Merge branch 'bug/2390-tmpfile-race'
[exim.git] / src / src / exim.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8
9/* The main function: entry point, initialization, and high-level control.
10Also a few functions that don't naturally fit elsewhere. */
11
12
13#include "exim.h"
14
98913c8e 15#if defined(__GLIBC__) && !defined(__UCLIBC__)
01f3091a
JH
16# include <gnu/libc-version.h>
17#endif
18
f797c123
JH
19#ifdef USE_GNUTLS
20# include <gnutls/gnutls.h>
21# if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22# define DISABLE_OCSP
23# endif
24#endif
25
6545de78
PP
26extern void init_lookup_list(void);
27
059ec3d9
PH
28
29
30/*************************************************
31* Function interface to store functions *
32*************************************************/
33
34/* We need some real functions to pass to the PCRE regular expression library
35for store allocation via Exim's store manager. The normal calls are actually
36macros that pass over location information to make tracing easier. These
37functions just interface to the standard macro calls. A good compiler will
38optimize out the tail recursion and so not make them too expensive. There
39are two sets of functions; one for use when we want to retain the compiled
40regular expression for a long time; the other for short-term use. */
41
42static void *
43function_store_get(size_t size)
44{
45return store_get((int)size);
46}
47
48static void
49function_dummy_free(void *block) { block = block; }
50
51static void *
52function_store_malloc(size_t size)
53{
54return store_malloc((int)size);
55}
56
57static void
58function_store_free(void *block)
59{
60store_free(block);
61}
62
63
64
65
66/*************************************************
98a90c36
PP
67* Enums for cmdline interface *
68*************************************************/
69
70enum commandline_info { CMDINFO_NONE=0,
36a3ae5f 71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
98a90c36
PP
72
73
74
75
76/*************************************************
059ec3d9
PH
77* Compile regular expression and panic on fail *
78*************************************************/
79
80/* This function is called when failure to compile a regular expression leads
81to a panic exit. In other cases, pcre_compile() is called directly. In many
82cases where this function is used, the results of the compilation are to be
83placed in long-lived store, so we temporarily reset the store management
84functions that PCRE uses if the use_malloc flag is set.
85
86Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91Returns: pointer to the compiled pattern
92*/
93
94const pcre *
476be7e2 95regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
059ec3d9
PH
96{
97int offset;
98int options = PCRE_COPT;
99const pcre *yield;
100const uschar *error;
101if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106if (caseless) options |= PCRE_CASELESS;
476be7e2 107yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
059ec3d9
PH
108pcre_malloc = function_store_get;
109pcre_free = function_dummy_free;
110if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113return yield;
114}
115
116
117
118
119/*************************************************
120* Execute regular expression and set strings *
121*************************************************/
122
123/* This function runs a regular expression match, and sets up the pointers to
124the matched substrings.
125
126Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134Returns: TRUE or FALSE
135*/
136
137BOOL
1dc92d5a 138regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
059ec3d9
PH
139{
140int ovector[3*(EXPAND_MAXN+1)];
1dc92d5a
JH
141uschar * s = string_copy(subject); /* de-constifying */
142int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
ee8b8090 143 PCRE_EOPT | options, ovector, nelem(ovector));
059ec3d9
PH
144BOOL yield = n >= 0;
145if (n == 0) n = EXPAND_MAXN + 1;
146if (yield)
147 {
ee8b8090 148 expand_nmax = setup < 0 ? 0 : setup + 1;
d7978c0f 149 for (int nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
059ec3d9 150 {
1dc92d5a 151 expand_nstring[expand_nmax] = s + ovector[nn];
059ec3d9
PH
152 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
153 }
154 expand_nmax--;
155 }
156return yield;
157}
158
159
160
161
162/*************************************************
921b12ca
TF
163* Set up processing details *
164*************************************************/
165
166/* Save a text string for dumping when SIGUSR1 is received.
167Do checks for overruns.
168
169Arguments: format and arguments, as for printf()
170Returns: nothing
171*/
172
173void
174set_process_info(const char *format, ...)
175{
d12746bc
JH
176gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
177gstring * g;
178int len;
921b12ca 179va_list ap;
d12746bc
JH
180
181g = string_fmt_append(&gs, "%5d ", (int)getpid());
182len = g->ptr;
921b12ca 183va_start(ap, format);
d12746bc
JH
184if (!string_vformat(g, FALSE, format, ap))
185 {
186 gs.ptr = len;
187 g = string_cat(&gs, US"**** string overflowed buffer ****");
188 }
189g = string_catn(g, US"\n", 1);
190string_from_gstring(g);
191process_info_len = g->ptr;
921b12ca
TF
192DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
193va_end(ap);
194}
195
830832c9
HSHR
196/***********************************************
197* Handler for SIGTERM *
198***********************************************/
921b12ca 199
830832c9
HSHR
200static void
201term_handler(int sig)
202{
203 exit(1);
204}
921b12ca
TF
205
206
207/*************************************************
059ec3d9
PH
208* Handler for SIGUSR1 *
209*************************************************/
210
211/* SIGUSR1 causes any exim process to write to the process log details of
212what it is currently doing. It will only be used if the OS is capable of
213setting up a handler that causes automatic restarting of any system call
214that is in progress at the time.
215
921b12ca
TF
216This function takes care to be signal-safe.
217
059ec3d9
PH
218Argument: the signal number (SIGUSR1)
219Returns: nothing
220*/
221
222static void
223usr1_handler(int sig)
224{
921b12ca
TF
225int fd;
226
227os_restarting_signal(sig, usr1_handler);
228
cab0c277 229if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
921b12ca
TF
230 {
231 /* If we are already running as the Exim user, try to create it in the
232 current process (assuming spool_directory exists). Otherwise, if we are
233 root, do the creation in an exim:exim subprocess. */
234
235 int euid = geteuid();
236 if (euid == exim_uid)
237 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
238 else if (euid == root_uid)
239 fd = log_create_as_exim(process_log_path);
240 }
241
242/* If we are neither exim nor root, or if we failed to create the log file,
243give up. There is not much useful we can do with errors, since we don't want
244to disrupt whatever is going on outside the signal handler. */
245
246if (fd < 0) return;
247
2f21487f 248(void)write(fd, process_info, process_info_len);
921b12ca 249(void)close(fd);
059ec3d9
PH
250}
251
252
253
254/*************************************************
255* Timeout handler *
256*************************************************/
257
258/* This handler is enabled most of the time that Exim is running. The handler
259doesn't actually get used unless alarm() has been called to set a timer, to
260place a time limit on a system call of some kind. When the handler is run, it
261re-enables itself.
262
263There are some other SIGALRM handlers that are used in special cases when more
264than just a flag setting is required; for example, when reading a message's
265input. These are normally set up in the code module that uses them, and the
266SIGALRM handler is reset to this one afterwards.
267
268Argument: the signal value (SIGALRM)
269Returns: nothing
270*/
271
272void
273sigalrm_handler(int sig)
274{
275sig = sig; /* Keep picky compilers happy */
276sigalrm_seen = TRUE;
277os_non_restarting_signal(SIGALRM, sigalrm_handler);
278}
279
280
281
282/*************************************************
283* Sleep for a fractional time interval *
284*************************************************/
285
286/* This function is called by millisleep() and exim_wait_tick() to wait for a
287period of time that may include a fraction of a second. The coding is somewhat
eb2c0248
PH
288tedious. We do not expect setitimer() ever to fail, but if it does, the process
289will wait for ever, so we panic in this instance. (There was a case of this
290when a bug in a function that calls milliwait() caused it to pass invalid data.
7086e875 291That's when I added the check. :-)
059ec3d9 292
0f8ba377
JH
293We assume it to be not worth sleeping for under 100us; this value will
294require revisiting as hardware advances. This avoids the issue of
295a zero-valued timer setting meaning "never fire".
296
059ec3d9
PH
297Argument: an itimerval structure containing the interval
298Returns: nothing
299*/
300
301static void
302milliwait(struct itimerval *itval)
303{
304sigset_t sigmask;
305sigset_t old_sigmask;
0f8ba377
JH
306
307if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
308 return;
059ec3d9
PH
309(void)sigemptyset(&sigmask); /* Empty mask */
310(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
311(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
7086e875 312if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
eb2c0248
PH
313 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
314 "setitimer() failed: %s", strerror(errno));
059ec3d9
PH
315(void)sigfillset(&sigmask); /* All signals */
316(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
317(void)sigsuspend(&sigmask); /* Until SIGALRM */
318(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
319}
320
321
322
323
324/*************************************************
325* Millisecond sleep function *
326*************************************************/
327
328/* The basic sleep() function has a granularity of 1 second, which is too rough
329in some cases - for example, when using an increasing delay to slow down
330spammers.
331
332Argument: number of millseconds
333Returns: nothing
334*/
335
336void
337millisleep(int msec)
338{
339struct itimerval itval;
340itval.it_interval.tv_sec = 0;
341itval.it_interval.tv_usec = 0;
342itval.it_value.tv_sec = msec/1000;
343itval.it_value.tv_usec = (msec % 1000) * 1000;
344milliwait(&itval);
345}
346
347
348
349/*************************************************
350* Compare microsecond times *
351*************************************************/
352
353/*
354Arguments:
355 tv1 the first time
356 tv2 the second time
357
358Returns: -1, 0, or +1
359*/
360
32dfdf8b 361static int
059ec3d9
PH
362exim_tvcmp(struct timeval *t1, struct timeval *t2)
363{
364if (t1->tv_sec > t2->tv_sec) return +1;
365if (t1->tv_sec < t2->tv_sec) return -1;
366if (t1->tv_usec > t2->tv_usec) return +1;
367if (t1->tv_usec < t2->tv_usec) return -1;
368return 0;
369}
370
371
372
373
374/*************************************************
375* Clock tick wait function *
376*************************************************/
377
378/* Exim uses a time + a pid to generate a unique identifier in two places: its
379message IDs, and in file names for maildir deliveries. Because some OS now
380re-use pids within the same second, sub-second times are now being used.
4c04137d 381However, for absolute certainty, we must ensure the clock has ticked before
059ec3d9
PH
382allowing the relevant process to complete. At the time of implementation of
383this code (February 2003), the speed of processors is such that the clock will
384invariably have ticked already by the time a process has done its job. This
385function prepares for the time when things are faster - and it also copes with
386clocks that go backwards.
387
388Arguments:
389 then_tv A timeval which was used to create uniqueness; its usec field
390 has been rounded down to the value of the resolution.
391 We want to be sure the current time is greater than this.
392 resolution The resolution that was used to divide the microseconds
393 (1 for maildir, larger for message ids)
394
395Returns: nothing
396*/
397
398void
399exim_wait_tick(struct timeval *then_tv, int resolution)
400{
401struct timeval now_tv;
402long int now_true_usec;
403
404(void)gettimeofday(&now_tv, NULL);
405now_true_usec = now_tv.tv_usec;
406now_tv.tv_usec = (now_true_usec/resolution) * resolution;
407
408if (exim_tvcmp(&now_tv, then_tv) <= 0)
409 {
410 struct itimerval itval;
411 itval.it_interval.tv_sec = 0;
412 itval.it_interval.tv_usec = 0;
413 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
414 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
415
416 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
417 negative value for the microseconds is possible only in the case when "now"
418 is more than a second less than "then". That means that itval.it_value.tv_sec
419 is greater than zero. The following correction is therefore safe. */
420
421 if (itval.it_value.tv_usec < 0)
422 {
423 itval.it_value.tv_usec += 1000000;
424 itval.it_value.tv_sec -= 1;
425 }
426
427 DEBUG(D_transport|D_receive)
428 {
8768d548 429 if (!f.running_in_test_harness)
059ec3d9 430 {
d0291a0a 431 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
7437665e
JH
432 then_tv->tv_sec, (long) then_tv->tv_usec,
433 now_tv.tv_sec, (long) now_tv.tv_usec);
d0291a0a
JH
434 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
435 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
059ec3d9
PH
436 }
437 }
438
439 milliwait(&itval);
440 }
441}
442
443
444
445
446/*************************************************
2632889e
PH
447* Call fopen() with umask 777 and adjust mode *
448*************************************************/
449
450/* Exim runs with umask(0) so that files created with open() have the mode that
451is specified in the open() call. However, there are some files, typically in
452the spool directory, that are created with fopen(). They end up world-writeable
453if no precautions are taken. Although the spool directory is not accessible to
454the world, this is an untidiness. So this is a wrapper function for fopen()
455that sorts out the mode of the created file.
456
457Arguments:
458 filename the file name
459 options the fopen() options
460 mode the required mode
461
462Returns: the fopened FILE or NULL
463*/
464
465FILE *
1ba28e2b 466modefopen(const uschar *filename, const char *options, mode_t mode)
2632889e 467{
67d175de
PH
468mode_t saved_umask = umask(0777);
469FILE *f = Ufopen(filename, options);
470(void)umask(saved_umask);
2632889e
PH
471if (f != NULL) (void)fchmod(fileno(f), mode);
472return f;
473}
474
475
476
477
478/*************************************************
059ec3d9
PH
479* Ensure stdin, stdout, and stderr exist *
480*************************************************/
481
482/* Some operating systems grumble if an exec() happens without a standard
483input, output, and error (fds 0, 1, 2) being defined. The worry is that some
484file will be opened and will use these fd values, and then some other bit of
485code will assume, for example, that it can write error messages to stderr.
486This function ensures that fds 0, 1, and 2 are open if they do not already
487exist, by connecting them to /dev/null.
488
489This function is also used to ensure that std{in,out,err} exist at all times,
490so that if any library that Exim calls tries to use them, it doesn't crash.
491
492Arguments: None
493Returns: Nothing
494*/
495
496void
497exim_nullstd(void)
498{
059ec3d9
PH
499int devnull = -1;
500struct stat statbuf;
d7978c0f 501for (int i = 0; i <= 2; i++)
059ec3d9
PH
502 {
503 if (fstat(i, &statbuf) < 0 && errno == EBADF)
504 {
505 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
506 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
507 string_open_failed(errno, "/dev/null"));
1fe64dcc 508 if (devnull != i) (void)dup2(devnull, i);
059ec3d9
PH
509 }
510 }
1fe64dcc 511if (devnull > 2) (void)close(devnull);
059ec3d9
PH
512}
513
514
515
516
517/*************************************************
518* Close unwanted file descriptors for delivery *
519*************************************************/
520
521/* This function is called from a new process that has been forked to deliver
522an incoming message, either directly, or using exec.
523
524We want any smtp input streams to be closed in this new process. However, it
525has been observed that using fclose() here causes trouble. When reading in -bS
526input, duplicate copies of messages have been seen. The files will be sharing a
527file pointer with the parent process, and it seems that fclose() (at least on
528some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
529least sometimes. Hence we go for closing the underlying file descriptors.
530
531If TLS is active, we want to shut down the TLS library, but without molesting
532the parent's SSL connection.
533
534For delivery of a non-SMTP message, we want to close stdin and stdout (and
535stderr unless debugging) because the calling process might have set them up as
536pipes and be waiting for them to close before it waits for the submission
537process to terminate. If they aren't closed, they hold up the calling process
538until the initial delivery process finishes, which is not what we want.
539
540Exception: We do want it for synchronous delivery!
541
542And notwithstanding all the above, if D_resolver is set, implying resolver
543debugging, leave stdout open, because that's where the resolver writes its
544debugging output.
545
546When we close stderr (which implies we've also closed stdout), we also get rid
547of any controlling terminal.
548
549Arguments: None
550Returns: Nothing
551*/
552
553static void
554close_unwanted(void)
555{
556if (smtp_input)
557 {
74f1a423
JH
558#ifdef SUPPORT_TLS
559 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
560#endif
1fe64dcc
PH
561 (void)close(fileno(smtp_in));
562 (void)close(fileno(smtp_out));
059ec3d9
PH
563 smtp_in = NULL;
564 }
565else
566 {
1fe64dcc
PH
567 (void)close(0); /* stdin */
568 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
569 if (debug_selector == 0) /* stderr */
059ec3d9 570 {
8768d548 571 if (!f.synchronous_delivery)
059ec3d9 572 {
1fe64dcc 573 (void)close(2);
059ec3d9
PH
574 log_stderr = NULL;
575 }
576 (void)setsid();
577 }
578 }
579}
580
581
582
583
584/*************************************************
585* Set uid and gid *
586*************************************************/
587
588/* This function sets a new uid and gid permanently, optionally calling
589initgroups() to set auxiliary groups. There are some special cases when running
590Exim in unprivileged modes. In these situations the effective uid will not be
591root; if we already have the right effective uid/gid, and don't need to
592initialize any groups, leave things as they are.
593
594Arguments:
595 uid the uid
596 gid the gid
597 igflag TRUE if initgroups() wanted
598 msg text to use in debugging output and failure log
599
600Returns: nothing; bombs out on failure
601*/
602
603void
604exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
605{
606uid_t euid = geteuid();
607gid_t egid = getegid();
608
609if (euid == root_uid || euid != uid || egid != gid || igflag)
610 {
611 /* At least one OS returns +1 for initgroups failure, so just check for
612 non-zero. */
613
614 if (igflag)
615 {
616 struct passwd *pw = getpwuid(uid);
9af3c549
JH
617 if (!pw)
618 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
619 "no passwd entry for uid=%ld", (long int)uid);
620
621 if (initgroups(pw->pw_name, gid) != 0)
622 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
623 (long int)uid, strerror(errno));
059ec3d9
PH
624 }
625
626 if (setgid(gid) < 0 || setuid(uid) < 0)
059ec3d9
PH
627 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
628 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
059ec3d9
PH
629 }
630
631/* Debugging output included uid/gid and all groups */
632
633DEBUG(D_uid)
634 {
cd59ab18 635 int group_count, save_errno;
157d73b5 636 gid_t group_list[EXIM_GROUPLIST_SIZE];
059ec3d9
PH
637 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
638 (long int)geteuid(), (long int)getegid(), (long int)getpid());
157d73b5 639 group_count = getgroups(nelem(group_list), group_list);
cd59ab18 640 save_errno = errno;
059ec3d9
PH
641 debug_printf(" auxiliary group list:");
642 if (group_count > 0)
d7978c0f 643 for (int i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
cd59ab18
PP
644 else if (group_count < 0)
645 debug_printf(" <error: %s>", strerror(save_errno));
059ec3d9
PH
646 else debug_printf(" <none>");
647 debug_printf("\n");
648 }
649}
650
651
652
653
654/*************************************************
655* Exit point *
656*************************************************/
657
658/* Exim exits via this function so that it always clears up any open
659databases.
660
661Arguments:
662 rc return code
663
664Returns: does not return
665*/
666
667void
9bfb7e1b 668exim_exit(int rc, const uschar * process)
059ec3d9
PH
669{
670search_tidyup();
671DEBUG(D_any)
9bfb7e1b
JH
672 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
673 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
674 process ? "(" : "", process, process ? ") " : "", rc);
059ec3d9
PH
675exit(rc);
676}
677
678
679
9af3c549
JH
680/* Print error string, then die */
681static void
682exim_fail(const char * fmt, ...)
683{
684va_list ap;
685va_start(ap, fmt);
686vfprintf(stderr, fmt, ap);
687exit(EXIT_FAILURE);
688}
689
690
059ec3d9
PH
691
692/*************************************************
693* Extract port from host address *
694*************************************************/
695
696/* Called to extract the port from the values given to -oMa and -oMi.
b90c388a
PH
697It also checks the syntax of the address, and terminates it before the
698port data when a port is extracted.
059ec3d9
PH
699
700Argument:
701 address the address, with possible port on the end
702
703Returns: the port, or zero if there isn't one
704 bombs out on a syntax error
705*/
706
707static int
708check_port(uschar *address)
709{
7cd1141b 710int port = host_address_extract_port(address);
8e669ac1 711if (string_is_ip_address(address, NULL) == 0)
9af3c549 712 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
059ec3d9
PH
713return port;
714}
715
716
717
718/*************************************************
719* Test/verify an address *
720*************************************************/
721
722/* This function is called by the -bv and -bt code. It extracts a working
723address from a full RFC 822 address. This isn't really necessary per se, but it
724has the effect of collapsing source routes.
725
726Arguments:
727 s the address string
728 flags flag bits for verify_address()
729 exit_value to be set for failures
730
a5a28604 731Returns: nothing
059ec3d9
PH
732*/
733
734static void
735test_address(uschar *s, int flags, int *exit_value)
736{
737int start, end, domain;
738uschar *parse_error = NULL;
739uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
740 FALSE);
741if (address == NULL)
742 {
743 fprintf(stdout, "syntax error: %s\n", parse_error);
744 *exit_value = 2;
745 }
746else
747 {
748 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
4deaf07d 749 -1, -1, NULL, NULL, NULL);
059ec3d9
PH
750 if (rc == FAIL) *exit_value = 2;
751 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
752 }
753}
754
755
756
757/*************************************************
059ec3d9
PH
758* Show supported features *
759*************************************************/
760
059ec3d9 761static void
96508de1 762show_db_version(FILE * f)
059ec3d9
PH
763{
764#ifdef DB_VERSION_STRING
96508de1
JH
765DEBUG(D_any)
766 {
767 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
768 fprintf(f, " Runtime: %s\n",
769 db_version(NULL, NULL, NULL));
770 }
771else
772 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
773
059ec3d9
PH
774#elif defined(BTREEVERSION) && defined(HASHVERSION)
775 #ifdef USE_DB
776 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
777 #else
778 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
779 #endif
96508de1 780
059ec3d9
PH
781#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
782fprintf(f, "Probably ndbm\n");
783#elif defined(USE_TDB)
784fprintf(f, "Using tdb\n");
785#else
786 #ifdef USE_GDBM
787 fprintf(f, "Probably GDBM (native mode)\n");
788 #else
789 fprintf(f, "Probably GDBM (compatibility mode)\n");
790 #endif
791#endif
96508de1
JH
792}
793
794
795/* This function is called for -bV/--version and for -d to output the optional
796features of the current Exim binary.
797
798Arguments: a FILE for printing
799Returns: nothing
800*/
801
802static void
8768d548 803show_whats_supported(FILE * fp)
96508de1 804{
8768d548 805DEBUG(D_any) {} else show_db_version(fp);
059ec3d9 806
8768d548 807fprintf(fp, "Support for:");
9cec981f 808#ifdef SUPPORT_CRYPTEQ
8768d548 809 fprintf(fp, " crypteq");
9cec981f 810#endif
059ec3d9 811#if HAVE_ICONV
8768d548 812 fprintf(fp, " iconv()");
059ec3d9
PH
813#endif
814#if HAVE_IPV6
8768d548 815 fprintf(fp, " IPv6");
059ec3d9 816#endif
79378e0f 817#ifdef HAVE_SETCLASSRESOURCES
8768d548 818 fprintf(fp, " use_setclassresources");
929ba01c 819#endif
059ec3d9 820#ifdef SUPPORT_PAM
8768d548 821 fprintf(fp, " PAM");
059ec3d9
PH
822#endif
823#ifdef EXIM_PERL
8768d548 824 fprintf(fp, " Perl");
059ec3d9 825#endif
1a46a8c5 826#ifdef EXPAND_DLFUNC
8768d548 827 fprintf(fp, " Expand_dlfunc");
1a46a8c5 828#endif
059ec3d9 829#ifdef USE_TCP_WRAPPERS
8768d548 830 fprintf(fp, " TCPwrappers");
059ec3d9
PH
831#endif
832#ifdef SUPPORT_TLS
c11d665d 833# ifdef USE_GNUTLS
8768d548 834 fprintf(fp, " GnuTLS");
c11d665d 835# else
8768d548 836 fprintf(fp, " OpenSSL");
c11d665d 837# endif
059ec3d9 838#endif
b2f5a032 839#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
8768d548 840 fprintf(fp, " translate_ip_address");
b2f5a032 841#endif
f174f16e 842#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
8768d548 843 fprintf(fp, " move_frozen_messages");
f174f16e 844#endif
8523533c 845#ifdef WITH_CONTENT_SCAN
8768d548 846 fprintf(fp, " Content_Scanning");
8523533c 847#endif
c0635b6d 848#ifdef SUPPORT_DANE
8768d548 849 fprintf(fp, " DANE");
c0635b6d 850#endif
74f150bf 851#ifndef DISABLE_DKIM
8768d548 852 fprintf(fp, " DKIM");
74f150bf 853#endif
ef1bbb27 854#ifndef DISABLE_DNSSEC
8768d548 855 fprintf(fp, " DNSSEC");
ef1bbb27 856#endif
0cbf2b82 857#ifndef DISABLE_EVENT
8768d548 858 fprintf(fp, " Event");
0cbf2b82 859#endif
8c5d388a 860#ifdef SUPPORT_I18N
8768d548 861 fprintf(fp, " I18N");
8c5d388a 862#endif
74f150bf 863#ifndef DISABLE_OCSP
8768d548 864 fprintf(fp, " OCSP");
74f150bf 865#endif
4d832da1 866#ifndef DISABLE_PRDR
8768d548 867 fprintf(fp, " PRDR");
4d832da1 868#endif
cee5f132 869#ifdef SUPPORT_PROXY
8768d548 870 fprintf(fp, " PROXY");
cee5f132 871#endif
f0989ec0 872#ifdef SUPPORT_SOCKS
8768d548 873 fprintf(fp, " SOCKS");
f2de3a33 874#endif
7952eef9 875#ifdef SUPPORT_SPF
8768d548 876 fprintf(fp, " SPF");
7952eef9 877#endif
1a2dfad5 878#ifdef TCP_FASTOPEN
10ac8d7f 879 deliver_init();
8768d548 880 if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
1a2dfad5 881#endif
5bde3efa 882#ifdef EXPERIMENTAL_LMDB
8768d548 883 fprintf(fp, " Experimental_LMDB");
5bde3efa 884#endif
3369a853 885#ifdef EXPERIMENTAL_QUEUEFILE
8768d548 886 fprintf(fp, " Experimental_QUEUEFILE");
3369a853 887#endif
8523533c 888#ifdef EXPERIMENTAL_SRS
8768d548 889 fprintf(fp, " Experimental_SRS");
8523533c 890#endif
617d3932 891#ifdef EXPERIMENTAL_ARC
8768d548 892 fprintf(fp, " Experimental_ARC");
617d3932 893#endif
8523533c 894#ifdef EXPERIMENTAL_BRIGHTMAIL
8768d548 895 fprintf(fp, " Experimental_Brightmail");
8523533c 896#endif
6a8f9482 897#ifdef EXPERIMENTAL_DCC
8768d548 898 fprintf(fp, " Experimental_DCC");
6a8f9482 899#endif
4840604e 900#ifdef EXPERIMENTAL_DMARC
8768d548 901 fprintf(fp, " Experimental_DMARC");
4840604e 902#endif
895fbaf2 903#ifdef EXPERIMENTAL_DSN_INFO
8768d548 904 fprintf(fp, " Experimental_DSN_info");
895fbaf2 905#endif
ee8b8090
JH
906#ifdef EXPERIMENTAL_PIPE_CONNECT
907 fprintf(fp, " Experimental_PIPE_CONNECT");
908#endif
8768d548 909fprintf(fp, "\n");
059ec3d9 910
8768d548 911fprintf(fp, "Lookups (built-in):");
e6d225ae 912#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
8768d548 913 fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
059ec3d9 914#endif
e6d225ae 915#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
8768d548 916 fprintf(fp, " cdb");
059ec3d9 917#endif
e6d225ae 918#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
8768d548 919 fprintf(fp, " dbm dbmjz dbmnz");
059ec3d9 920#endif
e6d225ae 921#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
8768d548 922 fprintf(fp, " dnsdb");
059ec3d9 923#endif
e6d225ae 924#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
8768d548 925 fprintf(fp, " dsearch");
059ec3d9 926#endif
e6d225ae 927#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
8768d548 928 fprintf(fp, " ibase");
059ec3d9 929#endif
ffc92d69
JH
930#if defined(LOOKUP_JSON) && LOOKUP_JSON!=2
931 fprintf(fp, " json");
932#endif
e6d225ae 933#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
8768d548 934 fprintf(fp, " ldap ldapdn ldapm");
059ec3d9 935#endif
5bde3efa 936#ifdef EXPERIMENTAL_LMDB
8768d548 937 fprintf(fp, " lmdb");
5bde3efa 938#endif
e6d225ae 939#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
8768d548 940 fprintf(fp, " mysql");
059ec3d9 941#endif
e6d225ae 942#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
8768d548 943 fprintf(fp, " nis nis0");
059ec3d9 944#endif
e6d225ae 945#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
8768d548 946 fprintf(fp, " nisplus");
059ec3d9 947#endif
e6d225ae 948#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
8768d548 949 fprintf(fp, " oracle");
059ec3d9 950#endif
e6d225ae 951#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
8768d548 952 fprintf(fp, " passwd");
059ec3d9 953#endif
e6d225ae 954#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
8768d548 955 fprintf(fp, " pgsql");
059ec3d9 956#endif
de78e2d5 957#if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
8768d548 958 fprintf(fp, " redis");
de78e2d5 959#endif
e6d225ae 960#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
8768d548 961 fprintf(fp, " sqlite");
13b685f9 962#endif
e6d225ae 963#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
8768d548 964 fprintf(fp, " testdb");
059ec3d9 965#endif
e6d225ae 966#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
8768d548 967 fprintf(fp, " whoson");
059ec3d9 968#endif
8768d548 969fprintf(fp, "\n");
059ec3d9 970
8768d548
JH
971auth_show_supported(fp);
972route_show_supported(fp);
973transport_show_supported(fp);
059ec3d9 974
c11d665d 975#ifdef WITH_CONTENT_SCAN
8768d548 976malware_show_supported(fp);
c11d665d
JH
977#endif
978
059ec3d9
PH
979if (fixed_never_users[0] > 0)
980 {
981 int i;
8768d548 982 fprintf(fp, "Fixed never_users: ");
059ec3d9 983 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
8768d548
JH
984 fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
985 fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
059ec3d9 986 }
21c28500 987
8768d548 988fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
19bfe9e7 989
8768d548 990fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
36f12725 991
6545de78
PP
992/* Everything else is details which are only worth reporting when debugging.
993Perhaps the tls_version_report should move into this too. */
994DEBUG(D_any) do {
995
b3c261f7
PP
996/* clang defines __GNUC__ (at least, for me) so test for it first */
997#if defined(__clang__)
8768d548 998 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
b3c261f7 999#elif defined(__GNUC__)
8768d548 1000 fprintf(fp, "Compiler: GCC [%s]\n",
b3c261f7
PP
1001# ifdef __VERSION__
1002 __VERSION__
1003# else
1004 "? unknown version ?"
1005# endif
1006 );
1007#else
8768d548 1008 fprintf(fp, "Compiler: <unknown>\n");
b3c261f7
PP
1009#endif
1010
98913c8e 1011#if defined(__GLIBC__) && !defined(__UCLIBC__)
8768d548 1012 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
01f3091a
JH
1013 __GLIBC__, __GLIBC_MINOR__);
1014 if (__GLIBC_PREREQ(2, 1))
8768d548 1015 fprintf(fp, " Runtime: %s\n",
01f3091a
JH
1016 gnu_get_libc_version());
1017#endif
1018
8768d548 1019show_db_version(fp);
96508de1 1020
754a0503 1021#ifdef SUPPORT_TLS
8768d548 1022 tls_version_report(fp);
754a0503 1023#endif
8c5d388a 1024#ifdef SUPPORT_I18N
8768d548 1025 utf8_version_report(fp);
b04be5e7 1026#endif
754a0503 1027
d7978c0f 1028 for (auth_info * authi = auths_available; *authi->driver_name != '\0'; ++authi)
fc362fc5 1029 if (authi->version_report)
8768d548 1030 (*authi->version_report)(fp);
6545de78 1031
decd95cb 1032 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
6475bd82
PP
1033 characters; unless it's an ancient version of PCRE in which case it
1034 is not defined. */
1035#ifndef PCRE_PRERELEASE
01f3091a 1036# define PCRE_PRERELEASE
6475bd82
PP
1037#endif
1038#define QUOTE(X) #X
1039#define EXPAND_AND_QUOTE(X) QUOTE(X)
8768d548 1040 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
6545de78
PP
1041 " Runtime: %s\n",
1042 PCRE_MAJOR, PCRE_MINOR,
6475bd82 1043 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
6545de78 1044 pcre_version());
6475bd82
PP
1045#undef QUOTE
1046#undef EXPAND_AND_QUOTE
6545de78
PP
1047
1048 init_lookup_list();
d7978c0f 1049 for (int i = 0; i < lookup_list_count; i++)
6545de78 1050 if (lookup_list[i]->version_report)
8768d548 1051 lookup_list[i]->version_report(fp);
6545de78 1052
b70d2586 1053#ifdef WHITELIST_D_MACROS
8768d548 1054 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
b70d2586 1055#else
8768d548 1056 fprintf(fp, "WHITELIST_D_MACROS unset\n");
b70d2586
PP
1057#endif
1058#ifdef TRUSTED_CONFIG_LIST
8768d548 1059 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
b70d2586 1060#else
8768d548 1061 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
b70d2586
PP
1062#endif
1063
6545de78 1064} while (0);
059ec3d9
PH
1065}
1066
1067
98a90c36
PP
1068/*************************************************
1069* Show auxiliary information about Exim *
1070*************************************************/
1071
1072static void
1073show_exim_information(enum commandline_info request, FILE *stream)
1074{
98a90c36
PP
1075switch(request)
1076 {
1077 case CMDINFO_NONE:
1078 fprintf(stream, "Oops, something went wrong.\n");
1079 return;
1080 case CMDINFO_HELP:
1081 fprintf(stream,
1082"The -bI: flag takes a string indicating which information to provide.\n"
1083"If the string is not recognised, you'll get this help (on stderr).\n"
1084"\n"
1085" exim -bI:help this information\n"
030caf2a
JS
1086" exim -bI:dscp list of known dscp value keywords\n"
1087" exim -bI:sieve list of supported sieve extensions\n"
98a90c36
PP
1088);
1089 return;
1090 case CMDINFO_SIEVE:
d7978c0f 1091 for (const uschar ** pp = exim_sieve_extension_list; *pp; ++pp)
98a90c36
PP
1092 fprintf(stream, "%s\n", *pp);
1093 return;
36a3ae5f
PP
1094 case CMDINFO_DSCP:
1095 dscp_list_to_stream(stream);
1096 return;
98a90c36
PP
1097 }
1098}
059ec3d9
PH
1099
1100
1101/*************************************************
1102* Quote a local part *
1103*************************************************/
1104
1105/* This function is used when a sender address or a From: or Sender: header
1106line is being created from the caller's login, or from an authenticated_id. It
1107applies appropriate quoting rules for a local part.
1108
1109Argument: the local part
1110Returns: the local part, quoted if necessary
1111*/
1112
1113uschar *
1114local_part_quote(uschar *lpart)
1115{
1116BOOL needs_quote = FALSE;
acec9514 1117gstring * g;
059ec3d9 1118
d7978c0f 1119for (uschar * t = lpart; !needs_quote && *t != 0; t++)
059ec3d9
PH
1120 {
1121 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1122 (*t != '.' || t == lpart || t[1] == 0);
1123 }
1124
1125if (!needs_quote) return lpart;
1126
acec9514 1127g = string_catn(NULL, US"\"", 1);
059ec3d9
PH
1128
1129for (;;)
1130 {
1131 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1132 if (nq == NULL)
1133 {
acec9514 1134 g = string_cat(g, lpart);
059ec3d9
PH
1135 break;
1136 }
acec9514
JH
1137 g = string_catn(g, lpart, nq - lpart);
1138 g = string_catn(g, US"\\", 1);
1139 g = string_catn(g, nq, 1);
059ec3d9
PH
1140 lpart = nq + 1;
1141 }
1142
acec9514
JH
1143g = string_catn(g, US"\"", 1);
1144return string_from_gstring(g);
059ec3d9
PH
1145}
1146
1147
1148
1149#ifdef USE_READLINE
1150/*************************************************
1151* Load readline() functions *
1152*************************************************/
1153
1154/* This function is called from testing executions that read data from stdin,
1155but only when running as the calling user. Currently, only -be does this. The
1156function loads the readline() function library and passes back the functions.
1157On some systems, it needs the curses library, so load that too, but try without
1158it if loading fails. All this functionality has to be requested at build time.
1159
1160Arguments:
1161 fn_readline_ptr pointer to where to put the readline pointer
1162 fn_addhist_ptr pointer to where to put the addhistory function
1163
1164Returns: the dlopen handle or NULL on failure
1165*/
1166
1167static void *
1ba28e2b
PP
1168set_readline(char * (**fn_readline_ptr)(const char *),
1169 void (**fn_addhist_ptr)(const char *))
059ec3d9
PH
1170{
1171void *dlhandle;
e12f8c32 1172void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
059ec3d9 1173
e12f8c32 1174dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
059ec3d9
PH
1175if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1176
1177if (dlhandle != NULL)
1178 {
1ba28e2b
PP
1179 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1180 * char * readline (const char *prompt);
1181 * void add_history (const char *string);
1182 */
1183 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1184 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
059ec3d9
PH
1185 }
1186else
1187 {
1188 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1189 }
1190
1191return dlhandle;
1192}
1193#endif
1194
1195
1196
1197/*************************************************
1198* Get a line from stdin for testing things *
1199*************************************************/
1200
1201/* This function is called when running tests that can take a number of lines
1202of input (for example, -be and -bt). It handles continuations and trailing
1203spaces. And prompting and a blank line output on eof. If readline() is in use,
1204the arguments are non-NULL and provide the relevant functions.
1205
1206Arguments:
1207 fn_readline readline function or NULL
1208 fn_addhist addhist function or NULL
1209
1210Returns: pointer to dynamic memory, or NULL at end of file
1211*/
1212
1213static uschar *
1ba28e2b 1214get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
059ec3d9 1215{
acec9514 1216gstring * g = NULL;
059ec3d9 1217
acec9514 1218if (!fn_readline) { printf("> "); fflush(stdout); }
059ec3d9 1219
d7978c0f 1220for (int i = 0;; i++)
059ec3d9
PH
1221 {
1222 uschar buffer[1024];
1223 uschar *p, *ss;
1224
1225 #ifdef USE_READLINE
1226 char *readline_line = NULL;
1227 if (fn_readline != NULL)
1228 {
1229 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1230 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1231 p = US readline_line;
1232 }
1233 else
1234 #endif
1235
1236 /* readline() not in use */
1237
1238 {
1239 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1240 p = buffer;
1241 }
1242
1243 /* Handle the line */
1244
1245 ss = p + (int)Ustrlen(p);
1246 while (ss > p && isspace(ss[-1])) ss--;
1247
1248 if (i > 0)
1249 {
1250 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1251 }
1252
acec9514 1253 g = string_catn(g, p, ss - p);
059ec3d9
PH
1254
1255 #ifdef USE_READLINE
acec9514 1256 if (fn_readline) free(readline_line);
059ec3d9
PH
1257 #endif
1258
acec9514
JH
1259 /* g can only be NULL if ss==p */
1260 if (ss == p || g->s[g->ptr-1] != '\\')
059ec3d9 1261 break;
acec9514
JH
1262
1263 --g->ptr;
1264 (void) string_from_gstring(g);
059ec3d9
PH
1265 }
1266
acec9514
JH
1267if (!g) printf("\n");
1268return string_from_gstring(g);
059ec3d9
PH
1269}
1270
1271
1272
1273/*************************************************
81ea09ca
NM
1274* Output usage information for the program *
1275*************************************************/
1276
1277/* This function is called when there are no recipients
1278 or a specific --help argument was added.
1279
1280Arguments:
1281 progname information on what name we were called by
1282
1283Returns: DOES NOT RETURN
1284*/
1285
1286static void
1287exim_usage(uschar *progname)
1288{
1289
4c04137d 1290/* Handle specific program invocation variants */
81ea09ca 1291if (Ustrcmp(progname, US"-mailq") == 0)
9af3c549 1292 exim_fail(
e765a0f1 1293 "mailq - list the contents of the mail queue\n\n"
81ea09ca 1294 "For a list of options, see the Exim documentation.\n");
81ea09ca
NM
1295
1296/* Generic usage - we output this whatever happens */
9af3c549 1297exim_fail(
81ea09ca
NM
1298 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1299 "not directly from a shell command line. Options and/or arguments control\n"
1300 "what it does when called. For a list of options, see the Exim documentation.\n");
81ea09ca
NM
1301}
1302
1303
1304
1305/*************************************************
a7cbbf50
PP
1306* Validate that the macros given are okay *
1307*************************************************/
1308
1309/* Typically, Exim will drop privileges if macros are supplied. In some
1310cases, we want to not do so.
1311
a4034eb8 1312Arguments: opt_D_used - true if the commandline had a "-D" option
a7cbbf50
PP
1313Returns: true if trusted, false otherwise
1314*/
1315
1316static BOOL
a4034eb8 1317macros_trusted(BOOL opt_D_used)
a7cbbf50
PP
1318{
1319#ifdef WHITELIST_D_MACROS
d7978c0f 1320uschar *whitelisted, *end, *p, **whites;
a7cbbf50
PP
1321int white_count, i, n;
1322size_t len;
1323BOOL prev_char_item, found;
1324#endif
1325
a4034eb8 1326if (!opt_D_used)
a7cbbf50
PP
1327 return TRUE;
1328#ifndef WHITELIST_D_MACROS
1329return FALSE;
1330#else
1331
66581d1e
PP
1332/* We only trust -D overrides for some invoking users:
1333root, the exim run-time user, the optional config owner user.
1334I don't know why config-owner would be needed, but since they can own the
1335config files anyway, there's no security risk to letting them override -D. */
1336if ( ! ((real_uid == root_uid)
1337 || (real_uid == exim_uid)
1338#ifdef CONFIGURE_OWNER
1339 || (real_uid == config_uid)
1340#endif
1341 ))
1342 {
1343 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1344 return FALSE;
1345 }
1346
a7cbbf50
PP
1347/* Get a list of macros which are whitelisted */
1348whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1349prev_char_item = FALSE;
1350white_count = 0;
1351for (p = whitelisted; *p != '\0'; ++p)
1352 {
1353 if (*p == ':' || isspace(*p))
1354 {
1355 *p = '\0';
1356 if (prev_char_item)
1357 ++white_count;
1358 prev_char_item = FALSE;
1359 continue;
1360 }
1361 if (!prev_char_item)
1362 prev_char_item = TRUE;
1363 }
1364end = p;
1365if (prev_char_item)
1366 ++white_count;
1367if (!white_count)
1368 return FALSE;
1369whites = store_malloc(sizeof(uschar *) * (white_count+1));
1370for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1371 {
1372 if (*p != '\0')
1373 {
1374 whites[i++] = p;
1375 if (i == white_count)
1376 break;
1377 while (*p != '\0' && p < end)
1378 ++p;
1379 }
1380 }
1381whites[i] = NULL;
1382
1a7c9a48
JH
1383/* The list of commandline macros should be very short.
1384Accept the N*M complexity. */
d7978c0f 1385for (macro_item * m = macros_user; m; m = m->next) if (m->command_line)
1a7c9a48
JH
1386 {
1387 found = FALSE;
d7978c0f 1388 for (uschar ** w = whites; *w; ++w)
1a7c9a48
JH
1389 if (Ustrcmp(*w, m->name) == 0)
1390 {
1391 found = TRUE;
1392 break;
1393 }
1394 if (!found)
1395 return FALSE;
1396 if (!m->replacement)
1397 continue;
1398 if ((len = m->replen) == 0)
1399 continue;
1400 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1401 0, PCRE_EOPT, NULL, 0);
1402 if (n < 0)
1403 {
1404 if (n != PCRE_ERROR_NOMATCH)
1405 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1406 return FALSE;
1407 }
1408 }
43236f35 1409DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
a7cbbf50
PP
1410return TRUE;
1411#endif
1412}
1413
1414
1415/*************************************************
9650d98a
JH
1416* Expansion testing *
1417*************************************************/
1418
1419/* Expand and print one item, doing macro-processing.
1420
1421Arguments:
1422 item line for expansion
1423*/
1424
1425static void
1426expansion_test_line(uschar * line)
1427{
1428int len;
1429BOOL dummy_macexp;
1430
1431Ustrncpy(big_buffer, line, big_buffer_size);
1432big_buffer[big_buffer_size-1] = '\0';
1433len = Ustrlen(big_buffer);
1434
1435(void) macros_expand(0, &len, &dummy_macexp);
1436
1437if (isupper(big_buffer[0]))
1438 {
1439 if (macro_read_assignment(big_buffer))
1a7c9a48 1440 printf("Defined macro '%s'\n", mlast->name);
9650d98a
JH
1441 }
1442else
1443 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1444 else printf("Failed: %s\n", expand_string_message);
1445}
1446
1447
9af3c549 1448
9650d98a 1449/*************************************************
059ec3d9
PH
1450* Entry point and high-level code *
1451*************************************************/
1452
1453/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1454the appropriate action. All the necessary functions are present in the one
1455binary. I originally thought one should split it up, but it turns out that so
1456much of the apparatus is needed in each chunk that one might as well just have
1457it all available all the time, which then makes the coding easier as well.
1458
1459Arguments:
1460 argc count of entries in argv
1461 argv argument strings, with argv[0] being the program name
1462
1463Returns: EXIT_SUCCESS if terminated successfully
1464 EXIT_FAILURE otherwise, except when a message has been sent
1465 to the sender, and -oee was given
1466*/
1467
1468int
1469main(int argc, char **cargv)
1470{
1471uschar **argv = USS cargv;
1472int arg_receive_timeout = -1;
1473int arg_smtp_receive_timeout = -1;
1474int arg_error_handling = error_handling;
f05da2e8
PH
1475int filter_sfd = -1;
1476int filter_ufd = -1;
059ec3d9 1477int group_count;
1670ef10 1478int i, rv;
059ec3d9
PH
1479int list_queue_option = 0;
1480int msg_action = 0;
1481int msg_action_arg = -1;
1482int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1483int queue_only_reason = 0;
1484#ifdef EXIM_PERL
1485int perl_start_option = 0;
1486#endif
1487int recipients_arg = argc;
1488int sender_address_domain = 0;
1489int test_retry_arg = -1;
1490int test_rewrite_arg = -1;
3b7ac02c 1491gid_t original_egid;
059ec3d9
PH
1492BOOL arg_queue_only = FALSE;
1493BOOL bi_option = FALSE;
1494BOOL checking = FALSE;
1495BOOL count_queue = FALSE;
1496BOOL expansion_test = FALSE;
1497BOOL extract_recipients = FALSE;
f4ee74ac 1498BOOL flag_G = FALSE;
12f69989 1499BOOL flag_n = FALSE;
059ec3d9
PH
1500BOOL forced_delivery = FALSE;
1501BOOL f_end_dot = FALSE;
1502BOOL deliver_give_up = FALSE;
1503BOOL list_queue = FALSE;
1504BOOL list_options = FALSE;
bf3c2c6b 1505BOOL list_config = FALSE;
059ec3d9
PH
1506BOOL local_queue_only;
1507BOOL more = TRUE;
1508BOOL one_msg_action = FALSE;
4ab69ec7 1509BOOL opt_D_used = FALSE;
059ec3d9
PH
1510BOOL queue_only_set = FALSE;
1511BOOL receiving_message = TRUE;
33d73e3b 1512BOOL sender_ident_set = FALSE;
8669f003 1513BOOL session_local_queue_only;
059ec3d9
PH
1514BOOL unprivileged;
1515BOOL removed_privilege = FALSE;
81ea09ca 1516BOOL usage_wanted = FALSE;
059ec3d9
PH
1517BOOL verify_address_mode = FALSE;
1518BOOL verify_as_sender = FALSE;
1519BOOL version_printed = FALSE;
1520uschar *alias_arg = NULL;
1521uschar *called_as = US"";
a3fb9793 1522uschar *cmdline_syslog_name = NULL;
059ec3d9
PH
1523uschar *start_queue_run_id = NULL;
1524uschar *stop_queue_run_id = NULL;
328895cc 1525uschar *expansion_test_message = NULL;
059ec3d9
PH
1526uschar *ftest_domain = NULL;
1527uschar *ftest_localpart = NULL;
1528uschar *ftest_prefix = NULL;
1529uschar *ftest_suffix = NULL;
0ad2e0fc 1530uschar *log_oneline = NULL;
8544e77a 1531uschar *malware_test_file = NULL;
059ec3d9
PH
1532uschar *real_sender_address;
1533uschar *originator_home = US"/";
a3fb9793 1534size_t sz;
059ec3d9
PH
1535void *reset_point;
1536
1537struct passwd *pw;
1538struct stat statbuf;
1539pid_t passed_qr_pid = (pid_t)0;
1540int passed_qr_pipe = -1;
157d73b5 1541gid_t group_list[EXIM_GROUPLIST_SIZE];
059ec3d9 1542
98a90c36
PP
1543/* For the -bI: flag */
1544enum commandline_info info_flag = CMDINFO_NONE;
1545BOOL info_stdout = FALSE;
1546
059ec3d9
PH
1547/* Possible options for -R and -S */
1548
1549static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1550
1551/* Need to define this in case we need to change the environment in order
1552to get rid of a bogus time zone. We have to make it char rather than uschar
1553because some OS define it in /usr/include/unistd.h. */
1554
1555extern char **environ;
1556
35edf2ff 1557/* If the Exim user and/or group and/or the configuration file owner/group were
059ec3d9
PH
1558defined by ref:name at build time, we must now find the actual uid/gid values.
1559This is a feature to make the lives of binary distributors easier. */
1560
1561#ifdef EXIM_USERNAME
1562if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1563 {
10385c15 1564 if (exim_uid == 0)
9af3c549
JH
1565 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1566
084c1d8c
PP
1567 /* If ref:name uses a number as the name, route_finduser() returns
1568 TRUE with exim_uid set and pw coerced to NULL. */
1569 if (pw)
1570 exim_gid = pw->pw_gid;
1571#ifndef EXIM_GROUPNAME
1572 else
9af3c549 1573 exim_fail(
084c1d8c
PP
1574 "exim: ref:name should specify a usercode, not a group.\n"
1575 "exim: can't let you get away with it unless you also specify a group.\n");
084c1d8c 1576#endif
059ec3d9
PH
1577 }
1578else
9af3c549 1579 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
059ec3d9
PH
1580#endif
1581
1582#ifdef EXIM_GROUPNAME
1583if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
9af3c549 1584 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
059ec3d9
PH
1585#endif
1586
1587#ifdef CONFIGURE_OWNERNAME
1588if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
9af3c549 1589 exim_fail("exim: failed to find uid for user name \"%s\"\n",
059ec3d9 1590 CONFIGURE_OWNERNAME);
059ec3d9
PH
1591#endif
1592
79d4bc3d
PP
1593/* We default the system_filter_user to be the Exim run-time user, as a
1594sane non-root value. */
1595system_filter_uid = exim_uid;
1596
35edf2ff
PH
1597#ifdef CONFIGURE_GROUPNAME
1598if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
9af3c549 1599 exim_fail("exim: failed to find gid for group name \"%s\"\n",
35edf2ff 1600 CONFIGURE_GROUPNAME);
35edf2ff
PH
1601#endif
1602
92e6a3d9
JH
1603/* In the Cygwin environment, some initialization used to need doing.
1604It was fudged in by means of this macro; now no longer but we'll leave
1605it in case of others. */
059ec3d9
PH
1606
1607#ifdef OS_INIT
1608OS_INIT
1609#endif
1610
1611/* Check a field which is patched when we are running Exim within its
1612testing harness; do a fast initial check, and then the whole thing. */
1613
8768d548 1614f.running_in_test_harness =
059ec3d9 1615 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
8768d548 1616if (f.running_in_test_harness)
65a32f85 1617 debug_store = TRUE;
059ec3d9
PH
1618
1619/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1620at the start of a program; however, it seems that some environments do not
1621follow this. A "strange" locale can affect the formatting of timestamps, so we
1622make quite sure. */
1623
1624setlocale(LC_ALL, "C");
1625
1626/* Set up the default handler for timing using alarm(). */
1627
1628os_non_restarting_signal(SIGALRM, sigalrm_handler);
1629
1630/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1631because store_malloc writes a log entry on failure. */
1632
40c90bca 1633if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
9af3c549 1634 exim_fail("exim: failed to get store for log buffer\n");
059ec3d9 1635
6c6d6e48
TF
1636/* Initialize the default log options. */
1637
1638bits_set(log_selector, log_selector_size, log_default);
1639
059ec3d9
PH
1640/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1641NULL when the daemon is run and the file is closed. We have to use this
1642indirection, because some systems don't allow writing to the variable "stderr".
1643*/
1644
1645if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1646
1647/* Arrange for the PCRE regex library to use our store functions. Note that
1648the normal calls are actually macros that add additional arguments for
1649debugging purposes so we have to assign specially constructed functions here.
1650The default is to use store in the stacking pool, but this is overridden in the
1651regex_must_compile() function. */
1652
1653pcre_malloc = function_store_get;
1654pcre_free = function_dummy_free;
1655
1656/* Ensure there is a big buffer for temporary use in several places. It is put
1657in malloc store so that it can be freed for enlargement if necessary. */
1658
1659big_buffer = store_malloc(big_buffer_size);
1660
1661/* Set up the handler for the data request signal, and set the initial
1662descriptive text. */
1663
1664set_process_info("initializing");
1665os_restarting_signal(SIGUSR1, usr1_handler);
1666
830832c9
HSHR
1667/* If running in a dockerized environment, the TERM signal is only
1668delegated to the PID 1 if we request it by setting an signal handler */
1669if (getpid() == 1) signal(SIGTERM, term_handler);
1670
059ec3d9
PH
1671/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1672in the daemon code. For the rest of Exim's uses, we ignore it. */
1673
1674signal(SIGHUP, SIG_IGN);
1675
1676/* We don't want to die on pipe errors as the code is written to handle
1677the write error instead. */
1678
1679signal(SIGPIPE, SIG_IGN);
1680
1681/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1682set to SIG_IGN. This causes subprocesses that complete before the parent
1683process waits for them not to hang around, so when Exim calls wait(), nothing
1684is there. The wait() code has been made robust against this, but let's ensure
1685that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1686ending status. We use sigaction rather than plain signal() on those OS where
1687SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1688problem on AIX with this.) */
1689
1690#ifdef SA_NOCLDWAIT
1691 {
1692 struct sigaction act;
1693 act.sa_handler = SIG_DFL;
1694 sigemptyset(&(act.sa_mask));
1695 act.sa_flags = 0;
1696 sigaction(SIGCHLD, &act, NULL);
1697 }
1698#else
1699signal(SIGCHLD, SIG_DFL);
1700#endif
1701
1702/* Save the arguments for use if we re-exec exim as a daemon after receiving
1703SIGHUP. */
1704
1705sighup_argv = argv;
1706
1707/* Set up the version number. Set up the leading 'E' for the external form of
1708message ids, set the pointer to the internal form, and initialize it to
1709indicate no message being processed. */
1710
1711version_init();
1712message_id_option[0] = '-';
1713message_id_external = message_id_option + 1;
1714message_id_external[0] = 'E';
1715message_id = message_id_external + 1;
1716message_id[0] = 0;
1717
67d175de 1718/* Set the umask to zero so that any files Exim creates using open() are
2632889e
PH
1719created with the modes that it specifies. NOTE: Files created with fopen() have
1720a problem, which was not recognized till rather late (February 2006). With this
1721umask, such files will be world writeable. (They are all content scanning files
1722in the spool directory, which isn't world-accessible, so this is not a
1723disaster, but it's untidy.) I don't want to change this overall setting,
1724however, because it will interact badly with the open() calls. Instead, there's
1725now a function called modefopen() that fiddles with the umask while calling
1726fopen(). */
059ec3d9 1727
67d175de 1728(void)umask(0);
059ec3d9
PH
1729
1730/* Precompile the regular expression for matching a message id. Keep this in
1731step with the code that generates ids in the accept.c module. We need to do
1732this here, because the -M options check their arguments for syntactic validity
1733using mac_ismsgid, which uses this. */
1734
1735regex_ismsgid =
1736 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1737
a5bd321b 1738/* Precompile the regular expression that is used for matching an SMTP error
d6a96edc
PH
1739code, possibly extended, at the start of an error message. Note that the
1740terminating whitespace character is included. */
a5bd321b
PH
1741
1742regex_smtp_code =
1743 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1744 FALSE, TRUE);
1745
a7cbbf50
PP
1746#ifdef WHITELIST_D_MACROS
1747/* Precompile the regular expression used to filter the content of macros
1748given to -D for permissibility. */
1749
1750regex_whitelisted_macro =
1751 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1752#endif
1753
f38917cc
JH
1754for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1755
059ec3d9
PH
1756/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1757this seems to be a generally accepted convention, since one finds symbolic
1758links called "mailq" in standard OS configurations. */
1759
1760if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1761 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1762 {
1763 list_queue = TRUE;
1764 receiving_message = FALSE;
1765 called_as = US"-mailq";
1766 }
1767
1768/* If the program is called as "rmail" treat it as equivalent to
1769"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1770i.e. preventing a single dot on a line from terminating the message, and
1771returning with zero return code, even in cases of error (provided an error
1772message has been sent). */
1773
1774if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1775 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1776 {
8768d548 1777 f.dot_ends = FALSE;
059ec3d9
PH
1778 called_as = US"-rmail";
1779 errors_sender_rc = EXIT_SUCCESS;
1780 }
1781
1782/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1783this is a smail convention. */
1784
1785if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1786 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1787 {
1788 smtp_input = smtp_batched_input = TRUE;
1789 called_as = US"-rsmtp";
1790 }
1791
1792/* If the program is called as "runq" treat it as equivalent to "exim -q";
1793this is a smail convention. */
1794
1795if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1796 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1797 {
1798 queue_interval = 0;
1799 receiving_message = FALSE;
1800 called_as = US"-runq";
1801 }
1802
1803/* If the program is called as "newaliases" treat it as equivalent to
1804"exim -bi"; this is a sendmail convention. */
1805
1806if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1807 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1808 {
1809 bi_option = TRUE;
1810 receiving_message = FALSE;
1811 called_as = US"-newaliases";
1812 }
1813
1814/* Save the original effective uid for a couple of uses later. It should
1815normally be root, but in some esoteric environments it may not be. */
1816
1817original_euid = geteuid();
3b7ac02c 1818original_egid = getegid();
059ec3d9
PH
1819
1820/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1821to be the same as the real ones. This makes a difference only if Exim is setuid
1822(or setgid) to something other than root, which could be the case in some
1823special configurations. */
1824
1825real_uid = getuid();
1826real_gid = getgid();
1827
1828if (real_uid == root_uid)
1829 {
9af3c549
JH
1830 if ((rv = setgid(real_gid)))
1831 exim_fail("exim: setgid(%ld) failed: %s\n",
1670ef10 1832 (long int)real_gid, strerror(errno));
9af3c549
JH
1833 if ((rv = setuid(real_uid)))
1834 exim_fail("exim: setuid(%ld) failed: %s\n",
1670ef10 1835 (long int)real_uid, strerror(errno));
059ec3d9
PH
1836 }
1837
1838/* If neither the original real uid nor the original euid was root, Exim is
1839running in an unprivileged state. */
1840
1841unprivileged = (real_uid != root_uid && original_euid != root_uid);
1842
059ec3d9
PH
1843/* Scan the program's arguments. Some can be dealt with right away; others are
1844simply recorded for checking and handling afterwards. Do a high-level switch
1845on the second character (the one after '-'), to save some effort. */
1846
1847for (i = 1; i < argc; i++)
1848 {
1849 BOOL badarg = FALSE;
1850 uschar *arg = argv[i];
1851 uschar *argrest;
1852 int switchchar;
1853
1854 /* An argument not starting with '-' is the start of a recipients list;
1855 break out of the options-scanning loop. */
1856
1857 if (arg[0] != '-')
1858 {
1859 recipients_arg = i;
1860 break;
1861 }
1862
4c04137d 1863 /* An option consisting of -- terminates the options */
059ec3d9
PH
1864
1865 if (Ustrcmp(arg, "--") == 0)
1866 {
1867 recipients_arg = i + 1;
1868 break;
1869 }
1870
1871 /* Handle flagged options */
1872
1873 switchchar = arg[1];
1874 argrest = arg+2;
1875
1876 /* Make all -ex options synonymous with -oex arguments, since that
1877 is assumed by various callers. Also make -qR options synonymous with -R
1878 options, as that seems to be required as well. Allow for -qqR too, and
1879 the same for -S options. */
1880
1881 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1882 Ustrncmp(arg+1, "qR", 2) == 0 ||
1883 Ustrncmp(arg+1, "qS", 2) == 0)
1884 {
1885 switchchar = arg[2];
1886 argrest++;
1887 }
1888 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1889 {
1890 switchchar = arg[3];
1891 argrest += 2;
8768d548 1892 f.queue_2stage = TRUE;
059ec3d9
PH
1893 }
1894
1895 /* Make -r synonymous with -f, since it is a documented alias */
1896
1897 else if (arg[1] == 'r') switchchar = 'f';
1898
1899 /* Make -ov synonymous with -v */
1900
1901 else if (Ustrcmp(arg, "-ov") == 0)
1902 {
1903 switchchar = 'v';
1904 argrest++;
1905 }
1906
4b2241d2
PP
1907 /* deal with --option_aliases */
1908 else if (switchchar == '-')
1909 {
1910 if (Ustrcmp(argrest, "help") == 0)
1911 {
1912 usage_wanted = TRUE;
1913 break;
1914 }
1915 else if (Ustrcmp(argrest, "version") == 0)
1916 {
1917 switchchar = 'b';
73a46702 1918 argrest = US"V";
4b2241d2
PP
1919 }
1920 }
1921
059ec3d9
PH
1922 /* High-level switch on active initial letter */
1923
1924 switch(switchchar)
1925 {
a3fb9793
PP
1926
1927 /* sendmail uses -Ac and -Am to control which .cf file is used;
1928 we ignore them. */
1929 case 'A':
1930 if (*argrest == '\0') { badarg = TRUE; break; }
1931 else
1932 {
1933 BOOL ignore = FALSE;
1934 switch (*argrest)
1935 {
1936 case 'c':
1937 case 'm':
1938 if (*(argrest + 1) == '\0')
1939 ignore = TRUE;
1940 break;
1941 }
1942 if (!ignore) { badarg = TRUE; break; }
1943 }
1944 break;
1945
059ec3d9
PH
1946 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1947 so has no need of it. */
1948
1949 case 'B':
1950 if (*argrest == 0) i++; /* Skip over the type */
1951 break;
1952
1953
1954 case 'b':
1955 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1956
1957 /* -bd: Run in daemon mode, awaiting SMTP connections.
1958 -bdf: Ditto, but in the foreground.
1959 */
1960
1961 if (*argrest == 'd')
1962 {
8768d548
JH
1963 f.daemon_listen = TRUE;
1964 if (*(++argrest) == 'f') f.background_daemon = FALSE;
059ec3d9
PH
1965 else if (*argrest != 0) { badarg = TRUE; break; }
1966 }
1967
328895cc
PH
1968 /* -be: Run in expansion test mode
1969 -bem: Ditto, but read a message from a file first
1970 */
059ec3d9
PH
1971
1972 else if (*argrest == 'e')
328895cc 1973 {
059ec3d9 1974 expansion_test = checking = TRUE;
328895cc
PH
1975 if (argrest[1] == 'm')
1976 {
1977 if (++i >= argc) { badarg = TRUE; break; }
1978 expansion_test_message = argv[i];
1979 argrest++;
1980 }
1981 if (argrest[1] != 0) { badarg = TRUE; break; }
1982 }
059ec3d9 1983
f05da2e8
PH
1984 /* -bF: Run system filter test */
1985
1986 else if (*argrest == 'F')
1987 {
34e86e20 1988 filter_test |= checking = FTEST_SYSTEM;
f05da2e8
PH
1989 if (*(++argrest) != 0) { badarg = TRUE; break; }
1990 if (++i < argc) filter_test_sfile = argv[i]; else
9af3c549 1991 exim_fail("exim: file name expected after %s\n", argv[i-1]);
f05da2e8
PH
1992 }
1993
1994 /* -bf: Run user filter test
059ec3d9
PH
1995 -bfd: Set domain for filter testing
1996 -bfl: Set local part for filter testing
1997 -bfp: Set prefix for filter testing
1998 -bfs: Set suffix for filter testing
1999 */
2000
f05da2e8 2001 else if (*argrest == 'f')
059ec3d9 2002 {
f05da2e8 2003 if (*(++argrest) == 0)
059ec3d9 2004 {
34e86e20 2005 filter_test |= checking = FTEST_USER;
f05da2e8 2006 if (++i < argc) filter_test_ufile = argv[i]; else
9af3c549 2007 exim_fail("exim: file name expected after %s\n", argv[i-1]);
059ec3d9
PH
2008 }
2009 else
2010 {
2011 if (++i >= argc)
9af3c549 2012 exim_fail("exim: string expected after %s\n", arg);
059ec3d9
PH
2013 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2014 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2015 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2016 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2017 else { badarg = TRUE; break; }
2018 }
2019 }
2020
2021 /* -bh: Host checking - an IP address must follow. */
2022
2023 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2024 {
2025 if (++i >= argc) { badarg = TRUE; break; }
2026 sender_host_address = argv[i];
8768d548
JH
2027 host_checking = checking = f.log_testing_mode = TRUE;
2028 f.host_checking_callout = argrest[1] == 'c';
1a6230a3 2029 message_logs = FALSE;
059ec3d9
PH
2030 }
2031
2032 /* -bi: This option is used by sendmail to initialize *the* alias file,
2033 though it has the -oA option to specify a different file. Exim has no
2034 concept of *the* alias file, but since Sun's YP make script calls
2035 sendmail this way, some support must be provided. */
2036
2037 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2038
98a90c36
PP
2039 /* -bI: provide information, of the type to follow after a colon.
2040 This is an Exim flag. */
2041
2042 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2043 {
2044 uschar *p = &argrest[2];
2045 info_flag = CMDINFO_HELP;
2046 if (Ustrlen(p))
2047 {
2048 if (strcmpic(p, CUS"sieve") == 0)
2049 {
2050 info_flag = CMDINFO_SIEVE;
2051 info_stdout = TRUE;
2052 }
36a3ae5f
PP
2053 else if (strcmpic(p, CUS"dscp") == 0)
2054 {
2055 info_flag = CMDINFO_DSCP;
2056 info_stdout = TRUE;
2057 }
98a90c36
PP
2058 else if (strcmpic(p, CUS"help") == 0)
2059 {
2060 info_stdout = TRUE;
2061 }
2062 }
2063 }
2064
059ec3d9
PH
2065 /* -bm: Accept and deliver message - the default option. Reinstate
2066 receiving_message, which got turned off for all -b options. */
2067
2068 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2069
8544e77a
PP
2070 /* -bmalware: test the filename given for malware */
2071
2072 else if (Ustrcmp(argrest, "malware") == 0)
2073 {
2074 if (++i >= argc) { badarg = TRUE; break; }
34e86e20 2075 checking = TRUE;
8544e77a
PP
2076 malware_test_file = argv[i];
2077 }
2078
059ec3d9
PH
2079 /* -bnq: For locally originating messages, do not qualify unqualified
2080 addresses. In the envelope, this causes errors; in header lines they
2081 just get left. */
2082
2083 else if (Ustrcmp(argrest, "nq") == 0)
2084 {
8768d548
JH
2085 f.allow_unqualified_sender = FALSE;
2086 f.allow_unqualified_recipient = FALSE;
059ec3d9
PH
2087 }
2088
2089 /* -bpxx: List the contents of the mail queue, in various forms. If
2090 the option is -bpc, just a queue count is needed. Otherwise, if the
2091 first letter after p is r, then order is random. */
2092
2093 else if (*argrest == 'p')
2094 {
2095 if (*(++argrest) == 'c')
2096 {
2097 count_queue = TRUE;
2098 if (*(++argrest) != 0) badarg = TRUE;
2099 break;
2100 }
2101
2102 if (*argrest == 'r')
2103 {
2104 list_queue_option = 8;
2105 argrest++;
2106 }
2107 else list_queue_option = 0;
2108
2109 list_queue = TRUE;
2110
2111 /* -bp: List the contents of the mail queue, top-level only */
2112
2113 if (*argrest == 0) {}
2114
2115 /* -bpu: List the contents of the mail queue, top-level undelivered */
2116
2117 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2118
2119 /* -bpa: List the contents of the mail queue, including all delivered */
2120
2121 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2122
2123 /* Unknown after -bp[r] */
2124
2125 else
2126 {
2127 badarg = TRUE;
2128 break;
2129 }
2130 }
2131
2132
2133 /* -bP: List the configuration variables given as the address list.
2134 Force -v, so configuration errors get displayed. */
2135
2136 else if (Ustrcmp(argrest, "P") == 0)
2137 {
bf3c2c6b
HSHR
2138 /* -bP config: we need to setup here, because later,
2139 * when list_options is checked, the config is read already */
2140 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2141 {
2142 list_config = TRUE;
2143 readconf_save_config(version_string);
2144 }
2145 else
2146 {
2147 list_options = TRUE;
2148 debug_selector |= D_v;
2149 debug_file = stderr;
2150 }
059ec3d9
PH
2151 }
2152
2153 /* -brt: Test retry configuration lookup */
2154
2155 else if (Ustrcmp(argrest, "rt") == 0)
2156 {
34e86e20 2157 checking = TRUE;
059ec3d9
PH
2158 test_retry_arg = i + 1;
2159 goto END_ARG;
2160 }
2161
2162 /* -brw: Test rewrite configuration */
2163
2164 else if (Ustrcmp(argrest, "rw") == 0)
2165 {
34e86e20 2166 checking = TRUE;
059ec3d9
PH
2167 test_rewrite_arg = i + 1;
2168 goto END_ARG;
2169 }
2170
2171 /* -bS: Read SMTP commands on standard input, but produce no replies -
2172 all errors are reported by sending messages. */
2173
2174 else if (Ustrcmp(argrest, "S") == 0)
2175 smtp_input = smtp_batched_input = receiving_message = TRUE;
2176
2177 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2178 on standard output. */
2179
2180 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2181
2182 /* -bt: address testing mode */
2183
2184 else if (Ustrcmp(argrest, "t") == 0)
8768d548 2185 f.address_test_mode = checking = f.log_testing_mode = TRUE;
059ec3d9
PH
2186
2187 /* -bv: verify addresses */
2188
2189 else if (Ustrcmp(argrest, "v") == 0)
8768d548 2190 verify_address_mode = checking = f.log_testing_mode = TRUE;
059ec3d9
PH
2191
2192 /* -bvs: verify sender addresses */
2193
2194 else if (Ustrcmp(argrest, "vs") == 0)
2195 {
8768d548 2196 verify_address_mode = checking = f.log_testing_mode = TRUE;
059ec3d9
PH
2197 verify_as_sender = TRUE;
2198 }
2199
2200 /* -bV: Print version string and support details */
2201
2202 else if (Ustrcmp(argrest, "V") == 0)
2203 {
2204 printf("Exim version %s #%s built %s\n", version_string,
2205 version_cnumber, version_date);
2206 printf("%s\n", CS version_copyright);
2207 version_printed = TRUE;
2208 show_whats_supported(stdout);
8768d548 2209 f.log_testing_mode = TRUE;
059ec3d9
PH
2210 }
2211
9ee44efb
PP
2212 /* -bw: inetd wait mode, accept a listening socket as stdin */
2213
2214 else if (*argrest == 'w')
2215 {
8768d548
JH
2216 f.inetd_wait_mode = TRUE;
2217 f.background_daemon = FALSE;
2218 f.daemon_listen = TRUE;
9ee44efb 2219 if (*(++argrest) != '\0')
9af3c549
JH
2220 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2221 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
9ee44efb
PP
2222 }
2223
059ec3d9
PH
2224 else badarg = TRUE;
2225 break;
2226
2227
2228 /* -C: change configuration file list; ignore if it isn't really
2229 a change! Enforce a prefix check if required. */
2230
2231 case 'C':
2232 if (*argrest == 0)
2233 {
2234 if(++i < argc) argrest = argv[i]; else
2235 { badarg = TRUE; break; }
2236 }
2237 if (Ustrcmp(config_main_filelist, argrest) != 0)
2238 {
2239 #ifdef ALT_CONFIG_PREFIX
2240 int sep = 0;
2241 int len = Ustrlen(ALT_CONFIG_PREFIX);
863bd541 2242 const uschar *list = argrest;
059ec3d9
PH
2243 uschar *filename;
2244 while((filename = string_nextinlist(&list, &sep, big_buffer,
2245 big_buffer_size)) != NULL)
2246 {
2247 if ((Ustrlen(filename) < len ||
2248 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2249 Ustrstr(filename, "/../") != NULL) &&
2250 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
9af3c549 2251 exim_fail("-C Permission denied\n");
059ec3d9
PH
2252 }
2253 #endif
261dc43e
DW
2254 if (real_uid != root_uid)
2255 {
90b6341f 2256 #ifdef TRUSTED_CONFIG_LIST
261dc43e 2257
90b6341f
DW
2258 if (real_uid != exim_uid
2259 #ifdef CONFIGURE_OWNER
2260 && real_uid != config_uid
2261 #endif
2262 )
8768d548 2263 f.trusted_config = FALSE;
261dc43e
DW
2264 else
2265 {
90b6341f 2266 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
261dc43e
DW
2267 if (trust_list)
2268 {
2269 struct stat statbuf;
2270
2271 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2272 (statbuf.st_uid != root_uid /* owner not root */
2273 #ifdef CONFIGURE_OWNER
2274 && statbuf.st_uid != config_uid /* owner not the special one */
2275 #endif
2276 ) || /* or */
2277 (statbuf.st_gid != root_gid /* group not root */
2278 #ifdef CONFIGURE_GROUP
2279 && statbuf.st_gid != config_gid /* group not the special one */
2280 #endif
2281 && (statbuf.st_mode & 020) != 0 /* group writeable */
2282 ) || /* or */
2283 (statbuf.st_mode & 2) != 0) /* world writeable */
2284 {
8768d548 2285 f.trusted_config = FALSE;
261dc43e
DW
2286 fclose(trust_list);
2287 }
2288 else
2289 {
2290 /* Well, the trust list at least is up to scratch... */
2291 void *reset_point = store_get(0);
90b6341f
DW
2292 uschar *trusted_configs[32];
2293 int nr_configs = 0;
261dc43e
DW
2294 int i = 0;
2295
2296 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2297 {
2298 uschar *start = big_buffer, *nl;
2299 while (*start && isspace(*start))
2300 start++;
1e83d68b 2301 if (*start != '/')
261dc43e
DW
2302 continue;
2303 nl = Ustrchr(start, '\n');
2304 if (nl)
2305 *nl = 0;
90b6341f
DW
2306 trusted_configs[nr_configs++] = string_copy(start);
2307 if (nr_configs == 32)
261dc43e
DW
2308 break;
2309 }
2310 fclose(trust_list);
2311
90b6341f 2312 if (nr_configs)
261dc43e
DW
2313 {
2314 int sep = 0;
55414b25 2315 const uschar *list = argrest;
261dc43e 2316 uschar *filename;
8768d548 2317 while (f.trusted_config && (filename = string_nextinlist(&list,
261dc43e
DW
2318 &sep, big_buffer, big_buffer_size)) != NULL)
2319 {
90b6341f 2320 for (i=0; i < nr_configs; i++)
261dc43e 2321 {
90b6341f 2322 if (Ustrcmp(filename, trusted_configs[i]) == 0)
261dc43e
DW
2323 break;
2324 }
90b6341f 2325 if (i == nr_configs)
261dc43e 2326 {
8768d548 2327 f.trusted_config = FALSE;
261dc43e
DW
2328 break;
2329 }
2330 }
1e83d68b 2331 store_reset(reset_point);
261dc43e
DW
2332 }
2333 else
2334 {
2335 /* No valid prefixes found in trust_list file. */
8768d548 2336 f.trusted_config = FALSE;
261dc43e
DW
2337 }
2338 }
2339 }
2340 else
2341 {
2342 /* Could not open trust_list file. */
8768d548 2343 f.trusted_config = FALSE;
261dc43e
DW
2344 }
2345 }
2346 #else
2347 /* Not root; don't trust config */
8768d548 2348 f.trusted_config = FALSE;
261dc43e
DW
2349 #endif
2350 }
059ec3d9
PH
2351
2352 config_main_filelist = argrest;
8768d548 2353 f.config_changed = TRUE;
059ec3d9
PH
2354 }
2355 break;
2356
2357
2358 /* -D: set up a macro definition */
2359
2360 case 'D':
9af3c549
JH
2361#ifdef DISABLE_D_OPTION
2362 exim_fail("exim: -D is not available in this Exim binary\n");
2363#else
059ec3d9
PH
2364 {
2365 int ptr = 0;
059ec3d9
PH
2366 macro_item *m;
2367 uschar name[24];
2368 uschar *s = argrest;
2369
4ab69ec7 2370 opt_D_used = TRUE;
059ec3d9
PH
2371 while (isspace(*s)) s++;
2372
2373 if (*s < 'A' || *s > 'Z')
9af3c549 2374 exim_fail("exim: macro name set by -D must start with "
059ec3d9 2375 "an upper case letter\n");
059ec3d9
PH
2376
2377 while (isalnum(*s) || *s == '_')
2378 {
2379 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2380 s++;
2381 }
2382 name[ptr] = 0;
2383 if (ptr == 0) { badarg = TRUE; break; }
2384 while (isspace(*s)) s++;
2385 if (*s != 0)
2386 {
2387 if (*s++ != '=') { badarg = TRUE; break; }
2388 while (isspace(*s)) s++;
2389 }
2390
85e03244 2391 for (m = macros_user; m; m = m->next)
1a7c9a48 2392 if (Ustrcmp(m->name, name) == 0)
9af3c549 2393 exim_fail("exim: duplicated -D in command line\n");
059ec3d9 2394
85e03244 2395 m = macro_create(name, s, TRUE);
059ec3d9
PH
2396
2397 if (clmacro_count >= MAX_CLMACROS)
9af3c549 2398 exim_fail("exim: too many -D options on command line\n");
1a7c9a48
JH
2399 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2400 m->replacement);
059ec3d9
PH
2401 }
2402 #endif
2403 break;
2404
2405 /* -d: Set debug level (see also -v below) or set the drop_cr option.
8e669ac1 2406 The latter is now a no-op, retained for compatibility only. If -dd is used,
3d235903 2407 debugging subprocesses of the daemon is disabled. */
059ec3d9
PH
2408
2409 case 'd':
2410 if (Ustrcmp(argrest, "ropcr") == 0)
2411 {
2412 /* drop_cr = TRUE; */
2413 }
2414
2415 /* Use an intermediate variable so that we don't set debugging while
2416 decoding the debugging bits. */
2417
2418 else
2419 {
2420 unsigned int selector = D_default;
2421 debug_selector = 0;
2422 debug_file = NULL;
3d235903
PH
2423 if (*argrest == 'd')
2424 {
8768d548 2425 f.debug_daemon = TRUE;
3d235903
PH
2426 argrest++;
2427 }
059ec3d9 2428 if (*argrest != 0)
6c6d6e48
TF
2429 decode_bits(&selector, 1, debug_notall, argrest,
2430 debug_options, debug_options_count, US"debug", 0);
059ec3d9
PH
2431 debug_selector = selector;
2432 }
2433 break;
2434
2435
2436 /* -E: This is a local error message. This option is not intended for
2437 external use at all, but is not restricted to trusted callers because it
2438 does no harm (just suppresses certain error messages) and if Exim is run
2439 not setuid root it won't always be trusted when it generates error
2440 messages using this option. If there is a message id following -E, point
2441 message_reference at it, for logging. */
2442
2443 case 'E':
8768d548 2444 f.local_error_message = TRUE;
059ec3d9
PH
2445 if (mac_ismsgid(argrest)) message_reference = argrest;
2446 break;
2447
2448
2449 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2450 option, so it looks as if historically the -oex options are also callable
2451 without the leading -o. So we have to accept them. Before the switch,
2452 anything starting -oe has been converted to -e. Exim does not support all
2453 of the sendmail error options. */
2454
2455 case 'e':
2456 if (Ustrcmp(argrest, "e") == 0)
2457 {
2458 arg_error_handling = ERRORS_SENDER;
2459 errors_sender_rc = EXIT_SUCCESS;
2460 }
2461 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2462 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2463 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2464 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2465 else badarg = TRUE;
2466 break;
2467
2468
2469 /* -F: Set sender's full name, used instead of the gecos entry from
2470 the password file. Since users can usually alter their gecos entries,
2471 there's no security involved in using this instead. The data can follow
2472 the -F or be in the next argument. */
2473
2474 case 'F':
2475 if (*argrest == 0)
2476 {
2477 if(++i < argc) argrest = argv[i]; else
2478 { badarg = TRUE; break; }
2479 }
2480 originator_name = argrest;
8768d548 2481 f.sender_name_forced = TRUE;
059ec3d9
PH
2482 break;
2483
2484
2485 /* -f: Set sender's address - this value is only actually used if Exim is
2486 run by a trusted user, or if untrusted_set_sender is set and matches the
2487 address, except that the null address can always be set by any user. The
2488 test for this happens later, when the value given here is ignored when not
2489 permitted. For an untrusted user, the actual sender is still put in Sender:
2490 if it doesn't match the From: header (unless no_local_from_check is set).
2491 The data can follow the -f or be in the next argument. The -r switch is an
2492 obsolete form of -f but since there appear to be programs out there that
2493 use anything that sendmail has ever supported, better accept it - the
2494 synonymizing is done before the switch above.
2495
2496 At this stage, we must allow domain literal addresses, because we don't
2497 know what the setting of allow_domain_literals is yet. Ditto for trailing
2498 dots and strip_trailing_dot. */
2499
2500 case 'f':
2501 {
250b6871 2502 int dummy_start, dummy_end;
059ec3d9
PH
2503 uschar *errmess;
2504 if (*argrest == 0)
2505 {
2506 if (i+1 < argc) argrest = argv[++i]; else
2507 { badarg = TRUE; break; }
2508 }
2509 if (*argrest == 0)
059ec3d9 2510 sender_address = string_sprintf(""); /* Ensure writeable memory */
059ec3d9
PH
2511 else
2512 {
2513 uschar *temp = argrest + Ustrlen(argrest) - 1;
2514 while (temp >= argrest && isspace(*temp)) temp--;
2515 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2516 allow_domain_literals = TRUE;
2517 strip_trailing_dot = TRUE;
8c5d388a 2518#ifdef SUPPORT_I18N
250b6871
JH
2519 allow_utf8_domains = TRUE;
2520#endif
2521 sender_address = parse_extract_address(argrest, &errmess,
2522 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
8c5d388a 2523#ifdef SUPPORT_I18N
250b6871
JH
2524 message_smtputf8 = string_is_utf8(sender_address);
2525 allow_utf8_domains = FALSE;
2526#endif
059ec3d9
PH
2527 allow_domain_literals = FALSE;
2528 strip_trailing_dot = FALSE;
9af3c549
JH
2529 if (!sender_address)
2530 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
059ec3d9 2531 }
8768d548 2532 f.sender_address_forced = TRUE;
059ec3d9
PH
2533 }
2534 break;
2535
a3fb9793 2536 /* -G: sendmail invocation to specify that it's a gateway submission and
f4ee74ac
PP
2537 sendmail may complain about problems instead of fixing them.
2538 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2539 not at this time complain about problems. */
059ec3d9
PH
2540
2541 case 'G':
f4ee74ac 2542 flag_G = TRUE;
059ec3d9
PH
2543 break;
2544
2545 /* -h: Set the hop count for an incoming message. Exim does not currently
2546 support this; it always computes it by counting the Received: headers.
2547 To put it in will require a change to the spool header file format. */
2548
2549 case 'h':
2550 if (*argrest == 0)
2551 {
2552 if(++i < argc) argrest = argv[i]; else
2553 { badarg = TRUE; break; }
2554 }
2555 if (!isdigit(*argrest)) badarg = TRUE;
2556 break;
2557
2558
2559 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2560 not to be documented for sendmail but mailx (at least) uses it) */
2561
2562 case 'i':
8768d548 2563 if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
059ec3d9
PH
2564 break;
2565
2566
a3fb9793
PP
2567 /* -L: set the identifier used for syslog; equivalent to setting
2568 syslog_processname in the config file, but needs to be an admin option. */
2569
2570 case 'L':
2571 if (*argrest == '\0')
2572 {
2573 if(++i < argc) argrest = argv[i]; else
2574 { badarg = TRUE; break; }
2575 }
9af3c549
JH
2576 if ((sz = Ustrlen(argrest)) > 32)
2577 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
a3fb9793 2578 if (sz < 1)
9af3c549 2579 exim_fail("exim: the -L syslog name is too short\n");
a3fb9793
PP
2580 cmdline_syslog_name = argrest;
2581 break;
2582
059ec3d9
PH
2583 case 'M':
2584 receiving_message = FALSE;
2585
2586 /* -MC: continue delivery of another message via an existing open
2587 file descriptor. This option is used for an internal call by the
2588 smtp transport when there is a pending message waiting to go to an
2589 address to which it has got a connection. Five subsequent arguments are
2590 required: transport name, host name, IP address, sequence number, and
2591 message_id. Transports may decline to create new processes if the sequence
2592 number gets too big. The channel is stdin. This (-MC) must be the last
2593 argument. There's a subsequent check that the real-uid is privileged.
2594
2595 If we are running in the test harness. delay for a bit, to let the process
2596 that set this one up complete. This makes for repeatability of the logging,
2597 etc. output. */
2598
2599 if (Ustrcmp(argrest, "C") == 0)
2600 {
41c7c167
PH
2601 union sockaddr_46 interface_sock;
2602 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2603
059ec3d9 2604 if (argc != i + 6)
9af3c549 2605 exim_fail("exim: too many or too few arguments after -MC\n");
059ec3d9
PH
2606
2607 if (msg_action_arg >= 0)
9af3c549 2608 exim_fail("exim: incompatible arguments\n");
059ec3d9
PH
2609
2610 continue_transport = argv[++i];
2611 continue_hostname = argv[++i];
2612 continue_host_address = argv[++i];
2613 continue_sequence = Uatoi(argv[++i]);
2614 msg_action = MSG_DELIVER;
2615 msg_action_arg = ++i;
2616 forced_delivery = TRUE;
2617 queue_run_pid = passed_qr_pid;
2618 queue_run_pipe = passed_qr_pipe;
2619
2620 if (!mac_ismsgid(argv[i]))
9af3c549 2621 exim_fail("exim: malformed message id %s after -MC option\n",
059ec3d9 2622 argv[i]);
059ec3d9 2623
875512a3
JH
2624 /* Set up $sending_ip_address and $sending_port, unless proxied */
2625
5013d912 2626 if (!continue_proxy_cipher)
875512a3
JH
2627 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2628 &size) == 0)
2629 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2630 &sending_port);
2631 else
9af3c549 2632 exim_fail("exim: getsockname() failed after -MC option: %s\n",
875512a3 2633 strerror(errno));
41c7c167 2634
8768d548 2635 if (f.running_in_test_harness) millisleep(500);
059ec3d9
PH
2636 break;
2637 }
2638
2d14f397
JH
2639 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2640 {
875512a3 2641 switch(argrest[1])
2d14f397 2642 {
059ec3d9
PH
2643 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2644 precedes -MC (see above). The flag indicates that the host to which
2645 Exim is connected has accepted an AUTH sequence. */
2646
8768d548 2647 case 'A': f.smtp_authenticated = TRUE; break;
059ec3d9 2648
6c1c3d1d
WB
2649 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2650 that exim is connected to supports the esmtp extension DSN */
28b3821f 2651
14de8063 2652 case 'D': smtp_peer_options |= OPTION_DSN; break;
6c1c3d1d 2653
e37f8a84 2654 /* -MCG: set the queue name, to a non-default value */
28b3821f 2655
2d14f397
JH
2656 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2657 else badarg = TRUE;
2658 break;
2659
2660 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2661
14de8063 2662 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
28b3821f 2663
059ec3d9
PH
2664 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2665 it preceded -MC (see above) */
2666
14de8063 2667 case 'P': smtp_peer_options |= OPTION_PIPE; break;
059ec3d9
PH
2668
2669 /* -MCQ: pass on the pid of the queue-running process that started
2670 this chain of deliveries and the fd of its synchronizing pipe; this
2671 is useful only when it precedes -MC (see above) */
2672
2d14f397
JH
2673 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2674 else badarg = TRUE;
2675 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2676 else badarg = TRUE;
2677 break;
059ec3d9
PH
2678
2679 /* -MCS: set the smtp_use_size flag; this is useful only when it
2680 precedes -MC (see above) */
2681
14de8063 2682 case 'S': smtp_peer_options |= OPTION_SIZE; break;
059ec3d9 2683
2d14f397 2684#ifdef SUPPORT_TLS
875512a3 2685 /* -MCt: similar to -MCT below but the connection is still open
aded2255 2686 via a proxy process which handles the TLS context and coding.
5013d912
JH
2687 Require three arguments for the proxied local address and port,
2688 and the TLS cipher. */
875512a3 2689
5013d912 2690 case 't': if (++i < argc) sending_ip_address = argv[i];
875512a3
JH
2691 else badarg = TRUE;
2692 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2693 else badarg = TRUE;
5013d912
JH
2694 if (++i < argc) continue_proxy_cipher = argv[i];
2695 else badarg = TRUE;
875512a3
JH
2696 /*FALLTHROUGH*/
2697
059ec3d9
PH
2698 /* -MCT: set the tls_offered flag; this is useful only when it
2699 precedes -MC (see above). The flag indicates that the host to which
2700 Exim is connected has offered TLS support. */
2701
14de8063 2702 case 'T': smtp_peer_options |= OPTION_TLS; break;
2d14f397
JH
2703#endif
2704
2705 default: badarg = TRUE; break;
2706 }
8ac90765
JH
2707 break;
2708 }
2709
059ec3d9
PH
2710 /* -M[x]: various operations on the following list of message ids:
2711 -M deliver the messages, ignoring next retry times and thawing
2712 -Mc deliver the messages, checking next retry times, no thawing
2713 -Mf freeze the messages
2714 -Mg give up on the messages
2715 -Mt thaw the messages
2716 -Mrm remove the messages
2717 In the above cases, this must be the last option. There are also the
2718 following options which are followed by a single message id, and which
2719 act on that message. Some of them use the "recipient" addresses as well.
2720 -Mar add recipient(s)
2721 -Mmad mark all recipients delivered
2722 -Mmd mark recipients(s) delivered
2723 -Mes edit sender
0ef732d9 2724 -Mset load a message for use with -be
059ec3d9 2725 -Mvb show body
a96603a0 2726 -Mvc show copy (of whole message, in RFC 2822 format)
059ec3d9
PH
2727 -Mvh show header
2728 -Mvl show log
2729 */
2730
2731 else if (*argrest == 0)
2732 {
2733 msg_action = MSG_DELIVER;
8768d548 2734 forced_delivery = f.deliver_force_thaw = TRUE;
059ec3d9
PH
2735 }
2736 else if (Ustrcmp(argrest, "ar") == 0)
2737 {
2738 msg_action = MSG_ADD_RECIPIENT;
2739 one_msg_action = TRUE;
2740 }
2741 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2742 else if (Ustrcmp(argrest, "es") == 0)
2743 {
2744 msg_action = MSG_EDIT_SENDER;
2745 one_msg_action = TRUE;
2746 }
2747 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2748 else if (Ustrcmp(argrest, "g") == 0)
2749 {
2750 msg_action = MSG_DELIVER;
2751 deliver_give_up = TRUE;
2752 }
2753 else if (Ustrcmp(argrest, "mad") == 0)
2754 {
2755 msg_action = MSG_MARK_ALL_DELIVERED;
2756 }
2757 else if (Ustrcmp(argrest, "md") == 0)
2758 {
2759 msg_action = MSG_MARK_DELIVERED;
2760 one_msg_action = TRUE;
2761 }
2762 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
0ef732d9
PH
2763 else if (Ustrcmp(argrest, "set") == 0)
2764 {
2765 msg_action = MSG_LOAD;
2766 one_msg_action = TRUE;
2767 }
059ec3d9
PH
2768 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2769 else if (Ustrcmp(argrest, "vb") == 0)
2770 {
2771 msg_action = MSG_SHOW_BODY;
2772 one_msg_action = TRUE;
2773 }
a96603a0
PH
2774 else if (Ustrcmp(argrest, "vc") == 0)
2775 {
2776 msg_action = MSG_SHOW_COPY;
2777 one_msg_action = TRUE;
2778 }
059ec3d9
PH
2779 else if (Ustrcmp(argrest, "vh") == 0)
2780 {
2781 msg_action = MSG_SHOW_HEADER;
2782 one_msg_action = TRUE;
2783 }
2784 else if (Ustrcmp(argrest, "vl") == 0)
2785 {
2786 msg_action = MSG_SHOW_LOG;
2787 one_msg_action = TRUE;
2788 }
2789 else { badarg = TRUE; break; }
2790
2791 /* All the -Mxx options require at least one message id. */
2792
2793 msg_action_arg = i + 1;
2794 if (msg_action_arg >= argc)
9af3c549 2795 exim_fail("exim: no message ids given after %s option\n", arg);
059ec3d9
PH
2796
2797 /* Some require only message ids to follow */
2798
2799 if (!one_msg_action)
2800 {
d7978c0f 2801 for (int j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
9af3c549 2802 exim_fail("exim: malformed message id %s after %s option\n",
059ec3d9 2803 argv[j], arg);
059ec3d9
PH
2804 goto END_ARG; /* Remaining args are ids */
2805 }
2806
2807 /* Others require only one message id, possibly followed by addresses,
2808 which will be handled as normal arguments. */
2809
2810 else
2811 {
2812 if (!mac_ismsgid(argv[msg_action_arg]))
9af3c549 2813 exim_fail("exim: malformed message id %s after %s option\n",
059ec3d9 2814 argv[msg_action_arg], arg);
059ec3d9
PH
2815 i++;
2816 }
2817 break;
2818
2819
2820 /* Some programs seem to call the -om option without the leading o;
2821 for sendmail it askes for "me too". Exim always does this. */
2822
2823 case 'm':
2824 if (*argrest != 0) badarg = TRUE;
2825 break;
2826
2827
2828 /* -N: don't do delivery - a debugging option that stops transports doing
2829 their thing. It implies debugging at the D_v level. */
2830
2831 case 'N':
2832 if (*argrest == 0)
2833 {
8768d548 2834 f.dont_deliver = TRUE;
059ec3d9
PH
2835 debug_selector |= D_v;
2836 debug_file = stderr;
2837 }
2838 else badarg = TRUE;
2839 break;
2840
2841
12f69989
PP
2842 /* -n: This means "don't alias" in sendmail, apparently.
2843 For normal invocations, it has no effect.
2844 It may affect some other options. */
059ec3d9
PH
2845
2846 case 'n':
12f69989 2847 flag_n = TRUE;
059ec3d9
PH
2848 break;
2849
2850 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2851 option to the specified value. This form uses long names. We need to handle
2852 -O option=value and -Ooption=value. */
2853
2854 case 'O':
2855 if (*argrest == 0)
2856 {
2857 if (++i >= argc)
9af3c549 2858 exim_fail("exim: string expected after -O\n");
059ec3d9
PH
2859 }
2860 break;
2861
2862 case 'o':
2863
2864 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2865 file" option). */
2866
2867 if (*argrest == 'A')
2868 {
2869 alias_arg = argrest + 1;
2870 if (alias_arg[0] == 0)
2871 {
2872 if (i+1 < argc) alias_arg = argv[++i]; else
9af3c549 2873 exim_fail("exim: string expected after -oA\n");
059ec3d9
PH
2874 }
2875 }
2876
2877 /* -oB: Set a connection message max value for remote deliveries */
2878
2879 else if (*argrest == 'B')
2880 {
2881 uschar *p = argrest + 1;
2882 if (p[0] == 0)
2883 {
2884 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2885 {
2886 connection_max_messages = 1;
2887 p = NULL;
2888 }
2889 }
2890
2891 if (p != NULL)
2892 {
2893 if (!isdigit(*p))
9af3c549 2894 exim_fail("exim: number expected after -oB\n");
059ec3d9
PH
2895 connection_max_messages = Uatoi(p);
2896 }
2897 }
2898
2899 /* -odb: background delivery */
2900
2901 else if (Ustrcmp(argrest, "db") == 0)
2902 {
8768d548 2903 f.synchronous_delivery = FALSE;
059ec3d9
PH
2904 arg_queue_only = FALSE;
2905 queue_only_set = TRUE;
2906 }
2907
2908 /* -odf: foreground delivery (smail-compatible option); same effect as
2909 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2910 */
2911
2912 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2913 {
8768d548 2914 f.synchronous_delivery = TRUE;
059ec3d9
PH
2915 arg_queue_only = FALSE;
2916 queue_only_set = TRUE;
2917 }
2918
2919 /* -odq: queue only */
2920
2921 else if (Ustrcmp(argrest, "dq") == 0)
2922 {
8768d548 2923 f.synchronous_delivery = FALSE;
059ec3d9
PH
2924 arg_queue_only = TRUE;
2925 queue_only_set = TRUE;
2926 }
2927
2928 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2929 but no remote delivery */
2930
2931 else if (Ustrcmp(argrest, "dqs") == 0)
2932 {
8768d548 2933 f.queue_smtp = TRUE;
059ec3d9
PH
2934 arg_queue_only = FALSE;
2935 queue_only_set = TRUE;
2936 }
2937
2938 /* -oex: Sendmail error flags. As these are also accepted without the
2939 leading -o prefix, for compatibility with vacation and other callers,
2940 they are handled with -e above. */
2941
2942 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2943 -oitrue: Another sendmail syntax for the same */
2944
2945 else if (Ustrcmp(argrest, "i") == 0 ||
2946 Ustrcmp(argrest, "itrue") == 0)
8768d548 2947 f.dot_ends = FALSE;
059ec3d9
PH
2948
2949 /* -oM*: Set various characteristics for an incoming message; actually
2950 acted on for trusted callers only. */
2951
2952 else if (*argrest == 'M')
2953 {
2954 if (i+1 >= argc)
9af3c549 2955 exim_fail("exim: data expected after -o%s\n", argrest);
059ec3d9
PH
2956
2957 /* -oMa: Set sender host address */
2958
2959 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2960
2961 /* -oMaa: Set authenticator name */
2962
2963 else if (Ustrcmp(argrest, "Maa") == 0)
2964 sender_host_authenticated = argv[++i];
2965
2966 /* -oMas: setting authenticated sender */
2967
2968 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2969
2970 /* -oMai: setting authenticated id */
2971
2972 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2973
2974 /* -oMi: Set incoming interface address */
2975
2976 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2977
d2af03f4
HS
2978 /* -oMm: Message reference */
2979
2980 else if (Ustrcmp(argrest, "Mm") == 0)
2981 {
2982 if (!mac_ismsgid(argv[i+1]))
9af3c549 2983 exim_fail("-oMm must be a valid message ID\n");
8768d548 2984 if (!f.trusted_config)
9af3c549 2985 exim_fail("-oMm must be called by a trusted user/config\n");
d2af03f4
HS
2986 message_reference = argv[++i];
2987 }
2988
059ec3d9
PH
2989 /* -oMr: Received protocol */
2990
65e061b7
HSHR
2991 else if (Ustrcmp(argrest, "Mr") == 0)
2992
2993 if (received_protocol)
9af3c549
JH
2994 exim_fail("received_protocol is set already\n");
2995 else
2996 received_protocol = argv[++i];
059ec3d9
PH
2997
2998 /* -oMs: Set sender host name */
2999
3000 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3001
3002 /* -oMt: Set sender ident */
3003
33d73e3b
PH
3004 else if (Ustrcmp(argrest, "Mt") == 0)
3005 {
3006 sender_ident_set = TRUE;
3007 sender_ident = argv[++i];
3008 }
059ec3d9
PH
3009
3010 /* Else a bad argument */
3011
3012 else
3013 {
3014 badarg = TRUE;
3015 break;
3016 }
3017 }
3018
3019 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3020 seem to call this as -m (undocumented), so that is also accepted (see
3021 above). */
3022
3023 else if (Ustrcmp(argrest, "m") == 0) {}
3024
3025 /* -oo: An ancient flag for old-style addresses which still seems to
3026 crop up in some calls (see in SCO). */
3027
3028 else if (Ustrcmp(argrest, "o") == 0) {}
3029
3030 /* -oP <name>: set pid file path for daemon */
3031
3032 else if (Ustrcmp(argrest, "P") == 0)
3033 override_pid_file_path = argv[++i];
3034
3035 /* -or <n>: set timeout for non-SMTP acceptance
3036 -os <n>: set timeout for SMTP acceptance */
3037
3038 else if (*argrest == 'r' || *argrest == 's')
3039 {
3040 int *tp = (*argrest == 'r')?
3041 &arg_receive_timeout : &arg_smtp_receive_timeout;
3042 if (argrest[1] == 0)
3043 {
3044 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3045 }
3046 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3047 if (*tp < 0)
9af3c549 3048 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
059ec3d9
PH
3049 }
3050
3051 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3052
3053 else if (Ustrcmp(argrest, "X") == 0)
3054 override_local_interfaces = argv[++i];
3055
3056 /* Unknown -o argument */
3057
3058 else badarg = TRUE;
3059 break;
3060
3061
3062 /* -ps: force Perl startup; -pd force delayed Perl startup */
3063
3064 case 'p':
3065 #ifdef EXIM_PERL
3066 if (*argrest == 's' && argrest[1] == 0)
3067 {
3068 perl_start_option = 1;
3069 break;
3070 }
3071 if (*argrest == 'd' && argrest[1] == 0)
3072 {
3073 perl_start_option = -1;
3074 break;
3075 }
3076 #endif
3077
3078 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3079 which sets the host protocol and host name */
3080
3081 if (*argrest == 0)
5bfe3b35
JH
3082 if (i+1 < argc)
3083 argrest = argv[++i];
3084 else
059ec3d9 3085 { badarg = TRUE; break; }
059ec3d9
PH
3086
3087 if (*argrest != 0)
3088 {
65e061b7
HSHR
3089 uschar *hn;
3090
3091 if (received_protocol)
9af3c549 3092 exim_fail("received_protocol is set already\n");
65e061b7
HSHR
3093
3094 hn = Ustrchr(argrest, ':');
059ec3d9 3095 if (hn == NULL)
059ec3d9 3096 received_protocol = argrest;
059ec3d9
PH
3097 else
3098 {
90341c71
JH
3099 int old_pool = store_pool;
3100 store_pool = POOL_PERM;
059ec3d9 3101 received_protocol = string_copyn(argrest, hn - argrest);
90341c71 3102 store_pool = old_pool;
059ec3d9
PH
3103 sender_host_name = hn + 1;
3104 }
3105 }
3106 break;
3107
3108
3109 case 'q':
3110 receiving_message = FALSE;
3cc66b45 3111 if (queue_interval >= 0)
9af3c549 3112 exim_fail("exim: -q specified more than once\n");
059ec3d9
PH
3113
3114 /* -qq...: Do queue runs in a 2-stage manner */
3115
3116 if (*argrest == 'q')
3117 {
8768d548 3118 f.queue_2stage = TRUE;
059ec3d9
PH
3119 argrest++;
3120 }
3121
3122 /* -qi...: Do only first (initial) deliveries */
3123
3124 if (*argrest == 'i')
3125 {
8768d548 3126 f.queue_run_first_delivery = TRUE;
059ec3d9
PH
3127 argrest++;
3128 }
3129
3130 /* -qf...: Run the queue, forcing deliveries
3131 -qff..: Ditto, forcing thawing as well */
3132
3133 if (*argrest == 'f')
3134 {
8768d548 3135 f.queue_run_force = TRUE;
55e70e76 3136 if (*++argrest == 'f')
059ec3d9 3137 {
8768d548 3138 f.deliver_force_thaw = TRUE;
059ec3d9
PH
3139 argrest++;
3140 }
3141 }
3142
3143 /* -q[f][f]l...: Run the queue only on local deliveries */
3144
3145 if (*argrest == 'l')
3146 {
8768d548 3147 f.queue_run_local = TRUE;
059ec3d9
PH
3148 argrest++;
3149 }
3150
55e70e76 3151 /* -q[f][f][l][G<name>]... Work on the named queue */
28b3821f
JH
3152
3153 if (*argrest == 'G')
3154 {
fa665e0b
JH
3155 int i;
3156 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3157 queue_name = string_copyn(argrest, i);
3158 argrest += i;
3159 if (*argrest == '/') argrest++;
28b3821f
JH
3160 }
3161
3162 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3163 only, optionally named, optionally starting from a given message id. */
059ec3d9
PH
3164
3165 if (*argrest == 0 &&
3166 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3167 {
3168 queue_interval = 0;
3169 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3170 start_queue_run_id = argv[++i];
3171 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3172 stop_queue_run_id = argv[++i];
3173 }
3174
fa665e0b
JH
3175 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3176 forced, optionally local only, optionally named. */
059ec3d9 3177
55e70e76
JH
3178 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3179 0, FALSE)) <= 0)
9af3c549 3180 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
059ec3d9
PH
3181 break;
3182
3183
3184 case 'R': /* Synonymous with -qR... */
3185 receiving_message = FALSE;
3186
3187 /* -Rf: As -R (below) but force all deliveries,
3188 -Rff: Ditto, but also thaw all frozen messages,
3189 -Rr: String is regex
3190 -Rrf: Regex and force
3191 -Rrff: Regex and force and thaw
3192
3193 in all cases provided there are no further characters in this
3194 argument. */
3195
3196 if (*argrest != 0)
d7978c0f 3197 for (int i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3198 if (Ustrcmp(argrest, rsopts[i]) == 0)
3199 {
8768d548
JH
3200 if (i != 2) f.queue_run_force = TRUE;
3201 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3202 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
059ec3d9
PH
3203 argrest += Ustrlen(rsopts[i]);
3204 }
059ec3d9
PH
3205
3206 /* -R: Set string to match in addresses for forced queue run to
3207 pick out particular messages. */
3208
55e70e76
JH
3209 if (*argrest)
3210 deliver_selectstring = argrest;
3211 else if (i+1 < argc)
3212 deliver_selectstring = argv[++i];
3213 else
9af3c549 3214 exim_fail("exim: string expected after -R\n");
059ec3d9
PH
3215 break;
3216
3217
3218 /* -r: an obsolete synonym for -f (see above) */
3219
3220
3221 /* -S: Like -R but works on sender. */
3222
3223 case 'S': /* Synonymous with -qS... */
3224 receiving_message = FALSE;
3225
3226 /* -Sf: As -S (below) but force all deliveries,
3227 -Sff: Ditto, but also thaw all frozen messages,
3228 -Sr: String is regex
3229 -Srf: Regex and force
3230 -Srff: Regex and force and thaw
3231
3232 in all cases provided there are no further characters in this
3233 argument. */
3234
55e70e76 3235 if (*argrest)
d7978c0f 3236 for (int i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3237 if (Ustrcmp(argrest, rsopts[i]) == 0)
3238 {
8768d548
JH
3239 if (i != 2) f.queue_run_force = TRUE;
3240 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3241 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
059ec3d9
PH
3242 argrest += Ustrlen(rsopts[i]);
3243 }
059ec3d9
PH
3244
3245 /* -S: Set string to match in addresses for forced queue run to
3246 pick out particular messages. */
3247
55e70e76
JH
3248 if (*argrest)
3249 deliver_selectstring_sender = argrest;
3250 else if (i+1 < argc)
3251 deliver_selectstring_sender = argv[++i];
3252 else
9af3c549 3253 exim_fail("exim: string expected after -S\n");
059ec3d9
PH
3254 break;
3255
3256 /* -Tqt is an option that is exclusively for use by the testing suite.
3257 It is not recognized in other circumstances. It allows for the setting up
3258 of explicit "queue times" so that various warning/retry things can be
3259 tested. Otherwise variability of clock ticks etc. cause problems. */
3260
3261 case 'T':
8768d548 3262 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
059ec3d9
PH
3263 fudged_queue_times = argv[++i];
3264 else badarg = TRUE;
3265 break;
3266
3267
3268 /* -t: Set flag to extract recipients from body of message. */
3269
3270 case 't':
3271 if (*argrest == 0) extract_recipients = TRUE;
3272
3273 /* -ti: Set flag to extract recipients from body of message, and also
3274 specify that dot does not end the message. */
3275
3276 else if (Ustrcmp(argrest, "i") == 0)
3277 {
3278 extract_recipients = TRUE;
8768d548 3279 f.dot_ends = FALSE;
059ec3d9
PH
3280 }
3281
3282 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3283
3284 #ifdef SUPPORT_TLS
817d9f57 3285 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
059ec3d9
PH
3286 #endif
3287
3288 else badarg = TRUE;
3289 break;
3290
3291
3292 /* -U: This means "initial user submission" in sendmail, apparently. The
3293 doc claims that in future sendmail may refuse syntactically invalid
3294 messages instead of fixing them. For the moment, we just ignore it. */
3295
3296 case 'U':
3297 break;
3298
3299
3300 /* -v: verify things - this is a very low-level debugging */
3301
3302 case 'v':
3303 if (*argrest == 0)
3304 {
3305 debug_selector |= D_v;
3306 debug_file = stderr;
3307 }
3308 else badarg = TRUE;
3309 break;
3310
3311
3312 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3313
3314 The -x flag tells the sendmail command that mail from a local
3315 mail program has National Language Support (NLS) extended characters
3316 in the body of the mail item. The sendmail command can send mail with
3317 extended NLS characters across networks that normally corrupts these
3318 8-bit characters.
3319
3320 As Exim is 8-bit clean, it just ignores this flag. */
3321
3322 case 'x':
3323 if (*argrest != 0) badarg = TRUE;
3324 break;
3325
a3fb9793
PP
3326 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3327 logs to that file. We swallow the parameter and otherwise ignore it. */
3328
3329 case 'X':
3330 if (*argrest == '\0')
a3fb9793 3331 if (++i >= argc)
9af3c549 3332 exim_fail("exim: string expected after -X\n");
0ad2e0fc
JH
3333 break;
3334
3335 case 'z':
3336 if (*argrest == '\0')
9af3c549
JH
3337 if (++i < argc)
3338 log_oneline = argv[i];
3339 else
3340 exim_fail("exim: file name expected after %s\n", argv[i-1]);
a3fb9793
PP
3341 break;
3342
059ec3d9
PH
3343 /* All other initial characters are errors */
3344
3345 default:
3346 badarg = TRUE;
3347 break;
3348 } /* End of high-level switch statement */
3349
3350 /* Failed to recognize the option, or syntax error */
3351
3352 if (badarg)
9af3c549 3353 exim_fail("exim abandoned: unknown, malformed, or incomplete "
059ec3d9 3354 "option %s\n", arg);
059ec3d9
PH
3355 }
3356
3357
3cc66b45
PH
3358/* If -R or -S have been specified without -q, assume a single queue run. */
3359
55e70e76
JH
3360if ( (deliver_selectstring || deliver_selectstring_sender)
3361 && queue_interval < 0)
3362 queue_interval = 0;
3cc66b45
PH
3363
3364
059ec3d9 3365END_ARG:
81ea09ca
NM
3366/* If usage_wanted is set we call the usage function - which never returns */
3367if (usage_wanted) exim_usage(called_as);
3368
3369/* Arguments have been processed. Check for incompatibilities. */
059ec3d9
PH
3370if ((
3371 (smtp_input || extract_recipients || recipients_arg < argc) &&
8768d548 3372 (f.daemon_listen || queue_interval >= 0 || bi_option ||
059ec3d9 3373 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
f05da2e8 3374 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
059ec3d9
PH
3375 ) ||
3376 (
3377 msg_action_arg > 0 &&
8768d548 3378 (f.daemon_listen || queue_interval > 0 || list_options ||
0ef732d9
PH
3379 (checking && msg_action != MSG_LOAD) ||
3380 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
059ec3d9
PH
3381 ) ||
3382 (
8768d548 3383 (f.daemon_listen || queue_interval > 0) &&
059ec3d9 3384 (sender_address != NULL || list_options || list_queue || checking ||
0ef732d9 3385 bi_option)
059ec3d9
PH
3386 ) ||
3387 (
8768d548 3388 f.daemon_listen && queue_interval == 0
059ec3d9
PH
3389 ) ||
3390 (
8768d548 3391 f.inetd_wait_mode && queue_interval >= 0
9ee44efb
PP
3392 ) ||
3393 (
059ec3d9
PH
3394 list_options &&
3395 (checking || smtp_input || extract_recipients ||
f05da2e8 3396 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3397 ) ||
3398 (
3399 verify_address_mode &&
8768d548 3400 (f.address_test_mode || smtp_input || extract_recipients ||
f05da2e8 3401 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3402 ) ||
3403 (
8768d548 3404 f.address_test_mode && (smtp_input || extract_recipients ||
f05da2e8 3405 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3406 ) ||
3407 (
f05da2e8 3408 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
059ec3d9
PH
3409 extract_recipients)
3410 ) ||
3411 (
3412 deliver_selectstring != NULL && queue_interval < 0
328895cc
PH
3413 ) ||
3414 (
3415 msg_action == MSG_LOAD &&
3416 (!expansion_test || expansion_test_message != NULL)
059ec3d9
PH
3417 )
3418 )
9af3c549 3419 exim_fail("exim: incompatible command-line options or arguments\n");
059ec3d9
PH
3420
3421/* If debugging is set up, set the file and the file descriptor to pass on to
3422child processes. It should, of course, be 2 for stderr. Also, force the daemon
3423to run in the foreground. */
3424
3425if (debug_selector != 0)
3426 {
3427 debug_file = stderr;
3428 debug_fd = fileno(debug_file);
8768d548
JH
3429 f.background_daemon = FALSE;
3430 if (f.running_in_test_harness) millisleep(100); /* lets caller finish */
059ec3d9
PH
3431 if (debug_selector != D_v) /* -v only doesn't show this */
3432 {
3433 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3434 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3435 debug_selector);
6545de78
PP
3436 if (!version_printed)
3437 show_whats_supported(stderr);
059ec3d9
PH
3438 }
3439 }
3440
3441/* When started with root privilege, ensure that the limits on the number of
3442open files and the number of processes (where that is accessible) are
3443sufficiently large, or are unset, in case Exim has been called from an
3444environment where the limits are screwed down. Not all OS have the ability to
3445change some of these limits. */
3446
3447if (unprivileged)
3448 {
3449 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3450 }
3451else
3452 {
3453 struct rlimit rlp;
3454
3455 #ifdef RLIMIT_NOFILE
3456 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3457 {
3458 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3459 strerror(errno));
3460 rlp.rlim_cur = rlp.rlim_max = 0;
3461 }
eb2c0248
PH
3462
3463 /* I originally chose 1000 as a nice big number that was unlikely to
a494b1e1
PH
3464 be exceeded. It turns out that some older OS have a fixed upper limit of
3465 256. */
eb2c0248 3466
059ec3d9
PH
3467 if (rlp.rlim_cur < 1000)
3468 {
3469 rlp.rlim_cur = rlp.rlim_max = 1000;
3470 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
eb2c0248 3471 {
a494b1e1
PH
3472 rlp.rlim_cur = rlp.rlim_max = 256;
3473 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3474 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3475 strerror(errno));
eb2c0248 3476 }
059ec3d9
PH
3477 }
3478 #endif
3479
3480 #ifdef RLIMIT_NPROC
3481 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3482 {
3483 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3484 strerror(errno));
3485 rlp.rlim_cur = rlp.rlim_max = 0;
3486 }
3487
3488 #ifdef RLIM_INFINITY
3489 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3490 {
3491 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3492 #else
3493 if (rlp.rlim_cur < 1000)
3494 {
3495 rlp.rlim_cur = rlp.rlim_max = 1000;
3496 #endif
3497 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3498 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3499 strerror(errno));
3500 }
3501 #endif
3502 }
3503
3504/* Exim is normally entered as root (but some special configurations are
3505possible that don't do this). However, it always spins off sub-processes that
3506set their uid and gid as required for local delivery. We don't want to pass on
3507any extra groups that root may belong to, so we want to get rid of them all at
3508this point.
3509
3510We need to obey setgroups() at this stage, before possibly giving up root
3511privilege for a changed configuration file, but later on we might need to
3512check on the additional groups for the admin user privilege - can't do that
3513till after reading the config, which might specify the exim gid. Therefore,
3514save the group list here first. */
3515
157d73b5 3516if ((group_count = getgroups(nelem(group_list), group_list)) < 0)
9af3c549 3517 exim_fail("exim: getgroups() failed: %s\n", strerror(errno));
059ec3d9
PH
3518
3519/* There is a fundamental difference in some BSD systems in the matter of
3520groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3521known not to be different. On the "different" systems there is a single group
3522list, and the first entry in it is the current group. On all other versions of
3523Unix there is a supplementary group list, which is in *addition* to the current
3524group. Consequently, to get rid of all extraneous groups on a "standard" system
3525you pass over 0 groups to setgroups(), while on a "different" system you pass
3526over a single group - the current group, which is always the first group in the
3527list. Calling setgroups() with zero groups on a "different" system results in
3528an error return. The following code should cope with both types of system.
3529
3b7ac02c
JH
3530 Unfortunately, recent MacOS, which should be a FreeBSD, "helpfully" succeeds
3531 the "setgroups() with zero groups" - and changes the egid.
3532 Thanks to that we had to stash the original_egid above, for use below
3533 in the call to exim_setugid().
3534
059ec3d9
PH
3535However, if this process isn't running as root, setgroups() can't be used
3536since you have to be root to run it, even if throwing away groups. Not being
3537root here happens only in some unusual configurations. We just ignore the
3538error. */
3539
9af3c549
JH
3540if (setgroups(0, NULL) != 0 && setgroups(1, group_list) != 0 && !unprivileged)
3541 exim_fail("exim: setgroups() failed: %s\n", strerror(errno));
059ec3d9
PH
3542
3543/* If the configuration file name has been altered by an argument on the
3544command line (either a new file name or a macro definition) and the caller is
cd25e41d
DW
3545not root, or if this is a filter testing run, remove any setuid privilege the
3546program has and run as the underlying user.
059ec3d9 3547
cd25e41d
DW
3548The exim user is locked out of this, which severely restricts the use of -C
3549for some purposes.
059ec3d9
PH
3550
3551Otherwise, set the real ids to the effective values (should be root unless run
3552from inetd, which it can either be root or the exim uid, if one is configured).
3553
3554There is a private mechanism for bypassing some of this, in order to make it
3555possible to test lots of configurations automatically, without having either to
3556recompile each time, or to patch in an actual configuration file name and other
3557values (such as the path name). If running in the test harness, pretend that
3558configuration file changes and macro definitions haven't happened. */
3559
3560if (( /* EITHER */
8768d548 3561 (!f.trusted_config || /* Config changed, or */
a4034eb8 3562 !macros_trusted(opt_D_used)) && /* impermissible macros and */
059ec3d9 3563 real_uid != root_uid && /* Not root, and */
8768d548 3564 !f.running_in_test_harness /* Not fudged */
059ec3d9
PH
3565 ) || /* OR */
3566 expansion_test /* expansion testing */
3567 || /* OR */
f05da2e8 3568 filter_test != FTEST_NONE) /* Filter testing */
059ec3d9
PH
3569 {
3570 setgroups(group_count, group_list);
3571 exim_setugid(real_uid, real_gid, FALSE,
3572 US"-C, -D, -be or -bf forces real uid");
3573 removed_privilege = TRUE;
3574
3575 /* In the normal case when Exim is called like this, stderr is available
3576 and should be used for any logging information because attempts to write
3577 to the log will usually fail. To arrange this, we unset really_exim. However,
3578 if no stderr is available there is no point - we might as well have a go
b7487bce 3579 at the log (if it fails, syslog will be written).
059ec3d9 3580
b7487bce
PP
3581 Note that if the invoker is Exim, the logs remain available. Messing with
3582 this causes unlogged successful deliveries. */
3583
9af3c549 3584 if (log_stderr && real_uid != exim_uid)
8768d548 3585 f.really_exim = FALSE;
059ec3d9
PH
3586 }
3587
3588/* Privilege is to be retained for the moment. It may be dropped later,
3589depending on the job that this Exim process has been asked to do. For now, set
3590the real uid to the effective so that subsequent re-execs of Exim are done by a
3591privileged user. */
3592
9af3c549 3593else
3b7ac02c 3594 exim_setugid(geteuid(), original_egid, FALSE, US"forcing real = effective");
059ec3d9 3595
f05da2e8 3596/* If testing a filter, open the file(s) now, before wasting time doing other
059ec3d9
PH
3597setups and reading the message. */
3598
9af3c549
JH
3599if (filter_test & FTEST_SYSTEM)
3600 if ((filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0)) < 0)
3601 exim_fail("exim: failed to open %s: %s\n", filter_test_sfile,
f05da2e8 3602 strerror(errno));
f05da2e8 3603
9af3c549
JH
3604if (filter_test & FTEST_USER)
3605 if ((filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0)) < 0)
3606 exim_fail("exim: failed to open %s: %s\n", filter_test_ufile,
059ec3d9 3607 strerror(errno));
059ec3d9 3608
8829633f
PP
3609/* Initialise lookup_list
3610If debugging, already called above via version reporting.
3611In either case, we initialise the list of available lookups while running
3612as root. All dynamically modules are loaded from a directory which is
3613hard-coded into the binary and is code which, if not a module, would be
3614part of Exim already. Ability to modify the content of the directory
3615is equivalent to the ability to modify a setuid binary!
3616
3617This needs to happen before we read the main configuration. */
3618init_lookup_list();
3619
8c5d388a 3620#ifdef SUPPORT_I18N
8768d548 3621if (f.running_in_test_harness) smtputf8_advertise_hosts = NULL;
9d4319df
JH
3622#endif
3623
059ec3d9
PH
3624/* Read the main runtime configuration data; this gives up if there
3625is a failure. It leaves the configuration file open so that the subsequent
3de973a2 3626configuration data for delivery can be read if needed.
059ec3d9 3627