of the shortest sequence of identical MX values */
435
d6c82d7b
JH
436 while ( end_one->next && end_one->next->mx == mx
437 && end_two->next && end_two->next->mx == mx)
059ec3d9
PH
438 {
439 end_one = end_one->next;
440 end_two = end_two->next;
441 }
442
443 /* If there aren't any duplicates, there's no match. */
444
445 if (end_one == one) return FALSE;
446
447 /* For each host in the 'one' sequence, check that it appears in the 'two'
448 sequence, returning FALSE if not. */
449
450 for (;;)
451 {
452 host_item *hi;
453 for (hi = two; hi != end_two->next; hi = hi->next)
454 if (Ustrcmp(one->name, hi->name) == 0) break;
455 if (hi == end_two->next) return FALSE;
456 if (one == end_one) break;
457 one = one->next;
458 }
459
460 /* All the hosts in the 'one' sequence were found in the 'two' sequence.
461 Ensure both are pointing at the last host, and carry on as for equality. */
462
463 two = end_two;
464 }
465
1c788856
JH
466 /* if the names matched but ports do not, mismatch */
467 else if (one->port != two->port)
468 return FALSE;
469
059ec3d9
PH
470 /* Hosts matched */
471
472 one = one->next;
473 two = two->next;
474 }
475
476/* True if both are NULL */
477
478return (one == two);
479}
480
481
482
483/*************************************************
484* Compare header lines *
485*************************************************/
486
487/* This function is given two pointers to chains of header items, and it yields
488TRUE if they are the same header texts in the same order.
489
490Arguments:
491 one points to the first header list
492 two points to the second header list
493
494Returns: TRUE if the lists refer to the same header set
495*/
496
497static BOOL
498same_headers(header_line *one, header_line *two)
499{
d6c82d7b 500for (;; one = one->next, two = two->next)
059ec3d9
PH
501 {
502 if (one == two) return TRUE; /* Includes the case where both NULL */
d6c82d7b 503 if (!one || !two) return FALSE;
059ec3d9 504 if (Ustrcmp(one->text, two->text) != 0) return FALSE;
059ec3d9
PH
505 }
506}
507
508
509
510/*************************************************
511* Compare string settings *
512*************************************************/
513
514/* This function is given two pointers to strings, and it returns
515TRUE if they are the same pointer, or if the two strings are the same.
516
517Arguments:
518 one points to the first string
519 two points to the second string
520
521Returns: TRUE or FALSE
522*/
523
524static BOOL
525same_strings(uschar *one, uschar *two)
526{
527if (one == two) return TRUE; /* Includes the case where both NULL */
d6c82d7b 528if (!one || !two) return FALSE;
059ec3d9
PH
529return (Ustrcmp(one, two) == 0);
530}
531
532
533
534/*************************************************
535* Compare uid/gid for addresses *
536*************************************************/
537
538/* This function is given a transport and two addresses. It yields TRUE if the
539uid/gid/initgroups settings for the two addresses are going to be the same when
540they are delivered.
541
542Arguments:
543 tp the transort
544 addr1 the first address
545 addr2 the second address
546
547Returns: TRUE or FALSE
548*/
549
550static BOOL
551same_ugid(transport_instance *tp, address_item *addr1, address_item *addr2)
552{
d6c82d7b
JH
553if ( !tp->uid_set && !tp->expand_uid
554 && !tp->deliver_as_creator
555 && ( testflag(addr1, af_uid_set) != testflag(addr2, af_gid_set)
556 || ( testflag(addr1, af_uid_set)
557 && ( addr1->uid != addr2->uid
558 || testflag(addr1, af_initgroups) != testflag(addr2, af_initgroups)
559 ) ) ) )
560 return FALSE;
059ec3d9 561
d6c82d7b
JH
562if ( !tp->gid_set && !tp->expand_gid
563 && ( testflag(addr1, af_gid_set) != testflag(addr2, af_gid_set)
564 || ( testflag(addr1, af_gid_set)
565 && addr1->gid != addr2->gid
566 ) ) )
567 return FALSE;
059ec3d9
PH
568
569return TRUE;
570}
571
572
573
574
575/*************************************************
576* Record that an address is complete *
577*************************************************/
578
579/* This function records that an address is complete. This is straightforward
580for most addresses, where the unique address is just the full address with the
581domain lower cased. For homonyms (addresses that are the same as one of their
582ancestors) their are complications. Their unique addresses have \x\ prepended
583(where x = 0, 1, 2...), so that de-duplication works correctly for siblings and
584cousins.
585
586Exim used to record the unique addresses of homonyms as "complete". This,
587however, fails when the pattern of redirection varies over time (e.g. if taking
588unseen copies at only some times of day) because the prepended numbers may vary
589from one delivery run to the next. This problem is solved by never recording
590prepended unique addresses as complete. Instead, when a homonymic address has
591actually been delivered via a transport, we record its basic unique address
592followed by the name of the transport. This is checked in subsequent delivery
593runs whenever an address is routed to a transport.
594
595If the completed address is a top-level one (has no parent, which means it
596cannot be homonymic) we also add the original address to the non-recipients
597tree, so that it gets recorded in the spool file and therefore appears as
598"done" in any spool listings. The original address may differ from the unique
599address in the case of the domain.
600
601Finally, this function scans the list of duplicates, marks as done any that
602match this address, and calls child_done() for their ancestors.
603
604Arguments:
605 addr address item that has been completed
606 now current time as a string
607
608Returns: nothing
609*/
610
611static void
612address_done(address_item *addr, uschar *now)
613{
614address_item *dup;
615
616update_spool = TRUE; /* Ensure spool gets updated */
617
618/* Top-level address */
619
d6c82d7b 620if (!addr->parent)
059ec3d9
PH
621 {
622 tree_add_nonrecipient(addr->unique);
623 tree_add_nonrecipient(addr->address);
624 }
625
626/* Homonymous child address */
627
628else if (testflag(addr, af_homonym))
629 {
d6c82d7b 630 if (addr->transport)
059ec3d9
PH
631 tree_add_nonrecipient(
632 string_sprintf("%s/%s", addr->unique + 3, addr->transport->name));
059ec3d9
PH
633 }
634
635/* Non-homonymous child address */
636
637else tree_add_nonrecipient(addr->unique);
638
639/* Check the list of duplicate addresses and ensure they are now marked
640done as well. */
641
d6c82d7b 642for (dup = addr_duplicate; dup; dup = dup->next)
059ec3d9
PH
643 if (Ustrcmp(addr->unique, dup->unique) == 0)
644 {
57730b52 645 tree_add_nonrecipient(dup->unique);
059ec3d9
PH
646 child_done(dup, now);
647 }
059ec3d9
PH
648}
649
650
651
652
653/*************************************************
654* Decrease counts in parents and mark done *
655*************************************************/
656
657/* This function is called when an address is complete. If there is a parent
658address, its count of children is decremented. If there are still other
659children outstanding, the function exits. Otherwise, if the count has become
660zero, address_done() is called to mark the parent and its duplicates complete.
661Then loop for any earlier ancestors.
662
663Arguments:
664 addr points to the completed address item
665 now the current time as a string, for writing to the message log
666
667Returns: nothing
668*/
669
670static void
671child_done(address_item *addr, uschar *now)
672{
673address_item *aa;
d6c82d7b 674while (addr->parent)
059ec3d9
PH
675 {
676 addr = addr->parent;
82f90600 677 if (--addr->child_count > 0) return; /* Incomplete parent */
059ec3d9
PH
678 address_done(addr, now);
679
680 /* Log the completion of all descendents only when there is no ancestor with
681 the same original address. */
682
d6c82d7b 683 for (aa = addr->parent; aa; aa = aa->parent)
059ec3d9 684 if (Ustrcmp(aa->address, addr->address) == 0) break;
d6c82d7b 685 if (aa) continue;
059ec3d9
PH
686
687 deliver_msglog("%s %s: children all complete\n", now, addr->address);
688 DEBUG(D_deliver) debug_printf("%s: children all complete\n", addr->address);
689 }
690}
691
692
693
ac881e27
TF
694/*************************************************
695* Delivery logging support functions *
696*************************************************/
697
698/* The LOGGING() checks in d_log_interface() are complicated for backwards
699compatibility. When outgoing interface logging was originally added, it was
700conditional on just incoming_interface (which is off by default). The
701outgoing_interface option is on by default to preserve this behaviour, but
702you can enable incoming_interface and disable outgoing_interface to get I=
703fields on incoming lines only.
704
705Arguments:
acec9514 706 g The log line
ac881e27
TF
707 addr The address to be logged
708
709Returns: New value for s
710*/
059ec3d9 711
acec9514
JH
712static gstring *
713d_log_interface(gstring * g)
67d81c10 714{
ac881e27 715if (LOGGING(incoming_interface) && LOGGING(outgoing_interface)
d6c82d7b 716 && sending_ip_address)
ac881e27 717 {
acec9514
JH
718 g = string_append(g, 2, US" I=[", sending_ip_address);
719 g = LOGGING(outgoing_port)
720 ? string_append(g, 2, US"]:", string_sprintf("%d", sending_port))
721 : string_catn(g, US"]", 1);
ac881e27 722 }
acec9514 723return g;
67d81c10
JH
724}
725
ac881e27
TF
726
727
acec9514
JH
728static gstring *
729d_hostlog(gstring * g, address_item * addr)
ac881e27 730{
fc16abb4
JH
731host_item * h = addr->host_used;
732
acec9514 733g = string_append(g, 2, US" H=", h->name);
fc16abb4
JH
734
735if (LOGGING(dnssec) && h->dnssec == DS_YES)
acec9514 736 g = string_catn(g, US" DS", 3);
fc16abb4 737
acec9514 738g = string_append(g, 3, US" [", h->address, US"]");
fc16abb4 739
ac881e27 740if (LOGGING(outgoing_port))
acec9514 741 g = string_append(g, 2, US":", string_sprintf("%d", h->port));
e6d2a989
JH
742
743#ifdef SUPPORT_SOCKS
744if (LOGGING(proxy) && proxy_local_address)
745 {
acec9514 746 g = string_append(g, 3, US" PRX=[", proxy_local_address, US"]");
e6d2a989 747 if (LOGGING(outgoing_port))
acec9514 748 g = string_append(g, 2, US":", string_sprintf("%d", proxy_local_port));
e6d2a989
JH
749 }
750#endif
751
acec9514 752g = d_log_interface(g);
a2673768
JH
753
754if (testflag(addr, af_tcp_fastopen))
acec9514 755 g = string_catn(g, US" TFO", 4);
a2673768 756
acec9514 757return g;
ac881e27
TF
758}
759
760
761
e6d2a989
JH
762
763
67d81c10 764#ifdef SUPPORT_TLS
acec9514
JH
765static gstring *
766d_tlslog(gstring * s, address_item * addr)
67d81c10 767{
d6c82d7b 768if (LOGGING(tls_cipher) && addr->cipher)
acec9514 769 s = string_append(s, 2, US" X=", addr->cipher);
d6c82d7b 770if (LOGGING(tls_certificate_verified) && addr->cipher)
acec9514 771 s = string_append(s, 2, US" CV=",
ac881e27
TF
772 testflag(addr, af_cert_verified)
773 ?
53a7196b 774#ifdef EXPERIMENTAL_DANE
ac881e27
TF
775 testflag(addr, af_dane_verified)
776 ? "dane"
777 :
53a7196b 778#endif
ac881e27
TF
779 "yes"
780 : "no");
d6c82d7b 781if (LOGGING(tls_peerdn) && addr->peerdn)
acec9514 782 s = string_append(s, 3, US" DN=\"", string_printing(addr->peerdn), US"\"");
ac881e27 783return s;
67d81c10
JH
784}
785#endif
786
a7538db1 787
14a465c3
JH
788
789
0cbf2b82 790#ifndef DISABLE_EVENT
b30275b8 791uschar *
55414b25 792event_raise(uschar * action, const uschar * event, uschar * ev_data)
a7538db1
JH
793{
794uschar * s;
795if (action)
796 {
797 DEBUG(D_deliver)
774ef2d7 798 debug_printf("Event(%s): event_action=|%s| delivery_IP=%s\n",
a7538db1
JH
799 event,
800 action, deliver_host_address);
801
774ef2d7
JH
802 event_name = event;
803 event_data = ev_data;
a7538db1
JH
804
805 if (!(s = expand_string(action)) && *expand_string_message)
806 log_write(0, LOG_MAIN|LOG_PANIC,
774ef2d7 807 "failed to expand event_action %s in %s: %s\n",
a7538db1
JH
808 event, transport_name, expand_string_message);
809
774ef2d7 810 event_name = event_data = NULL;
a7538db1
JH
811
812 /* If the expansion returns anything but an empty string, flag for
813 the caller to modify his normal processing
814 */
815 if (s && *s)
816 {
817 DEBUG(D_deliver)
774ef2d7 818 debug_printf("Event(%s): event_action returned \"%s\"\n", event, s);
b30275b8 819 return s;
a7538db1
JH
820 }
821 }
b30275b8 822return NULL;
a7538db1 823}
14a465c3 824
5ef5dd52 825void
55414b25 826msg_event_raise(const uschar * event, const address_item * addr)
14a465c3 827{
55414b25 828const uschar * save_domain = deliver_domain;
14a465c3 829uschar * save_local = deliver_localpart;
55414b25 830const uschar * save_host = deliver_host;
5ef5dd52
JB
831const uschar * save_address = deliver_host_address;
832const int save_port = deliver_host_port;
14a465c3
JH
833
834if (!addr->transport)
835 return;
836
837router_name = addr->router ? addr->router->name : NULL;
838transport_name = addr->transport->name;
839deliver_domain = addr->domain;
840deliver_localpart = addr->local_part;
c562fd30 841deliver_host = addr->host_used ? addr->host_used->name : NULL;
14a465c3 842
774ef2d7 843(void) event_raise(addr->transport->event_action, event,
5ef5dd52
JB
844 addr->host_used
845 || Ustrcmp(addr->transport->driver_name, "smtp") == 0
846 || Ustrcmp(addr->transport->driver_name, "lmtp") == 0
4c0a7a9c 847 ? addr->message : NULL);
14a465c3 848
5ef5dd52
JB
849deliver_host_port = save_port;
850deliver_host_address = save_address;
c562fd30 851deliver_host = save_host;
14a465c3
JH
852deliver_localpart = save_local;
853deliver_domain = save_domain;
854router_name = transport_name = NULL;
855}
0cbf2b82 856#endif /*DISABLE_EVENT*/
14a465c3
JH
857
858
a7538db1 859
5dac72a7
JH
860/******************************************************************************/
861
862
863/*************************************************
864* Generate local prt for logging *
865*************************************************/
866
867/* This function is a subroutine for use in string_log_address() below.
868
869Arguments:
870 addr the address being logged
871 yield the current dynamic buffer pointer
5dac72a7
JH
872
873Returns: the new value of the buffer pointer
874*/
875
acec9514
JH
876static gstring *
877string_get_localpart(address_item * addr, gstring * yield)
5dac72a7
JH
878{
879uschar * s;
880
881s = addr->prefix;
882if (testflag(addr, af_include_affixes) && s)
883 {
884#ifdef SUPPORT_I18N
885 if (testflag(addr, af_utf8_downcvt))
886 s = string_localpart_utf8_to_alabel(s, NULL);
887#endif
acec9514 888 yield = string_cat(yield, s);
5dac72a7
JH
889 }
890
891s = addr->local_part;
892#ifdef SUPPORT_I18N
893if (testflag(addr, af_utf8_downcvt))
894 s = string_localpart_utf8_to_alabel(s, NULL);
895#endif
acec9514 896yield = string_cat(yield, s);
5dac72a7
JH
897
898s = addr->suffix;
899if (testflag(addr, af_include_affixes) && s)
900 {
901#ifdef SUPPORT_I18N
902 if (testflag(addr, af_utf8_downcvt))
903 s = string_localpart_utf8_to_alabel(s, NULL);
904#endif
acec9514 905 yield = string_cat(yield, s);
5dac72a7
JH
906 }
907
908return yield;
909}
910
911
912/*************************************************
913* Generate log address list *
914*************************************************/
915
916/* This function generates a list consisting of an address and its parents, for
917use in logging lines. For saved onetime aliased addresses, the onetime parent
918field is used. If the address was delivered by a transport with rcpt_include_
919affixes set, the af_include_affixes bit will be set in the address. In that
920case, we include the affixes here too.
921
922Arguments:
acec9514 923 g points to growing-string struct
5dac72a7
JH
924 addr bottom (ultimate) address
925 all_parents if TRUE, include all parents
926 success TRUE for successful delivery
927
928Returns: a growable string in dynamic store
929*/
930
acec9514
JH
931static gstring *
932string_log_address(gstring * g,
5dac72a7
JH
933 address_item *addr, BOOL all_parents, BOOL success)
934{
935BOOL add_topaddr = TRUE;
936address_item *topaddr;
937
938/* Find the ultimate parent */
939
940for (topaddr = addr; topaddr->parent; topaddr = topaddr->parent) ;
941
942/* We start with just the local part for pipe, file, and reply deliveries, and
943for successful local deliveries from routers that have the log_as_local flag
944set. File deliveries from filters can be specified as non-absolute paths in
4c04137d 945cases where the transport is going to complete the path. If there is an error
5dac72a7
JH
946before this happens (expansion failure) the local part will not be updated, and
947so won't necessarily look like a path. Add extra text for this case. */
948
949if ( testflag(addr, af_pfr)
950 || ( success
951 && addr->router && addr->router->log_as_local
952 && addr->transport && addr->transport->info->local
953 ) )
954 {
955 if (testflag(addr, af_file) && addr->local_part[0] != '/')
acec9514
JH
956 g = string_catn(g, CUS"save ", 5);
957 g = string_get_localpart(addr, g);
5dac72a7
JH
958 }
959
960/* Other deliveries start with the full address. It we have split it into local
961part and domain, use those fields. Some early failures can happen before the
962splitting is done; in those cases use the original field. */
963
964else
965 {
acec9514 966 uschar * cmp = g->s + g->ptr;
5dac72a7
JH
967
968 if (addr->local_part)
969 {
970 const uschar * s;
acec9514
JH
971 g = string_get_localpart(addr, g);
972 g = string_catn(g, US"@", 1);
5dac72a7
JH
973 s = addr->domain;
974#ifdef SUPPORT_I18N
975 if (testflag(addr, af_utf8_downcvt))
976 s = string_localpart_utf8_to_alabel(s, NULL);
977#endif
acec9514 978 g = string_cat(g, s);
5dac72a7
JH
979 }
980 else
acec9514 981 g = string_cat(g, addr->address);
5dac72a7
JH
982
983 /* If the address we are going to print is the same as the top address,
984 and all parents are not being included, don't add on the top address. First
985 of all, do a caseless comparison; if this succeeds, do a caseful comparison
986 on the local parts. */
acec9514
JH
987 /*XXX dodgy coding. the string at "cmp" might not be nul-terminated if
988 we had to extend the allocation! */
5dac72a7 989
acec9514 990 g->s[g->ptr] = '\0';
5dac72a7
JH
991 if ( strcmpic(cmp, topaddr->address) == 0
992 && Ustrncmp(cmp, topaddr->address, Ustrchr(cmp, '@') - cmp) == 0
993 && !addr->onetime_parent
994 && (!all_parents || !addr->parent || addr->parent == topaddr)
995 )
996 add_topaddr = FALSE;
997 }
998
999/* If all parents are requested, or this is a local pipe/file/reply, and
1000there is at least one intermediate parent, show it in brackets, and continue
1001with all of them if all are wanted. */
1002
1003if ( (all_parents || testflag(addr, af_pfr))
1004 && addr->parent
1005 && addr->parent != topaddr)
1006 {
1007 uschar *s = US" (";
1008 address_item *addr2;
1009 for (addr2 = addr->parent; addr2 != topaddr; addr2 = addr2->parent)
1010 {
acec9514
JH
1011 g = string_catn(g, s, 2);
1012 g = string_cat (g, addr2->address);
5dac72a7
JH
1013 if (!all_parents) break;
1014 s = US", ";
1015 }
acec9514 1016 g = string_catn(g, US")", 1);
5dac72a7
JH
1017 }
1018
1019/* Add the top address if it is required */
1020
1021if (add_topaddr)
acec9514 1022 g = string_append(g, 3,
5dac72a7
JH
1023 US" <",
1024 addr->onetime_parent ? addr->onetime_parent : topaddr->address,
1025 US">");
1026
acec9514 1027return g;
5dac72a7
JH
1028}
1029
1030
32dfdf8b
JH
1031
1032void
1033timesince(struct timeval * diff, struct timeval * then)
1034{
1035gettimeofday(diff, NULL);
1036diff->tv_sec -= then->tv_sec;
1037if ((diff->tv_usec -= then->tv_usec) < 0)
1038 {
1039 diff->tv_sec--;
1040 diff->tv_usec += 1000*1000;
1041 }
1042}
1043
1044
1045
1046static uschar *
1047string_timediff(struct timeval * diff)
1048{
1049static uschar buf[sizeof("0.000s")];
1050
1051if (diff->tv_sec >= 5 || !LOGGING(millisec))
1052 return readconf_printtime((int)diff->tv_sec);
1053
1054sprintf(CS buf, "%d.%03ds", (int)diff->tv_sec, (int)diff->tv_usec/1000);
1055return buf;
1056}
1057
1058
0f1a8658 1059uschar *
32dfdf8b
JH
1060string_timesince(struct timeval * then)
1061{
1062struct timeval diff;
1063
1064timesince(&diff, then);
1065return string_timediff(&diff);
1066}
1067
5dac72a7
JH
1068/******************************************************************************/
1069
1070
1071
817d9f57 1072/* If msg is NULL this is a delivery log and logchar is used. Otherwise
67d81c10 1073this is a nonstandard call; no two-character delivery flag is written
817d9f57
JH
1074but sender-host and sender are prefixed and "msg" is inserted in the log line.
1075
1076Arguments:
1077 flags passed to log_write()
1078*/
e4bdf652 1079void
817d9f57 1080delivery_log(int flags, address_item * addr, int logchar, uschar * msg)
e4bdf652 1081{
acec9514 1082gstring * g; /* Used for a temporary, expanding buffer, for building log lines */
5dac72a7 1083void * reset_point; /* released afterwards. */
e4bdf652 1084
e4bdf652
JH
1085/* Log the delivery on the main log. We use an extensible string to build up
1086the log line, and reset the store afterwards. Remote deliveries should always
1087have a pointer to the host item that succeeded; local deliveries can have a
1088pointer to a single host item in their host list, for use by the transport. */
1089
0cbf2b82 1090#ifndef DISABLE_EVENT
a7538db1 1091 /* presume no successful remote delivery */
783b385f 1092 lookup_dnssec_authenticated = NULL;
d68218c7
JH
1093#endif
1094
acec9514 1095g = reset_point = string_get(256);
e4bdf652 1096
817d9f57 1097if (msg)
acec9514 1098 g = string_append(g, 2, host_and_ident(TRUE), US" ");
817d9f57
JH
1099else
1100 {
acec9514
JH
1101 g->s[0] = logchar; g->ptr = 1;
1102 g = string_catn(g, US"> ", 2);
817d9f57 1103 }
acec9514 1104g = string_log_address(g, addr, LOGGING(all_parents), TRUE);
e4bdf652 1105
6c6d6e48 1106if (LOGGING(sender_on_delivery) || msg)
acec9514 1107 g = string_append(g, 3, US" F=<",
8c5d388a 1108#ifdef SUPPORT_I18N
3c8b3577
JH
1109 testflag(addr, af_utf8_downcvt)
1110 ? string_address_utf8_to_alabel(sender_address, NULL)
1111 :
1112#endif
1113 sender_address,
1114 US">");
e4bdf652 1115
afa6d3ad 1116if (*queue_name)
acec9514 1117 g = string_append(g, 2, US" Q=", queue_name);
afa6d3ad 1118
e4bdf652 1119#ifdef EXPERIMENTAL_SRS
d43cbe25 1120if(addr->prop.srs_sender)
acec9514 1121 g = string_append(g, 3, US" SRS=<", addr->prop.srs_sender, US">");
e4bdf652
JH
1122#endif
1123
1124/* You might think that the return path must always be set for a successful
1125delivery; indeed, I did for some time, until this statement crashed. The case
1126when it is not set is for a delivery to /dev/null which is optimised by not
1127being run at all. */
1128
d6c82d7b 1129if (used_return_path && LOGGING(return_path_on_delivery))
acec9514 1130 g = string_append(g, 3, US" P=<", used_return_path, US">");
e4bdf652 1131
817d9f57 1132if (msg)
acec9514 1133 g = string_append(g, 2, US" ", msg);
e4bdf652 1134
817d9f57 1135/* For a delivery from a system filter, there may not be a router */
d6c82d7b 1136if (addr->router)
acec9514 1137 g = string_append(g, 2, US" R=", addr->router->name);
e4bdf652 1138
acec9514 1139g = string_append(g, 2, US" T=", addr->transport->name);
e4bdf652 1140
6c6d6e48 1141if (LOGGING(delivery_size))
acec9514 1142 g = string_append(g, 2, US" S=",
e4bdf652
JH
1143 string_sprintf("%d", transport_count));
1144
1145/* Local delivery */
1146
1147if (addr->transport->info->local)
1148 {
a7538db1 1149 if (addr->host_list)
acec9514
JH
1150 g = string_append(g, 2, US" H=", addr->host_list->name);
1151 g = d_log_interface(g);
d6c82d7b 1152 if (addr->shadow_message)
acec9514 1153 g = string_cat(g, addr->shadow_message);
e4bdf652
JH
1154 }
1155
1156/* Remote delivery */
1157
1158else
1159 {
783b385f 1160 if (addr->host_used)
e4bdf652 1161 {
acec9514 1162 g = d_hostlog(g, addr);
e4bdf652 1163 if (continue_sequence > 1)
acec9514 1164 g = string_catn(g, US"*", 1);
d68218c7 1165
0cbf2b82 1166#ifndef DISABLE_EVENT
a7538db1
JH
1167 deliver_host_address = addr->host_used->address;
1168 deliver_host_port = addr->host_used->port;
029f4192 1169 deliver_host = addr->host_used->name;
783b385f
JH
1170
1171 /* DNS lookup status */
1172 lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes"
1173 : addr->host_used->dnssec==DS_NO ? US"no"
1174 : NULL;
a7538db1 1175#endif
e4bdf652
JH
1176 }
1177
a7538db1 1178#ifdef SUPPORT_TLS
acec9514 1179 g = d_tlslog(g, addr);
a7538db1 1180#endif
e4bdf652 1181
018c60d7 1182 if (addr->authenticator)
6f123593 1183 {
acec9514 1184 g = string_append(g, 2, US" A=", addr->authenticator);
018c60d7 1185 if (addr->auth_id)
c8e2fc1e 1186 {
acec9514 1187 g = string_append(g, 2, US":", addr->auth_id);
6c6d6e48 1188 if (LOGGING(smtp_mailauth) && addr->auth_sndr)
acec9514 1189 g = string_append(g, 2, US":", addr->auth_sndr);
c8e2fc1e 1190 }
6f123593
JH
1191 }
1192
a7538db1 1193#ifndef DISABLE_PRDR
7eb0e5d2 1194 if (testflag(addr, af_prdr_used))
acec9514 1195 g = string_catn(g, US" PRDR", 5);
a7538db1 1196#endif
e0cc6cda 1197
7eb0e5d2 1198 if (testflag(addr, af_chunking_used))
acec9514 1199 g = string_catn(g, US" K", 2);
76f44207
WB
1200 }
1201
1202/* confirmation message (SMTP (host_used) and LMTP (driver_name)) */
fd98a5c6 1203
d6c82d7b
JH
1204if ( LOGGING(smtp_confirmation)
1205 && addr->message
1206 && (addr->host_used || Ustrcmp(addr->transport->driver_name, "lmtp") == 0)
1207 )
76f44207 1208 {
b980ed83 1209 unsigned i;
1c5b1499 1210 unsigned lim = big_buffer_size < 1024 ? big_buffer_size : 1024;
76f44207
WB
1211 uschar *p = big_buffer;
1212 uschar *ss = addr->message;
1213 *p++ = '\"';
b980ed83 1214 for (i = 0; i < lim && ss[i] != 0; i++) /* limit logged amount */
e4bdf652 1215 {
27520a68 1216 if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; /* quote \ and " */
76f44207 1217 *p++ = ss[i];
e4bdf652 1218 }
76f44207
WB
1219 *p++ = '\"';
1220 *p = 0;
acec9514 1221 g = string_append(g, 2, US" C=", big_buffer);
e4bdf652
JH
1222 }
1223
1224/* Time on queue and actual time taken to deliver */
1225
6c6d6e48 1226if (LOGGING(queue_time))
acec9514 1227 g = string_append(g, 2, US" QT=",
32dfdf8b 1228 string_timesince(&received_time));
e4bdf652 1229
6c6d6e48 1230if (LOGGING(deliver_time))
32dfdf8b 1231 {
f2ed27cf 1232 struct timeval diff = {.tv_sec = addr->more_errno, .tv_usec = addr->delivery_usec};
acec9514 1233 g = string_append(g, 2, US" DT=", string_timediff(&diff));
32dfdf8b 1234 }
e4bdf652
JH
1235
1236/* string_cat() always leaves room for the terminator. Release the
1237store we used to build the line after writing it. */
1238
acec9514 1239log_write(0, flags, "%s", string_from_gstring(g));
d68218c7 1240
0cbf2b82 1241#ifndef DISABLE_EVENT
774ef2d7 1242if (!msg) msg_event_raise(US"msg:delivery", addr);
d68218c7 1243#endif
14a465c3 1244
e4bdf652
JH
1245store_reset(reset_point);
1246return;
1247}
1248
1249
1250
5dac72a7
JH
1251static void
1252deferral_log(address_item * addr, uschar * now,
1253 int logflags, uschar * driver_name, uschar * driver_kind)
1254{
acec9514
JH
1255gstring * g;
1256void * reset_point;
5dac72a7
JH
1257
1258/* Build up the line that is used for both the message log and the main
1259log. */
1260
acec9514 1261g = reset_point = string_get(256);
5dac72a7
JH
1262
1263/* Create the address string for logging. Must not do this earlier, because
1264an OK result may be changed to FAIL when a pipe returns text. */
1265
acec9514 1266g = string_log_address(g, addr, LOGGING(all_parents), FALSE);
5dac72a7
JH
1267
1268if (*queue_name)
acec9514 1269 g = string_append(g, 2, US" Q=", queue_name);
5dac72a7
JH
1270
1271/* Either driver_name contains something and driver_kind contains
1272" router" or " transport" (note the leading space), or driver_name is
1273a null string and driver_kind contains "routing" without the leading
1274space, if all routing has been deferred. When a domain has been held,
1275so nothing has been done at all, both variables contain null strings. */
1276
1277if (driver_name)
1278 {
1279 if (driver_kind[1] == 't' && addr->router)
acec9514
JH
1280 g = string_append(g, 2, US" R=", addr->router->name);
1281 g = string_cat(g, string_sprintf(" %c=%s", toupper(driver_kind[1]), driver_name));
5dac72a7
JH
1282 }
1283else if (driver_kind)
acec9514 1284 g = string_append(g, 2, US" ", driver_kind);
5dac72a7
JH
1285
1286/*XXX need an s+s+p sprintf */
acec9514 1287g = string_cat(g, string_sprintf(" defer (%d)", addr->basic_errno));
5dac72a7
JH
1288
1289if (addr->basic_errno > 0)
acec9514 1290 g = string_append(g, 2, US": ",
5dac72a7
JH
1291 US strerror(addr->basic_errno));
1292
1293if (addr->host_used)
1294 {
acec9514 1295 g = string_append(g, 5,
5dac72a7
JH
1296 US" H=", addr->host_used->name,
1297 US" [", addr->host_used->address, US"]");
1298 if (LOGGING(outgoing_port))
1299 {
1300 int port = addr->host_used->port;
acec9514 1301 g = string_append(g, 2,
5dac72a7
JH
1302 US":", port == PORT_NONE ? US"25" : string_sprintf("%d", port));
1303 }
1304 }
1305
1306if (addr->message)
acec9514 1307 g = string_append(g, 2, US": ", addr->message);
5dac72a7 1308
acec9514 1309(void) string_from_gstring(g);
5dac72a7
JH
1310
1311/* Log the deferment in the message log, but don't clutter it
1312up with retry-time defers after the first delivery attempt. */
1313
1314if (deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE)
acec9514 1315 deliver_msglog("%s %s\n", now, g->s);
5dac72a7
JH
1316
1317/* Write the main log and reset the store.
1318For errors of the type "retry time not reached" (also remotes skipped
1319on queue run), logging is controlled by L_retry_defer. Note that this kind
1320of error number is negative, and all the retry ones are less than any
1321others. */
1322
1323
1324log_write(addr->basic_errno <= ERRNO_RETRY_BASE ? L_retry_defer : 0, logflags,
acec9514 1325 "== %s", g->s);
5dac72a7
JH
1326
1327store_reset(reset_point);
1328return;
1329}
1330
1331
1332
1333static void
1334failure_log(address_item * addr, uschar * driver_kind, uschar * now)
1335{
acec9514
JH
1336void * reset_point;
1337gstring * g = reset_point = string_get(256);
5dac72a7
JH
1338
1339/* Build up the log line for the message and main logs */
1340
5dac72a7
JH
1341/* Create the address string for logging. Must not do this earlier, because
1342an OK result may be changed to FAIL when a pipe returns text. */
1343
acec9514 1344g = string_log_address(g, addr, LOGGING(all_parents), FALSE);
5dac72a7
JH
1345
1346if (LOGGING(sender_on_delivery))
acec9514 1347 g = string_append(g, 3, US" F=<", sender_address, US">");
5dac72a7
JH
1348
1349if (*queue_name)
acec9514 1350 g = string_append(g, 2, US" Q=", queue_name);
5dac72a7
JH
1351
1352/* Return path may not be set if no delivery actually happened */
1353
1354if (used_return_path && LOGGING(return_path_on_delivery))
acec9514 1355 g = string_append(g, 3, US" P=<", used_return_path, US">");
5dac72a7
JH
1356
1357if (addr->router)
acec9514 1358 g = string_append(g, 2, US" R=", addr->router->name);
5dac72a7 1359if (addr->transport)
acec9514 1360 g = string_append(g, 2, US" T=", addr->transport->name);
5dac72a7
JH
1361
1362if (addr->host_used)
acec9514 1363 g = d_hostlog(g, addr);
5dac72a7
JH
1364
1365#ifdef SUPPORT_TLS
acec9514 1366g = d_tlslog(g, addr);
5dac72a7
JH
1367#endif
1368
1369if (addr->basic_errno > 0)
acec9514 1370 g = string_append(g, 2, US": ", US strerror(addr->basic_errno));
5dac72a7
JH
1371
1372if (addr->message)
acec9514 1373 g = string_append(g, 2, US": ", addr->message);
5dac72a7 1374
acec9514 1375(void) string_from_gstring(g);
5dac72a7
JH
1376
1377/* Do the logging. For the message log, "routing failed" for those cases,
1378just to make it clearer. */
1379
1380if (driver_kind)
acec9514 1381 deliver_msglog("%s %s failed for %s\n", now, driver_kind, g->s);
5dac72a7 1382else
acec9514 1383 deliver_msglog("%s %s\n", now, g->s);
5dac72a7 1384
acec9514 1385log_write(0, LOG_MAIN, "** %s", g->s);
5dac72a7
JH
1386
1387#ifndef DISABLE_EVENT
1388msg_event_raise(US"msg:fail:delivery", addr);
1389#endif
1390
1391store_reset(reset_point);
1392return;
1393}
1394
1395
1396
059ec3d9
PH
1397/*************************************************
1398* Actions at the end of handling an address *
1399*************************************************/
1400
1401/* This is a function for processing a single address when all that can be done
1402with it has been done.
1403
1404Arguments:
1405 addr points to the address block
1406 result the result of the delivery attempt
1407 logflags flags for log_write() (LOG_MAIN and/or LOG_PANIC)
1408 driver_type indicates which type of driver (transport, or router) was last
1409 to process the address
1410 logchar '=' or '-' for use when logging deliveries with => or ->
1411
1412Returns: nothing
1413*/
1414
1415static void
1416post_process_one(address_item *addr, int result, int logflags, int driver_type,
1417 int logchar)
1418{
1419uschar *now = tod_stamp(tod_log);
1420uschar *driver_kind = NULL;
1421uschar *driver_name = NULL;
059ec3d9 1422
059ec3d9
PH
1423DEBUG(D_deliver) debug_printf("post-process %s (%d)\n", addr->address, result);
1424
1425/* Set up driver kind and name for logging. Disable logging if the router or
1426transport has disabled it. */
1427
ba936fb8 1428if (driver_type == EXIM_DTYPE_TRANSPORT)
059ec3d9 1429 {
d6c82d7b 1430 if (addr->transport)
059ec3d9
PH
1431 {
1432 driver_name = addr->transport->name;
1433 driver_kind = US" transport";
1434 disable_logging = addr->transport->disable_logging;
1435 }
1436 else driver_kind = US"transporting";
1437 }
ba936fb8 1438else if (driver_type == EXIM_DTYPE_ROUTER)
059ec3d9 1439 {
d6c82d7b 1440 if (addr->router)
059ec3d9
PH
1441 {
1442 driver_name = addr->router->name;
1443 driver_kind = US" router";
1444 disable_logging = addr->router->disable_logging;
1445 }
1446 else driver_kind = US"routing";
1447 }
1448
1449/* If there's an error message set, ensure that it contains only printing
1450characters - it should, but occasionally things slip in and this at least
49c2d5ea
PH
1451stops the log format from getting wrecked. We also scan the message for an LDAP
1452expansion item that has a password setting, and flatten the password. This is a
1453fudge, but I don't know a cleaner way of doing this. (If the item is badly
1454malformed, it won't ever have gone near LDAP.) */
059ec3d9 1455
d6c82d7b 1456if (addr->message)
49c2d5ea 1457 {
55414b25 1458 const uschar * s = string_printing(addr->message);
f42deca9
JH
1459
1460 /* deconst cast ok as string_printing known to have alloc'n'copied */
1461 addr->message = expand_hide_passwords(US s);
49c2d5ea 1462 }
059ec3d9
PH
1463
1464/* If we used a transport that has one of the "return_output" options set, and
1465if it did in fact generate some output, then for return_output we treat the
1466message as failed if it was not already set that way, so that the output gets
1467returned to the sender, provided there is a sender to send it to. For
1468return_fail_output, do this only if the delivery failed. Otherwise we just
1469unlink the file, and remove the name so that if the delivery failed, we don't
1470try to send back an empty or unwanted file. The log_output options operate only
1471on a non-empty file.
1472
1473In any case, we close the message file, because we cannot afford to leave a
1474file-descriptor for one address while processing (maybe very many) others. */
1475
d6c82d7b 1476if (addr->return_file >= 0 && addr->return_filename)
059ec3d9
PH
1477 {
1478 BOOL return_output = FALSE;
1479 struct stat statbuf;
54fc8428 1480 (void)EXIMfsync(addr->return_file);
059ec3d9
PH
1481
1482 /* If there is no output, do nothing. */
1483
1484 if (fstat(addr->return_file, &statbuf) == 0 && statbuf.st_size > 0)
1485 {
1486 transport_instance *tb = addr->transport;
1487
1488 /* Handle logging options */
1489
d6c82d7b
JH
1490 if ( tb->log_output
1491 || result == FAIL && tb->log_fail_output
1492 || result == DEFER && tb->log_defer_output
1493 )
059ec3d9
PH
1494 {
1495 uschar *s;
1496 FILE *f = Ufopen(addr->return_filename, "rb");
d6c82d7b 1497 if (!f)
059ec3d9
PH
1498 log_write(0, LOG_MAIN|LOG_PANIC, "failed to open %s to log output "
1499 "from %s transport: %s", addr->return_filename, tb->name,
1500 strerror(errno));
1501 else
d6c82d7b 1502 if ((s = US Ufgets(big_buffer, big_buffer_size, f)))
059ec3d9
PH
1503 {
1504 uschar *p = big_buffer + Ustrlen(big_buffer);
55414b25 1505 const uschar * sp;
059ec3d9
PH
1506 while (p > big_buffer && isspace(p[-1])) p--;
1507 *p = 0;
55414b25 1508 sp = string_printing(big_buffer);
059ec3d9 1509 log_write(0, LOG_MAIN, "<%s>: %s transport output: %s",
55414b25 1510 addr->address, tb->name, sp);
059ec3d9 1511 }
f1e894f3 1512 (void)fclose(f);
059ec3d9
PH
1513 }
1514
1515 /* Handle returning options, but only if there is an address to return
1516 the text to. */
1517
d6c82d7b 1518 if (sender_address[0] != 0 || addr->prop.errors_address)
059ec3d9
PH
1519 if (tb->return_output)
1520 {
1521 addr->transport_return = result = FAIL;
d6c82d7b 1522 if (addr->basic_errno == 0 && !addr->message)
059ec3d9
PH
1523 addr->message = US"return message generated";
1524 return_output = TRUE;
1525 }
1526 else
1527 if (tb->return_fail_output && result == FAIL) return_output = TRUE;
059ec3d9
PH
1528 }
1529
1530 /* Get rid of the file unless it might be returned, but close it in
1531 all cases. */
1532
1533 if (!return_output)
1534 {
1535 Uunlink(addr->return_filename);
1536 addr->return_filename = NULL;
1537 addr->return_file = -1;
1538 }
1539
f1e894f3 1540 (void)close(addr->return_file);
059ec3d9
PH
1541 }
1542
9d1c15ef 1543/* The success case happens only after delivery by a transport. */
059ec3d9
PH
1544
1545if (result == OK)
1546 {
1547 addr->next = addr_succeed;
1548 addr_succeed = addr;
1549
1550 /* Call address_done() to ensure that we don't deliver to this address again,
1551 and write appropriate things to the message log. If it is a child address, we
1552 call child_done() to scan the ancestors and mark them complete if this is the
1553 last child to complete. */
1554
1555 address_done(addr, now);
1556 DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address);
1557
d6c82d7b 1558 if (!addr->parent)
059ec3d9
PH
1559 deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address,
1560 driver_name, driver_kind);
059ec3d9
PH
1561 else
1562 {
1563 deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address,
1564 addr->parent->address, driver_name, driver_kind);
1565 child_done(addr, now);
1566 }
1567
774ef2d7 1568 /* Certificates for logging (via events) */
a7538db1 1569#ifdef SUPPORT_TLS
9d1c15ef
JH
1570 tls_out.ourcert = addr->ourcert;
1571 addr->ourcert = NULL;
1572 tls_out.peercert = addr->peercert;
1573 addr->peercert = NULL;
018058b2 1574
018058b2
JH
1575 tls_out.cipher = addr->cipher;
1576 tls_out.peerdn = addr->peerdn;
1577 tls_out.ocsp = addr->ocsp;
83b27293
JH
1578# ifdef EXPERIMENTAL_DANE
1579 tls_out.dane_verified = testflag(addr, af_dane_verified);
1580# endif
a7538db1 1581#endif
9d1c15ef 1582
817d9f57 1583 delivery_log(LOG_MAIN, addr, logchar, NULL);
9d1c15ef 1584
a7538db1 1585#ifdef SUPPORT_TLS
790fbb71
JH
1586 tls_free_cert(&tls_out.ourcert);
1587 tls_free_cert(&tls_out.peercert);
018058b2
JH
1588 tls_out.cipher = NULL;
1589 tls_out.peerdn = NULL;
1590 tls_out.ocsp = OCSP_NOT_REQ;
83b27293
JH
1591# ifdef EXPERIMENTAL_DANE
1592 tls_out.dane_verified = FALSE;
1593# endif
a7538db1 1594#endif
059ec3d9
PH
1595 }
1596
1597
1598/* Soft failure, or local delivery process failed; freezing may be
1599requested. */
1600
1601else if (result == DEFER || result == PANIC)
1602 {
1603 if (result == PANIC) logflags |= LOG_PANIC;
1604
1605 /* This puts them on the chain in reverse order. Do not change this, because
1606 the code for handling retries assumes that the one with the retry
1607 information is last. */
1608
1609 addr->next = addr_defer;
1610 addr_defer = addr;
1611
1612 /* The only currently implemented special action is to freeze the
1613 message. Logging of this is done later, just before the -H file is
1614 updated. */
1615
1616 if (addr->special_action == SPECIAL_FREEZE)
1617 {
1618 deliver_freeze = TRUE;
1619 deliver_frozen_at = time(NULL);
1620 update_spool = TRUE;
1621 }
1622
1623 /* If doing a 2-stage queue run, we skip writing to either the message
1624 log or the main log for SMTP defers. */
1625
1626 if (!queue_2stage || addr->basic_errno != 0)
5dac72a7 1627 deferral_log(addr, now, logflags, driver_name, driver_kind);
059ec3d9
PH
1628 }
1629
1630
1631/* Hard failure. If there is an address to which an error message can be sent,
1632put this address on the failed list. If not, put it on the deferred list and
1633freeze the mail message for human attention. The latter action can also be
1634explicitly requested by a router or transport. */
1635
1636else
1637 {
1638 /* If this is a delivery error, or a message for which no replies are
1639 wanted, and the message's age is greater than ignore_bounce_errors_after,
1640 force the af_ignore_error flag. This will cause the address to be discarded
1641 later (with a log entry). */
1642
10c50704 1643 if (!*sender_address && message_age >= ignore_bounce_errors_after)
7eb0e5d2 1644 addr->prop.ignore_error = TRUE;
059ec3d9
PH
1645
1646 /* Freeze the message if requested, or if this is a bounce message (or other
652e1b65
PH
1647 message with null sender) and this address does not have its own errors
1648 address. However, don't freeze if errors are being ignored. The actual code
1649 to ignore occurs later, instead of sending a message. Logging of freezing
1650 occurs later, just before writing the -H file. */
059ec3d9 1651
7eb0e5d2 1652 if ( !addr->prop.ignore_error
d6c82d7b
JH
1653 && ( addr->special_action == SPECIAL_FREEZE
1654 || (sender_address[0] == 0 && !addr->prop.errors_address)
1655 ) )
059ec3d9 1656 {
d6c82d7b
JH
1657 frozen_info = addr->special_action == SPECIAL_FREEZE
1658 ? US""
1659 : sender_local && !local_error_message
1660 ? US" (message created with -f <>)"
1661 : US" (delivery error message)";
059ec3d9
PH
1662 deliver_freeze = TRUE;
1663 deliver_frozen_at = time(NULL);
1664 update_spool = TRUE;
1665
1666 /* The address is put on the defer rather than the failed queue, because
1667 the message is being retained. */
1668
1669 addr->next = addr_defer;
1670 addr_defer = addr;
1671 }
1672
1673 /* Don't put the address on the nonrecipients tree yet; wait until an
1674 error message has been successfully sent. */
1675
1676 else
1677 {
1678 addr->next = addr_failed;
1679 addr_failed = addr;
1680 }
1681
5dac72a7 1682 failure_log(addr, driver_name ? NULL : driver_kind, now);
059ec3d9
PH
1683 }
1684
1685/* Ensure logging is turned on again in all cases */
1686
1687disable_logging = FALSE;
1688}
1689
1690
1691
1692
1693/*************************************************
1694* Address-independent error *
1695*************************************************/
1696
1697/* This function is called when there's an error that is not dependent on a
1698particular address, such as an expansion string failure. It puts the error into
1699all the addresses in a batch, logs the incident on the main and panic logs, and
1700clears the expansions. It is mostly called from local_deliver(), but can be
1701called for a remote delivery via findugid().
1702
1703Arguments:
1704 logit TRUE if (MAIN+PANIC) logging required
1705 addr the first of the chain of addresses
1706 code the error code
1707 format format string for error message, or NULL if already set in addr
1708 ... arguments for the format
1709
1710Returns: nothing
1711*/
1712
1713static void
1714common_error(BOOL logit, address_item *addr, int code, uschar *format, ...)
1715{
1716address_item *addr2;
1717addr->basic_errno = code;
1718
d6c82d7b 1719if (format)
059ec3d9
PH
1720 {
1721 va_list ap;
1722 uschar buffer[512];
1723 va_start(ap, format);
1724 if (!string_vformat(buffer, sizeof(buffer), CS format, ap))
1725 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
81f91683 1726 "common_error expansion was longer than " SIZE_T_FMT, sizeof(buffer));
059ec3d9
PH
1727 va_end(ap);
1728 addr->message = string_copy(buffer);
1729 }
1730
d6c82d7b 1731for (addr2 = addr->next; addr2; addr2 = addr2->next)
059ec3d9
PH
1732 {
1733 addr2->basic_errno = code;
1734 addr2->message = addr->message;
1735 }
1736
1737if (logit) log_write(0, LOG_MAIN|LOG_PANIC, "%s", addr->message);
1738deliver_set_expansions(NULL);
1739}
1740
1741
1742
1743
1744/*************************************************
1745* Check a "never users" list *
1746*************************************************/
1747
1748/* This function is called to check whether a uid is on one of the two "never
1749users" lists.
1750
1751Arguments:
1752 uid the uid to be checked
1753 nusers the list to be scanned; the first item in the list is the count
1754
1755Returns: TRUE if the uid is on the list
1756*/
1757
1758static BOOL
1759check_never_users(uid_t uid, uid_t *nusers)
1760{
1761int i;
d6c82d7b 1762if (!nusers) return FALSE;
059ec3d9
PH
1763for (i = 1; i <= (int)(nusers[0]); i++) if (nusers[i] == uid) return TRUE;
1764return FALSE;
1765}
1766
1767
1768
1769/*************************************************
1770* Find uid and gid for a transport *
1771*************************************************/
1772
1773/* This function is called for both local and remote deliveries, to find the
1774uid/gid under which to run the delivery. The values are taken preferentially
1775from the transport (either explicit or deliver_as_creator), then from the
1776address (i.e. the router), and if nothing is set, the exim uid/gid are used. If
1777the resulting uid is on the "never_users" or the "fixed_never_users" list, a
1778panic error is logged, and the function fails (which normally leads to delivery
1779deferral).
1780
1781Arguments:
1782 addr the address (possibly a chain)
1783 tp the transport
1784 uidp pointer to uid field
1785 gidp pointer to gid field
1786 igfp pointer to the use_initgroups field
1787
1788Returns: FALSE if failed - error has been set in address(es)
1789*/
1790
1791static BOOL
1792findugid(address_item *addr, transport_instance *tp, uid_t *uidp, gid_t *gidp,
1793 BOOL *igfp)
1794{
d6c82d7b 1795uschar *nuname;
059ec3d9
PH
1796BOOL gid_set = FALSE;
1797
1798/* Default initgroups flag comes from the transport */
1799
1800*igfp = tp->initgroups;
1801
1802/* First see if there's a gid on the transport, either fixed or expandable.
1803The expanding function always logs failure itself. */
1804
1805if (tp->gid_set)
1806 {
1807 *gidp = tp->gid;
1808 gid_set = TRUE;
1809 }
d6c82d7b 1810else if (tp->expand_gid)
059ec3d9 1811 {
d6c82d7b
JH
1812 if (!route_find_expanded_group(tp->expand_gid, tp->name, US"transport", gidp,
1813 &(addr->message)))
059ec3d9
PH
1814 {
1815 common_error(FALSE, addr, ERRNO_GIDFAIL, NULL);
1816 return FALSE;
1817 }
d6c82d7b 1818 gid_set = TRUE;
059ec3d9
PH
1819 }
1820
911f6fde
PH
1821/* If the transport did not set a group, see if the router did. */
1822
1823if (!gid_set && testflag(addr, af_gid_set))
1824 {
1825 *gidp = addr->gid;
1826 gid_set = TRUE;
1827 }
1828
059ec3d9
PH
1829/* Pick up a uid from the transport if one is set. */
1830
1831if (tp->uid_set) *uidp = tp->uid;
1832
1833/* Otherwise, try for an expandable uid field. If it ends up as a numeric id,
1834it does not provide a passwd value from which a gid can be taken. */
1835
d6c82d7b 1836else if (tp->expand_uid)
059ec3d9
PH
1837 {
1838 struct passwd *pw;
1839 if (!route_find_expanded_user(tp->expand_uid, tp->name, US"transport", &pw,
1840 uidp, &(addr->message)))
1841 {
1842 common_error(FALSE, addr, ERRNO_UIDFAIL, NULL);
1843 return FALSE;
1844 }
d6c82d7b 1845 if (!gid_set && pw)
059ec3d9
PH
1846 {
1847 *gidp = pw->pw_gid;
1848 gid_set = TRUE;
1849 }
1850 }
1851
1852/* If the transport doesn't set the uid, test the deliver_as_creator flag. */
1853
1854else if (tp->deliver_as_creator)
1855 {
1856 *uidp = originator_uid;
1857 if (!gid_set)
1858 {
1859 *gidp = originator_gid;
1860 gid_set = TRUE;
1861 }
1862 }
1863
911f6fde
PH
1864/* Otherwise see if the address specifies the uid and if so, take it and its
1865initgroups flag. */
059ec3d9
PH
1866
1867else if (testflag(addr, af_uid_set))
1868 {
1869 *uidp = addr->uid;
1870 *igfp = testflag(addr, af_initgroups);
059ec3d9
PH
1871 }
1872
1873/* Nothing has specified the uid - default to the Exim user, and group if the
1874gid is not set. */
1875
1876else
1877 {
1878 *uidp = exim_uid;
1879 if (!gid_set)
1880 {
1881 *gidp = exim_gid;
1882 gid_set = TRUE;
1883 }
1884 }
1885
911f6fde
PH
1886/* If no gid is set, it is a disaster. We default to the Exim gid only if
1887defaulting to the Exim uid. In other words, if the configuration has specified
1888a uid, it must also provide a gid. */
059ec3d9
PH
1889
1890if (!gid_set)
1891 {
1892 common_error(TRUE, addr, ERRNO_GIDFAIL, US"User set without group for "
1893 "%s transport", tp->name);
1894 return FALSE;
1895 }
1896
1897/* Check that the uid is not on the lists of banned uids that may not be used
1898for delivery processes. */
1899
d6c82d7b
JH
1900nuname = check_never_users(*uidp, never_users)
1901 ? US"never_users"
1902 : check_never_users(*uidp, fixed_never_users)
1903 ? US"fixed_never_users"
1904 : NULL;
1905if (nuname)
059ec3d9
PH
1906 {
1907 common_error(TRUE, addr, ERRNO_UIDFAIL, US"User %ld set for %s transport "
1908 "is on the %s list", (long int)(*uidp), tp->name, nuname);
1909 return FALSE;
1910 }
1911
1912/* All is well */
1913
1914return TRUE;
1915}
1916
1917
1918
1919
1920/*************************************************
1921* Check the size of a message for a transport *
1922*************************************************/
1923
1924/* Checks that the message isn't too big for the selected transport.
1925This is called only when it is known that the limit is set.
1926
1927Arguments:
1928 tp the transport
1929 addr the (first) address being delivered
1930
1931Returns: OK
1932 DEFER expansion failed or did not yield an integer
1933 FAIL message too big
1934*/
1935
1936int
1937check_message_size(transport_instance *tp, address_item *addr)
1938{
1939int rc = OK;
1940int size_limit;
1941
1942deliver_set_expansions(addr);
d45b1de8 1943size_limit = expand_string_integer(tp->message_size_limit, TRUE);
059ec3d9
PH
1944deliver_set_expansions(NULL);
1945
d6c82d7b 1946if (expand_string_message)
059ec3d9
PH
1947 {
1948 rc = DEFER;
d6c82d7b
JH
1949 addr->message = size_limit == -1
1950 ? string_sprintf("failed to expand message_size_limit "
1951 "in %s transport: %s", tp->name, expand_string_message)
1952 : string_sprintf("invalid message_size_limit "
059ec3d9
PH
1953 "in %s transport: %s", tp->name, expand_string_message);
1954 }
1955else if (size_limit > 0 && message_size > size_limit)
1956 {
1957 rc = FAIL;
1958 addr->message =
1959 string_sprintf("message is too big (transport limit = %d)",
1960 size_limit);
1961 }
1962
1963return rc;
1964}
1965
1966
1967
1968/*************************************************
1969* Transport-time check for a previous delivery *
1970*************************************************/
1971
1972/* Check that this base address hasn't previously been delivered to its routed
c2c19e9d
PH
1973transport. If it has been delivered, mark it done. The check is necessary at
1974delivery time in order to handle homonymic addresses correctly in cases where
1975the pattern of redirection changes between delivery attempts (so the unique
1976fields change). Non-homonymic previous delivery is detected earlier, at routing
1977time (which saves unnecessary routing).
1978
1979Arguments:
1980 addr the address item
1981 testing TRUE if testing wanted only, without side effects
059ec3d9 1982
059ec3d9
PH
1983Returns: TRUE if previously delivered by the transport
1984*/
1985
1986static BOOL
c2c19e9d 1987previously_transported(address_item *addr, BOOL testing)
059ec3d9
PH
1988{
1989(void)string_format(big_buffer, big_buffer_size, "%s/%s",
1990 addr->unique + (testflag(addr, af_homonym)? 3:0), addr->transport->name);
1991
1992if (tree_search(tree_nonrecipients, big_buffer) != 0)
1993 {
1994 DEBUG(D_deliver|D_route|D_transport)
1995 debug_printf("%s was previously delivered (%s transport): discarded\n",
1996 addr->address, addr->transport->name);
c2c19e9d 1997 if (!testing) child_done(addr, tod_stamp(tod_log));
059ec3d9
PH
1998 return TRUE;
1999 }
2000
2001return FALSE;
2002}
2003
2004
2005
064a94c9
PH
2006/******************************************************
2007* Check for a given header in a header string *
2008******************************************************/
2009
2010/* This function is used when generating quota warnings. The configuration may
2011specify any header lines it likes in quota_warn_message. If certain of them are
2012missing, defaults are inserted, so we need to be able to test for the presence
2013of a given header.
2014
2015Arguments:
2016 hdr the required header name
2017 hstring the header string
2018
2019Returns: TRUE the header is in the string
2020 FALSE the header is not in the string
2021*/
2022
2023static BOOL
2024contains_header(uschar *hdr, uschar *hstring)
2025{
2026int len = Ustrlen(hdr);
2027uschar *p = hstring;
2028while (*p != 0)
2029 {
2030 if (strncmpic(p, hdr, len) == 0)
2031 {
2032 p += len;
2033 while (*p == ' ' || *p == '\t') p++;
2034 if (*p == ':') return TRUE;
2035 }
2036 while (*p != 0 && *p != '\n') p++;
2037 if (*p == '\n') p++;
2038 }
2039return FALSE;
2040}
2041
2042
2043
059ec3d9
PH
2044
2045/*************************************************
2046* Perform a local delivery *
2047*************************************************/
2048
2049/* Each local delivery is performed in a separate process which sets its
2050uid and gid as specified. This is a safer way than simply changing and
2051restoring using seteuid(); there is a body of opinion that seteuid() cannot be
2052used safely. From release 4, Exim no longer makes any use of it. Besides, not
2053all systems have seteuid().
2054
2055If the uid/gid are specified in the transport_instance, they are used; the
2056transport initialization must ensure that either both or neither are set.
2057Otherwise, the values associated with the address are used. If neither are set,
2058it is a configuration error.
2059
2060The transport or the address may specify a home directory (transport over-
2061rides), and if they do, this is set as $home. If neither have set a working
2062directory, this value is used for that as well. Otherwise $home is left unset
2063and the cwd is set to "/" - a directory that should be accessible to all users.
2064
2065Using a separate process makes it more complicated to get error information
2066back. We use a pipe to pass the return code and also an error code and error
2067text string back to the parent process.
2068
2069Arguments:
2070 addr points to an address block for this delivery; for "normal" local
2071 deliveries this is the only address to be delivered, but for
2072 pseudo-remote deliveries (e.g. by batch SMTP to a file or pipe)
2073 a number of addresses can be handled simultaneously, and in this
2074 case addr will point to a chain of addresses with the same
2075 characteristics.
2076
2077 shadowing TRUE if running a shadow transport; this causes output from pipes
2078 to be ignored.
2079
2080Returns: nothing
2081*/
2082
2083static void
2084deliver_local(address_item *addr, BOOL shadowing)
2085{
2086BOOL use_initgroups;
2087uid_t uid;
2088gid_t gid;
2089int status, len, rc;
2090int pfd[2];
2091pid_t pid;
2092uschar *working_directory;
2093address_item *addr2;
2094transport_instance *tp = addr->transport;
2095
2096/* Set up the return path from the errors or sender address. If the transport
2097has its own return path setting, expand it and replace the existing value. */
2098
d6c82d7b 2099if(addr->prop.errors_address)
d43cbe25 2100 return_path = addr->prop.errors_address;
384152a6 2101#ifdef EXPERIMENTAL_SRS
d6c82d7b 2102else if (addr->prop.srs_sender)
d43cbe25 2103 return_path = addr->prop.srs_sender;
384152a6
TK
2104#endif
2105else
2106 return_path = sender_address;
059ec3d9 2107
d6c82d7b 2108if (tp->return_path)
059ec3d9
PH
2109 {
2110 uschar *new_return_path = expand_string(tp->return_path);
d6c82d7b 2111 if (!new_return_path)
059ec3d9
PH
2112 {
2113 if (!expand_string_forcedfail)
2114 {
2115 common_error(TRUE, addr, ERRNO_EXPANDFAIL,
2116 US"Failed to expand return path \"%s\" in %s transport: %s",
2117 tp->return_path, tp->name, expand_string_message);
2118 return;
2119 }
2120 }
2121 else return_path = new_return_path;
2122 }
2123
2124/* For local deliveries, one at a time, the value used for logging can just be
2125set directly, once and for all. */
2126
2127used_return_path = return_path;
2128
2129/* Sort out the uid, gid, and initgroups flag. If an error occurs, the message
2130gets put into the address(es), and the expansions are unset, so we can just
2131return. */
2132
2133if (!findugid(addr, tp, &uid, &gid, &use_initgroups)) return;
2134
5418e93b
PH
2135/* See if either the transport or the address specifies a home directory. A
2136home directory set in the address may already be expanded; a flag is set to
2137indicate that. In other cases we must expand it. */
059ec3d9 2138
d6c82d7b
JH
2139if ( (deliver_home = tp->home_dir) /* Set in transport, or */
2140 || ( (deliver_home = addr->home_dir) /* Set in address and */
2141 && !testflag(addr, af_home_expanded) /* not expanded */
2142 ) )
059ec3d9
PH
2143 {
2144 uschar *rawhome = deliver_home;
2145 deliver_home = NULL; /* in case it contains $home */
d6c82d7b 2146 if (!(deliver_home = expand_string(rawhome)))
059ec3d9
PH
2147 {
2148 common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"home directory \"%s\" failed "
2149 "to expand for %s transport: %s", rawhome, tp->name,
2150 expand_string_message);
2151 return;
2152 }
2153 if (*deliver_home != '/')
2154 {
2155 common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"home directory path \"%s\" "
2156 "is not absolute for %s transport", deliver_home, tp->name);
2157 return;
2158 }
2159 }
2160
5418e93b
PH
2161/* See if either the transport or the address specifies a current directory,
2162and if so, expand it. If nothing is set, use the home directory, unless it is
2163also unset in which case use "/", which is assumed to be a directory to which
2164all users have access. It is necessary to be in a visible directory for some
2165operating systems when running pipes, as some commands (e.g. "rm" under Solaris
21662.5) require this. */
2167
d6c82d7b
JH
2168working_directory = tp->current_dir ? tp->current_dir : addr->current_dir;
2169if (working_directory)
059ec3d9
PH
2170 {
2171 uschar *raw = working_directory;
d6c82d7b 2172 if (!(working_directory = expand_string(raw)))
059ec3d9
PH
2173 {
2174 common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"current directory \"%s\" "
2175 "failed to expand for %s transport: %s", raw, tp->name,
2176 expand_string_message);
2177 return;
2178 }
2179 if (*working_directory != '/')
2180 {
2181 common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"current directory path "
2182 "\"%s\" is not absolute for %s transport", working_directory, tp->name);
2183 return;
2184 }
2185 }
d6c82d7b 2186else working_directory = deliver_home ? deliver_home : US"/";
059ec3d9
PH
2187
2188/* If one of the return_output flags is set on the transport, create and open a
2189file in the message log directory for the transport to write its output onto.
2190This is mainly used by pipe transports. The file needs to be unique to the
2191address. This feature is not available for shadow transports. */
2192
d6c82d7b
JH
2193if ( !shadowing
2194 && ( tp->return_output || tp->return_fail_output
ec0eb1a3 2195 || tp->log_output || tp->log_fail_output || tp->log_defer_output
d6c82d7b 2196 ) )
059ec3d9 2197 {
41313d92
JH
2198 uschar * error;
2199
059ec3d9 2200 addr->return_filename =
41313d92
JH
2201 spool_fname(US"msglog", message_subdir, message_id,
2202 string_sprintf("-%d-%d", getpid(), return_count++));
4c0a7a9c 2203
41313d92 2204 if ((addr->return_file = open_msglog_file(addr->return_filename, 0400, &error)) < 0)
059ec3d9
PH
2205 {
2206 common_error(TRUE, addr, errno, US"Unable to %s file for %s transport "
2207 "to return message: %s", error, tp->name, strerror(errno));
2208 return;
2209 }
2210 }
2211
2212/* Create the pipe for inter-process communication. */
2213
2214if (pipe(pfd) != 0)
2215 {
2216 common_error(TRUE, addr, ERRNO_PIPEFAIL, US"Creation of pipe failed: %s",
2217 strerror(errno));
2218 return;
2219 }
2220
2221/* Now fork the process to do the real work in the subprocess, but first
2222ensure that all cached resources are freed so that the subprocess starts with
2223a clean slate and doesn't interfere with the parent process. */
2224
2225search_tidyup();
2226
2227if ((pid = fork()) == 0)
2228 {
2229 BOOL replicate = TRUE;
2230
2231 /* Prevent core dumps, as we don't want them in users' home directories.
2232 HP-UX doesn't have RLIMIT_CORE; I don't know how to do this in that
2233 system. Some experimental/developing systems (e.g. GNU/Hurd) may define
2234 RLIMIT_CORE but not support it in setrlimit(). For such systems, do not
a29e5231
PP
2235 complain if the error is "not supported".
2236
2237 There are two scenarios where changing the max limit has an effect. In one,
2238 the user is using a .forward and invoking a command of their choice via pipe;
2239 for these, we do need the max limit to be 0 unless the admin chooses to
2240 permit an increased limit. In the other, the command is invoked directly by
2241 the transport and is under administrator control, thus being able to raise
2242 the limit aids in debugging. So there's no general always-right answer.
2243
2244 Thus we inhibit core-dumps completely but let individual transports, while
2245 still root, re-raise the limits back up to aid debugging. We make the
2246 default be no core-dumps -- few enough people can use core dumps in
2247 diagnosis that it's reasonable to make them something that has to be explicitly requested.
2248 */
059ec3d9 2249
a7538db1 2250#ifdef RLIMIT_CORE
059ec3d9
PH
2251 struct rlimit rl;
2252 rl.rlim_cur = 0;
2253 rl.rlim_max = 0;
2254 if (setrlimit(RLIMIT_CORE, &rl) < 0)
2255 {
a7538db1 2256# ifdef SETRLIMIT_NOT_SUPPORTED
059ec3d9 2257 if (errno != ENOSYS && errno != ENOTSUP)
a7538db1 2258# endif
059ec3d9
PH
2259 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_CORE) failed: %s",
2260 strerror(errno));
2261 }
a7538db1 2262#endif
059ec3d9
PH
2263
2264 /* Reset the random number generator, so different processes don't all
2265 have the same sequence. */
2266
2267 random_seed = 0;
2268
2269 /* If the transport has a setup entry, call this first, while still
2270 privileged. (Appendfile uses this to expand quota, for example, while
2271 able to read private files.) */
2272
d6c82d7b 2273 if (addr->transport->setup)
929ba01c 2274 switch((addr->transport->setup)(addr->transport, addr, NULL, uid, gid,
059ec3d9
PH
2275 &(addr->message)))
2276 {
2277 case DEFER:
d6c82d7b
JH
2278 addr->transport_return = DEFER;
2279 goto PASS_BACK;
059ec3d9
PH
2280
2281 case FAIL:
d6c82d7b
JH
2282 addr->transport_return = PANIC;
2283 goto PASS_BACK;
059ec3d9 2284 }
059ec3d9
PH
2285
2286 /* Ignore SIGINT and SIGTERM during delivery. Also ignore SIGUSR1, as
2287 when the process becomes unprivileged, it won't be able to write to the
2288 process log. SIGHUP is ignored throughout exim, except when it is being
2289 run as a daemon. */
2290
2291 signal(SIGINT, SIG_IGN);
2292 signal(SIGTERM, SIG_IGN);
2293 signal(SIGUSR1, SIG_IGN);
2294
2295 /* Close the unwanted half of the pipe, and set close-on-exec for the other
2296 half - for transports that exec things (e.g. pipe). Then set the required
2297 gid/uid. */
2298
f1e894f3 2299 (void)close(pfd[pipe_read]);
ff790e47 2300 (void)fcntl(pfd[pipe_write], F_SETFD, fcntl(pfd[pipe_write], F_GETFD) |
059ec3d9
PH
2301 FD_CLOEXEC);
2302 exim_setugid(uid, gid, use_initgroups,
2303 string_sprintf("local delivery to %s <%s> transport=%s", addr->local_part,
2304 addr->address, addr->transport->name));
2305
2306 DEBUG(D_deliver)
2307 {
2308 address_item *batched;
2309 debug_printf(" home=%s current=%s\n", deliver_home, working_directory);
d6c82d7b 2310 for (batched = addr->next; batched; batched = batched->next)
059ec3d9
PH
2311 debug_printf("additional batched address: %s\n", batched->address);
2312 }
2313
2314 /* Set an appropriate working directory. */
2315
2316 if (Uchdir(working_directory) < 0)
2317 {
2318 addr->transport_return = DEFER;
2319 addr->basic_errno = errno;
2320 addr->message = string_sprintf("failed to chdir to %s", working_directory);
2321 }
2322
2323 /* If successful, call the transport */
2324
2325 else
2326 {
2327 BOOL ok = TRUE;
2328 set_process_info("delivering %s to %s using %s", message_id,
2329 addr->local_part, addr->transport->name);
2330
2a47f028
JH
2331 /* Setting this global in the subprocess means we need never clear it */
2332 transport_name = addr->transport->name;
2333
059ec3d9
PH
2334 /* If a transport filter has been specified, set up its argument list.
2335 Any errors will get put into the address, and FALSE yielded. */
2336
d6c82d7b 2337 if (addr->transport->filter_command)
059ec3d9
PH
2338 {
2339 ok = transport_set_up_command(&transport_filter_argv,
2340 addr->transport->filter_command,
2341 TRUE, PANIC, addr, US"transport filter", NULL);
2342 transport_filter_timeout = addr->transport->filter_timeout;
2343 }
2344 else transport_filter_argv = NULL;
2345
2346 if (ok)
2347 {
2348 debug_print_string(addr->transport->debug_string);
2349 replicate = !(addr->transport->info->code)(addr->transport, addr);
2350 }
2351 }
2352
2353 /* Pass the results back down the pipe. If necessary, first replicate the
2354 status in the top address to the others in the batch. The label is the
2355 subject of a goto when a call to the transport's setup function fails. We
2356 pass the pointer to the transport back in case it got changed as a result of
2357 file_format in appendfile. */
2358
2359 PASS_BACK:
2360
2361 if (replicate) replicate_status(addr);
d6c82d7b 2362 for (addr2 = addr; addr2; addr2 = addr2->next)
059ec3d9
PH
2363 {
2364 int i;
2365 int local_part_length = Ustrlen(addr2->local_part);
2366 uschar *s;
1ac6b2e7 2367 int ret;
059ec3d9 2368
d6c82d7b
JH
2369 if( (ret = write(pfd[pipe_write], &addr2->transport_return, sizeof(int))) != sizeof(int)
2370 || (ret = write(pfd[pipe_write], &transport_count, sizeof(transport_count))) != sizeof(transport_count)
2371 || (ret = write(pfd[pipe_write], &addr2->flags, sizeof(addr2->flags))) != sizeof(addr2->flags)
2372 || (ret = write(pfd[pipe_write], &addr2->basic_errno, sizeof(int))) != sizeof(int)
2373 || (ret = write(pfd[pipe_write], &addr2->more_errno, sizeof(int))) != sizeof(int)
32dfdf8b 2374 || (ret = write(pfd[pipe_write], &addr2->delivery_usec, sizeof(int))) != sizeof(int)
d6c82d7b
JH
2375 || (ret = write(pfd[pipe_write], &addr2->special_action, sizeof(int))) != sizeof(int)
2376 || (ret = write(pfd[pipe_write], &addr2->transport,
1ac6b2e7 2377 sizeof(transport_instance *))) != sizeof(transport_instance *)
059ec3d9
PH
2378
2379 /* For a file delivery, pass back the local part, in case the original
2380 was only part of the final delivery path. This gives more complete
2381 logging. */
2382
1ac6b2e7 2383 || (testflag(addr2, af_file)
d6c82d7b 2384 && ( (ret = write(pfd[pipe_write], &local_part_length, sizeof(int))) != sizeof(int)
1ac6b2e7
JH
2385 || (ret = write(pfd[pipe_write], addr2->local_part, local_part_length)) != local_part_length
2386 )
2387 )
2388 )
a23ff3b4 2389 log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
1ac6b2e7 2390 ret == -1 ? strerror(errno) : "short write");
059ec3d9
PH
2391
2392 /* Now any messages */
2393
2394 for (i = 0, s = addr2->message; i < 2; i++, s = addr2->user_message)
2395 {
d6c82d7b
JH
2396 int message_length = s ? Ustrlen(s) + 1 : 0;
2397 if( (ret = write(pfd[pipe_write], &message_length, sizeof(int))) != sizeof(int)
2398 || message_length > 0 && (ret = write(pfd[pipe_write], s, message_length)) != message_length
1ac6b2e7 2399 )
a23ff3b4 2400 log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
1ac6b2e7 2401 ret == -1 ? strerror(errno) : "short write");
059ec3d9
PH
2402 }
2403 }
2404
2405 /* OK, this process is now done. Free any cached resources that it opened,
2406 and close the pipe we were writing down before exiting. */
2407
f1e894f3 2408 (void)close(pfd[pipe_write]);
059ec3d9
PH
2409 search_tidyup();
2410 exit(EXIT_SUCCESS);
2411 }
2412
2413/* Back in the main process: panic if the fork did not succeed. This seems
2414better than returning an error - if forking is failing it is probably best
2415not to try other deliveries for this message. */
2416
2417if (pid < 0)
2418 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Fork failed for local delivery to %s",
2419 addr->address);
2420
2421/* Read the pipe to get the delivery status codes and error messages. Our copy
2422of the writing end must be closed first, as otherwise read() won't return zero
2423on an empty pipe. We check that a status exists for each address before
2424overwriting the address structure. If data is missing, the default DEFER status
2425will remain. Afterwards, close the reading end. */
2426
f1e894f3 2427(void)close(pfd[pipe_write]);
059ec3d9 2428
d6c82d7b 2429for (addr2 = addr; addr2; addr2 = addr2->next)
059ec3d9 2430 {
d88f0784 2431 if ((len = read(pfd[pipe_read], &status, sizeof(int))) > 0)
059ec3d9
PH
2432 {
2433 int i;
2434 uschar **sptr;
2435
2436 addr2->transport_return = status;
d6c82d7b 2437 len = read(pfd[pipe_read], &transport_count,
059ec3d9 2438 sizeof(transport_count));
d6c82d7b
JH
2439 len = read(pfd[pipe_read], &addr2->flags, sizeof(addr2->flags));
2440 len = read(pfd[pipe_read], &addr2->basic_errno, sizeof(int));
2441 len = read(pfd[pipe_read], &addr2->more_errno, sizeof(int));
32dfdf8b 2442 len = read(pfd[pipe_read], &addr2->delivery_usec, sizeof(int));
d6c82d7b
JH
2443 len = read(pfd[pipe_read], &addr2->special_action, sizeof(int));
2444 len = read(pfd[pipe_read], &addr2->transport,
059ec3d9
PH
2445 sizeof(transport_instance *));
2446
2447 if (testflag(addr2, af_file))
2448 {
d88f0784
JH
2449 int llen;
2450 if ( read(pfd[pipe_read], &llen, sizeof(int)) != sizeof(int)
2451 || llen > 64*4 /* limit from rfc 5821, times I18N factor */
2452 )
2453 {
2454 log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part length read"
2455 " from delivery subprocess");
2456 break;
2457 }
2458 /* sanity-checked llen so disable the Coverity error */
2459 /* coverity[tainted_data] */
2460 if (read(pfd[pipe_read], big_buffer, llen) != llen)
2461 {
2462 log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part read"
2463 " from delivery subprocess");
2464 break;
2465 }
2466 big_buffer[llen] = 0;
059ec3d9
PH
2467 addr2->local_part = string_copy(big_buffer);
2468 }
2469
d6c82d7b 2470 for (i = 0, sptr = &addr2->message; i < 2; i++, sptr = &addr2->user_message)
059ec3d9
PH
2471 {
2472 int message_length;
d6c82d7b 2473 len = read(pfd[pipe_read], &message_length, sizeof(int));
059ec3d9
PH
2474 if (message_length > 0)
2475 {
d6c82d7b 2476 len = read(pfd[pipe_read], big_buffer, message_length);
dc8091e7 2477 big_buffer[big_buffer_size-1] = '\0'; /* guard byte */
059ec3d9
PH
2478 if (len > 0) *sptr = string_copy(big_buffer);
2479 }
2480 }
2481 }
2482
2483 else
2484 {
2485 log_write(0, LOG_MAIN|LOG_PANIC, "failed to read delivery status for %s "
2486 "from delivery subprocess", addr2->unique);
2487 break;
2488 }
2489 }
2490
f1e894f3 2491(void)close(pfd[pipe_read]);
059ec3d9
PH
2492
2493/* Unless shadowing, write all successful addresses immediately to the journal
2494file, to ensure they are recorded asap. For homonymic addresses, use the base
2495address plus the transport name. Failure to write the journal is panic-worthy,
2496but don't stop, as it may prove possible subsequently to update the spool file
2497in order to record the delivery. */
2498
2499if (!shadowing)
2500 {
d6c82d7b
JH
2501 for (addr2 = addr; addr2; addr2 = addr2->next)
2502 if (addr2->transport_return == OK)
2503 {
2504 if (testflag(addr2, af_homonym))
2505 sprintf(CS big_buffer, "%.500s/%s\n", addr2->unique + 3, tp->name);
2506 else
2507 sprintf(CS big_buffer, "%.500s\n", addr2->unique);
059ec3d9 2508
d6c82d7b
JH
2509 /* In the test harness, wait just a bit to let the subprocess finish off
2510 any debug output etc first. */
059ec3d9 2511
d6c82d7b 2512 if (running_in_test_harness) millisleep(300);
059ec3d9 2513
d6c82d7b
JH
2514 DEBUG(D_deliver) debug_printf("journalling %s", big_buffer);
2515 len = Ustrlen(big_buffer);
2516 if (write(journal_fd, big_buffer, len) != len)
2517 log_write(0, LOG_MAIN|LOG_PANIC, "failed to update journal for %s: %s",
2518 big_buffer, strerror(errno));
2519 }
059ec3d9
PH
2520
2521 /* Ensure the journal file is pushed out to disk. */
2522
54fc8428 2523 if (EXIMfsync(journal_fd) < 0)
059ec3d9
PH
2524 log_write(0, LOG_MAIN|LOG_PANIC, "failed to fsync journal: %s",
2525 strerror(errno));
2526 }
2527
2528/* Wait for the process to finish. If it terminates with a non-zero code,
2529freeze the message (except for SIGTERM, SIGKILL and SIGQUIT), but leave the
2530status values of all the addresses as they are. Take care to handle the case
2531when the subprocess doesn't seem to exist. This has been seen on one system
2532when Exim was called from an MUA that set SIGCHLD to SIG_IGN. When that
2533happens, wait() doesn't recognize the termination of child processes. Exim now
2534resets SIGCHLD to SIG_DFL, but this code should still be robust. */
2535
2536while ((rc = wait(&status)) != pid)
059ec3d9
PH
2537 if (rc < 0 && errno == ECHILD) /* Process has vanished */
2538 {
2539 log_write(0, LOG_MAIN, "%s transport process vanished unexpectedly",
2540 addr->transport->driver_name);
2541 status = 0;
2542 break;
2543 }
059ec3d9
PH
2544
2545if ((status & 0xffff) != 0)
2546 {
2547 int msb = (status >> 8) & 255;
2548 int lsb = status & 255;
2549 int code = (msb == 0)? (lsb & 0x7f) : msb;
2550 if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
2551 addr->special_action = SPECIAL_FREEZE;
2552 log_write(0, LOG_MAIN|LOG_PANIC, "%s transport process returned non-zero "
2553 "status 0x%04x: %s %d",
2554 addr->transport->driver_name,
2555 status,
d6c82d7b 2556 msb == 0 ? "terminated by signal" : "exit code",
059ec3d9
PH
2557 code);
2558 }
2559
2560/* If SPECIAL_WARN is set in the top address, send a warning message. */
2561
d6c82d7b 2562if (addr->special_action == SPECIAL_WARN && addr->transport->warn_message)
059ec3d9
PH
2563 {
2564 int fd;
2565 uschar *warn_message;
d6c82d7b 2566 pid_t pid;
059ec3d9
PH
2567
2568 DEBUG(D_deliver) debug_printf("Warning message requested by transport\n");
2569
d6c82d7b 2570 if (!(warn_message = expand_string(addr->transport->warn_message)))
059ec3d9
PH
2571 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand \"%s\" (warning "
2572 "message for %s transport): %s", addr->transport->warn_message,
2573 addr->transport->name, expand_string_message);
d6c82d7b
JH
2574
2575 else if ((pid = child_open_exim(&fd)) > 0)
059ec3d9 2576 {
d6c82d7b
JH
2577 FILE *f = fdopen(fd, "wb");
2578 if (errors_reply_to && !contains_header(US"Reply-To", warn_message))
2579 fprintf(f, "Reply-To: %s\n", errors_reply_to);
2580 fprintf(f, "Auto-Submitted: auto-replied\n");
2581 if (!contains_header(US"From", warn_message))
2582 moan_write_from(f);
2583 fprintf(f, "%s", CS warn_message);
059ec3d9 2584
d6c82d7b 2585 /* Close and wait for child process to complete, without a timeout. */
059ec3d9 2586
d6c82d7b
JH
2587 (void)fclose(f);
2588 (void)child_close(pid, 0);
059ec3d9
PH
2589 }
2590
2591 addr->special_action = SPECIAL_NONE;
2592 }
2593}
2594
2595
2596
fa41615d 2597
3070ceee
JH
2598/* Check transport for the given concurrency limit. Return TRUE if over
2599the limit (or an expansion failure), else FALSE and if there was a limit,
2600the key for the hints database used for the concurrency count. */
fa41615d 2601
3070ceee
JH
2602static BOOL
2603tpt_parallel_check(transport_instance * tp, address_item * addr, uschar ** key)
fa41615d 2604{
3070ceee
JH
2605unsigned max_parallel;
2606
2607if (!tp->max_parallel) return FALSE;
2608
2609max_parallel = (unsigned) expand_string_integer(tp->max_parallel, TRUE);
2610if (expand_string_message)
2611 {
2612 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand max_parallel option "
2613 "in %s transport (%s): %s", tp->name, addr->address,
2614 expand_string_message);
2615 return TRUE;
2616 }
2617
2618if (max_parallel > 0)
2619 {
2620 uschar * serialize_key = string_sprintf("tpt-serialize-%s", tp->name);
2621 if (!enq_start(serialize_key, max_parallel))
2622 {
2623 address_item * next;
2624 DEBUG(D_transport)
2625 debug_printf("skipping tpt %s because concurrency limit %u reached\n",
2626 tp->name, max_parallel);
2627 do
2628 {
2629 next = addr->next;
2630 addr->message = US"concurrency limit reached for transport";
2631 addr->basic_errno = ERRNO_TRETRY;
ba936fb8 2632 post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
3070ceee
JH
2633 } while ((addr = next));
2634 return TRUE;
2635 }
2636 *key = serialize_key;
2637 }
2638return FALSE;
fa41615d
JH
2639}
2640
2641
2642
059ec3d9
PH
2643/*************************************************
2644* Do local deliveries *
2645*************************************************/
2646
2647/* This function processes the list of addresses in addr_local. True local
2648deliveries are always done one address at a time. However, local deliveries can
2649be batched up in some cases. Typically this is when writing batched SMTP output
2650files for use by some external transport mechanism, or when running local
2651deliveries over LMTP.
2652
2653Arguments: None
2654Returns: Nothing
2655*/
2656
2657static void
2658do_local_deliveries(void)
2659{
2660open_db dbblock;
2661open_db *dbm_file = NULL;
2662time_t now = time(NULL);
2663
2664/* Loop until we have exhausted the supply of local deliveries */
2665
d6c82d7b 2666while (addr_local)
059ec3d9 2667 {
32dfdf8b
JH
2668 struct timeval delivery_start;
2669 struct timeval deliver_time;
059ec3d9
PH
2670 address_item *addr2, *addr3, *nextaddr;
2671 int logflags = LOG_MAIN;
2672 int logchar = dont_deliver? '*' : '=';
2673 transport_instance *tp;
fa41615d 2674 uschar * serialize_key = NULL;
059ec3d9
PH
2675
2676 /* Pick the first undelivered address off the chain */
2677
2678 address_item *addr = addr_local;
2679 addr_local = addr->next;
2680 addr->next = NULL;
2681
2682 DEBUG(D_deliver|D_transport)
2683 debug_printf("--------> %s <--------\n", addr->address);
2684
2685 /* An internal disaster if there is no transport. Should not occur! */
2686
d6c82d7b 2687 if (!(tp = addr->transport))
059ec3d9
PH
2688 {
2689 logflags |= LOG_PANIC;
2690 disable_logging = FALSE; /* Jic */
d6c82d7b
JH
2691 addr->message = addr->router
2692 ? string_sprintf("No transport set by %s router", addr->router->name)
2693 : string_sprintf("No transport set by system filter");
ba936fb8 2694 post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
059ec3d9
PH
2695 continue;
2696 }
2697
2698 /* Check that this base address hasn't previously been delivered to this
2699 transport. The check is necessary at this point to handle homonymic addresses
2700 correctly in cases where the pattern of redirection changes between delivery
2701 attempts. Non-homonymic previous delivery is detected earlier, at routing
2702 time. */
2703
c2c19e9d 2704 if (previously_transported(addr, FALSE)) continue;
059ec3d9
PH
2705
2706 /* There are weird cases where logging is disabled */
2707
2708 disable_logging = tp->disable_logging;
2709
f7fd3850
PH
2710 /* Check for batched addresses and possible amalgamation. Skip all the work
2711 if either batch_max <= 1 or there aren't any other addresses for local
2712 delivery. */
059ec3d9 2713
d6c82d7b 2714 if (tp->batch_max > 1 && addr_local)
059ec3d9
PH
2715 {
2716 int batch_count = 1;
2717 BOOL uses_dom = readconf_depends((driver_instance *)tp, US"domain");
d6c82d7b
JH
2718 BOOL uses_lp = ( testflag(addr, af_pfr)
2719 && (testflag(addr, af_file) || addr->local_part[0] == '|')
2720 )
2721 || readconf_depends((driver_instance *)tp, US"local_part");
059ec3d9
PH
2722 uschar *batch_id = NULL;
2723 address_item **anchor = &addr_local;
2724 address_item *last = addr;
2725 address_item *next;
2726
2727 /* Expand the batch_id string for comparison with other addresses.
2728 Expansion failure suppresses batching. */
2729
d6c82d7b 2730 if (tp->batch_id)
059ec3d9
PH
2731 {
2732 deliver_set_expansions(addr);
2733 batch_id = expand_string(tp->batch_id);
2734 deliver_set_expansions(NULL);
d6c82d7b 2735 if (!batch_id)
059ec3d9
PH
2736 {
2737 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
2738 "in %s transport (%s): %s", tp->name, addr->address,
2739 expand_string_message);
2740 batch_count = tp->batch_max;
2741 }
2742 }
2743
2744 /* Until we reach the batch_max limit, pick off addresses which have the
2745 same characteristics. These are:
2746
2747 same transport
7816e254 2748 not previously delivered (see comment about 50 lines above)
059ec3d9 2749 same local part if the transport's configuration contains $local_part
f7fd3850 2750 or if this is a file or pipe delivery from a redirection
059ec3d9
PH
2751 same domain if the transport's configuration contains $domain
2752 same errors address
2753 same additional headers
2754 same headers to be removed
2755 same uid/gid for running the transport
2756 same first host if a host list is set
2757 */
2758
d6c82d7b 2759 while ((next = *anchor) && batch_count < tp->batch_max)
059ec3d9
PH
2760 {
2761 BOOL ok =
d6c82d7b
JH
2762 tp == next->transport
2763 && !previously_transported(next, TRUE)
7eb0e5d2
JH
2764 && testflag(addr, af_pfr) == testflag(next, af_pfr)
2765 && testflag(addr, af_file) == testflag(next, af_file)
d6c82d7b
JH
2766 && (!uses_lp || Ustrcmp(next->local_part, addr->local_part) == 0)
2767 && (!uses_dom || Ustrcmp(next->domain, addr->domain) == 0)
2768 && same_strings(next->prop.errors_address, addr->prop.errors_address)
2769 && same_headers(next->prop.extra_headers, addr->prop.extra_headers)
2770 && same_strings(next->prop.remove_headers, addr->prop.remove_headers)
2771 && same_ugid(tp, addr, next)
2772 && ( !addr->host_list && !next->host_list
2773 || addr->host_list
2774 && next->host_list
2775 && Ustrcmp(addr->host_list->name, next->host_list->name) == 0
2776 );
059ec3d9
PH
2777
2778 /* If the transport has a batch_id setting, batch_id will be non-NULL
2779 from the expansion outside the loop. Expand for this address and compare.
2780 Expansion failure makes this address ineligible for batching. */
2781
d6c82d7b 2782 if (ok && batch_id)
059ec3d9
PH
2783 {
2784 uschar *bid;
2785 address_item *save_nextnext = next->next;
2786 next->next = NULL; /* Expansion for a single address */
2787 deliver_set_expansions(next);
2788 next->next = save_nextnext;
2789 bid = expand_string(tp->batch_id);
2790 deliver_set_expansions(NULL);
d6c82d7b 2791 if (!bid)
059ec3d9
PH
2792 {
2793 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
2794 "in %s transport (%s): %s", tp->name, next->address,
2795 expand_string_message);
2796 ok = FALSE;
2797 }
2798 else ok = (Ustrcmp(batch_id, bid) == 0);
2799 }
2800
2801 /* Take address into batch if OK. */
2802
2803 if (ok)
2804 {
2805 *anchor = next->next; /* Include the address */
2806 next->next = NULL;
2807 last->next = next;
2808 last = next;
2809 batch_count++;
2810 }
fa41615d 2811 else anchor = &next->next; /* Skip the address */
059ec3d9
PH
2812 }
2813 }
2814
2815 /* We now have one or more addresses that can be delivered in a batch. Check
2816 whether the transport is prepared to accept a message of this size. If not,
2817 fail them all forthwith. If the expansion fails, or does not yield an
2818 integer, defer delivery. */
2819
d6c82d7b 2820 if (tp->message_size_limit)
059ec3d9
PH
2821 {
2822 int rc = check_message_size(tp, addr);
2823 if (rc != OK)
2824 {
2825 replicate_status(addr);
d6c82d7b 2826 while (addr)
059ec3d9
PH
2827 {
2828 addr2 = addr->next;
ba936fb8 2829 post_process_one(addr, rc, logflags, EXIM_DTYPE_TRANSPORT, 0);
059ec3d9
PH
2830 addr = addr2;
2831 }
2832 continue; /* With next batch of addresses */
2833 }
2834 }
2835
2836 /* If we are not running the queue, or if forcing, all deliveries will be
2837 attempted. Otherwise, we must respect the retry times for each address. Even
2838 when not doing this, we need to set up the retry key string, and determine
2839 whether a retry record exists, because after a successful delivery, a delete
2840 retry item must be set up. Keep the retry database open only for the duration
2841 of these checks, rather than for all local deliveries, because some local
2842 deliveries (e.g. to pipes) can take a substantial time. */
2843
d6c82d7b 2844 if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE)))
059ec3d9
PH
2845 {
2846 DEBUG(D_deliver|D_retry|D_hints_lookup)
2847 debug_printf("no retry data available\n");
2848 }
2849
2850 addr2 = addr;
2851 addr3 = NULL;
d6c82d7b 2852 while (addr2)
059ec3d9
PH
2853 {
2854 BOOL ok = TRUE; /* to deliver this address */
2855 uschar *retry_key;
2856
2857 /* Set up the retry key to include the domain or not, and change its
2858 leading character from "R" to "T". Must make a copy before doing this,
2859 because the old key may be pointed to from a "delete" retry item after
2860 a routing delay. */
2861
2862 retry_key = string_copy(
d6c82d7b 2863 tp->retry_use_local_part ? addr2->address_retry_key :
059ec3d9
PH
2864 addr2->domain_retry_key);
2865 *retry_key = 'T';
2866
2867 /* Inspect the retry data. If there is no hints file, delivery happens. */
2868
d6c82d7b 2869 if (dbm_file)
059ec3d9
PH
2870 {
2871 dbdata_retry *retry_record = dbfn_read(dbm_file, retry_key);
2872
2873 /* If there is no retry record, delivery happens. If there is,
2874 remember it exists so it can be deleted after a successful delivery. */
2875
d6c82d7b 2876 if (retry_record)
059ec3d9
PH
2877 {
2878 setflag(addr2, af_lt_retry_exists);
2879
2880 /* A retry record exists for this address. If queue running and not
2881 forcing, inspect its contents. If the record is too old, or if its
2882 retry time has come, or if it has passed its cutoff time, delivery
2883 will go ahead. */
2884
2885 DEBUG(D_retry)
2886 {
ea49d0e1
PH
2887 debug_printf("retry record exists: age=%s ",
2888 readconf_printtime(now - retry_record->time_stamp));
2889 debug_printf("(max %s)\n", readconf_printtime(retry_data_expire));
2890 debug_printf(" time to retry = %s expired = %d\n",
2891 readconf_printtime(retry_record->next_try - now),
2892 retry_record->expired);
059ec3d9
PH
2893 }
2894
2895 if (queue_running && !deliver_force)
2896 {
d6c82d7b
JH
2897 ok = (now - retry_record->time_stamp > retry_data_expire)
2898 || (now >= retry_record->next_try)
2899 || retry_record->expired;
059ec3d9
PH
2900
2901 /* If we haven't reached the retry time, there is one more check
1ddeb334 2902 to do, which is for the ultimate address timeout. */
059ec3d9
PH
2903
2904 if (!ok)
ba9af0af
TF
2905 ok = retry_ultimate_address_timeout(retry_key, addr2->domain,
2906 retry_record, now);
059ec3d9
PH
2907 }
2908 }
2909 else DEBUG(D_retry) debug_printf("no retry record exists\n");
2910 }
2911
2912 /* This address is to be delivered. Leave it on the chain. */
2913
2914 if (ok)
2915 {
2916 addr3 = addr2;
2917 addr2 = addr2->next;
2918 }
2919
2920 /* This address is to be deferred. Take it out of the chain, and
2921 post-process it as complete. Must take it out of the chain first,
2922 because post processing puts it on another chain. */
2923
2924 else
2925 {
2926 address_item *this = addr2;
2927 this->message = US"Retry time not yet reached";
2928 this->basic_errno = ERRNO_LRETRY;
d6c82d7b
JH
2929 addr2 = addr3 ? (addr3->next = addr2->next)
2930 : (addr = addr2->next);
ba936fb8 2931 post_process_one(this, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
059ec3d9
PH
2932 }
2933 }
2934
d6c82d7b 2935 if (dbm_file) dbfn_close(dbm_file);
059ec3d9
PH
2936
2937 /* If there are no addresses left on the chain, they all deferred. Loop
2938 for the next set of addresses. */
2939
d6c82d7b 2940 if (!addr) continue;
059ec3d9 2941
fa41615d
JH
2942 /* If the transport is limited for parallellism, enforce that here.
2943 We use a hints DB entry, incremented here and decremented after
2944 the transport (and any shadow transport) completes. */
2945
3070ceee 2946 if (tpt_parallel_check(tp, addr, &serialize_key))
fa41615d 2947 {
fa41615d
JH
2948 if (expand_string_message)
2949 {
2950 logflags |= LOG_PANIC;
3070ceee
JH
2951 do
2952 {
2953 addr = addr->next;
ba936fb8 2954 post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
3070ceee 2955 } while ((addr = addr2));
fa41615d 2956 }
3070ceee 2957 continue; /* Loop for the next set of addresses. */
fa41615d
JH
2958 }
2959
2960
059ec3d9
PH
2961 /* So, finally, we do have some addresses that can be passed to the
2962 transport. Before doing so, set up variables that are relevant to a
2963 single delivery. */
2964
2965 deliver_set_expansions(addr);
32dfdf8b
JH
2966
2967 gettimeofday(&delivery_start, NULL);
059ec3d9 2968 deliver_local(addr, FALSE);
32dfdf8b 2969 timesince(&deliver_time, &delivery_start);
059ec3d9
PH
2970
2971 /* If a shadow transport (which must perforce be another local transport), is
2972 defined, and its condition is met, we must pass the message to the shadow
2973 too, but only those addresses that succeeded. We do this by making a new
2974 chain of addresses - also to keep the original chain uncontaminated. We must
2975 use a chain rather than doing it one by one, because the shadow transport may
2976 batch.
2977
2978 NOTE: if the condition fails because of a lookup defer, there is nothing we
2979 can do! */
2980
d6c82d7b
JH
2981 if ( tp->shadow
2982 && ( !tp->shadow_condition
2983 || expand_check_condition(tp->shadow_condition, tp->name, US"transport")
2984 ) )
059ec3d9
PH
2985 {
2986 transport_instance *stp;
2987 address_item *shadow_addr = NULL;
2988 address_item **last = &shadow_addr;
2989
d6c82d7b 2990 for (stp = transports; stp; stp = stp->next)
059ec3d9
PH
2991 if (Ustrcmp(stp->name, tp->shadow) == 0) break;
2992
d6c82d7b 2993 if (!stp)
059ec3d9
PH
2994 log_write(0, LOG_MAIN|LOG_PANIC, "shadow transport \"%s\" not found ",
2995 tp->shadow);
2996
2997 /* Pick off the addresses that have succeeded, and make clones. Put into
2998 the shadow_message field a pointer to the shadow_message field of the real
2999 address. */
3000
d6c82d7b
JH
3001 else for (addr2 = addr; addr2; addr2 = addr2->next)
3002 if (addr2->transport_return == OK)
3003 {
3004 addr3 = store_get(sizeof(address_item));
3005 *addr3 = *addr2;
3006 addr3->next = NULL;
82f90600 3007 addr3->shadow_message = US &addr2->shadow_message;
d6c82d7b
JH
3008 addr3->transport = stp;
3009 addr3->transport_return = DEFER;
3010 addr3->return_filename = NULL;
3011 addr3->return_file = -1;
3012 *last = addr3;
82f90600 3013 last = &addr3->next;
d6c82d7b 3014 }
059ec3d9
PH
3015
3016 /* If we found any addresses to shadow, run the delivery, and stick any
3017 message back into the shadow_message field in the original. */
3018
d6c82d7b 3019 if (shadow_addr)
059ec3d9
PH
3020 {
3021 int save_count = transport_count;
3022
3023 DEBUG(D_deliver|D_transport)
3024 debug_printf(">>>>>>>>>>>>>>>> Shadow delivery >>>>>>>>>>>>>>>>\n");
3025 deliver_local(shadow_addr, TRUE);
3026
d6c82d7b 3027 for(; shadow_addr; shadow_addr = shadow_addr->next)
059ec3d9
PH
3028 {
3029 int sresult = shadow_addr->transport_return;
d6c82d7b
JH
3030 *(uschar **)shadow_addr->shadow_message =
3031 sresult == OK
3032 ? string_sprintf(" ST=%s", stp->name)
3033 : string_sprintf(" ST=%s (%s%s%s)", stp->name,
3034 shadow_addr->basic_errno <= 0
3035 ? US""
3036 : US strerror(shadow_addr->basic_errno),
3037 shadow_addr->basic_errno <= 0 || !shadow_addr->message
3038 ? US""
3039 : US": ",
3040 shadow_addr->message
3041 ? shadow_addr->message
3042 : shadow_addr->basic_errno <= 0
3043 ? US"unknown error"
3044 : US"");
059ec3d9
PH
3045
3046 DEBUG(D_deliver|D_transport)
3047 debug_printf("%s shadow transport returned %s for %s\n",
3048 stp->name,
d6c82d7b
JH
3049 sresult == OK ? "OK" :
3050 sresult == DEFER ? "DEFER" :
3051 sresult == FAIL ? "FAIL" :
3052 sresult == PANIC ? "PANIC" : "?",
059ec3d9
PH
3053 shadow_addr->address);
3054 }
3055
3056 DEBUG(D_deliver|D_transport)
3057 debug_printf(">>>>>>>>>>>>>>>> End shadow delivery >>>>>>>>>>>>>>>>\n");
3058
3059 transport_count = save_count; /* Restore original transport count */
3060 }
3061 }
3062
3063 /* Cancel the expansions that were set up for the delivery. */
3064
3065 deliver_set_expansions(NULL);
3066
fa41615d
JH
3067 /* If the transport was parallelism-limited, decrement the hints DB record. */
3068
3069 if (serialize_key) enq_end(serialize_key);
3070
059ec3d9
PH
3071 /* Now we can process the results of the real transport. We must take each
3072 address off the chain first, because post_process_one() puts it on another
3073 chain. */
3074
d6c82d7b 3075 for (addr2 = addr; addr2; addr2 = nextaddr)
059ec3d9
PH
3076 {
3077 int result = addr2->transport_return;
3078 nextaddr = addr2->next;
3079
3080 DEBUG(D_deliver|D_transport)
3081 debug_printf("%s transport returned %s for %s\n",
3082 tp->name,
d6c82d7b
JH
3083 result == OK ? "OK" :
3084 result == DEFER ? "DEFER" :
3085 result == FAIL ? "FAIL" :
3086 result == PANIC ? "PANIC" : "?",
059ec3d9
PH
3087 addr2->address);
3088
3089 /* If there is a retry_record, or if delivery is deferred, build a retry
3090 item for setting a new retry time or deleting the old retry record from
3091 the database. These items are handled all together after all addresses
3092 have been handled (so the database is open just for a short time for
3093 updating). */
3094
3095 if (result == DEFER || testflag(addr2, af_lt_retry_exists))
3096 {
d6c82d7b
JH
3097 int flags = result == DEFER ? 0 : rf_delete;
3098 uschar *retry_key = string_copy(tp->retry_use_local_part
3099 ? addr2->address_retry_key : addr2->domain_retry_key);
059ec3d9
PH
3100 *retry_key = 'T';
3101 retry_add_item(addr2, retry_key, flags);
3102 }
3103
3104 /* Done with this address */
3105
32dfdf8b
JH
3106 if (result == OK)
3107 {
3108 addr2->more_errno = deliver_time.tv_sec;
3109 addr2->delivery_usec = deliver_time.tv_usec;
3110 }
ba936fb8 3111 post_process_one(addr2, result, logflags, EXIM_DTYPE_TRANSPORT, logchar);
059ec3d9
PH
3112
3113 /* If a pipe delivery generated text to be sent back, the result may be
3114 changed to FAIL, and we must copy this for subsequent addresses in the
3115 batch. */
3116
3117 if (addr2->transport_return != result)
3118 {
d6c82d7b 3119 for (addr3 = nextaddr; addr3; addr3 = addr3->next)
059ec3d9
PH
3120 {
3121 addr3->transport_return = addr2->transport_return;
3122 addr3->basic_errno = addr2->basic_errno;
3123 addr3->message = addr2->message;
3124 }
3125 result = addr2->transport_return;
3126 }
3127
3128 /* Whether or not the result was changed to FAIL, we need to copy the
3129 return_file value from the first address into all the addresses of the
3130 batch, so they are all listed in the error message. */
3131
3132 addr2->return_file = addr->return_file;
3133
3134 /* Change log character for recording successful deliveries. */
3135
3136 if (result == OK) logchar = '-';
3137 }
3138 } /* Loop back for next batch of addresses */
3139}
3140
3141
3142
3143
3144/*************************************************
3145* Sort remote deliveries *
3146*************************************************/
3147
3148/* This function is called if remote_sort_domains is set. It arranges that the
3149chain of addresses for remote deliveries is ordered according to the strings
3150specified. Try to make this shuffling reasonably efficient by handling
3151sequences of addresses rather than just single ones.
3152
3153Arguments: None
3154Returns: Nothing
3155*/
3156
3157static void
3158sort_remote_deliveries(void)
3159{
3160int sep = 0;
3161address_item **aptr = &addr_remote;
55414b25 3162const uschar *listptr = remote_sort_domains;
059ec3d9
PH
3163uschar *pattern;
3164uschar patbuf[256];
3165
d6c82d7b
JH
3166while ( *aptr
3167 && (pattern = string_nextinlist(&listptr, &sep, patbuf, sizeof(patbuf)))
3168 )
059ec3d9
PH
3169 {
3170 address_item *moved = NULL;
3171 address_item **bptr = &moved;
3172
d6c82d7b 3173 while (*aptr)
059ec3d9
PH
3174 {
3175 address_item **next;
3176 deliver_domain = (*aptr)->domain; /* set $domain */
55414b25 3177 if (match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
059ec3d9
PH
3178 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
3179 {
d6c82d7b 3180 aptr = &(*aptr)->next;
059ec3d9
PH
3181 continue;
3182 }
3183
d6c82d7b
JH
3184 next = &(*aptr)->next;
3185 while ( *next
3186 && (deliver_domain = (*next)->domain, /* Set $domain */
55414b25 3187 match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
d6c82d7b
JH
3188 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) != OK
3189 )
3190 next = &(*next)->next;
059ec3d9
PH
3191
3192 /* If the batch of non-matchers is at the end, add on any that were
3193 extracted further up the chain, and end this iteration. Otherwise,
3194 extract them from the chain and hang on the moved chain. */
3195
d6c82d7b 3196 if (!*next)
059ec3d9
PH
3197 {
3198 *next = moved;
3199 break;
3200 }
3201
3202 *bptr = *aptr;
3203 *aptr = *next;
3204 *next = NULL;
3205 bptr = next;
d6c82d7b 3206 aptr = &(*aptr)->next;
059ec3d9
PH
3207 }
3208
3209 /* If the loop ended because the final address matched, *aptr will
3210 be NULL. Add on to the end any extracted non-matching addresses. If
3211 *aptr is not NULL, the loop ended via "break" when *next is null, that
3212 is, there was a string of non-matching addresses at the end. In this
3213 case the extracted addresses have already been added on the end. */
3214
d6c82d7b 3215 if (!*aptr) *aptr = moved;
059ec3d9
PH
3216 }
3217
3218DEBUG(D_deliver)
3219 {
3220 address_item *addr;
3221 debug_printf("remote addresses after sorting:\n");
d6c82d7b 3222 for (addr = addr_remote; addr; addr = addr->next)
059ec3d9
PH
3223 debug_printf(" %s\n", addr->address);
3224 }
3225}
3226
3227
3228
3229/*************************************************
3230* Read from pipe for remote delivery subprocess *
3231*************************************************/
3232
3233/* This function is called when the subprocess is complete, but can also be
3234called before it is complete, in order to empty a pipe that is full (to prevent
3235deadlock). It must therefore keep track of its progress in the parlist data
3236block.
3237
3238We read the pipe to get the delivery status codes and a possible error message
3239for each address, optionally preceded by unusability data for the hosts and
3240also by optional retry data.
3241
3242Read in large chunks into the big buffer and then scan through, interpreting
3243the data therein. In most cases, only a single read will be necessary. No
1c5466b9
PH
3244individual item will ever be anywhere near 2500 bytes in length, so by ensuring
3245that we read the next chunk when there is less than 2500 bytes left in the
3246non-final chunk, we can assume each item is complete in the buffer before
3247handling it. Each item is written using a single write(), which is atomic for
3248small items (less than PIPE_BUF, which seems to be at least 512 in any Unix and
3249often bigger) so even if we are reading while the subprocess is still going, we
3250should never have only a partial item in the buffer.
059ec3d9 3251
2cee425a
HSHR
3252hs12: This assumption is not true anymore, since we got quit large items (certificate
3253information and such)
3254
059ec3d9
PH
3255Argument:
3256 poffset the offset of the parlist item
3257 eop TRUE if the process has completed
3258
3259Returns: TRUE if the terminating 'Z' item has been read,
3260 or there has been a disaster (i.e. no more data needed);
3261 FALSE otherwise
3262*/
3263
3264static BOOL
3265par_read_pipe(int poffset, BOOL eop)
3266{
3267host_item *h;
3268pardata *p = parlist + poffset;
3269address_item *addrlist = p->addrlist;
3270address_item *addr = p->addr;
3271pid_t pid = p->pid;
3272int fd = p->fd;
2cee425a 3273
059ec3d9
PH
3274uschar *msg = p->msg;
3275BOOL done = p->done;
059ec3d9
PH
3276
3277/* Loop through all items, reading from the pipe when necessary. The pipe
2cee425a
HSHR
3278used to be non-blocking. But I do not see a reason for using non-blocking I/O
3279here, as the preceding select() tells us, if data is available for reading.
3280
3281A read() on a "selected" handle should never block, but(!) it may return
3282less data then we expected. (The buffer size we pass to read() shouldn't be
3283understood as a "request", but as a "limit".)
3284
3285Each separate item is written to the pipe in a timely manner. But, especially for
3286larger items, the read(2) may already return partial data from the write(2).
3287
3288The write is atomic mostly (depending on the amount written), but atomic does
3289not imply "all or noting", it just is "not intermixed" with other writes on the
3290same channel (pipe).
6c454556
HSHR
3291
3292*/
059ec3d9
PH
3293
3294DEBUG(D_deliver) debug_printf("reading pipe for subprocess %d (%s)\n",
2cee425a 3295 (int)p->pid, eop? "ended" : "not ended yet");
059ec3d9
PH
3296
3297while (!done)
3298 {
3299 retry_item *r, **rp;
2cee425a
HSHR
3300 uschar pipeheader[PIPE_HEADER_SIZE+1];
3301 uschar *id = &pipeheader[0];
3302 uschar *subid = &pipeheader[1];
3303 uschar *ptr = big_buffer;
3304 size_t required = PIPE_HEADER_SIZE; /* first the pipehaeder, later the data */
3305 ssize_t got;
3306
7845dbb3 3307 DEBUG(D_deliver) debug_printf(
0d68983b 3308 "expect %lu bytes (pipeheader) from tpt process %d\n", (u_long)required, pid);
2cee425a
HSHR
3309
3310 /* We require(!) all the PIPE_HEADER_SIZE bytes here, as we know,
3311 they're written in a timely manner, so waiting for the write shouldn't hurt a lot.
3312 If we get less, we can assume the subprocess do be done and do not expect any further
3313 information from it. */
7845dbb3 3314
2cee425a
HSHR
3315 got = readn(fd, pipeheader, required);
3316 if (got != required)
059ec3d9 3317 {
bb07bcd3
JH
3318 msg = string_sprintf("got " SSIZE_T_FMT " of %d bytes (pipeheader) "
3319 "from transport process %d for transport %s",
3320 got, PIPE_HEADER_SIZE, pid, addr->transport->driver_name);
3321 done = TRUE;
3322 break;
059ec3d9
PH
3323 }
3324
2cee425a
HSHR
3325 pipeheader[PIPE_HEADER_SIZE] = '\0';
3326 DEBUG(D_deliver)
7845dbb3
JH
3327 debug_printf("got %ld bytes (pipeheader) from transport process %d\n",
3328 (long) got, pid);
059ec3d9 3329
2cee425a
HSHR
3330 {
3331 /* If we can't decode the pipeheader, the subprocess seems to have a
3332 problem, we do not expect any furher information from it. */
3333 char *endc;
7845dbb3 3334 required = Ustrtol(pipeheader+2, &endc, 10);
bd21a787
WB
3335 if (*endc)
3336 {
2cee425a
HSHR
3337 msg = string_sprintf("failed to read pipe "
3338 "from transport process %d for transport %s: error decoding size from header",
3339 pid, addr->transport->driver_name);
bd21a787
WB
3340 done = TRUE;
3341 break;
3342 }
2cee425a 3343 }
bd21a787
WB
3344
3345 DEBUG(D_deliver)
7845dbb3 3346 debug_printf("expect %lu bytes (pipedata) from transport process %d\n",
0d68983b 3347 (u_long)required, pid);
2c0f3ea1 3348
2cee425a
HSHR
3349 /* Same as above, the transport process will write the bytes announced
3350 in a timely manner, so we can just wait for the bytes, getting less than expected
3351 is considered a problem of the subprocess, we do not expect anything else from it. */
3352 got = readn(fd, big_buffer, required);
3353 if (got != required)
8fa0a4d4 3354 {
bb07bcd3
JH
3355 msg = string_sprintf("got only " SSIZE_T_FMT " of " SIZE_T_FMT
3356 " bytes (pipedata) from transport process %d for transport %s",
3357 got, required, pid, addr->transport->driver_name);
3358 done = TRUE;
3359 break;
8fa0a4d4 3360 }
bd21a787 3361
059ec3d9
PH
3362 /* Handle each possible type of item, assuming the complete item is
3363 available in store. */
3364
2cee425a 3365 switch (*id)
059ec3d9
PH
3366 {
3367 /* Host items exist only if any hosts were marked unusable. Match
3368 up by checking the IP address. */
3369
3370 case 'H':
57cc2785
JH
3371 for (h = addrlist->host_list; h; h = h->next)
3372 {
3373 if (!h->address || Ustrcmp(h->address, ptr+2) != 0) continue;
3374 h->status = ptr[0];
3375 h->why = ptr[1];
3376 }
3377 ptr += 2;
3378 while (*ptr++);
3379 break;
059ec3d9
PH
3380
3381 /* Retry items are sent in a preceding R item for each address. This is
3382 kept separate to keep each message short enough to guarantee it won't
3383 be split in the pipe. Hopefully, in the majority of cases, there won't in
3384 fact be any retry items at all.
3385
3386 The complete set of retry items might include an item to delete a
3387 routing retry if there was a previous routing delay. However, routing
3388 retries are also used when a remote transport identifies an address error.
3389 In that case, there may also be an "add" item for the same key. Arrange
3390 that a "delete" item is dropped in favour of an "add" item. */
3391
3392 case 'R':
57cc2785 3393 if (!addr) goto ADDR_MISMATCH;
059ec3d9 3394
57cc2785
JH
3395 DEBUG(D_deliver|D_retry)
3396 debug_printf("reading retry information for %s from subprocess\n",
3397 ptr+1);
059ec3d9 3398
57cc2785 3399 /* Cut out any "delete" items on the list. */
059ec3d9 3400
57cc2785
JH
3401 for (rp = &addr->retries; (r = *rp); rp = &r->next)
3402 if (Ustrcmp(r->key, ptr+1) == 0) /* Found item with same key */
3403 {
3404 if (!(r->flags & rf_delete)) break; /* It was not "delete" */
3405 *rp = r->next; /* Excise a delete item */
3406 DEBUG(D_deliver|D_retry)
3407 debug_printf(" existing delete item dropped\n");
3408 }
059ec3d9 3409
57cc2785
JH
3410 /* We want to add a delete item only if there is no non-delete item;
3411 however we still have to step ptr through the data. */
059ec3d9 3412
57cc2785
JH
3413 if (!r || !(*ptr & rf_delete))
3414 {
3415 r = store_get(sizeof(retry_item));
3416 r->next = addr->retries;
3417 addr->retries = r;
3418 r->flags = *ptr++;
3419 r->key = string_copy(ptr);
3420 while (*ptr++);
32dfdf8b 3421 memcpy(&r->basic_errno, ptr, sizeof(r->basic_errno));
57cc2785 3422 ptr += sizeof(r->basic_errno);
32dfdf8b 3423 memcpy(&r->more_errno, ptr, sizeof(r->more_errno));
57cc2785
JH
3424 ptr += sizeof(r->more_errno);
3425 r->message = *ptr ? string_copy(ptr) : NULL;
3426 DEBUG(D_deliver|D_retry) debug_printf(" added %s item\n",
3427 r->flags & rf_delete ? "delete" : "retry");
3428 }
059ec3d9 3429
57cc2785
JH
3430 else
3431 {
3432 DEBUG(D_deliver|D_retry)
3433 debug_printf(" delete item not added: non-delete item exists\n");
3434 ptr++;
3435 while(*ptr++);
3436 ptr += sizeof(r->basic_errno) + sizeof(r->more_errno);
3437 }
059ec3d9 3438
57cc2785
JH
3439 while(*ptr++);
3440 break;
059ec3d9
PH
3441
3442 /* Put the amount of data written into the parlist block */
3443
3444 case 'S':
57cc2785
JH
3445 memcpy(&(p->transport_count), ptr, sizeof(transport_count));
3446 ptr += sizeof(transport_count);
3447 break;
059ec3d9
PH
3448
3449 /* Address items are in the order of items on the address chain. We
3450 remember the current address value in case this function is called
3451 several times to empty the pipe in stages. Information about delivery
3452 over TLS is sent in a preceding X item for each address. We don't put
3453 it in with the other info, in order to keep each message short enough to
3454 guarantee it won't be split in the pipe. */
3455
a7538db1 3456#ifdef SUPPORT_TLS
059ec3d9 3457 case 'X':
57cc2785 3458 if (!addr) goto ADDR_MISMATCH; /* Below, in 'A' handler */
2cee425a 3459 switch (*subid)
57cc2785
JH
3460 {
3461 case '1':
3462 addr->cipher = NULL;
3463 addr->peerdn = NULL;
9d1c15ef 3464
57cc2785
JH
3465 if (*ptr)
3466 addr->cipher = string_copy(ptr);
3467 while (*ptr++);
3468 if (*ptr)
3469 addr->peerdn = string_copy(ptr);
3470 break;
3471
3472 case '2':
3473 if (*ptr)
3474 (void) tls_import_cert(ptr, &addr->peercert);
3475 else
3476 addr->peercert = NULL;
3477 break;
3478
3479 case '3':
3480 if (*ptr)
3481 (void) tls_import_cert(ptr, &addr->ourcert);
3482 else
3483 addr->ourcert = NULL;
3484 break;
018058b2 3485
a7538db1 3486# ifndef DISABLE_OCSP
57cc2785
JH
3487 case '4':
3488 addr->ocsp = *ptr ? *ptr - '0' : OCSP_NOT_REQ;
3489 break;
a7538db1 3490# endif
57cc2785
JH
3491 }
3492 while (*ptr++);
3493 break;
a7538db1 3494#endif /*SUPPORT_TLS*/
059ec3d9 3495
6f123593 3496 case 'C': /* client authenticator information */
2cee425a 3497 switch (*subid)
57cc2785
JH
3498 {
3499 case '1': addr->authenticator = *ptr ? string_copy(ptr) : NULL; break;
3500 case '2': addr->auth_id = *ptr ? string_copy(ptr) : NULL; break;
3501 case '3': addr->auth_sndr = *ptr ? string_copy(ptr) : NULL; break;
3502 }
3503 while (*ptr++);
3504 break;
6f123593 3505
8ccd00b1 3506#ifndef DISABLE_PRDR
fd98a5c6 3507 case 'P':
7eb0e5d2 3508 setflag(addr, af_prdr_used);
57cc2785 3509 break;
fd98a5c6
JH
3510#endif
3511
e0cc6cda 3512 case 'K':
7eb0e5d2 3513 setflag(addr, af_chunking_used);
57cc2785 3514 break;
e0cc6cda 3515
a2673768 3516 case 'T':
1ccd5f67
JH
3517 setflag(addr, af_tcp_fastopen_conn);
3518 if (*subid > '0') setflag(addr, af_tcp_fastopen);
a2673768
JH
3519 break;
3520
6c1c3d1d 3521 case 'D':
57cc2785
JH
3522 if (!addr) goto ADDR_MISMATCH;
3523 memcpy(&(addr->dsn_aware), ptr, sizeof(addr->dsn_aware));
3524 ptr += sizeof(addr->dsn_aware);
3525 DEBUG(D_deliver) debug_printf("DSN read: addr->dsn_aware = %d\n", addr->dsn_aware);
059ec3d9 3526 break;
059ec3d9 3527
57cc2785
JH
3528 case 'A':
3529 if (!addr)
3530 {
3531 ADDR_MISMATCH:
3532 msg = string_sprintf("address count mismatch for data read from pipe "
3533 "for transport process %d for transport %s", pid,
3534 addrlist->transport->driver_name);
3535 done = TRUE;
e6d2a989 3536 break;
57cc2785 3537 }
e6d2a989 3538
2cee425a 3539 switch (*subid)
57cc2785
JH
3540 {
3541 #ifdef SUPPORT_SOCKS
3542 case '2': /* proxy information; must arrive before A0 and applies to that addr XXX oops*/
3543 proxy_session = TRUE; /*XXX should this be cleared somewhere? */
3544 if (*ptr == 0)
3545 ptr++;
3546 else
3547 {
3548 proxy_local_address = string_copy(ptr);
3549 while(*ptr++);
3550 memcpy(&proxy_local_port, ptr, sizeof(proxy_local_port));
3551 ptr += sizeof(proxy_local_port);
3552 }
3553 break;
3554 #endif
059ec3d9 3555
57cc2785
JH
3556 #ifdef EXPERIMENTAL_DSN_INFO
3557 case '1': /* must arrive before A0, and applies to that addr */
3558 /* Two strings: smtp_greeting and helo_response */
3559 addr->smtp_greeting = string_copy(ptr);
3560 while(*ptr++);
3561 addr->helo_response = string_copy(ptr);
3562 while(*ptr++);
3563 break;
3564 #endif
3565
3566 case '0':
3567 DEBUG(D_deliver) debug_printf("A0 %s tret %d\n", addr->address, *ptr);
3568 addr->transport_return = *ptr++;
3569 addr->special_action = *ptr++;
32dfdf8b 3570 memcpy(&addr->basic_errno, ptr, sizeof(addr->basic_errno));
57cc2785 3571 ptr += sizeof(addr->basic_errno);
32dfdf8b 3572 memcpy(&addr->more_errno, ptr, sizeof(addr->more_errno));
57cc2785 3573 ptr += sizeof(addr->more_errno);
32dfdf8b
JH
3574 memcpy(&addr->delivery_usec, ptr, sizeof(addr->delivery_usec));
3575